rpm/cyrus-sasl
SHA256
1
0
Fork 0
forked from pool/cyrus-sasl
Code Pull Requests Activity

Accepting request 655748 from network

Browse Source 
- removed patches obsoleted by upstream changes:
  * shared_link_on_ppc.patch
  * fix-sasl-header.diff
  * cyrus-sasl-revert_gssapi_flags.patch
  * cyrus-sasl-issue-402.patch
  * cyrus-sasl-2.1.27-openssl-1.1.0.patch
- replaced cumlocal/ with m4/ in patches
- added fix_libpq-fe_include.diff for fixing including libpq-fe.h
- Update to 2.1.27
  * cache.c:
      Don’t use cached credentials if timeout has expired
      Fixed debug logging output
  * ipc_doors.c:
      Fixed potential DoS attack (from Oracle)
  * ipc_unix.c:
      Prevent premature closing of socket
  * auth_rimap.c:
      Added support LOGOUT command
      Added support for unsolicited CAPABILITY responses in LOGIN reply
      Properly detect end of responses (don’t needlessly wait)
      Properly handle backslash in passwords
  * auth_httpform:
      Fix off-by-one error in string termination
      Added support for 204 success response
  * auth_krb5.c:
      Added krb5_conv_krb4_instance option
      Added more verbose error logging

- removed patches obsoleted by upstream changes:
  * shared_link_on_ppc.patch

OBS-URL: https://build.opensuse.org/request/show/655748
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cyrus-sasl?expand=0&rev=57
This commit is contained in:
Dominique Leuenberger 2018-12-11 14:45:12 +00:00 committed by Git OBS Bridge
commit 558cc08d50
15 changed files with 107 additions and 667 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
cyrus-sasl-2.1.26.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:8fbc5136512b59bb793657f36fadda6359cae3b08f01fd16b3d406f1345b7bc3
size 5220231

