From: Amos Jeffries
Date: Sat, 27 Aug 2011 13:45:12 +0000 (-0600)
Subject: Bug 3107: ncsa_auth DES silently truncates passwords to 8 bytes
X-Git-Tag: SQUID_3_0_STABLE26~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3739252e5b3ab4283e270b09aa3664f2a2107ce0;p=thirdparty%2Fsquid.git

Bug 3107: ncsa_auth DES silently truncates passwords to 8 bytes
---
diff --git a/helpers/basic_auth/NCSA/ncsa_auth.8 b/helpers/basic_auth/NCSA/ncsa_auth.8
index 85da640986..a818ba431c 100644
--- a/helpers/basic_auth/NCSA/ncsa_auth.8
+++ b/helpers/basic_auth/NCSA/ncsa_auth.8
@@ -26,13 +26,29 @@ ncsa_auth \- NCSA httpd-style password file authentication helper for Squid
 The only parameter is the password file. It must have permissions to be read by the user that Squid is running as (cache_effective_user in squid.conf).
 .PP
 This password file can be manipulated using htpasswd.
+.
+.PP
+.This authenticator accepts:
+.BR
+* MD5 - with optional salt and magic strings
+.BR
+* DES - for passwords 8 characters or less in length
+.
 .SH OPTIONS
 Only specify the password file name.
 .SH EXAMPLE
 \fBncsa_auth\fP /etc/squid/squid.pass
 .SH SECURITY
 \fBncsa_auth\fP must have access to the password file to be executed.
+.
+.SH KNOWN ISSUES
+.PP
+DES functionality (used by htpasswd by default) silently truncates passwords to 8 characters.
+Allowing login with password values shorter than the one desired.
+This authenticator will reject login with long passwords when using DES.
+.
 .SH SEE ALSO
 \fBhtpasswd\fP(1), \fBsquid\fP(8)
+.
 .SH AUTHOR
 Manpage written by Rodrigo Rubira Branco
diff --git a/helpers/basic_auth/NCSA/ncsa_auth.c b/helpers/basic_auth/NCSA/ncsa_auth.c
index 68bf4dbd6a..6f4b591d74 100644
--- a/helpers/basic_auth/NCSA/ncsa_auth.c
+++ b/helpers/basic_auth/NCSA/ncsa_auth.c
@@ -15,6 +15,7 @@
 * - extra fields in the password file are ignored; this makes it
 * possible to use a Unix password file but I do not recommend that.
+ * MD5 without salt and magic strings - Added by Ramon de Carvalho and Rodrigo Rubira Branco
 */
 #include "config.h"
@@ -143,12 +144,18 @@ main(int argc, char **argv)
 if (u == NULL) {
 printf("ERR No such user\n");
 #if HAVE_CRYPT
-} else if (strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) {
-printf("OK\n");
+} else if (strlen(passwd) <= 8 && strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) {
+// Bug 3107: crypt() DES functionality silently truncates long passwords.
+printf("OK\n");
+} else if (strlen(passwd) > 8 && strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) {
+// Bug 3107: crypt() DES functionality silently truncates long passwords.
+fprintf(stderr, "SECURITY ALERT: NCSA DES algorithm truncating user %s password to 8 bytes. Upgrade to MD5.", user);
+// Highly Unsafe: permit a transition period for admin to update passwords.
+printf("OK\n");
 #endif
 } else if (strcmp(u->passwd, (char *) crypt_md5(passwd, u->passwd)) == 0) {
 printf("OK\n");
-} else if (strcmp(u->passwd, (char *) md5sum(passwd)) == 0) { /* md5 without salt and magic strings - Added by Ramon de Carvalho and Rodrigo Rubira Branco */
+} else if (strcmp(u->passwd, (char *) md5sum(passwd)) == 0) {
 printf("OK\n");
 } else {
 printf("ERR Wrong password\n");
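Review bot: The new `strlen(passwd) > 8` branch still prints `OK`, so a DES entry keeps accepting any password whose first 8 characters match, while the KNOWN ISSUES paragraph added to ncsa_auth.8 in this same commit states that the helper "will reject login with long passwords when using DES" — code and man page must agree, and if the transition period is the intent the man-page sentence should say such logins are accepted and a SECURITY ALERT is written to stderr. The alert message also lacks a trailing newline, so whatever is next written to the helper's stderr is glued onto it: `"... Upgrade to MD5.\n", user);`. The two `HAVE_CRYPT` branches are identical apart from that alert, so the `strlen(passwd) <= 8 &&` guard is redundant and crypt() need only be called once, with the alert under an inner `if`. Separately, the `(char *) crypt(...)` result is still handed to strcmp() unchecked, and crypt() returns NULL on failure (e.g. an unsupported hash), which would be a null dereference — pre-existing, but the new lines now repeat it twice. The enclosing if/else chain in main() begins and ends outside this hunk.
```c
#if HAVE_CRYPT
    } else if (strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) {
        // Bug 3107: crypt() DES functionality silently truncates long passwords.
        if (strlen(passwd) > 8)
            fprintf(stderr, "SECURITY ALERT: NCSA DES algorithm truncating user %s password to 8 bytes. Upgrade to MD5.\n", user);
        // Highly Unsafe: permit a transition period for admin to update passwords.
        printf("OK\n");
#endif
    // … unchanged: crypt_md5 / md5sum / ERR Wrong password branches …
```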