1935051 - [FIPS] cups library can use sha-1 and uses internal MD5
Resolves: rhbz#1935051
This commit is contained in:
parent
6242ccd8e7
commit
f0ce4626d0
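--- /dev/null
+++ b/cups-fips-restrict-md5.patch
@@ -0,0 +1,124 @@
+diff --git a/cups/http-support.c b/cups/http-support.c
+index a4bc079..9ee2309 100644
+--- a/cups/http-support.c
++++ b/cups/http-support.c
+@@ -1430,6 +1430,12 @@ _httpSetDigestAuthString(
+* Use old RFC 2069 Digest method...
+*/
+
++ if (cg->digestoptions == _CUPS_DIGESTOPTIONS_DENYMD5)
++ {
++ DEBUG_puts("3_httpSetDigestAuthString: MD5 Digest is disabled.");
++ return (0);
++ }
++
+/* H(A1) = H(username:realm:password) */
+snprintf(temp, sizeof(temp), "%s:%s:%s", username, http->realm, password);
+hashsize = (size_t)cupsHashData("md5", (unsigned char *)temp, strlen(temp), hash, sizeof(hash));
+diff --git a/cups/md5passwd.c b/cups/md5passwd.c
+index 9af5de2..5c9a64e 100644
+--- a/cups/md5passwd.c
++++ b/cups/md5passwd.c
+@@ -19,6 +19,9 @@
+/*
+* 'httpMD5()' - Compute the MD5 sum of the username:group:password.
+*
++ * The function was used for HTTP Digest authentication. Since CUPS 2.4.0
++ * it produces an empty string. Please use @link cupsDoAuthentication@ instead.
++ *
+* @deprecated@
+*/
+
+@@ -28,22 +31,13 @@ httpMD5(const char *username, /* I - User name */
+const char *passwd, /* I - Password string */
+char md5[33]) /* O - MD5 string */
+{
+- unsigned char sum[16]; /* Sum data */
+- char line[256]; /* Line to sum */
+-
+-
+- /*
+- * Compute the MD5 sum of the user name, group name, and password.
+- */
++ (void)username;
++ (void)realm;
++ (void)passwd;
+
+- snprintf(line, sizeof(line), "%s:%s:%s", username, realm, passwd);
+- cupsHashData("md5", (unsigned char *)line, strlen(line), sum, sizeof(sum));
++ md5[0] = '\0';
+
+- /*
+- * Return the sum...
+- */
+-
+- return ((char *)cupsHashString(sum, sizeof(sum), md5, 33));
++ return (NULL);
+}
+
+
+@@ -52,6 +46,9 @@ httpMD5(const char *username, /* I - User name */
+* with the server-supplied nonce value, method, and
+* request-uri.
+*
++ * The function was used for HTTP Digest authentication. Since CUPS 2.4.0
++ * it produces an empty string. Please use @link cupsDoAuthentication@ instead.
++ *
+* @deprecated@
+*/
+
+@@ -61,35 +58,22 @@ httpMD5Final(const char *nonce, /* I - Server nonce value */
+const char *resource, /* I - Resource path */
+char md5[33]) /* IO - MD5 sum */
+{
+- unsigned char sum[16]; /* Sum data */
+- char line[1024]; /* Line of data */
+- char a2[33]; /* Hash of method and resource */
+-
++ (void)nonce;
++ (void)method;
++ (void)resource;
+
+- /*
+- * First compute the MD5 sum of the method and resource...
+- */
++ md5[0] = '\0';
+
+- snprintf(line, sizeof(line), "%s:%s", method, resource);
+- cupsHashData("md5", (unsigned char *)line, strlen(line), sum, sizeof(sum));
+- cupsHashString(sum, sizeof(sum), a2, sizeof(a2));
+-
+- /*
+- * Then combine A1 (MD5 of username, realm, and password) with the nonce
+- * and A2 (method + resource) values to get the final MD5 sum for the
+- * request...
+- */
+-
+- snprintf(line, sizeof(line), "%s:%s:%s", md5, nonce, a2);
+- cupsHashData("md5", (unsigned char *)line, strlen(line), sum, sizeof(sum));
+-
+- return ((char *)cupsHashString(sum, sizeof(sum), md5, 33));
++ return (NULL);
+}
+
+
+/*
+* 'httpMD5String()' - Convert an MD5 sum to a character string.
+*
++ * The function was used for HTTP Digest authentication. Since CUPS 2.4.0
++ * it produces an empty string. Please use @link cupsDoAuthentication@ instead.
++ *
+* @deprecated@
+*/
+
+@@ -98,5 +82,9 @@ httpMD5String(const unsigned char *sum, /* I - MD5 sum data */
+char md5[33])
+/* O - MD5 sum in hex */
+{
+- return ((char *)cupsHashString(sum, 16, md5, 33));
++ (void)sum;
++
++ md5[0] = '\0';
++
++ return (NULL);
+}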
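Review bot: The DenyMD5 guard added in the http-support.c hunk sits only in the "old RFC 2069 Digest method" branch, and `_httpSetDigestAuthString` begins before the hunk, so the RFC 2617/7616 branch that picks its hash from `http->algorithm` is outside this view; confirm it carries the same `if (cg->digestoptions == _CUPS_DIGESTOPTIONS_DENYMD5) return (0);` check, otherwise a server advertising `algorithm=MD5` still gets an MD5 digest with DenyMD5 set, and check how the caller treats the `0` return since a quiet authentication failure is the intended outcome. In md5passwd.c the new doc comments say the functions "produce an empty string", but each now also returns NULL (`md5[0] = '\0'; return (NULL);`) where the old contract returned the md5 buffer, so a caller that passes the return straight to a string function will crash; spell that out: `* it writes an empty string to md5 and returns NULL. Please use @link cupsDoAuthentication@ instead.` The "Since CUPS 2.4.0" wording also reads oddly in a 2.3.3op2 build unless this is a verbatim upstream backport, which the commit message does not state.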
28
cups.spec
28
cups.spec
@ -92,6 +92,8 @@ Patch22: cups-deprecate-drivers.patch
|
|||||||
Patch23: 0001-Add-with-idle-exit-timeout-configure-option.patch
|
Patch23: 0001-Add-with-idle-exit-timeout-configure-option.patch
|
||||||
# 2018951 - RFE: Implement TimeoutStartSec configuration during build
|
# 2018951 - RFE: Implement TimeoutStartSec configuration during build
|
||||||
Patch24: 0001-Add-with-systemd-timeoutstartsec-configure-option.patch
|
Patch24: 0001-Add-with-systemd-timeoutstartsec-configure-option.patch
|
||||||
|
# 1935051 - [FIPS] cups library can use sha-1 and uses internal MD5
|
||||||
|
Patch25: cups-fips-restrict-md5.patch
|
||||||
|
|
||||||
|
|
||||||
##### Patches removed because IMHO they aren't no longer needed
|
##### Patches removed because IMHO they aren't no longer needed
|
||||||
@ -316,6 +318,8 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
|
|||||||
%patch23 -p1 -b .idleexittimeout
|
%patch23 -p1 -b .idleexittimeout
|
||||||
# 2018951 - RFE: Implement TimeoutStartSec configuration during build
|
# 2018951 - RFE: Implement TimeoutStartSec configuration during build
|
||||||
%patch24 -p1 -b .conf-timeoutstartsec
|
%patch24 -p1 -b .conf-timeoutstartsec
|
||||||
|
# 1935051 - [FIPS] cups library can use sha-1 and uses internal MD5
|
||||||
|
%patch25 -p1 -b .restrict-md5
|
||||||
|
|
||||||
|
|
||||||
%if %{lspp}
|
%if %{lspp}
|
||||||
@ -419,6 +423,18 @@ touch %{buildroot}%{_sysconfdir}/cups/client.conf
|
|||||||
touch %{buildroot}%{_sysconfdir}/cups/subscriptions.conf
|
touch %{buildroot}%{_sysconfdir}/cups/subscriptions.conf
|
||||||
touch %{buildroot}%{_sysconfdir}/cups/lpoptions
|
touch %{buildroot}%{_sysconfdir}/cups/lpoptions
|
||||||
|
|
||||||
|
# deny MD5 digest authentication by default in client.conf
|
||||||
|
cat > %{buildroot}%{_sysconfdir}/cups/client.conf <<EOF
|
||||||
|
# MD5 Digest authentication is turned off by default
|
||||||
|
# because MD5 is marked as insecure for authentication.
|
||||||
|
#
|
||||||
|
# If you need MD5 Digest authentication and you are aware of
|
||||||
|
# potential security risk, turn MD5 Digest authentication on
|
||||||
|
# by changing the directive value to 'None'.
|
||||||
|
|
||||||
|
DigestOptions DenyMD5
|
||||||
|
EOF
|
||||||
|
|
||||||
# LSB 3.2 printer driver directory
|
# LSB 3.2 printer driver directory
|
||||||
mkdir -p %{buildroot}%{_datadir}/ppd
|
mkdir -p %{buildroot}%{_datadir}/ppd
|
||||||
|
|
||||||
@ -471,6 +487,15 @@ s:.*\('%{_datadir}'/\)\([^/_]\+\)\(.*\.po$\):%lang(\2) \1\2\3:
|
|||||||
%post
|
%post
|
||||||
%systemd_post %{name}.path %{name}.socket %{name}.service
|
%systemd_post %{name}.path %{name}.socket %{name}.service
|
||||||
|
|
||||||
|
# remove this after F36 is EOL
|
||||||
|
# - previously the file was empty by default, so check whether the directive exists
|
||||||
|
# and if not, add the directive+value
|
||||||
|
# - we don't check for directive value in case some users already know they need MD5
|
||||||
|
# Digest authentication, so we won't break their setup with every update
|
||||||
|
# - ^\s* prevents matching comments and ignores whitespaces at the beginning
|
||||||
|
grep '^\s*DigestOptions' %{_sysconfdir}/cups/client.conf &> /dev/null || echo 'DigestOptions DenyMD5' \
|
||||||
|
>> %{_sysconfdir}/cups/client.conf
|
||||||
|
|
||||||
# Because of moving logs to journal, we need to create placeholder files
|
# Because of moving logs to journal, we need to create placeholder files
|
||||||
# at /var/log/cups for users, whose are going to install CUPS on new OS
|
# at /var/log/cups for users, whose are going to install CUPS on new OS
|
||||||
# machine with info message
|
# machine with info message
|
||||||
@ -719,6 +744,9 @@ rm -f %{cups_serverbin}/backend/smb
|
|||||||
%{_mandir}/man7/ippeveps.7.gz
|
%{_mandir}/man7/ippeveps.7.gz
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Dec 06 2021 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-11
|
||||||
|
- 1935051 - [FIPS] cups library can use sha-1 and uses internal MD5
|
||||||
|
|
||||||
* Wed Dec 01 2021 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-11
|
* Wed Dec 01 2021 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-11
|
||||||
- 2018951 - RFE: Implement TimeoutStartSec configuration during build
|
- 2018951 - RFE: Implement TimeoutStartSec configuration during build
|
||||||
|
|
||||||
|
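Review bot: The `%post` migration greps `'^\s*DigestOptions'` case-sensitively, but client.conf directives are matched case-insensitively by the CUPS client library (cups/usersys.c compares with `_cups_strcasecmp`), so an existing `digestoptions None` is missed and `DigestOptions DenyMD5` is appended after it; as later directives appear to override earlier ones, that silently flips an admin's explicit opt-in back to deny, the very breakage the comment above the grep says it wants to avoid. Use `grep -i '^\s*DigestOptions'`, the `-i` being the whole fix. Separately, the new changelog entry reuses `1:2.3.3op2-11` from the Dec 01 entry directly below it; unless `Release:` was bumped in a hunk outside this view, the entry should read `1:2.3.3op2-12` or be folded into the existing one.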