Commit 737f2a76 authored by Dave Cridland's avatar Dave Cridland Committed by Guus der Kinderen

OF-1381 Close SCRAM enumeration attack

getIterations() threw an exception which
caused early termination of the SASL exchange.

Spotted by Phil Roberts of Surevine Ltd.
parent 6d240f6e
...@@ -35,6 +35,7 @@ import org.jivesoftware.openfire.auth.ConnectionException; ...@@ -35,6 +35,7 @@ import org.jivesoftware.openfire.auth.ConnectionException;
import org.jivesoftware.openfire.auth.InternalUnauthenticatedException; import org.jivesoftware.openfire.auth.InternalUnauthenticatedException;
import org.jivesoftware.openfire.auth.ScramUtils; import org.jivesoftware.openfire.auth.ScramUtils;
import org.jivesoftware.openfire.user.UserNotFoundException; import org.jivesoftware.openfire.user.UserNotFoundException;
import org.jivesoftware.util.JiveGlobals;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
...@@ -55,7 +56,7 @@ public class ScramSha1SaslServer implements SaslServer { ...@@ -55,7 +56,7 @@ public class ScramSha1SaslServer implements SaslServer {
private String serverFirstMessage; private String serverFirstMessage;
private String clientFirstMessageBare; private String clientFirstMessageBare;
private SecureRandom random = new SecureRandom(); private SecureRandom random = new SecureRandom();
private enum State { private enum State {
INITIAL, INITIAL,
IN_PROGRESS, IN_PROGRESS,
...@@ -149,14 +150,9 @@ public class ScramSha1SaslServer implements SaslServer { ...@@ -149,14 +150,9 @@ public class ScramSha1SaslServer implements SaslServer {
String clientNonce = m.group(7); String clientNonce = m.group(7);
nonce = clientNonce + UUID.randomUUID().toString(); nonce = clientNonce + UUID.randomUUID().toString();
try { serverFirstMessage = String.format("r=%s,s=%s,i=%d", nonce, DatatypeConverter.printBase64Binary(getSalt(username)),
serverFirstMessage = String.format("r=%s,s=%s,i=%d", nonce, DatatypeConverter.printBase64Binary(getSalt(username)), getIterations(username));
getIterations(username)); return serverFirstMessage.getBytes(StandardCharsets.UTF_8);
} catch (UserNotFoundException e) {
throw new SaslException(e.getMessage(), e);
}
return serverFirstMessage.getBytes(StandardCharsets.UTF_8);
} }
/** /**
...@@ -332,8 +328,13 @@ public class ScramSha1SaslServer implements SaslServer { ...@@ -332,8 +328,13 @@ public class ScramSha1SaslServer implements SaslServer {
/** /**
* Retrieve the iteration count from the database for a given username. * Retrieve the iteration count from the database for a given username.
*/ */
private int getIterations(final String username) throws UserNotFoundException { private int getIterations(final String username) {
return AuthFactory.getIterations(username); try {
return AuthFactory.getIterations(username);
} catch (UserNotFoundException e) {
return JiveGlobals.getIntProperty("sasl.scram-sha-1.iteration-count",
ScramUtils.DEFAULT_ITERATION_COUNT);
}
} }
/** /**
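Review bot: The fallback in the new `catch (UserNotFoundException e)` branch only closes the enumeration channel if the rest of the server-first message is also indistinguishable for unknown users; the `s=` field on the new side of the earlier hunk still comes from `getSalt(username)`, which is not visible here. If that helper returns a freshly random salt for each unknown account while real accounts have a stable stored salt, a client can still enumerate by sending the same client-first message twice and comparing the two `s=` values, so the unknown-user salt should presumably be derived deterministically from the username (e.g. an HMAC keyed with a server secret) — please confirm against `getSalt`. Likewise the `sasl.scram-sha-1.iteration-count` default only hides the account if it matches the `i=` value stored for existing users; accounts created under a different count would still stand out. A short comment on the catch would make the intent survive future edits, e.g. `// Unknown user: return the same iteration count a real account would have, so the SASL exchange cannot be used to enumerate accounts (OF-1381).`, and since `e` is deliberately unused it could be named `ignored`.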