2 Replies Latest reply on May 2, 2002 10:16 AM by Richard Robinson

    bug in Util.calculatePasswordHash

    Richard Robinson Newbie

      Hi,

      I have a strange hobby of browsing through source code and started looking at JBoss' security source code today. In doing so, I think I've spotted a bug. This is from the snapshot for Apr 17th in
      jboss-all/security/src/main/org/jboss/security/Util.java
      starting at line 151:
      for(int n = 0, p = 0; p < password.length; p ++)
      {
      char c = password[p];
      passBytes[n ++] = (byte) (c & 0x00FF00);
      passBytes[n ++] = (byte) (c & 0x0000FF);
      }

      as it stands now, the high order byte of each Unicode character in the password is always considered zero when it's hashed, which is probably a problem.

      To fix it line 154 should be (I think):
      passBytes[n ++] = (byte) ((c & 0x00FF00) >> 8);

      At the moment I haven't yet installed JBoss on my system, can't build it and don't have CVS capability. It sure does look like a bug though.