import cyrus-sasl-2.1.27-19.el9

This commit is contained in:
CentOS Sources 2022-03-01 07:59:55 -05:00 committed by Stepan Oksanichenko
parent 6f6f3f825e
commit 01eff975db
5 changed files with 755 additions and 87 deletions

View File

@ -0,0 +1,544 @@
diff -uPr cyrus-sasl-2.1.27/plugins/digestmd5.c cyrus-sasl-2.1.27.digestmd5/plugins/digestmd5.c
--- cyrus-sasl-2.1.27/plugins/digestmd5.c 2021-09-30 17:13:06.573093526 -0400
+++ cyrus-sasl-2.1.27.digestmd5/plugins/digestmd5.c 2021-09-30 17:26:31.818378442 -0400
@@ -80,6 +80,12 @@
# endif
#endif /* WITH_DES */
+/* legacy provider with openssl 3.0 */
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+# include <openssl/provider.h>
+# include <openssl/crypto.h>
+#endif
+
#ifdef WIN32
# include <winsock2.h>
#else /* Unix */
@@ -170,6 +176,12 @@
typedef struct cipher_context cipher_context_t;
+typedef struct crypto_context {
+ void *libctx;
+ cipher_context_t *enc_ctx;
+ cipher_context_t *dec_ctx;
+} crypto_context_t;
+
/* cached auth info used for fast reauth */
typedef struct reauth_entry {
char *authid;
@@ -254,12 +266,12 @@
decode_context_t decode_context;
/* if privacy mode is used use these functions for encode and decode */
+ char *cipher_name;
cipher_function_t *cipher_enc;
cipher_function_t *cipher_dec;
cipher_init_t *cipher_init;
cipher_free_t *cipher_free;
- struct cipher_context *cipher_enc_context;
- struct cipher_context *cipher_dec_context;
+ crypto_context_t crypto;
} context_t;
struct digest_cipher {
@@ -888,7 +900,7 @@
char *output,
unsigned *outputlen)
{
- des_context_t *c = (des_context_t *) text->cipher_dec_context;
+ des_context_t *c = (des_context_t *) text->crypto.dec_ctx;
int padding, p;
des_ede2_cbc_encrypt((void *) input,
@@ -925,7 +937,7 @@
char *output,
unsigned *outputlen)
{
- des_context_t *c = (des_context_t *) text->cipher_enc_context;
+ des_context_t *c = (des_context_t *) text->crypto.enc_ctx;
int len;
int paddinglen;
@@ -973,7 +985,7 @@
return SASL_FAIL;
memcpy(c->ivec, ((char *) enckey) + 8, 8);
- text->cipher_enc_context = (cipher_context_t *) c;
+ text->crypto.enc_ctx = (cipher_context_t *) c;
/* setup dec context */
c++;
@@ -987,7 +999,7 @@
memcpy(c->ivec, ((char *) deckey) + 8, 8);
- text->cipher_dec_context = (cipher_context_t *) c;
+ text->crypto.dec_ctx = (cipher_context_t *) c;
return SASL_OK;
}
@@ -1006,7 +1018,7 @@
char *output,
unsigned *outputlen)
{
- des_context_t *c = (des_context_t *) text->cipher_dec_context;
+ des_context_t *c = (des_context_t *) text->crypto.dec_ctx;
int p, padding = 0;
des_cbc_encrypt((void *) input,
@@ -1046,7 +1058,7 @@
char *output,
unsigned *outputlen)
{
- des_context_t *c = (des_context_t *) text->cipher_enc_context;
+ des_context_t *c = (des_context_t *) text->crypto.enc_ctx;
int len;
int paddinglen;
@@ -1093,7 +1105,7 @@
memcpy(c->ivec, ((char *) enckey) + 8, 8);
- text->cipher_enc_context = (cipher_context_t *) c;
+ text->crypto.enc_ctx = (cipher_context_t *) c;
/* setup dec context */
c++;
@@ -1102,60 +1114,139 @@
memcpy(c->ivec, ((char *) deckey) + 8, 8);
- text->cipher_dec_context = (cipher_context_t *) c;
+ text->crypto.dec_ctx = (cipher_context_t *) c;
return SASL_OK;
}
static void free_des(context_t *text)
{
- /* free des contextss. only cipher_enc_context needs to be free'd,
