The only parameter is the password file. It must have permissions to be read by the user that Squid is running as (cache_effective_user in squid.conf).
.PP
This password file can be manipulated using htpasswd.
+.
+.PP
+.This authenticator accepts:
+.BR
+* MD5 - with optional salt and magic strings
+.BR
+* DES - for passwords 8 characters or less in length
+.
.SH OPTIONS
Only specify the password file name.
.SH EXAMPLE
\fBncsa_auth\fP /etc/squid/squid.pass
.SH SECURITY
\fBncsa_auth\fP must have access to the password file to be executed.
+.
+.SH KNOWN ISSUES
+.PP
+DES functionality (used by htpasswd by default) silently truncates passwords to 8 characters.
+Allowing login with password values shorter than the one desired.
+This authenticator will reject login with long passwords when using DES.
+.
.SH SEE ALSO
\fBhtpasswd\fP(1), \fBsquid\fP(8)
+.
.SH AUTHOR
Manpage written by Rodrigo Rubira Branco <rrbranco@br.ibm.com>
* - extra fields in the password file are ignored; this makes it
* possible to use a Unix password file but I do not recommend that.
*
+ * MD5 without salt and magic strings - Added by Ramon de Carvalho and Rodrigo Rubira Branco
*/
#include "config.h"
if (u == NULL) {
printf("ERR No such user\n");
#if HAVE_CRYPT
- } else if (strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) {
- printf("OK\n");
+ } else if (strlen(passwd) <= 8 && strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) {
+ // Bug 3107: crypt() DES functionality silently truncates long passwords.
+ printf("OK\n");
+ } else if (strlen(passwd) > 8 && strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) {
+ // Bug 3107: crypt() DES functionality silently truncates long passwords.
+ fprintf(stderr, "SECURITY ALERT: NCSA DES algorithm truncating user %s password to 8 bytes. Upgrade to MD5.", user);
+ // Highly Unsafe: permit a transition period for admin to update passwords.
+ printf("OK\n");
#endif
} else if (strcmp(u->passwd, (char *) crypt_md5(passwd, u->passwd)) == 0) {
printf("OK\n");
- } else if (strcmp(u->passwd, (char *) md5sum(passwd)) == 0) { /* md5 without salt and magic strings - Added by Ramon de Carvalho and Rodrigo Rubira Branco */
+ } else if (strcmp(u->passwd, (char *) md5sum(passwd)) == 0) {
printf("OK\n");
} else {
printf("ERR Wrong password\n");
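Review bot: The `strlen(passwd) > 8` branch still ends in `printf("OK\n");`, so any password whose first 8 characters match the stored DES hash is accepted, while the KNOWN ISSUES text added to the man page in this same patch says the authenticator will reject long passwords when using DES. Either end that branch with `printf("ERR Wrong password\n");`, or reword the man page to describe the transition behaviour and state when it will be removed. The alert string has no trailing `\n`, and `user` appears to come from the request (the enclosing function starts and ends outside the hunk, so this is inferred), so it should be sanitised before being written to stderr. Both branches call `crypt()` separately and pass the result straight to `strcmp()`; calling it once into a local and checking for NULL before comparing would also cover a failing `crypt()`. If the system `crypt()` handles non-DES hash formats too, the length test should apply only when `u->passwd` is a DES hash, otherwise valid long passwords raise a false alert.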