Update the hash function for key derivation to SHA256

(cherry picked from commit e0aa2210f9a75cb015e71155de38241138b8fe1d)
2022-04-27 10:27:56 +08:00 · 2022-04-27 10:27:56 +08:00 · f0aad8573e
commit f0aad8573e
parent b7e27bd4af
2 changed files with 45 additions and 1 deletions
--- a/authd.spec
+++ b/authd.spec
@ -1,6 +1,6 @@
 Name:             authd
 Version:          1.4.4
-Release:          1
+Release:          2
 Summary:          A RFC 1413 ident protocol daemon
 License:          GPLv2+
 URL:              https://github.com/InfrastructureServices/authd
@ -9,6 +9,9 @@ Source0:          https://github.com/InfrastructureServices/authd/releases/downl
 # https://github.com/InfrastructureServices/authd/tree/master/packaging/Fedora
 Source1:          auth.socket
 Source2:          auth@.service
+
+Patch0:           backport-Update-the-hash-function-for-key-derivation-to-SHA256.patch
+
 BuildRequires:    gcc openssl-devel gettext help2man systemd-units
 Requires(post):   openssl systemd-units
 Requires(preun):  systemd-units
@ -73,5 +76,8 @@ chmod o-rw %{_sysconfdir}/ident.key
 %doc rfc1413.txt

 %changelog
+* Wed Apr 27 2022 yixiangzhike <yixiangzhike007@163.com> - 1.4.4-2
+- Update the hash function for key derivation to SHA256
+
 * Tue Sep 10 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.4.4-1
 - Package init
--- a/backport-Update-the-hash-function-for-key-derivation-to-SHA256.patch
+++ b/backport-Update-the-hash-function-for-key-derivation-to-SHA256.patch
@ -0,0 +1,38 @@
+From eae2220ad19c905bb38e06f950c07c266b6a1398 Mon Sep 17 00:00:00 2001
+From: Pavel Zhukov <pavel@zhukoff.net>
+Date: Mon, 21 Sep 2020 09:02:57 +0200
+Subject: [PATCH] Update the hash function for key derivation to SHA256
+
+Author: Philippe Troin  <phil@fifi.org>
+Bug-Url: https://bugzilla.redhat.com/1669333
+---
+ authd.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/authd.c b/authd.c
+index a2072de..6d9f83e 100644
+--- a/authd.c
+++ b/authd.c
+@@ -806,7 +806,7 @@ static bool initialize_crypto(crypto_t *x, const char *filename) {
+     assert(filename != NULL && x != NULL);
+     if (stat(filename, &file) == 0) {
+         FILE *stream; ssize_t len;
+-        const EVP_MD *const HASH = EVP_md5();   // openssl compat: enc -pass
+        const EVP_MD *const HASH = EVP_sha256();   // openssl compat: enc -pass
+         const size_t KEY_SIZE = EVP_CIPHER_key_length(x->cipher);
+         const size_t IV_SIZE = EVP_CIPHER_iv_length(x->cipher);
+         char *pass = NULL; size_t z = 0;
+@@ -820,8 +820,8 @@ static bool initialize_crypto(crypto_t *x, const char *filename) {
+         if (fclose(stream) == EOF) return false;
+         if (len > 0 && pass[(size_t) (len - 1)] == '\n')
+             pass[(size_t) --len] = '\0';
+-        if (RAND_pseudo_bytes(x->salt, sizeof(x->salt)) <= 0) return false;
+-        EVP_BytesToKey(x->cipher, HASH, x->salt, pass, len, 1, x->key, x->iv);
+        if (RAND_bytes(x->salt, sizeof(x->salt)) <= 0) return false;
+        EVP_BytesToKey(x->cipher, HASH, x->salt, (const unsigned char*)pass, len, 1, x->key, x->iv);
+         memset(pass, 0, len);                           // XXX: crypto erase
+         free(pass);
+         is_initialized = true;
+-- 
+1.8.3.1
+