From 507cec1ff250e03da899ad027bc421b55d980c2b Mon Sep 17 00:00:00 2001 From: Steve Biondi Date: Mon, 22 Sep 2025 10:31:02 -0700 Subject: [PATCH 1/2] Re-add external www-authenticate library so we can show our changes in another commit.. Delete and re-add existing www-authenticate files to www-authenticate-patched. Change path for require for requester and tests. Changes to www-authenticate will be in subsequent commit, for tracking --- lib/requester.js | 2 +- .../md5.js | 4 +++- .../parsers.js | 3 ++- .../user-credentials.js | 4 ++-- .../www-authenticate.js | 20 ++----------------- test-basic/digestauth-fips-nomd5load.js | 8 ++++---- 6 files changed, 14 insertions(+), 27 deletions(-) rename lib/{www-authenticate => www-authenticate-patched}/md5.js (58%) rename lib/{www-authenticate => www-authenticate-patched}/parsers.js (99%) rename lib/{www-authenticate => www-authenticate-patched}/user-credentials.js (88%) rename lib/{www-authenticate => www-authenticate-patched}/www-authenticate.js (93%) diff --git a/lib/requester.js b/lib/requester.js index bb063426..8f922a2c 100644 --- a/lib/requester.js +++ b/lib/requester.js @@ -2,7 +2,7 @@ * Copyright © 2015-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved. */ 'use strict'; -var createAuthInitializer = require('./www-authenticate/www-authenticate'); +var createAuthInitializer = require('./www-authenticate-patched/www-authenticate'); var Kerberos = require('./optional.js') .libraryProperty('kerberos', 'Kerberos'); var Multipart = require('multipart-stream'); diff --git a/lib/www-authenticate/md5.js b/lib/www-authenticate-patched/md5.js similarity index 58% rename from lib/www-authenticate/md5.js rename to lib/www-authenticate-patched/md5.js index 3e6de8bf..5af85469 100644 --- a/lib/www-authenticate/md5.js +++ b/lib/www-authenticate-patched/md5.js @@ -1,4 +1,6 @@ -var crypto= require('crypto'); +var crypto= require('crypto') + , md5sum = crypto.createHash('md5') + ; function md5(s) { return crypto.createHash('md5').update(s).digest('hex'); diff --git a/lib/www-authenticate/parsers.js b/lib/www-authenticate-patched/parsers.js similarity index 99% rename from lib/www-authenticate/parsers.js rename to lib/www-authenticate-patched/parsers.js index 65e2be1d..8659d62d 100644 --- a/lib/www-authenticate/parsers.js +++ b/lib/www-authenticate-patched/parsers.js @@ -88,6 +88,8 @@ function Parse_WWW_Authenticate(to_parse) } } +Parse_Authentication_Info.prototype.parse_params= parse_params; + function Parse_Authentication_Info(to_parse) { this.scheme= 'Digest'; @@ -100,7 +102,6 @@ function Parse_Authentication_Info(to_parse) } } -Parse_Authentication_Info.prototype.parse_params= parse_params; Parse_WWW_Authenticate.prototype.parse_params= parse_params; module.exports = { diff --git a/lib/www-authenticate/user-credentials.js b/lib/www-authenticate-patched/user-credentials.js similarity index 88% rename from lib/www-authenticate/user-credentials.js rename to lib/www-authenticate-patched/user-credentials.js index 25bc405d..60ce4f0a 100644 --- a/lib/www-authenticate/user-credentials.js +++ b/lib/www-authenticate-patched/user-credentials.js @@ -16,9 +16,9 @@ function user_credentials(username,password,options) { '' : (!password && password !== '' ? - Buffer.from(username, "ascii").toString("base64") + new Buffer(username, "ascii").toString("base64") : - Buffer.from(username+':'+password, "ascii").toString("base64") + new Buffer(username+':'+password, "ascii").toString("base64") ) function Credentials() { diff --git a/lib/www-authenticate/www-authenticate.js b/lib/www-authenticate-patched/www-authenticate.js similarity index 93% rename from lib/www-authenticate/www-authenticate.js rename to lib/www-authenticate-patched/www-authenticate.js index f09c16ba..6bcb129f 100644 --- a/lib/www-authenticate/www-authenticate.js +++ b/lib/www-authenticate-patched/www-authenticate.js @@ -1,3 +1,4 @@ + /* * www-authenticate * https://github.com/randymized/www-authenticate @@ -6,13 +7,10 @@ * Licensed under the MIT license. */ -/* -* Copyright © 2015-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved. -*/ - 'use strict'; var crypto= require('crypto') + , md5sum = crypto.createHash('md5') , parsers= require('./parsers') , md5= require('./md5') , user_credentials= require('./user-credentials') @@ -42,20 +40,6 @@ var www_authenticator = function(username,password,options) cnonce= options.cnonce; } if (cnonce === void 0) cnonce= crypto.pseudoRandomBytes(8).toString('hex'); - - /** - * @typedef {Object} Authenticator - * @property {any} [err] - * @property {function(string=, string=): string} [authorize] - * @property {any} [parms] - * @property {string} [cnonce] - */ - - /** - * Parses the WWW-Authenticate header. - * @param {string} www_authenticate - * @returns {Authenticator} - */ var parse_header= function(www_authenticate) { function Authenticator() diff --git a/test-basic/digestauth-fips-nomd5load.js b/test-basic/digestauth-fips-nomd5load.js index c90ca73d..fd244643 100644 --- a/test-basic/digestauth-fips-nomd5load.js +++ b/test-basic/digestauth-fips-nomd5load.js @@ -22,8 +22,8 @@ describe('FIPS test - ensure MD5 hash digester object is not loaded by default o * To simulate the require/load, we first delete the module from Node's require cache * and then