openldap-bugs June 2014

openldap-bugs@openldap.org

15 participants
41 discussions

Re: (ITS#7851) [PATCH] buffer overrun in password checkers with malformed hash
by ryan＠nardis.ca 26 Jun '14

26 Jun '14

This is a multi-part message in MIME format. --------------070104060109070008020807 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit I checked the new pw-pbkdf2 module. It doesn't appear to be affected by this problem. On 11/05/14 07:56 PM, Ryan Tandy wrote: > ftp://ftp.openldap.org/incoming/rtandy_20140511_fix-passwd-b64-buffer_v2.pa… You probably know this, but just in case it helps: "git am --keep-cr" is the way to apply that patch, because of … [View More]

1 0

Re: (ITS#7878) OpenLDAP MinGW Build Problem
by ron＠zytrax.com 26 Jun '14

26 Jun '14

Additional Information re ITS#7878 omitted from original report: The build did not (correctly) auto-detect either Openssl or SASL which may make it a pretty unusual build case. On 20/06/2014 4:44 PM, openldap-its(a)OpenLDAP.org wrote: > *** THIS IS AN AUTOMATICALLY GENERATED REPLY *** > > Thanks for your report to the OpenLDAP Issue Tracking System. Your > report has been assigned the tracking number ITS#7878. > > One of our support engineers will look at your report in due … [View More]

1 0

Re: (ITS#7877) please make gcrypt optional with newer gnutls
by ryan＠nardis.ca 23 Jun '14

23 Jun '14

On Fri, Jun 20, 2014 at 5:23 PM, Ryan Tandy <ryan(a)nardis.ca> wrote: > This might be a better patch, if the build system change is acceptable. As usual, I can't get anything right on the first try. That one was missing a line (but apparently not one that stopped it from building or working); and besides that I'm not supposed to be attaching these in the first place, right? Proper patch series against current master: ftp://ftp.openldap.org/incoming/20140623-rtandy-0001-ITS-7877-… [View More]

1 0

Re: (ITS#7877) please make gcrypt optional with newer gnutls
by ryan＠nardis.ca 23 Jun '14

