From 9582291a9ff7961af7a4ed579a76dc3db3cae66e Mon Sep 17 00:00:00 2001
From: Ludovic Poitou <ludovic.poitou@forgerock.com>
Date: Sun, 21 Nov 2010 19:35:53 +0000
Subject: [PATCH] Update code to log a message when the base64 decoded password is smaller than expected (salt length is zero or less). Provide basic test for SHA384, and minor updates.
---
opends/src/server/org/opends/server/extensions/SaltedSHA512PasswordStorageScheme.java | 8 ++++
opends/src/server/org/opends/server/extensions/SaltedSHA384PasswordStorageScheme.java | 8 ++++
opends/tests/unit-tests-testng/src/server/org/opends/server/extensions/SaltedSHA256PasswordStorageSchemeTestCase.java | 2
opends/tests/unit-tests-testng/src/server/org/opends/server/extensions/SaltedSHA384PasswordStorageSchemeTestCase.java | 69 ++++++++++++++++++++++++++++++++++
opends/src/server/org/opends/server/extensions/SaltedSHA256PasswordStorageScheme.java | 8 ++++
opends/tests/unit-tests-testng/src/server/org/opends/server/extensions/SaltedSHA512PasswordStorageSchemeTestCase.java | 2
opends/src/messages/messages/extension.properties | 2 +
opends/src/messages/messages/extension_fr.properties | 1
opends/src/server/org/opends/server/extensions/SaltedSHA1PasswordStorageScheme.java | 9 ++++
9 files changed, 107 insertions(+), 2 deletions(-)
diff --git a/opends/src/messages/messages/extension.properties b/opends/src/messages/messages/extension.properties
index 8d31afb..763eeb0 100644
--- a/opends/src/messages/messages/extension.properties
+++ b/opends/src/messages/messages/extension.properties
@@ -1428,3 +1428,5 @@
MILD_ERR_PASSWORDPOLICYSUBENTRY_VATTR_NOT_SEARCHABLE_577=The %s \
attribute is not searchable and should not be included in otherwise \
unindexed search filters
+MILD_ERR_PWSCHEME_INVALID_BASE64_DECODED_STORED_PASSWORD_578=The password \
+value %s has been base64-decoded but is too short to be valid
diff --git a/opends/src/messages/messages/extension_fr.properties b/opends/src/messages/messages/extension_fr.properties
index cf02896..5dcb94e 100644
--- a/opends/src/messages/messages/extension_fr.properties
+++ b/opends/src/messages/messages/extension_fr.properties
@@ -529,3 +529,4 @@
INFO_GSSAPI_STOPPED_575=Le gestionnaire de m\u00e9canisme SASL GSSAPI s'est arr\u00eat\u00e9
MILD_ERR_COLLECTIVEATTRIBUTESUBENTRIES_VATTR_NOT_SEARCHABLE_576=L'attribut %s ne peut pas faire l'objet d'une recherche et ne doit pas \u00eatre inclus dans des filtres de recherche non index\u00e9s
MILD_ERR_PASSWORDPOLICYSUBENTRY_VATTR_NOT_SEARCHABLE_577=L'attribut %s ne peut pas faire l'objet d'une recherche et ne doit pas \u00eatre inclus dans des filtres de recherche non index\u00e9s
+MILD_ERR_PWSCHEME_INVALID_BASE64_DECODED_STORED_PASSWORD_578=La valeur du mot de passe %s a \u00e9t\u00e9 d\u00e9cod\u00e9 en base64, mais est trop courte pour \u00eatre valide
diff --git a/opends/src/server/org/opends/server/extensions/SaltedSHA1PasswordStorageScheme.java b/opends/src/server/org/opends/server/extensions/SaltedSHA1PasswordStorageScheme.java
index e986365..49bd575 100644
--- a/opends/src/server/org/opends/server/extensions/SaltedSHA1PasswordStorageScheme.java
+++ b/opends/src/server/org/opends/server/extensions/SaltedSHA1PasswordStorageScheme.java
@@ -23,6 +23,7 @@
*
*
* Copyright 2006-2010 Sun Microsystems, Inc.
+ * Portions Copyright 2010 ForgeRock AS.
*/
package org.opends.server.extensions;
@@ -278,6 +279,14 @@
byte[] decodedBytes = Base64.decode(storedPassword.toString());
saltLength = decodedBytes.length - SHA1_LENGTH;
+ if (saltLength <= 0)
+ {
+ Message message =
+ ERR_PWSCHEME_INVALID_BASE64_DECODED_STORED_PASSWORD.get(
+ storedPassword.toString());
+ ErrorLogger.logError(message);
+ return false;
+ }
saltBytes = new byte[saltLength];
System.arraycopy(decodedBytes, 0, digestBytes, 0, SHA1_LENGTH);
System.arraycopy(decodedBytes, SHA1_LENGTH, saltBytes, 0,
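Review bot: The new guard passes `storedPassword.toString()` — the stored userPassword value itself — as the message argument to `ErrorLogger.logError`, so a truncated hash-plus-salt blob is copied into the error log, which is usually far less protected than the backend it came from; the same pattern appears in SaltedSHA256PasswordStorageScheme.java, SaltedSHA384PasswordStorageScheme.java and SaltedSHA512PasswordStorageScheme.java in this commit. Logging the decoded length instead of the value gives the operator enough to find the bad entry without writing credential material to disk, e.g. `ERR_PWSCHEME_INVALID_BASE64_DECODED_STORED_PASSWORD.get(String.valueOf(decodedBytes.length))` with the `%s` in the property text reworded accordingly. The check itself looks right: when `saltLength <= 0` the decoded value is no longer than SHA1_LENGTH, and without the early return the following `System.arraycopy` calls would either throw or accept an empty salt. No test exercises this short-value path; a data-provider entry whose base64 payload decodes to at most SHA1_LENGTH bytes, asserting the bind fails, would pin it. The enclosing method starts and ends outside the hunk.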
diff --git a/opends/src/server/org/opends/server/extensions/SaltedSHA256PasswordStorageScheme.java b/opends/src/server/org/opends/server/extensions/SaltedSHA256PasswordStorageScheme.java
index 927fb79..b51327d 100644
--- a/opends/src/server/org/opends/server/extensions/SaltedSHA256PasswordStorageScheme.java
+++ b/opends/src/server/org/opends/server/extensions/SaltedSHA256PasswordStorageScheme.java
@@ -283,6 +283,14 @@
byte[] decodedBytes = Base64.decode(storedPassword.toString());
saltLength = decodedBytes.length - SHA256_LENGTH;
+ if (saltLength <= 0)
+ {
+ Message message =
+ ERR_PWSCHEME_INVALID_BASE64_DECODED_STORED_PASSWORD.get(
+ storedPassword.toString());
+ ErrorLogger.logError(message);
+ return false;
+ }
saltBytes = new byte[saltLength];
System.arraycopy(decodedBytes, 0, digestBytes, 0, SHA256_LENGTH);
System.arraycopy(decodedBytes, SHA256_LENGTH, saltBytes, 0,
diff --git a/opends/src/server/org/opends/server/extensions/SaltedSHA384PasswordStorageScheme.java b/opends/src/server/org/opends/server/extensions/SaltedSHA384PasswordStorageScheme.java
index d2cc809..ebbb8bd 100644
--- a/opends/src/server/org/opends/server/extensions/SaltedSHA384PasswordStorageScheme.java
+++ b/opends/src/server/org/opends/server/extensions/SaltedSHA384PasswordStorageScheme.java
@@ -284,6 +284,14 @@
byte[] decodedBytes = Base64.decode(storedPassword.toString());
saltLength = decodedBytes.length - SHA384_LENGTH;
+ if (saltLength <= 0)
+ {
+ Message message =
+ ERR_PWSCHEME_INVALID_BASE64_DECODED_STORED_PASSWORD.get(
+ storedPassword.toString());
+ ErrorLogger.logError(message);
+ return false;
+ }
saltBytes = new byte[saltLength];
System.arraycopy(decodedBytes, 0, digestBytes, 0, SHA384_LENGTH);
System.arraycopy(decodedBytes, SHA384_LENGTH, saltBytes, 0,
diff --git a/opends/src/server/org/opends/server/extensions/SaltedSHA512PasswordStorageScheme.java b/opends/src/server/org/opends/server/extensions/SaltedSHA512PasswordStorageScheme.java
index 8065641..8e553a9 100644
--- a/opends/src/server/org/opends/server/extensions/SaltedSHA512PasswordStorageScheme.java
+++ b/opends/src/server/org/opends/server/extensions/SaltedSHA512PasswordStorageScheme.java
@@ -283,6 +283,14 @@
byte[] decodedBytes = Base64.decode(storedPassword.toString());
saltLength = decodedBytes.length - SHA512_LENGTH;
+ if (saltLength <= 0)
+ {
+ Message message =
+ ERR_PWSCHEME_INVALID_BASE64_DECODED_STORED_PASSWORD.get(
+ storedPassword.toString());
+ ErrorLogger.logError(message);
+ return false;
+ }
saltBytes = new byte[saltLength];
System.arraycopy(decodedBytes, 0, digestBytes, 0, SHA512_LENGTH);
System.arraycopy(decodedBytes, SHA512_LENGTH, saltBytes, 0,
diff --git a/opends/tests/unit-tests-testng/src/server/org/opends/server/extensions/SaltedSHA256PasswordStorageSchemeTestCase.java b/opends/tests/unit-tests-testng/src/server/org/opends/server/extensions/SaltedSHA256PasswordStorageSchemeTestCase.java
index 9aa69bf..4123621 100644
--- a/opends/tests/unit-tests-testng/src/server/org/opends/server/extensions/SaltedSHA256PasswordStorageSchemeTestCase.java
+++ b/opends/tests/unit-tests-testng/src/server/org/opends/server/extensions/SaltedSHA256PasswordStorageSchemeTestCase.java
@@ -99,7 +99,7 @@
{
new Object[] { "secret", "{SSHA256}xIar81hLva6DoMGVtk5WWfJTnBvkyAsYkj0phSdBBDW2DC1dXI79cw==" }
};
-}
+ }
@Test(dataProvider = "testSSHA256Passwords")
public void testAuthSSHA256Passwords(
diff --git a/opends/tests/unit-tests-testng/src/server/org/opends/server/extensions/SaltedSHA384PasswordStorageSchemeTestCase.java b/opends/tests/unit-tests-testng/src/server/org/opends/server/extensions/SaltedSHA384PasswordStorageSchemeTestCase.java
index 6339891..ca63cc9 100644
--- a/opends/tests/unit-tests-testng/src/server/org/opends/server/extensions/SaltedSHA384PasswordStorageSchemeTestCase.java
+++ b/opends/tests/unit-tests-testng/src/server/org/opends/server/extensions/SaltedSHA384PasswordStorageSchemeTestCase.java
@@ -23,16 +23,23 @@
*
*
* Copyright 2006-2008 Sun Microsystems, Inc.
+ * Portions Copyright 2010 ForgeRock AS.
*/
package org.opends.server.extensions;
+import static org.testng.Assert.*;
+import org.testng.annotations.DataProvider;
+import org.testng.annotations.Test;
+
+import org.opends.server.TestCaseUtils;
import org.opends.server.admin.server.AdminTestCaseUtils;
import org.opends.server.admin.std.meta.
SaltedSHA384PasswordStorageSchemeCfgDefn;
import org.opends.server.admin.std.server.SaltedSHA384PasswordStorageSchemeCfg;
import org.opends.server.api.PasswordStorageScheme;
+import org.opends.server.types.Entry;
@@ -74,5 +81,67 @@
scheme.initializePasswordStorageScheme(configuration);
return scheme;
}
+
+ /**
+ * Retrieves a set of passwords (plain and SSHA384 encrypted) that may
+ * be used to test the compatibility of SSHA384 passwords.
+ * The encrypted versions have been provided by external tools or
+ * users
+ *
+ * @return A set of couple (cleartext, encrypted) passwords that
+ * may be used to test the SSHA384 password storage scheme
+ */
+
+ @DataProvider(name = "testSSHA384Passwords")
+ public Object[][] getTestSSHA384Passwords()
+ throws Exception
+ {
+ return new Object[][]
+ {
+ // Note that this test password has been generated with OpenDJ
+ // Ideally, they should come from other projects, programs
+ new Object[] { "secret", "{SSHA384}+Cw4SXSlJ9q++MCoOan5nWEcLEAMeRo4Y+1gmcZ8JinT9fz/5QG+npm8pQv2J2skOHy+FioGcig=" }
+ };
+}
+
+ @Test(dataProvider = "testSSHA384Passwords")
+ public void testAuthSSHA384Passwords(
+ String plaintextPassword,
+ String encodedPassword) throws Exception
+ {
+ // Start/clear-out the memory backend
+ TestCaseUtils.initializeTestBackend(true);
+
+ boolean allowPreencodedDefault = setAllowPreencodedPasswords(true);
+
+ try {
+
+ Entry userEntry = TestCaseUtils.makeEntry(
+ "dn: uid=testSSHA384.user,o=test",
+ "objectClass: top",
+ "objectClass: person",
+ "objectClass: organizationalPerson",
+ "objectClass: inetOrgPerson",
+ "uid: testSSHA384.user",
+ "givenName: TestSSHA384",
+ "sn: User",
+ "cn: TestSSHA384 User",
+ "userPassword: " + encodedPassword);
+
+
+ // Add the entry
+ TestCaseUtils.addEntry(userEntry);
+
+ assertTrue(TestCaseUtils.canBind("uid=testSSHA384.user,o=test",
+ plaintextPassword),
+ "Failed to bind when pre-encoded password = \"" +
+ encodedPassword + "\" and " +
+ "plaintext password = \"" +
+ plaintextPassword + "\"" );
+ } finally {
+ setAllowPreencodedPasswords(allowPreencodedDefault);
+ }
+ }
+
}
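Review bot: The closing brace of `getTestSSHA384Passwords` is written as `}` at column 0 while the method is indented, which is exactly the misindentation this same commit fixes in SaltedSHA256PasswordStorageSchemeTestCase.java and SaltedSHA512PasswordStorageSchemeTestCase.java; it should be `  }` at the method's indent so the new file does not reintroduce the glitch. The blank line between the Javadoc block and `@DataProvider(name = "testSSHA384Passwords")` separates the comment from the declaration it documents and should be removed, as should the doubled blank line after the `"userPassword: " + encodedPassword);` argument. In the Javadoc, `A set of couple (cleartext, encrypted) passwords` reads more naturally as `A set of (cleartext, encrypted) password pairs`. The added test only covers a well-formed pre-encoded value; the too-short decoded value branch that this commit adds to SaltedSHA384PasswordStorageScheme.java is not exercised here.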
diff --git a/opends/tests/unit-tests-testng/src/server/org/opends/server/extensions/SaltedSHA512PasswordStorageSchemeTestCase.java b/opends/tests/unit-tests-testng/src/server/org/opends/server/extensions/SaltedSHA512PasswordStorageSchemeTestCase.java
index 09135c7..4d58e67 100644
--- a/opends/tests/unit-tests-testng/src/server/org/opends/server/extensions/SaltedSHA512PasswordStorageSchemeTestCase.java
+++ b/opends/tests/unit-tests-testng/src/server/org/opends/server/extensions/SaltedSHA512PasswordStorageSchemeTestCase.java
@@ -100,7 +100,7 @@
{
new Object[] { "secret", "{SSHA512}8gRXO3lD2fGN3JIhbNJOsh31IRFKnWbDNl+cPH3HoJCkUpxZPG617TnN6Nvl2mVMSBLlzPu2eMpOhCDKoolNG6QCsYf2hppQTAVaqfx25PUJ1ngbuBiNDCpK6Xj5PYZiFwa+cpkY/Pzs77bLn3VMxmHhwa+vowfGhy5RRW+6npQ=" }
};
-}
+ }
@Test(dataProvider = "testSSHA512Passwords")
public void testAuthSSHA512Passwords(