4 commits - dirsrvtests/tests ldap/servers
by Mark Reynolds
dirsrvtests/tests/suites/password/pwd_algo_test.py | 143 +++++++++++++++++++++
ldap/servers/plugins/pwdstorage/clear_pwd.c | 33 ++++
ldap/servers/plugins/pwdstorage/crypt_pwd.c | 2
ldap/servers/plugins/pwdstorage/md5_pwd.c | 2
ldap/servers/plugins/pwdstorage/ns-mta-md5_pwd.c | 1
ldap/servers/plugins/pwdstorage/sha_pwd.c | 15 +-
ldap/servers/plugins/pwdstorage/smd5_pwd.c | 2
ldap/servers/slapd/ch_malloc.c | 24 +++
ldap/servers/slapd/slapi-plugin.h | 16 ++
9 files changed, 227 insertions(+), 11 deletions(-)
New commits:
commit 762219a35005914c6c088d915ac9346ce7e28512
Author: William Brown <firstyear(a)redhat.com>
Date: Thu Jul 21 13:22:30 2016 +1000
Ticket bz1358565 - clear and unsalted password types are vulnerable to timing attack
Bug Description: Clear and unsalted password types were vulnerable to a timing
attack. This is due to the use of memcmp and strcmp in their comparison.
Fix Description: Add a constant time memcmp function, that does not shortcircuit.
Change all password comparison to use the constant time check. For the clear
scheme, alter the way we do the check to prevent length disclosure timing
attacks.
This resolves CVE-2016-5405
https://bugzilla.redhat.com/show_bug.cgi?id=1358565
https://access.redhat.com/security/cve/CVE-2016-5405
Author: wibrown
Review by: nhosoi (Thanks!)
(cherry picked from commit 9dcaa4a0c866d8696e0a2616ccf962af2833f0b8)
diff --git a/ldap/servers/slapd/ch_malloc.c b/ldap/servers/slapd/ch_malloc.c
index 8f46970..52ccb64 100644
--- a/ldap/servers/slapd/ch_malloc.c
+++ b/ldap/servers/slapd/ch_malloc.c
@@ -123,7 +123,7 @@ slapi_ch_memalign(size_t size, size_t alignment)
int oserr = errno;
oom_occurred();
- slapi_log_error(SLAPI_LOG_ERR, SLAPD_MODULE,
+ slapi_log_err(SLAPI_LOG_ERR, SLAPD_MODULE,
"malloc of %lu bytes failed; OS error %d (%s)%s\n",
size, oserr, slapd_system_strerror( oserr ), oom_advice );
exit( 1 );
@@ -349,13 +349,12 @@ slapi_ct_memcmp( const void *p1, const void *p2, size_t n)
int result = 0;
const unsigned char *_p1 = (const unsigned char *)p1;
const unsigned char *_p2 = (const unsigned char *)p2;
- size_t i;
if (_p1 == NULL || _p2 == NULL) {
return 2;
}
- for (i = 0; i < n; i++) {
+ for (size_t i = 0; i < n; i++) {
if (_p1[i] ^ _p2[i]) {
result = 1;
}
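Review bot: The `for (size_t i = 0; ...)` declaration this hunk restores is the same C99 construct that commit 3548aff (index 7a40b74..8f46970) removed because the build failed with "'for' loop initial declarations are only allowed in C99 mode", and nothing in this commit record says the compiler flags changed on the branch, so this may reintroduce that break. If the branch now builds with -std=gnu99 or later, a sentence in the commit message saying so would spare the next reader the same puzzle; otherwise keep `size_t i;` at the top of the function as 3548aff did. The remainder of slapi_ct_memcmp's body lies outside the hunk.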
commit 3548aff21be9f58e08b3174cb27d9b59af67cc58
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Thu Aug 4 13:26:44 2016 -0700
Ticket bz1358565 - clear and unsalted password types are vulnerable to timing attack
Description: Build fails with the commit f0e03b5a51972a125fe78f448d1f68e288782d1e:
error: 'for' loop initial declarations are only allowed in C99 mode
for (size_t i = 0; i < n; i++) {
^
Moved "size_t i;" to the top of slapi_ct_memcmp.
(cherry picked from commit 53da6d718b3dfee6cdd78e112d1926e90d03128a)
diff --git a/ldap/servers/slapd/ch_malloc.c b/ldap/servers/slapd/ch_malloc.c
index 7a40b74..8f46970 100644
--- a/ldap/servers/slapd/ch_malloc.c
+++ b/ldap/servers/slapd/ch_malloc.c
@@ -349,12 +349,13 @@ slapi_ct_memcmp( const void *p1, const void *p2, size_t n)
int result = 0;
const unsigned char *_p1 = (const unsigned char *)p1;
const unsigned char *_p2 = (const unsigned char *)p2;
+ size_t i;
if (_p1 == NULL || _p2 == NULL) {
return 2;
}
- for (size_t i = 0; i < n; i++) {
+ for (i = 0; i < n; i++) {
if (_p1[i] ^ _p2[i]) {
result = 1;
}
commit c4b5dc8bf325f0a358dc135b91023c3edc103a39
Author: William Brown <firstyear(a)redhat.com>
Date: Thu Jul 21 13:22:30 2016 +1000
Ticket bz1358565 - clear and unsalted password types are vulnerable to timing attack
Bug Description: Clear and unsalted password types were vulnerable to a timing
attack. This is due to the use of memcmp and strcmp in their comparison.
Fix Description: Add a constant time memcmp function, that does not shortcircuit.
Change all password comparison to use the constant time check. For the clear
scheme, alter the way we do the check to prevent length disclosure timing
attacks.
This resolves CVE-2016-5405
https://bugzilla.redhat.com/show_bug.cgi?id=1358565
https://access.redhat.com/security/cve/CVE-2016-5405
Author: wibrown
Review by: nhosoi (Thanks!)
(cherry picked from commit 9dcaa4a0c866d8696e0a2616ccf962af2833f0b8)
(cherry picked from commit f0e03b5a51972a125fe78f448d1f68e288782d1e)
diff --git a/dirsrvtests/tests/suites/password/pwd_algo_test.py b/dirsrvtests/tests/suites/password/pwd_algo_test.py
new file mode 100644
index 0000000..aa8cbf5
--- /dev/null
+++ b/dirsrvtests/tests/suites/password/pwd_algo_test.py
@@ -0,0 +1,143 @@
+import os
+import sys
+import time
+import ldap
+import logging
+import pytest
+from lib389 import DirSrv, Entry, tools, tasks
+from lib389.tools import DirSrvTools
+from lib389._constants import *
+from lib389.properties import *
+from lib389.tasks import *
+from lib389.utils import *
+
+DEBUGGING = True
+USER_DN = 'uid=user,ou=People,%s' % DEFAULT_SUFFIX
+
+if DEBUGGING:
+ logging.getLogger(__name__).setLevel(logging.DEBUG)
+else:
+ logging.getLogger(__name__).setLevel(logging.INFO)
+
+
+log = logging.getLogger(__name__)
+
+
+class TopologyStandalone(object):
+ """The DS Topology Class"""
+ def __init__(self, standalone):
+ """Init"""
+ standalone.open()
+ self.standalone = standalone
+
+
+(a)pytest.fixture(scope="module")
+def topology(request):
+ """Create DS Deployment"""
+
+ # Creating standalone instance ...
+ if DEBUGGING:
+ standalone = DirSrv(verbose=True)
+ else:
+ standalone = DirSrv(verbose=False)
+ args_instance[SER_HOST] = HOST_STANDALONE
+ args_instance[SER_PORT] = PORT_STANDALONE
+ args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE
+ args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX
+ args_standalone = args_instance.copy()
+ standalone.allocate(args_standalone)
+ instance_standalone = standalone.exists()
+ if instance_standalone:
+ standalone.delete()
+ standalone.create()
+ standalone.open()
+
+ def fin():
+ """If we are debugging just stop the instances, otherwise remove
+ them
+ """
+ if DEBUGGING:
+ standalone.stop()
+ else:
+ standalone.delete()
+
+ request.addfinalizer(fin)
+
+ # Clear out the tmp dir
+ standalone.clearTmpDir(__file__)
+
+ return TopologyStandalone(standalone)
+
+def _test_bind(inst, password):
+ result = True
+ userconn = ldap.initialize("ldap://%s:%s" % (HOST_STANDALONE, PORT_STANDALONE))
+ try:
+ userconn.simple_bind_s(USER_DN, password)
+ userconn.unbind_s()
+ except ldap.INVALID_CREDENTIALS:
+ result = False
+ return result
+
+def _test_algo(inst, algo_name):
+ inst.config.set('passwordStorageScheme', algo_name)
+
+ if DEBUGGING:
+ print('Testing %s', algo_name)
+
+ # Create the user with a password
+ inst.add_s(Entry((
+ USER_DN, {
+ 'objectClass': 'top account simplesecurityobject'.split(),
+ 'uid': 'user',
+ 'userpassword': 'Secret123'
+ })))
+
+ # Make sure when we read the userPassword field, it is the correct ALGO
+ pw_field = inst.search_s(USER_DN, ldap.SCOPE_BASE, '(objectClass=*)', ['userPassword'] )[0]
+
+ if DEBUGGING:
+ print(pw_field.getValue('userPassword'))
+
+ if algo_name != 'CLEAR':
+ assert(algo_name.lower() in pw_field.getValue('userPassword').lower())
+ # Now make sure a bind works
+ assert(_test_bind(inst, 'Secret123'))
+ # Bind with a wrong shorter password, should fail
+ assert(not _test_bind(inst, 'Wrong'))
+ # Bind with a wrong longer password, should fail
+ assert(not _test_bind(inst, 'This is even more wrong'))
+ # Bind with a wrong exact length password.
+ assert(not _test_bind(inst, 'Alsowrong'))
+ # Bind with a subset password, should fail
+ assert(not _test_bind(inst, 'Secret'))
+ if algo_name != 'CRYPT':
+ # Bind with a subset password that is 1 char shorter, to detect off by 1 in clear
+ assert(not _test_bind(inst, 'Secret12'))
+ # Bind with a superset password, should fail
+ assert(not _test_bind(inst, 'Secret123456'))
+ # Delete the user
+ inst.delete_s(USER_DN)
+ # done!
+
+def test_pwd_algo_test(topology):
+ """
+ Assert that all of our password algorithms correctly PASS and FAIL varying
+ password conditions.
+
+ """
+ if DEBUGGING:
+ # Add debugging steps(if any)...
+ pass
+
+ for algo in ('CLEAR', 'CRYPT', 'MD5', 'SHA', 'SHA256', 'SHA384', 'SHA512', 'SMD5', 'SSHA', 'SSHA256', 'SSHA384', 'SSHA512'):
+ _test_algo(topology.standalone, algo)
+
+ log.info('Test PASSED')
+
+
+if __name__ == '__main__':
+ # Run isolated
+ # -s for DEBUG mode
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main("-s %s" % CURRENT_FILE)
+
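Review bot: The superset check `assert(not _test_bind(inst, 'Secret123456'))` sits outside the `if algo_name != 'CRYPT':` guard, yet the reason the one-char-shorter check is skipped for CRYPT applies equally here: if the scheme is traditional DES crypt (the two-character-salt comment in crypt_pwd.c suggests it is), only the first 8 characters count, so 'Secret123456' and 'Secret123' both reduce to 'Secret12' and this bind would presumably succeed, failing the test; move the assertion inside the same guard. Separately, `print('Testing %s', algo_name)` passes the name as a second argument instead of formatting it and so prints a tuple; use `print('Testing %s' % algo_name)`. Note that the suite only checks functional pass/fail of binds and never measures bind latency, so it cannot catch a regression of the timing behaviour this CVE is about; a sentence in the test docstring saying so would set expectations.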
diff --git a/ldap/servers/plugins/pwdstorage/clear_pwd.c b/ldap/servers/plugins/pwdstorage/clear_pwd.c
index b9b362d..2afe16e 100644
--- a/ldap/servers/plugins/pwdstorage/clear_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/clear_pwd.c
@@ -26,6 +26,7 @@ int
clear_pw_cmp( const char *userpwd, const char *dbpwd )
{
int result = 0;
+ int len = 0;
int len_user = strlen(userpwd);
int len_dbp = strlen(dbpwd);
if ( len_user != len_dbp ) {
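Review bot: The added `int len = 0;` is not referenced anywhere in the visible context and the commit message does not say what it is for; if it is also unused in the part of clear_pw_cmp below the hunk it will draw exactly the unused-variable warning the sibling commit 3d92679 was chasing, so either drop it or use it. While touching these declarations, `int len_user = strlen(userpwd);` and `int len_dbp = strlen(dbpwd);` narrow size_t to int; declaring them `size_t` avoids the sign-conversion warning and the theoretical wraparound. clear_pw_cmp's body continues outside the hunk.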
diff --git a/ldap/servers/plugins/pwdstorage/crypt_pwd.c b/ldap/servers/plugins/pwdstorage/crypt_pwd.c
index 29355a2..93b54b2 100644
--- a/ldap/servers/plugins/pwdstorage/crypt_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/crypt_pwd.c
@@ -54,7 +54,7 @@ crypt_pw_cmp( const char *userpwd, const char *dbpwd )
/* we use salt (first 2 chars) of encoded password in call to crypt() */
cp = crypt( userpwd, dbpwd );
if (cp) {
- rc= strcmp( dbpwd, cp);
+ rc= slapi_ct_memcmp( dbpwd, cp, strlen(dbpwd));
} else {
rc = -1;
}
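Review bot: Replacing `strcmp(dbpwd, cp)` with `slapi_ct_memcmp(dbpwd, cp, strlen(dbpwd))` drops the length-equality check strcmp gave for free: the new call compares only the first strlen(dbpwd) bytes of crypt()'s output, so a stored value that is a proper prefix of what crypt() produces for its own salt (glibc's `$id$salt$` formats presumably echo the setting string at the front of the result) would now match every password, and a stored value longer than crypt()'s output makes the loop read past cp's buffer — the over-run the slapi_ct_memcmp header comment warns about. Check the lengths first, which leaks only the stored hash's length (a constant per scheme): `size_t dblen = strlen(dbpwd);` then `rc = (strlen(cp) != dblen) ? 1 : slapi_ct_memcmp(dbpwd, cp, dblen);`. Whether the server can ever store such a malformed value depends on the userPassword write path, which is outside this hunk.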
diff --git a/ldap/servers/plugins/pwdstorage/md5_pwd.c b/ldap/servers/plugins/pwdstorage/md5_pwd.c
index a2b374b..b279946 100644
--- a/ldap/servers/plugins/pwdstorage/md5_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/md5_pwd.c
@@ -57,7 +57,7 @@ md5_pw_cmp( const char *userpwd, const char *dbpwd )
bver = NSSBase64_EncodeItem(NULL, (char *)b2a_out, sizeof b2a_out, &binary_item);
/* bver points to b2a_out upon success */
if (bver) {
- rc = strcmp(bver,dbpwd);
+ rc = slapi_ct_memcmp(bver,dbpwd, strlen(dbpwd));
} else {
slapi_log_err(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME,
"Could not base64 encode hashed value for password compare");
diff --git a/ldap/servers/plugins/pwdstorage/ns-mta-md5_pwd.c b/ldap/servers/plugins/pwdstorage/ns-mta-md5_pwd.c
index 2fed61f..ae1f7b8 100644
--- a/ldap/servers/plugins/pwdstorage/ns-mta-md5_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/ns-mta-md5_pwd.c
@@ -84,6 +84,7 @@ ns_mta_md5_pw_cmp(const char * clear, const char *mangled)
mta_hash[32] = mta_salt[32] = 0;
+ /* This is salted, so we don't need to change it for constant time */
return( strcmp(mta_hash,ns_mta_hash_alg(buffer,mta_salt,clear)));
}
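Review bot: The new comment `This is salted, so we don't need to change it for constant time` overstates the case: strcmp still returns at the first character where the computed digest diverges from mta_hash, which leaks how many leading characters of the stored digest a guess reproduced regardless of salting — the salt only makes converting that leak into a preimage harder, it does not remove the leak. Since every other scheme in this commit switched, and `mta_hash[32] = ... = 0` above shows a fixed 32-character buffer, the consistent change is cheap: `return slapi_ct_memcmp(mta_hash, ns_mta_hash_alg(buffer, mta_salt, clear), 32);`, assuming ns_mta_hash_alg fills at least 32 bytes of buffer, which the hunk does not show. If the decision to leave it stands, the comment should say the residual leak was judged acceptable rather than absent.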
diff --git a/ldap/servers/plugins/pwdstorage/sha_pwd.c b/ldap/servers/plugins/pwdstorage/sha_pwd.c
index 30fe725..5f41c5b 100644
--- a/ldap/servers/plugins/pwdstorage/sha_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/sha_pwd.c
@@ -120,13 +120,16 @@ sha_pw_cmp (const char *userpwd, const char *dbpwd, unsigned int shaLen )
}
/* the proof is in the comparison... */
- result = ( hash_len >= shaLen ) ?
- ( memcmp( userhash, dbhash, shaLen ) ) : /* include salt */
- ( memcmp( userhash, dbhash + OLD_SALT_LENGTH,
- hash_len - OLD_SALT_LENGTH ) ); /* exclude salt */
+ if ( hash_len >= shaLen ) {
+ result = slapi_ct_memcmp( userhash, dbhash, shaLen );
+ } else {
+ result = slapi_ct_memcmp( userhash, dbhash + OLD_SALT_LENGTH, hash_len - OLD_SALT_LENGTH );
+ }
- loser:
- if ( dbhash && dbhash != quick_dbhash ) slapi_ch_free_string( &dbhash );
+loser:
+ if ( dbhash && dbhash != quick_dbhash ) {
+ slapi_ch_free_string( &dbhash );
+ }
return result;
}
diff --git a/ldap/servers/plugins/pwdstorage/smd5_pwd.c b/ldap/servers/plugins/pwdstorage/smd5_pwd.c
index 1309d28..2e9d195 100644
--- a/ldap/servers/plugins/pwdstorage/smd5_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/smd5_pwd.c
@@ -80,7 +80,7 @@ smd5_pw_cmp( const char *userpwd, const char *dbpwd )
PK11_DestroyContext(ctx, 1);
/* Compare everything up to the salt. */
- rc = memcmp( userhash, dbhash, MD5_LENGTH );
+ rc = slapi_ct_memcmp( userhash, dbhash, MD5_LENGTH );
loser:
if ( dbhash && dbhash != quick_dbhash ) slapi_ch_free_string( (char **)&dbhash );
diff --git a/ldap/servers/slapd/ch_malloc.c b/ldap/servers/slapd/ch_malloc.c
index 8278de4..7a40b74 100644
--- a/ldap/servers/slapd/ch_malloc.c
+++ b/ldap/servers/slapd/ch_malloc.c
@@ -340,3 +340,25 @@ slapi_ch_smprintf(const char *fmt, ...)
return p;
}
#endif
+
+/* Constant time memcmp. Does not shortcircuit on failure! */
+/* This relies on p1 and p2 both being size at least n! */
+int
+slapi_ct_memcmp( const void *p1, const void *p2, size_t n)
+{
+ int result = 0;
+ const unsigned char *_p1 = (const unsigned char *)p1;
+ const unsigned char *_p2 = (const unsigned char *)p2;
+
+ if (_p1 == NULL || _p2 == NULL) {
+ return 2;
+ }
+
+ for (size_t i = 0; i < n; i++) {
+ if (_p1[i] ^ _p2[i]) {
+ result = 1;
+ }
+ }
+ return result;
+}
+
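Review bot: Inside the loop, `if (_p1[i] ^ _p2[i]) { result = 1; }` is a data-dependent branch, so the function is constant-time only in the sense that it never returns early; the conditional can still compile to a branch, and because `result` never changes once set, an optimizer could in principle legally turn the loop into an early exit since no later iteration has an observable effect. The conventional branch-free accumulation avoids both problems: `unsigned char diff = 0;` / `for (size_t i = 0; i < n; i++) { diff |= _p1[i] ^ _p2[i]; }` / `return diff != 0;`. The NULL check on `_p1`/`_p2` returns before the loop; that is acceptable because those pointers come from the server rather than the client, but a one-line comment saying so would stop the next reader from treating it as a timing leak.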
diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
index f4253de..7c087e6 100644
--- a/ldap/servers/slapd/slapi-plugin.h
+++ b/ldap/servers/slapd/slapi-plugin.h
@@ -5837,6 +5837,22 @@ char * slapi_ch_smprintf(const char *fmt, ...)
#else
;
#endif
+/**
+ * slapi_ct_memcmp is a constant time memory comparison function. This is for
+ * use with password hashes and other locations which could lead to a timing
+ * attack due to early shortcut returns. This function *does not* shortcircuit
+ * during the comparison, always checking every byte regardless if it has already
+ * found that the memory does not match.
+ *
+ * WARNING! p1 and p2 must both reference content that is at least of size 'n'.
+ * Else this function may over-run (And will certainly fail).
+ *
+ * \param p1 pointer to first value to check.
+ * \param p2 pointer to second value to check.
+ * \param n length in bytes of the content of p1 AND p2.
+ * \return 0 on match. 1 on non-match. 2 on presence of NULL pointer in p1 or p2.
+ */
+int slapi_ct_memcmp( const void *p1, const void *p2, size_t n);
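Review bot: The doc comment should state that, unlike memcmp(3), the return value carries no ordering information and must only be tested against zero, because a caller porting `if (rc < 0)` logic from memcmp will silently misbehave with the 0/1/2 result. I would add after the `\return` line: ` * Note: the result is NOT a signed ordering like memcmp(); treat any non-zero value as "different".` It would also help to say that the NULL-pointer path returns immediately and is therefore not constant-time itself, so callers must not let a client influence whether p1 or p2 is NULL.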
/*
* syntax plugin routines
commit 3d92679cf97518aedcf6534ac5967edf8d2c9d28
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Mon Aug 8 10:12:33 2016 -0700
Ticket bz1358565 - clear and unsalted password types are vulnerable to timing attack
Description: Fixing a compiler warning introduced by commit
f0e03b5a51972a125fe78f448d1f68e288782d1e.
(cherry picked from commit c62ea0c98445d31fb55baebe9778fe860b3266ea)
diff --git a/ldap/servers/plugins/pwdstorage/clear_pwd.c b/ldap/servers/plugins/pwdstorage/clear_pwd.c
index 84dac2a..b9b362d 100644
--- a/ldap/servers/plugins/pwdstorage/clear_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/clear_pwd.c
@@ -25,7 +25,37 @@
int
clear_pw_cmp( const char *userpwd, const char *dbpwd )
{
- return( strcmp( userpwd, dbpwd ));
+ int result = 0;
+ int len_user = strlen(userpwd);
+ int len_dbp = strlen(dbpwd);
+ if ( len_user != len_dbp ) {
+ result = 1;
+ }
+ /* We have to do this comparison ANYWAY else we have a length timing attack. */
+ if ( len_user >= len_dbp ) {
+ /*
+ * If they are the same length, result will be 0 here, and if we pass
+ * the check, we don't update result either. IE we pass.
+ * However, even if the first part of userpw matches dbpwd, but len !=, we
+ * have already failed anyawy. This prevents substring matching.
+ */
+ if (slapi_ct_memcmp(userpwd, dbpwd, len_dbp) != 0) {
+ result = 1;
+ }
+ } else {
+ /*
+ * If we stretched the userPassword, we'll allow a new timing attack, where
+ * if we see a delay on a short pw, we know we are stretching.
+ * when the delay goes away, it means we've found the length.
+ * Instead, because we don't want to use the short pw for comp, we just compare
+ * dbpwd to itself. We have already got result == 1 if we are here, so we are
+ * just trying to take up time!
+ */
+ if (slapi_ct_memcmp(dbpwd, dbpwd, len_dbp)) {
+ /* Do nothing, we have the if to fix a coverity check. */
+ }
+ }
+ return result;
}
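Review bot: The padding call `slapi_ct_memcmp(dbpwd, dbpwd, len_dbp)` in the else branch compares a buffer with itself and discards the result, and the empty `if` body only quiets Coverity; under LTO, or any build where slapi_ct_memcmp becomes visible to the optimizer, a side-effect-free call with identical arguments and an unused result can be dropped, which would restore the length-dependent timing the branch exists to hide. Sinking the result through a volatile keeps the call alive regardless of inlining: `volatile int sink = slapi_ct_memcmp(dbpwd, dbpwd, len_dbp);` / `(void)sink;`. Also `int len_user = strlen(userpwd);` and `int len_dbp = strlen(dbpwd);` narrow size_t to int; `size_t` avoids an easy sign-conversion warning.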
char *
Branch '389-ds-base-1.2.11' - Makefile.am
by Noriko Hosoi
Makefile.am | 1 +
1 file changed, 1 insertion(+)
New commits:
commit 4fbcabbef3a2f1197d553f593b4b040ac968eade
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Thu Nov 3 11:19:41 2016 -0700
Ticket 47462 - Add AES plugin to replace DES plugin
Description: Adding 50AES-pbe-plugin.ldif to update_DATA.
diff --git a/Makefile.am b/Makefile.am
index d018cb8..b44fd04 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -500,6 +500,7 @@ update_DATA = ldap/admin/src/scripts/exampleupdate.pl \
ldap/admin/src/scripts/50smd5pwdstorageplugin.ldif \
ldap/admin/src/scripts/50refintprecedence.ldif \
ldap/admin/src/scripts/50retroclprecedence.ldif \
+ ldap/admin/src/scripts/50AES-pbe-plugin.ldif \
ldap/admin/src/scripts/52updateAESplugin.pl \
ldap/admin/src/scripts/60upgradeschemafiles.pl \
ldap/admin/src/scripts/70upgradefromldif.pl \
Branch '389-ds-base-1.2.11' - ldap/servers
by Noriko Hosoi
ldap/servers/plugins/referint/referint.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
New commits:
commit 6cc76d8a96b4c41b00475280b0f3f236778bb35e
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Wed Jul 31 12:21:19 2013 -0400
Ticket 47411 - Replace substring search with plain search in referint plugin
Bug Description: RI plugin uses a substring search by default, which is much more
expensive than an equality search filter.
Fix Description: Only use the substring search if the operation is a modrdn.
https://fedorahosted.org/389/ticket/47411
Reveiwed by: richm(Thanks!)
(cherry picked from commit a5dde495a7df7b19fd71cccdb0eb1b91d1f73b58)
diff --git a/ldap/servers/plugins/referint/referint.c b/ldap/servers/plugins/referint/referint.c
index 4a722c1..bd0fbe9 100644
--- a/ldap/servers/plugins/referint/referint.c
+++ b/ldap/servers/plugins/referint/referint.c
@@ -704,11 +704,14 @@ update_integrity(char **argv, Slapi_DN *origSDN,
{
search_base = slapi_sdn_get_dn( sdn );
- for(i = 3; argv[i] != NULL; i++)
- {
+ for(i = 3; argv[i] != NULL; i++){
char buf[BUFSIZ];
- filter = slapi_ch_smprintf("(%s=*%s)", argv[i],
- escape_filter_value(origDN, len, buf));
+ if(newrDN){
+ /* we need to check the children of the old dn, so use a wildcard */
+ filter = slapi_ch_smprintf("(%s=*%s)", argv[i], escape_filter_value(origDN, len, buf));
+ } else {
+ filter = slapi_ch_smprintf("(%s=%s)", argv[i], escape_filter_value(origDN, len, buf));
+ }
if ( filter ) {
/* Need only the current attribute and its subtypes */
char *attrs[2];
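Review bot: The modrdn branch keeps the `(%s=*%s)` filter, whose leading wildcard matches any value that merely ends with origDN — including a value whose own RDN text happens to end in the old DN with no separating comma — rather than only the descendants the comment describes; `(%s=*,%s)` restricts it to values with origDN as a proper parent, assuming the stored values are normalized DNs with no whitespace after commas, which the hunk does not show. The non-modrdn switch to `(%s=%s)` is the right call and is what the commit is about. update_integrity starts and ends outside the hunk, and `escape_filter_value(origDN, len, buf)` writing into `char buf[BUFSIZ]` relies on a bound that is not visible here.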
ldap/admin
by thierry bordaz
ldap/admin/src/scripts/DSUtil.pm.in | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
New commits:
commit 3204074fc52ab7afb9bede059c86c53ce4765f40
Author: Thierry Bordaz <tbordaz(a)redhat.com>
Date: Fri Oct 21 16:28:59 2016 +0200
Ticket 49016 - (un)register/migration/remove may fail if there is no suffix on 'userRoot' backend
Bug Description:
If an instance has no suffix on 'userRoot' backend, then the info structure
may contain empty 'Suffix'.
In fact, if the last backend has no suffix (like cn=config), it overwrites any
previously found value.
This affects register (and possibly unregister/migrate/remove).
Fix Description:
Before overwriting the 'Suffix' value, check that the found backend contains
'nsslapd-suffix'.
https://fedorahosted.org/389/ticket/49016
Reviewed by: Noriko Hosoi (Thank you Noriko)
Platforms tested: RHEL 7.2
Flag Day: no
Doc impact: no
diff --git a/ldap/admin/src/scripts/DSUtil.pm.in b/ldap/admin/src/scripts/DSUtil.pm.in
index 756d6ea..eac59a3 100644
--- a/ldap/admin/src/scripts/DSUtil.pm.in
+++ b/ldap/admin/src/scripts/DSUtil.pm.in
@@ -975,7 +975,9 @@ sub createInfFromConfig {
}
# use the userRoot suffix if available
while ($ent) {
- $suffix = $ent->getValues('nsslapd-suffix');
+ if ($ent->getValues('nsslapd-suffix')) {
+ $suffix = $ent->getValues('nsslapd-suffix');
+ }
last if ($ent->hasValue('cn', 'userRoot', 1));
$ent = $conn->nextEntry();
}
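Review bot: Both `if ($ent->getValues('nsslapd-suffix'))` and the assignment below call getValues in scalar context; whether that yields the attribute value, the number of values, or the last value depends on how getValues builds its return list, and the hunk does not show it. Capturing the list once makes the intent unambiguous and avoids the double call: `my @sfx = $ent->getValues('nsslapd-suffix');` / `$suffix = $sfx[0] if @sfx;`. The loop still stops at userRoot even when userRoot itself has no suffix, in which case $suffix is whatever the previous backend supplied — worth a comment, since that is the situation the ticket describes.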
Branch '389-ds-base-1.3.5' - ldap/admin
by thierry bordaz
ldap/admin/src/scripts/DSUtil.pm.in | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
New commits:
commit 1bafab5ae1e894ae3680679e03e457b9ace7e7d2
Author: Thierry Bordaz <tbordaz(a)redhat.com>
Date: Fri Oct 21 16:28:59 2016 +0200
Ticket 49016 - (un)register/migration/remove may fail if there is no suffix on 'userRoot' backend
Bug Description:
If an instance has no suffix on 'userRoot' backend, then the info structure
may contain empty 'Suffix'.
In fact, if the last backend has no suffix (like cn=config), it overwrites any
previously found value.
This affects register (and possibly unregister/migrate/remove).
Fix Description:
Before overwriting the 'Suffix' value, check that the found backend contains
'nsslapd-suffix'.
https://fedorahosted.org/389/ticket/49016
Reviewed by: Noriko Hosoi (Thank you Noriko)
Platforms tested: RHEL 7.2
Flag Day: no
Doc impact: no
diff --git a/ldap/admin/src/scripts/DSUtil.pm.in b/ldap/admin/src/scripts/DSUtil.pm.in
index 756d6ea..eac59a3 100644
--- a/ldap/admin/src/scripts/DSUtil.pm.in
+++ b/ldap/admin/src/scripts/DSUtil.pm.in
@@ -975,7 +975,9 @@ sub createInfFromConfig {
}
# use the userRoot suffix if available
while ($ent) {
- $suffix = $ent->getValues('nsslapd-suffix');
+ if ($ent->getValues('nsslapd-suffix')) {
+ $suffix = $ent->getValues('nsslapd-suffix');
+ }
last if ($ent->hasValue('cn', 'userRoot', 1));
$ent = $conn->nextEntry();
}
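Review bot: `$ent->getValues('nsslapd-suffix')` is evaluated twice here, once in boolean context and once in scalar assignment, and the hunk does not show whether getValues returns an array (count in scalar context) or a list (last element); the guard is correct either way, but the assigned value may not be. Fetching the list into a temporary settles it and halves the calls: `my @sfx = $ent->getValues('nsslapd-suffix');` / `$suffix = $sfx[0] if @sfx;`. A short comment that $suffix deliberately keeps the last suffix seen before userRoot when userRoot has none would document the fix's intent.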
dirsrvtests/tests ldap/ldif ldap/servers Makefile.am
by William Brown
Makefile.am | 3
dirsrvtests/tests/tickets/ticket397_test.py | 151 ++++++++++++++++++
ldap/ldif/template-dse.ldif.in | 9 +
ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c | 216 +++++++++++++++++++++++++++
ldap/servers/plugins/pwdstorage/pwd_init.c | 20 ++
ldap/servers/plugins/pwdstorage/pwdstorage.h | 7
ldap/servers/slapd/pw.c | 7
ldap/servers/slapd/pw.h | 3
8 files changed, 414 insertions(+), 2 deletions(-)
New commits:
commit 542287ce724e4d3bd69d699d3d61c3e640cc1541
Author: William Brown <firstyear(a)redhat.com>
Date: Tue Aug 2 16:54:08 2016 +1000
Ticket 397 - Add PBKDF2 to Directory Server password storage.
Bug Description: We need to improve the cryptographic quality of hashes
available in DS to prevent attacks on hashes both online and offline.
Fix Description: PBKDF2 is a hash scheme with a configurable number of "iterations",
which multiplies the work an attacker must do per guess. This makes it
harder to build rainbow tables, brute-force, or hardware-accelerate attacks.
https://fedorahosted.org/389/ticket/397
Author: wibrown
Review by: rrelyea, nhosoi (Thanks!)
diff --git a/Makefile.am b/Makefile.am
index b6ebf92..546f89e 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1419,7 +1419,8 @@ libpwdstorage_plugin_la_SOURCES = ldap/servers/plugins/pwdstorage/clear_pwd.c \
ldap/servers/plugins/pwdstorage/pwd_util.c \
ldap/servers/plugins/pwdstorage/sha_pwd.c \
ldap/servers/plugins/pwdstorage/smd5_pwd.c \
- ldap/servers/plugins/pwdstorage/ssha_pwd.c
+ ldap/servers/plugins/pwdstorage/ssha_pwd.c \
+ ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
libpwdstorage_plugin_la_CPPFLAGS = $(PLUGIN_CPPFLAGS)
libpwdstorage_plugin_la_LIBADD = libslapd.la $(NSS_LINK) $(NSPR_LINK) $(LIBCRYPT)
diff --git a/dirsrvtests/tests/tickets/ticket397_test.py b/dirsrvtests/tests/tickets/ticket397_test.py
new file mode 100644
index 0000000..4bf4eda
--- /dev/null
+++ b/dirsrvtests/tests/tickets/ticket397_test.py
@@ -0,0 +1,151 @@
+import os
+import sys
+import time
+import ldap
+import logging
+import pytest
+from lib389 import DirSrv, Entry, tools, tasks
+from lib389.tools import DirSrvTools
+from lib389._constants import *
+from lib389.properties import *
+from lib389.tasks import *
+from lib389.utils import *
+
+DEBUGGING = False
+USER_DN = 'uid=user,ou=People,%s' % DEFAULT_SUFFIX
+
+if DEBUGGING:
+ logging.getLogger(__name__).setLevel(logging.DEBUG)
+else:
+ logging.getLogger(__name__).setLevel(logging.INFO)
+
+
+log = logging.getLogger(__name__)
+
+
+class TopologyStandalone(object):
+ """The DS Topology Class"""
+ def __init__(self, standalone):
+ """Init"""
+ standalone.open()
+ self.standalone = standalone
+
+
+(a)pytest.fixture(scope="module")
+def topology(request):
+ """Create DS Deployment"""
+
+ # Creating standalone instance ...
+ if DEBUGGING:
+ standalone = DirSrv(verbose=True)
+ else:
+ standalone = DirSrv(verbose=False)
+ args_instance[SER_HOST] = HOST_STANDALONE
+ args_instance[SER_PORT] = PORT_STANDALONE
+ args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE
+ args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX
+ args_standalone = args_instance.copy()
+ standalone.allocate(args_standalone)
+ instance_standalone = standalone.exists()
+ if instance_standalone:
+ standalone.delete()
+ standalone.create()
+ standalone.open()
+
+ def fin():
+ """If we are debugging just stop the instances, otherwise remove
+ them
+ """
+ if DEBUGGING:
+ standalone.stop()
+ else:
+ standalone.delete()
+
+ request.addfinalizer(fin)
+
+ # Clear out the tmp dir
+ standalone.clearTmpDir(__file__)
+
+ return TopologyStandalone(standalone)
+
+def _test_bind(inst, password):
+ result = True
+ userconn = ldap.initialize("ldap://%s:%s" % (HOST_STANDALONE, PORT_STANDALONE))
+ try:
+ userconn.simple_bind_s(USER_DN, password)
+ userconn.unbind_s()
+ except ldap.INVALID_CREDENTIALS:
+ result = False
+ return result
+
+def _test_algo(inst, algo_name):
+ inst.config.set('passwordStorageScheme', algo_name)
+
+ if DEBUGGING:
+ print('Testing %s' % algo_name)
+
+ # Create the user with a password
+ inst.add_s(Entry((
+ USER_DN, {
+ 'objectClass': 'top account simplesecurityobject'.split(),
+ 'uid': 'user',
+ 'userpassword': ['Secret123', ]
+ })))
+
+ # Make sure when we read the userPassword field, it is the correct ALGO
+ pw_field = inst.search_s(USER_DN, ldap.SCOPE_BASE, '(objectClass=*)', ['userPassword'] )[0]
+
+ if DEBUGGING:
+ print(pw_field.getValue('userPassword'))
+
+ if algo_name != 'CLEAR':
+ lalgo_name = algo_name.lower()
+ lpw_algo_name = pw_field.getValue('userPassword').lower()
+ assert(lpw_algo_name.startswith("{%s}" % lalgo_name))
+ # Now make sure a bind works
+ assert(_test_bind(inst, 'Secret123'))
+ # Bind with a wrong shorter password, should fail
+ assert(not _test_bind(inst, 'Wrong'))
+ # Bind with a wrong longer password, should fail
+ assert(not _test_bind(inst, 'This is even more wrong'))
+ # Bind with a password that has the algo in the name
+ assert(not _test_bind(inst, '{%s}SomeValues....' % algo_name))
+ # Bind with a wrong exact length password.
+ assert(not _test_bind(inst, 'Alsowrong'))
+ # Bind with a subset password, should fail
+ assert(not _test_bind(inst, 'Secret'))
+ if algo_name != 'CRYPT':
+ # Bind with a subset password that is 1 char shorter, to detect off by 1 in clear
+ assert(not _test_bind(inst, 'Secret12'))
+ # Bind with a superset password, should fail
+ assert(not _test_bind(inst, 'Secret123456'))
+ # Delete the user
+ inst.delete_s(USER_DN)
+ # done!
+
+def test_397(topology):
+ """
+ Assert that all of our password algorithms correctly PASS and FAIL varying
+ password conditions.
+
+ """
+ if DEBUGGING:
+ # Add debugging steps(if any)...
+ log.info("ATTACH NOW")
+ time.sleep(30)
+
+ # Merge this to the password suite in the future
+
+ for algo in ('PBKDF2_SHA256', ):
+ for i in range(0, 10):
+ _test_algo(topology.standalone, algo)
+
+ log.info('Test PASSED')
+
+
+if __name__ == '__main__':
+ # Run isolated
+ # -s for DEBUG mode
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main("-s %s" % CURRENT_FILE)
+
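Review bot: `lpw_algo_name = pw_field.getValue('userPassword').lower()` followed by `startswith("{%s}" % lalgo_name)` compares the attribute value against a str; if lib389 returns attribute values as bytes under Python 3, `.lower()` succeeds but `startswith` raises TypeError, so decoding first (`pw_field.getValue('userPassword').decode('utf-8').lower()`) keeps the test portable — the hunk does not show which Python the suite targets. The `for i in range(0, 10)` loop repeats the identical add/bind/delete cycle ten times with no comment on why; if the intent is to exercise fresh random salts, say so, otherwise it only multiplies runtime. The assertion also proves only that the stored value carries the `{PBKDF2_SHA256}` prefix; nothing checks the encoded iteration count or salt length, which is what a silent downgrade would change.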
diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in
index 8258b70..7e519f2 100644
--- a/ldap/ldif/template-dse.ldif.in
+++ b/ldap/ldif/template-dse.ldif.in
@@ -211,6 +211,15 @@ nsslapd-plugininitfunc: ns_mta_md5_pwd_storage_scheme_init
nsslapd-plugintype: pwdstoragescheme
nsslapd-pluginenabled: on
+dn: cn=PBKDF2_SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
+objectclass: top
+objectclass: nsSlapdPlugin
+cn: PBKDF2_SHA256
+nsslapd-pluginpath: libpwdstorage-plugin
+nsslapd-plugininitfunc: pbkdf2_sha256_pwd_storage_scheme_init
+nsslapd-plugintype: pwdstoragescheme
+nsslapd-pluginenabled: on
+
dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
diff --git a/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c b/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
new file mode 100644
index 0000000..1b3e555
--- /dev/null
+++ b/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
@@ -0,0 +1,216 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright (C) 2016 Red Hat, Inc.
+ * All rights reserved.
+ *
+ * License: GPL (version 3 or any later version).
+ * See LICENSE for details.
+ * END COPYRIGHT BLOCK **/
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+/*
+ * slapd hashed password routines
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <sys/types.h>
+
+#include "pwdstorage.h"
+
+#include <pk11pub.h>
+
+/* Need this for htonl and ntohl */
+#include <arpa/inet.h>
+
+/* WB Nist recommend 128 bits (16 bytes) in 2016, may as well go for more to future proof. */
+/* !!!!!!!! NEVER CHANGE THESE VALUES !!!!!!!! */
+#define PBKDF2_SALT_LENGTH 64
+#define PBKDF2_ITERATIONS_LENGTH 4
+/* If this isn't 256 NSS explodes without setting an error code .... */
+#define PBKDF2_HASH_LENGTH 256
+#define PBKDF2_TOTAL_LENGTH (PBKDF2_ITERATIONS_LENGTH + PBKDF2_SALT_LENGTH + PBKDF2_HASH_LENGTH)
+/* ======== END NEVER CHANGE THESE VALUES ==== */
+
+/*
+ * WB - It's important we keep this private, and we increment it over time.
+ * Administrators are likely to forget to update it, or they will set it too low.
+ * We therfore keep it private, so we can increase it as our security recomendations
+ * change and improve.
+ *
+ * At the same time we MUST increase this with each version of Directory Server
+ * This value is written into the hash, so it's safe to change.
+ */
+#define PBKDF2_ITERATIONS 30000
+
+static const char *schemeName = PBKDF2_SHA256_SCHEME_NAME;
+static const PRUint32 schemeNameLength = PBKDF2_SHA256_NAME_LEN;
+
+/* For requesting the slot which supports these types */
+static CK_MECHANISM_TYPE mechanism_array[] = {CKM_SHA256_HMAC, CKM_PKCS5_PBKD2};
+
+void
+pbkdf2_sha256_extract(char *hash_in, SECItem *salt, PRUint32 *iterations)
+{
+ /*
+ * This will take the input of hash_in (generated from pbkdf2_sha256_hash) and
+ * populate the hash (output of nss pkbdf2), salt, and iterations.
+ * Enough space should be avaliable in these for the values to fit into.
+ */
+
+ memcpy(iterations, hash_in, PBKDF2_ITERATIONS_LENGTH);
+ /* We use ntohl on this value to make sure it's correct endianess. */
+ *iterations = ntohl(*iterations);
+
+ /* warning: pointer targets in assignment differ in signedness [-Wpointer-sign] */
+ salt->data = (unsigned char *)(hash_in + PBKDF2_ITERATIONS_LENGTH);
+ salt->len = PBKDF2_SALT_LENGTH;
+}
+
+SECStatus
+pbkdf2_sha256_hash(char *hash_out, size_t hash_out_len, SECItem *pwd, SECItem *salt, PRUint32 iterations)
+{
+ SECItem *result = NULL;
+ SECAlgorithmID *algid = NULL;
+ PK11SlotInfo *slot = NULL;
+ PK11SymKey *symkey = NULL;
+
+ /* We assume that NSS is already started. */
+ algid = PK11_CreatePBEV2AlgorithmID(SEC_OID_PKCS5_PBKDF2, SEC_OID_HMAC_SHA256, SEC_OID_HMAC_SHA256, hash_out_len, iterations, salt);
+
+ if (algid != NULL) {
+ /* Gets the best slot that provides SHA256HMAC and PBKDF2 (may not be the default!) */
+ slot = PK11_GetBestSlotMultiple(mechanism_array, 2, NULL);
+ if (slot != NULL) {
+ symkey = PK11_PBEKeyGen(slot, algid, pwd, PR_FALSE, NULL);
+ PK11_FreeSlot(slot);
+ if (symkey == NULL) {
+ /* We try to get the Error here but NSS has two or more error interfaces, and sometimes it uses none of them. */
+ PRInt32 status = PORT_GetError();
+ slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Unable to retrieve symkey from NSS. Error code might be %d ???\n", status);
+ slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "The most likely cause is your system has nss 3.21 or lower. PBKDF2 requires nss 3.22 or higher.\n");
+ return SECFailure;
+ }
+ } else {
+ slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Unable to retrieve slot from NSS.\n");
+ return SECFailure;
+ }
+ SECOID_DestroyAlgorithmID(algid, PR_TRUE);
+ } else {
+ /* Uh oh! */
+ slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Unable to generate algorithm ID.\n");
+ return SECFailure;
+ }
+
+ if (PK11_ExtractKeyValue(symkey) == SECSuccess) {
+ result = PK11_GetKeyData(symkey);
+ if (result != NULL && result->len <= hash_out_len) {
+ memcpy(hash_out, result->data, result->len);
+ PK11_FreeSymKey(symkey);
+ } else {
+ PK11_FreeSymKey(symkey);
+ slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Unable to retrieve (get) hash output.\n");
+ return SECFailure;
+ }
+ } else {
+ slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Unable to extract hash output.\n");
+ return SECFailure;
+ }
+
+ return SECSuccess;
+}
+
+char *
+pbkdf2_sha256_pw_enc(const char *pwd)
+{
+ char hash[ PBKDF2_TOTAL_LENGTH ];
+ size_t encsize = 3 + schemeNameLength + LDIF_BASE64_LEN(PBKDF2_TOTAL_LENGTH);
+ char *enc = slapi_ch_calloc(encsize, sizeof(char));
+ PRUint32 iterations = PBKDF2_ITERATIONS;
+
+ SECItem saltItem;
+ SECItem passItem;
+ char salt[PBKDF2_SALT_LENGTH];
+
+ memset(hash, 0, PBKDF2_TOTAL_LENGTH);
+ memset(salt, 0, PBKDF2_SALT_LENGTH);
+ saltItem.data = (unsigned char *)salt;
+ saltItem.len = PBKDF2_SALT_LENGTH;
+ passItem.data = (unsigned char *)pwd;
+ passItem.len = strlen(pwd);
+
+ /* make a new random salt */
+ slapi_rand_array(salt, PBKDF2_SALT_LENGTH);
+
+ /*
+ * Preload the salt and iterations to the output.
+ * memcpy the iterations to the hash_out
+ * We use ntohl on this value to make sure it's correct endianess.
+ */
+ iterations = htonl(iterations);
+ memcpy(hash, &iterations, PBKDF2_ITERATIONS_LENGTH);
+ /* memcpy the salt to the hash_out */
+ memcpy(hash + PBKDF2_ITERATIONS_LENGTH, saltItem.data, PBKDF2_SALT_LENGTH);
+
+ /*
+ * This offset is to make the hash function put the values
+ * In the correct part of the memory.
+ */
+ if ( pbkdf2_sha256_hash(hash + PBKDF2_ITERATIONS_LENGTH + PBKDF2_SALT_LENGTH, PBKDF2_HASH_LENGTH, &passItem, &saltItem, PBKDF2_ITERATIONS) != SECSuccess ) {
+ slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Could not generate pbkdf2_sha256_hash!\n");
+ return NULL;
+ }
+
+ sprintf(enc, "%c%s%c", PWD_HASH_PREFIX_START, schemeName, PWD_HASH_PREFIX_END);
+ (void)PL_Base64Encode( hash, PBKDF2_TOTAL_LENGTH, enc + 2 + schemeNameLength);
+ PR_ASSERT(enc[encsize - 1] == '\0');
+
+ slapi_log_err(SLAPI_LOG_PLUGIN, (char *)schemeName, "Generated hash %s\n", enc);
+
+ return enc;
+}
+
+PRInt32
+pbkdf2_sha256_pw_cmp(const char *userpwd, const char *dbpwd)
+{
+ PRInt32 result = 1; /* Default to fail. */
+ char dbhash[ PBKDF2_TOTAL_LENGTH ];
+ char userhash[ PBKDF2_HASH_LENGTH ];
+ PRUint32 dbpwd_len = strlen(dbpwd);
+ SECItem saltItem;
+ SECItem passItem;
+ PRUint32 iterations = 0;
+
+ /* Our hash value is always at a known offset. */
+ char *hash = dbhash + PBKDF2_ITERATIONS_LENGTH + PBKDF2_SALT_LENGTH;
+
+ slapi_log_err(SLAPI_LOG_PLUGIN, (char *)schemeName, "Comparing password\n");
+
+ memset(dbhash, 0, PBKDF2_TOTAL_LENGTH);
+
+ passItem.data = (unsigned char *)userpwd;
+ passItem.len = strlen(userpwd);
+
+ /* Decode the DBpwd to bytes from b64 */
+ if ( PL_Base64Decode( dbpwd, dbpwd_len, dbhash) == NULL ) {
+ slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Unable to base64 decode dbpwd value\n");
+ return result;
+ }
+ /* extract the fields */
+ pbkdf2_sha256_extract(dbhash, &saltItem, &iterations);
+
+ /* Now send the userpw to the hash function, with the salt + iter. */
+ if ( pbkdf2_sha256_hash(userhash, PBKDF2_HASH_LENGTH, &passItem, &saltItem, iterations) != SECSuccess ) {
+ slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Unable to hash userpwd value\n");
+ return result;
+ }
+ /* Now compare the result of pbkdf2_sha256_hash. */
+ result = memcmp(userhash, hash, PBKDF2_HASH_LENGTH);
+
+ return result;
+}
+
+
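Review bot: `PL_Base64Decode( dbpwd, dbpwd_len, dbhash)` in pbkdf2_sha256_pw_cmp decodes the whole stored value into the fixed `dbhash[ PBKDF2_TOTAL_LENGTH ]` stack buffer (324 bytes) with no check on the encoded length, so a `{PBKDF2_SHA256}` userPassword value that is longer than expected overruns the stack during a bind; reject mis-sized values before decoding, e.g. `if (pwdstorage_base64_decode_len(dbpwd, dbpwd_len) != PBKDF2_TOTAL_LENGTH) return result;`. The final `result = memcmp(userhash, hash, PBKDF2_HASH_LENGTH);` should use the project's constant-time `slapi_ct_memcmp` like the other storage schemes, so the comparison does not stop at the first differing byte. In pbkdf2_sha256_hash the `algid` from PK11_CreatePBEV2AlgorithmID is destroyed only on the success path, so the `slot == NULL` and `symkey == NULL` returns leak it, and pbkdf2_sha256_pw_enc likewise leaks the calloc'd `enc` when the hash call fails. The `iterations` value read back from the stored hash is passed to NSS unbounded; a sanity cap would keep a corrupted stored value from turning a single bind into a very long computation.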
diff --git a/ldap/servers/plugins/pwdstorage/pwd_init.c b/ldap/servers/plugins/pwdstorage/pwd_init.c
index 5efd9ca..d66bb98 100644
--- a/ldap/servers/plugins/pwdstorage/pwd_init.c
+++ b/ldap/servers/plugins/pwdstorage/pwd_init.c
@@ -44,6 +44,8 @@ static Slapi_PluginDesc md5_pdesc = { "md5-password-storage-scheme", VENDOR, DS_
static Slapi_PluginDesc smd5_pdesc = { "smd5-password-storage-scheme", VENDOR, DS_PACKAGE_VERSION, "Salted MD5 hash algorithm (SMD5)" };
+static Slapi_PluginDesc pbkdf2_sha256_pdesc = { "pbkdf2-sha256-password-storage-scheme", VENDOR, DS_PACKAGE_VERSION, "Salted PBKDF2 SHA256 hash algorithm (PBKDF2_SHA256)" };
+
static char *plugin_name = "NSPwdStoragePlugin";
int
@@ -336,3 +338,21 @@ smd5_pwd_storage_scheme_init( Slapi_PBlock *pb )
slapi_log_err(SLAPI_LOG_PLUGIN, plugin_name, "<= smd5_pwd_storage_scheme_init %d\n\n", rc );
return( rc );
}
+
+int
+pbkdf2_sha256_pwd_storage_scheme_init(Slapi_PBlock *pb)
+{
+ int rc;
+
+ slapi_log_error(SLAPI_LOG_PLUGIN, plugin_name, "=> pbkdf2_sha256_pwd_storage_scheme_init\n");
+
+ rc = slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, (void *) SLAPI_PLUGIN_VERSION_01);
+ rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, (void *)&pbkdf2_sha256_pdesc);
+ rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_PWD_STORAGE_SCHEME_ENC_FN, (void *)pbkdf2_sha256_pw_enc);
+ rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_PWD_STORAGE_SCHEME_CMP_FN, (void *)pbkdf2_sha256_pw_cmp);
+ rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_PWD_STORAGE_SCHEME_NAME, PBKDF2_SHA256_SCHEME_NAME);
+
+ slapi_log_error(SLAPI_LOG_PLUGIN, plugin_name, "<= pbkdf2_sha256_pwd_storage_scheme_init %d\n", rc);
+ return rc;
+}
+
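Review bot: The two log calls in pbkdf2_sha256_pwd_storage_scheme_init use `slapi_log_error` while the adjacent smd5 init visible in this hunk's context uses `slapi_log_err`; for consistency with the rest of the file they should read `slapi_log_err(SLAPI_LOG_PLUGIN, plugin_name, "=> pbkdf2_sha256_pwd_storage_scheme_init\n");` and the matching `<=` line. Mixing the two spellings in one file makes a later sweep away from `slapi_log_error` easy to miss.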
diff --git a/ldap/servers/plugins/pwdstorage/pwdstorage.h b/ldap/servers/plugins/pwdstorage/pwdstorage.h
index 1e085c7..27e708d 100644
--- a/ldap/servers/plugins/pwdstorage/pwdstorage.h
+++ b/ldap/servers/plugins/pwdstorage/pwdstorage.h
@@ -54,6 +54,9 @@
#define MD5_NAME_LEN 3
#define SALTED_MD5_SCHEME_NAME "SMD5"
#define SALTED_MD5_NAME_LEN 4
+#define PBKDF2_SHA256_SCHEME_NAME "PBKDF2_SHA256"
+#define PBKDF2_SHA256_NAME_LEN 13
+
SECStatus sha_salted_hash(char *hash_out, const char *pwd, struct berval *salt, unsigned int secOID);
int sha_pw_cmp( const char *userpwd, const char *dbpwd, unsigned int shaLen );
@@ -82,6 +85,10 @@ char *md5_pw_enc( const char *pwd );
int smd5_pw_cmp( const char *userpwd, const char *dbpwd );
char *smd5_pw_enc( const char *pwd );
+SECStatus pbkdf2_sha256_hash(char *hash_out, size_t hash_out_len, SECItem *pwd, SECItem *salt, PRUint32 iterations);
+char * pbkdf2_sha256_pw_enc(const char *pwd);
+int pbkdf2_sha256_pw_cmp(const char *userpwd, const char *dbpwd);
+
/* Utility functions */
PRUint32 pwdstorage_base64_decode_len(const char *encval, PRUint32 enclen);
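Review bot: The prototype `int pbkdf2_sha256_pw_cmp(const char *userpwd, const char *dbpwd);` disagrees with the definition in pbkdf2_pwd.c, which returns `PRInt32`; use one spelling in both places so declaration and definition stay visibly identical. `pbkdf2_sha256_extract` is defined with external linkage in pbkdf2_pwd.c but has no prototype here; either declare it alongside `pbkdf2_sha256_hash` or make it `static` in the .c file, since only pbkdf2_sha256_pw_cmp calls it.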
diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
index 2506a2b..5af04d2 100644
--- a/ldap/servers/slapd/pw.c
+++ b/ldap/servers/slapd/pw.c
@@ -262,6 +262,13 @@ pw_val2scheme( char *val, char **valpwdp, int first_is_default )
if (NULL == val) {
return( NULL );
}
+
+ /*
+ * Future implementors of new password mechanisms may find that this function
+ * is causing them trouble. If your hash ends up as {CLEAR}{NEWMECH}.... it
+ * because NEWMECH > PWD_MAX_NAME_LEN. Update pw.h!
+ */
+
if ( *val != PWD_HASH_PREFIX_START ||
( end = strchr( val, PWD_HASH_PREFIX_END )) == NULL ||
( namelen = end - val - 1 ) > PWD_MAX_NAME_LEN ) {
diff --git a/ldap/servers/slapd/pw.h b/ldap/servers/slapd/pw.h
index 58e7441..8e07582 100644
--- a/ldap/servers/slapd/pw.h
+++ b/ldap/servers/slapd/pw.h
@@ -19,7 +19,8 @@
#ifndef _SLAPD_PW_H_
#define _SLAPD_PW_H_
-#define PWD_MAX_NAME_LEN 10
+// Updated to the 13 for PBKDF2_SHA256
+#define PWD_MAX_NAME_LEN 13
#define PWD_HASH_PREFIX_START '{'
#define PWD_HASH_PREFIX_END '}'
dirsrvtests/tests ldap/admin
by Simon Pichugin
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py | 4 ++--
dirsrvtests/tests/tickets/ticket1347760_test.py | 12 ++++++------
ldap/admin/src/defaults.inf.in | 2 +-
3 files changed, 9 insertions(+), 9 deletions(-)
New commits:
commit 299169ecbd2a7d4ef805465234112ce6ecaa7e77
Author: Simon Pichugin <spichugi(a)redhat.com>
Date: Tue Nov 1 09:38:19 2016 +0100
Ticket 49024 - Fix CI test failures and defaults.inf
Description: Fix error_log path in the defaults.inf file.
Ticket 1347760 - set access_log path properly.
pwdPolicy_warning_test - replace a month with 30 days,
because it causes a very long test execution time at the end of
a month, when the next month has fewer days than the current one.
https://fedorahosted.org/389/ticket/49024
Reviewed by: nhosoi, wbrown (Thanks!)
diff --git a/dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py b/dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py
index 4647e24..f3e57f4 100644
--- a/dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py
+++ b/dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py
@@ -442,7 +442,7 @@ def test_with_different_password_states(topology, global_policy, add_user):
try:
log.info("Expiring user's password by moving the"\
" system date past the valid period")
- subprocess.check_call(['/usr/bin/date', '-s', 'next month'])
+ subprocess.check_call(['/usr/bin/date', '-s', '+30 day'])
log.info('Wait for the server to pick up new date')
time.sleep(5)
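Review bot: The host clock is moved forward with `subprocess.check_call(['/usr/bin/date', '-s', '+30 day'])` here and moved back only in the second hunk of this file; unless the restore sits in a `finally:` (the enclosing `try:` begins at the top of this hunk and its handler is outside it), any assertion failure in between leaves the clock 30 days ahead for the rest of the test run. Consider placing the restore in a `finally:` or in a fixture teardown so it runs regardless of outcome. test_with_different_password_states begins and ends outside this hunk.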
@@ -455,7 +455,7 @@ def test_with_different_password_states(topology, global_policy, add_user):
log.info("Bind Failed, error: {:s}".format(str(ex)))
log.info("Resetting the system date")
- subprocess.check_call(['/usr/bin/date', '-s', 'last month'])
+ subprocess.check_call(['/usr/bin/date', '-s', '-30 day'])
log.info('Wait for the server to pick up new date')
time.sleep(5)
diff --git a/dirsrvtests/tests/tickets/ticket1347760_test.py b/dirsrvtests/tests/tickets/ticket1347760_test.py
index a142ada..48643cc 100644
--- a/dirsrvtests/tests/tickets/ticket1347760_test.py
+++ b/dirsrvtests/tests/tickets/ticket1347760_test.py
@@ -13,6 +13,7 @@ import logging
import pytest
from subprocess import Popen
from lib389 import DirSrv, Entry
+from lib389.paths import Paths
from lib389._constants import *
from lib389.properties import *
from lib389.tasks import *
@@ -38,11 +39,6 @@ BOGUSSUFFIX = 'uid=bogus,ou=people,dc=bogus'
GROUPOU = 'ou=groups,%s' % DEFAULT_SUFFIX
BOGUSOU = 'ou=OU,%s' % DEFAULT_SUFFIX
-logging.getLogger(__name__).setLevel(logging.DEBUG)
-log = logging.getLogger(__name__)
-
-installation1_prefix = None
-
class TopologyStandalone(object):
def __init__(self, standalone):
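Review bot: This hunk removes `log = logging.getLogger(__name__)` but the file still calls `log.info(...)` in the later hunks, so `log` must now come from one of the `from lib389... import *` lines; if none of them exports `log`, the test fails with NameError at its first log call. Keeping a module-level `log = logging.getLogger(__name__)` is the safer choice and also keeps this file's records under its own logger name rather than lib389's.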
@@ -224,6 +220,11 @@ def test_ticket1347760(topology):
log.info('Deleting aci in %s.' % DEFAULT_SUFFIX)
topology.standalone.modify_s(DEFAULT_SUFFIX, [(ldap.MOD_DELETE, 'aci', None)])
+ log.info('While binding as DM, acquire an access log path')
+ ds_paths = Paths(serverid=topology.standalone.serverid,
+ instance=topology.standalone)
+ file_path = ds_paths.access_log
+
log.info('Bind case 1. the bind user has no rights to read the entry itself, bind should be successful.')
log.info('Bind as {%s,%s} who has no access rights.' % (BINDDN, BINDPW))
try:
@@ -232,7 +233,6 @@ def test_ticket1347760(topology):
log.info('Desc ' + e.message['desc'])
assert False
- file_path = os.path.join(topology.standalone.prefix, 'var/log/dirsrv/slapd-%s/access' % topology.standalone.serverid)
file_obj = open(file_path, "r")
log.info('Access log path: %s' % file_path)
diff --git a/ldap/admin/src/defaults.inf.in b/ldap/admin/src/defaults.inf.in
index c0469b3..7729c06 100644
--- a/ldap/admin/src/defaults.inf.in
+++ b/ldap/admin/src/defaults.inf.in
@@ -48,7 +48,7 @@ lock_dir = @localstatedir@/lock/dirsrv/slapd-{instance_name}
log_dir = @localstatedir@/log/dirsrv/slapd-{instance_name}
access_log = @localstatedir@/log/dirsrv/slapd-{instance_name}/access
audit_log = @localstatedir@/log/dirsrv/slapd-{instance_name}/audit
-error_log = @localstatedir@/log/dirsrv/slapd-{instance_name}/error
+error_log = @localstatedir@/log/dirsrv/slapd-{instance_name}/errors
inst_dir = @localstatedir@/lib/dirsrv/slapd-{instance_name}
db_dir = @localstatedir@/lib/dirsrv/slapd-{instance_name}/db
backup_dir = @localstatedir@/lib/dirsrv/slapd-{instance_name}/bak
2 commits - m4/nunc-stans.m4 rpm/389-ds-base.spec.in
by William Brown
m4/nunc-stans.m4 | 13 +++++++++++++
rpm/389-ds-base.spec.in | 3 ++-
2 files changed, 15 insertions(+), 1 deletion(-)
New commits:
commit 095b720ab5dc1dab860da62826c227fc31630859
Author: William Brown <firstyear(a)redhat.com>
Date: Tue Nov 1 15:45:31 2016 +1000
Ticket 49026 - Support nunc-stans pkgconfig
Bug Description: Without pkgconfig we would have to pass an explicit path to
our tools in case nunc-stans was in an unusual location. This avoids that issue.
Fix Description: Add the support to use pkgconfig for nunc-stans.
https://fedorahosted.org/389/ticket/49026
Author: wibrown
Review by: mreynolds (Thanks)
diff --git a/m4/nunc-stans.m4 b/m4/nunc-stans.m4
index 6c3a360..442a0df 100644
--- a/m4/nunc-stans.m4
+++ b/m4/nunc-stans.m4
@@ -61,3 +61,16 @@ AC_ARG_WITH(nunc-stans-lib, AS_HELP_STRING([--with-nunc-stans-lib=PATH],[nunc-st
fi
],
AC_MSG_RESULT(no))
+
+if test -z "$nunc_stans_inc" -o -z "$nunc_stans_lib"; then
+ AC_PATH_PROG(PKG_CONFIG, pkg-config)
+ AC_MSG_CHECKING(for nunc-stans with pkg-config)
+ if test -n "$PKG_CONFIG"; then
+ if $PKG_CONFIG --exists nunc-stans; then
+ nunc_stans_inc=`$PKG_CONFIG --cflags-only-I nunc-stans`
+ nunc_stans_lib=`$PKG_CONFIG --libs-only-L nunc-stans`
+ AC_MSG_RESULT([using system nunc-stans])
+ fi
+ fi
+fi
+
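Review bot: `AC_MSG_CHECKING(for nunc-stans with pkg-config)` is answered with `AC_MSG_RESULT` only on the success path; when `$PKG_CONFIG` is empty or `--exists nunc-stans` fails, configure's output is left with a dangling "checking ..." line and the next message runs onto it. Add `AC_MSG_RESULT([no])` to both negative branches, or move the CHECKING inside the `-n "$PKG_CONFIG"` test. The guard `-z "$nunc_stans_inc" -o -z "$nunc_stans_lib"` also overwrites both variables when only one was set, so an explicit `--with-nunc-stans-lib` can be silently replaced by the pkg-config value; assign each variable only if it is still empty.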
commit 416f2621bf956d4d804e673239dc31fecfd4fffa
Author: William Brown <firstyear(a)redhat.com>
Date: Tue Nov 1 12:29:01 2016 +1000
Ticket 49025 - Upgrade nunc-stans to 0.2.1
Bug Description: Nunc Stans 0.2.0 had a defect which prevented signal
registration functioning correctly.
Fix Description: Upgrade to 0.2.1
https://fedorahosted.org/389/ticket/49025
Author: wibrown
Review by: mreynolds (Thanks!)
diff --git a/rpm/389-ds-base.spec.in b/rpm/389-ds-base.spec.in
index cd054ec..9fe6a96 100644
--- a/rpm/389-ds-base.spec.in
+++ b/rpm/389-ds-base.spec.in
@@ -18,7 +18,7 @@
# To build without nunc-stans, set use_nunc_stans to 0.
%global use_nunc_stans __NUNC_STANS_ON__
%if %{use_nunc_stans}
-%global nunc_stans_ver 0.2.0
+%global nunc_stans_ver 0.2.1
%endif
# This enables an ASAN build. This should not go to production, so we rename.
@@ -253,6 +253,7 @@ cp %{SOURCE2} README.devel
%if %{use_nunc_stans}
pushd ../nunc-stans-%{nunc_stans_ver}
+autoreconf -fiv
%configure --with-fhs --libdir=%{_libdir}/%{pkgname}
# We install into our build dir first, then later we install to the correct build root.
# This is to make it possible for directory server to use us, else we can't resolve
Changes to 'refs/tags/389-admin-1.1.46'
by Noriko Hosoi
Changes since 389-admin-1.1.11:
Endi S. Dewata (3):
Bug 573889 - Migration does not remove deprecated schema
Bug 644929 - FDS to 389 DS migration results in both Fedora and 389 entries
Bug 470576 - Migration could do addition checks before commiting actions
Ludwig (1):
Ticket 47563 - cannot restart directory server from console
Mark Reynolds (23):
Ticket #286 - compilation fixes for 'format-security'
Ticket 401 - Console login fails with anonymous access disabled
Ticket 400 - BIND operation result not checked properly in admin server
Ticket 47665 - Create new instance results in setting wrong ACI for the "cn=config" entry
Ticket 47495 - admin express: wrong instance creation time
Ticket 47497 - Admin Express - remove "Security Level"
Ticket 47850 - "nsslapd-allow-anonymous-access: rootdse" makes login as "admin" fail at the first time
Ticket 47300 - Update man page for remove-ds-admin.pl
Ticket 47891 - Admin Server reconfig breaks SSL config
Ticket 47893 - Admin Server should use Sys::Hostname instead Net::Domain
Ticket 47548 - register-ds-admin does not register into remote config ds
Ticket 47860 - register-ds-admin.pl problem when following steps to replicate o=netscaperoot
Ticket 47697 - Resource leak in lib/libdsa/dsalib_updown.c
Ticket 201 - nCipher HSM cannot be configured via the console
Ticket 47929 - Admin Server - disable SSLv3 by default
Ticket 47548 - register-ds-admin.pl fails to set local bind DN and password
Ticket 47548 - register-ds-admin - silent file incorrectly processed
Ticket 48213 - Admin server registration requires anonymous binds
Ticket 48306 - perl module conditional test is not conditional when checking SELinux policies
Ticket 48907 - register-ds-admin fails to find local config DS
TIcket 48823 - Admin Server - Add IPv6 support
Ticket 48932 - stopping admin server stops all httpd processes
Ticket 49015 - register-ds-admin.pl - silent install does not
Nathan Kinder (49):
Bug 648949 - Merge selinux policy into base OS
Regenerated autoconf files
Bug 638511 - dirsrv-admin crashes at startup with SELinux enabled
Bug 668950 - Add posix group support to Console
Bug 672468 - Don't use empty path elements in LD_LIBRARY_PATH
Bug 618897 - Wrong permissions when creating instance from Console
Bug 493424 - remove unneeded modules for admin server apache config
Bug 614690 - Don't use exec to call genrb
Bug 699815 - (cov#10859) Add missing braces in mod_admserv code
Bug 699815 - (cov#10858) getenv() called twice in viewlog cgi
Bug 699815 - (cov#10849,10851) Remove unused variables
Bug 699907 - (cov#10844) Uninitialized time struct
Bug 699907 - (cov#10843) Use of uninitialized variable in logging code
Bug 699907 - (cov#10840) Use of uninitialized buffer in security cgi
Bug 699907 - (cov#10836) Use of uninitialized var in http conn code
Bug 699907 - (cov#10833) Use of uninitialized vars in SNMP code
Bug 700532 - (cov#10832) Incorrect if condition in dsalib
Bug 700875 - (cov#10778) Cleanup ds_bring_up_server_install() in dsalib
Bug 700890 - (cov#10812) Check return value of open() properly in libadmin
Bug 700948 - (cov#10846) - Use of uninitialized variable in mod_admserv
Bug 700948 - (cov#10845) Use of uninitialized variable in mod_admserv
Bug 700948 - (cov#10839) Use of uninitialized variable in security cgi
Bug 700948 - (cov#10837) Use of uninitialized variable in monreplication
Bug 700948 - (cov#10835) Use of unitialized pointer in config cgi
Bug 700948 - (cov#10813) dynamic overrun possibility in ds_listdb cgi
Bug 700948 - (cov#10842) Use of unintialized variable in statusping
Bug 700948 - (cov#10842) Use of unintialized variable in statusping
Bug 702150 - (cov#10823) File descriptors leaked in help cgi
Bug 702150 - (cov#10822,10821) file descriptor leaks in config cgi
Bug 702150 - (cov#10820,10819) file descriptor leaks in readlog cgi
Bug 702150 - leak of config array in dsalib
Bug 702150 - (cov#10816) file descriptor leak in dsalib
Bug 702150 - (cov#10817) Leak of string in libdsa
Bug 702150 - Resouce leaks in htmladmin.c
Bug 702705 - (cov#10830) NULL pointer dereference in htmladmin
Bug 702705 - NULL pointer dereferences in viewlog cgi
Bug 702705 - (cov#10803) NULL pointer dereference in security cgi
Bug 702705 - (cov#10785) NULL pointer dereference in ds_snmpctrl
Bug 702705 - (cov#10784,10783) NULL pointer dereferences in dsalib
Bug 719056 - migrate-ds-admin.pl needs to update SELinux policy
Bug 724808 - startup CGIs write temp file to /
Bug 730079 - Update SELinux policy during upgrades
Ticket #329 - Port modules to httpd 2.4
Ticket #47333 - Relabel lockfile when starting Admin Server
Ticket #47334 - Avoid quoting all settings in console.conf
Ticket 47468 - Change security password validation error is out of order
Ticket 47466 - Importing CA cert with existing name crashes security CGI
Ticket 362 - Directory Console generates insufficient key strength
Ticket 47467 - Improve CRL import error messages
Noriko Hosoi (47):
Bug 151705 - Need to update Console Cipher Preferences with new ciphers
start-ds-admin.in -- replaced "return 1" with "exit 1"
Bug 616260 - libds-admin-serv linking fails due to unresolved link-time dependencies
Bug 618858 - move start-ds-admin env file into main admin server
Bug 387981 - plain files can be chosen on the Restore Directory dialog
Bug 604881 - admin server log files have incorrect permissions/ownerships
Bug 604881 - admin server log files have incorrect permissions/ownerships
Bug 245278 - Changing to a password with a single quote does not work
Bug 211296 - Clean up all HTML pages (Admin Express, Repl Monitor, etc)
Bug 158926 - Unable to install CA certificate when using
Bug 476925 - Admin Server: Do not allow 8-bit passwords for the admin user
Bug 476925 - Admin Server: Do not allow 8-bit passwords for
Trac Ticket #307 - htmladmin keeps segfaulting
If htmladmin fails to connect to the server, the cgi could crash.
Ticket #293 - remove-ds-admin.pl does not remove everything
Ticket #476 - 389 ds do not start on F18 due to missing modules
bump version to 1.1.31
Ticket #567 - Restart of Admin server from console fails on segfault
bump version to 1.1.32
bump version to 1.1.33
bump version to 1.1.34
Ticket #47493 - Configuration Tab does not work with FIPS mode enabled
bump version to 1.1.36
Ticket 47891 - Admin Server reconfig breaks SSL config
Ticket #47995 - Admin Server: source code cleaning
bump version to 1.1.37
Ticket #48024 - repl-monitor invoked from adminserver cgi fails
bump version to 1.1.38
Ticket #48153 - [adminserver] support NSS 3.18
bump version to 1.1.39
Ticket #48171 - remove-ds-admin.pl removes files in the rpm
Ticket #47467 - Improve Add CRL/CKL dialog and errors
bump version to 1.1.40
Ticket #48186 - register-ds-admin.pl script prints clear text password in the terminal
Ticket #47493 - Configuration Tab does not work with FIPS mode enabled
bump version to 1.1.41
bump version to 1.1.42
Ticket #48409 - RHDS upgrade change Ownership of certificate files upon upgrade.
Ticket #48410 - 389-admin - Unable to remove / unregister a DS instance from admin server
Ticket #48429 - running remove-ds-admin.pl multiple times will make it so you cannot install DS
bump version to 1.1.43
Ticket #47413 - 389-admin fails to build with latest httpd
Bug 1236635 - 389-admin TPS srpmtest failure
bump version to 1.1.44
Ticket #48988 - ds_removal and ds_unregister should support prompting for password
bump version to 1.1.45
bump version to 1.1.46
Rich Megginson (66):
bump version to 1.1.12.a1
initial support for openldap
add selinux policy for dsgw
skip LD_PRELOAD if using openldap
add more log information if nss init fails
add even more nss debugging
Bug 618454 - mod_admserv should only clear NSS caches and shutdown if NSS is initialized
bump version to 1.1.12.a2
fix building with mozldap
bump version to 1.1.12.a3
fix autotool build issues with properties files
setup-ds-admin.pl -u exits with ServerAdminID and as_uid related error
Bug 656441 - Missing library path entry causes LD_PRELOAD error
bump version to 1.1.13
bump version to 1.1.14.a1
Bug 664671 - Admin server segfault when full SSL access (http+ldap+console) required
bump version to 1.1.14
bump version to 1.1.15
bump version to 1.1.16
Bug 703990 - Support upgrade from Red Hat Directory Server
bump version to 1.1.17
add support for different skins
skip rebranding current brand
bump version to 1.1.18
look for separate openldap ldif library
bump version to 1.1.19
Bug 710372 - Not able to open the Manage Certificate from DS-console
better NSS error handling - reduce memory leaks
fix typo in NSS_Shutdown warning message
added tests for the security cgi
Bug 713000 - Migration stops if old admin server cannot be stopped
Bug 718079 - Perl errors when running migrate-ds-admin.pl
Bug 718285 - AdminServer should use "service" command instead of start/stop/restart scripts
bump version to 1.1.20
bump version to 1.1.21
handle binary upgrade
add man pages for ds_removal and ds_unregister
bump version to 1.1.22
fix binary paths
bump version to 1.1.23
bump version to 1.1.24
Bug 695741 - Providing native systemd file for upcoming F16 Feature Systemd
Bug 740959 - 389-console put CA certificates into wrong database
bump version to 1.1.25
Bug 767823 - selinux: need to allow admin server to connect to ldap port
bump version to 1.1.26
Ticket #161 - Review and address latest Coverity issues
Ticket #281 - TLS not working with latest openldap
bump version to 1.1.27
bump version to 1.1.28
bump version to 1.1.29
bump version to 1.1.30
ignore files generated by Eclipse
Ticket #47486 compiler warnings in adminutil, admin, dsgw
Ticket #47465 problem with 389-adminutil detection in m4/adminutil.m4 in 389-admin and 389-dsgw
add more debugging for SSL connection problems
Ticket #47413 389-admin fails to build with latest httpd
compiler warning - ldif_read_record lineno type depends on openldap version
add Eclipse and patch files
bump version to 1.1.35
Ticket #47498 Error Message for Failed to create the configuration directory server
Ticket #418 Error with register-ds-admin.pl
Ticket #222 Admin Express issues "Internal Server Error" when the Config DS is down.
Ticket #434 admin-serv logs filling with "admserv_host_ip_check: ap_get_remote_host could not resolve <ip address>"
Ticket #47300 [RFE] remove-ds-admin.pl: redesign the behaviour
Ticket #47478 No groups file? error restarting Admin server
Wes Hardin (1):
fix for bug 377 - Unchecked use of SELinux command
William Brown (2):
Ticket 47840 - Fix setup-ds-admin.pl to create adm.conf with sbin scripts
Ticket 48931 - start-ds-admin should use systemctl
noriko (1):
Ticket #47298 - remove-ds-admin.pl does not stop the admin server
---
.gitignore | 4
Makefile.am | 113
Makefile.in | 2110 -
VERSION.sh | 4
aclocal.m4 | 7614 ----
admserv/cfgstuff/console.conf.in | 6
admserv/cfgstuff/ds_removal.in | 7
admserv/cfgstuff/ds_unregister.in | 7
admserv/cfgstuff/httpd-2.2.conf.in | 13
admserv/cfgstuff/httpd-2.4.conf.in | 742
admserv/cfgstuff/httpd.conf.in | 2
admserv/cfgstuff/initconfig.in | 5
admserv/cfgstuff/restart-ds-admin.in | 12
admserv/cfgstuff/start-ds-admin.in | 114
admserv/cfgstuff/stop-ds-admin.in | 55
admserv/cgi-ds/ds_listdb.c | 26
admserv/cgi-ds/ds_snmpctrl.c | 5
admserv/cgi-src40/ReadLog.c | 18
admserv/cgi-src40/admlib.mk | 119
admserv/cgi-src40/admpw.c | 79
admserv/cgi-src40/cgicommon.h | 1
admserv/cgi-src40/cgicommon.properties | 3
admserv/cgi-src40/config.c | 47
admserv/cgi-src40/dllglue.c | 42
admserv/cgi-src40/ds_create.in | 18
admserv/cgi-src40/ds_remove.in | 6
admserv/cgi-src40/dsconfig.c | 10
admserv/cgi-src40/head.html | 1
admserv/cgi-src40/help.c | 15
admserv/cgi-src40/htmladmin.c | 810
admserv/cgi-src40/htmladmin.properties | 42
admserv/cgi-src40/monreplication.c | 7
admserv/cgi-src40/repl-monitor-cgi.pl.in | 30
admserv/cgi-src40/restartsrv.c | 9
admserv/cgi-src40/sec-activate.c | 163
admserv/cgi-src40/security.c | 348
admserv/cgi-src40/security.properties | 8
admserv/cgi-src40/start_config_ds.c | 11
admserv/cgi-src40/statpingserv.c | 82
admserv/cgi-src40/stopsrv.c | 10
admserv/cgi-src40/ugdsconfig.c | 39
admserv/cgi-src40/viewdata.c | 264
admserv/cgi-src40/viewdata.properties | 2
admserv/cgi-src40/viewlog.c | 75
admserv/cgi-src40/viewlog.properties | 6
admserv/genrb_wrapper.sh | 2
admserv/html/admserv.html.in | 11
admserv/html/htmladmin.html.in | 13
admserv/html/monreplication.html | 20
admserv/html/viewdata.html | 6
admserv/html/viewlog.html | 14
admserv/makeUpgradeTar.sh | 30
admserv/newinst/src/25changefedorato389.pl | 250
admserv/newinst/src/25rebrand.pl.in | 413
admserv/newinst/src/30updateglobalpref.pl.in | 9
admserv/newinst/src/AdminMigration.pm.in | 79
admserv/newinst/src/AdminServer.pm.in | 299
admserv/newinst/src/AdminUtil.pm.in | 183
admserv/newinst/src/ConfigDSDialogs.pm | 42
admserv/newinst/src/dirserver.map.in | 1
admserv/newinst/src/register-ds-admin.pl.in | 773
admserv/newinst/src/register-ds-admin.res.in | 40
admserv/newinst/src/register_param.map.in | 4
admserv/newinst/src/register_server.pl.in | 6
admserv/newinst/src/remove-ds-admin.pl.in | 8
admserv/newinst/src/setup-ds-admin.pl.in | 6
admserv/newinst/src/setup-ds-admin.res.in | 20
admserv/schema/ldif/02globalpreferences.ldif.tmpl | 49
admserv/schema/ldif/10dsdata.ldif.tmpl | 39
compile | 245
config.guess | 768
config.h.in | 36
config.sub | 452
configure |38679 +++++++++-------------
configure.ac | 111
depcomp | 637
include/base/file.h | 3
include/base/util.h | 3
include/libadmin/dbtlibadmin.h | 2
include/libadmin/libadmin.h | 92
include/libdsa/dsalib.h | 15
install-sh | 526
lib/base/file.cpp | 30
lib/base/nscputil.cpp | 51
lib/libadmin/dllglue.c | 77
lib/libadmin/httpcon.c | 5
lib/libadmin/referer.c | 4
lib/libadmin/template.c | 29
lib/libadmin/util.c | 973
lib/libdsa/dsalib_conf.c | 37
lib/libdsa/dsalib_confs.c | 93
lib/libdsa/dsalib_location.c | 56
lib/libdsa/dsalib_tailf.c | 1
lib/libdsa/dsalib_updown.c | 118
lib/libdsa/dsalib_util.c | 56
ltmain.sh |14878 +++++---
m4/adminutil.m4 | 4
m4/httpd.m4 | 3
m4/mod_nss.m4 | 2
m4/mozldap.m4 | 116
m4/openldap.m4 | 138
m4/selinux.m4 | 3
man/man8/ds_removal.8 | 54
man/man8/ds_unregister.8 | 48
man/man8/register-ds-admin.pl.8 | 187
man/man8/remove-ds-admin.pl.8 | 10
man/man8/restart-ds-admin.8 | 10
man/man8/start-ds-admin.8 | 10
man/man8/stop-ds-admin.8 | 10
missing | 453
mod_admserv/mod_admserv.c | 564
mod_admserv/mod_admserv.h | 15
mod_restartd/mod_restartd-2.2.c | 22
selinux/dirsrv-admin.fc.in | 5
selinux/dirsrv-admin.te | 2
tests/ds_create/testget.1 | 2
tests/htmladmin/testget.2 | 2
tests/htmladmin/testget.3 | 2
tests/htmladmin/testget.4 | 2
tests/htmladmin/testget.5 | 2
tests/htmladmin/testget.6 | 2
tests/htmladmin/testget.7 | 2
tests/htmladmin/testget.8 | 2
tests/security/testpost.1 | 1
tests/security/testpost.10 | 1
tests/security/testpost.11 | 1
tests/security/testpost.12 | 1
tests/security/testpost.13 | 1
tests/security/testpost.14 | 1
tests/security/testpost.15 | 1
tests/security/testpost.16 | 1
tests/security/testpost.17 | 1
tests/security/testpost.18 | 1
tests/security/testpost.19 | 1
tests/security/testpost.2 | 1
tests/security/testpost.20 | 1
tests/security/testpost.21 | 1
tests/security/testpost.3 | 1
tests/security/testpost.4 | 1
tests/security/testpost.5 | 1
tests/security/testpost.6 | 1
tests/security/testpost.7 | 1
tests/security/testpost.8 | 1
tests/security/testpost.9 | 1
tests/setup.sh | 250
tests/ugdsconfig/testget.10 | 2
tests/viewdata/testget.2 | 2
tests/viewdata/testget.3 | 2
tests/viewdata/testget.4 | 2
tests/viewlog/testget.3 | 2
tests/viewlog/testget.4 | 2
wrappers/initscript.in | 3
wrappers/systemd.service.in | 24
153 files changed, 36411 insertions(+), 38969 deletions(-)
---
VERSION.sh
by Noriko Hosoi
VERSION.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
New commits:
commit ad1a4c7fc0f95fdc9d117dcd704a518a2a969d34
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Tue Nov 1 09:28:33 2016 -0700
bump version to 1.1.46
diff --git a/VERSION.sh b/VERSION.sh
index 4e1f314..1975cdd 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -11,7 +11,7 @@ vendorurl=http://port389.org
# PACKAGE_VERSION is constructed from these
VERSION_MAJOR=1
VERSION_MINOR=1
-VERSION_MAINT=45
+VERSION_MAINT=46
# if this is a PRERELEASE, set VERSION_PREREL
# otherwise, comment it out
# be sure to include the dot prefix in the prerel