really remove unused/applied patches and restore partially resonable one

2017-07-13 14:19:01 +02:00 · 2017-07-13 14:19:01 +02:00 · edd601075d
commit edd601075d
parent db035e1fec
10 changed files with 9 additions and 333 deletions
--- a/cyrus-sasl-2.1.22-kerberos4.patch
+++ b/cyrus-sasl-2.1.22-kerberos4.patch
@ -1,17 +1,17 @@
-diff -up cyrus-sasl-2.1.22/config/kerberos_v4.m4.krb4 cyrus-sasl-2.1.22/config/kerberos_v4.m4
+diff -up cyrus-sasl-04dd838b2922840c5033c7071e1132e9ac555411/m4/kerberos_v4.m4.krb4 cyrus-sasl-04dd838b2922840c5033c7071e1132e9ac555411/m4/kerberos_v4.m4
--- cyrus-sasl-2.1.22/config/kerberos_v4.m4.krb4	2005-05-07 06:14:55.000000000 +0200
+--- cyrus-sasl-04dd838b2922840c5033c7071e1132e9ac555411/m4/kerberos_v4.m4.krb4	2017-07-13 13:46:08.828825672 +0200
-+++ cyrus-sasl-2.1.22/config/kerberos_v4.m4	2008-08-14 23:41:26.000000000 +0200
+++ cyrus-sasl-04dd838b2922840c5033c7071e1132e9ac555411/m4/kerberos_v4.m4	2017-07-13 13:46:16.709804677 +0200
@@ -102,7 +102,6 @@ AC_DEFUN([SASL_KERBEROS_V4_CHK], [
-        if test -n "${cyrus_krbinclude}"; then
+        if test -n "${cyrus_cv_krbinclude}"; then
-          CPPFLAGS="$CPPFLAGS -I${cyrus_krbinclude}"
+          CPPFLAGS="$CPPFLAGS -I${cyrus_cv_krbinclude}"
        fi
 -       LDFLAGS="$LDFLAGS -L$krb4/lib"
     fi
     if test "$with_des" != no; then
-diff -up cyrus-sasl-2.1.22/plugins/kerberos4.c.krb4 cyrus-sasl-2.1.22/plugins/kerberos4.c
+diff -up cyrus-sasl-04dd838b2922840c5033c7071e1132e9ac555411/plugins/kerberos4.c.krb4 cyrus-sasl-04dd838b2922840c5033c7071e1132e9ac555411/plugins/kerberos4.c
--- cyrus-sasl-2.1.22/plugins/kerberos4.c.krb4	2005-01-10 08:08:53.000000000 +0100
+--- cyrus-sasl-04dd838b2922840c5033c7071e1132e9ac555411/plugins/kerberos4.c.krb4	2017-03-03 15:12:10.000000000 +0100
-+++ cyrus-sasl-2.1.22/plugins/kerberos4.c	2008-08-14 23:36:33.000000000 +0200
+++ cyrus-sasl-04dd838b2922840c5033c7071e1132e9ac555411/plugins/kerberos4.c	2017-07-13 13:46:08.829825670 +0200
@@ -49,11 +49,7 @@
 #include <krb.h>
--- a/cyrus-sasl-2.1.22-ldap-timeout.patch
+++ b/cyrus-sasl-2.1.22-ldap-timeout.patch
@ -1,25 +0,0 @@
 commit c9447e1c3ffba88783e5d9396b832be82d3c78fc
 Author: Kazuo Ito <ito.kazuo@oss.ntt.co.jp>
 Date:   Wed Dec 10 12:03:29 2008 +0900
    support for LDAP_OPT_TIMEOUT
    OpenLDAP since 2.4 implements support for this option in ldap_result(),
    among other things.
