February 2017 - openldap-devel

asserts and manadatory build instructions (was ITS#8240)

by Michael Ströder

hyc(a)symas.com wrote in ITS#8240: > Our patch response was too hasty. There is no OpenLDAP bug here, the real > issue is production binaries being built with asserts enabled instead of > compiling with -DNDEBUG. That's an issue for packagers and distros to resolve. > Closing this ITS, not an OpenLDAP bug. Maybe I missed something. But this is the first time I've heard about -DNDEBUG being mandatory when compiling binary packages for production use. Does it have other effects? And what are general rules for assert statements in OpenLDAP code? In my own (Python) code assert statements are supposed to be only triggered if something goes wrong *internally* (type issues etc.). If somebody manages to trigger an assert statement with invalid input from "outside" I always consider this to be a serious bug revealing insufficient error handling even though e.g. web2ldap just logs the exception but won't crash. YMMV, but please clarify. I also wonder whether there are more mandatory rules for building packages and where I can find them. Please don't get me wrong: My inquiry is in good faith to avoid unnecessary ITS based on misunderstanding. Ciao, Michael.

2 years, 1 month

1
1
0 / 0

Fwd: LMDB and text encoding

by Timur Kristóf

> I just had a look at how BDB handled this. As you can see they used a > TO_TSTRING macro to convert incoming pathnames from UTF8 to UTF16. > > https://gitorious.org/berkeleydb/berkeleydb/source/347d239a1e44ed4f773ae9... > > https://gitorious.org/berkeleydb/berkeleydb/source/347d239a1e44ed4f773ae9... > > (And a FROM_TSTRING for the reverse, as well.) (Mea culpa, I accidentally hit "reply" instead of "reply all". Sorry. Now reposting to the mailing list.) Since we only need to do this on Windows, we could use MultiByteToWideChar with CP_UTF8. (That's what TO_TSTRING does, too.) I do not think we would ever need to do any such conversion on UNIX. https://msdn.microsoft.com/en-us/library/windows/desktop/dd319072%28v=vs.... I'm not sure if we can just copy-paste BDB's code. Probably not, that would lead to licensing issues, wouldn't it?

6 years, 6 months

4
16
0 / 0

Re: Revisiting the SHA1 default password hash

by Quanah Gibson-Mount

--On Friday, February 24, 2017 8:32 PM +0000 Howard Chu <hyc(a)symas.com> wrote: >> Yes, but there should be something stronger. >> >> How about moving ./contrib/slapd-modules/passwd/pbkdf2 to core? > > Yeah at this point we can probably bypass SHA2 and just go straight to > SHA3. There's a lot of crypto software out there already using it. pbkdf2 > is still using SHA2. Worthwhile to read over: <https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016> libsodium's a pretty trivial compile, I added it to Zimbra a while back for another project. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

6 years, 9 months

3
2
0 / 0

Re: Revisiting the SHA1 default password hash

by Quanah Gibson-Mount

--On Friday, February 24, 2017 10:18 PM +0100 Michael Ströder <michael(a)stroeder.com> wrote: > Michael Ströder wrote: >> I was referring to strength of password hashing scheme. > > And yes, I read your note about bcrypt. But I assumed that something > which is already there and tested may be the most successful route for > now. We ship the bcrypt module as a part of the Symas build, and there are others using it as well, per discussion on the OpenLDAP IRC channel. So it's not untested. ;) --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

6 years, 9 months

1
0
0 / 0

Re: Revisiting the SHA1 default password hash

by Quanah Gibson-Mount

--On Friday, February 24, 2017 9:06 PM +0100 Michael Ströder <michael(a)stroeder.com> wrote: > Quanah Gibson-Mount wrote: >> I think it would be wise to update OpenLDAP to a different default for >> userPassword. > > Yes! > >> We currently have the Contrib SHA2 module, > > SHA-2 hashes with one round are also way too fast to be a good password > hash algorithm. > >> It may be time to move the SHA2 module into core, > > Yes, but there should be something stronger. Did you just skip entirely past the point where I said: "but there has been some discussion of the limitations of the current SHA2 module in the past that would likely need addressing" ?? :) The point of that sentence was to note that there are issues with the current SSHA2 module that would need fixing prior to moving it to core. And yes, perhaps PBKDF2 should be in core as well. ;) --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

