a57494f Ticket 47462 - Stop using DES in the reversible password

Authored and Committed by mreynolds 6 years ago
    Ticket 47462 - Stop using DES in the reversible password
     encryption plug-in
    
    Bug Description:  DES is not a safe cipher to use for Password Based Encryption(pbe).
                      AES should be used instead.
    
    Fix Description:  Use AES for all new password encodings.  AES requires that the
                      algorithm ID used to encode the password, must also be used to
                      decode it.  So, the algorithm ID is now stored in the cipher prefix:
    
                           {AES-<BASE64 encoded alg ID>}<ENCODED PASSWORD>
    
                      Since DES is no longer being used, the library has been renamed to a
                      more apprpriate name:
    
                           libdes-plugin -> libpbe-plugin
    
                      During upgrades the DES plugin entry has its library path updated
                      to use libpbe-plugin.  The MMR plugin changes its dependency from
                      DES to AES, and the AES plugin entry is added, and all the password
                      attributes found in the old DES Plugin are migrated over to the new
                      AES Plugin entry.
    
                      When the server is restarted it checks for any DES passwords in the
                      database and cn=config.  If any are found they are converted to AES,
                      and the DES plugin is disabled.
    
                      Also created a new operation flag: SLAPI_OP_FLAG_IGNORE_UNINDEXED
    
                      This flag prevents an internal unnidexed search from being logged
                      in the "errors" log.  When the server starts up it can potentially
                      do unindexed searches while looking for DES passwords.  We don't
                      want this log "noise" in the errors log everytime the server starts.
    
    https://fedorahosted.org/389/ticket/47462
    
    Design Doc: http://www.port389.org/docs/389ds/design/pbe.html
    
    Valgrind: Passed
    
    Reviewed by: nhosoi(Thanks!)
    
        
file modified
+8 -6
file modified
+52 -52
file modified
+15 -0
file modified
+27 -165
file modified
+25 -15
ldap/servers/plugins/rever/pbe.c ldap/servers/plugins/rever/des.c
file renamed
+494 -424
file modified
+243 -1
file modified
+57 -25
file modified
+1 -1
file modified
+2 -1
file modified
+6 -4
file modified
+2 -2