From 8e55f5cdea2fa3f6b06d4f0d4d4c05366b917b41 Mon Sep 17 00:00:00 2001
From: Ludovic Poitou <ludovic.poitou@forgerock.com>
Date: Wed, 10 Nov 2010 18:57:00 +0000
Subject: [PATCH] Fix for OPENDJ-9, Compatibility: Support SHA2 hashes with salts greater than 64bits. The changes are providing compatibility with passwords hashed by other libraries and systems such as AIX Directory Server 6.3. Specific tests have been added and could be extended with more varied passwords.

---
 opendj-sdk/opends/src/server/org/opends/server/extensions/SaltedSHA512PasswordStorageScheme.java |   26 ++++++++++++++++----------
 1 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/opendj-sdk/opends/src/server/org/opends/server/extensions/SaltedSHA512PasswordStorageScheme.java b/opendj-sdk/opends/src/server/org/opends/server/extensions/SaltedSHA512PasswordStorageScheme.java
index b0a6bcf..8065641 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/extensions/SaltedSHA512PasswordStorageScheme.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/extensions/SaltedSHA512PasswordStorageScheme.java
@@ -23,6 +23,7 @@
  *
  *
  *      Copyright 2006-2008 Sun Microsystems, Inc.
+ *      Portions Copyright 2010 ForgeRock AS.
  */
 package org.opends.server.extensions;
 
@@ -83,6 +84,8 @@
   private static final int NUM_SALT_BYTES = 8;
 
 
+  // The size of the digest in bytes.
+  private static final int SHA512_LENGTH = 512 / 8;
 
   // The message digest that will actually be used to generate the 512-bit SHA-2
   // hashes.
@@ -269,18 +272,21 @@
   public boolean passwordMatches(ByteSequence plaintextPassword,
                                  ByteSequence storedPassword)
   {
-    // Base64-decode the stored value and take the last 8 bytes as the salt.
-    byte[] saltBytes = new byte[NUM_SALT_BYTES];
-    byte[] digestBytes;
+    // Base64-decode the stored value and take the first 512 bits
+    // (SHA512_LENGTH) as the digest.
+    byte[] saltBytes;
+    byte[] digestBytes = new byte[SHA512_LENGTH];
+    int saltLength = 0;
+
     try
     {
       byte[] decodedBytes = Base64.decode(storedPassword.toString());
 
-      int digestLength = decodedBytes.length - NUM_SALT_BYTES;
-      digestBytes = new byte[digestLength];
-      System.arraycopy(decodedBytes, 0, digestBytes, 0, digestLength);
-      System.arraycopy(decodedBytes, digestLength, saltBytes, 0,
-                       NUM_SALT_BYTES);
+      saltLength = decodedBytes.length - SHA512_LENGTH;
+      saltBytes = new byte[saltLength];
+      System.arraycopy(decodedBytes, 0, digestBytes, 0, SHA512_LENGTH);
+      System.arraycopy(decodedBytes, SHA512_LENGTH, saltBytes, 0,
+                       saltLength);
     }
     catch (Exception e)
     {
@@ -298,10 +304,10 @@
 
     // Use the salt to generate a digest based on the provided plain-text value.
     int plainBytesLength = plaintextPassword.length();
-    byte[] plainPlusSalt = new byte[plainBytesLength + NUM_SALT_BYTES];
+    byte[] plainPlusSalt = new byte[plainBytesLength + saltLength];
     plaintextPassword.copyTo(plainPlusSalt);
     System.arraycopy(saltBytes, 0,plainPlusSalt, plainBytesLength,
-                     NUM_SALT_BYTES);
+                     saltLength);
 
     byte[] userDigestBytes;
 

--
Gitblit v1.10.0