438
cyrus-sasl-2.1.27-openssl-1.1.0.patch
View File

@ -1,438 +0,0 @@
Index: cyrus-sasl-2.1.26/plugins/ntlm.c
===================================================================
--- cyrus-sasl-2.1.26.orig/plugins/ntlm.c 2012-01-28 00:31:36.000000000 +0100
+++ cyrus-sasl-2.1.26/plugins/ntlm.c 2017-09-04 12:00:57.773615637 +0200
@@ -417,6 +417,29 @@ static unsigned char *P24(unsigned char
return P24;
}
+static HMAC_CTX *_plug_HMAC_CTX_new(const sasl_utils_t *utils)
+{
+ utils->log(NULL, SASL_LOG_DEBUG, "_plug_HMAC_CTX_new()");
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ return HMAC_CTX_new();
+#else
+ return utils->malloc(sizeof(HMAC_CTX));
+#endif
+}
+
+static void _plug_HMAC_CTX_free(HMAC_CTX *ctx, const sasl_utils_t *utils)
+{
+ utils->log(NULL, SASL_LOG_DEBUG, "_plug_HMAC_CTX_free()");
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ HMAC_CTX_free(ctx);
+#else
+ HMAC_cleanup(ctx);
+ utils->free(ctx);
+#endif
+}
+
static unsigned char *V2(unsigned char *V2, sasl_secret_t *passwd,
const char *authid, const char *target,
const unsigned char *challenge,
@@ -424,7 +447,7 @@ static unsigned char *V2(unsigned char *
const sasl_utils_t *utils,
char **buf, unsigned *buflen, int *result)
{
- HMAC_CTX ctx;
+ HMAC_CTX *ctx = NULL;
unsigned char hash[EVP_MAX_MD_SIZE];
char *upper;
unsigned int len;
@@ -435,6 +458,10 @@ static unsigned char *V2(unsigned char *
SETERROR(utils, "cannot allocate NTLMv2 hash");
*result = SASL_NOMEM;
}
+ else if ((ctx = _plug_HMAC_CTX_new(utils)) == NULL) {
+ SETERROR(utils, "cannot allocate HMAC CTX");
+ *result = SASL_NOMEM;
+ }
else {
/* NTLMv2hash = HMAC-MD5(NTLMhash, unicode(ucase(authid + domain))) */
P16_nt(hash, passwd, utils, buf, buflen, result);
@@ -449,17 +476,18 @@ static unsigned char *V2(unsigned char *
HMAC(EVP_md5(), hash, MD4_DIGEST_LENGTH, *buf, 2 * len, hash, &len);
/* V2 = HMAC-MD5(NTLMv2hash, challenge + blob) + blob */
- HMAC_Init(&ctx, hash, len, EVP_md5());
- HMAC_Update(&ctx, challenge, NTLM_NONCE_LENGTH);
- HMAC_Update(&ctx, blob, bloblen);
- HMAC_Final(&ctx, V2, &len);
- HMAC_cleanup(&ctx);
+ HMAC_Init_ex(ctx, hash, len, EVP_md5(), NULL);
+ HMAC_Update(ctx, challenge, NTLM_NONCE_LENGTH);
+ HMAC_Update(ctx, blob, bloblen);
+ HMAC_Final(ctx, V2, &len);
/* the blob is concatenated outside of this function */
*result = SASL_OK;
}
+ if (ctx) _plug_HMAC_CTX_free(ctx, utils);
+
return V2;
}
Index: cyrus-sasl-2.1.26/plugins/otp.c
===================================================================
--- cyrus-sasl-2.1.26.orig/plugins/otp.c 2012-10-12 16:05:48.000000000 +0200
+++ cyrus-sasl-2.1.26/plugins/otp.c 2017-09-04 12:00:57.773615637 +0200
@@ -96,6 +96,28 @@ static algorithm_option_t algorithm_opti
{NULL, 0, NULL}
};
+static EVP_MD_CTX *_plug_EVP_MD_CTX_new(const sasl_utils_t *utils)
+{
+ utils->log(NULL, SASL_LOG_DEBUG, "_plug_EVP_MD_CTX_new()");
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ return EVP_MD_CTX_new();
+#else
+ return utils->malloc(sizeof(EVP_MD_CTX));
+#endif
+}
+
+static void _plug_EVP_MD_CTX_free(EVP_MD_CTX *ctx, const sasl_utils_t *utils)
+{
+ utils->log(NULL, SASL_LOG_DEBUG, "_plug_EVP_MD_CTX_free()");
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_MD_CTX_free(ctx);
+#else
+ utils->free(ctx);
+#endif
+}
+
/* Convert the binary data into ASCII hex */
void bin2hex(unsigned char *bin, int binlen, char *hex)
{
@@ -116,17 +138,16 @@ void bin2hex(unsigned char *bin, int bin
* swabbing bytes if necessary.
*/
static void otp_hash(const EVP_MD *md, char *in, size_t inlen,
- unsigned char *out, int swab)
+ unsigned char *out, int swab, EVP_MD_CTX *mdctx)
{
- EVP_MD_CTX mdctx;
- char hash[EVP_MAX_MD_SIZE];
+ unsigned char hash[EVP_MAX_MD_SIZE];
unsigned int i;
int j;
unsigned hashlen;
- EVP_DigestInit(&mdctx, md);
- EVP_DigestUpdate(&mdctx, in, inlen);
- EVP_DigestFinal(&mdctx, hash, &hashlen);
+ EVP_DigestInit(mdctx, md);
+ EVP_DigestUpdate(mdctx, in, inlen);
+ EVP_DigestFinal(mdctx, hash, &hashlen);
/* Fold the result into 64 bits */
for (i = OTP_HASH_SIZE; i < hashlen; i++) {
