1 /* 2 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package com.sun.security.sasl; 27 28 import javax.security.sasl.*; 29 import javax.security.auth.callback.*; 30 import java.util.Random; 31 import java.util.Map; 32 import java.io.IOException; 33 import java.io.UnsupportedEncodingException; 34 import java.security.NoSuchAlgorithmException; 35 36 import java.util.logging.Logger; 37 import java.util.logging.Level; 38 39 /** 40 * Implements the CRAM-MD5 SASL server-side mechanism. 41 * (<A HREF="http://www.ietf.org/rfc/rfc2195.txt">RFC 2195</A>). 42 * CRAM-MD5 has no initial response. 43 * 44 * client <---- M={random, timestamp, server-fqdn} ------- server 45 * client ----- {username HMAC_MD5(pw, M)} --------------> server 46 * 47 * CallbackHandler must be able to handle the following callbacks: 48 * - NameCallback: default name is name of user for whom to get password 49 * - PasswordCallback: must fill in password; if empty, no pw 50 * - AuthorizeCallback: must setAuthorized() and canonicalized authorization id 51 * - auth id == authzid, but needed to get canonicalized authzid 52 * 53 * @author Rosanna Lee 54 */ 55 final class CramMD5Server extends CramMD5Base implements SaslServer { 56 private String fqdn; 57 private byte[] challengeData = null; 58 private String authzid; 59 private CallbackHandler cbh; 60 61 /** 62 * Creates a SASL mechanism with client credentials that it needs 63 * to participate in CRAM-MD5 authentication exchange with the server. 64 * 65 * @param authID A non-null string representing the principal 66 * being authenticated. 67 * 68 * @param pw A non-null String or byte[] 69 * containing the password. If it is an array, it is first cloned. 70 */ 71 CramMD5Server(String protocol, String serverFqdn, Map props, 72 CallbackHandler cbh) throws SaslException { 73 if (serverFqdn == null) { 74 throw new SaslException( 75 "CRAM-MD5: fully qualified server name must be specified"); 76 } 77 78 fqdn = serverFqdn; 79 this.cbh = cbh; 80 } 81 82 /** 83 * Generates challenge based on response sent by client. 84 * 85 * CRAM-MD5 has no initial response. 86 * First call generates challenge. 87 * Second call verifies client response. If authentication fails, throws 88 * SaslException. 89 * 90 * @param responseData A non-null byte array containing the response 91 * data from the client. 92 * @return A non-null byte array containing the challenge to be sent to 93 * the client for the first call; null when 2nd call is successful. 94 * @throws SaslException If authentication fails. 95 */ 96 public byte[] evaluateResponse(byte[] responseData) 97 throws SaslException { 98 99 // See if we've been here before 100 if (completed) { 101 throw new IllegalStateException( 102 "CRAM-MD5 authentication already completed"); 103 } 104 105 if (aborted) { 106 throw new IllegalStateException( 107 "CRAM-MD5 authentication previously aborted due to error"); 108 } 109 110 try { 111 if (challengeData == null) { 112 if (responseData.length != 0) { 113 aborted = true; 114 throw new SaslException( 115 "CRAM-MD5 does not expect any initial response"); 116 } 117 118 // Generate challenge {random, timestamp, fqdn} 119 Random random = new Random(); 120 long rand = random.nextLong(); 121 long timestamp = System.currentTimeMillis(); 122 123 StringBuffer buf = new StringBuffer(); 124 buf.append('<'); 125 buf.append(rand); 126 buf.append('.'); 127 buf.append(timestamp); 128 buf.append('@'); 129 buf.append(fqdn); 130 buf.append('>'); 131 String challengeStr = buf.toString(); 132 133 logger.log(Level.FINE, 134 "CRAMSRV01:Generated