[Fedora-directory-commits] ldapserver/ldap/servers/plugins/rever des.c, 1.7, 1.8

Richard Allen Megginson (rmeggins) fedora-directory-commits at redhat.com
Thu Sep 20 20:27:37 UTC 2007

Author: rmeggins

Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/rever
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv5955/ldapserver/ldap/servers/plugins/rever

Modified Files:
Log Message:
Resolves: bug 262021
Bug Description: Migration script does not migrate nsDS5ReplicaCredentials correctly.
Reviewed by: nhosoi (Thanks!)
Fix Description: We still need to be able to decrypt passwords using the broken method.  I guess it works on Solaris and HP because the values are already in network byte order.  But when the values were encrypted on x86, they were encrypted the wrong way.  It is safe to use MIGRATE_BROKEN_PWD on Solaris and HP because it is essentially a no-op.  But this allows us to decrypt x86 passwords and store them correctly.
Platforms tested: RHEL4 i386, RHEL5 x86_64
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none

Index: des.c
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/rever/des.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- des.c	10 Nov 2006 23:45:23 -0000	1.7
+++ des.c	20 Sep 2007 20:27:34 -0000	1.8
@@ -478,9 +478,21 @@
 	return err;
+  The UUID name based generator was broken on x86 platforms.  We use
+  this to generate the password encryption key.  During migration,
+  we have to fix this so we can use the fixed generator.  The env.
+  var USE_BROKEN_UUID tells the uuid generator to use the old
+  broken method to create the UUID.  That will allow us to decrypt
+  the password to the correct clear text, then we can turn off
+  the broken method and use the fixed method to encrypt the
+  password.
 char *
 migrateCredentials(char *oldpath, char *newpath, char *oldcred)
+	static char *useBrokenUUID = "USE_BROKEN_UUID=1";
+	static char *disableBrokenUUID = "USE_BROKEN_UUID";
 	char *plain = NULL;
 	char *cipher = NULL;
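Review bot: the new comment documents USE_BROKEN_UUID but never names MIGRATE_BROKEN_PWD, the variable the migration operator actually sets to turn this path on (see the `getenv("MIGRATE_BROKEN_PWD")` checks in the next hunk); add one sentence here saying that MIGRATE_BROKEN_PWD is the external switch and USE_BROKEN_UUID is set internally from it, otherwise a reader of des.c has no way to find the knob. It would also help to note why `useBrokenUUID` and `disableBrokenUUID` are `static`: putenv() stores the pointer it is given rather than copying the string, so a stack buffer here would leave a dangling pointer in the environment once migrateCredentials() returns, and the static storage is what keeps this correct.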
@@ -489,8 +501,15 @@
 	slapd_pk11_configurePKCS11(NULL, NULL, tokDes, ptokDes, NULL, NULL, NULL, NULL, 0, 0 );	
+	if (getenv("MIGRATE_BROKEN_PWD")) {
+		putenv(useBrokenUUID);
+	}
 	if ( decode_path(oldcred, &plain, oldpath) == 0 )
+		if (getenv("MIGRATE_BROKEN_PWD")) {
+			putenv(disableBrokenUUID);
+		}
 		if ( encode_path(plain, &cipher, newpath) != 0 )
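Review bot: USE_BROKEN_UUID is set unconditionally before `decode_path(oldcred, &plain, oldpath)`, but it is only cleared inside the `== 0` success branch; if decoding fails, the process keeps running with the broken UUID generator selected, so any later encryption in the same process would silently produce ciphertext that the fixed generator cannot decrypt. Move the `putenv(disableBrokenUUID)` (or an unsetenv) to immediately after the decode_path() call, outside the conditional, so the broken mode is active for exactly the one decrypt. Separately, `putenv("USE_BROKEN_UUID")` with no `=` is relying on a glibc extension that removes the variable; POSIX leaves that form unspecified, and the commit message names Solaris and HP-UX as supported platforms, so `unsetenv("USE_BROKEN_UUID")` is the portable way to turn the mode back off.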
