NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

OpenLDAP doesn't work with {CRYPT} #313224

Open leona-ya opened 3 months ago

leona-ya commented 3 months ago

Describe the bug

When generating a password hash with {CRYPT} as the hashing algorithm (i.e. libxcrypt crypt()), the generation fails. This applies to both slappasswd and the normal OpenLDAP server. Other hashing algorithms work.

When I gdb-ed through the application, it seems that in libraries/liblutil/passwd.c:641 LUTIL_PASSWD_ERR (= -1) is returned, because

(gdb) call (char) crypt("t", salt)
$13 = 0 '\000'

Steps To Reproduce

Steps to reproduce the behavior:

$ ./result/bin/slappasswd -h "{CRYPT}"
New password:
Re-enter new password:
Password generation failed for scheme {CRYPT}:

Expected behavior


A hash should be generated by the crypt() api.

Additional context

last gdb steps:

Breakpoint 10, hash_crypt (scheme=0x6857d8, passwd=0x7fffffff9050, hash=0x7fffffff9060, text=<optimized out>) at passwd.c:881
881             for( i=0; i< ( sizeof(salt) - 1 ); i++ ) {
(gdb) s
884             salt[sizeof( salt ) - 1 ] = '\0';
(gdb) s
886             if( salt_format != NULL ) {
(gdb) s
894             rc = lutil_cryptptr( passwd->bv_val, (char *) salt, &hash->bv_val );
(gdb) s
lutil_crypt (key=0x6871c0 "t", salt=0x7fffffff8f90 "UEsUOGVDqz9OJopLFYbPaN7mLDBNdR/", hash=0x7fffffff9068) at passwd.c:627
627             char *cr = crypt( key, salt );
(gdb) print salt
$8 = 0x7fffffff8f90 "UEsUOGVDqz9OJopLFYbPaN7mLDBNdR/"
(gdb) print key
$9 = 0x6871c0 "t"
(gdb) s
630             if( cr == NULL || cr[0] == '\0' ) {
(gdb) s
641             return rc;
(gdb) s
hash_crypt (scheme=0x6857d8, passwd=0x7fffffff9050, hash=0x7fffffff9060, text=<optimized out>) at passwd.c:895
895             if ( rc != LUTIL_PASSWD_OK ) return rc;
(gdb) print rc
$10 = -1

Notify maintainers

@mweinelt @ajs124 @dasJ

Metadata

$ nix-info -m
 - system: `"x86_64-linux"`
 - host os: `Linux 6.8.10, NixOS, 24.05 (Uakari), 24.05pre-git`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.18.2`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

mweinelt commented 3 months ago

I don't think we support weak ciphers any longer. :thinking:

Can you rebuild openldap against libxcrypt-legacy and try again?

leona-ya commented 3 months ago

Unfortunately that works :c I was hoping that it would use yescrypt then (as libxcrypt's default), but maybe I understood something wrong. I also tried to explicitly convince it to use yescrypt/sha512/bcrypt, but that didn't work either.

mweinelt commented 3 months ago

{CRYPT} is actually a concrete scheme that was imported for compatibility with Linux passwd/shadow entries.

https://www.openldap.org/faq/data/cache/344.html

leona-ya commented 3 months ago

Hmm, this reads to me that it should also support the Linux shadow-type hashes with newer algorithms generated by libxcrypt.
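The failure the gdb trace shows is crypt() being handed a bare 31-character salt, i.e. a traditional DES request, and returning NULL. The program below is an added example (not OpenLDAP's or nixpkgs' code) that reproduces the interesting part outside slapd: it builds the crypt(3) "setting" string the way OpenLDAP's password-crypt-salt-format / slappasswd -c substitution does, using the exact salt from the trace, and asks the installed libcrypt whether it will hash under a traditional DES setting and under the $1$, $5$, $6$, $2b$ and $y$ prefixes. make_setting is a re-implementation for this example, not OpenLDAP's hash_crypt(). Assumptions: libcrypt is loadable as libcrypt.so.1 and exports crypt(); the yescrypt and bcrypt parameter strings ($y$j9T$, $2b$10$) are the usual defaults and not taken from the issue.

```c
#define _POSIX_C_SOURCE 200809L
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

typedef char *(*crypt_fn)(const char *key, const char *setting);

/* Salt from the gdb trace in this issue: 31 chars from [A-Za-z0-9./], which
 * is what OpenLDAP generates when no salt format is configured. */
static const char *ISSUE_SALT = "UEsUOGVDqz9OJopLFYbPaN7mLDBNdR/";

/* Build the setting string handed to crypt(3) the way password-crypt-salt-format
 * does: the format holds exactly one %s (optionally %.Ns, which truncates the
 * salt to N chars).  A NULL format passes the raw salt, which crypt(3) reads as
 * a traditional DES request (only the first two characters matter).
 * Returns 0 on success, -1 on a malformed format or a too-small buffer.
 * Example re-implementation, not OpenLDAP's code. */
static int make_setting(const char *fmt, const char *salt, char *out, size_t n)
{
    size_t salt_len = strlen(salt), take = salt_len;
    const char *pct, *spec;
    int w;

    if (fmt == NULL)
        fmt = "%s";
    pct = strchr(fmt, '%');
    if (pct == NULL)
        return -1;
    spec = pct + 1;
    if (*spec == '.') {                      /* %.Ns precision */
        take = 0;
        for (spec++; *spec >= '0' && *spec <= '9'; spec++)
            take = take * 10 + (size_t)(*spec - '0');
    }
    if (*spec != 's' || strchr(spec + 1, '%') != NULL)
        return -1;                           /* not %s, or a second conversion */
    if (take > salt_len)
        take = salt_len;
    w = snprintf(out, n, "%.*s%.*s%s", (int)(pct - fmt), fmt, (int)take, salt, spec + 1);
    return (w >= 0 && (size_t)w < n) ? 0 : -1;
}

/* OpenLDAP's lutil_crypt() checks cr == NULL || cr[0] == '\0'.  libxcrypt's
 * crypt(3) may instead return a failure token: fewer than 13 chars, starting
 * with '*' (e.g. "*0"), which that check would pass as a hash.  Treat all of
 * these as "no usable hash". */
static int hash_is_valid(const char *cr)
{
    return cr != NULL && cr[0] != '\0' && cr[0] != '*' && strlen(cr) >= 13;
}

/* 1 if the loaded libcrypt hashed key under setting, 0 otherwise. */
static int probe(crypt_fn cr, const char *key, const char *setting)
{
    return hash_is_valid(cr(key, setting));
}

int main(void)
{
    /* Labels name the scheme each prefix selects in crypt(5). */
    static const struct { const char *label, *fmt; } schemes[] = {
        { "DES (no salt format, slapd default)", NULL },
        { "$1$ md5crypt",    "$1$%.8s" },
        { "$5$ sha256crypt", "$5$%.16s" },
        { "$6$ sha512crypt", "$6$%.16s" },
        { "$2b$ bcrypt",     "$2b$10$%.22s" },
        { "$y$ yescrypt",    "$y$j9T$%.16s" },
    };
    char setting[128];
    crypt_fn cr = NULL;
    /* Assumption: libcrypt is loadable as libcrypt.so.1 and exports crypt(). */
    void *lib = dlopen("libcrypt.so.1", RTLD_NOW);
    if (lib == NULL) {
        fprintf(stderr, "cannot load libcrypt.so.1: %s\n", dlerror());
        return 1;
    }
    *(void **)&cr = dlsym(lib, "crypt");
    if (cr == NULL) {
        fprintf(stderr, "libcrypt has no crypt(): %s\n", dlerror());
        return 1;
    }
    for (size_t i = 0; i < sizeof schemes / sizeof schemes[0]; i++) {
        if (make_setting(schemes[i].fmt, ISSUE_SALT, setting, sizeof setting) != 0) {
            printf("%-40s bad salt format\n", schemes[i].label);
            continue;
        }
        /* "t" is the password typed in the issue's gdb session. */
        printf("%-40s %s\n", schemes[i].label,
               probe(cr, "t", setting) ? "supported" : "NOT supported (crypt() failed)");
    }
    dlclose(lib);
    return 0;
}
```

Build with `cc probe_crypt.c -o probe_crypt` (dlopen lives in libc on glibc 2.34 and later; older glibc needs `-ldl`). The first row is the situation in the trace: a libxcrypt built without the legacy DES algorithm fails it, while the same binary linked against libxcrypt-legacy passes. The other rows tell you which prefix a `password-crypt-salt-format` (slapd.conf) or `slappasswd -c` value could select on that host; whether slapd actually honours such a format on the reporter's system is exactly what this thread leaves open.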