This is an automated email from the ASF dual-hosted git repository.

soarez pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/kafka.git


The following commit(s) were added to refs/heads/trunk by this push:
     new d7e5d0a59b5 KAFKA-18064: SASL mechanisms should throw exception on 
wrap/unwrap (#17901)
d7e5d0a59b5 is described below

commit d7e5d0a59b5bc33c3a802b6ddcc2e58339ef07be
Author: Istvan Toth <st...@stoty.hu>
AuthorDate: Tue Jan 14 12:30:01 2025 +0100

    KAFKA-18064: SASL mechanisms should throw exception on wrap/unwrap (#17901)
    
    SASL mechanisms that support neither integrity nor confidentiality should 
throw an exception on wrap/unwrap.
    
    The current implementation does not implement wrap/unwrap correctly.
    This may cause security issues, if the code using the mechanisms does
    not check for QOP correctly.
    
    Reviewers: Gaurav Narula <gaurav_naru...@apple.com>, Igor Soarez 
<i...@soarez.me>
---
 .../common/security/oauthbearer/internals/OAuthBearerSaslClient.java | 5 ++---
 .../common/security/oauthbearer/internals/OAuthBearerSaslServer.java | 5 ++---
 .../kafka/common/security/plain/internals/PlainSaslServer.java       | 5 ++---
 .../kafka/common/security/scram/internals/ScramSaslClient.java       | 4 ++--
 .../kafka/common/security/scram/internals/ScramSaslServer.java       | 5 ++---
 5 files changed, 10 insertions(+), 14 deletions(-)

diff --git 
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerSaslClient.java
 
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerSaslClient.java
index 6561f12f503..447678163b4 100644
--- 
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerSaslClient.java
+++ 
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerSaslClient.java
@@ -29,7 +29,6 @@ import org.slf4j.LoggerFactory;
 
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
-import java.util.Arrays;
 import java.util.Map;
 import java.util.Objects;
 
@@ -131,14 +130,14 @@ public class OAuthBearerSaslClient implements SaslClient {
     public byte[] unwrap(byte[] incoming, int offset, int len) {
         if (!isComplete())
             throw new IllegalStateException("Authentication exchange has not 
completed");
-        return Arrays.copyOfRange(incoming, offset, offset + len);
+        throw new IllegalStateException("OAUTHBEARER supports neither 
integrity nor privacy");
     }
 
     @Override
     public byte[] wrap(byte[] outgoing, int offset, int len) {
         if (!isComplete())
             throw new IllegalStateException("Authentication exchange has not 
completed");
-        return Arrays.copyOfRange(outgoing, offset, offset + len);
+        throw new IllegalStateException("OAUTHBEARER supports neither 
integrity nor privacy");
     }
 
     @Override
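Review bot: Nothing in this commit pins the new behaviour of `unwrap` and `wrap` with a test; the diffstat lists only the five classes under `clients/src/main/java`. A later refactor could restore the pass-through `Arrays.copyOfRange(...)` return without any build failure. A unit test per mechanism that completes the exchange and then asserts `assertThrows(IllegalStateException.class, () -> client.wrap(new byte[0], 0, 0))`, and the same for `unwrap`, would cover it. The same gap applies to the OAuthBearerSaslServer, PlainSaslServer, ScramSaslClient and ScramSaslServer hunks.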
diff --git 
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerSaslServer.java
 
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerSaslServer.java
index bf5c4723ee1..a60f33d0ef1 100644
--- 
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerSaslServer.java
+++ 
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerSaslServer.java
@@ -31,7 +31,6 @@ import org.slf4j.LoggerFactory;
 
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
-import java.util.Arrays;
 import java.util.Map;
 import java.util.Objects;
 
@@ -134,14 +133,14 @@ public class OAuthBearerSaslServer implements SaslServer {
     public byte[] unwrap(byte[] incoming, int offset, int len) {
         if (!complete)
             throw new IllegalStateException("Authentication exchange has not 
completed");
-        return Arrays.copyOfRange(incoming, offset, offset + len);
+        throw new IllegalStateException("OAUTHBEARER supports neither 
integrity nor privacy");
     }
 
     @Override
     public byte[] wrap(byte[] outgoing, int offset, int len) {
         if (!complete)
             throw new IllegalStateException("Authentication exchange has not 
completed");
-        return Arrays.copyOfRange(outgoing, offset, offset + len);
+        throw new IllegalStateException("OAUTHBEARER supports neither 
integrity nor privacy");
     }
 
     @Override
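Review bot: The unconditional `throw` after the `!complete` guard in `unwrap` and `wrap` can read like a leftover, because both paths raise the same exception type and the parameters are now unused. A short comment above each new throw would record the intent, for example `// No security layer is negotiated (authentication only); the SaslServer contract specifies IllegalStateException in that case.` The same comment would fit the corresponding throws in the other four classes touched by this commit.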
diff --git 
a/clients/src/main/java/org/apache/kafka/common/security/plain/internals/PlainSaslServer.java
 
b/clients/src/main/java/org/apache/kafka/common/security/plain/internals/PlainSaslServer.java
index 6dcb6d62b16..999862160f5 100644
--- 
a/clients/src/main/java/org/apache/kafka/common/security/plain/internals/PlainSaslServer.java
+++ 
b/clients/src/main/java/org/apache/kafka/common/security/plain/internals/PlainSaslServer.java
@@ -21,7 +21,6 @@ import 
org.apache.kafka.common.security.plain.PlainAuthenticateCallback;
 
 import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.List;
 import java.util.Map;
 
@@ -162,14 +161,14 @@ public class PlainSaslServer implements SaslServer {
     public byte[] unwrap(byte[] incoming, int offset, int len) {
         if (!complete)
             throw new IllegalStateException("Authentication exchange has not 
completed");
-        return Arrays.copyOfRange(incoming, offset, offset + len);
+        throw new IllegalStateException("PLAIN supports neither integrity nor 
privacy");
     }
 
     @Override
     public byte[] wrap(byte[] outgoing, int offset, int len) {
         if (!complete)
             throw new IllegalStateException("Authentication exchange has not 
completed");
-        return Arrays.copyOfRange(outgoing, offset, offset + len);
+        throw new IllegalStateException("PLAIN supports neither integrity nor 
privacy");
     }
 
     @Override
diff --git 
a/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslClient.java
 
b/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslClient.java
index 852875b9e5f..9afcd6c07e3 100644
--- 
a/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslClient.java
+++ 
b/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslClient.java
@@ -162,14 +162,14 @@ public class ScramSaslClient implements SaslClient {
     public byte[] unwrap(byte[] incoming, int offset, int len) {
         if (!isComplete())
             throw new IllegalStateException("Authentication exchange has not 
completed");
-        return Arrays.copyOfRange(incoming, offset, offset + len);
+        throw new IllegalStateException("SCRAM supports neither integrity nor 
privacy");
     }
 
     @Override
     public byte[] wrap(byte[] outgoing, int offset, int len) {
         if (!isComplete())
             throw new IllegalStateException("Authentication exchange has not 
completed");
-        return Arrays.copyOfRange(outgoing, offset, offset + len);
+        throw new IllegalStateException("SCRAM supports neither integrity nor 
privacy");
     }
 
     @Override
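Review bot: Callers can now only avoid the exception from `wrap`/`unwrap` by checking the negotiated QOP before using them, and `getNegotiatedProperty` lies outside this hunk. It is worth confirming that it reports `auth` for `Sasl.QOP` once the exchange has completed. If it returns `null` for that key, a generic SASL transport presumably cannot tell in advance that no security layer exists. The same check applies to the other four classes changed here.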
diff --git 
a/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslServer.java
 
b/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslServer.java
index 2be4c4e24b6..e8576e03798 100644
--- 
a/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslServer.java
+++ 
b/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslServer.java
@@ -35,7 +35,6 @@ import org.slf4j.LoggerFactory;
 import java.security.InvalidKeyException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
-import java.util.Arrays;
 import java.util.Collection;
 import java.util.Map;
 import java.util.Set;
@@ -205,14 +204,14 @@ public class ScramSaslServer implements SaslServer {
     public byte[] unwrap(byte[] incoming, int offset, int len) {
         if (!isComplete())
             throw new IllegalStateException("Authentication exchange has not 
completed");
-        return Arrays.copyOfRange(incoming, offset, offset + len);
+        throw new IllegalStateException("SCRAM supports neither integrity nor 
privacy");
     }
 
     @Override
     public byte[] wrap(byte[] outgoing, int offset, int len) {
         if (!isComplete())
             throw new IllegalStateException("Authentication exchange has not 
completed");
-        return Arrays.copyOfRange(outgoing, offset, offset + len);
+        throw new IllegalStateException("SCRAM supports neither integrity nor 
privacy");
     }
 
     @Override
