Red Hat Bugzilla – Attachment 592770 Details for
Bug 833216
squid uses a private md5 hash function for user auth, bypassing FIPS 140-2 restrictions
[patch]
fips/crypt patch for fedora version
squid-3.2.0-fips.patch (text/plain), 8.80 KB, created by
Paul Wouters
on 2012-06-18 22:35:38 UTC
Description:
fips/crypt patch for fedora version
Filename:
MIME Type:
Creator:
Paul Wouters
Created:
2012-06-18 22:35:38 UTC
Size:
8.80 KB
patch
obsolete
>diff -aur squid-3.2.0.16-origish/helpers/basic_auth/NCSA/basic_ncsa_auth.cc squid-3.2.0.16/helpers/basic_auth/NCSA/basic_ncsa_auth.cc
>--- squid-3.2.0.16-origish/helpers/basic_auth/NCSA/basic_ncsa_auth.cc 2012-03-06 21:42:55.000000000 -0500
>+++ squid-3.2.0.16/helpers/basic_auth/NCSA/basic_ncsa_auth.cc 2012-06-18 18:26:38.220363581 -0400
>@@ -139,21 +139,38 @@
> u = (user_data *) hash_lookup(hash, user);
> if (u == NULL) {
> SEND_ERR("No such user");
>+ }
> #if HAVE_CRYPT
>- } else if (strlen(passwd) <= 8 && strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) {
>- // Bug 3107: crypt() DES functionality silently truncates long passwords.
>- SEND_OK("");
>- } else if (strlen(passwd) > 8 && strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) {
>- // Bug 3107: crypt() DES functionality silently truncates long passwords.
>- SEND_ERR("Password too long. Only 8 characters accepted.");
>+ else {
>+ char *crypted = crypt(passwd, u->passwd);
>+ if (crypted != NULL && strlen(passwd) <= 8 && strcmp(u->passwd, crypted) == 0) {
>+ // Bug 3107: crypt() DES functionality silently truncates long passwords.
>+ SEND_OK("");
>+ } else if (crypted != NULL && strlen(passwd) > 8 && strcmp(u->passwd, crypted) == 0) {
>+ // Bug 3107: crypt() DES functionality silently truncates long passwords.
>+ SEND_ERR("Password too long. Only 8 characters accepted.");
>+ } else {
>+ char altpasswd[255]; /* more then enough for sha512 */
>+ altpasswd[0]='\0';
>+ strncat(altpasswd, "$1$", strlen("$1$"));
>+ strncat(altpasswd, passwd, strlen(passwd));
>+ crypted = crypt(altpasswd, u->passwd);
>+ if ( (crypted != NULL) && strlen(passwd) > 8 &&(strcmp(u->passwd, crypted) == 0)) {
>+
>+ SEND_OK("");
>+ } else {
>+ if (strcmp(u->passwd, (char *) md5sum(passwd)) == 0) { /* md5 without salt and magic strings - Added by Ramon de Carvalho and Rodrigo Rubira Branco */
>+ SEND_OK("");
>+ } else {
>+ SEND_ERR("ERR Wrong password\n");
>+ }
>+ }
>+ }
>+ }
>+#else
>+ else
>+ SEND_ERR("ERR Wrong password\n");
> #endif
>- } else if (strcmp(u->passwd, (char *) crypt_md5(passwd, u->passwd)) == 0) {
>- SEND_OK("");
>- } else if (strcmp(u->passwd, (char *) md5sum(passwd)) == 0) {
>- SEND_OK("");
>- } else {
>- SEND_ERR("Wrong password");
>- }
> }
> if (hash != NULL) {
> hashFreeItems(hash, my_free);
>diff -aur
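Review bot: `strncat(altpasswd, passwd, strlen(passwd))` bounds the copy by the source length rather than by the space left in the 255-byte stack buffer, so a password longer than roughly 251 bytes overruns `altpasswd`; replace the two strncat calls with `int n = snprintf(altpasswd, sizeof altpasswd, "$1$%s", passwd);` and treat `n < 0 || (size_t)n >= sizeof altpasswd` as a failed match instead of calling crypt() on a truncated key. Prepending "$1$" to the key rather than the salt is hard to justify from this hunk alone — the salt `u->passwd` already carries the algorithm prefix and the first `crypt(passwd, u->passwd)` call would already have matched an MD5-crypt entry — so a comment stating which stored-hash format this branch is meant to accept would help, and the `strlen(passwd) > 8` guard means short passwords never reach it. The new `SEND_ERR("ERR Wrong password\n")` calls differ from the removed `SEND_ERR("Wrong password")`; if SEND_ERR already adds the "ERR " prefix and newline, as the unchanged `SEND_ERR("No such user")` suggests, the helper now emits a doubled prefix, so `SEND_ERR("Wrong password")` should be restored in both the HAVE_CRYPT and the `#else` branch. The enclosing function starts and ends outside the hunk.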
squid-3.2.0.16-origish/helpers/basic_auth/NCSA/crypt_md5.cc squid-3.2.0.16/helpers/basic_auth/NCSA/crypt_md5.cc
>--- squid-3.2.0.16-origish/helpers/basic_auth/NCSA/crypt_md5.cc 2012-03-06 21:42:55.000000000 -0500
>+++ squid-3.2.0.16/helpers/basic_auth/NCSA/crypt_md5.cc 2012-06-18 18:26:23.389201532 -0400
>@@ -55,7 +55,7 @@
> static const char *sp, *ep;
> unsigned char final[16];
> int sl, pl, i, j;
>- SquidMD5_CTX ctx, ctx1;
>+ MD5_CTX ctx, ctx1;
> unsigned long l;
>
> if (*salt == '$') {
>@@ -178,7 +178,7 @@
> char *md5sum(const char *s)
> {
> static unsigned char digest[16];
>- SquidMD5_CTX ctx;
>+ MD5_CTX ctx;
> int idx;
> static char sum[33];
>
>Only in squid-3.2.0.16/helpers/basic_auth/NCSA: crypt_md5.cc.fips
>diff -aur squid-3.2.0.16-origish/helpers/basic_auth/RADIUS/basic_radius_auth.cc squid-3.2.0.16/helpers/basic_auth/RADIUS/basic_radius_auth.cc
>--- squid-3.2.0.16-origish/helpers/basic_auth/RADIUS/basic_radius_auth.cc 2012-03-06 21:42:55.000000000 -0500
>+++ squid-3.2.0.16/helpers/basic_auth/RADIUS/basic_radius_auth.cc 2012-06-18 18:26:23.390201543 -0400
>@@ -155,7 +155,7 @@
> static void
> md5_calc(uint8_t out[16], void *in, size_t len)
> {
>- SquidMD5_CTX ctx;
>+ MD5_CTX ctx;
> SquidMD5Init(&ctx);
> SquidMD5Update(&ctx, in, len);
> SquidMD5Final(out, &ctx);
>Only in squid-3.2.0.16/helpers/basic_auth/RADIUS: basic_radius_auth.cc.fips
>diff -aur squid-3.2.0.16-origish/include/md5.h squid-3.2.0.16/include/md5.h
>--- squid-3.2.0.16-origish/include/md5.h 2012-03-06 21:42:55.000000000 -0500
>+++ squid-3.2.0.16/include/md5.h 2012-06-18 18:26:23.390201543 -0400
>@@ -32,6 +32,8 @@
> *
> */
>
>+#include <openssl/md5.h>
>+#if 0
> typedef struct SquidMD5Context {
> uint32_t buf[4];
> uint32_t bytes[2];
>@@ -42,6 +44,13 @@
> SQUIDCEXTERN void SquidMD5Update(struct SquidMD5Context *context, const void *buf, unsigned len);
> SQUIDCEXTERN void SquidMD5Final(uint8_t digest[16], struct SquidMD5Context *context);
> SQUIDCEXTERN void SquidMD5Transform(uint32_t buf[4], uint32_t const in[16]);
>+#endif
>+
>+#define SquidMD5Init(x) MD5_Init(x)
>+#define SquidMD5Update(x,y,z) MD5_Update(x,y,z)
>+#define SquidMD5Final(x,y) MD5_Final(x,y)
>+#define SquidMD5Transform(x,y) MD5_Transform(x,y)
>+
>
> #define SQUID_MD5_DIGEST_LENGTH 16
>
>Only in squid-3.2.0.16/include: md5.h.fips
>diff -aur squid-3.2.0.16-origish/lib/md5.c squid-3.2.0.16/lib/md5.c
>--- squid-3.2.0.16-origish/lib/md5.c 2012-03-06 21:42:55.000000000 -0500
>+++ squid-3.2.0.16/lib/md5.c 2012-06-18 18:26:23.391201554 -0400
>@@ -55,12 +55,13 @@
> #define byteSwap(buf,words)
> #endif
>
>+#if 0
> /*
> * Start MD5 accumulation. Set bit count to 0 and buffer to mysterious
> * initialization constants.
> */
> void
>-SquidMD5Init(struct SquidMD5Context *ctx)
>+SquidMD5Init(struct MD5Context *ctx)
> {
> ctx->buf[0] = 0x67452301;
> ctx->buf[1] = 0xefcdab89;
>@@ -250,5 +251,5 @@
> buf[2] += c;
> buf[3] += d;
> }
>-
> #endif /* !ASM_MD5 */
>+#endif
>Only in squid-3.2.0.16/lib: md5.c.fips
>diff -aur squid-3.2.0.16-origish/lib/rfc2617.c squid-3.2.0.16/lib/rfc2617.c
>--- squid-3.2.0.16-origish/lib/rfc2617.c 2012-03-06 21:42:55.000000000 -0500
>+++ squid-3.2.0.16/lib/rfc2617.c 2012-06-18 18:26:23.391201554 -0400
>@@ -118,7 +118,7 @@
> HASHHEX SessionKey
> )
> {
>- SquidMD5_CTX Md5Ctx;
>+ MD5_CTX Md5Ctx;
>
> if (pszUserName) {
> SquidMD5Init(&Md5Ctx);
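Review bot: The wrapper macros route every SquidMD5Init caller through OpenSSL's `MD5_Init` and discard its return value, because the callers still use Squid's void-returning interface; in a FIPS-capable OpenSSL build the low-level `MD5_Init` is, as far as I know, the entry point that is refused once FIPS mode is on, so HTTP digest authentication (lib/rfc2617.c), the RADIUS and NCSA helpers and WCCP2 would fail hard at runtime rather than report an unsupported configuration. A comment above the defines should record that policy so the next reader can review it, e.g. `/* Security-relevant MD5 users go through MD5_Init and are subject to the FIPS guard; cache-key hashing calls private_MD5_Init directly (src/MemObject.cc, src/store_key_md5.cc). */`. The `#if 0` fencing leaves the SquidMD5Context typedef and prototypes as dead declarations in a public header, and the matching `#if 0` in lib/md5.c (same section, below) even renames a parameter type to `struct MD5Context` inside the disabled block, which is never compiled and matches nothing else in the patch; delete the dead code or exclude lib/md5.c from the build instead. The header also now depends on `<openssl/md5.h>` unconditionally, with no configure-time check visible in this patch.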
>@@ -157,7 +157,7 @@
> HASHHEX Response /* request-digest or response-digest */
> )
> {
>- SquidMD5_CTX Md5Ctx;
>+ MD5_CTX Md5Ctx;
> HASH HA2;
> HASH RespHash;
> HASHHEX HA2Hex;
>Only in squid-3.2.0.16/lib: rfc2617.c.fips
>diff -aur squid-3.2.0.16-origish/src/MemObject.cc squid-3.2.0.16/src/MemObject.cc
>--- squid-3.2.0.16-origish/src/MemObject.cc 2012-03-06 21:42:55.000000000 -0500
>+++ squid-3.2.0.16/src/MemObject.cc 2012-06-18 18:26:23.392201565 -0400
>@@ -53,9 +53,9 @@
> url_checksum(const char *url)
> {
> unsigned int ck;
>- SquidMD5_CTX M;
>+ MD5_CTX M;
> static unsigned char digest[16];
>- SquidMD5Init(&M);
>+ private_MD5_Init(&M);
> SquidMD5Update(&M, (unsigned char *) url, strlen(url));
> SquidMD5Final(digest, &M);
> memcpy(&ck, digest, sizeof(ck));
>Only in squid-3.2.0.16/src: MemObject.cc.fips
>diff -aur squid-3.2.0.16-origish/src/store_key_md5.cc squid-3.2.0.16/src/store_key_md5.cc
>--- squid-3.2.0.16-origish/src/store_key_md5.cc 2012-03-06 21:42:55.000000000 -0500
>+++ squid-3.2.0.16/src/store_key_md5.cc 2012-06-18 18:26:23.392201565 -0400
>@@ -102,10 +102,10 @@
> storeKeyPrivate(const char *url, const HttpRequestMethod& method, int id)
> {
> static cache_key digest[SQUID_MD5_DIGEST_LENGTH];
>- SquidMD5_CTX M;
>+ MD5_CTX M;
> assert(id > 0);
> debugs(20, 3, "storeKeyPrivate: " << RequestMethodStr(method) << " " << url);
>- SquidMD5Init(&M);
>+ private_MD5_Init(&M);
> SquidMD5Update(&M, (unsigned char *) &id, sizeof(id));
> SquidMD5Update(&M, (unsigned char *) &method, sizeof(method));
> SquidMD5Update(&M, (unsigned char *) url, strlen(url));
>@@ -118,8 +118,8 @@
> {
> static cache_key digest[SQUID_MD5_DIGEST_LENGTH];
> unsigned char m = (unsigned char) method.id();
>- SquidMD5_CTX M;
>- SquidMD5Init(&M);
>+ MD5_CTX M;
>+ private_MD5_Init(&M);
> SquidMD5Update(&M, &m, sizeof(m));
> SquidMD5Update(&M, (unsigned char *) url, strlen(url));
> SquidMD5Final(digest, &M);
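Review bot: `private_MD5_Init(&M)` in url_checksum calls an OpenSSL-internal symbol that, as far as I know, is only declared when the OpenSSL headers are built with OPENSSL_FIPS, so this call site and the three identical ones in src/store_key_md5.cc (this section and the next) tie Squid to a FIPS-capable OpenSSL and will not compile against a stock one. Route it through one wrapper macro in include/md5.h that expands to `private_MD5_Init` under `#ifdef OPENSSL_FIPS` and to `MD5_Init` otherwise, so the four call sites do not each name the internal. The bypass is deliberate — cache keys and URL checksums are not security uses of MD5 — and deserves a comment at the call site so nobody "fixes" it back to the guarded initialiser: `/* cache-key hashing only, not security-relevant: intentionally bypasses the FIPS restriction on MD5 */`. url_checksum is cut off by the hunk.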
>@@ -138,8 +138,8 @@
> static cache_key digest[SQUID_MD5_DIGEST_LENGTH];
> unsigned char m = (unsigned char) method.id();
> const char *url = urlCanonical(request);
>- SquidMD5_CTX M;
>- SquidMD5Init(&M);
>+ MD5_CTX M;
>+ private_MD5_Init(&M);
> SquidMD5Update(&M, &m, sizeof(m));
> SquidMD5Update(&M, (unsigned char *) url, strlen(url));
>
>Only in squid-3.2.0.16/src: store_key_md5.cc.fips
>diff -aur squid-3.2.0.16-origish/src/wccp2.cc squid-3.2.0.16/src/wccp2.cc
>--- squid-3.2.0.16-origish/src/wccp2.cc 2012-03-06 21:42:55.000000000 -0500
>+++ squid-3.2.0.16/src/wccp2.cc 2012-06-18 18:26:23.394201587 -0400
>@@ -581,7 +581,7 @@
> {
> uint8_t md5_digest[16];
> char pwd[WCCP2_PASSWORD_LEN];
>- SquidMD5_CTX M;
>+ MD5_CTX M;
>
> struct wccp2_security_md5_t *ws;
>
>@@ -635,7 +635,7 @@
> struct wccp2_security_md5_t *ws = (struct wccp2_security_md5_t *) security;
> uint8_t md5_digest[16], md5_challenge[16];
> char pwd[WCCP2_PASSWORD_LEN];
>- SquidMD5_CTX M;
>+ MD5_CTX M;
>
> /* Make sure the security type matches what we expect */
>
>Only in squid-3.2.0.16/src: wccp2.cc.fips