| From c6cd5e9c10edc68caf6936a3d3274f758e9cd03d Mon Sep 17 00:00:00 2001 |
| From: Zdenek Dohnal <zdohnal@redhat.com> |
| Date: Tue, 3 Oct 2023 13:59:40 +0200 |
| Subject: [PATCH] cups/hash.c: Put support for MacOS/Win SSL libs back |
| |
| - I mustn't remove their support in patch release - this should happen in |
| 2.5 only. |
| - I have put back support for several hashes as well - they |
| should be removed in 2.5. |
| - restrict usage of second block hashing only if OpenSSL/LibreSSL/GnuTLS |
| is available |
| |
| Upstream: https://github.com/OpenPrinting/cups/commit/c6cd5e9c10edc68caf6936a3d3274f758e9cd03d |
| Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> |
| --- |
| cups/hash.c | 271 +++++++++++++++++++++++++++++++++++++++++++++++++--- |
| 1 file changed, 260 insertions(+), 11 deletions(-) |
| |
| diff --git a/cups/hash.c b/cups/hash.c |
| index 93ca552c8..c447bab4e 100644 |
| --- a/cups/hash.c |
| +++ b/cups/hash.c |
| @@ -12,8 +12,13 @@ |
| #include "md5-internal.h" |
| #ifdef HAVE_OPENSSL |
| # include <openssl/evp.h> |
| -#else // HAVE_GNUTLS |
| +#elif defined(HAVE_GNUTLS) |
| # include <gnutls/crypto.h> |
| +#elif __APPLE__ |
| +# include <CommonCrypto/CommonDigest.h> |
| +#elif _WIN32 |
| +# include <windows.h> |
| +# include <bcrypt.h> |
| #endif // HAVE_OPENSSL |
| |
| |
| @@ -193,17 +198,18 @@ hash_data(const char *algorithm, // I - Algorithm |
| const void *b, // I - Second block or `NULL` for none |
| size_t blen) // I - Length of second block or `0` for none |
| { |
| +#if defined(HAVE_OPENSSL) || defined(HAVE_GNUTLS) |
| unsigned hashlen; // Length of hash |
| unsigned char hashtemp[64]; // Temporary hash buffer |
| -#ifdef HAVE_OPENSSL |
| - const EVP_MD *md = NULL; // Message digest implementation |
| - EVP_MD_CTX *ctx; // Context |
| -#else // HAVE_GNUTLS |
| - gnutls_digest_algorithm_t alg = GNUTLS_DIG_UNKNOWN; |
| - // Algorithm |
| - gnutls_hash_hd_t ctx; // Context |
| -#endif // HAVE_OPENSSL |
| +#else |
| + if (strcmp(algorithm, "md5") && (b || blen != 0)) |
| + { |
| + // Second block hashing is not supported without OpenSSL or GnuTLS |
| + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unsupported without GnuTLS or OpenSSL/LibreSSL."), 1); |
| |
| + return (-1); |
| + } |
| +#endif |
| |
| if (!strcmp(algorithm, "md5")) |
| { |
| @@ -223,6 +229,10 @@ hash_data(const char *algorithm, // I - Algorithm |
| } |
| |
| #ifdef HAVE_OPENSSL |
| + const EVP_MD *md = NULL; // Message digest implementation |
| + EVP_MD_CTX *ctx; // Context |
| + |
| + |
| if (!strcmp(algorithm, "sha")) |
| { |
| // SHA-1 |
| @@ -244,6 +254,14 @@ hash_data(const char *algorithm, // I - Algorithm |
| { |
| md = EVP_sha512(); |
| } |
| + else if (!strcmp(algorithm, "sha2-512_224")) |
| + { |
| + md = EVP_sha512_224(); |
| + } |
| + else if (!strcmp(algorithm, "sha2-512_256")) |
| + { |
| + md = EVP_sha512_256(); |
| + } |
| |
| if (md) |
| { |
| @@ -262,7 +280,13 @@ hash_data(const char *algorithm, // I - Algorithm |
| return ((ssize_t)hashlen); |
| } |
| |
| -#else // HAVE_GNUTLS |
| +#elif defined(HAVE_GNUTLS) |
| + gnutls_digest_algorithm_t alg = GNUTLS_DIG_UNKNOWN; // Algorithm |
| + gnutls_hash_hd_t ctx; // Context |
| + unsigned char temp[64]; // Temporary hash buffer |
| + size_t tempsize = 0; // Truncate to this size? |
| + |
| + |
