Source: openldap Version: 2.4.41+dfsg-1 Severity: wishlist Tags: upstream patch
Hi, please include the pbkdf2 contrib module in Debian's openldap packages. The attached patch does this: * It starts by preparing contrib/password/pbkdf2/pw-pdkdf2.c to work with nettle * debian/patches/TS8198-0001-fix-an-always-true-check.patch patch is taken from upstream ITS#8198 * ITS8198-0002-optionally-use-libnettle-instead-of-openssl-for-crypto.patch * Then it adapts contrib/password/pbkdf2/Makefile to follow Debian's rules * pbkdf2-makefile-use-dpkg-buildflags * pbkdf2-makefile * Of course it doesn't forget to add a manual page (derived from a patch I sent upstream as a part of ITS#8205) * pbkdf2-makefile-manpage * Finally it updates debian/rules to make sure the module's files get compiled and installed I have this patch included in my private packaging of openldap. When creating the patch, I tried to * avoid changing existing patches That's the reason for the 'pbkdf2-makefile-use-dpkg-buildflags' patch file. Feel free to merge it into 'contrib-modules-use-dpkg-buildflags' * adhere to existing patch naming logic e.g. 'pbkdf2-makefile' Thanks for your work on openldap in Debian! Best Peter PS: support for getting ITS#8198 and ITS#8205 included upstream is very welcome -- System Information: Debian Release: stretch/sid APT prefers testing APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.0.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
>From 755e6302f3f095919eed04d1849172cc61d42d8d Mon Sep 17 00:00:00 2001 From: Peter Marschall <pe...@adpm.de> Date: Sat, 8 Aug 2015 12:26:57 +0200 Subject: [PATCH] build and install pw-pbkdf2 Start by preparing contrib/password/pbkdf2/pw-pdkdf2.c to work with nettle * debian/patches/TS8198-0001-fix-an-always-true-check.patch patch is taken from upstream ITS#8198 * ITS8198-0002-optionally-use-libnettle-instead-of-openssl-for-crypto.patch Then adapt contrib/password/pbkdf2/Makefile to follow Debian's rules * pbkdf2-makefile-use-dpkg-buildflags * pbkdf2-makefile Don't forget to add a manual page (taken from a patch upstreamed in ITS#8205) * pbkdf2-makefile-manpage Finally compile & install it by adapting debian/rules --- .../ITS8198-0001-fix-an-always-true-check.patch | 48 +++++ ...e-libnettle-instead-of-openssl-for-crypto.patch | 196 +++++++++++++++++++++ debian/patches/pbkdf2-makefile | 43 +++++ debian/patches/pbkdf2-makefile-manpage | 184 +++++++++++++++++++ debian/patches/pbkdf2-makefile-use-dpkg-buildflags | 19 ++ debian/patches/series | 5 + debian/rules | 2 + 7 files changed, 497 insertions(+) create mode 100644 debian/patches/ITS8198-0001-fix-an-always-true-check.patch create mode 100644 debian/patches/ITS8198-0002-optionally-use-libnettle-instead-of-openssl-for-crypto.patch create mode 100644 debian/patches/pbkdf2-makefile create mode 100644 debian/patches/pbkdf2-makefile-manpage create mode 100644 debian/patches/pbkdf2-makefile-use-dpkg-buildflags diff --git a/debian/patches/ITS8198-0001-fix-an-always-true-check.patch b/debian/patches/ITS8198-0001-fix-an-always-true-check.patch new file mode 100644 index 0000000..f67297e --- /dev/null +++ b/debian/patches/ITS8198-0001-fix-an-always-true-check.patch 
@@ -0,0 +1,48 @@
+From f9e42bc1ce85a8c2bc7f3daa06a553b0f79ea6d8 Mon Sep 17 00:00:00 2001
+From: Luca Bruno <luca.br...@rocket-internet.de>
+Date: Wed, 5 Nov 2014 16:15:55 +0100
+Subject: [PATCH] Fix an always-true check
+
+Fixed asprintf return value check, in order to properly catch
+error conditions. This has been caught by clang -Wtautological-compare:
+
+pw-pbkdf2.c:132:17: warning: comparison of unsigned expression < 0 is always false
+ if(msg->bv_len < 0){
+ ~~~~~~~~~~~ ^ ~
+
+Signed-off-by: Luca Bruno <luca.br...@rocket-internet.de>
+---
+ contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c b/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c
+index e7c300e..e0f5dfd 100644
+--- a/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c
++++ b/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c
+@@ -99,7 +99,7 @@ static int pbkdf2_format(
+ struct berval *msg)
+ {
+
+- int rc;
++ int rc, msg_len;
+ char salt_b64[LUTIL_BASE64_ENCODE_LEN(PBKDF2_SALT_SIZE) + 1];
+ char dk_b64[LUTIL_BASE64_ENCODE_LEN(PBKDF2_MAX_DK_SIZE) + 1];
+
+@@ -115,13 +115,15 @@ static int pbkdf2_format(
+ return LUTIL_PASSWD_ERR;
+ }
+ b64_to_ab64(dk_b64);
+- msg->bv_len = asprintf(&msg->bv_val, "%s%d$%s$%s",
++ msg_len = asprintf(&msg->bv_val, "%s%d$%s$%s",
+ sc->bv_val, iteration,
+ salt_b64, dk_b64);
+- if(msg->bv_len < 0){
++ if(msg_len < 0){
++ msg->bv_len = 0;
+ return LUTIL_PASSWD_ERR;
+ }
+
++ msg->bv_len = msg_len;
+ return LUTIL_PASSWD_OK;
+ }
+ 
diff --git a/debian/patches/ITS8198-0002-optionally-use-libnettle-instead-of-openssl-for-crypto.patch b/debian/patches/ITS8198-0002-optionally-use-libnettle-instead-of-openssl-for-crypto.patch
new file mode 100644
index 0000000..75cb2a8
--- /dev/null
+++ b/debian/patches/ITS8198-0002-optionally-use-libnettle-instead-of-openssl-for-crypto.patch
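Review bot: On the asprintf failure path the embedded patch now sets `msg->bv_len = 0;` but leaves `msg->bv_val` holding whatever asprintf wrote, which glibc's documentation describes as undefined after an error, so a caller that later frees or inspects the berval after LUTIL_PASSWD_ERR still sees a garbage pointer. Adding `msg->bv_val = NULL;` beside `msg->bv_len = 0;` makes the error state well defined for both fields. The fix itself is right: bv_len is unsigned, so the old `< 0` test could never fire and an allocation failure was reported as success. pbkdf2_format's body starts outside the hunk.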
@@ -0,0 +1,196 @@ +From b98457fbb009e92d394e0d99851fc720df334db7 Mon Sep 17 00:00:00 2001 +From: Luca Bruno <luca.br...@rocket-internet.de> +Date: Wed, 5 Nov 2014 15:32:33 +0100 +Subject: [PATCH] Optionally use libnettle instead of OpenSSL for crypto + +OpenLDAP can be configured to be either built with OpenSSL or +GnuTLS. This commit adds support for building pw-pbkbdf2 module +without OpenSSL, by using PBKDF2 crypto primitives provided by +libnettle. +Closes hamano/openldap-pbkdf2#2 + +Signed-off-by: Luca Bruno <luca.br...@rocket-internet.de> +--- + contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c | 104 ++++++++++++++++++++++++ + 1 file changed, 104 insertions(+) + +diff --git a/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c b/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c +index e0f5dfd..8355908 100644 +--- a/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c ++++ b/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c +@@ -22,8 +22,19 @@ + #include <ac/string.h> + #include "lber_pvt.h" + #include "lutil.h" ++#include <stdio.h> ++#include <stdlib.h> + ++#ifdef HAVE_OPENSSL + #include <openssl/evp.h> ++#elif HAVE_GNUTLS ++#include <nettle/pbkdf2.h> ++#include <nettle/hmac.h> ++typedef void (*pbkdf2_hmac_update)(void *, unsigned, const uint8_t *); ++typedef void (*pbkdf2_hmac_digest)(void *, unsigned, uint8_t *); ++#else ++#error Unsupported crypto backend. 
++#endif + + #define PBKDF2_ITERATION 10000 + #define PBKDF2_SALT_SIZE 16 +@@ -139,11 +150,22 @@ static int pbkdf2_encrypt( + struct berval dk; + int iteration = PBKDF2_ITERATION; + int rc; ++#ifdef HAVE_OPENSSL + const EVP_MD *md; ++#else ++ struct hmac_sha1_ctx sha1_ctx; ++ struct hmac_sha256_ctx sha256_ctx; ++ struct hmac_sha512_ctx sha512_ctx; ++ void * current_ctx = NULL; ++ pbkdf2_hmac_update current_hmac_update = NULL; ++ pbkdf2_hmac_digest current_hmac_digest = NULL; ++#endif + + salt.bv_val = (char *)salt_value; + salt.bv_len = sizeof(salt_value); + dk.bv_val = (char *)dk_value; ++ ++#ifdef HAVE_OPENSSL + if(!ber_bvcmp(scheme, &pbkdf2_scheme)){ + dk.bv_len = PBKDF2_SHA1_DK_SIZE; + md = EVP_sha1(); +@@ -159,16 +181,52 @@ static int pbkdf2_encrypt( + }else{ + return LUTIL_PASSWD_ERR; + } ++#else ++ if(!ber_bvcmp(scheme, &pbkdf2_scheme)){ ++ dk.bv_len = PBKDF2_SHA1_DK_SIZE; ++ current_ctx = &sha1_ctx; ++ current_hmac_update = (pbkdf2_hmac_update) &hmac_sha1_update; ++ current_hmac_digest = (pbkdf2_hmac_digest) &hmac_sha1_digest; ++ hmac_sha1_set_key(current_ctx, passwd->bv_len, (const uint8_t *) passwd->bv_val); ++ }else if(!ber_bvcmp(scheme, &pbkdf2_sha1_scheme)){ ++ dk.bv_len = PBKDF2_SHA1_DK_SIZE; ++ current_ctx = &sha1_ctx; ++ current_hmac_update = (pbkdf2_hmac_update) &hmac_sha1_update; ++ current_hmac_digest = (pbkdf2_hmac_digest) &hmac_sha1_digest; ++ hmac_sha1_set_key(current_ctx, passwd->bv_len, (const uint8_t *) passwd->bv_val); ++ }else if(!ber_bvcmp(scheme, &pbkdf2_sha256_scheme)){ ++ dk.bv_len = PBKDF2_SHA256_DK_SIZE; ++ current_ctx = &sha256_ctx; ++ current_hmac_update = (pbkdf2_hmac_update) &hmac_sha256_update; ++ current_hmac_digest = (pbkdf2_hmac_digest) &hmac_sha256_digest; ++ hmac_sha256_set_key(current_ctx, passwd->bv_len, (const uint8_t *) passwd->bv_val); ++ }else if(!ber_bvcmp(scheme, &pbkdf2_sha512_scheme)){ ++ dk.bv_len = PBKDF2_SHA512_DK_SIZE; ++ current_ctx = &sha512_ctx; ++ current_hmac_update = (pbkdf2_hmac_update) 
&hmac_sha512_update; ++ current_hmac_digest = (pbkdf2_hmac_digest) &hmac_sha512_digest; ++ hmac_sha512_set_key(current_ctx, passwd->bv_len, (const uint8_t *) passwd->bv_val); ++ }else{ ++ return LUTIL_PASSWD_ERR; ++ } ++#endif + + if(lutil_entropy((unsigned char *)salt.bv_val, salt.bv_len) < 0){ + return LUTIL_PASSWD_ERR; + } + ++#ifdef HAVE_OPENSSL + if(!PKCS5_PBKDF2_HMAC(passwd->bv_val, passwd->bv_len, + (unsigned char *)salt.bv_val, salt.bv_len, + iteration, md, dk.bv_len, dk_value)){ + return LUTIL_PASSWD_ERR; + } ++#else ++ PBKDF2(current_ctx, current_hmac_update, current_hmac_digest, ++ dk.bv_len, iteration, ++ salt.bv_len, (const uint8_t *) salt.bv_val, ++ dk.bv_len, dk_value); ++#endif + + #ifdef SLAPD_PBKDF2_DEBUG + printf("Encrypt for %s\n", scheme->bv_val); +@@ -215,7 +273,16 @@ static int pbkdf2_check( + char dk_b64[LUTIL_BASE64_ENCODE_LEN(PBKDF2_MAX_DK_SIZE) + 1]; + unsigned char input_dk_value[PBKDF2_MAX_DK_SIZE]; + size_t dk_len; ++#ifdef HAVE_OPENSSL + const EVP_MD *md; ++#else ++ struct hmac_sha1_ctx sha1_ctx; ++ struct hmac_sha256_ctx sha256_ctx; ++ struct hmac_sha512_ctx sha512_ctx; ++ void * current_ctx = NULL; ++ pbkdf2_hmac_update current_hmac_update = NULL; ++ pbkdf2_hmac_digest current_hmac_digest = NULL; ++#endif + + #ifdef SLAPD_PBKDF2_DEBUG + printf("Checking for %s\n", scheme->bv_val); +@@ -223,6 +290,7 @@ static int pbkdf2_check( + printf(" Input Cred:\t%s\n", cred->bv_val); + #endif + ++#ifdef HAVE_OPENSSL + if(!ber_bvcmp(scheme, &pbkdf2_scheme)){ + dk_len = PBKDF2_SHA1_DK_SIZE; + md = EVP_sha1(); +@@ -238,6 +306,35 @@ static int pbkdf2_check( + }else{ + return LUTIL_PASSWD_ERR; + } ++#else ++ if(!ber_bvcmp(scheme, &pbkdf2_scheme)){ ++ dk_len = PBKDF2_SHA1_DK_SIZE; ++ current_ctx = &sha1_ctx; ++ current_hmac_update = (pbkdf2_hmac_update) &hmac_sha1_update; ++ current_hmac_digest = (pbkdf2_hmac_digest) &hmac_sha1_digest; ++ hmac_sha1_set_key(current_ctx, cred->bv_len, (const uint8_t *) cred->bv_val); ++ }else if(!ber_bvcmp(scheme, 
&pbkdf2_sha1_scheme)){ ++ dk_len = PBKDF2_SHA1_DK_SIZE; ++ current_ctx = &sha1_ctx; ++ current_hmac_update = (pbkdf2_hmac_update) &hmac_sha1_update; ++ current_hmac_digest = (pbkdf2_hmac_digest) &hmac_sha1_digest; ++ hmac_sha1_set_key(current_ctx, cred->bv_len, (const uint8_t *) cred->bv_val); ++ }else if(!ber_bvcmp(scheme, &pbkdf2_sha256_scheme)){ ++ dk_len = PBKDF2_SHA256_DK_SIZE; ++ current_ctx = &sha256_ctx; ++ current_hmac_update = (pbkdf2_hmac_update) &hmac_sha256_update; ++ current_hmac_digest = (pbkdf2_hmac_digest) &hmac_sha256_digest; ++ hmac_sha256_set_key(current_ctx, cred->bv_len, (const uint8_t *) cred->bv_val); ++ }else if(!ber_bvcmp(scheme, &pbkdf2_sha512_scheme)){ ++ dk_len = PBKDF2_SHA512_DK_SIZE; ++ current_ctx = &sha512_ctx; ++ current_hmac_update = (pbkdf2_hmac_update) &hmac_sha512_update; ++ current_hmac_digest = (pbkdf2_hmac_digest) &hmac_sha512_digest; ++ hmac_sha512_set_key(current_ctx, cred->bv_len, (const uint8_t *) cred->bv_val); ++ }else{ ++ return LUTIL_PASSWD_ERR; ++ } ++#endif + + iteration = atoi(passwd->bv_val); + if(iteration < 1){ +@@ -287,11 +384,18 @@ static int pbkdf2_check( + return LUTIL_PASSWD_ERR; + } + ++#ifdef HAVE_OPENSSL + if(!PKCS5_PBKDF2_HMAC(cred->bv_val, cred->bv_len, + salt_value, PBKDF2_SALT_SIZE, + iteration, md, dk_len, input_dk_value)){ + return LUTIL_PASSWD_ERR; + } ++#else ++ PBKDF2(current_ctx, current_hmac_update, current_hmac_digest, ++ dk_len, iteration, ++ PBKDF2_SALT_SIZE, salt_value, ++ dk_len, input_dk_value); ++#endif + + rc = memcmp(dk_value, input_dk_value, dk_len); + #ifdef SLAPD_PBKDF2_DEBUG diff --git a/debian/patches/pbkdf2-makefile b/debian/patches/pbkdf2-makefile new file mode 100644 index 0000000..a943c2e --- /dev/null +++ b/debian/patches/pbkdf2-makefile 
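Review bot: The two typedefs near the top of the hunk, `typedef void (*pbkdf2_hmac_update)(void *, unsigned, const uint8_t *);` and its digest twin, fix the length parameter as `unsigned`, and every hmac_sha*_update/hmac_sha*_digest call in pbkdf2_encrypt and pbkdf2_check is then made through a cast to that type; nettle 3 declares those length parameters as size_t, so on such a build the calls go through an incompatible function pointer type (undefined behaviour in C, and an ABI mismatch on 64-bit targets that may only work by accident). Nettle provides `nettle_hash_update_func` and `nettle_hash_digest_func` in `<nettle/nettle-types.h>` for exactly this use; declaring `nettle_hash_update_func *current_hmac_update` and `nettle_hash_digest_func *current_hmac_digest` keeps the prototypes in step with whichever nettle is installed, and `#elif defined(HAVE_GNUTLS)` is the safer spelling of the backend test. The four scheme branches are copied verbatim between the two functions; a small static table of scheme, derived-key size and the three HMAC entry points would remove the duplication. The stack-resident hmac_sha*_ctx structures keep the key state derived from the password or credential and are not cleared on any return path in either function; wiping them before returning would be cheap hardening. Both pbkdf2_encrypt and pbkdf2_check start and end outside the hunk.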
@@ -0,0 +1,43 @@
+diff --git a/contrib/slapd-modules/passwd/pbkdf2/Makefile b/contrib/slapd-modules/passwd/pbkdf2/Makefile
+index 64ad97c..1bb0826 100644
+--- a/contrib/slapd-modules/passwd/pbkdf2/Makefile
++++ b/contrib/slapd-modules/passwd/pbkdf2/Makefile
+@@ -2,30 +2,30 @@
+ 
+ LDAP_SRC = ../../../..
+ LDAP_BUILD = ../../../..
+-LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd
+-LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \
+- $(LDAP_BUILD)/libraries/liblber/liblber.la
++LDAP_INC = -I$(LDAP_BUILD)/debian/build/include -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd
++LDAP_LIB = $(LDAP_BUILD)/debian/build/libraries/libldap_r/libldap_r.la \
++ $(LDAP_BUILD)/debian/build/libraries/liblber/liblber.la
+ 
+-LIBTOOL = $(LDAP_BUILD)/libtool
++LIBTOOL = $(LDAP_BUILD)/debian/build/libtool
+ CC = gcc
+ OPT = -g -O2 -Wall
+ #DEFS = -DSLAPD_PBKDF2_DEBUG
+ 
+ INCS = $(LDAP_INC)
+-LIBS = $(LDAP_LIB) -lcrypto
++LIBS = $(LDAP_LIB) -lnettle
+ 
+ PROGRAMS = pw-pbkdf2.la
+ LTVER = 0:0:0
+ 
+ #prefix=/usr/local
+-prefix=`grep -e "^prefix =" $(LDAP_BUILD)/Makefile | cut -d= -f2`
++prefix=/usr
+ 
+ exec_prefix=$(prefix)
+-ldap_subdir=/openldap
++ldap_subdir=/ldap
+ 
+ libdir=$(exec_prefix)/lib
+ libexecdir=$(exec_prefix)/libexec
+-moduledir = $(libexecdir)$(ldap_subdir)
++moduledir = $(libdir)$(ldap_subdir)
+ 
+ .SUFFIXES: .c .o .lo
+ 
diff --git a/debian/patches/pbkdf2-makefile-manpage b/debian/patches/pbkdf2-makefile-manpage
new file mode 100644
index 0000000..aa08375
--- /dev/null
+++ b/debian/patches/pbkdf2-makefile-manpage
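Review bot: `LIBS = $(LDAP_LIB) -lnettle` picks the nettle backend unconditionally at link time, while the C source patched earlier in this series chooses between OpenSSL and nettle from HAVE_OPENSSL/HAVE_GNUTLS in the configured build, so the Makefile and the object it links can silently disagree if the package is ever configured against OpenSSL. A comment at that line, `# pw-pbkdf2.c takes its libnettle path under HAVE_GNUTLS; keep this in step with the configured TLS backend`, records the coupling for the next rebase. The hard-coded `prefix=/usr` and the `debian/build` include and library paths likewise tie this Makefile to Debian's out-of-tree build, which the patch name conveys but the file does not; a one-line header comment saying so would help.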
@@ -0,0 +1,184 @@ +From: Peter Marschall <pe...@adpm.de> +Date: Sat, 8 Aug 2015 17:32:04 +0200 +Subject: [PATCH] contrib/passwd/pbkdf2: add man page, install it too + +Add a manual page slapd-pw-pbkdf2.5 and update passwd/pbkdf2's Makefile to +install the new manual page. + +This patch is derived from the corresponding patch upstreamed in ITS#8205 + +--- + contrib/slapd-modules/passwd/pbkdf2/Makefile | 15 ++- + .../slapd-modules/passwd/pbkdf2/slapd-pw-pbkdf2.5 | 112 +++++++++++++++++++++ + 2 files changed, 126 insertions(+), 1 deletion(-) + create mode 100644 contrib/slapd-modules/passwd/pbkdf2/slapd-pw-pbkdf2.5 + +diff --git a/contrib/slapd-modules/passwd/pbkdf2/Makefile b/contrib/slapd-modules/passwd/pbkdf2/Makefile +index 64ad97c..fa98b0f 100644 +--- a/contrib/slapd-modules/passwd/pbkdf2/Makefile ++++ b/contrib/slapd-modules/passwd/pbkdf2/Makefile +@@ -7,6 +7,7 @@ + $(LDAP_BUILD)/debian/build/libraries/liblber/liblber.la + + LIBTOOL = $(LDAP_BUILD)/debian/build/libtool ++INSTALL = /usr/bin/install + CC = gcc + OPT = -g -O2 -Wall + #DEFS = -DSLAPD_PBKDF2_DEBUG +@@ -15,6 +16,7 @@ + LIBS = $(LDAP_LIB) -lnettle + + PROGRAMS = pw-pbkdf2.la ++MANPAGES = slapd-pw-pbkdf2.5 + LTVER = 0:0:0 + + #prefix=/usr/local +@@ -26,6 +28,8 @@ + libdir=$(exec_prefix)/lib + libexecdir=$(exec_prefix)/libexec + moduledir = $(libdir)$(ldap_subdir) ++mandir = $(exec_prefix)/share/man ++man5dir = $(mandir)/man5 + + .SUFFIXES: .c .o .lo + +@@ -41,8 +45,17 @@ + clean: + rm -rf *.o *.lo *.la .libs + +-install: $(PROGRAMS) ++install: install-lib install-man FORCE ++ ++install-lib: $(PROGRAMS) + mkdir -p $(DESTDIR)$(moduledir) + for p in $(PROGRAMS) ; do \ + $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ + done ++ ++install-man: $(MANPAGES) ++ mkdir -p $(DESTDIR)$(man5dir) ++ $(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir) ++ ++FORCE: ++ +diff --git a/contrib/slapd-modules/passwd/pbkdf2/slapd-pw-pbkdf2.5 b/contrib/slapd-modules/passwd/pbkdf2/slapd-pw-pbkdf2.5 +new file mode 
100644 +index 0000000..3556cc6 +--- /dev/null ++++ b/contrib/slapd-modules/passwd/pbkdf2/slapd-pw-pbkdf2.5 +@@ -0,0 +1,112 @@ ++.TH SLAPD-PW-PBKDF2 5 "RELEASEDATE" "OpenLDAP LDVERSION" ++.\" Copyright 2015 The OpenLDAP Foundation All Rights Reserved. ++.\" Copying restrictions apply. See COPYRIGHT/LICENSE. ++.\" $OpenLDAP$ ++.SH NAME ++slapd-pw-pbkdf2 \- SHA-2 password module to slapd ++.SH SYNOPSIS ++ETCDIR/slapd.conf ++.RS ++.LP ++.B moduleload ++.B pw-pbkdf2 ++.RE ++.SH DESCRIPTION ++.LP ++The ++.B pw-pbkdf2 ++module to ++.BR slapd (8) ++provides support for the use of the key stretching function ++PBKDF2 (Password-Based Key Derivation Function 2) following RFC 2898 ++in hashed passwords in OpenLDAP. ++.LP ++It does so by providing the following additional password schemes for use in slapd: ++.RS ++.TP ++.B {PBKDF2} ++alias to {PBKDF2-SHA1} ++.TP ++.B {PBKDF2-SHA1} ++PBKDF2 using HMAC-SHA-1 as the underlying pseudorandom function ++.TP ++.B {PBKDF2-SHA256} ++PBKDF2 using HMAC-SHA-256 as the underlying pseudorandom function ++.TP ++.B {PBKDF2-SHA512} ++PBKDF2 using HMAC-SHA-512 as the underlying pseudorandom function ++.RE ++ ++.SH CONFIGURATION ++The ++.B pw-pbkdf2 ++module does not need any configuration. ++.LP ++After loading the module, the password schemes ++{PBKDF2}, {PBKDF2-SHA1}, {PBKDF2-SHA256}, and {PBKDF2-SHA512} ++will be recognised in values of the ++.I userPassword ++attribute. ++.LP ++You can then instruct OpenLDAP to use these schemes when processing ++the LDAPv3 Password Modify (RFC 3062) extended operations by using the ++.BR password-hash ++option in ++.BR slapd.conf (5). ++ ++.SH NOTES ++If you want to use the schemes described here with ++.BR slappasswd (8), ++don't forget to load the module using its command line options. 
++The relevant option/value is: ++.RS ++.LP ++.B \-o ++.BR module\-load = pw-pbkdf2 ++.LP ++.RE ++Depending on ++.BR pw-pbkdf2 's ++location, you may also need: ++.RS ++.LP ++.B \-o ++.BR module\-path = \fIpathspec\fP ++.RE ++ ++.SH EXAMPLES ++All of the userPassword LDAP attributes below encode the password ++.RI ' secret '. ++.EX ++.LP ++userPassword: {PBKDF2-SHA512}10000$/oQ4xZi382mk7kvCd3ZdkA$2wqjpuyV2l0U/a1QwoQPOtlQL.UcJGNACj1O24balruqQb/NgPW6OCvvrrJP8.SzA3/5iYvLnwWPzeX8IK/bEQ ++.LP ++userPassword: {PBKDF2-SHA256}10000$jq40ImWtmpTE.aYDYV1GfQ$mpiL4ui02ACmYOAnCjp/MI1gQk50xLbZ54RZneU0fCg ++.LP ++userPassword: {PBKDF2-SHA1}10000$QJTEclnXgh9Cz3ChCWpdAg$9.s98jwFJM.NXJK9ca/oJ5AyoAQ ++.EE ++.LP ++To make {PBKDF2-SHA512} the password hash used in Password Modify extended operations, ++simply set this line in slapd.conf(5): ++.EX ++.LP ++password-hash {PBKDF2-SHA512} ++.EX ++ ++.SH SEE ALSO ++.BR slapd.conf (5), ++.BR ldappasswd (1), ++.BR slappasswd (8), ++.BR ldap (3), ++.LP ++"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) ++.LP ++ ++.SH ACKNOWLEDGEMENTS ++This manual page has been writen by Peter Marschall based on the ++module's README file written by HAMANO Tsukasa <ham...@osstech.co.jp> ++.LP ++.B OpenLDAP ++is developed and maintained by The OpenLDAP Project (http://www.openldap.org/). ++.B OpenLDAP ++is derived from University of Michigan LDAP 3.3 Release. +-- +2.5.0 + diff --git a/debian/patches/pbkdf2-makefile-use-dpkg-buildflags b/debian/patches/pbkdf2-makefile-use-dpkg-buildflags new file mode 100644 index 0000000..72be40f --- /dev/null +++ b/debian/patches/pbkdf2-makefile-use-dpkg-buildflags 
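Review bot: The NAME line of the new manual page, `slapd-pw-pbkdf2 \- SHA-2 password module to slapd`, describes the sha2 module rather than this one; it should read `slapd-pw-pbkdf2 \- PBKDF2 password module to slapd`, since the schemes it documents include HMAC-SHA-1 as well as the SHA-2 variants. In EXAMPLES the password-hash snippet is opened with `.EX` and closed with a second `.EX` instead of `.EE`, so the example block is never terminated. `writen` in ACKNOWLEDGEMENTS should be `written`. The Makefile side of the hunk (the install-lib/install-man split with a FORCE target) reads fine.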
@@ -0,0 +1,19 @@ +diff --git a/contrib/slapd-modules/passwd/pbkdf2/Makefile b/contrib/slapd-modules/passwd/pbkdf2/Makefile +index 64ad97c..b23c5c1 100644 +--- a/contrib/slapd-modules/passwd/pbkdf2/Makefile ++++ b/contrib/slapd-modules/passwd/pbkdf2/Makefile +@@ -30,12 +30,12 @@ moduledir = $(libexecdir)$(ldap_subdir) + .SUFFIXES: .c .o .lo + + .c.lo: +- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< ++ $(LIBTOOL) --mode=compile $(CC) $(OPT) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $< + + all: $(PROGRAMS) + + pw-pbkdf2.la: pw-pbkdf2.lo +- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ ++ $(LIBTOOL) --mode=link $(CC) $(OPT) $(LDFLAGS) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + + clean: diff --git a/debian/patches/series b/debian/patches/series index 87dda63..c2dd376 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -26,3 +26,8 @@ ITS6035-olcauthzregex-needs-restart.patch starttls-MSbug.patch listmatch.patch facsimileNumberMatch.patch +ITS8198-0001-fix-an-always-true-check.patch +ITS8198-0002-optionally-use-libnettle-instead-of-openssl-for-crypto.patch +pbkdf2-makefile-use-dpkg-buildflags +pbkdf2-makefile +pbkdf2-makefile-manpage diff --git a/debian/rules b/debian/rules index 1196dd6..4fa1f36 100755 --- a/debian/rules +++ b/debian/rules @@ -91,6 +91,7 @@ override_dh_auto_build: $(MAKE) -C contrib/slapd-modules/autogroup $(MAKE) -C contrib/slapd-modules/lastbind $(MAKE) -C contrib/slapd-modules/passwd/sha2 + $(MAKE) -C contrib/slapd-modules/passwd/pbkdf2 override_dh_auto_install: dh_auto_install -- $(MAKEVARS) 
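Review bot: The link recipe for pw-pbkdf2.la now receives `$(LDFLAGS)` but not `$(CFLAGS)`, whereas the compile rule gets both `$(CFLAGS)` and `$(CPPFLAGS)`; dpkg-buildflags options that act at link time are conventionally passed on the link line as well, so `$(LIBTOOL) --mode=link $(CC) $(OPT) $(CFLAGS) $(LDFLAGS) -version-info $(LTVER) \` keeps this module in line with how the rest of the package is linked. `$(OPT)` still hard-codes `-g -O2 -Wall`; that is pre-existing, and placing the dpkg variables after it lets their values win where the two conflict, which is presumably the intent.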
@@ -98,6 +99,7 @@ override_dh_auto_install: $(MAKE) -C contrib/slapd-modules/autogroup install DESTDIR=$(installdir) $(MAKE) -C contrib/slapd-modules/lastbind install DESTDIR=$(installdir) $(MAKE) -C contrib/slapd-modules/passwd/sha2 install DESTDIR=$(installdir) + $(MAKE) -C contrib/slapd-modules/passwd/pbkdf2 install DESTDIR=$(installdir) # Empty the dependency_libs file in the .la files. for F in $(installdir)/usr/lib/ldap/*.la; do \ -- 2.5.0