Full_Name: HAMANO Tsukasa
Version: git master
OS: GNU/Linux
URL: https://www.osstech.co.jp/download/hamano/openldap-pbkdf2_sha2.patch
Submission from: (NULL) (240b:10:2640:bf0:426c:8fff:fe50:23a8)

I've supported new schemes PBKDF2-SHA256 and PBKDF2-SHA512.
Thank you.

--
The attached patch file is derived from OpenLDAP Software. All of the
modifications to OpenLDAP Software represented in the following
patch(es) were developed by HAMANO Tsukasa <hamano@osstech.co.jp>. I
have not assigned rights and/or interest in this work to any party.

Copyright 2014 HAMANO Tsukasa <hamano@osstech.co.jp>
Redistribution and use in source and binary forms, with or without
modification, are permitted only as authorized by the OpenLDAP Public
License.

hamano@osstech.co.jp wrote:
> Full_Name: HAMANO Tsukasa
> Version: git master
> OS: GNU/Linux
> URL: https://www.osstech.co.jp/download/hamano/openldap-pbkdf2_sha2.patch
> Submission from: (NULL) (240b:10:2640:bf0:426c:8fff:fe50:23a8)
>
>
> I've supported new schemes PBKDF2-SHA256 and PBKDF2-SHA512.
> Thank you.

Any particular reason you've decreased the iterations from 60000 to 10000?

>
> --
> The attached patch file is derived from OpenLDAP Software. All of the
> modifications to OpenLDAP Software represented in the following
> patch(es) were developed by HAMANO Tsukasa <hamano@osstech.co.jp>. I
> have not assigned rights and/or interest in this work to any party.
>
> Copyright 2014 HAMANO Tsukasa <hamano@osstech.co.jp>
> Redistribution and use in source and binary forms, with or without
> modification, are permitted only as authorized by the OpenLDAP Public
> License.
>
>

--
  -- Howard Chu
  CTO, Symas Corp. http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP http://www.openldap.org/project/

Hi, Howard

At Wed, 05 Nov 2014 09:32:43 +0000,
Howard Chu wrote:
>
> Any particular reason you've decreased the iterations from 60000 to 10000?
>

It was too slow when stretching 60000 on a powerless server.
My tiny VM needed over 1 sec to iterate 60000 with PBKDF2-SHA512.
The RFC recommends more than 1000 iterations; 10000 iterations would be safe enough.
FYI: http://security.stackexchange.com/questions/3959/recommended-of-iterations-when-using-pkbdf2-sha256

It is desirable to be able to change the operator, but slappasswd does
not read slapd.conf so I was stuck.
I'm planning to change slappasswd to accept an iteration count in the future.
Thank you.

--
Open Source Solution Technology Corporation
HAMANO Tsukasa <hamano@osstech.co.jp>
fingerprint = 2285 2111 6D34 3816 3C2E A5B9 16BE D101 6069 BE55

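Added example (not part of the original thread and not code from the OpenLDAP patch): a Python sketch of the trade-off discussed above, timing PBKDF2-HMAC-SHA512 at 10000 and 60000 iterations and deriving an iteration count from a time budget. The record layout `digest$iterations$salt$key` and all function names are constructed for illustration and are not the module's storage format; the point is that the count travels with each hash, so changing the default does not invalidate older entries.

```python
import hashlib
import hmac
import os
import time

FLOOR = 10000  # the default the thread settled on; calibration never goes below it


def make_record(password, iterations, digest="sha512"):
    """Build a constructed record: digest$iterations$salt_hex$key_hex."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac(digest, password, salt, iterations)
    return f"{digest}${iterations}${salt.hex()}${key.hex()}"


def verify(record, password):
    """Re-derive with the count stored in the record, then compare in constant time."""
    digest, iterations, salt_hex, key_hex = record.split("$")
    key = hashlib.pbkdf2_hmac(digest, password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def seconds_per_hash(iterations, digest="sha512", rounds=3):
    """Best-of-N wall time for one derivation on this machine."""
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac(digest, b"constructed-sample", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def calibrate(target_seconds, digest="sha512", floor=FLOOR):
    """Largest iteration count that fits the time budget, clamped to the floor."""
    per_iteration = seconds_per_hash(floor, digest) / floor
    return max(floor, int(target_seconds / per_iteration))


if __name__ == "__main__":
    for count in (10000, 60000):
        print(f"{count} iterations: {seconds_per_hash(count) * 1000:.1f} ms per bind")
    print("count for a 250 ms budget:", calibrate(0.25))
```

Each simple bind against a PBKDF2 hash costs one derivation on the server, so the measured time per hash is also the per-login CPU cost an operator has to budget for.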
Tsukasa HAMANO wrote:
> Hi, Howard
>
> At Wed, 05 Nov 2014 09:32:43 +0000,
> Howard Chu wrote:
>>
>> Any particular reason you've decreased the iterations from 60000 to 10000?
>>
>
> It was too slow when stretching 60000 on a powerless server.
> My tiny VM needed over 1 sec to iterate 60000 with PBKDF2-SHA512.
> The RFC recommends more than 1000 iterations; 10000 iterations would be safe enough.
> FYI: http://security.stackexchange.com/questions/3959/recommended-of-iterations-when-using-pkbdf2-sha256

OK. I've committed it without any changes, thanks for the patch.

> It is desirable to be able to change the operator, but slappasswd does
> not read slapd.conf so I was stuck.
> I'm planning to change slappasswd to accept an iteration count in the future.
> Thank you.
>

--
  -- Howard Chu
  CTO, Symas Corp. http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP http://www.openldap.org/project/

changed notes changed state Open to Test moved from Incoming to Contrib
Hi,

Please merge the additional patch:
https://www.osstech.co.jp/download/hamano/openldap-pbkdf2_nettle.patch

This patch includes nettle support and fixes an issue.
https://github.com/hamano/openldap-pbkdf2/pull/4
https://github.com/hamano/openldap-pbkdf2/pull/3

Thank you.

At Wed, 05 Nov 2014 11:57:33 +0000,
Howard Chu wrote:
>
> Tsukasa HAMANO wrote:
> > Hi, Howard
> >
> > At Wed, 05 Nov 2014 09:32:43 +0000,
> > Howard Chu wrote:
> >>
> >> Any particular reason you've decreased the iterations from 60000 to 10000?
> >>
> >
> > It was too slow when stretching 60000 on a powerless server.
> > My tiny VM needed over 1 sec to iterate 60000 with PBKDF2-SHA512.
> > The RFC recommends more than 1000 iterations; 10000 iterations would be safe enough.
> > FYI: http://security.stackexchange.com/questions/3959/recommended-of-iterations-when-using-pkbdf2-sha256
>
> OK. I've committed it without any changes, thanks for the patch.
>
> > It is desirable to be able to change the operator, but slappasswd does
> > not read slapd.conf so I was stuck.
> > I'm planning to change slappasswd to accept an iteration count in the future.
> > Thank you.
> >
>
>
> --
>   -- Howard Chu
>   CTO, Symas Corp. http://www.symas.com
>   Director, Highland Sun http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP http://www.openldap.org/project/

--
Open Source Solution Technology Corporation
HAMANO Tsukasa <hamano@osstech.co.jp>
fingerprint = 2285 2111 6D34 3816 3C2E A5B9 16BE D101 6069 BE55

Looking over this patch
https://www.osstech.co.jp/download/hamano/openldap-pbkdf2_nettle.patch

You've added a new contributor:

@@ -97,3 +99,5 @@ top-level directory of the distribution or, alternatively, at # ACKNOWLEDGEMENT This work was initially developed by HAMANO Tsukasa <hamano@osstech.co.jp> +Contributor: +Luca Bruno(lucab)

We cannot accept 3rd party submissions; Luca will have to submit any relevant
patches directly to us, along with a corresponding IPR statement as outlined in
our Contributors guidelines.

--
  -- Howard Chu
  CTO, Symas Corp. http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP http://www.openldap.org/project/

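Review bot: in the ACKNOWLEDGEMENT hunk, the added "+Luca Bruno(lucab)" entry gives only a name and a handle, while the existing line just above it credits HAMANO Tsukasa with a full e-mail address. Use the same "Name <address>" form for the new contributor and add the missing space before the parenthesis, so the README alone shows who contributed and how to reach them.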
changed notes changed state Test to Release
> with a corresponding IPR statement as outlined in
> our Contributors guidelines.

I was (wrongly) assuming that the explicit "Signed-off-by" line in each
patch was enough to express this from my side.

Just to be more explicit, here is the IPR statement for my part of the
patch:

"""
The attached patch is derived from OpenLDAP Software. All of the
modifications to OpenLDAP Software represented in the following
patch(es) were developed by Luca Bruno, on behalf of "Rocket Internet AG".
By virtue of my employment agreement with "Rocket Internet AG", I have
assigned my rights and interest in this work to "Rocket Internet AG".
"Rocket Internet AG" has not assigned rights and/or interest in this
work to any party. I, Luca Bruno am authorized by "Rocket Internet AG",
my employer, to release this work under the following terms.

"Rocket Internet AG" hereby places the following modifications to
OpenLDAP Software (and only these modifications) into the public domain.
Hence, these modifications may be freely used and/or redistributed for
any purpose with or without attribution and/or other notice.
"""

Cheers, Luca

PS. I would suggest to explicitly CC third-parties when you are missing
IPR info, as I was not aware that this ticket was waiting for input on
my side.

--
Luca Bruno (kaeso)
Security Engineer
Rocket Internet AG
-> GPG Key ID: 0x4F3BBEBF

added in master added in RE24 added in RE25
changed notes changed state Release to Closed