| if (!strcmp(algorithm, "sha")) |
| { |
| // SHA-1 |
| @@ -284,9 +308,32 @@ hash_data(const char *algorithm, // I - Algorithm |
| { |
| alg = GNUTLS_DIG_SHA512; |
| } |
| + else if (!strcmp(algorithm, "sha2-512_224")) |
| + { |
| + alg = GNUTLS_DIG_SHA512; |
| + tempsize = 28; |
| + } |
| + else if (!strcmp(algorithm, "sha2-512_256")) |
| + { |
| + alg = GNUTLS_DIG_SHA512; |
| + tempsize = 32; |
| + } |
| |
| if (alg != GNUTLS_DIG_UNKNOWN) |
| { |
| + if (tempsize > 0) |
| + { |
| + // Truncate result to tempsize bytes... |
| + |
| + if (hashsize < tempsize) |
| + goto too_small; |
| + |
| + gnutls_hash_fast(alg, a, alen, temp); |
| + memcpy(hash, temp, tempsize); |
| + |
| + return ((ssize_t)tempsize); |
| + } |
| + |
| hashlen = gnutls_hash_get_len(alg); |
| |
| if (hashlen > hashsize) |
| @@ -302,7 +349,209 @@ hash_data(const char *algorithm, // I - Algorithm |
| |
| return ((ssize_t)hashlen); |
| } |
| -#endif // HAVE_OPENSSL |
| + |
| +#elif __APPLE__ |
| + if (!strcmp(algorithm, "sha")) |
| + { |
| + // SHA-1... |
| + |
| + CC_SHA1_CTX ctx; // SHA-1 context |
| + |
| + if (hashsize < CC_SHA1_DIGEST_LENGTH) |
| + goto too_small; |
| + |
| + CC_SHA1_Init(&ctx); |
| + CC_SHA1_Update(&ctx, a, (CC_LONG)alen); |
| + CC_SHA1_Final(hash, &ctx); |
| + |
| + return (CC_SHA1_DIGEST_LENGTH); |
| + } |
| +# ifdef CC_SHA224_DIGEST_LENGTH |
| + else if (!strcmp(algorithm, "sha2-224")) |
| + { |
| + CC_SHA256_CTX ctx; // SHA-224 context |
| + |
| + if (hashsize < CC_SHA224_DIGEST_LENGTH) |
| + goto too_small; |
| + |
| + CC_SHA224_Init(&ctx); |
| + CC_SHA224_Update(&ctx, a, (CC_LONG)alen); |
| + CC_SHA224_Final(hash, &ctx); |
| + |
| + return (CC_SHA224_DIGEST_LENGTH); |
| + } |
| +# endif /* CC_SHA224_DIGEST_LENGTH */ |
| + else if (!strcmp(algorithm, "sha2-256")) |
| + { |
| + CC_SHA256_CTX ctx; // SHA-256 context |
| + |
| + if (hashsize < CC_SHA256_DIGEST_LENGTH) |
| + goto too_small; |
| + |
| + CC_SHA256_Init(&ctx); |
| + CC_SHA256_Update(&ctx, a, (CC_LONG)alen); |
| + CC_SHA256_Final(hash, &ctx); |
| + |
| + return (CC_SHA256_DIGEST_LENGTH); |
| + } |
| + else if (!strcmp(algorithm, "sha2-384")) |
| + { |
| + CC_SHA512_CTX ctx; // SHA-384 context |
| + |
| + if (hashsize < CC_SHA384_DIGEST_LENGTH) |
| + goto too_small; |
| + |
| + CC_SHA384_Init(&ctx); |
| + CC_SHA384_Update(&ctx, a, (CC_LONG)alen); |
| + CC_SHA384_Final(hash, &ctx); |
| + |
| + return (CC_SHA384_DIGEST_LENGTH); |
| + } |
| + else if (!strcmp(algorithm, "sha2-512")) |
| + { |
| + CC_SHA512_CTX ctx; // SHA-512 context |
| + |
| + if (hashsize < CC_SHA512_DIGEST_LENGTH) |
| + goto too_small; |
| + |
| + CC_SHA512_Init(&ctx); |
| + CC_SHA512_Update(&ctx, a, (CC_LONG)alen); |
| + CC_SHA512_Final(hash, &ctx); |
| + |
| + return (CC_SHA512_DIGEST_LENGTH); |
| + } |
| +# ifdef CC_SHA224_DIGEST_LENGTH |
| + else if (!strcmp(algorithm, "sha2-512_224")) |
| + { |
| + CC_SHA512_CTX ctx; // SHA-512 context |
| + unsigned char temp[CC_SHA512_DIGEST_LENGTH]; |
| + // SHA-512 hash |
| + |
| + // SHA2-512 truncated to 224 bits (28 bytes)... |
| + |
| + if (hashsize < CC_SHA224_DIGEST_LENGTH) |
| + goto too_small; |
| + |
| + CC_SHA512_Init(&ctx); |
| + CC_SHA512_Update(&ctx, a, (CC_LONG)alen); |
| + CC_SHA512_Final(temp, &ctx); |
| + |
| + memcpy(hash, temp, CC_SHA224_DIGEST_LENGTH); |
| + |
