author | V3n3RiX <venerix@redcorelinux.org> | 2020-08-25 10:45:55 +0100 |
---|---|---|
committer | V3n3RiX <venerix@redcorelinux.org> | 2020-08-25 10:45:55 +0100 |
commit | 3cf7c3ef441822c889356fd1812ebf2944a59851 (patch) | |
tree | c513fe68548b40365c1c2ebfe35c58ad431cdd77 /net-nds/389-ds-base | |
parent | 05b8b0e0af1d72e51a3ee61522941bf7605cd01c (diff) |
gentoo resync : 25.08.2020
Diffstat (limited to 'net-nds/389-ds-base')
-rw-r--r-- | net-nds/389-ds-base/389-ds-base-1.3.6.8-r1.ebuild | 126 | ||||
-rw-r--r-- | net-nds/389-ds-base/389-ds-base-9999.ebuild | 133 | ||||
-rw-r--r-- | net-nds/389-ds-base/Manifest | 7 | ||||
-rw-r--r-- | net-nds/389-ds-base/files/389-ds-base-1.3.6-backport-invalid-password-mig.patch | 376 | ||||
-rw-r--r-- | net-nds/389-ds-base/files/389-ds-snmp.initd | 44 | ||||
-rw-r--r-- | net-nds/389-ds-base/files/389-ds.initd-r1 | 90 | ||||
-rw-r--r-- | net-nds/389-ds-base/metadata.xml | 23 |
7 files changed, 0 insertions, 799 deletions
diff --git a/net-nds/389-ds-base/389-ds-base-1.3.6.8-r1.ebuild b/net-nds/389-ds-base/389-ds-base-1.3.6.8-r1.ebuild
deleted file mode 100644
index 1d33087c4d28..000000000000
--- a/net-nds/389-ds-base/389-ds-base-1.3.6.8-r1.ebuild
+++ /dev/null
@@ -1,126 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=5
-
-WANT_AUTOMAKE="1.13"
-
-inherit user eutils multilib flag-o-matic autotools
-
-DESCRIPTION="389 Directory Server (core librares and daemons )"
-HOMEPAGE="http://www.port389.org/"
-SRC_URI="http://www.port389.org/sources/${P}.tar.bz2"
-
-LICENSE="GPL-3+"
-SLOT="0"
-KEYWORDS="~amd64 ~x86"
-IUSE="autobind auto-dn-suffix debug doc +pam-passthru +dna +ldapi +bitwise presence kerberos selinux"
-
-# Pinned to db:4.8 as it is the current stable, can change to a later db version < 6 when they stabilize.
-# The --with-db-inc line in econf will need to be updated as well when changing db version.
-COMMON_DEPEND="
- sys-libs/db:4.8
- >=dev-libs/cyrus-sasl-2.1.19
- >=net-analyzer/net-snmp-5.1.2
- >=dev-libs/icu-3.4:=
- >=dev-libs/nss-3.22[utils]
- dev-libs/nspr
- >=dev-libs/svrcore-4.1.2
- dev-libs/openssl:0=
- dev-libs/libpcre:3
- >=dev-perl/perl-mozldap-1.5.3
- dev-perl/NetAddr-IP
- net-nds/openldap
- sys-libs/pam
- sys-libs/zlib
- kerberos? ( >=app-crypt/mit-krb5-1.7-r100[openldap] )"
-
-DEPEND="${COMMON_DEPEND}
- virtual/pkgconfig
- doc? ( app-doc/doxygen )"
-
-RDEPEND="${COMMON_DEPEND}
- selinux? ( sec-policy/selinux-dirsrv )
- virtual/perl-Time-Local
- virtual/perl-MIME-Base64"
-
-pkg_setup() {
- enewgroup dirsrv
- enewuser dirsrv -1 -1 -1 dirsrv
-}
-
-src_prepare() {
- # as per 389 documentation, when 64bit, export USE_64
- use amd64 && export USE_64=1
-
- epatch "${FILESDIR}/389-ds-base-1.3.6-backport-invalid-password-mig.patch"
-
- eautoreconf
-
- append-lfs-flags
-}
-
-src_configure() {
- econf \
- $(use_enable debug) \
- $(use_enable pam-passthru) \
- $(use_enable ldapi) \
- $(use_enable autobind) \
- $(use_enable dna) \
- $(use_enable bitwise) \
- $(use_enable presence) \
- $(use_with kerberos) \
- $(use_enable auto-dn-suffix) \
- --with-initddir=no \
- --enable-maintainer-mode \
- --with-fhs \
- --with-openldap \
- --sbindir=/usr/sbin \
- --bindir=/usr/bin \
- --with-db-inc=/usr/include/db4.8
-
-}
-
-src_compile() {
- default
- if use doc; then
- doxygen slapi.doxy || die "cannot run doxygen"
- fi
-}
-
-src_install() {
- # -j1 is a temporary workaround for bug #605432
- emake -j1 DESTDIR="${D}" install
-
- # Install gentoo style init script
- # Get these merged upstream
- newinitd "${FILESDIR}"/389-ds.initd-r1 389-ds
- newinitd "${FILESDIR}"/389-ds-snmp.initd 389-ds-snmp
-
- # cope with libraries being in /usr/lib/dirsrv
- dodir /etc/env.d
- echo "LDPATH=/usr/$(get_libdir)/dirsrv" > "${D}"/etc/env.d/08dirsrv
-
- if use doc; then
- cd "${S}" || die
- docinto html/
- dodoc -r docs/html/.
