Accepting request 486184 from home:stroeder:branches:network

added patch for https://github.com/cyrusimap/cyrus-sasl/issues/402

tested with Howard's krb/ test.sh

OBS-URL: https://build.opensuse.org/request/show/486184
OBS-URL: https://build.opensuse.org/package/show/network/cyrus-sasl?expand=0&rev=61

cyrus-sasl-issue-402.patch

@@ -0,0 +1,70 @@
+commit 06260404c047e111f86b67de2862ec124f8fe2ec
+Author: Sergio Gelato <Sergio.Gelato@astro.su.se>
+Date:   Wed Oct 21 20:45:17 2015 +0200
+
+    Postpone computing maxbufsize until after security layers have been set.
+    
+    Prior to this commit it was possible for the GSSAPI mechanism acceptor to
+    return a zero maxbufsize together with the integrity and/or confidentiality
+    layer bits set. This is not a workable combination.
+    
+    Solve this by not zeroing maxbufsize (as required by RFC 4752 when only
+    the only security layer selected is authentication) until computation of
+    the security layer mask is complete. The condition for zeroing maxbufsize
+    then becomes much more straightforward.
+
+diff --git a/plugins/gssapi.c b/plugins/gssapi.c
+index 2fd1b3b..e861864 100644
+--- a/plugins/gssapi.c
++++ b/plugins/gssapi.c
+@@ -1007,21 +1007,14 @@ gssapi_server_mech_ssfcap(context_t *text,
+     }
+ 
+     /* build up our security properties token */
+-    if (text->requiressf != 0 &&
+-	(text->qop & (LAYER_INTEGRITY|LAYER_CONFIDENTIALITY))) {
+-	if (params->props.maxbufsize > 0xFFFFFF) {
+-	    /* make sure maxbufsize isn't too large */
+-	    /* maxbufsize = 0xFFFFFF */
+-	    sasldata[1] = sasldata[2] = sasldata[3] = 0xFF;
+-	} else {
+-	    sasldata[1] = (params->props.maxbufsize >> 16) & 0xFF;
+-	    sasldata[2] = (params->props.maxbufsize >> 8) & 0xFF;
+-	    sasldata[3] = (params->props.maxbufsize >> 0) & 0xFF;
+-	}
++    if (params->props.maxbufsize > 0xFFFFFF) {
++	/* make sure maxbufsize isn't too large */
++	/* maxbufsize = 0xFFFFFF */
++	sasldata[1] = sasldata[2] = sasldata[3] = 0xFF;
+     } else {
+-	/* From RFC 4752: "The client verifies that the server maximum buffer is 0
+-	   if the server does not advertise support for any security layer." */
+-	sasldata[1] = sasldata[2] = sasldata[3] = 0;
++	sasldata[1] = (params->props.maxbufsize >> 16) & 0xFF;
++	sasldata[2] = (params->props.maxbufsize >> 8) & 0xFF;
++	sasldata[3] = (params->props.maxbufsize >> 0) & 0xFF;
+     }
+ 
+     sasldata[0] = 0;
+@@ -1047,6 +1040,12 @@ gssapi_server_mech_ssfcap(context_t *text,
+ 	sasldata[0] |= LAYER_CONFIDENTIALITY;
+     }
+ 
++    if ((sasldata[0] & ~LAYER_NONE) == 0) {
++	/* From RFC 4752: "The client verifies that the server maximum buffer is 0
++	   if the server does not advertise support for any security layer." */
++	sasldata[1] = sasldata[2] = sasldata[3] = 0;
++    }
++
+     /* Remember what we want and can offer */
+     text->qop = sasldata[0];
+ 
+@@ -1401,7 +1400,7 @@ int gssapiv2_server_plug_init(
+ 		       keytab, errno);
+ 	    return SASL_FAIL;
+ 	}
+-	
++
+ 	if(strlen(keytab) > 1024) {
+ 	    utils->log(NULL, SASL_LOG_ERR,
+ 		       "path to keytab is > 1024 characters");

cyrus-sasl.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Mar 22 09:56:37 UTC 2017 - michael@stroeder.com
+
+- added cyrus-sasl-issue-402.patch to fix
+  SASL GSSAPI mechanism acceptor wrongly returns zero maxbufsize #402
+  (see https://github.com/cyrusimap/cyrus-sasl/issues/402)
+
 -------------------------------------------------------------------
 Tue Jan  6 19:02:33 UTC 2015 - varkoly@suse.com
 

cyrus-sasl.spec

@@ -35,6 +35,8 @@ Patch5:         cyrus-sasl-no_rpath.patch
 Patch6:         cyrus-sasl-lfs.patch
 Patch7:         fix-sasl-header.diff
 Patch8:         cyrus-sasl-revert_gssapi_flags.patch
+# see https://github.com/cyrusimap/cyrus-sasl/issues/402
+Patch9:         cyrus-sasl-issue-402.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  db-devel
 BuildRequires:  krb5-mini-devel
@@ -171,6 +173,7 @@ fi
 %patch6
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 
 %build
 find . -name "*.cvsignore" -exec rm -fv "{}" "+"