<tag>auth_param ntlm, basic, digest</tag>
<p>BASIC, DIGEST: New parameter option <em>utf8 on|off</em> to permit helpers to selectively process UTF-8 characters even though
HTTP accepts only ISO-8859-1.</p>
+ <p>NCSA authenticator updated to reject passwords with more than 8 characters when using DES encryption method.
<p>NTLM: The helper binary bundled with Squid under the name <em>ntlm_auth</em> has been renamed to accurately reflect
its real behavior and to prevent confusion with the more useful Samba helper using the same name.
<p>Despite being used for NTLM, the helper does not in fact provide true NTLM function. What it does provide is
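Review bot: The added NCSA paragraph states the new rejection but not its upgrade impact: any user whose DES entry was created from a password longer than 8 characters could log in before this change and will be refused after it. Say so explicitly and tell the admin to re-create those entries as MD5. The line also sits under the auth_param tag between the BASIC/DIGEST and NTLM items although it describes a helper rather than an auth_param option, and it opens a `<p>` without the closing `</p>` that the preceding paragraph uses.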
This password file can be manipulated using
.B htpasswd.
.
+.PP
+.This authenticator accepts:
+.BR
+* MD5 - with optional salt and magic strings
+.BR
+* DES - for passwords 8 characters or less in length
+.
.SH OPTIONS
The only parameter is the password file.
It must have permissions to be read by the user that Squid is running as.
.B basic_ncsa_auth
must have access to the password file to be executed.
.
+.SH KNOWN ISSUES
+.PP
+DES functionality (used by htpasswd by default) silently truncates passwords to 8 characters.
+Allowing login with password values shorter than the one desired.
+This authenticator will reject login with long passwords when using DES.
+.
.SH AUTHOR
This manual was written by
.if !'po4a'hide' .I Amos Jeffries <amosjeffries@squid-cache.org>
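Review bot: In the added format list, `.This authenticator accepts:` begins with a dot, so roff treats `.This` as an undefined request and the sentence never renders; drop the leading dot. `.BR` with no arguments is the bold/roman font macro, not a line break, so the two `*` items will run together; use `.br`, or `.IP \(bu` per item. In KNOWN ISSUES, "Allowing login with password values shorter than the one desired." is a fragment and should be joined to the sentence before it. The section should also name the remedy (store the entry as MD5), since it now tells the reader that long passwords are rejected under DES.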
* - extra fields in the password file are ignored; this makes it
* possible to use a Unix password file but I do not recommend that.
*
+ * MD5 without salt and magic strings - Added by Ramon de Carvalho and Rodrigo Rubira Branco
*/
#include "config.h"
if (u == NULL) {
SEND_ERR("No such user");
#if HAVE_CRYPT
- } else if (strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) {
+ } else if (strlen(passwd) <= 8 && strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) {
+ // Bug 3107: crypt() DES functionality silently truncates long passwords.
SEND_OK("");
#endif
} else if (strcmp(u->passwd, (char *) crypt_md5(passwd, u->passwd)) == 0) {
SEND_OK("");
- } else if (strcmp(u->passwd, (char *) md5sum(passwd)) == 0) { /* md5 without salt and magic strings - Added by Ramon de Carvalho and Rodrigo Rubira Branco */
+ } else if (strcmp(u->passwd, (char *) md5sum(passwd)) == 0) {
SEND_OK("");
} else {
SEND_ERR("Wrong password");
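Review bot: The `strlen(passwd) <= 8` guard on the crypt() branch tests the submitted password only, not whether `u->passwd` is actually a DES hash. On systems where crypt() selects another algorithm from the salt prefix, an entry that only this branch can verify would now fail for every password longer than 8 characters, even though no truncation occurs there. Suggest applying the limit only when the stored value is in traditional DES form. The `// Bug 3107` comment sits inside the success body after the condition it explains; move it above the `else if`. While this line is being touched, note that the crypt() result goes straight into strcmp(), and crypt() can return NULL, so a NULL check belongs here.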