- fi
-}
-
-pkg_postinst() {
- echo
- elog "If you are planning to use 389-ds-snmp (ldap-agent),"
- elog "make sure to properly configure: /etc/dirsrv/config/ldap-agent.conf"
- elog "adding proper 'server' entries, and adding the lines below to"
- elog " => /etc/snmp/snmpd.conf"
- elog
- elog "master agentx"
- elog "agentXSocket /var/agentx/master"
- elog
- elog "To start 389 Directory Server (LDAP service) at boot:"
- elog
- elog " rc-update add 389-ds default"
- elog
- echo
-}
diff --git a/net-nds/389-ds-base/389-ds-base-9999.ebuild b/net-nds/389-ds-base/389-ds-base-9999.ebuild
deleted file mode 100644
index 6e1b2eec30fc..000000000000
--- a/net-nds/389-ds-base/389-ds-base-9999.ebuild
+++ /dev/null
@@ -1,133 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=5
-
-WANT_AUTOMAKE="1.13"
-
-inherit user eutils multilib flag-o-matic autotools git-r3
-
-DESCRIPTION="389 Directory Server (core librares and daemons )"
-HOMEPAGE="http://www.port389.org/"
-SRC_URI=""
-EGIT_REPO_URI="https://pagure.io/389-ds-base.git"
-
-LICENSE="GPL-3+"
-SLOT="0"
-KEYWORDS=""
-IUSE="autobind auto-dn-suffix debug doc +pam-passthru +dna +ldapi +bitwise kerberos selinux test"
-RESTRICT="!test? ( test )"
-
-# Pinned to db:4.8 as it is the current stable, can change to a later db version < 6 when they stabilize.
-# The --with-db-inc line in econf will need to be updated as well when changing db version.
-COMMON_DEPEND="
- sys-libs/db:4.8
- >=dev-libs/cyrus-sasl-2.1.19
- >=net-analyzer/net-snmp-5.1.2
- >=dev-libs/icu-3.4:=
- >=dev-libs/nss-3.22[utils]
- dev-libs/nspr
- >=dev-libs/svrcore-4.1.2
- dev-libs/openssl:0=
- dev-libs/libpcre:3
- >=dev-perl/perl-mozldap-1.5.3
- dev-perl/NetAddr-IP
- net-nds/openldap
- sys-libs/pam
- sys-libs/zlib
- dev-libs/libevent
- dev-util/cmocka
- kerberos? ( >=app-crypt/mit-krb5-1.7-r100[openldap] )"
-
-DEPEND="${COMMON_DEPEND}
- virtual/pkgconfig
- doc? ( app-doc/doxygen )"
-
-RDEPEND="${COMMON_DEPEND}
- selinux? ( sec-policy/selinux-dirsrv )
- virtual/perl-Time-Local
- virtual/perl-MIME-Base64"
-
-pkg_setup() {
- enewgroup dirsrv
- enewuser dirsrv -1 -1 -1 dirsrv
-}
-
-src_prepare() {
- # as per 389 documentation, when 64bit, export USE_64
- use amd64 && export USE_64=1
-
- eautoreconf
-
- append-lfs-flags
-}
-
-src_configure() {
- econf \
- $(use_enable debug) \
- $(use_enable pam-passthru) \
- $(use_enable ldapi) \
- $(use_enable autobind) \
- $(use_enable dna) \
- $(use_enable bitwise) \
- $(use_with kerberos) \
- $(use_enable auto-dn-suffix) \
- $(use_enable test cmocka) \
- --with-initddir=no \
- --enable-maintainer-mode \
- --with-fhs \
- --with-openldap \
- --sbindir=/usr/sbin \
- --bindir=/usr/bin \
- --with-db-inc=/usr/include/db4.8
-
-}
-
-src_compile() {
- default
- if use doc; then
- doxygen docs/slapi.doxy || die "cannot run doxygen"
- fi
-}
-
-src_test() {
- # -j1 is a temporary workaround for bug #605432
- emake -j1 check
-}
-
-src_install() {
- # -j1 is a temporary workaround for bug #605432
- emake -j1 DESTDIR="${D}" install
-
- # Install gentoo style init script
- # Get these merged upstream
- newinitd "${FILESDIR}"/389-ds.initd-r1 389-ds
- newinitd "${FILESDIR}"/389-ds-snmp.initd 389-ds-snmp
-
- # cope with libraries being in /usr/lib/dirsrv
- dodir /etc/env.d
- echo "LDPATH=/usr/$(get_libdir)/dirsrv" > "${D}"/etc/env.d/08dirsrv
-
- if use doc; then
- cd "${S}" || die
- docinto html/
- dodoc -r docs/html/.
