authorV3n3RiX <venerix@redcorelinux.org>2020-08-25 10:45:55 +0100
committerV3n3RiX <venerix@redcorelinux.org>2020-08-25 10:45:55 +0100
commit3cf7c3ef441822c889356fd1812ebf2944a59851 (patch)
treec513fe68548b40365c1c2ebfe35c58ad431cdd77 /net-nds/389-ds-base
parent05b8b0e0af1d72e51a3ee61522941bf7605cd01c (diff)
gentoo resync : 25.08.2020
Diffstat (limited to 'net-nds/389-ds-base')
-rw-r--r--net-nds/389-ds-base/389-ds-base-1.3.6.8-r1.ebuild126
-rw-r--r--net-nds/389-ds-base/389-ds-base-9999.ebuild133
-rw-r--r--net-nds/389-ds-base/Manifest7
-rw-r--r--net-nds/389-ds-base/files/389-ds-base-1.3.6-backport-invalid-password-mig.patch376
-rw-r--r--net-nds/389-ds-base/files/389-ds-snmp.initd44
-rw-r--r--net-nds/389-ds-base/files/389-ds.initd-r190
-rw-r--r--net-nds/389-ds-base/metadata.xml23
7 files changed, 0 insertions, 799 deletions
diff --git a/net-nds/389-ds-base/389-ds-base-1.3.6.8-r1.ebuild b/net-nds/389-ds-base/389-ds-base-1.3.6.8-r1.ebuild
deleted file mode 100644
index 1d33087c4d28..000000000000
--- a/net-nds/389-ds-base/389-ds-base-1.3.6.8-r1.ebuild
+++ /dev/null
@@ -1,126 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=5
-
-WANT_AUTOMAKE="1.13"
-
-inherit user eutils multilib flag-o-matic autotools
-
-DESCRIPTION="389 Directory Server (core librares and daemons )"
-HOMEPAGE="http://www.port389.org/"
-SRC_URI="http://www.port389.org/sources/${P}.tar.bz2"
-
-LICENSE="GPL-3+"
-SLOT="0"
-KEYWORDS="~amd64 ~x86"
-IUSE="autobind auto-dn-suffix debug doc +pam-passthru +dna +ldapi +bitwise presence kerberos selinux"
-
-# Pinned to db:4.8 as it is the current stable, can change to a later db version < 6 when they stabilize.
-# The --with-db-inc line in econf will need to be updated as well when changing db version.
-COMMON_DEPEND="
- sys-libs/db:4.8
- >=dev-libs/cyrus-sasl-2.1.19
- >=net-analyzer/net-snmp-5.1.2
- >=dev-libs/icu-3.4:=
- >=dev-libs/nss-3.22[utils]
- dev-libs/nspr
- >=dev-libs/svrcore-4.1.2
- dev-libs/openssl:0=
- dev-libs/libpcre:3
- >=dev-perl/perl-mozldap-1.5.3
- dev-perl/NetAddr-IP
- net-nds/openldap
- sys-libs/pam
- sys-libs/zlib
- kerberos? ( >=app-crypt/mit-krb5-1.7-r100[openldap] )"
-
-DEPEND="${COMMON_DEPEND}
- virtual/pkgconfig
- doc? ( app-doc/doxygen )"
-
-RDEPEND="${COMMON_DEPEND}
- selinux? ( sec-policy/selinux-dirsrv )
- virtual/perl-Time-Local
- virtual/perl-MIME-Base64"
-
-pkg_setup() {
- enewgroup dirsrv
- enewuser dirsrv -1 -1 -1 dirsrv
-}
-
-src_prepare() {
- # as per 389 documentation, when 64bit, export USE_64
- use amd64 && export USE_64=1
-
- epatch "${FILESDIR}/389-ds-base-1.3.6-backport-invalid-password-mig.patch"
-
- eautoreconf
-
- append-lfs-flags
-}
-
-src_configure() {
- econf \
- $(use_enable debug) \
- $(use_enable pam-passthru) \
- $(use_enable ldapi) \
- $(use_enable autobind) \
- $(use_enable dna) \
- $(use_enable bitwise) \
- $(use_enable presence) \
- $(use_with kerberos) \
- $(use_enable auto-dn-suffix) \
- --with-initddir=no \
- --enable-maintainer-mode \
- --with-fhs \
- --with-openldap \
- --sbindir=/usr/sbin \
- --bindir=/usr/bin \
- --with-db-inc=/usr/include/db4.8
-
-}
-
-src_compile() {
- default
- if use doc; then
- doxygen slapi.doxy || die "cannot run doxygen"
- fi
-}
-
-src_install() {
- # -j1 is a temporary workaround for bug #605432
- emake -j1 DESTDIR="${D}" install
-
- # Install gentoo style init script
- # Get these merged upstream
- newinitd "${FILESDIR}"/389-ds.initd-r1 389-ds
- newinitd "${FILESDIR}"/389-ds-snmp.initd 389-ds-snmp
-
- # cope with libraries being in /usr/lib/dirsrv
- dodir /etc/env.d
- echo "LDPATH=/usr/$(get_libdir)/dirsrv" > "${D}"/etc/env.d/08dirsrv
-
- if use doc; then
- cd "${S}" || die
- docinto html/
- dodoc -r docs/html/.
