From ee86c7df66c797f09969509ad086ec539ad0134c Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 19 Jul 2021 05:12:03 -0400
Subject: [PATCH] Fix crashs on missing legacy algorithms Resolves:
 rhbz#1974354

Signed-off-by: Simo Sorce <simo@redhat.com>
---
 cyrus-sasl-2.1.27-legacy-init.patch | 73 +++++++++++++++++++++++++++++
 cyrus-sasl.spec                     |  8 +++-
 2 files changed, 80 insertions(+), 1 deletion(-)
 create mode 100644 cyrus-sasl-2.1.27-legacy-init.patch

diff --git a/cyrus-sasl-2.1.27-legacy-init.patch b/cyrus-sasl-2.1.27-legacy-init.patch
new file mode 100644
index 0000000..371408e
--- /dev/null
+++ b/cyrus-sasl-2.1.27-legacy-init.patch
@@ -0,0 +1,73 @@
+From 4edb8ce82ac530f473a8728bae01d9fc8535c9cb Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Mon, 21 Jun 2021 14:24:18 -0400
+Subject: [PATCH] Gracefully handle failed initializations
+
+In OpenSSL 3.0 these algorithms have been moved to the legacy provider
+which is not enabled by default. This means allocation can and do fail.
+Handle failed allocations by returning an actual error instead of
+crashing later with a NULL context.
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ plugins/digestmd5.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/plugins/digestmd5.c b/plugins/digestmd5.c
+index c6b54317..b2617536 100644
+--- a/plugins/digestmd5.c
++++ b/plugins/digestmd5.c
+@@ -254,6 +254,7 @@ typedef struct context {
+     decode_context_t decode_context;
+ 
+     /* if privacy mode is used use these functions for encode and decode */
++    char *cipher_name;
+     cipher_function_t *cipher_enc;
+     cipher_function_t *cipher_dec;
+     cipher_init_t *cipher_init;
+@@ -2821,6 +2822,7 @@ static int digestmd5_server_mech_step2(server_context_t *stext,
+ 	}
+ 	
+ 	if (cptr->name) {
++	    text->cipher_name = cptr->name;
+ 	    text->cipher_enc = cptr->cipher_enc;
+ 	    text->cipher_dec = cptr->cipher_dec;
+ 	    text->cipher_init = cptr->cipher_init;
+@@ -2964,7 +2966,10 @@ static int digestmd5_server_mech_step2(server_context_t *stext,
+ 	if (text->cipher_init) {
+ 	    if (text->cipher_init(text, enckey, deckey) != SASL_OK) {
+ 		sparams->utils->seterror(sparams->utils->conn, 0,
+-					 "couldn't init cipher");
++					 "couldn't init cipher '%s'",
++                                         text->cipher_name);
++                result = SASL_FAIL;
++                goto FreeAllMem;
+ 	    }
+ 	}
+     }
+@@ -3515,6 +3520,7 @@ static int make_client_response(context_t *text,
+ 	oparams->mech_ssf = ctext->cipher->ssf;
+ 
+ 	nbits = ctext->cipher->n;
++	text->cipher_name = ctext->cipher->name;
+ 	text->cipher_enc = ctext->cipher->cipher_enc;
+ 	text->cipher_dec = ctext->cipher->cipher_dec;
+ 	text->cipher_free = ctext->cipher->cipher_free;
+@@ -3739,7 +3745,13 @@ static int make_client_response(context_t *text,
+ 	
+ 	/* initialize cipher if need be */
+ 	if (text->cipher_init) {
+-	    text->cipher_init(text, enckey, deckey);
++	    if (text->cipher_init(text, enckey, deckey) != SASL_OK) {
++	        params->utils->seterror(params->utils->conn, 0,
++		         "internal error: failed to init cipher '%s'",
++                         text->cipher_name);
++                result = SASL_FAIL;
++                goto FreeAllocatedMem;
++            }
+ 	}
+     }
+     
+-- 
+2.31.1
+
diff --git a/cyrus-sasl.spec b/cyrus-sasl.spec
index a008edf..a9dd49f 100644
--- a/cyrus-sasl.spec
+++ b/cyrus-sasl.spec
@@ -9,7 +9,7 @@
 Summary: The Cyrus SASL library
 Name: cyrus-sasl
 Version: 2.1.27
-Release: 13%{?dist}
+Release: 14%{?dist}
 License: BSD with advertising
 URL: https://www.cyrusimap.org/sasl/
 
@@ -46,6 +46,7 @@ Patch106: cyrus-sasl-2.1.27-Migration-from-BerkeleyDB.patch
 # Upstream PR: https://github.com/cyrusimap/cyrus-sasl/pull/635
 Patch107: cyrus-sasl-2.1.27-Add-basic-test-plain-auth.patch
 Patch500: cyrus-sasl-2.1.27-coverity.patch
+Patch501: cyrus-sasl-2.1.27-legacy-init.patch
 
 BuildRequires: autoconf, automake, libtool, gdbm-devel, groff
 BuildRequires: krb5-devel >= 1.2.2, openssl-devel, pam-devel, pkgconfig
@@ -178,6 +179,7 @@ the GS2 authentication scheme.
 %patch106 -p1 -b .frombdb
 %patch107 -p1 -b .plaintests
 %patch500 -p1 -b .coverity
+%patch501 -p1 -b .legacy_init
 
 %build
 # reconfigure
@@ -389,6 +391,10 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir}
 %{_sbindir}/sasl2-shared-mechlist
 
 %changelog
+* Mon Jul 19 2021 Simo Sorce <simo@redhat.com> - 2.1.27-14
+- Fix crashs on missing legacy algorithms
+  Resolves: rhbz#1974354
+
 * Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.1.27-13
 - Rebuilt for RHEL 9 BETA for openssl 3.0
   Related: rhbz#1971065