Posted to commits@qpid.apache.org by lq...@apache.org on 2016/01/18 17:40:50 UTC
svn commit: r1725304 - in /qpid/java/branches/6.0.x: ./
broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/
broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/
Author: lquack
Date: Mon Jan 18 16:40:50 2016
New Revision: 1725304
URL: http://svn.apache.org/viewvc?rev=1725304&view=rev
Log:
QPID-6993 : merge to 6.0.x
merged from trunk with
svn merge -c 1725295 https://svn.apache.org/repos/asf/qpid/java/trunk
Modified:
qpid/java/branches/6.0.x/ (props changed)
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSource.java
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSourceAdapter.java
Propchange: qpid/java/branches/6.0.x/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Mon Jan 18 16:40:50 2016
@@ -9,5 +9,5 @@
/qpid/branches/java-broker-vhost-refactor/java:1493674-1494547
/qpid/branches/java-network-refactor/qpid/java:805429-821809
/qpid/branches/qpid-2935/qpid/java:1061302-1072333
-/qpid/java/trunk:1715445-1715447,1715586,1715940,1716086-1716087,1716127-1716128,1716141,1716153,1716155,1716194,1716204,1716209,1716227,1716277,1716357,1716368,1716370,1716374,1716432,1716444-1716445,1716455,1716461,1716474,1716489,1716497,1716515,1716555,1716602,1716606-1716610,1716619,1716636,1717269,1717299,1717401,1717446,1717449,1717626,1717691,1717735,1717780,1718744,1718889,1718893,1718918,1718922,1719026,1719028,1719033,1719037,1719047,1719051,1720664,1721151,1721198,1722246,1722339,1723064,1723194,1723563,1724216,1724251,1724257,1724397,1724432,1724582,1724603,1724780
+/qpid/java/trunk:1715445-1715447,1715586,1715940,1716086-1716087,1716127-1716128,1716141,1716153,1716155,1716194,1716204,1716209,1716227,1716277,1716357,1716368,1716370,1716374,1716432,1716444-1716445,1716455,1716461,1716474,1716489,1716497,1716515,1716555,1716602,1716606-1716610,1716619,1716636,1717269,1717299,1717401,1717446,1717449,1717626,1717691,1717735,1717780,1718744,1718889,1718893,1718918,1718922,1719026,1719028,1719033,1719037,1719047,1719051,1720664,1721151,1721198,1722246,1722339,1723064,1723194,1723563,1724216,1724251,1724257,1724397,1724432,1724582,1724603,1724780,1725295
/qpid/trunk/qpid:796646-796653
Modified: qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java
URL: http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java?rev=1725304&r1=1725303&r2=1725304&view=diff
==============================================================================
--- qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java (original)
+++ qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java Mon Jan 18 16:40:50 2016
@@ -112,97 +112,45 @@ public abstract class AbstractScramAuthe
if(user != null)
{
updateStoredPasswordFormatIfNecessary(user);
- String[] usernamePassword = user.getPassword().split(",");
- byte[] salt = DatatypeConverter.parseBase64Binary(usernamePassword[0]);
+ SaltAndPasswordKeys saltAndPasswordKeys = getSaltAndPasswordKeys(username);
try
{
- byte[] saltedPassword = createSaltedPassword(salt, password);
+ byte[] saltedPassword = createSaltedPassword(saltAndPasswordKeys.getSalt(), password);
byte[] clientKey = computeHmac(saltedPassword, "Client Key");
byte[] storedKey = MessageDigest.getInstance(getDigestName()).digest(clientKey);
byte[] serverKey = computeHmac(saltedPassword, "Server Key");
- if(Arrays.equals(DatatypeConverter.parseBase64Binary(usernamePassword[2]), storedKey)
- && Arrays.equals(DatatypeConverter.parseBase64Binary(usernamePassword[3]), serverKey))
-
+ if(Arrays.equals(saltAndPasswordKeys.getStoredKey(), storedKey)
+ && Arrays.equals(saltAndPasswordKeys.getServerKey(), serverKey))
{
return new AuthenticationResult(new UsernamePrincipal(username));
}
}
- catch (IllegalArgumentException | NoSuchAlgorithmException e)
+ catch (IllegalArgumentException | NoSuchAlgorithmException | SaslException e)
{
return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR,e);
}
-
}
return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR);
-
-
}
-
+ @Override
public int getIterationCount()
{
return _iterationCount;
}
- public byte[] getSalt(final String username)
- {
- ManagedUser user = getUser(username);
-
- if(user == null)
- {
- // don't disclose that the user doesn't exist, just generate random data so the failure is indistinguishable
- // from the "wrong password" case
-
- byte[] salt = new byte[32];
- _random.nextBytes(salt);
- return salt;
- }
- else
- {
- return DatatypeConverter.parseBase64Binary(user.getPassword().split(",")[0]);
- }
- }
-
private static final byte[] INT_1 = new byte[]{0, 0, 0, 1};
- private byte[] getStoredKey(final String username) throws SaslException
- {
- ManagedUser user = getUser(username);
- if(user == null)
- {
- throw new SaslException("Authentication Failed");
- }
- else
- {
- updateStoredPasswordFormatIfNecessary(user);
- return DatatypeConverter.parseBase64Binary(user.getPassword().split(",")[2]);
- }
- }
-
- private byte[] getServerKey(final String username) throws SaslException
- {
- ManagedUser user = getUser(username);
- if(user == null)
- {
- throw new SaslException("Authentication Failed");
- }
- else
- {
- updateStoredPasswordFormatIfNecessary(user);
- return DatatypeConverter.parseBase64Binary(user.getPassword().split(",")[3]);
- }
- }
-
-
private void updateStoredPasswordFormatIfNecessary(final ManagedUser user)
{
- if(user.getPassword().split(",").length<4)
+ final String[] passwordFields = user.getPassword().split(",");
+ if(passwordFields.length < 4)
{
- byte[] saltedPassword = DatatypeConverter.parseBase64Binary(user.getPassword().split(",")[1]);
+ byte[] saltedPassword = DatatypeConverter.parseBase64Binary(passwordFields[PasswordField.SALTED_PASSWORD.ordinal()]);
try
{
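Review bot: The two `Arrays.equals` calls on the new `if(Arrays.equals(saltAndPasswordKeys.getStoredKey(), storedKey) && Arrays.equals(saltAndPasswordKeys.getServerKey(), serverKey))` lines return at the first differing byte, so the credential comparison is not constant time even though the caller-supplied password drives the derived keys. `MessageDigest.isEqual` is already reachable (the class imports `MessageDigest` for `digest(clientKey)` on the line above) and is the JDK's length-independent comparison, so the condition should read `if(MessageDigest.isEqual(saltAndPasswordKeys.getStoredKey(), storedKey) && MessageDigest.isEqual(saltAndPasswordKeys.getServerKey(), serverKey))`. Separately, the `if(user != null)` guard at the top of the hunk means an unknown user never reaches `createSaltedPassword`, so response time still distinguishes "no such user" from "wrong password" despite the removed `getSalt` comment stating that goal; a dummy derivation against a throw-away salt on that path would close the gap. The enclosing method starts before this hunk and `updateStoredPasswordFormatIfNecessary` continues past its end.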
@@ -212,7 +160,7 @@ public abstract class AbstractScramAuthe
byte[] serverKey = computeHmac(saltedPassword, "Server Key");
- String password = user.getPassword().split(",")[0] + ",,"
+ String password = passwordFields[PasswordField.SALT.ordinal()] + ",,"
+ DatatypeConverter.printBase64Binary(storedKey) + ","
+ DatatypeConverter.printBase64Binary(serverKey);
@@ -277,8 +225,7 @@ public abstract class AbstractScramAuthe
{
try
{
- byte[] salt = new byte[32];
- _random.nextBytes(salt);
+ byte[] salt = generateSalt();
byte[] saltedPassword = createSaltedPassword(salt, password);
byte[] clientKey = computeHmac(saltedPassword, "Client Key");
@@ -305,29 +252,35 @@ public abstract class AbstractScramAuthe
}
@Override
- public SaltAndSaltedPassword getSaltAndSaltedPassword(final String username)
+ public SaltAndPasswordKeys getSaltAndPasswordKeys(final String username)
{
- final byte[] salt = getSalt(username);
- SaslException tmpException = null;
+ ManagedUser user = getUser(username);
- byte[] tmpStoredKey = null;
- byte[] tmpServerKey = null;
+ final byte[] salt;
+ final byte[] storedKey;
+ final byte[] serverKey;
+ final SaslException exception;
- try
+ if(user == null)
{
- tmpStoredKey = getStoredKey(username);
- tmpServerKey = getServerKey(username);
+ // don't disclose that the user doesn't exist, just generate random data so the failure is indistinguishable
+ // from the "wrong password" case.
+ salt = generateSalt();
+ storedKey = null;
+ serverKey = null;
+ exception = new SaslException("Authentication Failed");
}
- catch (SaslException e)
+ else
{
- tmpException = e;
+ updateStoredPasswordFormatIfNecessary(user);
+ final String[] passwordFields = user.getPassword().split(",");
+ salt = DatatypeConverter.parseBase64Binary(passwordFields[PasswordField.SALT.ordinal()]);
+ storedKey = DatatypeConverter.parseBase64Binary(passwordFields[PasswordField.STORED_KEY.ordinal()]);
+ serverKey = DatatypeConverter.parseBase64Binary(passwordFields[PasswordField.SERVER_KEY.ordinal()]);
+ exception = null;
}
- final byte[] storedKey = tmpStoredKey;
- final byte[] serverKey = tmpServerKey;
- final SaslException exception = tmpException;
-
- return new SaltAndSaltedPassword()
+ return new SaltAndPasswordKeys()
{
@Override
public byte[] getSalt()
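Review bot: The unknown-user branch `salt = generateSalt();` hands out fresh random bytes on every call, while a real user always gets the salt persisted in `passwordFields[PasswordField.SALT.ordinal()]`, so two `getSaltAndPasswordKeys` calls for the same name reveal whether the account exists, which undercuts the "don't disclose that the user doesn't exist" comment directly above it. The usual fix is to make the fake salt a deterministic function of the username, e.g. an HMAC over the username keyed with a per-instance secret drawn once from `_random` at construction, so repeated requests for the same unknown name return the same 32-byte value that `generateSalt` would otherwise produce. The anonymous `SaltAndPasswordKeys` instance and its `getStoredKey`/`getServerKey` accessors continue beyond the end of this hunk.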
@@ -335,7 +288,6 @@ public abstract class AbstractScramAuthe
return salt;
}
-
@Override
public byte[] getStoredKey() throws SaslException
{
@@ -357,4 +309,16 @@ public abstract class AbstractScramAuthe
}
};
}
+
+ private byte[] generateSalt()
+ {
+ byte[] tmpSalt = new byte[32];
+ _random.nextBytes(tmpSalt);
+ return tmpSalt;
+ }
+
+ private enum PasswordField
+ {
+ SALT, SALTED_PASSWORD, STORED_KEY, SERVER_KEY
+ }
}
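Review bot: `PasswordField` is used purely through `ordinal()` as an index into the comma-separated stored password, so the enum's declaration order is the persistence format and nothing in the hunk says so; a comment such as `// Positional fields of the comma-separated stored password: base64 salt, base64 salted password (empty once upgraded), base64 StoredKey, base64 ServerKey. Declaration order is the on-disk order — do not reorder.` would keep a future insertion from silently corrupting every parse. `generateSalt` now centralises salt creation for both real accounts and the decoy path, which is good; the strength of those salts rests on `_random`, whose declaration is outside this hunk, so confirm it is a `SecureRandom` rather than `java.util.Random`.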
Modified: qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java
URL: http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java?rev=1725304&r1=1725303&r2=1725304&view=diff
==============================================================================
--- qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java (original)
+++ qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java Mon Jan 18 16:40:50 2016
@@ -50,7 +50,7 @@ public class ScramSaslServer implements
private String _serverFirstMessage;
private String _clientFirstMessageBare;
private byte[] _serverSignature;
- private ScramSaslServerSource.SaltAndSaltedPassword _saltAndPassword;
+ private ScramSaslServerSource.SaltAndPasswordKeys _saltAndPassword;
public ScramSaslServer(final ScramSaslServerSource authenticationManager,
final String mechanism,
@@ -129,7 +129,7 @@ public class ScramSaslServer implements
_nonce = parts[3].substring(2) + UUID.randomUUID().toString();
int count = _authManager.getIterationCount();
- _saltAndPassword = _authManager.getSaltAndSaltedPassword(_username);
+ _saltAndPassword = _authManager.getSaltAndPasswordKeys(_username);
_serverFirstMessage = "r="+_nonce+",s="+ DatatypeConverter.printBase64Binary(_saltAndPassword.getSalt())+",i=" + count;
return _serverFirstMessage.getBytes(ASCII);
}
Modified: qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSource.java
URL: http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSource.java?rev=1725304&r1=1725303&r2=1725304&view=diff
==============================================================================
--- qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSource.java (original)
+++ qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSource.java Mon Jan 18 16:40:50 2016
@@ -26,7 +26,7 @@ public interface ScramSaslServerSource
{
int getIterationCount();
- interface SaltAndSaltedPassword
+ interface SaltAndPasswordKeys
{
byte[] getSalt();
@@ -35,6 +35,6 @@ public interface ScramSaslServerSource
byte[] getServerKey() throws SaslException;
}
- SaltAndSaltedPassword getSaltAndSaltedPassword(String username);
+ SaltAndPasswordKeys getSaltAndPasswordKeys(String username);
}
Modified: qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSourceAdapter.java
URL: http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSourceAdapter.java?rev=1725304&r1=1725303&r2=1725304&view=diff
==============================================================================
--- qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSourceAdapter.java (original)
+++ qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSourceAdapter.java Mon Jan 18 16:40:50 2016
@@ -85,7 +85,7 @@ public class ScramSaslServerSourceAdapte
}
@Override
- public SaltAndSaltedPassword getSaltAndSaltedPassword(final String username)
+ public SaltAndPasswordKeys getSaltAndPasswordKeys(final String username)
{
final char[] password = _passwordSource.getPassword(username);
final byte[] storedKey;
@@ -138,7 +138,7 @@ public class ScramSaslServerSourceAdapte
serverKey = null;
}
- return new SaltAndSaltedPassword()
+ return new SaltAndPasswordKeys()
{
@Override
public byte[] getSalt()