gentoo resync : 11.02.2018

author: V3n3RiX <venerix@redcorelinux.org> 2018-02-11 16:09:52 +0000
committer: V3n3RiX <venerix@redcorelinux.org> 2018-02-11 16:09:52 +0000
commit: f78108598211053d41752a83e0345441bb9014ae (patch)
tree: dd2fc7ae0a1aea7bda4942ab0c453d1e55284b37 /net-nds/389-ds-base
parent: dc45b83b28fb83e9659492066e347b8dc60bc9e3 (diff)
6 files changed, 386 insertions, 8 deletions
diff --git a/net-nds/389-ds-base/389-ds-base-1.3.5.19.ebuild b/net-nds/389-ds-base/389-ds-base-1.3.5.19.ebuild
index 6fddd0315a5b..e36a909ca910 100644
--- a/net-nds/389-ds-base/389-ds-base-1.3.5.19.ebuild
+++ b/net-nds/389-ds-base/389-ds-base-1.3.5.19.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2017 Gentoo Foundation
+# Copyright 1999-2018 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=5
diff --git a/net-nds/389-ds-base/389-ds-base-1.3.6.8.ebuild b/net-nds/389-ds-base/389-ds-base-1.3.6.8-r1.ebuild
index 6fddd0315a5b..0232cdec1d43 100644
--- a/net-nds/389-ds-base/389-ds-base-1.3.6.8.ebuild
+++ b/net-nds/389-ds-base/389-ds-base-1.3.6.8-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2017 Gentoo Foundation
+# Copyright 1999-2018 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=5
@@ -53,6 +53,8 @@ src_prepare() {
 	# as per 389 documentation, when 64bit, export USE_64
 	use amd64 && export USE_64=1
 
+	epatch "${FILESDIR}/389-ds-base-1.3.6-backport-invalid-password-mig.patch"
+
 	eautoreconf
 
 	append-lfs-flags
diff --git a/net-nds/389-ds-base/389-ds-base-9999.ebuild b/net-nds/389-ds-base/389-ds-base-9999.ebuild
index 463fd580d5da..046375125af8 100644
--- a/net-nds/389-ds-base/389-ds-base-9999.ebuild
+++ b/net-nds/389-ds-base/389-ds-base-9999.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2017 Gentoo Foundation
+# Copyright 1999-2018 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=5
diff --git a/net-nds/389-ds-base/Manifest b/net-nds/389-ds-base/Manifest
index fa544849ff3c..b21d3f175e09 100644
--- a/net-nds/389-ds-base/Manifest
+++ b/net-nds/389-ds-base/Manifest
@@ -1,8 +1,9 @@
+AUX 389-ds-base-1.3.6-backport-invalid-password-mig.patch 14710 BLAKE2B f24eb143f304923fd9d1c4deac139d13bef55212a1e3a6935b3c5f0c702b09f143021139e25f70c85c39917bdc98f0a0d2fdeb451a6cea542ba8def532794767 SHA512 b8802724887df00f202fe59b36112c77fb7d2ac0df7373e739f02dca6850d455129637a3c84e6e329c37466589785c6afb05d7ff704c77abe8295197b87a217f
 AUX 389-ds-snmp.initd 960 BLAKE2B cb5b19fb168bb810aff2d4955a3a87b6dfdef6591e2a97182dd84f102ae9214760726d9a56b29d227f2fb4b109be04f81072a6b82106b9f73298b47735a0f360 SHA512 bb76a068aa5422664c3fc87d5c28124b26d6dbc88cd88856826ae905a4149a6a1d03ec562dcace1cebc6caaa0ca3c6e9346c1af5703d89e1da600df8ca4a4ba8
 AUX 389-ds.initd-r1 2366 BLAKE2B 563dabc9ba0d3720956811ac52f85f9257e588953e3b1bfde3fc4ca7749b72604ee5a608c050cdc5222691f541bfd691c5259ac9e60194a669cfa06cd6c76794 SHA512 530316eccf25196453a51398b810dc6ca14a9bf6f8e4487cfd42d00df190653a197b1effae357c6d9e5d00cd51e8e7d47092d0ecddf2d71d6fa100b58d19b6d7