@@ -149,7 +170,9 @@ static int generate_otp(const sasl_utils
char *secret, char *otp)
{
const EVP_MD *md;
- char *key;
+ EVP_MD_CTX *mdctx = NULL;
+ char *key = NULL;
+ int r = SASL_OK;
if (!(md = EVP_get_digestbyname(alg->evp_name))) {
utils->seterror(utils->conn, 0,
@@ -157,23 +180,32 @@ static int generate_otp(const sasl_utils
return SASL_FAIL;
}
+ if ((mdctx = _plug_EVP_MD_CTX_new(utils)) == NULL) {
+ SETERROR(utils, "cannot allocate MD CTX");
+ r = SASL_NOMEM;
+ goto done;
+ }
+
if ((key = utils->malloc(strlen(seed) + strlen(secret) + 1)) == NULL) {
SETERROR(utils, "cannot allocate OTP key");
- return SASL_NOMEM;
+ r = SASL_NOMEM;
+ goto done;
}
/* initial step */
strcpy(key, seed);
strcat(key, secret);
- otp_hash(md, key, strlen(key), otp, alg->swab);
+ otp_hash(md, key, strlen(key), otp, alg->swab, mdctx);
/* computation step */
while (seq-- > 0)
- otp_hash(md, otp, OTP_HASH_SIZE, otp, alg->swab);
-
- utils->free(key);
+ otp_hash(md, otp, OTP_HASH_SIZE, otp, alg->swab, mdctx);
+
+ done:
+ if (key) utils->free(key);
+ if (mdctx) _plug_EVP_MD_CTX_free(mdctx, utils);
- return SASL_OK;
+ return r;
}
static int parse_challenge(const sasl_utils_t *utils,
@@ -693,7 +725,8 @@ static int strptrcasecmp(const void *arg
/* Convert the 6 words into binary data */
static int word2bin(const sasl_utils_t *utils,
- char *words, unsigned char *bin, const EVP_MD *md)
+ char *words, unsigned char *bin, const EVP_MD *md,
+ EVP_MD_CTX *mdctx)
{
int i, j;
char *c, *word, buf[OTP_RESPONSE_MAX+1];
@@ -752,13 +785,12 @@ static int word2bin(const sasl_utils_t *
/* alternate dictionary */
if (alt_dict) {
- EVP_MD_CTX mdctx;
- char hash[EVP_MAX_MD_SIZE];
- int hashlen;
+ unsigned char hash[EVP_MAX_MD_SIZE];
+ unsigned hashlen;
- EVP_DigestInit(&mdctx, md);
- EVP_DigestUpdate(&mdctx, word, strlen(word));
- EVP_DigestFinal(&mdctx, hash, &hashlen);
+ EVP_DigestInit(mdctx, md);
+ EVP_DigestUpdate(mdctx, word, strlen(word));
+ EVP_DigestFinal(mdctx, hash, &hashlen);
/* use lowest 11 bits */
x = ((hash[hashlen-2] & 0x7) << 8) | hash[hashlen-1];
@@ -802,6 +834,7 @@ static int verify_response(server_contex
char *response)
{
const EVP_MD *md;
+ EVP_MD_CTX *mdctx = NULL;
char *c;
int do_init = 0;
unsigned char cur_otp[OTP_HASH_SIZE], prev_otp[OTP_HASH_SIZE];
@@ -815,6 +848,11 @@ static int verify_response(server_contex
return SASL_FAIL;
}
+ if ((mdctx = _plug_EVP_MD_CTX_new(utils)) == NULL) {
+ SETERROR(utils, "cannot allocate MD CTX");
+ return SASL_NOMEM;
+ }
+
/* eat leading whitespace */
c = response;
while (isspace((int) *c)) c++;
@@ -824,7 +862,7 @@ static int verify_response(server_contex
r = hex2bin(c+strlen(OTP_HEX_TYPE), cur_otp, OTP_HASH_SIZE);
}
else if (!strncasecmp(c, OTP_WORD_TYPE, strlen(OTP_WORD_TYPE))) {
- r = word2bin(utils, c+strlen(OTP_WORD_TYPE), cur_otp, md);
+ r = word2bin(utils, c+strlen(OTP_WORD_TYPE), cur_otp, md, mdctx);
}
else if (!strncasecmp(c, OTP_INIT_HEX_TYPE,
strlen(OTP_INIT_HEX_TYPE))) {
@@ -834,7 +872,7 @@ static int verify_response(server_contex
else if (!strncasecmp(c, OTP_INIT_WORD_TYPE,
strlen(OTP_INIT_WORD_TYPE))) {
do_init = 1;
- r = word2bin(utils, c+strlen(OTP_INIT_WORD_TYPE), cur_otp, md);
+ r = word2bin(utils, c+strlen(OTP_INIT_WORD_TYPE), cur_otp, md, mdctx);
}
else {
SETERROR(utils, "unknown OTP extended response type");
@@ -843,14 +881,15 @@ static int verify_response(server_contex
}
else {
/* standard response, try word first, and then hex */
- r = word2bin(utils, c, cur_otp, md);
+ r = word2bin(utils, c, cur_otp, md, mdctx);
if (r != SASL_OK)
r = hex2bin(c, cur_otp, OTP_HASH_SIZE);
}
if (r == SASL_OK) {
/* do one more hash (previous otp) and compare to stored otp */
- otp_hash(md, cur_otp, OTP_HASH_SIZE, prev_otp, text->alg->swab);
+ otp_hash(md, (char *) cur_otp, OTP_HASH_SIZE,
+ prev_otp, text->alg->swab, mdctx);
if (!memcmp(prev_otp, text->otp, OTP_HASH_SIZE)) {
/* update the secret with this seq/otp */
@@ -879,23 +918,28 @@ static int verify_response(server_contex
*new_resp++ = '\0';
}