require it again, which forces a reload of the module. */ - delete require.cache[require.resolve('../lib/www-authenticate/www-authenticate')]; - delete require.cache[require.resolve('../lib/www-authenticate/md5')]; + delete require.cache[require.resolve('../lib/www-authenticate-patched/www-authenticate')]; + delete require.cache[require.resolve('../lib/www-authenticate-patched/md5')]; const crypto = require('crypto'); const originalCreateHash = crypto.createHash; @@ -40,8 +40,8 @@ describe('FIPS test - ensure MD5 hash digester object is not loaded by default o (() => crypto.createHash('md5')).should.throw('FIPS emulation: MD5 digest algorithm is not allowed on this system!'); // Require the module - should not call to get MD5 digester so should not throw - (() => require('../lib/www-authenticate/md5')).should.not.throw(); - (() => require('../lib/www-authenticate/www-authenticate')).should.not.throw(); + (() => require('../lib/www-authenticate-patched/md5')).should.not.throw(); + (() => require('../lib/www-authenticate-patched/www-authenticate')).should.not.throw(); } finally { // Restore the original createHash function to avoid side effects From 9d57aef620d59378f14cc0c089b731180eff8fe5 Mon Sep 17 00:00:00 2001 From: Steve Biondi Date: Mon, 22 Sep 2025 11:12:36 -0700 Subject: [PATCH 2/2] Remove unnecessary top-level MD5 digester functions that cause an exception on FIPS-enabled systems when the www-authenticate module is loaded via require. The MD5 digester functions are already created on demand when using DIGEST authentication. Use Buffer.from rather than deprecated new Buffer constructor form. Move the Parser_Authenticate_Info prototype statement to after the definition of the function. Add copyright to all the files. --- lib/www-authenticate-patched/md5.js | 15 ++++++++++++--- lib/www-authenticate-patched/parsers.js | 14 ++++++++++++-- lib/www-authenticate-patched/user-credentials.js | 15 +++++++++++++-- lib/www-authenticate-patched/www-authenticate.js | 5 +++-- 4 files changed, 40 insertions(+), 9 deletions(-) diff --git a/lib/www-authenticate-patched/md5.js b/lib/www-authenticate-patched/md5.js index 5af85469..732d576e 100644 --- a/lib/www-authenticate-patched/md5.js +++ b/lib/www-authenticate-patched/md5.js @@ -1,6 +1,15 @@ -var crypto= require('crypto') - , md5sum = crypto.createHash('md5') - ; +/* + * www-authenticate + * https://github.com/randymized/www-authenticate + * + * Copyright (c) 2013 Randy McLaughlin + * Licensed under the MIT license. + */ + +/* +* Copyright © 2015-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved. +*/ +var crypto= require('crypto'); function md5(s) { return crypto.createHash('md5').update(s).digest('hex'); diff --git a/lib/www-authenticate-patched/parsers.js b/lib/www-authenticate-patched/parsers.js index 8659d62d..7deb6fe6 100644 --- a/lib/www-authenticate-patched/parsers.js +++ b/lib/www-authenticate-patched/parsers.js @@ -1,3 +1,14 @@ +/* + * www-authenticate + * https://github.com/randymized/www-authenticate + * + * Copyright (c) 2013 Randy McLaughlin + * Licensed under the MIT license. + */ + +/* +* Copyright © 2015-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved. +*/ var ParseAuth= /(\w+)\s+(.*)/ // -> scheme, params , Separators= /([",=])/ ; @@ -88,8 +99,6 @@ function Parse_WWW_Authenticate(to_parse) } } -Parse_Authentication_Info.prototype.parse_params= parse_params; - function Parse_Authentication_Info(to_parse) { this.scheme= 'Digest'; @@ -102,6 +111,7 @@ function Parse_Authentication_Info(to_parse) } } +Parse_Authentication_Info.prototype.parse_params= parse_params; Parse_WWW_Authenticate.prototype.parse_params= parse_params; module.exports = { diff --git a/lib/www-authenticate-patched/user-credentials.js b/lib/www-authenticate-patched/user-credentials.js index 60ce4f0a..c1f5db0b 100644 --- a/lib/www-authenticate-patched/user-credentials.js +++ b/lib/www-authenticate-patched/user-credentials.js @@ -1,3 +1,14 @@ +/* + * www-authenticate + * https://github.com/randymized/www-authenticate + * + * Copyright (c) 2013 Randy McLaughlin + * Licensed under the MIT license. + */ + +/* +* Copyright © 2015-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved. +*/ var md5= require('./md5'); /* @@ -16,9 +27,9 @@ function user_credentials(username,password,options) { '' : (!password && password !== '' ? - new Buffer(username, "ascii").toString("base64") + Buffer.from(username, "ascii").toString("base64") : - new Buffer(username+':'+password, "ascii").toString("base64") + Buffer.from(username+':'+password, "ascii").toString("base64") ) function Credentials() { diff --git a/lib/www-authenticate-patched/www-authenticate.js b/lib/www-authenticate-patched/www-authenticate.js index 6bcb129f..739006b8 100644 --- a/lib/www-authenticate-patched/www-authenticate.js +++ b/lib/www-authenticate-patched/www-authenticate.js @@ -1,4 +1,3 @@ - /* * www-authenticate * https://github.com/randymized/www-authenticate @@ -7,10 +6,12 @@ * Licensed under the MIT license. */ +/* +* Copyright © 2015-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved. +*/ 'use strict'; var crypto= require('crypto') - , md5sum = crypto.createHash('md5') , parsers= require('./parsers') , md5= require('./md5') , user_credentials= require('./user-credentials')