 DIST 389-ds-base-1.3.5.19.tar.bz2 3588794 BLAKE2B f3341c8ec4d1b612babe83fd0cc8a4ef43b7a05d8ab5585dceefe39caaaa8182af0d6c8de3b0e7bd867bfd02863a70d09ea0058613b3bfdffcf1140f4cb69c2d SHA512 897f59fe23a9d5a784df7a255dc300805c8f00b754d4976f8637a61954ffe2de59da09ee700dc5047b406196deb28e9647ec50c0b06c0d34371a418c126c8b7d
 DIST 389-ds-base-1.3.6.8.tar.bz2 3440164 BLAKE2B 20ff28fc1d59452e48ec6684f844dd2dec2f33492aa142c915029dfb6b0535860f4f598872d2de5d33ed8cb9b5a0d3ae47b1666cac54a4b38f0f4f954cdaf85f SHA512 b08a87bffbdf8e4c6bf6b4f87394aa0a12b8b44fcadec2f97c146b3a21ff89f5f547080aacb0ecda9b91aca83f8bf093b64c2569b2d8be84ffe22439be446234
-EBUILD 389-ds-base-1.3.5.19.ebuild 2957 BLAKE2B 1d05d531bb3e2f85b9a60cb0c72086a6a9a84188cedf2c64c6cfaea29c48dc604f82512d829c9795d049ecfa3a02d2d91823a47db46235e0e20be2c54bca3bf6 SHA512 f9dce9c354af006f613df1db6316c67c1ac2d3d8bd6835f28bdee440e8bf40bfdb1611c810c0d4e040a6aec5e82fe26d43e979dc5f8ddd68e80fcfb2f47710b7
-EBUILD 389-ds-base-1.3.6.8.ebuild 2957 BLAKE2B 1d05d531bb3e2f85b9a60cb0c72086a6a9a84188cedf2c64c6cfaea29c48dc604f82512d829c9795d049ecfa3a02d2d91823a47db46235e0e20be2c54bca3bf6 SHA512 f9dce9c354af006f613df1db6316c67c1ac2d3d8bd6835f28bdee440e8bf40bfdb1611c810c0d4e040a6aec5e82fe26d43e979dc5f8ddd68e80fcfb2f47710b7
-EBUILD 389-ds-base-9999.ebuild 3083 BLAKE2B 33d9a74a380c78ec1c0422210520af58b853b06f07eaa372f16b70ee32cf2960e3e38bde4e51af84e9dc068294fdb5abdd2dec7b8322dc89e0fad698e693b3a7 SHA512 ee3423dee89abe6da876c74bf5de1794d1a2063417e7e960436379b07574ebdaa6a14a57d0798cf90ce85ed9c0b70f982621ee47818f757095921f76bb346c4f
-MISC metadata.xml 1369 BLAKE2B 4a9e90344372c5081724ef56bdf752c6c94f0240e08d8fad99f919c8cc6e3712a48b9e0794aae35805ea6326c61eb2df77526ba05f35950d4d2da87cd016254d SHA512 ed9b9c3334f71c5986cc669dcdc6a10ec93aeab4b665617457cca583695433dbe0ecfb542116096a8216b89b61ebd5dd92190e62d9812637966fa451c2f304d8
+EBUILD 389-ds-base-1.3.5.19.ebuild 2957 BLAKE2B d949b7a77c8e037d11d667bc35f290bc855b99724ed9c28bd52e2fd70973eec54c69b722a3fd9f86a91e5f8ec453cb609a503dd92fea74a44903eab1c0e4e68d SHA512 facd2e4180ecd5da4ec7c55d30d44cd3963e3a52de68cea5664d0f6ca7bdf2f7f06cfcaeff6718d0e5d97a935564990eae51c1f245f039fd62426b2de81d9a4d
+EBUILD 389-ds-base-1.3.6.8-r1.ebuild 3034 BLAKE2B 77277e1a31d2e0e718060a4ce007cc601fd48c0f813525c15d6437e1f05821197a6307be8e070af0a69253cd3cabd288ce81d640111a4feb2f708f67a7034ead SHA512 77af6cfe40c112c496c527fe5766430812e2da9d440eef15d155196d5e09b9c69473038e34a736a052e5ba7f3d046d088e8198a47e6991cadc2b7d3a8109a16c
+EBUILD 389-ds-base-9999.ebuild 3083 BLAKE2B 45a20a14951c11131a0ca5fc899e4166eda69611f4f8c7bb9619f9d5d5ad9cd2d846b01c8fc6aba385605e30b455a9344fb9dce27563558141f4bad5f7018dc0 SHA512 a86fa6972731f3e7e3aad42fec4ab14378537e1173f35a18873a38dc78459b2723b7a348333499557fa007677a97c4c2bf748dd3b2fc1bb92131853f5f73102e
