From 2e822e9abeebf066410087827e2157dd06fd72d8 Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Thu, 27 Jan 2011 22:17:16 -0600
Subject: [PATCH] SEC-1659: Ensure that Digester is returning digest(digest(value)...) instead of digesting the same value multiple times.

Make it so that the Digester returns digest(digest(value)...) instead of digesting the same value multiple times. This alligns with the OWASP recommendations at http://www.owasp.org/index.php/Hashing_Java#Hardening_against_the_attacker.27s_attack
---
 .../security/crypto/util/Digester.java | 2 +-
 .../security/crypto/util/DigesterTests.java | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/crypto/src/main/java/org/springframework/security/crypto/util/Digester.java b/crypto/src/main/java/org/springframework/security/crypto/util/Digester.java
index 7c8e51a10d..6ff2134e16 100644
--- a/crypto/src/main/java/org/springframework/security/crypto/util/Digester.java
+++ b/crypto/src/main/java/org/springframework/security/crypto/util/Digester.java
@@ -48,7 +48,7 @@ public class Digester {
     public byte[] digest(byte[] value) {
         synchronized (messageDigest) {
             for (int i = 0; i < (iterations - 1); i++) {
-                invokeDigest(value);
+                value = invokeDigest(value);
             }
             return messageDigest.digest(value);
         }
diff --git a/crypto/src/test/java/org/springframework/security/crypto/util/DigesterTests.java b/crypto/src/test/java/org/springframework/security/crypto/util/DigesterTests.java
index bf4b775f1b..839466261c 100644
--- a/crypto/src/test/java/org/springframework/security/crypto/util/DigesterTests.java
+++ b/crypto/src/test/java/org/springframework/security/crypto/util/DigesterTests.java
@@ -3,6 +3,9 @@ package org.springframework.security.crypto.util;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 
+import java.security.MessageDigest;
+import java.util.Arrays;
+
 import org.junit.Test;
 
 public class DigesterTests {
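Review bot: The loop now yields digest(digest(value)...) only if `invokeDigest` returns `messageDigest.digest(value)` and so resets the MessageDigest between passes; `invokeDigest` is outside this hunk, so confirm it does not push bytes through `update()` without a `digest()`, which would leave earlier passes accumulated inside the final `messageDigest.digest(value)` call. The method carries no Javadoc and its contract is now easy to mis-state, so add above `public byte[] digest(byte[] value)` a comment such as `/** Returns the value hashed {@code iterations} times in a chain: each pass hashes the output of the previous one. */`. That comment should also say that `iterations <= 1` results in a single pass, since the loop body never runs then, and whether the constructor rejects non-positive iteration counts is not visible here. It is worth noting in the same Javadoc that iterated, unsalted hashing only raises the cost of precomputation and is not a substitute for a purpose-built password KDF such as PBKDF2 or bcrypt, in line with the OWASP page the commit cites. The method's closing brace and the enclosing class lie outside the hunk.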
@@ -16,4 +19,15 @@ public class DigesterTests {
         assertFalse(new String(result).equals("text"));
     }
 
+    @Test
+    public void multiPassDigest() throws Exception {
+        MessageDigest d = MessageDigest.getInstance("SHA-1","SUN");
+        d.reset();
+        byte[] value = "text".getBytes("UTF-8");
+        byte[] singlePass = d.digest(value);
+        byte[] multiPass = digester.digest(value);
+        assertFalse(Arrays.toString(singlePass) + " should not be equal to "
+                + Arrays.toString(multiPass),
+                Arrays.equals(singlePass, multiPass));
+    }
 }
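Review bot: The new `multiPassDigest` test only asserts that `multiPass` differs from one SHA-1 of the input, which any multi-pass construction would satisfy, including a wrong one that hashed `value` twice into the same digest state; it does not pin the contract the commit message states, digest(digest(value)...). Compute the expected chain with the same `MessageDigest` and compare arrays, e.g. `byte[] expected = d.digest(d.digest(value));` for a two-iteration fixture followed by `assertArrayEquals(expected, multiPass);` (needs `import static org.junit.Assert.assertArrayEquals;`), looping for the fixture's real iteration count, since `digester` is constructed outside this hunk and its iteration count is not visible here. Separately, `MessageDigest.getInstance("SHA-1","SUN")` pins the SUN provider and throws NoSuchProviderException on JVMs that ship a different provider set, so `MessageDigest.getInstance("SHA-1")` is sufficient and more portable for this comparison. The test method is complete within the hunk; the class's remaining members are outside it.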