Add patch to use OpenSSL RC4 implementation

Upstream proposed as PR#559 Signed-off-by: Simo Sorce <simo@redhat.com>
2019-06-13 18:10:40 -04:00 · 2019-06-13 18:10:40 -04:00 · 9ce724bfec
parent 09be16f01d
commit 9ce724bfec
2 changed files with 159 additions and 0 deletions
--- a/cyrus-sasl-pr559-RC4-openssl.patch
+++ b/cyrus-sasl-pr559-RC4-openssl.patch
@ -0,0 +1,156 @@
+From 8aa9ae816ddf66921b4a8a0f422517e6f2e55ac6 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Wed, 27 Mar 2019 14:29:08 -0400
+Subject: [PATCH] Use Openssl RC4 when available
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ configure.ac        |   5 +--
+ plugins/digestmd5.c | 107 +++++++++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 108 insertions(+), 4 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 388f5d02..cfdee4a2 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -1103,13 +1103,12 @@ AC_ARG_WITH(configdir, [   --with-configdir=DIR    set the directory where confi
+   configdir='${plugindir}:${sysconfdir}/sasl2')
+ AC_SUBST(configdir)
+ 
+-dnl look for rc4 libraries. we accept the CMU one or one from openSSL
+-AC_ARG_WITH(rc4, [  --with-rc4              use internal rc4 routines [[yes]] ],
+AC_ARG_WITH(rc4, [  --with-rc4              use rc4 routines [[yes]] ],
+ 	with_rc4=$withval,
+ 	with_rc4=yes)
+ 
+ if test "$with_rc4" != no; then
+-    AC_DEFINE(WITH_RC4,[],[Use internal RC4 implementation?])
+    AC_DEFINE(WITH_RC4,[],[Use RC4])
+ fi
+ 
+ building_for_macosx=no
+diff --git a/plugins/digestmd5.c b/plugins/digestmd5.c
+index df35093d..c6b54317 100644
+--- a/plugins/digestmd5.c
+++ b/plugins/digestmd5.c
+@@ -1117,6 +1117,111 @@ static void free_des(context_t *text)
+ #endif /* WITH_DES */
+ 
+ #ifdef WITH_RC4
+#ifdef HAVE_OPENSSL
+#include <openssl/evp.h>
+
+static void free_rc4(context_t *text)
+{
+    if (text->cipher_enc_context) {
+        EVP_CIPHER_CTX_free((EVP_CIPHER_CTX *)text->cipher_enc_context);
+        text->cipher_enc_context = NULL;
+    }
+    if (text->cipher_dec_context) {
+        EVP_CIPHER_CTX_free((EVP_CIPHER_CTX *)text->cipher_dec_context);
+        text->cipher_dec_context = NULL;
+    }
+}
+
+static int init_rc4(context_t *text,
+		    unsigned char enckey[16],
+		    unsigned char deckey[16])
+{
+    EVP_CIPHER_CTX *ctx;
+    int rc;
+
+    ctx = EVP_CIPHER_CTX_new();
+    if (ctx == NULL) return SASL_NOMEM;
+
+    rc = EVP_EncryptInit_ex(ctx, EVP_rc4(), NULL, enckey, NULL);
+    if (rc != 1) return SASL_FAIL;
+
+    text->cipher_enc_context = (void *)ctx;
+
+    ctx = EVP_CIPHER_CTX_new();
+    if (ctx == NULL) return SASL_NOMEM;
+
+    rc = EVP_DecryptInit_ex(ctx, EVP_rc4(), NULL, deckey, NULL);
+    if (rc != 1) return SASL_FAIL;
+
+    text->cipher_dec_context = (void *)ctx;
+
+    return SASL_OK;
+}
+
+static int dec_rc4(context_t *text,
+		   const char *input,
+		   unsigned inputlen,
+		   unsigned char digest[16] __attribute__((unused)),
+		   char *output,
+		   unsigned *outputlen)
+{
+    int len;
+    int rc;
+
+    /* decrypt the text part & HMAC */
+    rc = EVP_DecryptUpdate((EVP_CIPHER_CTX *)text->cipher_dec_context,
+                           (unsigned char *)output, &len,
+                           (const unsigned char *)input, inputlen);
+    if (rc != 1) return SASL_FAIL;
+
+    *outputlen = len;
+
+    rc = EVP_DecryptFinal_ex((EVP_CIPHER_CTX *)text->cipher_dec_context,
+                             (unsigned char *)output + len, &len);
+    if (rc != 1) return SASL_FAIL;
+
+    *outputlen += len;
+
+    /* subtract the HMAC to get the text length */
+    *outputlen -= 10;
+
+    return SASL_OK;
+}
+
+static int enc_rc4(context_t *text,
+		   const char *input,
+		   unsigned inputlen,
+		   unsigned char digest[16],
+		   char *output,
+		   unsigned *outputlen)
+{
+    int len;
+    int rc;
+    /* encrypt the text part */
+    rc = EVP_EncryptUpdate((EVP_CIPHER_CTX *)text->cipher_enc_context,
+                           (unsigned char *)output, &len,
+                           (const unsigned char *)input, inputlen);
+    if (rc != 1) return SASL_FAIL;
+
+    *outputlen = len;
+
+    /* encrypt the `MAC part */
+    rc = EVP_EncryptUpdate((EVP_CIPHER_CTX *)text->cipher_enc_context,
+                           (unsigned char *)output + *outputlen, &len,
+                           digest, 10);
+    if (rc != 1) return SASL_FAIL;
+
+    *outputlen += len;
+
+    rc = EVP_EncryptFinal_ex((EVP_CIPHER_CTX *)text->cipher_enc_context,
+                             (unsigned char *)output + *outputlen, &len);
+    if (rc != 1) return SASL_FAIL;
+
+    *outputlen += len;
+
+    return SASL_OK;
+}
+#else
+ /* quick generic implementation of RC4 */
+ struct rc4_context_s {
+     unsigned char sbox[256];
+@@ -1296,7 +1401,7 @@ static int enc_rc4(context_t *text,
+     
+     return SASL_OK;
+ }
+-
+#endif /* HAVE_OPENSSL */
+ #endif /* WITH_RC4 */
+ 
+ struct digest_cipher available_ciphers[] =
--- a/cyrus-sasl.spec
+++ b/cyrus-sasl.spec
@ -31,6 +31,7 @@ Patch23: cyrus-sasl-2.1.23-man.patch
 Patch24: cyrus-sasl-2.1.21-sizes.patch
 # The 64 bit *INT8 type is not used anywhere and other types match
 Patch49: cyrus-sasl-2.1.26-md5global.patch
+Patch60: cyrus-sasl-pr559-RC4-openssl.patch

 BuildRequires: autoconf, automake, libtool, gdbm-devel, groff
 BuildRequires: krb5-devel >= 1.2.2, openssl-devel, pam-devel, pkgconfig
@ -149,6 +150,7 @@ the GS2 authentication scheme.
 %patch23 -p1 -b .man
 %patch24 -p1 -b .sizes
 %patch49 -p1 -b .md5global.h
+%patch60 -p1 -b .openssl_rc4

 %build
 # reconfigure
@ -357,6 +359,7 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir}
 %changelog
 * Thu Jun 13 2019 Simo Sorce - 2.1.27-1
 - Update to final 2.1.27 sources
+- Also add patch to use OpenSSL RC4, currently proposed as PR 559

 * Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.27-0.6rc7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild