------------------------------------------------------------
revno: 12531
revision-id: squid3@treenet.co.nz-20130424153949-lebovcrjechmmznu
parent: squid3@treenet.co.nz-20130418053328-u0s5nyubm579zct8
fixes bug(s): http://bugs.squid-cache.org/show_bug.cgi?id=3831
committer: Amos Jeffries
branch nick: 3.3
timestamp: Wed 2013-04-24 09:39:49 -0600
message: Bug 3831: basic_ncsa_auth Blowfish and SHA support
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20130424153949-lebovcrjechmmznu
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.3
# testament_sha1: d02156641d09a55ec8151f7ea474f9e949ee6f8b
# timestamp: 2013-04-24 15:44:02 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.3
# base_revision_id: squid3@treenet.co.nz-20130418053328-\
# u0s5nyubm579zct8
#
# Begin patch
=== modified file 'helpers/basic_auth/NCSA/basic_ncsa_auth.8'
--- helpers/basic_auth/NCSA/basic_ncsa_auth.8 2012-02-06 05:46:00 +0000
+++ helpers/basic_auth/NCSA/basic_ncsa_auth.8 2013-04-24 15:39:49 +0000
@@ -20,10 +20,18 @@
 .PP
 This authenticator accepts:
 .BR
+* Blowfish - for passwords 72 characters or less in length
+.BR
+* SHA256 - with salting and magic strings
+.BR
+* SHA512 - with salting and magic strings
+.BR
 * MD5 - with optional salt and magic strings
 .BR
 * DES - for passwords 8 characters or less in length
 .
+NOTE: Blowfish and SHA algorithms require system-specific support.
+.
 .SH OPTIONS
 The only parameter is the password file. It must have permissions to be read by the user that Squid is running as.
=== modified file 'helpers/basic_auth/NCSA/basic_ncsa_auth.cc'
--- helpers/basic_auth/NCSA/basic_ncsa_auth.cc 2013-04-18 05:30:47 +0000
+++ helpers/basic_auth/NCSA/basic_ncsa_auth.cc 2013-04-24 15:39:49 +0000
@@ -144,24 +144,41 @@
 rfc1738_unescape(user);
 rfc1738_unescape(passwd);
 u = (user_data *) hash_lookup(hash, user);
- char *crypted = NULL;
 if (u == NULL) {
 SEND_ERR("No such user");
+ continue;
+ }
+ char *crypted = NULL;
+ size_t passwordLength = strlen(passwd);
 #if HAVE_CRYPT
- } else if (strlen(passwd) <= 8 && (crypted = crypt(passwd, u->passwd)) && (strcmp(u->passwd, crypted) == 0)) {
- // Bug 3107: crypt() DES functionality silently truncates long passwords.
- SEND_OK("");
- } else if (strlen(passwd) > 8 && (crypted = crypt(passwd, u->passwd)) && (strcmp(u->passwd, crypted) == 0)) {
+ // Bug 3831: given algorithms more secure than DES crypt() does not truncate, so we can ignore the bug 3107 length checks below
+ // '$1$' = MD5, '$2a$' = Blowfish, '$5$' = SHA256 (Linux), '$6$' = SHA256 (BSD) and SHA512
+ if (passwordLength > 1 && u->passwd[0] == '$' &&
+ (crypted = crypt(passwd, u->passwd)) && strcmp(u->passwd, crypted) == 0) {
+ SEND_OK("");
+ continue;
+ }
+ // 'other' prefixes indicate DES algorithm.
+ if (passwordLength <= 8 && (crypted = crypt(passwd, u->passwd)) && (strcmp(u->passwd, crypted) == 0)) {
+ SEND_OK("");
+ continue;
+ }
+ if (passwordLength > 8 && (crypted = crypt(passwd, u->passwd)) && (strcmp(u->passwd, crypted) == 0)) {
 // Bug 3107: crypt() DES functionality silently truncates long passwords.
 SEND_ERR("Password too long. Only 8 characters accepted.");
+ continue;
+ }
+
 #endif
- } else if ( (crypted = crypt_md5(passwd, u->passwd)) && strcmp(u->passwd, crypted) == 0) {
- SEND_OK("");
- } else if ( (crypted = md5sum(passwd)) && strcmp(u->passwd, crypted) == 0) {
- SEND_OK("");
- } else {
- SEND_ERR("Wrong password");
- }
+ if ( (crypted = crypt_md5(passwd, u->passwd)) && strcmp(u->passwd, crypted) == 0) {
+ SEND_OK("");
+ continue;
+ }
+ if ( (crypted = md5sum(passwd)) && strcmp(u->passwd, crypted) == 0) {
+ SEND_OK("");
+ continue;
+ }
+ SEND_ERR("Wrong password");
 }
 if (hash != NULL) {
 hashFreeItems(hash, my_free);
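Review bot: The guard `passwordLength > 1` in the first `if` under `#if HAVE_CRYPT` tests the length of the password the client supplied, not of the stored hash `u->passwd`, so a one-character password against a `$`-prefixed hash only gets accepted because the DES branch below repeats the identical `crypt(passwd, u->passwd)` call; the check adds nothing and obscures the intent. Because the three branches each re-run `crypt()` with the same arguments, a failed login against a Blowfish or SHA hash pays the deliberately slow hash twice before falling through to `crypt_md5()` and `md5sum()`, which is wasted CPU on the authentication path of a helper that may be asked to answer many rejected attempts. Calling `crypt()` once and branching on the stored-hash prefix and the supplied length gives the same accept/reject outcomes, as sketched below. The new comment's `'$6$' = SHA256 (BSD)` also looks off, since `$6$` selects SHA-512 on the glibc and BSD crypt implementations I know, so it is worth confirming before the manual repeats it. The enclosing input loop begins and ends outside this hunk.
```cpp
        size_t passwordLength = strlen(passwd);
#if HAVE_CRYPT
        // Bug 3831: only classic DES crypt() truncates; '$'-prefixed hashes
        // (MD5, Blowfish, SHA-256/512) are exempt from the bug 3107 length limit.
        // crypt() is called once: bcrypt/SHA are deliberately expensive.
        crypted = crypt(passwd, u->passwd);
        if (crypted && strcmp(u->passwd, crypted) == 0) {
            if (u->passwd[0] == '$' || passwordLength <= 8) {
                SEND_OK("");
                continue;
            }
            // Bug 3107: crypt() DES functionality silently truncates long passwords.
            SEND_ERR("Password too long. Only 8 characters accepted.");
            continue;
        }
#endif
        // … unchanged: crypt_md5 / md5sum fallbacks and "Wrong password" …
```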