23 Jun '14

--047d7bdc8ac419e30c04fc856540 Content-Type: text/plain; charset=UTF-8 And here are the changes for smbk5pwd. Tried to use gnutls' own api since it abstracts gcrypt/nettle, but sadly it doesn't provide md4, so nettle it is. Note this patch assumes the HAVE_GNUTLS_GCRYPT define from the configure addition in the previous patch. --047d7bdc8ac419e30c04fc856540 Content-Type: text/x-patch; charset=US-ASCII; name="0001-ITS-7877-support-nettle-in-smbk5pwd.patch" Content-Disposition: attachment; … [View More]filename="0001-ITS-7877-support-nettle-in-smbk5pwd.patch" Content-Transfer-Encoding: base64 X-Attachment-Id: f_hws5388e1 RnJvbSAwMTU3Nzc4OTM3NTZiMjEwZGVlN2Q0MDA2ZWM0ZGVmMDEwMTQ0NTE2IE1vbiBTZXAgMTcg MDA6MDA6MDAgMjAwMQpGcm9tOiBSeWFuIFRhbmR5IDxyeWFuQG5hcmRpcy5jYT4KRGF0ZTogTW9u LCAyMyBKdW4gMjAxNCAxMToxOToyNiAtMDcwMApTdWJqZWN0OiBbUEFUQ0hdIElUUyM3ODc3IHN1 cHBvcnQgbmV0dGxlIGluIHNtYms1cHdkCgotLS0KIGNvbnRyaWIvc2xhcGQtbW9kdWxlcy9zbWJr NXB3ZC9zbWJrNXB3ZC5jIHwgMzAgKysrKysrKysrKysrKysrKysrKysrKysrKystLS0tCiAxIGZp bGUgY2hhbmdlZCwgMjYgaW5zZXJ0aW9ucygrKSwgNCBkZWxldGlvbnMoLSkKCmRpZmYgLS1naXQg YS9jb250cmliL3NsYXBkLW1vZHVsZXMvc21iazVwd2Qvc21iazVwd2QuYyBiL2NvbnRyaWIvc2xh cGQtbW9kdWxlcy9zbWJrNXB3ZC9zbWJrNXB3ZC5jCmluZGV4IDA3NWNlODguLjZjMDAzMDEgMTAw NjQ0Ci0tLSBhL2NvbnRyaWIvc2xhcGQtbW9kdWxlcy9zbWJrNXB3ZC9zbWJrNXB3ZC5jCisrKyBi L2NvbnRyaWIvc2xhcGQtbW9kdWxlcy9zbWJrNXB3ZC9zbWJrNXB3ZC5jCkBAIC02Niw4ICs2Niwx NSBAQCBzdGF0aWMgT2JqZWN0Q2xhc3MgKm9jX2tyYjVLRENFbnRyeTsKIAogI2lmZGVmIERPX1NB TUJBCiAjaWZkZWYgSEFWRV9HTlVUTFMKLSNpbmNsdWRlIDxnY3J5cHQuaD4KIHR5cGVkZWYgdW5z aWduZWQgY2hhciBERVNfY2Jsb2NrWzhdOworI2lmZGVmIEhBVkVfR05VVExTX0dDUllQVAorI2lu Y2x1ZGUgPGdjcnlwdC5oPgorI2Vsc2UKKy8qIGFzc3VtZSBnbnV0bHMgJiYgIWdjcnlwdCA9PiBu ZXR0bGUgKi8KKyNkZWZpbmUgSEFWRV9HTlVUTFNfTkVUVExFIDEKKyNpbmNsdWRlIDxuZXR0bGUv ZGVzLmg+CisjaW5jbHVkZSA8bmV0dGxlL21kNC5oPgorI2VuZGlmCiAjZWxpZiBIQVZFX09QRU5T U0wKICNpbmNsdWRlIDxvcGVuc3NsL2Rlcy5oPgogI2luY2x1ZGUgPG9wZW5zc2wvbWQ0Lmg+CkBA IC0xOTIsMTIgKzE5OSwxNCBAQCBzdGF0aWMgdm9pZCBsbWhhc2goCiAJREVTX2NibG9jayBoYnVm WzJdOwogI2lmZGVmIEhBVkVfT1BFTlNTTAogCURFU19rZXlfc2NoZWR1bGUgc2NoZWR1bGU7Ci0j ZWxpZiBkZWZpbmVkKEhBVkVfR05VVExTKQorI2VsaWYgZGVmaW5lZChIQVZFX0dOVVRMU19HQ1JZ UFQpCiAJZ2NyeV9jaXBoZXJfaGRfdCBoID0gTlVMTDsKIAlnY3J5X2Vycm9yX3QgZXJyOwogCiAJ ZXJyID0gZ2NyeV9jaXBoZXJfb3BlbiggJmgsIEdDUllfQ0lQSEVSX0RFUywgR0NSWV9DSVBIRVJf TU9ERV9DQkMsIDAgKTsKIAlpZiAoIGVyciApIHJldHVybjsKKyNlbGlmIGRlZmluZWQoSEFWRV9H TlVUTFNfTkVUVExFKQorCXN0cnVjdCBkZXNfY3R4IGN0eDsKICNlbmRpZgogCiAJc3RybmNweSgg VWNhc2VQYXNzd29yZCwgcGFzc3dkLT5idl92YWwsIDE0ICk7CkBAIC0yMDUsNyArMjE0LDcgQEAg c3RhdGljIHZvaWQgbG1oYXNoKAogCWxkYXBfcHZ0X3N0cjJ1cHBlciggVWNhc2VQYXNzd29yZCAp OwogCiAJbG1QYXNzd2RfdG9fa2V5KCBVY2FzZVBhc3N3b3JkLCAma2V5ICk7Ci0jaWZkZWYgSEFW RV9HTlVUTFMKKyNpZmRlZiBIQVZFX0dOVVRMU19HQ1JZUFQKIAllcnIgPSBnY3J5X2NpcGhlcl9z ZXRrZXkoIGgsICZrZXksIHNpemVvZihrZXkpICk7CiAJaWYgKCBlcnIgPT0gMCApIHsKIAkJZXJy ID0gZ2NyeV9jaXBoZXJfZW5jcnlwdCggaCwgJmhidWZbMF0sIHNpemVvZihrZXkpLCAmU3RkVGV4 dCwgc2l6ZW9mKGtleSkgKTsKQEAgLTIxOSw2ICsyMjgsMTMgQEAgc3RhdGljIHZvaWQgbG1oYXNo KAogCQl9CiAJCWdjcnlfY2lwaGVyX2Nsb3NlKCBoICk7CiAJfQorI2VsaWYgZGVmaW5lZChIQVZF X0dOVVRMU19ORVRUTEUpCisJZGVzX3NldF9rZXkoICZjdHgsICZrZXkgKTsKKwlkZXNfZW5jcnlw dCggJmN0eCwgc2l6ZW9mKGtleSksICZoYnVmWzBdLCAmU3RkVGV4dCApOworCisJbG1QYXNzd2Rf dG9fa2V5KCAmVWNhc2VQYXNzd29yZFs3XSwgJmtleSApOworCWRlc19zZXRfa2V5KCAmY3R4LCAm a2V5ICk7CisJZGVzX2VuY3J5cHQoICZjdHgsIHNpemVvZihrZXkpLCAmaGJ1ZlsxXSwgJlN0ZFRl eHQgKTsKICNlbGlmIGRlZmluZWQoSEFWRV9PUEVOU1NMKQogCWRlc19zZXRfa2V5X3VuY2hlY2tl ZCggJmtleSwgc2NoZWR1bGUgKTsKIAlkZXNfZWNiX2VuY3J5cHQoICZTdGRUZXh0LCAmaGJ1Zlsw XSwgc2NoZWR1bGUgLCBERVNfRU5DUllQVCApOwpAQCAtMjQzLDYgKzI1OSw4IEBAIHN0YXRpYyB2 b2lkIG50aGFzaCgKIAljaGFyIGhidWZbSEFTSExFTl07CiAjaWZkZWYgSEFWRV9PUEVOU1NMCiAJ TUQ0X0NUWCBjdHg7CisjZWxpZiBkZWZpbmVkKEhBVkVfR05VVExTX05FVFRMRSkKKwlzdHJ1Y3Qg bWQ0X2N0eCBjdHg7CiAjZW5kaWYKIAogCWlmIChwYXNzd2QtPmJ2X2xlbiA+IE1BWF9QV0xFTioy KQpAQCAtMjUyLDggKzI3MCwxMiBAQCBzdGF0aWMgdm9pZCBudGhhc2goCiAJTUQ0X0luaXQoICZj dHggKTsKIAlNRDRfVXBkYXRlKCAmY3R4LCBwYXNzd2QtPmJ2X3ZhbCwgcGFzc3dkLT5idl9sZW4g KTsKIAlNRDRfRmluYWwoICh1bnNpZ25lZCBjaGFyICopaGJ1ZiwgJmN0eCApOwotI2VsaWYgZGVm aW5lZChIQVZFX0dOVVRMUykKKyNlbGlmIGRlZmluZWQoSEFWRV9HTlVUTFNfR0NSWVBUKQogCWdj cnlfbWRfaGFzaF9idWZmZXIoR0NSWV9NRF9NRDQsIGhidWYsIHBhc3N3ZC0+YnZfdmFsLCBwYXNz d2QtPmJ2X2xlbiApOworI2VsaWYgZGVmaW5lZChIQVZFX0dOVVRMU19ORVRUTEUpCisJbWQ0X2lu aXQoICZjdHggKTsKKwltZDRfdXBkYXRlKCAmY3R4LCBwYXNzd2QtPmJ2X2xlbiwgcGFzc3dkLT5i dl92YWwgKTsKKwltZDRfZGlnZXN0KCAmY3R4LCBzaXplb2YoaGJ1ZiksICh1bnNpZ25lZCBjaGFy ICopaGJ1ZiApOwogI2VuZGlmCiAKIAloZXhpZnkoIGhidWYsIGhhc2ggKTsKLS0gCjIuMC4wCgo= --047d7bdc8ac419e30c04fc856540-- [View Less]

