[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic
This bug was fixed in the package openldap - 2.5.14+dfsg-0ubuntu0.22.04.2 --- openldap (2.5.14+dfsg-0ubuntu0.22.04.2) jammy; urgency=medium * Build the passwd/sha2 contrib module with -fno-strict-aliasing to avoid computing an incorrect SHA256 hash with some versions of the compiler (LP: #2000817): - d/t/{control,sha2-contrib}: test to verify the SHA256 hash produced by passwd/sha2 - d/rules: set -fno-strict-aliasing only when building the passwd/sha2 contrib module -- Andreas Hasenack Sun, 12 Mar 2023 14:11:53 -0300 ** Changed in: openldap (Ubuntu Jammy) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/2000817 Title: Wrong SHA256-value computed on kinetic Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Jammy: Fix Released Status in openldap source package in Kinetic: Fix Released Status in openldap source package in Lunar: Fix Released Status in openldap package in Debian: Fix Released Bug description: [ Impact ] OpenLDAP deployments using the contrib pw-sha2 module are not able to authenticate their users because the SHA2 calculation is done incorrectly. Even though this is a contrib module, from an upstream PoV, it is shipped in the Ubuntu (and Debian) OpenLDAP packages, and available for use. Some fix possibilities were discussed in comment #5, and we selected the one with the least impact to OpenLDAP users at large, which is to recompile that module only without the strict-aliasing optimization. This update makes that change, and also includes a DEP8 change to verify it. We didn't use a patch for the pw-sha2 Makefile because d/rules overrides the OPT variable in the make command line (https://git.launchpad.net/~ahasenack/ubuntu/+source/openldap/tree/debian/rules?h=lunar- slapd-sha2-2000817#n44) [ Test Plan ] # Install slapd and openssl $ sudo apt install slapd openssl # Run the following script #!/bin/bash reference_hash="{SHA256}$(echo -n secret | openssl dgst -sha256 -binary | openssl enc -base64)" test_hash=$(slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2) echo "Reference hash of \"secret\" (openssl): ${reference_hash}" echo "slapd's pw-sha2 hash: ${test_hash}" if [ "${reference_hash}" != "${test_hash}" ]; then echo "ERROR: hashes differ" exit 1 else echo "PASS: hashes are identical" fi With the affected openldap package installed, the script should print an error. With the packages from proposed, the hashes should be identical. [ Where problems could occur ] The fix is a change of a compiler option strictly when building only the pw-sha2 module, so it's very localized. It could affect the performance of this module (for the worse), but it's already not working correctly. [ Other Info ] Not at this time. [Original Description] The OpenLDAP-contrib module sha2 (located in contrib/slapd- modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu kinetic. This breaks our current password-authentication in ldap. The problematic computation: $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= The (correct) reference-value on the same system (or older ubuntu Versions): $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= We nailed the problem down to a bug in the gcc-optimizer for strict- aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the reason. The workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". Then the correct value is computed. An example taken from a git-compiled version of OpenLDAP 2.5.13: $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= Ubuntu: Description:Ubuntu 22.10 Release:22.10 OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2000817/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic
This bug was fixed in the package openldap - 2.5.14+dfsg-0ubuntu0.22.10.2 --- openldap (2.5.14+dfsg-0ubuntu0.22.10.2) kinetic; urgency=medium * Build the passwd/sha2 contrib module with -fno-strict-aliasing to avoid computing an incorrect SHA256 hash with some versions of the compiler (LP: #2000817): - d/t/{control,sha2-contrib}: test to verify the SHA256 hash produced by passwd/sha2 - d/rules: set -fno-strict-aliasing only when building the passwd/sha2 contrib module -- Andreas Hasenack Sun, 12 Mar 2023 14:09:05 -0300 ** Changed in: openldap (Ubuntu Kinetic) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/2000817 Title: Wrong SHA256-value computed on kinetic Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Jammy: Fix Released Status in openldap source package in Kinetic: Fix Released Status in openldap source package in Lunar: Fix Released Status in openldap package in Debian: Fix Released Bug description: [ Impact ] OpenLDAP deployments using the contrib pw-sha2 module are not able to authenticate their users because the SHA2 calculation is done incorrectly. Even though this is a contrib module, from an upstream PoV, it is shipped in the Ubuntu (and Debian) OpenLDAP packages, and available for use. Some fix possibilities were discussed in comment #5, and we selected the one with the least impact to OpenLDAP users at large, which is to recompile that module only without the strict-aliasing optimization. This update makes that change, and also includes a DEP8 change to verify it. We didn't use a patch for the pw-sha2 Makefile because d/rules overrides the OPT variable in the make command line (https://git.launchpad.net/~ahasenack/ubuntu/+source/openldap/tree/debian/rules?h=lunar- slapd-sha2-2000817#n44) [ Test Plan ] # Install slapd and openssl $ sudo apt install slapd openssl # Run the following script #!/bin/bash reference_hash="{SHA256}$(echo -n secret | openssl dgst -sha256 -binary | openssl enc -base64)" test_hash=$(slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2) echo "Reference hash of \"secret\" (openssl): ${reference_hash}" echo "slapd's pw-sha2 hash: ${test_hash}" if [ "${reference_hash}" != "${test_hash}" ]; then echo "ERROR: hashes differ" exit 1 else echo "PASS: hashes are identical" fi With the affected openldap package installed, the script should print an error. With the packages from proposed, the hashes should be identical. [ Where problems could occur ] The fix is a change of a compiler option strictly when building only the pw-sha2 module, so it's very localized. It could affect the performance of this module (for the worse), but it's already not working correctly. [ Other Info ] Not at this time. [Original Description] The OpenLDAP-contrib module sha2 (located in contrib/slapd- modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu kinetic. This breaks our current password-authentication in ldap. The problematic computation: $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= The (correct) reference-value on the same system (or older ubuntu Versions): $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= We nailed the problem down to a bug in the gcc-optimizer for strict- aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the reason. The workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". Then the correct value is computed. An example taken from a git-compiled version of OpenLDAP 2.5.13: $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= Ubuntu: Description:Ubuntu 22.10 Release:22.10 OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2000817/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic
