From 2c4d2f9160425c5e63efaff7128950e6ca824bf4ce358cd1e27808ae93c5e538 Mon Sep 17 00:00:00 2001
From: Marcus Meissner
Date: Mon, 26 Nov 2018 16:55:50 +0000
Subject: [PATCH] Accepting request 649912 from home:stroeder:branches:network
Update to 2.1.27 Please carefully review this change! I don't know what's the build issue on older distro version. I've successfully tested on Tumbleweed x86_64: LDAPI with SASL/EXTERNAL, LDAPS client certs with SASL/EXTERNAL, LDAP with SASL/GSSAPI to MS AD
OBS-URL: https://build.opensuse.org/request/show/649912
OBS-URL: https://build.opensuse.org/package/show/network/cyrus-sasl?expand=0&rev=74
---
 cyrus-sasl-2.1.26.tar.gz | 3 -
 cyrus-sasl-2.1.27-openssl-1.1.0.patch | 438 --------------------------
 cyrus-sasl-2.1.27.tar.gz | 3 +
 cyrus-sasl-issue-402.patch | 70 ----
 cyrus-sasl-lfs.patch | 82 +----
 cyrus-sasl-no_rpath.patch | 6 +-
 cyrus-sasl-revert_gssapi_flags.patch | 15 -
 cyrus-sasl-saslauthd.changes | 31 ++
 cyrus-sasl-saslauthd.spec | 15 +-
 cyrus-sasl.changes | 32 ++
 cyrus-sasl.dif | 27 +-
 cyrus-sasl.spec | 19 +-
 fix-sasl-header.diff | 12 -
 fix_libpq-fe_include.diff | 11 +
 shared_link_on_ppc.patch | 10 -
 15 files changed, 107 insertions(+), 667 deletions(-)
 delete mode 100644 cyrus-sasl-2.1.26.tar.gz
 delete mode 100644 cyrus-sasl-2.1.27-openssl-1.1.0.patch
 create mode 100644 cyrus-sasl-2.1.27.tar.gz
 delete mode 100644 cyrus-sasl-issue-402.patch
 delete mode 100644 cyrus-sasl-revert_gssapi_flags.patch
 delete mode 100644 fix-sasl-header.diff
 create mode 100644 fix_libpq-fe_include.diff
 delete mode 100644 shared_link_on_ppc.patch
diff --git a/cyrus-sasl-2.1.26.tar.gz b/cyrus-sasl-2.1.26.tar.gz
deleted file mode 100644
index ff07f5c..0000000
--- a/cyrus-sasl-2.1.26.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8fbc5136512b59bb793657f36fadda6359cae3b08f01fd16b3d406f1345b7bc3
-size 5220231
diff --git a/cyrus-sasl-2.1.27-openssl-1.1.0.patch b/cyrus-sasl-2.1.27-openssl-1.1.0.patch
deleted file mode 100644
index 045d509..0000000
--- a/cyrus-sasl-2.1.27-openssl-1.1.0.patch
+++ /dev/null
@@ -1,438 +0,0 @@ -Index: cyrus-sasl-2.1.26/plugins/ntlm.c -=================================================================== ---- cyrus-sasl-2.1.26.orig/plugins/ntlm.c 2012-01-28 00:31:36.000000000 +0100 -+++ cyrus-sasl-2.1.26/plugins/ntlm.c 2017-09-04 12:00:57.773615637 +0200 -@@ -417,6 +417,29 @@ static unsigned char *P24(unsigned char - return P24; - } - -+static HMAC_CTX *_plug_HMAC_CTX_new(const sasl_utils_t *utils) -+{ -+ utils->log(NULL, SASL_LOG_DEBUG, "_plug_HMAC_CTX_new()"); -+ -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+ return HMAC_CTX_new(); -+#else -+ return utils->malloc(sizeof(HMAC_CTX)); -+#endif -+} -+ -+static void _plug_HMAC_CTX_free(HMAC_CTX *ctx, const sasl_utils_t *utils) -+{ -+ utils->log(NULL, SASL_LOG_DEBUG, "_plug_HMAC_CTX_free()"); -+ -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+ HMAC_CTX_free(ctx); -+#else -+ HMAC_cleanup(ctx); -+ utils->free(ctx); -+#endif -+} -+ - static unsigned char *V2(unsigned char *V2, sasl_secret_t *passwd, - const char *authid, const char *target, - const unsigned char *challenge, -@@ -424,7 +447,7 @@ static unsigned char *V2(unsigned char * - const sasl_utils_t *utils, - char **buf, unsigned *buflen, int *result) - { -- HMAC_CTX ctx; -+ HMAC_CTX *ctx = NULL; - unsigned char hash[EVP_MAX_MD_SIZE]; - char *upper; - unsigned int len; -@@ -435,6 +458,10 @@ static unsigned char *V2(unsigned char * - SETERROR(utils, "cannot allocate NTLMv2 hash"); - *result = SASL_NOMEM; - } -+ else if ((ctx = _plug_HMAC_CTX_new(utils)) == NULL) { -+ SETERROR(utils, "cannot allocate HMAC CTX"); -+ *result = SASL_NOMEM; -+ } - else { - /* NTLMv2hash = HMAC-MD5(NTLMhash, unicode(ucase(authid + domain))) */ - P16_nt(hash, passwd, utils, buf, buflen, result); -@@ -449,17 +476,18 @@ static unsigned char *V2(unsigned char * - HMAC(EVP_md5(), hash, MD4_DIGEST_LENGTH, *buf, 2 * len, hash, &len); - - /* V2 = HMAC-MD5(NTLMv2hash, challenge + blob) + blob */ -- HMAC_Init(&ctx, hash, len, EVP_md5()); -- HMAC_Update(&ctx, challenge, 
NTLM_NONCE_LENGTH); -- HMAC_Update(&ctx, blob, bloblen); -- HMAC_Final(&ctx, V2, &len); -- HMAC_cleanup(&ctx); -+ HMAC_Init_ex(ctx, hash, len, EVP_md5(), NULL); -+ HMAC_Update(ctx, challenge, NTLM_NONCE_LENGTH); -+ HMAC_Update(ctx, blob, bloblen); -+ HMAC_Final(ctx, V2, &len); - - /* the blob is concatenated outside of this function */ - - *result = SASL_OK; - } - -+ if (ctx) _plug_HMAC_CTX_free(ctx, utils); -+ - return V2; - } - -Index: cyrus-sasl-2.1.26/plugins/otp.c -=================================================================== ---- cyrus-sasl-2.1.26.orig/plugins/otp.c 2012-10-12 16:05:48.000000000 +0200 -+++ cyrus-sasl-2.1.26/plugins/otp.c 2017-09-04 12:00:57.773615637 +0200 -@@ -96,6 +96,28 @@ static algorithm_option_t algorithm_opti - {NULL, 0, NULL} - }; - -+static EVP_MD_CTX *_plug_EVP_MD_CTX_new(const sasl_utils_t *utils) -+{ -+ utils->log(NULL, SASL_LOG_DEBUG, "_plug_EVP_MD_CTX_new()"); -+ -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+ return EVP_MD_CTX_new(); -+#else -+ return utils->malloc(sizeof(EVP_MD_CTX)); -+#endif -+} -+ -+static void _plug_EVP_MD_CTX_free(EVP_MD_CTX *ctx, const sasl_utils_t *utils) -+{ -+ utils->log(NULL, SASL_LOG_DEBUG, "_plug_EVP_MD_CTX_free()"); -+ -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+ EVP_MD_CTX_free(ctx); -+#else -+ utils->free(ctx); -+#endif -+} -+ - /* Convert the binary data into ASCII hex */ - void bin2hex(unsigned char *bin, int binlen, char *hex) - { -@@ -116,17 +138,16 @@ void bin2hex(unsigned char *bin, int bin - * swabbing bytes if necessary. 
- */ - static void otp_hash(const EVP_MD *md, char *in, size_t inlen, -- unsigned char *out, int swab) -+ unsigned char *out, int swab, EVP_MD_CTX *mdctx) - { -- EVP_MD_CTX mdctx; -- char hash[EVP_MAX_MD_SIZE]; -+ unsigned char hash[EVP_MAX_MD_SIZE]; - unsigned int i; - int j; - unsigned hashlen; - -- EVP_DigestInit(&mdctx, md); -- EVP_DigestUpdate(&mdctx, in, inlen); -- EVP_DigestFinal(&mdctx, hash, &hashlen); -+ EVP_DigestInit(mdctx, md); -+ EVP_DigestUpdate(mdctx, in, inlen); -+ EVP_DigestFinal(mdctx, hash, &hashlen); - - /* Fold the result into 64 bits */ - for (i = OTP_HASH_SIZE; i < hashlen; i++) { -@@ -149,7 +170,9 @@ static int generate_otp(const sasl_utils - char *secret, char *otp) - { - const EVP_MD *md; -- char *key; -+ EVP_MD_CTX *mdctx = NULL; -+ char *key = NULL; -+ int r = SASL_OK; - - if (!(md = EVP_get_digestbyname(alg->evp_name))) { - utils->seterror(utils->conn, 0, -@@ -157,23 +180,32 @@ static int generate_otp(const sasl_utils - return SASL_FAIL; - } - -+ if ((mdctx = _plug_EVP_MD_CTX_new(utils)) == NULL) { -+ SETERROR(utils, "cannot allocate MD CTX"); -+ r = SASL_NOMEM; -+ goto done; -+ } -+ - if ((key = utils->malloc(strlen(seed) + strlen(secret) + 1)) == NULL) { - SETERROR(utils, "cannot allocate OTP key"); -- return SASL_NOMEM; -+ r = SASL_NOMEM; -+ goto done; - } - - /* initial step */ - strcpy(key, seed); - strcat(key, secret); -- otp_hash(md, key, strlen(key), otp, alg->swab); -+ otp_hash(md, key, strlen(key), otp, alg->swab, mdctx); - - /* computation step */ - while (seq-- > 0) -- otp_hash(md, otp, OTP_HASH_SIZE, otp, alg->swab); -- -- utils->free(key); -+ otp_hash(md, otp, OTP_HASH_SIZE, otp, alg->swab, mdctx); -+ -+ done: -+ if (key) utils->free(key); -+ if (mdctx) _plug_EVP_MD_CTX_free(mdctx, utils); - -- return SASL_OK; -+ return r; - } - - static int parse_challenge(const sasl_utils_t *utils, -@@ -693,7 +725,8 @@ static int strptrcasecmp(const void *arg - - /* Convert the 6 words into binary data */ - static int word2bin(const 
sasl_utils_t *utils, -- char *words, unsigned char *bin, const EVP_MD *md) -+ char *words, unsigned char *bin, const EVP_MD *md, -+ EVP_MD_CTX *mdctx) - { - int i, j; - char *c, *word, buf[OTP_RESPONSE_MAX+1]; -@@ -752,13 +785,12 @@ static int word2bin(const sasl_utils_t * - - /* alternate dictionary */ - if (alt_dict) { -- EVP_MD_CTX mdctx; -- char hash[EVP_MAX_MD_SIZE]; -- int hashlen; -+ unsigned char hash[EVP_MAX_MD_SIZE]; -+ unsigned hashlen; - -- EVP_DigestInit(&mdctx, md); -- EVP_DigestUpdate(&mdctx, word, strlen(word)); -- EVP_DigestFinal(&mdctx, hash, &hashlen); -+ EVP_DigestInit(mdctx, md); -+ EVP_DigestUpdate(mdctx, word, strlen(word)); -+ EVP_DigestFinal(mdctx, hash, &hashlen); - - /* use lowest 11 bits */ - x = ((hash[hashlen-2] & 0x7) << 8) | hash[hashlen-1]; -@@ -802,6 +834,7 @@ static int verify_response(server_contex - char *response) - { - const EVP_MD *md; -+ EVP_MD_CTX *mdctx = NULL; - char *c; - int do_init = 0; - unsigned char cur_otp[OTP_HASH_SIZE], prev_otp[OTP_HASH_SIZE]; -@@ -815,6 +848,11 @@ static int verify_response(server_contex - return SASL_FAIL; - } - -+ if ((mdctx = _plug_EVP_MD_CTX_new(utils)) == NULL) { -+ SETERROR(utils, "cannot allocate MD CTX"); -+ return SASL_NOMEM; -+ } -+ - /* eat leading whitespace */ - c = response; - while (isspace((int) *c)) c++; -@@ -824,7 +862,7 @@ static int verify_response(server_contex - r = hex2bin(c+strlen(OTP_HEX_TYPE), cur_otp, OTP_HASH_SIZE); - } - else if (!strncasecmp(c, OTP_WORD_TYPE, strlen(OTP_WORD_TYPE))) { -- r = word2bin(utils, c+strlen(OTP_WORD_TYPE), cur_otp, md); -+ r = word2bin(utils, c+strlen(OTP_WORD_TYPE), cur_otp, md, mdctx); - } - else if (!strncasecmp(c, OTP_INIT_HEX_TYPE, - strlen(OTP_INIT_HEX_TYPE))) { -@@ -834,7 +872,7 @@ static int verify_response(server_contex - else if (!strncasecmp(c, OTP_INIT_WORD_TYPE, - strlen(OTP_INIT_WORD_TYPE))) { - do_init = 1; -- r = word2bin(utils, c+strlen(OTP_INIT_WORD_TYPE), cur_otp, md); -+ r = word2bin(utils, c+strlen(OTP_INIT_WORD_TYPE), 
cur_otp, md, mdctx); - } - else { - SETERROR(utils, "unknown OTP extended response type"); -@@ -843,14 +881,15 @@ static int verify_response(server_contex - } - else { - /* standard response, try word first, and then hex */ -- r = word2bin(utils, c, cur_otp, md); -+ r = word2bin(utils, c, cur_otp, md, mdctx); - if (r != SASL_OK) - r = hex2bin(c, cur_otp, OTP_HASH_SIZE); - } - - if (r == SASL_OK) { - /* do one more hash (previous otp) and compare to stored otp */ -- otp_hash(md, cur_otp, OTP_HASH_SIZE, prev_otp, text->alg->swab); -+ otp_hash(md, (char *) cur_otp, OTP_HASH_SIZE, -+ prev_otp, text->alg->swab, mdctx); - - if (!memcmp(prev_otp, text->otp, OTP_HASH_SIZE)) { - /* update the secret with this seq/otp */ -@@ -879,23 +918,28 @@ static int verify_response(server_contex - *new_resp++ = '\0'; - } - -- if (!(new_chal && new_resp)) -- return SASL_BADAUTH; -+ if (!(new_chal && new_resp)) { -+ r = SASL_BADAUTH; -+ goto done; -+ } - - if ((r = parse_challenge(utils, new_chal, &alg, &seq, seed, 1)) - != SASL_OK) { -- return r; -+ goto done; - } - -- if (seq < 1 || !strcasecmp(seed, text->seed)) -- return SASL_BADAUTH; -+ if (seq < 1 || !strcasecmp(seed, text->seed)) { -+ r = SASL_BADAUTH; -+ goto done; -+ } - - /* find the MDA */ - if (!(md = EVP_get_digestbyname(alg->evp_name))) { - utils->seterror(utils->conn, 0, - "OTP algorithm %s is not available", - alg->evp_name); -- return SASL_BADAUTH; -+ r = SASL_BADAUTH; -+ goto done; - } - - if (!strncasecmp(c, OTP_INIT_HEX_TYPE, strlen(OTP_INIT_HEX_TYPE))) { -@@ -903,7 +947,7 @@ static int verify_response(server_contex - } - else if (!strncasecmp(c, OTP_INIT_WORD_TYPE, - strlen(OTP_INIT_WORD_TYPE))) { -- r = word2bin(utils, new_resp, new_otp, md); -+ r = word2bin(utils, new_resp, new_otp, md, mdctx); - } - - if (r == SASL_OK) { -@@ -914,7 +958,10 @@ static int verify_response(server_contex - memcpy(text->otp, new_otp, OTP_HASH_SIZE); - } - } -- -+ -+ done: -+ if (mdctx) _plug_EVP_MD_CTX_free(mdctx, utils); -+ - return r; 
- } - -Index: cyrus-sasl-2.1.26/saslauthd/lak.c -=================================================================== ---- cyrus-sasl-2.1.26.orig/saslauthd/lak.c 2012-10-12 16:05:48.000000000 +0200 -+++ cyrus-sasl-2.1.26/saslauthd/lak.c 2017-09-04 12:00:57.773615637 +0200 -@@ -61,6 +61,35 @@ - #include - #include "lak.h" - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+static EVP_MD_CTX *EVP_MD_CTX_new(void) -+{ -+ return EVP_MD_CTX_create(); -+} -+static void EVP_MD_CTX_free(EVP_MD_CTX *ctx) -+{ -+ if (ctx == NULL) -+ return; -+ -+ EVP_MD_CTX_destroy(ctx); -+} -+ -+static EVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void) -+{ -+ EVP_ENCODE_CTX *ctx = OPENSSL_malloc(sizeof(*ctx)); -+ -+ if (ctx != NULL) { -+ memset(ctx, 0, sizeof(*ctx)); -+ } -+ return ctx; -+} -+static void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx) -+{ -+ OPENSSL_free(ctx); -+ return; -+} -+#endif -+ - typedef struct lak_auth_method { - int method; - int (*check) (LAK *lak, const char *user, const char *service, const char *realm, const char *password) ; -@@ -1715,20 +1744,28 @@ static int lak_base64_decode( - - int rc, i, tlen = 0; - char *text; -- EVP_ENCODE_CTX EVP_ctx; -+ EVP_ENCODE_CTX *enc_ctx = EVP_ENCODE_CTX_new(); - -- text = (char *)malloc(((strlen(src)+3)/4 * 3) + 1); - if (text == NULL) - return LAK_NOMEM; - -- EVP_DecodeInit(&EVP_ctx); -- rc = EVP_DecodeUpdate(&EVP_ctx, text, &i, (char *)src, strlen(src)); -+ text = (char *)malloc(((strlen(src)+3)/4 * 3) + 1); -+ if (text == NULL) { -+ EVP_ENCODE_CTX_free(enc_ctx); -+ return LAK_NOMEM; -+ } -+ -+ EVP_DecodeInit(enc_ctx); -+ rc = EVP_DecodeUpdate(enc_ctx, (unsigned char *) text, &i, (const unsigned char *)src, strlen(src)); - if (rc < 0) { -+ EVP_ENCODE_CTX_free(enc_ctx); - free(text); - return LAK_FAIL; - } - tlen += i; -- EVP_DecodeFinal(&EVP_ctx, text, &i); -+ EVP_DecodeFinal(enc_ctx, (unsigned char *) text, &i); -+ -+ EVP_ENCODE_CTX_free(enc_ctx); - - *ret = text; - if (rlen != NULL) -@@ -1744,7 +1781,7 @@ static int lak_check_hashed( - { - int 
rc, clen; - LAK_HASH_ROCK *hrock = (LAK_HASH_ROCK *) rock; -- EVP_MD_CTX mdctx; -+ EVP_MD_CTX *mdctx; - const EVP_MD *md; - unsigned char digest[EVP_MAX_MD_SIZE]; - char *cred; -@@ -1753,17 +1790,24 @@ static int lak_check_hashed( - if (!md) - return LAK_FAIL; - -+ mdctx = EVP_MD_CTX_new(); -+ if (!mdctx) -+ return LAK_NOMEM; -+ - rc = lak_base64_decode(hash, &cred, &clen); -- if (rc != LAK_OK) -+ if (rc != LAK_OK) { -+ EVP_MD_CTX_free(mdctx); - return rc; -+ } - -- EVP_DigestInit(&mdctx, md); -- EVP_DigestUpdate(&mdctx, passwd, strlen(passwd)); -+ EVP_DigestInit(mdctx, md); -+ EVP_DigestUpdate(mdctx, passwd, strlen(passwd)); - if (hrock->salted) { -- EVP_DigestUpdate(&mdctx, &cred[EVP_MD_size(md)], -+ EVP_DigestUpdate(mdctx, &cred[EVP_MD_size(md)], - clen - EVP_MD_size(md)); - } -- EVP_DigestFinal(&mdctx, digest, NULL); -+ EVP_DigestFinal(mdctx, digest, NULL); -+ EVP_MD_CTX_free(mdctx); - - rc = memcmp((char *)cred, (char *)digest, EVP_MD_size(md)); - free(cred); diff --git a/cyrus-sasl-2.1.27.tar.gz b/cyrus-sasl-2.1.27.tar.gz new file mode 100644 index 0000000..537762b --- /dev/null +++ b/cyrus-sasl-2.1.27.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0385b2f797f13cead2327454eb47550f0bb4c1f0c4af1176d550a31eff7c2cf9 +size 4166667 diff --git a/cyrus-sasl-issue-402.patch b/cyrus-sasl-issue-402.patch deleted file mode 100644 index d20eaa6..0000000 --- a/cyrus-sasl-issue-402.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -commit 06260404c047e111f86b67de2862ec124f8fe2ec -Author: Sergio Gelato -Date: Wed Oct 21 20:45:17 2015 +0200 - - Postpone computing maxbufsize until after security layers have been set. - - Prior to this commit it was possible for the GSSAPI mechanism acceptor to - return a zero maxbufsize together with the integrity and/or confidentiality - layer bits set. This is not a workable combination. - - Solve this by not zeroing maxbufsize (as required by RFC 4752 when only - the only security layer selected is authentication) until computation of - the security layer mask is complete. The condition for zeroing maxbufsize - then becomes much more straightforward. - -diff --git a/plugins/gssapi.c b/plugins/gssapi.c -index 2fd1b3b..e861864 100644 ---- a/plugins/gssapi.c -+++ b/plugins/gssapi.c -@@ -1007,21 +1007,14 @@ gssapi_server_mech_ssfcap(context_t *text, - } - - /* build up our security properties token */ -- if (text->requiressf != 0 && -- (text->qop & (LAYER_INTEGRITY|LAYER_CONFIDENTIALITY))) { -- if (params->props.maxbufsize > 0xFFFFFF) { -- /* make sure maxbufsize isn't too large */ -- /* maxbufsize = 0xFFFFFF */ -- sasldata[1] = sasldata[2] = sasldata[3] = 0xFF; -- } else { -- sasldata[1] = (params->props.maxbufsize >> 16) & 0xFF; -- sasldata[2] = (params->props.maxbufsize >> 8) & 0xFF; -- sasldata[3] = (params->props.maxbufsize >> 0) & 0xFF; -- } -+ if (params->props.maxbufsize > 0xFFFFFF) { -+ /* make sure maxbufsize isn't too large */ -+ /* maxbufsize = 0xFFFFFF */ -+ sasldata[1] = sasldata[2] = sasldata[3] = 0xFF; - } else { -- /* From RFC 4752: "The client verifies that the server maximum buffer is 0 -- if the server does not advertise support for any security layer." 
*/ -- sasldata[1] = sasldata[2] = sasldata[3] = 0; -+ sasldata[1] = (params->props.maxbufsize >> 16) & 0xFF; -+ sasldata[2] = (params->props.maxbufsize >> 8) & 0xFF; -+ sasldata[3] = (params->props.maxbufsize >> 0) & 0xFF; - } - - sasldata[0] = 0; -@@ -1047,6 +1040,12 @@ gssapi_server_mech_ssfcap(context_t *text, - sasldata[0] |= LAYER_CONFIDENTIALITY; - } - -+ if ((sasldata[0] & ~LAYER_NONE) == 0) { -+ /* From RFC 4752: "The client verifies that the server maximum buffer is 0 -+ if the server does not advertise support for any security layer." */ -+ sasldata[1] = sasldata[2] = sasldata[3] = 0; -+ } -+ - /* Remember what we want and can offer */ - text->qop = sasldata[0]; - -@@ -1401,7 +1400,7 @@ int gssapiv2_server_plug_init( - keytab, errno); - return SASL_FAIL; - } -- -+ - if(strlen(keytab) > 1024) { - utils->log(NULL, SASL_LOG_ERR, - "path to keytab is > 1024 characters"); diff --git a/cyrus-sasl-lfs.patch b/cyrus-sasl-lfs.patch index e9a90d6..0ced6b3 100644 --- a/cyrus-sasl-lfs.patch +++ b/cyrus-sasl-lfs.patch 
@@ -1,83 +1,13 @@ ---- configure.in.orig -+++ configure.in -@@ -84,7 +84,9 @@ AC_ARG_ENABLE(obsolete_cram_attr, - enable_obsolete_cram_attr=$enableval, - enable_obsolete_cram_attr=yes) +--- cyrus-sasl-2.1.27.orig/configure.ac 2018-10-09 16:58:04.000000000 +0200 ++++ cyrus-sasl-2.1.27/configure.ac 2018-11-17 13:05:26.475631124 +0100 +@@ -95,7 +95,9 @@ + enable_obsolete_digest_attr=$enableval, + enable_obsolete_digest_attr=yes) -AC_PROG_CC +AC_PROG_CC_STDC +AC_USE_SYSTEM_EXTENSIONS +AC_SYS_LARGEFILE + AX_PROG_CC_FOR_BUILD AC_PROG_CPP AC_PROG_AWK - AC_PROG_LN_S ---- saslauthd/configure.in.orig -+++ saslauthd/configure.in -@@ -19,7 +19,9 @@ AM_INIT_AUTOMAKE(saslauthd,2.1.25) - CMU_INIT_AUTOMAKE - - dnl Checks for programs. --AC_PROG_CC -+AC_PROG_CC_STDC -+AC_USE_SYSTEM_EXTENSIONS -+AC_SYS_LARGEFILE - AC_PROG_CPP - AC_PROG_AWK - AC_PROG_MAKE_SET ---- plugins/Makefile.am.orig -+++ plugins/Makefile.am -@@ -49,7 +49,8 @@ - plugin_version = 3:0:0 - - INCLUDES=-I$(top_srcdir)/include -I$(top_srcdir)/lib -I$(top_srcdir)/sasldb -I$(top_builddir)/include --AM_LDFLAGS = -module -export-dynamic -rpath $(plugindir) -version-info $(plugin_version) -+AM_CPPFLAGS = -include $(top_builddir)/config.h -+AM_LDFLAGS = -module -shared -export-dynamic -rpath $(plugindir) -version-info $(plugin_version) - - COMPAT_OBJS = @LTGETADDRINFOOBJS@ @LTGETNAMEINFOOBJS@ @LTSNPRINTFOBJS@ - ---- lib/Makefile.am.orig -+++ lib/Makefile.am -@@ -43,7 +43,8 @@ - # CURRENT:REVISION:AGE - sasl_version = 3:0:0 - --INCLUDES=-DLIBSASL_EXPORTS=1 -I$(top_srcdir)/include -I$(top_srcdir)/plugins -I$(top_builddir)/include -I$(top_srcdir)/sasldb -+ -+AM_CPPFLAGS=-DLIBSASL_EXPORTS=1 -include $(top_builddir)/config.h -I$(top_srcdir)/include -I$(top_srcdir)/plugins -I$(top_builddir)/include -I$(top_srcdir)/sasldb - - EXTRA_DIST = windlopen.c staticopen.h NTMakefile - EXTRA_LIBRARIES = libsasl2.a ---- saslauthd/Makefile.am.orig -+++ saslauthd/Makefile.am -@@ -26,7 +26,7 @@ saslcache_SOURCES = saslcache.c - - EXTRA_DIST = 
saslauthd.8 saslauthd.mdoc config include \ - getnameinfo.c getaddrinfo.c LDAP_SASLAUTHD --INCLUDES = -I$(top_srcdir)/include -I$(top_builddir)/include -I$(top_srcdir)/../include -+AM_CPPFLAGS = -include $(top_builddir)/config.h -I$(top_srcdir)/include -I$(top_builddir)/include -I$(top_srcdir)/../include - DEFS = @DEFS@ -DSASLAUTHD_CONF_FILE_DEFAULT=\"@sysconfdir@/saslauthd.conf\" -I. -I$(srcdir) -I.. - - ---- utils/Makefile.am.orig -+++ utils/Makefile.am -@@ -89,7 +89,7 @@ libsfsasl2_la_SOURCES = - libsfsasl2_la_LIBADD = sfsasl.lo - libsfsasl2_la_LDFLAGS = -version-info 1:0:0 -export-dynamic -rpath $(libdir) - --INCLUDES=-I$(top_srcdir)/include -I$(top_builddir)/include @SASL_DB_INC@ -+AM_CPPFLAGS = -include $(top_builddir)/config.h -I$(top_srcdir)/include -I$(top_builddir)/include @SASL_DB_INC@ - EXTRA_DIST = saslpasswd2.8 sasldblistusers2.8 pluginviewer.8 sfsasl.h sfsasl.c smtptest.c testsuite.c pluginviewer.c NTMakefile - - sfsasl.lo: sfsasl.c ---- sasldb/Makefile.am.orig -+++ sasldb/Makefile.am -@@ -44,7 +44,7 @@ - # Note that this doesn't necessaraly follow the libsasl2 verison info - sasl_version = 1:25:0 - --INCLUDES=-I$(top_srcdir)/include -I$(top_builddir)/include @SASL_DB_INC@ -+AM_CPPFLAGS= -include $(top_builddir)/config.h -I$(top_srcdir)/include -I$(top_builddir)/include @SASL_DB_INC@ - - extra_common_sources = db_none.c db_ndbm.c db_gdbm.c db_berkeley.c - diff --git a/cyrus-sasl-no_rpath.patch b/cyrus-sasl-no_rpath.patch index 157fd56..03f0a46 100644 --- a/cyrus-sasl-no_rpath.patch +++ b/cyrus-sasl-no_rpath.patch @@ -1,7 +1,7 @@ -Index: cyrus-sasl-2.1.26/cmulocal/cyrus.m4 +Index: cyrus-sasl-2.1.26/m4/cyrus.m4 =================================================================== ---- cyrus-sasl-2.1.26.orig/cmulocal/cyrus.m4 -+++ cyrus-sasl-2.1.26/cmulocal/cyrus.m4 +--- cyrus-sasl-2.1.26.orig/m4/cyrus.m4 ++++ cyrus-sasl-2.1.26/m4/cyrus.m4 @@ -32,14 +32,5 @@ AC_DEFUN([CMU_ADD_LIBPATH_TO], [ dnl runpath initialization AC_DEFUN([CMU_GUESS_RUNPATH_SWITCH], [ 
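Review bot: Large-file support may no longer reach every translation unit, because the refreshed cyrus-sasl-lfs.patch adds `AC_SYS_LARGEFILE` to the top-level configure.ac only. It drops both the saslauthd/configure.in hunk and the `-include $(top_builddir)/config.h` additions in plugins, lib, saslauthd, utils and sasldb. AC_SYS_LARGEFILE normally delivers `_FILE_OFFSET_BITS` through config.h, so a source file that pulls in a system header before config.h would be built with a 32-bit `off_t` on 32-bit targets; the forced include was what guaranteed the ordering. Please confirm that every 2.1.27 source (saslauthd included) includes config.h first, or keep `AM_CPPFLAGS = -include $(top_builddir)/config.h` in the refreshed patch. Neither changes entry records that this patch was reduced.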
diff --git a/cyrus-sasl-revert_gssapi_flags.patch b/cyrus-sasl-revert_gssapi_flags.patch
deleted file mode 100644
index 6dd6c79..0000000
--- a/cyrus-sasl-revert_gssapi_flags.patch
+++ /dev/null
@@ -1,15 +0,0 @@
---- a/plugins/gssapi.c
-+++ b/plugins/gssapi.c
-@@ -1583,10 +1583,10 @@ static int gssapi_client_mech_step(void *conn_context,
- }
-
- /* Setup req_flags properly */
-- req_flags = GSS_C_INTEG_FLAG;
-+ req_flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
- if (params->props.max_ssf > params->external_ssf) {
- /* We are requesting a security layer */
-- req_flags |= GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
-+ req_flags |= GSS_C_INTEG_FLAG;
- /* Any SSF bigger than 1 is confidentiality. */
- /* Let's check if the client of the API requires confidentiality,
- and it wasn't already provided by an external layer */
diff --git a/cyrus-sasl-saslauthd.changes b/cyrus-sasl-saslauthd.changes
index 087a0cf..72bc603 100644
--- a/cyrus-sasl-saslauthd.changes
+++ b/cyrus-sasl-saslauthd.changes
@@ -1,3 +1,34 @@ +------------------------------------------------------------------- +Sat Nov 17 10:14:14 UTC 2018 - Michael Ströder + +- removed patches obsoleted by upstream changes: + * shared_link_on_ppc.patch + * fix-sasl-header.diff + * cyrus-sasl-revert_gssapi_flags.patch + * cyrus-sasl-issue-402.patch + * cyrus-sasl-2.1.27-openssl-1.1.0.patch +- replaced cumlocal/ with m4/ in patches +- added fix_libpq-fe_include.diff for fixing including libpq-fe.h +- Update to 2.1.27 + * cache.c: + Don’t use cached credentials if timeout has expired + Fixed debug logging output + * ipc_doors.c: + Fixed potential DoS attack (from Oracle) + * ipc_unix.c: + Prevent premature closing of socket + * auth_rimap.c: + Added support LOGOUT command + Added support for unsolicited CAPABILITY responses in LOGIN reply + Properly detect end of responses (don’t needlessly wait) + Properly handle backslash in passwords + * auth_httpform: + Fix off-by-one error in string termination + Added support for 204 success response + * auth_krb5.c: + Added krb5_conv_krb4_instance option + Added more verbose error logging + ------------------------------------------------------------------- Tue Feb 13 08:59:21 UTC 2018 - varkoly@suse.com diff --git a/cyrus-sasl-saslauthd.spec b/cyrus-sasl-saslauthd.spec index a32276f..edd290b 100644 --- a/cyrus-sasl-saslauthd.spec +++ b/cyrus-sasl-saslauthd.spec @@ -22,7 +22,7 @@ %endif Name: cyrus-sasl-saslauthd -Version: 2.1.26 +Version: 2.1.27 Release: 0 Summary: The SASL Authentication Server License: BSD-4-Clause @@ -34,12 +34,11 @@ Source1: cyrus-sasl-rc.tar.bz2 Source2: README.Source Source3: baselibs.conf Source4: saslauthd.service + Patch: cyrus-sasl.dif -Patch1: shared_link_on_ppc.patch Patch5: cyrus-sasl-no_rpath.patch Patch6: cyrus-sasl-lfs.patch -Patch7: fix-sasl-header.diff -Patch10: cyrus-sasl-2.1.27-openssl-1.1.0.patch +Patch7: fix_libpq-fe_include.diff PreReq: %fillup_prereq BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: db-devel 
@@ -77,15 +76,13 @@ The SQL auxprop plugin supports PostgreSQL and MySQL %prep %setup -n cyrus-sasl-%{version} -a 1 %patch -%patch1 %patch5 -p1 -%patch6 +%patch6 -p1 %patch7 -p1 -%patch10 -p1 %build find . -name "*.cvsignore" -exec rm -fv "{}" "+" -autoreconf -f -i +autoreconf -f export CFLAGS="-fno-strict-aliasing $RPM_OPT_FLAGS -DLDAP_DEPRECATED" %configure --with-plugindir=%{_libdir}/sasl2 \ --with-configdir=/etc/sasl2/:%{_libdir}/sasl2 \ @@ -159,7 +156,7 @@ install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_unitdir} /usr/sbin/* /usr/bin/* %doc %{_mandir}/man8/*.gz -%doc saslauthd/AUTHORS saslauthd/COPYING saslauthd/ChangeLog saslauthd/LDAP_SASLAUTHD saslauthd/NEWS saslauthd/README +%doc saslauthd/COPYING saslauthd/ChangeLog saslauthd/LDAP_SASLAUTHD %files -n cyrus-sasl-sqlauxprop %defattr(-,root,root) diff --git a/cyrus-sasl.changes b/cyrus-sasl.changes index 087a0cf..5d8a0fa 100644 --- a/cyrus-sasl.changes +++ b/cyrus-sasl.changes 
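Review bot: `autoreconf -f` without `-i` no longer installs missing auxiliary files (ltmain.sh, config.guess, install-sh and similar), so the %build step in hunk `@@ -77,15 +76,13 @@` now depends on the 2.1.27 tarball shipping copies that suit the build host's autotools. The description mentions an unexplained build failure on older distributions; this is one plausible cause, though nothing on the page confirms it. Consider keeping `autoreconf -f -i`, or add a spec comment saying why `-i` was dropped. The same change is made in cyrus-sasl.spec, hunk `@@ -169,17 +164,13 @@`.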
@@ -1,3 +1,35 @@ +------------------------------------------------------------------- +Sat Nov 17 10:14:14 UTC 2018 - Michael Ströder + +- removed patches obsoleted by upstream changes: + * shared_link_on_ppc.patch + * fix-sasl-header.diff + * cyrus-sasl-revert_gssapi_flags.patch + * cyrus-sasl-issue-402.patch + * cyrus-sasl-2.1.27-openssl-1.1.0.patch +- replaced cumlocal/ with m4/ in patches +- added fix_libpq-fe_include.diff for fixing including libpq-fe.h +- Update to 2.1.27 + * Added support for OpenSSL 1.1 + * Added support for lmdb + * Lots of build fixes + * Treat SCRAM and DIGEST-MD5 as more secure than PLAIN when selecting client mech + * DIGEST-MD5 plugin: + Fixed memory leaks + Fixed a segfault when looking for non-existent reauth cache + Prevent client from going from step 3 back to step 2 + Allow cmusaslsecretDIGEST-MD5 property to be disabled + * GSSAPI plugin: + Added support for retrieving negotiated SSF + Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF + Properly compute maxbufsize AFTER security layers have been set + * SCRAM plugin: + Added support for SCRAM-SHA-256 + * LOGIN plugin: + Don’t prompt client for password until requested by server + * NTLM plugin: + Fixed crash due to uninitialized HMAC context + ------------------------------------------------------------------- Tue Feb 13 08:59:21 UTC 2018 - varkoly@suse.com diff --git a/cyrus-sasl.dif b/cyrus-sasl.dif index e5fb6b9..5b4a6af 100644 --- a/cyrus-sasl.dif +++ b/cyrus-sasl.dif @@ -1,7 +1,7 @@ -Index: cmulocal/cyrus.m4 +Index: m4/cyrus.m4 =================================================================== ---- cmulocal/cyrus.m4.orig -+++ cmulocal/cyrus.m4 +--- m4/cyrus.m4.orig ++++ m4/cyrus.m4 @@ -37,7 +37,7 @@ AC_DEFUN([CMU_GUESS_RUNPATH_SWITCH], [ SAVE_LDFLAGS="${LDFLAGS}" LDFLAGS="-R /usr/lib" 
@@ -25,20 +25,13 @@ Index: Makefile.am else Index: sasldb/Makefile.am =================================================================== ---- sasldb/Makefile.am.orig -+++ sasldb/Makefile.am -@@ -48,6 +48,7 @@ INCLUDES=-I$(top_srcdir)/include -I$(top - - extra_common_sources = db_none.c db_ndbm.c db_gdbm.c db_berkeley.c - -+AM_CFLAGS = "-fPIC" - EXTRA_DIST = NTMakefile - - noinst_LTLIBRARIES = libsasldb.la -@@ -66,3 +67,8 @@ libsasldb.a: libsasldb.la $(SASL_DB_BACK - $(AR) cru .libs/$@ $(SASL_DB_BACKEND_STATIC) - - +--- sasldb/Makefile.am 2016-01-29 18:35:35.000000000 +0100 ++++ sasldb/Makefile.am 2018-11-17 12:51:05.800696917 +0100 +@@ -57,3 +57,9 @@ + libsasldb_la_DEPENDENCIES = $(SASL_DB_BACKEND) + libsasldb_la_LIBADD = $(SASL_DB_BACKEND) + libsasldb_la_LDFLAGS = -no-undefined ++ +# avoid these two files created at the same time, they use both the same +# dep file +db_berkeley.lo: db_berkeley.o diff --git a/cyrus-sasl.spec b/cyrus-sasl.spec index 564fc13..eb4ac7a 100644 --- a/cyrus-sasl.spec +++ b/cyrus-sasl.spec @@ -18,7 +18,7 @@ Name: cyrus-sasl %define lname libsasl2-3 -Version: 2.1.26 +Version: 2.1.27 Release: 0 Url: http://asg.web.cmu.edu/sasl/ Summary: Implementation of Cyrus SASL API @@ -30,14 +30,9 @@ Source1: cyrus-sasl-rc.tar.bz2 Source2: README.Source Source3: baselibs.conf Patch: cyrus-sasl.dif -Patch1: shared_link_on_ppc.patch Patch5: cyrus-sasl-no_rpath.patch Patch6: cyrus-sasl-lfs.patch -Patch7: fix-sasl-header.diff -Patch8: cyrus-sasl-revert_gssapi_flags.patch -# see https://github.com/cyrusimap/cyrus-sasl/issues/402 -Patch9: cyrus-sasl-issue-402.patch -Patch10: cyrus-sasl-2.1.27-openssl-1.1.0.patch +Patch7: fix_libpq-fe_include.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: db-devel BuildRequires: krb5-mini-devel 
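Review bot: The refreshed sasldb/Makefile.am part of cyrus-sasl.dif no longer adds `AM_CFLAGS = "-fPIC"`, and neither changes entry records that; only the cmulocal/ to m4/ rename is listed. cyrus-sasl.spec passes `--with-pic` to configure (visible as context in a later hunk), but the saslauthd spec's configure line shown on this page does not, and its continuation lies outside the hunk. If the flag is redundant with 2.1.27, document it with a changes line such as `- cyrus-sasl.dif: no longer forces -fPIC in sasldb/Makefile.am`; otherwise keep the assignment in the refreshed hunk.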
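Review bot: Dropping `Patch8: cyrus-sasl-revert_gssapi_flags.patch` in hunk `@@ -30,14 +30,9 @@` changes which GSS-API flags the client requests, unless 2.1.27 already starts from `GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG`. The deleted patch replaced an initial `req_flags = GSS_C_INTEG_FLAG;` with the mutual and sequence flags, so it reverted an upstream choice rather than backporting a fix. The changes entry lists it as obsoleted by upstream, which the page does not show. If 2.1.27 still initialises `req_flags` to `GSS_C_INTEG_FLAG`, mutual authentication would be requested only when a security layer is negotiated, which matters for clients that rely on TLS (`external_ssf`) for protection. Please check plugins/gssapi.c in the 2.1.27 tarball and record the outcome in the changes entry; the matching `%patch8 -p1` removal is in hunk `@@ -169,17 +164,13 @@`.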
@@ -169,17 +164,13 @@ then rm -rf %{_builddir}/%{name}-%{version}/dlcompat-* fi %patch -%patch1 %patch5 -p1 -%patch6 +%patch6 -p1 %patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 %build find . -name "*.cvsignore" -exec rm -fv "{}" "+" -autoreconf -f -i +autoreconf -f export CFLAGS="%optflags -fno-strict-aliasing" %configure --with-pic \ --with-plugindir=%{_libdir}/sasl2 \ @@ -271,7 +262,7 @@ find "%buildroot" -type f -name "*.la" -print -delete %files devel %defattr(-,root,root) -%doc AUTHORS COPYING ChangeLog NEWS README doc +%doc AUTHORS COPYING ChangeLog README doc %_includedir/sasl/ %doc %{_mandir}/man3/sasl_*.gz %{_libdir}/libsasl2.so diff --git a/fix-sasl-header.diff b/fix-sasl-header.diff deleted file mode 100644 index 3529ed4..0000000 --- a/fix-sasl-header.diff +++ /dev/null @@ -1,12 +0,0 @@ ---- cyrus-sasl-2.1.26/include/sasl.h 2012-10-12 09:05:48.000000000 -0500 -+++ cyrus-sasl-2.1.26/include/sasl.h 2013-01-31 13:21:04.007739327 -0600 -@@ -223,6 +223,8 @@ extern "C" { - * they must be called before all other SASL functions: - */ - -+#include -+ - /* memory allocation functions which may optionally be replaced: - */ - typedef void *sasl_malloc_t(size_t); - diff --git a/fix_libpq-fe_include.diff b/fix_libpq-fe_include.diff new file mode 100644 index 0000000..1d95017 --- /dev/null +++ b/fix_libpq-fe_include.diff @@ -0,0 +1,11 @@ +--- cyrus-sasl-2.1.27.orig/plugins/sql.c 2016-12-10 16:45:55.000000000 +0100 ++++ cyrus-sasl-2.1.27/plugins/sql.c 2018-11-17 14:04:33.821540573 +0100 +@@ -188,7 +188,7 @@ + #endif /* HAVE_MYSQL */ + + #ifdef HAVE_PGSQL +-#include ++#include + + static void *_pgsql_open(char *host, char *port, int usessl, + const char *user, const char *password, diff --git a/shared_link_on_ppc.patch b/shared_link_on_ppc.patch deleted file mode 100644 index e65cfb2..0000000 --- a/shared_link_on_ppc.patch +++ /dev/null 
@@ -1,10 +0,0 @@
---- config/ltconfig.orig 2003-01-23 09:20:31.000000000 +0100
-+++ config/ltconfig 2003-01-23 09:20:49.000000000 +0100
-@@ -2029,7 +2029,6 @@
- else
- # Only the GNU ld.so supports shared libraries on MkLinux.
- case "$host_cpu" in
-- powerpc*) dynamic_linker=no ;;
- *) dynamic_linker='Linux ld.so' ;;
- esac
- fi