Merge pull request #965 from stevebio/task/fipsMD5Fix2

stevebio · web-flow · commit 6ba3f22a11d8 · 2025-09-22T11:57:13.000-07:00
MLE-24397 - fix reported issue on Linux FIPS around exception caused by default load of FIPS-forbidden MD5 digest algorithm. Incorporate the source from the abandoned www-authenticate project and fix in place.
diff --git a/lib/requester.js b/lib/requester.js
@@ -2,7 +2,7 @@
 * Copyright © 2015-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
 */
 'use strict';
-var createAuthInitializer = require('./www-authenticate/www-authenticate');
+var createAuthInitializer = require('./www-authenticate-patched/www-authenticate');
 var Kerberos              = require('./optional.js')
                             .libraryProperty('kerberos', 'Kerberos');
 var Multipart             = require('multipart-stream');
diff --git a/lib/www-authenticate-patched/md5.js b/lib/www-authenticate-patched/md5.js
@@ -0,0 +1,18 @@
+/*
+ * www-authenticate
+ * https://github.com/randymized/www-authenticate
+ *
+ * Copyright (c) 2013 Randy McLaughlin
+ * Licensed under the MIT license.
+ */
+
+/*
+* Copyright © 2015-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
+*/
+var crypto= require('crypto');
+
+function md5(s) {
+  return crypto.createHash('md5').update(s).digest('hex');
+}
+
+module.exports= md5;
diff --git a/lib/www-authenticate-patched/parsers.js b/lib/www-authenticate-patched/parsers.js
@@ -1,3 +1,14 @@
+/*
+ * www-authenticate
+ * https://github.com/randymized/www-authenticate
+ *
+ * Copyright (c) 2013 Randy McLaughlin
+ * Licensed under the MIT license.
+ */
+
+/*
+* Copyright © 2015-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
+*/
 var ParseAuth= /(\w+)\s+(.*)/  // -> scheme, params
   , Separators= /([",=])/
   ;
diff --git a/lib/www-authenticate-patched/user-credentials.js b/lib/www-authenticate-patched/user-credentials.js
@@ -1,3 +1,14 @@
+/*
+ * www-authenticate
+ * https://github.com/randymized/www-authenticate
+ *
+ * Copyright (c) 2013 Randy McLaughlin
+ * Licensed under the MIT license.
+ */
+
+/*
+* Copyright © 2015-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
+*/
 var md5= require('./md5');
 
 /*
diff --git a/lib/www-authenticate-patched/www-authenticate.js b/lib/www-authenticate-patched/www-authenticate.js
@@ -9,7 +9,6 @@
 /*
 * Copyright © 2015-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
 */
-
 'use strict';
 
 var crypto= require('crypto')
@@ -42,20 +41,6 @@ var www_authenticator = function(username,password,options)
       cnonce= options.cnonce;
   }
   if (cnonce === void 0) cnonce= crypto.pseudoRandomBytes(8).toString('hex');
-
-  /**
-   * @typedef {Object} Authenticator
-   * @property {any} [err]
-   * @property {function(string=, string=): string} [authorize]
-   * @property {any} [parms]
-   * @property {string} [cnonce]
-   */
-
-  /**
-   * Parses the WWW-Authenticate header.
-   * @param {string} www_authenticate
-   * @returns {Authenticator}
-   */
   var parse_header= function(www_authenticate)
   {
     function Authenticator()
diff --git a/lib/www-authenticate/md5.js b/lib/www-authenticate/md5.js
diff --git a/test-basic/digestauth-fips-nomd5load.js b/test-basic/digestauth-fips-nomd5load.js
@@ -22,8 +22,8 @@ describe('FIPS test - ensure MD5 hash digester object is not loaded by default o
      * To simulate the require/load, we first delete the module from Node's require cache
      * and then require it again, which forces a reload of the module.
      */
-    delete require.cache[require.resolve('../lib/www-authenticate/www-authenticate')];
-    delete require.cache[require.resolve('../lib/www-authenticate/md5')];
+    delete require.cache[require.resolve('../lib/www-authenticate-patched/www-authenticate')];
+    delete require.cache[require.resolve('../lib/www-authenticate-patched/md5')];
     const crypto = require('crypto');
     const originalCreateHash = crypto.createHash;
 
@@ -40,8 +40,8 @@ describe('FIPS test - ensure MD5 hash digester object is not loaded by default o
       (() => crypto.createHash('md5')).should.throw('FIPS emulation: MD5 digest algorithm is not allowed on this system!');
 
       // Require the module - should not call to get MD5 digester so should not throw
-      (() => require('../lib/www-authenticate/md5')).should.not.throw();
-      (() => require('../lib/www-authenticate/www-authenticate')).should.not.throw();
+      (() => require('../lib/www-authenticate-patched/md5')).should.not.throw();
+      (() => require('../lib/www-authenticate-patched/www-authenticate')).should.not.throw();
 
     } finally {
       // Restore the original createHash function to avoid side effects