Another migration-reference/0 attempt for kinetic[1] confirmed that the previous "success" was a fluke, and exim4 on plain kinetic is already failing[2]. That's bug #1983605 1. https://autopkgtest.ubuntu.com/packages/e/exim4/kinetic/ppc64el 2. https://autopkgtest.ubuntu.com/results/autopkgtest-kinetic/kinetic/ppc64el/e/exim4/20230403_151428_4e639@/log.gz -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/2000817 Title: Wrong SHA256-value computed on kinetic Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Jammy: Fix Committed Status in openldap source package in Kinetic: Fix Committed Status in openldap source package in Lunar: Fix Released Status in openldap package in Debian: Fix Released Bug description: [ Impact ] OpenLDAP deployments using the contrib pw-sha2 module are not able to authenticate their users because the SHA2 calculation is done incorrectly. Even though this is a contrib module, from an upstream PoV, it is shipped in the Ubuntu (and Debian) OpenLDAP packages, and available for use. Some fix possibilities were discussed in comment #5, and we selected the one with the least impact to OpenLDAP users at large, which is to recompile that module only without the strict-aliasing optimization. This update makes that change, and also includes a DEP8 change to verify it. We didn't use a patch for the pw-sha2 Makefile because d/rules overrides the OPT variable in the make command line (https://git.launchpad.net/~ahasenack/ubuntu/+source/openldap/tree/debian/rules?h=lunar- slapd-sha2-2000817#n44) [ Test Plan ] # Install slapd and openssl $ sudo apt install slapd openssl # Run the following script #!/bin/bash reference_hash="{SHA256}$(echo -n secret | openssl dgst -sha256 -binary | openssl enc -base64)" test_hash=$(slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2) echo "Reference hash of \"secret\" (openssl): ${reference_hash}" echo "slapd's pw-sha2 hash: ${test_hash}" if [ "${reference_hash}" != "${test_hash}" ]; then echo "ERROR: hashes differ" exit 1 else echo "PASS: hashes are identical" fi With the affected openldap package installed, the script should print an error. With the packages from proposed, the hashes should be identical. [ Where problems could occur ] The fix is a change of a compiler option strictly when building only the pw-sha2 module, so it's very localized. It could affect the performance of this module (for the worse), but it's already not working correctly. [ Other Info ] Not at this time. [Original Description] The OpenLDAP-contrib module sha2 (located in contrib/slapd- modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu kinetic. This breaks our current password-authentication in ldap. The problematic computation: $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= The (correct) reference-value on the same system (or older ubuntu Versions): $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= We nailed the problem down to a bug in the gcc-optimizer for strict- aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the reason. The workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". Then the correct value is computed. An example taken from a git-compiled version of OpenLDAP 2.5.13: $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= Ubuntu: Description:Ubuntu 22.10 Release:22.10 OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2000817/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic
Jammy verification Reproducing the problem with the release packages: $ cat > test.sh #!/bin/bash reference_hash="{SHA256}$(echo -n secret | openssl dgst -sha256 -binary | openssl enc -base64)" test_hash=$(slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2) echo "Reference hash of \"secret\" (openssl): ${reference_hash}" echo "slapd's pw-sha2 hash: ${test_hash}" if [ "${reference_hash}" != "${test_hash}" ]; then echo "ERROR: hashes differ" exit 1 else echo "PASS: hashes are identical" fi ^D # apt-cache policy slapd slapd: Installed: 2.5.14+dfsg-0ubuntu0.22.04.1 Candidate: 2.5.14+dfsg-0ubuntu0.22.04.1 Version table: *** 2.5.14+dfsg-0ubuntu0.22.04.1 500 500 http://br.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages 100 /var/lib/dpkg/status (...) root@j-slapd-sha2:~# ./test.sh Reference hash of "secret" (openssl): {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= slapd's pw-sha2 hash: {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= ERROR: hashes differ Installing slapd from proposed: root@j-slapd-sha2:~# apt-cache policy slapd slapd: Installed: 2.5.14+dfsg-0ubuntu0.22.04.2 Candidate: 2.5.14+dfsg-0ubuntu0.22.04.2 Version table: *** 2.5.14+dfsg-0ubuntu0.22.04.2 500 500 http://br.archive.ubuntu.com/ubuntu jammy-proposed/main amd64 Packages 100 /var/lib/dpkg/status Test now passes: root@j-slapd-sha2:~# ./test.sh Reference hash of "secret" (openssl): {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= slapd's pw-sha2 hash: {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= PASS: hashes are identical Jammy verification succeeded. ** Tags removed: verification-needed-jammy ** Tags added: verification-done-jammy -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/2000817 Title: Wrong SHA256-value computed on kinetic Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Jammy: Fix Committed Status in openldap source package in Kinetic: Fix Committed Status in openldap source package in Lunar: Fix Released Status in openldap package in Debian: Fix Released Bug description: [ Impact ] OpenLDAP deployments using the contrib pw-sha2 module are not able to authenticate their users because the SHA2 calculation is done incorrectly. Even though this is a contrib module, from an upstream PoV, it is shipped in the Ubuntu (and Debian) OpenLDAP packages, and available for use. Some fix possibilities were discussed in comment #5, and we selected the one with the least impact to OpenLDAP users at large, which is to recompile that module only without the strict-aliasing optimization. This update makes that change, and also includes a DEP8 change to verify it. We didn't use a patch for the pw-sha2 Makefile because d/rules overrides the OPT variable in the make command line (https://git.launchpad.net/~ahasenack/ubuntu/+source/openldap/tree/debian/rules?h=lunar- slapd-sha2-2000817#n44) [ Test Plan ] # Install slapd and openssl $ sudo apt install slapd openssl # Run the following script #!/bin/bash reference_hash="{SHA256}$(echo -n secret | openssl dgst -sha256 -binary | openssl enc -base64)" test_hash=$(slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2) echo "Reference hash of \"secret\" (openssl): ${reference_hash}" echo "slapd's pw-sha2 hash: ${test_hash}" if [ "${reference_hash}" != "${test_hash}" ]; then echo "ERROR: hashes differ" exit 1 else echo "PASS: hashes are identical" fi With the affected openldap package installed, the script should print an error. With the packages from proposed, the hashes should be identical. [ Where problems could occur ] The fix is a change of a compiler option strictly when building only the pw-sha2 module, so it's very localized. It could affect the performance of this module (for the worse), but it's already not working correctly. [ Other Info ] Not at this time. [Original Description] The OpenLDAP-contrib module sha2 (located in contrib/slapd- modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu kinetic. This breaks our current password-authentication in ldap. The problematic computation: $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= The (correct) reference-value on the same system (or older ubuntu Versions): $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= We nailed the problem down to a bug in the gcc-optimizer for strict- aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the reason. The workaround is to compile the sha2-Module with the
[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic
Hello Christian, or anyone else affected, Accepted openldap into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openldap/2.5.14+dfsg-0ubuntu0.22.04.2 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-jammy. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: openldap (Ubuntu Jammy) Status: In Progress => Fix Committed ** Tags added: verification-needed-jammy -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/2000817 Title: Wrong SHA256-value computed on kinetic Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Jammy: Fix Committed Status in openldap source package in Kinetic: Fix Committed Status in openldap source package in Lunar: Fix Released Status in openldap package in Debian: Fix Released Bug description: [ Impact ] OpenLDAP deployments using the contrib pw-sha2 module are not able to authenticate their users because the SHA2 calculation is done incorrectly. Even though this is a contrib module, from an upstream PoV, it is shipped in the Ubuntu (and Debian) OpenLDAP packages, and available for use. Some fix possibilities were discussed in comment #5, and we selected the one with the least impact to OpenLDAP users at large, which is to recompile that module only without the strict-aliasing optimization. This update makes that change, and also includes a DEP8 change to verify it. We didn't use a patch for the pw-sha2 Makefile because d/rules overrides the OPT variable in the make command line (https://git.launchpad.net/~ahasenack/ubuntu/+source/openldap/tree/debian/rules?h=lunar- slapd-sha2-2000817#n44) [ Test Plan ] # Install slapd and openssl $ sudo apt install slapd openssl # Run the following script #!