Package: libapache2-mod-auth-pubtkt
Version: 0.10-1
Severity: important
Tags: patch upstream

Dear Maintainer,

Due to a bug in the upstream code, setting the hash digest algorithm using the
TKTAuthDigest Apache configuration setting does not work.  The configuration
setting currently defaults to SHA1 and this is the only algorithm that works.
Also, only DSA is usable (as far as I could test).

The problem is due to an incorrect string comparison in the upstream code and
has been fixed in the latest release, 0.11 (the only change for the release).
Updating the Debian package to the latest version of the code should fix the
issue.  I am attaching that change as a patch for quick review.

Since SHA1 is not the best algorithm to use, it would be nice to have this
fixed soon.

Thank you,

--
Sunil
commit 694b9a577f1688a8c7fb0dcccca068f85a912592
Author: Michael Kaylan <m...@kaylanm.net>
Date:   Tue Feb 28 22:30:40 2017 -0500

    Fix TKTAuthDigest algorithm selection.

diff --git a/CHANGELOG b/CHANGELOG
index b57e8c6..d5af735 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,6 @@
+v0.11 (2017-02-28)
+- Fixes selection of digest algorithm when using TKTAuthDigest.
+
 v0.10 (2016-12-16)
 ------------------
 - New option TKTAuthDigest allowing selection of the digest algorithm.
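Review bot: the new "v0.11 (2017-02-28)" heading has no dashed underline, while the "v0.10 (2016-12-16)" heading directly below it does; add the same "------------------" line under it so the file stays consistent. The entry would also serve administrators better if it said what 0.10 did with a configured TKTAuthDigest value, because anyone who set the option under 0.10 will get a different digest after upgrading.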
diff --git a/src/mod_auth_pubtkt.c b/src/mod_auth_pubtkt.c
index 590df5c..0895f72 100755
--- a/src/mod_auth_pubtkt.c
+++ b/src/mod_auth_pubtkt.c
@@ -254,17 +254,17 @@ static const char *setup_pubkey(cmd_parms *cmd, void 
*cfg, const char *param) {
 static const char *setup_digest(cmd_parms *cmd, void *cfg, const char *param) {
        auth_pubtkt_dir_conf *conf = (auth_pubtkt_dir_conf*)cfg;
 
-       if (strcasecmp(param, "SHA1")) {
+       if (strcasecmp(param, "SHA1") == 0) {
                conf->digest = EVP_sha1();
-       } else if (strcasecmp(param, "DSS1")) {
+       } else if (strcasecmp(param, "DSS1") == 0) {
                conf->digest = EVP_dss1();
-       } else if (strcasecmp(param, "SHA224")) {
+       } else if (strcasecmp(param, "SHA224") == 0) {
                conf->digest = EVP_sha224();
-       } else if (strcasecmp(param, "SHA256")) {
+       } else if (strcasecmp(param, "SHA256") == 0) {
                conf->digest = EVP_sha256();
-       } else if (strcasecmp(param, "SHA384")) {
+       } else if (strcasecmp(param, "SHA384") == 0) {
                conf->digest = EVP_sha384();
-       } else if (strcasecmp(param, "SHA512")) {
+       } else if (strcasecmp(param, "SHA512") == 0) {
                conf->digest = EVP_sha512();
        } else {
                return apr_pstrcat(cmd->pool, cmd->cmd->name, ": Invalid digest 
algorithm ", param, NULL);
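Review bot: the trailing else branch of setup_digest (the "Invalid digest algorithm" return) was unreachable before this change, so a configuration that loads today with a misspelled or unsupported TKTAuthDigest value will now be rejected when the directive is parsed; that behaviour change deserves a line in the release notes. With the old bare strcasecmp() tests, every value other than "SHA1" took the first branch and got EVP_sha1(), and "SHA1" itself fell through to the DSS1 branch and got EVP_dss1(). The six-way if/else chain repeats the same comparison six times, which is how the missing "== 0" went unnoticed; a small static table of name and digest-constructor pairs walked in one loop would keep the comparison in a single place.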
