Red Hat Bugzilla – Bug 167441
Need to add SHA2 hashed password storage support
Last modified: 2015-01-04 18:19:05 EST
The Directory Server currently supports storing SHA1 hashed passwords in both
plain and salted forms. It would be nice to add support for the more recent
SHA2 hashing algorithms. Ideally, we would add the following password storage
Created attachment 118396
This implements plain and salted variations of SHA2 password storage schemes.
I changed the original sha1 functions that did all of the comparison and
encoding work to be more generic so that they could handle all of the SHA
storage schemes. These worker functions will be called from wrapper functions
that pass in which particular algorithm to use.
Created attachment 118401
There was also a function in plugin.c that would check if the default storage
scheme plugin was actually loaded before completely starting up. It was not
comparing the entire scheme name however. This would cause a problem when your
default scheme was "SHA" and the "SHA" plugin was not loaded. It would go
through all of the loaded plugins looking for "SHA" comparing the first 3
characters. When it encountered "SHA256" (or any of the other non-salted SHA2
schemes), it would assume that they matched and the server would start up. I
still wanted to use strncasecmp to be safe, so I added a check to see if the
string lengths are the same before comparing the actual strings.
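The scheme-name check described in this comment, as an added example in C that is not the server's own plugin.c: the prefix-only strncasecmp beside the version with the length check, run over a constructed list of loaded scheme names.

```c
/* Added example: why a prefix-only strncasecmp lets a default scheme of
 * "SHA" match a loaded "SHA256" plugin, and the length check that fixes it.
 * The plugin list and function names are constructed for this example. */
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Constructed list of loaded password storage scheme plugin names;
 * note that the plain "SHA" plugin is deliberately absent. */
const char *loaded_schemes[] = { "CLEAR", "CRYPT", "SHA256", "SSHA256" };
#define N_LOADED (sizeof(loaded_schemes) / sizeof(loaded_schemes[0]))

/* Buggy check: compares only strlen(def) characters, so "SHA" is a
 * prefix of "SHA256" and is wrongly reported as loaded. */
int scheme_loaded_prefix(const char *def, const char **loaded, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (strncasecmp(def, loaded[i], strlen(def)) == 0)
            return 1;
    return 0;
}

/* Fixed check: require equal lengths before the case-insensitive compare,
 * so "SHA" only matches a plugin actually named "SHA" (any case). */
int scheme_loaded_exact(const char *def, const char **loaded, size_t n)
{
    size_t i, len = strlen(def);
    for (i = 0; i < n; i++)
        if (strlen(loaded[i]) == len && strncasecmp(def, loaded[i], len) == 0)
            return 1;
    return 0;
}

/* Returns 1 when the buggy check would let the server start with a default
 * scheme whose plugin is not really loaded. */
int default_scheme_false_positive(const char *def)
{
    return scheme_loaded_prefix(def, loaded_schemes, N_LOADED)
        && !scheme_loaded_exact(def, loaded_schemes, N_LOADED);
}
```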
Created attachment 118517
Rich and Noriko reminded me that static array size initialization must use
constants to be legal. Certain compilers error out if this is not followed. I
created a macro to use for array size initialization instead. I also added
default cases for the switch statements to catch anything unexpected.
Created attachment 118533
Checked into ldapserver. Reviewed by Rich and Noriko.
Cloned bug verified and there are automated tests.