Wrong SHA256-value computed on kinetic
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openldap (Debian) | Fix Released | Unknown | |
openldap (Ubuntu) | Fix Released | Undecided | Andreas Hasenack |
Jammy | Fix Released | Undecided | Andreas Hasenack |
Kinetic | Fix Released | Undecided | Andreas Hasenack |
Lunar | Fix Released | Undecided | Andreas Hasenack |
Bug Description
[ Impact ]
OpenLDAP deployments using the contrib pw-sha2 module are not able to authenticate their users, because the module computes the SHA-2 hash incorrectly.
Even though this is a contrib module from an upstream point of view, it is shipped in the Ubuntu (and Debian) OpenLDAP packages and is available for use.
Some fix possibilities were discussed in comment #5, and we selected the one with the least impact on OpenLDAP users at large: recompiling only that module without the strict-aliasing optimization.
This update makes that change and also includes a DEP8 test to verify it.
We didn't use a patch for the pw-sha2 Makefile because d/rules overrides the OPT variable in the make command line (https:/
[ Test Plan ]
# Install slapd and openssl
$ sudo apt install slapd openssl
# Run the following script
#!/bin/bash
reference_
test_hash=
echo "Reference hash of \"secret\" (openssl): ${reference_hash}"
echo "slapd's pw-sha2 hash: ${test_hash}"
if [ "${reference_hash}" != "${test_hash}" ]; then
echo "ERROR: hashes differ"
exit 1
else
echo "PASS: hashes are identical"
fi
With the affected openldap package installed, the script should print an error. With the packages from proposed, the hashes should be identical.
[ Where problems could occur ]
The fix is a compiler-option change applied only when building the pw-sha2 module, so it is very localized. It could affect the performance of this module (for the worse), but the module is already not working correctly.
[ Other Info ]
Not at this time.
[Original Description]
The OpenLDAP-contrib module sha2 (located in contrib/
The problematic computation:
$ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2
{SHA256}
The (correct) reference value on the same system (or on older Ubuntu versions):
$ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64
K7gNU3sdo+
We nailed the problem down to a bug in the gcc optimizer for strict-aliasing, so most probably the gcc version on kinetic (v12.2.0) is the reason. The workaround is to compile the sha2 module with the flag "-fno-strict-
$ ./servers/
{SHA256}
Ubuntu:
Description: Ubuntu 22.10
Release: 22.10
OpenLDAP-
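The test plan above and the original description both boil down to one check: the base64 payload that slappasswd prints after the `{SHA256}` prefix must equal the base64 of the raw SHA-256 digest that openssl computes. The following is an added example, not code from the bug report or from OpenLDAP, that performs that comparison offline with hashlib as the reference, so a value captured from `slappasswd -h '{SHA256}' -o module-load=pw-sha2` on a suspect host can be checked anywhere. It goes a little beyond the page's unsalted case: it also verifies the salted `{SSHA256}`/`{SSHA384}`/`{SSHA512}` schemes, assuming (this example's assumption) the pw-sha2 layout of base64(digest(password || salt) || salt). The "broken" sample value in `main` is constructed for illustration and is not the hash the reporter observed.

```python
"""Offline checker for pw-sha2 style {SHA256}/{SSHA256} userPassword values.

Added example; not part of the bug report or of the OpenLDAP sources.
"""
import base64
import hashlib
import hmac
import os

# Scheme prefix -> (hashlib algorithm name, salted?)
SCHEMES = {
    "{SHA256}": ("sha256", False), "{SSHA256}": ("sha256", True),
    "{SHA384}": ("sha384", False), "{SSHA384}": ("sha384", True),
    "{SHA512}": ("sha512", False), "{SSHA512}": ("sha512", True),
}


def reference_hash(password: bytes, algo: str = "sha256") -> str:
    """Same value as: echo -n "$pw" | openssl dgst -<algo> -binary | openssl enc -base64"""
    return base64.b64encode(hashlib.new(algo, password).digest()).decode("ascii")


def split_scheme(value: str):
    """Split '{SCHEME}payload' into (scheme, payload); scheme is upper-cased."""
    value = value.strip()
    if not value.startswith("{") or "}" not in value:
        raise ValueError("missing {SCHEME} prefix: %r" % value)
    end = value.index("}") + 1
    return value[:end].upper(), value[end:]


def make_hash(password: bytes, scheme: str = "{SHA256}", salt: bytes = None) -> str:
    """Build a pw-sha2 style value. Salted layout (assumed): digest(pw||salt)||salt."""
    algo, salted = SCHEMES[scheme]
    if salted:
        salt = os.urandom(8) if salt is None else salt
        blob = hashlib.new(algo, password + salt).digest() + salt
    else:
        blob = hashlib.new(algo, password).digest()
    return scheme + base64.b64encode(blob).decode("ascii")


def verify(password: bytes, stored: str) -> bool:
    """Return True if `stored` is a correct hash of `password`."""
    scheme, payload = split_scheme(stored)
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme %s" % scheme)
    algo, salted = SCHEMES[scheme]
    blob = base64.b64decode(payload, validate=True)
    dlen = hashlib.new(algo).digest_size
    if salted:
        digest, salt = blob[:dlen], blob[dlen:]
        if len(digest) != dlen or not salt:
            return False  # malformed: too short or no salt appended
        expected = hashlib.new(algo, password + salt).digest()
    else:
        if len(blob) != dlen:
            return False  # wrong digest length for the scheme
        digest, expected = blob, hashlib.new(algo, password).digest()
    return hmac.compare_digest(digest, expected)


def check_slappasswd_output(password: bytes, slappasswd_line: str):
    """Mirror the test plan: compare the reference hash with what slappasswd printed.

    Only meaningful for unsalted schemes (a salted value changes every run).
    Returns (identical, reference_payload, observed_payload).
    """
    scheme, payload = split_scheme(slappasswd_line)
    algo, salted = SCHEMES[scheme]
    if salted:
        raise ValueError("cannot byte-compare a salted scheme; use verify()")
    ref = reference_hash(password, algo)
    return (payload == ref, ref, payload)


if __name__ == "__main__":
    good = make_hash(b"secret")                                   # what a fixed pw-sha2 prints
    broken = "{SHA256}" + base64.b64encode(b"\x00" * 32).decode()  # constructed wrong value
    for line in (good, broken):
        ok, ref, obs = check_slappasswd_output(b"secret", line)
        print("Reference hash of \"secret\":", ref)
        print("observed pw-sha2 hash      :", obs)
        print("PASS: hashes are identical" if ok else "ERROR: hashes differ")
```

Run it as a script to see the PASS/ERROR output of the test plan, or import `verify()` to check a `userPassword` value pulled from the directory against a known password.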
Related branches
- Andreas Hasenack: Approve
- Canonical Server Reporter: Pending requested
- Diff: 3615 lines (+3210/-3), 8 files modified:
  - debian/apparmor-profile (+61/-0)
  - debian/changelog (+3043/-0)
  - debian/control (+4/-2)
  - debian/rules (+17/-1)
  - debian/slapd.README.Debian (+11/-0)
  - debian/slapd.py (+51/-0)
  - debian/slapd.ufw.profile (+9/-0)
  - debian/tests/smbk5pwd (+14/-0)
- git-ubuntu bot: Approve
- Sergio Durigan Junior (community): Approve
- Canonical Server Reporter: Pending requested
- Diff: 73 lines (+38/-1), 4 files modified:
  - debian/changelog (+12/-0)
  - debian/rules (+7/-1)
  - debian/tests/control (+3/-0)
  - debian/tests/sha2-contrib (+16/-0)
- git-ubuntu bot: Approve
- Sergio Durigan Junior (community): Approve
- Canonical Server Reporter: Pending requested
- Diff: 73 lines (+38/-1), 4 files modified:
  - debian/changelog (+12/-0)
  - debian/rules (+7/-1)
  - debian/tests/control (+3/-0)
  - debian/tests/sha2-contrib (+16/-0)
- git-ubuntu bot: Approve
- Sergio Durigan Junior (community): Approve
- Canonical Server Reporter: Pending requested
- Diff: 102 lines (+56/-1), 5 files modified:
  - debian/changelog (+14/-0)
  - debian/rules (+7/-1)
  - debian/tests/control (+3/-0)
  - debian/tests/sha2-contrib (+16/-0)
  - debian/tests/smbk5pwd (+16/-0)
tags: added: server-next
tags: added: server-todo; removed: server-next
Changed in openldap (Ubuntu): assignee: nobody → Sergio Durigan Junior (sergiodj)
Changed in openldap (Ubuntu): assignee: Sergio Durigan Junior (sergiodj) → Andreas Hasenack (ahasenack)
Changed in openldap (Ubuntu): status: Triaged → In Progress
Changed in openldap (Ubuntu Jammy): status: New → In Progress
Changed in openldap (Ubuntu Kinetic): status: New → In Progress
Changed in openldap (Ubuntu Jammy): assignee: nobody → Andreas Hasenack (ahasenack)
Changed in openldap (Ubuntu Kinetic): assignee: nobody → Andreas Hasenack (ahasenack)
description: updated
description: updated
description: updated
Changed in openldap (Debian): status: Unknown → Fix Released
Status changed to 'Confirmed' because the bug affects multiple users.