rpms
/
cyrus-sasl
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c8
Branches Tags
rpms:c8
rpms:c9s
rpms:c9
rpms:c9-beta
rpms:c8-beta
rpms:c8s
rpms:imports/c9/cyrus-sasl-2.1.27-21.el9
rpms:imports/c9-beta/cyrus-sasl-2.1.27-21.el9
rpms:imports/c9/cyrus-sasl-2.1.27-20.el9
rpms:imports/c9-beta/cyrus-sasl-2.1.27-20.el9
rpms:imports/c8-beta/cyrus-sasl-2.1.27-6.el8_5
rpms:imports/c9-beta/cyrus-sasl-2.1.27-19.el9
rpms:imports/c8/cyrus-sasl-2.1.27-6.el8_5
rpms:imports/c9-beta/cyrus-sasl-2.1.27-17.el9
rpms:imports/c8-beta/cyrus-sasl-2.1.27-5.el8
rpms:imports/c8-beta/cyrus-sasl-2.1.27-1.el8
rpms:imports/c8s/cyrus-sasl-2.1.27-5.el8
rpms:imports/c8/cyrus-sasl-2.1.27-5.el8
rpms:imports/c8/cyrus-sasl-2.1.27-1.el8
rpms:imports/c8/cyrus-sasl-2.1.27-0.3rc7.el8
...
pull from: rpms:c9s
Branches Tags
rpms:c9s
rpms:c9
rpms:c9-beta
rpms:c8-beta
rpms:c8
rpms:c8s
rpms:imports/c9/cyrus-sasl-2.1.27-21.el9
rpms:imports/c9-beta/cyrus-sasl-2.1.27-21.el9
rpms:imports/c9/cyrus-sasl-2.1.27-20.el9
rpms:imports/c9-beta/cyrus-sasl-2.1.27-20.el9
rpms:imports/c8-beta/cyrus-sasl-2.1.27-6.el8_5
rpms:imports/c9-beta/cyrus-sasl-2.1.27-19.el9
rpms:imports/c8/cyrus-sasl-2.1.27-6.el8_5
rpms:imports/c9-beta/cyrus-sasl-2.1.27-17.el9
rpms:imports/c8-beta/cyrus-sasl-2.1.27-5.el8
rpms:imports/c8-beta/cyrus-sasl-2.1.27-1.el8
rpms:imports/c8s/cyrus-sasl-2.1.27-5.el8
rpms:imports/c8/cyrus-sasl-2.1.27-5.el8
rpms:imports/c8/cyrus-sasl-2.1.27-1.el8
rpms:imports/c8/cyrus-sasl-2.1.27-0.3rc7.el8

No commits in common. "c8" and "c9s" have entirely different histories.
c8 ... c9s

32 changed files with 2084 additions and 103 deletions
Show Stats Expand all files Collapse all files

2
.cyrus-sasl.metadata
View File

@ -1 +1 @@
c9e6848d9cc6f9588e0e7a75423f9a3aed3f10db SOURCES/cyrus-sasl-2.1.27-nodlcompatorsrp.tar.gz
c9e6848d9cc6f9588e0e7a75423f9a3aed3f10db cyrus-sasl-2.1.27-nodlcompatorsrp.tar.gz

6
.gitignore vendored
View File

@ -1 +1,5 @@
SOURCES/cyrus-sasl-2.1.27-nodlcompatorsrp.tar.gz
cyrus-sasl-2.1.23-nodlcompatorsrp.tar.gz
/cyrus-sasl-2.1.25-nodlcompatorsrp.tar.gz
/cyrus-sasl-2.1.26-nodlcompatorsrp.tar.gz
/cyrus-sasl-2.1.27-rc7-nodlcompatorsrp.tar.gz
/cyrus-sasl-2.1.27-nodlcompatorsrp.tar.gz

0
SOURCES/0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch → 0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
View File

0
SOURCES/autogen.sh → autogen.sh
View File

0
SOURCES/cyrus-sasl-2.1.20-saslauthd.conf-path.patch → cyrus-sasl-2.1.20-saslauthd.conf-path.patch
View File

0
SOURCES/cyrus-sasl-2.1.21-sizes.patch → cyrus-sasl-2.1.21-sizes.patch
View File

22
cyrus-sasl-2.1.23-db5.patch Normal file
View File

@ -0,0 +1,22 @@
--- a/sasldb/db_berkeley.c
+++ b/sasldb/db_berkeley.c
@@ -100,7 +100,7 @@ static int berkeleydb_open(const sasl_ut
ret = db_create(mbdb, NULL, 0);
if (ret == 0 && *mbdb != NULL)
{
-#if DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR >= 1
+#if (DB_VERSION_MAJOR > 4) || ((DB_VERSION_MAJOR == 4) && (DB_VERSION_MINOR >= 1))
ret = (*mbdb)->open(*mbdb, NULL, path, NULL, DB_HASH, flags, 0660);
#else
ret = (*mbdb)->open(*mbdb, path, NULL, DB_HASH, flags, 0660);
--- a/utils/dbconverter-2.c
+++ b/utils/dbconverter-2.c
@@ -214,7 +214,7 @@ static int berkeleydb_open(const char *p
ret = db_create(mbdb, NULL, 0);
if (ret == 0 && *mbdb != NULL)
{
-#if DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR >= 1
+#if (DB_VERSION_MAJOR > 4) || ((DB_VERSION_MAJOR == 4) && (DB_VERSION_MINOR >= 1))
ret = (*mbdb)->open(*mbdb, NULL, path, NULL, DB_HASH, DB_CREATE, 0664);
#else
ret = (*mbdb)->open(*mbdb, path, NULL, DB_HASH, DB_CREATE, 0664);

0
SOURCES/cyrus-sasl-2.1.23-man.patch → cyrus-sasl-2.1.23-man.patch
View File

16
cyrus-sasl-2.1.23-race.patch Normal file
View File

@ -0,0 +1,16 @@
diff -up cyrus-sasl-2.1.23/lib/common.c.race cyrus-sasl-2.1.23/lib/common.c
--- cyrus-sasl-2.1.23/lib/common.c.race 2010-02-22 09:57:28.000000000 +0100
+++ cyrus-sasl-2.1.23/lib/common.c 2010-02-22 09:59:30.000000000 +0100
@@ -794,7 +794,11 @@ void sasl_dispose(sasl_conn_t **pconn)
if (result!=SASL_OK) return;
/* *pconn might have become NULL by now */
- if (! (*pconn)) return;
+ if (! (*pconn))
+ {
+ sasl_MUTEX_UNLOCK(free_mutex);
+ return;
+ }
(*pconn)->destroy_conn(*pconn);
sasl_FREE(*pconn);