 diff --git a/saslauthd/lak.c b/saslauthd/lak.c
 index 803d51f..8714265 100644
 --- a/saslauthd/lak.c
 +++ b/saslauthd/lak.c
@@ -833,6 +833,11 @@ static int lak_connect(
 		syslog(LOG_WARNING|LOG_AUTH, "Unable to set LDAP_OPT_NETWORK_TIMEOUT %d.%d.", lak->conf->timeout.tv_sec, lak->conf->timeout.tv_usec);
 	}
 +	rc = ldap_set_option(lak->ld, LDAP_OPT_TIMEOUT, &(lak->conf->timeout));
 +	if (rc != LDAP_OPT_SUCCESS) {
 +		syslog(LOG_WARNING|LOG_AUTH, "Unable to set LDAP_OPT_TIMEOUT %d.%d.", lak->conf->timeout.tv_sec, lak->conf->timeout.tv_usec);
 +	}
 +
 	rc = ldap_set_option(lak->ld, LDAP_OPT_TIMELIMIT, &(lak->conf->time_limit));
 	if (rc != LDAP_OPT_SUCCESS) {
 		syslog(LOG_WARNING|LOG_AUTH, "Unable to set LDAP_OPT_TIMELIMIT %d.", lak->conf->time_limit);
--- a/cyrus-sasl-2.1.26-config-error.patch
+++ b/cyrus-sasl-2.1.26-config-error.patch
@ -1,46 +0,0 @@
 diff --git a/include/sasl.h b/include/sasl.h
 index d52269f..ed208a5 100644
 --- a/include/sasl.h
 +++ b/include/sasl.h
@@ -177,6 +177,7 @@
 				       because of some constrains/policy violation */
 #define SASL_BADBINDING -32  /* channel binding failure */
 +#define SASL_CONFIGERR  -100 /* error when parsing configuration file */
 /* max size of a sasl mechanism name */
 #define SASL_MECHNAMEMAX 20
 diff --git a/lib/common.c b/lib/common.c
 index e0f59eb..1a1715e 100644
 --- a/lib/common.c
 +++ b/lib/common.c
@@ -1362,6 +1362,7 @@ const char *sasl_errstring(int saslerr,
     case SASL_CONSTRAINT_VIOLAT: return "sasl_setpass can't store a property because "
 			        "of a constraint violation";
     case SASL_BADBINDING: return "channel binding failure";
 +    case SASL_CONFIGERR:  return "error when parsing configuration file";
     default:   return "undefined error!";
     }
 diff --git a/lib/config.c b/lib/config.c
 index 7cae302..fde3757 100644
 --- a/lib/config.c
 +++ b/lib/config.c
@@ -91,7 +91,7 @@ int sasl_config_init(const char *filename)
 	}
 	if (*p != ':') {
 	    fclose(infile);
 -	    return SASL_FAIL;
 +	    return SASL_CONFIGERR;
 	}
 	*p++ = '\0';
@@ -99,7 +99,7 @@ int sasl_config_init(const char *filename)
 	if (!*p) {
 	    fclose(infile);
 -	    return SASL_FAIL;
 +	    return SASL_CONFIGERR;
 	}
 	/* Now strip trailing spaces, if any */
--- a/cyrus-sasl-2.1.26-md5global.patch
+++ b/cyrus-sasl-2.1.26-md5global.patch
@ -18,32 +18,3 @@ diff -up cyrus-sasl-2.1.27/include/Makefile.am.md5global.h cyrus-sasl-2.1.27/inc
 if MACOSX
 framedir = /Library/Frameworks/SASL2.framework
 diff -up cyrus-sasl-2.1.27/include/md5global.h.md5global.h cyrus-sasl-2.1.27/include/md5global.h
 --- cyrus-sasl-2.1.27/include/md5global.h.md5global.h	2015-11-20 15:28:25.932263083 +0100
 +++ cyrus-sasl-2.1.27/include/md5global.h	2015-11-20 15:36:16.380184280 +0100
@@ -15,14 +15,17 @@ The following makes PROTOTYPES default t
 /* POINTER defines a generic pointer type */
 typedef unsigned char *POINTER;
 -typedef signed char INT1;		/*  8 bits */
 -typedef short INT2;			/* 16 bits */
 -typedef int INT4;			/* 32 bits */
 -typedef long INT8;			/* 64 bits */
 -typedef unsigned char UINT1;		/*  8 bits */
 -typedef unsigned short UINT2;		/* 16 bits */
 -typedef unsigned int UINT4;		/* 32 bits */
 -typedef unsigned long UINT8;		/* 64 bits */
 +/* We try to define integer types for our use */
 +#include <inttypes.h>
 +
 +typedef int8_t INT1;			/*  8 bits */
 +typedef int16_t INT2;			/* 16 bits */
 +typedef int32_t INT4;			/* 32 bits */
 +typedef int64_t INT8;			/* 64 bits */
 +typedef uint8_t UINT1;			/*  8 bits */
 +typedef uint16_t UINT2;			/* 16 bits */
 +typedef uint32_t UINT4;			/* 32 bits */
 +typedef uint64_t UINT8;			/* 64 bits */
 /* PROTO_LIST is defined depending on how PROTOTYPES is defined above.
