Ralf Hildebrandt wrote:
> Using slapd 2.5.13+dfsg-1ubuntu1 on ubuntu 22.10:
> =================================================
> 
> The password hashes are differing between what "slappasswd" and
> "openssl dgst" emit:
> 
> $ slappasswd -s secret -h '{SHA256}' -o module-path=/usr/lib/ldap -o module-load=pw-sha2
> {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54=
> 
> $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64
> K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
> 
> With SHA512 on the other hand, the hash generated by different programs is 
> identical:
> 
> $ slappasswd -s secret -h '{SHA512}' -o module-path=/usr/lib/ldap -o module-load=pw-sha2
> {SHA512}vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg==
> 
> $ echo -n "secret" | openssl dgst -sha512 -binary | openssl enc -base64
> vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cm
> W192CF5bDufKRpayrW/isg==
> 
> On an older box (ubuntu 20.04) with slapd 2.4.49+dfsg-2ubuntu1.9 we're seeing:
> ==============================================================================
> 
> $ slappasswd -s secret -h '{SHA256}' -o module-path=/usr/lib/ldap -o module-load=pw-sha2
> {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
> $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64
> K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
> 
> 
> So why is the SHA256 password hash generated by the 2.5.13 slappasswd
> command different from the hashes generated by the other programs/versions?
> 
The source code for the pw-sha2 module hasn't changed since 2015 at least. 
There's no difference between 2.4 and 2.5.

The variable here is your OS and compiler versions. I get the same result as you on ubuntu 22 with the default compile options. If I compile the module with only "-g" and no optimization, I get a different result. So the compiler is doing something screwy.

Note that the sha2.c used in the pw module comes from https://aarongifford.com/computers/sha.html and is unmodified. Probably you should report a bug to the gcc project.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
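The thread shows that pw-sha2's {SHA256}/{SHA512} values are plain unsalted digests of the password, base64-encoded, so any stored hash can be checked against an independent implementation. The following is an added example, not code from OpenLDAP or from either poster: it verifies a stored {SCHEME}base64 value with Python's hashlib and, used over a directory export, would flag hashes produced by a miscompiled module (they will not match the standard digest). The sample hashes are the ones quoted in the post above.

```python
import base64
import hashlib
import hmac

# Unsalted schemes produced by the pw-sha2 module: {SCHEME}base64(digest(password)).
SCHEMES = {"SHA256": hashlib.sha256, "SHA384": hashlib.sha384, "SHA512": hashlib.sha512}


def parse_hash(stored: str):
    """Split '{SCHEME}base64' into (scheme, raw_digest), rejecting malformed input."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("not a {SCHEME}... password hash")
    scheme, b64 = stored[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme {scheme}")
    raw = base64.b64decode(b64, validate=True)
    # A wrong digest length means the value cannot be a valid hash for this scheme.
    if len(raw) != SCHEMES[scheme]().digest_size:
        raise ValueError(f"{scheme} digest must be {SCHEMES[scheme]().digest_size} bytes")
    return scheme, raw


def make_hash(scheme: str, password: str) -> str:
    """Build the same {SCHEME}base64 form slappasswd emits, using hashlib as the reference."""
    scheme = scheme.upper()
    digest = SCHEMES[scheme](password.encode("utf-8")).digest()
    return "{" + scheme + "}" + base64.b64encode(digest).decode("ascii")


def verify(stored: str, password: str) -> bool:
    """True if the stored value is the standard digest of password (constant-time compare)."""
    scheme, raw = parse_hash(stored)
    expected = SCHEMES[scheme](password.encode("utf-8")).digest()
    return hmac.compare_digest(raw, expected)


if __name__ == "__main__":
    # Values quoted from the post: the 2.4.49/openssl result and the odd 2.5.13 result.
    good = "{SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols="
    odd = "{SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54="
    for h in (good, odd):
        print(h, "matches standard SHA-256" if verify(h, "secret") else "DOES NOT match")
```

Run against an exported userPassword attribute with the known test password, any entry reported as not matching was written by the non-standard build and will not verify with other implementations.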
