diff options
Diffstat (limited to 'libjava/classpath/gnu/javax/crypto/sasl/srp/SRPClient.java')
-rw-r--r-- | libjava/classpath/gnu/javax/crypto/sasl/srp/SRPClient.java | 795 |
1 files changed, 268 insertions, 527 deletions
diff --git a/libjava/classpath/gnu/javax/crypto/sasl/srp/SRPClient.java b/libjava/classpath/gnu/javax/crypto/sasl/srp/SRPClient.java index 1a1664ff79d..f4ef4cc34c1 100644 --- a/libjava/classpath/gnu/javax/crypto/sasl/srp/SRPClient.java +++ b/libjava/classpath/gnu/javax/crypto/sasl/srp/SRPClient.java @@ -38,151 +38,91 @@ exception statement from your version. */ package gnu.javax.crypto.sasl.srp; +import gnu.java.security.Configuration; import gnu.java.security.Registry; import gnu.java.security.hash.MD5; import gnu.java.security.util.PRNG; import gnu.java.security.util.Util; - +import gnu.javax.crypto.assembly.Direction; +import gnu.javax.crypto.cipher.CipherFactory; +import gnu.javax.crypto.cipher.IBlockCipher; import gnu.javax.crypto.key.IKeyAgreementParty; import gnu.javax.crypto.key.IncomingMessage; -import gnu.javax.crypto.key.KeyAgreementFactory; import gnu.javax.crypto.key.KeyAgreementException; +import gnu.javax.crypto.key.KeyAgreementFactory; import gnu.javax.crypto.key.OutgoingMessage; import gnu.javax.crypto.key.srp6.SRP6KeyAgreement; -import gnu.javax.crypto.assembly.Direction; -import gnu.javax.crypto.cipher.CipherFactory; -import gnu.javax.crypto.cipher.IBlockCipher; import gnu.javax.crypto.sasl.ClientMechanism; import gnu.javax.crypto.sasl.IllegalMechanismStateException; import gnu.javax.crypto.sasl.InputBuffer; import gnu.javax.crypto.sasl.IntegrityException; import gnu.javax.crypto.sasl.OutputBuffer; - import gnu.javax.security.auth.Password; -import java.io.IOException; -import java.io.PrintWriter; import java.io.ByteArrayOutputStream; +import java.io.IOException; import java.io.UnsupportedEncodingException; import java.math.BigInteger; import java.security.NoSuchAlgorithmException; import java.util.Arrays; import java.util.HashMap; import java.util.StringTokenizer; +import java.util.logging.Logger; +import javax.security.auth.DestroyFailedException; import javax.security.auth.callback.Callback; import javax.security.auth.callback.NameCallback; import javax.security.auth.callback.PasswordCallback; import javax.security.auth.callback.UnsupportedCallbackException; -import javax.security.auth.DestroyFailedException; import javax.security.sasl.AuthenticationException; import javax.security.sasl.SaslClient; import javax.security.sasl.SaslException; /** - * <p>The SASL-SRP client-side mechanism.</p> + * The SASL-SRP client-side mechanism. */ -public class SRPClient extends ClientMechanism implements SaslClient +public class SRPClient + extends ClientMechanism + implements SaslClient { - - // Debugging methods and variables - // ------------------------------------------------------------------------- - - private static final String NAME = "SRPClient"; - - // private static final String ERROR = "ERROR"; - // private static final String WARN = " WARN"; - private static final String INFO = " INFO"; - - private static final String TRACE = "DEBUG"; - - private static final boolean DEBUG = true; - - private static final int debuglevel = 3; - - private static final PrintWriter err = new PrintWriter(System.out, true); - - private static void debug(final String level, final Object obj) - { - err.println("[" + level + "] " + NAME + ": " + String.valueOf(obj)); - } - - // Constants and variables - // ------------------------------------------------------------------------- - - // private static final HashMap uid2ctx = new HashMap(); - + private static final Logger log = Logger.getLogger(SRPClient.class.getName()); private String uid; // the unique key for this type of client - private String U; // the authentication identity - BigInteger N, g, A, B; - private Password password; // the authentication credentials - private byte[] s; // the user's salt - private byte[] cIV, sIV; // client+server IVs, when confidentiality is on - private byte[] M1, M2; // client+server evidences - private byte[] cn, sn; // client's and server's nonce - private SRP srp; // SRP algorithm instance used by this client - private byte[] sid; // session ID when re-used - private int ttl; // session time-to-live in seconds - private byte[] sCB; // the peer's channel binding data - private String L; // available options - private String o; - private String chosenIntegrityAlgorithm; - private String chosenConfidentialityAlgorithm; - private int rawSendSize = Registry.SASL_BUFFER_MAX_LIMIT; - private byte[] K; // shared session key - private boolean replayDetection = true; // whether Replay Detection is on - private int inCounter = 0; // messages sequence numbers - private int outCounter = 0; - private IALG inMac, outMac; // if !null, use for integrity - private CALG inCipher, outCipher; // if !null, use for confidentiality - - private IKeyAgreementParty clientHandler = KeyAgreementFactory.getPartyAInstance(Registry.SRP_SASL_KA); - + private