350 lines
9.1 KiB
Diff
350 lines
9.1 KiB
Diff
|
From c6cd5e9c10edc68caf6936a3d3274f758e9cd03d Mon Sep 17 00:00:00 2001
|
||
|
From: Zdenek Dohnal <zdohnal@redhat.com>
|
||
|
Date: Tue, 3 Oct 2023 13:59:40 +0200
|
||
|
Subject: [PATCH] cups/hash.c: Put support for MacOS/Win SSL libs back
|
||
|
|
||
|
- I mustn't remove their support in patch release - this should happen in
|
||
|
2.5 only.
|
||
|
- I have put back support for several hashes as well - they
|
||
|
should be removed in 2.5.
|
||
|
- restrict usage of second block hashing only if OpenSSL/LibreSSL/GnuTLS
|
||
|
is available
|
||
|
|
||
|
Upstream: https://github.com/OpenPrinting/cups/commit/c6cd5e9c10edc68caf6936a3d3274f758e9cd03d
|
||
|
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
||
|
---
|
||
|
cups/hash.c | 271 +++++++++++++++++++++++++++++++++++++++++++++++++---
|
||
|
1 file changed, 260 insertions(+), 11 deletions(-)
|
||
|
|
||
|
diff --git a/cups/hash.c b/cups/hash.c
|
||
|
index 93ca552c8..c447bab4e 100644
|
||
|
--- a/cups/hash.c
|
||
|
+++ b/cups/hash.c
|
||
|
@@ -12,8 +12,13 @@
|
||
|
#include "md5-internal.h"
|
||
|
#ifdef HAVE_OPENSSL
|
||
|
# include <openssl/evp.h>
|
||
|
-#else // HAVE_GNUTLS
|
||
|
+#elif defined(HAVE_GNUTLS)
|
||
|
# include <gnutls/crypto.h>
|
||
|
+#elif __APPLE__
|
||
|
+# include <CommonCrypto/CommonDigest.h>
|
||
|
+#elif _WIN32
|
||
|
+# include <windows.h>
|
||
|
+# include <bcrypt.h>
|
||
|
#endif // HAVE_OPENSSL
|
||
|
|
||
|
|
||
|
@@ -193,17 +198,18 @@ hash_data(const char *algorithm, // I - Algorithm
|
||
|
const void *b, // I - Second block or `NULL` for none
|
||
|
size_t blen) // I - Length of second block or `0` for none
|
||
|
{
|
||
|
+#if defined(HAVE_OPENSSL) || defined(HAVE_GNUTLS)
|
||
|
unsigned hashlen; // Length of hash
|
||
|
unsigned char hashtemp[64]; // Temporary hash buffer
|
||
|
-#ifdef HAVE_OPENSSL
|
||
|
- const EVP_MD *md = NULL; // Message digest implementation
|
||
|
- EVP_MD_CTX *ctx; // Context
|
||
|
-#else // HAVE_GNUTLS
|
||
|
- gnutls_digest_algorithm_t alg = GNUTLS_DIG_UNKNOWN;
|
||
|
- // Algorithm
|
||
|
- gnutls_hash_hd_t ctx; // Context
|
||
|
-#endif // HAVE_OPENSSL
|
||
|
+#else
|
||
|
+ if (strcmp(algorithm, "md5") && (b || blen != 0))
|
||
|
+ {
|
||
|
+ // Second block hashing is not supported without OpenSSL or GnuTLS
|
||
|
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unsupported without GnuTLS or OpenSSL/LibreSSL."), 1);
|
||
|
|
||
|
+ return (-1);
|
||
|
+ }
|
||
|
+#endif
|
||
|
|
||
|
if (!strcmp(algorithm, "md5"))
|
||
|
{
|
||
|
@@ -223,6 +229,10 @@ hash_data(const char *algorithm, // I - Algorithm
|
||
|
}
|
||
|
|
||
|
#ifdef HAVE_OPENSSL
|
||
|
+ const EVP_MD *md = NULL; // Message digest implementation
|
||
|
+ EVP_MD_CTX *ctx; // Context
|
||
|
+
|
||
|
+
|
||
|
if (!strcmp(algorithm, "sha"))
|
||
|
{
|
||
|
// SHA-1
|
||
|
@@ -244,6 +254,14 @@ hash_data(const char *algorithm, // I - Algorithm
|
||
|
{
|
||
|
md = EVP_sha512();
|
||
|
}
|
||
|
+ else if (!strcmp(algorithm, "sha2-512_224"))
|
||
|
+ {
|
||
|
+ md = EVP_sha512_224();
|
||
|
+ }
|
||
|
+ else if (!strcmp(algorithm, "sha2-512_256"))
|
||
|
+ {
|
||
|
+ md = EVP_sha512_256();
|
||
|
+ }
|
||
|
|
||
|
if (md)
|
||
|
{
|
||
|
@@ -262,7 +280,13 @@ hash_data(const char *algorithm, // I - Algorithm
|
||
|
return ((ssize_t)hashlen);
|
||
|
}
|
||
|
|
||
|
-#else // HAVE_GNUTLS
|
||
|
+#elif defined(HAVE_GNUTLS)
|
||
|
+ gnutls_digest_algorithm_t alg = GNUTLS_DIG_UNKNOWN; // Algorithm
|
||
|
+ gnutls_hash_hd_t ctx; // Context
|
||
|
+ unsigned char temp[64]; // Temporary hash buffer
|
||
|
+ size_t tempsize = 0; // Truncate to this size?