- fi
-}
-
-pkg_postinst() {
- echo
- elog "If you are planning to use 389-ds-snmp (ldap-agent),"
- elog "make sure to properly configure: /etc/dirsrv/config/ldap-agent.conf"
- elog "adding proper 'server' entries, and adding the lines below to"
- elog " => /etc/snmp/snmpd.conf"
- elog
- elog "master agentx"
- elog "agentXSocket /var/agentx/master"
- elog
- elog "To start 389 Directory Server (LDAP service) at boot:"
- elog
- elog " rc-update add 389-ds default"
- elog
- echo
-}
diff --git a/net-nds/389-ds-base/Manifest b/net-nds/389-ds-base/Manifest
deleted file mode 100644
index e47afd21f6b5..000000000000
--- a/net-nds/389-ds-base/Manifest
+++ /dev/null
@@ -1,7 +0,0 @@
-AUX 389-ds-base-1.3.6-backport-invalid-password-mig.patch 14710 BLAKE2B f24eb143f304923fd9d1c4deac139d13bef55212a1e3a6935b3c5f0c702b09f143021139e25f70c85c39917bdc98f0a0d2fdeb451a6cea542ba8def532794767 SHA512 b8802724887df00f202fe59b36112c77fb7d2ac0df7373e739f02dca6850d455129637a3c84e6e329c37466589785c6afb05d7ff704c77abe8295197b87a217f
-AUX 389-ds-snmp.initd 960 BLAKE2B cb5b19fb168bb810aff2d4955a3a87b6dfdef6591e2a97182dd84f102ae9214760726d9a56b29d227f2fb4b109be04f81072a6b82106b9f73298b47735a0f360 SHA512 bb76a068aa5422664c3fc87d5c28124b26d6dbc88cd88856826ae905a4149a6a1d03ec562dcace1cebc6caaa0ca3c6e9346c1af5703d89e1da600df8ca4a4ba8
-AUX 389-ds.initd-r1 2366 BLAKE2B 563dabc9ba0d3720956811ac52f85f9257e588953e3b1bfde3fc4ca7749b72604ee5a608c050cdc5222691f541bfd691c5259ac9e60194a669cfa06cd6c76794 SHA512 530316eccf25196453a51398b810dc6ca14a9bf6f8e4487cfd42d00df190653a197b1effae357c6d9e5d00cd51e8e7d47092d0ecddf2d71d6fa100b58d19b6d7
-DIST 389-ds-base-1.3.6.8.tar.bz2 3440164 BLAKE2B 20ff28fc1d59452e48ec6684f844dd2dec2f33492aa142c915029dfb6b0535860f4f598872d2de5d33ed8cb9b5a0d3ae47b1666cac54a4b38f0f4f954cdaf85f SHA512 b08a87bffbdf8e4c6bf6b4f87394aa0a12b8b44fcadec2f97c146b3a21ff89f5f547080aacb0ecda9b91aca83f8bf093b64c2569b2d8be84ffe22439be446234
-EBUILD 389-ds-base-1.3.6.8-r1.ebuild 3030 BLAKE2B 2c5a1cc34e07a34b79690adb8cb168af0fd2a31bb8996e96ab6d095bca71e427b1b74c1aeee48033d6dff496bcf440d726399a4a4fced45ff9a257d53d1e2421 SHA512 fa20a7dc388ac132bb9f56fd86cb47c0e58171ffc1c82597f0b42869fe4c68b584b4efcf6e5d76a3fca1dc6849b1f8ad8d62cf44894080fab25b581ed7ce658d
-EBUILD 389-ds-base-9999.ebuild 3105 BLAKE2B d28e621b98afc7a890e4eadc9b07827eb32e2dc60d48956e1a35d051fdcb5f0af89666fe1b8d456989b5b7525e350fb0750cddf2f72ecf3a89a11129d72e842d SHA512 e2b6a0b06a965e875aa3149060b29fe587e2f7eb59ac3190244e984eb1d28225e6b6fc01865bc594e7e3d834999fbe9da0a4a39129d970276a6614e407a694ad
-MISC metadata.xml 1019 BLAKE2B 0258798048756a11ef38481a5abbe2c3e80d186bc3d4474771232397e4ec48a270fed6a0867efafb31c4261caf130511083e65f434f03e8486713a710bd2c470 SHA512 d63ffd88de13739f9889f064cdc135ca0f82e0ecde52617e8bbe477049f0e911e3d79514dbef3ff5913b1760889a20035f89118b760ab241fe864b0d07f694a3
diff --git a/net-nds/389-ds-base/files/389-ds-base-1.3.6-backport-invalid-password-mig.patch b/net-nds/389-ds-base/files/389-ds-base-1.3.6-backport-invalid-password-mig.patch
deleted file mode 100644
index b4ba70a2fb5f..000000000000
--- a/net-nds/389-ds-base/files/389-ds-base-1.3.6-backport-invalid-password-mig.patch
