Kinetic verification
Confirming the problem with the unfixed slapd package:
$ apt-cache policy slapd
slapd:
  Installed: 2.5.14+dfsg-0ubuntu0.22.10.1
  Candidate: 2.5.14+dfsg-0ubuntu0.22.10.1
  Version table:
 *** 2.5.14+dfsg-0ubuntu0.22.10.1 500
        500 http://br.archive.ubuntu.com/ubuntu kinetic-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.5.13+dfsg-1ubuntu1 500
        500 http://br.archive.ubuntu.com/ubuntu kinetic/main amd64 Packages
$ ./test.sh
Reference hash of "secret" (openssl):
{SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
slapd's pw-sha2 hash: {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54=
ERROR: hashes differ
Updating to proposed:
$ apt-cache policy slapd
slapd:
  Installed: 2.5.14+dfsg-0ubuntu0.22.10.2
  Candidate: 2.5.14+dfsg-0ubuntu0.22.10.2
  Version table:
 *** 2.5.14+dfsg-0ubuntu0.22.10.2 500
        500 http://br.archive.ubuntu.com/ubuntu kinetic-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2.5.14+dfsg-0ubuntu0.22.10.1 500
        500 http://br.archive.ubuntu.com/ubuntu kinetic-updates/main amd64 Packages
     2.5.13+dfsg-1ubuntu1 500
        500 http://br.archive.ubuntu.com/ubuntu kinetic/main amd64 Packages
Problem fixed:
$ ./test.sh
Reference hash of "secret" (openssl):
{SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
slapd's pw-sha2 hash: {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
PASS: hashes are identical
Kinetic verification succeeded.
** Tags removed: verification-needed-kinetic
** Tags added: verification-done-kinetic
https://bugs.launchpad.net/bugs/2000817
Title:
Wrong SHA256-value computed on kinetic
Status in openldap package in Ubuntu:
Fix Released
Status in openldap source package in Jammy:
In Progress
Status in openldap source package in Kinetic:
Fix Committed
Status in openldap source package in Lunar:
Fix Released
Status in openldap package in Debian:
Unknown
Bug description:
[ Impact ]
OpenLDAP deployments using the contrib pw-sha2 module are not able to
authenticate their users because the SHA2 calculation is done
incorrectly.
Even though this is a contrib module, from an upstream PoV, it is
shipped in the Ubuntu (and Debian) OpenLDAP packages, and available
for use.
Some fix possibilities were discussed in comment #5, and we selected
the one with the least impact to OpenLDAP users at large, which is to
recompile that module only without the strict-aliasing optimization.
This update makes that change, and also includes a DEP8 change to
verify it.
We didn't use a patch for the pw-sha2 Makefile because d/rules
overrides the OPT variable in the make command line
(https://git.launchpad.net/~ahasenack/ubuntu/+source/openldap/tree/debian/rules?h=lunar-slapd-sha2-2000817#n44)
[ Test Plan ]
# Install slapd and openssl
$ sudo apt install slapd openssl
# Run the following script
#!/bin/bash
reference_hash="{SHA256}$(echo -n secret | openssl dgst -sha256 -binary | openssl enc -base64)"
test_hash=$(slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2)
echo "Reference hash of \"secret\" (openssl): ${reference_hash}"
echo "slapd's pw-sha2 hash: ${test_hash}"
if [ "${reference_hash}" != "${test_hash}" ]; then
    echo "ERROR: hashes differ"
    exit 1
else
    echo "PASS: hashes are identical"
fi
With the affected openldap package installed, the script should print
an error. With the packages from proposed, the hashes should be
identical.
[ Where problems could occur ]
The fix is a change of a compiler option strictly when building only
the pw-sha2 module, so it's very localized. It could affect the
performance of this module (for the worse), but it's already not
working correctly.
[ Other Info ]
Not at this time.
[Original Description]
The OpenLDAP contrib module sha2 (located in
contrib/slapd-modules/passwd/sha2/) computes a wrong SHA256/SSHA256 hash on
Ubuntu kinetic. This breaks our current password authentication in LDAP.
The problematic computation:
$ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2
{SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54=
The (correct) reference value on the same system (or on older Ubuntu
versions):
$ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64
K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
We nailed the problem down to a bug in the gcc optimizer for strict
aliasing, so most probably the gcc version on kinetic (v12.2.0) is the
reason. The workaround is to compile the sha2 module with the flag
"-fno-strict-aliasing". Then the correct value is computed. An example
taken from a git-compiled version of OpenLDAP 2.5.13:
$ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs
{SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
Ubuntu:
Description: Ubuntu 22.10
Release: 22.10
OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1