james-server-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Benoit Tellier (Jira)" <server-...@james.apache.org>
Subject [jira] [Closed] (JAMES-3512) DigestUtil hash bug
Date Sat, 01 May 2021 16:32:00 GMT

     [ https://issues.apache.org/jira/browse/JAMES-3512?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Benoit Tellier closed JAMES-3512.
    Fix Version/s: 3.6.0
       Resolution: Fixed

> DigestUtil hash bug
> -------------------
>                 Key: JAMES-3512
>                 URL: https://issues.apache.org/jira/browse/JAMES-3512
>             Project: James Server
>          Issue Type: Bug
>    Affects Versions: master
>            Reporter: Danny Thuering
>            Priority: Minor
>             Fix For: 3.6.0
>          Time Spent: 2h
>  Remaining Estimate: 0h
> I was testing how to transfer user password hashes from the Cassandra user table to an
external system but the hashes were too short when validating with a different SHA1 digest
> I have added a sample to illustrate the issue. There are two bytes missing on the hash
compared to e.g. `com.google.common.hash.Hashing`.
> The problem seems to be a missing `flush` or `close` on the `OutputStream` in `DigestUtil.java`.
> [https://github.com/apache/james-project/blob/ec7b50b82c5386aec6ee115a3b4c1b3018f7b4a8/server/data/data-library/src/main/java/org/apache/james/user/lib/util/DigestUtil.java#L146]
> Here the output from my tests:
> {{james base4     : n7f+Eheu1EKwTA9eQ7XVp9Mo}}
> {{hcode hex       : 9fb7fe1217aed442b04c0f5e43b5d5a7d3287097}}
> {{james hex       : 9fb7fe1217aed442b04c0f5e43b5d5a7d328}}
> {{james fix base64: n7f+Eheu1EKwTA9eQ7XVp9MocJc=}}
> {{james fix hash  : 9fb7fe1217aed442b04c0f5e43b5d5a7d3287097}}
> The sample is transforming the stored password base64 to hex encoding and you can see
the missing two bytes. The fix used `flush` on digesting a password.
> [https://gist.github.com/dthuering/67e804897d10330c24e62a1767139264]
> Maybe I miss something but it looks like a bug. It is not affecteing running instances
but is a problem on mobing hashes to other systems.

This message was sent by Atlassian Jira

To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org

View raw message