From 7fc458b7be71111b4c4a6e91f7b3ed6642b104a1 Mon Sep 17 00:00:00 2001
From: Chris Ridd <chris.ridd@forgerock.com>
Date: Tue, 16 Jul 2013 14:12:20 +0000
Subject: [PATCH] CR-2005 Fix OPENDJ-1036 Cleanup passwords in memory?
---
opends/src/server/org/opends/server/extensions/SaltedSHA512PasswordStorageScheme.java | 30 +++++++++++++++++++++++++++---
1 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/opends/src/server/org/opends/server/extensions/SaltedSHA512PasswordStorageScheme.java b/opends/src/server/org/opends/server/extensions/SaltedSHA512PasswordStorageScheme.java
index 8e553a9..e3d5460 100644
--- a/opends/src/server/org/opends/server/extensions/SaltedSHA512PasswordStorageScheme.java
+++ b/opends/src/server/org/opends/server/extensions/SaltedSHA512PasswordStorageScheme.java
@@ -23,7 +23,7 @@
*
*
* Copyright 2006-2008 Sun Microsystems, Inc.
- * Portions Copyright 2010 ForgeRock AS.
+ * Portions Copyright 2010-2013 ForgeRock AS.
*/
package org.opends.server.extensions;
@@ -192,6 +192,10 @@
throw new DirectoryException(DirectoryServer.getServerErrorResultCode(),
message, e);
}
+ finally
+ {
+ Arrays.fill(plainPlusSalt, (byte) 0);
+ }
}
// Append the salt to the hashed value and base64-the whole thing.
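Review bot: The added `finally` block that wipes `plainPlusSalt` carries no comment saying why the array is cleared, and the same holds for the identical blocks in the hunks at -250, -334 and -403. Without one, a later cleanup could drop the call as dead code, so I would add `// Wipe the password+salt working copy so cleartext does not linger on the heap after hashing.` above each `Arrays.fill`. The comment should also say the wipe is best-effort: only this working copy is cleared, and whether the plaintext survives in a caller-owned buffer cannot be seen from the hunk. The enclosing method starts and ends outside the hunk.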
@@ -250,6 +254,10 @@
throw new DirectoryException(DirectoryServer.getServerErrorResultCode(),
message, e);
}
+ finally
+ {
+ Arrays.fill(plainPlusSalt, (byte) 0);
+ }
}
// Append the salt to the hashed value and base64-the whole thing.
@@ -334,6 +342,10 @@
return false;
}
+ finally
+ {
+ Arrays.fill(plainPlusSalt, (byte) 0);
+ }
}
return Arrays.equals(digestBytes, userDigestBytes);
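Review bot: The closing comparison `return Arrays.equals(digestBytes, userDigestBytes);` is not constant-time, because `Arrays.equals` may return at the first differing byte, so the password check still varies in duration with the stored digest even though the buffer is now wiped. `return MessageDigest.isEqual(digestBytes, userDigestBytes);` removes that dependency. The file presumably already imports `java.security.MessageDigest`, given the `messageDigest` object used in the -452 hunk, but the import is not visible here. The same applies to `Arrays.equals(digestBytes, messageDigest.digest(plainPlusSaltBytes))` in the -452 hunk. The enclosing method starts outside the hunk.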
@@ -403,6 +415,10 @@
throw new DirectoryException(DirectoryServer.getServerErrorResultCode(),
message, e);
}
+ finally
+ {
+ Arrays.fill(plainPlusSalt, (byte) 0);
+ }
}
@@ -452,8 +468,15 @@
synchronized (digestLock)
{
- return Arrays.equals(digestBytes,
- messageDigest.digest(plainPlusSaltBytes));
+ try
+ {
+ return Arrays.equals(digestBytes,
+ messageDigest.digest(plainPlusSaltBytes));
+ }
+ finally
+ {
+ Arrays.fill(plainPlusSaltBytes, (byte) 0);
+ }
}
}
@@ -555,6 +578,7 @@
System.arraycopy(digestBytes, 0, digestPlusSalt, 0, digestBytes.length);
System.arraycopy(saltBytes, 0, digestPlusSalt, digestBytes.length,
NUM_SALT_BYTES);
+ Arrays.fill(passwordPlusSalt, (byte) 0);
return "{" + STORAGE_SCHEME_NAME_SALTED_SHA_512 + "}" +
Base64.encode(digestPlusSalt);
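Review bot: `Arrays.fill(passwordPlusSalt, (byte) 0);` is a plain statement just before the return here, whereas every other hunk in this patch puts the wipe in a `finally` block. If the digest computation earlier in the method can throw (it lies outside the hunk, so this is an assumption), the buffer keeps the cleartext on that path. I would wrap the digest call as `try { ... } finally { Arrays.fill(passwordPlusSalt, (byte) 0); }` so this method behaves like the others. The method body starts outside the hunk.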
--
Gitblit v1.10.0