IKeyAgreementParty clientHandler = + KeyAgreementFactory.getPartyAInstance(Registry.SRP_SASL_KA); /** Our default source of randomness. */ private PRNG prng = null; - // Constructor(s) - // ------------------------------------------------------------------------- - public SRPClient() { super(Registry.SASL_SRP_MECHANISM); } - // Class methods - // ------------------------------------------------------------------------- - - // Instance methods - // ------------------------------------------------------------------------- - - // abstract methods implementation ----------------------------------------- - protected void initMechanism() throws SaslException { - // we shall keep track of the sid (and the security context of this - // SRP client) based on the initialisation parameters of an SRP session. + // we shall keep track of the sid (and the security context of this SRP + // client) based on the initialisation parameters of an SRP session. // we shall compute a unique key for those parameters and key the sid // (and the security context) accordingly. // 1. compute the mapping key. use MD5 (the fastest) for this purpose @@ -195,9 +135,8 @@ public class SRPClient extends ClientMechanism implements SaslClient b = protocol.getBytes(); md.update(b, 0, b.length); if (channelBinding.length > 0) - { - md.update(channelBinding, 0, channelBinding.length); - } + md.update(channelBinding, 0, channelBinding.length); + uid = Util.toBase64(md.digest()); if (ClientStore.instance().isAlive(uid)) { @@ -246,15 +185,12 @@ public class SRPClient extends ClientMechanism implements SaslClient sIV = null; inMac = outMac = null; inCipher = outCipher = null; - sid = null; ttl = 0; cn = null; sn = null; } - // javax.security.sasl.SaslClient interface implementation ----------------- - public boolean hasInitialResponse() { return true; @@ -282,7 +218,7 @@ public class SRPClient extends ClientMechanism implements SaslClient } return result; case 2: // should only occur if session re-use was rejected - if (!complete) + if (! complete) { state++; return receiveEvidence(challenge); @@ -296,211 +232,139 @@ public class SRPClient extends ClientMechanism implements SaslClient protected byte[] engineUnwrap(final byte[] incoming, final int offset, final int len) throws SaslException { - if (DEBUG && debuglevel > 8) - debug(TRACE, "==> engineUnwrap()"); - + if (Configuration.DEBUG) + log.entering(this.getClass().getName(), "engineUnwrap"); if (inMac == null && inCipher == null) - { - throw new IllegalStateException("connection is not protected"); - } - + throw new IllegalStateException("connection is not protected"); // at this point one, or both, of confidentiality and integrity protection // services are active. - final byte[] result; try { - // final InputBuffer frameIn = InputBuffer.getInstance(incoming, offset, len); - // result = frameIn.getEOS(); if (inMac != null) { // integrity bytes are at the end of the stream final int macBytesCount = inMac.length(); final int payloadLength = len - macBytesCount; - // final byte[] received_mac = frameIn.getOS(); final byte[] received_mac = new byte[macBytesCount]; System.arraycopy(incoming, offset + payloadLength, received_mac, 0, macBytesCount); - if (DEBUG && debuglevel > 6) - debug(TRACE, "Got C (received MAC): " - + Util.dumpString(received_mac)); - // inMac.update(result); + if (Configuration.DEBUG) + log.fine("Got C (received MAC): " + Util.dumpString(received_mac)); inMac.update(incoming, offset, payloadLength); if (replayDetection) { inCounter++; - if (DEBUG && debuglevel > 6) - debug(TRACE, "inCounter=" + String.valueOf(inCounter)); - inMac.update(new byte[] { (byte) (inCounter >>> 24), - (byte) (inCounter >>> 16), - (byte) (inCounter >>> 8), - (byte) inCounter }); + if (Configuration.DEBUG) + log.fine("inCounter=" + inCounter); + inMac.update(new byte[] { + (byte)(inCounter >>> 24), + (byte)(inCounter >>> 16), + (byte)(inCounter >>> 8), + (byte) inCounter }); } - final byte[] computed_mac = inMac.doFinal(); - if (DEBUG && debuglevel > 6) - debug(TRACE, "Computed MAC: " + Util.dumpString(computed_mac)); - if (!Arrays.equals(received_mac, computed_mac)) - { - throw new IntegrityException("engineUnwrap()"); - } - + if (Configuration.DEBUG) + log.fine("Computed MAC: " + Util.dumpString(computed_mac)); + if (! Arrays.equals(received_mac, computed_mac)) + throw new IntegrityException("engineUnwrap()"); // deal with the payload, which can be either plain or encrypted if (inCipher != null) - { - result = inCipher.doFinal(incoming, offset, payloadLength); - } + result = inCipher.doFinal(incoming, offset, payloadLength); else { result = new byte[len - macBytesCount]; System.arraycopy(incoming, offset, result, 0, result.length); } } - else - { // no integrity protection; just confidentiality - // if (inCipher != null) { - result = inCipher.doFinal(incoming, offset, len); - // } else { - // result = new byte[len]; - // System.arraycopy(incoming, offset, result, 0, len); - // } - } - // if (inCipher != null) { - // result = inCipher.doFinal(result); - // } + else // no integrity protection; just confidentiality + result = inCipher.doFinal(incoming, offset, len); } catch (IOException x) { if (x instanceof SaslException) - { - throw (SaslException) x; - } + throw (SaslException) x; throw new SaslException("engineUnwrap()", x); } - - if (DEBUG && debuglevel > 8) - debug(TRACE, "<== engineUnwrap()"); + if (Configuration.DEBUG) + log.exiting(this.getClass().getName(), "engineUnwrap"); return result; } protected byte[] engineWrap(final byte[] outgoing, final int offset, final int len) throws SaslException { - if (DEBUG && debuglevel > 8) - debug(TRACE, "==> engineWrap()"); - + if (Configuration.DEBUG) + log.entering(this.getClass().getName(), "engineWrap"); if (outMac == null && outCipher == null) - { - throw new IllegalStateException("connection is not protected"); - } - + throw new IllegalStateException("connection is not protected"); // at this point one, or both, of confidentiality and integrity protection // services are active. - - // byte[] data = new byte[len]; - // System.arraycopy(outgoing, offset, data, 0, len); byte[] result; try { - // OutputBuffer frameOut = new OutputBuffer(); final ByteArrayOutputStream out = new ByteArrayOutputStream(); // Process the data if (outCipher != null) { - // data = outCipher.doFinal(data); result = outCipher.doFinal(outgoing, offset, len); - if (DEBUG && debuglevel > 6) - debug(TRACE, "Encoding c (encrypted plaintext): " - + Util.dumpString(result)); - - // frameOut.setEOS(data); + if (Configuration.DEBUG) + log.fine("Encoding c (encrypted plaintext): " + + Util.dumpString(result)); out.write(result); - if (outMac != null) { outMac.update(result); if (replayDetection) { outCounter++; - if (DEBUG && debuglevel > 6) - debug(TRACE, "outCounter=" + String.valueOf(outCounter)); - outMac.update(new byte[] { (byte) (outCounter >>> 24), - (byte) (outCounter >>> 16), - (byte) (outCounter >>> 8), - (byte) outCounter }); + if (Configuration.DEBUG) + log.fine("outCounter=" + outCounter); + outMac.update(new byte[] { + (byte)(outCounter >>> 24), + (byte)(outCounter >>> 16), + (byte)(outCounter >>> 8), + (byte) outCounter }); } final byte[] C = outMac.doFinal(); - // frameOut.setOS(C); out.write(C); - if (DEBUG && debuglevel > 6) - debug(TRACE, "Encoding C (integrity checksum): " - + Util.dumpString(C)); - } // else confidentiality only; do nothing + if (Configuration.DEBUG) + log.fine("Encoding C (integrity checksum): " + Util.dumpString(C)); + } + // else confidentiality only; do nothing } - else - { // no confidentiality; just integrity [+ replay detection] - // if (DEBUG && debuglevel > 6) debug(TRACE, "Encoding p (plaintext): "+Util.dumpString(data)); - if (DEBUG && debuglevel > 6) - debug(TRACE, "Encoding p (plaintext): " - + Util.dumpString(outgoing, offset, len)); - - // frameOut.setEOS(data); + else // no confidentiality; just integrity [+ replay detection] + { + if (Configuration.DEBUG) + log.fine("Encoding p (plaintext): " + + Util.dumpString(outgoing, offset, len)); out.write(outgoing, offset, len); - - // if (outMac != null) { - // outMac.update(data); outMac.update(outgoing, offset, len); if (replayDetection) { outCounter++; - if (DEBUG && debuglevel > 6) - debug(TRACE, "outCounter=" + String.valueOf(outCounter)); - outMac.update(new byte[] { (byte) (outCounter >>> 24), - (byte) (outCounter >>> 16), - (byte) (outCounter >>> 8), - (byte) outCounter }); + if (Configuration.DEBUG) + log.fine("outCounter=" + outCounter); + outMac.update(new byte[] { + (byte)(outCounter >>> 24), + (byte)(outCounter >>> 16), + (byte)(outCounter >>> 8), + (byte) outCounter }); } final byte[] C = outMac.doFinal(); - // frameOut.setOS(C); out.write(C); - if (DEBUG && debuglevel > 6) - debug(TRACE, "Encoding C (integrity checksum): " - + Util.dumpString(C)); - // } + if (Configuration.DEBUG) + log.fine("Encoding C (integrity checksum): " + Util.dumpString(C)); } - - // frameOut.setEOS(data); - // - // if (outMac != null) { - // outMac.update(data); - // if (replayDetection) { - // outCounter++; - // if (DEBUG && debuglevel > 6) debug(TRACE, "outCounter="+String.valueOf(outCounter)); - // outMac.update(new byte[] { - // (byte)(outCounter >>> 24), - // (byte)(outCounter >>> 16), - // (byte)(outCounter >>> 8), - // (byte) outCounter }); - // } - // byte[] C = outMac.doFinal(); - // frameOut.setOS(C); - // if (DEBUG && debuglevel > 6) debug(TRACE, "Encoding C (integrity checksum): "+Util.dumpString(C)); - // } - - // result = frameOut.wrap(); result = out.toByteArray(); - } catch (IOException x) { if (x instanceof SaslException) - { - throw (SaslException) x; - } + throw (SaslException) x; throw new SaslException("engineWrap()", x); } - - if (DEBUG && debuglevel > 8) - debug(TRACE, "<== engineWrap()"); + if (Configuration.DEBUG) + log.exiting(this.getClass().getName(), "engineWrap"); return result; } @@ -509,13 +373,8 @@ public class SRPClient extends ClientMechanism implements SaslClient if (inMac != null) { if (inCipher != null) - { - return Registry.QOP_AUTH_CONF; - } - else - { - return Registry.QOP_AUTH_INT; - } + return Registry.QOP_AUTH_CONF; + return Registry.QOP_AUTH_INT; } return Registry.QOP_AUTH; } @@ -525,13 +384,8 @@ public class SRPClient extends ClientMechanism implements SaslClient if (inMac != null) { if (inCipher != null) - { - return Registry.STRENGTH_HIGH; - } - else - { - return Registry.STRENGTH_MEDIUM; - } + return Registry.STRENGTH_HIGH; + return Registry.STRENGTH_MEDIUM; } return Registry.STRENGTH_LOW; } @@ -546,23 +400,18 @@ public class SRPClient extends ClientMechanism implements SaslClient return Registry.REUSE_TRUE; } - // other methods ----------------------------------------------------------- - private byte[] sendIdentities() throws SaslException { - if (DEBUG && debuglevel > 8) - debug(TRACE, "==> sendIdentities()"); - + if (Configuration.DEBUG) + log.entering(this.getClass().getName(), "sendIdentities"); // If necessary, prompt the client for the username and password getUsernameAndPassword(); - - if (DEBUG && debuglevel > 6) - debug(TRACE, "Password: \"" + new String(password.getPassword()) + "\""); - if (DEBUG && debuglevel > 6) - debug(TRACE, "Encoding U (username): \"" + U + "\""); - if (DEBUG && debuglevel > 6) - debug(TRACE, "Encoding I (userid): \"" + authorizationID + "\""); - + if (Configuration.DEBUG) + { + log.fine("Password: \"" + new String(password.getPassword()) + "\""); + log.fine("Encoding U (username): \"" + U + "\""); + log.fine("Encoding I (userid): \"" + authorizationID + "\""); + } // if session re-use generate new 16-byte nonce if (sid.length != 0) { @@ -570,10 +419,7 @@ public class SRPClient extends ClientMechanism implements SaslClient getDefaultPRNG().nextBytes(cn); } else - { - cn = new byte[0]; - } - + cn = new byte[0]; final OutputBuffer frameOut = new OutputBuffer(); try { @@ -586,36 +432,30 @@ public class SRPClient extends ClientMechanism implements SaslClient catch (IOException x) { if (x instanceof SaslException) - { - throw (SaslException) x; - } + throw (SaslException) x; throw new AuthenticationException("sendIdentities()", x); } final byte[] result = frameOut.encode(); - if (DEBUG && debuglevel > 8) - debug(TRACE, "<== sendIdentities()"); - if (DEBUG && debuglevel > 2) - debug(INFO, "C: " + Util.dumpString(result)); - if (DEBUG && debuglevel > 2) - debug(INFO, " U = " + U); - if (DEBUG && debuglevel > 2) - debug(INFO, " I = " + authorizationID); - if (DEBUG && debuglevel > 2) - debug(INFO, "sid = " + new String(sid)); - if (DEBUG && debuglevel > 2) - debug(INFO, " cn = " + Util.dumpString(cn)); - if (DEBUG && debuglevel > 2) - debug(INFO, "cCB = " + Util.dumpString(channelBinding)); + if (Configuration.DEBUG) + { + log.fine("C: " + Util.dumpString(result)); + log.fine(" U = " + U); + log.fine(" I = " + authorizationID); + log.fine("sid = " + new String(sid)); + log.fine(" cn = " + Util.dumpString(cn)); + log.fine("cCB = " + Util.dumpString(channelBinding)); + log.exiting(this.getClass().getName(), "sendIdentities"); + } return result; } private byte[] sendPublicKey(final byte[] input) throws SaslException { - if (DEBUG && debuglevel > 8) - debug(TRACE, "==> sendPublicKey()"); - if (DEBUG && debuglevel > 6) - debug(TRACE, "S: " + Util.dumpString(input)); - + if (Configuration.DEBUG) + { + log.entering(this.getClass().getName(), "sendPublicKey"); + log.fine("S: " + Util.dumpString(input)); + } // Server sends [00], N, g, s, B, L // or [FF], sn, sCB final InputBuffer frameIn = new InputBuffer(input); @@ -623,60 +463,50 @@ public class SRPClient extends ClientMechanism implements SaslClient try { ack = (int) frameIn.getScalar(1); - if (ack == 0x00) - { // new session + if (ack == 0x00) // new session + { N = frameIn.getMPI(); - if (DEBUG && debuglevel > 6) - debug(TRACE, "Got N (modulus): " + Util.dump(N)); + if (Configuration.DEBUG) + log.fine("Got N (modulus): " + Util.dump(N)); g = frameIn.getMPI(); - if (DEBUG && debuglevel > 6) - debug(TRACE, "Got g (generator): " + Util.dump(g)); + if (Configuration.DEBUG) + log.fine("Got g (generator): " + Util.dump(g)); s = frameIn.getOS(); - if (DEBUG && debuglevel > 6) - debug(TRACE, "Got s (salt): " + Util.dumpString(s)); + if (Configuration.DEBUG) + log.fine("Got s (salt): " + Util.dumpString(s)); B = frameIn.getMPI(); - if (DEBUG && debuglevel > 6) - debug(TRACE, "Got B (server ephermeral public key): " - + Util.dump(B)); + if (Configuration.DEBUG) + log.fine("Got B (server ephermeral public key): " + Util.dump(B)); L = frameIn.getText(); - if (DEBUG && debuglevel > 6) - debug(TRACE, "Got L (available options): \"" + L + "\""); + if (Configuration.DEBUG) + log.fine("Got L (available options): \"" + L + "\""); } - else if (ack == 0xFF) - { // session re-use + else if (ack == 0xFF) // session re-use + { sn = frameIn.getOS(); - if (DEBUG && debuglevel > 6) - debug(TRACE, "Got sn (server nonce): " + Util.dumpString(sn)); + if (Configuration.DEBUG) + log.fine("Got sn (server nonce): " + Util.dumpString(sn)); sCB = frameIn.getEOS(); - if (DEBUG && debuglevel > 6) - debug(TRACE, "Got sCB (server channel binding): " - + Util.dumpString(sCB)); - } - else - { // unexpected scalar - throw new SaslException("sendPublicKey(): Invalid scalar (" + ack - + ") in server's request"); + if (Configuration.DEBUG) + log.fine("Got sCB (server channel binding): " + Util.dumpString(sCB)); } + else // unexpected scalar + throw new SaslException("sendPublicKey(): Invalid scalar (" + ack + + ") in server's request"); } catch (IOException x) { if (x instanceof SaslException) - { - throw (SaslException) x; - } + throw (SaslException) x; throw new SaslException("sendPublicKey()", x); } - if (ack == 0x00) { // new session --------------------------------------- o = createO(L.toLowerCase()); // do this first to initialise the SRP hash - final byte[] pBytes; // use ASCII encoding to inter-operate w/ non-java pBytes = password.getBytes(); - // ---------------------------------------------------------------------- final HashMap mapA = new HashMap(); - // mapA.put(SRP6KeyAgreement.HASH_FUNCTION, srp.newDigest()); mapA.put(SRP6KeyAgreement.HASH_FUNCTION, srp.getAlgorithm()); mapA.put(SRP6KeyAgreement.USER_IDENTITY, U); mapA.put(SRP6KeyAgreement.USER_PASSWORD, pBytes); @@ -689,9 +519,6 @@ public class SRPClient extends ClientMechanism implements SaslClient { throw new SaslException("sendPublicKey()", x); } - - // ---------------------------------------------------------------------- - // ------------------------------------------------------------------- try { @@ -702,7 +529,6 @@ public class SRPClient extends ClientMechanism implements SaslClient out.writeMPI(B); IncomingMessage in = new IncomingMessage(out.toByteArray()); out = clientHandler.processMessage(in); - in = new IncomingMessage(out.toByteArray()); A = in.readMPI(); K = clientHandler.getSharedSecret(); @@ -712,13 +538,11 @@ public class SRPClient extends ClientMechanism implements SaslClient throw new SaslException("sendPublicKey()", x); } // ------------------------------------------------------------------- - - if (DEBUG && debuglevel > 6) - debug(TRACE, "K: " + Util.dumpString(K)); - if (DEBUG && debuglevel > 6) - debug(TRACE, "Encoding A (client ephemeral public key): " - + Util.dump(A)); - + if (Configuration.DEBUG) + { + log.fine("K: " + Util.dumpString(K)); + log.fine("Encoding A (client ephemeral public key): " + Util.dump(A)); + } try { M1 = srp.generateM1(N, g, U, s, A, B, K, authorizationID, L, cn, @@ -728,13 +552,11 @@ public class SRPClient extends ClientMechanism implements SaslClient { throw new AuthenticationException("sendPublicKey()", x); } - - if (DEBUG && debuglevel > 6) - debug(TRACE, "Encoding o (client chosen options): \"" + o + "\""); - if (DEBUG && debuglevel > 6) - debug(TRACE, "Encoding cIV (client IV): \"" + Util.dumpString(cIV) - + "\""); - + if (Configuration.DEBUG) + { + log.fine("Encoding o (client chosen options): \"" + o + "\""); + log.fine("Encoding cIV (client IV): \"" + Util.dumpString(cIV) + "\""); + } final OutputBuffer frameOut = new OutputBuffer(); try { @@ -746,74 +568,65 @@ public class SRPClient extends ClientMechanism implements SaslClient catch (IOException x) { if (x instanceof SaslException) - { - throw (SaslException) x; - } + throw (SaslException) x; throw new AuthenticationException("sendPublicKey()", x); } final byte[] result = frameOut.encode(); - if (DEBUG && debuglevel > 8) - debug(TRACE, "<== sendPublicKey()"); - if (DEBUG && debuglevel > 2) - debug(INFO, "New session, or session re-use rejected..."); - if (DEBUG && debuglevel > 2) - debug(INFO, "C: " + Util.dumpString(result)); - if (DEBUG && debuglevel > 2) - debug(INFO, " A = 0x" + A.toString(16)); - if (DEBUG && debuglevel > 2) - debug(INFO, " M1 = " + Util.dumpString(M1)); - if (DEBUG && debuglevel > 2) - debug(INFO, " o = " + o); - if (DEBUG && debuglevel > 2) - debug(INFO, "cIV = " + Util.dumpString(cIV)); - + if (Configuration.DEBUG) + { + log.fine("New session, or session re-use rejected..."); + log.fine("C: " + Util.dumpString(result)); + log.fine(" A = 0x" + A.toString(16)); + log.fine(" M1 = " + Util.dumpString(M1)); + log.fine(" o = " + o); + log.fine("cIV = " + Util.dumpString(cIV)); + log.exiting(this.getClass().getName(), "sendPublicKey"); + } return result; } - else - { // session re-use accepted ------------------------------------- + else // session re-use accepted ------------------------------------------- + { setupSecurityServices(true); - if (DEBUG && debuglevel > 8) - debug(TRACE, "<== sendPublicKey()"); - if (DEBUG && debuglevel > 2) - debug(INFO, "Session re-use accepted..."); + if (Configuration.DEBUG) + { + log.fine("Session re-use accepted..."); + log.exiting(this.getClass().getName(), "sendPublicKey"); + } return null; } } private byte[] receiveEvidence(byte[] input) throws SaslException { - if (DEBUG && debuglevel > 8) - debug(TRACE, "==> receiveEvidence()"); - if (DEBUG && debuglevel > 6) - debug(TRACE, "S: " + Util.dumpString(input)); - + if (Configuration.DEBUG) + { + log.entering(this.getClass().getName(), "receiveEvidence"); + log.fine("S: " + Util.dumpString(input)); + } // Server send M2, sIV, sCB, sid, ttl final InputBuffer frameIn = new InputBuffer(input); try { M2 = frameIn.getOS(); - if (DEBUG && debuglevel > 6) - debug(TRACE, "Got M2 (server evidence): " + Util.dumpString(M2)); + if (Configuration.DEBUG) + log.fine("Got M2 (server evidence): " + Util.dumpString(M2)); sIV = frameIn.getOS(); - if (DEBUG && debuglevel > 6) - debug(TRACE, "Got sIV (server IV): " + Util.dumpString(sIV)); + if (Configuration.DEBUG) + log.fine("Got sIV (server IV): " + Util.dumpString(sIV)); sid = frameIn.getEOS(); - if (DEBUG && debuglevel > 6) - debug(TRACE, "Got sid (session ID): " + new String(sid)); + if (Configuration.DEBUG) + log.fine("Got sid (session ID): " + new String(sid)); ttl = (int) frameIn.getScalar(4); - if (DEBUG && debuglevel > 6) - debug(TRACE, "Got ttl (session time-to-live): " + ttl + "sec."); + if (Configuration.DEBUG) + log.fine("Got ttl (session time-to-live): " + ttl + "sec."); sCB = frameIn.getEOS(); - if (DEBUG && debuglevel > 6) - debug(TRACE, "Got sCB (server channel binding): " - + Util.dumpString(sCB)); + if (Configuration.DEBUG) + log.fine("Got sCB (server channel binding): " + Util.dumpString(sCB)); } catch (IOException x) { if (x instanceof SaslException) - { - throw (SaslException) x; - } + throw (SaslException) x; throw new AuthenticationException("receiveEvidence()", x); } @@ -827,18 +640,13 @@ public class SRPClient extends ClientMechanism implements SaslClient { throw new AuthenticationException("receiveEvidence()", x); } - - if (DEBUG && debuglevel > 6) - debug(TRACE, "Expected: " + Util.dumpString(expected)); - if (!Arrays.equals(M2, expected)) - { - throw new AuthenticationException("M2 mismatch"); - } - + if (Configuration.DEBUG) + log.fine("Expected: " + Util.dumpString(expected)); + if (! Arrays.equals(M2, expected)) + throw new AuthenticationException("M2 mismatch"); setupSecurityServices(false); - - if (DEBUG && debuglevel > 8) - debug(TRACE, "<== receiveEvidence()"); + if (Configuration.DEBUG) + log.exiting(this.getClass().getName(), "receiveEvidence"); return null; } @@ -846,19 +654,15 @@ public class SRPClient extends ClientMechanism implements SaslClient { try { - if ((!properties.containsKey(Registry.SASL_USERNAME)) - && (!properties.containsKey(Registry.SASL_PASSWORD))) + if ((! properties.containsKey(Registry.SASL_USERNAME)) + && (! properties.containsKey(Registry.SASL_PASSWORD))) { final NameCallback nameCB; final String defaultName = System.getProperty("user.name"); if (defaultName == null) - { - nameCB = new NameCallback("username: "); - } + nameCB = new NameCallback("username: "); else - { - nameCB = new NameCallback("username: ", defaultName); - } + nameCB = new NameCallback("username: ", defaultName); final PasswordCallback pwdCB = new PasswordCallback("password: ", false); handler.handle(new Callback[] { nameCB, pwdCB }); @@ -868,21 +672,15 @@ public class SRPClient extends ClientMechanism implements SaslClient else { if (properties.containsKey(Registry.SASL_USERNAME)) - { - this.U = (String) properties.get(Registry.SASL_USERNAME); - } + this.U = (String) properties.get(Registry.SASL_USERNAME); else { final NameCallback nameCB; final String defaultName = System.getProperty("user.name"); if (defaultName == null) - { - nameCB = new NameCallback("username: "); - } + nameCB = new NameCallback("username: "); else - { - nameCB = new NameCallback("username: ", defaultName); - } + nameCB = new NameCallback("username: ", defaultName); this.handler.handle(new Callback[] { nameCB }); this.U = nameCB.getName(); } @@ -897,14 +695,12 @@ public class SRPClient extends ClientMechanism implements SaslClient else if (pw instanceof String) password = new Password(((String) pw).toCharArray()); else - throw new IllegalArgumentException( - pw.getClass().getName() - + "is not a valid password class"); + throw new IllegalArgumentException(pw.getClass().getName() + + "is not a valid password class"); } else { - final PasswordCallback pwdCB = new PasswordCallback( - "password: ", + final PasswordCallback pwdCB = new PasswordCallback("password: ", false); this.handler.handle(new Callback[] { pwdCB }); password = new Password(pwdCB.getPassword()); @@ -912,13 +708,9 @@ public class SRPClient extends ClientMechanism implements SaslClient } if (U == null) - { - throw new AuthenticationException("null username supplied"); - } + throw new AuthenticationException("null username supplied"); if (password == null) - { - throw new AuthenticationException("null password supplied"); - } + throw new AuthenticationException("null password supplied"); } catch (UnsupportedCallbackException x) { @@ -935,9 +727,8 @@ public class SRPClient extends ClientMechanism implements SaslClient // to us by the client. private String createO(final String aol) throws AuthenticationException { - if (DEBUG && debuglevel > 8) - debug(TRACE, "==> createO(\"" + aol + "\")"); - + if (Configuration.DEBUG) + log.entering(this.getClass().getName(), "createO", aol); boolean replaydetectionAvailable = false; boolean integrityAvailable = false; boolean confidentialityAvailable = false; @@ -945,7 +736,6 @@ public class SRPClient extends ClientMechanism implements SaslClient int i; String mdName = SRPRegistry.SRP_DEFAULT_DIGEST_NAME; - final StringTokenizer st = new StringTokenizer(aol, ","); while (st.hasMoreTokens()) { @@ -953,55 +743,45 @@ public class SRPClient extends ClientMechanism implements SaslClient if (option.startsWith(SRPRegistry.OPTION_SRP_DIGEST + "=")) { option = option.substring(option.indexOf('=') + 1); - if (DEBUG && debuglevel > 6) - debug(TRACE, "mda: <" + option + ">"); + if (Configuration.DEBUG) + log.fine("mda: <" + option + ">"); for (i = 0; i < SRPRegistry.INTEGRITY_ALGORITHMS.length; i++) - { - if (SRPRegistry.SRP_ALGORITHMS[i].equals(option)) - { - mdName = option; - break; - } - } + if (SRPRegistry.SRP_ALGORITHMS[i].equals(option)) + { + mdName = option; + break; + } } else if (option.equals(SRPRegistry.OPTION_REPLAY_DETECTION)) - { - replaydetectionAvailable = true; - } + replaydetectionAvailable = true; else if (option.startsWith(SRPRegistry.OPTION_INTEGRITY + "=")) { option = option.substring(option.indexOf('=') + 1); - if (DEBUG && debuglevel > 6) - debug(TRACE, "ialg: <" + option + ">"); + if (Configuration.DEBUG) + log.fine("ialg: <" + option + ">"); for (i = 0; i < SRPRegistry.INTEGRITY_ALGORITHMS.length; i++) - { - if (SRPRegistry.INTEGRITY_ALGORITHMS[i].equals(option)) - { - chosenIntegrityAlgorithm = option; - integrityAvailable = true; - break; - } - } + if (SRPRegistry.INTEGRITY_ALGORITHMS[i].equals(option)) + { + chosenIntegrityAlgorithm = option; + integrityAvailable = true; + break; + } } else if (option.startsWith(SRPRegistry.OPTION_CONFIDENTIALITY + "=")) { option = option.substring(option.indexOf('=') + 1); - if (DEBUG && debuglevel > 6) - debug(TRACE, "calg: <" + option + ">"); + if (Configuration.DEBUG) + log.fine("calg: <" + option + ">"); for (i = 0; i < SRPRegistry.CONFIDENTIALITY_ALGORITHMS.length; i++) - { - if (SRPRegistry.CONFIDENTIALITY_ALGORITHMS[i].equals(option)) - { - chosenConfidentialityAlgorithm = option; - confidentialityAvailable = true; - break; - } - } + if (SRPRegistry.CONFIDENTIALITY_ALGORITHMS[i].equals(option)) + { + chosenConfidentialityAlgorithm = option; + confidentialityAvailable = true; + break; + } } else if (option.startsWith(SRPRegistry.OPTION_MANDATORY + "=")) - { - mandatory = option.substring(option.indexOf('=') + 1); - } + mandatory = option.substring(option.indexOf('=') + 1); else if (option.startsWith(SRPRegistry.OPTION_MAX_BUFFER_SIZE + "=")) { final String maxBufferSize = option.substring(option.indexOf('=') + 1); @@ -1010,32 +790,27 @@ public class SRPClient extends ClientMechanism implements SaslClient rawSendSize = Integer.parseInt(maxBufferSize); if (rawSendSize > Registry.SASL_BUFFER_MAX_LIMIT || rawSendSize < 1) - { - throw new AuthenticationException( - "Illegal value for 'maxbuffersize' option"); - } + throw new AuthenticationException( + "Illegal value for 'maxbuffersize' option"); } catch (NumberFormatException x) { throw new AuthenticationException( - SRPRegistry.OPTION_MAX_BUFFER_SIZE - + "=" - + String.valueOf(maxBufferSize), - x); + SRPRegistry.OPTION_MAX_BUFFER_SIZE + "=" + maxBufferSize, x); } } } - - replayDetection = replaydetectionAvailable - && Boolean.valueOf( - (String) properties.get(SRPRegistry.SRP_REPLAY_DETECTION)).booleanValue(); - boolean integrity = integrityAvailable - && Boolean.valueOf( - (String) properties.get(SRPRegistry.SRP_INTEGRITY_PROTECTION)).booleanValue(); - boolean confidentiality = confidentialityAvailable - && Boolean.valueOf( - (String) properties.get(SRPRegistry.SRP_CONFIDENTIALITY)).booleanValue(); - + String s; + Boolean flag; + s = (String) properties.get(SRPRegistry.SRP_REPLAY_DETECTION); + flag = Boolean.valueOf(s); + replayDetection = replaydetectionAvailable && flag.booleanValue(); + s = (String) properties.get(SRPRegistry.SRP_INTEGRITY_PROTECTION); + flag = Boolean.valueOf(s); + boolean integrity = integrityAvailable && flag.booleanValue(); + s = (String) properties.get(SRPRegistry.SRP_CONFIDENTIALITY); + flag = Boolean.valueOf(s); + boolean confidentiality = confidentialityAvailable && flag.booleanValue(); // make sure we do the right thing if (SRPRegistry.OPTION_REPLAY_DETECTION.equals(mandatory)) { @@ -1043,95 +818,68 @@ public class SRPClient extends ClientMechanism implements SaslClient integrity = true; } else if (SRPRegistry.OPTION_INTEGRITY.equals(mandatory)) - { - integrity = true; - } + integrity = true; else if (SRPRegistry.OPTION_CONFIDENTIALITY.equals(mandatory)) - { - confidentiality = true; - } + confidentiality = true; + if (replayDetection) { if (chosenIntegrityAlgorithm == null) - { - throw new AuthenticationException( - "Replay detection is required but no " - + "integrity protection algorithm was chosen"); - } + throw new AuthenticationException( + "Replay detection