- fi
-}
-
-pkg_postinst() {
- echo
- elog "If you are planning to use 389-ds-snmp (ldap-agent),"
- elog "make sure to properly configure: /etc/dirsrv/config/ldap-agent.conf"
- elog "adding proper 'server' entries, and adding the lines below to"
- elog " => /etc/snmp/snmpd.conf"
- elog
- elog "master agentx"
- elog "agentXSocket /var/agentx/master"
- elog
- elog "To start 389 Directory Server (LDAP service) at boot:"
- elog
- elog " rc-update add 389-ds default"
- elog
- echo
-}
diff --git a/net-nds/389-ds-base/389-ds-base-9999.ebuild b/net-nds/389-ds-base/389-ds-base-9999.ebuild
deleted file mode 100644
index 6e1b2eec30fc..000000000000
--- a/net-nds/389-ds-base/389-ds-base-9999.ebuild
+++ /dev/null
@@ -1,133 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=5
-
-WANT_AUTOMAKE="1.13"
-
-inherit user eutils multilib flag-o-matic autotools git-r3
-
-DESCRIPTION="389 Directory Server (core librares and daemons )"
-HOMEPAGE="http://www.port389.org/"
-SRC_URI=""
-EGIT_REPO_URI="https://pagure.io/389-ds-base.git"
-
-LICENSE="GPL-3+"
-SLOT="0"
-KEYWORDS=""
-IUSE="autobind auto-dn-suffix debug doc +pam-passthru +dna +ldapi +bitwise kerberos selinux test"
-RESTRICT="!test? ( test )"
-
-# Pinned to db:4.8 as it is the current stable, can change to a later db version < 6 when they stabilize.
-# The --with-db-inc line in econf will need to be updated as well when changing db version.
-COMMON_DEPEND="
- sys-libs/db:4.8
- >=dev-libs/cyrus-sasl-2.1.19
- >=net-analyzer/net-snmp-5.1.2
- >=dev-libs/icu-3.4:=
- >=dev-libs/nss-3.22[utils]
- dev-libs/nspr
- >=dev-libs/svrcore-4.1.2
- dev-libs/openssl:0=
- dev-libs/libpcre:3
- >=dev-perl/perl-mozldap-1.5.3
- dev-perl/NetAddr-IP
- net-nds/openldap
- sys-libs/pam
- sys-libs/zlib
- dev-libs/libevent
- dev-util/cmocka
- kerberos? ( >=app-crypt/mit-krb5-1.7-r100[openldap] )"
-
-DEPEND="${COMMON_DEPEND}
- virtual/pkgconfig
- doc? ( app-doc/doxygen )"
-
-RDEPEND="${COMMON_DEPEND}
- selinux? ( sec-policy/selinux-dirsrv )
- virtual/perl-Time-Local
- virtual/perl-MIME-Base64"
-
-pkg_setup() {
- enewgroup dirsrv
- enewuser dirsrv -1 -1 -1 dirsrv
-}
-
-src_prepare() {
- # as per 389 documentation, when 64bit, export USE_64
- use amd64 && export USE_64=1
-
- eautoreconf
-
- append-lfs-flags
-}
-
-src_configure() {
- econf \
- $(use_enable debug) \
- $(use_enable pam-passthru) \
- $(use_enable ldapi) \
- $(use_enable autobind) \
- $(use_enable dna) \
- $(use_enable bitwise) \
- $(use_with kerberos) \
- $(use_enable auto-dn-suffix) \
- $(use_enable test cmocka) \
- --with-initddir=no \
- --enable-maintainer-mode \
- --with-fhs \
- --with-openldap \
- --sbindir=/usr/sbin \
- --bindir=/usr/bin \
- --with-db-inc=/usr/include/db4.8
-
-}
-
-src_compile() {
- default
- if use doc; then
- doxygen docs/slapi.doxy || die "cannot run doxygen"
- fi
-}
-
-src_test() {
- # -j1 is a temporary workaround for bug #605432
- emake -j1 check
-}
-
-src_install() {
- # -j1 is a temporary workaround for bug #605432
- emake -j1 DESTDIR="${D}" install
-
- # Install gentoo style init script
- # Get these merged upstream
- newinitd "${FILESDIR}"/389-ds.initd-r1 389-ds
- newinitd "${FILESDIR}"/389-ds-snmp.initd 389-ds-snmp
-
- # cope with libraries being in /usr/lib/dirsrv
- dodir /etc/env.d
- echo "LDPATH=/usr/$(get_libdir)/dirsrv" > "${D}"/etc/env.d/08dirsrv
-
- if use doc; then
- cd "${S}" || die
- docinto html/
- dodoc -r docs/html/.
