Bug 167441 - Need to add SHA2 hashed password storage support
Need to add SHA2 hashed password storage support
Product: 389
Classification: Community
Component: Security - General
All Linux
medium Severity medium
Assigned To: Nathan Kinder
Chandrasekar Kannan
Depends On:
Reported: 2005-09-02 13:40 EDT by Nathan Kinder
Modified: 2015-01-04 18:19 EST (History)
2 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2011-06-06 14:07:32 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
CVS Diffs (30.04 KB, patch)
2005-09-02 13:50 EDT, Nathan Kinder
no flags Details | Diff
Revised diffs (30.98 KB, patch)
2005-09-02 15:22 EDT, Nathan Kinder
no flags Details | Diff
Re-revised diffs (31.70 KB, patch)
2005-09-06 12:42 EDT, Nathan Kinder
no flags Details | Diff
CVS Commit (1.06 KB, text/plain)
2005-09-06 17:17 EDT, Nathan Kinder
no flags Details

Description Nathan Kinder 2005-09-02 13:40:21 EDT
The Directory Server currently supports storing SHA1 hashed passwords in both
plain and salted forms.  It would be nice to add support for the more recent
SHA2 hashing algorithms.  Ideally, we would add the following password storage

Comment 1 Nathan Kinder 2005-09-02 13:50:22 EDT
Created attachment 118396 [details]
CVS Diffs

This implements plain and salted variations of SHA2 password storage schemes. 
I changed the original sha1 functions that did all of the comparison and
encoding work to be more generic so that they could handle all of the SHA
storage schemes.  These worker functions will be called from wrapper functions
that pass in which particular algorithm to use.
Comment 2 Nathan Kinder 2005-09-02 15:22:28 EDT
Created attachment 118401 [details]
Revised diffs

There was also a function in plugin.c that would check if the default storage
scheme plugin was actually loaded before completely starting up.  It was not
comparing the entire scheme name however. This would cause a problem when your
default scheme was "SHA" and the "SHA" plugin was not loaded. It would go
through all of the loaded plugins looking for "SHA" comparing the first 3
characters. When it encountered "SHA256" (or any of the other non-salted SHA2
schemes), it would assume that they matched and the server would start up.  I
still wanted to use strncasecmp to be safe, so I added a check to see if the
string lengths are the same before comparing the actual strings.
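The prefix-match problem described in this comment, shown as an added illustration rather than code from the attached diffs: the scheme list and function names are constructed for the example, and the fix mirrors the length check described above.

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>

/* Constructed list of loaded password storage scheme names; the real
 * server walks its plugin table instead. "SHA" itself is deliberately
 * absent so the default scheme check should fail. */
static const char *loaded_schemes[] = { "SSHA", "SHA256", "SHA512", NULL };

/* Buggy check: compares only strlen(default_scheme) characters, so a
 * default of "SHA" is reported as loaded as soon as "SHA256" is present. */
bool scheme_loaded_prefix(const char *default_scheme, const char **loaded)
{
    size_t n = strlen(default_scheme);
    for (; *loaded != NULL; loaded++) {
        if (strncasecmp(default_scheme, *loaded, n) == 0) {
            return true;
        }
    }
    return false;
}

/* Fixed check: require equal lengths before the bounded, case-insensitive
 * compare, so only a whole-name match counts as "loaded". */
bool scheme_loaded_exact(const char *default_scheme, const char **loaded)
{
    size_t n = strlen(default_scheme);
    for (; *loaded != NULL; loaded++) {
        if (strlen(*loaded) == n &&
            strncasecmp(default_scheme, *loaded, n) == 0) {
            return true;
        }
    }
    return false;
}
```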
Comment 3 Nathan Kinder 2005-09-06 12:42:44 EDT
Created attachment 118517 [details]
Re-revised diffs

Rich and Noriko reminded me that static array size initialization must use
constants to be legal. Certain compilers error out if this is not followed. I
created a macro to use for array size initialization instead. I also added
default cases for the switch statements to catch anything unexpected.
Comment 4 Nathan Kinder 2005-09-06 17:17:14 EDT
Created attachment 118533 [details]
CVS Commit

Checked into ldapserver.  Reviewed by Rich and Noriko.
Comment 6 Jenny Galipeau 2011-06-06 14:07:32 EDT
Cloned bug verified and there are automated tests.
