From aba086d243c22f496db8bd8e4f689f6a43126f2e Mon Sep 17 00:00:00 2001
From: Ludovic Poitou <ludovic.poitou@forgerock.com>
Date: Wed, 10 Nov 2010 18:57:00 +0000
Subject: [PATCH] Fix for OPENDJ-9, Compatibility: Support SHA2 hashes with salts greater than 64bits. The changes provide compatibility with passwords hashed by other libraries and systems such as AIX Directory Server 6.3. Specific tests have been added and could be extended with more varied passwords.
---
opends/src/server/org/opends/server/extensions/SaltedSHA256PasswordStorageScheme.java | 27 ++++++++++++++++-----------
1 files changed, 16 insertions(+), 11 deletions(-)
diff --git a/opends/src/server/org/opends/server/extensions/SaltedSHA256PasswordStorageScheme.java b/opends/src/server/org/opends/server/extensions/SaltedSHA256PasswordStorageScheme.java
index 258e3af..927fb79 100644
--- a/opends/src/server/org/opends/server/extensions/SaltedSHA256PasswordStorageScheme.java
+++ b/opends/src/server/org/opends/server/extensions/SaltedSHA256PasswordStorageScheme.java
@@ -23,6 +23,7 @@
*
*
* Copyright 2006-2008 Sun Microsystems, Inc.
+ * Portions Copyright 2010 ForgeRock AS.
*/
package org.opends.server.extensions;
@@ -82,7 +83,8 @@
*/
private static final int NUM_SALT_BYTES = 8;
-
+ // Size of the dgiest in bytes.
+ private static final int SHA256_LENGTH = 256 / 8;
// The message digest that will actually be used to generate the 256-bit SHA-2
// hashes.
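Review bot: The comment on the new SHA256_LENGTH constant misspells "digest" and does not say which digest it sizes; suggest `// Size of the SHA-256 digest in bytes (256 bits).` so the relationship to the `256 / 8` expression and to the digest slice taken in passwordMatches is explicit. It would also help to note that the remainder of a decoded stored value after this many bytes is treated as the salt, since that is the contract the rest of the patch relies on.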
@@ -270,18 +272,21 @@
public boolean passwordMatches(ByteSequence plaintextPassword,
ByteSequence storedPassword)
{
- // Base64-decode the stored value and take the last 8 bytes as the salt.
- byte[] saltBytes = new byte[NUM_SALT_BYTES];
- byte[] digestBytes;
+ // Base64-decode the stored value and take the first 256 bits
+ // (SHA256_LENGTH) as the digest.
+ byte[] saltBytes;
+ byte[] digestBytes = new byte[SHA256_LENGTH];
+ int saltLength = 0;
+
try
{
byte[] decodedBytes = Base64.decode(storedPassword.toString());
- int digestLength = decodedBytes.length - NUM_SALT_BYTES;
- digestBytes = new byte[digestLength];
- System.arraycopy(decodedBytes, 0, digestBytes, 0, digestLength);
- System.arraycopy(decodedBytes, digestLength, saltBytes, 0,
- NUM_SALT_BYTES);
+ saltLength = decodedBytes.length - SHA256_LENGTH;
+ saltBytes = new byte[saltLength];
+ System.arraycopy(decodedBytes, 0, digestBytes, 0, SHA256_LENGTH);
+ System.arraycopy(decodedBytes, SHA256_LENGTH, saltBytes, 0,
+ saltLength);
}
catch (Exception e)
{
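Review bot: The new salt extraction accepts a zero-length salt: a stored value that decodes to exactly SHA256_LENGTH bytes gives `saltLength == 0`, an empty `saltBytes`, and the comparison then proceeds against a plain unsalted SHA-256 of the password, whereas the old code required at least NUM_SALT_BYTES trailing bytes. If unsalted values are not an intended compatibility case, reject them before allocating, e.g. `if (saltLength <= 0) return false;`, which also makes the short-input case explicit instead of relying on `new byte[saltLength]` throwing NegativeArraySizeException into the broad `catch (Exception e)` below. The fourth hunk uses `saltLength` the same way and needs no further change once this check is in place. passwordMatches continues past the end of this hunk, so the catch body and the final digest comparison are not visible here; it is worth confirming that the comparison of `digestBytes` against the recomputed digest is length-independent in timing (e.g. `MessageDigest.isEqual`) now that the salt length is attacker-influenced via the stored value.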
@@ -299,10 +304,10 @@
// Use the salt to generate a digest based on the provided plain-text value.
int plainBytesLength = plaintextPassword.length();
- byte[] plainPlusSalt = new byte[plainBytesLength + NUM_SALT_BYTES];
+ byte[] plainPlusSalt = new byte[plainBytesLength + saltLength];
plaintextPassword.copyTo(plainPlusSalt);
System.arraycopy(saltBytes, 0,plainPlusSalt, plainBytesLength,
- NUM_SALT_BYTES);
+ saltLength);
byte[] userDigestBytes;
--
Gitblit v1.10.0