|
||
|
+
|
||
|
+
|
||
|
if (!strcmp(algorithm, "sha"))
|
||
|
{
|
||
|
// SHA-1
|
||
|
@@ -284,9 +308,32 @@ hash_data(const char *algorithm, // I - Algorithm
|
||
|
{
|
||
|
alg = GNUTLS_DIG_SHA512;
|
||
|
}
|
||
|
+ else if (!strcmp(algorithm, "sha2-512_224"))
|
||
|
+ {
|
||
|
+ alg = GNUTLS_DIG_SHA512;
|
||
|
+ tempsize = 28;
|
||
|
+ }
|
||
|
+ else if (!strcmp(algorithm, "sha2-512_256"))
|
||
|
+ {
|
||
|
+ alg = GNUTLS_DIG_SHA512;
|
||
|
+ tempsize = 32;
|
||
|
+ }
|
||
|
|
||
|
if (alg != GNUTLS_DIG_UNKNOWN)
|
||
|
{
|
||
|
+ if (tempsize > 0)
|
||
|
+ {
|
||
|
+ // Truncate result to tempsize bytes...
|
||
|
+
|
||
|
+ if (hashsize < tempsize)
|
||
|
+ goto too_small;
|
||
|
+
|
||
|
+ gnutls_hash_fast(alg, a, alen, temp);
|
||
|
+ memcpy(hash, temp, tempsize);
|
||
|
+
|
||
|
+ return ((ssize_t)tempsize);
|
||
|
+ }
|
||
|
+
|
||
|
hashlen = gnutls_hash_get_len(alg);
|
||
|
|
||
|
if (hashlen > hashsize)
|
||
|
@@ -302,7 +349,209 @@ hash_data(const char *algorithm, // I - Algorithm
|
||
|
|
||
|
return ((ssize_t)hashlen);
|
||
|
}
|
||
|
-#endif // HAVE_OPENSSL
|
||
|
+
|
||
|
+#elif __APPLE__
|
||
|
+ if (!strcmp(algorithm, "sha"))
|
||
|
+ {
|
||
|
+ // SHA-1...
|
||
|
+
|
||
|
+ CC_SHA1_CTX ctx; // SHA-1 context
|
||
|
+
|
||
|
+ if (hashsize < CC_SHA1_DIGEST_LENGTH)
|
||
|
+ goto too_small;
|
||
|
+
|
||
|
+ CC_SHA1_Init(&ctx);
|
||
|
+ CC_SHA1_Update(&ctx, a, (CC_LONG)alen);
|
||
|
+ CC_SHA1_Final(hash, &ctx);
|
||
|
+
|
||
|
+ return (CC_SHA1_DIGEST_LENGTH);
|
||
|
+ }
|
||
|
+# ifdef CC_SHA224_DIGEST_LENGTH
|
||
|
+ else if (!strcmp(algorithm, "sha2-224"))
|
||
|
+ {
|
||
|
+ CC_SHA256_CTX ctx; // SHA-224 context
|
||
|
+
|
||
|
+ if (hashsize < CC_SHA224_DIGEST_LENGTH)
|
||
|
+ goto too_small;
|
||
|
+
|
||
|
+ CC_SHA224_Init(&ctx);
|
||
|
+ CC_SHA224_Update(&ctx, a, (CC_LONG)alen);
|
||
|
+ CC_SHA224_Final(hash, &ctx);
|
||
|
+
|
||
|
+ return (CC_SHA224_DIGEST_LENGTH);
|
||
|
+ }
|
||
|
+# endif /* CC_SHA224_DIGEST_LENGTH */
|
||
|
+ else if (!strcmp(algorithm, "sha2-256"))
|
||
|
+ {
|
||
|
+ CC_SHA256_CTX ctx; // SHA-256 context
|
||
|
+
|
||
|
+ if (hashsize < CC_SHA256_DIGEST_LENGTH)
|
||
|
+ goto too_small;
|
||
|
+
|
||
|
+ CC_SHA256_Init(&ctx);
|
||
|
+ CC_SHA256_Update(&ctx, a, (CC_LONG)alen);