70
cyrus-sasl-2.1.23-rimap2.patch Normal file
View File

@ -0,0 +1,70 @@
diff -up cyrus-sasl-2.1.23/saslauthd/auth_rimap.c.rimap2 cyrus-sasl-2.1.23/saslauthd/auth_rimap.c
--- cyrus-sasl-2.1.23/saslauthd/auth_rimap.c.rimap2 2011-06-01 05:54:13.339252378 +0200
+++ cyrus-sasl-2.1.23/saslauthd/auth_rimap.c 2011-06-01 05:54:39.626252337 +0200
@@ -1,3 +1,4 @@
+
/* MODULE: auth_rimap */
/* COPYRIGHT
@@ -368,6 +369,30 @@ auth_rimap (
alarm(NETWORK_IO_TIMEOUT);
rc = read(s, rbuf, sizeof(rbuf));
alarm(0);
+ if ( rc>0 ) {
+ /* check if there is more to read */
+ fd_set perm;
+ int fds, ret;
+ struct timeval timeout;
+
+ FD_ZERO(&perm);
+ FD_SET(s, &perm);
+ fds = s +1;
+
+ timeout.tv_sec = 1;
+ timeout.tv_usec = 0;
+ while( select (fds, &perm, NULL, NULL, &timeout ) >0 ) {
+ if ( FD_ISSET(s, &perm) ) {
+ ret = read(s, rbuf+rc, sizeof(rbuf)-rc);
+ if ( ret<0 ) {
+ rc = ret;
+ break;
+ } else {
+ rc += ret;
+ }
+ }
+ }
+ }
if (rc == -1) {
syslog(LOG_WARNING, "auth_rimap: read (banner): %m");
(void) close(s);
@@ -457,6 +482,30 @@ auth_rimap (
alarm(NETWORK_IO_TIMEOUT);
rc = read(s, rbuf, sizeof(rbuf));
alarm(0);
+ if ( rc>0 ) {
+ /* check if there is more to read */
+ fd_set perm;
+ int fds, ret;
+ struct timeval timeout;
+
+ FD_ZERO(&perm);
+ FD_SET(s, &perm);
+ fds = s +1;
+
+ timeout.tv_sec = 1;
+ timeout.tv_usec = 0;
+ while( select (fds, &perm, NULL, NULL, &timeout ) >0 ) {
+ if ( FD_ISSET(s, &perm) ) {
+ ret = read(s, rbuf+rc, sizeof(rbuf)-rc);
+ if ( ret<0 ) {
+ rc = ret;
+ break;
+ } else {
+ rc += ret;
+ }
+ }
+ }
+ }
(void) close(s); /* we're done with the remote */
if (rc == -1) {
syslog(LOG_WARNING, "auth_rimap: read (response): %m");

0
SOURCES/cyrus-sasl-2.1.25-no_rpath.patch → cyrus-sasl-2.1.25-no_rpath.patch
View File

0
SOURCES/cyrus-sasl-2.1.26-md5global.patch → cyrus-sasl-2.1.26-md5global.patch
View File

0
SOURCES/cyrus-sasl-2.1.27-Add-Channel-Binding-support-for-GSSAPI-GSS-SPNEGO.patch → cyrus-sasl-2.1.27-Add-Channel-Binding-support-for-GSSAPI-GSS-SPNEGO.patch
View File

0
SOURCES/cyrus-sasl-2.1.27-Add-basic-test-infrastructure.patch → cyrus-sasl-2.1.27-Add-basic-test-infrastructure.patch
View File

