
RE: crypto without MD5 (ITS#3039)



This is not an OpenLDAP bug. See the note about OpenSSL and crypt() in the
FAQ.
http://www.openldap.org/faq/index.cgi?file=185

Your version of OpenSSL is out of date; this problem no longer exists in
current versions of OpenSSL.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of
> mys@faveve.uni-stuttgart.de
> Sent: Thursday, March 25, 2004 9:06 AM
> To: openldap-its@OpenLDAP.org
> Subject: crypto without MD5 (ITS#3039)
>
>
> Full_Name: Martin Strauss
> Version: openldap-2.1.25
> OS: linux (debian woody)
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (129.69.120.70)
>
>
> Hi,
> OpenLDAP links against libcrypto without checking whether
> the function call crypt is compatible with the version found in
> libcrypt (glibc).
>
> glibc provides an extension for password hashing:
>
> GNU EXTENSION
>        The glibc2 version of this function has the following additional
>        features.  If salt is a character string starting with the three
>        characters "$1$" followed by at most eight characters, and optionally
>        terminated by "$", then instead of using the DES machine, the glibc
>        crypt function uses an MD5-based algorithm, and outputs up to 34
>        bytes, namely "$1$<string>$", where "<string>" stands for the up to 8
>        characters following "$1$" in the salt, followed by 22 bytes chosen
>        from the set [a-zA-Z0-9./].  The entire key is significant here
>        (instead of only the first 8 bytes).
>
> Most authentication programs use this feature via PAM;
> the same is true for the pam_ldap module.
> It would be nice to make slapd compatible with this format.
>
> However, on a Debian (woody) installation libcrypto (from OpenSSL)
> does not provide this feature, and OpenLDAP configures with
> the TLS libraries
> -lssl -lcrypto, and is therefore incompatible with this format.
>
> I circumvented this by patching the config.status file
> => linking against -lssl -lcrypt -lcrypto works fine
>
> Packages:
> libssl0.9.6    0.9.6c-2.woody
> libc6          2.2.5-11.5
>
> Compilation:
> tar xzf ../archiv/openldap-stable-20031217.tgz
>
> cd openldap-2.1.25
>
> ./configure --prefix=/usr/local/app/openldap-2.1.25 \
>   --enable-syslog \
>   --without-cyrus-sasl \
>   --with-threads \
>   --with-tls \
>   --enable-slapd \
>     --enable-cleartext \
>     --enable-crypt \
>     --enable-bdb \
>   --enable-slurpd
>
> mv config.status config.status.orig
> sed -e "s/-lcrypto/-lcrypt -lcrypto/" config.status.orig > config.status
> ./config.status
>
> make depend
> make
>
> thanx, Martin
>
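The "$1$" format the report quotes, as an added example that is not code from OpenLDAP, glibc or the reporter: a pure-Python implementation of the glibc/FreeBSD MD5-based crypt(), plus a check that a `{CRYPT}` userPassword value actually has that shape and verifies against a candidate password. This lets an administrator confirm which format stored hashes are in without depending on which crypt() the host's libcrypto happens to export. It assumes passwords are UTF-8 text; the sample hash is the widely published test vector for the password "rasmuslerdorf" with salt "rasmusle".

```python
import hashlib
import hmac
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"
# Shape of a glibc "$1$" hash as described in the crypt(3) excerpt above.
MD5CRYPT_RE = re.compile(r"^\$1\$[^$]{0,8}\$[./0-9A-Za-z]{22}$")

def _to64(value, count):
    # itoa64 encoding, 6 bits at a time, least significant group first
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(count))

def md5crypt(password, salt):
    # glibc/FreeBSD MD5-based crypt(); returns the full "$1$<salt>$<hash>" string.
    pw = password.encode("utf-8")  # assumption: passwords are UTF-8 text
    s = salt.encode("utf-8")
    if s.startswith(MAGIC):
        s = s[len(MAGIC):]
    s = s.split(b"$", 1)[0][:8]  # salt stops at '$' and is at most 8 bytes
    ctx = hashlib.md5(pw + MAGIC + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for pl in range(len(pw), 0, -16):  # len(pw) bytes of the alternate digest
        ctx.update(alt[:min(pl, 16)])
    i = len(pw)
    while i:  # one byte per bit of len(pw): NUL for 1 bits, pw[0] for 0 bits
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000-round stretching
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in groups) + _to64(final[11], 2)
    return (MAGIC + s).decode() + "$" + out

def verify_ldap_crypt(user_password, candidate):
    # Check a userPassword value of the form "{CRYPT}$1$..." against a candidate.
    if not user_password.startswith("{CRYPT}"):
        return False
    stored = user_password[len("{CRYPT}"):]
    if not MD5CRYPT_RE.match(stored):
        return False  # not the glibc "$1$" format (e.g. a 13-char DES hash)
    return hmac.compare_digest(md5crypt(candidate, stored), stored)
```

A slapd linked against a crypt() without the "$1$" extension will never match such a value, which shows up as bind failures for exactly the users whose hashes pass `MD5CRYPT_RE`.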