|
||
|
+ CC_SHA256_Final(hash, &ctx);
|
||
|
+
|
||
|
+ return (CC_SHA256_DIGEST_LENGTH);
|
||
|
+ }
|
||
|
+ else if (!strcmp(algorithm, "sha2-384"))
|
||
|
+ {
|
||
|
+ CC_SHA512_CTX ctx; // SHA-384 context
|
||
|
+
|
||
|
+ if (hashsize < CC_SHA384_DIGEST_LENGTH)
|
||
|
+ goto too_small;
|
||
|
+
|
||
|
+ CC_SHA384_Init(&ctx);
|
||
|
+ CC_SHA384_Update(&ctx, a, (CC_LONG)alen);
|
||
|
+ CC_SHA384_Final(hash, &ctx);
|
||
|
+
|
||
|
+ return (CC_SHA384_DIGEST_LENGTH);
|
||
|
+ }
|
||
|
+ else if (!strcmp(algorithm, "sha2-512"))
|
||
|
+ {
|
||
|
+ CC_SHA512_CTX ctx; // SHA-512 context
|
||
|
+
|
||
|
+ if (hashsize < CC_SHA512_DIGEST_LENGTH)
|
||
|
+ goto too_small;
|
||
|
+
|
||
|
+ CC_SHA512_Init(&ctx);
|
||
|
+ CC_SHA512_Update(&ctx, a, (CC_LONG)alen);
|
||
|
+ CC_SHA512_Final(hash, &ctx);
|
||
|
+
|
||
|
+ return (CC_SHA512_DIGEST_LENGTH);
|
||
|
+ }
|
||
|
+# ifdef CC_SHA224_DIGEST_LENGTH
|
||
|
+ else if (!strcmp(algorithm, "sha2-512_224"))
|
||
|
+ {
|
||
|
+ CC_SHA512_CTX ctx; // SHA-512 context
|
||
|
+ unsigned char temp[CC_SHA512_DIGEST_LENGTH];
|
||
|
+ // SHA-512 hash
|
||
|
+
|
||
|
+ // SHA2-512 truncated to 224 bits (28 bytes)...
|
||
|
+
|
||
|
+ if (hashsize < CC_SHA224_DIGEST_LENGTH)
|
||
|
+ goto too_small;
|
||
|
+
|
||
|
+ CC_SHA512_Init(&ctx);
|
||
|
+ CC_SHA512_Update(&ctx, a, (CC_LONG)alen);
|
||
|
+ CC_SHA512_Final(temp, &ctx);
|
||
|
+
|
||
|
+ memcpy(hash, temp, CC_SHA224_DIGEST_LENGTH);
|
||
|
+
|
||
|
+ return (CC_SHA224_DIGEST_LENGTH);
|
||
|
+ }
|
||
|
+# endif // CC_SHA224_DIGEST_LENGTH
|
||
|
+ else if (!strcmp(algorithm, "sha2-512_256"))
|
||
|
+ {
|
||
|
+ CC_SHA512_CTX ctx; // SHA-512 context
|
||
|
+ unsigned char temp[CC_SHA512_DIGEST_LENGTH];
|
||
|
+ // SHA-512 hash
|
||
|
+
|
||
|
+ // SHA2-512 truncated to 256 bits (32 bytes)...
|
||
|
+
|
||
|
+ if (hashsize < CC_SHA256_DIGEST_LENGTH)
|
||
|
+ goto too_small;
|
||
|
+
|
||
|
+ CC_SHA512_Init(&ctx);
|
||
|
+ CC_SHA512_Update(&ctx, a, (CC_LONG)alen);
|
||
|
+ CC_SHA512_Final(temp, &ctx);
|
||
|
+
|
||
|
+ memcpy(hash, temp, CC_SHA256_DIGEST_LENGTH);
|
||
|
+
|
||
|
+ return (CC_SHA256_DIGEST_LENGTH);
|
||
|
+ }
|
||
|
+
|
||
|
+#elif _WIN32
|
||
|
+ // Use Windows CNG APIs to perform hashing...