+MISC metadata.xml 1311 BLAKE2B b1e0923a8a69d8ab6bbb0a4111acf20c723a96abbd956115f4d535908ceb908e82f013c3331ac3049f43b76231742271dfc10e88101b6f58e509971f300a49d4 SHA512 64d97381ce3a31ffde790e8b61570373b9e047c46ecdcd87e15efebb816ccc970343af66acdb9c03070a490fc7d3dbd23c1b15cdc19e2abd2f37b8c17261c78e
diff --git a/net-nds/389-ds-base/files/389-ds-base-1.3.6-backport-invalid-password-mig.patch b/net-nds/389-ds-base/files/389-ds-base-1.3.6-backport-invalid-password-mig.patch
new file mode 100644
index 000000000000..b4ba70a2fb5f
--- /dev/null
+++ b/net-nds/389-ds-base/files/389-ds-base-1.3.6-backport-invalid-password-mig.patch
@@ -0,0 +1,376 @@
+From cefec5714cf0fdec4aa582a5fe020ef80d6024cd Mon Sep 17 00:00:00 2001
+From: William Brown <firstyear@redhat.com>
+Date: Thu, 18 Jan 2018 11:27:58 +1000
+Subject: [PATCH] Ticket bz1525628 1.3.6 backport - invalid password migration
+ causes unauth bind
+
+Bug Description:  Slapi_ct_memcmp expects both inputs to be
+at LEAST size n. If they are not, we only compared UP to n.
+
+Invalid migrations of passwords (IE {CRYPT}XX) would create
+a pw which is just salt and no hash. ct_memcmp would then
+only verify the salt bits and would allow the authentication.
+
+This relies on an administrative mistake both of allowing
+password migration (nsslapd-allow-hashed-passwords) and then
+subsequently migrating an INVALID password to the server.
+
+Fix Description:  slapi_ct_memcmp now access n1, n2 size
+and will FAIL if they are not the same, but will still compare
+n bytes, where n is the "longest" memory, to the first byte
+of the other to prevent length disclosure of the shorter
+value (generally the mis-migrated password)
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1525628
+
+Author: wibrown
+
+Review by: ???
+---
+ .../bz1525628_ct_memcmp_invalid_hash_test.py       | 56 ++++++++++++++++++++
+ ldap/servers/plugins/pwdstorage/clear_pwd.c        |  4 +-
+ ldap/servers/plugins/pwdstorage/crypt_pwd.c        |  4 +-
+ ldap/servers/plugins/pwdstorage/md5_pwd.c          | 36 ++++++-------
+ ldap/servers/plugins/pwdstorage/sha_pwd.c          | 18 +++++--
+ ldap/servers/plugins/pwdstorage/smd5_pwd.c         | 60 +++++++++++-----------
+ ldap/servers/slapd/ch_malloc.c                     | 36 +++++++++++--
+ ldap/servers/slapd/slapi-plugin.h                  |  2 +-
+ 8 files changed, 155 insertions(+), 61 deletions(-)
+ create mode 100644 dirsrvtests/tests/suites/password/bz1525628_ct_memcmp_invalid_hash_test.py
+
+diff --git a/dirsrvtests/tests/suites/password/bz1525628_ct_memcmp_invalid_hash_test.py b/dirsrvtests/tests/suites/password/bz1525628_ct_memcmp_invalid_hash_test.py
+new file mode 100644
+index 0000000..2f38384
+--- /dev/null
++++ b/dirsrvtests/tests/suites/password/bz1525628_ct_memcmp_invalid_hash_test.py
+@@ -0,0 +1,56 @@
++# --- BEGIN COPYRIGHT BLOCK ---
++# Copyright (C) 2018 Red Hat, Inc.
++# All rights reserved.
++#
++# License: GPL (version 3 or any later version).
++# See LICENSE for details.
