import cyrus-sasl-2.1.27-1.el8

2019-11-05 17:01:49 -05:00 · 2019-11-05 17:01:49 -05:00 · 9e8c8d78e1
commit 9e8c8d78e1
parent 3510d3d3d1
6 changed files with 197 additions and 28 deletions
--- a/.cyrus-sasl.metadata
+++ b/.cyrus-sasl.metadata
@ -1 +1 @@
-98988c2d3b8f055f6346d8d55ca806a8dbd2dc59 SOURCES/cyrus-sasl-2.1.27-rc7-nodlcompatorsrp.tar.gz
+c9e6848d9cc6f9588e0e7a75423f9a3aed3f10db SOURCES/cyrus-sasl-2.1.27-nodlcompatorsrp.tar.gz
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/cyrus-sasl-2.1.27-rc7-nodlcompatorsrp.tar.gz
+SOURCES/cyrus-sasl-2.1.27-nodlcompatorsrp.tar.gz
--- a/SOURCES/cyrus-sasl-2.1.26-md5global.patch
+++ b/SOURCES/cyrus-sasl-2.1.26-md5global.patch
@ -0,0 +1,24 @@
+diff -up cyrus-sasl-2.1.27/include/Makefile.am.md5global.h cyrus-sasl-2.1.27/include/Makefile.am
+--- cyrus-sasl-2.1.27/include/Makefile.am.md5global.h	2018-05-17 13:33:49.588368350 +0200
+++ cyrus-sasl-2.1.27/include/Makefile.am	2018-05-17 13:38:19.377316869 +0200
+@@ -49,20 +49,7 @@ saslinclude_HEADERS = hmac-md5.h md5.h m
+ 
+ noinst_PROGRAMS = makemd5
+ 
+-makemd5_SOURCES = makemd5.c
+-
+-makemd5$(BUILD_EXEEXT) $(makemd5_OBJECTS): CC=$(CC_FOR_BUILD)
+-makemd5$(BUILD_EXEEXT) $(makemd5_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+-makemd5$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
+-
+-md5global.h: makemd5$(BUILD_EXEEXT) Makefile
+-	-rm -f $@
+-	./$< $@
+-
+-BUILT_SOURCES = md5global.h
+-
+ EXTRA_DIST = NTMakefile
+-DISTCLEANFILES = md5global.h
+ 
+ if MACOSX
+ framedir = /Library/Frameworks/SASL2.framework
--- a/SOURCES/cyrus-sasl-2.1.26-revert-upstream-080e51c7fa0421eb2f0210d34cf0ac48a228b1e9.patch
+++ b/SOURCES/cyrus-sasl-2.1.26-revert-upstream-080e51c7fa0421eb2f0210d34cf0ac48a228b1e9.patch
@ -1,17 +0,0 @@
-diff --git a/plugins/gssapi.c b/plugins/gssapi.c
-index e6fcf46..a27eb2b 100644
--- a/plugins/gssapi.c
-+++ b/plugins/gssapi.c
-@@ -1594,10 +1594,10 @@ static int gssapi_client_mech_step(void *conn_context,
- 	}
- 
- 	/* Setup req_flags properly */
-	req_flags = GSS_C_INTEG_FLAG;
-+	req_flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
- 	if (params->props.max_ssf > params->external_ssf) {
- 	    /* We are requesting a security layer */
-	    req_flags |= GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
-+	    req_flags |= GSS_C_INTEG_FLAG;
- 	    /* Any SSF bigger than 1 is confidentiality. */
- 	    /* Let's check if the client of the API requires confidentiality,
- 	       and it wasn't already provided by an external layer */
--- a/SOURCES/cyrus-sasl-pr559-RC4-openssl.patch
+++ b/SOURCES/cyrus-sasl-pr559-RC4-openssl.patch
@ -0,0 +1,155 @@
+From 8aa9ae816ddf66921b4a8a0f422517e6f2e55ac6 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Wed, 27 Mar 2019 14:29:08 -0400
+Subject: [PATCH] Use Openssl RC4 when available
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ configure.ac        |   5 +--
+ plugins/digestmd5.c | 107 +++++++++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 108 insertions(+), 4 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 388f5d02..cfdee4a2 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -1102,12 +1102,11 @@ AC_ARG_WITH(configdir, [   --with-configdir=DIR    set the directory where confi
+ AC_SUBST(configdir)
+ 
+-dnl look for rc4 libraries. we accept the CMU one or one from openSSL
+-AC_ARG_WITH(rc4, [  --with-rc4              use internal rc4 routines [[yes]] ],
+AC_ARG_WITH(rc4, [  --with-rc4              use rc4 routines [[yes]] ],
+ 	with_rc4=$withval,
+ 	with_rc4=yes)
+ 
+ if test "$with_rc4" != no; then
+-    AC_DEFINE(WITH_RC4,[],[Use internal RC4 implementation?])
