(ITS#7979) mozNSS does not process TLS_PROTOCOL_MIN
by mreynolds@redhat.com
Full_Name: Mark Reynolds
Version: 2.4.40
OS: Fedora 20
URL: ftp://ftp.openldap.org/incoming/mark-reynolds-141112.patch
Submission from: (NULL) (174.60.44.17)
Currently there is no check for TLS_PROTOCOL_MIN in the mozNSS code. mozNSS
defaults to SSLv3/TLS1.0 which is no longer considered secure. If a client only
supports TLSv1.1 and up, the openldap ldapsearch will fail to connect over SSL.
ldapsearch -H "ldaps://localhost.localdomain:636" -b "" -s base objectclass=*
or
LDAPTLS_PROTOCOL_MIN=3.2 ldapsearch -H "ldaps://localhost.localdomain:636" -b "" -s base objectclass=*
The fix is to grab the supported version range from NSS, adjust the minimum
range if TLS_PROTOCOL_MIN is set, and then set the NSS default range with the
min and max versions.
Also updated the NSS version string map table to support up to TLSv1.3.
7 years, 6 months
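The range adjustment described in ITS#7979 above, as an added example that is not the submitted patch or OpenLDAP code: it parses a TLS_PROTOCOL_MIN value such as 3.2 into the wire version 0x0302 (TLS 1.1) and raises the minimum of a supported range, failing closed when the setting is malformed or newer than the library supports. The version_range struct and both function names are assumptions standing in for the NSS range type and calls, and the supported range in main() is a constructed sample.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the NSS version range: 16-bit wire versions,
 * 0x0300 = SSLv3, 0x0301 = TLS 1.0, 0x0302 = TLS 1.1, 0x0303 = TLS 1.2. */
typedef struct { unsigned short min, max; } version_range;

/* Parse "major.minor" ("3.2" -> 0x0302). Returns 0, or -1 if malformed. */
static int parse_protocol_min(const char *s, unsigned short *out)
{
    char *end;
    long major, minor = 0;

    if (s == NULL || *s < '0' || *s > '9') return -1;
    major = strtol(s, &end, 10);
    if (major > 255) return -1;
    if (*end == '.') {
        if (end[1] < '0' || end[1] > '9') return -1;
        minor = strtol(end + 1, &end, 10);
        if (minor > 255) return -1;
    }
    if (*end != '\0') return -1;        /* trailing junk such as "3.2x" */
    *out = (unsigned short)((major << 8) | minor);
    return 0;
}

/* Raise the supported range to the configured minimum. Returns 0 and fills
 * *out, or -1 if the setting is malformed or above the supported maximum. */
static int apply_protocol_min(version_range supported, const char *setting,
                              version_range *out)
{
    unsigned short want;

    *out = supported;
    if (setting == NULL) return 0;      /* option unset: keep library range */
    if (parse_protocol_min(setting, &want) != 0) return -1;
    if (want > supported.max) return -1;
    if (want > out->min) out->min = want;
    return 0;
}

int main(void)
{
    /* Constructed sample: a library that supports SSLv3 through TLS 1.2. */
    version_range supported = { 0x0300, 0x0303 }, eff;
    const char *setting = getenv("LDAPTLS_PROTOCOL_MIN");

    if (apply_protocol_min(supported, setting, &eff) != 0) {
        fprintf(stderr, "unusable TLS_PROTOCOL_MIN: %s\n", setting);
        return 1;
    }
    printf("default range: 0x%04x..0x%04x\n", eff.min, eff.max);
    return 0;
}
```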
Re: (ITS#7977) Supported PBKDF2-SHA256 and PBKDF2-SHA512
by hamano@osstech.co.jp
Hi,
Please merge the additional patch:
https://www.osstech.co.jp/download/hamano/openldap-pbkdf2_nettle.patch
This patch includes nettle support and fixes an issue.
https://github.com/hamano/openldap-pbkdf2/pull/4
https://github.com/hamano/openldap-pbkdf2/pull/3
Thank you.
At Wed, 05 Nov 2014 11:57:33 +0000,
Howard Chu wrote:
>
> Tsukasa HAMANO wrote:
> > Hi, Howard
> >
> > At Wed, 05 Nov 2014 09:32:43 +0000,
> > Howard Chu wrote:
> >>
> >> Any particular reason you've decreased the iterations from 60000 to 10000?
> >>
> >
> > It was too slow when stretching 60000 on a powerless server.
> > My tiny VM needed over 1 sec to iterate 60000 by PBKDF2-SHA512.
> > The RFC recommends more than 1000 iterations, so 10000 iterations would be safe enough.
> > FYI: http://security.stackexchange.com/questions/3959/recommended-of-iteration...
>
> OK. I've committed it without any changes, thanks for the patch.
>
> > It is desirable to be able to change the operator, but slappasswd does
> > not read slapd.conf so I was stuck.
> > I'm planning to change slappasswd to accept an iteration count in the future.
> > Thank you.
> >
>
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
--
Open Source Solution Technology Corporation
HAMANO Tsukasa <hamano(a)osstech.co.jp>
fingerprint = 2285 2111 6D34 3816 3C2E A5B9 16BE D101 6069 BE55
7 years, 6 months
Re: (ITS#7978) OpenLDAP 2.4 fails to build with LibreSSL
by hyc@symas.com
Spil Oss wrote:
> Hi Howard,
>
> Thanks for the pointer. --enable-lmpasswd was indeed enabled in the
> FreeBSD port. Notifying maintainer of port to switch it off and
> provided a patch for the port.
> Hope the patch I created for OpenLDAP is usable after all! Deprecated
> code in a function that should not be used, would it not be better to
> remove it completely? (or is that violating the RFCs?)
Very likely we should remove it. Will queue that up for 2.5. 2.4 is
end-of-life and feature-frozen so nothing will be added or removed from it.
> Kind regards,
>
> Bernard.
>
> On Wed, Nov 5, 2014 at 5:48 PM, Howard Chu <hyc(a)symas.com> wrote:
>> spil.oss(a)gmail.com wrote:
>>>
>>> Full_Name: Bernard Spil
>>> Version: 2.4.40
>>> OS: FreeBSD 10.1-RC2
>>> URL: ftp://ftp.openldap.org/incoming/
>>> Submission from: (NULL) (185.9.255.20)
>>>
>>>
>>> When compiling OpenLDAP against the LibreSSL OpenSSL fork, compilation
>>> fails
>>> because deprecated types and functions are used. These types and functions
>>> have
>>> been marked deprecated by OpenSSL since 2002 and moved from des.h to
>>> des_old.h.
>>> LibreSSL removed these deprecated types and functions in April 2014 see
>>>
>>> https://github.com/libressl-portable/openbsd/commit/e0d211052a6946b9f8af1...
>>>
>>> From the make output:
>>
>>
>> It appears you're compiling with the old LANMAN hash support. Nobody should
>> be using LANMAN any more, it's trivially insecure. I'm inclined to ignore
>> this ITS.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
7 years, 6 months
Re: (ITS#7978) OpenLDAP 2.4 fails to build with LibreSSL
by spil.oss@gmail.com
Hi Howard,
Thanks for the pointer. --enable-lmpasswd was indeed enabled in the
FreeBSD port. Notifying maintainer of port to switch it off and
provided a patch for the port.
Hope the patch I created for OpenLDAP is usable after all! Deprecated
code in a function that should not be used, would it not be better to
remove it completely? (or is that violating the RFCs?)
Kind regards,
Bernard.
On Wed, Nov 5, 2014 at 5:48 PM, Howard Chu <hyc(a)symas.com> wrote:
> spil.oss(a)gmail.com wrote:
>>
>> Full_Name: Bernard Spil
>> Version: 2.4.40
>> OS: FreeBSD 10.1-RC2
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (185.9.255.20)
>>
>>
>> When compiling OpenLDAP against the LibreSSL OpenSSL fork, compilation
>> fails
>> because deprecated types and functions are used. These types and functions
>> have
>> been marked deprecated by OpenSSL since 2002 and moved from des.h to
>> des_old.h.
>> LibreSSL removed these deprecated types and functions in April 2014 see
>>
>> https://github.com/libressl-portable/openbsd/commit/e0d211052a6946b9f8af1...
>>
>> From the make output:
>
>
> It appears you're compiling with the old LANMAN hash support. Nobody should
> be using LANMAN any more, it's trivially insecure. I'm inclined to ignore
> this ITS.
>>
>>
>> --- passwd.o ---
>> passwd.c:41:9: error: unknown type name 'des_cblock'; did you mean
>> 'DES_cblock'?
>> typedef des_cblock des_key;
>> ^~~~~~~~~~
>> DES_cblock
>> /usr/local/include/openssl/des.h:73:23: note: 'DES_cblock' declared here
>> typedef unsigned char DES_cblock[8];
>> ^
>> passwd.c:42:9: error: unknown type name 'des_cblock'; did you mean
>> 'DES_cblock'?
>> typedef des_cblock des_data_block;
>> ^~~~~~~~~~
>> DES_cblock
>> /usr/local/include/openssl/des.h:73:23: note: 'DES_cblock' declared here
>> typedef unsigned char DES_cblock[8];
>> ^
>> passwd.c:43:9: error: unknown type name 'des_key_schedule'; did you mean
>> 'DES_key_schedule'?
>> typedef des_key_schedule des_context;
>> ^~~~~~~~~~~~~~~~
>> DES_key_schedule
>> /usr/local/include/openssl/des.h:87:7: note: 'DES_key_schedule' declared
>> here
>> } DES_key_schedule;
>> ^
>> passwd.c:670:5: warning: implicit declaration of function
>> 'des_set_odd_parity'
>> is invalid in C99 [-Wimplicit-function-declaration]
>> des_set_odd_parity( key );
>> ^
>> passwd.c:867:2: warning: implicit declaration of function
>> 'des_set_key_unchecked' is invalid in C99
>> [-Wimplicit-function-declaration]
>> des_set_key_unchecked( &key, schedule );
>> ^
>> passwd.c:868:2: warning: implicit declaration of function
>> 'des_ecb_encrypt' is
>> invalid in C99 [-Wimplicit-function-declaration]
>> des_ecb_encrypt( &StdText, &PasswordHash1, schedule , DES_ENCRYPT
>> );
>> ^
>> 3 warnings and 3 errors generated.
>> *** [passwd.o] Error code 1
>>
>> make[4]: stopped in
>> /usr/ports/net/openldap24-server/work/openldap-2.4.40/libraries/liblutil
>> 1 error
>>
>> make[4]: stopped in
>> /usr/ports/net/openldap24-server/work/openldap-2.4.40/libraries/liblutil
>> *** [all-common] Error code 2
>>
>> make[3]: stopped in
>> /usr/ports/net/openldap24-server/work/openldap-2.4.40/libraries
>> 1 error
>>
>> make[3]: stopped in
>> /usr/ports/net/openldap24-server/work/openldap-2.4.40/libraries
>> *** [all-common] Error code 2
>>
>> make[2]: stopped in /usr/ports/net/openldap24-server/work/openldap-2.4.40
>> 1 error
>>
>> make[2]: stopped in /usr/ports/net/openldap24-server/work/openldap-2.4.40
>> ===> Compilation failed unexpectedly.
>> Try to set MAKE_JOBS_UNSAFE=yes and rebuild before reporting the failure
>> to
>> the maintainer.
>> *** Error code 1
>>
>> Stop.
>>
>>
>>
>
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
7 years, 6 months
Re: (ITS#7978) OpenLDAP 2.4 fails to build with LibreSSL
by bernard@bachfreund.nl
Patch to upgrade to the current DES_* types and functions, at least
compiles with this.
On 2014-11-05 17:48, Howard Chu wrote:
> spil.oss(a)gmail.com wrote:
>> Full_Name: Bernard Spil
>> Version: 2.4.40
>> OS: FreeBSD 10.1-RC2
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (185.9.255.20)
>>
>>
>> When compiling OpenLDAP against the LibreSSL OpenSSL fork, compilation
>> fails
>> because deprecated types and functions are used. These types and
>> functions have
>> been marked deprecated by OpenSSL since 2002 and moved from des.h to
>> des_old.h.
>> LibreSSL removed these deprecated types and functions in April 2014
>> see
>> https://github.com/libressl-portable/openbsd/commit/e0d211052a6946b9f8af1...
>>
>> From the make output:
>
> It appears you're compiling with the old LANMAN hash support. Nobody
> should be using LANMAN any more, it's trivially insecure. I'm inclined
> to ignore this ITS.
>>
>> --- passwd.o ---
>> passwd.c:41:9: error: unknown type name 'des_cblock'; did you mean
>> 'DES_cblock'?
>> typedef des_cblock des_key;
>> ^~~~~~~~~~
>> DES_cblock
>> /usr/local/include/openssl/des.h:73:23: note: 'DES_cblock' declared
>> here
>> typedef unsigned char DES_cblock[8];
>> ^
>> passwd.c:42:9: error: unknown type name 'des_cblock'; did you mean
>> 'DES_cblock'?
>> typedef des_cblock des_data_block;
>> ^~~~~~~~~~
>> DES_cblock
>> /usr/local/include/openssl/des.h:73:23: note: 'DES_cblock' declared
>> here
>> typedef unsigned char DES_cblock[8];
>> ^
>> passwd.c:43:9: error: unknown type name 'des_key_schedule'; did you
>> mean
>> 'DES_key_schedule'?
>> typedef des_key_schedule des_context;
>> ^~~~~~~~~~~~~~~~
>> DES_key_schedule
>> /usr/local/include/openssl/des.h:87:7: note: 'DES_key_schedule'
>> declared here
>> } DES_key_schedule;
>> ^
>> passwd.c:670:5: warning: implicit declaration of function
>> 'des_set_odd_parity'
>> is invalid in C99 [-Wimplicit-function-declaration]
>> des_set_odd_parity( key );
>> ^
>> passwd.c:867:2: warning: implicit declaration of function
>> 'des_set_key_unchecked' is invalid in C99
>> [-Wimplicit-function-declaration]
>> des_set_key_unchecked( &key, schedule );
>> ^
>> passwd.c:868:2: warning: implicit declaration of function
>> 'des_ecb_encrypt' is
>> invalid in C99 [-Wimplicit-function-declaration]
>> des_ecb_encrypt( &StdText, &PasswordHash1, schedule ,
>> DES_ENCRYPT );
>> ^
>> 3 warnings and 3 errors generated.
>> *** [passwd.o] Error code 1
>>
>> make[4]: stopped in
>> /usr/ports/net/openldap24-server/work/openldap-2.4.40/libraries/liblutil
>> 1 error
>>
>> make[4]: stopped in
>> /usr/ports/net/openldap24-server/work/openldap-2.4.40/libraries/liblutil
>> *** [all-common] Error code 2
>>
>> make[3]: stopped in
>> /usr/ports/net/openldap24-server/work/openldap-2.4.40/libraries
>> 1 error
>>
>> make[3]: stopped in
>> /usr/ports/net/openldap24-server/work/openldap-2.4.40/libraries
>> *** [all-common] Error code 2
>>
>> make[2]: stopped in
>> /usr/ports/net/openldap24-server/work/openldap-2.4.40
>> 1 error
>>
>> make[2]: stopped in
>> /usr/ports/net/openldap24-server/work/openldap-2.4.40
>> ===> Compilation failed unexpectedly.
>> Try to set MAKE_JOBS_UNSAFE=yes and rebuild before reporting the
>> failure to
>> the maintainer.
>> *** Error code 1
>>
>> Stop.
>>
>>
>>
[Attachment: patch-libraries_liblutil_passwd.c (text/x-diff, 5977 bytes)]
7 years, 6 months
Re: (ITS#7978) OpenLDAP 2.4 fails to build with LibreSSL
by hyc@symas.com
spil.oss(a)gmail.com wrote:
> Full_Name: Bernard Spil
> Version: 2.4.40
> OS: FreeBSD 10.1-RC2
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (185.9.255.20)
>
>
> When compiling OpenLDAP against the LibreSSL OpenSSL fork, compilation fails
> because deprecated types and functions are used. These types and functions have
> been marked deprecated by OpenSSL since 2002 and moved from des.h to des_old.h.
> LibreSSL removed these deprecated types and functions in April 2014 see
> https://github.com/libressl-portable/openbsd/commit/e0d211052a6946b9f8af1...
>
> From the make output:
It appears you're compiling with the old LANMAN hash support. Nobody should be
using LANMAN any more, it's trivially insecure. I'm inclined to ignore this ITS.
>
> --- passwd.o ---
> passwd.c:41:9: error: unknown type name 'des_cblock'; did you mean
> 'DES_cblock'?
> typedef des_cblock des_key;
> ^~~~~~~~~~
> DES_cblock
> /usr/local/include/openssl/des.h:73:23: note: 'DES_cblock' declared here
> typedef unsigned char DES_cblock[8];
> ^
> passwd.c:42:9: error: unknown type name 'des_cblock'; did you mean
> 'DES_cblock'?
> typedef des_cblock des_data_block;
> ^~~~~~~~~~
> DES_cblock
> /usr/local/include/openssl/des.h:73:23: note: 'DES_cblock' declared here
> typedef unsigned char DES_cblock[8];
> ^
> passwd.c:43:9: error: unknown type name 'des_key_schedule'; did you mean
> 'DES_key_schedule'?
> typedef des_key_schedule des_context;
> ^~~~~~~~~~~~~~~~
> DES_key_schedule
> /usr/local/include/openssl/des.h:87:7: note: 'DES_key_schedule' declared here
> } DES_key_schedule;
> ^
> passwd.c:670:5: warning: implicit declaration of function 'des_set_odd_parity'
> is invalid in C99 [-Wimplicit-function-declaration]
> des_set_odd_parity( key );
> ^
> passwd.c:867:2: warning: implicit declaration of function
> 'des_set_key_unchecked' is invalid in C99 [-Wimplicit-function-declaration]
> des_set_key_unchecked( &key, schedule );
> ^
> passwd.c:868:2: warning: implicit declaration of function 'des_ecb_encrypt' is
> invalid in C99 [-Wimplicit-function-declaration]
> des_ecb_encrypt( &StdText, &PasswordHash1, schedule , DES_ENCRYPT );
> ^
> 3 warnings and 3 errors generated.
> *** [passwd.o] Error code 1
>
> make[4]: stopped in /usr/ports/net/openldap24-server/work/openldap-2.4.40/libraries/liblutil
> 1 error
>
> make[4]: stopped in /usr/ports/net/openldap24-server/work/openldap-2.4.40/libraries/liblutil
> *** [all-common] Error code 2
>
> make[3]: stopped in /usr/ports/net/openldap24-server/work/openldap-2.4.40/libraries
> 1 error
>
> make[3]: stopped in /usr/ports/net/openldap24-server/work/openldap-2.4.40/libraries
> *** [all-common] Error code 2
>
> make[2]: stopped in /usr/ports/net/openldap24-server/work/openldap-2.4.40
> 1 error
>
> make[2]: stopped in /usr/ports/net/openldap24-server/work/openldap-2.4.40
> ===> Compilation failed unexpectedly.
> Try to set MAKE_JOBS_UNSAFE=yes and rebuild before reporting the failure to
> the maintainer.
> *** Error code 1
>
> Stop.
>
>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
7 years, 6 months
(ITS#7978) OpenLDAP 2.4 fails to build with LibreSSL
by spil.oss@gmail.com
Full_Name: Bernard Spil
Version: 2.4.40
OS: FreeBSD 10.1-RC2
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (185.9.255.20)
When compiling OpenLDAP against the LibreSSL OpenSSL fork, compilation fails
because deprecated types and functions are used. These types and functions have
been marked deprecated by OpenSSL since 2002 and moved from des.h to des_old.h.
LibreSSL removed these deprecated types and functions in April 2014 see
https://github.com/libressl-portable/openbsd/commit/e0d211052a6946b9f8af1...
From the make output:
--- passwd.o ---
passwd.c:41:9: error: unknown type name 'des_cblock'; did you mean
'DES_cblock'?
typedef des_cblock des_key;
^~~~~~~~~~
DES_cblock
/usr/local/include/openssl/des.h:73:23: note: 'DES_cblock' declared here
typedef unsigned char DES_cblock[8];
^
passwd.c:42:9: error: unknown type name 'des_cblock'; did you mean
'DES_cblock'?
typedef des_cblock des_data_block;
^~~~~~~~~~
DES_cblock
/usr/local/include/openssl/des.h:73:23: note: 'DES_cblock' declared here
typedef unsigned char DES_cblock[8];
^
passwd.c:43:9: error: unknown type name 'des_key_schedule'; did you mean
'DES_key_schedule'?
typedef des_key_schedule des_context;
^~~~~~~~~~~~~~~~
DES_key_schedule
/usr/local/include/openssl/des.h:87:7: note: 'DES_key_schedule' declared here
} DES_key_schedule;
^
passwd.c:670:5: warning: implicit declaration of function 'des_set_odd_parity'
is invalid in C99 [-Wimplicit-function-declaration]
des_set_odd_parity( key );
^
passwd.c:867:2: warning: implicit declaration of function
'des_set_key_unchecked' is invalid in C99 [-Wimplicit-function-declaration]
des_set_key_unchecked( &key, schedule );
^
passwd.c:868:2: warning: implicit declaration of function 'des_ecb_encrypt' is
invalid in C99 [-Wimplicit-function-declaration]
des_ecb_encrypt( &StdText, &PasswordHash1, schedule , DES_ENCRYPT );
^
3 warnings and 3 errors generated.
*** [passwd.o] Error code 1
make[4]: stopped in /usr/ports/net/openldap24-server/work/openldap-2.4.40/libraries/liblutil
1 error
make[4]: stopped in /usr/ports/net/openldap24-server/work/openldap-2.4.40/libraries/liblutil
*** [all-common] Error code 2
make[3]: stopped in /usr/ports/net/openldap24-server/work/openldap-2.4.40/libraries
1 error
make[3]: stopped in /usr/ports/net/openldap24-server/work/openldap-2.4.40/libraries
*** [all-common] Error code 2
make[2]: stopped in /usr/ports/net/openldap24-server/work/openldap-2.4.40
1 error
make[2]: stopped in /usr/ports/net/openldap24-server/work/openldap-2.4.40
===> Compilation failed unexpectedly.
Try to set MAKE_JOBS_UNSAFE=yes and rebuild before reporting the failure to
the maintainer.
*** Error code 1
Stop.
7 years, 6 months