Bug#1030716: openldap: password/sha2 produces incorrect SHA256
Andreas Hasenack
andreas at canonical.com
Mon Feb 6 17:51:34 GMT 2023
Package: openldap
Version: 2.5.13+dfsg-3
Severity: normal
Dear Maintainer,
we got a report[1] on Ubuntu that the contrib module password/sha2 was
producing an incorrect SHA256 hash. It was confirmed for a number of
releases (22.04, 22.10 and the upcoming 23.04). I checked and it also
happens on current debian/sid:
$ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2
{SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54=
$ echo "{SHA256}$(echo -n secret | openssl dgst -sha256 -binary |
openssl enc -base64)"
{SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
The suggested fix was to rebuild just this module with
`-fno-strict-aliasing`, and indeed that fixed it in Ubuntu. Other
options include:
- finding the offending piece of code that is causing this
optimization to misbehave
- updating the module to use gnutls or openssl, whatever openldap ends
up being linked with
- not building/shipping this module
1. https://bugs.launchpad.net/bugs/2000817
More information about the Pkg-openldap-devel
mailing list