+    AC_DEFINE(WITH_RC4,[],[Use RC4])
+ fi
+ 
+ building_for_macosx=no
+diff --git a/plugins/digestmd5.c b/plugins/digestmd5.c
+index df35093d..c6b54317 100644
+--- a/plugins/digestmd5.c
+++ b/plugins/digestmd5.c
+@@ -1117,6 +1117,111 @@ static void free_des(context_t *text)
+ #endif /* WITH_DES */
+ 
+ #ifdef WITH_RC4
+#ifdef HAVE_OPENSSL
+#include <openssl/evp.h>
+
+static void free_rc4(context_t *text)
+{
+    if (text->cipher_enc_context) {
+        EVP_CIPHER_CTX_free((EVP_CIPHER_CTX *)text->cipher_enc_context);
+        text->cipher_enc_context = NULL;
+    }
+    if (text->cipher_dec_context) {
+        EVP_CIPHER_CTX_free((EVP_CIPHER_CTX *)text->cipher_dec_context);
+        text->cipher_dec_context = NULL;
+    }
+}
+
+static int init_rc4(context_t *text,
+		    unsigned char enckey[16],
+		    unsigned char deckey[16])
+{
+    EVP_CIPHER_CTX *ctx;
+    int rc;
+
+    ctx = EVP_CIPHER_CTX_new();
+    if (ctx == NULL) return SASL_NOMEM;
+
+    rc = EVP_EncryptInit_ex(ctx, EVP_rc4(), NULL, enckey, NULL);
+    if (rc != 1) return SASL_FAIL;
+
+    text->cipher_enc_context = (void *)ctx;
+
+    ctx = EVP_CIPHER_CTX_new();
+    if (ctx == NULL) return SASL_NOMEM;
+
+    rc = EVP_DecryptInit_ex(ctx, EVP_rc4(), NULL, deckey, NULL);
+    if (rc != 1) return SASL_FAIL;
+
+    text->cipher_dec_context = (void *)ctx;
+
+    return SASL_OK;
+}
+
+static int dec_rc4(context_t *text,
+		   const char *input,
+		   unsigned inputlen,
+		   unsigned char digest[16] __attribute__((unused)),
+		   char *output,
+		   unsigned *outputlen)
+{
+    int len;
+    int rc;
+
+    /* decrypt the text part & HMAC */
+    rc = EVP_DecryptUpdate((EVP_CIPHER_CTX *)text->cipher_dec_context,
+                           (unsigned char *)output, &len,
+                           (const unsigned char *)input, inputlen);
+    if (rc != 1) return SASL_FAIL;
+
+    *outputlen = len;
+
+    rc = EVP_DecryptFinal_ex((EVP_CIPHER_CTX *)text->cipher_dec_context,
+                             (unsigned char *)output + len, &len);
+    if (rc != 1) return SASL_FAIL;
+
+    *outputlen += len;
+
+    /* subtract the HMAC to get the text length */
+    *outputlen -= 10;
+
+    return SASL_OK;
+}
+
+static int enc_rc4(context_t *text,
+		   const char *input,
+		   unsigned inputlen,
+		   unsigned char digest[16],
+		   char *output,
+		   unsigned *outputlen)
+{
+    int len;
+    int rc;
+    /* encrypt the text part */
+    rc = EVP_EncryptUpdate((EVP_CIPHER_CTX *)text->cipher_enc_context,
+                           (unsigned char *)output, &len,
+                           (const unsigned char *)input, inputlen);
+    if (rc != 1) return SASL_FAIL;
+
+    *outputlen = len;
+
+    /* encrypt the `MAC part */
+    rc = EVP_EncryptUpdate((EVP_CIPHER_CTX *)text->cipher_enc_context,
+                           (unsigned char *)output + *outputlen, &len,
+                           digest, 10);
+    if (rc != 1) return SASL_FAIL;
+
+    *outputlen += len;
+