- fi
-}
-
-pkg_postinst() {
- echo
- elog "If you are planning to use 389-ds-snmp (ldap-agent),"
- elog "make sure to properly configure: /etc/dirsrv/config/ldap-agent.conf"
- elog "adding proper 'server' entries, and adding the lines below to"
- elog " => /etc/snmp/snmpd.conf"
- elog
- elog "master agentx"
- elog "agentXSocket /var/agentx/master"
- elog
- elog "To start 389 Directory Server (LDAP service) at boot:"
- elog
- elog " rc-update add 389-ds default"
- elog
- echo
-}
diff --git a/net-nds/389-ds-base/Manifest b/net-nds/389-ds-base/Manifest
deleted file mode 100644
index e47afd21f6b5..000000000000
--- a/net-nds/389-ds-base/Manifest
+++ /dev/null
@@ -1,7 +0,0 @@
-AUX 389-ds-base-1.3.6-backport-invalid-password-mig.patch 14710 BLAKE2B f24eb143f304923fd9d1c4deac139d13bef55212a1e3a6935b3c5f0c702b09f143021139e25f70c85c39917bdc98f0a0d2fdeb451a6cea542ba8def532794767 SHA512 b8802724887df00f202fe59b36112c77fb7d2ac0df7373e739f02dca6850d455129637a3c84e6e329c37466589785c6afb05d7ff704c77abe8295197b87a217f
-AUX 389-ds-snmp.initd 960 BLAKE2B cb5b19fb168bb810aff2d4955a3a87b6dfdef6591e2a97182dd84f102ae9214760726d9a56b29d227f2fb4b109be04f81072a6b82106b9f73298b47735a0f360 SHA512 bb76a068aa5422664c3fc87d5c28124b26d6dbc88cd88856826ae905a4149a6a1d03ec562dcace1cebc6caaa0ca3c6e9346c1af5703d89e1da600df8ca4a4ba8
-AUX 389-ds.initd-r1 2366 BLAKE2B 563dabc9ba0d3720956811ac52f85f9257e588953e3b1bfde3fc4ca7749b72604ee5a608c050cdc5222691f541bfd691c5259ac9e60194a669cfa06cd6c76794 SHA512 530316eccf25196453a51398b810dc6ca14a9bf6f8e4487cfd42d00df190653a197b1effae357c6d9e5d00cd51e8e7d47092d0ecddf2d71d6fa100b58d19b6d7
-DIST 389-ds-base-1.3.6.8.tar.bz2 3440164 BLAKE2B 20ff28fc1d59452e48ec6684f844dd2dec2f33492aa142c915029dfb6b0535860f4f598872d2de5d33ed8cb9b5a0d3ae47b1666cac54a4b38f0f4f954cdaf85f SHA512 b08a87bffbdf8e4c6bf6b4f87394aa0a12b8b44fcadec2f97c146b3a21ff89f5f547080aacb0ecda9b91aca83f8bf093b64c2569b2d8be84ffe22439be446234
-EBUILD 389-ds-base-1.3.6.8-r1.ebuild 3030 BLAKE2B 2c5a1cc34e07a34b79690adb8cb168af0fd2a31bb8996e96ab6d095bca71e427b1b74c1aeee48033d6dff496bcf440d726399a4a4fced45ff9a257d53d1e2421 SHA512 fa20a7dc388ac132bb9f56fd86cb47c0e58171ffc1c82597f0b42869fe4c68b584b4efcf6e5d76a3fca1dc6849b1f8ad8d62cf44894080fab25b581ed7ce658d
-EBUILD 389-ds-base-9999.ebuild 3105 BLAKE2B d28e621b98afc7a890e4eadc9b07827eb32e2dc60d48956e1a35d051fdcb5f0af89666fe1b8d456989b5b7525e350fb0750cddf2f72ecf3a89a11129d72e842d SHA512 e2b6a0b06a965e875aa3149060b29fe587e2f7eb59ac3190244e984eb1d28225e6b6fc01865bc594e7e3d834999fbe9da0a4a39129d970276a6614e407a694ad
-MISC metadata.xml 1019 BLAKE2B 0258798048756a11ef38481a5abbe2c3e80d186bc3d4474771232397e4ec48a270fed6a0867efafb31c4261caf130511083e65f434f03e8486713a710bd2c470 SHA512 d63ffd88de13739f9889f064cdc135ca0f82e0ecde52617e8bbe477049f0e911e3d79514dbef3ff5913b1760889a20035f89118b760ab241fe864b0d07f694a3
diff --git a/net-nds/389-ds-base/files/389-ds-base-1.3.6-backport-invalid-password-mig.patch b/net-nds/389-ds-base/files/389-ds-base-1.3.6-backport-invalid-password-mig.patch
deleted file mode 100644
index b4ba70a2fb5f..000000000000
--- a/net-nds/389-ds-base/files/389-ds-base-1.3.6-backport-invalid-password-mig.patch
+++ /dev/null
@@ -1,376 +0,0 @@
-From cefec5714cf0fdec4aa582a5fe020ef80d6024cd Mon Sep 17 00:00:00 2001
-From: William Brown <firstyear@redhat.com>
-Date: Thu, 18 Jan 2018 11:27:58 +1000
-Subject: [PATCH] Ticket bz1525628 1.3.6 backport - invalid password migration
- causes unauth bind
-
-Bug Description: Slapi_ct_memcmp expects both inputs to be
-at LEAST size n. If they are not, we only compared UP to n.
