qpid-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lqu...@apache.org
Subject svn commit: r1727954 - in /qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth: database/ manager/ sasl/scram/
Date Mon, 01 Feb 2016 15:37:37 GMT
Author: lquack
Date: Mon Feb  1 15:37:37 2016
New Revision: 1727954

URL: http://svn.apache.org/viewvc?rev=1727954&view=rev
Log:
QPID-7035: [Java Broker] SCRAM implementation should make iteration count configurable

* Introduce a context variable "qpid.auth.scram.iteration_count" which defaults to 4096
* Change format passwords are stored for SCRAM adding a column for iteration count.

Modified:
    qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java
    qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java
    qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PlainAuthenticationProvider.java
    qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java
    qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java
    qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSource.java
    qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSourceAdapter.java

Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java?rev=1727954&r1=1727953&r2=1727954&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java
(original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java
Mon Feb  1 15:37:37 2016
@@ -36,6 +36,7 @@ import javax.security.sasl.SaslServer;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import org.apache.qpid.server.security.auth.manager.AbstractScramAuthenticationManager;
 import org.apache.qpid.server.security.auth.manager.ScramSHA1AuthenticationManager;
 import org.apache.qpid.server.security.auth.manager.ScramSHA256AuthenticationManager;
 import org.apache.qpid.server.security.auth.sasl.crammd5.CRAMMD5Initialiser;
@@ -87,10 +88,8 @@ public class PlainPasswordFilePrincipalD
                     }
                 };
 
-        _scramSha1Adapter = new ScramSaslServerSourceAdapter(4096, "HmacSHA1", "SHA-1", passwordSource);
-        _scramSha256Adapter = new ScramSaslServerSourceAdapter(4096, "HmacSHA256", "SHA-256",
passwordSource);
-
-
+        _scramSha1Adapter = new ScramSaslServerSourceAdapter(AbstractScramAuthenticationManager.DEFAULT_ITERATION_COUNT,
"HmacSHA1", "SHA-1", passwordSource);
+        _scramSha256Adapter = new ScramSaslServerSourceAdapter(AbstractScramAuthenticationManager.DEFAULT_ITERATION_COUNT,
"HmacSHA256", "SHA-256", passwordSource);
     }
 
 

Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java?rev=1727954&r1=1727953&r2=1727954&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java
(original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java
Mon Feb  1 15:37:37 2016
@@ -39,7 +39,9 @@ import javax.xml.bind.DatatypeConverter;
 
 import com.google.common.util.concurrent.ListenableFuture;
 
+import org.apache.qpid.server.configuration.IllegalConfigurationException;
 import org.apache.qpid.server.model.Broker;
+import org.apache.qpid.server.model.ManagedContextDefault;
 import org.apache.qpid.server.model.PasswordCredentialManagingAuthenticationProvider;
 import org.apache.qpid.server.model.State;
 import org.apache.qpid.server.model.StateTransition;
@@ -57,7 +59,11 @@ public abstract class AbstractScramAuthe
     public static final String PLAIN = "PLAIN";
     private final SecureRandom _random = new SecureRandom();
 
-    private int _iterationCount = 4096;
+    public static final String QPID_AUTHMANAGER_SCRAM_ITERATION_COUNT = "qpid.auth.scram.iteration_count";
+    @ManagedContextDefault(name = QPID_AUTHMANAGER_SCRAM_ITERATION_COUNT)
+    public static final int DEFAULT_ITERATION_COUNT = 4096;
+
+    private int _iterationCount = DEFAULT_ITERATION_COUNT;
 
 
     protected AbstractScramAuthenticationManager(final Map<String, Object> attributes,
final Broker broker)
@@ -68,6 +74,7 @@ public abstract class AbstractScramAuthe
     @StateTransition( currentState = { State.UNINITIALIZED, State.QUIESCED, State.QUIESCED
}, desiredState = State.ACTIVE )
     protected ListenableFuture<Void> activate()
     {
+        _iterationCount = getContextValue(Integer.class, QPID_AUTHMANAGER_SCRAM_ITERATION_COUNT);
         for(ManagedUser user : getUserMap().values())
         {
             updateStoredPasswordFormatIfNecessary(user);
@@ -115,7 +122,7 @@ public abstract class AbstractScramAuthe
             SaltAndPasswordKeys saltAndPasswordKeys = getSaltAndPasswordKeys(username);
             try
             {
-                byte[] saltedPassword = createSaltedPassword(saltAndPasswordKeys.getSalt(),
password);
+                byte[] saltedPassword = createSaltedPassword(saltAndPasswordKeys.getSalt(),
password, saltAndPasswordKeys.getIterationCount());
                 byte[] clientKey = computeHmac(saltedPassword, "Client Key");
 
                 byte[] storedKey = MessageDigest.getInstance(getDigestName()).digest(clientKey);
@@ -148,7 +155,7 @@ public abstract class AbstractScramAuthe
     private void updateStoredPasswordFormatIfNecessary(final ManagedUser user)
     {
         final String[] passwordFields = user.getPassword().split(",");
-        if(passwordFields.length < 4)
+        if (passwordFields.length == 2)
         {
             byte[] saltedPassword = DatatypeConverter.parseBase64Binary(passwordFields[PasswordField.SALTED_PASSWORD.ordinal()]);
 
