[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic

Thu, 09 Mar 2023 13:27:03 -0800 

This bug was fixed in the package openldap - 2.6.3+dfsg-1~exp1ubuntu2

---------------
openldap (2.6.3+dfsg-1~exp1ubuntu2) lunar; urgency=medium

  * Build the passwd/sha2 contrib module with -fno-strict-aliasing to
    avoid computing an incorrect SHA256 hash with some versions of the
    compiler (LP: #2000817):
    - d/t/{control,sha2-contrib}: test to verify the SHA256 hash
      produced by passwd/sha2
    - d/rules: set -fno-strict-aliasing only when building the
      passwd/sha2 contrib module
  * d/t/smbk5pwd: Allow the openldap user to read the Heimdal master key in the
    smbk5pwd DEP8 test (LP: #2004560)

 -- Andreas Hasenack <[email protected]>  Fri, 03 Feb 2023 09:33:14
-0300

** Changed in: openldap (Ubuntu Lunar)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/2000817

Title:
  Wrong SHA256-value computed on kinetic

Status in openldap package in Ubuntu:
  Fix Released
Status in openldap source package in Jammy:
  In Progress
Status in openldap source package in Kinetic:
  In Progress
Status in openldap source package in Lunar:
  Fix Released
Status in openldap package in Debian:
  Unknown

Bug description:
  The OpenLDAP-contrib module sha2 (located in contrib/slapd-
  modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu
  kinetic. This breaks our current password-authentication in ldap.

  
  The problematic computation:

      $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2
      {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54=

  The (correct) reference-value on the same system (or older ubuntu
  Versions):

      $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64
      K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=

  
  We nailed the problem down to a bug in the gcc-optimizer for strict-aliasing. 
so most probably the gcc-version on kinetic (v12.2.0) is the reason. The 
workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". 
Then the correct value is computed. An example taken from a git-compiled 
version of OpenLDAP 2.5.13:

      $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o 
module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs
      {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=


  
  Ubuntu:

      Description:    Ubuntu 22.10
      Release:        22.10

      OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2000817/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to