-
-Invalid migrations of passwords (IE {CRYPT}XX) would create
-a pw which is just salt and no hash. ct_memcmp would then
-only verify the salt bits and would allow the authentication.
-
-This relies on an administrative mistake both of allowing
-password migration (nsslapd-allow-hashed-passwords) and then
-subsequently migrating an INVALID password to the server.
-
-Fix Description: slapi_ct_memcmp now access n1, n2 size
-and will FAIL if they are not the same, but will still compare
-n bytes, where n is the "longest" memory, to the first byte
-of the other to prevent length disclosure of the shorter
-value (generally the mis-migrated password)
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1525628
-
-Author: wibrown
-
-Review by: ???
----
- .../bz1525628_ct_memcmp_invalid_hash_test.py | 56 ++++++++++++++++++++
- ldap/servers/plugins/pwdstorage/clear_pwd.c | 4 +-
- ldap/servers/plugins/pwdstorage/crypt_pwd.c | 4 +-
- ldap/servers/plugins/pwdstorage/md5_pwd.c | 36 ++++++-------
- ldap/servers/plugins/pwdstorage/sha_pwd.c | 18 +++++--
- ldap/servers/plugins/pwdstorage/smd5_pwd.c | 60 +++++++++++-----------
- ldap/servers/slapd/ch_malloc.c | 36 +++++++++++--
- ldap/servers/slapd/slapi-plugin.h | 2 +-
- 8 files changed, 155 insertions(+), 61 deletions(-)
- create mode 100644 dirsrvtests/tests/suites/password/bz1525628_ct_memcmp_invalid_hash_test.py
-
-diff --git a/dirsrvtests/tests/suites/password/bz1525628_ct_memcmp_invalid_hash_test.py b/dirsrvtests/tests/suites/password/bz1525628_ct_memcmp_invalid_hash_test.py
-new file mode 100644
-index 0000000..2f38384
---- /dev/null
-+++ b/dirsrvtests/tests/suites/password/bz1525628_ct_memcmp_invalid_hash_test.py
-@@ -0,0 +1,56 @@
-+# --- BEGIN COPYRIGHT BLOCK ---
-+# Copyright (C) 2018 Red Hat, Inc.
-+# All rights reserved.
-+#
-+# License: GPL (version 3 or any later version).
-+# See LICENSE for details.
-+# --- END COPYRIGHT BLOCK ---
-+#
-+
-+import ldap
-+import pytest
-+import logging
-+from lib389.topologies import topology_st
-+from lib389._constants import PASSWORD, DEFAULT_SUFFIX
-+
-+from lib389.idm.user import UserAccounts, TEST_USER_PROPERTIES
-+
-+logging.getLogger(__name__).setLevel(logging.DEBUG)
-+log = logging.getLogger(__name__)
-+
-+def test_invalid_hash_fails(topology_st):
-+ """When given a malformed hash from userpassword migration
-+ slapi_ct_memcmp would check only to the length of the shorter
-+ field. This affects some values where it would ONLY verify
-+ the salt is valid, and thus would allow any password to bind.
-+
-+ :id: 8131c029-7147-47db-8d03-ec5db2a01cfb
-+ :setup: Standalone Instance
-+ :steps:
-+ 1. Create a user
-+ 2. Add an invalid password hash (truncated)
-+ 3. Attempt to bind
-+ :expectedresults:
-+ 1. User is added
-+ 2. Invalid pw hash is added
-+ 3. Bind fails
-+ """
-+ log.info("Running invalid hash test")
-+
-+ # Allow setting raw password hashes for migration.
-+ topology_st.standalone.config.set('nsslapd-allow-hashed-passwords', 'on')
-+
-+ users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX)
-+ user = users.create(properties=TEST_USER_PROPERTIES)
-+ user.set('userPassword', '{CRYPT}XX')
-+
-+ # Attempt to bind. This should fail.
-+ with pytest.raises(ldap.INVALID_CREDENTIALS):
-+ user.bind(PASSWORD)
-+ with pytest.raises(ldap.INVALID_CREDENTIALS):
-+ user.bind('XX')
-+ with pytest.raises(ldap.INVALID_CREDENTIALS):
-+ user.bind('{CRYPT}XX')
-+
-+ log.info("PASSED")
-+
-diff --git a/ldap/servers/plugins/pwdstorage/clear_pwd.c b/ldap/servers/plugins/pwdstorage/clear_pwd.c
-index b9b362d..050e60d 100644
---- a/ldap/servers/plugins/pwdstorage/clear_pwd.c
-+++ b/ldap/servers/plugins/pwdstorage/clear_pwd.c
-@@ -39,7 +39,7 @@ clear_pw_cmp( const char *userpwd, const char *dbpwd )
- * However, even if the first part of userpw matches dbpwd, but len !=, we
- * have already failed anyawy. This prevents substring matching.
