#858 Fix: Legacy authentication breaks non-ASCII characters in passwords

Author: mrotteveel

src/main/org/firebirdsql/ds/AbstractConnectionPropertiesDataSource.java

@@ -441,6 +441,16 @@ public void setSocketFactory(@Nullable String socketFactory) {
         FirebirdConnectionProperties.super.setSocketFactory(socketFactory);
     }
 
+    @Override
+    public String getLegacyAuthCharset() {
+        return FirebirdConnectionProperties.super.getLegacyAuthCharset();
+    }
+
+    @Override
+    public void setLegacyAuthCharset(@Nullable String legacyAuthCharset) {
+        FirebirdConnectionProperties.super.setLegacyAuthCharset(legacyAuthCharset);
+    }
+
     @Override
     public boolean isUseCatalogAsPackage() {
         return FirebirdConnectionProperties.super.isUseCatalogAsPackage();

src/main/org/firebirdsql/gds/ng/wire/auth/ClientAuthBlock.java

@@ -66,6 +66,10 @@ public ClientAuthBlock(IAttachProperties<?> attachProperties) throws SQLExceptio
         return attachProperties.getPassword();
     }
 
+    public String getLegacyAuthCharset() {
+        return attachProperties.getLegacyAuthCharset();
+    }
+
     public boolean isAuthComplete() {
         return authComplete;
     }

src/main/org/firebirdsql/gds/ng/wire/auth/legacy/LegacyAuthenticationPlugin.java

@@ -29,7 +29,7 @@ public AuthStatus authenticate(ClientAuthBlock clientAuthBlock) {
         if (clientAuthBlock.getLogin() == null || clientAuthBlock.getPassword() == null) {
             return AuthStatus.AUTH_CONTINUE;
         }
-        clientData = LegacyHash.fbCrypt(clientAuthBlock.getPassword());
+        clientData = LegacyHash.fbCrypt(clientAuthBlock.getPassword(), clientAuthBlock.getLegacyAuthCharset());
         return AuthStatus.AUTH_SUCCESS;
     }
 

src/main/org/firebirdsql/gds/ng/wire/auth/legacy/LegacyHash.java

@@ -11,6 +11,9 @@
 
 import org.jspecify.annotations.Nullable;
 
+import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
+
 /**
  * Implements the one way password hash used by the legacy authentication of Firebird.
  * <p>
@@ -363,21 +366,25 @@ private static void initPerm(long[][] perm, byte[] p) {
     }
 
     /**
-     * Encrypts String into crypt (Unix) code as used by Firebird.
+     * Encrypts {@code key} into UnixCrypt hash as used by Firebird Legacy_Auth.
      *
      * @param key
      *         the key to be encrypted
+     * @param charsetName
+     *         character set to convert {@code key} to bytes
      * @return the encrypted String
+     * @since 7
      */
-    public static byte[] fbCrypt(@Nullable String key) {
+    public static byte[] fbCrypt(@Nullable String key, String charsetName) {
         if (key == null) {
-            return new byte[] { '*' }; // will NOT match under ANY circumstances!
+            // will NOT match under ANY circumstances!
+            return new byte[] { '*' };
         }
-
-        final int keyLen = key.length();
+        byte[] keyBytes = key.getBytes(toCharset(charsetName));
+        final int keyLen = keyBytes.length;
         long keyword = 0L;
         for (int i = 0; i < 8; i++) {
-            keyword = keyword << 8 | ((i < keyLen) ? 2 * key.charAt(i) : 0);
+            keyword = keyword << 8 | ((i < keyLen) ? 2 * (keyBytes[i] & 0xFF) : 0);
         }
 
         long rsltblock = desCipher(desSetKey(keyword));
@@ -393,5 +400,15 @@ public static byte[] fbCrypt(@Nullable String key) {
         return cryptResult;
     }
 
+    private static Charset toCharset(String charsetName) {
+        try {
+            return Charset.forName(charsetName);
+        } catch (IllegalArgumentException e) {
+            System.getLogger(LegacyHash.class.getName()).log(System.Logger.Level.WARNING,
+                    () -> "Invalid character set %s, falling back to UTF-8".formatted(charsetName), e);
+            return StandardCharsets.UTF_8;
+        }
+    }
+
 }
 

src/main/org/firebirdsql/gds/ng/wire/version10/V10ParameterConverter.java

@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: Copyright 2014-2023 Mark Rotteveel
+// SPDX-FileCopyrightText: Copyright 2014-2026 Mark Rotteveel
 // SPDX-License-Identifier: LGPL-2.1-or-later
 package org.firebirdsql.gds.ng.wire.version10;
 
