This is an automated email from the ASF dual-hosted git repository. soarez pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/kafka.git
The following commit(s) were added to refs/heads/trunk by this push: new d7e5d0a59b5 KAFKA-18064: SASL mechanisms should throw exception on wrap/unwrap (#17901) d7e5d0a59b5 is described below commit d7e5d0a59b5bc33c3a802b6ddcc2e58339ef07be Author: Istvan Toth <st...@stoty.hu> AuthorDate: Tue Jan 14 12:30:01 2025 +0100 KAFKA-18064: SASL mechanisms should throw exception on wrap/unwrap (#17901) SASL mechanisms that do support neither integrity nor confidentality should throw exception on wrap/unwrap. The current implementation does not implement wrap/unwrap correctly. This may cause security issues, if the code using the mechanisms does not check for QOP correctly. Reviewers: Gaurav Narula <gaurav_naru...@apple.com>, Igor Soarez <i...@soarez.me>
---
 .../common/security/oauthbearer/internals/OAuthBearerSaslClient.java | 5 ++---
 .../common/security/oauthbearer/internals/OAuthBearerSaslServer.java | 5 ++---
 .../kafka/common/security/plain/internals/PlainSaslServer.java | 5 ++---
 .../kafka/common/security/scram/internals/ScramSaslClient.java | 4 ++--
 .../kafka/common/security/scram/internals/ScramSaslServer.java | 5 ++---
 5 files changed, 10 insertions(+), 14 deletions(-)
diff --git a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerSaslClient.java b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerSaslClient.java
index 6561f12f503..447678163b4 100644
--- a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerSaslClient.java
+++ b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerSaslClient.java
@@ -29,7 +29,6 @@ import org.slf4j.LoggerFactory;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
-import java.util.Arrays;
 import java.util.Map;
 import java.util.Objects;
@@ -131,14 +130,14 @@ public class OAuthBearerSaslClient implements SaslClient {
 public byte[] unwrap(byte[] incoming, int offset, int len) {
 if (!isComplete()) throw new IllegalStateException("Authentication exchange has not completed");
- return Arrays.copyOfRange(incoming, offset, offset + len);
+ throw new IllegalStateException("OAUTHBEARER supports neither integrity nor privacy");
 }
 @Override
 public byte[] wrap(byte[] outgoing, int offset, int len) {
 if (!isComplete()) throw new IllegalStateException("Authentication exchange has not completed");
- return Arrays.copyOfRange(outgoing, offset, offset + len);
+ throw new IllegalStateException("OAUTHBEARER supports neither integrity nor privacy");
 }
 @Override
diff --git a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerSaslServer.java b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerSaslServer.java
index bf5c4723ee1..a60f33d0ef1 100644
--- a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerSaslServer.java
+++ b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerSaslServer.java
@@ -31,7 +31,6 @@ import org.slf4j.LoggerFactory;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
-import java.util.Arrays;
 import java.util.Map;
 import java.util.Objects;
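Review bot: Nothing in this commit tests the new failure path: the diffstat touches only the five classes under clients/src/main, so the switch from pass-through to throwing in `OAuthBearerSaslClient.wrap` and `unwrap` is not pinned by any assertion. A test that completes the exchange and then checks `assertThrows(IllegalStateException.class, () -> client.wrap(new byte[0], 0, 0));` (and the same for `unwrap`) would stop a later refactor from quietly restoring the copy. The same gap applies to OAuthBearerSaslServer, PlainSaslServer, ScramSaslClient and ScramSaslServer. The hunk starts at the `unwrap` signature, so the rest of the class is outside the view.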
@@ -134,14 +133,14 @@ public class OAuthBearerSaslServer implements SaslServer {
 public byte[] unwrap(byte[] incoming, int offset, int len) {
 if (!complete) throw new IllegalStateException("Authentication exchange has not completed");
- return Arrays.copyOfRange(incoming, offset, offset + len);
+ throw new IllegalStateException("OAUTHBEARER supports neither integrity nor privacy");
 }
 @Override
 public byte[] wrap(byte[] outgoing, int offset, int len) {
 if (!complete) throw new IllegalStateException("Authentication exchange has not completed");
- return Arrays.copyOfRange(outgoing, offset, offset + len);
+ throw new IllegalStateException("OAUTHBEARER supports neither integrity nor privacy");
 }
 @Override
diff --git a/clients/src/main/java/org/apache/kafka/common/security/plain/internals/PlainSaslServer.java b/clients/src/main/java/org/apache/kafka/common/security/plain/internals/PlainSaslServer.java
index 6dcb6d62b16..999862160f5 100644
--- a/clients/src/main/java/org/apache/kafka/common/security/plain/internals/PlainSaslServer.java
+++ b/clients/src/main/java/org/apache/kafka/common/security/plain/internals/PlainSaslServer.java
@@ -21,7 +21,6 @@ import org.apache.kafka.common.security.plain.PlainAuthenticateCallback;
 import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.List;
 import java.util.Map;
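Review bot: The unconditional throw in `OAuthBearerSaslServer.wrap` and `unwrap` carries no comment saying why a completed exchange still fails, and the `complete` guard directly above it reads as if the call should succeed once authentication is done. A one-line comment before each throw, for example `// SaslServer contract: wrap/unwrap are valid only when integrity or privacy was negotiated; OAUTHBEARER negotiates neither`, would tie the behaviour to the javax.security.sasl API. The same comment fits the other four classes changed in this commit.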
@@ -162,14 +161,14 @@ public class PlainSaslServer implements SaslServer {
 public byte[] unwrap(byte[] incoming, int offset, int len) {
 if (!complete) throw new IllegalStateException("Authentication exchange has not completed");
- return Arrays.copyOfRange(incoming, offset, offset + len);
+ throw new IllegalStateException("PLAIN supports neither integrity nor privacy");
 }
 @Override
 public byte[] wrap(byte[] outgoing, int offset, int len) {
 if (!complete) throw new IllegalStateException("Authentication exchange has not completed");
- return Arrays.copyOfRange(outgoing, offset, offset + len);
+ throw new IllegalStateException("PLAIN supports neither integrity nor privacy");
 }
 @Override
diff --git a/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslClient.java b/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslClient.java
index 852875b9e5f..9afcd6c07e3 100644
--- a/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslClient.java
+++ b/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslClient.java
@@ -162,14 +162,14 @@ public class ScramSaslClient implements SaslClient {
 public byte[] unwrap(byte[] incoming, int offset, int len) {
 if (!isComplete()) throw new IllegalStateException("Authentication exchange has not completed");
- return Arrays.copyOfRange(incoming, offset, offset + len);
+ throw new IllegalStateException("SCRAM supports neither integrity nor privacy");
 }
 @Override
 public byte[] wrap(byte[] outgoing, int offset, int len) {
 if (!isComplete()) throw new IllegalStateException("Authentication exchange has not completed");
- return Arrays.copyOfRange(outgoing, offset, offset + len);
+ throw new IllegalStateException("SCRAM supports neither integrity nor privacy");
 }
 @Override
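Review bot: Callers can avoid the new exception from `PlainSaslServer.wrap` and `unwrap` only if the negotiated QOP tells them no security layer exists, and `getNegotiatedProperty` is outside this hunk. It is worth confirming that `getNegotiatedProperty(Sasl.QOP)` reports `auth` (or null) on every class touched here, since a generic SASL transport presumably decides from that value whether to call wrap/unwrap at all. If any of them reported `auth-int` or `auth-conf`, a caller following the API would now hit the IllegalStateException on its first message after authentication.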
diff --git a/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslServer.java b/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslServer.java
index 2be4c4e24b6..e8576e03798 100644
--- a/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslServer.java
+++ b/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslServer.java
@@ -35,7 +35,6 @@ import org.slf4j.LoggerFactory;
 import java.security.InvalidKeyException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
-import java.util.Arrays;
 import java.util.Collection;
 import java.util.Map;
 import java.util.Set;
@@ -205,14 +204,14 @@ public class ScramSaslServer implements SaslServer {
 public byte[] unwrap(byte[] incoming, int offset, int len) {
 if (!isComplete()) throw new IllegalStateException("Authentication exchange has not completed");
- return Arrays.copyOfRange(incoming, offset, offset + len);
+ throw new IllegalStateException("SCRAM supports neither integrity nor privacy");
 }
 @Override
 public byte[] wrap(byte[] outgoing, int offset, int len) {
 if (!isComplete()) throw new IllegalStateException("Authentication exchange has not completed");
- return Arrays.copyOfRange(outgoing, offset, offset + len);
+ throw new IllegalStateException("SCRAM supports neither integrity nor privacy");
 }
 @Override
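Review bot: The message in `ScramSaslServer.wrap` and `unwrap` hard-codes `SCRAM` and appears four times across this class and ScramSaslClient, so a log line cannot say which SCRAM variant was in use and the copies can drift apart. Building it from the interface's own accessor, e.g. `throw new IllegalStateException(getMechanismName() + " supports neither integrity nor privacy");`, keeps the text in step with the mechanism; a small private helper would remove the duplication. What `getMechanismName()` returns in these classes is outside the hunk, so confirm it yields the specific mechanism name.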