- */
-- if (slapi_ct_memcmp(userpwd, dbpwd, len_dbp) != 0) {
-+ if (slapi_ct_memcmp(userpwd, dbpwd, len_user, len_dbp) != 0) {
- result = 1;
- }
- } else {
-@@ -51,7 +51,7 @@ clear_pw_cmp( const char *userpwd, const char *dbpwd )
- * dbpwd to itself. We have already got result == 1 if we are here, so we are
- * just trying to take up time!
- */
-- if (slapi_ct_memcmp(dbpwd, dbpwd, len_dbp)) {
-+ if (slapi_ct_memcmp(dbpwd, dbpwd, len_dbp, len_dbp)) {
- /* Do nothing, we have the if to fix a coverity check. */
- }
- }
-diff --git a/ldap/servers/plugins/pwdstorage/crypt_pwd.c b/ldap/servers/plugins/pwdstorage/crypt_pwd.c
-index dfd5af9..5fcff13 100644
---- a/ldap/servers/plugins/pwdstorage/crypt_pwd.c
-+++ b/ldap/servers/plugins/pwdstorage/crypt_pwd.c
-@@ -56,13 +56,13 @@ crypt_close(Slapi_PBlock *pb __attribute__((unused)))
- int
- crypt_pw_cmp( const char *userpwd, const char *dbpwd )
- {
-- int rc;
-+ int32_t rc;
- char *cp;
- PR_Lock(cryptlock);
- /* we use salt (first 2 chars) of encoded password in call to crypt() */
- cp = crypt( userpwd, dbpwd );
- if (cp) {
-- rc= slapi_ct_memcmp( dbpwd, cp, strlen(dbpwd));
-+ rc = slapi_ct_memcmp(dbpwd, cp, strlen(dbpwd), strlen(cp));
- } else {
- rc = -1;
- }
-diff --git a/ldap/servers/plugins/pwdstorage/md5_pwd.c b/ldap/servers/plugins/pwdstorage/md5_pwd.c
-index b279946..2e1c472 100644
---- a/ldap/servers/plugins/pwdstorage/md5_pwd.c
-+++ b/ldap/servers/plugins/pwdstorage/md5_pwd.c
-@@ -30,13 +30,13 @@
- int
- md5_pw_cmp( const char *userpwd, const char *dbpwd )
- {
-- int rc=-1;
-- char * bver;
-- PK11Context *ctx=NULL;
-- unsigned int outLen;
-- unsigned char hash_out[MD5_HASH_LEN];
-- unsigned char b2a_out[MD5_HASH_LEN*2]; /* conservative */
-- SECItem binary_item;
-+ int32_t rc = -1;
-+ char *bver;
-+ PK11Context *ctx = NULL;
-+ unsigned int outLen;
-+ unsigned char hash_out[MD5_HASH_LEN];
-+ unsigned char b2a_out[MD5_HASH_LEN * 2]; /* conservative */
-+ SECItem binary_item;
-
- ctx = PK11_CreateDigestContext(SEC_OID_MD5);
- if (ctx == NULL) {
-@@ -51,17 +51,17 @@ md5_pw_cmp( const char *userpwd, const char *dbpwd )
- PK11_DigestFinal(ctx, hash_out, &outLen, sizeof hash_out);
- PK11_DestroyContext(ctx, 1);
-
-- /* convert the binary hash to base64 */
-- binary_item.data = hash_out;
-- binary_item.len = outLen;
-- bver = NSSBase64_EncodeItem(NULL, (char *)b2a_out, sizeof b2a_out, &binary_item);
-- /* bver points to b2a_out upon success */
-- if (bver) {
-- rc = slapi_ct_memcmp(bver,dbpwd, strlen(dbpwd));
-- } else {
-- slapi_log_err(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME,
-- "Could not base64 encode hashed value for password compare");
-- }
-+ /* convert the binary hash to base64 */
-+ binary_item.data = hash_out;
-+ binary_item.len = outLen;
-+ bver = NSSBase64_EncodeItem(NULL, (char *)b2a_out, sizeof b2a_out, &binary_item);
-+ /* bver points to b2a_out upon success */
-+ if (bver) {
-+ rc = slapi_ct_memcmp(bver, dbpwd, strlen(dbpwd), strlen(bver));
-+ } else {
-+ slapi_log_err(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME,
-+ "Could not base64 encode hashed value for password compare");
-+ }
- loser:
- return rc;
- }
-diff --git a/ldap/servers/plugins/pwdstorage/sha_pwd.c b/ldap/servers/plugins/pwdstorage/sha_pwd.c
-index 5f41c5b..c9db896 100644
---- a/ldap/servers/plugins/pwdstorage/sha_pwd.c
-+++ b/ldap/servers/plugins/pwdstorage/sha_pwd.c
-@@ -49,7 +49,7 @@ sha_pw_cmp (const char *userpwd, const char *dbpwd, unsigned int shaLen )
- char userhash[MAX_SHA_HASH_SIZE];
- char quick_dbhash[MAX_SHA_HASH_SIZE + SHA_SALT_LENGTH + 3];
- char *dbhash = quick_dbhash;
-- struct berval salt;
-+ struct berval salt = {0};
- PRUint32 hash_len;
- unsigned int secOID;
- char *schemeName;
-@@ -120,10 +120,20 @@ sha_pw_cmp (const char *userpwd, const char *dbpwd, unsigned int shaLen )
- }
-
- /* the proof is in the comparison... */
-- if ( hash_len >= shaLen ) {
-- result = slapi_ct_memcmp( userhash, dbhash, shaLen );
-+ if (hash_len >= shaLen) {
-+ /*
-+ * This say "if the hash has a salt IE >, OR if they are equal, check the hash component ONLY.