- since cipher_dec_context was allocated at the same time. */
- if (text->cipher_enc_context) text->utils->free(text->cipher_enc_context);
+ /* free des contextss. only enc_ctx needs to be free'd,
+ since dec_cxt was allocated at the same time. */
+ if (text->crypto.enc_ctx) {
+ text->utils->free(text->crypto.enc_ctx);
+ }
}
#endif /* WITH_DES */
#ifdef WITH_RC4
-#ifdef HAVE_OPENSSL
#include <openssl/evp.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+typedef struct ossl3_library_context {
+ OSSL_LIB_CTX *libctx;
+ OSSL_PROVIDER *legacy_provider;
+ OSSL_PROVIDER *default_provider;
+} ossl3_context_t;
+
+static int init_ossl3_ctx(context_t *text)
+{
+ ossl3_context_t *ctx = text->utils->malloc(sizeof(ossl3_context_t));
+ if (!ctx) return SASL_NOMEM;
+
+ ctx->libctx = OSSL_LIB_CTX_new();
+ if (!ctx->libctx) {
+ text->utils->free(ctx);
+ return SASL_FAIL;
+ }
+
+ /* Load both legacy and default provider as both may be needed */
+ /* if they fail keep going and an error will be raised when we try to
+ * fetch the cipher later */
+ ctx->legacy_provider = OSSL_PROVIDER_load(ctx->libctx, "legacy");
+ ctx->default_provider = OSSL_PROVIDER_load(ctx->libctx, "default");
+ text->crypto.libctx = (void *)ctx;
+
+ return SASL_OK;
+}
+
+static void free_ossl3_ctx(context_t *text)
+{
+ ossl3_context_t *ctx;
+
+ if (!text->crypto.libctx) return;
+
+ ctx = (ossl3_context_t *)text->crypto.libctx;
+
+ if (ctx->legacy_provider) OSSL_PROVIDER_unload(ctx->legacy_provider);
+ if (ctx->default_provider) OSSL_PROVIDER_unload(ctx->default_provider);
+ if (ctx->libctx) OSSL_LIB_CTX_free(ctx->libctx);
+
+ text->utils->free(ctx);
+ text->crypto.libctx = NULL;
+}
+#endif
+
static void free_rc4(context_t *text)
{
- if (text->cipher_enc_context) {
- EVP_CIPHER_CTX_free((EVP_CIPHER_CTX *)text->cipher_enc_context);
- text->cipher_enc_context = NULL;
- }
- if (text->cipher_dec_context) {
- EVP_CIPHER_CTX_free((EVP_CIPHER_CTX *)text->cipher_dec_context);
- text->cipher_dec_context = NULL;
+ if (text->crypto.enc_ctx) {
+ EVP_CIPHER_CTX_free((EVP_CIPHER_CTX *)text->crypto.enc_ctx);
+ text->crypto.enc_ctx = NULL;
+ }
+ if (text->crypto.dec_ctx) {
+ EVP_CIPHER_CTX_free((EVP_CIPHER_CTX *)text->crypto.dec_ctx);
+ text->crypto.dec_ctx = NULL;
}
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ free_ossl3_ctx(text);
+#endif
}
static int init_rc4(context_t *text,
unsigned char enckey[16],
unsigned char deckey[16])
{
+ const EVP_CIPHER *cipher;
EVP_CIPHER_CTX *ctx;
int rc;
- ctx = EVP_CIPHER_CTX_new();
- if (ctx == NULL) return SASL_NOMEM;
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ ossl3_context_t *ossl3_ctx;
- rc = EVP_EncryptInit_ex(ctx, EVP_rc4(), NULL, enckey, NULL);
- if (rc != 1) return SASL_FAIL;
+ rc = init_ossl3_ctx(text);
+ if (rc != SASL_OK) return rc;
+
+ ossl3_ctx = (ossl3_context_t *)text->crypto.libctx;
+ cipher = EVP_CIPHER_fetch(ossl3_ctx->libctx, "RC4", "");
+#else
+ cipher = EVP_rc4();
+#endif
- text->cipher_enc_context = (void *)ctx;
ctx = EVP_CIPHER_CTX_new();
- if (ctx == NULL) return SASL_NOMEM;
+ if (ctx == NULL) {
+ rc = SASL_NOMEM;
+ goto done;
+ }
- rc = EVP_DecryptInit_ex(ctx, EVP_rc4(), NULL, deckey, NULL);
- if (rc != 1) return SASL_FAIL;
+ rc = EVP_EncryptInit_ex(ctx, cipher, NULL, enckey, NULL);
+ if (rc != 1) {
+ rc = SASL_FAIL;
