List: squid-cvs
Subject: /bzr/squid3/trunk/ r12762: Bug 3831: basic_ncsa_auth Blowfish and SHA support
From: Amos Jeffries <squid3 () treenet ! co ! nz>
Date: 2013-04-17 11:58:23
Message-ID: 20130417120004.74155.qmail () squid-cache ! org
--===============0154514060==
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
------------------------------------------------------------
revno: 12762
fixes bug(s): http://bugs.squid-cache.org/show_bug.cgi?id=3831
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: trunk
timestamp: Wed 2013-04-17 05:58:23 -0600
message:
Bug 3831: basic_ncsa_auth Blowfish and SHA support
modified:
helpers/basic_auth/NCSA/basic_ncsa_auth.8
helpers/basic_auth/NCSA/basic_ncsa_auth.cc
--===============0154514060==
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; name="r12762.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
=== modified file 'helpers/basic_auth/NCSA/basic_ncsa_auth.8'
--- a/helpers/basic_auth/NCSA/basic_ncsa_auth.8 2012-02-06 05:46:00 +0000
+++ b/helpers/basic_auth/NCSA/basic_ncsa_auth.8 2013-04-17 11:58:23 +0000
@@ -20,10 +20,18 @@
.PP
This authenticator accepts:
.BR
+* Blowfish - for passwords 72 characters or less in length
+.BR
+* SHA256 - with salting and magic strings
+.BR
+* SHA512 - with salting and magic strings
+.BR
* MD5 - with optional salt and magic strings
.BR
* DES - for passwords 8 characters or less in length
.
+NOTE: Blowfish and SHA algorithms require system-specific support.
+.
.SH OPTIONS
The only parameter is the password file.
It must have permissions to be read by the user that Squid is running as.
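Review bot: The added line "Blowfish - for passwords 72 characters or less in length" documents a limit that the accompanying basic_ncsa_auth.cc change does not enforce: the new '$' branch hands the password to crypt() with no upper length check, and its comment says these algorithms do not truncate. Either state here what happens to a longer password, or add a check in the helper that rejects it the way the DES case reports "Password too long. Only 8 characters accepted.". The NOTE about system-specific support should also say what the administrator sees when the system crypt() lacks an algorithm; from the code, that case ends in "Wrong password", which is indistinguishable from a bad credential.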
=== modified file 'helpers/basic_auth/NCSA/basic_ncsa_auth.cc'
--- a/helpers/basic_auth/NCSA/basic_ncsa_auth.cc 2013-04-16 00:26:10 +0000
+++ b/helpers/basic_auth/NCSA/basic_ncsa_auth.cc 2013-04-17 11:58:23 +0000
@@ -144,24 +144,41 @@
rfc1738_unescape(user);
rfc1738_unescape(passwd);
u = (user_data *) hash_lookup(hash, user);
- char *crypted = NULL;
if (u == NULL) {
SEND_ERR("No such user");
+ continue;
+ }
+ char *crypted = NULL;
+ size_t passwordLength = strlen(passwd);
#if HAVE_CRYPT
- } else if (strlen(passwd) <= 8 && (crypted = crypt(passwd, u->passwd)) && \
(strcmp(u->passwd, crypted) == 0)) {
- // Bug 3107: crypt() DES functionality silently truncates long \
passwords.
- SEND_OK("");
- } else if (strlen(passwd) > 8 && (crypted = crypt(passwd, u->passwd)) && \
(strcmp(u->passwd, crypted) == 0)) { + // Bug 3831: given algorithms more \
secure than DES crypt() does not truncate, so we can ignore the bug 3107 length \
checks below + // '$1$' = MD5, '$2a$' = Blowfish, '$5$' = SHA256 (Linux), \
'$6$' = SHA256 (BSD) and SHA512 + if (passwordLength > 1 && u->passwd[0] == \
'$' && + (crypted = crypt(passwd, u->passwd)) && strcmp(u->passwd, \
crypted) == 0) { + SEND_OK("");
+ continue;
+ }
+ // 'other' prefixes indicate DES algorithm.
+ if (passwordLength <= 8 && (crypted = crypt(passwd, u->passwd)) && \
(strcmp(u->passwd, crypted) == 0)) { + SEND_OK("");
+ continue;
+ }
+ if (passwordLength > 8 && (crypted = crypt(passwd, u->passwd)) && \
(strcmp(u->passwd, crypted) == 0)) {
// Bug 3107: crypt() DES functionality silently truncates long \
passwords. SEND_ERR("Password too long. Only 8 characters accepted.");
+ continue;
+ }
+
#endif
- } else if ( (crypted = crypt_md5(passwd, u->passwd)) && strcmp(u->passwd, \
crypted) == 0) {
- SEND_OK("");
- } else if ( (crypted = md5sum(passwd)) && strcmp(u->passwd, crypted) == 0) \
{
- SEND_OK("");
- } else {
- SEND_ERR("Wrong password");
- }
+ if ( (crypted = crypt_md5(passwd, u->passwd)) && strcmp(u->passwd, crypted) \
== 0) { + SEND_OK("");
+ continue;
+ }
+ if ( (crypted = md5sum(passwd)) && strcmp(u->passwd, crypted) == 0) {
+ SEND_OK("");
+ continue;
+ }
+ SEND_ERR("Wrong password");
}
if (hash != NULL) {
hashFreeItems(hash, my_free);
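Review bot: In the new '$' branch, `passwordLength > 1` tests the length of the password the client supplied rather than anything about the stored hash, so it does not validate the `$id$` prefix; its only effect is that a one-character password skips this branch and reaches the DES check, which calls crypt() with the same arguments anyway. A '$' hash that fails to match also falls through to the DES checks, so every wrong password against a Blowfish or SHA entry costs a second crypt() call with the expensive algorithm; consider branching once on `u->passwd[0] == '$'` and skipping the DES checks when that comparison fails. The comment that these algorithms do not truncate conflicts with the 72-character Blowfish limit stated in the man page change, so a length check along the lines of the bug 3107 one looks necessary for `$2a$` entries. Minor: `passwordLength` is declared before `#if HAVE_CRYPT` but only used inside it, which leaves an unused variable when HAVE_CRYPT is not set.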
--===============0154514060==--