challenge: {0}", challengeStr); 135 136 challengeData = challengeStr.getBytes("UTF8"); 137 return challengeData.clone(); 138 139 } else { 140 // Examine response to see if correctly encrypted challengeData 141 if(logger.isLoggable(Level.FINE)) { 142 logger.log(Level.FINE, 143 "CRAMSRV02:Received response: {0}", 144 new String(responseData, "UTF8")); 145 } 146 147 // Extract username from response 148 int ulen = 0; 149 for (int i = 0; i < responseData.length; i++) { 150 if (responseData[i] == ' ') { 151 ulen = i; 152 break; 153 } 154 } 155 if (ulen == 0) { 156 aborted = true; 157 throw new SaslException( 158 "CRAM-MD5: Invalid response; space missing"); 159 } 160 String username = new String(responseData, 0, ulen, "UTF8"); 161 162 logger.log(Level.FINE, 163 "CRAMSRV03:Extracted username: {0}", username); 164 165 // Get user's password 166 NameCallback ncb = 167 new NameCallback("CRAM-MD5 authentication ID: ", username); 168 PasswordCallback pcb = 169 new PasswordCallback("CRAM-MD5 password: ", false); 170 cbh.handle(new Callback[]{ncb,pcb}); 171 char pwChars[] = pcb.getPassword(); 172 if (pwChars == null || pwChars.length == 0) { 173 // user has no password; OK to disclose to server 174 aborted = true; 175 throw new SaslException( 176 "CRAM-MD5: username not found: " + username); 177 } 178 pcb.clearPassword(); 179 String pwStr = new String(pwChars); 180 for (int i = 0; i < pwChars.length; i++) { 181 pwChars[i] = 0; 182 } 183 pw = pwStr.getBytes("UTF8"); 184 185 // Generate a keyed-MD5 digest from the user's password and 186 // original challenge. 187 String digest = HMAC_MD5(pw, challengeData); 188 189 logger.log(Level.FINE, 190 "CRAMSRV04:Expecting digest: {0}", digest); 191 192 // clear pw when we no longer need it 193 clearPassword(); 194 195 // Check whether digest is as expected 196 byte [] expectedDigest = digest.getBytes("UTF8"); 197 int digestLen = responseData.length - ulen - 1; 198 if (expectedDigest.length != digestLen) { 199 aborted = true; 200 throw new SaslException("Invalid response"); 201 } 202 int j = 0; 203 for (int i = ulen + 1; i < responseData.length ; i++) { 204 if (expectedDigest[j++] != responseData[i]) { 205 aborted = true; 206 throw new SaslException("Invalid response"); 207 } 208 } 209 210 // All checks out, use AuthorizeCallback to canonicalize name 211 AuthorizeCallback acb = new AuthorizeCallback(username, username); 212 cbh.handle(new Callback[]{acb}); 213 if (acb.isAuthorized()) { 214 authzid = acb.getAuthorizedID(); 215 } else { 216 // Not authorized 217 aborted = true; 218 throw new SaslException( 219 "CRAM-MD5: user not authorized: " + username); 220 } 221 222 logger.log(Level.FINE, 223 "CRAMSRV05:Authorization id: {0}", authzid); 224 225 completed = true; 226 return null; 227 } 228 } catch (UnsupportedEncodingException e) { 229 aborted = true; 230 throw new SaslException("UTF8 not available on platform", e); 231 } catch (NoSuchAlgorithmException e) { 232 aborted = true; 233 throw new SaslException("MD5 algorithm not available on platform", e); 234 } catch (UnsupportedCallbackException e) { 235 aborted = true; 236 throw new SaslException("CRAM-MD5 authentication failed", e); 237 } catch (SaslException e) { 238 throw e; // rethrow 239 } catch (IOException e) { 240 aborted = true; 241 throw new SaslException("CRAM-MD5 authentication failed", e); 242 } 243 } 244 245 public String getAuthorizationID() { 246 if (completed) { 247 return authzid; 248 } else { 249 throw new IllegalStateException( 250 "CRAM-MD5 authentication not completed"); 251 } 252 } 253 }