slapd reports wrong ssf using gnutls

Bug #244925 reported by PatRiehecky
Affects                 Status        Importance  Assigned to  Milestone
openldap2.3 (Debian)    Fix Released  Unknown
openldap2.3 (Ubuntu)    Fix Released  Medium      Unassigned
  Declined for Intrepid by Steve Langasek
  Hardy                 Fix Released  Undecided   Unassigned

Bug Description

Binary package hint: slapd

More information in this thread : http://www.openldap.org/lists/openldap-software/200806/msg00065.html

The ssf matching is broken on gnutls with openldap 2.4 (http://www.openldap.org/lists/openldap-devel/200802/msg00072.html). At the highest cipher the reported ssf is 32, which is a stark contrast to the 256 that is reported by the same cipher at the same bit strength using openssl. The Debian project has made its stance on linking to gnutls for openldap. Ubuntu is not so strict about the purity of the tree (some GPL code is linked to BSD code in a few random places); is there any way the Ubuntu team could link this to openssl, or better yet ask Canonical to get a ruling from their lawyers as to the validity of the Debian project's choice on the matter?

I am half tempted to check security on this as it breaks a large piece of the encryption enforcement, but since it breaks it in an obvious way and provides the user no false sense of security I will forgo it.

PatRiehecky (jcpunk) wrote :
Colin Watson (cjwatson) wrote :

The BSD licence is compatible with the GPL by any serious interpretation that I've ever heard (including the FSF's), provided that the advertising clause is not present. Most modern BSD code does not include the advertising clause and can legitimately be linked with GPL code.

If you know of instances where we are distributing GPL code linked with other code under an incompatible licence, please tell us. I don't believe that we are any less strict about this than Debian, and it would be rather foolish for us to be so since we're a bigger target for lawsuits.

Mathias Gug (mathiaz) wrote :
Changed in openldap2.3:
importance: Undecided → Medium
status: New → Triaged
Changed in openldap2.3:
status: Unknown → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap2.3 - 2.4.10-1ubuntu1

---------------
openldap2.3 (2.4.10-1ubuntu1) intrepid; urgency=low

  * Merge from debian unstable, remaining changes:
    - debian/apparmor-profile: add AppArmor profile
    - debian/slapd.postinst: Reload AA profile on configuration
    - updated debian/slapd.README.Debian for note on AppArmor
    - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
    - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
      to make sure that if earlier version of apparmor-profiles gets
      installed it won't overwrite our profile.
    - Modify Maintainer value to match the DebianMaintainerField
      specification.
    - follow ApparmorProfileMigration and force apparmor complain mode on
      some upgrades (LP: #203529)
    - debian/slapd.dirs: add etc/apparmor.d/force-complain
    - debian/slapd.preinst: create symlink for force-complain on pre-feisty
      upgrades, upgrades where apparmor-profiles profile is unchanged (ie
      non-enforcing) and upgrades where apparmor profile does not exist.
    - debian/slapd.postrm: remove symlink in force-complain/ on purge
    - debian/patches/fix-ucred-libc due to changes how newer glibc handle
      the ucred struct now.
    - debian/patches/fix-unique-overlay-assertion.patch:
      Fix another assertion error in unique overlay (LP: #243337).
      Backport from head.
  * debian/control:
    - add time as build dependency: needed by make test.
  * debian/rules:
    - support debuild nocheck option: don't run tests if nocheck is set.
  * debian/patches/fix-gnutls-key-strength.patch:
    - fix slapd handling of ssf using gnutls. (LP: #244925).
  * Dropped - accepted in Debian:
    - debian/rules, debian/slapd.links: use hard links to slapd instead of
      symlinks for slap* so these applications aren't confined by apparmor
      (LP: #203898)
  * Dropped - fixed in new upstream release:
    - debian/patches/fix-assertion-io.patch: Fixes ber_flush2 assertion.
      (LP: #215904)
    - debian/patches/fix-dnpretty-assertion.patch: Fix dnPrettyNormal assertion
      error. (LP: #234196)
    - dropped debian/patches/fix-notify-crasher.patch: Fix modify timestamp crashes.
      (LP: #220724)
    - debian/patches/fix-syncrepl-oops: Fixes segmentation fault when using
      syncrepl. (LP: #227178)
    - dropped debian/patches/SECURITY_CVE-2008-0658.patch. Already applied
      upstream.

openldap2.3 (2.4.10-1) unstable; urgency=low

  [ Steve Langasek ]
  * New upstream release.
    - Clean up ld_defconn if it was freed, fixing an assertion failure in
      various clients. Closes: #469232.
    - Fixes slapd syncrepl hang on back-config. Closes: #471253.
    - Drop patch hurd-path-max, integrated upstream.
  * Drop spurious build-dependency on heimdal-dev, introduced accidentally
    as part of an aborted attempt to build the smbk5pwd overlay.
  * Use hardlinks instead of symlinks for the various slap* commands; this
    is functionally equivalent for us, and reduces divergence from
    derivatives such as Ubuntu that use apparmor. Closes: #488409.
  * New patch, no_backend_inter-linking, to fix the meta backend to not
  ...


Changed in openldap2.3:
status: Triaged → Fix Released
Changed in openldap2.3:
status: Confirmed → Fix Released
Chuck Short (zulcss)
Changed in openldap2.3:
status: Fix Released → Confirmed
Chuck Short (zulcss)
Changed in openldap2.3:
status: Confirmed → Fix Released
Chuck Short (zulcss) wrote :

The SSF reported when using startTLS is incorrect. This is because GnuTLS reports the strength in bytes, while the OpenLDAP code expects the strength in bits. Code needs to be updated to adjust the SSF value when linked against GnuTLS to our expected result.

The attached patch fixes this issue.

1. Install openldap2.3
2. Enable TLS

If you have any questions please let me know.

Regards
chuck
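An added example, not code from the bug report or from the OpenLDAP project, that turns the symptom described above (a 256-bit cipher reported as ssf=32, i.e. the GnuTLS byte count passed through where bits were expected) into a check a practitioner can run against a slapd stats log. It assumes the handshake line has the shape `conn=N fd=N TLS established tls_ssf=N ssf=N`, which is what slapd prints at loglevel stats; the sample log lines are constructed for the example, as are the function names. It applies a `security ssf=<N>` policy to each session and separately flags sessions whose value is exactly one eighth of a real key size, which is what a build with this bug produces.

```python
import re
from typing import Dict, List

# Constructed sample, not taken from the bug report. conn 1000 is a 256-bit
# cipher (e.g. AES-256) under an OpenSSL build; conn 1001 is the same cipher
# under the GnuTLS build described in this report (32 = 256 / 8); conn 1002 is
# a 128-bit cipher under the same buggy build; conn 1003 is a 128-bit cipher
# reported correctly. conn 1004 never completed a TLS handshake.
SAMPLE_LOG = """\
conn=1000 fd=12 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
conn=1000 fd=12 TLS established tls_ssf=256 ssf=256
conn=1001 fd=13 ACCEPT from IP=10.0.0.6:51240 (IP=0.0.0.0:389)
conn=1001 fd=13 TLS established tls_ssf=32 ssf=32
conn=1002 fd=14 TLS established tls_ssf=16 ssf=16
conn=1003 fd=15 TLS established tls_ssf=128 ssf=128
conn=1004 fd=16 ACCEPT from IP=10.0.0.9:51300 (IP=0.0.0.0:389)
"""

# Layout of slapd's "TLS established" stats line; the field order is an
# assumption of this example.
TLS_LINE = re.compile(
    r"conn=(?P<conn>\d+) fd=\d+ TLS established "
    r"tls_ssf=(?P<tls_ssf>\d+) ssf=(?P<ssf>\d+)"
)

# Symmetric key sizes, in bits, that a TLS cipher can legitimately yield.
KEY_BITS = (128, 192, 256)


def parse_tls_events(log_text: str) -> List[Dict[str, int]]:
    """Extract conn, tls_ssf and ssf from every TLS handshake line."""
    events = []
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if m:
            events.append({k: int(v) for k, v in m.groupdict().items()})
    return events


def looks_like_byte_count(ssf: int) -> bool:
    """True when ssf is not a key size in bits but ssf * 8 is: the exact
    symptom of a build that used GnuTLS's byte count as the SSF."""
    return ssf not in KEY_BITS and ssf * 8 in KEY_BITS


def corrected_ssf(ssf: int) -> int:
    """The value a fixed build (bits, not bytes) would report for the same handshake."""
    return ssf * 8 if looks_like_byte_count(ssf) else ssf


def audit(log_text: str, required_ssf: int = 128) -> Dict[str, List[int]]:
    """Apply a 'security ssf=<required_ssf>' policy to each TLS session.

    'rejected' lists sessions slapd would refuse to serve (SSF below policy);
    'suspect' lists those whose SSF looks like a byte count and would have
    satisfied the policy had it been computed in bits.
    """
    result: Dict[str, List[int]] = {"accepted": [], "rejected": [], "suspect": []}
    for ev in parse_tls_events(log_text):
        ssf = ev["ssf"]
        result["accepted" if ssf >= required_ssf else "rejected"].append(ev["conn"])
        if looks_like_byte_count(ssf) and corrected_ssf(ssf) >= required_ssf:
            result["suspect"].append(ev["conn"])
    return result


if __name__ == "__main__":
    for ev in parse_tls_events(SAMPLE_LOG):
        note = ""
        if looks_like_byte_count(ev["ssf"]):
            note = f"  <- looks like a byte count; {corrected_ssf(ev['ssf'])} in bits"
        print(f"conn={ev['conn']} ssf={ev['ssf']}{note}")
    print(audit(SAMPLE_LOG, required_ssf=128))
```

The manual equivalent of the same check is to set `security ssf=128` in slapd.conf and run `ldapwhoami -ZZ -x -H ldap://<host>`: a build with this bug refuses the operation with "confidentiality required" even though a 256-bit cipher was negotiated, because it computed the SSF as 32.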

Steve Langasek (vorlon) wrote :

Accepted into -proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in openldap2.3:
status: New → Fix Committed
Martin Pitt (pitti) wrote :

Any testers?

PatRiehecky (jcpunk) wrote :

I can confirm it is fixed in Intrepid. My Hardy box has a custom build in production so that may be a ways before testing can be done.

Steve Beattie (sbeattie) wrote :

Chuck (or Pat): can you put together a simple test case description? I've been trying to modify the security team's openldap test script (at http://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/annotate/267?file_id=testopenldap.py-20071127215143-r2h2d557ttml1mia-1), but my knowledge of openldap configuration is limited.

Thanks.

Hark (ubuntu-komkommerkom) wrote :

For me installing slapd from hardy-proposed fixed the problem.

Alessandro Sappia (a-sappia-gmail) wrote :

same problem on intrepid

slapd_2.4.11-0ubuntu6.1_amd64.deb

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap2.3 - 2.4.9-0ubuntu0.8.04.2

---------------
openldap2.3 (2.4.9-0ubuntu0.8.04.2) hardy-proposed; urgency=low

  [Chuck Short]
  * debian/patches/fix-gnutls-key-strength.patch: fixes ssf matching key
    strength with gnutls 2.3. (LP: #244925)

  [Jamie Strandboge]
  * adjust apparmor profile to allow gssapi (LP: #229252)
  * adjust apparmor profile to allow cnconfig (LP: #243525)

 -- Chuck Short <email address hidden> Tue, 05 Aug 2008 14:37:01 +0000

Changed in openldap2.3:
status: Fix Committed → Fix Released