-+ * This is why we repeat shaLen twice, even though it seems odd. If you have a dbhast of ssha
-+ * it's len is 28, and the userpw is 20, but 0 - 20 is the sha, and 21-28 is the salt, which
-+ * has already been processed into userhash.
-+ * The case where dbpwd is truncated is handled above in "invalid base64" arm.
-+ */
-+ result = slapi_ct_memcmp(userhash, dbhash, shaLen, shaLen);
- } else {
-- result = slapi_ct_memcmp( userhash, dbhash + OLD_SALT_LENGTH, hash_len - OLD_SALT_LENGTH );
-+ /* This case is for if the salt is at the START, which only applies to DS40B1 case.
-+ * May never be a valid check...
-+ */
-+ result = slapi_ct_memcmp(userhash, dbhash + OLD_SALT_LENGTH, shaLen, hash_len - OLD_SALT_LENGTH);
- }
-
- loser:
-diff --git a/ldap/servers/plugins/pwdstorage/smd5_pwd.c b/ldap/servers/plugins/pwdstorage/smd5_pwd.c
-index 2e9d195..f6b4bb4 100644
---- a/ldap/servers/plugins/pwdstorage/smd5_pwd.c
-+++ b/ldap/servers/plugins/pwdstorage/smd5_pwd.c
-@@ -52,35 +52,37 @@ smd5_pw_cmp( const char *userpwd, const char *dbpwd )
- /*
- * Decode hash stored in database.
- */
-- hash_len = pwdstorage_base64_decode_len(dbpwd, 0);
-- if ( hash_len >= sizeof(quick_dbhash) ) { /* get more space: */
-- dbhash = (char*) slapi_ch_calloc( hash_len + 1, sizeof(char) );
-- if ( dbhash == NULL ) goto loser;
-- } else {
-- memset( quick_dbhash, 0, sizeof(quick_dbhash) );
-- }
--
-- hashresult = PL_Base64Decode( dbpwd, 0, dbhash );
-- if (NULL == hashresult) {
-- slapi_log_err(SLAPI_LOG_PLUGIN, SALTED_MD5_SUBSYSTEM_NAME,
-- "smd5_pw_cmp: userPassword \"%s\" is the wrong length "
-- "or is not properly encoded BASE64\n", dbpwd );
-- goto loser;
-- }
--
-- salt.bv_val = (void*)(dbhash + MD5_LENGTH); /* salt starts after hash value */
-- salt.bv_len = hash_len - MD5_LENGTH; /* remaining bytes must be salt */
--
-- /* create the hash */
-- memset( userhash, 0, sizeof(userhash) );
-- PK11_DigestBegin(ctx);
-- PK11_DigestOp(ctx, (const unsigned char *)userpwd, strlen(userpwd));
-- PK11_DigestOp(ctx, (unsigned char*)(salt.bv_val), salt.bv_len);
-- PK11_DigestFinal(ctx, userhash, &outLen, sizeof userhash);
-- PK11_DestroyContext(ctx, 1);
--
-- /* Compare everything up to the salt. */
-- rc = slapi_ct_memcmp( userhash, dbhash, MD5_LENGTH );
-+ hash_len = pwdstorage_base64_decode_len(dbpwd, 0);
-+ if (hash_len >= sizeof(quick_dbhash)) { /* get more space: */
-+ dbhash = (char *)slapi_ch_calloc(hash_len + 1, sizeof(char));
-+ if (dbhash == NULL)
-+ goto loser;
-+ } else {
-+ memset(quick_dbhash, 0, sizeof(quick_dbhash));
-+ }
-+
-+ hashresult = PL_Base64Decode(dbpwd, 0, dbhash);
-+ if (NULL == hashresult) {
-+ slapi_log_err(SLAPI_LOG_PLUGIN, SALTED_MD5_SUBSYSTEM_NAME,
-+ "smd5_pw_cmp: userPassword \"%s\" is the wrong length "
-+ "or is not properly encoded BASE64\n",
-+ dbpwd);
-+ goto loser;
-+ }
-+
-+ salt.bv_val = (void *)(dbhash + MD5_LENGTH); /* salt starts after hash value */
-+ salt.bv_len = hash_len - MD5_LENGTH; /* remaining bytes must be salt */
-+
-+ /* create the hash */
-+ memset(userhash, 0, sizeof(userhash));
-+ PK11_DigestBegin(ctx);
-+ PK11_DigestOp(ctx, (const unsigned char *)userpwd, strlen(userpwd));
-+ PK11_DigestOp(ctx, (unsigned char *)(salt.bv_val), salt.bv_len);
-+ PK11_DigestFinal(ctx, userhash, &outLen, sizeof userhash);
-+ PK11_DestroyContext(ctx, 1);
-+
-+ /* Compare everything up to the salt. */
-+ rc = slapi_ct_memcmp(userhash, dbhash, MD5_LENGTH, MD5_LENGTH);
-
- loser:
- if ( dbhash && dbhash != quick_dbhash ) slapi_ch_free_string( (char **)&dbhash );
-diff --git a/ldap/servers/slapd/ch_malloc.c b/ldap/servers/slapd/ch_malloc.c
-index 52ccb64..66cb692 100644
---- a/ldap/servers/slapd/ch_malloc.c
-+++ b/ldap/servers/slapd/ch_malloc.c
-@@ -343,8 +343,8 @@ slapi_ch_smprintf(const char *fmt, ...)
