From cccd13179cdaf7750d92784d65576b18c1f7a9c9793cec644b75cb867c62a85e Mon Sep 17 00:00:00 2001
From: Adam Majer
Date: Thu, 18 Jul 2019 14:14:00 +0000
Subject: [PATCH 1/2] - - old_nettle_compat.patch: Fix compatibility with nettle in SLE-12
OBS-URL: https://build.opensuse.org/package/show/server:proxy/squid?expand=0&rev=193
---
 old_nettle_compat.patch | 95 +++++++++++++++++++++++++++++++++++++++++
 squid.changes | 5 +++
 squid.spec | 4 ++
 3 files changed, 104 insertions(+)
 create mode 100644 old_nettle_compat.patch
diff --git a/old_nettle_compat.patch b/old_nettle_compat.patch
new file mode 100644
index 0000000..a4f6ffd
--- /dev/null
+++ b/old_nettle_compat.patch
@@ -0,0 +1,95 @@
+Author: Adam Majer
+Date: Thu Jul 18 13:57:22 CEST 2019
+
+nettle from SLE-12 is missing the change from later
+versions that ignores the destLen parameter size to
+base64_decode_update function. This is only used in
+the assert() but we need to pass real size of the buffer
+as otherwise all we get is a crash.
+
+The missing commit in nettle is,
+commit 07cb0b62a5fab216ed647f5a87e0f17ab3c9a615
+Author: Niels Möller
+Date: Fri Feb 7 09:11:20 2014 +0100
+
+ Base64 and base16 decoding: Use *dst_length as output only.
+
+
+Index: squid-3.5.21/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc
+===================================================================
+--- squid-3.5.21.orig/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc
++++ squid-3.5.21/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc
+@@ -667,7 +667,7 @@ main(int argc, char *const argv[])
+
+ struct base64_decode_ctx ctx;
+ base64_decode_init(&ctx);
+- unsigned int dstLen = 0;
++ unsigned int dstLen = input_token.length;
+ if (!base64_decode_update(&ctx, &dstLen, static_cast(input_token.value), srcLen, b64Token) ||
+ !base64_decode_final(&ctx)) {
+ debug((char *) "%s| %s: ERROR: Invalid base64 token [%s]\n", LogTime(), PROGRAM, b64Token);
+Index: squid-3.5.21/helpers/negotiate_auth/wrapper/negotiate_wrapper.cc
+===================================================================
+--- squid-3.5.21.orig/helpers/negotiate_auth/wrapper/negotiate_wrapper.cc
++++ squid-3.5.21/helpers/negotiate_auth/wrapper/negotiate_wrapper.cc
+@@ -341,7 +341,7 @@ main(int argc, char *const argv[])
+
+ struct base64_decode_ctx ctx;
+ base64_decode_init(&ctx);
+- unsigned int dstLen = 0;
++ unsigned int dstLen = length;
+ if (!base64_decode_update(&ctx, &dstLen, token, strlen(buf+3), reinterpret_cast(buf+3)) ||
+ !base64_decode_final(&ctx)) {
+ if (debug)
+Index: squid-3.5.21/helpers/ntlm_auth/fake/ntlm_fake_auth.cc
+===================================================================
+--- squid-3.5.21.orig/helpers/ntlm_auth/fake/ntlm_fake_auth.cc
++++ squid-3.5.21/helpers/ntlm_auth/fake/ntlm_fake_auth.cc
+@@ -151,7 +151,7 @@ main(int argc, char *argv[])
+ buflen = strlen(buf); /* keep this so we only scan the buffer for \0 once per loop */
+ struct base64_decode_ctx ctx;
+ base64_decode_init(&ctx);
+- unsigned int dstLen = 0;
++ unsigned int dstLen = HELPER_INPUT_BUFFER;
+ if (buflen > 3 &&
+ base64_decode_update(&ctx, &dstLen, decodedBuf, buflen-3, reinterpret_cast(buf+3)) &&
+ base64_decode_final(&ctx)) {
+Index: squid-3.5.21/helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc
+===================================================================
+--- squid-3.5.21.orig/helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc
++++ squid-3.5.21/helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc
+@@ -517,7 +517,7 @@ manage_request()
+ /* figure out what we got */
+ struct base64_decode_ctx ctx;
+ base64_decode_init(&ctx);
+- unsigned int dstLen = 0;
++ unsigned int dstLen = NTLM_BLOB_BUFFER_SIZE;
+ int decodedLen = 0;
+ if (!base64_decode_update(&ctx, &dstLen, reinterpret_cast(decoded), strlen(buf)-3, reinterpret_cast(buf+3)) ||
+ !base64_decode_final(&ctx)) {
+Index: squid-3.5.21/src/HttpHeader.cc
+===================================================================
+--- squid-3.5.21.orig/src/HttpHeader.cc
++++ squid-3.5.21/src/HttpHeader.cc
+@@ -1535,7 +1535,7 @@ HttpHeader::getAuth(http_hdr_type id, co
+ static char decodedAuthToken[8192];
+ struct base64_decode_ctx ctx;
+ base64_decode_init(&ctx);
+- unsigned int decodedLen = 0;
++ unsigned int decodedLen = 8190;
+ if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast(decodedAuthToken), strlen(field), reinterpret_cast(field)) ||
+ !base64_decode_final(&ctx)) {
+ return NULL;
+Index: squid-3.5.21/src/auth/basic/Config.cc
+===================================================================
+--- squid-3.5.21.orig/src/auth/basic/Config.cc
++++ squid-3.5.21/src/auth/basic/Config.cc
+@@ -173,7 +173,7 @@ Auth::Basic::Config::decodeCleartext(con
+ struct base64_decode_ctx ctx;
+ base64_decode_init(&ctx);
+
+- unsigned int dstLen = 0;
++ unsigned int dstLen = BASE64_DECODE_LENGTH(srcLen)+1;
+ if (base64_decode_update(&ctx, &dstLen, reinterpret_cast(cleartext), srcLen, (const uint8_t*)eek) && base64_decode_final(&ctx)) {
+ cleartext[dstLen] = '\0';
+
diff --git a/squid.changes b/squid.changes
index 49dfd45..6f6f597 100644
--- a/squid.changes
+++ b/squid.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Thu Jul 18 14:11:28 UTC 2019 - Adam Majer
+
+- old_nettle_compat.patch: Fix compatibility with nettle in SLE-12
+
 -------------------------------------------------------------------
 Mon Jul 15 14:58:13 UTC 2019 - Adam Majer
diff --git a/squid.spec b/squid.spec
index 694f164..970de79 100644
--- a/squid.spec
+++ b/squid.spec
@@ -39,6 +39,7 @@ Source15: cache_dir.sed
 Source16: initialize_cache_if_needed.sh
 Source17: tmpfilesdir.squid.conf
 Patch1: missing_installs.patch
+Patch2: old_nettle_compat.patch
 BuildRequires: cppunit-devel
 BuildRequires: db-devel
 BuildRequires: ed
@@ -88,6 +89,9 @@ cp %{SOURCE10} .
 # upstream patches after RELEASE
 perl -p -i -e 's|%{_prefix}/local/bin/perl|%{_bindir}/perl|' `find -name "*.pl"`
 %patch1 -p1
+%if %{suse_version} < 1500
+%patch2 -p1
+%endif
 %build
 %define _lto_cflags %{nil}
From e1d5654187c25f52c0a067191244306f542f61bdf7c280678375662bc26bac21 Mon Sep 17 00:00:00 2001
From: Adam Majer
Date: Thu, 18 Jul 2019 14:27:06 +0000
Subject: [PATCH 2/2] Fix patch for current patch
OBS-URL: https://build.opensuse.org/package/show/server:proxy/squid?expand=0&rev=194
---
 old_nettle_compat.patch | 145 +++++++++++++++++++++++++---------------
 1 file changed, 91 insertions(+), 54 deletions(-)
diff --git a/old_nettle_compat.patch b/old_nettle_compat.patch
index a4f6ffd..d4a2095 100644
--- a/old_nettle_compat.patch
+++ b/old_nettle_compat.patch
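Review bot: In the HttpHeader.cc section, `unsigned int decodedLen = 8190;` hard-codes a value two below `decodedAuthToken[8192]` and nothing bounds `strlen(field)` before the call, so on the old nettle a client-supplied Authorization/Proxy-Authorization token whose decoded length exceeds the buffer still trips the destination-size assert the patch header describes — an abort of the main squid process on an untrusted header rather than a rejected header. Prefer deriving the limit from the buffer and rejecting oversize input up front: `if (BASE64_DECODE_LENGTH(strlen(field)) > sizeof(decodedAuthToken) - 1) return NULL;` followed by `unsigned int decodedLen = sizeof(decodedAuthToken) - 1;`. The helper-side values (`input_token.length`, `length`, `HELPER_INPUT_BUFFER`, `NTLM_BLOB_BUFFER_SIZE`) are presumably the capacities of the destination buffers passed next to them, but their declarations lie outside these hunks, so that is worth confirming at each call site. A short comment at each initialization, e.g. `// old nettle asserts on *dst_length: must be the real destination capacity`, would record why the value deliberately differs from upstream's 0.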
@@ -15,81 +15,118 @@ Date: Fri Feb 7 09:11:20 2014 +0100
 Base64 and base16 decoding: Use *dst_length as output only.
-Index: squid-3.5.21/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc
+Index: squid-4.8/src/HttpHeader.cc
 ===================================================================
---- squid-3.5.21.orig/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc
-+++ squid-3.5.21/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc
-@@ -667,7 +667,7 @@ main(int argc, char *const argv[])
+--- squid-4.8.orig/src/HttpHeader.cc
++++ squid-4.8/src/HttpHeader.cc
+@@ -1301,7 +1301,7 @@ HttpHeader::getAuthToken(Http::HdrType i
+ char *decodedAuthToken = result.rawAppendStart(BASE64_DECODE_LENGTH(fieldLen));
+ struct base64_decode_ctx ctx;
+ base64_decode_init(&ctx);
+- size_t decodedLen = 0;
++ size_t decodedLen = BASE64_DECODE_LENGTH(fieldLen);
+ if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast(decodedAuthToken), fieldLen, field) ||
+ !base64_decode_final(&ctx)) {
+ return nil;
+Index: squid-4.8/src/auth/basic/Config.cc
+===================================================================
+--- squid-4.8.orig/src/auth/basic/Config.cc
++++ squid-4.8/src/auth/basic/Config.cc
+@@ -176,7 +176,7 @@ Auth::Basic::Config::decodeCleartext(con
+ struct base64_decode_ctx ctx;
+ base64_decode_init(&ctx);
+
+- size_t dstLen = 0;
++ size_t dstLen = BASE64_DECODE_LENGTH(srcLen)+1;
+ if (base64_decode_update(&ctx, &dstLen, reinterpret_cast(cleartext), srcLen, eek) && base64_decode_final(&ctx)) {
+ cleartext[dstLen] = '\0';
+
+Index: squid-4.8/src/auth/negotiate/SSPI/negotiate_sspi_auth.cc
+===================================================================
+--- squid-4.8.orig/src/auth/negotiate/SSPI/negotiate_sspi_auth.cc
++++ squid-4.8/src/auth/negotiate/SSPI/negotiate_sspi_auth.cc
+@@ -131,6 +131,7 @@ token_decode(size_t *decodedLen, uint8_t
+ {
+ struct base64_decode_ctx ctx;
+ base64_decode_init(&ctx);
++ *decodedLen = BASE64_DECODE_LENGTH(strlen(srcLen));
+ if (!base64_decode_update(&ctx, decodedLen, decoded, strlen(buf), reinterpret_cast(buf)) ||
+ !base64_decode_final(&ctx)) {
+ SEND("BH base64 decode failed");
+Index: squid-4.8/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc
+===================================================================
+--- squid-4.8.orig/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc
++++ squid-4.8/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc
+@@ -681,7 +681,7 @@ main(int argc, char *const argv[])
 struct base64_decode_ctx ctx;
 base64_decode_init(&ctx);
-- unsigned int dstLen = 0;
-+ unsigned int dstLen = input_token.length;
+- size_t dstLen = 0;
++ size_t dstLen = BASE64_DECODE_LENGTH(srcLen);
 if (!base64_decode_update(&ctx, &dstLen, static_cast(input_token.value), srcLen, b64Token) ||
 !base64_decode_final(&ctx)) {
 debug((char *) "%s| %s: ERROR: Invalid base64 token [%s]\n", LogTime(), PROGRAM, b64Token);
-Index: squid-3.5.21/helpers/negotiate_auth/wrapper/negotiate_wrapper.cc
+Index: squid-4.8/src/auth/negotiate/wrapper/negotiate_wrapper.cc
 ===================================================================
---- squid-3.5.21.orig/helpers/negotiate_auth/wrapper/negotiate_wrapper.cc
-+++ squid-3.5.21/helpers/negotiate_auth/wrapper/negotiate_wrapper.cc
-@@ -341,7 +341,7 @@ main(int argc, char *const argv[])
+--- squid-4.8.orig/src/auth/negotiate/wrapper/negotiate_wrapper.cc
++++ squid-4.8/src/auth/negotiate/wrapper/negotiate_wrapper.cc
+@@ -192,7 +192,7 @@ processingLoop(FILE *FDKIN, FILE *FDKOUT
 struct base64_decode_ctx ctx;
 base64_decode_init(&ctx);
-- unsigned int dstLen = 0;
-+ unsigned int dstLen = length;
- if (!base64_decode_update(&ctx, &dstLen, token, strlen(buf+3), reinterpret_cast(buf+3)) ||
+- size_t dstLen = 0;
++ size_t dstLen = length+1;
+ if (!base64_decode_update(&ctx, &dstLen, token, strlen(buf+3), buf+3) ||
 !base64_decode_final(&ctx)) {
- if (debug)
-Index: squid-3.5.21/helpers/ntlm_auth/fake/ntlm_fake_auth.cc
+ if (debug_enabled)
+Index: squid-4.8/src/auth/ntlm/SMB_LM/ntlm_smb_lm_auth.cc
 ===================================================================
---- squid-3.5.21.orig/helpers/ntlm_auth/fake/ntlm_fake_auth.cc
-+++ squid-3.5.21/helpers/ntlm_auth/fake/ntlm_fake_auth.cc
-@@ -151,7 +151,7 @@ main(int argc, char *argv[])
- buflen = strlen(buf); /* keep this so we only scan the buffer for \0 once per loop */
- struct base64_decode_ctx ctx;
- base64_decode_init(&ctx);
-- unsigned int dstLen = 0;
-+ unsigned int dstLen = HELPER_INPUT_BUFFER;
- if (buflen > 3 &&
- base64_decode_update(&ctx, &dstLen, decodedBuf, buflen-3, reinterpret_cast(buf+3)) &&
- base64_decode_final(&ctx)) {
-Index: squid-3.5.21/helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc
-===================================================================
---- squid-3.5.21.orig/helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc
-+++ squid-3.5.21/helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc
+--- squid-4.8.orig/src/auth/ntlm/SMB_LM/ntlm_smb_lm_auth.cc
++++ squid-4.8/src/auth/ntlm/SMB_LM/ntlm_smb_lm_auth.cc
 @@ -517,7 +517,7 @@ manage_request()
- /* figure out what we got */
 struct base64_decode_ctx ctx;
 base64_decode_init(&ctx);
-- unsigned int dstLen = 0;
-+ unsigned int dstLen = NTLM_BLOB_BUFFER_SIZE;
- int decodedLen = 0;
- if (!base64_decode_update(&ctx, &dstLen, reinterpret_cast(decoded), strlen(buf)-3, reinterpret_cast(buf+3)) ||
+ size_t dstLen = 0;
+- int decodedLen = 0;
++ int decodedLen = NTLM_BLOB_BUFFER_SIZE;
+ if (!base64_decode_update(&ctx, &dstLen, reinterpret_cast(decoded), strlen(buf)-3, buf+3) ||
 !base64_decode_final(&ctx)) {
- SEND("NA Packet format error, couldn't base64-decode");
+Index: squid-4.8/src/auth/ntlm/SSPI/ntlm_sspi_auth.cc
 ===================================================================
---- squid-3.5.21.orig/src/HttpHeader.cc
-+++ squid-3.5.21/src/HttpHeader.cc
-@@ -1535,7 +1535,7 @@ HttpHeader::getAuth(http_hdr_type id, co
- static char decodedAuthToken[8192];
+--- squid-4.8.orig/src/auth/ntlm/SSPI/ntlm_sspi_auth.cc
++++ squid-4.8/src/auth/ntlm/SSPI/ntlm_sspi_auth.cc
+@@ -418,6 +418,7 @@ token_decode(size_t *decodedLen, uint8_t
+ {
 struct base64_decode_ctx ctx;
 base64_decode_init(&ctx);
-- unsigned int decodedLen = 0;
-+ unsigned int decodedLen = 8190;
- if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast(decodedAuthToken), strlen(field), reinterpret_cast(field)) ||
++ *decodedLen = BASE64_DECODE_LENGTH(strlen(buf))+1;
+ if (!base64_decode_update(&ctx, decodedLen, decoded, strlen(buf), reinterpret_cast(buf)) ||
 !base64_decode_final(&ctx)) {
- return NULL;
-Index: squid-3.5.21/src/auth/basic/Config.cc
+ SEND_BH("message=\"base64 decode failed\"");
+Index: squid-4.8/src/auth/ntlm/fake/ntlm_fake_auth.cc
 ===================================================================
---- squid-3.5.21.orig/src/auth/basic/Config.cc
-+++ squid-3.5.21/src/auth/basic/Config.cc
-@@ -173,7 +173,7 @@ Auth::Basic::Config::decodeCleartext(con
+--- squid-4.8.orig/src/auth/ntlm/fake/ntlm_fake_auth.cc
++++ squid-4.8/src/auth/ntlm/fake/ntlm_fake_auth.cc
+@@ -153,7 +153,7 @@ main(int argc, char *argv[])
+ ntlmhdr *packet;
+ struct base64_decode_ctx ctx;
+ base64_decode_init(&ctx);
+- size_t dstLen = 0;
++ size_t dstLen = HELPER_INPUT_BUFFER;
+ if (buflen > 3 &&
+ base64_decode_update(&ctx, &dstLen, decodedBuf, buflen-3, buf+3) &&
+ base64_decode_final(&ctx)) {
+Index: squid-4.8/tools/cachemgr.cc
+===================================================================
+--- squid-4.8.orig/tools/cachemgr.cc
++++ squid-4.8/tools/cachemgr.cc
+@@ -1103,7 +1103,7 @@ decode_pub_auth(cachemgr_request * req)
+ char *buf = static_cast(xmalloc(BASE64_DECODE_LENGTH(strlen(req->pub_auth))+1));
 struct base64_decode_ctx ctx;
 base64_decode_init(&ctx);
-
-- unsigned int dstLen = 0;
-+ unsigned int dstLen = BASE64_DECODE_LENGTH(srcLen)+1;
- if (base64_decode_update(&ctx, &dstLen, reinterpret_cast(cleartext), srcLen, (const uint8_t*)eek) && base64_decode_final(&ctx)) {
- cleartext[dstLen] = '\0';
-
+- size_t decodedLen = 0;
++ size_t decodedLen = BASE64_DECODE_LENGTH(strlen(req->pub_auth))+1;
+ if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast(buf), strlen(req->pub_auth), req->pub_auth) ||
+ !base64_decode_final(&ctx)) {
+ debug("cmgr: base64 decode failure. Incomplete auth token string.\n");
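Review bot: In the ntlm_smb_lm_auth.cc section the rewrite initializes the wrong variable: `int decodedLen = NTLM_BLOB_BUFFER_SIZE;` is the new change, but `size_t dstLen = 0;` is left as context and `&dstLen` is still what is passed to base64_decode_update, so on the old nettle that helper keeps the zero-size crash this patch exists to fix; the lines should read `size_t dstLen = NTLM_BLOB_BUFFER_SIZE;` with `int decodedLen = 0;` left unchanged. In the negotiate_sspi_auth.cc section `*decodedLen = BASE64_DECODE_LENGTH(strlen(srcLen));` references `srcLen`, which does not appear in that function's visible context (the next line measures `buf` with `strlen(buf)`), so it most likely does not compile — presumably unnoticed because the SSPI helpers are not built on this platform. Both SSPI sections also derive the value from the encoded input length rather than from the capacity of `decoded`, which satisfies the library's size check for any input; if the caller's `decoded` buffer is fixed-size (the parameter's type and the callers are outside the hunk), an oversize token would then overflow it instead of being rejected, so the value should come from the buffer's real capacity, as the HttpHeader.cc and cachemgr.cc sections do where the same expression sizes the allocation. The token_decode and manage_request bodies all continue outside the hunk.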