+ goto done;
+ }
+ text->crypto.enc_ctx = (void *)ctx;
- text->cipher_dec_context = (void *)ctx;
+ ctx = EVP_CIPHER_CTX_new();
+ if (ctx == NULL) {
+ rc = SASL_NOMEM;
+ goto done;
+ }
- return SASL_OK;
+ rc = EVP_DecryptInit_ex(ctx, cipher, NULL, deckey, NULL);
+ if (rc != 1) {
+ rc = SASL_FAIL;
+ goto done;
+ }
+ text->crypto.dec_ctx = (void *)ctx;
+
+ rc = SASL_OK;
+
+done:
+ if (rc != SASL_OK) {
+ free_rc4(text);
+ }
+ return rc;
}
static int dec_rc4(context_t *text,
@@ -1169,14 +1260,14 @@
int rc;
/* decrypt the text part & HMAC */
- rc = EVP_DecryptUpdate((EVP_CIPHER_CTX *)text->cipher_dec_context,
+ rc = EVP_DecryptUpdate((EVP_CIPHER_CTX *)text->crypto.dec_ctx,
(unsigned char *)output, &len,
(const unsigned char *)input, inputlen);
if (rc != 1) return SASL_FAIL;
*outputlen = len;
- rc = EVP_DecryptFinal_ex((EVP_CIPHER_CTX *)text->cipher_dec_context,
+ rc = EVP_DecryptFinal_ex((EVP_CIPHER_CTX *)text->crypto.dec_ctx,
(unsigned char *)output + len, &len);
if (rc != 1) return SASL_FAIL;
@@ -1198,7 +1289,7 @@
int len;
int rc;
/* encrypt the text part */
- rc = EVP_EncryptUpdate((EVP_CIPHER_CTX *)text->cipher_enc_context,
+ rc = EVP_EncryptUpdate((EVP_CIPHER_CTX *)text->crypto.enc_ctx,
(unsigned char *)output, &len,
(const unsigned char *)input, inputlen);
if (rc != 1) return SASL_FAIL;
@@ -1206,14 +1297,14 @@
*outputlen = len;
/* encrypt the `MAC part */
- rc = EVP_EncryptUpdate((EVP_CIPHER_CTX *)text->cipher_enc_context,
+ rc = EVP_EncryptUpdate((EVP_CIPHER_CTX *)text->crypto.enc_ctx,
(unsigned char *)output + *outputlen, &len,
digest, 10);
if (rc != 1) return SASL_FAIL;
*outputlen += len;
- rc = EVP_EncryptFinal_ex((EVP_CIPHER_CTX *)text->cipher_enc_context,
+ rc = EVP_EncryptFinal_ex((EVP_CIPHER_CTX *)text->crypto.enc_ctx,
(unsigned char *)output + *outputlen, &len);
if (rc != 1) return SASL_FAIL;
@@ -1221,188 +1312,11 @@
return SASL_OK;
}
-#else
-/* quick generic implementation of RC4 */
-struct rc4_context_s {
- unsigned char sbox[256];
- int i, j;
-};
-
-typedef struct rc4_context_s rc4_context_t;
-
-static void rc4_init(rc4_context_t *text,
- const unsigned char *key,
- unsigned keylen)
-{
- int i, j;
-
- /* fill in linearly s0=0 s1=1... */
- for (i=0;i<256;i++)
- text->sbox[i]=i;
-
- j=0;
- for (i = 0; i < 256; i++) {
- unsigned char tmp;
- /* j = (j + Si + Ki) mod 256 */
- j = (j + text->sbox[i] + key[i % keylen]) % 256;
-
- /* swap Si and Sj */
- tmp = text->sbox[i];
- text->sbox[i] = text->sbox[j];
- text->sbox[j] = tmp;
- }
-
- /* counters initialized to 0 */
- text->i = 0;
- text->j = 0;
-}
-
-static void rc4_encrypt(rc4_context_t *text,
- const char *input,
- char *output,
- unsigned len)
-{
- int tmp;
- int i = text->i;
- int j = text->j;
- int t;
- int K;
- const char *input_end = input + len;
-
- while (input < input_end) {
- i = (i + 1) % 256;
-
- j = (j + text->sbox[i]) % 256;
-
- /* swap Si and Sj */
- tmp = text->sbox[i];
- text->sbox[i] = text->sbox[j];
- text->sbox[j] = tmp;
-
- t = (text->sbox[i] + text->sbox[j]) % 256;
-
- K = text->sbox[t];
-
- /* byte K is Xor'ed with plaintext */
- *output++ = *input++ ^ K;
- }
-
- text->i = i;
- text->j = j;
-}
-
-static void rc4_decrypt(rc4_context_t *text,
- const char *input,
- char *output,
- unsigned len)
-{
- int tmp;
- int i = text->i;
- int j = text->j;