-
- /* Constant time memcmp. Does not shortcircuit on failure! */
- /* This relies on p1 and p2 both being size at least n! */
--int
--slapi_ct_memcmp( const void *p1, const void *p2, size_t n)
-+int32_t
-+slapi_ct_memcmp(const void *p1, const void *p2, size_t n1, size_t n2)
- {
- int result = 0;
- const unsigned char *_p1 = (const unsigned char *)p1;
-@@ -354,9 +354,35 @@ slapi_ct_memcmp( const void *p1, const void *p2, size_t n)
- return 2;
- }
-
-- for (size_t i = 0; i < n; i++) {
-- if (_p1[i] ^ _p2[i]) {
-- result = 1;
-+ if (n1 == n2) {
-+ for (size_t i = 0; i < n1; i++) {
-+ if (_p1[i] ^ _p2[i]) {
-+ result = 1;
-+ }
-+ }
-+ } else {
-+ const unsigned char *_pa;
-+ const unsigned char *_pb;
-+ size_t nl;
-+ if (n2 > n1) {
-+ _pa = _p2;
-+ _pb = _p2;
-+ nl = n2;
-+ } else {
-+ _pa = _p1;
-+ _pb = _p1;
-+ nl = n1;
-+ }
-+ /* We already fail as n1 != n2 */
-+ result = 3;
-+ for (size_t i = 0; i < nl; i++) {
-+ if (_pa[i] ^ _pb[i]) {
-+ /*
-+ * If we don't mutate result here, dead code elimination
-+ * we remove for loop.
-+ */
-+ result = 4;
-+ }
- }
- }
- return result;
-diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
-index d37bc63..2c5c4ce 100644
---- a/ldap/servers/slapd/slapi-plugin.h
-+++ b/ldap/servers/slapd/slapi-plugin.h
-@@ -5859,7 +5859,7 @@ char * slapi_ch_smprintf(const char *fmt, ...)
- * \param n length in bytes of the content of p1 AND p2.
- * \return 0 on match. 1 on non-match. 2 on presence of NULL pointer in p1 or p2.
- */
--int slapi_ct_memcmp( const void *p1, const void *p2, size_t n);
-+int32_t slapi_ct_memcmp(const void *p1, const void *p2, size_t n1, size_t n2);
-
- /*
- * syntax plugin routines
---
-1.8.3.1
-
diff --git a/net-nds/389-ds-base/files/389-ds-snmp.initd b/net-nds/389-ds-base/files/389-ds-snmp.initd
deleted file mode 100644
index 94df1580d76b..000000000000
--- a/net-nds/389-ds-base/files/389-ds-snmp.initd
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2010 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-PIDFILE="/var/run/ldap-agent.pid"
-CONFIGFILE="/etc/dirsrv/config/ldap-agent.conf"
-
-# instance support in progress
-
-depend() {
- need net
- use logger snmpd
-}
-
-start() {
- ebegin "Starting 389 Directory Server ldap-snmp agent"
- start-stop-daemon --start --quiet -b \
- --pidfile ${PIDFILE} --exec /usr/sbin/ldap-agent -- ${CONFIGFILE}
- eend ${?}
- if [ "${?}" != "0" ]; then
- local entries=/etc/dirsrv/slapd-*
- if [ -n "${entries}" ]; then
- ewarn "Please make sure that ${CONFIGFILE} contains at least"
- ewarn "one of the following entries:"
- for entry in ${entries}; do
- entry=$(basename ${entry})
- ewarn "server ${entry}"
- done
- fi
- fi
-}
-
-stop() {
- ebegin "Stopping 389 Directory Server ldap-snmp agent"
- start-stop-daemon --stop --quiet --pidfile ${PIDFILE}
- eend ${?}
-
-}
-
-restart() {
- svc_stop
- sleep 2
- svc_start
-}
diff --git a/net-nds/389-ds-base/files/389-ds.initd-r1 b/net-nds/389-ds-base/files/389-ds.initd-r1
deleted file mode 100644
index bc9e6e1bb3a7..000000000000
--- a/net-nds/389-ds-base/files/389-ds.initd-r1
+++ /dev/null
@@ -1,90 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2016 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-DIRSRV_EXEC="/usr/sbin/ns-slapd"
-PID_DIRECTORY="/var/run/dirsrv"
-LOCK_DIRECTORY="/var/lock/dirsrv"
-DIRSRV_CONF_DIR="/etc/dirsrv"
-DS_INSTANCES=${DIRSRV_CONF_DIR}/slapd-*
-F389DS_INSTANCES=""
-
-depend() {
- need net logger
- use dns
- provide dirsvr ldap
-}
-
-checkconfig() {
- if [ -z "${DS_INSTANCES}" ]; then
- eerror "389 Directory Server has not been configured."