@@ -30,7 +30,8 @@ protected void populateAuthenticationProperties(final AbstractConnection<?, ?> c
             pb.addArgument(tagMapping.getUserNameTag(), props.getUser());
         }
         if (props.getPassword() != null) {
-            pb.addArgument(tagMapping.getEncryptedPasswordTag(), LegacyHash.fbCrypt(props.getPassword()));
+            pb.addArgument(tagMapping.getEncryptedPasswordTag(),
+                    LegacyHash.fbCrypt(props.getPassword(), props.getLegacyAuthCharset()));
         }
     }
 

src/main/org/firebirdsql/jaybird/props/AttachmentProperties.java

@@ -6,6 +6,8 @@
 import org.firebirdsql.gds.ng.WireCrypt;
 import org.jspecify.annotations.Nullable;
 
+import java.nio.charset.Charset;
+
 import static org.firebirdsql.jaybird.props.PropertyConstants.DEFAULT_WIRE_COMPRESSION;
 
 /**
@@ -477,4 +479,40 @@ default void setSocketFactory(@Nullable String socketFactory) {
         setProperty(PropertyNames.socketFactory, socketFactory);
     }
 
+    /**
+     * The Java character set to use when processing a password for Legacy_Auth in the pure Java protocol.
+     * <p>
+     * In general, this should be {@code UTF-8} (the default). Using a different character set may be needed when
+     * connecting to Firebird 2.5 and older when using passwords with non-ASCII characters.
+     * </p>
+     *
+     * @return Java character set name (default {@code UTF-8})
+     * @since 7
+     */
+    default String getLegacyAuthCharset() {
+        return getProperty(PropertyNames.legacyAuthCharset, PropertyConstants.DEFAULT_LEGACY_AUTH_CHARSET);
+    }
+
+    /**
+     * Sets the Java character set to use when processing a password for Legacy_Auth in the pure Java protocol.
+     * <p>
+     * In general, this should be {@code UTF-8} (the default). Using a different character set may be needed when
+     * connecting to Firebird 2.5 and older when using passwords with non-ASCII characters.
+     * </p>
+     *
+     * @param legacyAuthCharset
+     *         Java character set name (use {@code null} to reset to the default, {@code UTF-8})
+     * @throws java.nio.charset.IllegalCharsetNameException
+     *         if {@code legacyAuthCharset} is an illegal character set name
+     * @throws java.nio.charset.UnsupportedCharsetException
+     *         if {@code legacyAuth} is not supported
+     * @since 7
+     */
+    default void setLegacyAuthCharset(@Nullable String legacyAuthCharset) {
+        if (legacyAuthCharset != null) {
+            Charset.forName(legacyAuthCharset);
+        }
+        setProperty(PropertyNames.legacyAuthCharset, legacyAuthCharset);
+    }
+
 }

src/main/org/firebirdsql/jaybird/props/PropertyConstants.java

@@ -71,6 +71,7 @@ public final class PropertyConstants {
     public static final String SESSION_TIME_ZONE_SERVER = "server";
 
     public static final String DEFAULT_AUTH_PLUGINS = "Srp256,Srp";
+    static final String DEFAULT_LEGACY_AUTH_CHARSET = "UTF-8";
 
     private PropertyConstants() {
         // no instances

src/main/org/firebirdsql/jaybird/props/PropertyNames.java

@@ -41,6 +41,7 @@ public final class PropertyNames {
     public static final String enableProtocol = "enableProtocol";
     public static final String parallelWorkers = "parallelWorkers";
     public static final String socketFactory = "socketFactory";
+    public static final String legacyAuthCharset = "legacyAuthCharset";
 
     // database connection
     public static final String sqlDialect = "sqlDialect";

src/main/org/firebirdsql/jaybird/props/internal/StandardConnectionPropertyDefiner.java

@@ -63,6 +63,7 @@ public Stream<ConnectionProperty> defineProperties() {
                 builder(parallelWorkers).type(INT).aliases("parallel_workers", "isc_dpb_parallel_workers")
                         .dpbItem(isc_dpb_parallel_workers),
                 builder(socketFactory),
+                builder(legacyAuthCharset).aliases("legacyAuthCharSet"),
 
                 // Database properties
                 builder(charSet).aliases("charset", "localEncoding", "local_encoding"),

src/test/org/firebirdsql/common/extension/DatabaseUserExtension.java

@@ -58,7 +58,7 @@ public static DatabaseUserExtension withDatabaseUser() {
     public void createUser(String username, String password, @Nullable String plugin) throws SQLException {
         requireNonNull(username, "userName");
         requireNonNull(password, "password");
-        try (var connection = getConnectionViaDriverManager();
+        try (var connection = getConnectionViaDriverManager("lc_ctype", "UTF8");
              var statement = connection.createStatement()) {
             var createUserSql = new StringBuilder("CREATE USER ").append(statement.enquoteIdentifier(username, false))
                     .append(" PASSWORD ").append(statement.enquoteLiteral(password));
@@ -76,7 +76,7 @@ public void afterEach(ExtensionContext context) {
         if (createdUsers.isEmpty()) {
             return;
         }
-        try (var connection = getConnectionViaDriverManager()) {
+        try (var connection = getConnectionViaDriverManager("lc_ctype", "UTF8")) {
             connection.setAutoCommit(false);
             try (var statement = connection.createStatement()) {
                 for (User user : createdUsers) {