[jboss-jira] [JBoss JIRA] (ELY-1160) Elytron, SASL digest mechanism works only with MD5 hash function

Farah Juma (JIRA) issues at jboss.org
Tue Sep 12 11:53:00 EDT 2017


     [ https://issues.jboss.org/browse/ELY-1160?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Farah Juma resolved ELY-1160.
-----------------------------
    Resolution: Rejected


Closing this one since the corresponding JBEAP issue was rejected, because this is just a configuration issue. Using DIGEST-SHA, DIGEST-SHA-256, and DIGEST-SHA-512 does work properly.

> Elytron, SASL digest mechanism works only with MD5 hash function
> ----------------------------------------------------------------
>
>                 Key: ELY-1160
>                 URL: https://issues.jboss.org/browse/ELY-1160
>             Project: WildFly Elytron
>          Issue Type: Bug
>            Reporter: Martin Choma
>            Priority: Critical
>
> The Elytron SASL mechanism works only with MD5. When trying to use one of DIGEST-SHA, DIGEST-SHA-256 or DIGEST-SHA-512, I get
> {code}
> ELY05055: [DIGEST-SHA-256] Authentication rejected (invalid proof)
> {code}
> I know these mechanisms are marked as tech preview [2], but they should work.
> The DIGEST hash function can cause problems in a FIPS environment, as in this customer case [1] with the HTTP DIGEST mechanism.
> {code:title=server.log}
> 10:56:26,243 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Initialized connection from /127.0.0.1:39291 to /127.0.0.1:9990 with options {org.jboss.remoting3.RemotingOptions.SASL_PROTOCOL=>remote}
> 10:56:26,244 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Accepted connection from /127.0.0.1:39291 to localhost.localdomain/127.0.0.1:9990
> 10:56:26,250 TRACE [org.jboss.remoting.remote] (management I/O-2) Setting read listener to org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial at 63e189b6
> 10:56:26,252 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Sent 28 bytes
> 10:56:26,252 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Flushed channel
> 10:56:26,261 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers in queue for message header
> 10:56:26,262 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated fresh buffers
> 10:56:26,262 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received 59 bytes
> 10:56:26,262 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received message java.nio.HeapByteBuffer[pos=0 lim=55 cap=8192]
> 10:56:26,263 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Received java.nio.HeapByteBuffer[pos=0 lim=55 cap=8192]
> 10:56:26,263 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capabilities request
> 10:56:26,263 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: version 1
> 10:56:26,263 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote endpoint name "cli-client"
> 10:56:26,263 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: message close protocol supported
> 10:56:26,263 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote version is "5.0.0.Beta22-redhat-1"
> 10:56:26,263 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote channels in is "40"
> 10:56:26,263 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote channels out is "40"
> 10:56:26,263 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: authentication service
> 10:56:26,264 TRACE [org.jboss.remoting.remote.server] (management I/O-2) No EXTERNAL mechanism due to lack of SSL
> 10:56:26,269 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Added mechanism DIGEST-SHA-256
> 10:56:26,269 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Sent 85 bytes
> 10:56:26,269 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Flushed channel
> 10:56:26,384 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers in queue for message header
> 10:56:26,384 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated fresh buffers
> 10:56:26,384 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received 20 bytes
> 10:56:26,385 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received message java.nio.HeapByteBuffer[pos=0 lim=16 cap=8192]
> 10:56:26,385 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Received java.nio.HeapByteBuffer[pos=0 lim=16 cap=8192]
> 10:56:26,385 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received authentication request
> 10:56:26,391 TRACE [org.wildfly.security] (management I/O-2) Handling MechanismInformationCallback type='SASL' name='DIGEST-SHA-256' host-name='localhost.localdomain' protocol='remote'
> 10:56:26,392 TRACE [org.wildfly.security] (management I/O-2) Handling MechanismInformationCallback type='SASL' name='DIGEST-SHA-256' host-name='localhost.localdomain' protocol='remote'
> 10:56:26,393 TRACE [org.wildfly.security] (management I/O-2) Handling AvailableRealmsCallback: realms = [ManagementRealm]
> 10:56:26,454 TRACE [org.jboss.remoting.endpoint] (management I/O-2) Allocated tick to 8 of endpoint "localhost:MANAGEMENT" <1f0d26e2> (opened org.jboss.remoting3.EndpointImpl$TrackingExecutor at 55587716)
> 10:56:26,460 TRACE [org.jboss.remoting.remote.server] (management task-1) Server sending authentication challenge
> 10:56:26,461 TRACE [org.jboss.remoting.remote] (management task-1) Setting read listener to org.jboss.remoting3.remote.ServerConnectionOpenListener$Authentication at 5a85277e
> 10:56:26,461 TRACE [org.jboss.remoting.endpoint] (management task-1) Resource closed count 00000007 of endpoint "localhost:MANAGEMENT" <1f0d26e2> (closed org.jboss.remoting3.EndpointImpl$TrackingExecutor at 55587716)
> 10:56:26,461 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Sent 118 bytes
> 10:56:26,462 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Flushed channel
> 10:56:29,472 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers in queue for message header
> 10:56:29,473 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated fresh buffers
> 10:56:29,473 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received 324 bytes
> 10:56:29,473 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received message java.nio.HeapByteBuffer[pos=0 lim=320 cap=8192]
> 10:56:29,473 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Received java.nio.HeapByteBuffer[pos=0 lim=320 cap=8192]
> 10:56:29,473 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received authentication response
> 10:56:29,473 TRACE [org.jboss.remoting.endpoint] (management I/O-2) Allocated tick to 8 of endpoint "localhost:MANAGEMENT" <1f0d26e2> (opened org.jboss.remoting3.EndpointImpl$TrackingExecutor at 55587716)
> 10:56:29,475 TRACE [org.wildfly.security] (management task-2) Handling RealmCallback: selected = [ManagementRealm]
> 10:56:29,475 TRACE [org.wildfly.security] (management task-2) Handling NameCallback: authenticationName = admin
> 10:56:29,476 TRACE [org.wildfly.security] (management task-2) Principal assigning: [admin], pre-realm rewritten: [admin], realm name: [ManagementRealm], post-realm rewritten: [admin], realm rewritten: [admin]
> 10:56:29,478 TRACE [org.wildfly.security] (management task-2) Handling CredentialCallback: failed to obtain credential
> 10:56:29,478 TRACE [org.wildfly.security] (management task-2) Handling RealmCallback: selected = [ManagementRealm]
> 10:56:29,478 TRACE [org.wildfly.security] (management task-2) Handling NameCallback: authenticationName = admin
> 10:56:29,483 TRACE [org.wildfly.security] (management task-2) Handling CredentialCallback: obtained credential: org.wildfly.security.credential.PasswordCredential at 7917c4d1
> 10:56:29,485 TRACE [org.jboss.remoting.remote.server] (management task-2) Server sending authentication rejected: javax.security.sasl.SaslException: ELY05055: [DIGEST-SHA-256] Authentication rejected (invalid proof)
>     at org.wildfly.security.sasl.digest.DigestSaslServer.validateDigestResponse(DigestSaslServer.java:279)
>     at org.wildfly.security.sasl.digest.DigestSaslServer.evaluateMessage(DigestSaslServer.java:355)
>     at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180)
>     at org.wildfly.security.sasl.digest.DigestSaslServer.evaluateResponse(DigestSaslServer.java:328)
>     at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
>     at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
>     at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:57)
>     at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
>     at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
>     at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:470)
>     at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:897)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at java.lang.Thread.run(Thread.java:745)
> 10:56:29,486 TRACE [org.wildfly.security] (management task-2) Handling AuthenticationCompleteCallback: fail
> 10:56:29,498 TRACE [org.jboss.remoting.remote] (management task-2) Setting read listener to org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial at 3770546b
> 10:56:29,498 TRACE [org.jboss.remoting.endpoint] (management task-2) Resource closed count 00000007 of endpoint "localhost:MANAGEMENT" <1f0d26e2> (closed org.jboss.remoting3.EndpointImpl$TrackingExecutor at 55587716)
> 10:56:29,499 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Sent 5 bytes
> 10:56:29,499 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Flushed channel
> 10:56:29,499 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers in queue for message header
> 10:56:29,499 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated fresh buffers
> 10:56:29,500 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received 59 bytes
> 10:56:29,500 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received message java.nio.HeapByteBuffer[pos=0 lim=55 cap=8192]
> 10:56:29,500 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Received java.nio.HeapByteBuffer[pos=0 lim=55 cap=8192]
> 10:56:29,500 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capabilities request
> 10:56:29,500 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: version 1
> 10:56:29,500 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote endpoint name "cli-client"
> 10:56:29,500 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: message close protocol supported
> 10:56:29,500 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote version is "5.0.0.Beta22-redhat-1"
> 10:56:29,500 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote channels in is "40"
> 10:56:29,500 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote channels out is "40"
> 10:56:29,500 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: authentication service
> 10:56:29,501 TRACE [org.jboss.remoting.remote.server] (management I/O-2) No EXTERNAL mechanism due to lack of SSL
> 10:56:29,502 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Added mechanism DIGEST-SHA-256
> 10:56:29,502 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Sent 85 bytes
> 10:56:29,502 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Flushed channel
> 10:56:29,503 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers in queue for message header
> 10:56:29,503 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated fresh buffers
> 10:56:29,503 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received EOF
> 10:56:29,503 TRACE [org.jboss.remoting.remote] (management I/O-2) Received connection end-of-stream
> {code}
> [1] https://access.redhat.com/support/cases/#/case/01761455
> [2] https://docs.google.com/document/d/1JelV424cHI1cr1BSH2MCXDAUlorGGJGca7uwZvXFavc/edit#
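The resolution above classifies the "invalid proof" rejection as a configuration issue rather than a mechanism bug. The following Python is an added illustration, not Elytron's code and not a diagnosis of this ticket: it computes a digest-style SASL proof with the RFC 2831 (DIGEST-MD5) layout but with the hash function as a parameter, and shows one general way the proof check fails without any defect in the mechanism, namely when the server's stored pre-hashed credential was produced with a different hash than the negotiated mechanism uses. `DigestServer`, `digest_proof`, `user_hash`, `run_scenarios` and all sample values (user, realm, password, nonces, digest-uri) are constructed for the example.

```python
"""Digest-style SASL proof (RFC 2831 layout) with the hash as a parameter.
Added illustration, not Elytron code; names and sample values are constructed."""
import hashlib
import hmac


def _hexh(alg: str, data: bytes) -> str:
    # HEX(H(data)) from RFC 2831. On a FIPS-enforcing OpenSSL build hashlib.new("md5")
    # can raise ValueError, which is the operational reason to move off MD5-based digests.
    return hashlib.new(alg, data).hexdigest()


def user_hash(alg: str, username: str, realm: str, password: str) -> bytes:
    """H(username ":" realm ":" password), the only input that involves the password.
    A server may store just this value instead of the clear password, which ties the
    stored credential to one hash algorithm."""
    return hashlib.new(alg, f"{username}:{realm}:{password}".encode()).digest()


def digest_proof(alg, uhash, nonce, cnonce, nc, qop, digest_uri,
                 authzid=None, rspauth=False) -> str:
    """response-value (client) or rspauth-value (server) following RFC 2831 2.1.2.1,
    with the hash swapped for `alg` (e.g. "md5" or "sha256")."""
    a1 = uhash + f":{nonce}:{cnonce}".encode()
    if authzid:
        a1 += f":{authzid}".encode()
    # The client proof's A2 starts with "AUTHENTICATE"; the server's rspauth omits it.
    a2 = (b"" if rspauth else b"AUTHENTICATE") + f":{digest_uri}".encode()
    if qop in ("auth-int", "auth-conf"):
        a2 += b":" + b"0" * 32
    ha1, ha2 = _hexh(alg, a1), _hexh(alg, a2)
    return _hexh(alg, f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())


class DigestServer:
    """Minimal server side: credential store keyed by (user, realm), holding
    pre-hashed user_hash values per hash algorithm."""

    def __init__(self):
        self._store = {}  # (username, realm) -> {alg: uhash}

    def add_user(self, username, realm, password, algs):
        self._store[(username, realm)] = {
            a: user_hash(a, username, realm, password) for a in algs}

    def verify(self, alg, username, realm, client_response,
               nonce, cnonce, nc, qop, digest_uri):
        """Return (accepted, rspauth). `alg` is the hash of the negotiated mechanism."""
        uhash = self._store.get((username, realm), {}).get(alg)
        if uhash is None:
            # No credential usable with this mechanism's hash: the proof cannot be recomputed.
            return False, None
        expected = digest_proof(alg, uhash, nonce, cnonce, nc, qop, digest_uri)
        # Constant-time comparison of the hex proofs.
        if not hmac.compare_digest(expected, client_response):
            return False, None
        return True, digest_proof(alg, uhash, nonce, cnonce, nc, qop, digest_uri, rspauth=True)


def run_scenarios() -> dict:
    """Constructed scenarios; returns a dict of outcomes for inspection."""
    user, realm, pw = "admin", "ManagementRealm", "constructed-password"
    nonce, cnonce, nc, qop = "n0nce", "cn0nce", "00000001", "auth"
    uri = "remote/localhost.localdomain"
    results = {}

    def client(alg, password=pw):
        return digest_proof(alg, user_hash(alg, user, realm, password),
                            nonce, cnonce, nc, qop, uri)

    # 1. Server stores a SHA-256 credential and the client negotiates the SHA-256 variant.
    srv = DigestServer()
    srv.add_user(user, realm, pw, ["sha256"])
    ok, rspauth = srv.verify("sha256", user, realm, client("sha256"),
                             nonce, cnonce, nc, qop, uri)
    results["sha256_match"] = ok
    results["rspauth_differs_from_response"] = rspauth != client("sha256")

    # 2. Server holds only an MD5 pre-hash while the client negotiates the SHA-256 variant.
    srv_md5 = DigestServer()
    srv_md5.add_user(user, realm, pw, ["md5"])
    results["md5_store_sha256_mech"] = srv_md5.verify(
        "sha256", user, realm, client("sha256"), nonce, cnonce, nc, qop, uri)[0]

    # 3. Same algorithm, wrong password on the client: proof must be rejected.
    results["wrong_password"] = srv.verify(
        "sha256", user, realm, client("sha256", "wrong"), nonce, cnonce, nc, qop, uri)[0]
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Scenario 2 is the configuration shape to check for when a SHA-variant digest mechanism is rejected while DIGEST-MD5 keeps working: a realm that stores only an MD5 pre-hash (or no credential the mechanism can use) leaves the server unable to recompute the proof, whereas a clear password or a pre-hash for the negotiated algorithm lets it verify. RFC 2831 section 4 carries a full DIGEST-MD5 example exchange that can be used to check `digest_proof` with `alg="md5"`.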



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)