411
cyrus-sasl-2.1.27-Add-basic-test-plain-auth.patch Normal file
View File

@ -0,0 +1,411 @@
diff -Nru cyrus-sasl-2.1.27/tests/runtests.py cyrus-sasl-2.1.27-beldmit/tests/runtests.py
--- cyrus-sasl-2.1.27/tests/runtests.py 2020-12-23 14:31:35.564537485 +0100
+++ cyrus-sasl-2.1.27-beldmit/tests/runtests.py 2020-12-23 14:30:46.933219377 +0100
@@ -313,6 +313,99 @@
return err
+def setup_plain(testdir):
+ """ Create sasldb file """
+ sasldbfile = os.path.join(testdir, 'testsasldb.db')
+
+ sasldbenv = {'SASL_PATH': os.path.join(testdir, '../../plugins/.libs'),
+ 'LD_LIBRARY_PATH' : os.path.join(testdir, '../../lib/.libs')}
+
+ passwdprog = os.path.join(testdir, '../../utils/saslpasswd2')
+
+ echo = subprocess.Popen(('echo', '1234567'), stdout=subprocess.PIPE)
+ subprocess.check_call([
+ passwdprog, "-f", sasldbfile, "-c", "test",
+ "-u", "host.realm.test", "-p"
+ ], stdin=echo.stdout, env=sasldbenv, timeout=5)
+
+ return (sasldbfile, sasldbenv)
+
+def plain_test(sasldbfile, sasldbenv):
+ try:
+ srv = subprocess.Popen(["../tests/t_gssapi_srv", "-P", sasldbfile],
+ stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE, env=sasldbenv)
+ srv.stdout.readline() # Wait for srv to say it is ready
+ cli = subprocess.Popen(["../tests/t_gssapi_cli", "-P", "1234567"],
+ stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE, env=sasldbenv)
+ try:
+ cli.wait(timeout=5)
+ srv.wait(timeout=5)
+ except Exception as e:
+ print("Failed on {}".format(e));
+ cli.kill()
+ srv.kill()
+ if cli.returncode != 0 or srv.returncode != 0:
+ raise Exception("CLI ({}): {} --> SRV ({}): {}".format(
+ cli.returncode, cli.stderr.read().decode('utf-8'),
+ srv.returncode, srv.stderr.read().decode('utf-8')))
+ except Exception as e:
+ print("FAIL: {}".format(e))
+ return 1
+
+ print("PASS: PLAIN CLI({}) SRV({})".format(
+ cli.stdout.read().decode('utf-8').strip(),
+ srv.stdout.read().decode('utf-8').strip()))
+ return 0
+
+def plain_mismatch_test(sasldbfile, sasldbenv):
+ result = "FAIL"
+ try:
+ srv = subprocess.Popen(["../tests/t_gssapi_srv", "-P", sasldbfile],
+ stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE, env=sasldbenv)
+ srv.stdout.readline() # Wait for srv to say it is ready
+ bindings = base64.b64encode("CLI CBS".encode('utf-8'))
+ cli = subprocess.Popen(["../tests/t_gssapi_cli", "-P", "12345678"],
+ stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE, env=sasldbenv)
+ try:
+ cli.wait(timeout=5)
+ srv.wait(timeout=5)
+ except Exception as e:
+ print("Failed on {}".format(e));
+ cli.kill()
+ srv.kill()
+ if cli.returncode != 0 or srv.returncode != 0:
+ cli_err = cli.stderr.read().decode('utf-8').strip()
+ srv_err = srv.stderr.read().decode('utf-8').strip()
+ if "authentication failure" in srv_err:
+ result = "PASS"
+ raise Exception("CLI ({}): {} --> SRV ({}): {}".format(
+ cli.returncode, cli_err, srv.returncode, srv_err))
+ except Exception as e:
+ print("{}: {}".format(result, e))
+ return 0
+
+ print("FAIL: This test should fail [CLI({}) SRV({})]".format(
+ cli.stdout.read().decode('utf-8').strip(),
+ srv.stdout.read().decode('utf-8').strip()))
+ return 1
+
+def plain_tests(testdir):
+ err = 0
+ sasldbfile, sasldbenv = setup_plain(testdir)
+ #print("DB file: {}, ENV: {}".format(sasldbfile, sasldbenv))
+ print('SASLDB PLAIN:')
+ print(' ', end='')
+ err += plain_test(sasldbfile, sasldbenv)
+
+ print('SASLDB PLAIN PASSWORD MISMATCH:')
+ print(' ', end='')
+ err += plain_mismatch_test(sasldbfile, sasldbenv)
+
+ return err
if __name__ == "__main__":
@@ -329,5 +422,9 @@
err = gssapi_tests(T)
if err != 0:
- print('{} test(s) FAILED'.format(err))
+ print('{} GSSAPI test(s) FAILED'.format(err))
+
+ err = plain_tests(T)
+ if err != 0:
+ print('{} PLAIN test(s) FAILED'.format(err))
sys.exit(-1)
diff -Nru cyrus-sasl-2.1.27/tests/t_gssapi_cli.c cyrus-sasl-2.1.27-beldmit/tests/t_gssapi_cli.c
--- cyrus-sasl-2.1.27/tests/t_gssapi_cli.c 2020-12-23 14:31:35.564537485 +0100
+++ cyrus-sasl-2.1.27-beldmit/tests/t_gssapi_cli.c 2021-01-06 11:26:15.460662537 +0100
@@ -16,6 +16,8 @@
#include <saslplug.h>
#include <saslutil.h>
+const char *testpass = NULL;
+
static int setup_socket(void)
{
struct sockaddr_in addr;
@@ -34,9 +36,60 @@
return sock;
}
+static int get_user(void *context __attribute__((unused)),
+ int id,
+ const char **result,
+ unsigned *len)
+{
+ const char *testuser = "test@host.realm.test";
+
+ if (! result)
+ return SASL_BADPARAM;
+
+ switch (id) {
+ case SASL_CB_USER:
+ case SASL_CB_AUTHNAME:
+ *result = testuser;
+ break;
+ default:
+ return SASL_BADPARAM;
+ }
+
+ if (len) *len = strlen(*result);
+
+ return SASL_OK;
+}
+
+static int get_pass(sasl_conn_t *conn __attribute__((unused)),
+ void *context __attribute__((unused)),
+ int id,
+ sasl_secret_t **psecret)
+{
+ size_t len;
+ static sasl_secret_t *x;
+
+ /* paranoia check */
+ if (! conn || ! psecret || id != SASL_CB_PASS)
+ return SASL_BADPARAM;
+
+ len = strlen(testpass);
+
+ x = (sasl_secret_t *) realloc(x, sizeof(sasl_secret_t) + len);
+
+ if (!x) {
+ return SASL_NOMEM;
+ }
+
+ x->len = len;
+ strcpy((char *)x->data, testpass);
+
+ *psecret = x;
+ return SASL_OK;
+}
+
int main(int argc, char *argv[])
{
- sasl_callback_t callbacks[2] = {};
+ sasl_callback_t callbacks[4] = {};
char buf[8192];
const char *chosenmech;
sasl_conn_t *conn;
@@ -49,8 +102,9 @@
const char *sasl_mech = "GSSAPI";
bool spnego = false;
bool zeromaxssf = false;
+ bool plain = false;
