kumquat-buildroot/package/cups/0005-cups-hash-c-Put-support-for-MacOS-Win-SSL-libs-back.patch

350 lines
9.1 KiB
Diff
Raw Normal View History

From c6cd5e9c10edc68caf6936a3d3274f758e9cd03d Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Tue, 3 Oct 2023 13:59:40 +0200
Subject: [PATCH] cups/hash.c: Put support for MacOS/Win SSL libs back
- I mustn't remove their support in patch release - this should happen in
2.5 only.
- I have put back support for several hashes as well - they
should be removed in 2.5.
- restrict usage of second block hashing only if OpenSSL/LibreSSL/GnuTLS
is available
Upstream: https://github.com/OpenPrinting/cups/commit/c6cd5e9c10edc68caf6936a3d3274f758e9cd03d
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
cups/hash.c | 271 +++++++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 260 insertions(+), 11 deletions(-)
diff --git a/cups/hash.c b/cups/hash.c
index 93ca552c8..c447bab4e 100644
--- a/cups/hash.c
+++ b/cups/hash.c
@@ -12,8 +12,13 @@
#include "md5-internal.h"
#ifdef HAVE_OPENSSL
# include <openssl/evp.h>
-#else // HAVE_GNUTLS
+#elif defined(HAVE_GNUTLS)
# include <gnutls/crypto.h>
+#elif __APPLE__
+# include <CommonCrypto/CommonDigest.h>
+#elif _WIN32
+# include <windows.h>
+# include <bcrypt.h>
#endif // HAVE_OPENSSL
@@ -193,17 +198,18 @@ hash_data(const char *algorithm, // I - Algorithm
const void *b, // I - Second block or `NULL` for none
size_t blen) // I - Length of second block or `0` for none
{
+#if defined(HAVE_OPENSSL) || defined(HAVE_GNUTLS)
unsigned hashlen; // Length of hash
unsigned char hashtemp[64]; // Temporary hash buffer
-#ifdef HAVE_OPENSSL
- const EVP_MD *md = NULL; // Message digest implementation
- EVP_MD_CTX *ctx; // Context
-#else // HAVE_GNUTLS
- gnutls_digest_algorithm_t alg = GNUTLS_DIG_UNKNOWN;
- // Algorithm
- gnutls_hash_hd_t ctx; // Context
-#endif // HAVE_OPENSSL
+#else
+ if (strcmp(algorithm, "md5") && (b || blen != 0))
+ {
+ // Second block hashing is not supported without OpenSSL or GnuTLS
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unsupported without GnuTLS or OpenSSL/LibreSSL."), 1);
+ return (-1);
+ }
+#endif
if (!strcmp(algorithm, "md5"))
{
@@ -223,6 +229,10 @@ hash_data(const char *algorithm, // I - Algorithm
}
#ifdef HAVE_OPENSSL
+ const EVP_MD *md = NULL; // Message digest implementation
+ EVP_MD_CTX *ctx; // Context
+
+
if (!strcmp(algorithm, "sha"))
{
// SHA-1
@@ -244,6 +254,14 @@ hash_data(const char *algorithm, // I - Algorithm
{
md = EVP_sha512();
}
+ else if (!strcmp(algorithm, "sha2-512_224"))
+ {
+ md = EVP_sha512_224();
+ }
+ else if (!strcmp(algorithm, "sha2-512_256"))
+ {
+ md = EVP_sha512_256();
+ }
if (md)
{
@@ -262,7 +280,13 @@ hash_data(const char *algorithm, // I - Algorithm
return ((ssize_t)hashlen);
}
-#else // HAVE_GNUTLS
+#elif defined(HAVE_GNUTLS)
+ gnutls_digest_algorithm_t alg = GNUTLS_DIG_UNKNOWN; // Algorithm
+ gnutls_hash_hd_t ctx; // Context
+ unsigned char temp[64]; // Temporary hash buffer
+ size_t tempsize = 0; // Truncate to this size?
