lunar, kinetic, and jammy all return the first result, while focal
provides the second:
triage-lunar+23.04: ~$ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2
{SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54=
triage-lunar+23.04: ~$ slapd -VV
@(#) $OpenLDAP: slapd 2.6.3+dfsg-1~exp1ubuntu1 (Nov 18 2022 21:07:45) $
triage-kinetic+22.10: ~$ slappasswd -s secret -h '{SHA256}' -o
module-load=pw-sha2
{SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54=
triage-kinetic+22.10: ~$ slapd -VV
@(#) $OpenLDAP: slapd 2.5.13+dfsg-1ubuntu1 (Sep 20 2022 19:30:47) $
triage-jammy+22.04: ~$ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2
{SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54=
triage-jammy+22.04: ~$ slapd -VV
@(#) $OpenLDAP: slapd 2.5.13+dfsg-0ubuntu0.22.04.1 (Aug 5 2022 14:51:52) $
triage-focal+20.04: ~$ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2
{SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
triage-focal+20.04: ~$ slapd -VV
@(#) $OpenLDAP: slapd (Ubuntu) (May 12 2022 13:11:05) $
triage-focal+20.04: ~$ apt-cache policy slapd
slapd:
Installed: 2.4.49+dfsg-2ubuntu1.9
On all releases, the openssl dgst call produces the same result,
K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
Here's two other references mentioning the same problem, and same
suggested workaround:
*
https://www.mail-archive.com/[email protected]&q=subject:%22%22&o=newest&f=1
*
https://stackoverflow.com/questions/74928752/slappasswd-generating-a-strange-password-hash-sha256-only
I don't know whether there might be side effects from adding "-fno-
strict-aliasing". However, the patch's compilation modifications looks
like it'll affect the performance of only just the sha2 module, so for
SRU policy this seems a narrow enough fix. Since this is described in
the first link as a contrib module, that may explain why this issue
hasn't come to light earlier.
** Changed in: openldap (Ubuntu)
Status: Confirmed => Triaged
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/2000817
Title:
Wrong SHA256-value computed on kinetic
Status in openldap package in Ubuntu:
Triaged
Bug description:
The OpenLDAP-contrib module sha2 (located in contrib/slapd-
modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu
kinetic. This breaks our current password-authentication in ldap.
The problematic computation:
$ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2
{SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54=
The (correct) reference-value on the same system (or older ubuntu
Versions):
$ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64
K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
We nailed the problem down to a bug in the gcc-optimizer for strict-aliasing.
so most probably the gcc-version on kinetic (v12.2.0) is the reason. The
workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing".
Then the correct value is computed. An example taken from a git-compiled
version of OpenLDAP 2.5.13:
$ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o
module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs
{SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
Ubuntu:
Description: Ubuntu 22.10
Release: 22.10
OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2000817/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