/bin/bash reference_hash="{SHA256}$(echo -n secret | openssl dgst -sha256 -binary | openssl enc -base64)" test_hash=$(slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2) echo "Reference hash of \"secret\" (openssl): ${reference_hash}" echo "slapd's pw-sha2 hash: ${test_hash}" if [ "${reference_hash}" != "${test_hash}" ]; then echo "ERROR: hashes differ" exit 1 else echo "PASS: hashes are identical" fi With the affected openldap package installed, the script should print an error. With the packages from proposed, the hashes should be identical. [ Where problems could occur ] The fix is a change of a compiler option strictly when building only the pw-sha2 module, so it's very localized. It could affect the performance of this module (for the worse), but it's already not working correctly. [ Other Info ] Not at this time. [Original Description] The OpenLDAP-contrib module sha2 (located in contrib/slapd- modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu kinetic. This breaks our current password-authentication in ldap. The problematic computation: $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= The (correct) reference-value on the same system (or older ubuntu Versions): $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= We nailed the problem down to a bug in the gcc-optimizer for strict- aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the reason. The workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". Then the correct value is computed. An example taken from a git-compiled version of OpenLDAP 2.5.13: $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= Ubuntu:
[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic
https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1983605 is the exim4 bug. I would ask the SRU team to ignore the exim4 DEP8 errors on basis of that. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/2000817 Title: Wrong SHA256-value computed on kinetic Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Jammy: In Progress Status in openldap source package in Kinetic: Fix Committed Status in openldap source package in Lunar: Fix Released Status in openldap package in Debian: Fix Released Bug description: [ Impact ] OpenLDAP deployments using the contrib pw-sha2 module are not able to authenticate their users because the SHA2 calculation is done incorrectly. Even though this is a contrib module, from an upstream PoV, it is shipped in the Ubuntu (and Debian) OpenLDAP packages, and available for use. Some fix possibilities were discussed in comment #5, and we selected the one with the least impact to OpenLDAP users at large, which is to recompile that module only without the strict-aliasing optimization. This update makes that change, and also includes a DEP8 change to verify it. We didn't use a patch for the pw-sha2 Makefile because d/rules overrides the OPT variable in the make command line (https://git.launchpad.net/~ahasenack/ubuntu/+source/openldap/tree/debian/rules?h=lunar- slapd-sha2-2000817#n44) [ Test Plan ] # Install slapd and openssl $ sudo apt install slapd openssl # Run the following script #!/bin/bash reference_hash="{SHA256}$(echo -n secret | openssl dgst -sha256 -binary | openssl enc -base64)" test_hash=$(slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2) echo "Reference hash of \"secret\" (openssl): ${reference_hash}" echo "slapd's pw-sha2 hash: ${test_hash}" if [ "${reference_hash}" != "${test_hash}" ]; then echo "ERROR: hashes differ" exit 1 else echo "PASS: hashes are identical" fi With the affected openldap package installed, the script should print an error. With the packages from proposed, the hashes should be identical. [ Where problems could occur ] The fix is a change of a compiler option strictly when building only the pw-sha2 module, so it's very localized. It could affect the performance of this module (for the worse), but it's already not working correctly. [ Other Info ] Not at this time. [Original Description] The OpenLDAP-contrib module sha2 (located in contrib/slapd- modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu kinetic. This breaks our current password-authentication in ldap. The problematic computation: $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= The (correct) reference-value on the same system (or older ubuntu Versions): $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= We nailed the problem down to a bug in the gcc-optimizer for strict- aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the reason. The workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". Then the correct value is computed. An example taken from a git-compiled version of OpenLDAP 2.5.13: $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= Ubuntu: Description:Ubuntu 22.10 Release:22.10 OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2000817/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic
And also without the updated packages. It's a bit random. When exim4 is failing, it stays failing. Restart it, and it might or might not be in failing mode. Sometimes it works, and keeps working. It's not related to the openldap update. I think the migration-reference/0 run that succeeded was a fluke. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/2000817 Title: Wrong SHA256-value computed on kinetic Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Jammy: In Progress Status in openldap source package in Kinetic: Fix Committed Status in openldap source package in Lunar: Fix Released Status in openldap package in Debian: Fix Released Bug description: [ Impact ] OpenLDAP deployments using the contrib pw-sha2 module are not able to authenticate their users because the SHA2 calculation is done incorrectly. Even though this is a contrib module, from an upstream PoV, it is shipped in the Ubuntu (and Debian) OpenLDAP packages, and available for use. Some fix possibilities were discussed in comment #5, and we selected the one with the least impact to OpenLDAP users at large, which is to recompile that module only without the strict-aliasing optimization. This update makes that change, and also includes a DEP8 change to verify it. We didn't use a patch for the pw-sha2 Makefile because d/rules overrides the OPT variable in the make command line (https://git.launchpad.net/~ahasenack/ubuntu/+source/openldap/tree/debian/rules?h=lunar- slapd-sha2-2000817#n44) [ Test Plan ] # Install slapd and openssl $ sudo apt install slapd openssl # Run the following script #!/bin/bash reference_hash="{SHA256}$(echo -n secret | openssl dgst -sha256 -binary | openssl enc -base64)" test_hash=$(slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2) echo "Reference hash of \"secret\" (openssl): ${reference_hash}" echo "slapd's pw-sha2 hash: ${test_hash}" if [ "${reference_hash}" != "${test_hash}" ]; then echo "ERROR: hashes differ" exit 1 else echo "PASS: hashes are identical" fi With the affected openldap package installed, the script should print an error. With the packages from proposed, the hashes should be identical. [ Where problems could occur ] The fix is a change of a compiler option strictly when building only the pw-sha2 module, so it's very localized. It could affect the performance of this module (for the worse), but it's already not working correctly. [ Other Info ] Not at this time. [Original Description] The OpenLDAP-contrib module sha2 (located in contrib/slapd- modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu kinetic. This breaks our current password-authentication in ldap. The problematic computation: $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= The (correct) reference-value on the same system (or older ubuntu Versions): $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= We nailed the problem down to a bug in the gcc-optimizer for strict- aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the reason. The workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". Then the correct value is computed. An example taken from a git-compiled version of OpenLDAP 2.5.13: $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= Ubuntu: Description:Ubuntu 22.10 Release:22.10 OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2000817/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic
I'm able to reproduce the exim4 dep8 error on kinetic ppc64el with the updated libldap packages, investigating... -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/2000817 Title: Wrong SHA256-value computed on kinetic Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Jammy: In Progress Status in openldap source package in Kinetic: Fix Committed Status in openldap source package in Lunar: Fix Released Status in openldap package in Debian: Fix Released Bug description: [ Impact ] OpenLDAP deployments using the contrib pw-sha2 module are not able to authenticate their users because the SHA2 calculation is done incorrectly. Even though this is a contrib module, from an upstream PoV, it is shipped in the Ubuntu (and Debian) OpenLDAP packages, and available for use. Some fix possibilities were discussed in comment #5, and we selected the one with the least impact to OpenLDAP users at large, which is to recompile that module only without the strict-aliasing optimization. This update makes that change, and also includes a DEP8 change to verify it. We didn't use a patch for the pw-sha2 Makefile because d/rules overrides the OPT variable in the make command line (https://git.launchpad.net/~ahasenack/ubuntu/+source/openldap/tree/debian/rules?h=lunar- slapd-sha2-2000817#n44) [ Test Plan ] # Install slapd and openssl $ sudo apt install slapd openssl # Run the following script #!/bin/bash reference_hash="{SHA256}$(echo -n secret | openssl dgst -sha256 -binary | openssl enc -base64)" test_hash=$(slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2) echo "Reference hash of \"secret\" (openssl): ${reference_hash}" echo "slapd's pw-sha2 hash: ${test_hash}" if [ "${reference_hash}" != "${test_hash}" ]; then echo "ERROR: hashes differ" exit 1 else echo "PASS: hashes are identical" fi With the affected openldap package installed, the script should print an error. With the packages from proposed, the hashes should be identical. [ Where problems could occur ] The fix is a change of a compiler option strictly when building only the pw-sha2 module, so it's very localized. It could affect the performance of this module (for the worse), but it's already not working correctly. [ Other Info ] Not at this time. [Original Description] The OpenLDAP-contrib module sha2 (located in contrib/slapd- modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu kinetic. This breaks our current password-authentication in ldap. The problematic computation: $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= The (correct) reference-value on the same system (or older ubuntu Versions): $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= We nailed the problem down to a bug in the gcc-optimizer for strict- aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the reason. The workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". Then the correct value is computed. An example taken from a git-compiled version of OpenLDAP 2.5.13: $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= Ubuntu: Description:Ubuntu 22.10 Release:22.10 OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2000817/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic
** Changed in: openldap (Debian) Status: Unknown => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/2000817 Title: Wrong SHA256-value computed on kinetic Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Jammy: In Progress Status in openldap source package in Kinetic: Fix Committed Status in openldap source package in Lunar: Fix Released Status in openldap package in Debian: Fix Released Bug description: [ Impact ] OpenLDAP deployments using the contrib pw-sha2 module are not able to authenticate their users because the SHA2 calculation is done incorrectly. Even though this is a contrib module, from an upstream PoV, it is shipped in the Ubuntu (and Debian) OpenLDAP packages, and available for use. Some fix possibilities were discussed in comment #5, and we selected the one with the least impact to OpenLDAP users at large, which is to recompile that module only without the strict-aliasing optimization. This update makes that change, and also includes a DEP8 change to verify it. We didn't use a patch for the pw-sha2 Makefile because d/rules overrides the OPT variable in the make command line (https://git.launchpad.net/~ahasenack/ubuntu/+source/openldap/tree/debian/rules?h=lunar- slapd-sha2-2000817#n44) [ Test Plan ] # Install slapd and openssl $ sudo apt install slapd openssl # Run the following script #!/bin/bash reference_hash="{SHA256}$(echo -n secret | openssl dgst -sha256 -binary | openssl enc -base64)" test_hash=$(slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2) echo "Reference hash of \"secret\" (openssl): ${reference_hash}" echo "slapd's pw-sha2 hash: ${test_hash}" if [ "${reference_hash}" != "${test_hash}" ]; then echo "ERROR: hashes differ" exit 1 else echo "PASS: hashes are identical" fi With the affected openldap package installed, the script should print an error. With the packages from proposed, the hashes should be identical. [ Where problems could occur ] The fix is a change of a compiler option strictly when building only the pw-sha2 module, so it's very localized. It could affect the performance of this module (for the worse), but it's already not working correctly. [ Other Info ] Not at this time. [Original Description] The OpenLDAP-contrib module sha2 (located in contrib/slapd- modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu kinetic. This breaks our current password-authentication in ldap. The problematic computation: $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= The (correct) reference-value on the same system (or older ubuntu Versions): $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= We nailed the problem down to a bug in the gcc-optimizer for strict- aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the reason. The workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". Then the correct value is computed. An example taken from a git-compiled version of OpenLDAP 2.5.13: $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= Ubuntu: Description:Ubuntu 22.10 Release:22.10 OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2000817/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic
I'm checking the exim4 dep8 failures in kinetic. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/2000817 Title: Wrong SHA256-value computed on kinetic Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Jammy: In Progress Status in openldap source package in Kinetic: Fix Committed Status in openldap source package in Lunar: Fix Released Status in openldap package in Debian: Unknown Bug description: [ Impact ] OpenLDAP deployments using the contrib pw-sha2 module are not able to authenticate their users because the SHA2 calculation is done incorrectly. Even though this is a contrib module, from an upstream PoV, it is shipped in the Ubuntu (and Debian) OpenLDAP packages, and available for use. Some fix possibilities were discussed in comment #5, and we selected the one with the least impact to OpenLDAP users at large, which is to recompile that module only without the strict-aliasing optimization. This update makes that change, and also includes a DEP8 change to verify it. We didn't use a patch for the pw-sha2 Makefile because d/rules overrides the OPT variable in the make command line (https://git.launchpad.net/~ahasenack/ubuntu/+source/openldap/tree/debian/rules?h=lunar- slapd-sha2-2000817#n44) [ Test Plan ] # Install slapd and openssl $ sudo apt install slapd openssl # Run the following script #!/bin/bash reference_hash="{SHA256}$(echo -n secret | openssl dgst -sha256 -binary | openssl enc -base64)" test_hash=$(slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2) echo "Reference hash of \"secret\" (openssl): ${reference_hash}" echo "slapd's pw-sha2 hash: ${test_hash}" if [ "${reference_hash}" != "${test_hash}" ]; then echo "ERROR: hashes differ" exit 1 else echo "PASS: hashes are identical" fi With the affected openldap package installed, the script should print an error. With the packages from proposed, the hashes should be identical. [ Where problems could occur ] The fix is a change of a compiler option strictly when building only the pw-sha2 module, so it's very localized. It could affect the performance of this module (for the worse), but it's already not working correctly. [ Other Info ] Not at this time. [Original Description] The OpenLDAP-contrib module sha2 (located in contrib/slapd- modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu kinetic. This breaks our current password-authentication in ldap. The problematic computation: $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= The (correct) reference-value on the same system (or older ubuntu Versions): $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= We nailed the problem down to a bug in the gcc-optimizer for strict- aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the reason. The workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". Then the correct value is computed. An example taken from a git-compiled version of OpenLDAP 2.5.13: $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= Ubuntu: Description:Ubuntu 22.10 Release:22.10 OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2000817/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic
Kinetic verification Confirming the problem with the unfixed slapd package: $ apt-cache policy slapd slapd: Installed: 2.5.14+dfsg-0ubuntu0.22.10.1 Candidate: 2.5.14+dfsg-0ubuntu0.22.10.1 Version table: *** 2.5.14+dfsg-0ubuntu0.22.10.1 500 500 http://br.archive.ubuntu.com/ubuntu kinetic-updates/main amd64 Packages 100 /var/lib/dpkg/status 2.5.13+dfsg-1ubuntu1 500 500 http://br.archive.ubuntu.com/ubuntu kinetic/main amd64 Packages $ ./test.sh Reference hash of "secret" (openssl): {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= slapd's pw-sha2 hash: {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= ERROR: hashes differ Updating to proposed: $ apt-cache policy slapd slapd: Installed: 2.5.14+dfsg-0ubuntu0.22.10.2 Candidate: 2.5.14+dfsg-0ubuntu0.22.10.2 Version table: *** 2.5.14+dfsg-0ubuntu0.22.10.2 500 500 http://br.archive.ubuntu.com/ubuntu kinetic-proposed/main amd64 Packages 100 /var/lib/dpkg/status 2.5.14+dfsg-0ubuntu0.22.10.1 500 500 http://br.archive.ubuntu.com/ubuntu kinetic-updates/main amd64 Packages 2.5.13+dfsg-1ubuntu1 500 500 http://br.archive.ubuntu.com/ubuntu kinetic/main amd64 Packages Problem fixed: $ ./test.sh Reference hash of "secret" (openssl): {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= slapd's pw-sha2 hash: {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= PASS: hashes are identical Kinetic verification succeeded. ** Tags removed: verification-needed-kinetic ** Tags added: verification-done-kinetic -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/2000817 Title: Wrong SHA256-value computed on kinetic Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Jammy: In Progress Status in openldap source package in Kinetic: Fix Committed Status in openldap source package in Lunar: Fix Released Status in openldap package in Debian: Unknown Bug description: [ Impact ] OpenLDAP deployments using the contrib pw-sha2 module are not able to authenticate their users because the SHA2 calculation is done incorrectly. Even though this is a contrib module, from an upstream PoV, it is shipped in the Ubuntu (and Debian) OpenLDAP packages, and available for use. Some fix possibilities were discussed in comment #5, and we selected the one with the least impact to OpenLDAP users at large, which is to recompile that module only without the strict-aliasing optimization. This update makes that change, and also includes a DEP8 change to verify it. We didn't use a patch for the pw-sha2 Makefile because d/rules overrides the OPT variable in the make command line (https://git.launchpad.net/~ahasenack/ubuntu/+source/openldap/tree/debian/rules?h=lunar- slapd-sha2-2000817#n44) [ Test Plan ] # Install slapd and openssl $ sudo apt install slapd openssl # Run the following script #!/bin/bash reference_hash="{SHA256}$(echo -n secret | openssl dgst -sha256 -binary | openssl enc -base64)" test_hash=$(slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2) echo "Reference hash of \"secret\" (openssl): ${reference_hash}" echo "slapd's pw-sha2 hash: ${test_hash}" if [ "${reference_hash}" != "${test_hash}" ]; then echo "ERROR: hashes differ" exit 1 else echo "PASS: hashes are identical" fi With the affected openldap package installed, the script should print an error. With the packages from proposed, the hashes should be identical. [ Where problems could occur ] The fix is a change of a compiler option strictly when building only the pw-sha2 module, so it's very localized. It could affect the performance of this module (for the worse), but it's already not working correctly. [ Other Info ] Not at this time. [Original Description] The OpenLDAP-contrib module sha2 (located in contrib/slapd- modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu kinetic. This breaks our current password-authentication in ldap. The problematic computation: $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= The (correct) reference-value on the same system (or older ubuntu Versions): $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= We nailed the problem down to a bug in the gcc-optimizer for strict- aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the reason. The workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". Then the correct value is computed. An example taken from a git-compiled version of OpenLDAP 2.5.13: $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o
[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic
Hello Christian, or anyone else affected, Accepted openldap into kinetic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openldap/2.5.14+dfsg-0ubuntu0.22.10.2 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- kinetic to verification-done-kinetic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-kinetic. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: openldap (Ubuntu Kinetic) Status: In Progress => Fix Committed ** Tags added: verification-needed verification-needed-kinetic -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/2000817 Title: Wrong SHA256-value computed on kinetic Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Jammy: In Progress Status in openldap source package in Kinetic: Fix Committed Status in openldap source package in Lunar: Fix Released Status in openldap package in Debian: Unknown Bug description: [ Impact ] OpenLDAP deployments using the contrib pw-sha2 module are not able to authenticate their users because the SHA2 calculation is done incorrectly. Even though this is a contrib module, from an upstream PoV, it is shipped in the Ubuntu (and Debian) OpenLDAP packages, and available for use. Some fix possibilities were discussed in comment #5, and we selected the one with the least impact to OpenLDAP users at large, which is to recompile that module only without the strict-aliasing optimization. This update makes that change, and also includes a DEP8 change to verify it. We didn't use a patch for the pw-sha2 Makefile because d/rules overrides the OPT variable in the make command line (https://git.launchpad.net/~ahasenack/ubuntu/+source/openldap/tree/debian/rules?h=lunar- slapd-sha2-2000817#n44) [ Test Plan ] # Install slapd and openssl $ sudo apt install slapd openssl # Run the following script #!/bin/bash reference_hash="{SHA256}$(echo -n secret | openssl dgst -sha256 -binary | openssl enc -base64)" test_hash=$(slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2) echo "Reference hash of \"secret\" (openssl): ${reference_hash}" echo "slapd's pw-sha2 hash: ${test_hash}" if [ "${reference_hash}" != "${test_hash}" ]; then echo "ERROR: hashes differ" exit 1 else echo "PASS: hashes are identical" fi With the affected openldap package installed, the script should print an error. With the packages from proposed, the hashes should be identical. [ Where problems could occur ] The fix is a change of a compiler option strictly when building only the pw-sha2 module, so it's very localized. It could affect the performance of this module (for the worse), but it's already not working correctly. [ Other Info ] Not at this time. [Original Description] The OpenLDAP-contrib module sha2 (located in contrib/slapd- modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu kinetic. This breaks our current password-authentication in ldap. The problematic computation: $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= The (correct) reference-value on the same system (or older ubuntu Versions): $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= We nailed the problem down to a bug in the gcc-optimizer for strict- aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the reason. The workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". Then the correct value is computed. An example taken from a git-compiled version of OpenLDAP 2.5.13: $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic
** Merge proposal linked: https://code.launchpad.net/~ahasenack/ubuntu/+source/openldap/+git/openldap/+merge/438725 ** Merge proposal linked: https://code.launchpad.net/~ahasenack/ubuntu/+source/openldap/+git/openldap/+merge/438726 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/2000817 Title: Wrong SHA256-value computed on kinetic Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Jammy: In Progress Status in openldap source package in Kinetic: In Progress Status in openldap source package in Lunar: Fix Released Status in openldap package in Debian: Unknown Bug description: [ Impact ] OpenLDAP deployments using the contrib pw-sha2 module are not able to authenticate their users because the SHA2 calculation is done incorrectly. Even though this is a contrib module, from an upstream PoV, it is shipped in the Ubuntu (and Debian) OpenLDAP packages, and available for use. Some fix possibilities were discussed in comment #5, and we selected the one with the least impact to OpenLDAP users at large, which is to recompile that module only without the strict-aliasing optimization. This update makes that change, and also includes a DEP8 change to verify it. We didn't use a patch for the pw-sha2 Makefile because d/rules overrides the OPT variable in the make command line (https://git.launchpad.net/~ahasenack/ubuntu/+source/openldap/tree/debian/rules?h=lunar- slapd-sha2-2000817#n44) [ Test Plan ] # Install slapd and openssl $ sudo apt install slapd openssl # Run the following script #!/bin/bash reference_hash="{SHA256}$(echo -n secret | openssl dgst -sha256 -binary | openssl enc -base64)" test_hash=$(slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2) echo "Reference hash of \"secret\" (openssl): ${reference_hash}" echo "slapd's pw-sha2 hash: ${test_hash}" if [ "${reference_hash}" != "${test_hash}" ]; then echo "ERROR: hashes differ" exit 1 else echo "PASS: hashes are identical" fi With the affected openldap package installed, the script should print an error. With the packages from proposed, the hashes should be identical. [ Where problems could occur ] The fix is a change of a compiler option strictly when building only the pw-sha2 module, so it's very localized. It could affect the performance of this module (for the worse), but it's already not working correctly. [ Other Info ] Not at this time. [Original Description] The OpenLDAP-contrib module sha2 (located in contrib/slapd- modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu kinetic. This breaks our current password-authentication in ldap. The problematic computation: $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= The (correct) reference-value on the same system (or older ubuntu Versions): $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= We nailed the problem down to a bug in the gcc-optimizer for strict- aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the reason. The workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". Then the correct value is computed. An example taken from a git-compiled version of OpenLDAP 2.5.13: $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= Ubuntu: Description:Ubuntu 22.10 Release:22.10 OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2000817/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic
** Description changed: [ Impact ] - * An explanation of the effects of the bug on users and + OpenLDAP deployments using the contrib pw-sha2 module are not able to + authenticate their users because the SHA2 calculation is done + incorrectly. - * justification for backporting the fix to the stable release. + Even though this is a contrib module, from an upstream PoV, it is + shipped in the Ubuntu (and Debian) OpenLDAP packages, and available for + use. - * In addition, it is helpful, but not required, to include an -explanation of how the upload fixes this bug. + Some fix possibilities were discussed in comment #5, and we selected the + one with the least impact to OpenLDAP users at large, which is to + recompile that module only without the strict-aliasing optimization. + + This update makes that change, and also includes a DEP8 change to verify + it. + + We didn't use a patch for the pw-sha2 Makefile because d/rules overrides + the OPT variable in the make command line + (https://git.launchpad.net/~ahasenack/ubuntu/+source/openldap/tree/debian/rules?h=lunar- + slapd-sha2-2000817#n44) + [ Test Plan ] - * detailed instructions how to reproduce the bug + # Install slapd and openssl + $ sudo apt install slapd openssl - * these should allow someone who is not familiar with the affected -package to reproduce the bug and verify that the updated package fixes -the problem. + # Run the following script - * if other testing is appropriate to perform before landing this update, -this should also be described here. + #!/bin/bash + + reference_hash="{SHA256}$(echo -n secret | openssl dgst -sha256 -binary | openssl enc -base64)" + test_hash=$(slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2) + + echo "Reference hash of \"secret\" (openssl): ${reference_hash}" + echo "slapd's pw-sha2 hash: ${test_hash}" + + if [ "${reference_hash}" != "${test_hash}" ]; then + echo "ERROR: hashes differ" + exit 1 + else + echo "PASS: hashes are identical" + fi + + + With the affected openldap package installed, the script should print an error. With the packages from proposed, the hashes should be identical. + [ Where problems could occur ] - * Think about what the upload changes in the software. Imagine the change is -wrong or breaks something else: how would this show up? - - * It is assumed that any SRU candidate patch is well-tested before -upload and has a low overall risk of regression, but it's important -to make the effort to think about what ''could'' happen in the -event of a regression. - - * This must '''never''' be "None" or "Low", or entirely an argument as to why -your upload is low risk. - - * This both shows the SRU team that the risks have been considered, -and provides guidance to testers in regression-testing the SRU. + The fix is a change of a compiler option strictly when building only the + pw-sha2 module, so it's very localized. It could affect the performance + of this module (for the worse), but it's already not working correctly. [ Other Info ] - - * Anything else you think is useful to include - * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board - * and address these questions in advance + Not at this time. [Original Description] The OpenLDAP-contrib module sha2 (located in contrib/slapd- modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu kinetic. This breaks our current password-authentication in ldap. The problematic computation: $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= The (correct) reference-value on the same system (or older ubuntu Versions): $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= We nailed the problem down to a bug in the gcc-optimizer for strict- aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the reason. The workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". Then the correct value is computed. An example taken from a git-compiled version of OpenLDAP 2.5.13: $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= Ubuntu: Description:Ubuntu 22.10 Release:22.10 OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1 ** Description changed: [ Impact ] OpenLDAP deployments using the contrib pw-sha2 module are not able to authenticate their users because the SHA2 calculation is done incorrectly. Even though this is a contrib module, from an upstream PoV, it is shipped in the Ubuntu (and Debian) OpenLDAP packages, and available for use.