- if (!(new_chal && new_resp))
- return SASL_BADAUTH;
+ if (!(new_chal && new_resp)) {
+ r = SASL_BADAUTH;
+ goto done;
+ }
if ((r = parse_challenge(utils, new_chal, &alg, &seq, seed, 1))
!= SASL_OK) {
- return r;
+ goto done;
}
- if (seq < 1 || !strcasecmp(seed, text->seed))
- return SASL_BADAUTH;
+ if (seq < 1 || !strcasecmp(seed, text->seed)) {
+ r = SASL_BADAUTH;
+ goto done;
+ }
/* find the MDA */
if (!(md = EVP_get_digestbyname(alg->evp_name))) {
utils->seterror(utils->conn, 0,
"OTP algorithm %s is not available",
alg->evp_name);
- return SASL_BADAUTH;
+ r = SASL_BADAUTH;
+ goto done;
}
if (!strncasecmp(c, OTP_INIT_HEX_TYPE, strlen(OTP_INIT_HEX_TYPE))) {
@@ -903,7 +947,7 @@ static int verify_response(server_contex
}
else if (!strncasecmp(c, OTP_INIT_WORD_TYPE,
strlen(OTP_INIT_WORD_TYPE))) {
- r = word2bin(utils, new_resp, new_otp, md);
+ r = word2bin(utils, new_resp, new_otp, md, mdctx);
}
if (r == SASL_OK) {
@@ -914,7 +958,10 @@ static int verify_response(server_contex
memcpy(text->otp, new_otp, OTP_HASH_SIZE);
}
}
-
+
+ done:
+ if (mdctx) _plug_EVP_MD_CTX_free(mdctx, utils);
+
return r;
}
Index: cyrus-sasl-2.1.26/saslauthd/lak.c
===================================================================
--- cyrus-sasl-2.1.26.orig/saslauthd/lak.c 2012-10-12 16:05:48.000000000 +0200
+++ cyrus-sasl-2.1.26/saslauthd/lak.c 2017-09-04 12:00:57.773615637 +0200
@@ -61,6 +61,35 @@
#include <sasl.h>
#include "lak.h"
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+static EVP_MD_CTX *EVP_MD_CTX_new(void)
+{
+ return EVP_MD_CTX_create();
+}
+static void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
+{
+ if (ctx == NULL)
+ return;
+
+ EVP_MD_CTX_destroy(ctx);
+}
+
+static EVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void)
+{
+ EVP_ENCODE_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));
+
+ if (ctx != NULL) {
+ memset(ctx, 0, sizeof(*ctx));
+ }
+ return ctx;
+}
+static void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx)
+{
+ OPENSSL_free(ctx);
+ return;
+}
+#endif
+
typedef struct lak_auth_method {
int method;
int (*check) (LAK *lak, const char *user, const char *service, const char *realm, const char *password) ;
@@ -1715,20 +1744,28 @@ static int lak_base64_decode(
int rc, i, tlen = 0;
char *text;
- EVP_ENCODE_CTX EVP_ctx;
+ EVP_ENCODE_CTX *enc_ctx = EVP_ENCODE_CTX_new();
- text = (char *)malloc(((strlen(src)+3)/4 * 3) + 1);
if (text == NULL)
return LAK_NOMEM;
- EVP_DecodeInit(&EVP_ctx);
- rc = EVP_DecodeUpdate(&EVP_ctx, text, &i, (char *)src, strlen(src));
+ text = (char *)malloc(((strlen(src)+3)/4 * 3) + 1);
+ if (text == NULL) {
+ EVP_ENCODE_CTX_free(enc_ctx);
+ return LAK_NOMEM;
+ }
+
+ EVP_DecodeInit(enc_ctx);
+ rc = EVP_DecodeUpdate(enc_ctx, (unsigned char *) text, &i, (const unsigned char *)src, strlen(src));
if (rc < 0) {
+ EVP_ENCODE_CTX_free(enc_ctx);
free(text);
return LAK_FAIL;
}
tlen += i;
- EVP_DecodeFinal(&EVP_ctx, text, &i);
+ EVP_DecodeFinal(enc_ctx, (unsigned char *) text, &i);
+
+ EVP_ENCODE_CTX_free(enc_ctx);
*ret = text;
if (rlen != NULL)
@@ -1744,7 +1781,7 @@ static int lak_check_hashed(
{
int rc, clen;
LAK_HASH_ROCK *hrock = (LAK_HASH_ROCK *) rock;
- EVP_MD_CTX mdctx;
+ EVP_MD_CTX *mdctx;
const EVP_MD *md;
unsigned char digest[EVP_MAX_MD_SIZE];
char *cred;
@@ -1753,17 +1790,24 @@ static int lak_check_hashed(
if (!md)
return LAK_FAIL;
+ mdctx = EVP_MD_CTX_new();
+ if (!mdctx)
+ return LAK_NOMEM;
+
rc = lak_base64_decode(hash, &cred, &clen);
- if (rc != LAK_OK)
+ if (rc != LAK_OK) {
+ EVP_MD_CTX_free(mdctx);
return rc;
+ }
- EVP_DigestInit(&mdctx, md);
- EVP_DigestUpdate(&mdctx, passwd, strlen(passwd));
+ EVP_DigestInit(mdctx, md);
+ EVP_DigestUpdate(mdctx, passwd, strlen(passwd));
if (hrock->salted) {
- EVP_DigestUpdate(&mdctx, &cred[EVP_MD_size(md)],
+ EVP_DigestUpdate(mdctx, &cred[EVP_MD_size(md)],
clen - EVP_MD_size(md));
}
- EVP_DigestFinal(&mdctx, digest, NULL);
+ EVP_DigestFinal(mdctx, digest, NULL);
+ EVP_MD_CTX_free(mdctx);
rc = memcmp((char *)cred, (char *)digest, EVP_MD_size(md));
free(cred);

