Posted to commits@qpid.apache.org by lq...@apache.org on 2016/02/01 16:37:37 UTC
svn commit: r1727954 - in
/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth:
database/ manager/ sasl/scram/
Author: lquack
Date: Mon Feb 1 15:37:37 2016
New Revision: 1727954
URL: http://svn.apache.org/viewvc?rev=1727954&view=rev
Log:
QPID-7035: [Java Broker] SCRAM implementation should make iteration count configurable
* Introduce a context variable "qpid.auth.scram.iteration_count" which defaults to 4096
* Change the format in which passwords are stored for SCRAM, adding a column for the iteration count.
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PlainAuthenticationProvider.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSource.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSourceAdapter.java
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java?rev=1727954&r1=1727953&r2=1727954&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java Mon Feb 1 15:37:37 2016
@@ -36,6 +36,7 @@ import javax.security.sasl.SaslServer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import org.apache.qpid.server.security.auth.manager.AbstractScramAuthenticationManager;
import org.apache.qpid.server.security.auth.manager.ScramSHA1AuthenticationManager;
import org.apache.qpid.server.security.auth.manager.ScramSHA256AuthenticationManager;
import org.apache.qpid.server.security.auth.sasl.crammd5.CRAMMD5Initialiser;
@@ -87,10 +88,8 @@ public class PlainPasswordFilePrincipalD
}
};
- _scramSha1Adapter = new ScramSaslServerSourceAdapter(4096, "HmacSHA1", "SHA-1", passwordSource);
- _scramSha256Adapter = new ScramSaslServerSourceAdapter(4096, "HmacSHA256", "SHA-256", passwordSource);
-
-
+ _scramSha1Adapter = new ScramSaslServerSourceAdapter(AbstractScramAuthenticationManager.DEFAULT_ITERATION_COUNT, "HmacSHA1", "SHA-1", passwordSource);
+ _scramSha256Adapter = new ScramSaslServerSourceAdapter(AbstractScramAuthenticationManager.DEFAULT_ITERATION_COUNT, "HmacSHA256", "SHA-256", passwordSource);
}
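Review bot: The adapters are still constructed with the fixed `AbstractScramAuthenticationManager.DEFAULT_ITERATION_COUNT`, so the new `qpid.auth.scram.iteration_count` context variable governs only the SCRAM authentication managers and not the SCRAM mechanisms backed by this plain-password database; the PlainAuthenticationProvider and SimpleAuthenticationManager hunks in this commit have the same shape. If that is intended, a comment such as `// plain-password SCRAM adapters use the fixed default; qpid.auth.scram.iteration_count is not consulted here` would make the asymmetry explicit; otherwise the count should be sourced from the provider's configuration rather than the constant. The enclosing method starts outside the hunk.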
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java?rev=1727954&r1=1727953&r2=1727954&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java Mon Feb 1 15:37:37 2016
@@ -39,7 +39,9 @@ import javax.xml.bind.DatatypeConverter;
import com.google.common.util.concurrent.ListenableFuture;
+import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.Broker;
+import org.apache.qpid.server.model.ManagedContextDefault;
import org.apache.qpid.server.model.PasswordCredentialManagingAuthenticationProvider;
import org.apache.qpid.server.model.State;
import org.apache.qpid.server.model.StateTransition;
@@ -57,7 +59,11 @@ public abstract class AbstractScramAuthe
public static final String PLAIN = "PLAIN";
private final SecureRandom _random = new SecureRandom();
- private int _iterationCount = 4096;
+ public static final String QPID_AUTHMANAGER_SCRAM_ITERATION_COUNT = "qpid.auth.scram.iteration_count";
+ @ManagedContextDefault(name = QPID_AUTHMANAGER_SCRAM_ITERATION_COUNT)
+ public static final int DEFAULT_ITERATION_COUNT = 4096;
+
+ private int _iterationCount = DEFAULT_ITERATION_COUNT;
protected AbstractScramAuthenticationManager(final Map<String, Object> attributes, final Broker broker)
@@ -68,6 +74,7 @@ public abstract class AbstractScramAuthe
@StateTransition( currentState = { State.UNINITIALIZED, State.QUIESCED, State.QUIESCED }, desiredState = State.ACTIVE )
protected ListenableFuture<Void> activate()
{
+ _iterationCount = getContextValue(Integer.class, QPID_AUTHMANAGER_SCRAM_ITERATION_COUNT);
for(ManagedUser user : getUserMap().values())
{
updateStoredPasswordFormatIfNecessary(user);
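Review bot: The context value assigned on the first line of activate() is not validated, and the derivation loop `for(int i = 1; i < iterationCount; i++)` in createSaltedPassword (later in this commit) performs a single HMAC round for any value of 1 or less, so a misconfigured `qpid.auth.scram.iteration_count` of 0 or a negative number silently weakens every newly stored password instead of failing. Rejecting bad values at activation, `if (_iterationCount < 1) { throw new IllegalConfigurationException(QPID_AUTHMANAGER_SCRAM_ITERATION_COUNT + " must be at least 1, was " + _iterationCount); }`, keeps the error where an operator will see it, and IllegalConfigurationException is already imported in this file. RFC 5802 recommends a minimum of 4096, so logging a warning below that (and considering a sanity cap above it, since the cost is paid on every authentication) would also be reasonable. activate() continues past the hunk.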
@@ -115,7 +122,7 @@ public abstract class AbstractScramAuthe
SaltAndPasswordKeys saltAndPasswordKeys = getSaltAndPasswordKeys(username);
try
{
- byte[] saltedPassword = createSaltedPassword(saltAndPasswordKeys.getSalt(), password);
+ byte[] saltedPassword = createSaltedPassword(saltAndPasswordKeys.getSalt(), password, saltAndPasswordKeys.getIterationCount());
byte[] clientKey = computeHmac(saltedPassword, "Client Key");
byte[] storedKey = MessageDigest.getInstance(getDigestName()).digest(clientKey);
@@ -148,7 +155,7 @@ public abstract class AbstractScramAuthe
private void updateStoredPasswordFormatIfNecessary(final ManagedUser user)
{
final String[] passwordFields = user.getPassword().split(",");
- if(passwordFields.length < 4)
+ if (passwordFields.length == 2)
{
byte[] saltedPassword = DatatypeConverter.parseBase64Binary(passwordFields[PasswordField.SALTED_PASSWORD.ordinal()]);
@@ -160,9 +167,11 @@ public abstract class AbstractScramAuthe
byte[] serverKey = computeHmac(saltedPassword, "Server Key");
- String password = passwordFields[PasswordField.SALT.ordinal()] + ",,"
+ String password = passwordFields[PasswordField.SALT.ordinal()] + ","
+ + "," // remove previously insecure salted password field
+ DatatypeConverter.printBase64Binary(storedKey) + ","
- + DatatypeConverter.printBase64Binary(serverKey);
+ + DatatypeConverter.printBase64Binary(serverKey) + ","
+ + DatatypeConverter.printInt(getIterationCount());
user.setPassword(password);
}
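Review bot: The migrated record is stamped with `getIterationCount()` on its last line, but the salted password reused here was derived under the previously hard-coded `_iterationCount = 4096` removed earlier in this file; if an operator sets `qpid.auth.scram.iteration_count` to any other value before the first activation after upgrading, the stored record advertises a count the keys were not derived with and those users can no longer authenticate. The 4-field branch added in the next hunk has the same problem. Both places should write `+ DatatypeConverter.printInt(DEFAULT_ITERATION_COUNT);`, since that is the count the legacy material was created with; the configured value is only correct for passwords produced by createStoredPassword. updateStoredPasswordFormatIfNecessary starts before this hunk and ends in the next.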
@@ -171,9 +180,22 @@ public abstract class AbstractScramAuthe
throw new IllegalArgumentException(e);
}
}
+ else if (passwordFields.length == 4)
+ {
+ String password = passwordFields[PasswordField.SALT.ordinal()] + ","
+ + "," // remove previously insecure salted password field
+ + passwordFields[PasswordField.STORED_KEY.ordinal()] + ","
+ + passwordFields[PasswordField.SERVER_KEY.ordinal()] + ","
+ + DatatypeConverter.printInt(getIterationCount());
+ user.setPassword(password);
+ }
+ else if (passwordFields.length != 5)
+ {
+ throw new IllegalConfigurationException("password field for user '" + user.getName() + "' has unrecognised format.");
+ }
}
- private byte[] createSaltedPassword(byte[] salt, String password)
+ private byte[] createSaltedPassword(byte[] salt, String password, int iterationCount)
{
Mac mac = createShaHmac(password.getBytes(ASCII));
@@ -182,7 +204,7 @@ public abstract class AbstractScramAuthe
byte[] result = mac.doFinal();
byte[] previous = null;
- for(int i = 1; i < getIterationCount(); i++)
+ for(int i = 1; i < iterationCount; i++)
{
mac.update(previous != null? previous: result);
previous = mac.doFinal();
@@ -225,16 +247,19 @@ public abstract class AbstractScramAuthe
{
try
{
+ final int iterationCount = getIterationCount();
byte[] salt = generateSalt();
- byte[] saltedPassword = createSaltedPassword(salt, password);
+ byte[] saltedPassword = createSaltedPassword(salt, password, iterationCount);
byte[] clientKey = computeHmac(saltedPassword, "Client Key");
byte[] storedKey = MessageDigest.getInstance(getDigestName()).digest(clientKey);
byte[] serverKey = computeHmac(saltedPassword, "Server Key");
- return DatatypeConverter.printBase64Binary(salt) + ",,"
+ return DatatypeConverter.printBase64Binary(salt) + ","
+ + "," // leave insecure salted password field blank
+ DatatypeConverter.printBase64Binary(storedKey) + ","
- + DatatypeConverter.printBase64Binary(serverKey);
+ + DatatypeConverter.printBase64Binary(serverKey) + ","
+ + DatatypeConverter.printInt(iterationCount);
}
catch (NoSuchAlgorithmException e)
{
@@ -259,6 +284,7 @@ public abstract class AbstractScramAuthe
final byte[] salt;
final byte[] storedKey;
final byte[] serverKey;
+ final int iterationCount;
final SaslException exception;
if(user == null)
@@ -268,6 +294,7 @@ public abstract class AbstractScramAuthe
salt = generateSalt();
storedKey = null;
serverKey = null;
+ iterationCount = -1;
exception = new SaslException("Authentication Failed");
}
else
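Review bot: Setting `iterationCount = -1` for an unknown user, combined with the `getIterationCount()` override added further down that throws the stored exception when the count is negative, means ScramSaslServer (its hunk in this commit calls `_saltAndPassword.getIterationCount()` while building the server-first message) now fails on the first round for unknown users, whereas for known users it proceeds to the client-final step. The freshly generated salt on the line above appears to exist precisely so the first exchange looks the same for existing and non-existing accounts; the new field undoes that and lets a client tell valid usernames apart from the server's first response. Assigning the configured count instead, `iterationCount = getIterationCount();`, keeps the failure deferred to getStoredKey()/getServerKey() as before, and the override can then return the field unconditionally as ScramSaslServerSourceAdapter's does. getSaltAndPasswordKeys starts before this hunk and ends after it.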
@@ -277,6 +304,7 @@ public abstract class AbstractScramAuthe
salt = DatatypeConverter.parseBase64Binary(passwordFields[PasswordField.SALT.ordinal()]);
storedKey = DatatypeConverter.parseBase64Binary(passwordFields[PasswordField.STORED_KEY.ordinal()]);
serverKey = DatatypeConverter.parseBase64Binary(passwordFields[PasswordField.SERVER_KEY.ordinal()]);
+ iterationCount = DatatypeConverter.parseInt(passwordFields[PasswordField.ITERATION_COUNT.ordinal()]);
exception = null;
}
@@ -307,6 +335,16 @@ public abstract class AbstractScramAuthe
}
return serverKey;
}
+
+ @Override
+ public int getIterationCount() throws SaslException
+ {
+ if(iterationCount < 0)
+ {
+ throw exception;
+ }
+ return iterationCount;
+ }
};
}
@@ -319,6 +357,6 @@ public abstract class AbstractScramAuthe
private enum PasswordField
{
- SALT, SALTED_PASSWORD, STORED_KEY, SERVER_KEY
+ SALT, SALTED_PASSWORD, STORED_KEY, SERVER_KEY, ITERATION_COUNT
}
}
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PlainAuthenticationProvider.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PlainAuthenticationProvider.java?rev=1727954&r1=1727953&r2=1727954&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PlainAuthenticationProvider.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PlainAuthenticationProvider.java Mon Feb 1 15:37:37 2016
@@ -81,8 +81,8 @@ public class PlainAuthenticationProvider
- _scramSha1Adapter = new ScramSaslServerSourceAdapter(4096, "HmacSHA1", "SHA-1", passwordSource);
- _scramSha256Adapter = new ScramSaslServerSourceAdapter(4096, "HmacSHA256", "SHA-256", passwordSource);
+ _scramSha1Adapter = new ScramSaslServerSourceAdapter(AbstractScramAuthenticationManager.DEFAULT_ITERATION_COUNT, "HmacSHA1", "SHA-1", passwordSource);
+ _scramSha256Adapter = new ScramSaslServerSourceAdapter(AbstractScramAuthenticationManager.DEFAULT_ITERATION_COUNT, "HmacSHA256", "SHA-256", passwordSource);
}
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java?rev=1727954&r1=1727953&r2=1727954&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java Mon Feb 1 15:37:37 2016
@@ -80,8 +80,8 @@ public class SimpleAuthenticationManager
}
};
- _scramSha1Adapter = new ScramSaslServerSourceAdapter(4096, "HmacSHA1", "SHA-1", passwordSource);
- _scramSha256Adapter = new ScramSaslServerSourceAdapter(4096, "HmacSHA256", "SHA-256", passwordSource);
+ _scramSha1Adapter = new ScramSaslServerSourceAdapter(AbstractScramAuthenticationManager.DEFAULT_ITERATION_COUNT, "HmacSHA1", "SHA-1", passwordSource);
+ _scramSha256Adapter = new ScramSaslServerSourceAdapter(AbstractScramAuthenticationManager.DEFAULT_ITERATION_COUNT, "HmacSHA256", "SHA-256", passwordSource);
}
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java?rev=1727954&r1=1727953&r2=1727954&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java Mon Feb 1 15:37:37 2016
@@ -128,9 +128,8 @@ public class ScramSaslServer implements
}
_nonce = parts[3].substring(2) + UUID.randomUUID().toString();
- int count = _authManager.getIterationCount();
_saltAndPassword = _authManager.getSaltAndPasswordKeys(_username);
- _serverFirstMessage = "r="+_nonce+",s="+ DatatypeConverter.printBase64Binary(_saltAndPassword.getSalt())+",i=" + count;
+ _serverFirstMessage = "r="+_nonce+",s="+ DatatypeConverter.printBase64Binary(_saltAndPassword.getSalt())+",i=" + DatatypeConverter.printInt(_saltAndPassword.getIterationCount());
return _serverFirstMessage.getBytes(ASCII);
}
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSource.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSource.java?rev=1727954&r1=1727953&r2=1727954&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSource.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSource.java Mon Feb 1 15:37:37 2016
@@ -33,6 +33,8 @@ public interface ScramSaslServerSource
byte[] getStoredKey() throws SaslException;
byte[] getServerKey() throws SaslException;
+
+ int getIterationCount() throws SaslException;
}
SaltAndPasswordKeys getSaltAndPasswordKeys(String username);
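Review bot: The new `int getIterationCount() throws SaslException;` carries no Javadoc, and its contract matters because ScramSaslServer sends the value to the client in the server-first message and the client derives its proof from it. A comment such as `/** Returns the iteration count with which the stored key and server key were derived; it is advertised to the client, so it must match the derivation exactly. */` would pin that down for implementers of the interface.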
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSourceAdapter.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSourceAdapter.java?rev=1727954&r1=1727953&r2=1727954&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSourceAdapter.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSourceAdapter.java Mon Feb 1 15:37:37 2016
@@ -91,6 +91,7 @@ public class ScramSaslServerSourceAdapte
final byte[] storedKey;
final byte[] serverKey;
final byte[] salt = new byte[32];
+ final int iterationCount = getIterationCount();
_random.nextBytes(salt);
if(password != null)
@@ -110,7 +111,7 @@ public class ScramSaslServerSourceAdapte
byte[] saltedPassword = mac.doFinal();
byte[] previous = null;
- for (int i = 1; i < getIterationCount(); i++)
+ for (int i = 1; i < iterationCount; i++)
{
mac.update(previous != null ? previous : saltedPassword);
previous = mac.doFinal();
@@ -167,6 +168,12 @@ public class ScramSaslServerSourceAdapte
return serverKey;
}
+ @Override
+ public int getIterationCount() throws SaslException
+ {
+ return iterationCount;
+ }
+
};
}