Work on channel binding.
adiaholic committed Feb 5, 2020
1 parent 644a43a commit 04b60d9
Showing 1 changed file with 48 additions and 47 deletions.
Expand Up @@ -25,7 +25,9 @@
import org.jivesoftware.smack.SmackException.SmackSaslException;
import org.jivesoftware.smack.sasl.SASLMechanism;

import org.jivesoftware.smack.util.ByteUtils;
import org.jivesoftware.smack.util.SHA1;
import org.jivesoftware.smack.util.StringUtils;
import org.jivesoftware.smack.util.stringencoder.Base32;

import org.bouncycastle.asn1.ASN1ObjectIdentifier;
Expand Down Expand Up @@ -115,7 +117,7 @@ public byte[] getASN1DERencoding(String objectIdentifier) throws IOException {
* A GS2 mechanism that has a non-OID-derived SASL mechanism name is
* said to have a "user-friendly SASL mechanism name".
*/
public void generateSASLMechanismNameManually() {
protected void generateSASLMechanismNameManually() {
}

@Override
Expand All @@ -124,59 +126,58 @@ protected void authenticateInternal(CallbackHandler cbh) throws SmackSaslExcepti

@Override
protected byte[] getAuthenticationText() throws SmackSaslException {
return null;
}

/**
* The generic structure has been taken from Section 4. of RFC 4422.
* And this is an implementation for Section 5.1 RFC 5801.
*/
public void generate_GSS_Init_sec_context() {
Integer initiator_address_type = 0;
String initiator_address = "";
Integer acceptor_address_type = 0;
String acceptor_address = "";

/**
* During the SASL authentication exchange for GS2, a number of messages
* following the following format are sent between the client and server. On
* success, this number is the same as the number of context tokens that the
* GSS-API mechanism would normally require in order to establish a security
* context. On failures, the exchange can be terminated early by any party.
*
* When using a GS2 mechanism the SASL client is always a GSS-API initiator and
* the SASL server is always a GSS-API acceptor. The client calls
* GSS_Init_sec_context and the server calls GSS_Accept_sec_context.
*
* All the SASL authentication messages exchanged are exactly the same as the
* security context tokens of the GSS-API mechanism, except for the initial
* security context token.
*
* The client and server MAY send GSS-API error tokens (tokens output by
* GSS_Init_sec_context() or GSS_Accept_sec_context() when the major status code
* is other than GSS_S_COMPLETE or GSS_S_CONTINUE_NEEDED). As this indicates an
* error condition, after sending the token, the sending side should fail the
* authentication.
*
* The initial security context token is modified as follows:
*
* o The initial context token header (see Section 3.1 of [RFC2743]) MUST be
* removed if present. If the header is not present, the client MUST send a
* "gs2-nonstd-flag" flag (see below). On the server side, this header MUST be
* recomputed and restored prior to passing the token to GSS_Accept_sec_context,
* except when the "gs2- nonstd-flag" is sent.
*
* o A GS2 header MUST be prefixed to the resulting initial context token. This
* header has the form "gs2-header" given below in ABNF [RFC5234].
* The application-data field MUST be set to the gs2-header, excluding
* the initial [gs2-nonstd-flag ","] part, concatenated with, when a
* gs2-cb-flag of "p" is used, the application's channel binding data.
*
* The figure below describes the permissible attributes, their use, and the
* format of their values. All attribute names are single US-ASCII letters and
* are case sensitive.
*
* The "gs2-cb-flag" signals the channel binding mode. One of "p", "n", or "y"
* is used. A "p" means the client supports and used a channel binding, and the
* name of the channel binding type is indicated. An "n" means that the client
* does not support channel binding. A "y" means the client supports channel
* binding, but believes the server does not support it, so it did not use a
* channel binding. See the next section for more details.
* gs2-header = [gs2-nonstd-flag ","] gs2-cb-flag "," [gs2-authzid] ","
* ;; The GS2 header is gs2-header.
*/

// @Todo : Remove initial context token header if present
byte[] gs2_cb_flag = "gs2-cb-flag=\"p\"".getBytes();
byte[] gs2_authzid = ("gs2-authzid="+authenticationId).getBytes();

String application_data = String.valueOf(ByteUtils.concat(gs2_cb_flag,gs2_authzid));

// @Todo : If header is not present, the client must send a 'gs2-nonstd-flag'.
}

private String getGS2Header() {
String authzidPortion = "";
if (authorizationId != null) {
authzidPortion = "a=" + authorizationId;
}

// @Todo : GS2 header must be prefixed to the resulting initial context token.
// This header has the form 'gs2-header'
// ASN1InputStream input = new ASN1InputStream(objectID.getBytes());
String cbName = getChannelBindingName();
assert StringUtils.isNotEmpty(cbName);

return null;
return cbName + ',' + authzidPortion + ",";
}


protected String getChannelBindingName() {
// Check if we are using TLS and if a "-PLUS" variant of this mechanism is enabled. Assuming that the "-PLUS"
// variants always have precedence before the non-"-PLUS" variants this means that the server did not announce
// the "-PLUS" variant, as otherwise we would have tried it.
if (sslSession != null && connectionConfiguration.isEnabledSaslMechanism(getName() + "-PLUS")) {
// Announce that we support Channel Binding, i.e., the '-PLUS' flavor of this SASL mechanism, but that we
// believe the server does not.
return "y";
}
return "n";
}

@Override
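Review bot: In getGS2Header the authorization id is concatenated unescaped into the gs2-authzid field, but RFC 5801 defines gs2-authzid as "a=" saslname where every "," and "=" in the name has to be encoded as "=2C" and "=3D", so a "," in the id would otherwise break the header's comma framing. A minimal fix is `authzidPortion = "a=" + authorizationId.replace("=", "=3D").replace(",", "=2C");` (the "=" substitution must run first). The `assert StringUtils.isNotEmpty(cbName)` further down is only active with -ea, so an empty name from an overriding getChannelBindingName() would reach the server unnoticed in production; an explicit `if (StringUtils.isNullOrEmpty(cbName)) throw new IllegalStateException("Channel binding name must not be empty");` would be safer. As written, getChannelBindingName() can only yield "n" or "y", so no "p" header carrying channel-binding data is produced yet — presumably intended for a follow-up given the commit title.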

0 comments on commit 04b60d9