3
cyrus-sasl-2.1.27.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:26866b1549b00ffd020f188a43c258017fa1c382b3ddadd8201536f72efb05d5
size 4111249

70
cyrus-sasl-issue-402.patch
View File

@ -1,70 +0,0 @@
commit 06260404c047e111f86b67de2862ec124f8fe2ec
Author: Sergio Gelato <Sergio.Gelato@astro.su.se>
Date: Wed Oct 21 20:45:17 2015 +0200
Postpone computing maxbufsize until after security layers have been set.
Prior to this commit it was possible for the GSSAPI mechanism acceptor to
return a zero maxbufsize together with the integrity and/or confidentiality
layer bits set. This is not a workable combination.
Solve this by not zeroing maxbufsize (as required by RFC 4752 when only
the only security layer selected is authentication) until computation of
the security layer mask is complete. The condition for zeroing maxbufsize
then becomes much more straightforward.
diff --git a/plugins/gssapi.c b/plugins/gssapi.c
index 2fd1b3b..e861864 100644
--- a/plugins/gssapi.c
+++ b/plugins/gssapi.c
@@ -1007,21 +1007,14 @@ gssapi_server_mech_ssfcap(context_t *text,
}
/* build up our security properties token */
- if (text->requiressf != 0 &&
- (text->qop & (LAYER_INTEGRITY|LAYER_CONFIDENTIALITY))) {
- if (params->props.maxbufsize > 0xFFFFFF) {
- /* make sure maxbufsize isn't too large */
- /* maxbufsize = 0xFFFFFF */
- sasldata[1] = sasldata[2] = sasldata[3] = 0xFF;
- } else {
- sasldata[1] = (params->props.maxbufsize >> 16) & 0xFF;
- sasldata[2] = (params->props.maxbufsize >> 8) & 0xFF;
- sasldata[3] = (params->props.maxbufsize >> 0) & 0xFF;
- }
+ if (params->props.maxbufsize > 0xFFFFFF) {
+ /* make sure maxbufsize isn't too large */
+ /* maxbufsize = 0xFFFFFF */
+ sasldata[1] = sasldata[2] = sasldata[3] = 0xFF;
} else {
- /* From RFC 4752: "The client verifies that the server maximum buffer is 0
- if the server does not advertise support for any security layer." */
- sasldata[1] = sasldata[2] = sasldata[3] = 0;
+ sasldata[1] = (params->props.maxbufsize >> 16) & 0xFF;
+ sasldata[2] = (params->props.maxbufsize >> 8) & 0xFF;
+ sasldata[3] = (params->props.maxbufsize >> 0) & 0xFF;
}
sasldata[0] = 0;
@@ -1047,6 +1040,12 @@ gssapi_server_mech_ssfcap(context_t *text,
sasldata[0] |= LAYER_CONFIDENTIALITY;
}
+ if ((sasldata[0] & ~LAYER_NONE) == 0) {
+ /* From RFC 4752: "The client verifies that the server maximum buffer is 0
+ if the server does not advertise support for any security layer." */
+ sasldata[1] = sasldata[2] = sasldata[3] = 0;
+ }
+
/* Remember what we want and can offer */
text->qop = sasldata[0];
@@ -1401,7 +1400,7 @@ int gssapiv2_server_plug_init(
keytab, errno);
return SASL_FAIL;
}
-
+
if(strlen(keytab) > 1024) {
utils->log(NULL, SASL_LOG_ERR,
"path to keytab is > 1024 characters");