- while ((c = getopt(argc, argv, "c:zN")) != EOF) {
+ while ((c = getopt(argc, argv, "c:zNP:")) != EOF) {
switch (c) {
case 'c':
parse_cb(&cb, cb_buf, 256, optarg);
@@ -61,6 +115,10 @@
case 'N':
spnego = true;
break;
+ case 'P':
+ plain = true;
+ testpass = optarg;
+ break;
default:
break;
}
@@ -73,6 +131,12 @@
callbacks[1].id = SASL_CB_LIST_END;
callbacks[1].proc = NULL;
callbacks[1].context = NULL;
+ callbacks[2].id = SASL_CB_LIST_END;
+ callbacks[2].proc = NULL;
+ callbacks[2].context = NULL;
+ callbacks[3].id = SASL_CB_LIST_END;
+ callbacks[3].proc = NULL;
+ callbacks[3].context = NULL;
r = sasl_client_init(callbacks);
if (r != SASL_OK) exit(-1);
@@ -91,6 +155,16 @@
sasl_mech = "GSS-SPNEGO";
}
+ if (plain) {
+ sasl_mech = "PLAIN";
+
+ callbacks[1].id = SASL_CB_AUTHNAME;
+ callbacks[1].proc = (sasl_callback_ft)&get_user;
+
+ callbacks[2].id = SASL_CB_PASS;
+ callbacks[2].proc = (sasl_callback_ft)&get_pass;
+ }
+
if (zeromaxssf) {
/* set all security properties to 0 including maxssf */
sasl_security_properties_t secprops = { 0 };
@@ -99,9 +173,9 @@
r = sasl_client_start(conn, sasl_mech, NULL, &data, &len, &chosenmech);
if (r != SASL_OK && r != SASL_CONTINUE) {
- saslerr(r, "starting SASL negotiation");
- printf("\n%s\n", sasl_errdetail(conn));
- exit(-1);
+ saslerr(r, "starting SASL negotiation");
+ printf("\n%s\n", sasl_errdetail(conn));
+ exit(-1);
}
sd = setup_socket();
@@ -111,11 +185,11 @@
len = 8192;
recv_string(sd, buf, &len, false);
- r = sasl_client_step(conn, buf, len, NULL, &data, &len);
- if (r != SASL_OK && r != SASL_CONTINUE) {
- saslerr(r, "performing SASL negotiation");
- printf("\n%s\n", sasl_errdetail(conn));
- exit(-1);
+ r = sasl_client_step(conn, buf, len, NULL, &data, &len);
+ if (r != SASL_OK && r != SASL_CONTINUE) {
+ saslerr(r, "performing SASL negotiation");
+ printf("\n%s\n", sasl_errdetail(conn));
+ exit(-1);
}
}
diff -Nru cyrus-sasl-2.1.27/tests/t_gssapi_srv.c cyrus-sasl-2.1.27-beldmit/tests/t_gssapi_srv.c
--- cyrus-sasl-2.1.27/tests/t_gssapi_srv.c 2020-12-23 14:31:35.565537492 +0100
+++ cyrus-sasl-2.1.27-beldmit/tests/t_gssapi_srv.c 2021-01-06 11:27:48.373257373 +0100
@@ -1,4 +1,5 @@
-/* Copyright (C) Simo Sorce <simo@redhat.com>
+/* Copyright (C) Simo Sorce <simo@redhat.com>,
+ * Dmitry Belyavskiy <dbelyavs@redhat.com>
* See COPYING file for License */
#include "t_common.h"
@@ -15,6 +16,10 @@
#include <arpa/inet.h>
#include <saslplug.h>
+const char *sasldb_path = NULL,
+ *auxprop_plugin = "sasldb",
+ *pwcheck_method = "auxprop-hashed";
+
static int setup_socket(void)
{
struct sockaddr_in addr;
@@ -45,9 +50,38 @@
return sd;
}
+static int test_getopt(void *context __attribute__((unused)),
+ const char *plugin_name __attribute__((unused)),
+ const char *option,
+ const char **result,
+ unsigned *len)
+{
+ if (sasldb_path && !strcmp(option, "sasldb_path")) {
+ *result = sasldb_path;
+ if (len)
+ *len = (unsigned) strlen(sasldb_path);
+ return SASL_OK;
+ }
+
+ if (sasldb_path && !strcmp(option, "auxprop_plugin")) {
+ *result = auxprop_plugin;
+ if (len)
+ *len = (unsigned) strlen(auxprop_plugin);
+ return SASL_OK;
+ }
+
+ if (sasldb_path && !strcmp(option, "pwcheck_method")) {
+ *result = pwcheck_method;
+ if (len)
+ *len = (unsigned) strlen(pwcheck_method);
+ return SASL_OK;
+ }
+ return SASL_FAIL;
+}
+
int main(int argc, char *argv[])
{
- sasl_callback_t callbacks[2] = {};
+ sasl_callback_t callbacks[3] = {};
char buf[8192];
sasl_conn_t *conn;
const char *data;
@@ -59,8 +93,9 @@
const char *sasl_mech = "GSSAPI";
bool spnego = false;
bool zeromaxssf = false;
+ bool plain = false;
- while ((c = getopt(argc, argv, "c:zN")) != EOF) {
+ while ((c = getopt(argc, argv, "c:zNP:")) != EOF) {
switch (c) {
case 'c':
parse_cb(&cb, cb_buf, 256, optarg);
@@ -71,6 +106,10 @@
case 'N':
spnego = true;
break;
+ case 'P':
+ plain = true;
+ sasldb_path = optarg;
+ break;
default:
break;
}
@@ -81,9 +120,12 @@
callbacks[0].id = SASL_CB_GETPATH;
callbacks[0].proc = (sasl_callback_ft)&getpath;
callbacks[0].context = NULL;
- callbacks[1].id = SASL_CB_LIST_END;
- callbacks[1].proc = NULL;
+ callbacks[1].id = SASL_CB_GETOPT;
+ callbacks[1].proc = (sasl_callback_ft)&test_getopt;
callbacks[1].context = NULL;
+ callbacks[2].id = SASL_CB_LIST_END;
+ callbacks[2].proc = NULL;
+ callbacks[2].context = NULL;
r = sasl_server_init(callbacks, "t_gssapi_srv");
if (r != SASL_OK) exit(-1);
@@ -103,6 +145,10 @@
sasl_mech = "GSS-SPNEGO";
}
+ if (plain) {
+ sasl_mech = "PLAIN";
+ }
+
if (zeromaxssf) {
/* set all security properties to 0 including maxssf */
sasl_security_properties_t secprops = { 0 };
@@ -116,9 +162,9 @@
r = sasl_server_start(conn, sasl_mech, buf, len, &data, &len);
if (r != SASL_OK && r != SASL_CONTINUE) {
- saslerr(r, "starting SASL negotiation");
- printf("\n%s\n", sasl_errdetail(conn));
- exit(-1);
+ saslerr(r, "starting SASL negotiation");
+ printf("\n%s\n", sasl_errdetail(conn));
+ exit(-1);
}
while (r == SASL_CONTINUE) {
@@ -126,12 +172,12 @@
len = 8192;
recv_string(sd, buf, &len, true);
- r = sasl_server_step(conn, buf, len, &data, &len);
- if (r != SASL_OK && r != SASL_CONTINUE) {
- saslerr(r, "performing SASL negotiation");
- printf("\n%s\n", sasl_errdetail(conn));
- exit(-1);
- }
+ r = sasl_server_step(conn, buf, len, &data, &len);
+ if (r != SASL_OK && r != SASL_CONTINUE) {
+ saslerr(r, "performing SASL negotiation");
+ printf("\n%s\n", sasl_errdetail(conn));
+ exit(-1);
+ }
}
if (r != SASL_OK) exit(-1);