++# --- END COPYRIGHT BLOCK ---
++#
++
++import ldap
++import pytest
++import logging
++from lib389.topologies import topology_st
++from lib389._constants import PASSWORD, DEFAULT_SUFFIX
++
++from lib389.idm.user import UserAccounts, TEST_USER_PROPERTIES
++
++logging.getLogger(__name__).setLevel(logging.DEBUG)
++log = logging.getLogger(__name__)
++
++def test_invalid_hash_fails(topology_st):
++    """When given a malformed hash from userpassword migration
++    slapi_ct_memcmp would check only to the length of the shorter
++    field. This affects some values where it would ONLY verify
++    the salt is valid, and thus would allow any password to bind.
++
++    :id: 8131c029-7147-47db-8d03-ec5db2a01cfb
++    :setup: Standalone Instance
++    :steps:
++        1. Create a user
++        2. Add an invalid password hash (truncated)
++        3. Attempt to bind
++    :expectedresults:
++        1. User is added
++        2. Invalid pw hash is added
++        3. Bind fails
++    """
++    log.info("Running invalid hash test")
++
++    # Allow setting raw password hashes for migration.
++    topology_st.standalone.config.set('nsslapd-allow-hashed-passwords', 'on')
++
++    users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX)
++    user = users.create(properties=TEST_USER_PROPERTIES)
++    user.set('userPassword', '{CRYPT}XX')
++
++    # Attempt to bind. This should fail.
++    with pytest.raises(ldap.INVALID_CREDENTIALS):
++        user.bind(PASSWORD)
++    with pytest.raises(ldap.INVALID_CREDENTIALS):
++        user.bind('XX')
++    with pytest.raises(ldap.INVALID_CREDENTIALS):
++        user.bind('{CRYPT}XX')
++
++    log.info("PASSED")
++
+diff --git a/ldap/servers/plugins/pwdstorage/clear_pwd.c b/ldap/servers/plugins/pwdstorage/clear_pwd.c
+index b9b362d..050e60d 100644
+--- a/ldap/servers/plugins/pwdstorage/clear_pwd.c
++++ b/ldap/servers/plugins/pwdstorage/clear_pwd.c
+@@ -39,7 +39,7 @@ clear_pw_cmp( const char *userpwd, const char *dbpwd )
+          * However, even if the first part of userpw matches dbpwd, but len !=, we
+          * have already failed anyawy. This prevents substring matching.
+          */
+-        if (slapi_ct_memcmp(userpwd, dbpwd, len_dbp) != 0) {
++        if (slapi_ct_memcmp(userpwd, dbpwd, len_user, len_dbp) != 0) {
+             result = 1;
+         }
+     } else {
+@@ -51,7 +51,7 @@ clear_pw_cmp( const char *userpwd, const char *dbpwd )
+          * dbpwd to itself. We have already got result == 1 if we are here, so we are
+          * just trying to take up time!
+          */
+-        if (slapi_ct_memcmp(dbpwd, dbpwd, len_dbp)) {
++        if (slapi_ct_memcmp(dbpwd, dbpwd, len_dbp, len_dbp)) {
+             /* Do nothing, we have the if to fix a coverity check. */
+         }
+     }
+diff --git a/ldap/servers/plugins/pwdstorage/crypt_pwd.c b/ldap/servers/plugins/pwdstorage/crypt_pwd.c
+index dfd5af9..5fcff13 100644
+--- a/ldap/servers/plugins/pwdstorage/crypt_pwd.c
++++ b/ldap/servers/plugins/pwdstorage/crypt_pwd.c
+@@ -56,13 +56,13 @@ crypt_close(Slapi_PBlock *pb __attribute__((unused)))
+ int
+ crypt_pw_cmp( const char *userpwd, const char *dbpwd )
+ {
+-    int rc;
++    int32_t rc;
+     char *cp;
+     PR_Lock(cryptlock);
+     /* we use salt (first 2 chars) of encoded password in call to crypt() */
+     cp = crypt( userpwd, dbpwd );
+     if (cp) {
+-       rc= slapi_ct_memcmp( dbpwd, cp, strlen(dbpwd));
++        rc = slapi_ct_memcmp(dbpwd, cp, strlen(dbpwd), strlen(cp));
