author | iignatyev |
Thu, 05 Jul 2018 20:00:04 -0700 | |
changeset 50997 | b9361d8c58a5 |
parent 47216 | 71c04702a3d5 |
child 59024 | b046ba510bbc |
permissions | -rw-r--r-- |
2 | 1 |
/* |
14342
8435a30053c1
7197491: update copyright year to match last edit in jdk8 jdk repository
alanb
parents:
14340
diff
changeset
|
2 |
* Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
package com.sun.security.sasl; |
|
27 |
||
28 |
import javax.security.sasl.*; |
|
29 |
import javax.security.auth.callback.*; |
|
30 |
import java.util.Random; |
|
31 |
import java.util.Map; |
|
32 |
import java.io.IOException; |
|
33 |
import java.io.UnsupportedEncodingException; |
|
34 |
import java.security.NoSuchAlgorithmException; |
|
35 |
||
36 |
import java.util.logging.Level; |
|
37 |
||
38 |
/** |
|
39 |
* Implements the CRAM-MD5 SASL server-side mechanism. |
|
5820
4f5e99470724
6967036: Need to fix links with // in Javadoc comments
ohair
parents:
5506
diff
changeset
|
40 |
* (<A HREF="http://www.ietf.org/rfc/rfc2195.txt">RFC 2195</A>). |
2 | 41 |
* CRAM-MD5 has no initial response. |
42 |
* |
|
43 |
* client <---- M={random, timestamp, server-fqdn} ------- server |
|
44 |
* client ----- {username HMAC_MD5(pw, M)} --------------> server |
|
45 |
* |
|
46 |
* CallbackHandler must be able to handle the following callbacks: |
|
47 |
* - NameCallback: default name is name of user for whom to get password |
|
48 |
* - PasswordCallback: must fill in password; if empty, no pw |
|
49 |
* - AuthorizeCallback: must setAuthorized() and canonicalized authorization id |
|
50 |
* - auth id == authzid, but needed to get canonicalized authzid |
|
51 |
* |
|
52 |
* @author Rosanna Lee |
|
53 |
*/ |
|
54 |
final class CramMD5Server extends CramMD5Base implements SaslServer { |
|
55 |
private String fqdn; |
|
56 |
private byte[] challengeData = null; |
|
57 |
private String authzid; |
|
58 |
private CallbackHandler cbh; |
|
59 |
||
60 |
/** |
|
14340 | 61 |
* Creates a CRAM-MD5 SASL server. |
2 | 62 |
* |
14340 | 63 |
* @param protocol ignored in CRAM-MD5 |
64 |
* @param serverFqdn non-null, used in generating a challenge |
|
65 |
* @param props ignored in CRAM-MD5 |
|
66 |
* @param cbh find password, authorize user |
|
2 | 67 |
*/ |
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
7668
diff
changeset
|
68 |
CramMD5Server(String protocol, String serverFqdn, Map<String, ?> props, |
2 | 69 |
CallbackHandler cbh) throws SaslException { |
70 |
if (serverFqdn == null) { |
|
71 |
throw new SaslException( |
|
72 |
"CRAM-MD5: fully qualified server name must be specified"); |
|
73 |
} |
|
74 |
||
75 |
fqdn = serverFqdn; |
|
76 |
this.cbh = cbh; |
|
77 |
} |
|
78 |
||
79 |
/** |
|
80 |
* Generates challenge based on response sent by client. |
|
81 |
* |
|
82 |
* CRAM-MD5 has no initial response. |
|
83 |
* First call generates challenge. |
|
84 |
* Second call verifies client response. If authentication fails, throws |
|
85 |
* SaslException. |
|
86 |
* |
|
87 |
* @param responseData A non-null byte array containing the response |
|
88 |
* data from the client. |
|
89 |
* @return A non-null byte array containing the challenge to be sent to |
|
90 |
* the client for the first call; null when 2nd call is successful. |
|
91 |
* @throws SaslException If authentication fails. |
|
92 |
*/ |
|
93 |
public byte[] evaluateResponse(byte[] responseData) |
|
94 |
throws SaslException { |
|