 If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it
--- a/cyrus-sasl-2.1.26-null-crypt.patch
+++ b/cyrus-sasl-2.1.26-null-crypt.patch
@ -1,86 +0,0 @@
 diff -up cyrus-sasl-2.1.26/pwcheck/pwcheck_getpwnam.c.null-crypt cyrus-sasl-2.1.26/pwcheck/pwcheck_getpwnam.c
 --- cyrus-sasl-2.1.26/pwcheck/pwcheck_getpwnam.c.null-crypt	2012-01-28 00:31:36.000000000 +0100
 +++ cyrus-sasl-2.1.26/pwcheck/pwcheck_getpwnam.c	2012-12-20 17:00:14.614580310 +0100
@@ -31,7 +31,7 @@ char *pwcheck(userid, password)
 char *userid;
 char *password;
 {
 -    char* r;
 +    char* r, *cryptbuf;
     struct passwd *pwd;
     pwd = getpwnam(userid);
@@ -41,11 +41,13 @@ char *password;
     else if (pwd->pw_passwd[0] == '*') {
 	r = "Account disabled";
     }
 -    else if (strcmp(pwd->pw_passwd, crypt(password, pwd->pw_passwd)) != 0) {
 -	r = "Incorrect password";
 -    }
     else {
 -	r = "OK";
 +	cryptbuf = crypt(password, pwd->pw_passwd);
 +	if((cryptbuf == NULL) || (strcmp(pwd->pw_passwd, cryptbuf) != 0)) {
 +	   r = "Incorrect password";
 +	} else {
 +	   r = "OK";
 +	}
     }
     endpwent();
 diff -up cyrus-sasl-2.1.26/saslauthd/auth_getpwent.c.null-crypt cyrus-sasl-2.1.26/saslauthd/auth_getpwent.c
 --- cyrus-sasl-2.1.26/saslauthd/auth_getpwent.c.null-crypt	2012-10-12 16:05:48.000000000 +0200
 +++ cyrus-sasl-2.1.26/saslauthd/auth_getpwent.c	2012-12-20 17:03:17.940793653 +0100
@@ -78,6 +78,7 @@ auth_getpwent (
     /* VARIABLES */
     struct passwd *pw;			/* pointer to passwd file entry */
     int errnum;
 +    char *cryptbuf;
     /* END VARIABLES */
     errno = 0;
@@ -105,7 +106,8 @@ auth_getpwent (
 	}
     }
 -    if (strcmp(pw->pw_passwd, (const char *)crypt(password, pw->pw_passwd))) {
 +    cryptbuf = crypt(password, pw->pw_passwd);
 +    if ((cryptbuf == NULL) || strcmp(pw->pw_passwd, cryptbuf)) {
 	if (flags & VERBOSE) {
 	    syslog(LOG_DEBUG, "DEBUG: auth_getpwent: %s: invalid password", login);
 	}
 diff -up cyrus-sasl-2.1.26/saslauthd/auth_shadow.c.null-crypt cyrus-sasl-2.1.26/saslauthd/auth_shadow.c
 --- cyrus-sasl-2.1.26/saslauthd/auth_shadow.c.null-crypt	2012-12-20 17:00:14.000000000 +0100
 +++ cyrus-sasl-2.1.26/saslauthd/auth_shadow.c	2012-12-20 17:16:44.190360006 +0100
@@ -214,8 +214,8 @@ auth_shadow (
 	RETURN("NO Insufficient permission to access NIS authentication database (saslauthd)");
     }
 -    cpw = strdup((const char *)crypt(password, sp->sp_pwdp));
 -    if (strcmp(sp->sp_pwdp, cpw)) {
 +    cpw = crypt(password, sp->sp_pwdp);
 +    if ((cpw == NULL) || strcmp(sp->sp_pwdp, cpw)) {
 	if (flags & VERBOSE) {
 	    /*
 	     * This _should_ reveal the SHADOW_PW_LOCKED prefix to an
@@ -225,10 +225,8 @@ auth_shadow (
 	    syslog(LOG_DEBUG, "DEBUG: auth_shadow: pw mismatch: '%s' != '%s'",
 		   sp->sp_pwdp, cpw);
 	}
 -	free(cpw);
 	RETURN("NO Incorrect password");
     }
 -    free(cpw);
     /*
      * The following fields will be set to -1 if:
@@ -290,7 +288,8 @@ auth_shadow (
 	RETURN("NO Invalid username");
     }
 -    if (strcmp(upw->upw_passwd, crypt(password, upw->upw_passwd)) != 0) {
 +    cpw = crypt(password, upw->upw_passwd);
 +    if ((cpw == NULL) || strcmp(upw->upw_passwd, cpw) != 0) {
 	if (flags & VERBOSE) {
 	    syslog(LOG_DEBUG, "auth_shadow: pw mismatch: %s != %s",
