really remove unused/applied patches and restore partially resonable one

Jakub Jelen 2017-07-13 14:19:01 +02:00
parent db035e1fec
commit edd601075d
10 changed files with 9 additions and 333 deletions


@ -1,17 +1,17 @@
diff -up cyrus-sasl-2.1.22/config/kerberos_v4.m4.krb4 cyrus-sasl-2.1.22/config/kerberos_v4.m4
--- cyrus-sasl-2.1.22/config/kerberos_v4.m4.krb4 2005-05-07 06:14:55.000000000 +0200
+++ cyrus-sasl-2.1.22/config/kerberos_v4.m4 2008-08-14 23:41:26.000000000 +0200
diff -up cyrus-sasl-04dd838b2922840c5033c7071e1132e9ac555411/m4/kerberos_v4.m4.krb4 cyrus-sasl-04dd838b2922840c5033c7071e1132e9ac555411/m4/kerberos_v4.m4
--- cyrus-sasl-04dd838b2922840c5033c7071e1132e9ac555411/m4/kerberos_v4.m4.krb4 2017-07-13 13:46:08.828825672 +0200
+++ cyrus-sasl-04dd838b2922840c5033c7071e1132e9ac555411/m4/kerberos_v4.m4 2017-07-13 13:46:16.709804677 +0200
@@ -102,7 +102,6 @@ AC_DEFUN([SASL_KERBEROS_V4_CHK], [
if test -n "${cyrus_krbinclude}"; then
CPPFLAGS="$CPPFLAGS -I${cyrus_krbinclude}"
if test -n "${cyrus_cv_krbinclude}"; then
CPPFLAGS="$CPPFLAGS -I${cyrus_cv_krbinclude}"
fi
- LDFLAGS="$LDFLAGS -L$krb4/lib"
fi
if test "$with_des" != no; then
diff -up cyrus-sasl-2.1.22/plugins/kerberos4.c.krb4 cyrus-sasl-2.1.22/plugins/kerberos4.c
--- cyrus-sasl-2.1.22/plugins/kerberos4.c.krb4 2005-01-10 08:08:53.000000000 +0100
+++ cyrus-sasl-2.1.22/plugins/kerberos4.c 2008-08-14 23:36:33.000000000 +0200
diff -up cyrus-sasl-04dd838b2922840c5033c7071e1132e9ac555411/plugins/kerberos4.c.krb4 cyrus-sasl-04dd838b2922840c5033c7071e1132e9ac555411/plugins/kerberos4.c
--- cyrus-sasl-04dd838b2922840c5033c7071e1132e9ac555411/plugins/kerberos4.c.krb4 2017-03-03 15:12:10.000000000 +0100
+++ cyrus-sasl-04dd838b2922840c5033c7071e1132e9ac555411/plugins/kerberos4.c 2017-07-13 13:46:08.829825670 +0200
@@ -49,11 +49,7 @@
#include <krb.h>


@ -1,25 +0,0 @@
commit c9447e1c3ffba88783e5d9396b832be82d3c78fc
Author: Kazuo Ito <ito.kazuo@oss.ntt.co.jp>
Date: Wed Dec 10 12:03:29 2008 +0900
support for LDAP_OPT_TIMEOUT
OpenLDAP since 2.4 implements support for this option in ldap_result(),
among other things.
diff --git a/saslauthd/lak.c b/saslauthd/lak.c
index 803d51f..8714265 100644
--- a/saslauthd/lak.c
+++ b/saslauthd/lak.c
@@ -833,6 +833,11 @@ static int lak_connect(
syslog(LOG_WARNING|LOG_AUTH, "Unable to set LDAP_OPT_NETWORK_TIMEOUT %d.%d.", lak->conf->timeout.tv_sec, lak->conf->timeout.tv_usec);
}
+ rc = ldap_set_option(lak->ld, LDAP_OPT_TIMEOUT, &(lak->conf->timeout));
+ if (rc != LDAP_OPT_SUCCESS) {
+ syslog(LOG_WARNING|LOG_AUTH, "Unable to set LDAP_OPT_TIMEOUT %d.%d.", lak->conf->timeout.tv_sec, lak->conf->timeout.tv_usec);
+ }
+
rc = ldap_set_option(lak->ld, LDAP_OPT_TIMELIMIT, &(lak->conf->time_limit));
if (rc != LDAP_OPT_SUCCESS) {
syslog(LOG_WARNING|LOG_AUTH, "Unable to set LDAP_OPT_TIMELIMIT %d.", lak->conf->time_limit);


@ -1,46 +0,0 @@
diff --git a/include/sasl.h b/include/sasl.h
index d52269f..ed208a5 100644
--- a/include/sasl.h
+++ b/include/sasl.h
@@ -177,6 +177,7 @@
because of some constrains/policy violation */
#define SASL_BADBINDING -32 /* channel binding failure */
+#define SASL_CONFIGERR -100 /* error when parsing configuration file */
/* max size of a sasl mechanism name */
#define SASL_MECHNAMEMAX 20
diff --git a/lib/common.c b/lib/common.c
index e0f59eb..1a1715e 100644
--- a/lib/common.c
+++ b/lib/common.c
@@ -1362,6 +1362,7 @@ const char *sasl_errstring(int saslerr,
case SASL_CONSTRAINT_VIOLAT: return "sasl_setpass can't store a property because "
"of a constraint violation";
case SASL_BADBINDING: return "channel binding failure";
+ case SASL_CONFIGERR: return "error when parsing configuration file";
default: return "undefined error!";
}
diff --git a/lib/config.c b/lib/config.c
index 7cae302..fde3757 100644
--- a/lib/config.c
+++ b/lib/config.c
@@ -91,7 +91,7 @@ int sasl_config_init(const char *filename)
}
if (*p != ':') {
fclose(infile);
- return SASL_FAIL;
+ return SASL_CONFIGERR;
}
*p++ = '\0';
@@ -99,7 +99,7 @@ int sasl_config_init(const char *filename)
if (!*p) {
fclose(infile);
- return SASL_FAIL;
+ return SASL_CONFIGERR;
}
/* Now strip trailing spaces, if any */


@ -18,32 +18,3 @@ diff -up cyrus-sasl-2.1.27/include/Makefile.am.md5global.h cyrus-sasl-2.1.27/inc
if MACOSX
framedir = /Library/Frameworks/SASL2.framework
diff -up cyrus-sasl-2.1.27/include/md5global.h.md5global.h cyrus-sasl-2.1.27/include/md5global.h
--- cyrus-sasl-2.1.27/include/md5global.h.md5global.h 2015-11-20 15:28:25.932263083 +0100
+++ cyrus-sasl-2.1.27/include/md5global.h 2015-11-20 15:36:16.380184280 +0100
@@ -15,14 +15,17 @@ The following makes PROTOTYPES default t
/* POINTER defines a generic pointer type */
typedef unsigned char *POINTER;
-typedef signed char INT1; /* 8 bits */
-typedef short INT2; /* 16 bits */
-typedef int INT4; /* 32 bits */
-typedef long INT8; /* 64 bits */
-typedef unsigned char UINT1; /* 8 bits */
-typedef unsigned short UINT2; /* 16 bits */
-typedef unsigned int UINT4; /* 32 bits */
-typedef unsigned long UINT8; /* 64 bits */
+/* We try to define integer types for our use */
+#include <inttypes.h>
+
+typedef int8_t INT1; /* 8 bits */
+typedef int16_t INT2; /* 16 bits */
+typedef int32_t INT4; /* 32 bits */
+typedef int64_t INT8; /* 64 bits */
+typedef uint8_t UINT1; /* 8 bits */
+typedef uint16_t UINT2; /* 16 bits */
+typedef uint32_t UINT4; /* 32 bits */
+typedef uint64_t UINT8; /* 64 bits */
/* PROTO_LIST is defined depending on how PROTOTYPES is defined above.
If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it
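Review bot: The trimmed `cyrus-sasl-2.1.26-md5global.patch` is kept as a three-line remnant (the hunk header shows 32 lines shrinking to 3) while the spec leaves it disabled at both `#Patch49:` and `#%patch49`, so whatever survives is dead and reads like an oversight; either delete the file as was done for the other applied patches, or re-enable it. If the md5global.h hunk was dropped because upstream already moved to the `<inttypes.h>` fixed-width typedefs, that is worth confirming before the remnant goes, since the original `typedef long INT8; /* 64 bits */` and `typedef unsigned long UINT8; /* 64 bits */` are 32-bit on ILP32 targets and the width comments are false there. Which three lines remain in the new file is not visible on this page.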


@ -1,86 +0,0 @@
diff -up cyrus-sasl-2.1.26/pwcheck/pwcheck_getpwnam.c.null-crypt cyrus-sasl-2.1.26/pwcheck/pwcheck_getpwnam.c
--- cyrus-sasl-2.1.26/pwcheck/pwcheck_getpwnam.c.null-crypt 2012-01-28 00:31:36.000000000 +0100
+++ cyrus-sasl-2.1.26/pwcheck/pwcheck_getpwnam.c 2012-12-20 17:00:14.614580310 +0100
@@ -31,7 +31,7 @@ char *pwcheck(userid, password)
char *userid;
char *password;
{
- char* r;
+ char* r, *cryptbuf;
struct passwd *pwd;
pwd = getpwnam(userid);
@@ -41,11 +41,13 @@ char *password;
else if (pwd->pw_passwd[0] == '*') {
r = "Account disabled";
}
- else if (strcmp(pwd->pw_passwd, crypt(password, pwd->pw_passwd)) != 0) {
- r = "Incorrect password";
- }
else {
- r = "OK";
+ cryptbuf = crypt(password, pwd->pw_passwd);
+ if((cryptbuf == NULL) || (strcmp(pwd->pw_passwd, cryptbuf) != 0)) {
+ r = "Incorrect password";
+ } else {
+ r = "OK";
+ }
}
endpwent();
diff -up cyrus-sasl-2.1.26/saslauthd/auth_getpwent.c.null-crypt cyrus-sasl-2.1.26/saslauthd/auth_getpwent.c
--- cyrus-sasl-2.1.26/saslauthd/auth_getpwent.c.null-crypt 2012-10-12 16:05:48.000000000 +0200
+++ cyrus-sasl-2.1.26/saslauthd/auth_getpwent.c 2012-12-20 17:03:17.940793653 +0100
@@ -78,6 +78,7 @@ auth_getpwent (
/* VARIABLES */
struct passwd *pw; /* pointer to passwd file entry */
int errnum;
+ char *cryptbuf;
/* END VARIABLES */
errno = 0;
@@ -105,7 +106,8 @@ auth_getpwent (
}
}
- if (strcmp(pw->pw_passwd, (const char *)crypt(password, pw->pw_passwd))) {
+ cryptbuf = crypt(password, pw->pw_passwd);
+ if ((cryptbuf == NULL) || strcmp(pw->pw_passwd, cryptbuf)) {
if (flags & VERBOSE) {
syslog(LOG_DEBUG, "DEBUG: auth_getpwent: %s: invalid password", login);
}
diff -up cyrus-sasl-2.1.26/saslauthd/auth_shadow.c.null-crypt cyrus-sasl-2.1.26/saslauthd/auth_shadow.c
--- cyrus-sasl-2.1.26/saslauthd/auth_shadow.c.null-crypt 2012-12-20 17:00:14.000000000 +0100
+++ cyrus-sasl-2.1.26/saslauthd/auth_shadow.c 2012-12-20 17:16:44.190360006 +0100
@@ -214,8 +214,8 @@ auth_shadow (
RETURN("NO Insufficient permission to access NIS authentication database (saslauthd)");
}
- cpw = strdup((const char *)crypt(password, sp->sp_pwdp));
- if (strcmp(sp->sp_pwdp, cpw)) {
+ cpw = crypt(password, sp->sp_pwdp);
+ if ((cpw == NULL) || strcmp(sp->sp_pwdp, cpw)) {
if (flags & VERBOSE) {
/*
* This _should_ reveal the SHADOW_PW_LOCKED prefix to an
@@ -225,10 +225,8 @@ auth_shadow (
syslog(LOG_DEBUG, "DEBUG: auth_shadow: pw mismatch: '%s' != '%s'",
sp->sp_pwdp, cpw);
}
- free(cpw);
RETURN("NO Incorrect password");
}
- free(cpw);
/*
* The following fields will be set to -1 if:
@@ -290,7 +288,8 @@ auth_shadow (
RETURN("NO Invalid username");
}
- if (strcmp(upw->upw_passwd, crypt(password, upw->upw_passwd)) != 0) {
+ cpw = crypt(password, upw->upw_passwd);
+ if ((cpw == NULL) || strcmp(upw->upw_passwd, cpw) != 0) {
if (flags & VERBOSE) {
syslog(LOG_DEBUG, "auth_shadow: pw mismatch: %s != %s",
password, upw->upw_passwd);


@ -1,13 +0,0 @@
diff --git a/configure.in b/configure.in
index e70c99a..60f366c 100644
--- a/configure.in
+++ b/configure.in
@@ -1416,7 +1416,7 @@ inline static unsigned int sleep(unsigned int seconds) {
#endif /* CONFIG_H */
])
-AM_CONFIG_HEADER(config.h)
+AC_CONFIG_HEADERS(config.h)
AC_OUTPUT(Makefile
libsasl2.pc


@ -1,51 +0,0 @@
commit 26dcfb2d7176b78e70757aa5d01951a28ca217c7
Author: Alexey Melnikov <alexey.melnikov@isode.com>
Date: Fri Jul 5 16:37:59 2013 +0100
Treat SCRAM-SHA-1/DIGEST-MD5 as more secure than PLAIN when selecting the best client side SASL mechanism
Both SCRAM-SHA-1 & DIGEST-MD5 are lacking SASL_SEC_PASS_CREDENTIALS security
flag, which prevented them from being chosen over PLAIN when PLAIN is selected
as the best mechanism first. For example the problem can be observed when
the server advertises "PLAIN DIGEST-MD5 SCRAM-SHA-1" (PLAIN just has to be
returned before SCRAM/DIGEST.)
Cyrus SASL bug # 3793
diff --git a/lib/client.c b/lib/client.c
index 62dfb0b..31fe346 100644
--- a/lib/client.c
+++ b/lib/client.c
@@ -658,6 +658,20 @@ _sasl_cbinding_disp(sasl_client_params_t *cparams,
return SASL_OK;
}
+static int
+_sasl_are_current_security_flags_worse_then_best(unsigned best_security_flags,
+ unsigned current_security_flags)
+{
+ /* We don't qualify SASL_SEC_PASS_CREDENTIALS as "secure" flag */
+ best_security_flags &= ~SASL_SEC_PASS_CREDENTIALS;
+
+ if ((current_security_flags ^ best_security_flags) & best_security_flags) {
+ return 1;
+ } else {
+ return 0;
+ }
+}
+
/* select a mechanism for a connection
* mechlist -- mechanisms server has available (punctuation ignored)
* secret -- optional secret from previous session
@@ -823,8 +837,9 @@ int sasl_client_start(sasl_conn_t *conn,
*/
if (bestm &&
- ((m->m.plug->security_flags ^ bestm->m.plug->security_flags) &
- bestm->m.plug->security_flags)) {
+ _sasl_are_current_security_flags_worse_then_best(
+ bestm->m.plug->security_flags,
+ m->m.plug->security_flags)) {
break;
}


@ -1,13 +0,0 @@
diff --git a/sample/server.c b/sample/server.c
index f5aff68..6c684af 100644
--- a/sample/server.c
+++ b/sample/server.c
@@ -227,6 +227,8 @@ int mysasl_negotiate(FILE *in, FILE *out, sasl_conn_t *conn)
/* send capability list to client */
send_string(out, data, len);
+ if (mech)
+ free(data);
dprintf(1, "waiting for client mechanism...\n");
len = recv_string(in, chosenmech, sizeof chosenmech);


@ -1,40 +0,0 @@
diff --git a/plugins/gssapi.c b/plugins/gssapi.c
index 70a4157..7eb88d2 100644
--- a/plugins/gssapi.c
+++ b/plugins/gssapi.c
@@ -1267,7 +1267,7 @@ gssapi_server_mech_step(void *conn_context,
if (text == NULL) return SASL_BADPROT;
- params->utils->log(NULL, SASL_LOG_DEBUG,
+ params->utils->log(params->utils->conn, SASL_LOG_DEBUG,
"GSSAPI server step %d\n", text->state);
switch (text->state) {
@@ -1293,7 +1293,7 @@ gssapi_server_mech_step(void *conn_context,
break;
default:
- params->utils->log(NULL, SASL_LOG_ERR,
+ params->utils->log(params->utils->conn, SASL_LOG_ERR,
"Invalid GSSAPI server step %d\n", text->state);
return SASL_FAIL;
}
@@ -1499,7 +1499,7 @@ static int gssapi_client_mech_step(void *conn_context,
*clientout = NULL;
*clientoutlen = 0;
- params->utils->log(NULL, SASL_LOG_DEBUG,
+ params->utils->log(params->utils->conn, SASL_LOG_DEBUG,
"GSSAPI client step %d", text->state);
switch (text->state) {
@@ -1992,7 +1992,7 @@ static int gssapi_client_mech_step(void *conn_context,
}
default:
- params->utils->log(NULL, SASL_LOG_ERR,
+ params->utils->log(params->utils->conn, SASL_LOG_ERR,
"Invalid GSSAPI client step %d\n", text->state);
return SASL_FAIL;
}


@ -27,30 +27,16 @@ Patch15: cyrus-sasl-2.1.20-saslauthd.conf-path.patch
Patch23: cyrus-sasl-2.1.23-man.patch
Patch24: cyrus-sasl-2.1.21-sizes.patch
Patch31: cyrus-sasl-2.1.22-kerberos4.patch
Patch34: cyrus-sasl-2.1.22-ldap-timeout.patch
# removed due to #759334
#Patch38: cyrus-sasl-2.1.23-pam_rhosts.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=816250
Patch43: cyrus-sasl-2.1.26-null-crypt.patch
# AM_CONFIG_HEADER is obsolete, use AC_CONFIG_HEADERS instead
Patch45: cyrus-sasl-2.1.26-obsolete-macro.patch
# disable incorrect check for MkLinux
Patch47: cyrus-sasl-2.1.26-ppc.patch
# detect gsskrb5_register_acceptor_identity macro (#976538)
#Patch49: cyrus-sasl-2.1.26-md5global.patch
# revert upstream commit 080e51c7fa0421eb2f0210d34cf0ac48a228b1e9 (#984079)
# https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
Patch50: cyrus-sasl-2.1.26-revert-upstream-080e51c7fa0421eb2f0210d34cf0ac48a228b1e9.patch
# improve configuration error message
Patch52: cyrus-sasl-2.1.26-config-error.patch
# Treat SCRAM-SHA-1/DIGEST-MD5 as more secure than PLAIN (#970718)
Patch53: cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch
# Do not leak memory in sample server (#852755)
Patch54: cyrus-sasl-2.1.26-sample-leak.patch
# Document ability to run saslauthd unprivileged (#1189203)
Patch55: cyrus-sasl-2.1.26-saslauthd-user.patch
# Too much loogging in GSSAPI resolved (#1187097)
Patch56: cyrus-sasl-2.1.26-user-specified-logging.patch
# OpenSSL 1.1.0 support
Patch57: cyrus-sasl-2.1.27-openssl-1.1.0.patch
# Fix support for GSS SPNEGO to be compatible with windows (#1421663)
@ -190,18 +176,11 @@ chmod -x include/*.h
%patch15 -p1 -b .path
%patch23 -p1 -b .man
%patch24 -p1 -b .sizes
#%patch31 -p1 -b .krb4
#%patch34 -p1 -b .ldap-timeout
#%patch43 -p1 -b .null-crypt
#%patch45 -p1 -b .obsolete-macro
%patch31 -p1 -b .krb4
#%patch47 -p1 -b .ppc
#%patch49 -p1 -b .md5global.h
%patch50 -p1 -b .gssapi
#%patch52 -p1 -b .configerr
#%patch53 -p1 -b .sha1vsplain
#%patch54 -p1 -b .leak
%patch55 -p1 -b .man-unprivileged
#%patch56 -p1 -b .too-much-logging
%patch57 -p1 -b .openssl110
%patch58 -p1 -b .spnego
%patch59 -p1 -b .mutex
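Review bot: `%patch31 -p1 -b .krb4` is re-enabled, but the `Patch31: cyrus-sasl-2.1.22-kerberos4.patch` declaration keeps a 2.1.22 name while the rebased patch body now carries `cyrus-sasl-04dd838b…` paths, so the file name no longer says what it applies to; either rename the file to match the snapshot or put a line above the declaration such as `# krb4 build fixes, rebased onto the 04dd838 git snapshot`. The same hunk drops Patch43 (the crypt() NULL-return check in pwcheck and saslauthd, whose patch file is deleted in this commit) and Patch53 (prefer SCRAM-SHA-1/DIGEST-MD5 over PLAIN) with no pointer to where upstream took them; both change authentication behaviour, so a comment naming the upstream commit or version that contains each fix would let the next rebase verify they are still present rather than rely on the commit title. Whether those fixes are actually in the 04dd838 snapshot cannot be checked from this diff.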