0
SOURCES/cyrus-sasl-2.1.27-Add-support-for-setting-max-ssf-0-to-GSS-SPNEGO.patch → cyrus-sasl-2.1.27-Add-support-for-setting-max-ssf-0-to-GSS-SPNEGO.patch
View File

0
SOURCES/cyrus-sasl-2.1.27-Emit-debug-log-only-in-case-of-errors.patch → cyrus-sasl-2.1.27-Emit-debug-log-only-in-case-of-errors.patch
View File

569
cyrus-sasl-2.1.27-Migration-from-BerkeleyDB.patch Normal file
View File

@ -0,0 +1,569 @@
diff -up cyrus-sasl-2.1.27/configure.ac.frombdb cyrus-sasl-2.1.27/configure.ac
--- cyrus-sasl-2.1.27/configure.ac.frombdb 2021-06-04 13:02:07.790112263 +0200
+++ cyrus-sasl-2.1.27/configure.ac 2021-06-04 13:02:07.798112327 +0200
@@ -1091,6 +1091,9 @@ AC_SUBST(SASL_STATIC_SRCS)
AC_SUBST(SASL_STATIC_OBJS)
AC_SUBST(SASL_STATIC_LIBS)
+CYRUS_BERKELEY_DB_STATIC_LIB()
+AC_SUBST(BDB_STATIC_LIBADD)
+
AC_ARG_WITH(plugindir, [ --with-plugindir=DIR set the directory where plugins will
be found [[LIBDIR/sasl2]] ],
plugindir=$withval,
diff -up cyrus-sasl-2.1.27/m4/berkdb.m4.frombdb cyrus-sasl-2.1.27/m4/berkdb.m4
--- cyrus-sasl-2.1.27/m4/berkdb.m4.frombdb 2016-01-29 18:35:35.000000000 +0100
+++ cyrus-sasl-2.1.27/m4/berkdb.m4 2021-06-04 13:02:07.798112327 +0200
@@ -286,3 +286,10 @@ AC_DEFUN([CYRUS_BERKELEY_DB_CHK],
CPPFLAGS=$cmu_save_CPPFLAGS
])
+
+AC_DEFUN([CYRUS_BERKELEY_DB_STATIC_LIB],
+[
+BDB_STATIC_LIBADD="/dev/null -lpthread"
+AC_CHECK_FILE([/usr/lib64/libdb-5.3.a],[BDB_STATIC_LIBADD="/usr/lib64/libdb-5.3.a -lpthread "],[])
+AC_CHECK_FILE([/usr/lib/libdb-5.3.a],[BDB_STATIC_LIBADD="/usr/lib/libdb-5.3.a -lpthread"],[])
+])
diff -up cyrus-sasl-2.1.27/m4/sasldb.m4.frombdb cyrus-sasl-2.1.27/m4/sasldb.m4
--- cyrus-sasl-2.1.27/m4/sasldb.m4.frombdb 2017-07-13 20:45:19.000000000 +0200
+++ cyrus-sasl-2.1.27/m4/sasldb.m4 2021-06-04 13:02:07.798112327 +0200
@@ -111,7 +111,7 @@ AC_MSG_RESULT($dblib)
SASL_DB_BACKEND="db_${dblib}.lo"
SASL_DB_BACKEND_STATIC="db_${dblib}.o allockey.o"
SASL_DB_BACKEND_STATIC_SRCS="\$(top_srcdir)/sasldb/db_${dblib}.c \$(top_srcdir)/sasldb/allockey.c"
-SASL_DB_UTILS="saslpasswd2 sasldblistusers2"
+SASL_DB_UTILS="cyrusbdb2current saslpasswd2 sasldblistusers2"
SASL_DB_MANS="saslpasswd2.8 sasldblistusers2.8"
case "$dblib" in
diff -up cyrus-sasl-2.1.27/sasldb/db_gdbm.c.frombdb cyrus-sasl-2.1.27/sasldb/db_gdbm.c
--- cyrus-sasl-2.1.27/sasldb/db_gdbm.c.frombdb 2017-07-13 14:34:03.000000000 +0200
+++ cyrus-sasl-2.1.27/sasldb/db_gdbm.c 2021-06-04 13:04:24.098206887 +0200
@@ -67,6 +67,7 @@ int _sasldb_getdata(const sasl_utils_t *
void *cntxt;
sasl_getopt_t *getopt;
const char *path = SASL_DB_PATH;
+ int fetch_errno = 0;
if (!utils) return SASL_BADPARAM;
if (!authid || !propName || !realm || !out || !max_out) {
@@ -99,6 +100,9 @@ int _sasldb_getdata(const sasl_utils_t *
}
db = gdbm_open((char *)path, 0, GDBM_READER, S_IRUSR | S_IWUSR, NULL);
if (! db) {
+ utils->log(conn, SASL_LOG_ERR,
+ "SASL error opening password file. "
+ "Have you performed the migration from db2 using cyrusbdb2current?\n");
utils->seterror(cntxt, 0, "Could not open %s: gdbm_errno=%d",
path, gdbm_errno);
result = SASL_FAIL;
@@ -107,9 +111,10 @@ int _sasldb_getdata(const sasl_utils_t *
gkey.dptr = key;
gkey.dsize = key_len;
gvalue = gdbm_fetch(db, gkey);
+ fetch_errno = gdbm_errno;
gdbm_close(db);
if (! gvalue.dptr) {
- if (gdbm_errno == GDBM_ITEM_NOT_FOUND) {
+ if (fetch_errno == GDBM_ITEM_NOT_FOUND) {
utils->seterror(conn, SASL_NOLOG,
"user: %s@%s property: %s not found in %s",
authid, realm, propName, path);
@@ -186,7 +191,8 @@ int _sasldb_putdata(const sasl_utils_t *
if (! db) {
utils->log(conn, SASL_LOG_ERR,
"SASL error opening password file. "
- "Do you have write permissions?\n");
+ "Do you have write permissions?\n"
+ "Have you performed the migration from db2 using cyrusbdb2current?\n");
utils->seterror(conn, 0, "Could not open %s for write: gdbm_errno=%d",
path, gdbm_errno);
result = SASL_FAIL;
@@ -298,6 +304,9 @@ sasldb_handle _sasldb_getkeyhandle(const
db = gdbm_open((char *)path, 0, GDBM_READER, S_IRUSR | S_IWUSR, NULL);
if(!db) {
+ utils->log(conn, SASL_LOG_ERR,
+ "SASL error opening password file. "
+ "Have you performed the migration from db2 using cyrusbdb2current?\n");
utils->seterror(conn, 0, "Could not open %s: gdbm_errno=%d",
path, gdbm_errno);
return NULL;
diff -up cyrus-sasl-2.1.27/utils/cyrusbdb2current.8.frombdb cyrus-sasl-2.1.27/utils/cyrusbdb2current.8
--- cyrus-sasl-2.1.27/utils/cyrusbdb2current.8.frombdb 2021-06-04 13:02:07.798112327 +0200
+++ cyrus-sasl-2.1.27/utils/cyrusbdb2current.8 2021-06-04 13:02:07.798112327 +0200
@@ -0,0 +1,159 @@
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings. \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote. \*(C+ will
+.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+. ds -- \(*W-
+. ds PI pi
+. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
+. ds L" ""
+. ds R" ""
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds -- \|\(em\|
+. ds PI \(*p
+. ds L" ``
+. ds R" ''
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear. Run. Save yourself. No user-serviceable parts.
+. \" fudge factors for nroff and troff
+.if n \{\
+. ds #H 0
+. ds #V .8m
+. ds #F .3m
+. ds #[ \f1
+. ds #] \fP
+.\}
+.if t \{\
+. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+. ds #V .6m
+. ds #F 0
+. ds #[ \&
+. ds #] \&
+.\}
+. \" simple accents for nroff and troff
+.if n \{\
+. ds ' \&
+. ds ` \&
+. ds ^ \&
+. ds , \&
+. ds ~ ~
+. ds /
+.\}
+.if t \{\
+. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+. \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+. \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+. \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+. ds : e
+. ds 8 ss
+. ds o a
+. ds d- d\h'-1'\(ga
+. ds D- D\h'-1'\(hy
+. ds th \o'bp'
+. ds Th \o'LP'
+. ds ae ae
+. ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "CYRUSBDB2CURRENT 1"
+.TH CYRUSBDB2CURRENT 1 "2021-04-28" "perl v5.30.3" "User Contributed Perl Documentation"
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+cyrusbdb2current \- command\-line utility converting the SASLDB database from
+BerkeleyDB to the database format currently used bys sasldb.
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+cyrusbdb2current <sasldb_old_path> <sasldb_new_path>
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+\&\fBcyrusbdb2current\fR converts the current sasldb database from BerkeleyDB format to the
+currently used database format. It is \fB\s-1STRONGLY RECOMMENDED\s0\fR to make a backup
+of the current database before the conversion.
+.PP
+We expect that the old path is \fB/etc/sasldb2\fR and the new one is
+\&\fB/etc/sasl2/sasldb2\fR
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBsaslpasswd2\fR\|(8)
+.PP
+rfc4422 \- Simple Authentication and Security Layer (\s-1SASL\s0)
diff -up cyrus-sasl-2.1.27/utils/cyrusbdb2current.c.frombdb cyrus-sasl-2.1.27/utils/cyrusbdb2current.c
--- cyrus-sasl-2.1.27/utils/cyrusbdb2current.c.frombdb 2021-06-04 13:02:07.798112327 +0200
+++ cyrus-sasl-2.1.27/utils/cyrusbdb2current.c 2021-06-04 13:02:07.798112327 +0200
@@ -0,0 +1,282 @@
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <sasl.h>
+#include <saslplug.h>
+#include "../sasldb/sasldb.h"
+
+/* Cheating to make the utils work out right */
+extern const sasl_utils_t *sasl_global_utils;
+sasl_conn_t *globalconn;
+