82
cyrus-sasl-lfs.patch
View File

@ -1,83 +1,13 @@
--- configure.in.orig
+++ configure.in
@@ -84,7 +84,9 @@ AC_ARG_ENABLE(obsolete_cram_attr,
enable_obsolete_cram_attr=$enableval,
enable_obsolete_cram_attr=yes)
--- cyrus-sasl-2.1.27.orig/configure.ac 2018-10-09 16:58:04.000000000 +0200
+++ cyrus-sasl-2.1.27/configure.ac 2018-11-17 13:05:26.475631124 +0100
@@ -95,7 +95,9 @@
enable_obsolete_digest_attr=$enableval,
enable_obsolete_digest_attr=yes)
-AC_PROG_CC
+AC_PROG_CC_STDC
+AC_USE_SYSTEM_EXTENSIONS
+AC_SYS_LARGEFILE
AX_PROG_CC_FOR_BUILD
AC_PROG_CPP
AC_PROG_AWK
AC_PROG_LN_S
--- saslauthd/configure.in.orig
+++ saslauthd/configure.in
@@ -19,7 +19,9 @@ AM_INIT_AUTOMAKE(saslauthd,2.1.25)
CMU_INIT_AUTOMAKE
dnl Checks for programs.
-AC_PROG_CC
+AC_PROG_CC_STDC
+AC_USE_SYSTEM_EXTENSIONS
+AC_SYS_LARGEFILE
AC_PROG_CPP
AC_PROG_AWK
AC_PROG_MAKE_SET
--- plugins/Makefile.am.orig
+++ plugins/Makefile.am
@@ -49,7 +49,8 @@
plugin_version = 3:0:0
INCLUDES=-I$(top_srcdir)/include -I$(top_srcdir)/lib -I$(top_srcdir)/sasldb -I$(top_builddir)/include
-AM_LDFLAGS = -module -export-dynamic -rpath $(plugindir) -version-info $(plugin_version)
+AM_CPPFLAGS = -include $(top_builddir)/config.h
+AM_LDFLAGS = -module -shared -export-dynamic -rpath $(plugindir) -version-info $(plugin_version)
COMPAT_OBJS = @LTGETADDRINFOOBJS@ @LTGETNAMEINFOOBJS@ @LTSNPRINTFOBJS@
--- lib/Makefile.am.orig
+++ lib/Makefile.am
@@ -43,7 +43,8 @@
# CURRENT:REVISION:AGE
sasl_version = 3:0:0
-INCLUDES=-DLIBSASL_EXPORTS=1 -I$(top_srcdir)/include -I$(top_srcdir)/plugins -I$(top_builddir)/include -I$(top_srcdir)/sasldb
+
+AM_CPPFLAGS=-DLIBSASL_EXPORTS=1 -include $(top_builddir)/config.h -I$(top_srcdir)/include -I$(top_srcdir)/plugins -I$(top_builddir)/include -I$(top_srcdir)/sasldb
EXTRA_DIST = windlopen.c staticopen.h NTMakefile
EXTRA_LIBRARIES = libsasl2.a
--- saslauthd/Makefile.am.orig
+++ saslauthd/Makefile.am
@@ -26,7 +26,7 @@ saslcache_SOURCES = saslcache.c
EXTRA_DIST = saslauthd.8 saslauthd.mdoc config include \
getnameinfo.c getaddrinfo.c LDAP_SASLAUTHD
-INCLUDES = -I$(top_srcdir)/include -I$(top_builddir)/include -I$(top_srcdir)/../include
+AM_CPPFLAGS = -include $(top_builddir)/config.h -I$(top_srcdir)/include -I$(top_builddir)/include -I$(top_srcdir)/../include
DEFS = @DEFS@ -DSASLAUTHD_CONF_FILE_DEFAULT=\"@sysconfdir@/saslauthd.conf\" -I. -I$(srcdir) -I..
--- utils/Makefile.am.orig
+++ utils/Makefile.am
@@ -89,7 +89,7 @@ libsfsasl2_la_SOURCES =
libsfsasl2_la_LIBADD = sfsasl.lo
libsfsasl2_la_LDFLAGS = -version-info 1:0:0 -export-dynamic -rpath $(libdir)
-INCLUDES=-I$(top_srcdir)/include -I$(top_builddir)/include @SASL_DB_INC@
+AM_CPPFLAGS = -include $(top_builddir)/config.h -I$(top_srcdir)/include -I$(top_builddir)/include @SASL_DB_INC@
EXTRA_DIST = saslpasswd2.8 sasldblistusers2.8 pluginviewer.8 sfsasl.h sfsasl.c smtptest.c testsuite.c pluginviewer.c NTMakefile
sfsasl.lo: sfsasl.c
--- sasldb/Makefile.am.orig
+++ sasldb/Makefile.am
@@ -44,7 +44,7 @@
# Note that this doesn't necessaraly follow the libsasl2 verison info
sasl_version = 1:25:0
-INCLUDES=-I$(top_srcdir)/include -I$(top_builddir)/include @SASL_DB_INC@
+AM_CPPFLAGS= -include $(top_builddir)/config.h -I$(top_srcdir)/include -I$(top_builddir)/include @SASL_DB_INC@
extra_common_sources = db_none.c db_ndbm.c db_gdbm.c db_berkeley.c

6
cyrus-sasl-no_rpath.patch
View File

@ -1,7 +1,7 @@
Index: cyrus-sasl-2.1.26/cmulocal/cyrus.m4
Index: cyrus-sasl-2.1.26/m4/cyrus.m4
===================================================================
--- cyrus-sasl-2.1.26.orig/cmulocal/cyrus.m4
+++ cyrus-sasl-2.1.26/cmulocal/cyrus.m4
--- cyrus-sasl-2.1.26.orig/m4/cyrus.m4
+++ cyrus-sasl-2.1.26/m4/cyrus.m4
@@ -32,14 +32,5 @@ AC_DEFUN([CMU_ADD_LIBPATH_TO], [
dnl runpath initialization
AC_DEFUN([CMU_GUESS_RUNPATH_SWITCH], [

15
cyrus-sasl-revert_gssapi_flags.patch
View File

@ -1,15 +0,0 @@
--- a/plugins/gssapi.c
+++ b/plugins/gssapi.c
@@ -1583,10 +1583,10 @@ static int gssapi_client_mech_step(void *conn_context,
}
/* Setup req_flags properly */
- req_flags = GSS_C_INTEG_FLAG;
+ req_flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
if (params->props.max_ssf > params->external_ssf) {
/* We are requesting a security layer */
- req_flags |= GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
+ req_flags |= GSS_C_INTEG_FLAG;
/* Any SSF bigger than 1 is confidentiality. */
/* Let's check if the client of the API requires confidentiality,
and it wasn't already provided by an external layer */