95 |
||
96 |
// See if we've been here before |
|
97 |
if (completed) { |
|
98 |
throw new IllegalStateException( |
|
99 |
"CRAM-MD5 authentication already completed"); |
|
100 |
} |
|
101 |
||
102 |
if (aborted) { |
|
103 |
throw new IllegalStateException( |
|
104 |
"CRAM-MD5 authentication previously aborted due to error"); |
|
105 |
} |
|
106 |
||
107 |
try { |
|
108 |
if (challengeData == null) { |
|
109 |
if (responseData.length != 0) { |
|
110 |
aborted = true; |
|
111 |
throw new SaslException( |
|
112 |
"CRAM-MD5 does not expect any initial response"); |
|
113 |
} |
|
114 |
||
115 |
// Generate challenge {random, timestamp, fqdn} |
|
116 |
Random random = new Random(); |
|
117 |
long rand = random.nextLong(); |
|
118 |
long timestamp = System.currentTimeMillis(); |
|
119 |
||
24969
afa6934dd8e8
8041679: Replace uses of StringBuffer with StringBuilder within core library classes
psandoz
parents:
14342
diff
changeset
|
120 |
StringBuilder sb = new StringBuilder(); |
afa6934dd8e8
8041679: Replace uses of StringBuffer with StringBuilder within core library classes
psandoz
parents:
14342
diff
changeset
|
121 |
sb.append('<'); |
afa6934dd8e8
8041679: Replace uses of StringBuffer with StringBuilder within core library classes
psandoz
parents:
14342
diff
changeset
|
122 |
sb.append(rand); |
afa6934dd8e8
8041679: Replace uses of StringBuffer with StringBuilder within core library classes
psandoz
parents:
14342
diff
changeset
|
123 |
sb.append('.'); |
afa6934dd8e8
8041679: Replace uses of StringBuffer with StringBuilder within core library classes
psandoz
parents:
14342
diff
changeset
|
124 |
sb.append(timestamp); |
afa6934dd8e8
8041679: Replace uses of StringBuffer with StringBuilder within core library classes
psandoz
parents:
14342
diff
changeset
|
125 |
sb.append('@'); |
afa6934dd8e8
8041679: Replace uses of StringBuffer with StringBuilder within core library classes
psandoz
parents:
14342
diff
changeset
|
126 |
sb.append(fqdn); |
afa6934dd8e8
8041679: Replace uses of StringBuffer with StringBuilder within core library classes
psandoz
parents:
14342
diff
changeset
|
127 |
sb.append('>'); |
afa6934dd8e8
8041679: Replace uses of StringBuffer with StringBuilder within core library classes
psandoz
parents:
14342
diff
changeset
|
128 |
String challengeStr = sb.toString(); |
2 | 129 |
|
130 |
logger.log(Level.FINE, |
|
131 |
"CRAMSRV01:Generated challenge: {0}", challengeStr); |
|
132 |
||
133 |
challengeData = challengeStr.getBytes("UTF8"); |
|
134 |
return challengeData.clone(); |
|
135 |
||
136 |
} else { |
|
137 |
// Examine response to see if correctly encrypted challengeData |
|
138 |
if(logger.isLoggable(Level.FINE)) { |
|
139 |
logger.log(Level.FINE, |
|
140 |
"CRAMSRV02:Received response: {0}", |
|
141 |
new String(responseData, "UTF8")); |
|
142 |
} |
|
143 |
||
144 |
// Extract username from response |
|
145 |
int ulen = 0; |
|
146 |
for (int i = 0; i < responseData.length; i++) { |
|
147 |
if (responseData[i] == ' ') { |
|
148 |
ulen = i; |
|
149 |
break; |
|
150 |
} |
|
151 |
} |
|
152 |
if (ulen == 0) { |
|
153 |
aborted = true; |
|
154 |
throw new SaslException( |
|
155 |
"CRAM-MD5: Invalid response; space missing"); |
|
156 |
} |
|
157 |
String username = new String(responseData, 0, ulen, "UTF8"); |
|
158 |
||
159 |
logger.log(Level.FINE, |
|
160 |
"CRAMSRV03:Extracted username: {0}", username); |
|
161 |
||
162 |
// Get user's password |