 		   password, upw->upw_passwd);
--- a/cyrus-sasl-2.1.26-obsolete-macro.patch
+++ b/cyrus-sasl-2.1.26-obsolete-macro.patch
@ -1,13 +0,0 @@
 diff --git a/configure.in b/configure.in
 index e70c99a..60f366c 100644
 --- a/configure.in
 +++ b/configure.in
@@ -1416,7 +1416,7 @@ inline static unsigned int sleep(unsigned int seconds) {
 #endif /* CONFIG_H */
 ])
 -AM_CONFIG_HEADER(config.h)
 +AC_CONFIG_HEADERS(config.h)
 AC_OUTPUT(Makefile
 libsasl2.pc
--- a/cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch
+++ b/cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch
@ -1,51 +0,0 @@
 commit 26dcfb2d7176b78e70757aa5d01951a28ca217c7
 Author: Alexey Melnikov <alexey.melnikov@isode.com>
 Date:   Fri Jul 5 16:37:59 2013 +0100
    Treat SCRAM-SHA-1/DIGEST-MD5 as more secure than PLAIN when selecting the best client side SASL mechanism
    Both SCRAM-SHA-1 & DIGEST-MD5 are lacking SASL_SEC_PASS_CREDENTIALS security
    flag, which prevented them from being chosen over PLAIN when PLAIN is selected
    as the best mechanism first. For example the problem can be observed when
    the server advertises "PLAIN DIGEST-MD5 SCRAM-SHA-1" (PLAIN just has to be
    returned before SCRAM/DIGEST.)
    Cyrus SASL bug # 3793
 diff --git a/lib/client.c b/lib/client.c
 index 62dfb0b..31fe346 100644
 --- a/lib/client.c
 +++ b/lib/client.c
@@ -658,6 +658,20 @@ _sasl_cbinding_disp(sasl_client_params_t *cparams,
     return SASL_OK;
 }
 +static int
 +_sasl_are_current_security_flags_worse_then_best(unsigned best_security_flags,
 +						 unsigned current_security_flags)
 +{
 +    /* We don't qualify SASL_SEC_PASS_CREDENTIALS as "secure" flag */
 +    best_security_flags &= ~SASL_SEC_PASS_CREDENTIALS;
 +
 +    if ((current_security_flags ^ best_security_flags) & best_security_flags) {
 +	return 1;
 +    } else {
 +	return 0;
 +    }
 +}
 +
 /* select a mechanism for a connection
  *  mechlist      -- mechanisms server has available (punctuation ignored)
  *  secret        -- optional secret from previous session
@@ -823,8 +837,9 @@ int sasl_client_start(sasl_conn_t *conn,
 	     */
 	    if (bestm &&
 -		((m->m.plug->security_flags ^ bestm->m.plug->security_flags) &
 -		 bestm->m.plug->security_flags)) {
 +		_sasl_are_current_security_flags_worse_then_best(
 +		    bestm->m.plug->security_flags,
 +		    m->m.plug->security_flags)) {
 		break;
 	    }
--- a/cyrus-sasl-2.1.26-sample-leak.patch
+++ b/cyrus-sasl-2.1.26-sample-leak.patch
@ -1,13 +0,0 @@
 diff --git a/sample/server.c b/sample/server.c
 index f5aff68..6c684af 100644
 --- a/sample/server.c
 +++ b/sample/server.c
@@ -227,6 +227,8 @@ int mysasl_negotiate(FILE *in, FILE *out, sasl_conn_t *conn)
     /* send capability list to client */
     send_string(out, data, len);
 +    if (mech)
 +		free(data);
     dprintf(1, "waiting for client mechanism...\n");
     len = recv_string(in, chosenmech, sizeof chosenmech);
--- a/cyrus-sasl-2.1.26-user-specified-logging.patch
+++ b/cyrus-sasl-2.1.26-user-specified-logging.patch
@ -1,40 +0,0 @@
 diff --git a/plugins/gssapi.c b/plugins/gssapi.c
 index 70a4157..7eb88d2 100644
 --- a/plugins/gssapi.c
 +++ b/plugins/gssapi.c
@@ -1267,7 +1267,7 @@ gssapi_server_mech_step(void *conn_context,
     if (text == NULL) return SASL_BADPROT;