|
||
|
+ BCRYPT_ALG_HANDLE alg; // Algorithm handle
|
||
|
+ LPCWSTR algid = NULL; // Algorithm ID
|
||
|
+ ssize_t hashlen; // Hash length
|
||
|
+ NTSTATUS status; // Status of hash
|
||
|
+ unsigned char temp[64]; // Temporary hash buffer
|
||
|
+ size_t tempsize = 0; // Truncate to this size?
|
||
|
+
|
||
|
+
|
||
|
+ if (!strcmp(algorithm, "sha"))
|
||
|
+ {
|
||
|
+ algid = BCRYPT_SHA1_ALGORITHM;
|
||
|
+ hashlen = 20;
|
||
|
+ }
|
||
|
+ else if (!strcmp(algorithm, "sha2-256"))
|
||
|
+ {
|
||
|
+ algid = BCRYPT_SHA256_ALGORITHM;
|
||
|
+ hashlen = 32;
|
||
|
+ }
|
||
|
+ else if (!strcmp(algorithm, "sha2-384"))
|
||
|
+ {
|
||
|
+ algid = BCRYPT_SHA384_ALGORITHM;
|
||
|
+ hashlen = 48;
|
||
|
+ }
|
||
|
+ else if (!strcmp(algorithm, "sha2-512"))
|
||
|
+ {
|
||
|
+ algid = BCRYPT_SHA512_ALGORITHM;
|
||
|
+ hashlen = 64;
|
||
|
+ }
|
||
|
+ else if (!strcmp(algorithm, "sha2-512_224"))
|
||
|
+ {
|
||
|
+ algid = BCRYPT_SHA512_ALGORITHM;
|
||
|
+ hashlen = tempsize = 28;
|
||
|
+ }
|
||
|
+ else if (!strcmp(algorithm, "sha2-512_256"))
|
||
|
+ {
|
||
|
+ algid = BCRYPT_SHA512_ALGORITHM;
|
||
|
+ hashlen = tempsize = 32;
|
||
|
+ }
|
||
|
+
|
||
|
+ if (algid)
|
||
|
+ {
|
||
|
+ if (hashsize < (size_t)hashlen)
|
||
|
+ goto too_small;
|
||
|
+
|
||
|
+ if ((status = BCryptOpenAlgorithmProvider(&alg, algid, NULL, 0)) < 0)
|
||
|
+ {
|
||
|
+ DEBUG_printf(("2cupsHashData: BCryptOpenAlgorithmProvider returned %d.", status));
|
||
|
+
|
||
|
+ if (status == STATUS_INVALID_PARAMETER)
|
||
|
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Bad algorithm parameter."), 1);
|
||
|
+ else
|
||
|
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to access cryptographic provider."), 1);
|
||
|
+
|
||
|
+ return (-1);
|
||
|
+ }
|
||
|
+
|
||
|
+ if (tempsize > 0)
|
||
|
+ {
|
||
|
+ // Do a truncated SHA2-512 hash...
|
||
|
+ status = BCryptHash(alg, NULL, 0, (PUCHAR)a, (ULONG)alen, temp, sizeof(temp));
|
||
|
+ memcpy(hash, temp, hashlen);
|
||
|
+ }
|
||
|
+ else
|
||
|
+ {
|
||
|
+ // Hash directly to buffer...
|
||
|
+ status = BCryptHash(alg, NULL, 0, (PUCHAR)a, (ULONG)alen, hash, (ULONG)hashlen);
|
||
|
+ }
|
||
|
+
|
||
|
+ BCryptCloseAlgorithmProvider(alg, 0);
|
||
|
+
|
||
|
+ if (status < 0)
|
||
|
+ {
|
||
|
+ DEBUG_printf(("2cupsHashData: BCryptHash returned %d.", status));
|
||
|
+
|
||
|
+ if (status == STATUS_INVALID_PARAMETER)
|
||
|
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Bad hashing parameter."), 1);
|
||
|
+ else
|
||
|
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Hashing failed."), 1);
|
||
|
+
|
||
|
+ return (-1);
|
||
|
+ }
|
||
|
+
|
||
|
+ return (hashlen);
|
||
|
+ }
|
||
|
+
|
||
|
+#else
|
||
|
+ if (hashsize < 64)
|
||
|
+ goto too_small;
|
||
|
+#endif // __APPLE__
|
||
|
|
||
|
// Unknown hash algorithm...
|
||
|
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unknown hash algorithm."), 1);
|