[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic
** Description changed: + [ Impact ] + + * An explanation of the effects of the bug on users and + + * justification for backporting the fix to the stable release. + + * In addition, it is helpful, but not required, to include an +explanation of how the upload fixes this bug. + + [ Test Plan ] + + * detailed instructions how to reproduce the bug + + * these should allow someone who is not familiar with the affected +package to reproduce the bug and verify that the updated package fixes +the problem. + + * if other testing is appropriate to perform before landing this update, +this should also be described here. + + [ Where problems could occur ] + + * Think about what the upload changes in the software. Imagine the change is +wrong or breaks something else: how would this show up? + + * It is assumed that any SRU candidate patch is well-tested before +upload and has a low overall risk of regression, but it's important +to make the effort to think about what ''could'' happen in the +event of a regression. + + * This must '''never''' be "None" or "Low", or entirely an argument as to why +your upload is low risk. + + * This both shows the SRU team that the risks have been considered, +and provides guidance to testers in regression-testing the SRU. + + [ Other Info ] + + * Anything else you think is useful to include + * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board + * and address these questions in advance + + [Original Description] + The OpenLDAP-contrib module sha2 (located in contrib/slapd- modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu kinetic. This breaks our current password-authentication in ldap. - The problematic computation: - $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 - {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= + $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 + {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= The (correct) reference-value on the same system (or older ubuntu Versions): - $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 - K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= + $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 + K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= + We nailed the problem down to a bug in the gcc-optimizer for strict- + aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the + reason. The workaround is to compile the sha2-Module with the flag + "-fno-strict-aliasing". Then the correct value is computed. An example + taken from a git-compiled version of OpenLDAP 2.5.13: - We nailed the problem down to a bug in the gcc-optimizer for strict-aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the reason. The workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". Then the correct value is computed. An example taken from a git-compiled version of OpenLDAP 2.5.13: - - $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs - {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= - - + $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs + {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= Ubuntu: - Description:Ubuntu 22.10 - Release:22.10 + Description:Ubuntu 22.10 + Release:22.10 - OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1 + OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/2000817 Title: Wrong SHA256-value computed on kinetic Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Jammy: In Progress Status in openldap source package in Kinetic: In Progress Status in openldap source package in Lunar: Fix Released Status in openldap package in Debian: Unknown Bug description: [ Impact ] * An explanation of the effects of the bug on users and * justification for backporting the fix to the stable release. * In addition, it is helpful, but not required, to include an explanation of how the upload fixes this bug. [ Test Plan ] * detailed instructions how to reproduce the bug * these should allow someone who is not familiar with the affected package to reproduce the bug and verify that the updated package fixes the problem. * if other testing is appropriate to perform before landing this update, this should also be described here. [ Where problems could occur ] * Think about what the upload changes in the software. Imagine the
[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic
This bug was fixed in the package openldap - 2.6.3+dfsg-1~exp1ubuntu2 --- openldap (2.6.3+dfsg-1~exp1ubuntu2) lunar; urgency=medium * Build the passwd/sha2 contrib module with -fno-strict-aliasing to avoid computing an incorrect SHA256 hash with some versions of the compiler (LP: #2000817): - d/t/{control,sha2-contrib}: test to verify the SHA256 hash produced by passwd/sha2 - d/rules: set -fno-strict-aliasing only when building the passwd/sha2 contrib module * d/t/smbk5pwd: Allow the openldap user to read the Heimdal master key in the smbk5pwd DEP8 test (LP: #2004560) -- Andreas Hasenack Fri, 03 Feb 2023 09:33:14 -0300 ** Changed in: openldap (Ubuntu Lunar) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/2000817 Title: Wrong SHA256-value computed on kinetic Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Jammy: In Progress Status in openldap source package in Kinetic: In Progress Status in openldap source package in Lunar: Fix Released Status in openldap package in Debian: Unknown Bug description: The OpenLDAP-contrib module sha2 (located in contrib/slapd- modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu kinetic. This breaks our current password-authentication in ldap. The problematic computation: $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= The (correct) reference-value on the same system (or older ubuntu Versions): $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= We nailed the problem down to a bug in the gcc-optimizer for strict-aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the reason. The workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". Then the correct value is computed. An example taken from a git-compiled version of OpenLDAP 2.5.13: $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= Ubuntu: Description:Ubuntu 22.10 Release:22.10 OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2000817/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic
** Changed in: openldap (Ubuntu Jammy) Status: New => In Progress ** Changed in: openldap (Ubuntu Kinetic) Status: New => In Progress ** Changed in: openldap (Ubuntu Jammy) Assignee: (unassigned) => Andreas Hasenack (ahasenack) ** Changed in: openldap (Ubuntu Kinetic) Assignee: (unassigned) => Andreas Hasenack (ahasenack) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/2000817 Title: Wrong SHA256-value computed on kinetic Status in openldap package in Ubuntu: In Progress Status in openldap source package in Jammy: In Progress Status in openldap source package in Kinetic: In Progress Status in openldap source package in Lunar: In Progress Status in openldap package in Debian: Unknown Bug description: The OpenLDAP-contrib module sha2 (located in contrib/slapd- modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu kinetic. This breaks our current password-authentication in ldap. The problematic computation: $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= The (correct) reference-value on the same system (or older ubuntu Versions): $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= We nailed the problem down to a bug in the gcc-optimizer for strict-aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the reason. The workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". Then the correct value is computed. An example taken from a git-compiled version of OpenLDAP 2.5.13: $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= Ubuntu: Description:Ubuntu 22.10 Release:22.10 OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2000817/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic
** Bug watch added: Debian Bug tracker #1030716 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030716 ** Also affects: openldap (Debian) via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030716 Importance: Unknown Status: Unknown ** Also affects: openldap (Ubuntu Kinetic) Importance: Undecided Status: New ** Also affects: openldap (Ubuntu Jammy) Importance: Undecided Status: New ** Also affects: openldap (Ubuntu Lunar) Importance: Undecided Assignee: Andreas Hasenack (ahasenack) Status: In Progress -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/2000817 Title: Wrong SHA256-value computed on kinetic Status in openldap package in Ubuntu: In Progress Status in openldap source package in Jammy: New Status in openldap source package in Kinetic: New Status in openldap source package in Lunar: In Progress Status in openldap package in Debian: Unknown Bug description: The OpenLDAP-contrib module sha2 (located in contrib/slapd- modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu kinetic. This breaks our current password-authentication in ldap. The problematic computation: $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= The (correct) reference-value on the same system (or older ubuntu Versions): $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= We nailed the problem down to a bug in the gcc-optimizer for strict-aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the reason. The workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". Then the correct value is computed. An example taken from a git-compiled version of OpenLDAP 2.5.13: $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= Ubuntu: Description:Ubuntu 22.10 Release:22.10 OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2000817/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic
** Changed in: openldap (Ubuntu) Status: Triaged => In Progress -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/2000817 Title: Wrong SHA256-value computed on kinetic Status in openldap package in Ubuntu: In Progress Bug description: The OpenLDAP-contrib module sha2 (located in contrib/slapd- modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu kinetic. This breaks our current password-authentication in ldap. The problematic computation: $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= The (correct) reference-value on the same system (or older ubuntu Versions): $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= We nailed the problem down to a bug in the gcc-optimizer for strict-aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the reason. The workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". Then the correct value is computed. An example taken from a git-compiled version of OpenLDAP 2.5.13: $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= Ubuntu: Description:Ubuntu 22.10 Release:22.10 OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2000817/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic
** Merge proposal linked: https://code.launchpad.net/~ahasenack/ubuntu/+source/openldap/+git/openldap/+merge/436723 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/2000817 Title: Wrong SHA256-value computed on kinetic Status in openldap package in Ubuntu: Triaged Bug description: The OpenLDAP-contrib module sha2 (located in contrib/slapd- modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu kinetic. This breaks our current password-authentication in ldap. The problematic computation: $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= The (correct) reference-value on the same system (or older ubuntu Versions): $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= We nailed the problem down to a bug in the gcc-optimizer for strict-aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the reason. The workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". Then the