From 7fc458b7be71111b4c4a6e91f7b3ed6642b104a1 Mon Sep 17 00:00:00 2001
From: Chris Ridd <chris.ridd@forgerock.com>
Date: Tue, 16 Jul 2013 14:12:20 +0000
Subject: [PATCH] CR-2005 Fix OPENDJ-1036 Cleanup passwords in memory?
---
opends/src/server/org/opends/server/extensions/SHA1PasswordStorageScheme.java | 26 +++++++++++++++++++++++---
1 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/opends/src/server/org/opends/server/extensions/SHA1PasswordStorageScheme.java b/opends/src/server/org/opends/server/extensions/SHA1PasswordStorageScheme.java
index 569c24d..69ec9c9 100644
--- a/opends/src/server/org/opends/server/extensions/SHA1PasswordStorageScheme.java
+++ b/opends/src/server/org/opends/server/extensions/SHA1PasswordStorageScheme.java
@@ -23,12 +23,14 @@
*
*
* Copyright 2006-2008 Sun Microsystems, Inc.
+ * Portions Copyright 2013 ForgeRock AS.
*/
package org.opends.server.extensions;
import java.security.MessageDigest;
+import java.util.Arrays;
import org.opends.messages.Message;
import org.opends.server.admin.std.server.SHA1PasswordStorageSchemeCfg;
@@ -140,13 +142,14 @@
throws DirectoryException
{
byte[] digestBytes;
+ byte[] plaintextBytes = null;
synchronized (digestLock)
{
try
{
// TODO: Can we avoid this copy?
- byte[] plaintextBytes = plaintext.toByteArray();
+ plaintextBytes = plaintext.toByteArray();
digestBytes = messageDigest.digest(plaintextBytes);
}
catch (Exception e)
@@ -161,6 +164,11 @@
throw new DirectoryException(DirectoryServer.getServerErrorResultCode(),
message, e);
}
+ finally
+ {
+ if (plaintextBytes != null)
+ Arrays.fill(plaintextBytes, (byte) 0);
+ }
}
return ByteString.valueOf(Base64.encode(digestBytes));
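Review bot: The `Arrays.fill(plaintextBytes, (byte) 0)` in this `finally` wipes only the array returned by `plaintext.toByteArray()`; the `plaintext` ByteSequence passed in by the caller is untouched, so the cleartext remains on the heap until the caller releases it. A comment would stop the next reader from over-trusting the cleanup, for example `// Wipes only our temporary copy; the caller's ByteSequence still holds the cleartext.` The same applies to the `finally` blocks added at `@@ -202,6 +211,11 @@` and `@@ -238,6 +253,11 @@`. The `if` is also unbraced, which is easy to break when a second cleanup statement is added later. The enclosing method starts and ends outside this hunk.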
@@ -181,13 +189,14 @@
buffer.append('}');
// TODO: Can we avoid this copy?
- byte[] plaintextBytes = plaintext.toByteArray();
+ byte[] plaintextBytes = null;
byte[] digestBytes;
synchronized (digestLock)
{
try
{
+ plaintextBytes = plaintext.toByteArray();
digestBytes = messageDigest.digest(plaintextBytes);
}
catch (Exception e)
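Review bot: The `// TODO: Can we avoid this copy?` comment now sits above `byte[] plaintextBytes = null;`, but the copy it refers to has moved into the `try` block. Move the comment down so it sits directly above `plaintextBytes = plaintext.toByteArray();`, as it does in the first method. The hunk at `@@ -219,13 +233,14 @@` leaves the same comment stranded above `byte[] plaintextPasswordBytes = null;`. The enclosing method starts and ends outside this hunk.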
@@ -202,6 +211,11 @@
throw new DirectoryException(DirectoryServer.getServerErrorResultCode(),
message, e);
}
+ finally
+ {
+ if (plaintextBytes != null)
+ Arrays.fill(plaintextBytes, (byte) 0);
+ }
}
buffer.append(Base64.encode(digestBytes));
@@ -219,13 +233,14 @@
ByteSequence storedPassword)
{
// TODO: Can we avoid this copy?
- byte[] plaintextPasswordBytes = plaintextPassword.toByteArray();
+ byte[] plaintextPasswordBytes = null;
ByteString userPWDigestBytes;
synchronized (digestLock)
{
try
{
+ plaintextPasswordBytes = plaintextPassword.toByteArray();
userPWDigestBytes =
ByteString.wrap(messageDigest.digest(plaintextPasswordBytes));
}
@@ -238,6 +253,11 @@
return false;
}
+ finally
+ {
+ if (plaintextPasswordBytes != null)
+ Arrays.fill(plaintextPasswordBytes, (byte) 0);
+ }
}
ByteString storedPWDigestBytes;
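Review bot: The comparison of `userPWDigestBytes` with the stored digest happens below this hunk and is not visible here, so it is worth checking that it runs in constant time. If it is a plain `equals` on the two ByteStrings, its running time may depend on how many leading bytes match. Comparing the raw digest arrays with `MessageDigest.isEqual(...)` would avoid that, and `java.security.MessageDigest` is already imported in this file. The `return false;` at the top of the hunk belongs to a catch block that starts outside it.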
--
Gitblit v1.10.0