+++ /dev/null
@@ -1,376 +0,0 @@ -From cefec5714cf0fdec4aa582a5fe020ef80d6024cd Mon Sep 17 00:00:00 2001 -From: William Brown <firstyear@redhat.com> -Date: Thu, 18 Jan 2018 11:27:58 +1000 -Subject: [PATCH] Ticket bz1525628 1.3.6 backport - invalid password migration - causes unauth bind - -Bug Description: Slapi_ct_memcmp expects both inputs to be -at LEAST size n. If they are not, we only compared UP to n. - -Invalid migrations of passwords (IE {CRYPT}XX) would create -a pw which is just salt and no hash. ct_memcmp would then -only verify the salt bits and would allow the authentication. - -This relies on an administrative mistake both of allowing -password migration (nsslapd-allow-hashed-passwords) and then -subsequently migrating an INVALID password to the server. - -Fix Description: slapi_ct_memcmp now access n1, n2 size -and will FAIL if they are not the same, but will still compare -n bytes, where n is the "longest" memory, to the first byte -of the other to prevent length disclosure of the shorter -value (generally the mis-migrated password) - -https://bugzilla.redhat.com/show_bug.cgi?id=1525628 - -Author: wibrown - -Review by: ??? 
---- - .../bz1525628_ct_memcmp_invalid_hash_test.py | 56 ++++++++++++++++++++ - ldap/servers/plugins/pwdstorage/clear_pwd.c | 4 +- - ldap/servers/plugins/pwdstorage/crypt_pwd.c | 4 +- - ldap/servers/plugins/pwdstorage/md5_pwd.c | 36 ++++++------- - ldap/servers/plugins/pwdstorage/sha_pwd.c | 18 +++++-- - ldap/servers/plugins/pwdstorage/smd5_pwd.c | 60 +++++++++++----------- - ldap/servers/slapd/ch_malloc.c | 36 +++++++++++-- - ldap/servers/slapd/slapi-plugin.h | 2 +- - 8 files changed, 155 insertions(+), 61 deletions(-) - create mode 100644 dirsrvtests/tests/suites/password/bz1525628_ct_memcmp_invalid_hash_test.py - -diff --git a/dirsrvtests/tests/suites/password/bz1525628_ct_memcmp_invalid_hash_test.py b/dirsrvtests/tests/suites/password/bz1525628_ct_memcmp_invalid_hash_test.py -new file mode 100644 -index 0000000..2f38384 ---- /dev/null -+++ b/dirsrvtests/tests/suites/password/bz1525628_ct_memcmp_invalid_hash_test.py -@@ -0,0 +1,56 @@ -+# --- BEGIN COPYRIGHT BLOCK --- -+# Copyright (C) 2018 Red Hat, Inc. -+# All rights reserved. -+# -+# License: GPL (version 3 or any later version). -+# See LICENSE for details. -+# --- END COPYRIGHT BLOCK --- -+# -+ -+import ldap -+import pytest -+import logging -+from lib389.topologies import topology_st -+from lib389._constants import PASSWORD, DEFAULT_SUFFIX -+ -+from lib389.idm.user import UserAccounts, TEST_USER_PROPERTIES -+ -+logging.getLogger(__name__).setLevel(logging.DEBUG) -+log = logging.getLogger(__name__) -+ -+def test_invalid_hash_fails(topology_st): -+ """When given a malformed hash from userpassword migration -+ slapi_ct_memcmp would check only to the length of the shorter -+ field. This affects some values where it would ONLY verify -+ the salt is valid, and thus would allow any password to bind. -+ -+ :id: 8131c029-7147-47db-8d03-ec5db2a01cfb -+ :setup: Standalone Instance -+ :steps: -+ 1. Create a user -+ 2. Add an invalid password hash (truncated) -+ 3. Attempt to bind -+ :expectedresults: -+ 1. 
