Created attachment 431596 [details, diff] OpenLDAP patch for LibreSSL due old LANMAN support OpenLDAP fails to compile when libressl use flag is used. Please include this patch for libressl, it compiles correctly when used: The reason of the problem: http://www.openldap.org/lists/openldap-bugs/201411/msg00007.html The proposed working patch: http://www.openldap.org/lists/openldap-technical/201411/msg00121.html Tested version: 2.4.44 Patch attached. Diff for openldap-2.4.44.ebuild: 341a342,343 > epatch "${FILESDIR}"/${PN}-2.4.44-libressl.patch >
Please attach the full build log.
Created attachment 431742 [details] Build log for compiling openldap
Created attachment 431744 [details] Emerge --info
Pull request added in https://github.com/gentoo/gentoo/pull/1334 if needed.
How does that patch affect building against current stable openssl? Has upstream openldap adopted it yet? It looks like they intend to from the last comment in http://www.openldap.org/its/index.cgi/Incoming?id=7978
Anthony, I don't have openssl installed in my computer, and doing a test would take me a lot of time right now due recompilation on every single package from libressl to openssl, that's why I have the patch working only for libressl instead openssl. Testing against openssl that would require a further analysis, open for anyone who wants it, but this patch at least is intended for libressl specific use case, no idea if would work for openssl correctly as global feature, even understanding the OpenLDAP devs approved that change as proposal for OpenLDAP 2.5 following your mailing list posted. Can someone test if works correctly using openssl?
1. This patch causes build failure with OpenSSL. 2. It overrides prototypes wrongly: OpenLDAP has it's own des_* functions, eg des_set_key_unchecked function which was search & replaced to DES_set_key_unchecked very dubiously 3. After you ignore all the changes in case, I'm concerned about the subtle : function signature changes regarding the schedule argument: 148 - des_set_key_unchecked( &key, schedule ); 149 - des_ecb_encrypt( &StdText, &PasswordHash1, schedule , DES_ENCRYPT ); 150 + DES_set_key_unchecked( &key, &schedule ); 151 + DES_ecb_encrypt( &StdText, &PasswordHash1, &schedule , DES_ENCRYPT ); (and more of the same) I'm in favour of upstream's suggest that lmpasswd is to be removed entirely. Pablo: For future reference, it shouldn't take you long at all to start up a chroot that uses openssl, just unpack a stage tarball into a directory, bindmount proc/sys/dev/etc, chroot, emerge-webrsync, modify ebuild for test, get results. Or fire up a virtual machine running gentoo.
So why don't we disable-lmpasswd as upstream suggests? lmhash only seems to be necessary when using Samba and Windows prior to Windows NT.
(In reply to Felix Janda from comment #8) > So why don't we disable-lmpasswd as upstream suggests? > > lmhash only seems to be necessary when using Samba and Windows prior to > Windows NT. Do you mean, some USE parameter only for lmpasswd? I think would work. I can work on a patch if this idea would be approved, I don't want to create a patch if the idea will never go upstream. I'm really sorry for not responding this ticket again with a proper test of openssl, I just forgot to answer.
Fixed in 2.4.45
