From aba086d243c22f496db8bd8e4f689f6a43126f2e Mon Sep 17 00:00:00 2001
From: Ludovic Poitou <ludovic.poitou@forgerock.com>
Date: Wed, 10 Nov 2010 18:57:00 +0000
Subject: [PATCH] Fix for OPENDJ-9, Compatibility: Support SHA2 hashes with salts greater than 64bits. The changes are providing compatibility with passwords hashed by other libraries and systems such as AIX Directory Server 6.3. Specific tests have been added and could be extended with more varied passwords.

---
 opends/src/server/org/opends/server/extensions/SaltedSHA384PasswordStorageScheme.java |   26 ++++++++++++++++----------
 1 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/opends/src/server/org/opends/server/extensions/SaltedSHA384PasswordStorageScheme.java b/opends/src/server/org/opends/server/extensions/SaltedSHA384PasswordStorageScheme.java
index 5ae2c10..d2cc809 100644
--- a/opends/src/server/org/opends/server/extensions/SaltedSHA384PasswordStorageScheme.java
+++ b/opends/src/server/org/opends/server/extensions/SaltedSHA384PasswordStorageScheme.java
@@ -23,6 +23,7 @@
  *
  *
  *      Copyright 2006-2008 Sun Microsystems, Inc.
+ *      Portions Copyright 2010 ForgeRock AS.
  */
 package org.opends.server.extensions;
 
@@ -83,6 +84,8 @@
   private static final int NUM_SALT_BYTES = 8;
 
 
+  // The size of the digest in bytes.
+  private static final int SHA384_LENGTH = 384 / 8;
 
   // The message digest that will actually be used to generate the 384-bit SHA-2
   // hashes.
@@ -270,18 +273,21 @@
   public boolean passwordMatches(ByteSequence plaintextPassword,
                                  ByteSequence storedPassword)
   {
-    // Base64-decode the stored value and take the last 8 bytes as the salt.
-    byte[] saltBytes = new byte[NUM_SALT_BYTES];
-    byte[] digestBytes;
+    // Base64-decode the stored value and take the first 384 bits
+    // (SHA384_LENGTH) as the digest.
+    byte[] saltBytes;
+    byte[] digestBytes = new byte[SHA384_LENGTH];
+    int saltLength = 0;
+
     try
     {
       byte[] decodedBytes = Base64.decode(storedPassword.toString());
 
-      int digestLength = decodedBytes.length - NUM_SALT_BYTES;
-      digestBytes = new byte[digestLength];
-      System.arraycopy(decodedBytes, 0, digestBytes, 0, digestLength);
-      System.arraycopy(decodedBytes, digestLength, saltBytes, 0,
-                       NUM_SALT_BYTES);
+      saltLength = decodedBytes.length - SHA384_LENGTH;
+      saltBytes = new byte[saltLength];
+      System.arraycopy(decodedBytes, 0, digestBytes, 0, SHA384_LENGTH);
+      System.arraycopy(decodedBytes, SHA384_LENGTH, saltBytes, 0,
+                       saltLength);
     }
     catch (Exception e)
     {
@@ -299,10 +305,10 @@
 
     // Use the salt to generate a digest based on the provided plain-text value.
     int plainBytesLength = plaintextPassword.length();
-    byte[] plainPlusSalt = new byte[plainBytesLength + NUM_SALT_BYTES];
+    byte[] plainPlusSalt = new byte[plainBytesLength + saltLength];
     plaintextPassword.copyTo(plainPlusSalt);
     System.arraycopy(saltBytes, 0,plainPlusSalt, plainBytesLength,
-                     NUM_SALT_BYTES);
+                     saltLength);
 
     byte[] userDigestBytes;
 

--
Gitblit v1.10.0