authorRich Megginson <rmeggins@redhat.com>2007-09-20 20:27:35 +0000
committerRich Megginson <rmeggins@redhat.com>2007-09-20 20:27:35 +0000
commit52c015609915f9fd7593a71eb72b4677d047d2d8 (patch)
treebf367bf4fd09bfbd26233c9790a279c3d4c093d2
parenta2edd8d2be8d0114ca5d7756ebda91420c0e9d1d (diff)
Resolves: bug 262021
Bug Description: Migration script does not migrate nsDS5ReplicaCredentials correctly. Reviewed by: nhosoi (Thanks!) Fix Description: We still need to be able to decrypt passwords using the broken method. I guess it works on Solaris and HP because the values are already in network byte order. But when the values were encrypted on x86, they were encrypted the wrong way. It is safe to use MIGRATE_BROKEN_PWD on Solaris and HP because it is essentially a no-op. But this allows us to decrypt x86 passwords and store them correctly. Platforms tested: RHEL4 i386, RHEL5 x86_64 Flag Day: no Doc impact: no QA impact: should be covered by regular nightly and manual testing New Tests integrated into TET: none
-rw-r--r--ldap/admin/src/scripts/DSMigration.pm.in2
-rw-r--r--ldap/servers/plugins/rever/des.c19
-rw-r--r--ldap/servers/slapd/uuid.c12
3 files changed, 29 insertions, 4 deletions
diff --git a/ldap/admin/src/scripts/DSMigration.pm.in b/ldap/admin/src/scripts/DSMigration.pm.in
index fa220a7b..6f5294d3 100644
--- a/ldap/admin/src/scripts/DSMigration.pm.in
+++ b/ldap/admin/src/scripts/DSMigration.pm.in
@@ -180,7 +180,9 @@ sub migrateCredentials {
my ($ent, $attr, $mig, $inst) = @_;
my $oldval = $ent->getValues($attr);
debug(3, "Executing @bindir@/migratecred -o $mig->{actualsroot}/$inst -n @instconfigdir@/$inst -c \'$oldval\' . . .\n");
+ $ENV{MIGRATE_BROKEN_PWD} = "1"; # passwords prior to 8.0 were encrypted incorrectly
my $newval = `@bindir@/migratecred -o $mig->{actualsroot}/$inst -n @instconfigdir@/$inst -c \'$oldval\'`;
+ delete $ENV{MIGRATE_BROKEN_PWD}; # clear the flag
debug(3, "Converted old value [$oldval] to new value [$newval] for attr $attr in entry ", $ent->getDN(), "\n");
return $newval;
}
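Review bot: The flag is exported unconditionally at `$ENV{MIGRATE_BROKEN_PWD} = "1";`, while the comment on the same line limits the defect to pre-8.0 sources; if migrateCredentials can also be reached for an 8.0-or-later x86 source, migratecred would decrypt a correctly encrypted value with the broken generator and re-encrypt the wrong plaintext without any error being reported. Consider gating the assignment on the source version the migration already knows about, or stating in the comment why every source reaching this sub is pre-8.0. The `delete $ENV{MIGRATE_BROKEN_PWD};` two lines later also discards any value the caller had set; `local $ENV{MIGRATE_BROKEN_PWD} = "1";` scoped to this sub would set the flag for the child process and restore the previous state on every exit path, replacing both added lines. The sub's opening line is just above the hunk.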
diff --git a/ldap/servers/plugins/rever/des.c b/ldap/servers/plugins/rever/des.c
index 014c0876..0db0c4ab 100644
--- a/ldap/servers/plugins/rever/des.c
+++ b/ldap/servers/plugins/rever/des.c
@@ -478,9 +478,21 @@ static SVRCOREError cryptPassword(struct pk11ContextStore *store, char * clear,
return err;
}
+/*
+ The UUID name based generator was broken on x86 platforms. We use
+ this to generate the password encryption key. During migration,
+ we have to fix this so we can use the fixed generator. The env.
+ var USE_BROKEN_UUID tells the uuid generator to use the old
+ broken method to create the UUID. That will allow us to decrypt
+ the password to the correct clear text, then we can turn off
+ the broken method and use the fixed method to encrypt the
+ password.
+*/
char *
migrateCredentials(char *oldpath, char *newpath, char *oldcred)
{
+ static char *useBrokenUUID = "USE_BROKEN_UUID=1";
+ static char *disableBrokenUUID = "USE_BROKEN_UUID";
char *plain = NULL;
char *cipher = NULL;
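Review bot: `static char *disableBrokenUUID = "USE_BROKEN_UUID";` is later handed to putenv (second hunk of this file) to clear the variable, but a putenv string without `=` is only a glibc extension; POSIX leaves its effect unspecified, and on the Solaris and HP platforms the commit message says this path is meant to run, it may insert a malformed entry or fail, leaving USE_BROKEN_UUID set when encode_path runs. `unsetenv("USE_BROKEN_UUID")` is the portable way to clear it, which also makes the second declaration unnecessary. For the remaining `useBrokenUUID`, a static array `static char useBrokenUUID[] = "USE_BROKEN_UUID=1";` is the conventional shape for a putenv argument, since the string itself becomes part of the environment and a `char *` to a literal is not writable should the environment ever be modified in place.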
@@ -489,8 +501,15 @@ migrateCredentials(char *oldpath, char *newpath, char *oldcred)
slapd_pk11_configurePKCS11(NULL, NULL, tokDes, ptokDes, NULL, NULL, NULL, NULL, 0, 0 );
NSS_NoDB_Init(NULL);
+ if (getenv("MIGRATE_BROKEN_PWD")) {
+ putenv(useBrokenUUID);
+ }
+
if ( decode_path(oldcred, &plain, oldpath) == 0 )
{
+ if (getenv("MIGRATE_BROKEN_PWD")) {
+ putenv(disableBrokenUUID);
+ }
if ( encode_path(plain, &cipher, newpath) != 0 )
return(NULL);
else
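Review bot: The return value of `putenv(useBrokenUUID)` is not checked, so if it fails (ENOMEM) decode_path silently runs with the fixed UUID generator while MIGRATE_BROKEN_PWD is set, and the wrong plaintext is then re-encrypted as if the migration had succeeded. Treating the failure like the existing encode failure, `if (getenv("MIGRATE_BROKEN_PWD") && putenv(useBrokenUUID) != 0) return(NULL);`, keeps the fail-closed behaviour the function already has for encode_path. Reading the environment once into a local, `int brokenPwd = (getenv("MIGRATE_BROKEN_PWD") != NULL);`, would also avoid the second getenv at the clear site and make the pairing of set and clear easier to follow. Clearing only inside the decode-success branch is presumably fine because migratecred exits shortly after, but a one-line comment saying so would help; the rest of migrateCredentials is outside the hunk.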
diff --git a/ldap/servers/slapd/uuid.c b/ldap/servers/slapd/uuid.c
index 3c775e7f..626b0330 100644
--- a/ldap/servers/slapd/uuid.c
+++ b/ldap/servers/slapd/uuid.c
@@ -856,10 +856,14 @@ static void format_uuid_v3(guid_t * uuid, unsigned char hash[16])
memcpy(uuid, hash, sizeof(guid_t));
- /* convert UUID to local byte order */
- uuid->time_low = PR_ntohl(uuid->time_low);
- uuid->time_mid = PR_ntohs(uuid->time_mid);
- uuid->time_hi_and_version = PR_ntohs(uuid->time_hi_and_version);
+ /* when migrating, we skip the ntohl in order to read in old,
+ incorrectly formatted uuids */
+ if (!getenv("USE_BROKEN_UUID")) {
+ /* convert UUID to local byte order */
+ uuid->time_low = PR_ntohl(uuid->time_low);
+ uuid->time_mid = PR_ntohs(uuid->time_mid);
+ uuid->time_hi_and_version = PR_ntohs(uuid->time_hi_and_version);
+ }
/* put in the variant and version bits */
uuid->time_hi_and_version &= 0x0FFF;
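Review bot: The new `if (!getenv("USE_BROKEN_UUID"))` is evaluated inside format_uuid_v3 on every call, so the escape hatch is not limited to the migration tool: any process running this code, including a live server, whose environment happens to contain USE_BROKEN_UUID will produce byte-swapped name-based UUIDs on little-endian hosts, and since the des.c change in this commit notes that such a UUID seeds the password encryption key, a stray variable would change key derivation without any log message. At minimum the comment at the top of the added block should say so, e.g. `/* USE_BROKEN_UUID is a migration-only switch set by migratecred; it must never be present in the environment of a running server, or name-based UUIDs (and the keys derived from them) will differ from the fixed format. */`. If the variable is only ever meaningful to migratecred, consider making the check compile-time or a parameter of the migration entry point rather than an environment lookup in the generator.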