|
163 |
NameCallback ncb = |
|
164 |
new NameCallback("CRAM-MD5 authentication ID: ", username); |
|
165 |
PasswordCallback pcb = |
|
166 |
new PasswordCallback("CRAM-MD5 password: ", false); |
|
167 |
cbh.handle(new Callback[]{ncb,pcb}); |
|
31538
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
25859
diff
changeset
|
168 |
char[] pwChars = pcb.getPassword(); |
2 | 169 |
if (pwChars == null || pwChars.length == 0) { |
170 |
// user has no password; OK to disclose to server |
|
171 |
aborted = true; |
|
172 |
throw new SaslException( |
|
173 |
"CRAM-MD5: username not found: " + username); |
|
174 |
} |
|
175 |
pcb.clearPassword(); |
|
176 |
String pwStr = new String(pwChars); |
|
177 |
for (int i = 0; i < pwChars.length; i++) { |
|
178 |
pwChars[i] = 0; |
|
179 |
} |
|
180 |
pw = pwStr.getBytes("UTF8"); |
|
181 |
||
182 |
// Generate a keyed-MD5 digest from the user's password and |
|
183 |
// original challenge. |
|
184 |
String digest = HMAC_MD5(pw, challengeData); |
|
185 |
||
186 |
logger.log(Level.FINE, |
|
187 |
"CRAMSRV04:Expecting digest: {0}", digest); |
|
188 |
||
189 |
// clear pw when we no longer need it |
|
190 |
clearPassword(); |
|
191 |
||
192 |
// Check whether digest is as expected |
|
31538
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
25859
diff
changeset
|
193 |
byte[] expectedDigest = digest.getBytes("UTF8"); |
2 | 194 |
int digestLen = responseData.length - ulen - 1; |
195 |
if (expectedDigest.length != digestLen) { |
|
196 |
aborted = true; |
|
197 |
throw new SaslException("Invalid response"); |
|
198 |
} |
|
199 |
int j = 0; |
|
200 |
for (int i = ulen + 1; i < responseData.length ; i++) { |
|
201 |
if (expectedDigest[j++] != responseData[i]) { |
|
202 |
aborted = true; |
|
203 |
throw new SaslException("Invalid response"); |
|
204 |
} |
|
205 |
} |
|
206 |
||
207 |
// All checks out, use AuthorizeCallback to canonicalize name |
|
208 |
AuthorizeCallback acb = new AuthorizeCallback(username, username); |
|
209 |
cbh.handle(new Callback[]{acb}); |
|
210 |
if (acb.isAuthorized()) { |
|
211 |
authzid = acb.getAuthorizedID(); |
|
212 |
} else { |
|
213 |
// Not authorized |
|
214 |
aborted = true; |
|
215 |
throw new SaslException( |
|
216 |
"CRAM-MD5: user not authorized: " + username); |
|
217 |
} |
|
218 |
||
219 |
logger.log(Level.FINE, |
|
220 |
"CRAMSRV05:Authorization id: {0}", authzid); |
|
221 |
||
222 |
completed = true; |
|
223 |
return null; |
|
224 |
} |
|
225 |
} catch (UnsupportedEncodingException e) { |
|
226 |
aborted = true; |
|
227 |
throw new SaslException("UTF8 not available on platform", e); |
|
228 |
} catch (NoSuchAlgorithmException e) { |
|
229 |
aborted = true; |
|
230 |
throw new SaslException("MD5 algorithm not available on platform", e); |
|
231 |
} catch (UnsupportedCallbackException e) { |
|
232 |
aborted = true; |
|
233 |
throw new SaslException("CRAM-MD5 authentication failed", e); |
|
234 |
} catch (SaslException e) { |
|
235 |
throw e; // rethrow |
|
236 |
} catch (IOException e) { |
|
237 |
aborted = true; |
|
238 |
throw new SaslException("CRAM-MD5 authentication failed", e); |
|
239 |
} |
|
240 |
} |
|
241 |
||
242 |
public String getAuthorizationID() { |
|
243 |
if (completed) { |
|
244 |
return authzid; |
|
245 |
} else { |
|
246 |
throw new IllegalStateException( |
|
247 |
"CRAM-MD5 authentication not completed"); |
|
248 |
} |
|
249 |
} |
|
250 |
} |