User is added -+ 2. Invalid pw hash is added -+ 3. Bind fails -+ """ -+ log.info("Running invalid hash test") -+ -+ # Allow setting raw password hashes for migration. -+ topology_st.standalone.config.set('nsslapd-allow-hashed-passwords', 'on') -+ -+ users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX) -+ user = users.create(properties=TEST_USER_PROPERTIES) -+ user.set('userPassword', '{CRYPT}XX') -+ -+ # Attempt to bind. This should fail. -+ with pytest.raises(ldap.INVALID_CREDENTIALS): -+ user.bind(PASSWORD) -+ with pytest.raises(ldap.INVALID_CREDENTIALS): -+ user.bind('XX') -+ with pytest.raises(ldap.INVALID_CREDENTIALS): -+ user.bind('{CRYPT}XX') -+ -+ log.info("PASSED") -+ -diff --git a/ldap/servers/plugins/pwdstorage/clear_pwd.c b/ldap/servers/plugins/pwdstorage/clear_pwd.c -index b9b362d..050e60d 100644 ---- a/ldap/servers/plugins/pwdstorage/clear_pwd.c -+++ b/ldap/servers/plugins/pwdstorage/clear_pwd.c -@@ -39,7 +39,7 @@ clear_pw_cmp( const char *userpwd, const char *dbpwd ) - * However, even if the first part of userpw matches dbpwd, but len !=, we - * have already failed anyawy. This prevents substring matching. - */ -- if (slapi_ct_memcmp(userpwd, dbpwd, len_dbp) != 0) { -+ if (slapi_ct_memcmp(userpwd, dbpwd, len_user, len_dbp) != 0) { - result = 1; - } - } else { -@@ -51,7 +51,7 @@ clear_pw_cmp( const char *userpwd, const char *dbpwd ) - * dbpwd to itself. We have already got result == 1 if we are here, so we are - * just trying to take up time! - */ -- if (slapi_ct_memcmp(dbpwd, dbpwd, len_dbp)) { -+ if (slapi_ct_memcmp(dbpwd, dbpwd, len_dbp, len_dbp)) { - /* Do nothing, we have the if to fix a coverity check. 
*/ - } - } -diff --git a/ldap/servers/plugins/pwdstorage/crypt_pwd.c b/ldap/servers/plugins/pwdstorage/crypt_pwd.c -index dfd5af9..5fcff13 100644 ---- a/ldap/servers/plugins/pwdstorage/crypt_pwd.c -+++ b/ldap/servers/plugins/pwdstorage/crypt_pwd.c -@@ -56,13 +56,13 @@ crypt_close(Slapi_PBlock *pb __attribute__((unused))) - int - crypt_pw_cmp( const char *userpwd, const char *dbpwd ) - { -- int rc; -+ int32_t rc; - char *cp; - PR_Lock(cryptlock); - /* we use salt (first 2 chars) of encoded password in call to crypt() */ - cp = crypt( userpwd, dbpwd ); - if (cp) { -- rc= slapi_ct_memcmp( dbpwd, cp, strlen(dbpwd)); -+ rc = slapi_ct_memcmp(dbpwd, cp, strlen(dbpwd), strlen(cp)); - } else { - rc = -1; - } -diff --git a/ldap/servers/plugins/pwdstorage/md5_pwd.c b/ldap/servers/plugins/pwdstorage/md5_pwd.c -index b279946..2e1c472 100644 ---- a/ldap/servers/plugins/pwdstorage/md5_pwd.c -+++ b/ldap/servers/plugins/pwdstorage/md5_pwd.c -@@ -30,13 +30,13 @@ - int - md5_pw_cmp( const char *userpwd, const char *dbpwd ) - { -- int rc=-1; -- char * bver; -- PK11Context *ctx=NULL; -- unsigned int outLen; -- unsigned char hash_out[MD5_HASH_LEN]; -- unsigned char b2a_out[MD5_HASH_LEN*2]; /* conservative */ -- SECItem binary_item; -+ int32_t rc = -1; -+ char *bver; -+ PK11Context *ctx = NULL; -+ unsigned int outLen; -+ unsigned char hash_out[MD5_HASH_LEN]; -+ unsigned char b2a_out[MD5_HASH_LEN * 2]; /* conservative */ -+ SECItem binary_item; - - ctx = PK11_CreateDigestContext(SEC_OID_MD5); - if (ctx == NULL) { -@@ -51,17 +51,17 @@ md5_pw_cmp( const char *userpwd, const char *dbpwd ) - PK11_DigestFinal(ctx, hash_out, &outLen, sizeof hash_out); - PK11_DestroyContext(ctx, 1); - -- /* convert the binary hash to base64 */ -- binary_item.data = hash_out; -- binary_item.len = outLen; -- bver = NSSBase64_EncodeItem(NULL, (char *)b2a_out, sizeof b2a_out, &binary_item); -- /* bver points to b2a_out upon success */ -- if (bver) { -- rc = slapi_ct_memcmp(bver,dbpwd, strlen(dbpwd)); -- } else { -- 
