really remove unused/applied patches and restore partially reasonable one
parent
db035e1fec
commit
edd601075d
@ -1,17 +1,17 @@
|
||||
diff -up cyrus-sasl-2.1.22/config/kerberos_v4.m4.krb4 cyrus-sasl-2.1.22/config/kerberos_v4.m4
|
||||
--- cyrus-sasl-2.1.22/config/kerberos_v4.m4.krb4 2005-05-07 06:14:55.000000000 +0200
|
||||
+++ cyrus-sasl-2.1.22/config/kerberos_v4.m4 2008-08-14 23:41:26.000000000 +0200
|
||||
diff -up cyrus-sasl-04dd838b2922840c5033c7071e1132e9ac555411/m4/kerberos_v4.m4.krb4 cyrus-sasl-04dd838b2922840c5033c7071e1132e9ac555411/m4/kerberos_v4.m4
|
||||
--- cyrus-sasl-04dd838b2922840c5033c7071e1132e9ac555411/m4/kerberos_v4.m4.krb4 2017-07-13 13:46:08.828825672 +0200
|
||||
+++ cyrus-sasl-04dd838b2922840c5033c7071e1132e9ac555411/m4/kerberos_v4.m4 2017-07-13 13:46:16.709804677 +0200
|
||||
@@ -102,7 +102,6 @@ AC_DEFUN([SASL_KERBEROS_V4_CHK], [
|
||||
if test -n "${cyrus_krbinclude}"; then
|
||||
CPPFLAGS="$CPPFLAGS -I${cyrus_krbinclude}"
|
||||
if test -n "${cyrus_cv_krbinclude}"; then
|
||||
CPPFLAGS="$CPPFLAGS -I${cyrus_cv_krbinclude}"
|
||||
fi
|
||||
- LDFLAGS="$LDFLAGS -L$krb4/lib"
|
||||
fi
|
||||
|
||||
if test "$with_des" != no; then
|
||||
diff -up cyrus-sasl-2.1.22/plugins/kerberos4.c.krb4 cyrus-sasl-2.1.22/plugins/kerberos4.c
|
||||
--- cyrus-sasl-2.1.22/plugins/kerberos4.c.krb4 2005-01-10 08:08:53.000000000 +0100
|
||||
+++ cyrus-sasl-2.1.22/plugins/kerberos4.c 2008-08-14 23:36:33.000000000 +0200
|
||||
diff -up cyrus-sasl-04dd838b2922840c5033c7071e1132e9ac555411/plugins/kerberos4.c.krb4 cyrus-sasl-04dd838b2922840c5033c7071e1132e9ac555411/plugins/kerberos4.c
|
||||
--- cyrus-sasl-04dd838b2922840c5033c7071e1132e9ac555411/plugins/kerberos4.c.krb4 2017-03-03 15:12:10.000000000 +0100
|
||||
+++ cyrus-sasl-04dd838b2922840c5033c7071e1132e9ac555411/plugins/kerberos4.c 2017-07-13 13:46:08.829825670 +0200
|
||||
@@ -49,11 +49,7 @@
|
||||
#include <krb.h>
|
||||
|
||||
|
@ -1,25 +0,0 @@
|
||||
commit c9447e1c3ffba88783e5d9396b832be82d3c78fc
|
||||
Author: Kazuo Ito <ito.kazuo@oss.ntt.co.jp>
|
||||
Date: Wed Dec 10 12:03:29 2008 +0900
|
||||
|
||||
support for LDAP_OPT_TIMEOUT
|
||||
|
||||
OpenLDAP since 2.4 implements support for this option in ldap_result(),
|
||||
among other things.
|
||||
|
||||
diff --git a/saslauthd/lak.c b/saslauthd/lak.c
|
||||
index 803d51f..8714265 100644
|
||||
--- a/saslauthd/lak.c
|
||||
+++ b/saslauthd/lak.c
|
||||
@@ -833,6 +833,11 @@ static int lak_connect(
|
||||
syslog(LOG_WARNING|LOG_AUTH, "Unable to set LDAP_OPT_NETWORK_TIMEOUT %d.%d.", lak->conf->timeout.tv_sec, lak->conf->timeout.tv_usec);
|
||||
}
|
||||
|
||||
+ rc = ldap_set_option(lak->ld, LDAP_OPT_TIMEOUT, &(lak->conf->timeout));
|
||||
+ if (rc != LDAP_OPT_SUCCESS) {
|
||||
+ syslog(LOG_WARNING|LOG_AUTH, "Unable to set LDAP_OPT_TIMEOUT %d.%d.", lak->conf->timeout.tv_sec, lak->conf->timeout.tv_usec);
|
||||
+ }
|
||||
+
|
||||
rc = ldap_set_option(lak->ld, LDAP_OPT_TIMELIMIT, &(lak->conf->time_limit));
|
||||
if (rc != LDAP_OPT_SUCCESS) {
|
||||
syslog(LOG_WARNING|LOG_AUTH, "Unable to set LDAP_OPT_TIMELIMIT %d.", lak->conf->time_limit);
|
@ -1,46 +0,0 @@
|
||||
diff --git a/include/sasl.h b/include/sasl.h
|
||||
index d52269f..ed208a5 100644
|
||||
--- a/include/sasl.h
|
||||
+++ b/include/sasl.h
|
||||
@@ -177,6 +177,7 @@
|
||||
because of some constrains/policy violation */
|
||||
|
||||
#define SASL_BADBINDING -32 /* channel binding failure */
|
||||
+#define SASL_CONFIGERR -100 /* error when parsing configuration file */
|
||||
|
||||
/* max size of a sasl mechanism name */
|
||||
#define SASL_MECHNAMEMAX 20
|
||||
diff --git a/lib/common.c b/lib/common.c
|
||||
index e0f59eb..1a1715e 100644
|
||||
--- a/lib/common.c
|
||||
+++ b/lib/common.c
|
||||
@@ -1362,6 +1362,7 @@ const char *sasl_errstring(int saslerr,
|
||||
case SASL_CONSTRAINT_VIOLAT: return "sasl_setpass can't store a property because "
|
||||
"of a constraint violation";
|
||||
case SASL_BADBINDING: return "channel binding failure";
|
||||
+ case SASL_CONFIGERR: return "error when parsing configuration file";
|
||||
|
||||
default: return "undefined error!";
|
||||
}
|
||||
diff --git a/lib/config.c b/lib/config.c
|
||||
index 7cae302..fde3757 100644
|
||||
--- a/lib/config.c
|
||||
+++ b/lib/config.c
|
||||
@@ -91,7 +91,7 @@ int sasl_config_init(const char *filename)
|
||||
}
|
||||
if (*p != ':') {
|
||||
fclose(infile);
|
||||
- return SASL_FAIL;
|
||||
+ return SASL_CONFIGERR;
|
||||
}
|
||||
*p++ = '\0';
|
||||
|
||||
@@ -99,7 +99,7 @@ int sasl_config_init(const char *filename)
|
||||
|
||||
if (!*p) {
|
||||
fclose(infile);
|
||||
- return SASL_FAIL;
|
||||
+ return SASL_CONFIGERR;
|
||||
}
|
||||
|
||||
/* Now strip trailing spaces, if any */
|
@ -18,32 +18,3 @@ diff -up cyrus-sasl-2.1.27/include/Makefile.am.md5global.h cyrus-sasl-2.1.27/inc
|
||||
|
||||
if MACOSX
|
||||
framedir = /Library/Frameworks/SASL2.framework
|
||||
diff -up cyrus-sasl-2.1.27/include/md5global.h.md5global.h cyrus-sasl-2.1.27/include/md5global.h
|
||||
--- cyrus-sasl-2.1.27/include/md5global.h.md5global.h 2015-11-20 15:28:25.932263083 +0100
|
||||
+++ cyrus-sasl-2.1.27/include/md5global.h 2015-11-20 15:36:16.380184280 +0100
|
||||
@@ -15,14 +15,17 @@ The following makes PROTOTYPES default t
|
||||
/* POINTER defines a generic pointer type */
|
||||
typedef unsigned char *POINTER;
|
||||
|
||||
-typedef signed char INT1; /* 8 bits */
|
||||
-typedef short INT2; /* 16 bits */
|
||||
-typedef int INT4; /* 32 bits */
|
||||
-typedef long INT8; /* 64 bits */
|
||||
-typedef unsigned char UINT1; /* 8 bits */
|
||||
-typedef unsigned short UINT2; /* 16 bits */
|
||||
-typedef unsigned int UINT4; /* 32 bits */
|
||||
-typedef unsigned long UINT8; /* 64 bits */
|
||||
+/* We try to define integer types for our use */
|
||||
+#include <inttypes.h>
|
||||
+
|
||||
+typedef int8_t INT1; /* 8 bits */
|
||||
+typedef int16_t INT2; /* 16 bits */
|
||||
+typedef int32_t INT4; /* 32 bits */
|
||||
+typedef int64_t INT8; /* 64 bits */
|
||||
+typedef uint8_t UINT1; /* 8 bits */
|
||||
+typedef uint16_t UINT2; /* 16 bits */
|
||||
+typedef uint32_t UINT4; /* 32 bits */
|
||||
+typedef uint64_t UINT8; /* 64 bits */
|
||||
|
||||
/* PROTO_LIST is defined depending on how PROTOTYPES is defined above.
|
||||
If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it
|
||||
|
@ -1,86 +0,0 @@
|
||||
diff -up cyrus-sasl-2.1.26/pwcheck/pwcheck_getpwnam.c.null-crypt cyrus-sasl-2.1.26/pwcheck/pwcheck_getpwnam.c
|
||||
--- cyrus-sasl-2.1.26/pwcheck/pwcheck_getpwnam.c.null-crypt 2012-01-28 00:31:36.000000000 +0100
|
||||
+++ cyrus-sasl-2.1.26/pwcheck/pwcheck_getpwnam.c 2012-12-20 17:00:14.614580310 +0100
|
||||
@@ -31,7 +31,7 @@ char *pwcheck(userid, password)
|
||||
char *userid;
|
||||
char *password;
|
||||
{
|
||||
- char* r;
|
||||
+ char* r, *cryptbuf;
|
||||
struct passwd *pwd;
|
||||
|
||||
pwd = getpwnam(userid);
|
||||
@@ -41,11 +41,13 @@ char *password;
|
||||
else if (pwd->pw_passwd[0] == '*') {
|
||||
r = "Account disabled";
|
||||
}
|
||||
- else if (strcmp(pwd->pw_passwd, crypt(password, pwd->pw_passwd)) != 0) {
|
||||
- r = "Incorrect password";
|
||||
- }
|
||||
else {
|
||||
- r = "OK";
|
||||
+ cryptbuf = crypt(password, pwd->pw_passwd);
|
||||
+ if((cryptbuf == NULL) || (strcmp(pwd->pw_passwd, cryptbuf) != 0)) {
|
||||
+ r = "Incorrect password";
|
||||
+ } else {
|
||||
+ r = "OK";
|
||||
+ }
|
||||
}
|
||||
|
||||
endpwent();
|
||||
diff -up cyrus-sasl-2.1.26/saslauthd/auth_getpwent.c.null-crypt cyrus-sasl-2.1.26/saslauthd/auth_getpwent.c
|
||||
--- cyrus-sasl-2.1.26/saslauthd/auth_getpwent.c.null-crypt 2012-10-12 16:05:48.000000000 +0200
|
||||
+++ cyrus-sasl-2.1.26/saslauthd/auth_getpwent.c 2012-12-20 17:03:17.940793653 +0100
|
||||
@@ -78,6 +78,7 @@ auth_getpwent (
|
||||
/* VARIABLES */
|
||||
struct passwd *pw; /* pointer to passwd file entry */
|
||||
int errnum;
|
||||
+ char *cryptbuf;
|
||||
/* END VARIABLES */
|
||||
|
||||
errno = 0;
|
||||
@@ -105,7 +106,8 @@ auth_getpwent (
|
||||
}
|
||||
}
|
||||
|
||||
- if (strcmp(pw->pw_passwd, (const char *)crypt(password, pw->pw_passwd))) {
|
||||
+ cryptbuf = crypt(password, pw->pw_passwd);
|
||||
+ if ((cryptbuf == NULL) || strcmp(pw->pw_passwd, cryptbuf)) {
|
||||
if (flags & VERBOSE) {
|
||||
syslog(LOG_DEBUG, "DEBUG: auth_getpwent: %s: invalid password", login);
|
||||
}
|
||||
diff -up cyrus-sasl-2.1.26/saslauthd/auth_shadow.c.null-crypt cyrus-sasl-2.1.26/saslauthd/auth_shadow.c
|
||||
--- cyrus-sasl-2.1.26/saslauthd/auth_shadow.c.null-crypt 2012-12-20 17:00:14.000000000 +0100
|
||||
+++ cyrus-sasl-2.1.26/saslauthd/auth_shadow.c 2012-12-20 17:16:44.190360006 +0100
|
||||
@@ -214,8 +214,8 @@ auth_shadow (
|
||||
RETURN("NO Insufficient permission to access NIS authentication database (saslauthd)");
|
||||
}
|
||||
|
||||
- cpw = strdup((const char *)crypt(password, sp->sp_pwdp));
|
||||
- if (strcmp(sp->sp_pwdp, cpw)) {
|
||||
+ cpw = crypt(password, sp->sp_pwdp);
|
||||
+ if ((cpw == NULL) || strcmp(sp->sp_pwdp, cpw)) {
|
||||
if (flags & VERBOSE) {
|
||||
/*
|
||||
* This _should_ reveal the SHADOW_PW_LOCKED prefix to an
|
||||
@@ -225,10 +225,8 @@ auth_shadow (
|
||||
syslog(LOG_DEBUG, "DEBUG: auth_shadow: pw mismatch: '%s' != '%s'",
|
||||
sp->sp_pwdp, cpw);
|
||||
}
|
||||
- free(cpw);
|
||||
RETURN("NO Incorrect password");
|
||||
}
|
||||
- free(cpw);
|
||||
|
||||
/*
|
||||
* The following fields will be set to -1 if:
|
||||
@@ -290,7 +288,8 @@ auth_shadow (
|
||||
RETURN("NO Invalid username");
|
||||
}
|
||||
|
||||
- if (strcmp(upw->upw_passwd, crypt(password, upw->upw_passwd)) != 0) {
|
||||
+ cpw = crypt(password, upw->upw_passwd);
|
||||
+ if ((cpw == NULL) || strcmp(upw->upw_passwd, cpw) != 0) {
|
||||
if (flags & VERBOSE) {
|
||||
syslog(LOG_DEBUG, "auth_shadow: pw mismatch: %s != %s",
|
||||
password, upw->upw_passwd);
|
@ -1,13 +0,0 @@
|
||||
diff --git a/configure.in b/configure.in
|
||||
index e70c99a..60f366c 100644
|
||||
--- a/configure.in
|
||||
+++ b/configure.in
|
||||
@@ -1416,7 +1416,7 @@ inline static unsigned int sleep(unsigned int seconds) {
|
||||
#endif /* CONFIG_H */
|
||||
])
|
||||
|
||||
-AM_CONFIG_HEADER(config.h)
|
||||
+AC_CONFIG_HEADERS(config.h)
|
||||
|
||||
AC_OUTPUT(Makefile
|
||||
libsasl2.pc
|
@ -1,51 +0,0 @@
|
||||
commit 26dcfb2d7176b78e70757aa5d01951a28ca217c7
|
||||
Author: Alexey Melnikov <alexey.melnikov@isode.com>
|
||||
Date: Fri Jul 5 16:37:59 2013 +0100
|
||||
|
||||
Treat SCRAM-SHA-1/DIGEST-MD5 as more secure than PLAIN when selecting the best client side SASL mechanism
|
||||
|
||||
Both SCRAM-SHA-1 & DIGEST-MD5 are lacking SASL_SEC_PASS_CREDENTIALS security
|
||||
flag, which prevented them from being chosen over PLAIN when PLAIN is selected
|
||||
as the best mechanism first. For example the problem can be observed when
|
||||
the server advertises "PLAIN DIGEST-MD5 SCRAM-SHA-1" (PLAIN just has to be
|
||||
returned before SCRAM/DIGEST.)
|
||||
|
||||
Cyrus SASL bug # 3793
|
||||
|
||||
diff --git a/lib/client.c b/lib/client.c
|
||||
index 62dfb0b..31fe346 100644
|
||||
--- a/lib/client.c
|
||||
+++ b/lib/client.c
|
||||
@@ -658,6 +658,20 @@ _sasl_cbinding_disp(sasl_client_params_t *cparams,
|
||||
return SASL_OK;
|
||||
}
|
||||
|
||||
+static int
|
||||
+_sasl_are_current_security_flags_worse_then_best(unsigned best_security_flags,
|
||||
+ unsigned current_security_flags)
|
||||
+{
|
||||
+ /* We don't qualify SASL_SEC_PASS_CREDENTIALS as "secure" flag */
|
||||
+ best_security_flags &= ~SASL_SEC_PASS_CREDENTIALS;
|
||||
+
|
||||
+ if ((current_security_flags ^ best_security_flags) & best_security_flags) {
|
||||
+ return 1;
|
||||
+ } else {
|
||||
+ return 0;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
/* select a mechanism for a connection
|
||||
* mechlist -- mechanisms server has available (punctuation ignored)
|
||||
* secret -- optional secret from previous session
|
||||
@@ -823,8 +837,9 @@ int sasl_client_start(sasl_conn_t *conn,
|
||||
*/
|
||||
|
||||
if (bestm &&
|
||||
- ((m->m.plug->security_flags ^ bestm->m.plug->security_flags) &
|
||||
- bestm->m.plug->security_flags)) {
|
||||
+ _sasl_are_current_security_flags_worse_then_best(
|
||||
+ bestm->m.plug->security_flags,
|
||||
+ m->m.plug->security_flags)) {
|
||||
break;
|
||||
}
|
||||
|
@ -1,13 +0,0 @@
|
||||
diff --git a/sample/server.c b/sample/server.c
|
||||
index f5aff68..6c684af 100644
|
||||
--- a/sample/server.c
|
||||
+++ b/sample/server.c
|
||||
@@ -227,6 +227,8 @@ int mysasl_negotiate(FILE *in, FILE *out, sasl_conn_t *conn)
|
||||
|
||||
/* send capability list to client */
|
||||
send_string(out, data, len);
|
||||
+ if (mech)
|
||||
+ free(data);
|
||||
|
||||
dprintf(1, "waiting for client mechanism...\n");
|
||||
len = recv_string(in, chosenmech, sizeof chosenmech);
|
@ -1,40 +0,0 @@
|
||||
diff --git a/plugins/gssapi.c b/plugins/gssapi.c
|
||||
index 70a4157..7eb88d2 100644
|
||||
--- a/plugins/gssapi.c
|
||||
+++ b/plugins/gssapi.c
|
||||
@@ -1267,7 +1267,7 @@ gssapi_server_mech_step(void *conn_context,
|
||||
|
||||
if (text == NULL) return SASL_BADPROT;
|
||||
|
||||
- params->utils->log(NULL, SASL_LOG_DEBUG,
|
||||
+ params->utils->log(params->utils->conn, SASL_LOG_DEBUG,
|
||||
"GSSAPI server step %d\n", text->state);
|
||||
|
||||
switch (text->state) {
|
||||
@@ -1293,7 +1293,7 @@ gssapi_server_mech_step(void *conn_context,
|
||||
break;
|
||||
|
||||
default:
|
||||
- params->utils->log(NULL, SASL_LOG_ERR,
|
||||
+ params->utils->log(params->utils->conn, SASL_LOG_ERR,
|
||||
"Invalid GSSAPI server step %d\n", text->state);
|
||||
return SASL_FAIL;
|
||||
}
|
||||
@@ -1499,7 +1499,7 @@ static int gssapi_client_mech_step(void *conn_context,
|
||||
*clientout = NULL;
|
||||
*clientoutlen = 0;
|
||||
|
||||
- params->utils->log(NULL, SASL_LOG_DEBUG,
|
||||
+ params->utils->log(params->utils->conn, SASL_LOG_DEBUG,
|
||||
"GSSAPI client step %d", text->state);
|
||||
|
||||
switch (text->state) {
|
||||
@@ -1992,7 +1992,7 @@ static int gssapi_client_mech_step(void *conn_context,
|
||||
}
|
||||
|
||||
default:
|
||||
- params->utils->log(NULL, SASL_LOG_ERR,
|
||||
+ params->utils->log(params->utils->conn, SASL_LOG_ERR,
|
||||
"Invalid GSSAPI client step %d\n", text->state);
|
||||
return SASL_FAIL;
|
||||
}
|
@ -27,30 +27,16 @@ Patch15: cyrus-sasl-2.1.20-saslauthd.conf-path.patch
|
||||
Patch23: cyrus-sasl-2.1.23-man.patch
|
||||
Patch24: cyrus-sasl-2.1.21-sizes.patch
|
||||
Patch31: cyrus-sasl-2.1.22-kerberos4.patch
|
||||
Patch34: cyrus-sasl-2.1.22-ldap-timeout.patch
|
||||
# removed due to #759334
|
||||
#Patch38: cyrus-sasl-2.1.23-pam_rhosts.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=816250
|
||||
Patch43: cyrus-sasl-2.1.26-null-crypt.patch
|
||||
# AM_CONFIG_HEADER is obsolete, use AC_CONFIG_HEADERS instead
|
||||
Patch45: cyrus-sasl-2.1.26-obsolete-macro.patch
|
||||
# disable incorrect check for MkLinux
|
||||
Patch47: cyrus-sasl-2.1.26-ppc.patch
|
||||
# detect gsskrb5_register_acceptor_identity macro (#976538)
|
||||
#Patch49: cyrus-sasl-2.1.26-md5global.patch
|
||||
# revert upstream commit 080e51c7fa0421eb2f0210d34cf0ac48a228b1e9 (#984079)
|
||||
# https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
|
||||
Patch50: cyrus-sasl-2.1.26-revert-upstream-080e51c7fa0421eb2f0210d34cf0ac48a228b1e9.patch
|
||||
# improve configuration error message
|
||||
Patch52: cyrus-sasl-2.1.26-config-error.patch
|
||||
# Treat SCRAM-SHA-1/DIGEST-MD5 as more secure than PLAIN (#970718)
|
||||
Patch53: cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch
|
||||
# Do not leak memory in sample server (#852755)
|
||||
Patch54: cyrus-sasl-2.1.26-sample-leak.patch
|
||||
# Document ability to run saslauthd unprivileged (#1189203)
|
||||
Patch55: cyrus-sasl-2.1.26-saslauthd-user.patch
|
||||
# Too much loogging in GSSAPI resolved (#1187097)
|
||||
Patch56: cyrus-sasl-2.1.26-user-specified-logging.patch
|
||||
# OpenSSL 1.1.0 support
|
||||
Patch57: cyrus-sasl-2.1.27-openssl-1.1.0.patch
|
||||
# Fix support for GSS SPNEGO to be compatible with windows (#1421663)
|
||||
@ -190,18 +176,11 @@ chmod -x include/*.h
|
||||
%patch15 -p1 -b .path
|
||||
%patch23 -p1 -b .man
|
||||
%patch24 -p1 -b .sizes
|
||||
#%patch31 -p1 -b .krb4
|
||||
#%patch34 -p1 -b .ldap-timeout
|
||||
#%patch43 -p1 -b .null-crypt
|
||||
#%patch45 -p1 -b .obsolete-macro
|
||||
%patch31 -p1 -b .krb4
|
||||
#%patch47 -p1 -b .ppc
|
||||
#%patch49 -p1 -b .md5global.h
|
||||
%patch50 -p1 -b .gssapi
|
||||
#%patch52 -p1 -b .configerr
|
||||
#%patch53 -p1 -b .sha1vsplain
|
||||
#%patch54 -p1 -b .leak
|
||||
%patch55 -p1 -b .man-unprivileged
|
||||
#%patch56 -p1 -b .too-much-logging
|
||||
%patch57 -p1 -b .openssl110
|
||||
%patch58 -p1 -b .spnego
|
||||
%patch59 -p1 -b .mutex
|
||||
|
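Review bot: The spec drops the `PatchNN:` / `%patchNN` entries for the deleted patch files without recording where each fix now lives, and two of those files touch the authentication path: null-crypt (the `crypt()` NULL-return checks in `auth_shadow.c`, `auth_getpwent.c` and `pwcheck_getpwnam.c`) and prefer-SCRAM-SHA-1-over-PLAIN (client-side mechanism selection in `lib/client.c`). `#%patch43` and `#%patch53` appear to be already commented out on the old side of the `%prep` hunk, so the build itself should not change, but the commit title's "unused/applied" is the only evidence that the 04dd838b… snapshot carries these fixes. A one-line comment per dropped patch, for example `# null-crypt: dropped, merged upstream in <upstream-commit>`, would make that checkable the next time the snapshot is rebased. The rendered page has lost the +/- column, so which `Patch` lines leave the first hunk is inferred from the deleted patch files rather than read from markers.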