- int t;
- int K;
- const char *input_end = input + len;
-
- while (input < input_end) {
- i = (i + 1) % 256;
-
- j = (j + text->sbox[i]) % 256;
-
- /* swap Si and Sj */
- tmp = text->sbox[i];
- text->sbox[i] = text->sbox[j];
- text->sbox[j] = tmp;
-
- t = (text->sbox[i] + text->sbox[j]) % 256;
-
- K = text->sbox[t];
-
- /* byte K is Xor'ed with plaintext */
- *output++ = *input++ ^ K;
- }
-
- text->i = i;
- text->j = j;
-}
-
-static void free_rc4(context_t *text)
-{
- /* free rc4 context structures */
-
- if(text->cipher_enc_context) text->utils->free(text->cipher_enc_context);
- if(text->cipher_dec_context) text->utils->free(text->cipher_dec_context);
-}
-
-static int init_rc4(context_t *text,
- unsigned char enckey[16],
- unsigned char deckey[16])
-{
- /* allocate rc4 context structures */
- text->cipher_enc_context=
- (cipher_context_t *) text->utils->malloc(sizeof(rc4_context_t));
- if (text->cipher_enc_context == NULL) return SASL_NOMEM;
-
- text->cipher_dec_context=
- (cipher_context_t *) text->utils->malloc(sizeof(rc4_context_t));
- if (text->cipher_dec_context == NULL) return SASL_NOMEM;
-
- /* initialize them */
- rc4_init((rc4_context_t *) text->cipher_enc_context,
- (const unsigned char *) enckey, 16);
- rc4_init((rc4_context_t *) text->cipher_dec_context,
- (const unsigned char *) deckey, 16);
-
- return SASL_OK;
-}
-
-static int dec_rc4(context_t *text,
- const char *input,
- unsigned inputlen,
- unsigned char digest[16] __attribute__((unused)),
- char *output,
- unsigned *outputlen)
-{
- /* decrypt the text part & HMAC */
- rc4_decrypt((rc4_context_t *) text->cipher_dec_context,
- input, output, inputlen);
-
- /* no padding so we just subtract the HMAC to get the text length */
- *outputlen = inputlen - 10;
-
- return SASL_OK;
-}
-
-static int enc_rc4(context_t *text,
- const char *input,
- unsigned inputlen,
- unsigned char digest[16],
- char *output,
- unsigned *outputlen)
-{
- /* pad is zero */
- *outputlen = inputlen+10;
-
- /* encrypt the text part */
- rc4_encrypt((rc4_context_t *) text->cipher_enc_context,
- input,
- output,
- inputlen);
-
- /* encrypt the HMAC part */
- rc4_encrypt((rc4_context_t *) text->cipher_enc_context,
- (const char *) digest,
- (output)+inputlen, 10);
-
- return SASL_OK;
-}
-#endif /* HAVE_OPENSSL */
#endif /* WITH_RC4 */
struct digest_cipher available_ciphers[] =
{
#ifdef WITH_RC4
- { "rc4-40", 40, 5, 0x01, &enc_rc4, &dec_rc4, &init_rc4, &free_rc4 },
- { "rc4-56", 56, 7, 0x02, &enc_rc4, &dec_rc4, &init_rc4, &free_rc4 },
{ "rc4", 128, 16, 0x04, &enc_rc4, &dec_rc4, &init_rc4, &free_rc4 },
#endif
#ifdef WITH_DES
@@ -2815,6 +2729,7 @@
}
if (cptr->name) {
+ text->cipher_name = cptr->name;
text->cipher_enc = cptr->cipher_enc;
text->cipher_dec = cptr->cipher_dec;
text->cipher_init = cptr->cipher_init;
@@ -2958,7 +2873,10 @@
if (text->cipher_init) {
if (text->cipher_init(text, enckey, deckey) != SASL_OK) {
sparams->utils->seterror(sparams->utils->conn, 0,
- "couldn't init cipher");
+ "couldn't init cipher '%s'",
+ text->cipher_name);
+ result = SASL_FAIL;
+ goto FreeAllMem;
}
}
}
@@ -3509,6 +3427,7 @@
oparams->mech_ssf = ctext->cipher->ssf;
nbits = ctext->cipher->n;
+ text->cipher_name = ctext->cipher->name;
text->cipher_enc = ctext->cipher->cipher_enc;
text->cipher_dec = ctext->cipher->cipher_dec;
text->cipher_free = ctext->cipher->cipher_free;
@@ -3733,7 +3652,13 @@
/* initialize cipher if need be */
if (text->cipher_init) {
- text->cipher_init(text, enckey, deckey);
+ if (text->cipher_init(text, enckey, deckey) != SASL_OK) {
+ params->utils->seterror(params->utils->conn, 0,
+ "internal error: failed to init cipher '%s'",
+ text->cipher_name);
+ result = SASL_FAIL;
+ goto FreeAllocatedMem;
+ }
}
}

View File

@ -0,0 +1,109 @@
diff -uPr cyrus-sasl-2.1.27/configure.ac cyrus-sasl-2.1.27.ossl3/configure.ac
--- cyrus-sasl-2.1.27/configure.ac 2021-10-06 11:29:53.274375206 -0400
+++ cyrus-sasl-2.1.27.ossl3/configure.ac 2021-10-06 11:31:19.966726775 -0400
@@ -1115,7 +1115,11 @@
with_rc4=yes)
if test "$with_rc4" != no; then
- AC_DEFINE(WITH_RC4,[],[Use RC4])
+ if test "$with_openssl" = no; then
+ AC_WARN([OpenSSL not found -- RC4 will be disabled])
+ else
+ AC_DEFINE(WITH_RC4,[],[Use RC4])
+ fi
fi
building_for_macosx=no
diff -uPr cyrus-sasl-2.1.27/plugins/scram.c cyrus-sasl-2.1.27.ossl3/plugins/scram.c
--- cyrus-sasl-2.1.27/plugins/scram.c 2018-11-08 12:29:57.000000000 -0500
+++ cyrus-sasl-2.1.27.ossl3/plugins/scram.c 2021-10-06 11:31:04.407484201 -0400
@@ -65,7 +65,9 @@
#include <openssl/sha.h>
#include <openssl/evp.h>
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
#include <openssl/hmac.h>
+#endif
/***************************** Common Section *****************************/
@@ -267,6 +271,32 @@
}
#endif
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+
+/* Decalre as void given functions never use the result */
+void *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
+ const unsigned char *data, size_t data_len,
+ unsigned char *md, unsigned int *md_len)
+{
+ const char *digest;
+ size_t digest_size;
+ size_t out_len;
+ void *ret = NULL;
+
+ digest = EVP_MD_get0_name(evp_md);
+ if (digest == NULL) {
+ return NULL;
+ }
+ digest_size = EVP_MD_size(evp_md);
+
+ ret = EVP_Q_mac(NULL, "hmac", NULL, digest, NULL, key, key_len,
+ data, data_len, md, digest_size, &out_len);
+ if (ret != NULL) {
+ *md_len = (unsigned int)out_len;
+ }
+ return ret;
+}
+#endif
/* The result variable need to point to a buffer big enough for the [SHA-1] hash */
static void
diff -uPr cyrus-sasl-2.1.27/saslauthd/lak.c cyrus-sasl-2.1.27.ossl3/saslauthd/lak.c
--- cyrus-sasl-2.1.27/saslauthd/lak.c 2022-01-09 11:30:50.000000000 -0400
+++ cyrus-sasl-2.1.27.ossl3/saslauthd/lak.c 2022-01-09 11:30:50.000000001 -0400
@@ -1806,18 +1806,36 @@
return rc;
}
- EVP_DigestInit(mdctx, md);
- EVP_DigestUpdate(mdctx, passwd, strlen(passwd));
+ rc = EVP_DigestInit(mdctx, md);
+ if (rc != 1) {
+ rc = LAK_FAIL;
+ goto done;
+ }
+ rc = EVP_DigestUpdate(mdctx, passwd, strlen(passwd));
+ if (rc != 1) {
+ rc = LAK_FAIL;
+ goto done;
+ }
if (hrock->salted) {
- EVP_DigestUpdate(mdctx, &cred[EVP_MD_size(md)],
- clen - EVP_MD_size(md));
+ rc = EVP_DigestUpdate(mdctx, &cred[EVP_MD_size(md)],
+ clen - EVP_MD_size(md));
+ if (rc != 1) {
+ rc = LAK_FAIL;
+ goto done;
+ }
+ }
+ rc = EVP_DigestFinal(mdctx, digest, NULL);
+ if (rc != 1) {
+ rc = LAK_FAIL;
+ goto done;
}
- EVP_DigestFinal(mdctx, digest, NULL);
- EVP_MD_CTX_free(mdctx);
rc = memcmp((char *)cred, (char *)digest, EVP_MD_size(md));
+ rc = rc ? LAK_INVALID_PASSWORD : LAK_OK;
+done:
+ EVP_MD_CTX_free(mdctx);
free(cred);
- return rc ? LAK_INVALID_PASSWORD : LAK_OK;
+ return rc;
}
#endif /* HAVE_OPENSSL */

View File

@ -0,0 +1,74 @@
From 3b0149cf3d235247b051b7cb7663bc3dadbb999b Mon Sep 17 00:00:00 2001
From: Pavel Raiskup <praiskup@redhat.com>
Date: Thu, 1 Apr 2021 17:17:52 +0200
Subject: [PATCH] configure.ac: avoid side-effects in AC_CACHE_VAL
In the COMMANDS-TO-SET-IT argument, per Autoconf docs:
https://www.gnu.org/software/autoconf/manual/autoconf-2.63/html_node/Caching-Results.html
---
configure.ac | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index a106d35e..d333496d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -220,11 +220,14 @@ void foo() { int i=0;}
int main() { void *self, *ptr1, *ptr2; self=dlopen(NULL,RTLD_LAZY);
if(self) { ptr1=dlsym(self,"foo"); ptr2=dlsym(self,"_foo");
if(ptr1 && !ptr2) exit(0); } exit(1); }
-], [sasl_cv_dlsym_adds_uscore=yes], sasl_cv_dlsym_adds_uscore=no
- AC_DEFINE(DLSYM_NEEDS_UNDERSCORE, [], [Do we need a leading _ for dlsym?]),
+], [sasl_cv_dlsym_adds_uscore=yes], sasl_cv_dlsym_adds_uscore=no,
AC_MSG_WARN(cross-compiler, we'll do our best)))
LIBS="$cmu_save_LIBS"
AC_MSG_RESULT($sasl_cv_dlsym_adds_uscore)
+
+ if test "$sasl_cv_dlsym_adds_uscore" = no; then
+ AC_DEFINE(DLSYM_NEEDS_UNDERSCORE, [], [Do we need a leading _ for dlsym?])
+ fi
fi
fi
From d3bcaf62f6213e7635e9c4a574f39a831e333980 Mon Sep 17 00:00:00 2001
From: Pavel Raiskup <praiskup@redhat.com>
Date: Thu, 1 Apr 2021 17:26:28 +0200
Subject: [PATCH] configure.ac: properly quote macro arguments
Autoconf 2.70+ is more picky about the quotation (even though with
previous versions the arguments should have been quoted, too). When we
don't quote macros inside the AC_CACHE_VAL macro - some of the Autoconf
initialization is wrongly ordered in ./configure script and we keep
seeing bugs like:
./configure: line 2165: ac_fn_c_try_run: command not found
Original report: https://bugzilla.redhat.com/1943013
---
configure.ac | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/configure.ac b/configure.ac
index d333496d..7281cba0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -213,15 +213,16 @@ if test $sasl_cv_uscore = yes; then
AC_MSG_CHECKING(whether dlsym adds the underscore for us)
cmu_save_LIBS="$LIBS"
LIBS="$LIBS $SASL_DL_LIB"
- AC_CACHE_VAL(sasl_cv_dlsym_adds_uscore,AC_TRY_RUN( [
+ AC_CACHE_VAL([sasl_cv_dlsym_adds_uscore],
+ [AC_TRY_RUN([
#include <dlfcn.h>
#include <stdio.h>
void foo() { int i=0;}
int main() { void *self, *ptr1, *ptr2; self=dlopen(NULL,RTLD_LAZY);
if(self) { ptr1=dlsym(self,"foo"); ptr2=dlsym(self,"_foo");
if(ptr1 && !ptr2) exit(0); } exit(1); }
-], [sasl_cv_dlsym_adds_uscore=yes], sasl_cv_dlsym_adds_uscore=no,
- AC_MSG_WARN(cross-compiler, we'll do our best)))
+], [sasl_cv_dlsym_adds_uscore=yes], [sasl_cv_dlsym_adds_uscore=no],
+ [AC_MSG_WARN(cross-compiler, we'll do our best)])])
LIBS="$cmu_save_LIBS"
AC_MSG_RESULT($sasl_cv_dlsym_adds_uscore)

View File

@ -1,73 +0,0 @@
From 4edb8ce82ac530f473a8728bae01d9fc8535c9cb Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 21 Jun 2021 14:24:18 -0400
Subject: [PATCH] Gracefully handle failed initializations
In OpenSSL 3.0 these algorithms have been moved to the legacy provider
which is not enabled by default. This means allocation can and do fail.
Handle failed allocations by returning an actual error instead of
crashing later with a NULL context.
Signed-off-by: Simo Sorce <simo@redhat.com>
---
plugins/digestmd5.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/plugins/digestmd5.c b/plugins/digestmd5.c
index c6b54317..b2617536 100644
--- a/plugins/digestmd5.c
+++ b/plugins/digestmd5.c
@@ -254,6 +254,7 @@ typedef struct context {
decode_context_t decode_context;
/* if privacy mode is used use these functions for encode and decode */
+ char *cipher_name;
cipher_function_t *cipher_enc;
cipher_function_t *cipher_dec;
cipher_init_t *cipher_init;
@@ -2821,6 +2822,7 @@ static int digestmd5_server_mech_step2(server_context_t *stext,
}
if (cptr->name) {
+ text->cipher_name = cptr->name;
text->cipher_enc = cptr->cipher_enc;
text->cipher_dec = cptr->cipher_dec;
text->cipher_init = cptr->cipher_init;
@@ -2964,7 +2966,10 @@ static int digestmd5_server_mech_step2(server_context_t *stext,
if (text->cipher_init) {
if (text->cipher_init(text, enckey, deckey) != SASL_OK) {
sparams->utils->seterror(sparams->utils->conn, 0,
- "couldn't init cipher");
+ "couldn't init cipher '%s'",
+ text->cipher_name);
+ result = SASL_FAIL;
+ goto FreeAllMem;
}
}
}
@@ -3515,6 +3520,7 @@ static int make_client_response(context_t *text,
oparams->mech_ssf = ctext->cipher->ssf;
nbits = ctext->cipher->n;
+ text->cipher_name = ctext->cipher->name;
text->cipher_enc = ctext->cipher->cipher_enc;
text->cipher_dec = ctext->cipher->cipher_dec;
text->cipher_free = ctext->cipher->cipher_free;
@@ -3739,7 +3745,13 @@ static int make_client_response(context_t *text,
/* initialize cipher if need be */
if (text->cipher_init) {
- text->cipher_init(text, enckey, deckey);
+ if (text->cipher_init(text, enckey, deckey) != SASL_OK) {
+ params->utils->seterror(params->utils->conn, 0,
+ "internal error: failed to init cipher '%s'",
+ text->cipher_name);
+ result = SASL_FAIL;
+ goto FreeAllocatedMem;
+ }
}
}
--
2.31.1

View File

@ -9,7 +9,7 @@
Summary: The Cyrus SASL library
Name: cyrus-sasl
Version: 2.1.27
Release: 17%{?dist}
Release: 19%{?dist}
License: BSD with advertising
URL: https://www.cyrusimap.org/sasl/
@ -25,7 +25,6 @@ Source10: make-no-dlcompatorsrp-tarball.sh
# https://raw.githubusercontent.com/cyrusimap/cyrus-sasl/master/autogen.sh
Source11: autogen.sh
Requires: %{name}-lib%{?_isa} = %{version}-%{release}
Patch11: cyrus-sasl-2.1.25-no_rpath.patch
Patch15: cyrus-sasl-2.1.20-saslauthd.conf-path.patch
Patch23: cyrus-sasl-2.1.23-man.patch
@ -39,17 +38,19 @@ Patch101: cyrus-sasl-2.1.27-Add-basic-test-infrastructure.patch
Patch102: cyrus-sasl-2.1.27-Add-Channel-Binding-support-for-GSSAPI-GSS-SPNEGO.patch
Patch103: cyrus-sasl-2.1.27-Add-support-for-setting-max-ssf-0-to-GSS-SPNEGO.patch
Patch104: cyrus-sasl-2.1.27-Emit-debug-log-only-in-case-of-errors.patch
Patch105: cyrus-sasl-2.1.27-fix-for-autoconf270.patch
#https://github.com/simo5/cyrus-sasl/commit/ebd2387f06c84c7f9aac3167ec041bb01e5c6e48
Patch105: cyrus-sasl-2.1.27-nostrncpy.patch
#Migration tool should be removed from RHEL10
Patch106: cyrus-sasl-2.1.27-Migration-from-BerkeleyDB.patch
Patch106: cyrus-sasl-2.1.27-nostrncpy.patch
# Upstream PR: https://github.com/cyrusimap/cyrus-sasl/pull/635
Patch107: cyrus-sasl-2.1.27-Add-basic-test-plain-auth.patch
#Migration tool should be removed from RHEL10
Patch108: cyrus-sasl-2.1.27-Migration-from-BerkeleyDB.patch
Patch500: cyrus-sasl-2.1.27-coverity.patch
Patch501: cyrus-sasl-2.1.27-legacy-init.patch
Patch501: cyrus-sasl-2.1.27-cumulative-digestmd5.patch
Patch502: cyrus-sasl-2.1.27-cumulative-ossl3.patch
BuildRequires: autoconf, automake, libtool, gdbm-devel, groff
BuildRequires: krb5-devel >= 1.2.2, openssl-devel, pam-devel, pkgconfig
BuildRequires: krb5-devel >= 1.19, openssl-devel, pam-devel, pkgconfig
BuildRequires: mariadb-connector-c-devel, libpq-devel, zlib-devel
%if ! %{bootstrap_cyrus_sasl}
BuildRequires: openldap-devel
@ -60,10 +61,14 @@ BuildRequires: libdb-devel-static
#build reqs for make check
BuildRequires: python3 nss_wrapper socket_wrapper krb5-server
%{?systemd_requires}
Requires: %{name}-lib = %{version}-%{release}
Requires: systemd
#Requires/Provides related to the saslauthd user creation
Requires: /sbin/nologin
Requires(pre): /usr/sbin/useradd /usr/sbin/groupadd
Requires(postun): /usr/sbin/userdel /usr/sbin/groupdel
Requires: /sbin/nologin
Requires: systemd >= 211
Provides: user(%username)
Provides: group(%username)
@ -81,8 +86,8 @@ The %{name}-lib package contains shared libraries which are needed by
applications which use the Cyrus SASL library.
%package devel
Requires: %{name}-lib%{?_isa} = %{version}-%{release}
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: %{name}-lib = %{version}-%{release}
Requires: %{name} = %{version}-%{release}
Requires: pkgconfig
Summary: Files needed for developing applications with Cyrus SASL
@ -175,11 +180,13 @@ the GS2 authentication scheme.
%patch102 -p1 -b .gssapi_cbs
%patch103 -p1 -b .maxssf0
%patch104 -p1 -b .nolog
%patch105 -p1 -b .nostrncpy
%patch106 -p1 -b .frombdb
%patch105 -p1 -b .autoconf270
%patch106 -p1 -b .nostrncpy
%patch107 -p1 -b .plaintests
%patch108 -p1 -b .frombdb
%patch500 -p1 -b .coverity
%patch501 -p1 -b .legacy_init
%patch501 -p1 -b .digestmd5
%patch502 -p1 -b .ossl3
%build
# reconfigure
@ -391,6 +398,13 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir}
%{_sbindir}/sasl2-shared-mechlist
%changelog
* Mon Feb 9 2022 Simo Sorce <simo@redhat.com> - 2.1.27-19
- Fix a memleak in one of the OpenSSL 3 compat patches
found by covscan
* Mon Feb 7 2022 Simo Sorce <simo@redhat.com> - 2.1.27-18
- Update OpenSSL 3 related compatibility patch backports
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.1.27-17
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688