From 7fc458b7be71111b4c4a6e91f7b3ed6642b104a1 Mon Sep 17 00:00:00 2001
From: Chris Ridd <chris.ridd@forgerock.com>
Date: Tue, 16 Jul 2013 14:12:20 +0000
Subject: [PATCH] CR-2005 Fix OPENDJ-1036 Cleanup passwords in memory?

---
 opends/src/server/org/opends/server/extensions/BlowfishPasswordStorageScheme.java |   19 +++++++++++++++++--
 1 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/opends/src/server/org/opends/server/extensions/BlowfishPasswordStorageScheme.java b/opends/src/server/org/opends/server/extensions/BlowfishPasswordStorageScheme.java
index 889088f..4cfd38b 100644
--- a/opends/src/server/org/opends/server/extensions/BlowfishPasswordStorageScheme.java
+++ b/opends/src/server/org/opends/server/extensions/BlowfishPasswordStorageScheme.java
@@ -23,6 +23,7 @@
  *
  *
  *      Copyright 2008 Sun Microsystems, Inc.
+ *      Portions Copyright 2013 ForgeRock AS
  */
 package org.opends.server.extensions;
 
@@ -37,6 +38,8 @@
 import org.opends.server.types.*;
 import org.opends.server.util.Base64;
 
+import java.util.Arrays;
+
 import static org.opends.messages.ExtensionMessages.*;
 import static org.opends.server.extensions.ExtensionsConstants.*;
 import static org.opends.server.loggers.debug.DebugLogger.*;
@@ -109,10 +112,11 @@
   public ByteString encodePassword(ByteSequence plaintext)
          throws DirectoryException
   {
+    byte[] plaintextBytes = null;
     try
     {
       // TODO: Can we avoid this copy?
-      byte[] plaintextBytes = plaintext.toByteArray();
+      plaintextBytes = plaintext.toByteArray();
       byte[] encodedBytes =
            cryptoManager.encrypt(CIPHER_TRANSFORMATION_BLOWFISH,
                                  KEY_SIZE_BLOWFISH, plaintextBytes);
@@ -130,6 +134,11 @@
       throw new DirectoryException(DirectoryServer.getServerErrorResultCode(),
                                    m, e);
     }
+    finally
+    {
+      if (plaintextBytes != null)
+        Arrays.fill(plaintextBytes, (byte) 0);
+    }
   }
 
 
@@ -145,11 +154,12 @@
     buffer.append('{');
     buffer.append(STORAGE_SCHEME_NAME_BLOWFISH);
     buffer.append('}');
+    byte[] plaintextBytes = null;
 
     try
     {
       // TODO: Can we avoid this copy?
-      byte[] plaintextBytes = plaintext.toByteArray();
+      plaintextBytes = plaintext.toByteArray();
       byte[] encodedBytes =
            cryptoManager.encrypt(CIPHER_TRANSFORMATION_BLOWFISH,
                                  KEY_SIZE_BLOWFISH, plaintextBytes);
@@ -167,6 +177,11 @@
       throw new DirectoryException(DirectoryServer.getServerErrorResultCode(),
                                    m, e);
     }
+    finally
+    {
+      if (plaintextBytes != null)
+        Arrays.fill(plaintextBytes, (byte) 0);
+    }
 
     return ByteString.valueOf(buffer.toString());
   }

--
Gitblit v1.10.0