|
16 | 16 |
|
17 | 17 | package org.jivesoftware.openfire.auth; |
18 | 18 |
|
19 | | -import java.security.MessageDigest; |
20 | 19 | import java.security.NoSuchAlgorithmException; |
21 | 20 | import java.security.SecureRandom; |
22 | 21 | import java.sql.Connection; |
@@ -345,17 +344,16 @@ public boolean checkPassword(String username, String testPassword) throws UserNo |
345 | 344 | Log.debug("No available SCRAM-SHA-1 credentials for checkPassword for user {}", username); |
346 | 345 | return false; |
347 | 346 | } |
348 | | - final byte[] testStoredKey; |
349 | 347 | try { |
350 | 348 | final byte[] saltShaker = DatatypeConverter.parseBase64Binary(credential.salt); |
351 | | - final byte[] saltedPassword = ScramUtils.createSaltedPassword(saltShaker, testPassword, credential.iterations, ScramSha1SaslServer.HMAC_ALGORITHM_NAME); |
352 | | - final byte[] clientKey = ScramUtils.computeHmac(saltedPassword, "Client Key", ScramSha1SaslServer.HMAC_ALGORITHM_NAME); |
353 | | - testStoredKey = MessageDigest.getInstance(ScramSha1SaslServer.DIGEST_ALGORITHM_NAME).digest(clientKey); |
| 349 | + final ScramUtils.ScramKeys keys = ScramUtils.deriveScramKeys( |
| 350 | + saltShaker, testPassword, credential.iterations, |
| 351 | + ScramSha1SaslServer.HMAC_ALGORITHM_NAME, ScramSha1SaslServer.DIGEST_ALGORITHM_NAME); |
| 352 | + return DatatypeConverter.printBase64Binary(keys.storedKey).equals(credential.storedKey); |
354 | 353 | } catch(SaslException | NoSuchAlgorithmException | IllegalArgumentException e) { |
355 | 354 | Log.warn("Unable to check SCRAM values for PLAIN authentication for user '{}'", username, e); |
356 | 355 | return false; |
357 | 356 | } |
358 | | - return DatatypeConverter.printBase64Binary(testStoredKey).equals(credential.storedKey); |
359 | 357 | } |
360 | 358 | catch (SQLException sqle) { |
361 | 359 | Log.warn("A database error occurred while authenticating user {}:", username, sqle); |
@@ -388,15 +386,15 @@ public void setPassword(String username, String password) throws UserNotFoundExc |
388 | 386 | byte[] saltShaker = new byte[SALT_LENGTH]; |
389 | 387 | random.nextBytes(saltShaker); |
390 | 388 | final String salt = DatatypeConverter.printBase64Binary(saltShaker); |
| 389 | + ScramUtils.ScramKeys keys = null; |
391 | 390 | final int iterations = ScramSha1SaslServer.ITERATION_COUNT.getValue(); |
392 | | - byte[] saltedPassword = null, clientKey = null, storedKey = null, serverKey = null; |
393 | 391 | try { |
394 | | - saltedPassword = ScramUtils.createSaltedPassword(saltShaker, password, iterations, ScramSha1SaslServer.HMAC_ALGORITHM_NAME); |
395 | | - clientKey = ScramUtils.computeHmac(saltedPassword, "Client Key", ScramSha1SaslServer.HMAC_ALGORITHM_NAME); |
396 | | - storedKey = MessageDigest.getInstance(ScramSha1SaslServer.DIGEST_ALGORITHM_NAME).digest(clientKey); |
397 | | - serverKey = ScramUtils.computeHmac(saltedPassword, "Server Key", ScramSha1SaslServer.HMAC_ALGORITHM_NAME); |
| 392 | + keys = ScramUtils.deriveScramKeys( |
| 393 | + saltShaker, password, iterations, |
| 394 | + ScramSha1SaslServer.HMAC_ALGORITHM_NAME, |
| 395 | + ScramSha1SaslServer.DIGEST_ALGORITHM_NAME); |
398 | 396 | } catch (SaslException | NoSuchAlgorithmException e) { |
399 | | - Log.warn("Unable to persist values for SCRAM authentication."); |
| 397 | + Log.warn("Unable to derive SCRAM credential while trying to persist values for SCRAM authentication", e); |
400 | 398 | } |
401 | 399 |
|
402 | 400 | String plaintextToStore = password; |
@@ -453,8 +451,8 @@ public void setPassword(String username, String password) throws UserNotFoundExc |
453 | 451 | ScramSha1SaslServer.MECHANISM_NAME, |
454 | 452 | salt, |
455 | 453 | iterations, |
456 | | - storedKey == null ? null : DatatypeConverter.printBase64Binary(storedKey), |
457 | | - serverKey == null ? null : DatatypeConverter.printBase64Binary(serverKey) |
| 454 | + keys == null ? null : DatatypeConverter.printBase64Binary(keys.storedKey), |
| 455 | + keys == null ? null : DatatypeConverter.printBase64Binary(keys.serverKey) |
458 | 456 | ) |
459 | 457 | ); |
460 | 458 | } |
|
0 commit comments