6 years, 9 months

2
2
0 / 0

Re: Revisiting the SHA1 default password hash

by Howard Chu

Michael Ströder wrote: > Quanah Gibson-Mount wrote: >> I think it would be wise to update OpenLDAP to a different default for userPassword. > > Yes! > >> We currently have the Contrib SHA2 module, > > SHA-2 hashes with one round are also way too fast to be a good password hash algorithm. > >> It may be time to move the SHA2 module into core, > > Yes, but there should be something stronger. > > How about moving ./contrib/slapd-modules/passwd/pbkdf2 to core? Yeah at this point we can probably bypass SHA2 and just go straight to SHA3. There's a lot of crypto software out there already using it. pbkdf2 is still using SHA2. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

6 years, 9 months

1
0
0 / 0

Revisiting the SHA1 default password hash

by Quanah Gibson-Mount

The general weakness of SHA has been understood for some time, although progress advances on finding collisions (Such as <https://security.googleblog.com/2017/02/announcing-first-sha1-collision.h...>). I think it would be wise to update OpenLDAP to a different default for userPassword. We currently have the Contrib SHA2 module, and there's a nice bcrypt(*) module on Github (I asked the author if they would be willing to contribute it, but they seem to have gone silent). It may be time to move the SHA2 module into core, but there has been some discussion of the limitations of the current SHA2 module in the past that would likely need addressing. What do other folks think? * <https://github.com/wclarie/openldap-bcrypt/issues/1> --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

6 years, 9 months

2
1
0 / 0

ITS8529 -- Inclusion in RE24?

by Quanah Gibson-Mount

The patch for ITS8529 has been pushed to OpenLDAP master. Generally I'd push something like this to RE24 as well, except for the fact that it results in a behavior change vs prior releases (at least if OpenLDAP is linked to OpenSSL). On the plus side, the patch reveals potential misconfigurations that were previously not noted. On the minus side, it could affect someone's existing deployment. (Although that deployment would clearly be in error). I personally think it would be best to apply it to RE24, particularly given that it has security implications. I know Michael Stroeder already noted he would like to see it in RE24 as well. Does anyone have some good concrete reasons why it should not go into RE24? Thanks, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

6 years, 9 months

2
1
0 / 0

Re: test061 broken in HEAD for back-mdb

by Quanah Gibson-Mount

--On Friday, February 03, 2017 8:19 PM +0100 Dieter Klünter <dieter(a)dkluenter.de> wrote: > git branch -v > * OPENLDAP_REL_ENG_2_4 ab6f04c Fix comparison error > OPENLDAP_REL_ENG_2_5 0f7064d Merge remote-tracking branch > 'origin/master' into OPENLDAP_REL_ENG_2_5 > master c01bbc7 Tweak examples to use back-mdb > > anything else? 64 bit vs 32 bit? I've just done another 500 runs of test061 for RE24 with a fresh checkout, and it passed every time. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

6 years, 10 months

1
0
0 / 0

Re: test061 broken in HEAD for back-mdb

by Quanah Gibson-Mount

--On Friday, February 03, 2017 1:53 PM +0100 Dieter Klünter <dieter(a)dkluenter.de> wrote: > Am Wed, 01 Feb 2017 13:14:56 -0800 > schrieb Quanah Gibson-Mount <quanah(a)symas.com>: > >> For some reason, test061 routinely fails for back-mdb in HEAD. I've >> not had luck reproducing the issue with other backends or in RE24. >> >> To eliminate it being a replication delay, I increased the for loop >> to give 55 seconds time (1 through 10 seconds) chance to replicate. >> Most of the time the test fails in fewer than 50 iterations (most >> often fewer than 20), however one time it took as long as 85 >> iterations before failing. > [...] > > I now have intensively tested this issue and found occurrences in all > branches. Just some examples: > > ERROR: Entry 21 not replicated to ldap://localhost:9012/! (32)! > Error found after 1 of 1 iterations > Failed after 15 of 50 iterations > [dieter@pink tests (OPENLDAP_REL_ENG_2_4=)]$ > > ERROR: Entry 21 not replicated to ldap://localhost:9012/! (32)! > Error found after 1 of 1 iterations > Failed after 6 of 50 iterations > [dieter@pink tests (OPENLDAP_REL_ENG_2_5=)]$ > > I did about 100 test runs looping 50 times. In average every 7th > testrun failed. Interesting... I've had > 1000 passes and 0 failures in RE24. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

6 years, 10 months

2
1
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-devel February 2017