Revert back to using GnuTLS as the TLS backend
The previous commit switched from GnuTLS to OpenSSL to avoid direct use of Nettle functions for NTLM. That worked, but it caused user-visible incompatibilities, for example with PKCS#11 URIs passed via the --certificate option. This patch switches wget back to GnuTLS and instead uses a non-Nettle implementation of the deprecated algorithms (DES, MD4) that NTLM needs. Resolves: RHEL-69748 Signed-off-by: Daiki Ueno <dueno@redhat.com>
parent
5ca36e9dcc
commit
ef17e7a0e2
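--- a/wget-1.24.5-no-nettle.patch
+++ b/wget-1.24.5-no-nettle.patch
@@ -0,0 +1,153 @@
+From 9476ce232a3dcadc205e963eb69a567f478fde95 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 11 Dec 2024 17:14:58 +0900
+Subject: [PATCH] wget-1.24.5-no-nettle.patch
+
+---
+src/http-ntlm.c | 91 ++++++++++++++++++++++++++++++++++++-------------
+1 file changed, 68 insertions(+), 23 deletions(-)
+
+diff --git a/src/http-ntlm.c b/src/http-ntlm.c
+index ee054e0..9f5b50e 100644
+--- a/src/http-ntlm.c
++++ b/src/http-ntlm.c
+@@ -44,13 +44,14 @@ as that of the covered work. */
+
+#include "utils.h"
+#include "http-ntlm.h"
++#include "md4.h"
+
+-#ifdef HAVE_NETTLE
+-# include <nettle/md4.h>
++#ifdef HAVE_LIBGNUTLS
++# include <gnutls/crypto.h>
++#elif defined HAVE_NETTLE
+# include <nettle/des.h>
+#else
+# include <openssl/des.h>
+-# include <openssl/md4.h>
+# include <openssl/opensslv.h>
+
+# if OPENSSL_VERSION_NUMBER < 0x00907001L
+@@ -164,7 +165,31 @@ ntlm_input (struct ntlmdata *ntlm, const char *header)
+* Turns a 56 bit key into the 64 bit, odd parity key and sets the key. The
+* key schedule ks is also set.
+*/
+-#ifdef HAVE_NETTLE
++#ifdef HAVE_LIBGNUTLS
++static void
++setup_des_key(unsigned char *key_56,
++ gnutls_cipher_hd_t *des)
++{
++ unsigned char key[8];
++ gnutls_datum_t _key;
++ int ret;
++
++ key[0] = key_56[0];
++ key[1] = ((key_56[0] << 7) & 0xFF) | (key_56[1] >> 1);
++ key[2] = ((key_56[1] << 6) & 0xFF) | (key_56[2] >> 2);
++ key[3] = ((key_56[2] << 5) & 0xFF) | (key_56[3] >> 3);
++ key[4] = ((key_56[3] << 4) & 0xFF) | (key_56[4] >> 4);
++ key[5] = ((key_56[4] << 3) & 0xFF) | (key_56[5] >> 5);
++ key[6] = ((key_56[5] << 2) & 0xFF) | (key_56[6] >> 6);
++ key[7] = (key_56[6] << 1) & 0xFF;
++
++ _key.data = key;
++ _key.size = sizeof(key);
++ ret = gnutls_cipher_init(des, GNUTLS_CIPHER_DES_CBC, &_key, NULL);
++ if (ret < 0)
++ abort ();
++}
++#elif defined HAVE_NETTLE
+static void
+setup_des_key(unsigned char *key_56,
+struct des_ctx *des)
+@@ -211,7 +236,28 @@ setup_des_key(unsigned char *key_56,
+static void
+calc_resp(unsigned char *keys, unsigned char *plaintext, unsigned char *results)
+{
+-#ifdef HAVE_NETTLE
++#ifdef HAVE_LIBGNUTLS
++ gnutls_cipher_hd_t des;
++ int ret;
++
++ setup_des_key(keys, &des);
++ ret = gnutls_cipher_encrypt2(des, plaintext, 8, results, 8);
++ if (ret < 0)
++ abort ();
++ gnutls_cipher_deinit(des);
++
++ setup_des_key(keys + 7, &des);
++ ret = gnutls_cipher_encrypt2(des, plaintext, 8, results + 8, 8);
++ if (ret < 0)
++ abort ();
++ gnutls_cipher_deinit(des);
++
++ setup_des_key(keys + 14, &des);
++ ret = gnutls_cipher_encrypt2(des, plaintext, 8, results + 16, 8);
++ if (ret < 0)
++ abort ();
++ gnutls_cipher_deinit(des);
++#elif defined HAVE_NETTLE
+struct des_ctx des;
+
+setup_des_key(keys, &des);
+@@ -274,7 +320,22 @@ mkhash(const char *password,
+
+{
+/* create LanManager hashed password */
+-#ifdef HAVE_NETTLE
++#ifdef HAVE_LIBGNUTLS
++ gnutls_cipher_hd_t des;
++ int ret;
++
++ setup_des_key(pw, &des);
++ ret = gnutls_cipher_encrypt2(des, magic, 8, lmbuffer, 8);
++ if (ret < 0)
++ abort ();
++ gnutls_cipher_deinit(des);
++
++ setup_des_key(pw + 7, &des);
++ ret = gnutls_cipher_encrypt2(des, magic, 8, lmbuffer + 8, 8);
++ if (ret < 0)
++ abort ();
++ gnutls_cipher_deinit(des);
++#elif defined HAVE_NETTLE
+struct des_ctx des;
+
+setup_des_key(pw, &des);
+@@ -301,12 +362,6 @@ mkhash(const char *password,
+
+#ifdef USE_NTRESPONSES
+{
+-#ifdef HAVE_NETTLE
+- struct md4_ctx MD4;
+-#else
+- MD4_CTX MD4;
+-#endif
+-
+unsigned char pw4[64];
+
+len = strlen (password);
+@@ -319,17 +374,7 @@ mkhash(const char *password,
+pw4[2 * i + 1] = 0;
+}
+
+-#ifdef HAVE_NETTLE
+- nettle_md4_init(&MD4);
+- nettle_md4_update(&MD4, (unsigned) (2 * len), pw4);
+- nettle_md4_digest(&MD4, MD4_DIGEST_SIZE, ntbuffer);
+-#else
+- /* create NT hashed password */
+- MD4_Init(&MD4);
+- MD4_Update(&MD4, pw4, 2 * len);
+- MD4_Final(ntbuffer, &MD4);
+-#endif
+-
++ md4_buffer((const char *) pw4, (unsigned) (2 * len), ntbuffer);
+memset(ntbuffer + 16, 0, 5);
+}
+
+--
+2.47.0
+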
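Review bot: The new GnuTLS branch calls `abort()` whenever `gnutls_cipher_init` or `gnutls_cipher_encrypt2` fails (setup_des_key, and the three/two encrypt steps in calc_resp and mkhash in the inner hunks at @@ -164, @@ -211 and @@ -274), and that path is presumably reachable once a server answers with an NTLM challenge and the user has supplied credentials; if GnuTLS refuses single DES — plausible on a FIPS-enabled RHEL host — wget would core-dump instead of failing the authentication, whereas the Nettle `des_set_key` and OpenSSL `DES_set_key` calls being replaced cannot fail at all. Return a status from setup_des_key and make calc_resp and mkhash return `bool` so that ntlm_output (outside this patch) can log the GnuTLS error and abandon the exchange. While there, the single-block CBC call relies on a NULL IV meaning all-zero; passing an explicit zero IV and noting in a comment that one 8-byte block of CBC with a zero IV is plain DES-ECB makes both the dependency and the intent visible. calc_resp and mkhash continue past the shown lines into the Nettle and OpenSSL branches, which would need matching `return true;` statements, and `setup_des_key` also leaves the expanded key in `key[8]` on the stack; the original branches did the same, so that is pre-existing.
```c
/* Expand the 56-bit key and open a DES handle.  Returns 0 on success or a
   negative GnuTLS error if the cipher is refused (e.g. single DES disabled in
   FIPS mode); callers must abandon the NTLM exchange rather than abort().  */
static int
setup_des_key(unsigned char *key_56, gnutls_cipher_hd_t *des)
{
  static const unsigned char zero_iv[8];
  unsigned char key[8];
  gnutls_datum_t _key = { key, sizeof(key) };
  gnutls_datum_t iv = { (unsigned char *) zero_iv, sizeof(zero_iv) };

  /* … unchanged: key[0..7] expansion from key_56 … */

  /* One 8-byte block under CBC with an all-zero IV is plain DES-ECB, which is
     what NTLM needs; pass the IV explicitly instead of relying on NULL.  */
  return gnutls_cipher_init(des, GNUTLS_CIPHER_DES_CBC, &_key, &iv);
}

static bool
calc_resp(unsigned char *keys, unsigned char *plaintext, unsigned char *results)
{
#ifdef HAVE_LIBGNUTLS
  gnutls_cipher_hd_t des;
  int ret;

  if (setup_des_key(keys, &des) < 0)
    return false;
  ret = gnutls_cipher_encrypt2(des, plaintext, 8, results, 8);
  gnutls_cipher_deinit(des);
  if (ret < 0)
    return false;
  /* … same pattern for keys + 7 / results + 8 and keys + 14 / results + 16 … */
  return true;
  /* … unchanged: Nettle and OpenSSL branches, each ending in return true … */
```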
14
wget.spec
14
wget.spec
@ -1,7 +1,7 @@
|
||||
Summary: A utility for retrieving files using the HTTP or FTP protocols
|
||||
Name: wget
|
||||
Version: 1.24.5
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
License: GPL-3.0-or-later AND LGPL-2.1-or-later AND GFDL-1.3-or-later
|
||||
Url: http://www.gnu.org/software/wget/
|
||||
Source: ftp://ftp.gnu.org/gnu/wget/wget-%{version}.tar.gz
|
||||
@ -9,6 +9,7 @@ Source: ftp://ftp.gnu.org/gnu/wget/wget-%{version}.tar.gz
|
||||
Patch1: wget-1.17-path.patch
|
||||
Patch3: wget-1.21-metalink-man.patch
|
||||
Patch5: wget-1.21-CVE-2024-38428.patch
|
||||
Patch6: wget-1.24.5-no-nettle.patch
|
||||
|
||||
Provides: webclient
|
||||
Provides: bundled(gnulib)
|
||||
@ -18,7 +19,7 @@ BuildRequires: perl(lib)
|
||||
BuildRequires: perl(English)
|
||||
BuildRequires: perl(HTTP::Daemon)
|
||||
BuildRequires: python3
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: gnutls-devel
|
||||
BuildRequires: pkgconfig
|
||||
BuildRequires: texinfo
|
||||
BuildRequires: gettext
|
||||
@ -31,6 +32,7 @@ BuildRequires: gpgme-devel
|
||||
BuildRequires: gcc
|
||||
BuildRequires: zlib-devel
|
||||
BuildRequires: git-core
|
||||
BuildRequires: nettle-devel
|
||||
|
||||
%description
|
||||
GNU Wget is a file retrieval utility which can use either the HTTP or
|
||||
@ -50,11 +52,12 @@ grep "PACKAGE_STRING='wget .* (Red Hat modified)'" configure || exit 1
|
||||
|
||||
%build
|
||||
%configure \
|
||||
--with-ssl=openssl \
|
||||
--with-ssl=gnutls \
|
||||
--with-libpsl \
|
||||
--enable-largefile \
|
||||
--enable-opie \
|
||||
--enable-digest \
|
||||
--enable-ntlm \
|
||||
--enable-nls \
|
||||
--enable-ipv6 \
|
||||
--disable-rpath
|
||||
@ -80,6 +83,11 @@ make check
|
||||
%{_infodir}/*
|
||||
|
||||
%changelog
|
||||
* Wed Dec 11 2024 Daiki Ueno <dueno@redhat.com> - 1.24.5-5
|
||||
- Revert back to using GnuTLS as the TLS backend
|
||||
- Use bundled implementation of MD4 for NTLM
|
||||
Resolves: RHEL-69748 - wget cannot open pkcs11 uri
|
||||
|
||||
* Thu Nov 07 2024 Michal Ruprich <mruprich@redhat.com> - 1.24.5-4
|
||||
- Resolves: RHEL-59862 - Avoid direct usage of nettle functions
|
||||
|
||||
|
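Review bot: `BuildRequires: nettle-devel` is added in the same change whose Patch6 (wget-1.24.5-no-nettle.patch) removes the direct Nettle calls from src/http-ntlm.c, and nothing in the spec records why it is still required. If it is only there because wget's configure probes for nettle when NTLM is enabled under GnuTLS, a comment on the line would stop the next maintainer from dropping it as dead; if it is no longer needed, it should go now rather than widen the build's dependency set for nothing. Suggested wording: `# Satisfies configure's NTLM probe only; DES comes from GnuTLS and MD4 from the bundled gnulib md4.c (see Patch6)`. Whether configure actually still links against nettle is inferred from the spec, not visible here, so confirm it against the build log before choosing.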