slapi_log_err(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME, -- "Could not base64 encode hashed value for password compare"); -- } -+ /* convert the binary hash to base64 */ -+ binary_item.data = hash_out; -+ binary_item.len = outLen; -+ bver = NSSBase64_EncodeItem(NULL, (char *)b2a_out, sizeof b2a_out, &binary_item); -+ /* bver points to b2a_out upon success */ -+ if (bver) { -+ rc = slapi_ct_memcmp(bver, dbpwd, strlen(dbpwd), strlen(bver)); -+ } else { -+ slapi_log_err(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME, -+ "Could not base64 encode hashed value for password compare"); -+ } - loser: - return rc; - } -diff --git a/ldap/servers/plugins/pwdstorage/sha_pwd.c b/ldap/servers/plugins/pwdstorage/sha_pwd.c -index 5f41c5b..c9db896 100644 ---- a/ldap/servers/plugins/pwdstorage/sha_pwd.c -+++ b/ldap/servers/plugins/pwdstorage/sha_pwd.c -@@ -49,7 +49,7 @@ sha_pw_cmp (const char *userpwd, const char *dbpwd, unsigned int shaLen ) - char userhash[MAX_SHA_HASH_SIZE]; - char quick_dbhash[MAX_SHA_HASH_SIZE + SHA_SALT_LENGTH + 3]; - char *dbhash = quick_dbhash; -- struct berval salt; -+ struct berval salt = {0}; - PRUint32 hash_len; - unsigned int secOID; - char *schemeName; -@@ -120,10 +120,20 @@ sha_pw_cmp (const char *userpwd, const char *dbpwd, unsigned int shaLen ) - } - - /* the proof is in the comparison... */ -- if ( hash_len >= shaLen ) { -- result = slapi_ct_memcmp( userhash, dbhash, shaLen ); -+ if (hash_len >= shaLen) { -+ /* -+ * This say "if the hash has a salt IE >, OR if they are equal, check the hash component ONLY. -+ * This is why we repeat shaLen twice, even though it seems odd. If you have a dbhast of ssha -+ * it's len is 28, and the userpw is 20, but 0 - 20 is the sha, and 21-28 is the salt, which -+ * has already been processed into userhash. -+ * The case where dbpwd is truncated is handled above in "invalid base64" arm. 
-+ */ -+ result = slapi_ct_memcmp(userhash, dbhash, shaLen, shaLen); - } else { -- result = slapi_ct_memcmp( userhash, dbhash + OLD_SALT_LENGTH, hash_len - OLD_SALT_LENGTH ); -+ /* This case is for if the salt is at the START, which only applies to DS40B1 case. -+ * May never be a valid check... -+ */ -+ result = slapi_ct_memcmp(userhash, dbhash + OLD_SALT_LENGTH, shaLen, hash_len - OLD_SALT_LENGTH); - } - - loser: -diff --git a/ldap/servers/plugins/pwdstorage/smd5_pwd.c b/ldap/servers/plugins/pwdstorage/smd5_pwd.c -index 2e9d195..f6b4bb4 100644 ---- a/ldap/servers/plugins/pwdstorage/smd5_pwd.c -+++ b/ldap/servers/plugins/pwdstorage/smd5_pwd.c -@@ -52,35 +52,37 @@ smd5_pw_cmp( const char *userpwd, const char *dbpwd ) - /* - * Decode hash stored in database. - */ -- hash_len = pwdstorage_base64_decode_len(dbpwd, 0); -- if ( hash_len >= sizeof(quick_dbhash) ) { /* get more space: */ -- dbhash = (char*) slapi_ch_calloc( hash_len + 1, sizeof(char) ); -- if ( dbhash == NULL ) goto loser; -- } else { -- memset( quick_dbhash, 0, sizeof(quick_dbhash) ); -- } -- -- hashresult = PL_Base64Decode( dbpwd, 0, dbhash ); -- if (NULL == hashresult) { -- slapi_log_err(SLAPI_LOG_PLUGIN, SALTED_MD5_SUBSYSTEM_NAME, -- "smd5_pw_cmp: userPassword \"%s\" is the wrong length " -- "or is not properly encoded BASE64\n", dbpwd ); -- goto loser; -- } -- -- salt.bv_val = (void*)(dbhash + MD5_LENGTH); /* salt starts after hash value */ -- salt.bv_len = hash_len - MD5_LENGTH; /* remaining bytes must be salt */ -- -- /* create the hash */ -- memset( userhash, 0, sizeof(userhash) ); -- PK11_DigestBegin(ctx); -- PK11_DigestOp(ctx, (const unsigned char *)userpwd, strlen(userpwd)); -- PK11_DigestOp(ctx, (unsigned char*)(salt.bv_val), salt.bv_len); -- PK11_DigestFinal(ctx, userhash, &outLen, sizeof userhash); -- PK11_DestroyContext(ctx, 1); -- -- /* Compare everything up to the salt. 