+     } else {
+        rc = -1;
+     }
+diff --git a/ldap/servers/plugins/pwdstorage/md5_pwd.c b/ldap/servers/plugins/pwdstorage/md5_pwd.c
+index b279946..2e1c472 100644
+--- a/ldap/servers/plugins/pwdstorage/md5_pwd.c
++++ b/ldap/servers/plugins/pwdstorage/md5_pwd.c
+@@ -30,13 +30,13 @@
+ int
+ md5_pw_cmp( const char *userpwd, const char *dbpwd )
+ {
+-   int rc=-1;
+-   char * bver;
+-   PK11Context *ctx=NULL;
+-   unsigned int outLen;
+-   unsigned char hash_out[MD5_HASH_LEN];
+-   unsigned char b2a_out[MD5_HASH_LEN*2]; /* conservative */
+-   SECItem binary_item;
++    int32_t rc = -1;
++    char *bver;
++    PK11Context *ctx = NULL;
++    unsigned int outLen;
++    unsigned char hash_out[MD5_HASH_LEN];
++    unsigned char b2a_out[MD5_HASH_LEN * 2]; /* conservative */
++    SECItem binary_item;
+ 
+    ctx = PK11_CreateDigestContext(SEC_OID_MD5);
+    if (ctx == NULL) {
+@@ -51,17 +51,17 @@ md5_pw_cmp( const char *userpwd, const char *dbpwd )
+    PK11_DigestFinal(ctx, hash_out, &outLen, sizeof hash_out);
+    PK11_DestroyContext(ctx, 1);
+ 
+-   /* convert the binary hash to base64 */
+-   binary_item.data = hash_out;
+-   binary_item.len = outLen;
+-   bver = NSSBase64_EncodeItem(NULL, (char *)b2a_out, sizeof b2a_out, &binary_item);
+-   /* bver points to b2a_out upon success */
+-   if (bver) {
+-	   rc = slapi_ct_memcmp(bver,dbpwd, strlen(dbpwd));
+-   } else {
+-	   slapi_log_err(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME,
+-					   "Could not base64 encode hashed value for password compare");
+-   }
++    /* convert the binary hash to base64 */
++    binary_item.data = hash_out;
++    binary_item.len = outLen;
++    bver = NSSBase64_EncodeItem(NULL, (char *)b2a_out, sizeof b2a_out, &binary_item);
++    /* bver points to b2a_out upon success */
++    if (bver) {
++        rc = slapi_ct_memcmp(bver, dbpwd, strlen(dbpwd), strlen(bver));
++    } else {
++        slapi_log_err(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME,
++                      "Could not base64 encode hashed value for password compare");
++    }
+ loser:
+    return rc;
+ }
+diff --git a/ldap/servers/plugins/pwdstorage/sha_pwd.c b/ldap/servers/plugins/pwdstorage/sha_pwd.c
+index 5f41c5b..c9db896 100644
+--- a/ldap/servers/plugins/pwdstorage/sha_pwd.c
++++ b/ldap/servers/plugins/pwdstorage/sha_pwd.c
+@@ -49,7 +49,7 @@ sha_pw_cmp (const char *userpwd, const char *dbpwd, unsigned int shaLen )
+     char userhash[MAX_SHA_HASH_SIZE];
+     char quick_dbhash[MAX_SHA_HASH_SIZE + SHA_SALT_LENGTH + 3];
+     char *dbhash = quick_dbhash;
+-    struct berval salt;
++    struct berval salt = {0};
+     PRUint32 hash_len;
+     unsigned int secOID;
+     char *schemeName;
+@@ -120,10 +120,20 @@ sha_pw_cmp (const char *userpwd, const char *dbpwd, unsigned int shaLen )
+     }
+ 
+     /* the proof is in the comparison... */
+-    if ( hash_len >= shaLen ) {
+-        result = slapi_ct_memcmp( userhash, dbhash, shaLen );
++    if (hash_len >= shaLen) {
++        /*
++         * This say "if the hash has a salt IE >, OR if they are equal, check the hash component ONLY.
++         * This is why we repeat shaLen twice, even though it seems odd. If you have a dbhast of ssha
++         * it's len is 28, and the userpw is 20, but 0 - 20 is the sha, and 21-28 is the salt, which
++         * has already been processed into userhash.
++         * The case where dbpwd is truncated is handled above in "invalid base64" arm.
++         */
++        result = slapi_ct_memcmp(userhash, dbhash, shaLen, shaLen);
+     } else {
+-        result = slapi_ct_memcmp( userhash, dbhash + OLD_SALT_LENGTH, hash_len - OLD_SALT_LENGTH );
++        /* This case is for if the salt is at the START, which only applies to DS40B1 case.
++         * May never be a valid check...
++         */
++        result = slapi_ct_memcmp(userhash, dbhash + OLD_SALT_LENGTH, shaLen, hash_len - OLD_SALT_LENGTH);
+     }
+ 
+ loser:
+diff --git a/ldap/servers/plugins/pwdstorage/smd5_pwd.c b/ldap/servers/plugins/pwdstorage/smd5_pwd.c
+index 2e9d195..f6b4bb4 100644
+--- a/ldap/servers/plugins/pwdstorage/smd5_pwd.c
++++ b/ldap/servers/plugins/pwdstorage/smd5_pwd.c
+@@ -52,35 +52,37 @@ smd5_pw_cmp( const char *userpwd, const char *dbpwd )
+    /*
+     * Decode hash stored in database.
+     */
+-   hash_len = pwdstorage_base64_decode_len(dbpwd, 0);
+-   if ( hash_len >= sizeof(quick_dbhash) ) { /* get more space: */
+-      dbhash = (char*) slapi_ch_calloc( hash_len + 1, sizeof(char) );
+-      if ( dbhash == NULL ) goto loser;
+-   } else {
+-      memset( quick_dbhash, 0, sizeof(quick_dbhash) );
+-   }
+-
+-   hashresult = PL_Base64Decode( dbpwd, 0, dbhash );
+-   if (NULL == hashresult) {
+-      slapi_log_err(SLAPI_LOG_PLUGIN, SALTED_MD5_SUBSYSTEM_NAME,
+-            "smd5_pw_cmp: userPassword \"%s\" is the wrong length "
+-            "or is not properly encoded BASE64\n", dbpwd );
+-      goto loser;
+-   }
+-
+-   salt.bv_val = (void*)(dbhash + MD5_LENGTH); /* salt starts after hash value */
+-   salt.bv_len = hash_len - MD5_LENGTH; /* remaining bytes must be salt */
+-
+-   /* create the hash */
+-   memset( userhash, 0, sizeof(userhash) );
+-   PK11_DigestBegin(ctx);
+-   PK11_DigestOp(ctx, (const unsigned char *)userpwd, strlen(userpwd));
+-   PK11_DigestOp(ctx, (unsigned char*)(salt.bv_val), salt.bv_len);
+-   PK11_DigestFinal(ctx, userhash, &outLen, sizeof userhash);
+-   PK11_DestroyContext(ctx, 1);
+-
+-   /* Compare everything up to the salt. */
+-   rc = slapi_ct_memcmp( userhash, dbhash, MD5_LENGTH );
++    hash_len = pwdstorage_base64_decode_len(dbpwd, 0);
++    if (hash_len >= sizeof(quick_dbhash)) { /* get more space: */
++        dbhash = (char *)slapi_ch_calloc(hash_len + 1, sizeof(char));
++        if (dbhash == NULL)
++            goto loser;
++    } else {
++        memset(quick_dbhash, 0, sizeof(quick_dbhash));
++    }
++
++    hashresult = PL_Base64Decode(dbpwd, 0, dbhash);
++    if (NULL == hashresult) {
++        slapi_log_err(SLAPI_LOG_PLUGIN, SALTED_MD5_SUBSYSTEM_NAME,
++                      "smd5_pw_cmp: userPassword \"%s\" is the wrong length "
++                      "or is not properly encoded BASE64\n",
++                      dbpwd);
++        goto loser;
++    }
++
++    salt.bv_val = (void *)(dbhash + MD5_LENGTH); /* salt starts after hash value */
++    salt.bv_len = hash_len - MD5_LENGTH;         /* remaining bytes must be salt */
++
++    /* create the hash */
++    memset(userhash, 0, sizeof(userhash));
++    PK11_DigestBegin(ctx);
++    PK11_DigestOp(ctx, (const unsigned char *)userpwd, strlen(userpwd));
++    PK11_DigestOp(ctx, (unsigned char *)(salt.bv_val), salt.bv_len);
++    PK11_DigestFinal(ctx, userhash, &outLen, sizeof userhash);
++    PK11_DestroyContext(ctx, 1);
++
++    /* Compare everything up to the salt. */
++    rc = slapi_ct_memcmp(userhash, dbhash, MD5_LENGTH, MD5_LENGTH);
+ 
+ loser:
+    if ( dbhash && dbhash != quick_dbhash ) slapi_ch_free_string( (char **)&dbhash );
+diff --git a/ldap/servers/slapd/ch_malloc.c b/ldap/servers/slapd/ch_malloc.c
+index 52ccb64..66cb692 100644
+--- a/ldap/servers/slapd/ch_malloc.c
++++ b/ldap/servers/slapd/ch_malloc.c
+@@ -343,8 +343,8 @@ slapi_ch_smprintf(const char *fmt, ...)
