.PP
This authenticator accepts:
.BR
+* Blowfish - for passwords 72 characters or less in length
+.BR
+* SHA256 - with salting and magic strings
+.BR
+* SHA512 - with salting and magic strings
+.BR
* MD5 - with optional salt and magic strings
.BR
* DES - for passwords 8 characters or less in length
.
+NOTE: Blowfish and SHA algorithms require system-specific support.
+.
.SH OPTIONS
The only parameter is the password file.
It must have permissions to be read by the user that Squid is running as.
rfc1738_unescape(user);
rfc1738_unescape(passwd);
u = (user_data *) hash_lookup(hash, user);
- char *crypted = NULL;
if (u == NULL) {
SEND_ERR("No such user");
+ continue;
+ }
+ char *crypted = NULL;
+ size_t passwordLength = strlen(passwd);
#if HAVE_CRYPT
- } else if (strlen(passwd) <= 8 && (crypted = crypt(passwd, u->passwd)) && (strcmp(u->passwd, crypted) == 0)) {
- // Bug 3107: crypt() DES functionality silently truncates long passwords.
+ // Bug 3831: given algorithms more secure than DES crypt() does not truncate, so we can ignore the bug 3107 length checks below
+ // '$1$' = MD5, '$2a$' = Blowfish, '$5$' = SHA256 (Linux), '$6$' = SHA256 (BSD) and SHA512
+ if (passwordLength > 1 && u->passwd[0] == '$' &&
+ (crypted = crypt(passwd, u->passwd)) && strcmp(u->passwd, crypted) == 0) {
+ SEND_OK("");
+ continue;
+ }
+ // 'other' prefixes indicate DES algorithm.
+ if (passwordLength <= 8 && (crypted = crypt(passwd, u->passwd)) && (strcmp(u->passwd, crypted) == 0)) {
SEND_OK("");
- } else if (strlen(passwd) > 8 && (crypted = crypt(passwd, u->passwd)) && (strcmp(u->passwd, crypted) == 0)) {
+ continue;
+ }
+ if (passwordLength > 8 && (crypted = crypt(passwd, u->passwd)) && (strcmp(u->passwd, crypted) == 0)) {
// Bug 3107: crypt() DES functionality silently truncates long passwords.
SEND_ERR("Password too long. Only 8 characters accepted.");
+ continue;
+ }
+
#endif
- } else if ( (crypted = crypt_md5(passwd, u->passwd)) && strcmp(u->passwd, crypted) == 0) {
+ if ( (crypted = crypt_md5(passwd, u->passwd)) && strcmp(u->passwd, crypted) == 0) {
SEND_OK("");
- } else if ( (crypted = md5sum(passwd)) && strcmp(u->passwd, crypted) == 0) {
+ continue;
+ }
+ if ( (crypted = md5sum(passwd)) && strcmp(u->passwd, crypted) == 0) {
SEND_OK("");
- } else {
- SEND_ERR("Wrong password");
+ continue;
}
+ SEND_ERR("Wrong password");
}
if (hash != NULL) {
hashFreeItems(hash, my_free);