is required but no integrity protection " + + "algorithm was chosen"); } if (integrity) { if (chosenIntegrityAlgorithm == null) - { - throw new AuthenticationException( - "Integrity protection is required but no " - + "algorithm was chosen"); - } + throw new AuthenticationException( + "Integrity protection is required but no algorithm was chosen"); } if (confidentiality) { if (chosenConfidentialityAlgorithm == null) - { - throw new AuthenticationException( - "Confidentiality protection is required " - + "but no algorithm was chosen"); - } + throw new AuthenticationException( + "Confidentiality protection is required but no algorithm was chosen"); } - // 1. check if we'll be using confidentiality; if not set IV to 0-byte if (chosenConfidentialityAlgorithm == null) - { - cIV = new byte[0]; - } + cIV = new byte[0]; else { // 2. get the block size of the cipher final IBlockCipher cipher = CipherFactory.getInstance(chosenConfidentialityAlgorithm); if (cipher == null) - { - throw new AuthenticationException("createO()", - new NoSuchAlgorithmException()); - } + throw new AuthenticationException("createO()", + new NoSuchAlgorithmException()); final int blockSize = cipher.defaultBlockSize(); // 3. generate random iv cIV = new byte[blockSize]; getDefaultPRNG().nextBytes(cIV); } - srp = SRP.instance(mdName); - // Now create the options list specifying which of the available options // we have chosen. // For now we just select the defaults. Later we need to add support for // properties (perhaps in a file) where a user can specify the list of // algorithms they would prefer to use. - final StringBuffer sb = new StringBuffer(); - sb.append(SRPRegistry.OPTION_SRP_DIGEST).append("=").append(mdName).append( - ","); + sb.append(SRPRegistry.OPTION_SRP_DIGEST) + .append("=").append(mdName).append(","); if (replayDetection) - { - sb.append(SRPRegistry.OPTION_REPLAY_DETECTION).append(","); - } + sb.append(SRPRegistry.OPTION_REPLAY_DETECTION).append(","); if (integrity) - { - sb.append(SRPRegistry.OPTION_INTEGRITY).append("=").append( - chosenIntegrityAlgorithm).append( - ","); - } + sb.append(SRPRegistry.OPTION_INTEGRITY) + .append("=").append(chosenIntegrityAlgorithm).append(","); if (confidentiality) - { - sb.append(SRPRegistry.OPTION_CONFIDENTIALITY).append("=").append( - chosenConfidentialityAlgorithm).append( - ","); - } - final String result = sb.append(SRPRegistry.OPTION_MAX_BUFFER_SIZE).append( - "=").append( - Registry.SASL_BUFFER_MAX_LIMIT).toString(); - - if (DEBUG && debuglevel > 8) - debug(TRACE, "<== createO() --> " + result); + sb.append(SRPRegistry.OPTION_CONFIDENTIALITY) + .append("=").append(chosenConfidentialityAlgorithm).append(","); + + final String result = sb.append(SRPRegistry.OPTION_MAX_BUFFER_SIZE) + .append("=").append(Registry.SASL_BUFFER_MAX_LIMIT) + .toString(); + if (Configuration.DEBUG) + log.exiting(this.getClass().getName(), "createO", result); return result; } @@ -1139,33 +887,30 @@ public class SRPClient extends ClientMechanism implements SaslClient throws SaslException { complete = true; // signal end of authentication phase - if (!sessionReUse) + if (! sessionReUse) { outCounter = inCounter = 0; // instantiate cipher if confidentiality protection filter is active if (chosenConfidentialityAlgorithm != null) { - if (DEBUG && debuglevel > 2) - debug(INFO, "Activating confidentiality protection filter"); + if (Configuration.DEBUG) + log.fine("Activating confidentiality protection filter"); inCipher = CALG.getInstance(chosenConfidentialityAlgorithm); outCipher = CALG.getInstance(chosenConfidentialityAlgorithm); } // instantiate hmacs if integrity protection filter is active if (chosenIntegrityAlgorithm != null) { - if (DEBUG && debuglevel > 2) - debug(INFO, "Activating integrity protection filter"); + if (Configuration.DEBUG) + log.fine("Activating integrity protection filter"); inMac = IALG.getInstance(chosenIntegrityAlgorithm); outMac = IALG.getInstance(chosenIntegrityAlgorithm); } } - else - { // same session new Keys - K = srp.generateKn(K, cn, sn); - } + else // same session new Keys + K = srp.generateKn(K, cn, sn); final KDF kdf = KDF.getInstance(K); - // initialise in/out ciphers if confidentiality protection is used if (inCipher != null) { @@ -1178,16 +923,13 @@ public class SRPClient extends ClientMechanism implements SaslClient inMac.init(kdf); outMac.init(kdf); } - if (sid != null && sid.length != 0) { // update the security context and save in map - if (DEBUG && debuglevel > 2) - debug(INFO, "Updating security context for UID = " + uid); - ClientStore.instance().cacheSession( - uid, + if (Configuration.DEBUG) + log.fine("Updating security context for UID = " + uid); + ClientStore.instance().cacheSession(uid, ttl, - new SecurityContext( - srp.getAlgorithm(), + new SecurityContext(srp.getAlgorithm(), sid, K, cIV, @@ -1205,7 +947,6 @@ public class SRPClient extends ClientMechanism implements SaslClient { if (prng == null) prng = PRNG.getInstance(); - return prng; } -}
\ No newline at end of file +} |