+ 
+ /* Constant time memcmp. Does not shortcircuit on failure! */
+ /* This relies on p1 and p2 both being size at least n! */
+-int
+-slapi_ct_memcmp( const void *p1, const void *p2, size_t n)
++int32_t
++slapi_ct_memcmp(const void *p1, const void *p2, size_t n1, size_t n2)
+ {
+     int result = 0;
+     const unsigned char *_p1 = (const unsigned char *)p1;
+@@ -354,9 +354,35 @@ slapi_ct_memcmp( const void *p1, const void *p2, size_t n)
+         return 2;
+     }
+ 
+-    for (size_t i = 0; i < n; i++) {
+-        if (_p1[i] ^ _p2[i]) {
+-            result = 1;
++    if (n1 == n2) {
++        for (size_t i = 0; i < n1; i++) {
++            if (_p1[i] ^ _p2[i]) {
++                result = 1;
++            }
++        }
++    } else {
++        const unsigned char *_pa;
++        const unsigned char *_pb;
++        size_t nl;
++        if (n2 > n1) {
++            _pa = _p2;
++            _pb = _p2;
++            nl = n2;
++        } else {
++            _pa = _p1;
++            _pb = _p1;
++            nl = n1;
++        }
++        /* We already fail as n1 != n2 */
++        result = 3;
++        for (size_t i = 0; i < nl; i++) {
++            if (_pa[i] ^ _pb[i]) {
++                /*
++                 * If we don't mutate result here, dead code elimination
++                 * we remove for loop.
++                 */
++                result = 4;
++            }
+         }
+     }
+     return result;
+diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
+index d37bc63..2c5c4ce 100644
+--- a/ldap/servers/slapd/slapi-plugin.h
++++ b/ldap/servers/slapd/slapi-plugin.h
+@@ -5859,7 +5859,7 @@ char * slapi_ch_smprintf(const char *fmt, ...)
+  * \param n length in bytes of the content of p1 AND p2.
+  * \return 0 on match. 1 on non-match. 2 on presence of NULL pointer in p1 or p2.
+  */
+-int slapi_ct_memcmp( const void *p1, const void *p2, size_t n);
++int32_t slapi_ct_memcmp(const void *p1, const void *p2, size_t n1, size_t n2);
+ 
+ /*
+  * syntax plugin routines
+-- 
+1.8.3.1
+
diff --git a/net-nds/389-ds-base/metadata.xml b/net-nds/389-ds-base/metadata.xml
index 301c6e83da4b..0a91bf8a3097 100644
--- a/net-nds/389-ds-base/metadata.xml
+++ b/net-nds/389-ds-base/metadata.xml
@@ -4,7 +4,6 @@
 	<maintainer type="person">
 		<email>wibrown@redhat.com</email>
 		<name>William Brown</name>
-		<description>Part of the 389-ds core team</description>
 	</maintainer>
 	<maintainer type="person">
 		<email>wes@sol1.com.au</email>
author	V3n3RiX <venerix@redcorelinux.org>	2018-02-11 16:09:52 +0000
committer	V3n3RiX <venerix@redcorelinux.org>	2018-02-11 16:09:52 +0000
commit	f78108598211053d41752a83e0345441bb9014ae (patch)
tree	dd2fc7ae0a1aea7bda4942ab0c453d1e55284b37 /net-nds/389-ds-base
parent	dc45b83b28fb83e9659492066e347b8dc60bc9e3 (diff)