diff --git a/cyrus-sasl-issue-402.patch b/cyrus-sasl-issue-402.patch new file mode 100644 index 0000000..d20eaa6 --- /dev/null +++ b/cyrus-sasl-issue-402.patch @@ -0,0 +1,70 @@ +commit 06260404c047e111f86b67de2862ec124f8fe2ec +Author: Sergio Gelato +Date: Wed Oct 21 20:45:17 2015 +0200 + + Postpone computing maxbufsize until after security layers have been set. + + Prior to this commit it was possible for the GSSAPI mechanism acceptor to + return a zero maxbufsize together with the integrity and/or confidentiality + layer bits set. This is not a workable combination. + + Solve this by not zeroing maxbufsize (as required by RFC 4752 when only + the only security layer selected is authentication) until computation of + the security layer mask is complete. The condition for zeroing maxbufsize + then becomes much more straightforward. + +diff --git a/plugins/gssapi.c b/plugins/gssapi.c +index 2fd1b3b..e861864 100644 +--- a/plugins/gssapi.c ++++ b/plugins/gssapi.c +@@ -1007,21 +1007,14 @@ gssapi_server_mech_ssfcap(context_t *text, + } + + /* build up our security properties token */ +- if (text->requiressf != 0 && +- (text->qop & (LAYER_INTEGRITY|LAYER_CONFIDENTIALITY))) { +- if (params->props.maxbufsize > 0xFFFFFF) { +- /* make sure maxbufsize isn't too large */ +- /* maxbufsize = 0xFFFFFF */ +- sasldata[1] = sasldata[2] = sasldata[3] = 0xFF; +- } else { +- sasldata[1] = (params->props.maxbufsize >> 16) & 0xFF; +- sasldata[2] = (params->props.maxbufsize >> 8) & 0xFF; +- sasldata[3] = (params->props.maxbufsize >> 0) & 0xFF; +- } ++ if (params->props.maxbufsize > 0xFFFFFF) { ++ /* make sure maxbufsize isn't too large */ ++ /* maxbufsize = 0xFFFFFF */ ++ sasldata[1] = sasldata[2] = sasldata[3] = 0xFF; + } else { +- /* From RFC 4752: "The client verifies that the server maximum buffer is 0 +- if the server does not advertise support for any security layer." */ +- sasldata[1] = sasldata[2] = sasldata[3] = 0; ++ sasldata[1] = (params->props.maxbufsize >> 16) & 0xFF; ++ sasldata[2] = (params->props.maxbufsize >> 8) & 0xFF; ++ sasldata[3] = (params->props.maxbufsize >> 0) & 0xFF; + } + + sasldata[0] = 0; +@@ -1047,6 +1040,12 @@ gssapi_server_mech_ssfcap(context_t *text, + sasldata[0] |= LAYER_CONFIDENTIALITY; + } + ++ if ((sasldata[0] & ~LAYER_NONE) == 0) { ++ /* From RFC 4752: "The client verifies that the server maximum buffer is 0 ++ if the server does not advertise support for any security layer." */ ++ sasldata[1] = sasldata[2] = sasldata[3] = 0; ++ } ++ + /* Remember what we want and can offer */ + text->qop = sasldata[0]; + +@@ -1401,7 +1400,7 @@ int gssapiv2_server_plug_init( + keytab, errno); + return SASL_FAIL; + } +- ++ + if(strlen(keytab) > 1024) { + utils->log(NULL, SASL_LOG_ERR, + "path to keytab is > 1024 characters"); diff --git a/cyrus-sasl.changes b/cyrus-sasl.changes index b108f02..d3c5e0c 100644 --- a/cyrus-sasl.changes +++ b/cyrus-sasl.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Wed Mar 22 09:56:37 UTC 2017 - michael@stroeder.com + +- added cyrus-sasl-issue-402.patch to fix + SASL GSSAPI mechanism acceptor wrongly returns zero maxbufsize #402 + (see https://github.com/cyrusimap/cyrus-sasl/issues/402) + ------------------------------------------------------------------- Tue Jan 6 19:02:33 UTC 2015 - varkoly@suse.com diff --git a/cyrus-sasl.spec b/cyrus-sasl.spec index f1d772c..f3ebf29 100644 --- a/cyrus-sasl.spec +++ b/cyrus-sasl.spec @@ -35,6 +35,8 @@ Patch5: cyrus-sasl-no_rpath.patch Patch6: cyrus-sasl-lfs.patch Patch7: fix-sasl-header.diff Patch8: cyrus-sasl-revert_gssapi_flags.patch +# see https://github.com/cyrusimap/cyrus-sasl/issues/402 +Patch9: cyrus-sasl-issue-402.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: db-devel BuildRequires: krb5-mini-devel @@ -171,6 +173,7 @@ fi %patch6 %patch7 -p1 %patch8 -p1 +%patch9 -p1 %build find . -name "*.cvsignore" -exec rm -fv "{}" "+"