turn off MD5 Digest authentication by default, because MD5 is marked insecure

This commit is contained in:
Zdenek Dohnal 2021-11-23 13:47:09 +01:00
parent 9fbfd375a6
commit 456f9aa151
2 changed files with 65 additions and 1 deletions

View File

@ -0,0 +1,36 @@
From 887041aaa3f61b87c55b2a746a8813be3d584034 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Fri, 19 Nov 2021 12:23:08 +0100
Subject: [PATCH] cups/http-support.c: Apply DigestOptions to RFC 2069 support
Earlier we applied DigestOptions only for devices which implement RFC
2617 or RFC 7616, this commit applies it even for RFC 2069 support.
This issue came up during CentOS Stream/RHEL 9 development, where MD5
digest is marked as insecure for authentication/authorization, so it
should be turned off in default configurations to prevent security
issues.
---
cups/http-support.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/cups/http-support.c b/cups/http-support.c
index 209235ee6..3d1208789 100644
--- a/cups/http-support.c
+++ b/cups/http-support.c
@@ -1430,6 +1430,12 @@ _httpSetDigestAuthString(
* Use old RFC 2069 Digest method...
*/
+ if (cg->digestoptions == _CUPS_DIGESTOPTIONS_DENYMD5)
+ {
+ DEBUG_puts("3_httpSetDigestAuthString: MD5 Digest is disabled.");
+ return (0);
+ }
+
/* H(A1) = H(username:realm:password) */
snprintf(temp, sizeof(temp), "%s:%s:%s", username, http->realm, password);
hashsize = (size_t)cupsHashData("md5", (unsigned char *)temp, strlen(temp), hash, sizeof(hash));
--
2.31.1

View File

@ -17,7 +17,7 @@ Summary: CUPS printing system
Name: cups Name: cups
Epoch: 1 Epoch: 1
Version: 2.3.3%{OP_VER} Version: 2.3.3%{OP_VER}
Release: 10%{?dist} Release: 11%{?dist}
License: ASL 2.0 License: ASL 2.0
Url: https://openprinting.github.io/cups/ Url: https://openprinting.github.io/cups/
# Apple stopped uploading the new versions into github, use OpenPrinting fork # Apple stopped uploading the new versions into github, use OpenPrinting fork
@ -97,6 +97,8 @@ Patch23: 0001-cups-md5passwd.c-Stub-out-httpMD5-functions.patch
Patch24: cups-deprecate-drivers.patch Patch24: cups-deprecate-drivers.patch
# 2022610 - compile with -fstack-protector-strong if available # 2022610 - compile with -fstack-protector-strong if available
Patch25: cups-fstack-strong.patch Patch25: cups-fstack-strong.patch
# Applying DigestOptions to MD5 Digest authentication defined by RFC 2069
Patch26: 0001-cups-http-support.c-Apply-DigestOptions-to-RFC-2069-.patch
##### Patches removed because IMHO they aren't no longer needed ##### Patches removed because IMHO they aren't no longer needed
##### but still I'll leave them in git in case their removal ##### but still I'll leave them in git in case their removal
@ -322,6 +324,8 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
%patch24 -p1 -b .deprecated-drivers %patch24 -p1 -b .deprecated-drivers
# 2022610 - compile with fstack-protector-strong if available # 2022610 - compile with fstack-protector-strong if available
%patch25 -p1 -b .fstack-strong %patch25 -p1 -b .fstack-strong
# apply DigestOptions for MD5 Digest authentication defined by RFC 2069
%patch26 -p1 -b .no-digest-rfc2069
%if %{lspp} %if %{lspp}
@ -420,6 +424,18 @@ touch %{buildroot}%{_sysconfdir}/cups/client.conf
touch %{buildroot}%{_sysconfdir}/cups/subscriptions.conf touch %{buildroot}%{_sysconfdir}/cups/subscriptions.conf
touch %{buildroot}%{_sysconfdir}/cups/lpoptions touch %{buildroot}%{_sysconfdir}/cups/lpoptions
# deny MD5 digest authentication by default in client.conf
cat > %{buildroot}%{_sysconfdir}/cups/client.conf <<EOF
# MD5 Digest authentication is turned off by default
# because MD5 is marked as insecure for authentication.
#
# If you need MD5 Digest authentication and you are aware of
# potential security risk, turn MD5 Digest authentication on
# by changing the directive value to 'None'.
DigestOptions DenyMD5
EOF
# LSB 3.2 printer driver directory # LSB 3.2 printer driver directory
mkdir -p %{buildroot}%{_datadir}/ppd mkdir -p %{buildroot}%{_datadir}/ppd
@ -464,6 +480,15 @@ s:.*\('%{_datadir}'/\)\([^/_]\+\)\(.*\.po$\):%lang(\2) \1\2\3:
%post %post
%systemd_post %{name}.path %{name}.socket %{name}.service %systemd_post %{name}.path %{name}.socket %{name}.service
# remove this after F36 is EOL
# - previously the file was empty by default, so check whether the directive exists
# and if not, add the directive+value
# - we don't check for directive value in case some users already know they need MD5
# Digest authentication, so we won't break their setup with every update
# - ^\s* prevents matching comments and ignores whitespaces at the beginning
grep '^\s*DigestOptions' %{_sysconfdir}/cups/client.conf &> /dev/null || echo 'DigestOptions DenyMD5' \
>> %{_sysconfdir}/cups/client.conf
%post client %post client
%if %{use_alternatives} %if %{use_alternatives}
/usr/sbin/alternatives --install %{_bindir}/lpr print %{_bindir}/lpr.cups 40 \ /usr/sbin/alternatives --install %{_bindir}/lpr print %{_bindir}/lpr.cups 40 \
@ -673,6 +698,9 @@ rm -f %{cups_serverbin}/backend/smb
%{_mandir}/man7/ippeveps.7.gz %{_mandir}/man7/ippeveps.7.gz
%changelog %changelog
* Mon Nov 22 2021 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-11
- turn off MD5 Digest authentication by default, because MD5 is marked insecure
* Fri Nov 12 2021 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-10 * Fri Nov 12 2021 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-10
- 2022610 - fix compilation issues reported by annocheck - 2022610 - fix compilation issues reported by annocheck
- 2019845 - Add more warning messages about driver going deprecated (completed) - 2019845 - Add more warning messages about driver going deprecated (completed)