1 0

Re: (ITS#7878) OpenLDAP MinGW Build Problem
by hyc＠symas.com 23 Jun '14

23 Jun '14

ron(a)zytrax.com wrote: > Full_Name: Ron Aitchison > Version: 2.4.39 > OS: Windows 7/MinGW-w64/MSYS > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (67.230.141.32) > > > Checked the build error reports before submitting > Building OpenLDAP 2.4.39 under MinGW-w64 (Win32 chain) and MSYS > Configure command > ./configure --prefix=/target LIBS='-lpcre -lgdi32 -lpthread' --enable-overlays > --disable-shared CPPFLAGS='-I/target/include' LDFLAGS='-… [View More]

1 0

Re: (ITS#7879) liblmdb "mtest" programs do not build on mingw64
by hyc＠symas.com 23 Jun '14

23 Jun '14

batterseapower(a)hotmail.com wrote: > Full_Name: Max Bolingbroke > Version: LMDB HEAD > OS: Windows > URL: ftp://ftp.openldap.org/incoming/max-bolingbroke-20140622.patch > Submission from: (NULL) (81.111.197.81) > > > srandom/random do not appear to be defined on mingw. The trivial patch in > max-bolingbroke-20140622.patch simply defines these functions to the C standard > equivalents on Windows, which lets LMDB build cleanly there. I've committed a different … [View More]

1 0

(ITS#7879) liblmdb "mtest" programs do not build on mingw64
by batterseapower＠hotmail.com 22 Jun '14

22 Jun '14

Full_Name: Max Bolingbroke Version: LMDB HEAD OS: Windows URL: ftp://ftp.openldap.org/incoming/max-bolingbroke-20140622.patch Submission from: (NULL) (81.111.197.81) srandom/random do not appear to be defined on mingw. The trivial patch in max-bolingbroke-20140622.patch simply defines these functions to the C standard equivalents on Windows, which lets LMDB build cleanly there. I, Maximilian Bolingbroke, hereby place the following modifications to liblmdb (and only these modifications) into … [View More]

1 0

Re: (ITS#7877) please make gcrypt optional with newer gnutls
by ryan＠nardis.ca 20 Jun '14

20 Jun '14

This is a multi-part message in MIME format. --------------010505020103090906040401 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit This might be a better patch, if the build system change is acceptable. --------------010505020103090906040401 Content-Type: text/x-patch; name="0001-ITS-7877-detect-whether-gnutls-uses-gcrypt.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0001-ITS-7877-detect-whether-gnutls-uses-gcrypt.… [View More]patch" >From e904900beb419576abc098e96deda04e53119603 Mon Sep 17 00:00:00 2001 From: Ryan Tandy <ryan(a)nardis.ca> Date: Fri, 20 Jun 2014 14:44:23 -0700 Subject: [PATCH] ITS#7877 detect whether gnutls uses gcrypt --- configure.in | 14 ++++++++++++++ libraries/libldap/tls_g.c | 20 ++++++++++++++++++-- 2 files changed, 32 insertions(+), 2 deletions(-) diff --git a/configure.in b/configure.in index 84bfc8a..27fe13a 100644 --- a/configure.in +++ b/configure.in @@ -1223,6 +1223,20 @@ if test $ol_link_tls = no ; then fi fi +if test $ol_with_tls = gnutls ; then + AC_CHECK_HEADERS(gcrypt.h) + + if test $ac_cv_header_gcrypt_h = yes ; then + AC_CHECK_LIB(gnutls, gcry_cipher_open, + [have_gnutls_gcrypt=yes], [have_gnutls_gcrypt=no]) + + if test $have_gnutls_gcrypt = yes ; then + AC_DEFINE(HAVE_GNUTLS_GCRYPT, 1, + [define if GnuTLS is using GCrypt]) + fi + fi +fi + dnl NOTE: caller must specify -I/path/to/nspr4 and -I/path/to/nss3 dnl and -L/path/to/nspr4 libs and -L/path/to/nss3 libs if those libs dnl are not in the default system location diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c index ee83b5c..417c768 100644 --- a/libraries/libldap/tls_g.c +++ b/libraries/libldap/tls_g.c @@ -43,10 +43,16 @@ #include <gnutls/gnutls.h> #include <gnutls/x509.h> -#include <gcrypt.h> #if LIBGNUTLS_VERSION_NUMBER >= 0x020200 #define HAVE_CIPHERSUITES 1 +#else +#undef HAVE_CIPHERSUITES +#endif + +#ifdef HAVE_GNUTLS_GCRYPT +#include <gcrypt.h> +#if LIBGNUTLS_VERSION_NUMBER >= 0x020200 /* This is a kludge. gcrypt 1.4.x has support. Recent GnuTLS requires gcrypt 1.4.x * but that dependency isn't reflected in their configure script, resulting in * build errors on older gcrypt. So, if they have a working build environment, @@ -54,9 +60,9 @@ */ #define HAVE_GCRYPT_RAND 1 #else -#undef HAVE_CIPHERSUITES #undef HAVE_GCRYPT_RAND #endif +#endif #ifndef HAVE_CIPHERSUITES /* Versions prior to 2.2.0 didn't handle cipher suites, so we had to @@ -143,6 +149,15 @@ tlsg_mutex_unlock( void **lock ) return ldap_pvt_thread_mutex_unlock( *lock ); } +#if GNUTLS_VERSION_NUMBER >= 0x020b00 +tlsg_thr_init( void ) +{ + gnutls_global_set_mutex (tlsg_mutex_init, + tlsg_mutex_destroy, + tlsg_mutex_lock, + tlsg_mutex_unlock); +} +#else static struct gcry_thread_cbs tlsg_thread_cbs = { GCRY_THREAD_OPTION_USER, NULL, @@ -158,6 +173,7 @@ tlsg_thr_init( void ) { gcry_control (GCRYCTL_SET_THREAD_CBS, &tlsg_thread_cbs); } +#endif #endif /* LDAP_R_COMPILE */ /* -- 1.9.1 --------------010505020103090906040401-- [View Less]

