From: Amos Jeffries
Date: Wed, 17 Apr 2013 11:58:23 +0000 (-0600)
Subject: Bug 3831: basic_ncsa_auth Blowfish and SHA support
X-Git-Tag: SQUID_3_4_0_1~199
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2df24144acad235635261baa2927cf9bee327f95;p=thirdparty%2Fsquid.git
Bug 3831: basic_ncsa_auth Blowfish and SHA support
---
diff --git a/helpers/basic_auth/NCSA/basic_ncsa_auth.8 b/helpers/basic_auth/NCSA/basic_ncsa_auth.8
index 64aad09fba..1d7f32696b 100644
--- a/helpers/basic_auth/NCSA/basic_ncsa_auth.8
+++ b/helpers/basic_auth/NCSA/basic_ncsa_auth.8
@@ -20,10 +20,18 @@ This password file can be manipulated using
 .PP
 This authenticator accepts:
 .BR
+* Blowfish - for passwords 72 characters or less in length
+.BR
+* SHA256 - with salting and magic strings
+.BR
+* SHA512 - with salting and magic strings
+.BR
 * MD5 - with optional salt and magic strings
 .BR
 * DES - for passwords 8 characters or less in length
 .
+NOTE: Blowfish and SHA algorithms require system-specific support.
+.
 .SH OPTIONS
 The only parameter is the password file.
 It must have permissions to be read by the user that Squid is running as.
diff --git a/helpers/basic_auth/NCSA/basic_ncsa_auth.cc b/helpers/basic_auth/NCSA/basic_ncsa_auth.cc
index 51b89f7e9a..97d4622979 100644
--- a/helpers/basic_auth/NCSA/basic_ncsa_auth.cc
+++ b/helpers/basic_auth/NCSA/basic_ncsa_auth.cc
@@ -144,24 +144,41 @@ main(int argc, char **argv)
 rfc1738_unescape(user);
 rfc1738_unescape(passwd);
 u = (user_data *) hash_lookup(hash, user);
- char *crypted = NULL;
 if (u == NULL) {
 SEND_ERR("No such user");
+ continue;
+ }
+ char *crypted = NULL;
+ size_t passwordLength = strlen(passwd);
 #if HAVE_CRYPT
- } else if (strlen(passwd) <= 8 && (crypted = crypt(passwd, u->passwd)) && (strcmp(u->passwd, crypted) == 0)) {
- // Bug 3107: crypt() DES functionality silently truncates long passwords.
+ // Bug 3831: given algorithms more secure than DES crypt() does not truncate, so we can ignore the bug 3107 length checks below
+ // '$1$' = MD5, '$2a$' = Blowfish, '$5$' = SHA256 (Linux), '$6$' = SHA256 (BSD) and SHA512
+ if (passwordLength > 1 && u->passwd[0] == '$' &&
+ (crypted = crypt(passwd, u->passwd)) && strcmp(u->passwd, crypted) == 0) {
+ SEND_OK("");
+ continue;
+ }
+ // 'other' prefixes indicate DES algorithm.
+ if (passwordLength <= 8 && (crypted = crypt(passwd, u->passwd)) && (strcmp(u->passwd, crypted) == 0)) {
 SEND_OK("");
- } else if (strlen(passwd) > 8 && (crypted = crypt(passwd, u->passwd)) && (strcmp(u->passwd, crypted) == 0)) {
+ continue;
+ }
+ if (passwordLength > 8 && (crypted = crypt(passwd, u->passwd)) && (strcmp(u->passwd, crypted) == 0)) {
 // Bug 3107: crypt() DES functionality silently truncates long passwords.
 SEND_ERR("Password too long. Only 8 characters accepted.");
+ continue;
+ }
+
 #endif
- } else if ( (crypted = crypt_md5(passwd, u->passwd)) && strcmp(u->passwd, crypted) == 0) {
+ if ( (crypted = crypt_md5(passwd, u->passwd)) && strcmp(u->passwd, crypted) == 0) {
 SEND_OK("");
- } else if ( (crypted = md5sum(passwd)) && strcmp(u->passwd, crypted) == 0) {
+ continue;
+ }
+ if ( (crypted = md5sum(passwd)) && strcmp(u->passwd, crypted) == 0) {
 SEND_OK("");
- } else {
- SEND_ERR("Wrong password");
+ continue;
 }
+ SEND_ERR("Wrong password");
 }
 if (hash != NULL) {
 hashFreeItems(hash, my_free);
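Review bot: The new `$`-prefix branch under `#if HAVE_CRYPT` calls `crypt(passwd, u->passwd)` and, when the result does not match, the two DES branches below call it again with identical arguments, so a wrong password against a Blowfish or SHA hash pays for the deliberately slow hash two or three times per attempt; computing `crypted` once and branching on the outcome keeps each attempt to a single crypt() call without changing which answer is sent. The `passwordLength > 1` guard tests the submitted password rather than the stored hash, which looks unintended — a one-character password against a `$` hash merely falls through to the `<= 8` branch and is verified there by the same call — so it can be dropped. The comment above the branch is also inaccurate, since `$6$` is SHA512 on both glibc and BSD; it should read `// '$1$' = MD5, '$2a$' = Blowfish, '$5$' = SHA256, '$6$' = SHA512`. main() begins and ends outside the hunk.
```cpp
#if HAVE_CRYPT
        // Bug 3831: crypt() does not truncate for the '$'-prefixed algorithms
        // ('$1$' = MD5, '$2a$' = Blowfish, '$5$' = SHA256, '$6$' = SHA512);
        // only plain DES hashes are subject to the bug 3107 length limit.
        crypted = crypt(passwd, u->passwd);
        const bool cryptMatched = crypted != NULL && strcmp(u->passwd, crypted) == 0;
        if (cryptMatched && (u->passwd[0] == '$' || passwordLength <= 8)) {
            SEND_OK("");
            continue;
        }
        if (cryptMatched) {
            // Bug 3107: crypt() DES functionality silently truncates long passwords.
            SEND_ERR("Password too long. Only 8 characters accepted.");
            continue;
        }
#endif
        // … unchanged: crypt_md5 / md5sum fallbacks and "Wrong password" …
```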