+    rc = EVP_EncryptFinal_ex((EVP_CIPHER_CTX *)text->cipher_enc_context,
+                             (unsigned char *)output + *outputlen, &len);
+    if (rc != 1) return SASL_FAIL;
+
+    *outputlen += len;
+
+    return SASL_OK;
+}
+#else
+ /* quick generic implementation of RC4 */
+ struct rc4_context_s {
+     unsigned char sbox[256];
+@@ -1296,7 +1401,7 @@ static int enc_rc4(context_t *text,
+     
+     return SASL_OK;
+ }
+-
+#endif /* HAVE_OPENSSL */
+ #endif /* WITH_RC4 */
+ 
+ struct digest_cipher available_ciphers[] =
--- a/SPECS/cyrus-sasl.spec
+++ b/SPECS/cyrus-sasl.spec
@ -8,13 +8,13 @@
 Summary: The Cyrus SASL library
 Name: cyrus-sasl
 Version: 2.1.27
-Release: 0.3rc7%{?dist}
+Release: 1%{?dist}
 License: BSD with advertising
 Group: System Environment/Libraries
 # Source0 originally comes from https://www.cyrusimap.org/releases/;
 # make-no-dlcompatorsrp-tarball.sh removes the "dlcompat" subdirectory and builds a
 # new tarball.
-Source0: cyrus-sasl-%{version}-rc7-nodlcompatorsrp.tar.gz
+Source0: cyrus-sasl-%{version}-nodlcompatorsrp.tar.gz
 Source5: saslauthd.service
 Source7: sasl-mechlist.c
 Source9: saslauthd.sysconfig
@ -22,16 +22,14 @@ Source10: make-no-dlcompatorsrp-tarball.sh
 # From upstream git, required for reconfigure after applying patches to configure.ac
 # https://raw.githubusercontent.com/cyrusimap/cyrus-sasl/master/autogen.sh
 Source11: autogen.sh
-URL: http://asg.web.cmu.edu/sasl/sasl-library.html
+URL: https://www.cyrusimap.org/sasl/
 Requires: %{name}-lib%{?_isa} = %{version}-%{release}
 Patch11: cyrus-sasl-2.1.25-no_rpath.patch
 Patch15: cyrus-sasl-2.1.20-saslauthd.conf-path.patch
 Patch23: cyrus-sasl-2.1.23-man.patch
 Patch24: cyrus-sasl-2.1.21-sizes.patch
-#Patch49: cyrus-sasl-2.1.26-md5global.patch
-# revert upstream commit 080e51c7fa0421eb2f0210d34cf0ac48a228b1e9 (#984079)
-# https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
-Patch50: cyrus-sasl-2.1.26-revert-upstream-080e51c7fa0421eb2f0210d34cf0ac48a228b1e9.patch
+Patch49: cyrus-sasl-2.1.26-md5global.patch
+Patch60: cyrus-sasl-pr559-RC4-openssl.patch

 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: autoconf, automake, libtool, gdbm-devel, groff
@ -161,8 +159,8 @@ the GS2 authentication scheme.
 %patch15 -p1 -b .path
 %patch23 -p1 -b .man
 %patch24 -p1 -b .sizes
-#%patch49 -p1 -b .md5global.h
-%patch50 -p1 -b .gssapi
+%patch49 -p1 -b .md5global.h
+%patch60 -p1 -b .openssl_rc4

 %build
 # reconfigure
@ -394,6 +392,15 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir}
 %{_sbindir}/sasl2-shared-mechlist

 %changelog
+* Fri Jun 14 2019 Simo Sorce <simo@redhat.com> - 2.1.27-1
+- Rc7 to final source
+- Resovles bz#1618744
+
+* Thu Jun 13 2019 Simo Sorce <simo@redhat.com> - 2.1.27-0.4rc7
+- Add patch form Upstream PR559 to use RC4 implementation from OpenSSL
+- Resolves bz#1618744
+- Fix multilib issue bz#1663120
+
 * Mon Jul 30 2018 Florian Weimer <fweimer@redhat.com> - 2.1.27-0.3rc7
 - Rebuild with fixed binutils