1935051 - [FIPS] cups library can use sha-1 and uses internal MD5
Resolves: rhbz#1935051
This commit is contained in:
Zdenek Dohnal
parent
6242ccd8e7
commit
f0ce4626d0
124
cups-fips-restrict-md5.patch
Normal file
124
cups-fips-restrict-md5.patch
Normal file
@ -0,0 +1,124 @@
|
||||
diff --git a/cups/http-support.c b/cups/http-support.c
|
||||
index a4bc079..9ee2309 100644
|
||||
--- a/cups/http-support.c
|
||||
+++ b/cups/http-support.c
|
||||
@@ -1430,6 +1430,12 @@ _httpSetDigestAuthString(
|
||||
* Use old RFC 2069 Digest method...
|
||||
*/
|
||||
|
||||
+ if (cg->digestoptions == _CUPS_DIGESTOPTIONS_DENYMD5)
|
||||
+ {
|
||||
+ DEBUG_puts("3_httpSetDigestAuthString: MD5 Digest is disabled.");
|
||||
+ return (0);
|
||||
+ }
|
||||
+
|
||||
/* H(A1) = H(username:realm:password) */
|
||||
snprintf(temp, sizeof(temp), "%s:%s:%s", username, http->realm, password);
|
||||
hashsize = (size_t)cupsHashData("md5", (unsigned char *)temp, strlen(temp), hash, sizeof(hash));
|
||||
diff --git a/cups/md5passwd.c b/cups/md5passwd.c
|
||||
index 9af5de2..5c9a64e 100644
|
||||
--- a/cups/md5passwd.c
|
||||
+++ b/cups/md5passwd.c
|
||||
@@ -19,6 +19,9 @@
|
||||
/*
|
||||
* 'httpMD5()' - Compute the MD5 sum of the username:group:password.
|
||||
*
|
||||
+ * The function was used for HTTP Digest authentication. Since CUPS 2.4.0
|
||||
+ * it produces an empty string. Please use @link cupsDoAuthentication@ instead.
|
||||
+ *
|
||||
* @deprecated@
|
||||
*/
|
||||
|
||||
@@ -28,22 +31,13 @@ httpMD5(const char *username, /* I - User name */
|
||||
const char *passwd, /* I - Password string */
|
||||
char md5[33]) /* O - MD5 string */
|
||||
{
|
||||
- unsigned char sum[16]; /* Sum data */
|
||||
- char line[256]; /* Line to sum */
|
||||
-
|
||||
-
|
||||
- /*
|
||||
- * Compute the MD5 sum of the user name, group name, and password.
|
||||
- */
|
||||
+ (void)username;
|
||||
+ (void)realm;
|
||||
+ (void)passwd;
|
||||
|
||||
- snprintf(line, sizeof(line), "%s:%s:%s", username, realm, passwd);
|
||||
- cupsHashData("md5", (unsigned char *)line, strlen(line), sum, sizeof(sum));
|
||||
+ md5[0] = '\0';
|
||||
|
||||
- /*
|
||||
- * Return the sum...
|
||||
- */
|
||||
-
|
||||
- return ((char *)cupsHashString(sum, sizeof(sum), md5, 33));
|
||||
+ return (NULL);
|
||||
}
|
||||
|
||||
|
||||
@@ -52,6 +46,9 @@ httpMD5(const char *username, /* I - User name */
|
||||
* with the server-supplied nonce value, method, and
|
||||
* request-uri.
|
||||
*
|
||||
+ * The function was used for HTTP Digest authentication. Since CUPS 2.4.0
|
||||
+ * it produces an empty string. Please use @link cupsDoAuthentication@ instead.
|
||||
+ *
|
||||
* @deprecated@
|
||||
*/
|
||||
|
||||
@@ -61,35 +58,22 @@ httpMD5Final(const char *nonce, /* I - Server nonce value */
|
||||
const char *resource, /* I - Resource path */
|
||||
char md5[33]) /* IO - MD5 sum */
|
||||
{
|
||||
- unsigned char sum[16]; /* Sum data */
|
||||
- char line[1024]; /* Line of data */
|
||||
- char a2[33]; /* Hash of method and resource */
|
||||
-
|
||||
+ (void)nonce;
|
||||
+ (void)method;
|
||||
+ (void)resource;
|
||||
|
||||
- /*
|
||||
- * First compute the MD5 sum of the method and resource...
|
||||
- */
|
||||
+ md5[0] = '\0';
|
||||
|
||||
- snprintf(line, sizeof(line), "%s:%s", method, resource);
|
||||
- cupsHashData("md5", (unsigned char *)line, strlen(line), sum, sizeof(sum));
|
||||
- cupsHashString(sum, sizeof(sum), a2, sizeof(a2));
|
||||
-
|
||||
- /*
|
||||
- * Then combine A1 (MD5 of username, realm, and password) with the nonce
|
||||
- * and A2 (method + resource) values to get the final MD5 sum for the
|
||||
- * request...