*/ -- rc = slapi_ct_memcmp( userhash, dbhash, MD5_LENGTH ); -+ hash_len = pwdstorage_base64_decode_len(dbpwd, 0); -+ if (hash_len >= sizeof(quick_dbhash)) { /* get more space: */ -+ dbhash = (char *)slapi_ch_calloc(hash_len + 1, sizeof(char)); -+ if (dbhash == NULL) -+ goto loser; -+ } else { -+ memset(quick_dbhash, 0, sizeof(quick_dbhash)); -+ } -+ -+ hashresult = PL_Base64Decode(dbpwd, 0, dbhash); -+ if (NULL == hashresult) { -+ slapi_log_err(SLAPI_LOG_PLUGIN, SALTED_MD5_SUBSYSTEM_NAME, -+ "smd5_pw_cmp: userPassword \"%s\" is the wrong length " -+ "or is not properly encoded BASE64\n", -+ dbpwd); -+ goto loser; -+ } -+ -+ salt.bv_val = (void *)(dbhash + MD5_LENGTH); /* salt starts after hash value */ -+ salt.bv_len = hash_len - MD5_LENGTH; /* remaining bytes must be salt */ -+ -+ /* create the hash */ -+ memset(userhash, 0, sizeof(userhash)); -+ PK11_DigestBegin(ctx); -+ PK11_DigestOp(ctx, (const unsigned char *)userpwd, strlen(userpwd)); -+ PK11_DigestOp(ctx, (unsigned char *)(salt.bv_val), salt.bv_len); -+ PK11_DigestFinal(ctx, userhash, &outLen, sizeof userhash); -+ PK11_DestroyContext(ctx, 1); -+ -+ /* Compare everything up to the salt. */ -+ rc = slapi_ct_memcmp(userhash, dbhash, MD5_LENGTH, MD5_LENGTH); - - loser: - if ( dbhash && dbhash != quick_dbhash ) slapi_ch_free_string( (char **)&dbhash ); -diff --git a/ldap/servers/slapd/ch_malloc.c b/ldap/servers/slapd/ch_malloc.c -index 52ccb64..66cb692 100644 ---- a/ldap/servers/slapd/ch_malloc.c -+++ b/ldap/servers/slapd/ch_malloc.c -@@ -343,8 +343,8 @@ slapi_ch_smprintf(const char *fmt, ...) - - /* Constant time memcmp. Does not shortcircuit on failure! */ - /* This relies on p1 and p2 both being size at least n! 
*/ --int --slapi_ct_memcmp( const void *p1, const void *p2, size_t n) -+int32_t -+slapi_ct_memcmp(const void *p1, const void *p2, size_t n1, size_t n2) - { - int result = 0; - const unsigned char *_p1 = (const unsigned char *)p1; -@@ -354,9 +354,35 @@ slapi_ct_memcmp( const void *p1, const void *p2, size_t n) - return 2; - } - -- for (size_t i = 0; i < n; i++) { -- if (_p1[i] ^ _p2[i]) { -- result = 1; -+ if (n1 == n2) { -+ for (size_t i = 0; i < n1; i++) { -+ if (_p1[i] ^ _p2[i]) { -+ result = 1; -+ } -+ } -+ } else { -+ const unsigned char *_pa; -+ const unsigned char *_pb; -+ size_t nl; -+ if (n2 > n1) { -+ _pa = _p2; -+ _pb = _p2; -+ nl = n2; -+ } else { -+ _pa = _p1; -+ _pb = _p1; -+ nl = n1; -+ } -+ /* We already fail as n1 != n2 */ -+ result = 3; -+ for (size_t i = 0; i < nl; i++) { -+ if (_pa[i] ^ _pb[i]) { -+ /* -+ * If we don't mutate result here, dead code elimination -+ * we remove for loop. -+ */ -+ result = 4; -+ } - } - } - return result; -diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h -index d37bc63..2c5c4ce 100644 ---- a/ldap/servers/slapd/slapi-plugin.h -+++ b/ldap/servers/slapd/slapi-plugin.h -@@ -5859,7 +5859,7 @@ char * slapi_ch_smprintf(const char *fmt, ...) - * \param n length in bytes of the content of p1 AND p2. - * \return 0 on match. 1 on non-match. 2 on presence of NULL pointer in p1 or p2. - */ --int slapi_ct_memcmp( const void *p1, const void *p2, size_t n); -+int32_t slapi_ct_memcmp(const void *p1, const void *p2, size_t n1, size_t n2); - - /* - * syntax plugin routines --- -1.8.3.1 - diff --git a/net-nds/389-ds-base/files/389-ds-snmp.initd b/net-nds/389-ds-base/files/389-ds-snmp.initd deleted file mode 100644 index 94df1580d76b..000000000000 --- a/net-nds/389-ds-base/files/389-ds-snmp.initd +++ /dev/null 
@@ -1,44 +0,0 @@ -#!/sbin/openrc-run -# Copyright 1999-2010 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -PIDFILE="/var/run/ldap-agent.pid" -CONFIGFILE="/etc/dirsrv/config/ldap-agent.conf" - -# instance support in progress - -depend() { - need net - use logger snmpd -} - -start() { - ebegin "Starting 389 Directory Server ldap-snmp agent" - start-stop-daemon --start --quiet -b \ - --pidfile ${PIDFILE} --exec /usr/sbin/ldap-agent -- ${CONFIGFILE} - eend ${?} - if [ "${?}" != "0" ]; then - local entries=/etc/dirsrv/slapd-* - if [ -n "${entries}" ]; then - ewarn "Please make sure that ${CONFIGFILE} contains at least" - ewarn "one of the following entries:" - for entry in ${entries}; do - entry=$(basename ${entry}) - ewarn "server ${entry}" - done - fi - fi -} - -stop() { - ebegin "Stopping 389 Directory Server ldap-snmp agent" - start-stop-daemon --stop --quiet --pidfile ${PIDFILE} - eend ${?} - -} - -restart() { - svc_stop - sleep 2 - svc_start -} diff --git a/net-nds/389-ds-base/files/389-ds.initd-r1 b/net-nds/389-ds-base/files/389-ds.initd-r1 deleted file mode 100644 index bc9e6e1bb3a7..000000000000 --- a/net-nds/389-ds-base/files/389-ds.initd-r1 +++ /dev/null 
