Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
by fumiyas@osstech.co.jp
At Thu, 31 May 2012 08:43:30 +0200,
Michael Ströder wrote:
> I'm trying to build this module (make distclean before) from recent RE24 git
> 0cfc487a70f2de40d9827b67949569653ee0e28a but it fails:
>
> $ make
> cc -I../../../../include -Wall -g -c slapd-sha2.c
> cc -I../../../../include -Wall -g -c sha2.c
> cc -I../../../../include -shared -Wall -g slapd-sha2.o sha2.o -o slapd-sha2.so
> /usr/lib64/gcc/x86_64-suse-linux/4.5/../../../../x86_64-suse-linux/bin/ld:
> slapd-sha2.o: relocation R_X86_64_32 against `.text' can not be used when
> making a shared object; recompile with -fPIC
See the above message. :-)
> slapd-sha2.o: could not read symbols: Bad value
> collect2: ld returned 1 exit status
> make: *** [slapd-sha2.so] Error 1
>
> Do I have to tweak the Makefile?
Add -fPIC to $CCFLAGS in Makefile if you are using GCC.
--
-- Name: SATOH Fumiyasu (fumiyas @ osstech co jp)
-- Business Home: http://www.OSSTech.co.jp/
-- GitHub Home: https://GitHub.com/fumiyas/
Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
by michael@stroeder.com
I'm trying to build this module (make distclean before) from recent RE24 git
0cfc487a70f2de40d9827b67949569653ee0e28a but it fails:
$ make
cc -I../../../../include -Wall -g -c slapd-sha2.c
cc -I../../../../include -Wall -g -c sha2.c
cc -I../../../../include -shared -Wall -g slapd-sha2.o sha2.o -o slapd-sha2.so
/usr/lib64/gcc/x86_64-suse-linux/4.5/../../../../x86_64-suse-linux/bin/ld:
slapd-sha2.o: relocation R_X86_64_32 against `.text' can not be used when
making a shared object; recompile with -fPIC
slapd-sha2.o: could not read symbols: Bad value
collect2: ld returned 1 exit status
make: *** [slapd-sha2.so] Error 1
Do I have to tweak the Makefile?
Ciao, Michael.
Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
by Kurt@OpenLDAP.org
On May 30, 2012, at 10:06 AM, fumiyas@osstech.co.jp wrote:
> I wish the following command-line option for slappasswd to
> load dynamically loadable password hash modules:
>
> $ slappasswd -o module-load=slapd-sha2.la -h '{SSHA512}'
> ...
>
> $ slappasswd -o module-path=/path/to/lib/openldap \
> -o module-load=slapd-sha2.la -h '{SSHA512}'
This seems a more appropriate approach to me than reading slapd.conf files. Users who use a particular module frequently can use an alias to reduce the typing overhead.
-- Kurt
Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
by fumiyas@osstech.co.jp
Hi,
I wish the following command-line option for slappasswd to
load dynamically loadable password hash modules:
$ slappasswd -o module-load=slapd-sha2.la -h '{SSHA512}'
...
$ slappasswd -o module-path=/path/to/lib/openldap \
-o module-load=slapd-sha2.la -h '{SSHA512}'
...
At Wed, 30 May 2012 13:45:48 GMT,
Kurt@OpenLDAP.org wrote:
> While if I needed some scheme only in contrib I might resort to other means to generate the hash (such as a little perl), I don't object to slappasswd, when requested by option, reading the configuration, loading the modules, and generating the hash. I would only object if slappasswd did this by default, as that would cause me to have to use other means even for core schemes.
I've revised the patch:
https://gist.github.com/2632560
With this patch:
$ slappasswd
Same as the original behavior (do not read any config)
$ slappasswd -f /path/to/slapd.conf
Read the specified slapd.conf
$ slappasswd -f -
Read the default slapd.conf
--
-- Name: SATOH Fumiyasu (fumiyas @ osstech co jp)
-- Business Home: http://www.OSSTech.co.jp/
-- GitHub Home: https://GitHub.com/fumiyas/
Re: (ITS#7271) Don't clobber SASL_NOCANON in clients/tools/common.c
by hyc@symas.com
W. Trevor King wrote:
> On Wed, May 30, 2012 at 06:14:38AM -0700, Howard Chu wrote:
>> Ideally the command line option should have been able to set this
>> explicitly to both true and false, to allow complete control over
>> the option. But I'm not particularly concerned either way. Since the
>> option currently can only be set to true, it would be sufficient to
>> just check for nocanon != 0 before calling ldap_set_option.
>
> My personal goal here is to not need to bother with command line
> options, so I'm fine with this less general solution. Another patch
> (only set the option with an explicit `-N`) attached.
>
> ---
> The attached patch file is derived from OpenLDAP Software. All of the
> modifications to OpenLDAP Software represented in the following
> patch(es) were developed by W. Trevor King wking@tremily.us. I have
> not assigned rights and/or interest in this work to any party.
>
> I, W. Trevor King, hereby place the following modifications to
> OpenLDAP Software (and only these modifications) into the public
> domain. Hence, these modifications may be freely used and/or
> redistributed for any purpose with or without attribution and/or other
> notice.
>
Thanks, added to master.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: (ITS#7271) Don't clobber SASL_NOCANON in clients/tools/common.c
by wking@tremily.us
On Wed, May 30, 2012 at 06:14:38AM -0700, Howard Chu wrote:
> Ideally the command line option should have been able to set this
> explicitly to both true and false, to allow complete control over
> the option. But I'm not particularly concerned either way. Since the
> option currently can only be set to true, it would be sufficient to
> just check for nocanon != 0 before calling ldap_set_option.
My personal goal here is to not need to bother with command line
options, so I'm fine with this less general solution. Another patch
(only set the option with an explicit `-N`) attached.
---
The attached patch file is derived from OpenLDAP Software. All of the
modifications to OpenLDAP Software represented in the following
patch(es) were developed by W. Trevor King wking@tremily.us. I have
not assigned rights and/or interest in this work to any party.
I, W. Trevor King, hereby place the following modifications to
OpenLDAP Software (and only these modifications) into the public
domain. Hence, these modifications may be freely used and/or
redistributed for any purpose with or without attribution and/or other
notice.
--
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy
[Attachment: tool-nocanon.patch]
diff --git a/clients/tools/common.c b/clients/tools/common.c
index 9c98b62..e928fb2 100644
--- a/clients/tools/common.c
+++ b/clients/tools/common.c
@@ -1410,12 +1410,13 @@ dnssrv_free:;
=20
#ifdef HAVE_CYRUS_SASL
/* canon */
- if( ldap_set_option( ld, LDAP_OPT_X_SASL_NOCANON,
- nocanon ? LDAP_OPT_ON : LDAP_OPT_OFF ) !=3D LDAP_OPT_SUCCESS )
- {
- fprintf( stderr, "Could not set LDAP_OPT_X_SASL_NOCANON %s\n",
- nocanon ? "on" : "off" );
- tool_exit( ld, EXIT_FAILURE );
+ if( nocanon ) {
+ if( ldap_set_option( ld, LDAP_OPT_X_SASL_NOCANON,
+ LDAP_OPT_ON ) !=3D LDAP_OPT_SUCCESS )
+ {
+ fprintf( stderr, "Could not set LDAP_OPT_X_SASL_NOCANON on\n" );
+ tool_exit( ld, EXIT_FAILURE );
+ }
}
#endif
if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &protocol )
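Review bot: the rewritten block only ever passes LDAP_OPT_ON, so a SASL_NOCANON setting inherited from ldap.conf can no longer be turned off from the command line; the thread accepts that trade-off, but the man page text for `-N` should then state that without the flag the library's (ldap.conf) SASL_NOCANON value is left in effect rather than reset, since that is the behavioural change this hunk makes. The hard-coded "on" in the fprintf is consistent with the new branch, and the failure path still calls tool_exit( ld, EXIT_FAILURE ), so error handling is unchanged.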
Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
by Kurt@OpenLDAP.org
On May 29, 2012, at 1:38 PM, michael@stroeder.com wrote:
> Still you did not answer why SHA-1 is in and SHA-2 is out.
Well, the general rule is simply all new hash schemes should go in contrib first. What you ask is for an exception to this general rule for SHA-2. I don't see the arguments for the exception being all that strong. Arguing it should be "in" because SHA-1 is "in" is a really poor argument. SHA-1 is "in" because it was grandfathered in. SHA-2, like any new hash scheme, is "out" because of the current practice to put new schemes in contrib. It's as simple as that, I think.
I do note that there are many issues with bringing hashes into core. One key one is that core schemes ought to work with minimal 3rd party libraries, and that means without OpenSSL. So bringing these schemes in also means, if we hold to this, bringing a SHA2 implementation into core... and that gets, well, more involved. And that's one of the reasons we have the core/contrib split.
Anyways, I personally think no exception should be granted, these schemes should go into contrib like any other new hash scheme would.
I've thought a bit about whether slappasswd should or should not load modules.
I stand against slappasswd reading slapd configuration by default. I would not object to reading slapd configuration when specifically requested by the user (by a command line argument).
I generally run slappasswd (for setup purposes) as a user which has no access to slapd configuration. This is not only for convenience, but for security reasons (limit programs which can read the configuration, as the configuration contains sensitive information).
While if I needed some scheme only in contrib I might resort to other means to generate the hash (such as a little perl), I don't object to slappasswd, when requested by option, reading the configuration, loading the modules, and generating the hash. I would only object if slappasswd did this by default, as that would cause me to have to use other means even for core schemes.
-- Kurt