 -    params->utils->log(NULL, SASL_LOG_DEBUG,
 +    params->utils->log(params->utils->conn, SASL_LOG_DEBUG,
 		       "GSSAPI server step %d\n", text->state);
     switch (text->state) {
@@ -1293,7 +1293,7 @@ gssapi_server_mech_step(void *conn_context,
 	break;
     default:
 -	params->utils->log(NULL, SASL_LOG_ERR,
 +	params->utils->log(params->utils->conn, SASL_LOG_ERR,
 			   "Invalid GSSAPI server step %d\n", text->state);
 	return SASL_FAIL;
     }
@@ -1499,7 +1499,7 @@ static int gssapi_client_mech_step(void *conn_context,
     *clientout = NULL;
     *clientoutlen = 0;
 -    params->utils->log(NULL, SASL_LOG_DEBUG,
 +    params->utils->log(params->utils->conn, SASL_LOG_DEBUG,
 		       "GSSAPI client step %d", text->state);
     switch (text->state) {
@@ -1992,7 +1992,7 @@ static int gssapi_client_mech_step(void *conn_context,
     }
     default:
 -	params->utils->log(NULL, SASL_LOG_ERR,
 +	params->utils->log(params->utils->conn, SASL_LOG_ERR,
 			   "Invalid GSSAPI client step %d\n", text->state);
 	return SASL_FAIL;
     }
--- a/cyrus-sasl.spec
+++ b/cyrus-sasl.spec
@ -27,30 +27,16 @@ Patch15: cyrus-sasl-2.1.20-saslauthd.conf-path.patch
 Patch23: cyrus-sasl-2.1.23-man.patch
 Patch24: cyrus-sasl-2.1.21-sizes.patch
 Patch31: cyrus-sasl-2.1.22-kerberos4.patch
 Patch34: cyrus-sasl-2.1.22-ldap-timeout.patch
 # removed due to #759334
 #Patch38: cyrus-sasl-2.1.23-pam_rhosts.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=816250
 Patch43: cyrus-sasl-2.1.26-null-crypt.patch
 # AM_CONFIG_HEADER is obsolete, use AC_CONFIG_HEADERS instead
 Patch45: cyrus-sasl-2.1.26-obsolete-macro.patch
 # disable incorrect check for MkLinux
 Patch47: cyrus-sasl-2.1.26-ppc.patch
 # detect gsskrb5_register_acceptor_identity macro (#976538)
 #Patch49: cyrus-sasl-2.1.26-md5global.patch
 # revert upstream commit 080e51c7fa0421eb2f0210d34cf0ac48a228b1e9 (#984079)
 # https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
 Patch50: cyrus-sasl-2.1.26-revert-upstream-080e51c7fa0421eb2f0210d34cf0ac48a228b1e9.patch
 # improve configuration error message
 Patch52: cyrus-sasl-2.1.26-config-error.patch
 # Treat SCRAM-SHA-1/DIGEST-MD5 as more secure than PLAIN (#970718)
 Patch53: cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch
 # Do not leak memory in sample server (#852755)
 Patch54: cyrus-sasl-2.1.26-sample-leak.patch
 # Document ability to run saslauthd unprivileged (#1189203)
 Patch55: cyrus-sasl-2.1.26-saslauthd-user.patch
 # Too much loogging in GSSAPI resolved (#1187097)
 Patch56: cyrus-sasl-2.1.26-user-specified-logging.patch
 # OpenSSL 1.1.0 support
 Patch57: cyrus-sasl-2.1.27-openssl-1.1.0.patch
 # Fix support for GSS SPNEGO to be compatible with windows (#1421663)
@ -190,18 +176,11 @@ chmod -x include/*.h
 %patch15 -p1 -b .path
 %patch23 -p1 -b .man
 %patch24 -p1 -b .sizes
-#%patch31 -p1 -b .krb4
+%patch31 -p1 -b .krb4
 #%patch34 -p1 -b .ldap-timeout
 #%patch43 -p1 -b .null-crypt
 #%patch45 -p1 -b .obsolete-macro
 #%patch47 -p1 -b .ppc
 #%patch49 -p1 -b .md5global.h
 %patch50 -p1 -b .gssapi
 #%patch52 -p1 -b .configerr
 #%patch53 -p1 -b .sha1vsplain
 #%patch54 -p1 -b .leak
 %patch55 -p1 -b .man-unprivileged
 #%patch56 -p1 -b .too-much-logging
 %patch57 -p1 -b .openssl110
 %patch58 -p1 -b .spnego
 %patch59 -p1 -b .mutex