Bug 167441
| Summary: | Need to add SHA2 hashed password storage support | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Retired] 389 | Reporter: | Nathan Kinder <nkinder> | ||||||||||
| Component: | Security - General | Assignee: | Nathan Kinder <nkinder> | ||||||||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Chandrasekar Kannan <ckannan> | ||||||||||
| Severity: | medium | Docs Contact: | |||||||||||
| Priority: | medium | ||||||||||||
| Version: | 7.1 | CC: | benl, jgalipea | ||||||||||
| Target Milestone: | --- | ||||||||||||
| Target Release: | --- | ||||||||||||
| Hardware: | All | ||||||||||||
| OS: | Linux | ||||||||||||
| Whiteboard: | |||||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||||
| Doc Text: | Story Points: | --- | |||||||||||
| Clone Of: | Environment: | ||||||||||||
| Last Closed: | 2011-06-06 18:07:32 UTC | Type: | --- | ||||||||||
| Regression: | --- | Mount Type: | --- | ||||||||||
| Documentation: | --- | CRM: | |||||||||||
| Verified Versions: | Category: | --- | |||||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||||
| Embargoed: | |||||||||||||
| Attachments: |
|
||||||||||||
Created attachment 118396 [details]
CVS Diffs
This implements plain and salted variations of SHA2 password storage schemes.
I changed the original sha1 functions that did all of the comparison and
encoding work to be more generic so that they could handle all of the SHA
storage schemes. These worker functions will be called from wrapper functions
that pass in which particular algorithm to use.
Created attachment 118401 [details]
Revised diffs
There was also a function in plugin.c that would check if the default storage
scheme plugin was actually loaded before completely starting up. It was not
comparing the entire scheme name however. This would cause a problem when your
default scheme was "SHA" and the "SHA" plugin was not loaded. It would go
through all of the loaded plugins looking for "SHA" comparing the first 3
characters. When it encountered "SHA256" (or any of the other non-salted SHA2
schemes), it would assume that they matched and the server would start up. I
still wanted to use strncasecmp to be safe, so I added a check to see if the
string lengths are the same before comparing the actual strings.
Created attachment 118517 [details]
Re-revised diffs
Rich and Noriko reminded me that static array size initialization must use
constants to be legal. Certain compilers error out if this is not followed. I
created a macro to use for array size initialization instead. I also added
default cases for the switch statements to catch anything unexpected.
Created attachment 118533 [details]
CVS Commit
Checked into ldapserver. Reviewed by Rich and Noriko.
cloned bug verified and there are automated tests. |
The Directory Server currently supports storing SHA1 hashed passwords in both plain and salted forms. It would be nice to add support for the more recent SHA2 hashing algorithms. Ideally, we would add the following password storage schemes: SHA256 SHA384 SHA512 SSHA256 SSHA384 SSHA512