Darran Lofthouse reassigned ELY-1160:
-------------------------------------
Assignee: (was: Darran Lofthouse)
Elytron, SASL digest mechanism works only with MD5 hash function
----------------------------------------------------------------
Key: ELY-1160
URL: https://issues.jboss.org/browse/ELY-1160
Project: WildFly Elytron
Issue Type: Bug
Reporter: Martin Choma
Priority: Critical
The Elytron SASL mechanism works only with MD5. When trying to use one of DIGEST-SHA, DIGEST-SHA-256 or DIGEST-SHA-512, I get
{code}
ELY05055: [DIGEST-SHA-256] Authentication rejected (invalid proof)
{code}
I know these mechanisms are marked as tech preview [2], but they should work.
The DIGEST hash function can cause problems in a FIPS environment, like this customer case [1] for the HTTP DIGEST mechanism:
{code:title=server.log}
10:56:26,243 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Initialized
connection from /127.0.0.1:39291 to /127.0.0.1:9990 with options
{org.jboss.remoting3.RemotingOptions.SASL_PROTOCOL=>remote}
10:56:26,244 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Accepted
connection from /127.0.0.1:39291 to localhost.localdomain/127.0.0.1:9990
10:56:26,250 TRACE [org.jboss.remoting.remote] (management I/O-2) Setting read listener
to org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial@63e189b6
10:56:26,252 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Sent 28
bytes
10:56:26,252 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Flushed
channel
10:56:26,261 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers
in queue for message header
10:56:26,262 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated
fresh buffers
10:56:26,262 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received 59
bytes
10:56:26,262 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received
message java.nio.HeapByteBuffer[pos=0 lim=55 cap=8192]
10:56:26,263 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Received
java.nio.HeapByteBuffer[pos=0 lim=55 cap=8192]
10:56:26,263 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received
capabilities request
10:56:26,263 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received
capability: version 1
10:56:26,263 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received
capability: remote endpoint name "cli-client"
10:56:26,263 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received
capability: message close protocol supported
10:56:26,263 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received
capability: remote version is "5.0.0.Beta22-redhat-1"
10:56:26,263 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received
capability: remote channels in is "40"
10:56:26,263 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received
capability: remote channels out is "40"
10:56:26,263 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received
capability: authentication service
10:56:26,264 TRACE [org.jboss.remoting.remote.server] (management I/O-2) No EXTERNAL
mechanism due to lack of SSL
10:56:26,269 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Added mechanism
DIGEST-SHA-256
10:56:26,269 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Sent 85
bytes
10:56:26,269 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Flushed
channel
10:56:26,384 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers
in queue for message header
10:56:26,384 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated
fresh buffers
10:56:26,384 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received 20
bytes
10:56:26,385 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received
message java.nio.HeapByteBuffer[pos=0 lim=16 cap=8192]
10:56:26,385 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Received
java.nio.HeapByteBuffer[pos=0 lim=16 cap=8192]
10:56:26,385 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received
authentication request
10:56:26,391 TRACE [org.wildfly.security] (management I/O-2) Handling
MechanismInformationCallback type='SASL' name='DIGEST-SHA-256'
host-name='localhost.localdomain' protocol='remote'
10:56:26,392 TRACE [org.wildfly.security] (management I/O-2) Handling
MechanismInformationCallback type='SASL' name='DIGEST-SHA-256'
host-name='localhost.localdomain' protocol='remote'
10:56:26,393 TRACE [org.wildfly.security] (management I/O-2) Handling
AvailableRealmsCallback: realms = [ManagementRealm]
10:56:26,454 TRACE [org.jboss.remoting.endpoint] (management I/O-2) Allocated tick to 8
of endpoint "localhost:MANAGEMENT" <1f0d26e2> (opened
org.jboss.remoting3.EndpointImpl$TrackingExecutor@55587716)
10:56:26,460 TRACE [org.jboss.remoting.remote.server] (management task-1) Server sending
authentication challenge
10:56:26,461 TRACE [org.jboss.remoting.remote] (management task-1) Setting read listener
to org.jboss.remoting3.remote.ServerConnectionOpenListener$Authentication@5a85277e
10:56:26,461 TRACE [org.jboss.remoting.endpoint] (management task-1) Resource closed
count 00000007 of endpoint "localhost:MANAGEMENT" <1f0d26e2> (closed
org.jboss.remoting3.EndpointImpl$TrackingExecutor@55587716)
10:56:26,461 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Sent 118
bytes
10:56:26,462 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Flushed
channel
10:56:29,472 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers
in queue for message header
10:56:29,473 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated
fresh buffers
10:56:29,473 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received 324
bytes
10:56:29,473 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received
message java.nio.HeapByteBuffer[pos=0 lim=320 cap=8192]
10:56:29,473 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Received
java.nio.HeapByteBuffer[pos=0 lim=320 cap=8192]
10:56:29,473 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received
authentication response
10:56:29,473 TRACE [org.jboss.remoting.endpoint] (management I/O-2) Allocated tick to 8
of endpoint "localhost:MANAGEMENT" <1f0d26e2> (opened
org.jboss.remoting3.EndpointImpl$TrackingExecutor@55587716)
10:56:29,475 TRACE [org.wildfly.security] (management task-2) Handling RealmCallback:
selected = [ManagementRealm]
10:56:29,475 TRACE [org.wildfly.security] (management task-2) Handling NameCallback:
authenticationName = admin
10:56:29,476 TRACE [org.wildfly.security] (management task-2) Principal assigning:
[admin], pre-realm rewritten: [admin], realm name: [ManagementRealm], post-realm
rewritten: [admin], realm rewritten: [admin]
10:56:29,478 TRACE [org.wildfly.security] (management task-2) Handling
CredentialCallback: failed to obtain credential
10:56:29,478 TRACE [org.wildfly.security] (management task-2) Handling RealmCallback:
selected = [ManagementRealm]
10:56:29,478 TRACE [org.wildfly.security] (management task-2) Handling NameCallback:
authenticationName = admin
10:56:29,483 TRACE [org.wildfly.security] (management task-2) Handling
CredentialCallback: obtained credential:
org.wildfly.security.credential.PasswordCredential@7917c4d1
10:56:29,485 TRACE [org.jboss.remoting.remote.server] (management task-2) Server sending
authentication rejected: javax.security.sasl.SaslException: ELY05055: [DIGEST-SHA-256]
Authentication rejected (invalid proof)
at
org.wildfly.security.sasl.digest.DigestSaslServer.validateDigestResponse(DigestSaslServer.java:279)
at
org.wildfly.security.sasl.digest.DigestSaslServer.evaluateMessage(DigestSaslServer.java:355)
at
org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180)
at
org.wildfly.security.sasl.digest.DigestSaslServer.evaluateResponse(DigestSaslServer.java:328)
at
org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
at
org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
at
org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:57)
at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
at
org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:470)
at
org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:897)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
10:56:29,486 TRACE [org.wildfly.security] (management task-2) Handling
AuthenticationCompleteCallback: fail
10:56:29,498 TRACE [org.jboss.remoting.remote] (management task-2) Setting read listener
to org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial@3770546b
10:56:29,498 TRACE [org.jboss.remoting.endpoint] (management task-2) Resource closed
count 00000007 of endpoint "localhost:MANAGEMENT" <1f0d26e2> (closed
org.jboss.remoting3.EndpointImpl$TrackingExecutor@55587716)
10:56:29,499 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Sent 5
bytes
10:56:29,499 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Flushed
channel
10:56:29,499 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers
in queue for message header
10:56:29,499 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated
fresh buffers
10:56:29,500 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received 59
bytes
10:56:29,500 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received
message java.nio.HeapByteBuffer[pos=0 lim=55 cap=8192]
10:56:29,500 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Received
java.nio.HeapByteBuffer[pos=0 lim=55 cap=8192]
10:56:29,500 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received
capabilities request
10:56:29,500 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received
capability: version 1
10:56:29,500 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received
capability: remote endpoint name "cli-client"
10:56:29,500 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received
capability: message close protocol supported
10:56:29,500 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received
capability: remote version is "5.0.0.Beta22-redhat-1"
10:56:29,500 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received
capability: remote channels in is "40"
10:56:29,500 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received
capability: remote channels out is "40"
10:56:29,500 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received
capability: authentication service
10:56:29,501 TRACE [org.jboss.remoting.remote.server] (management I/O-2) No EXTERNAL
mechanism due to lack of SSL
10:56:29,502 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Added mechanism
DIGEST-SHA-256
10:56:29,502 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Sent 85
bytes
10:56:29,502 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Flushed
channel
10:56:29,503 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers
in queue for message header
10:56:29,503 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated
fresh buffers
10:56:29,503 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received
EOF
10:56:29,503 TRACE [org.jboss.remoting.remote] (management I/O-2) Received connection
end-of-stream
{code}
[1] https://access.redhat.com/support/cases/#/case/01761455
[2] https://docs.google.com/document/d/1JelV424cHI1cr1BSH2MCXDAUlorGGJGca7uwZ...
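To make the "invalid proof" rejection in the log concrete, here is an added illustration (not Elytron's code) of the RFC 2831 DIGEST response computation with the hash function made pluggable. It assumes the SHA variants reuse the DIGEST-MD5 construction with a different hash, and shows that a proof computed with MD5 can never validate against a server expecting DIGEST-SHA-256, plus a FIPS 180-4 approval check that explains why an MD5-only implementation is a problem in a FIPS environment. All field values are constructed, not taken from the report.

```python
import hashlib
import hmac

# Hash algorithms approved by FIPS 180-4; MD5 is not among them.
FIPS_APPROVED_HASHES = {"sha1", "sha224", "sha256", "sha384", "sha512"}

def _h(alg: str, data: bytes) -> bytes:
    return hashlib.new(alg, data).digest()

def digest_response(alg, username, realm, password, nonce, cnonce, nc, qop,
                    digest_uri, authzid=None) -> str:
    """Client response-value of RFC 2831 section 2.1.2.1 with the hash
    pluggable (md5 for DIGEST-MD5; assumed: sha1/sha256/sha512 for the
    DIGEST-SHA* variants use the same construction)."""
    a1 = _h(alg, f"{username}:{realm}:{password}".encode()) \
        + f":{nonce}:{cnonce}".encode()
    if authzid:
        a1 += f":{authzid}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    if qop in ("auth-int", "auth-conf"):
        a2 += b":00000000000000000000000000000000"
    ha1, ha2 = _h(alg, a1).hex(), _h(alg, a2).hex()
    return _h(alg, f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hex()

def server_validates(alg, password, fields, proof) -> bool:
    """Server side: recompute the proof from the stored password and the
    client's fields. A mismatch is what the log reports as
    'Authentication rejected (invalid proof)'."""
    expected = digest_response(alg, password=password, **fields)
    return hmac.compare_digest(expected, proof)

# Constructed sample exchange (made-up values, not from the report).
FIELDS = dict(username="admin", realm="ManagementRealm", nonce="c0ffee11",
              cnonce="deadbeef", nc="00000001", qop="auth",
              digest_uri="remote/localhost.localdomain")
PASSWORD = "s3cret"

def demo() -> dict:
    server_alg = "sha256"  # server advertised DIGEST-SHA-256
    good = digest_response(server_alg, password=PASSWORD, **FIELDS)
    md5_only = digest_response("md5", password=PASSWORD, **FIELDS)
    return {
        "sha256_proof_accepted": server_validates(server_alg, PASSWORD, FIELDS, good),
        "md5_proof_accepted": server_validates(server_alg, PASSWORD, FIELDS, md5_only),
        "md5_is_fips_approved": "md5" in FIPS_APPROVED_HASHES,
        "sha256_is_fips_approved": server_alg in FIPS_APPROVED_HASHES,
    }

if __name__ == "__main__":
    print(demo())
```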