Commit 6fb94d7f authored by Dave Cridland's avatar Dave Cridland Committed by Guus der Kinderen

OF-1381 Close SCRAM enumeration attack

getIterations() threw an exception which
caused early termination of the SASL exchange.

Spotted by Phil Roberts of Surevine Ltd.
parent 5f76e76d
...@@ -39,6 +39,7 @@ import org.jivesoftware.openfire.auth.ConnectionException; ...@@ -39,6 +39,7 @@ import org.jivesoftware.openfire.auth.ConnectionException;
import org.jivesoftware.openfire.auth.InternalUnauthenticatedException; import org.jivesoftware.openfire.auth.InternalUnauthenticatedException;
import org.jivesoftware.openfire.auth.ScramUtils; import org.jivesoftware.openfire.auth.ScramUtils;
import org.jivesoftware.openfire.user.UserNotFoundException; import org.jivesoftware.openfire.user.UserNotFoundException;
import org.jivesoftware.util.JiveGlobals;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
...@@ -153,13 +154,8 @@ public class ScramSha1SaslServer implements SaslServer { ...@@ -153,13 +154,8 @@ public class ScramSha1SaslServer implements SaslServer {
String clientNonce = m.group(7); String clientNonce = m.group(7);
nonce = clientNonce + UUID.randomUUID().toString(); nonce = clientNonce + UUID.randomUUID().toString();
try {
serverFirstMessage = String.format("r=%s,s=%s,i=%d", nonce, DatatypeConverter.printBase64Binary(getSalt(username)), serverFirstMessage = String.format("r=%s,s=%s,i=%d", nonce, DatatypeConverter.printBase64Binary(getSalt(username)),
getIterations(username)); getIterations(username));
} catch (UserNotFoundException e) {
throw new SaslException(e.getMessage(), e);
}
return serverFirstMessage.getBytes(StandardCharsets.UTF_8); return serverFirstMessage.getBytes(StandardCharsets.UTF_8);
} }
...@@ -336,8 +332,13 @@ public class ScramSha1SaslServer implements SaslServer { ...@@ -336,8 +332,13 @@ public class ScramSha1SaslServer implements SaslServer {
/** /**
* Retrieve the iteration count from the database for a given username. * Retrieve the iteration count from the database for a given username.
*/ */
private int getIterations(final String username) throws UserNotFoundException { private int getIterations(final String username) {
try {
return AuthFactory.getIterations(username); return AuthFactory.getIterations(username);
} catch (UserNotFoundException e) {
return JiveGlobals.getIntProperty("sasl.scram-sha-1.iteration-count",
ScramUtils.DEFAULT_ITERATION_COUNT);
}
} }
/** /**
......
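Review bot: The fallback added in `getIterations` (third hunk, `@@ -336`) only closes the enumeration if the value returned for an unknown user is indistinguishable from the one a real account yields, and the other half of the server-first message, `getSalt(username)` on the `String.format` line of the second hunk, is outside this diff, so it cannot be confirmed here that an unknown name gets a stable, account-like salt rather than an exception or a fresh random value. If the configured `sasl.scram-sha-1.iteration-count` differs from the count stored for existing users, or the salt changes between requests for the same unknown name, the server-first message still reveals whether the account exists; worth checking alongside this change. The new catch block also deserves a why-comment, since the silent swallow looks like a bug to a later reader and may be reverted to a throw: `// Deliberate: unknown users get the default count so the exchange does not reveal whether the account exists (OF-1381).` The Javadoc above the method should say the same, e.g. `* Falls back to the configured default iteration count when the user is unknown.`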