+typedef void *listcb_t(const char *, const char *, const char *,
+ const char *, unsigned);
+
+void listusers_cb(const char *authid, const char *realm,
+ const char *propName, const char *secret,
+ unsigned seclen)
+{
+ if (!authid || !propName || !realm) {
+ fprintf(stderr,"userlist callback has bad param");
+ return;
+ }
+
+ /* the entries that just say the mechanism exists */
+ if (strlen(authid)==0) return;
+
+ printf("Converting: %s@%s (%s)...",authid,realm,propName);
+
+ _sasldb_putdata(sasl_global_utils, globalconn,
+ authid, realm, propName,
+ secret, seclen);
+
+ printf("ok\n");
+}
+
+/*
+ * List all users in database
+ */
+
+#include <db.h>
+
+#define DB_VERSION_FULL ((DB_VERSION_MAJOR << 24) | (DB_VERSION_MINOR << 16) | DB_VERSION_PATCH)
+/*
+ * Open the database
+ *
+ */
+static int berkeleydb_open(const char *path,DB **mbdb)
+{
+ int ret;
+
+#if DB_VERSION_FULL < 0x03000000
+ ret = db_open(path, DB_HASH, DB_CREATE, 0664, NULL, NULL, mbdb);
+#else /* DB_VERSION_FULL < 0x03000000 */
+ ret = db_create(mbdb, NULL, 0);
+ if (ret == 0 && *mbdb != NULL)
+ {
+#if DB_VERSION_FULL >= 0x04010000
+ ret = (*mbdb)->open(*mbdb, NULL, path, NULL, DB_HASH, DB_CREATE, 0664);
+#else
+ ret = (*mbdb)->open(*mbdb, path, NULL, DB_HASH, DB_CREATE, 0664);
+#endif
+ if (ret != 0)
+ {
+ (void) (*mbdb)->close(*mbdb, 0);
+ *mbdb = NULL;
+ }
+ }
+#endif /* DB_VERSION_FULL < 0x03000000 */
+
+ if (ret != 0) {
+ fprintf(stderr,"Error opening password file %s\n", path);
+ return SASL_FAIL;
+ }
+
+ return SASL_OK;
+}
+
+/*
+ * Close the database
+ *
+ */
+
+static void berkeleydb_close(DB *mbdb)
+{
+ int ret;
+
+ ret = mbdb->close(mbdb, 0);
+ if (ret!=0) {
+ fprintf(stderr,"error closing sasldb: %s",
+ db_strerror(ret));
+ }
+}
+
+int listusers(const char *path, listcb_t *cb)
+{
+ int result;
+ DB *mbdb = NULL;
+ DBC *cursor;
+ DBT key, data;
+
+ /* open the db */
+ result=berkeleydb_open(path, &mbdb);
+ if (result!=SASL_OK) goto cleanup;
+
+ /* make cursor */
+#if DB_VERSION_FULL < 0x03060000
+ result = mbdb->cursor(mbdb, NULL,&cursor);
+#else
+ result = mbdb->cursor(mbdb, NULL,&cursor, 0);
+#endif /* DB_VERSION_FULL < 0x03060000 */
+
+ if (result!=0) {
+ fprintf(stderr,"Making cursor failure: %s\n",db_strerror(result));
+ result = SASL_FAIL;
+ goto cleanup;
+ }
+
+ memset(&key,0, sizeof(key));
+ memset(&data,0,sizeof(data));
+
+ /* loop thru */
+ result = cursor->c_get(cursor, &key, &data,
+ DB_FIRST);
+
+ while (result != DB_NOTFOUND)
+ {
+ char *authid;
+ char *realm;
+ char *tmp;
+ unsigned int len;
+ char prop[1024];
+ int numnulls = 0;
+ unsigned int lup;
+
+ /* make sure there are exactly 2 null's */
+ for (lup=0;lup<key.size;lup++)
+ if (((char *)key.data)[lup]=='\0')
+ numnulls++;
+
+ if (numnulls != 2) {
+ fprintf(stderr,"warning: probable database corruption\n");
+ result = cursor->c_get(cursor, &key, &data, DB_NEXT);
+ continue;
+ }
+
+ authid = key.data;
+ realm = authid + strlen(authid)+1;
+ tmp = realm + strlen(realm)+1;
+ len = key.size - (tmp - authid);
+
+ /* make sure we have enough space of prop */
+ if (len >=sizeof(prop)) {
+ fprintf(stderr,"warning: absurdly long prop name\n");
+ result = cursor->c_get(cursor, &key, &data, DB_NEXT);
+ continue;
+ }
+
+ memcpy(prop, tmp, key.size - (tmp - ((char *)key.data)));
+ prop[key.size - (tmp - ((char *)key.data))] = '\0';
+
+ if (*authid) {
+ /* don't check return values */
+ cb(authid,realm,prop,data.data,data.size);
+ }
+
+ result = cursor->c_get(cursor, &key, &data, DB_NEXT);
+ }
+
+ if (result != DB_NOTFOUND) {
+ fprintf(stderr,"failure: %s\n",db_strerror(result));
+ result = SASL_FAIL;
+ goto cleanup;
+ }
+
+ result = cursor->c_close(cursor);
+ if (result != 0) {
+ result = SASL_FAIL;
+ goto cleanup;
+ }
+
+ result = SASL_OK;
+
+ cleanup:
+
+ if (mbdb != NULL) berkeleydb_close(mbdb);
+ return result;
+}
+
+
+char *db = NULL, *db_new=NULL;
+
+int good_getopt(void *context __attribute__((unused)),
+ const char *plugin_name __attribute__((unused)),
+ const char *option,
+ const char **result,
+ unsigned *len)
+{
+ if (db_new && !strcmp(option, "sasldb_path")) {
+ *result = db_new;
+ if (len)
+ *len = strlen(db_new);
+ return SASL_OK;
+ }
+
+ return SASL_FAIL;
+}
+
+static struct sasl_callback goodsasl_cb[] = {
+ { SASL_CB_GETOPT, (int (*)(void))&good_getopt, NULL },
+ { SASL_CB_LIST_END, NULL, NULL }
+};
+
+int main(int argc, char **argv)
+{
+ int result;
+ FILE *f;
+
+ if (argc != 3) {
+ fprintf(stderr, "Usage: cyrusbdb2current old_sasldb new_sasldb\n");
+ fprintf(stderr, "old_sasldb is presumably /etc/sasldb2\n");
+ fprintf(stderr, "new_sasldb is presumably /etc/sasl2/sasldb2\n");
+ return 1;
+ }
+
+ db = argv[1];
+ db_new = argv[2];
+
+ if (strcmp(db, db_new) == 0) {
+ fprintf(stderr, "Old and new files should be different\n");
+ return 1;
+ }
+
+
+ f = fopen(db_new, "rb");
+ if (f != NULL) {
+ fprintf(stderr, "The specified target file %s already exists\n", db_new);
+ fclose(f);
+ return 1;
+ }
+
+ result = sasl_server_init(goodsasl_cb, "dbconverter");
+ if (result != SASL_OK) {
+ fprintf(stderr, "couldn't init saslv2\n");
+ return 1;
+ }
+
+ result = sasl_server_new("sasldb",
+ "localhost",
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ 0,
+ &globalconn);
+ if (result != SASL_OK) {
+ fprintf(stderr, "couldn't create globalconn\n");
+ return 1;
+ }
+
+ if(_sasl_check_db(sasl_global_utils,globalconn) != SASL_OK) {
+ fprintf(stderr, "target DB %s is not OK\n", db_new);
+ return 1;
+ }
+
+ printf("\nThis program will take the sasldb file specified on the\n"
+ "command line and convert it to a new sasldb specified\n"
+ "on the command line. It is STRONGLY RECOMMENDED that you\n"
+ "backup sasldb before allowing this program to run\n\n"
+ "We are going to convert %s and our output will be in %s\n\n"
+ "Press return to continue\n", db, db_new);
+
+ getchar();
+
+ listusers(db, (listcb_t *) &listusers_cb);
+
+ sasl_dispose(&globalconn);
+ sasl_done();
+
+ exit(0);
+}
diff -up cyrus-sasl-2.1.27/utils/Makefile.am.frombdb cyrus-sasl-2.1.27/utils/Makefile.am
--- cyrus-sasl-2.1.27/utils/Makefile.am.frombdb 2018-10-05 16:40:16.000000000 +0200
+++ cyrus-sasl-2.1.27/utils/Makefile.am 2021-06-04 13:02:07.798112327 +0200
@@ -46,14 +46,14 @@ all_sasl_libs = ../lib/libsasl2.la $(SAS
all_sasl_static_libs = ../lib/.libs/libsasl2.a $(SASL_DB_LIB) $(LIB_SOCKET) $(GSSAPIBASE_LIBS) $(GSSAPI_LIBS) $(SASL_KRB_LIB) $(LIB_DES) $(PLAIN_LIBS) $(SRP_LIBS) $(LIB_MYSQL) $(LIB_PGSQL) $(LIB_SQLITE)
sbin_PROGRAMS = @SASL_DB_UTILS@ @SMTPTEST_PROGRAM@ pluginviewer
-EXTRA_PROGRAMS = saslpasswd2 sasldblistusers2 testsuite testsuitestatic smtptest pluginviewer
+EXTRA_PROGRAMS = saslpasswd2 sasldblistusers2 testsuite testsuitestatic smtptest pluginviewer cyrusbdb2current
noinst_PROGRAMS = dbconverter-2
if NO_SASL_DB_MANS
man_MANS =
else
-man_MANS = saslpasswd2.8 sasldblistusers2.8 pluginviewer.8
+man_MANS = saslpasswd2.8 sasldblistusers2.8 pluginviewer.8 cyrusbdb2current.8
endif
saslpasswd2_LDADD = ../sasldb/libsasldb.la $(all_sasl_libs)
@@ -63,6 +63,7 @@ sasldblistusers2_SOURCES = sasldblistuse
dbconverter_2_LDADD = ../sasldb/libsasldb.la $(all_sasl_libs)
pluginviewer_LDADD = $(all_sasl_libs)
pluginviewer_SOURCES = pluginviewer.c
+cyrusbdb2current_LDADD = ../sasldb/libsasldb.la @BDB_STATIC_LIBADD@ $(all_sasl_libs)
testsuite_LDADD = $(all_sasl_libs) @DMALLOC_LIBS@