31
cyrus-sasl-saslauthd.changes
View File

@ -1,3 +1,34 @@
-------------------------------------------------------------------
Sat Nov 17 10:14:14 UTC 2018 - Michael Ströder <michael@stroeder.com>
- removed patches obsoleted by upstream changes:
* shared_link_on_ppc.patch
* fix-sasl-header.diff
* cyrus-sasl-revert_gssapi_flags.patch
* cyrus-sasl-issue-402.patch
* cyrus-sasl-2.1.27-openssl-1.1.0.patch
- replaced cumlocal/ with m4/ in patches
- added fix_libpq-fe_include.diff for fixing including libpq-fe.h
- Update to 2.1.27
* cache.c:
Dont use cached credentials if timeout has expired
Fixed debug logging output
* ipc_doors.c:
Fixed potential DoS attack (from Oracle)
* ipc_unix.c:
Prevent premature closing of socket
* auth_rimap.c:
Added support LOGOUT command
Added support for unsolicited CAPABILITY responses in LOGIN reply
Properly detect end of responses (dont needlessly wait)
Properly handle backslash in passwords
* auth_httpform:
Fix off-by-one error in string termination
Added support for 204 success response
* auth_krb5.c:
Added krb5_conv_krb4_instance option
Added more verbose error logging
-------------------------------------------------------------------
Tue Feb 13 08:59:21 UTC 2018 - varkoly@suse.com

15
cyrus-sasl-saslauthd.spec
View File

@ -22,7 +22,7 @@
%endif
Name: cyrus-sasl-saslauthd
Version: 2.1.26
Version: 2.1.27
Release: 0
Summary: The SASL Authentication Server
License: BSD-4-Clause
@ -34,12 +34,11 @@ Source1: cyrus-sasl-rc.tar.bz2
Source2: README.Source
Source3: baselibs.conf
Source4: saslauthd.service
Patch: cyrus-sasl.dif
Patch1: shared_link_on_ppc.patch
Patch5: cyrus-sasl-no_rpath.patch
Patch6: cyrus-sasl-lfs.patch
Patch7: fix-sasl-header.diff
Patch10: cyrus-sasl-2.1.27-openssl-1.1.0.patch
Patch7: fix_libpq-fe_include.diff
PreReq: %fillup_prereq
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: db-devel
@ -77,15 +76,13 @@ The SQL auxprop plugin supports PostgreSQL and MySQL
%prep
%setup -n cyrus-sasl-%{version} -a 1
%patch
%patch1
%patch5 -p1
%patch6
%patch6 -p1
%patch7 -p1
%patch10 -p1
%build
find . -name "*.cvsignore" -exec rm -fv "{}" "+"
autoreconf -f -i
autoreconf -f
export CFLAGS="-fno-strict-aliasing $RPM_OPT_FLAGS -DLDAP_DEPRECATED"
%configure --with-plugindir=%{_libdir}/sasl2 \
--with-configdir=/etc/sasl2/:%{_libdir}/sasl2 \
@ -159,7 +156,7 @@ install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_unitdir}
/usr/sbin/*
/usr/bin/*
%doc %{_mandir}/man8/*.gz
%doc saslauthd/AUTHORS saslauthd/COPYING saslauthd/ChangeLog saslauthd/LDAP_SASLAUTHD saslauthd/NEWS saslauthd/README
%doc saslauthd/COPYING saslauthd/ChangeLog saslauthd/LDAP_SASLAUTHD
%files -n cyrus-sasl-sqlauxprop
%defattr(-,root,root)

32
cyrus-sasl.changes
View File

@ -1,3 +1,35 @@
-------------------------------------------------------------------
Sat Nov 17 10:14:14 UTC 2018 - Michael Ströder <michael@stroeder.com>
- removed patches obsoleted by upstream changes:
* shared_link_on_ppc.patch
* fix-sasl-header.diff
* cyrus-sasl-revert_gssapi_flags.patch
* cyrus-sasl-issue-402.patch
* cyrus-sasl-2.1.27-openssl-1.1.0.patch
- replaced cumlocal/ with m4/ in patches
- added fix_libpq-fe_include.diff for fixing including libpq-fe.h
- Update to 2.1.27
* Added support for OpenSSL 1.1
* Added support for lmdb
* Lots of build fixes
* Treat SCRAM and DIGEST-MD5 as more secure than PLAIN when selecting client mech
* DIGEST-MD5 plugin:
Fixed memory leaks
Fixed a segfault when looking for non-existent reauth cache
Prevent client from going from step 3 back to step 2
Allow cmusaslsecretDIGEST-MD5 property to be disabled
* GSSAPI plugin:
Added support for retrieving negotiated SSF
Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF
Properly compute maxbufsize AFTER security layers have been set
* SCRAM plugin:
Added support for SCRAM-SHA-256
* LOGIN plugin:
Dont prompt client for password until requested by server
* NTLM plugin:
Fixed crash due to uninitialized HMAC context
-------------------------------------------------------------------
Tue Feb 13 08:59:21 UTC 2018 - varkoly@suse.com

27
cyrus-sasl.dif
View File

@ -1,7 +1,7 @@
Index: cmulocal/cyrus.m4
Index: m4/cyrus.m4
===================================================================
--- cmulocal/cyrus.m4.orig
+++ cmulocal/cyrus.m4
--- m4/cyrus.m4.orig
+++ m4/cyrus.m4
@@ -37,7 +37,7 @@ AC_DEFUN([CMU_GUESS_RUNPATH_SWITCH], [
SAVE_LDFLAGS="${LDFLAGS}"
LDFLAGS="-R /usr/lib"
@ -25,20 +25,13 @@ Index: Makefile.am
else
Index: sasldb/Makefile.am
===================================================================
--- sasldb/Makefile.am.orig
+++ sasldb/Makefile.am
@@ -48,6 +48,7 @@ INCLUDES=-I$(top_srcdir)/include -I$(top
extra_common_sources = db_none.c db_ndbm.c db_gdbm.c db_berkeley.c
+AM_CFLAGS = "-fPIC"
EXTRA_DIST = NTMakefile
noinst_LTLIBRARIES = libsasldb.la
@@ -66,3 +67,8 @@ libsasldb.a: libsasldb.la $(SASL_DB_BACK
$(AR) cru .libs/$@ $(SASL_DB_BACKEND_STATIC)
--- sasldb/Makefile.am 2016-01-29 18:35:35.000000000 +0100
+++ sasldb/Makefile.am 2018-11-17 12:51:05.800696917 +0100
@@ -57,3 +57,9 @@
libsasldb_la_DEPENDENCIES = $(SASL_DB_BACKEND)
libsasldb_la_LIBADD = $(SASL_DB_BACKEND)
libsasldb_la_LDFLAGS = -no-undefined
+
+# avoid these two files created at the same time, they use both the same
+# dep file
+db_berkeley.lo: db_berkeley.o

19
cyrus-sasl.spec
View File

@ -18,7 +18,7 @@
Name: cyrus-sasl
%define lname libsasl2-3
Version: 2.1.26
Version: 2.1.27
Release: 0
Url: http://asg.web.cmu.edu/sasl/
Summary: Implementation of Cyrus SASL API
@ -30,14 +30,9 @@ Source1: cyrus-sasl-rc.tar.bz2
Source2: README.Source
Source3: baselibs.conf
Patch: cyrus-sasl.dif
Patch1: shared_link_on_ppc.patch
Patch5: cyrus-sasl-no_rpath.patch
Patch6: cyrus-sasl-lfs.patch
Patch7: fix-sasl-header.diff
Patch8: cyrus-sasl-revert_gssapi_flags.patch
# see https://github.com/cyrusimap/cyrus-sasl/issues/402
Patch9: cyrus-sasl-issue-402.patch
Patch10: cyrus-sasl-2.1.27-openssl-1.1.0.patch
Patch7: fix_libpq-fe_include.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: db-devel
BuildRequires: krb5-mini-devel
@ -169,17 +164,13 @@ then
rm -rf %{_builddir}/%{name}-%{version}/dlcompat-*
fi
%patch
%patch1
%patch5 -p1
%patch6
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%build
find . -name "*.cvsignore" -exec rm -fv "{}" "+"
autoreconf -f -i
autoreconf -f
export CFLAGS="%optflags -fno-strict-aliasing"
%configure --with-pic \
--with-plugindir=%{_libdir}/sasl2 \
@ -271,7 +262,7 @@ find "%buildroot" -type f -name "*.la" -print -delete
%files devel
%defattr(-,root,root)
%doc AUTHORS COPYING ChangeLog NEWS README doc
%doc AUTHORS COPYING ChangeLog README doc
%_includedir/sasl/
%doc %{_mandir}/man3/sasl_*.gz
%{_libdir}/libsasl2.so

12
fix-sasl-header.diff
View File

@ -1,12 +0,0 @@
--- cyrus-sasl-2.1.26/include/sasl.h 2012-10-12 09:05:48.000000000 -0500
+++ cyrus-sasl-2.1.26/include/sasl.h 2013-01-31 13:21:04.007739327 -0600
@@ -223,6 +223,8 @@ extern "C" {
* they must be called before all other SASL functions:
*/
+#include <sys/types.h>
+
/* memory allocation functions which may optionally be replaced:
*/
typedef void *sasl_malloc_t(size_t);

11
fix_libpq-fe_include.diff Normal file
View File

@ -0,0 +1,11 @@
--- cyrus-sasl-2.1.27.orig/plugins/sql.c 2016-12-10 16:45:55.000000000 +0100
+++ cyrus-sasl-2.1.27/plugins/sql.c 2018-11-17 14:04:33.821540573 +0100
@@ -188,7 +188,7 @@
#endif /* HAVE_MYSQL */
#ifdef HAVE_PGSQL
-#include <libpq-fe.h>
+#include <pgsql/libpq-fe.h>
static void *_pgsql_open(char *host, char *port, int usessl,
const char *user, const char *password,

10
shared_link_on_ppc.patch
View File

@ -1,10 +0,0 @@
--- config/ltconfig.orig 2003-01-23 09:20:31.000000000 +0100
+++ config/ltconfig 2003-01-23 09:20:49.000000000 +0100
@@ -2029,7 +2029,6 @@
else
# Only the GNU ld.so supports shared libraries on MkLinux.
case "$host_cpu" in
- powerpc*) dynamic_linker=no ;;
*) dynamic_linker='Linux ld.so' ;;
esac
fi