@@ -1,90 +0,0 @@ -#!/sbin/openrc-run -# Copyright 1999-2016 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -DIRSRV_EXEC="/usr/sbin/ns-slapd" -PID_DIRECTORY="/var/run/dirsrv" -LOCK_DIRECTORY="/var/lock/dirsrv" -DIRSRV_CONF_DIR="/etc/dirsrv" -DS_INSTANCES=${DIRSRV_CONF_DIR}/slapd-* -F389DS_INSTANCES="" - -depend() { - need net logger - use dns - provide dirsvr ldap -} - -checkconfig() { - if [ -z "${DS_INSTANCES}" ]; then - eerror "389 Directory Server has not been configured." - eend 1 - return 1 - fi -} - -start() { - checkconfig || return 1 - - for instance in ${DS_INSTANCES}; do - instance=$(basename ${instance}) - # skip .removed instances, bug #338133 - if [ "${instance%%.removed}" != "${instance}" ]; then - continue - fi - # Create the required directories in case they got nuked - mkdir -p ${PID_DIRECTORY} - mkdir -p ${LOCK_DIRECTORY}/${instance} - # This will probably break one day, we should be pulling out the suitespotuser from dse.ldif - chown dirsrv: ${PID_DIRECTORY} - chown dirsrv: ${LOCK_DIRECTORY}/${instance} - ebegin "Starting 389 Directory Server: instance ${instance}" - start-stop-daemon --start --quiet -m \ - --pidfile ${PID_DIRECTORY}/${instance}.startpid \ - --exec ${DIRSRV_EXEC} -- -D ${DIRSRV_CONF_DIR}/${instance} \ - -i ${PID_DIRECTORY}/${instance}.pid \ - -w ${PID_DIRECTORY}/${instance}.startpid - sts=${?} - eend ${sts} - if [ "${sts}" != "0" ]; then - return 1 - fi - done -} - - - -stop() { - checkconfig || return 1 - - for instance in ${DS_INSTANCES}; do - instance=$(basename ${instance}) - if [ "${instance%%.removed}" != "${instance}" ]; then - continue - fi - ebegin "Stopping 389 Directory Server: instance ${instance}" - start-stop-daemon --stop --quiet \ - --pidfile ${PID_DIRECTORY}/${instance}.pid \ - --exec ${DIRSRV_EXEC} - eend ${?} - done -} - -status() { - for instance in ${DS_INSTANCES}; do - instance=$(basename ${instance}) - if [ "${instance%%.removed}" != "${instance}" ]; then - continue 
- fi - if [ -e ${PID_DIRECTORY}/${instance}.pid ]; then - pid=$(cat ${PID_DIRECTORY}/${instance}.pid) - if [ $(echo "$pid" | grep -c $pid) -ge 1 ]; then - einfo "389 Directory Server: instance ${instance} (pid $pid) running." - else - ewarn "389 Directory Server: instance ${instance} (pid $pid) NOT running." - fi - else - eerror "389 Directory Server: instance ${instance} is NOT running." - fi - done -} diff --git a/net-nds/389-ds-base/metadata.xml b/net-nds/389-ds-base/metadata.xml deleted file mode 100644 index 55831e027b4c..000000000000 --- a/net-nds/389-ds-base/metadata.xml +++ /dev/null @@ -1,23 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd"> -<pkgmetadata> - <!-- maintainer-needed --> - <longdescription>The enterprise-class Open Source LDAP server for Linux - </longdescription> -<use> - <flag name="pam-passthru">Enable pam-passthru plugin - for simple and - fast system services used in ldap</flag> - <flag name="dna">Enable dna (distributed numeric assignment ) plugin - to - automatically assign unique uid numbers to new user entries as they - are created.</flag> - <flag name="presence">Enable presence plugin - non-standard syntax - validation</flag> - <flag name="bitwise">Enable bitwise plugin - supported data in raw/bitwise - format</flag> - <flag name="autobind">Enable auto bind over unix domain socket (LDAPI) - support</flag> - <flag name="auto-dn-suffix">Enable auto bind with auto dn suffix over unix - domain socket (LDAPI) support</flag> - <flag name="ldapi">Enable LDAP over unix domain socket (LDAPI) support</flag> -</use> -</pkgmetadata> |