- eend 1
- return 1
- fi
-}
-
-start() {
- checkconfig || return 1
-
- for instance in ${DS_INSTANCES}; do
- instance=$(basename ${instance})
- # skip .removed instances, bug #338133
- if [ "${instance%%.removed}" != "${instance}" ]; then
- continue
- fi
- # Create the required directories in case they got nuked
- mkdir -p ${PID_DIRECTORY}
- mkdir -p ${LOCK_DIRECTORY}/${instance}
- # This will probably break one day, we should be pulling out the suitespotuser from dse.ldif
- chown dirsrv: ${PID_DIRECTORY}
- chown dirsrv: ${LOCK_DIRECTORY}/${instance}
- ebegin "Starting 389 Directory Server: instance ${instance}"
- start-stop-daemon --start --quiet -m \
- --pidfile ${PID_DIRECTORY}/${instance}.startpid \
- --exec ${DIRSRV_EXEC} -- -D ${DIRSRV_CONF_DIR}/${instance} \
- -i ${PID_DIRECTORY}/${instance}.pid \
- -w ${PID_DIRECTORY}/${instance}.startpid
- sts=${?}
- eend ${sts}
- if [ "${sts}" != "0" ]; then
- return 1
- fi
- done
-}
-
-
-
-stop() {
- checkconfig || return 1
-
- for instance in ${DS_INSTANCES}; do
- instance=$(basename ${instance})
- if [ "${instance%%.removed}" != "${instance}" ]; then
- continue
- fi
- ebegin "Stopping 389 Directory Server: instance ${instance}"
- start-stop-daemon --stop --quiet \
- --pidfile ${PID_DIRECTORY}/${instance}.pid \
- --exec ${DIRSRV_EXEC}
- eend ${?}
- done
-}
-
-status() {
- for instance in ${DS_INSTANCES}; do
- instance=$(basename ${instance})
- if [ "${instance%%.removed}" != "${instance}" ]; then
- continue
- fi
- if [ -e ${PID_DIRECTORY}/${instance}.pid ]; then
- pid=$(cat ${PID_DIRECTORY}/${instance}.pid)
- if [ $(echo "$pid" | grep -c $pid) -ge 1 ]; then
- einfo "389 Directory Server: instance ${instance} (pid $pid) running."
- else
- ewarn "389 Directory Server: instance ${instance} (pid $pid) NOT running."
- fi
- else
- eerror "389 Directory Server: instance ${instance} is NOT running."
- fi
- done
-}
diff --git a/net-nds/389-ds-base/metadata.xml b/net-nds/389-ds-base/metadata.xml
deleted file mode 100644
index 55831e027b4c..000000000000
--- a/net-nds/389-ds-base/metadata.xml
+++ /dev/null
@@ -1,23 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
-<pkgmetadata>
- <!-- maintainer-needed -->
- <longdescription>The enterprise-class Open Source LDAP server for Linux
- </longdescription>
-<use>
- <flag name="pam-passthru">Enable pam-passthru plugin - for simple and
- fast system services used in ldap</flag>
- <flag name="dna">Enable dna (distributed numeric assignment ) plugin - to
- automatically assign unique uid numbers to new user entries as they
- are created.</flag>
- <flag name="presence">Enable presence plugin - non-standard syntax
- validation</flag>
- <flag name="bitwise">Enable bitwise plugin - supported data in raw/bitwise
- format</flag>
- <flag name="autobind">Enable auto bind over unix domain socket (LDAPI)
- support</flag>
- <flag name="auto-dn-suffix">Enable auto bind with auto dn suffix over unix
- domain socket (LDAPI) support</flag>
- <flag name="ldapi">Enable LDAP over unix domain socket (LDAPI) support</flag>
-</use>
-</pkgmetadata>