Detect libnettle MD5 components and use by default instead of the bundled Squid version or OpenSSL libcrypto.
This patch is a transition step: it uses Nettle's MD5 capabilities by default when present but retains the Squid built-in MD5 for now. No run-time differences are expected from this, as the implementation in nettle is the same code, by the same author, as the one bundled with Squid, just without the adaptations made to it over time for Squid guidelines compliance. NOTE: the OpenSSL MD5 definitions removed from configure.ac have not been used in several versions due to earlier build issues. Amos
=== modified file 'configure.ac'
--- configure.ac 2014-03-05 12:08:54 +0000
+++ configure.ac 2014-03-11 03:19:43 +0000
@@ -1214,6 +1214,28 @@
 AM_CONDITIONAL(ENABLE_HTCP, [test "x$enable_htcp" = "xyes"])
 AC_MSG_NOTICE([HTCP support enabled: $enable_htcp])
+# Cryptograhic libraries
+AC_ARG_WITH(nettle,
+ AS_HELP_STRING([--without-nettle],[Compile without the Nettle crypto library.]),[
+case "$with_nettle" in
+ yes|no)
+ : # Nothing special to do here
+ ;;
+ *)
+ if test ! -d "$withval" ; then
+ AC_MSG_ERROR([--with-nettle path does not point to a directory])
+ fi
+ NETTLELIBDIR="$with_nettle/lib"
+ CPPFLAGS="-I$with_nettle/include $CPPFLAGS"
+ with_nettle=yes
+ esac
+])
+if test "x$with_nettle" != "xno" ; then
+ AC_CHECK_HEADERS(nettle/md5.h)
+ AC_CHECK_LIB(nettle, nettle_md5_init,[NETTLELIB="-lnettle"],[with_nettle=no])
+fi
+AC_MSG_NOTICE([Using Nettle cryptographic library: ${with_nettle:=yes}])
+AC_SUBST(NETTLELIB)
 # SSL is not enabled by default.
 # Default is to use OpenSSL when available
@@ -1263,11 +1285,9 @@
 ])
 SQUID_DEFINE_BOOL(USE_SSL,$enable_ssl,
 [Define this to include code for SSL gatewaying support])
-AC_MSG_NOTICE([Using OpenSSL MD5 implementation: ${with_openssl:=no}])
-SQUID_DEFINE_BOOL(USE_OPENSSL,${with_openssl},
- [Define this to make use of the OpenSSL libraries for MD5 calculation rather than Squid-supplied MD5 implementation or if building with SSL encryption])
+AC_MSG_NOTICE([Using OpenSSL library: ${with_openssl:=no}])
 if test "x$enable_ssl" = "xyes"; then
- if test "x$SSLLIB" = "x"; then
+ if test "x$SSLLIB" = "x" -a "x$with_nettle" = "xno"; then
 SSLLIB="-lcrypto" # for MD5 routines
 fi
 # This is a workaround for RedHat 9 brain damage..
=== modified file 'helpers/basic_auth/NCSA/Makefile.am'
--- helpers/basic_auth/NCSA/Makefile.am 2013-05-01 10:13:22 +0000
+++ helpers/basic_auth/NCSA/Makefile.am 2014-03-11 05:06:05 +0000
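Review bot: The header probe and the library probe in the first hunk are independent, so on a host that has nettle/md5.h but where `AC_CHECK_LIB(nettle, nettle_md5_init, ...)` fails, `with_nettle` becomes no and NETTLELIB stays empty while HAVE_NETTLE_MD5_H is still defined; include/md5.h then maps the SquidMD5* API onto nettle and lib/md5.c compiles to nothing, so the link step fails for want of the nettle symbols. Run the library check first and only `AC_CHECK_HEADERS(nettle/md5.h)` when it succeeded, e.g. `AC_CHECK_LIB(nettle, nettle_md5_init,[NETTLELIB="-lnettle"],[with_nettle=no])` followed by `if test "x$with_nettle" != "xno" ; then AC_CHECK_HEADERS(nettle/md5.h); fi`, or gate md5.h/md5.c on a define that is set only when both checks pass. Separately, `NETTLELIBDIR="$with_nettle/lib"` is assigned but not referenced in this hunk; unless it is consumed elsewhere in configure.ac, a `--with-nettle=PATH` build adds the include directory to CPPFLAGS but never passes `-L$NETTLELIBDIR` to the link test, so the library check fails for a non-default prefix. The comment `+# Cryptograhic libraries` should read `# Cryptographic libraries`.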
@@ -8,6 +8,7 @@
 $(top_builddir)/lib/libmisccontainers.la \
 $(top_builddir)/lib/libmiscencoding.la \
 $(COMPAT_LIB) \
+ $(NETTLELIB) \
 $(CRYPTLIB) \
 $(SSLLIB) \
 $(XTRA_LIBS)
=== modified file 'helpers/digest_auth/LDAP/Makefile.am'
--- helpers/digest_auth/LDAP/Makefile.am 2013-05-04 06:34:24 +0000
+++ helpers/digest_auth/LDAP/Makefile.am 2014-03-11 05:27:44 +0000
@@ -14,6 +14,7 @@
 $(COMPAT_LIB) \
 $(LDAPLIB) \
 $(LBERLIB) \
+ $(NETTLELIB) \
 $(CRYPTLIB) \
 $(SSLLIB) \
 $(XTRA_LIBS)
=== modified file 'helpers/digest_auth/file/Makefile.am'
--- helpers/digest_auth/file/Makefile.am 2013-05-04 06:34:24 +0000
+++ helpers/digest_auth/file/Makefile.am 2014-03-11 05:37:29 +0000
@@ -14,6 +14,7 @@
 $(top_builddir)/lib/libmisccontainers.la \
 $(top_builddir)/lib/libmiscencoding.la \
 $(COMPAT_LIB) \
+ $(NETTLELIB) \
 $(CRYPTLIB) \
 $(SSLLIB) \
 $(XTRA_LIBS)
=== modified file 'include/md5.h'
--- include/md5.h 2010-11-21 04:40:05 +0000
+++ include/md5.h 2014-03-11 05:01:13 +0000
@@ -1,6 +1,18 @@
 #ifndef SQUID_MD5_H
 #define SQUID_MD5_H
+#if HAVE_NETTLE_MD5_H
+#include <nettle/md5.h>
+
+typedef struct md5_ctx SquidMD5_CTX;
+
+#define SquidMD5Init(c) md5_init((c))
+#define SquidMD5Update(c,b,l) md5_update((c), (l), (const uint8_t *)(b))
+#define SquidMD5Final(d,c) md5_digest((c), MD5_DIGEST_SIZE, (uint8_t *)(d))
+
+#define SQUID_MD5_DIGEST_LENGTH MD5_DIGEST_SIZE
+
+#else
 /*
  * This is the header file for the MD5 message-digest algorithm.
  * The algorithm is due to Ron Rivest. This code was
@@ -45,4 +57,6 @@
 #define SQUID_MD5_DIGEST_LENGTH 16
+#endif /* HAVE_NETTLE_MD5_H */
+
 #endif /* SQUID_MD5_H */
=== modified file 'lib/md5.c'
--- lib/md5.c 2012-01-20 18:55:04 +0000
+++ lib/md5.c 2014-03-11 03:15:27 +0000
@@ -32,6 +32,8 @@
 #include "squid.h"
 #include "md5.h"
+#if !HAVE_NETTLE_MD5_H
+
 #if HAVE_STRING_H
 #include <string.h> /* for memcpy() */
 #endif
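Review bot: Nothing in the new nettle branch of include/md5.h checks that `MD5_DIGEST_SIZE` is the 16 that the bundled branch hardcodes as `SQUID_MD5_DIGEST_LENGTH`, yet that constant is used for fixed-size on-wire fields in src/wccp2.cc; add `#if MD5_DIGEST_SIZE != 16` / `#error "nettle MD5_DIGEST_SIZE must be 16"` / `#endif` directly after `#include <nettle/md5.h>` so a mismatch fails at compile time instead of silently changing struct sizes. The mapping also turns SquidMD5Init/Update/Final from functions into macros and `SquidMD5_CTX` into nettle's `struct md5_ctx`, so any caller that takes the address of those names or touches fields of the bundled context will stop compiling — presumably none do, but it is worth a grep before this lands. The `(const uint8_t *)(b)` and `(uint8_t *)(d)` casts hide argument-type mismatches the function versions would have diagnosed; a short comment such as `/* nettle argument order is (ctx, length, data); the casts only adapt char buffers */` would help the next reader.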
@@ -252,3 +254,4 @@
 }
 #endif /* !ASM_MD5 */
+#endif /* HAVE_ETTLE_MD5_H */
=== modified file 'src/Makefile.am'
--- src/Makefile.am 2014-02-11 13:14:09 +0000
+++ src/Makefile.am 2014-03-11 08:42:37 +0000
@@ -639,6 +639,7 @@
 $(DISK_LINKOBJS) \
 $(REPL_OBJS) \
 $(DISK_OS_LIBS) \
+ $(NETTLELIB) \
 $(CRYPTLIB) \
 $(REGEXLIB) \
 $(ADAPTATION_LIBS) \
@@ -760,6 +761,7 @@
 mgr/libmgr.la \
 $(XTRA_OBJS) \
 $(REPL_OBJS) \
+ $(NETTLELIB) \
 $(CRYPTLIB) \
 $(REGEXLIB) \
 $(SSLLIB) \
@@ -1348,6 +1350,7 @@
 $(top_builddir)/lib/libmiscencoding.la \
 $(top_builddir)/lib/libmiscutil.la \
 $(DISK_OS_LIBS) \
+ $(NETTLELIB) \
 $(REGEXLIB) \
 $(SQUID_CPPUNIT_LIBS) \
 $(SSLLIB) \
@@ -1610,6 +1613,7 @@
 $(top_builddir)/lib/libmisccontainers.la \
 $(top_builddir)/lib/libmiscencoding.la \
 $(top_builddir)/lib/libmiscutil.la \
+ $(NETTLELIB) \
 $(REGEXLIB) \
 $(SQUID_CPPUNIT_LIBS) \
 $(SQUID_CPPUNIT_LA) \
@@ -1791,6 +1795,7 @@
 $(top_builddir)/lib/libmisccontainers.la \
 $(top_builddir)/lib/libmiscencoding.la \
 $(top_builddir)/lib/libmiscutil.la \
+ $(NETTLELIB) \
 $(REGEXLIB) \
 $(SQUID_CPPUNIT_LIBS) \
 $(SSLLIB) \
@@ -2038,6 +2043,7 @@
 ipc/libipc.la \
 mgr/libmgr.la \
 $(SNMP_LIBS) \
+ $(NETTLELIB) \
 $(REGEXLIB) \
 $(SQUID_CPPUNIT_LIBS) \
 $(SQUID_CPPUNIT_LA) \
@@ -2285,6 +2291,7 @@
 ipc/libipc.la \
 mgr/libmgr.la \
 $(SNMP_LIBS) \
+ $(NETTLELIB) \
 $(REGEXLIB) \
 $(SQUID_CPPUNIT_LIBS) \
 $(SQUID_CPPUNIT_LA) \
@@ -2525,6 +2532,7 @@
 $(top_builddir)/lib/libmisccontainers.la \
 $(top_builddir)/lib/libmiscencoding.la \
 $(top_builddir)/lib/libmiscutil.la \
+ $(NETTLELIB) \
 $(REGEXLIB) \
 $(SQUID_CPPUNIT_LIBS) \
 $(SQUID_CPPUNIT_LA) \
@@ -2813,6 +2821,7 @@
 $(top_builddir)/lib/libmiscencoding.la \
 $(top_builddir)/lib/libmiscutil.la \
 $(DISK_OS_LIBS) \
+ $(NETTLELIB) \
 $(REGEXLIB) \
 $(SQUID_CPPUNIT_LIBS) \
 $(SQUID_CPPUNIT_LA) \
@@ -2987,6 +2996,7 @@
 $(top_builddir)/lib/libmisccontainers.la \
 $(top_builddir)/lib/libmiscencoding.la \
 $(top_builddir)/lib/libmiscutil.la \
+ $(NETTLELIB) \
 $(REGEXLIB) \
 $(SQUID_CPPUNIT_LIBS) \
 $(SSLLIB) \
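Review bot: The closing guard comment `+#endif /* HAVE_ETTLE_MD5_H */` misspells the macro and drops the negation; it should read `#endif /* !HAVE_NETTLE_MD5_H */` so it matches the `#if !HAVE_NETTLE_MD5_H` opened in the earlier hunk of this file on the preceding line. Since the entire bundled implementation now sits inside that conditional, a one-line comment next to the `#if`, such as `/* The bundled MD5 is built only when libnettle is not used; see include/md5.h */`, would explain to a reader why this translation unit can legitimately be empty.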
@@ -3225,6 +3235,7 @@
 $(top_builddir)/lib/libmisccontainers.la \
 $(top_builddir)/lib/libmiscencoding.la \
 $(top_builddir)/lib/libmiscutil.la \
+ $(NETTLELIB) \
 $(REGEXLIB) \
 $(SQUID_CPPUNIT_LIBS) \
 $(SSLLIB) \
@@ -3403,6 +3414,7 @@
 $(top_builddir)/lib/libmisccontainers.la \
 $(top_builddir)/lib/libmiscencoding.la \
 $(top_builddir)/lib/libmiscutil.la \
+ $(NETTLELIB) \
 $(REGEXLIB) \
 $(SQUID_CPPUNIT_LIBS) \
 $(SSLLIB) \
@@ -3648,6 +3660,7 @@
 $(top_builddir)/lib/libmisccontainers.la \
 $(top_builddir)/lib/libmiscencoding.la \
 $(top_builddir)/lib/libmiscutil.la \
+ $(NETTLELIB) \
 $(COMPAT_LIB) \
 $(SQUID_CPPUNIT_LIBS) \
 $(SQUID_CPPUNIT_LA) \
=== modified file 'src/wccp2.cc'
--- src/wccp2.cc 2014-02-13 07:02:35 +0000
+++ src/wccp2.cc 2014-03-11 07:44:50 +0000
@@ -67,7 +67,7 @@
 #define WCCP2_MASK_ASSIGNMENT 0x01
 #define WCCP2_NONE_SECURITY_LEN 0
-#define WCCP2_MD5_SECURITY_LEN 16
+#define WCCP2_MD5_SECURITY_LEN SQUID_MD5_DIGEST_LENGTH // 16
 /* Useful defines */
 #define WCCP2_NUMPORTS 8
@@ -573,7 +573,7 @@
 static char wccp2_update_md5_security(char *password, char *ptr, char *packet, int len)
 {
- uint8_t md5_digest[16];
+ uint8_t md5Digest[SQUID_MD5_DIGEST_LENGTH];
 char pwd[WCCP2_PASSWORD_LEN];
 SquidMD5_CTX M;
@@ -601,7 +601,7 @@
 * including the WCCP message header. The WCCP security implementation
 * area should be zero'ed before calculating the MD5 hash.
 */
- /* XXX eventually we should be able to kill md5_digest and blit it directly in */
+ /* XXX eventually we should be able to kill md5Digest and blit it directly in */
 memset(ws->security_implementation, 0, sizeof(ws->security_implementation));
 SquidMD5Init(&M);
@@ -610,9 +610,9 @@
 SquidMD5Update(&M, packet, len);
- SquidMD5Final(md5_digest, &M);
+ SquidMD5Final(md5Digest, &M);
- memcpy(ws->security_implementation, md5_digest, sizeof(md5_digest));
+ memcpy(ws->security_implementation, md5Digest, sizeof(md5Digest));
 /* Finished! */
 return 1;
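Review bot: `WCCP2_MD5_SECURITY_LEN` is a WCCP2 wire-format length, not a property of whichever MD5 backend configure picked, so `+#define WCCP2_MD5_SECURITY_LEN SQUID_MD5_DIGEST_LENGTH // 16` makes the size of the security field (and of the digest/challenge arrays sized with the same macro in the -573 hunk here and the -627 and -655 hunks on the following line) follow the library header; the `// 16` comment records the intent but enforces nothing. Keep the literal `#define WCCP2_MD5_SECURITY_LEN 16` and add a compile-time check next to it, `#if SQUID_MD5_DIGEST_LENGTH != WCCP2_MD5_SECURITY_LEN` / `#error "MD5 digest length does not match the WCCP2 security field"` / `#endif`, so a backend with a different digest size is rejected at build time rather than changing the packet layout. The `memcpy(ws->security_implementation, md5Digest, sizeof(md5Digest))` in the -610 hunk is then also provably bounded by the field size; the enclosing function continues outside that hunk.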
@@ -627,7 +627,7 @@
 {
 struct wccp2_security_md5_t *ws = (struct wccp2_security_md5_t *) security;
- uint8_t md5_digest[16], md5_challenge[16];
+ uint8_t md5Digest[SQUID_MD5_DIGEST_LENGTH], md5_challenge[SQUID_MD5_DIGEST_LENGTH];
 char pwd[WCCP2_PASSWORD_LEN];
 SquidMD5_CTX M;
@@ -655,7 +655,7 @@
 pwd[sizeof(pwd) - 1] = '\0';
 /* Take a copy of the challenge: we need to NUL it before comparing */
- memcpy(md5_challenge, ws->security_implementation, 16);
+ memcpy(md5_challenge, ws->security_implementation, sizeof(md5_challenge));
 memset(ws->security_implementation, 0, sizeof(ws->security_implementation));
@@ -665,9 +665,9 @@
 SquidMD5Update(&M, packet, len);
- SquidMD5Final(md5_digest, &M);
+ SquidMD5Final(md5Digest, &M);
- return (memcmp(md5_digest, md5_challenge, 16) == 0);
+ return (memcmp(md5Digest, md5_challenge, SQUID_MD5_DIGEST_LENGTH) == 0);
 }
 void
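Review bot: `+ return (memcmp(md5Digest, md5_challenge, SQUID_MD5_DIGEST_LENGTH) == 0);` in the -665 hunk compares a locally computed authentication digest against one taken from a received packet with `memcmp`, which stops at the first differing byte; since the commit is already rewriting this line, a data-independent comparison is the conventional choice for a keyed-digest check. Replace it with `unsigned diff = 0;` / `for (size_t i = 0; i < SQUID_MD5_DIGEST_LENGTH; ++i) diff |= md5Digest[i] ^ md5_challenge[i];` / `return diff == 0;`, which yields the same boolean result. A comment on the line, `/* constant-time compare: do not leak where the digests first differ */`, would stop a later cleanup from reverting it to memcmp. The enclosing function begins outside this hunk.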