[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic

2023-04-11 Thread Launchpad Bug Tracker
This bug was fixed in the package openldap -
2.5.14+dfsg-0ubuntu0.22.04.2

---
openldap (2.5.14+dfsg-0ubuntu0.22.04.2) jammy; urgency=medium

  * Build the passwd/sha2 contrib module with -fno-strict-aliasing to
    avoid computing an incorrect SHA256 hash with some versions of the
    compiler (LP: #2000817):
    - d/t/{control,sha2-contrib}: test to verify the SHA256 hash
      produced by passwd/sha2
    - d/rules: set -fno-strict-aliasing only when building the
      passwd/sha2 contrib module

 -- Andreas Hasenack   Sun, 12 Mar 2023 14:11:53 -0300

** Changed in: openldap (Ubuntu Jammy)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/2000817

Title:
  Wrong SHA256-value computed on kinetic

Status in openldap package in Ubuntu:
  Fix Released
Status in openldap source package in Jammy:
  Fix Released
Status in openldap source package in Kinetic:
  Fix Released
Status in openldap source package in Lunar:
  Fix Released
Status in openldap package in Debian:
  Fix Released

Bug description:
  [ Impact ]

  OpenLDAP deployments using the contrib pw-sha2 module are not able to
  authenticate their users because the SHA2 calculation is done
  incorrectly.

  Even though this is a contrib module, from an upstream PoV, it is
  shipped in the Ubuntu (and Debian) OpenLDAP packages, and available
  for use.

  Some fix possibilities were discussed in comment #5, and we selected
  the one with the least impact to OpenLDAP users at large, which is to
  recompile that module only without the strict-aliasing optimization.

  This update makes that change, and also includes a DEP8 change to
  verify it.

  We didn't use a patch for the pw-sha2 Makefile because d/rules
  overrides the OPT variable in the make command line
  (https://git.launchpad.net/~ahasenack/ubuntu/+source/openldap/tree/debian/rules?h=lunar-slapd-sha2-2000817#n44)

  [ Test Plan ]

  # Install slapd and openssl
  $ sudo apt install slapd openssl

  # Run the following script

  #!/bin/bash

  reference_hash="{SHA256}$(echo -n secret | openssl dgst -sha256 -binary | openssl enc -base64)"
  test_hash=$(slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2)

  echo "Reference hash of \"secret\" (openssl): ${reference_hash}"
  echo "slapd's pw-sha2 hash: ${test_hash}"

  if [ "${reference_hash}" != "${test_hash}" ]; then
      echo "ERROR: hashes differ"
      exit 1
  else
      echo "PASS: hashes are identical"
  fi

  With the affected openldap package installed, the script should print
  an error. With the packages from proposed, the hashes should be
  identical.

  [ Where problems could occur ]

  The fix is a change of a compiler option strictly when building only
  the pw-sha2 module, so it's very localized. It could affect the
  performance of this module (for the worse), but it's already not
  working correctly.

  [ Other Info ]
  Not at this time.

  [Original Description]

  The OpenLDAP-contrib module sha2 (located in
  contrib/slapd-modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash
  on Ubuntu kinetic. This breaks our current password-authentication in ldap.

  The problematic computation:

  $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2
  {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54=

  The (correct) reference-value on the same system (or older Ubuntu
  versions):

  $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64
  K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=

  We nailed the problem down to a bug in the gcc-optimizer for
  strict-aliasing, so most probably the gcc-version on kinetic (v12.2.0)
  is the reason. The workaround is to compile the sha2-Module with the flag
  "-fno-strict-aliasing". Then the correct value is computed. An example
  taken from a git-compiled version of OpenLDAP 2.5.13:

  $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs
  {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=

  Ubuntu:

  Description:    Ubuntu 22.10
  Release:        22.10

  OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2000817/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
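
The test plan in the message above compares one unsalted {SHA256} value against openssl; the following added example (not part of the bug report or of OpenLDAP) goes a step further and checks both {SHA256} and the salted {SSHA256} values, which the original description also names, against a digest computed by coreutils instead of pw-sha2. The function names are hypothetical, and the value layout assumed is base64(SHA256(password)) for {SHA256} and base64(SHA256(password || salt) || salt) for {SSHA256}.

```shell
#!/bin/sh
# Added example: verify {SHA256}/{SSHA256} userPassword values without slapd.
# Assumed layouts: {SHA256}  = base64(SHA256(password))
#                  {SSHA256} = base64(SHA256(password || salt) || salt)
# Needs only coreutils: sha256sum, base64, od, head, tail, mktemp.

# Print stdin as lowercase hex without separators.
hex_of_stdin() { od -An -v -tx1 | tr -d ' \n'; }

# Print the SHA-256 of stdin as hex (the independent reference digest).
sha256_hex_of_stdin() { sha256sum | cut -d' ' -f1; }

# hex_to_bin HEX: write the bytes of an even-length hex string to stdout.
# Octal printf escapes keep this working in shells without \xHH support.
hex_to_bin() (
    for pair in $(printf '%s' "$1" | sed 's/../& /g'); do
        printf "\\$(printf '%03o' "0x$pair")"
    done
)

# encode_ldap_sha256 PASSWORD [SALT_HEX]: reference encoder, used here to
# construct sample values. With SALT_HEX it emits {SSHA256}, else {SHA256}.
encode_ldap_sha256() (
    password=$1
    salt_hex=${2:-}
    digest_hex=$( { printf '%s' "$password"; hex_to_bin "$salt_hex"; } \
        | sha256_hex_of_stdin )
    if [ -n "$salt_hex" ]; then scheme=SSHA256; else scheme=SHA256; fi
    printf '{%s}%s\n' "$scheme" \
        "$(hex_to_bin "$digest_hex$salt_hex" | base64 | tr -d '\n')"
)

# verify_ldap_sha256 PASSWORD VALUE
# Exit status: 0 = value matches the reference digest, 1 = mismatch,
#              2 = unsupported scheme or malformed value.
verify_ldap_sha256() (
    password=$1
    value=$2
    case $value in
        '{SHA256}'*)  scheme=SHA256 ;;
        '{SSHA256}'*) scheme=SSHA256 ;;
        *) exit 2 ;;
    esac
    b64=${value#*\}}                  # strip the "{SCHEME}" prefix

    # Only the decoded stored hash goes to disk, never the password.
    tmp=$(mktemp) || exit 2
    if ! printf '%s' "$b64" | base64 -d > "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        exit 2
    fi

    # A SHA-256 digest is 32 bytes; anything after it is the salt.
    size=$(($(wc -c < "$tmp")))
    case $scheme in
        SHA256)  [ "$size" -eq 32 ] || { rm -f "$tmp"; exit 2; } ;;
        SSHA256) [ "$size" -gt 32 ] || { rm -f "$tmp"; exit 2; } ;;
    esac

    stored=$(head -c 32 "$tmp" | hex_of_stdin)
    computed=$( {
        printf '%s' "$password"
        if [ "$scheme" = SSHA256 ]; then tail -c +33 "$tmp"; fi
    } | sha256_hex_of_stdin )

    if [ "$stored" = "$computed" ]; then rc=0; else rc=1; fi
    rm -f "$tmp"
    exit "$rc"
)

# Demo on the two values quoted in the bug report (password "secret").
for value in \
    '{SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=' \
    '{SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54='; do
    if verify_ldap_sha256 secret "$value"; then
        echo "OK       $value"
    else
        echo "MISMATCH $value"
    fi
done
```

The same function can be pointed at userPassword values exported from a directory to find entries whose hash was written while the affected pw-sha2 build was loaded.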


[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic

2023-04-11 Thread Launchpad Bug Tracker
This bug was fixed in the package openldap -
2.5.14+dfsg-0ubuntu0.22.10.2

---
openldap (2.5.14+dfsg-0ubuntu0.22.10.2) kinetic; urgency=medium

  * Build the passwd/sha2 contrib module with -fno-strict-aliasing to
    avoid computing an incorrect SHA256 hash with some versions of the
    compiler (LP: #2000817):
    - d/t/{control,sha2-contrib}: test to verify the SHA256 hash
      produced by passwd/sha2
    - d/rules: set -fno-strict-aliasing only when building the
      passwd/sha2 contrib module

 -- Andreas Hasenack   Sun, 12 Mar 2023 14:09:05 -0300

** Changed in: openldap (Ubuntu Kinetic)
   Status: Fix Committed => Fix Released



[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic

2023-04-03 Thread Andreas Hasenack
Another migration-reference/0 attempt for kinetic[1] confirmed that the
previous "success" was a fluke, and exim4 on plain kinetic is already
failing[2]. That's bug #1983605


1. https://autopkgtest.ubuntu.com/packages/e/exim4/kinetic/ppc64el
2. https://autopkgtest.ubuntu.com/results/autopkgtest-kinetic/kinetic/ppc64el/e/exim4/20230403_151428_4e639@/log.gz

Status in openldap package in Ubuntu:
  Fix Released
Status in openldap source package in Jammy:
  Fix Committed
Status in openldap source package in Kinetic:
  Fix Committed
Status in openldap source package in Lunar:
  Fix Released
Status in openldap package in Debian:
  Fix Released



[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic

2023-03-31 Thread Andreas Hasenack
Jammy verification

Reproducing the problem with the release packages:

$ cat > test.sh
#!/bin/bash

reference_hash="{SHA256}$(echo -n secret | openssl dgst -sha256 -binary | openssl enc -base64)"
test_hash=$(slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2)

echo "Reference hash of \"secret\" (openssl): ${reference_hash}"
echo "slapd's pw-sha2 hash: ${test_hash}"

if [ "${reference_hash}" != "${test_hash}" ]; then
    echo "ERROR: hashes differ"
    exit 1
else
    echo "PASS: hashes are identical"
fi
^D


# apt-cache policy slapd
slapd:
  Installed: 2.5.14+dfsg-0ubuntu0.22.04.1
  Candidate: 2.5.14+dfsg-0ubuntu0.22.04.1
  Version table:
 *** 2.5.14+dfsg-0ubuntu0.22.04.1 500
        500 http://br.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        100 /var/lib/dpkg/status
(...)

root@j-slapd-sha2:~# ./test.sh
Reference hash of "secret" (openssl): {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
slapd's pw-sha2 hash: {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54=
ERROR: hashes differ


Installing slapd from proposed:
root@j-slapd-sha2:~# apt-cache policy slapd
slapd:
  Installed: 2.5.14+dfsg-0ubuntu0.22.04.2
  Candidate: 2.5.14+dfsg-0ubuntu0.22.04.2
  Version table:
 *** 2.5.14+dfsg-0ubuntu0.22.04.2 500
        500 http://br.archive.ubuntu.com/ubuntu jammy-proposed/main amd64 Packages
        100 /var/lib/dpkg/status


Test now passes:
root@j-slapd-sha2:~# ./test.sh
Reference hash of "secret" (openssl): {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
slapd's pw-sha2 hash: {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
PASS: hashes are identical


Jammy verification succeeded.

** Tags removed: verification-needed-jammy
** Tags added: verification-done-jammy


[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic

2023-03-31 Thread Timo Aaltonen
Hello Christian, or anyone else affected,

Accepted openldap into jammy-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/openldap/2.5.14+dfsg-0ubuntu0.22.04.2
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-jammy to verification-done-jammy. If it does not fix
the bug for you, please add a comment stating that, and change the tag to
verification-failed-jammy. In either case, without details of your
testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: openldap (Ubuntu Jammy)
   Status: In Progress => Fix Committed

** Tags added: verification-needed-jammy


[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic

2023-03-30 Thread Andreas Hasenack
https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1983605 is the
exim4 bug. I would ask the SRU team to ignore the exim4 DEP8 errors on
basis of that.

Status in openldap package in Ubuntu:
  Fix Released
Status in openldap source package in Jammy:
  In Progress
Status in openldap source package in Kinetic:
  Fix Committed
Status in openldap source package in Lunar:
  Fix Released
Status in openldap package in Debian:
  Fix Released



[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic

2023-03-30 Thread Andreas Hasenack
And also without the updated packages. It's a bit random. When exim4 is
failing, it stays failing. Restart it, and it might or might not be in
failing mode. Sometimes it works, and keeps working. It's not related to
the openldap update. I think the migration-reference/0 run that
succeeded was a fluke.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/2000817

Title:
  Wrong SHA256-value computed on kinetic

Status in openldap package in Ubuntu:
  Fix Released
Status in openldap source package in Jammy:
  In Progress
Status in openldap source package in Kinetic:
  Fix Committed
Status in openldap source package in Lunar:
  Fix Released
Status in openldap package in Debian:
  Fix Released

Bug description:
  [ Impact ]

  OpenLDAP deployments using the contrib pw-sha2 module are not able to
  authenticate their users because the SHA2 calculation is done
  incorrectly.

  Even though this is a contrib module, from an upstream PoV, it is
  shipped in the Ubuntu (and Debian) OpenLDAP packages, and available
  for use.

  Some fix possibilities were discussed in comment #5, and we selected
  the one with the least impact to OpenLDAP users at large, which is to
  recompile that module only without the strict-aliasing optimization.

  This update makes that change, and also includes a DEP8 change to
  verify it.

  We didn't use a patch for the pw-sha2 Makefile because d/rules
  overrides the OPT variable in the make command line
  
(https://git.launchpad.net/~ahasenack/ubuntu/+source/openldap/tree/debian/rules?h=lunar-
  slapd-sha2-2000817#n44)

  [ Test Plan ]

  # Install slapd and openssl
  $ sudo apt install slapd openssl

  # Run the following script

  #!/bin/bash

  reference_hash="{SHA256}$(echo -n secret | openssl dgst -sha256 -binary | 
openssl enc -base64)"
  test_hash=$(slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2)

  echo "Reference hash of \"secret\" (openssl): ${reference_hash}"
  echo "slapd's pw-sha2 hash: ${test_hash}"

  if [ "${reference_hash}" != "${test_hash}" ]; then
  echo "ERROR: hashes differ"
  exit 1
  else
  echo "PASS: hashes are identical"
  fi

  With the affected openldap package installed, the script should print
  an error. With the packages from proposed, the hashes should be
  identical.

  [ Where problems could occur ]

  The fix is a change of a compiler option strictly when building only
  the pw-sha2 module, so it's very localized. It could affect the
  performance of this module (for the worse), but it's already not
  working correctly.

  [ Other Info ]
  Not at this time.

  [Original Description]

  The OpenLDAP-contrib module sha2 (located in contrib/slapd-
  modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu
  kinetic. This breaks our current password-authentication in ldap.

  The problematic computation:

  $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2
  {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54=

  The (correct) reference-value on the same system (or older ubuntu
  Versions):

  $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64
  K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=

  We nailed the problem down to a bug in the gcc-optimizer for strict-
  aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the
  reason. The workaround is to compile the sha2-Module with the flag
  "-fno-strict-aliasing". Then the correct value is computed. An example
  taken from a git-compiled version of OpenLDAP 2.5.13:

  $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o 
module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs
  {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=

  Ubuntu:

  Description:Ubuntu 22.10
  Release:22.10

  OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2000817/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
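
An added example (not from the bug report or the openldap package): a Python cross-check that recomputes pw-sha2 style values with hashlib, independent of both slapd and openssl, and generalizes the test plan's unsalted {SHA256} comparison to the salted and longer schemes. The function names and the salt are constructed for illustration, and the salted layout base64(digest || salt) is an assumption of this sketch; the two {SHA256} values are the ones quoted in the report.

```python
import base64
import binascii
import hashlib
import hmac

# Scheme name -> (hashlib algorithm, salted?). Assumed layout for salted
# schemes: base64(digest || salt), the salt being whatever follows the digest.
SCHEMES = {
    "SHA256": ("sha256", False), "SSHA256": ("sha256", True),
    "SHA384": ("sha384", False), "SSHA384": ("sha384", True),
    "SHA512": ("sha512", False), "SSHA512": ("sha512", True),
}


def parse_userpassword(value):
    """Split '{SCHEME}base64' into (scheme, digest, salt).

    Raises ValueError for an unknown scheme, bad base64 or a wrong length,
    so a malformed value is reported separately from a digest mismatch.
    """
    if not value.startswith("{") or "}" not in value:
        raise ValueError("missing {SCHEME} prefix")
    scheme, _, b64 = value[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme: " + scheme)
    algo, salted = SCHEMES[scheme]
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("invalid base64 payload") from exc
    size = hashlib.new(algo).digest_size
    if salted and len(raw) <= size:
        raise ValueError("salted value carries no salt")
    if not salted and len(raw) != size:
        raise ValueError("unexpected digest length")
    return scheme, raw[:size], raw[size:]


def encode_userpassword(scheme, password, salt=b""):
    """Reference encoding: hash(password || salt), then base64(digest || salt)."""
    algo, salted = SCHEMES[scheme]
    if bool(salt) != salted:
        raise ValueError("salt must be given for salted schemes only")
    digest = hashlib.new(algo, password + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def matches_reference(value, password):
    """True if the stored value is what a correct SHA-2 implementation produces."""
    scheme, digest, salt = parse_userpassword(value)
    algo, _ = SCHEMES[scheme]
    expected = hashlib.new(algo, password + salt).digest()
    return hmac.compare_digest(digest, expected)


# Values quoted in the bug report for the password "secret".
REPORTED_GOOD = "{SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols="
REPORTED_BAD = "{SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54="

# Constructed salted sample; the 8-byte salt is arbitrary.
CONSTRUCTED_SALT = bytes.fromhex("0102030405060708")
CONSTRUCTED_SSHA256 = encode_userpassword("SSHA256", b"secret", CONSTRUCTED_SALT)

if __name__ == "__main__":
    for label, value in (("reported good", REPORTED_GOOD),
                         ("reported bad", REPORTED_BAD),
                         ("constructed salted", CONSTRUCTED_SSHA256)):
        verdict = "OK" if matches_reference(value, b"secret") else "MISMATCH"
        print("%-20s %s  %s" % (label, verdict, value))
```

Values written by an affected build fail this check even though they are well-formed, which is how stored hashes that need to be reset can be told apart from ones created before or after the regression.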


[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic

2023-03-29 Thread Andreas Hasenack
I'm able to reproduce the exim4 dep8 error on kinetic ppc64el with the
updated libldap packages, investigating...

Status in openldap package in Ubuntu:
  Fix Released
Status in openldap source package in Jammy:
  In Progress
Status in openldap source package in Kinetic:
  Fix Committed
Status in openldap source package in Lunar:
  Fix Released
Status in openldap package in Debian:
  Fix Released



[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic

2023-03-28 Thread Bug Watch Updater
** Changed in: openldap (Debian)
   Status: Unknown => Fix Released

Status in openldap package in Ubuntu:
  Fix Released
Status in openldap source package in Jammy:
  In Progress
Status in openldap source package in Kinetic:
  Fix Committed
Status in openldap source package in Lunar:
  Fix Released
Status in openldap package in Debian:
  Fix Released



[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic

2023-03-23 Thread Andreas Hasenack
I'm checking the exim4 dep8 failures in kinetic.

Status in openldap package in Ubuntu:
  Fix Released
Status in openldap source package in Jammy:
  In Progress
Status in openldap source package in Kinetic:
  Fix Committed
Status in openldap source package in Lunar:
  Fix Released
Status in openldap package in Debian:
  Unknown



[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic

2023-03-23 Thread Andreas Hasenack
Kinetic verification

Confirming the problem with the unfixed slapd package:

$ apt-cache policy slapd
slapd:
  Installed: 2.5.14+dfsg-0ubuntu0.22.10.1
  Candidate: 2.5.14+dfsg-0ubuntu0.22.10.1
  Version table:
 *** 2.5.14+dfsg-0ubuntu0.22.10.1 500
        500 http://br.archive.ubuntu.com/ubuntu kinetic-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.5.13+dfsg-1ubuntu1 500
        500 http://br.archive.ubuntu.com/ubuntu kinetic/main amd64 Packages


$ ./test.sh
Reference hash of "secret" (openssl): {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
slapd's pw-sha2 hash: {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54=
ERROR: hashes differ


Updating to proposed:
$ apt-cache policy slapd
slapd:
  Installed: 2.5.14+dfsg-0ubuntu0.22.10.2
  Candidate: 2.5.14+dfsg-0ubuntu0.22.10.2
  Version table:
 *** 2.5.14+dfsg-0ubuntu0.22.10.2 500
        500 http://br.archive.ubuntu.com/ubuntu kinetic-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2.5.14+dfsg-0ubuntu0.22.10.1 500
        500 http://br.archive.ubuntu.com/ubuntu kinetic-updates/main amd64 Packages
     2.5.13+dfsg-1ubuntu1 500
        500 http://br.archive.ubuntu.com/ubuntu kinetic/main amd64 Packages


Problem fixed:
$ ./test.sh
Reference hash of "secret" (openssl): {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
slapd's pw-sha2 hash: {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
PASS: hashes are identical


Kinetic verification succeeded.

** Tags removed: verification-needed-kinetic
** Tags added: verification-done-kinetic

Status in openldap package in Ubuntu:
  Fix Released
Status in openldap source package in Jammy:
  In Progress
Status in openldap source package in Kinetic:
  Fix Committed
Status in openldap source package in Lunar:
  Fix Released
Status in openldap package in Debian:
  Unknown


[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic

2023-03-17 Thread Steve Langasek
Hello Christian, or anyone else affected,

Accepted openldap into kinetic-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/openldap/2.5.14+dfsg-0ubuntu0.22.10.2
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
kinetic to verification-done-kinetic. If it does not fix the bug for
you, please add a comment stating that, and change the tag to
verification-failed-kinetic. In either case, without details of your
testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: openldap (Ubuntu Kinetic)
   Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-kinetic

Status in openldap package in Ubuntu:
  Fix Released
Status in openldap source package in Jammy:
  In Progress
Status in openldap source package in Kinetic:
  Fix Committed
Status in openldap source package in Lunar:
  Fix Released
Status in openldap package in Debian:
  Unknown


[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic

2023-03-12 Thread Launchpad Bug Tracker
** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/openldap/+git/openldap/+merge/438725

** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/openldap/+git/openldap/+merge/438726

Status in openldap package in Ubuntu:
  Fix Released
Status in openldap source package in Jammy:
  In Progress
Status in openldap source package in Kinetic:
  In Progress
Status in openldap source package in Lunar:
  Fix Released
Status in openldap package in Debian:
  Unknown



[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic

2023-03-12 Thread Andreas Hasenack
** Description changed:

  [ Impact ]
  
-  * An explanation of the effects of the bug on users and
+ OpenLDAP deployments using the contrib pw-sha2 module are not able to
+ authenticate their users because the SHA2 calculation is done
+ incorrectly.
  
-  * justification for backporting the fix to the stable release.
+ Even though this is a contrib module, from an upstream PoV, it is
+ shipped in the Ubuntu (and Debian) OpenLDAP packages, and available for
+ use.
  
-  * In addition, it is helpful, but not required, to include an
-explanation of how the upload fixes this bug.
+ Some fix possibilities were discussed in comment #5, and we selected the
+ one with the least impact to OpenLDAP users at large, which is to
+ recompile that module only without the strict-aliasing optimization.
+ 
+ This update makes that change, and also includes a DEP8 change to verify
+ it.
+ 
+ We didn't use a patch for the pw-sha2 Makefile because d/rules overrides
+ the OPT variable in the make command line
+ 
(https://git.launchpad.net/~ahasenack/ubuntu/+source/openldap/tree/debian/rules?h=lunar-
+ slapd-sha2-2000817#n44)
+ 
  
  [ Test Plan ]
  
-  * detailed instructions how to reproduce the bug
+ # Install slapd and openssl
+ $ sudo apt install slapd openssl
  
-  * these should allow someone who is not familiar with the affected
-package to reproduce the bug and verify that the updated package fixes
-the problem.
+ # Run the following script
  
-  * if other testing is appropriate to perform before landing this update,
-this should also be described here.
+ #!/bin/bash
+ 
+ reference_hash="{SHA256}$(echo -n secret | openssl dgst -sha256 -binary | 
openssl enc -base64)"
+ test_hash=$(slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2)
+ 
+ echo "Reference hash of \"secret\" (openssl): ${reference_hash}"
+ echo "slapd's pw-sha2 hash: ${test_hash}"
+ 
+ if [ "${reference_hash}" != "${test_hash}" ]; then
+ echo "ERROR: hashes differ"
+ exit 1
+ else
+ echo "PASS: hashes are identical"
+ fi
+ 
+ 
+ With the affected openldap package installed, the script should print an 
error. With the packages from proposed, the hashes should be identical.
+ 
  
  [ Where problems could occur ]
  
-  * Think about what the upload changes in the software. Imagine the change is
-wrong or breaks something else: how would this show up?
- 
-  * It is assumed that any SRU candidate patch is well-tested before
-upload and has a low overall risk of regression, but it's important
-to make the effort to think about what ''could'' happen in the
-event of a regression.
- 
-  * This must '''never''' be "None" or "Low", or entirely an argument as to why
-your upload is low risk.
- 
-  * This both shows the SRU team that the risks have been considered,
-and provides guidance to testers in regression-testing the SRU.
+ The fix is a change of a compiler option strictly when building only the
+ pw-sha2 module, so it's very localized. It could affect the performance
+ of this module (for the worse), but it's already not working correctly.
  
  [ Other Info ]
-  
-  * Anything else you think is useful to include
-  * Anticipate questions from users, SRU, +1 maintenance, security teams and 
the Technical Board
-  * and address these questions in advance
+ Not at this time.
  
  [Original Description]
  
  The OpenLDAP-contrib module sha2 (located in contrib/slapd-
  modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu
  kinetic. This breaks our current password-authentication in ldap.
  
  The problematic computation:
  
  $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2
  {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54=
  
  The (correct) reference-value on the same system (or older ubuntu
  Versions):
  
  $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64
  K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
  
  We nailed the problem down to a bug in the gcc-optimizer for strict-
  aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the
  reason. The workaround is to compile the sha2-Module with the flag
  "-fno-strict-aliasing". Then the correct value is computed. An example
  taken from a git-compiled version of OpenLDAP 2.5.13:
  
  $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o 
module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs
  {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
  
  Ubuntu:
  
  Description:Ubuntu 22.10
  Release:22.10
  
  OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1
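
Review bot: in the added test script, the result of `test_hash=$(slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2)` is never checked, so if slappasswd fails (for example because the pw-sha2 module cannot be loaded) `test_hash` is empty and the script still reports "ERROR: hashes differ", which is indistinguishable from the miscomputation this update targets. Suggest testing slappasswd's exit status, or that `test_hash` is non-empty, before the comparison and reporting that case with its own message. The plan also exercises only `{SHA256}`, while the original description names SHA256/SSHA256 as affected; a salted value cannot be compared byte for byte, but the test plan could say so explicitly.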

** Description changed:

  [ Impact ]
  
  OpenLDAP deployments using the contrib pw-sha2 module are not able to
  authenticate their users because the SHA2 calculation is done
  incorrectly.
  
  Even though this is a contrib module, from an upstream PoV, it is
  shipped in the Ubuntu (and Debian) OpenLDAP packages, and available for
  use.
  
  

[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic

2023-03-12 Thread Andreas Hasenack
** Description changed:

+ [ Impact ]
+ 
+  * An explanation of the effects of the bug on users and
+ 
+  * justification for backporting the fix to the stable release.
+ 
+  * In addition, it is helpful, but not required, to include an
+explanation of how the upload fixes this bug.
+ 
+ [ Test Plan ]
+ 
+  * detailed instructions how to reproduce the bug
+ 
+  * these should allow someone who is not familiar with the affected
+package to reproduce the bug and verify that the updated package fixes
+the problem.
+ 
+  * if other testing is appropriate to perform before landing this update,
+this should also be described here.
+ 
+ [ Where problems could occur ]
+ 
+  * Think about what the upload changes in the software. Imagine the change is
+wrong or breaks something else: how would this show up?
+ 
+  * It is assumed that any SRU candidate patch is well-tested before
+upload and has a low overall risk of regression, but it's important
+to make the effort to think about what ''could'' happen in the
+event of a regression.
+ 
+  * This must '''never''' be "None" or "Low", or entirely an argument as to why
+your upload is low risk.
+ 
+  * This both shows the SRU team that the risks have been considered,
+and provides guidance to testers in regression-testing the SRU.
+ 
+ [ Other Info ]
+  
+  * Anything else you think is useful to include
+  * Anticipate questions from users, SRU, +1 maintenance, security teams and 
the Technical Board
+  * and address these questions in advance
+ 
+ [Original Description]
+ 
  The OpenLDAP-contrib module sha2 (located in contrib/slapd-
  modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu
  kinetic. This breaks our current password-authentication in ldap.
  
- 
  The problematic computation:
  
- $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2
- {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54=
+ $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2
+ {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54=
  
  The (correct) reference-value on the same system (or older ubuntu
  Versions):
  
- $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64
- K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
+ $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64
+ K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
  
+ We nailed the problem down to a bug in the gcc-optimizer for strict-
+ aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the
+ reason. The workaround is to compile the sha2-Module with the flag
+ "-fno-strict-aliasing". Then the correct value is computed. An example
+ taken from a git-compiled version of OpenLDAP 2.5.13:
  
- We nailed the problem down to a bug in the gcc-optimizer for strict-aliasing. 
so most probably the gcc-version on kinetic (v12.2.0) is the reason. The 
workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". 
Then the correct value is computed. An example taken from a git-compiled 
version of OpenLDAP 2.5.13:
- 
- $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o 
module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs
- {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
- 
- 
+ $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o 
module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs
+ {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
  
  Ubuntu:
  
- Description:Ubuntu 22.10
- Release:22.10
+ Description:Ubuntu 22.10
+ Release:22.10
  
- OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1
+ OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/2000817

Title:
  Wrong SHA256-value computed on kinetic

Status in openldap package in Ubuntu:
  Fix Released
Status in openldap source package in Jammy:
  In Progress
Status in openldap source package in Kinetic:
  In Progress
Status in openldap source package in Lunar:
  Fix Released
Status in openldap package in Debian:
  Unknown

Bug description:
  [ Impact ]

   * An explanation of the effects of the bug on users and

   * justification for backporting the fix to the stable release.

   * In addition, it is helpful, but not required, to include an
 explanation of how the upload fixes this bug.

  [ Test Plan ]

   * detailed instructions how to reproduce the bug

   * these should allow someone who is not familiar with the affected
 package to reproduce the bug and verify that the updated package fixes
 the problem.

   * if other testing is appropriate to perform before landing this update,
 this should also be described here.

  [ Where problems could occur ]

   * Think about what the upload changes in the software. Imagine the 

[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic

2023-03-09 Thread Launchpad Bug Tracker
This bug was fixed in the package openldap - 2.6.3+dfsg-1~exp1ubuntu2

---
openldap (2.6.3+dfsg-1~exp1ubuntu2) lunar; urgency=medium

  * Build the passwd/sha2 contrib module with -fno-strict-aliasing to
    avoid computing an incorrect SHA256 hash with some versions of the
    compiler (LP: #2000817):
    - d/t/{control,sha2-contrib}: test to verify the SHA256 hash
      produced by passwd/sha2
    - d/rules: set -fno-strict-aliasing only when building the
      passwd/sha2 contrib module
  * d/t/smbk5pwd: Allow the openldap user to read the Heimdal master key in the
    smbk5pwd DEP8 test (LP: #2004560)

 -- Andreas Hasenack   Fri, 03 Feb 2023 09:33:14 -0300

** Changed in: openldap (Ubuntu Lunar)
   Status: In Progress => Fix Released


Bug description:
  The OpenLDAP-contrib module sha2 (located in contrib/slapd-
  modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu
  kinetic. This breaks our current password-authentication in ldap.


  The problematic computation:

  $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2
  {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54=

  The (correct) reference-value on the same system (or older Ubuntu
  versions):

  $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64
  K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=

  We nailed the problem down to a bug in the gcc-optimizer for
  strict-aliasing, so most probably the gcc-version on kinetic (v12.2.0) is
  the reason. The workaround is to compile the sha2-Module with the flag
  "-fno-strict-aliasing". Then the correct value is computed. An example
  taken from a git-compiled version of OpenLDAP 2.5.13:

  $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs
  {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=

  Ubuntu:

  Description: Ubuntu 22.10
  Release: 22.10

  OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2000817/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
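
The changelog above adds a DEP8 test that verifies the SHA256 hash produced by passwd/sha2. A check in the same spirit, as an added example (not the package's d/t/sha2-contrib script): it recomputes the digest with Python's hashlib and flags stored {SHA256}/{SSHA256} values that do not match a known canary password. The function names are hypothetical, and the {SSHA256} layout used here (SHA-256 over password then salt, with the salt appended to the digest) is an assumption.

```python
import base64
import binascii
import hashlib
import hmac

DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes
SCHEMES = ("{SHA256}", "{SSHA256}")


def encode(password: bytes, scheme: str = "{SHA256}", salt: bytes = b"") -> str:
    """Build a userPassword value from a known-good SHA-256 implementation."""
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme: {scheme}")
    if bool(salt) != (scheme == "{SSHA256}"):
        raise ValueError("salt is required for {SSHA256} and invalid for {SHA256}")
    # Assumed layout: digest over password||salt, salt appended after the digest.
    digest = hashlib.sha256(password + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def parse(value: str):
    """Split a stored value into (scheme, digest, salt); ValueError if malformed."""
    for scheme in SCHEMES:
        if value.startswith(scheme):
            break
    else:
        raise ValueError("not a {SHA256}/{SSHA256} value")
    try:
        raw = base64.b64decode(value[len(scheme):], validate=True)
    except binascii.Error as exc:
        raise ValueError("payload is not valid base64") from exc
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    if len(digest) != DIGEST_LEN or bool(salt) != (scheme == "{SSHA256}"):
        raise ValueError("payload length does not fit the scheme")
    return scheme, digest, salt


def matches_reference(value: str, password: bytes) -> bool:
    """True when the stored digest equals the reference digest for password."""
    _scheme, digest, salt = parse(value)
    expected = hashlib.sha256(password + salt).digest()
    return hmac.compare_digest(digest, expected)


def audit(canaries):
    """canaries: (label, stored_value, known_password) triples.

    Returns the labels whose stored value does not match the reference,
    i.e. values that a correctly built module would reject.
    """
    return [label for label, value, pw in canaries
            if not matches_reference(value, pw)]


# The two {SHA256} values are the ones quoted in this thread for the password
# "secret"; the salted entry is constructed here with a fixed sample salt.
GOOD = "{SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols="
BAD = "{SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54="
SAMPLES = [
    ("reference value", GOOD, b"secret"),
    ("kinetic 22.10 package", BAD, b"secret"),
    ("constructed salted value", encode(b"secret", "{SSHA256}", bytes(range(8))), b"secret"),
]

if __name__ == "__main__":
    for label in audit(SAMPLES):
        print(f"MISMATCH: {label}")
```

On a real system the stored value would come from `slappasswd` or from a canary entry whose password is known, checked before and after the package update.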


[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic

2023-03-01 Thread Andreas Hasenack
** Changed in: openldap (Ubuntu Jammy)
   Status: New => In Progress

** Changed in: openldap (Ubuntu Kinetic)
   Status: New => In Progress

** Changed in: openldap (Ubuntu Jammy)
 Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Changed in: openldap (Ubuntu Kinetic)
 Assignee: (unassigned) => Andreas Hasenack (ahasenack)

Status in openldap package in Ubuntu:
  In Progress
Status in openldap source package in Jammy:
  In Progress
Status in openldap source package in Kinetic:
  In Progress
Status in openldap source package in Lunar:
  In Progress
Status in openldap package in Debian:
  Unknown



[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic

2023-02-06 Thread Andreas Hasenack
** Bug watch added: Debian Bug tracker #1030716
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030716

** Also affects: openldap (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030716
   Importance: Unknown
   Status: Unknown

** Also affects: openldap (Ubuntu Kinetic)
   Importance: Undecided
   Status: New

** Also affects: openldap (Ubuntu Jammy)
   Importance: Undecided
   Status: New

** Also affects: openldap (Ubuntu Lunar)
   Importance: Undecided
 Assignee: Andreas Hasenack (ahasenack)
   Status: In Progress

Status in openldap package in Ubuntu:
  In Progress
Status in openldap source package in Jammy:
  New
Status in openldap source package in Kinetic:
  New
Status in openldap source package in Lunar:
  In Progress
Status in openldap package in Debian:
  Unknown



[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic

2023-02-02 Thread Andreas Hasenack
** Changed in: openldap (Ubuntu)
   Status: Triaged => In Progress

Status in openldap package in Ubuntu:
  In Progress



[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic

2023-02-01 Thread Launchpad Bug Tracker
** Merge proposal linked:
   
https://code.launchpad.net/~ahasenack/ubuntu/+source/openldap/+git/openldap/+merge/436723

Status in openldap package in Ubuntu:
  Triaged



[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic

2023-01-18 Thread Andreas Hasenack
Writing down some options from a quick handover discussion I had with Sergio, in no particular order:
- rebuild openldap with the attached patch, disabling strict aliasing just for that module
- check if LTO is having an effect on this: maybe disabling LTO also fixes it, and there is precedent for such a change in an SRU
- maybe the module code can be changed to not trigger this bug
- future-land: make the module use gnutls for such functions



[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic

2023-01-18 Thread Andreas Hasenack
** Changed in: openldap (Ubuntu)
 Assignee: Sergio Durigan Junior (sergiodj) => Andreas Hasenack (ahasenack)



[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic

2023-01-04 Thread Sergio Durigan Junior
** Changed in: openldap (Ubuntu)
 Assignee: (unassigned) => Sergio Durigan Junior (sergiodj)



[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic

2023-01-04 Thread Robie Basak
** Tags removed: server-next
** Tags added: server-todo



[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic

2023-01-03 Thread Bryce Harrington
** Tags added: server-next



[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic

2023-01-03 Thread Bryce Harrington
lunar, kinetic, and jammy all return the first result, while focal
provides the second:

triage-lunar+23.04: ~$ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2
{SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54=
triage-lunar+23.04: ~$ slapd -VV
@(#) $OpenLDAP: slapd 2.6.3+dfsg-1~exp1ubuntu1 (Nov 18 2022 21:07:45) $

triage-kinetic+22.10: ~$ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2
{SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54=
triage-kinetic+22.10: ~$ slapd -VV
@(#) $OpenLDAP: slapd 2.5.13+dfsg-1ubuntu1 (Sep 20 2022 19:30:47) $

triage-jammy+22.04: ~$ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2
{SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54=
triage-jammy+22.04: ~$ slapd -VV
@(#) $OpenLDAP: slapd 2.5.13+dfsg-0ubuntu0.22.04.1 (Aug  5 2022 14:51:52) $

triage-focal+20.04: ~$ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2
{SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
triage-focal+20.04: ~$ slapd -VV
@(#) $OpenLDAP: slapd  (Ubuntu) (May 12 2022 13:11:05) $
triage-focal+20.04: ~$ apt-cache policy slapd
slapd:
  Installed: 2.4.49+dfsg-2ubuntu1.9

On all releases, the openssl dgst call produces the same result,
K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=

Here are two other references mentioning the same problem, and the same
suggested workaround:

* https://www.mail-archive.com/search?l=openldap-techni...@openldap.org=subject:%22%22=newest=1
* https://stackoverflow.com/questions/74928752/slappasswd-generating-a-strange-password-hash-sha256-only

I don't know whether there might be side effects from adding
"-fno-strict-aliasing".  However, the patch's compilation modifications look
like they'll affect the performance of only the sha2 module, so for
SRU policy this seems a narrow enough fix.  Since this is described in
the first link as a contrib module, that may explain why this issue
hasn't come to light earlier.

** Changed in: openldap (Ubuntu)
   Status: Confirmed => Triaged



[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic

2022-12-31 Thread Ubuntu Foundations Team Bug Bot
The attachment "openldap-contrib-sha2.patch" seems to be a patch.  If it
isn't, please remove the "patch" flag from the attachment, remove the
"patch" tag, and if you are a member of the ~ubuntu-reviewers,
unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issues please contact him.]

** Tags added: patch

Status in openldap package in Ubuntu:
  Confirmed



[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic

2022-12-31 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: openldap (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/2000817

Title:
  Wrong SHA256-value computed on kinetic

Status in openldap package in Ubuntu:
  Confirmed