| + return (CC_SHA224_DIGEST_LENGTH); |
| + } |
| +# endif // CC_SHA224_DIGEST_LENGTH |
| + else if (!strcmp(algorithm, "sha2-512_256")) |
| + { |
| + CC_SHA512_CTX ctx; // SHA-512 context |
| + unsigned char temp[CC_SHA512_DIGEST_LENGTH]; |
| + // SHA-512 hash |
| + |
| + // SHA2-512 truncated to 256 bits (32 bytes)... |
| + |
| + if (hashsize < CC_SHA256_DIGEST_LENGTH) |
| + goto too_small; |
| + |
| + CC_SHA512_Init(&ctx); |
| + CC_SHA512_Update(&ctx, a, (CC_LONG)alen); |
| + CC_SHA512_Final(temp, &ctx); |
| + |
| + memcpy(hash, temp, CC_SHA256_DIGEST_LENGTH); |
| + |
| + return (CC_SHA256_DIGEST_LENGTH); |
| + } |
| + |
| +#elif _WIN32 |
| + // Use Windows CNG APIs to perform hashing... |
| + BCRYPT_ALG_HANDLE alg; // Algorithm handle |
| + LPCWSTR algid = NULL; // Algorithm ID |
| + ssize_t hashlen; // Hash length |
| + NTSTATUS status; // Status of hash |
| + unsigned char temp[64]; // Temporary hash buffer |
| + size_t tempsize = 0; // Truncate to this size? |
| + |
| + |
| + if (!strcmp(algorithm, "sha")) |
| + { |
| + algid = BCRYPT_SHA1_ALGORITHM; |
| + hashlen = 20; |
| + } |
| + else if (!strcmp(algorithm, "sha2-256")) |
| + { |
| + algid = BCRYPT_SHA256_ALGORITHM; |
| + hashlen = 32; |
| + } |
| + else if (!strcmp(algorithm, "sha2-384")) |
| + { |
| + algid = BCRYPT_SHA384_ALGORITHM; |
| + hashlen = 48; |
| + } |
| + else if (!strcmp(algorithm, "sha2-512")) |
| + { |
| + algid = BCRYPT_SHA512_ALGORITHM; |
| + hashlen = 64; |
| + } |
| + else if (!strcmp(algorithm, "sha2-512_224")) |
| + { |
| + algid = BCRYPT_SHA512_ALGORITHM; |
| + hashlen = tempsize = 28; |
| + } |
| + else if (!strcmp(algorithm, "sha2-512_256")) |
| + { |
| + algid = BCRYPT_SHA512_ALGORITHM; |
| + hashlen = tempsize = 32; |
| + } |
| + |
| + if (algid) |
| + { |
| + if (hashsize < (size_t)hashlen) |
| + goto too_small; |
| + |
| + if ((status = BCryptOpenAlgorithmProvider(&alg, algid, NULL, 0)) < 0) |
| + { |
| + DEBUG_printf(("2cupsHashData: BCryptOpenAlgorithmProvider returned %d.", status)); |
| + |
| + if (status == STATUS_INVALID_PARAMETER) |
| + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Bad algorithm parameter."), 1); |
| + else |
| + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to access cryptographic provider."), 1); |
| + |
| + return (-1); |
| + } |
| + |
| + if (tempsize > 0) |
| + { |
| + // Do a truncated SHA2-512 hash... |
| + status = BCryptHash(alg, NULL, 0, (PUCHAR)a, (ULONG)alen, temp, sizeof(temp)); |
| + memcpy(hash, temp, hashlen); |
| + } |
| + else |
| + { |
| + // Hash directly to buffer... |
| + status = BCryptHash(alg, NULL, 0, (PUCHAR)a, (ULONG)alen, hash, (ULONG)hashlen); |
| + } |
| + |
| + BCryptCloseAlgorithmProvider(alg, 0); |
| + |
| + if (status < 0) |
| + { |
| + DEBUG_printf(("2cupsHashData: BCryptHash returned %d.", status)); |
| + |
| + if (status == STATUS_INVALID_PARAMETER) |
| + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Bad hashing parameter."), 1); |
| + else |
| + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Hashing failed."), 1); |
| + |
| + return (-1); |
| + } |
| + |
| + return (hashlen); |
| + } |
| + |
| +#else |
| + if (hashsize < 64) |
| + goto too_small; |
| +#endif // __APPLE__ |
| |
| // Unknown hash algorithm... |
| _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unknown hash algorithm."), 1); |