+
+
if (!strcmp(algorithm, "sha"))
{
// SHA-1
@@ -284,9 +308,32 @@ hash_data(const char *algorithm, // I - Algorithm
{
alg = GNUTLS_DIG_SHA512;
}
+ else if (!strcmp(algorithm, "sha2-512_224"))
+ {
+ alg = GNUTLS_DIG_SHA512;
+ tempsize = 28;
+ }
+ else if (!strcmp(algorithm, "sha2-512_256"))
+ {
+ alg = GNUTLS_DIG_SHA512;
+ tempsize = 32;
+ }
if (alg != GNUTLS_DIG_UNKNOWN)
{
+ if (tempsize > 0)
+ {
+ // Truncate result to tempsize bytes...
+
+ if (hashsize < tempsize)
+ goto too_small;
+
+ gnutls_hash_fast(alg, a, alen, temp);
+ memcpy(hash, temp, tempsize);
+
+ return ((ssize_t)tempsize);
+ }
+
hashlen = gnutls_hash_get_len(alg);
if (hashlen > hashsize)
@@ -302,7 +349,209 @@ hash_data(const char *algorithm, // I - Algorithm
return ((ssize_t)hashlen);
}
-#endif // HAVE_OPENSSL
+
+#elif __APPLE__
+ if (!strcmp(algorithm, "sha"))
+ {
+ // SHA-1...
+
+ CC_SHA1_CTX ctx; // SHA-1 context
+
+ if (hashsize < CC_SHA1_DIGEST_LENGTH)
+ goto too_small;
+
+ CC_SHA1_Init(&ctx);
+ CC_SHA1_Update(&ctx, a, (CC_LONG)alen);
+ CC_SHA1_Final(hash, &ctx);
+
+ return (CC_SHA1_DIGEST_LENGTH);
+ }
+# ifdef CC_SHA224_DIGEST_LENGTH
+ else if (!strcmp(algorithm, "sha2-224"))
+ {
+ CC_SHA256_CTX ctx; // SHA-224 context
+
+ if (hashsize < CC_SHA224_DIGEST_LENGTH)
+ goto too_small;
+
+ CC_SHA224_Init(&ctx);
+ CC_SHA224_Update(&ctx, a, (CC_LONG)alen);
+ CC_SHA224_Final(hash, &ctx);
+
+ return (CC_SHA224_DIGEST_LENGTH);
+ }
+# endif /* CC_SHA224_DIGEST_LENGTH */
+ else if (!strcmp(algorithm, "sha2-256"))
+ {
+ CC_SHA256_CTX ctx; // SHA-256 context
+
+ if (hashsize < CC_SHA256_DIGEST_LENGTH)
+ goto too_small;
+
+ CC_SHA256_Init(&ctx);
+ CC_SHA256_Update(&ctx, a, (CC_LONG)alen);
+ CC_SHA256_Final(hash, &ctx);
+
+ return (CC_SHA256_DIGEST_LENGTH);
+ }
+ else if (!strcmp(algorithm, "sha2-384"))
+ {
+ CC_SHA512_CTX ctx; // SHA-384 context
+
+ if (hashsize < CC_SHA384_DIGEST_LENGTH)
+ goto too_small;
+
+ CC_SHA384_Init(&ctx);
+ CC_SHA384_Update(&ctx, a, (CC_LONG)alen);
+ CC_SHA384_Final(hash, &ctx);
+
+ return (CC_SHA384_DIGEST_LENGTH);
+ }
+ else if (!strcmp(algorithm, "sha2-512"))
+ {
+ CC_SHA512_CTX ctx; // SHA-512 context
+
+ if (hashsize < CC_SHA512_DIGEST_LENGTH)
+ goto too_small;
+
+ CC_SHA512_Init(&ctx);
+ CC_SHA512_Update(&ctx, a, (CC_LONG)alen);
+ CC_SHA512_Final(hash, &ctx);
+
+ return (CC_SHA512_DIGEST_LENGTH);
+ }
+# ifdef CC_SHA224_DIGEST_LENGTH
+ else if (!strcmp(algorithm, "sha2-512_224"))
+ {
+ CC_SHA512_CTX ctx; // SHA-512 context
+ unsigned char temp[CC_SHA512_DIGEST_LENGTH];
+ // SHA-512 hash
+
+ // SHA2-512 truncated to 224 bits (28 bytes)...
