From f0ce4626d07793a7f1818f2111b53a7f2f8e7883 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Wed, 8 Dec 2021 08:27:46 +0100
Subject: [PATCH] 1935051 - [FIPS] cups library can use sha-1 and uses internal MD5

Resolves: rhbz#1935051
---
 cups-fips-restrict-md5.patch | 124 +++++++++++++++++++++++++++++++++++
 cups.spec | 28 ++++++++
 2 files changed, 152 insertions(+)
 create mode 100644 cups-fips-restrict-md5.patch

diff --git a/cups-fips-restrict-md5.patch b/cups-fips-restrict-md5.patch
new file mode 100644
index 0000000..41223fa
--- /dev/null
+++ b/cups-fips-restrict-md5.patch
@@ -0,0 +1,124 @@
+diff --git a/cups/http-support.c b/cups/http-support.c
+index a4bc079..9ee2309 100644
+--- a/cups/http-support.c
++++ b/cups/http-support.c
+@@ -1430,6 +1430,12 @@ _httpSetDigestAuthString(
+ * Use old RFC 2069 Digest method...
+ */
+ 
++ if (cg->digestoptions == _CUPS_DIGESTOPTIONS_DENYMD5)
++ {
++ DEBUG_puts("3_httpSetDigestAuthString: MD5 Digest is disabled.");
++ return (0);
++ }
++
+ /* H(A1) = H(username:realm:password) */
+ snprintf(temp, sizeof(temp), "%s:%s:%s", username, http->realm, password);
+ hashsize = (size_t)cupsHashData("md5", (unsigned char *)temp, strlen(temp), hash, sizeof(hash));
+diff --git a/cups/md5passwd.c b/cups/md5passwd.c
+index 9af5de2..5c9a64e 100644
+--- a/cups/md5passwd.c
++++ b/cups/md5passwd.c
+@@ -19,6 +19,9 @@
+ /*
+ * 'httpMD5()' - Compute the MD5 sum of the username:group:password.
+ *
++ * The function was used for HTTP Digest authentication. Since CUPS 2.4.0
++ * it produces an empty string. Please use @link cupsDoAuthentication@ instead.
++ *
+ * @deprecated@
+ */
+ 
+@@ -28,22 +31,13 @@ httpMD5(const char *username, /* I - User name */
+ const char *passwd, /* I - Password string */
+ char md5[33]) /* O - MD5 string */
+ {
+- unsigned char sum[16]; /* Sum data */
+- char line[256]; /* Line to sum */
+-
+-
+- /*
+- * Compute the MD5 sum of the user name, group name, and password.
+- */
++ (void)username;
++ (void)realm;
++ (void)passwd;
+ 
+- snprintf(line, sizeof(line), "%s:%s:%s", username, realm, passwd);
+- cupsHashData("md5", (unsigned char *)line, strlen(line), sum, sizeof(sum));
++ md5[0] = '\0';
+ 
+- /*
+- * Return the sum...
+- */
+-
+- return ((char *)cupsHashString(sum, sizeof(sum), md5, 33));
++ return (NULL);
+ }
+ 
+ 
+@@ -52,6 +46,9 @@ httpMD5(const char *username, /* I - User name */
+ * with the server-supplied nonce value, method, and
+ * request-uri.
+ *
++ * The function was used for HTTP Digest authentication. Since CUPS 2.4.0
++ * it produces an empty string. Please use @link cupsDoAuthentication@ instead.
++ *
+ * @deprecated@
+ */
+ 
+@@ -61,35 +58,22 @@ httpMD5Final(const char *nonce, /* I - Server nonce value */
+ const char *resource, /* I - Resource path */
+ char md5[33]) /* IO - MD5 sum */
+ {
+- unsigned char sum[16]; /* Sum data */
+- char line[1024]; /* Line of data */
+- char a2[33]; /* Hash of method and resource */
+-
++ (void)nonce;
++ (void)method;
++ (void)resource;
+ 
+- /*
+- * First compute the MD5 sum of the method and resource...
+- */
++ md5[0] = '\0';
+ 
+- snprintf(line, sizeof(line), "%s:%s", method, resource);
+- cupsHashData("md5", (unsigned char *)line, strlen(line), sum, sizeof(sum));
+- cupsHashString(sum, sizeof(sum), a2, sizeof(a2));
+-
+- /*
+- * Then combine A1 (MD5 of username, realm, and password) with the nonce
+- * and A2 (method + resource) values to get the final MD5 sum for the
+- * request...
+- */
+-
+- snprintf(line, sizeof(line), "%s:%s:%s", md5, nonce, a2);
+- cupsHashData("md5", (unsigned char *)line, strlen(line), sum, sizeof(sum));
+-
+- return ((char *)cupsHashString(sum, sizeof(sum), md5, 33));
++ return (NULL);
+ }
+ 
+ 
+ /*
+ * 'httpMD5String()' - Convert an MD5 sum to a character string.
+ *
++ * The function was used for HTTP Digest authentication. Since CUPS 2.4.0
++ * it produces an empty string. Please use @link cupsDoAuthentication@ instead.
++ *
+ * @deprecated@
+ */
+ 
+@@ -98,5 +82,9 @@ httpMD5String(const unsigned char *sum, /* I - MD5 sum data */
+ char md5[33])
+ /* O - MD5 sum in hex */
+ {
+- return ((char *)cupsHashString(sum, 16, md5, 33));
++ (void)sum;
++
++ md5[0] = '\0';
++
++ return (NULL);
+ }
diff --git a/cups.spec b/cups.spec
index 265c1b3..c704557 100644
--- a/cups.spec
+++ b/cups.spec
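Review bot: `httpMD5`, `httpMD5Final` and `httpMD5String` in the md5passwd.c part of the new patch now `return (NULL)` while the header comments added just above them say the function "produces an empty string"; the removed bodies returned the result of `cupsHashString` on the `md5` buffer, normally the buffer itself, so an external caller that uses the return value directly (a `%s` format, `strlen`, `strcmp`) would now dereference a null pointer instead of seeing an empty string. Either keep the old contract with `return (md5);` after `md5[0] = '\0';`, or state the new one in each of the three comments, e.g. `* @return NULL; md5 is set to the empty string.`, so the documentation and the code agree. The `_CUPS_DIGESTOPTIONS_DENYMD5` guard in http-support.c is placed only in the "old RFC 2069 Digest method" branch, and `_httpSetDigestAuthString` starts and ends outside the hunk, so I cannot confirm from here that the function's other Digest algorithm branches honor the same option. The three functions in md5passwd.c are complete within the hunk.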
@@ -92,6 +92,8 @@ Patch22: cups-deprecate-drivers.patch Patch23: 0001-Add-with-idle-exit-timeout-configure-option.patch # 2018951 - RFE: Implement TimeoutStartSec configuration during build Patch24: 0001-Add-with-systemd-timeoutstartsec-configure-option.patch +# 1935051 - [FIPS] cups library can use sha-1 and uses internal MD5 +Patch25: cups-fips-restrict-md5.patch ##### Patches removed because IMHO they aren't no longer needed @@ -316,6 +318,8 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in %patch23 -p1 -b .idleexittimeout # 2018951 - RFE: Implement TimeoutStartSec configuration during build %patch24 -p1 -b .conf-timeoutstartsec +# 1935051 - [FIPS] cups library can use sha-1 and uses internal MD5 +%patch25 -p1 -b .restrict-md5 %if %{lspp} @@ -419,6 +423,18 @@ touch %{buildroot}%{_sysconfdir}/cups/client.conf touch %{buildroot}%{_sysconfdir}/cups/subscriptions.conf touch %{buildroot}%{_sysconfdir}/cups/lpoptions +# deny MD5 digest authentication by default in client.conf +cat > %{buildroot}%{_sysconfdir}/cups/client.conf < /dev/null || echo 'DigestOptions DenyMD5' \ +>> %{_sysconfdir}/cups/client.conf + # Because of moving logs to journal, we need to create placeholder files # at /var/log/cups for users, whose are going to install CUPS on new OS # machine with info message @@ -719,6 +744,9 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man7/ippeveps.7.gz %changelog +* Mon Dec 06 2021 Zdenek Dohnal - 1:2.3.3op2-11 +- 1935051 - [FIPS] cups library can use sha-1 and uses internal MD5 + * Wed Dec 01 2021 Zdenek Dohnal - 1:2.3.3op2-11 - 2018951 - RFE: Implement TimeoutStartSec configuration during build
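Review bot: In the `@@ -419,6 +423,18 @@` hunk, `cat > %{buildroot}%{_sysconfdir}/cups/client.conf` overwrites the file that the `touch %{buildroot}%{_sysconfdir}/cups/client.conf` shown in the hunk header context just created, so that `touch` is now redundant and can be dropped. The condition in front of `|| echo 'DigestOptions DenyMD5' \` is missing from this rendering, so I cannot confirm it tests for an already present directive; if it does not, every upgrade appends another `DigestOptions DenyMD5` line to the installed `%{_sysconfdir}/cups/client.conf`, and a guard of the form `grep -q '^DigestOptions' %{_sysconfdir}/cups/client.conf || echo 'DigestOptions DenyMD5' >> %{_sysconfdir}/cups/client.conf` is what I would expect there. The new `%changelog` entry in the last hunk reuses `1:2.3.3op2-11`, the same EVR as the Dec 01 entry below it, and no `Release:` change is visible in this diff; the `Release:` line is outside these hunks, so it may have been bumped elsewhere, but the changelog should carry the new release either way.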