rpm/cyrus-sasl
SHA256
1
0
Fork 0
forked from pool/cyrus-sasl
Code Pull Requests Activity

Accepting request 486184 from home:stroeder:branches:network

Browse Source 
added patch for https://github.com/cyrusimap/cyrus-sasl/issues/402

tested with Howard's krb/ test.sh

OBS-URL: https://build.opensuse.org/request/show/486184
OBS-URL: https://build.opensuse.org/package/show/network/cyrus-sasl?expand=0&rev=61
This commit is contained in:
Dirk Mueller 2017-04-07 07:48:19 +00:00 committed by Git OBS Bridge
parent e4a3415715
commit 7d7a6af4f8
3 changed files with 80 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
cyrus-sasl-issue-402.patch Normal file
View File

@ -0,0 +1,70 @@
commit 06260404c047e111f86b67de2862ec124f8fe2ec
Author: Sergio Gelato <Sergio.Gelato@astro.su.se>
Date: Wed Oct 21 20:45:17 2015 +0200
Postpone computing maxbufsize until after security layers have been set.
Prior to this commit it was possible for the GSSAPI mechanism acceptor to
return a zero maxbufsize together with the integrity and/or confidentiality
layer bits set. This is not a workable combination.
Solve this by not zeroing maxbufsize (as required by RFC 4752 when only
the only security layer selected is authentication) until computation of
the security layer mask is complete. The condition for zeroing maxbufsize
then becomes much more straightforward.
diff --git a/plugins/gssapi.c b/plugins/gssapi.c
index 2fd1b3b..e861864 100644
--- a/plugins/gssapi.c
+++ b/plugins/gssapi.c
@@ -1007,21 +1007,14 @@ gssapi_server_mech_ssfcap(context_t *text,
}
/* build up our security properties token */
- if (text->requiressf != 0 &&
- (text->qop & (LAYER_INTEGRITY|LAYER_CONFIDENTIALITY))) {
- if (params->props.maxbufsize > 0xFFFFFF) {
- /* make sure maxbufsize isn't too large */
- /* maxbufsize = 0xFFFFFF */
- sasldata[1] = sasldata[2] = sasldata[3] = 0xFF;
- } else {
- sasldata[1] = (params->props.maxbufsize >> 16) & 0xFF;
- sasldata[2] = (params->props.maxbufsize >> 8) & 0xFF;
- sasldata[3] = (params->props.maxbufsize >> 0) & 0xFF;
- }
+ if (params->props.maxbufsize > 0xFFFFFF) {
+ /* make sure maxbufsize isn't too large */
+ /* maxbufsize = 0xFFFFFF */
+ sasldata[1] = sasldata[2] = sasldata[3] = 0xFF;
} else {
- /* From RFC 4752: "The client verifies that the server maximum buffer is 0
- if the server does not advertise support for any security layer." */
- sasldata[1] = sasldata[2] = sasldata[3] = 0;
+ sasldata[1] = (params->props.maxbufsize >> 16) & 0xFF;
+ sasldata[2] = (params->props.maxbufsize >> 8) & 0xFF;
+ sasldata[3] = (params->props.maxbufsize >> 0) & 0xFF;
}
sasldata[0] = 0;
@@ -1047,6 +1040,12 @@ gssapi_server_mech_ssfcap(context_t *text,
sasldata[0] |= LAYER_CONFIDENTIALITY;
}
+ if ((sasldata[0] & ~LAYER_NONE) == 0) {
+ /* From RFC 4752: "The client verifies that the server maximum buffer is 0
+ if the server does not advertise support for any security layer." */
+ sasldata[1] = sasldata[2] = sasldata[3] = 0;
+ }
+
/* Remember what we want and can offer */
text->qop = sasldata[0];
@@ -1401,7 +1400,7 @@ int gssapiv2_server_plug_init(
keytab, errno);
return SASL_FAIL;
}
-
+
if(strlen(keytab) > 1024) {
utils->log(NULL, SASL_LOG_ERR,
"path to keytab is > 1024 characters");

7
cyrus-sasl.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Wed Mar 22 09:56:37 UTC 2017 - michael@stroeder.com
- added cyrus-sasl-issue-402.patch to fix
SASL GSSAPI mechanism acceptor wrongly returns zero maxbufsize #402
(see https://github.com/cyrusimap/cyrus-sasl/issues/402)
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Jan 6 19:02:33 UTC 2015 - varkoly@suse.com Tue Jan 6 19:02:33 UTC 2015 - varkoly@suse.com

3
cyrus-sasl.spec
View File

@ -35,6 +35,8 @@ Patch5: cyrus-sasl-no_rpath.patch
Patch6: cyrus-sasl-lfs.patch Patch6: cyrus-sasl-lfs.patch
Patch7: fix-sasl-header.diff Patch7: fix-sasl-header.diff
Patch8: cyrus-sasl-revert_gssapi_flags.patch Patch8: cyrus-sasl-revert_gssapi_flags.patch
# see https://github.com/cyrusimap/cyrus-sasl/issues/402
Patch9: cyrus-sasl-issue-402.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: db-devel BuildRequires: db-devel
BuildRequires: krb5-mini-devel BuildRequires: krb5-mini-devel
@ -171,6 +173,7 @@ fi
%patch6 %patch6
%patch7 -p1 %patch7 -p1
%patch8 -p1 %patch8 -p1
%patch9 -p1
%build %build
find . -name "*.cvsignore" -exec rm -fv "{}" "+" find . -name "*.cvsignore" -exec rm -fv "{}" "+"