Source: openldap
Version: 2.4.41+dfsg-1
Severity: wishlist
Tags: upstream patch

Hi,

please include the pbkdf2 contrib module in Debian's openldap packages.

The attached patch does this:

* It starts by preparing contrib/password/pbkdf2/pw-pbkdf2.c to work with nettle
  * debian/patches/ITS8198-0001-fix-an-always-true-check.patch
    patch is taken from upstream ITS#8198
  * ITS8198-0002-optionally-use-libnettle-instead-of-openssl-for-crypto.patch

* Then it adapts contrib/password/pbkdf2/Makefile to follow Debian's rules
  * pbkdf2-makefile-use-dpkg-buildflags
  * pbkdf2-makefile

* Of course it doesn't forget to add a manual page
  (derived from a patch I sent upstream as a part of ITS#8205)
  * pbkdf2-makefile-manpage

* Finally it updates debian/rules to make sure the module's files get compiled
  and installed

I have this patch included in my private packaging of openldap.

When creating the patch, I tried to
* avoid changing existing patches
  That's the reason for the 'pbkdf2-makefile-use-dpkg-buildflags' patch file.
  Feel free to merge it into 'contrib-modules-use-dpkg-buildflags'
* adhere to existing patch naming logic
  e.g. 'pbkdf2-makefile'
  
Thanks for your work on openldap in Debian!

Best
Peter

PS: support for getting ITS#8198 and ITS#8205 included upstream is very welcome


-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 
'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.0.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
>From 755e6302f3f095919eed04d1849172cc61d42d8d Mon Sep 17 00:00:00 2001
From: Peter Marschall <pe...@adpm.de>
Date: Sat, 8 Aug 2015 12:26:57 +0200
Subject: [PATCH] build and install pw-pbkdf2

Start by preparing contrib/password/pbkdf2/pw-pbkdf2.c to work with nettle
* debian/patches/ITS8198-0001-fix-an-always-true-check.patch
  patch is taken from upstream ITS#8198
* ITS8198-0002-optionally-use-libnettle-instead-of-openssl-for-crypto.patch

Then adapt contrib/password/pbkdf2/Makefile to follow Debian's rules
* pbkdf2-makefile-use-dpkg-buildflags
* pbkdf2-makefile

Don't forget to add a manual page (taken from a patch upstreamed in ITS#8205)
* pbkdf2-makefile-manpage

Finally compile & install it by adapting debian/rules
---
 .../ITS8198-0001-fix-an-always-true-check.patch    |  48 +++++
 ...e-libnettle-instead-of-openssl-for-crypto.patch | 196 +++++++++++++++++++++
 debian/patches/pbkdf2-makefile                     |  43 +++++
 debian/patches/pbkdf2-makefile-manpage             | 184 +++++++++++++++++++
 debian/patches/pbkdf2-makefile-use-dpkg-buildflags |  19 ++
 debian/patches/series                              |   5 +
 debian/rules                                       |   2 +
 7 files changed, 497 insertions(+)
 create mode 100644 debian/patches/ITS8198-0001-fix-an-always-true-check.patch
 create mode 100644 debian/patches/ITS8198-0002-optionally-use-libnettle-instead-of-openssl-for-crypto.patch
 create mode 100644 debian/patches/pbkdf2-makefile
 create mode 100644 debian/patches/pbkdf2-makefile-manpage
 create mode 100644 debian/patches/pbkdf2-makefile-use-dpkg-buildflags

diff --git a/debian/patches/ITS8198-0001-fix-an-always-true-check.patch b/debian/patches/ITS8198-0001-fix-an-always-true-check.patch
new file mode 100644
index 0000000..f67297e
--- /dev/null
+++ b/debian/patches/ITS8198-0001-fix-an-always-true-check.patch
@@ -0,0 +1,48 @@
+From f9e42bc1ce85a8c2bc7f3daa06a553b0f79ea6d8 Mon Sep 17 00:00:00 2001
+From: Luca Bruno <luca.br...@rocket-internet.de>
+Date: Wed, 5 Nov 2014 16:15:55 +0100
+Subject: [PATCH] Fix an always-true check
+
+Fixed asprintf return value check, in order to properly catch
+error conditions. This has been caught by clang -Wtautological-compare:
+
+pw-pbkdf2.c:132:17: warning: comparison of unsigned expression < 0 is always false
+        if(msg->bv_len < 0){
+           ~~~~~~~~~~~ ^ ~
+
+Signed-off-by: Luca Bruno <luca.br...@rocket-internet.de>
+---
+ contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c b/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c
+index e7c300e..e0f5dfd 100644
+--- a/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c
++++ b/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c
+@@ -99,7 +99,7 @@ static int pbkdf2_format(
+ 	struct berval *msg)
+ {
+ 
+-	int rc;
++	int rc, msg_len;
+ 	char salt_b64[LUTIL_BASE64_ENCODE_LEN(PBKDF2_SALT_SIZE) + 1];
+ 	char dk_b64[LUTIL_BASE64_ENCODE_LEN(PBKDF2_MAX_DK_SIZE) + 1];
+ 
+@@ -115,13 +115,15 @@ static int pbkdf2_format(
+ 		return LUTIL_PASSWD_ERR;
+ 	}
+ 	b64_to_ab64(dk_b64);
+-	msg->bv_len = asprintf(&msg->bv_val, "%s%d$%s$%s",
++	msg_len = asprintf(&msg->bv_val, "%s%d$%s$%s",
+ 						   sc->bv_val, iteration,
+ 						   salt_b64, dk_b64);
+-	if(msg->bv_len < 0){
++	if(msg_len < 0){
++		msg->bv_len = 0;
+ 		return LUTIL_PASSWD_ERR;
+ 	}
+ 
++	msg->bv_len = msg_len;
+ 	return LUTIL_PASSWD_OK;
+ }
+ 
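Review bot: The new error path at `if(msg_len < 0)` zeroes `msg->bv_len` but leaves `msg->bv_val` as whatever asprintf() left behind; on glibc the pointer's contents are undefined after a failed asprintf(), so a caller that frees or logs the berval on error touches an indeterminate pointer. Set both fields on failure, `msg->bv_val = NULL;` next to `msg->bv_len = 0;`, so the berval is in a consistent empty state. pbkdf2_format's signature begins above the nested hunk.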
diff --git a/debian/patches/ITS8198-0002-optionally-use-libnettle-instead-of-openssl-for-crypto.patch b/debian/patches/ITS8198-0002-optionally-use-libnettle-instead-of-openssl-for-crypto.patch
new file mode 100644
index 0000000..75cb2a8
--- /dev/null
+++ b/debian/patches/ITS8198-0002-optionally-use-libnettle-instead-of-openssl-for-crypto.patch
@@ -0,0 +1,196 @@
+From b98457fbb009e92d394e0d99851fc720df334db7 Mon Sep 17 00:00:00 2001
+From: Luca Bruno <luca.br...@rocket-internet.de>
+Date: Wed, 5 Nov 2014 15:32:33 +0100
+Subject: [PATCH] Optionally use libnettle instead of OpenSSL for crypto
+
+OpenLDAP can be configured to be either built with OpenSSL or
+GnuTLS. This commit adds support for building pw-pbkbdf2 module
+without OpenSSL, by using PBKDF2 crypto primitives provided by
+libnettle.
+Closes hamano/openldap-pbkdf2#2
+
+Signed-off-by: Luca Bruno <luca.br...@rocket-internet.de>
+---
+ contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c | 104 ++++++++++++++++++++++++
+ 1 file changed, 104 insertions(+)
+
+diff --git a/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c b/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c
+index e0f5dfd..8355908 100644
+--- a/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c
++++ b/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c
+@@ -22,8 +22,19 @@
+ #include <ac/string.h>
+ #include "lber_pvt.h"
+ #include "lutil.h"
++#include <stdio.h>
++#include <stdlib.h>
+ 
++#ifdef HAVE_OPENSSL
+ #include <openssl/evp.h>
++#elif HAVE_GNUTLS
++#include <nettle/pbkdf2.h>
++#include <nettle/hmac.h>
++typedef void (*pbkdf2_hmac_update)(void *, unsigned, const uint8_t *);
++typedef void (*pbkdf2_hmac_digest)(void *, unsigned, uint8_t *);
++#else
++#error Unsupported crypto backend.
++#endif
+ 
+ #define PBKDF2_ITERATION 10000
+ #define PBKDF2_SALT_SIZE 16
+@@ -139,11 +150,22 @@ static int pbkdf2_encrypt(
+ 	struct berval dk;
+ 	int iteration = PBKDF2_ITERATION;
+ 	int rc;
++#ifdef HAVE_OPENSSL
+ 	const EVP_MD *md;
++#else
++	struct hmac_sha1_ctx sha1_ctx;
++	struct hmac_sha256_ctx sha256_ctx;
++	struct hmac_sha512_ctx sha512_ctx;
++	void * current_ctx = NULL;
++	pbkdf2_hmac_update current_hmac_update = NULL;
++	pbkdf2_hmac_digest current_hmac_digest = NULL;
++#endif
+ 
+ 	salt.bv_val = (char *)salt_value;
+ 	salt.bv_len = sizeof(salt_value);
+ 	dk.bv_val = (char *)dk_value;
++
++#ifdef HAVE_OPENSSL
+ 	if(!ber_bvcmp(scheme, &pbkdf2_scheme)){
+ 		dk.bv_len = PBKDF2_SHA1_DK_SIZE;
+ 		md = EVP_sha1();
+@@ -159,16 +181,52 @@ static int pbkdf2_encrypt(
+ 	}else{
+ 		return LUTIL_PASSWD_ERR;
+ 	}
++#else
++	if(!ber_bvcmp(scheme, &pbkdf2_scheme)){
++		dk.bv_len = PBKDF2_SHA1_DK_SIZE;
++		current_ctx = &sha1_ctx;
++		current_hmac_update = (pbkdf2_hmac_update) &hmac_sha1_update;
++		current_hmac_digest = (pbkdf2_hmac_digest) &hmac_sha1_digest;
++		hmac_sha1_set_key(current_ctx, passwd->bv_len, (const uint8_t *) passwd->bv_val);
++	}else if(!ber_bvcmp(scheme, &pbkdf2_sha1_scheme)){
++		dk.bv_len = PBKDF2_SHA1_DK_SIZE;
++		current_ctx = &sha1_ctx;
++		current_hmac_update = (pbkdf2_hmac_update) &hmac_sha1_update;
++		current_hmac_digest = (pbkdf2_hmac_digest) &hmac_sha1_digest;
++		hmac_sha1_set_key(current_ctx, passwd->bv_len, (const uint8_t *) passwd->bv_val);
++	}else if(!ber_bvcmp(scheme, &pbkdf2_sha256_scheme)){
++		dk.bv_len = PBKDF2_SHA256_DK_SIZE;
++		current_ctx = &sha256_ctx;
++		current_hmac_update = (pbkdf2_hmac_update) &hmac_sha256_update;
++		current_hmac_digest = (pbkdf2_hmac_digest) &hmac_sha256_digest;
++		hmac_sha256_set_key(current_ctx, passwd->bv_len, (const uint8_t *) passwd->bv_val);
++	}else if(!ber_bvcmp(scheme, &pbkdf2_sha512_scheme)){
++		dk.bv_len = PBKDF2_SHA512_DK_SIZE;
++		current_ctx = &sha512_ctx;
++		current_hmac_update = (pbkdf2_hmac_update) &hmac_sha512_update;
++		current_hmac_digest = (pbkdf2_hmac_digest) &hmac_sha512_digest;
++		hmac_sha512_set_key(current_ctx, passwd->bv_len, (const uint8_t *) passwd->bv_val);
++	}else{
++		return LUTIL_PASSWD_ERR;
++	}
++#endif
+ 
+ 	if(lutil_entropy((unsigned char *)salt.bv_val, salt.bv_len) < 0){
+ 		return LUTIL_PASSWD_ERR;
+ 	}
+ 
++#ifdef HAVE_OPENSSL
+ 	if(!PKCS5_PBKDF2_HMAC(passwd->bv_val, passwd->bv_len,
+ 						  (unsigned char *)salt.bv_val, salt.bv_len,
+ 						  iteration, md, dk.bv_len, dk_value)){
+ 		return LUTIL_PASSWD_ERR;
+ 	}
++#else
++	PBKDF2(current_ctx, current_hmac_update, current_hmac_digest,
++						  dk.bv_len, iteration,
++						  salt.bv_len, (const uint8_t *) salt.bv_val,
++						  dk.bv_len, dk_value);
++#endif
+ 
+ #ifdef SLAPD_PBKDF2_DEBUG
+ 	printf("Encrypt for %s\n", scheme->bv_val);
+@@ -215,7 +273,16 @@ static int pbkdf2_check(
+ 	char dk_b64[LUTIL_BASE64_ENCODE_LEN(PBKDF2_MAX_DK_SIZE) + 1];
+ 	unsigned char input_dk_value[PBKDF2_MAX_DK_SIZE];
+ 	size_t dk_len;
++#ifdef HAVE_OPENSSL
+ 	const EVP_MD *md;
++#else
++	struct hmac_sha1_ctx sha1_ctx;
++	struct hmac_sha256_ctx sha256_ctx;
++	struct hmac_sha512_ctx sha512_ctx;
++	void * current_ctx = NULL;
++	pbkdf2_hmac_update current_hmac_update = NULL;
++	pbkdf2_hmac_digest current_hmac_digest = NULL;
++#endif
+ 
+ #ifdef SLAPD_PBKDF2_DEBUG
+ 	printf("Checking for %s\n", scheme->bv_val);
+@@ -223,6 +290,7 @@ static int pbkdf2_check(
+ 	printf("  Input Cred:\t%s\n", cred->bv_val);
+ #endif
+ 
++#ifdef HAVE_OPENSSL
+ 	if(!ber_bvcmp(scheme, &pbkdf2_scheme)){
+ 		dk_len = PBKDF2_SHA1_DK_SIZE;
+ 		md = EVP_sha1();
+@@ -238,6 +306,35 @@ static int pbkdf2_check(
+ 	}else{
+ 		return LUTIL_PASSWD_ERR;
+ 	}
++#else
++	if(!ber_bvcmp(scheme, &pbkdf2_scheme)){
++		dk_len = PBKDF2_SHA1_DK_SIZE;
++		current_ctx = &sha1_ctx;
++		current_hmac_update = (pbkdf2_hmac_update) &hmac_sha1_update;
++		current_hmac_digest = (pbkdf2_hmac_digest) &hmac_sha1_digest;
++		hmac_sha1_set_key(current_ctx, cred->bv_len, (const uint8_t *) cred->bv_val);
++	}else if(!ber_bvcmp(scheme, &pbkdf2_sha1_scheme)){
++		dk_len = PBKDF2_SHA1_DK_SIZE;
++		current_ctx = &sha1_ctx;
++		current_hmac_update = (pbkdf2_hmac_update) &hmac_sha1_update;
++		current_hmac_digest = (pbkdf2_hmac_digest) &hmac_sha1_digest;
++		hmac_sha1_set_key(current_ctx, cred->bv_len, (const uint8_t *) cred->bv_val);
++	}else if(!ber_bvcmp(scheme, &pbkdf2_sha256_scheme)){
++		dk_len = PBKDF2_SHA256_DK_SIZE;
++		current_ctx = &sha256_ctx;
++		current_hmac_update = (pbkdf2_hmac_update) &hmac_sha256_update;
++		current_hmac_digest = (pbkdf2_hmac_digest) &hmac_sha256_digest;
++		hmac_sha256_set_key(current_ctx, cred->bv_len, (const uint8_t *) cred->bv_val);
++	}else if(!ber_bvcmp(scheme, &pbkdf2_sha512_scheme)){
++		dk_len = PBKDF2_SHA512_DK_SIZE;
++		current_ctx = &sha512_ctx;
++		current_hmac_update = (pbkdf2_hmac_update) &hmac_sha512_update;
++		current_hmac_digest = (pbkdf2_hmac_digest) &hmac_sha512_digest;
++		hmac_sha512_set_key(current_ctx, cred->bv_len, (const uint8_t *) cred->bv_val);
++	}else{
++		return LUTIL_PASSWD_ERR;
++	}
++#endif
+ 
+ 	iteration = atoi(passwd->bv_val);
+ 	if(iteration < 1){
+@@ -287,11 +384,18 @@ static int pbkdf2_check(
+ 		return LUTIL_PASSWD_ERR;
+ 	}
+ 
++#ifdef HAVE_OPENSSL
+ 	if(!PKCS5_PBKDF2_HMAC(cred->bv_val, cred->bv_len,
+ 						  salt_value, PBKDF2_SALT_SIZE,
+ 						  iteration, md, dk_len, input_dk_value)){
+ 		return LUTIL_PASSWD_ERR;
+ 	}
++#else
++	PBKDF2(current_ctx, current_hmac_update, current_hmac_digest,
++						  dk_len, iteration,
++						  PBKDF2_SALT_SIZE, salt_value,
++						  dk_len, input_dk_value);
++#endif
+ 
+ 	rc = memcmp(dk_value, input_dk_value, dk_len);
+ #ifdef SLAPD_PBKDF2_DEBUG
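Review bot: The nettle call `PBKDF2(current_ctx, current_hmac_update, current_hmac_digest, dk.bv_len, iteration, ...)` in pbkdf2_encrypt passes the derived-key length as both the PRF `digest_size` argument and the output `length`, and pbkdf2_check does the same with `dk_len`; nettle's digest_size must be the HMAC output size, so this is only correct while each PBKDF2_SHA*_DK_SIZE happens to equal the underlying digest size. Carry a separate `digest_size` local set per branch (e.g. `digest_size = SHA256_DIGEST_SIZE;` from nettle's headers) and pass it as the fourth argument so the two lengths cannot drift apart if the DK sizes are ever changed. `#elif HAVE_GNUTLS` should be `#elif defined(HAVE_GNUTLS)` so a configuration that defines the macro without a value still selects the nettle backend instead of hitting `#error`. The keyed `hmac_*_ctx` structs hold the password-derived HMAC key on the stack after the PBKDF2 call; clearing them before returning from both functions limits how long the credential lingers in memory. pbkdf2_encrypt and pbkdf2_check both start and end outside the hunks shown.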
diff --git a/debian/patches/pbkdf2-makefile b/debian/patches/pbkdf2-makefile
new file mode 100644
index 0000000..a943c2e
--- /dev/null
+++ b/debian/patches/pbkdf2-makefile
@@ -0,0 +1,43 @@
+diff --git a/contrib/slapd-modules/passwd/pbkdf2/Makefile b/contrib/slapd-modules/passwd/pbkdf2/Makefile
+index 64ad97c..1bb0826 100644
+--- a/contrib/slapd-modules/passwd/pbkdf2/Makefile
++++ b/contrib/slapd-modules/passwd/pbkdf2/Makefile
+@@ -2,30 +2,30 @@
+ 
+ LDAP_SRC = ../../../..
+ LDAP_BUILD = ../../../..
+-LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd
+-LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \
+-	$(LDAP_BUILD)/libraries/liblber/liblber.la
++LDAP_INC = -I$(LDAP_BUILD)/debian/build/include -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd
++LDAP_LIB = $(LDAP_BUILD)/debian/build/libraries/libldap_r/libldap_r.la \
++	$(LDAP_BUILD)/debian/build/libraries/liblber/liblber.la
+ 
+-LIBTOOL = $(LDAP_BUILD)/libtool
++LIBTOOL = $(LDAP_BUILD)/debian/build/libtool
+ CC = gcc
+ OPT = -g -O2 -Wall
+ #DEFS = -DSLAPD_PBKDF2_DEBUG
+ 
+ INCS = $(LDAP_INC)
+-LIBS = $(LDAP_LIB) -lcrypto
++LIBS = $(LDAP_LIB) -lnettle
+ 
+ PROGRAMS = pw-pbkdf2.la
+ LTVER = 0:0:0
+ 
+ #prefix=/usr/local
+-prefix=`grep -e "^prefix =" $(LDAP_BUILD)/Makefile | cut -d= -f2`
++prefix=/usr
+ 
+ exec_prefix=$(prefix)
+-ldap_subdir=/openldap
++ldap_subdir=/ldap
+ 
+ libdir=$(exec_prefix)/lib
+ libexecdir=$(exec_prefix)/libexec
+-moduledir = $(libexecdir)$(ldap_subdir)
++moduledir = $(libdir)$(ldap_subdir)
+ 
+ .SUFFIXES: .c .o .lo
+ 
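Review bot: `LIBS = $(LDAP_LIB) -lnettle` links the nettle backend unconditionally, while pw-pbkdf2.c selects its backend from HAVE_OPENSSL/HAVE_GNUTLS in the headers reached through the new `-I$(LDAP_BUILD)/debian/build/include` path; a build tree configured with OpenSSL would compile the EVP path but link only nettle and fail at link time. A comment on the LIBS line stating the assumption, `# Debian builds slapd against GnuTLS, so pw-pbkdf2.c uses nettle`, would make that coupling visible to whoever next touches the build. `prefix=/usr` and `ldap_subdir=/ldap` are likewise Debian-specific choices and are worth a one-line note in the same place.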
diff --git a/debian/patches/pbkdf2-makefile-manpage b/debian/patches/pbkdf2-makefile-manpage
new file mode 100644
index 0000000..aa08375
--- /dev/null
+++ b/debian/patches/pbkdf2-makefile-manpage
@@ -0,0 +1,184 @@
+From: Peter Marschall <pe...@adpm.de>
+Date: Sat, 8 Aug 2015 17:32:04 +0200
+Subject: [PATCH] contrib/passwd/pbkdf2: add man page, install it too
+
+Add a manual page slapd-pw-pbkdf2.5 and update passwd/pbkdf2's Makefile to
+install the new manual page.
+
+This patch is derived from the corresponding patch upstreamed in ITS#8205
+
+---
+ contrib/slapd-modules/passwd/pbkdf2/Makefile       |  15 ++-
+ .../slapd-modules/passwd/pbkdf2/slapd-pw-pbkdf2.5  | 112 +++++++++++++++++++++
+ 2 files changed, 126 insertions(+), 1 deletion(-)
+ create mode 100644 contrib/slapd-modules/passwd/pbkdf2/slapd-pw-pbkdf2.5
+
+diff --git a/contrib/slapd-modules/passwd/pbkdf2/Makefile b/contrib/slapd-modules/passwd/pbkdf2/Makefile
+index 64ad97c..fa98b0f 100644
+--- a/contrib/slapd-modules/passwd/pbkdf2/Makefile
++++ b/contrib/slapd-modules/passwd/pbkdf2/Makefile
+@@ -7,6 +7,7 @@
+ 	$(LDAP_BUILD)/debian/build/libraries/liblber/liblber.la
+ 
+ LIBTOOL = $(LDAP_BUILD)/debian/build/libtool
++INSTALL = /usr/bin/install
+ CC = gcc
+ OPT = -g -O2 -Wall
+ #DEFS = -DSLAPD_PBKDF2_DEBUG
+@@ -15,6 +16,7 @@
+ LIBS = $(LDAP_LIB) -lnettle
+ 
+ PROGRAMS = pw-pbkdf2.la
++MANPAGES = slapd-pw-pbkdf2.5
+ LTVER = 0:0:0
+ 
+ #prefix=/usr/local
+@@ -26,6 +28,8 @@
+ libdir=$(exec_prefix)/lib
+ libexecdir=$(exec_prefix)/libexec
+ moduledir = $(libdir)$(ldap_subdir)
++mandir = $(exec_prefix)/share/man
++man5dir = $(mandir)/man5
+ 
+ .SUFFIXES: .c .o .lo
+ 
+@@ -41,8 +45,17 @@
+ clean:
+ 	rm -rf *.o *.lo *.la .libs
+ 
+-install:	$(PROGRAMS)
++install: install-lib install-man FORCE
++
++install-lib: $(PROGRAMS)
+ 	mkdir -p $(DESTDIR)$(moduledir)
+ 	for p in $(PROGRAMS) ; do \
+ 		$(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \
+ 	done
++
++install-man: $(MANPAGES)
++	mkdir -p  $(DESTDIR)$(man5dir)
++	$(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir)
++
++FORCE:
++
+diff --git a/contrib/slapd-modules/passwd/pbkdf2/slapd-pw-pbkdf2.5 b/contrib/slapd-modules/passwd/pbkdf2/slapd-pw-pbkdf2.5
+new file mode 100644
+index 0000000..3556cc6
+--- /dev/null
++++ b/contrib/slapd-modules/passwd/pbkdf2/slapd-pw-pbkdf2.5
+@@ -0,0 +1,112 @@
++.TH SLAPD-PW-PBKDF2 5 "RELEASEDATE" "OpenLDAP LDVERSION"
++.\" Copyright 2015 The OpenLDAP Foundation All Rights Reserved.
++.\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
++.\" $OpenLDAP$
++.SH NAME
++slapd-pw-pbkdf2 \- SHA-2 password module to slapd
++.SH SYNOPSIS
++ETCDIR/slapd.conf
++.RS
++.LP
++.B moduleload
++.B pw-pbkdf2
++.RE
++.SH DESCRIPTION
++.LP
++The 
++.B pw-pbkdf2
++module to
++.BR slapd (8)
++provides support for the use of the key stretching function
++PBKDF2 (Password-Based Key Derivation Function 2) following RFC 2898
++in hashed passwords in OpenLDAP.
++.LP
++It does so by providing the following additional password schemes for use in slapd:
++.RS
++.TP
++.B {PBKDF2}
++alias to {PBKDF2-SHA1}
++.TP
++.B {PBKDF2-SHA1}
++PBKDF2 using HMAC-SHA-1 as the underlying pseudorandom function
++.TP
++.B {PBKDF2-SHA256}
++PBKDF2 using HMAC-SHA-256 as the underlying pseudorandom function
++.TP
++.B {PBKDF2-SHA512}
++PBKDF2 using HMAC-SHA-512 as the underlying pseudorandom function
++.RE
++
++.SH CONFIGURATION
++The 
++.B pw-pbkdf2
++module does not need any configuration.
++.LP
++After loading the module, the password schemes
++{PBKDF2}, {PBKDF2-SHA1}, {PBKDF2-SHA256}, and {PBKDF2-SHA512}
++will be recognised in values of the
++.I userPassword
++attribute.
++.LP
++You can then instruct OpenLDAP to use these schemes when processing
++the LDAPv3 Password Modify (RFC 3062) extended operations by using the
++.BR password-hash
++option in
++.BR slapd.conf (5).
++
++.SH NOTES
++If you want to use the schemes described here with
++.BR slappasswd (8),
++don't forget to load the module using its command line options.
++The relevant option/value is:
++.RS
++.LP
++.B \-o
++.BR module\-load = pw-pbkdf2
++.LP
++.RE
++Depending on
++.BR pw-pbkdf2 's
++location, you may also need:
++.RS
++.LP
++.B \-o
++.BR module\-path = \fIpathspec\fP
++.RE
++
++.SH EXAMPLES
++All of the userPassword LDAP attributes below encode the password
++.RI ' secret '.
++.EX
++.LP
++userPassword: {PBKDF2-SHA512}10000$/oQ4xZi382mk7kvCd3ZdkA$2wqjpuyV2l0U/a1QwoQPOtlQL.UcJGNACj1O24balruqQb/NgPW6OCvvrrJP8.SzA3/5iYvLnwWPzeX8IK/bEQ
++.LP
++userPassword: {PBKDF2-SHA256}10000$jq40ImWtmpTE.aYDYV1GfQ$mpiL4ui02ACmYOAnCjp/MI1gQk50xLbZ54RZneU0fCg
++.LP
++userPassword: {PBKDF2-SHA1}10000$QJTEclnXgh9Cz3ChCWpdAg$9.s98jwFJM.NXJK9ca/oJ5AyoAQ
++.EE
++.LP
++To make {PBKDF2-SHA512} the password hash used in Password Modify extended operations,
++simply set this line in slapd.conf(5):
++.EX
++.LP
++password-hash   {PBKDF2-SHA512}
++.EX
++
++.SH SEE ALSO
++.BR slapd.conf (5),
++.BR ldappasswd (1),
++.BR slappasswd (8),
++.BR ldap (3),
++.LP
++"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
++.LP
++
++.SH ACKNOWLEDGEMENTS
++This manual page has been writen by Peter Marschall based on the
++module's README file written by HAMANO Tsukasa <ham...@osstech.co.jp>
++.LP
++.B OpenLDAP
++is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
++.B OpenLDAP
++is derived from University of Michigan LDAP 3.3 Release.
+-- 
+2.5.0
+
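Review bot: The NAME line `slapd-pw-pbkdf2 \- SHA-2 password module to slapd` describes the sha2 module this page was derived from, not PBKDF2; it should read `slapd-pw-pbkdf2 \- PBKDF2 password module to slapd`. In the EXAMPLES section the second example block is opened with `.EX` and then closed with another `.EX` instead of `.EE`, so the remainder of the page may render in example mode; and "writen" in ACKNOWLEDGEMENTS should be "written". The Makefile part of the patch looks consistent with the pbkdf2-makefile patch it builds on.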
diff --git a/debian/patches/pbkdf2-makefile-use-dpkg-buildflags b/debian/patches/pbkdf2-makefile-use-dpkg-buildflags
new file mode 100644
index 0000000..72be40f
--- /dev/null
+++ b/debian/patches/pbkdf2-makefile-use-dpkg-buildflags
@@ -0,0 +1,19 @@
+diff --git a/contrib/slapd-modules/passwd/pbkdf2/Makefile b/contrib/slapd-modules/passwd/pbkdf2/Makefile
+index 64ad97c..b23c5c1 100644
+--- a/contrib/slapd-modules/passwd/pbkdf2/Makefile
++++ b/contrib/slapd-modules/passwd/pbkdf2/Makefile
+@@ -30,12 +30,12 @@ moduledir = $(libexecdir)$(ldap_subdir)
+ .SUFFIXES: .c .o .lo
+ 
+ .c.lo:
+-	$(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $<
++	$(LIBTOOL) --mode=compile $(CC) $(OPT) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $<
+ 
+ all:		$(PROGRAMS)
+ 
+ pw-pbkdf2.la: pw-pbkdf2.lo
+-	$(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
++	$(LIBTOOL) --mode=link $(CC) $(OPT) $(LDFLAGS) -version-info $(LTVER) \
+ 	-rpath $(moduledir) -module -o $@ $? $(LIBS)
+ 
+ clean:
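Review bot: `$(CFLAGS) $(CPPFLAGS)` is added to the compile rule but the libtool link rule only receives `$(OPT) $(LDFLAGS)`; libtool convention passes the compiler flags at link time as well, `$(LIBTOOL) --mode=link $(CC) $(OPT) $(CFLAGS) $(LDFLAGS) -version-info $(LTVER) \`, so any option gcc also needs when linking is honoured. Placing `$(CFLAGS)` after the hard-coded `OPT = -g -O2 -Wall` is the right order, since the dpkg-buildflags values then take precedence on conflicts.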
diff --git a/debian/patches/series b/debian/patches/series
index 87dda63..c2dd376 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -26,3 +26,8 @@ ITS6035-olcauthzregex-needs-restart.patch
 starttls-MSbug.patch
 listmatch.patch
 facsimileNumberMatch.patch
+ITS8198-0001-fix-an-always-true-check.patch
+ITS8198-0002-optionally-use-libnettle-instead-of-openssl-for-crypto.patch
+pbkdf2-makefile-use-dpkg-buildflags
+pbkdf2-makefile
+pbkdf2-makefile-manpage
diff --git a/debian/rules b/debian/rules
index 1196dd6..4fa1f36 100755
--- a/debian/rules
+++ b/debian/rules
@@ -91,6 +91,7 @@ override_dh_auto_build:
 	$(MAKE) -C contrib/slapd-modules/autogroup
 	$(MAKE) -C contrib/slapd-modules/lastbind
 	$(MAKE) -C contrib/slapd-modules/passwd/sha2
+	$(MAKE) -C contrib/slapd-modules/passwd/pbkdf2
 
 override_dh_auto_install:
 	dh_auto_install -- $(MAKEVARS)
@@ -98,6 +99,7 @@ override_dh_auto_install:
 	$(MAKE) -C contrib/slapd-modules/autogroup install DESTDIR=$(installdir)
 	$(MAKE) -C contrib/slapd-modules/lastbind install DESTDIR=$(installdir)
 	$(MAKE) -C contrib/slapd-modules/passwd/sha2 install DESTDIR=$(installdir)
+	$(MAKE) -C contrib/slapd-modules/passwd/pbkdf2 install DESTDIR=$(installdir)
 
 	# Empty the dependency_libs file in the .la files.
 	for F in $(installdir)/usr/lib/ldap/*.la; do \
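Review bot: The new pbkdf2 install target pulls in a module linked with `-lnettle` (per the pbkdf2-makefile patch), but the diffstat shows no change to debian/control, so the build presumably relies on nettle-dev arriving transitively through the GnuTLS development package; declaring `nettle-dev` in Build-Depends would make that dependency explicit rather than incidental. The dependency_libs cleanup loop below the hunk covers the new module automatically, since moduledir resolves to $(installdir)/usr/lib/ldap. The override_dh_auto_install recipe starts above the hunk.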
-- 
2.5.0