56
cyrus-sasl-2.1.27-coverity.patch Normal file
View File

@ -0,0 +1,56 @@
diff -up cyrus-sasl-2.1.27/include/makemd5.c.coverity cyrus-sasl-2.1.27/include/makemd5.c
--- cyrus-sasl-2.1.27/include/makemd5.c.coverity 2021-04-12 15:10:25.421431535 +0200
+++ cyrus-sasl-2.1.27/include/makemd5.c 2021-04-12 15:56:46.752827737 +0200
@@ -107,7 +107,6 @@ my_strupr(char *s)
}
}
-
#define BITSIZE(TYPE) \
{ \
int b = 0; TYPE x = 1, zero = 0; char *pre = "U"; \
@@ -129,6 +128,8 @@ my_strupr(char *s)
static void
try_signed(FILE *f, int len)
{
+/* Local macros for not-installed program. No coverity/compiler issues! */
+#pragma GCC diagnostic ignored "-Wformat-overflow"
#ifdef HAVE_INT8_T
BITSIZE(int8_t);
#endif
@@ -149,6 +150,7 @@ try_signed(FILE *f, int len)
BITSIZE(long long);
#endif
fprintf(f, "/* There is no %d bit type */\n", len);
+#pragma GCC pop
}
static void
diff -up cyrus-sasl-2.1.27/saslauthd/lak.c.coverity cyrus-sasl-2.1.27/saslauthd/lak.c
--- cyrus-sasl-2.1.27/saslauthd/lak.c.coverity 2018-11-08 18:29:57.000000000 +0100
+++ cyrus-sasl-2.1.27/saslauthd/lak.c 2021-04-12 15:10:25.433431630 +0200
@@ -337,9 +337,9 @@ static int lak_config_read(
EMPTY(conf->group_search_base) )
strlcpy(conf->group_search_base, conf->search_base, LAK_DN_LEN);
- fclose(infile);
+ fclose(infile);
- return LAK_OK;
+ return LAK_OK;
}
static int lak_config_int(
diff -up cyrus-sasl-2.1.27/saslauthd/saslauthd-main.c.coverity cyrus-sasl-2.1.27/saslauthd/saslauthd-main.c
--- cyrus-sasl-2.1.27/saslauthd/saslauthd-main.c.coverity 2018-01-19 15:13:40.000000000 +0100
+++ cyrus-sasl-2.1.27/saslauthd/saslauthd-main.c 2021-04-12 15:10:25.433431630 +0200
@@ -833,7 +833,8 @@ void detach_tty() {
}
logger(L_INFO, L_FUNC, "master pid is: %lu", (unsigned long)master_pid);
-
+ /* null_fd expected to be more than 2, so it is closed after dups, no leaks occur */
+ /* coverity[leaked_handle : FALSE]*/
return;
}