|
||||
- */
|
||||
-
|
||||
- snprintf(line, sizeof(line), "%s:%s:%s", md5, nonce, a2);
|
||||
- cupsHashData("md5", (unsigned char *)line, strlen(line), sum, sizeof(sum));
|
||||
-
|
||||
- return ((char *)cupsHashString(sum, sizeof(sum), md5, 33));
|
||||
+ return (NULL);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* 'httpMD5String()' - Convert an MD5 sum to a character string.
|
||||
*
|
||||
+ * The function was used for HTTP Digest authentication. Since CUPS 2.4.0
|
||||
+ * it produces an empty string. Please use @link cupsDoAuthentication@ instead.
|
||||
+ *
|
||||
* @deprecated@
|
||||
*/
|
||||
|
||||
@@ -98,5 +82,9 @@ httpMD5String(const unsigned char *sum, /* I - MD5 sum data */
|
||||
char md5[33])
|
||||
/* O - MD5 sum in hex */
|
||||
{
|
||||
- return ((char *)cupsHashString(sum, 16, md5, 33));
|
||||
+ (void)sum;
|
||||
+
|
||||
+ md5[0] = '\0';
|
||||
+
|
||||
+ return (NULL);
|
||||
}
|
||||
28
cups.spec
28
cups.spec
@ -92,6 +92,8 @@ Patch22: cups-deprecate-drivers.patch
|
||||
Patch23: 0001-Add-with-idle-exit-timeout-configure-option.patch
|
||||
# 2018951 - RFE: Implement TimeoutStartSec configuration during build
|
||||
Patch24: 0001-Add-with-systemd-timeoutstartsec-configure-option.patch
|
||||
# 1935051 - [FIPS] cups library can use sha-1 and uses internal MD5
|
||||
Patch25: cups-fips-restrict-md5.patch
|
||||
|
||||
|
||||
##### Patches removed because IMHO they aren't no longer needed
|
||||
@ -316,6 +318,8 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
|
||||
%patch23 -p1 -b .idleexittimeout
|
||||
# 2018951 - RFE: Implement TimeoutStartSec configuration during build
|
||||
%patch24 -p1 -b .conf-timeoutstartsec
|
||||
# 1935051 - [FIPS] cups library can use sha-1 and uses internal MD5
|
||||
%patch25 -p1 -b .restrict-md5
|
||||
|
||||
|
||||
%if %{lspp}
|
||||
@ -419,6 +423,18 @@ touch %{buildroot}%{_sysconfdir}/cups/client.conf
|
||||
touch %{buildroot}%{_sysconfdir}/cups/subscriptions.conf
|
||||
touch %{buildroot}%{_sysconfdir}/cups/lpoptions
|
||||
|
||||
# deny MD5 digest authentication by default in client.conf
|
||||
cat > %{buildroot}%{_sysconfdir}/cups/client.conf <<EOF
|
||||
# MD5 Digest authentication is turned off by default
|
||||
# because MD5 is marked as insecure for authentication.
|
||||
#
|
||||
# If you need MD5 Digest authentication and you are aware of
|
||||
# potential security risk, turn MD5 Digest authentication on
|
||||
# by changing the directive value to 'None'.
|
||||
|
||||
DigestOptions DenyMD5
|
||||
EOF
|
||||
|
||||
# LSB 3.2 printer driver directory
|
||||
mkdir -p %{buildroot}%{_datadir}/ppd
|
||||
|
||||
@ -471,6 +487,15 @@ s:.*\('%{_datadir}'/\)\([^/_]\+\)\(.*\.po$\):%lang(\2) \1\2\3:
|
||||
%post
|
||||
%systemd_post %{name}.path %{name}.socket %{name}.service
|
||||
|
||||
# remove this after F36 is EOL
|
||||
# - previously the file was empty by default, so check whether the directive exists
|
||||
# and if not, add the directive+value
|
||||
# - we don't check for directive value in case some users already know they need MD5
|
||||
# Digest authentication, so we won't break their setup with every update
|
||||
# - ^\s* prevents matching comments and ignores whitespaces at the beginning
|
||||
grep '^\s*DigestOptions' %{_sysconfdir}/cups/client.conf &> /dev/null || echo 'DigestOptions DenyMD5' \
|
||||
>> %{_sysconfdir}/cups/client.conf
|
||||
|
||||
# Because of moving logs to journal, we need to create placeholder files
|
||||
# at /var/log/cups for users, whose are going to install CUPS on new OS
|
||||
# machine with info message
|
||||
@ -719,6 +744,9 @@ rm -f %{cups_serverbin}/backend/smb
|
||||
%{_mandir}/man7/ippeveps.7.gz
|
||||
|
||||
%changelog
|
||||
* Mon Dec 06 2021 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-11
|
||||
- 1935051 - [FIPS] cups library can use sha-1 and uses internal MD5
|
||||
|
||||
* Wed Dec 01 2021 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-11
|
||||
- 2018951 - RFE: Implement TimeoutStartSec configuration during build
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user