Package: libapache2-mod-auth-pubtkt
Version: 0.10-1
Severity: important
Tags: patch upstream

Dear Maintainer,

Due to a bug in the upstream code, setting the hash digest algorithm using the TKTAuthDigest Apache configuration setting does not work. Its configuration setting currently defaults to SHA1 and this is the only algorithm that works. Also only DSA is usable (as far as I could test).

The problem is due to an incorrect string comparison in the upstream code and has been fixed in the latest release 0.11 (only change for the release). Updating the Debian package to the latest version of the code should fix the issue. I am attaching that change as a patch for quick review.

Since SHA1 is not the best algorithm to use, it would be nice to have this fixed soon.

Thank you,
-- Sunil

commit 694b9a577f1688a8c7fb0dcccca068f85a912592 Author: Michael Kaylan <m...@kaylanm.net> Date: Tue Feb 28 22:30:40 2017 -0500 Fix TKTAuthDigest algorithm selection. diff --git a/CHANGELOG b/CHANGELOG index b57e8c6..d5af735 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,3 +1,6 @@ +v0.11 (2017-02-28) +- Fixes selection of digest algorithm when using TKTAuthDigest. + v0.10 (2016-12-16) ------------------ - New option TKTAuthDigest allowing selection of the digest algorithm. diff --git a/src/mod_auth_pubtkt.c b/src/mod_auth_pubtkt.c index 590df5c..0895f72 100755 --- a/src/mod_auth_pubtkt.c +++ b/src/mod_auth_pubtkt.c @@ -254,17 +254,17 @@ static const char *setup_pubkey(cmd_parms *cmd, void *cfg, const char *param) { static const char *setup_digest(cmd_parms *cmd, void *cfg, const char *param) { auth_pubtkt_dir_conf *conf = (auth_pubtkt_dir_conf*)cfg; - if (strcasecmp(param, "SHA1")) { + if (strcasecmp(param, "SHA1") == 0) { conf->digest = EVP_sha1(); - } else if (strcasecmp(param, "DSS1")) { + } else if (strcasecmp(param, "DSS1") == 0) { conf->digest = EVP_dss1(); - } else if (strcasecmp(param, "SHA224")) { + } else if (strcasecmp(param, "SHA224") == 0) { conf->digest = EVP_sha224(); - } else if (strcasecmp(param, "SHA256")) { + } else if (strcasecmp(param, "SHA256") == 0) { conf->digest = EVP_sha256(); - } else if (strcasecmp(param, "SHA384")) { + } else if (strcasecmp(param, "SHA384") == 0) { conf->digest = EVP_sha384(); - } else if (strcasecmp(param, "SHA512")) { + } else if (strcasecmp(param, "SHA512") == 0) { conf->digest = EVP_sha512(); } else { return apr_pstrcat(cmd->pool, cmd->cmd->name, ": Invalid digest algorithm ", param, NULL);
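
Review bot: The new v0.11 heading in CHANGELOG has no dashed underline, unlike the v0.10 heading directly below it. Add a `------------------` line under `v0.11 (2017-02-28)` so the file stays consistent.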
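
Review bot: The behaviour change for existing configurations in setup_digest() should be documented, because the one-line CHANGELOG entry understates it. With the old `if (strcasecmp(param, "SHA1"))` chain, every value other than SHA1 took the first branch and got EVP_sha1(), SHA1 itself fell through to EVP_dss1(), and the final "Invalid digest algorithm" branch could never be reached, so a mistyped name was accepted silently. After this change a configured SHA256 or SHA512 takes effect for the first time and unknown names are rejected when the directive is parsed. Suggest saying so in the release notes, so that administrators confirm the ticket issuer signs with the digest named in TKTAuthDigest before upgrading. Also consider replacing the six-way chain with a small name-to-digest table, so that the `== 0` cannot be dropped from a single branch again.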