1 0

(ITS#7878) OpenLDAP MinGW Build Problem
by ron＠zytrax.com 20 Jun '14

20 Jun '14

Full_Name: Ron Aitchison Version: 2.4.39 OS: Windows 7/MinGW-w64/MSYS URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (67.230.141.32) Checked the build error reports before submitting Building OpenLDAP 2.4.39 under MinGW-w64 (Win32 chain) and MSYS Configure command ./configure --prefix=/target LIBS='-lpcre -lgdi32 -lpthread' --enable-overlays --disable-shared CPPFLAGS='-I/target/include' LDFLAGS='-L/target/lib' make depend - works make - fails with undefined uint32_t in /servers/… [View More]

1 0

(ITS#7877) please make gcrypt optional with newer gnutls
by ryan＠nardis.ca 20 Jun '14

20 Jun '14

Full_Name: Ryan Tandy Version: HEAD OS: Debian unstable URL: Submission from: (NULL) (142.32.208.235) Debian bug report: https://bugs.debian.org/745231 Quoting Andreas Metzler: "given that gmp has been dual-licensed LGPLv3+/GPLv2+ it should be possible to switch openldap over to the newer version of gnutls. Upstream's 0205e83f4670d10ad3c6ae4b8fc5ec1d0c7020c0 lets the Debian package build successfully (including testsuite). However even with patch there is still some work to be done. … [View More]libraries/libldap/tls_g.c has some gcrypt related code that should be simply unnecessary with gnutls3, therefore it should not link against libgcrypt either. (Except for contrib/slapd-modules/smbk5pwd/smbk5pwd.c)." The following changes make gcrypt optional for libldap. For versions where both nettle and gcrypt are supported, I assume the default since no mechanism is provided for detecting which is actually in use. Tested with GnuTLS 2.8.6 and 3.2.15. --- a/libraries/libldap/tls_g.c +++ b/libraries/libldap/tls_g.c @@ -43,10 +43,17 @@ #include <gnutls/gnutls.h> #include <gnutls/x509.h> -#include <gcrypt.h> #if LIBGNUTLS_VERSION_NUMBER >= 0x020200 #define HAVE_CIPHERSUITES 1 +#else +#undef HAVE_CIPHERSUITES +#endif + +/* gnutls >= 2.11.1 no longer uses gcrypt by default */ +#if LIBGNUTLS_VERSION_NUMBER < 0x020b01 +#include <gcrypt.h> +#if LIBGNUTLS_VERSION_NUMBER >= 0x020200 /* This is a kludge. gcrypt 1.4.x has support. Recent GnuTLS requires gcrypt 1.4.x * but that dependency isn't reflected in their configure script, resulting in * build errors on older gcrypt. So, if they have a working build environment, @@ -54,9 +61,10 @@ */ #define HAVE_GCRYPT_RAND 1 #else -#undef HAVE_CIPHERSUITES #undef HAVE_GCRYPT_RAND #endif +#endif + #ifndef HAVE_CIPHERSUITES /* Versions prior to 2.2.0 didn't handle cipher suites, so we had to @@ -143,6 +151,7 @@ tlsg_mutex_unlock( void **lock ) return ldap_pvt_thread_mutex_unlock( *lock ); } +#if GNUTLS_VERSION_NUMBER <= 0x020b00 static struct gcry_thread_cbs tlsg_thread_cbs = { GCRY_THREAD_OPTION_USER, NULL, @@ -158,6 +167,16 @@ tlsg_thr_init( void ) { gcry_control (GCRYCTL_SET_THREAD_CBS, &tlsg_thread_cbs); } +#else +static void +tlsg_thr_init( void ) +{ + gnutls_global_set_mutex (tlsg_mutex_init, + tlsg_mutex_destroy, + tlsg_mutex_lock, + tlsg_mutex_unlock); +} +#endif #endif /* LDAP_R_COMPILE */ /* I have not looked at smbk5pwd yet. [View Less]

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs June 2014