+
+ if (hashsize < CC_SHA224_DIGEST_LENGTH)
+ goto too_small;
+
+ CC_SHA512_Init(&ctx);
+ CC_SHA512_Update(&ctx, a, (CC_LONG)alen);
+ CC_SHA512_Final(temp, &ctx);
+
+ memcpy(hash, temp, CC_SHA224_DIGEST_LENGTH);
+
+ return (CC_SHA224_DIGEST_LENGTH);
+ }
+# endif // CC_SHA224_DIGEST_LENGTH
+ else if (!strcmp(algorithm, "sha2-512_256"))
+ {
+ CC_SHA512_CTX ctx; // SHA-512 context
+ unsigned char temp[CC_SHA512_DIGEST_LENGTH];
+ // SHA-512 hash
+
+ // SHA2-512 truncated to 256 bits (32 bytes)...
+
+ if (hashsize < CC_SHA256_DIGEST_LENGTH)
+ goto too_small;
+
+ CC_SHA512_Init(&ctx);
+ CC_SHA512_Update(&ctx, a, (CC_LONG)alen);
+ CC_SHA512_Final(temp, &ctx);
+
+ memcpy(hash, temp, CC_SHA256_DIGEST_LENGTH);
+
+ return (CC_SHA256_DIGEST_LENGTH);
+ }
+
+#elif _WIN32
+ // Use Windows CNG APIs to perform hashing...
+ BCRYPT_ALG_HANDLE alg; // Algorithm handle
+ LPCWSTR algid = NULL; // Algorithm ID
+ ssize_t hashlen; // Hash length
+ NTSTATUS status; // Status of hash
+ unsigned char temp[64]; // Temporary hash buffer
+ size_t tempsize = 0; // Truncate to this size?
+
+
+ if (!strcmp(algorithm, "sha"))
+ {
+ algid = BCRYPT_SHA1_ALGORITHM;
+ hashlen = 20;
+ }
+ else if (!strcmp(algorithm, "sha2-256"))
+ {
+ algid = BCRYPT_SHA256_ALGORITHM;
+ hashlen = 32;
+ }
+ else if (!strcmp(algorithm, "sha2-384"))
+ {
+ algid = BCRYPT_SHA384_ALGORITHM;
+ hashlen = 48;
+ }
+ else if (!strcmp(algorithm, "sha2-512"))
+ {
+ algid = BCRYPT_SHA512_ALGORITHM;
+ hashlen = 64;
+ }
+ else if (!strcmp(algorithm, "sha2-512_224"))
+ {
+ algid = BCRYPT_SHA512_ALGORITHM;
+ hashlen = tempsize = 28;
+ }
+ else if (!strcmp(algorithm, "sha2-512_256"))
+ {
+ algid = BCRYPT_SHA512_ALGORITHM;
+ hashlen = tempsize = 32;
+ }
+
+ if (algid)
+ {
+ if (hashsize < (size_t)hashlen)
+ goto too_small;
+
+ if ((status = BCryptOpenAlgorithmProvider(&alg, algid, NULL, 0)) < 0)
+ {
+ DEBUG_printf(("2cupsHashData: BCryptOpenAlgorithmProvider returned %d.", status));
+
+ if (status == STATUS_INVALID_PARAMETER)
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Bad algorithm parameter."), 1);
+ else
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to access cryptographic provider."), 1);
+
+ return (-1);
+ }
+
+ if (tempsize > 0)
+ {
+ // Do a truncated SHA2-512 hash...
+ status = BCryptHash(alg, NULL, 0, (PUCHAR)a, (ULONG)alen, temp, sizeof(temp));
+ memcpy(hash, temp, hashlen);
+ }
+ else
+ {
+ // Hash directly to buffer...
+ status = BCryptHash(alg, NULL, 0, (PUCHAR)a, (ULONG)alen, hash, (ULONG)hashlen);
+ }
+
+ BCryptCloseAlgorithmProvider(alg, 0);
+
+ if (status < 0)
+ {
+ DEBUG_printf(("2cupsHashData: BCryptHash returned %d.", status));
+
+ if (status == STATUS_INVALID_PARAMETER)
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Bad hashing parameter."), 1);
+ else
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Hashing failed."), 1);
+
+ return (-1);
+ }
+
+ return (hashlen);
+ }
+
+#else
+ if (hashsize < 64)
+ goto too_small;
+#endif // __APPLE__
// Unknown hash algorithm...
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unknown hash algorithm."), 1);