correct value is computed. An example taken from a git-compiled version of OpenLDAP 2.5.13: $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= Ubuntu: Description:Ubuntu 22.10 Release:22.10 OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2000817/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic
Writing down some options from a quick handover discussion I had with Sergio, in no particular order: - rebuild openldap with the attached patch, disabling strict aliasing just for that module - check if LTO is having an effect on this: maybe disabling LTO also fixes it, and there is precedence for such a change in an SRU - maybe the module code can be changed to not trigger this bug - future-land: make the module use gnutls for such functions -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/2000817 Title: Wrong SHA256-value computed on kinetic Status in openldap package in Ubuntu: Triaged Bug description: The OpenLDAP-contrib module sha2 (located in contrib/slapd- modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu kinetic. This breaks our current password-authentication in ldap. The problematic computation: $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= The (correct) reference-value on the same system (or older ubuntu Versions): $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= We nailed the problem down to a bug in the gcc-optimizer for strict-aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the reason. The workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". Then the correct value is computed. An example taken from a git-compiled version of OpenLDAP 2.5.13: $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= Ubuntu: Description:Ubuntu 22.10 Release:22.10 OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2000817/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic
** Changed in: openldap (Ubuntu) Assignee: Sergio Durigan Junior (sergiodj) => Andreas Hasenack (ahasenack) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/2000817 Title: Wrong SHA256-value computed on kinetic Status in openldap package in Ubuntu: Triaged Bug description: The OpenLDAP-contrib module sha2 (located in contrib/slapd- modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu kinetic. This breaks our current password-authentication in ldap. The problematic computation: $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= The (correct) reference-value on the same system (or older ubuntu Versions): $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= We nailed the problem down to a bug in the gcc-optimizer for strict-aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the reason. The workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". Then the correct value is computed. An example taken from a git-compiled version of OpenLDAP 2.5.13: $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= Ubuntu: Description:Ubuntu 22.10 Release:22.10 OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2000817/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic
** Changed in: openldap (Ubuntu) Assignee: (unassigned) => Sergio Durigan Junior (sergiodj) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/2000817 Title: Wrong SHA256-value computed on kinetic Status in openldap package in Ubuntu: Triaged Bug description: The OpenLDAP-contrib module sha2 (located in contrib/slapd- modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu kinetic. This breaks our current password-authentication in ldap. The problematic computation: $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= The (correct) reference-value on the same system (or older ubuntu Versions): $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= We nailed the problem down to a bug in the gcc-optimizer for strict-aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the reason. The workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". Then the correct value is computed. An example taken from a git-compiled version of OpenLDAP 2.5.13: $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= Ubuntu: Description:Ubuntu 22.10 Release:22.10 OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2000817/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic
** Tags removed: server-next ** Tags added: server-todo -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/2000817 Title: Wrong SHA256-value computed on kinetic Status in openldap package in Ubuntu: Triaged Bug description: The OpenLDAP-contrib module sha2 (located in contrib/slapd- modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu kinetic. This breaks our current password-authentication in ldap. The problematic computation: $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= The (correct) reference-value on the same system (or older ubuntu Versions): $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= We nailed the problem down to a bug in the gcc-optimizer for strict-aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the reason. The workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". Then the correct value is computed. An example taken from a git-compiled version of OpenLDAP 2.5.13: $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= Ubuntu: Description:Ubuntu 22.10 Release:22.10 OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2000817/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic
** Tags added: server-next -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/2000817 Title: Wrong SHA256-value computed on kinetic Status in openldap package in Ubuntu: Triaged Bug description: The OpenLDAP-contrib module sha2 (located in contrib/slapd- modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu kinetic. This breaks our current password-authentication in ldap. The problematic computation: $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= The (correct) reference-value on the same system (or older ubuntu Versions): $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= We nailed the problem down to a bug in the gcc-optimizer for strict-aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the reason. The workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". Then the correct value is computed. An example taken from a git-compiled version of OpenLDAP 2.5.13: $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= Ubuntu: Description:Ubuntu 22.10 Release:22.10 OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2000817/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic
lunar, kinetic, and jammy all return the first result, while focal provides the second: triage-lunar+23.04: ~$ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= triage-lunar+23.04: ~$ slapd -VV @(#) $OpenLDAP: slapd 2.6.3+dfsg-1~exp1ubuntu1 (Nov 18 2022 21:07:45) $ triage-kinetic+22.10: ~$ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= triage-kinetic+22.10: ~$ slapd -VV @(#) $OpenLDAP: slapd 2.5.13+dfsg-1ubuntu1 (Sep 20 2022 19:30:47) $ triage-jammy+22.04: ~$ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= triage-jammy+22.04: ~$ slapd -VV @(#) $OpenLDAP: slapd 2.5.13+dfsg-0ubuntu0.22.04.1 (Aug 5 2022 14:51:52) $ triage-focal+20.04: ~$ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= triage-focal+20.04: ~$ slapd -VV @(#) $OpenLDAP: slapd (Ubuntu) (May 12 2022 13:11:05) $ triage-focal+20.04: ~$ apt-cache policy slapd slapd: Installed: 2.4.49+dfsg-2ubuntu1.9 On all releases, the openssl dgst call produces the same result, K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= Here's two other references mentioning the same problem, and same suggested workaround: * https://www.mail-archive.com/search?l=openldap-techni...@openldap.org=subject:%22%22=newest=1 * https://stackoverflow.com/questions/74928752/slappasswd-generating-a-strange-password-hash-sha256-only I don't know whether there might be side effects from adding "-fno- strict-aliasing". However, the patch's compilation modifications looks like it'll affect the performance of only just the sha2 module, so for SRU policy this seems a narrow enough fix. Since this is described in the first link as a contrib module, that may explain why this issue hasn't come to light earlier. ** Changed in: openldap (Ubuntu) Status: Confirmed => Triaged -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/2000817 Title: Wrong SHA256-value computed on kinetic Status in openldap package in Ubuntu: Triaged Bug description: The OpenLDAP-contrib module sha2 (located in contrib/slapd- modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu kinetic. This breaks our current password-authentication in ldap. The problematic computation: $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= The (correct) reference-value on the same system (or older ubuntu Versions): $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= We nailed the problem down to a bug in the gcc-optimizer for strict-aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the reason. The workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". Then the correct value is computed. An example taken from a git-compiled version of OpenLDAP 2.5.13: $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= Ubuntu: Description:Ubuntu 22.10 Release:22.10 OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2000817/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic
The attachment "openldap-contrib-sha2.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team. [This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.] ** Tags added: patch -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/2000817 Title: Wrong SHA256-value computed on kinetic Status in openldap package in Ubuntu: Confirmed Bug description: The OpenLDAP-contrib module sha2 (located in contrib/slapd- modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu kinetic. This breaks our current password-authentication in ldap. The problematic computation: $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= The (correct) reference-value on the same system (or older ubuntu Versions): $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= We nailed the problem down to a bug in the gcc-optimizer for strict-aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the reason. The workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". Then the correct value is computed. An example taken from a git-compiled version of OpenLDAP 2.5.13: $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= Ubuntu: Description:Ubuntu 22.10 Release:22.10 OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2000817/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2000817] Re: Wrong SHA256-value computed on kinetic
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: openldap (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/2000817 Title: Wrong SHA256-value computed on kinetic Status in openldap package in Ubuntu: Confirmed Bug description: The OpenLDAP-contrib module sha2 (located in contrib/slapd- modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu kinetic. This breaks our current password-authentication in ldap. The problematic computation: $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= The (correct) reference-value on the same system (or older ubuntu Versions): $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= We nailed the problem down to a bug in the gcc-optimizer for strict-aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the reason. The workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". Then the correct value is computed. An example taken from a git-compiled version of OpenLDAP 2.5.13: $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= Ubuntu: Description:Ubuntu 22.10 Release:22.10 OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2000817/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp