From 01eff975db95fb569970bd55992e87e7335a93e7 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 1 Mar 2022 07:59:55 -0500 Subject: [PATCH] import cyrus-sasl-2.1.27-19.el9 --- ...rus-sasl-2.1.27-cumulative-digestmd5.patch | 544 ++++++++++++++++++ .../cyrus-sasl-2.1.27-cumulative-ossl3.patch | 109 ++++ ...yrus-sasl-2.1.27-fix-for-autoconf270.patch | 74 +++ SOURCES/cyrus-sasl-2.1.27-legacy-init.patch | 73 --- SPECS/cyrus-sasl.spec | 42 +- 5 files changed, 755 insertions(+), 87 deletions(-) create mode 100644 SOURCES/cyrus-sasl-2.1.27-cumulative-digestmd5.patch create mode 100644 SOURCES/cyrus-sasl-2.1.27-cumulative-ossl3.patch create mode 100644 SOURCES/cyrus-sasl-2.1.27-fix-for-autoconf270.patch delete mode 100644 SOURCES/cyrus-sasl-2.1.27-legacy-init.patch diff --git a/SOURCES/cyrus-sasl-2.1.27-cumulative-digestmd5.patch b/SOURCES/cyrus-sasl-2.1.27-cumulative-digestmd5.patch new file mode 100644 index 0000000..d61130f --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.27-cumulative-digestmd5.patch @@ -0,0 +1,544 @@ +diff -uPr cyrus-sasl-2.1.27/plugins/digestmd5.c cyrus-sasl-2.1.27.digestmd5/plugins/digestmd5.c +--- cyrus-sasl-2.1.27/plugins/digestmd5.c 2021-09-30 17:13:06.573093526 -0400 ++++ cyrus-sasl-2.1.27.digestmd5/plugins/digestmd5.c 2021-09-30 17:26:31.818378442 -0400 +@@ -80,6 +80,12 @@ + # endif + #endif /* WITH_DES */ + ++/* legacy provider with openssl 3.0 */ ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++# include ++# include ++#endif ++ + #ifdef WIN32 + # include + #else /* Unix */ +@@ -170,6 +176,12 @@ + + typedef struct cipher_context cipher_context_t; + ++typedef struct crypto_context { ++ void *libctx; ++ cipher_context_t *enc_ctx; ++ cipher_context_t *dec_ctx; ++} crypto_context_t; ++ + /* cached auth info used for fast reauth */ + typedef struct reauth_entry { + char *authid; +@@ -254,12 +266,12 @@ + decode_context_t decode_context; + + /* if privacy mode is used use these functions for encode and decode */ ++ char *cipher_name; + cipher_function_t *cipher_enc; + cipher_function_t *cipher_dec; + cipher_init_t *cipher_init; + cipher_free_t *cipher_free; +- struct cipher_context *cipher_enc_context; +- struct cipher_context *cipher_dec_context; ++ crypto_context_t crypto; + } context_t; + + struct digest_cipher { +@@ -888,7 +900,7 @@ + char *output, + unsigned *outputlen) + { +- des_context_t *c = (des_context_t *) text->cipher_dec_context; ++ des_context_t *c = (des_context_t *) text->crypto.dec_ctx; + int padding, p; + + des_ede2_cbc_encrypt((void *) input, +@@ -925,7 +937,7 @@ + char *output, + unsigned *outputlen) + { +- des_context_t *c = (des_context_t *) text->cipher_enc_context; ++ des_context_t *c = (des_context_t *) text->crypto.enc_ctx; + int len; + int paddinglen; + +@@ -973,7 +985,7 @@ + return SASL_FAIL; + memcpy(c->ivec, ((char *) enckey) + 8, 8); + +- text->cipher_enc_context = (cipher_context_t *) c; ++ text->crypto.enc_ctx = (cipher_context_t *) c; + + /* setup dec context */ + c++; +@@ -987,7 +999,7 @@ + + memcpy(c->ivec, ((char *) deckey) + 8, 8); + +- text->cipher_dec_context = (cipher_context_t *) c; ++ text->crypto.dec_ctx = (cipher_context_t *) c; + + return SASL_OK; + } +@@ -1006,7 +1018,7 @@ + char *output, + unsigned *outputlen) + { +- des_context_t *c = (des_context_t *) text->cipher_dec_context; ++ des_context_t *c = (des_context_t *) text->crypto.dec_ctx; + int p, padding = 0; + + des_cbc_encrypt((void *) input, +@@ -1046,7 +1058,7 @@ + char *output, + unsigned *outputlen) + { +- des_context_t *c = (des_context_t *) text->cipher_enc_context; ++ des_context_t *c = (des_context_t *) text->crypto.enc_ctx; + int len; + int paddinglen; + +@@ -1093,7 +1105,7 @@ + + memcpy(c->ivec, ((char *) enckey) + 8, 8); + +- text->cipher_enc_context = (cipher_context_t *) c; ++ text->crypto.enc_ctx = (cipher_context_t *) c; + + /* setup dec context */ + c++; +@@ -1102,60 +1114,139 @@ + + memcpy(c->ivec, ((char *) deckey) + 8, 8); + +- text->cipher_dec_context = (cipher_context_t *) c; ++ text->crypto.dec_ctx = (cipher_context_t *) c; + + return SASL_OK; + } + + static void free_des(context_t *text) + { +- /* free des contextss. only cipher_enc_context needs to be free'd, +- since cipher_dec_context was allocated at the same time. */ +- if (text->cipher_enc_context) text->utils->free(text->cipher_enc_context); ++ /* free des contextss. only enc_ctx needs to be free'd, ++ since dec_cxt was allocated at the same time. */ ++ if (text->crypto.enc_ctx) { ++ text->utils->free(text->crypto.enc_ctx); ++ } + } + + #endif /* WITH_DES */ + + #ifdef WITH_RC4 +-#ifdef HAVE_OPENSSL + #include + ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++typedef struct ossl3_library_context { ++ OSSL_LIB_CTX *libctx; ++ OSSL_PROVIDER *legacy_provider; ++ OSSL_PROVIDER *default_provider; ++} ossl3_context_t; ++ ++static int init_ossl3_ctx(context_t *text) ++{ ++ ossl3_context_t *ctx = text->utils->malloc(sizeof(ossl3_context_t)); ++ if (!ctx) return SASL_NOMEM; ++ ++ ctx->libctx = OSSL_LIB_CTX_new(); ++ if (!ctx->libctx) { ++ text->utils->free(ctx); ++ return SASL_FAIL; ++ } ++ ++ /* Load both legacy and default provider as both may be needed */ ++ /* if they fail keep going and an error will be raised when we try to ++ * fetch the cipher later */ ++ ctx->legacy_provider = OSSL_PROVIDER_load(ctx->libctx, "legacy"); ++ ctx->default_provider = OSSL_PROVIDER_load(ctx->libctx, "default"); ++ text->crypto.libctx = (void *)ctx; ++ ++ return SASL_OK; ++} ++ ++static void free_ossl3_ctx(context_t *text) ++{ ++ ossl3_context_t *ctx; ++ ++ if (!text->crypto.libctx) return; ++ ++ ctx = (ossl3_context_t *)text->crypto.libctx; ++ ++ if (ctx->legacy_provider) OSSL_PROVIDER_unload(ctx->legacy_provider); ++ if (ctx->default_provider) OSSL_PROVIDER_unload(ctx->default_provider); ++ if (ctx->libctx) OSSL_LIB_CTX_free(ctx->libctx); ++ ++ text->utils->free(ctx); ++ text->crypto.libctx = NULL; ++} ++#endif ++ + static void free_rc4(context_t *text) + { +- if (text->cipher_enc_context) { +- EVP_CIPHER_CTX_free((EVP_CIPHER_CTX *)text->cipher_enc_context); +- text->cipher_enc_context = NULL; +- } +- if (text->cipher_dec_context) { +- EVP_CIPHER_CTX_free((EVP_CIPHER_CTX *)text->cipher_dec_context); +- text->cipher_dec_context = NULL; ++ if (text->crypto.enc_ctx) { ++ EVP_CIPHER_CTX_free((EVP_CIPHER_CTX *)text->crypto.enc_ctx); ++ text->crypto.enc_ctx = NULL; ++ } ++ if (text->crypto.dec_ctx) { ++ EVP_CIPHER_CTX_free((EVP_CIPHER_CTX *)text->crypto.dec_ctx); ++ text->crypto.dec_ctx = NULL; + } ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++ free_ossl3_ctx(text); ++#endif + } + + static int init_rc4(context_t *text, + unsigned char enckey[16], + unsigned char deckey[16]) + { ++ const EVP_CIPHER *cipher; + EVP_CIPHER_CTX *ctx; + int rc; + +- ctx = EVP_CIPHER_CTX_new(); +- if (ctx == NULL) return SASL_NOMEM; ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++ ossl3_context_t *ossl3_ctx; + +- rc = EVP_EncryptInit_ex(ctx, EVP_rc4(), NULL, enckey, NULL); +- if (rc != 1) return SASL_FAIL; ++ rc = init_ossl3_ctx(text); ++ if (rc != SASL_OK) return rc; ++ ++ ossl3_ctx = (ossl3_context_t *)text->crypto.libctx; ++ cipher = EVP_CIPHER_fetch(ossl3_ctx->libctx, "RC4", ""); ++#else ++ cipher = EVP_rc4(); ++#endif + +- text->cipher_enc_context = (void *)ctx; + + ctx = EVP_CIPHER_CTX_new(); +- if (ctx == NULL) return SASL_NOMEM; ++ if (ctx == NULL) { ++ rc = SASL_NOMEM; ++ goto done; ++ } + +- rc = EVP_DecryptInit_ex(ctx, EVP_rc4(), NULL, deckey, NULL); +- if (rc != 1) return SASL_FAIL; ++ rc = EVP_EncryptInit_ex(ctx, cipher, NULL, enckey, NULL); ++ if (rc != 1) { ++ rc = SASL_FAIL; ++ goto done; ++ } ++ text->crypto.enc_ctx = (void *)ctx; + +- text->cipher_dec_context = (void *)ctx; ++ ctx = EVP_CIPHER_CTX_new(); ++ if (ctx == NULL) { ++ rc = SASL_NOMEM; ++ goto done; ++ } + +- return SASL_OK; ++ rc = EVP_DecryptInit_ex(ctx, cipher, NULL, deckey, NULL); ++ if (rc != 1) { ++ rc = SASL_FAIL; ++ goto done; ++ } ++ text->crypto.dec_ctx = (void *)ctx; ++ ++ rc = SASL_OK; ++ ++done: ++ if (rc != SASL_OK) { ++ free_rc4(text); ++ } ++ return rc; + } + + static int dec_rc4(context_t *text, +@@ -1169,14 +1260,14 @@ + int rc; + + /* decrypt the text part & HMAC */ +- rc = EVP_DecryptUpdate((EVP_CIPHER_CTX *)text->cipher_dec_context, ++ rc = EVP_DecryptUpdate((EVP_CIPHER_CTX *)text->crypto.dec_ctx, + (unsigned char *)output, &len, + (const unsigned char *)input, inputlen); + if (rc != 1) return SASL_FAIL; + + *outputlen = len; + +- rc = EVP_DecryptFinal_ex((EVP_CIPHER_CTX *)text->cipher_dec_context, ++ rc = EVP_DecryptFinal_ex((EVP_CIPHER_CTX *)text->crypto.dec_ctx, + (unsigned char *)output + len, &len); + if (rc != 1) return SASL_FAIL; + +@@ -1198,7 +1289,7 @@ + int len; + int rc; + /* encrypt the text part */ +- rc = EVP_EncryptUpdate((EVP_CIPHER_CTX *)text->cipher_enc_context, ++ rc = EVP_EncryptUpdate((EVP_CIPHER_CTX *)text->crypto.enc_ctx, + (unsigned char *)output, &len, + (const unsigned char *)input, inputlen); + if (rc != 1) return SASL_FAIL; +@@ -1206,14 +1297,14 @@ + *outputlen = len; + + /* encrypt the `MAC part */ +- rc = EVP_EncryptUpdate((EVP_CIPHER_CTX *)text->cipher_enc_context, ++ rc = EVP_EncryptUpdate((EVP_CIPHER_CTX *)text->crypto.enc_ctx, + (unsigned char *)output + *outputlen, &len, + digest, 10); + if (rc != 1) return SASL_FAIL; + + *outputlen += len; + +- rc = EVP_EncryptFinal_ex((EVP_CIPHER_CTX *)text->cipher_enc_context, ++ rc = EVP_EncryptFinal_ex((EVP_CIPHER_CTX *)text->crypto.enc_ctx, + (unsigned char *)output + *outputlen, &len); + if (rc != 1) return SASL_FAIL; + +@@ -1221,188 +1312,11 @@ + + return SASL_OK; + } +-#else +-/* quick generic implementation of RC4 */ +-struct rc4_context_s { +- unsigned char sbox[256]; +- int i, j; +-}; +- +-typedef struct rc4_context_s rc4_context_t; +- +-static void rc4_init(rc4_context_t *text, +- const unsigned char *key, +- unsigned keylen) +-{ +- int i, j; +- +- /* fill in linearly s0=0 s1=1... */ +- for (i=0;i<256;i++) +- text->sbox[i]=i; +- +- j=0; +- for (i = 0; i < 256; i++) { +- unsigned char tmp; +- /* j = (j + Si + Ki) mod 256 */ +- j = (j + text->sbox[i] + key[i % keylen]) % 256; +- +- /* swap Si and Sj */ +- tmp = text->sbox[i]; +- text->sbox[i] = text->sbox[j]; +- text->sbox[j] = tmp; +- } +- +- /* counters initialized to 0 */ +- text->i = 0; +- text->j = 0; +-} +- +-static void rc4_encrypt(rc4_context_t *text, +- const char *input, +- char *output, +- unsigned len) +-{ +- int tmp; +- int i = text->i; +- int j = text->j; +- int t; +- int K; +- const char *input_end = input + len; +- +- while (input < input_end) { +- i = (i + 1) % 256; +- +- j = (j + text->sbox[i]) % 256; +- +- /* swap Si and Sj */ +- tmp = text->sbox[i]; +- text->sbox[i] = text->sbox[j]; +- text->sbox[j] = tmp; +- +- t = (text->sbox[i] + text->sbox[j]) % 256; +- +- K = text->sbox[t]; +- +- /* byte K is Xor'ed with plaintext */ +- *output++ = *input++ ^ K; +- } +- +- text->i = i; +- text->j = j; +-} +- +-static void rc4_decrypt(rc4_context_t *text, +- const char *input, +- char *output, +- unsigned len) +-{ +- int tmp; +- int i = text->i; +- int j = text->j; +- int t; +- int K; +- const char *input_end = input + len; +- +- while (input < input_end) { +- i = (i + 1) % 256; +- +- j = (j + text->sbox[i]) % 256; +- +- /* swap Si and Sj */ +- tmp = text->sbox[i]; +- text->sbox[i] = text->sbox[j]; +- text->sbox[j] = tmp; +- +- t = (text->sbox[i] + text->sbox[j]) % 256; +- +- K = text->sbox[t]; +- +- /* byte K is Xor'ed with plaintext */ +- *output++ = *input++ ^ K; +- } +- +- text->i = i; +- text->j = j; +-} +- +-static void free_rc4(context_t *text) +-{ +- /* free rc4 context structures */ +- +- if(text->cipher_enc_context) text->utils->free(text->cipher_enc_context); +- if(text->cipher_dec_context) text->utils->free(text->cipher_dec_context); +-} +- +-static int init_rc4(context_t *text, +- unsigned char enckey[16], +- unsigned char deckey[16]) +-{ +- /* allocate rc4 context structures */ +- text->cipher_enc_context= +- (cipher_context_t *) text->utils->malloc(sizeof(rc4_context_t)); +- if (text->cipher_enc_context == NULL) return SASL_NOMEM; +- +- text->cipher_dec_context= +- (cipher_context_t *) text->utils->malloc(sizeof(rc4_context_t)); +- if (text->cipher_dec_context == NULL) return SASL_NOMEM; +- +- /* initialize them */ +- rc4_init((rc4_context_t *) text->cipher_enc_context, +- (const unsigned char *) enckey, 16); +- rc4_init((rc4_context_t *) text->cipher_dec_context, +- (const unsigned char *) deckey, 16); +- +- return SASL_OK; +-} +- +-static int dec_rc4(context_t *text, +- const char *input, +- unsigned inputlen, +- unsigned char digest[16] __attribute__((unused)), +- char *output, +- unsigned *outputlen) +-{ +- /* decrypt the text part & HMAC */ +- rc4_decrypt((rc4_context_t *) text->cipher_dec_context, +- input, output, inputlen); +- +- /* no padding so we just subtract the HMAC to get the text length */ +- *outputlen = inputlen - 10; +- +- return SASL_OK; +-} +- +-static int enc_rc4(context_t *text, +- const char *input, +- unsigned inputlen, +- unsigned char digest[16], +- char *output, +- unsigned *outputlen) +-{ +- /* pad is zero */ +- *outputlen = inputlen+10; +- +- /* encrypt the text part */ +- rc4_encrypt((rc4_context_t *) text->cipher_enc_context, +- input, +- output, +- inputlen); +- +- /* encrypt the HMAC part */ +- rc4_encrypt((rc4_context_t *) text->cipher_enc_context, +- (const char *) digest, +- (output)+inputlen, 10); +- +- return SASL_OK; +-} +-#endif /* HAVE_OPENSSL */ + #endif /* WITH_RC4 */ + + struct digest_cipher available_ciphers[] = + { + #ifdef WITH_RC4 +- { "rc4-40", 40, 5, 0x01, &enc_rc4, &dec_rc4, &init_rc4, &free_rc4 }, +- { "rc4-56", 56, 7, 0x02, &enc_rc4, &dec_rc4, &init_rc4, &free_rc4 }, + { "rc4", 128, 16, 0x04, &enc_rc4, &dec_rc4, &init_rc4, &free_rc4 }, + #endif + #ifdef WITH_DES +@@ -2815,6 +2729,7 @@ + } + + if (cptr->name) { ++ text->cipher_name = cptr->name; + text->cipher_enc = cptr->cipher_enc; + text->cipher_dec = cptr->cipher_dec; + text->cipher_init = cptr->cipher_init; +@@ -2958,7 +2873,10 @@ + if (text->cipher_init) { + if (text->cipher_init(text, enckey, deckey) != SASL_OK) { + sparams->utils->seterror(sparams->utils->conn, 0, +- "couldn't init cipher"); ++ "couldn't init cipher '%s'", ++ text->cipher_name); ++ result = SASL_FAIL; ++ goto FreeAllMem; + } + } + } +@@ -3509,6 +3427,7 @@ + oparams->mech_ssf = ctext->cipher->ssf; + + nbits = ctext->cipher->n; ++ text->cipher_name = ctext->cipher->name; + text->cipher_enc = ctext->cipher->cipher_enc; + text->cipher_dec = ctext->cipher->cipher_dec; + text->cipher_free = ctext->cipher->cipher_free; +@@ -3733,7 +3652,13 @@ + + /* initialize cipher if need be */ + if (text->cipher_init) { +- text->cipher_init(text, enckey, deckey); ++ if (text->cipher_init(text, enckey, deckey) != SASL_OK) { ++ params->utils->seterror(params->utils->conn, 0, ++ "internal error: failed to init cipher '%s'", ++ text->cipher_name); ++ result = SASL_FAIL; ++ goto FreeAllocatedMem; ++ } + } + } + diff --git a/SOURCES/cyrus-sasl-2.1.27-cumulative-ossl3.patch b/SOURCES/cyrus-sasl-2.1.27-cumulative-ossl3.patch new file mode 100644 index 0000000..10b57cc --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.27-cumulative-ossl3.patch @@ -0,0 +1,109 @@ +diff -uPr cyrus-sasl-2.1.27/configure.ac cyrus-sasl-2.1.27.ossl3/configure.ac +--- cyrus-sasl-2.1.27/configure.ac 2021-10-06 11:29:53.274375206 -0400 ++++ cyrus-sasl-2.1.27.ossl3/configure.ac 2021-10-06 11:31:19.966726775 -0400 +@@ -1115,7 +1115,11 @@ + with_rc4=yes) + + if test "$with_rc4" != no; then +- AC_DEFINE(WITH_RC4,[],[Use RC4]) ++ if test "$with_openssl" = no; then ++ AC_WARN([OpenSSL not found -- RC4 will be disabled]) ++ else ++ AC_DEFINE(WITH_RC4,[],[Use RC4]) ++ fi + fi + + building_for_macosx=no +diff -uPr cyrus-sasl-2.1.27/plugins/scram.c cyrus-sasl-2.1.27.ossl3/plugins/scram.c +--- cyrus-sasl-2.1.27/plugins/scram.c 2018-11-08 12:29:57.000000000 -0500 ++++ cyrus-sasl-2.1.27.ossl3/plugins/scram.c 2021-10-06 11:31:04.407484201 -0400 +@@ -65,7 +65,9 @@ + + #include + #include ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + #include ++#endif + + /***************************** Common Section *****************************/ + +@@ -267,6 +271,32 @@ + } + #endif + ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++ ++/* Decalre as void given functions never use the result */ ++void *HMAC(const EVP_MD *evp_md, const void *key, int key_len, ++ const unsigned char *data, size_t data_len, ++ unsigned char *md, unsigned int *md_len) ++{ ++ const char *digest; ++ size_t digest_size; ++ size_t out_len; ++ void *ret = NULL; ++ ++ digest = EVP_MD_get0_name(evp_md); ++ if (digest == NULL) { ++ return NULL; ++ } ++ digest_size = EVP_MD_size(evp_md); ++ ++ ret = EVP_Q_mac(NULL, "hmac", NULL, digest, NULL, key, key_len, ++ data, data_len, md, digest_size, &out_len); ++ if (ret != NULL) { ++ *md_len = (unsigned int)out_len; ++ } ++ return ret; ++} ++#endif + + /* The result variable need to point to a buffer big enough for the [SHA-1] hash */ + static void +diff -uPr cyrus-sasl-2.1.27/saslauthd/lak.c cyrus-sasl-2.1.27.ossl3/saslauthd/lak.c +--- cyrus-sasl-2.1.27/saslauthd/lak.c 2022-01-09 11:30:50.000000000 -0400 ++++ cyrus-sasl-2.1.27.ossl3/saslauthd/lak.c 2022-01-09 11:30:50.000000001 -0400 +@@ -1806,18 +1806,36 @@ + return rc; + } + +- EVP_DigestInit(mdctx, md); +- EVP_DigestUpdate(mdctx, passwd, strlen(passwd)); ++ rc = EVP_DigestInit(mdctx, md); ++ if (rc != 1) { ++ rc = LAK_FAIL; ++ goto done; ++ } ++ rc = EVP_DigestUpdate(mdctx, passwd, strlen(passwd)); ++ if (rc != 1) { ++ rc = LAK_FAIL; ++ goto done; ++ } + if (hrock->salted) { +- EVP_DigestUpdate(mdctx, &cred[EVP_MD_size(md)], +- clen - EVP_MD_size(md)); ++ rc = EVP_DigestUpdate(mdctx, &cred[EVP_MD_size(md)], ++ clen - EVP_MD_size(md)); ++ if (rc != 1) { ++ rc = LAK_FAIL; ++ goto done; ++ } ++ } ++ rc = EVP_DigestFinal(mdctx, digest, NULL); ++ if (rc != 1) { ++ rc = LAK_FAIL; ++ goto done; + } +- EVP_DigestFinal(mdctx, digest, NULL); +- EVP_MD_CTX_free(mdctx); + + rc = memcmp((char *)cred, (char *)digest, EVP_MD_size(md)); ++ rc = rc ? LAK_INVALID_PASSWORD : LAK_OK; ++done: ++ EVP_MD_CTX_free(mdctx); + free(cred); +- return rc ? LAK_INVALID_PASSWORD : LAK_OK; ++ return rc; + } + + #endif /* HAVE_OPENSSL */ diff --git a/SOURCES/cyrus-sasl-2.1.27-fix-for-autoconf270.patch b/SOURCES/cyrus-sasl-2.1.27-fix-for-autoconf270.patch new file mode 100644 index 0000000..3c6e7be --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.27-fix-for-autoconf270.patch @@ -0,0 +1,74 @@ +From 3b0149cf3d235247b051b7cb7663bc3dadbb999b Mon Sep 17 00:00:00 2001 +From: Pavel Raiskup +Date: Thu, 1 Apr 2021 17:17:52 +0200 +Subject: [PATCH] configure.ac: avoid side-effects in AC_CACHE_VAL + +In the COMMANDS-TO-SET-IT argument, per Autoconf docs: +https://www.gnu.org/software/autoconf/manual/autoconf-2.63/html_node/Caching-Results.html +--- + configure.ac | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/configure.ac b/configure.ac +index a106d35e..d333496d 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -220,11 +220,14 @@ void foo() { int i=0;} + int main() { void *self, *ptr1, *ptr2; self=dlopen(NULL,RTLD_LAZY); + if(self) { ptr1=dlsym(self,"foo"); ptr2=dlsym(self,"_foo"); + if(ptr1 && !ptr2) exit(0); } exit(1); } +-], [sasl_cv_dlsym_adds_uscore=yes], sasl_cv_dlsym_adds_uscore=no +- AC_DEFINE(DLSYM_NEEDS_UNDERSCORE, [], [Do we need a leading _ for dlsym?]), ++], [sasl_cv_dlsym_adds_uscore=yes], sasl_cv_dlsym_adds_uscore=no, + AC_MSG_WARN(cross-compiler, we'll do our best))) + LIBS="$cmu_save_LIBS" + AC_MSG_RESULT($sasl_cv_dlsym_adds_uscore) ++ ++ if test "$sasl_cv_dlsym_adds_uscore" = no; then ++ AC_DEFINE(DLSYM_NEEDS_UNDERSCORE, [], [Do we need a leading _ for dlsym?]) ++ fi + fi + fi + +From d3bcaf62f6213e7635e9c4a574f39a831e333980 Mon Sep 17 00:00:00 2001 +From: Pavel Raiskup +Date: Thu, 1 Apr 2021 17:26:28 +0200 +Subject: [PATCH] configure.ac: properly quote macro arguments + +Autoconf 2.70+ is more picky about the quotation (even though with +previous versions the arguments should have been quoted, too). When we +don't quote macros inside the AC_CACHE_VAL macro - some of the Autoconf +initialization is wrongly ordered in ./configure script and we keep +seeing bugs like: + + ./configure: line 2165: ac_fn_c_try_run: command not found + +Original report: https://bugzilla.redhat.com/1943013 +--- + configure.ac | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/configure.ac b/configure.ac +index d333496d..7281cba0 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -213,15 +213,16 @@ if test $sasl_cv_uscore = yes; then + AC_MSG_CHECKING(whether dlsym adds the underscore for us) + cmu_save_LIBS="$LIBS" + LIBS="$LIBS $SASL_DL_LIB" +- AC_CACHE_VAL(sasl_cv_dlsym_adds_uscore,AC_TRY_RUN( [ ++ AC_CACHE_VAL([sasl_cv_dlsym_adds_uscore], ++ [AC_TRY_RUN([ + #include + #include + void foo() { int i=0;} + int main() { void *self, *ptr1, *ptr2; self=dlopen(NULL,RTLD_LAZY); + if(self) { ptr1=dlsym(self,"foo"); ptr2=dlsym(self,"_foo"); + if(ptr1 && !ptr2) exit(0); } exit(1); } +-], [sasl_cv_dlsym_adds_uscore=yes], sasl_cv_dlsym_adds_uscore=no, +- AC_MSG_WARN(cross-compiler, we'll do our best))) ++], [sasl_cv_dlsym_adds_uscore=yes], [sasl_cv_dlsym_adds_uscore=no], ++ [AC_MSG_WARN(cross-compiler, we'll do our best)])]) + LIBS="$cmu_save_LIBS" + AC_MSG_RESULT($sasl_cv_dlsym_adds_uscore) + diff --git a/SOURCES/cyrus-sasl-2.1.27-legacy-init.patch b/SOURCES/cyrus-sasl-2.1.27-legacy-init.patch deleted file mode 100644 index 371408e..0000000 --- a/SOURCES/cyrus-sasl-2.1.27-legacy-init.patch +++ /dev/null @@ -1,73 +0,0 @@ -From 4edb8ce82ac530f473a8728bae01d9fc8535c9cb Mon Sep 17 00:00:00 2001 -From: Simo Sorce -Date: Mon, 21 Jun 2021 14:24:18 -0400 -Subject: [PATCH] Gracefully handle failed initializations - -In OpenSSL 3.0 these algorithms have been moved to the legacy provider -which is not enabled by default. This means allocation can and do fail. -Handle failed allocations by returning an actual error instead of -crashing later with a NULL context. - -Signed-off-by: Simo Sorce ---- - plugins/digestmd5.c | 16 ++++++++++++++-- - 1 file changed, 14 insertions(+), 2 deletions(-) - -diff --git a/plugins/digestmd5.c b/plugins/digestmd5.c -index c6b54317..b2617536 100644 ---- a/plugins/digestmd5.c -+++ b/plugins/digestmd5.c -@@ -254,6 +254,7 @@ typedef struct context { - decode_context_t decode_context; - - /* if privacy mode is used use these functions for encode and decode */ -+ char *cipher_name; - cipher_function_t *cipher_enc; - cipher_function_t *cipher_dec; - cipher_init_t *cipher_init; -@@ -2821,6 +2822,7 @@ static int digestmd5_server_mech_step2(server_context_t *stext, - } - - if (cptr->name) { -+ text->cipher_name = cptr->name; - text->cipher_enc = cptr->cipher_enc; - text->cipher_dec = cptr->cipher_dec; - text->cipher_init = cptr->cipher_init; -@@ -2964,7 +2966,10 @@ static int digestmd5_server_mech_step2(server_context_t *stext, - if (text->cipher_init) { - if (text->cipher_init(text, enckey, deckey) != SASL_OK) { - sparams->utils->seterror(sparams->utils->conn, 0, -- "couldn't init cipher"); -+ "couldn't init cipher '%s'", -+ text->cipher_name); -+ result = SASL_FAIL; -+ goto FreeAllMem; - } - } - } -@@ -3515,6 +3520,7 @@ static int make_client_response(context_t *text, - oparams->mech_ssf = ctext->cipher->ssf; - - nbits = ctext->cipher->n; -+ text->cipher_name = ctext->cipher->name; - text->cipher_enc = ctext->cipher->cipher_enc; - text->cipher_dec = ctext->cipher->cipher_dec; - text->cipher_free = ctext->cipher->cipher_free; -@@ -3739,7 +3745,13 @@ static int make_client_response(context_t *text, - - /* initialize cipher if need be */ - if (text->cipher_init) { -- text->cipher_init(text, enckey, deckey); -+ if (text->cipher_init(text, enckey, deckey) != SASL_OK) { -+ params->utils->seterror(params->utils->conn, 0, -+ "internal error: failed to init cipher '%s'", -+ text->cipher_name); -+ result = SASL_FAIL; -+ goto FreeAllocatedMem; -+ } - } - } - --- -2.31.1 - diff --git a/SPECS/cyrus-sasl.spec b/SPECS/cyrus-sasl.spec index 0b62996..7475aa3 100644 --- a/SPECS/cyrus-sasl.spec +++ b/SPECS/cyrus-sasl.spec @@ -9,7 +9,7 @@ Summary: The Cyrus SASL library Name: cyrus-sasl Version: 2.1.27 -Release: 17%{?dist} +Release: 19%{?dist} License: BSD with advertising URL: https://www.cyrusimap.org/sasl/ @@ -25,7 +25,6 @@ Source10: make-no-dlcompatorsrp-tarball.sh # https://raw.githubusercontent.com/cyrusimap/cyrus-sasl/master/autogen.sh Source11: autogen.sh -Requires: %{name}-lib%{?_isa} = %{version}-%{release} Patch11: cyrus-sasl-2.1.25-no_rpath.patch Patch15: cyrus-sasl-2.1.20-saslauthd.conf-path.patch Patch23: cyrus-sasl-2.1.23-man.patch @@ -39,17 +38,19 @@ Patch101: cyrus-sasl-2.1.27-Add-basic-test-infrastructure.patch Patch102: cyrus-sasl-2.1.27-Add-Channel-Binding-support-for-GSSAPI-GSS-SPNEGO.patch Patch103: cyrus-sasl-2.1.27-Add-support-for-setting-max-ssf-0-to-GSS-SPNEGO.patch Patch104: cyrus-sasl-2.1.27-Emit-debug-log-only-in-case-of-errors.patch +Patch105: cyrus-sasl-2.1.27-fix-for-autoconf270.patch #https://github.com/simo5/cyrus-sasl/commit/ebd2387f06c84c7f9aac3167ec041bb01e5c6e48 -Patch105: cyrus-sasl-2.1.27-nostrncpy.patch -#Migration tool should be removed from RHEL10 -Patch106: cyrus-sasl-2.1.27-Migration-from-BerkeleyDB.patch +Patch106: cyrus-sasl-2.1.27-nostrncpy.patch # Upstream PR: https://github.com/cyrusimap/cyrus-sasl/pull/635 Patch107: cyrus-sasl-2.1.27-Add-basic-test-plain-auth.patch +#Migration tool should be removed from RHEL10 +Patch108: cyrus-sasl-2.1.27-Migration-from-BerkeleyDB.patch Patch500: cyrus-sasl-2.1.27-coverity.patch -Patch501: cyrus-sasl-2.1.27-legacy-init.patch +Patch501: cyrus-sasl-2.1.27-cumulative-digestmd5.patch +Patch502: cyrus-sasl-2.1.27-cumulative-ossl3.patch BuildRequires: autoconf, automake, libtool, gdbm-devel, groff -BuildRequires: krb5-devel >= 1.2.2, openssl-devel, pam-devel, pkgconfig +BuildRequires: krb5-devel >= 1.19, openssl-devel, pam-devel, pkgconfig BuildRequires: mariadb-connector-c-devel, libpq-devel, zlib-devel %if ! %{bootstrap_cyrus_sasl} BuildRequires: openldap-devel @@ -60,10 +61,14 @@ BuildRequires: libdb-devel-static #build reqs for make check BuildRequires: python3 nss_wrapper socket_wrapper krb5-server %{?systemd_requires} + +Requires: %{name}-lib = %{version}-%{release} +Requires: systemd + +#Requires/Provides related to the saslauthd user creation +Requires: /sbin/nologin Requires(pre): /usr/sbin/useradd /usr/sbin/groupadd Requires(postun): /usr/sbin/userdel /usr/sbin/groupdel -Requires: /sbin/nologin -Requires: systemd >= 211 Provides: user(%username) Provides: group(%username) @@ -81,8 +86,8 @@ The %{name}-lib package contains shared libraries which are needed by applications which use the Cyrus SASL library. %package devel -Requires: %{name}-lib%{?_isa} = %{version}-%{release} -Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: %{name}-lib = %{version}-%{release} +Requires: %{name} = %{version}-%{release} Requires: pkgconfig Summary: Files needed for developing applications with Cyrus SASL @@ -175,11 +180,13 @@ the GS2 authentication scheme. %patch102 -p1 -b .gssapi_cbs %patch103 -p1 -b .maxssf0 %patch104 -p1 -b .nolog -%patch105 -p1 -b .nostrncpy -%patch106 -p1 -b .frombdb +%patch105 -p1 -b .autoconf270 +%patch106 -p1 -b .nostrncpy %patch107 -p1 -b .plaintests +%patch108 -p1 -b .frombdb %patch500 -p1 -b .coverity -%patch501 -p1 -b .legacy_init +%patch501 -p1 -b .digestmd5 +%patch502 -p1 -b .ossl3 %build # reconfigure @@ -391,6 +398,13 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir} %{_sbindir}/sasl2-shared-mechlist %changelog +* Mon Feb 9 2022 Simo Sorce - 2.1.27-19 +- Fix a memleak in one of the OpenSSL 3 compat patches + found by covscan + +* Mon Feb 7 2022 Simo Sorce - 2.1.27-18 +- Update OpenSSL 3 related compatibility patch backports + * Mon Aug 09 2021 Mohan Boddu - 2.1.27-17 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688