From c003d61541bd600ece8c7fea005e1acc4a4be3a6 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini
Date: Fri, 3 May 2013 13:42:42 +0200
Subject: [PATCH] add patches
---
0002-use-libgcrypt-for-MD5.patch | 162 ++++++++++++++++++++++++++++
0003-fix-crash-in-iscsi-tools.patch | 53 +++++++++
2 files changed, 215 insertions(+)
create mode 100644 0002-use-libgcrypt-for-MD5.patch
create mode 100644 0003-fix-crash-in-iscsi-tools.patch
diff --git a/0002-use-libgcrypt-for-MD5.patch b/0002-use-libgcrypt-for-MD5.patch
new file mode 100644
index 0000000..9bb7224
--- /dev/null
+++ b/0002-use-libgcrypt-for-MD5.patch
@@ -0,0 +1,162 @@
+From 8217ffdc2af8b412949d0d21a6ff3777c8e4953f Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Fri, 3 May 2013 12:47:12 +0200
+Subject: [PATCH] use libgcrypt for MD5
+
+This makes sure that CHAP authentication is disabled if the system
+is running in FIPS 140-2 mode. MD5 is not a secure algorithm according
+to the standard.
+
+Signed-off-by: Paolo Bonzini
+
+Conflicts:
+ Makefile.am
+ lib/login.c
+---
+ Makefile.am | 6 +++++-
+ configure.ac | 3 +++
+ lib/login.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++-------
+ 3 files changed, 61 insertions(+), 8 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index b750cdb..e308552 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -25,9 +25,13 @@ dist_noinst_DATA = lib/libiscsi.syms
+ lib_LTLIBRARIES = lib/libiscsi.la
+ lib_libiscsi_la_SOURCES = \
+ lib/connect.c lib/crc32c.c lib/discovery.c lib/init.c \
+- lib/login.c lib/md5.c lib/nop.c lib/pdu.c lib/scsi-command.c \
++ lib/login.c lib/nop.c lib/pdu.c lib/scsi-command.c \
+ lib/scsi-lowlevel.c lib/socket.c lib/sync.c lib/task_mgmt.c
+
++if !HAVE_LIBGCRYPT
++lib_libiscsi_la_SOURCES += lib/md5.c
++endif
++
+ SONAME=$(firstword $(subst ., ,$(VERSION)))
+ SOREL=$(shell printf "%d%02d%02d" $(subst ., ,$(VERSION)))
+ lib_libiscsi_la_LDFLAGS = \
+diff --git a/configure.ac b/configure.ac
+index bb95018..95d4ec6 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -28,6 +28,9 @@ AC_SUBST(WARN_CFLAGS)
+
+ AC_CONFIG_HEADER(config.h)
+
++AC_CHECK_LIB([gcrypt], [gcry_control])
++AM_CONDITIONAL([HAVE_LIBGCRYPT], [test $ac_cv_lib_gcrypt_gcry_control = yes])
++
+ AC_CACHE_CHECK([for sin_len in sock],libiscsi_cv_HAVE_SOCK_SIN_LEN,[
+ AC_TRY_COMPILE([#include
+ #include
+diff --git a/lib/login.c b/lib/login.c
+index 5da4d21..39ae237 100644
+--- a/lib/login.c
++++ b/lib/login.c
+@@ -25,12 +25,17 @@
+ #include
+ #endif
+
++#include "config.h"
+ #include
++#include
+ #include
+ #include
+ #include "iscsi.h"
+ #include "iscsi-private.h"
+ #include "md5.h"
++#ifdef HAVE_LIBGCRYPT
++#include
++#endif
+
+ static int
+ iscsi_login_add_initiatorname(struct iscsi_context *iscsi, struct iscsi_pdu *pdu)
+@@ -649,13 +654,48 @@ i2h(int i)
+ return i + '0';
+ }
+
++#ifndef HAVE_LIBGCRYPT
++typedef struct MD5Context *gcry_md_hd_t;
++#define gcry_md_write MD5Update
++#define GCRY_MD_MD5 1
++
++static inline void gcry_md_open(gcry_md_hd_t *hd, int algo, unsigned int flags)
++{
++ assert(algo == GCRY_MD_MD5 && flags == 0);
++ *hd = malloc(sizeof(struct MD5Context));
++ if (*hd) {
++ MD5Init(*hd);
++ }
++}
++
++static inline void gcry_md_putc(gcry_md_hd_t h, unsigned char c)
++{
++ MD5Update(h, &c, 1);
++}
++
++static inline char *gcry_md_read(gcry_md_hd_t h, int algo)
++{
++ unsigned char digest[16];
++ assert(algo == 0 || algo == GCRY_MD_MD5);
++
++ MD5Final(digest, h);
++ return memcpy(h->buf, digest, sizeof(digest));
++}
++
++static inline void gcry_md_close(gcry_md_hd_t h)
++{
++ memset(h, 0, sizeof(*h));
++ free(h);
++}
++#endif
++
+ static int
+ iscsi_login_add_chap_response(struct iscsi_context *iscsi, struct iscsi_pdu *pdu)
+ {
+ char *str;
+ unsigned char c, cc[2];
+ unsigned char digest[16];
+- struct MD5Context ctx;
++ gcry_md_hd_t ctx;
+ int i;
+
+ if (iscsi->current_phase != ISCSI_PDU_LOGIN_CSG_SECNEG
+@@ -663,21 +703,27 @@ iscsi_login_add_chap_response(struct iscsi_context *iscsi, struct iscsi_pdu *pdu
+ return 0;
+ }
+
++ gcry_md_open(&ctx, GCRY_MD_MD5, 0);
++ if (!ctx) {
++ iscsi_set_error(iscsi, "Cannot create MD5 algorithm");
++ return -1;
++ }
++
+ if (!iscsi->chap_c[0]) {
+ iscsi_set_error(iscsi, "No CHAP challenge found");
+ return -1;
+ }
+- MD5Init(&ctx);
+- c = iscsi->chap_i;
+- MD5Update(&ctx, &c, 1);
+- MD5Update(&ctx, (unsigned char *)iscsi->passwd, strlen(iscsi->passwd));
++ gcry_md_putc(ctx, iscsi->chap_i);
++ gcry_md_write(ctx, (unsigned char *)iscsi->passwd, strlen(iscsi->passwd));
++
+ str = iscsi->chap_c;
+ while (*str != 0) {
+ c = (h2i(str[0]) << 4) | h2i(str[1]);
+ str += 2;
+- MD5Update(&ctx, &c, 1);
++ gcry_md_putc(ctx, c);
+ }
+- MD5Final(digest, &ctx);
++ memcpy(digest, gcry_md_read(ctx, 0), sizeof(digest));
++ gcry_md_close(ctx);
+
+ str = (char *)"CHAP_R=0x";
+ if (iscsi_pdu_add_data(iscsi, pdu, (unsigned char *)str, strlen(str))
+--
+1.8.2
+
diff --git a/0003-fix-crash-in-iscsi-tools.patch b/0003-fix-crash-in-iscsi-tools.patch
new file mode 100644
index 0000000..37ae089
--- /dev/null
+++ b/0003-fix-crash-in-iscsi-tools.patch
@@ -0,0 +1,53 @@
+From 38ef7b1e200f8f6315335c5b6aba3405bf9ee404 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Fri, 3 May 2013 13:26:37 +0200
+Subject: [PATCH] fix crash in iscsi-tools
+
+---
+ src/iscsi-inq.c | 2 --
+ src/iscsi-ls.c | 2 --
+ src/iscsi-readcapacity16.c | 2 --
+ 3 files changed, 6 deletions(-)
+
+diff --git a/src/iscsi-inq.c b/src/iscsi-inq.c
+index 031e4e3..fa15a53 100644
+--- a/src/iscsi-inq.c
++++ b/src/iscsi-inq.c
+@@ -276,8 +276,6 @@ int main(int argc, const char *argv[])
+ }
+ iscsi_url = iscsi_parse_full_url(iscsi, url);
+
+- if (url) free(url);
+-
+ if (iscsi_url == NULL) {
+ fprintf(stderr, "Failed to parse URL: %s\n",
+ iscsi_get_error(iscsi));
+diff --git a/src/iscsi-ls.c b/src/iscsi-ls.c
+index b8c4b7c..6feec11 100644
+--- a/src/iscsi-ls.c
++++ b/src/iscsi-ls.c
+@@ -373,8 +373,6 @@ int main(int argc, const char *argv[])
+
+ iscsi_url = iscsi_parse_portal_url(iscsi, url);
+
+- if (url) free(url);
+-
+ if (iscsi_url == NULL) {
+ fprintf(stderr, "Failed to parse URL: %s\n",
+ iscsi_get_error(iscsi));
+diff --git a/src/iscsi-readcapacity16.c b/src/iscsi-readcapacity16.c
+index bbbc38f..39a70b9 100644
+--- a/src/iscsi-readcapacity16.c
++++ b/src/iscsi-readcapacity16.c
+@@ -118,8 +118,6 @@ int main(int argc, const char *argv[])
+ }
+ iscsi_url = iscsi_parse_full_url(iscsi, url);
+
+- if (url) free(url);
+-
+ if (iscsi_url == NULL) {
+ fprintf(stderr, "Failed to parse URL: %s\n",
+ iscsi_get_error(iscsi));
+--
+1.8.2
+
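Review bot: In the lib/login.c hunk at -663,21 +703,27 of 0002-use-libgcrypt-for-MD5.patch, `gcry_md_open(&ctx, GCRY_MD_MD5, 0)` now runs before the `if (!iscsi->chap_c[0])` check, so the "No CHAP challenge found" path returns -1 without `gcry_md_close(ctx)` and leaks the hash handle; moving the open below that check, or adding `gcry_md_close(ctx);` before that `return -1;`, closes it. Failure is detected only through `if (!ctx)` on a handle declared without an initialiser, which presumably relies on gcry_md_open storing NULL on error; `gcry_md_hd_t ctx = NULL;` would make the test independent of the library's behaviour. In the non-libgcrypt shim, `memset(h, 0, sizeof(*h));` directly before `free(h);` can be dropped by the optimiser, and that context has absorbed the CHAP secret, so a zeroing call the compiler must keep (for example `explicit_bzero` where the platform provides it) is the safer choice. The body of iscsi_login_add_chap_response starts before and continues past this hunk.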