@@ -160,9 +167,11 @@ public abstract class AbstractScramAuthe
 
                 byte[] serverKey = computeHmac(saltedPassword, "Server Key");
 
-                String password = passwordFields[PasswordField.SALT.ordinal()] + ",,"
+                String password = passwordFields[PasswordField.SALT.ordinal()] + ","
+                                  + "," // remove previously insecure salted password field
                                   + DatatypeConverter.printBase64Binary(storedKey) + ","
-                                  + DatatypeConverter.printBase64Binary(serverKey);
+                                  + DatatypeConverter.printBase64Binary(serverKey) + ","
+                                  + DatatypeConverter.printInt(getIterationCount());
 
                 user.setPassword(password);
             }
@@ -171,9 +180,22 @@ public abstract class AbstractScramAuthe
                 throw new IllegalArgumentException(e);
             }
         }
+        else if (passwordFields.length == 4)
+        {
+            String password = passwordFields[PasswordField.SALT.ordinal()] + ","
+                    + "," // remove previously insecure salted password field
+                    + passwordFields[PasswordField.STORED_KEY.ordinal()] + ","
+                    + passwordFields[PasswordField.SERVER_KEY.ordinal()] + ","
+                    + DatatypeConverter.printInt(getIterationCount());
+            user.setPassword(password);
+        }
+        else if (passwordFields.length != 5)
+        {
+            throw new IllegalConfigurationException("password field for user '" + user.getName()
+ "' has unrecognised format.");
+        }
     }
 
-    private byte[] createSaltedPassword(byte[] salt, String password)
+    private byte[] createSaltedPassword(byte[] salt, String password, int iterationCount)
     {
         Mac mac = createShaHmac(password.getBytes(ASCII));
 
@@ -182,7 +204,7 @@ public abstract class AbstractScramAuthe
         byte[] result = mac.doFinal();
 
         byte[] previous = null;
-        for(int i = 1; i < getIterationCount(); i++)
+        for(int i = 1; i < iterationCount; i++)
         {
             mac.update(previous != null? previous: result);
             previous = mac.doFinal();
@@ -225,16 +247,19 @@ public abstract class AbstractScramAuthe
     {
         try
         {
+            final int iterationCount = getIterationCount();
             byte[] salt = generateSalt();
-            byte[] saltedPassword = createSaltedPassword(salt, password);
+            byte[] saltedPassword = createSaltedPassword(salt, password, iterationCount);
             byte[] clientKey = computeHmac(saltedPassword, "Client Key");
 
             byte[] storedKey = MessageDigest.getInstance(getDigestName()).digest(clientKey);
             byte[] serverKey = computeHmac(saltedPassword, "Server Key");
 
-            return DatatypeConverter.printBase64Binary(salt) + ",,"
+            return DatatypeConverter.printBase64Binary(salt) + ","
+                   + "," // leave insecure salted password field blank
                    + DatatypeConverter.printBase64Binary(storedKey) + ","
-                   + DatatypeConverter.printBase64Binary(serverKey);
+                   + DatatypeConverter.printBase64Binary(serverKey) + ","
+                   + DatatypeConverter.printInt(iterationCount);
         }
         catch (NoSuchAlgorithmException e)
         {
@@ -259,6 +284,7 @@ public abstract class AbstractScramAuthe
         final byte[] salt;
         final byte[] storedKey;
         final byte[] serverKey;
+        final int iterationCount;
         final SaslException exception;
 
         if(user == null)
@@ -268,6 +294,7 @@ public abstract class AbstractScramAuthe
             salt = generateSalt();
             storedKey = null;
             serverKey = null;
+            iterationCount = -1;
             exception = new SaslException("Authentication Failed");
         }
         else
@@ -277,6 +304,7 @@ public abstract class AbstractScramAuthe
             salt = DatatypeConverter.parseBase64Binary(passwordFields[PasswordField.SALT.ordinal()]);
             storedKey = DatatypeConverter.parseBase64Binary(passwordFields[PasswordField.STORED_KEY.ordinal()]);
             serverKey = DatatypeConverter.parseBase64Binary(passwordFields[PasswordField.SERVER_KEY.ordinal()]);
+            iterationCount = DatatypeConverter.parseInt(passwordFields[PasswordField.ITERATION_COUNT.ordinal()]);
             exception = null;
         }
 
@@ -307,6 +335,16 @@ public abstract class AbstractScramAuthe
                 }
                 return serverKey;
             }
+
+            @Override
+            public int getIterationCount() throws SaslException
+            {
+                if(iterationCount < 0)
+                {
+                    throw exception;
+                }
+                return iterationCount;
+            }
         };
     }
 
@@ -319,6 +357,6 @@ public abstract class AbstractScramAuthe
 
     private enum PasswordField
     {
-        SALT, SALTED_PASSWORD, STORED_KEY, SERVER_KEY
+        SALT, SALTED_PASSWORD, STORED_KEY, SERVER_KEY, ITERATION_COUNT
     }
 }

Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PlainAuthenticationProvider.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PlainAuthenticationProvider.java?rev=1727954&r1=1727953&r2=1727954&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PlainAuthenticationProvider.java
(original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PlainAuthenticationProvider.java
Mon Feb  1 15:37:37 2016
@@ -81,8 +81,8 @@ public class PlainAuthenticationProvider
 
 
 
-        _scramSha1Adapter = new ScramSaslServerSourceAdapter(4096, "HmacSHA1", "SHA-1", passwordSource);
-        _scramSha256Adapter = new ScramSaslServerSourceAdapter(4096, "HmacSHA256", "SHA-256",
passwordSource);
+        _scramSha1Adapter = new ScramSaslServerSourceAdapter(AbstractScramAuthenticationManager.DEFAULT_ITERATION_COUNT,
"HmacSHA1", "SHA-1", passwordSource);
+        _scramSha256Adapter = new ScramSaslServerSourceAdapter(AbstractScramAuthenticationManager.DEFAULT_ITERATION_COUNT,
"HmacSHA256", "SHA-256", passwordSource);
 
     }
 

Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java?rev=1727954&r1=1727953&r2=1727954&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java
(original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java
Mon Feb  1 15:37:37 2016
@@ -80,8 +80,8 @@ public class SimpleAuthenticationManager
                     }
                 };
 
-        _scramSha1Adapter = new ScramSaslServerSourceAdapter(4096, "HmacSHA1", "SHA-1", passwordSource);
-        _scramSha256Adapter = new ScramSaslServerSourceAdapter(4096, "HmacSHA256", "SHA-256",
passwordSource);
+        _scramSha1Adapter = new ScramSaslServerSourceAdapter(AbstractScramAuthenticationManager.DEFAULT_ITERATION_COUNT,
"HmacSHA1", "SHA-1", passwordSource);
+        _scramSha256Adapter = new ScramSaslServerSourceAdapter(AbstractScramAuthenticationManager.DEFAULT_ITERATION_COUNT,
"HmacSHA256", "SHA-256", passwordSource);
 
     }
 

Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java?rev=1727954&r1=1727953&r2=1727954&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java
(original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java
Mon Feb  1 15:37:37 2016
@@ -128,9 +128,8 @@ public class ScramSaslServer implements
         }
         _nonce = parts[3].substring(2) + UUID.randomUUID().toString();
 
-        int count = _authManager.getIterationCount();
         _saltAndPassword = _authManager.getSaltAndPasswordKeys(_username);
-        _serverFirstMessage = "r="+_nonce+",s="+ DatatypeConverter.printBase64Binary(_saltAndPassword.getSalt())+",i="
+ count;
+        _serverFirstMessage = "r="+_nonce+",s="+ DatatypeConverter.printBase64Binary(_saltAndPassword.getSalt())+",i="
+ DatatypeConverter.printInt(_saltAndPassword.getIterationCount());
         return _serverFirstMessage.getBytes(ASCII);
     }
 

Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSource.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSource.java?rev=1727954&r1=1727953&r2=1727954&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSource.java
(original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSource.java
Mon Feb  1 15:37:37 2016
@@ -33,6 +33,8 @@ public interface ScramSaslServerSource
         byte[] getStoredKey() throws SaslException;
 
         byte[] getServerKey() throws SaslException;
+
+        int getIterationCount() throws SaslException;
     }
 
     SaltAndPasswordKeys getSaltAndPasswordKeys(String username);

Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSourceAdapter.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSourceAdapter.java?rev=1727954&r1=1727953&r2=1727954&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSourceAdapter.java
(original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSourceAdapter.java
Mon Feb  1 15:37:37 2016
@@ -91,6 +91,7 @@ public class ScramSaslServerSourceAdapte
         final byte[] storedKey;
         final byte[] serverKey;
         final byte[] salt = new byte[32];
+        final int iterationCount = getIterationCount();
         _random.nextBytes(salt);
 
         if(password != null)
@@ -110,7 +111,7 @@ public class ScramSaslServerSourceAdapte
                 byte[] saltedPassword = mac.doFinal();
 
                 byte[] previous = null;
-                for (int i = 1; i < getIterationCount(); i++)
+                for (int i = 1; i < iterationCount; i++)
                 {
                     mac.update(previous != null ? previous : saltedPassword);
                     previous = mac.doFinal();
@@ -167,6 +168,12 @@ public class ScramSaslServerSourceAdapte
                 return serverKey;
             }
 
+            @Override
+            public int getIterationCount() throws SaslException
+            {
+                return iterationCount;
+            }
+
 
         };
     }



---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org


Mime
View raw message