authorAlex Rudyy <orudyy@apache.org>2015-03-26 13:23:45 +0000
committerAlex Rudyy <orudyy@apache.org>2015-03-26 13:23:45 +0000
commit9cc2707d5306101dcf3fb371624fbc29323c00f6 (patch)
tree8446b735fda69d779ff4940b4d2ec8be80327901
parent9206eb02974a8aaf9e4693c8e1063ea93b82253c (diff)
QPID-6465: Fix ArrayIndexOutOfBoundsException thrown on attempt to hexify password in MD5AuthenticationProvider
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1669340 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r--qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/MD5AuthenticationProvider.java4
-rw-r--r--qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/MD5AuthenticationManagerTest.java50
2 files changed, 52 insertions, 2 deletions
diff --git a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/MD5AuthenticationProvider.java b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/MD5AuthenticationProvider.java
index cdb2f3dcc7..44aef27de0 100644
--- a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/MD5AuthenticationProvider.java
+++ b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/MD5AuthenticationProvider.java
@@ -183,9 +183,9 @@ public class MD5AuthenticationProvider
char[] password;
if(_hexify)
{
- password = new char[passwordBytes.length];
+ password = new char[passwordBytes.length * 2];
- for(int i = 0; i < passwordBytes.length; i--)
+ for(int i = 0; i < passwordBytes.length; i++)
{
password[2*i] = HEX_CHARACTERS[(((int)passwordBytes[i]) & 0xf0)>>4];
password[(2*i)+1] = HEX_CHARACTERS[(((int)passwordBytes[i]) & 0x0f)];
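Review bot: The allocation `password = new char[passwordBytes.length * 2];` has no comment tying its size to the two writes per byte in the loop below, and that unstated invariant is what the old code got wrong. I would add `// two hex digits per byte: high nibble at 2*i, low nibble at 2*i+1` above the allocation. The `password` array presumably becomes the secret that the hex variant of the mechanism is checked against. The loop body and the rest of the method continue outside this hunk, so it is worth confirming there that `passwordBytes` and `password` are cleared once they have been used.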
diff --git a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/MD5AuthenticationManagerTest.java b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/MD5AuthenticationManagerTest.java
index aecd318937..25540dcb92 100644
--- a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/MD5AuthenticationManagerTest.java
+++ b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/MD5AuthenticationManagerTest.java
@@ -20,10 +20,20 @@
*/
package org.apache.qpid.server.security.auth.manager;
+import javax.security.sasl.SaslServer;
+import java.util.HashMap;
import java.util.Map;
+import org.apache.qpid.server.model.User;
+import org.apache.qpid.server.security.auth.AuthenticationResult;
+import org.apache.qpid.server.security.auth.sasl.SaslUtil;
+
public class MD5AuthenticationManagerTest extends ManagedAuthenticationManagerTestBase
{
+
+ public static final String USER_NAME = "test";
+ public static final String USER_PASSWORD = "password";
+
@Override
public void setUp() throws Exception
{
@@ -48,6 +58,46 @@ public class MD5AuthenticationManagerTest extends ManagedAuthenticationManagerTe
super.tearDown();
}
+ public void testMD5HexAuthenticationWithValidCredentials() throws Exception
+ {
+ createUser(USER_NAME, USER_PASSWORD);
+ AuthenticationResult result = authenticate("CRAM-MD5-HEX", USER_NAME, USER_PASSWORD);
+ assertEquals("Unexpected authentication result", AuthenticationResult.AuthenticationStatus.SUCCESS, result.getStatus());
+ }
+
+ public void testMD5HexAuthenticationWithInvalidPassword() throws Exception
+ {
+ createUser(USER_NAME, USER_PASSWORD);
+ AuthenticationResult result = authenticate("CRAM-MD5-HEX", USER_NAME, "invalid");
+ assertEquals("Unexpected authentication result", AuthenticationResult.AuthenticationStatus.ERROR, result.getStatus());
+ }
+
+ public void testMD5HexAuthenticationWithInvalidUsername() throws Exception
+ {
+ createUser(USER_NAME, USER_PASSWORD);
+ AuthenticationResult result = authenticate("CRAM-MD5-HEX", "invalid", USER_PASSWORD);
+ assertEquals("Unexpected authentication result", AuthenticationResult.AuthenticationStatus.ERROR, result.getStatus());
+ }
+ private AuthenticationResult authenticate(String mechanism, String userName, String userPassword) throws Exception
+ {
+ SaslServer ss = getAuthManager().createSaslServer(mechanism, "test", null);
+ byte[] challenge = ss.evaluateResponse(new byte[0]);
+ byte[] response = SaslUtil.generateCramMD5HexClientResponse(userName, userPassword, challenge);;
+
+ return getAuthManager().authenticate(ss, response);
+ }
+
+ private User createUser(String userName, String userPassword)
+ {
+ final Map<String, Object> childAttrs = new HashMap<String, Object>();
+
+ childAttrs.put(User.NAME, userName);
+ childAttrs.put(User.PASSWORD, userPassword);
+ User user = getAuthManager().addChild(User.class, childAttrs);
+ assertNotNull("User should be created but addChild returned null", user);
+ assertEquals(userName, user.getName());
+ return user;
+ }
}
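Review bot: The `authenticate` helper ends its response line with a stray second semicolon (`challenge);;`) and never disposes the `SaslServer` it creates, so each test leaves the SASL exchange state for garbage collection unless `getAuthManager().authenticate` disposes it, which is not visible here. I would drop the extra `;` and wrap the return as `try { return getAuthManager().authenticate(ss, response); } finally { ss.dispose(); }`. The literal `"test"` passed to `createSaslServer` has the same value as `USER_NAME`, which makes it unclear whether that argument is meant to be the user name; a separately named constant would remove the ambiguity. The three tests only go through the full SASL exchange, so a direct assertion on the hexified output for a known byte array would pin the fixed loop more tightly.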