546
cyrus-sasl-2.1.27-cumulative-digestmd5.patch Normal file
View File

@ -0,0 +1,546 @@
diff -uPr cyrus-sasl-2.1.27/plugins/digestmd5.c cyrus-sasl-2.1.27.digestmd5/plugins/digestmd5.c
--- cyrus-sasl-2.1.27/plugins/digestmd5.c 2022-09-08 12:22:03.782961573 -0400
+++ cyrus-sasl-2.1.27.digestmd5/plugins/digestmd5.c 2022-09-08 12:24:20.289994669 -0400
@@ -80,6 +80,12 @@
# endif
#endif /* WITH_DES */
+/* legacy provider with openssl 3.0 */
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+# include <openssl/provider.h>
+# include <openssl/crypto.h>
+#endif
+
#ifdef WIN32
# include <winsock2.h>
#else /* Unix */
@@ -170,6 +176,12 @@
typedef struct cipher_context cipher_context_t;
+typedef struct crypto_context {
+ void *libctx;
+ cipher_context_t *enc_ctx;
+ cipher_context_t *dec_ctx;
+} crypto_context_t;
+
/* cached auth info used for fast reauth */
typedef struct reauth_entry {
char *authid;
@@ -254,12 +266,12 @@
decode_context_t decode_context;
/* if privacy mode is used use these functions for encode and decode */
+ char *cipher_name;
cipher_function_t *cipher_enc;
cipher_function_t *cipher_dec;
cipher_init_t *cipher_init;
cipher_free_t *cipher_free;
- struct cipher_context *cipher_enc_context;
- struct cipher_context *cipher_dec_context;
+ crypto_context_t crypto;
} context_t;
struct digest_cipher {
@@ -888,7 +900,7 @@
char *output,
unsigned *outputlen)
{
- des_context_t *c = (des_context_t *) text->cipher_dec_context;
+ des_context_t *c = (des_context_t *) text->crypto.dec_ctx;
int padding, p;
des_ede2_cbc_encrypt((void *) input,
@@ -925,7 +937,7 @@
char *output,
unsigned *outputlen)
{
- des_context_t *c = (des_context_t *) text->cipher_enc_context;
+ des_context_t *c = (des_context_t *) text->crypto.enc_ctx;
int len;
int paddinglen;
@@ -973,7 +985,7 @@
return SASL_FAIL;
memcpy(c->ivec, ((char *) enckey) + 8, 8);
- text->cipher_enc_context = (cipher_context_t *) c;
+ text->crypto.enc_ctx = (cipher_context_t *) c;
/* setup dec context */
c++;
@@ -987,7 +999,7 @@
memcpy(c->ivec, ((char *) deckey) + 8, 8);
- text->cipher_dec_context = (cipher_context_t *) c;
+ text->crypto.dec_ctx = (cipher_context_t *) c;
return SASL_OK;
}
@@ -1006,7 +1018,7 @@
char *output,
unsigned *outputlen)
{
- des_context_t *c = (des_context_t *) text->cipher_dec_context;
+ des_context_t *c = (des_context_t *) text->crypto.dec_ctx;
int p, padding = 0;
des_cbc_encrypt((void *) input,
@@ -1046,7 +1058,7 @@
char *output,
unsigned *outputlen)
{
- des_context_t *c = (des_context_t *) text->cipher_enc_context;
+ des_context_t *c = (des_context_t *) text->crypto.enc_ctx;
int len;
int paddinglen;
@@ -1093,7 +1105,7 @@
memcpy(c->ivec, ((char *) enckey) + 8, 8);
- text->cipher_enc_context = (cipher_context_t *) c;
+ text->crypto.enc_ctx = (cipher_context_t *) c;
/* setup dec context */
c++;
@@ -1102,34 +1114,83 @@
memcpy(c->ivec, ((char *) deckey) + 8, 8);
- text->cipher_dec_context = (cipher_context_t *) c;
+ text->crypto.dec_ctx = (cipher_context_t *) c;
return SASL_OK;
}
static void free_des(context_t *text)
{
- /* free des contextss. only cipher_enc_context needs to be free'd,
- since cipher_dec_context was allocated at the same time. */
- if (text->cipher_enc_context) text->utils->free(text->cipher_enc_context);
+ /* free des contextss. only enc_ctx needs to be free'd,
+ since dec_cxt was allocated at the same time. */
+ if (text->crypto.enc_ctx) {
+ text->utils->free(text->crypto.enc_ctx);
+ }
}
#endif /* WITH_DES */
#ifdef WITH_RC4
-#ifdef HAVE_OPENSSL
#include <openssl/evp.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+typedef struct ossl3_library_context {
+ OSSL_LIB_CTX *libctx;
+ OSSL_PROVIDER *legacy_provider;
+ OSSL_PROVIDER *default_provider;
+} ossl3_context_t;
+
+static int init_ossl3_ctx(context_t *text)
+{
+ ossl3_context_t *ctx = text->utils->malloc(sizeof(ossl3_context_t));
+ if (!ctx) return SASL_NOMEM;
+
+ ctx->libctx = OSSL_LIB_CTX_new();
+ if (!ctx->libctx) {
+ text->utils->free(ctx);
+ return SASL_FAIL;
+ }
+
+ /* Load both legacy and default provider as both may be needed */
+ /* if they fail keep going and an error will be raised when we try to
+ * fetch the cipher later */
+ ctx->legacy_provider = OSSL_PROVIDER_load(ctx->libctx, "legacy");
+ ctx->default_provider = OSSL_PROVIDER_load(ctx->libctx, "default");
+ text->crypto.libctx = (void *)ctx;
+
+ return SASL_OK;
+}
+
+static void free_ossl3_ctx(context_t *text)
+{
+ ossl3_context_t *ctx;
+
+ if (!text->crypto.libctx) return;
+
+ ctx = (ossl3_context_t *)text->crypto.libctx;
+
+ if (ctx->legacy_provider) OSSL_PROVIDER_unload(ctx->legacy_provider);
+ if (ctx->default_provider) OSSL_PROVIDER_unload(ctx->default_provider);
+ if (ctx->libctx) OSSL_LIB_CTX_free(ctx->libctx);
+
+ text->utils->free(ctx);
+ text->crypto.libctx = NULL;
+}
+#endif
+
static void free_rc4(context_t *text)
{
- if (text->cipher_enc_context) {
- EVP_CIPHER_CTX_free((EVP_CIPHER_CTX *)text->cipher_enc_context);
- text->cipher_enc_context = NULL;
- }
- if (text->cipher_dec_context) {
- EVP_CIPHER_CTX_free((EVP_CIPHER_CTX *)text->cipher_dec_context);
- text->cipher_dec_context = NULL;
+ if (text->crypto.enc_ctx) {
+ EVP_CIPHER_CTX_free((EVP_CIPHER_CTX *)text->crypto.enc_ctx);
+ text->crypto.enc_ctx = NULL;
+ }
+ if (text->crypto.dec_ctx) {
+ EVP_CIPHER_CTX_free((EVP_CIPHER_CTX *)text->crypto.dec_ctx);
+ text->crypto.dec_ctx = NULL;
}
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ free_ossl3_ctx(text);
+#endif
}
static int init_rc4(context_t *text,
@@ -1139,23 +1200,57 @@
EVP_CIPHER_CTX *ctx;
int rc;
- ctx = EVP_CIPHER_CTX_new();
- if (ctx == NULL) return SASL_NOMEM;
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_CIPHER *cipher;
+ ossl3_context_t *ossl3_ctx;
- rc = EVP_EncryptInit_ex(ctx, EVP_rc4(), NULL, enckey, NULL);
- if (rc != 1) return SASL_FAIL;
+ rc = init_ossl3_ctx(text);
+ if (rc != SASL_OK) return rc;
+
+ ossl3_ctx = (ossl3_context_t *)text->crypto.libctx;
+ cipher = EVP_CIPHER_fetch(ossl3_ctx->libctx, "RC4", "");
+#else
+ const EVP_CIPHER *cipher;
+ cipher = EVP_rc4();
+#endif
- text->cipher_enc_context = (void *)ctx;
ctx = EVP_CIPHER_CTX_new();
- if (ctx == NULL) return SASL_NOMEM;
+ if (ctx == NULL) {
+ rc = SASL_NOMEM;
+ goto done;
+ }
- rc = EVP_DecryptInit_ex(ctx, EVP_rc4(), NULL, deckey, NULL);
- if (rc != 1) return SASL_FAIL;
+ rc = EVP_EncryptInit_ex(ctx, cipher, NULL, enckey, NULL);
+ if (rc != 1) {
+ rc = SASL_FAIL;
+ goto done;
+ }
+ text->crypto.enc_ctx = (void *)ctx;
+
+ ctx = EVP_CIPHER_CTX_new();
+ if (ctx == NULL) {
+ rc = SASL_NOMEM;
+ goto done;
+ }
+
+ rc = EVP_DecryptInit_ex(ctx, cipher, NULL, deckey, NULL);
+ if (rc != 1) {
+ rc = SASL_FAIL;
+ goto done;
+ }
+ text->crypto.dec_ctx = (void *)ctx;
- text->cipher_dec_context = (void *)ctx;
+ rc = SASL_OK;
- return SASL_OK;
+done:
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_CIPHER_free(cipher);
+#endif
+ if (rc != SASL_OK) {
+ free_rc4(text);
+ }
+ return rc;
}
static int dec_rc4(context_t *text,
@@ -1169,14 +1264,14 @@
int rc;
/* decrypt the text part & HMAC */
- rc = EVP_DecryptUpdate((EVP_CIPHER_CTX *)text->cipher_dec_context,
+ rc = EVP_DecryptUpdate((EVP_CIPHER_CTX *)text->crypto.dec_ctx,
(unsigned char *)output, &len,
(const unsigned char *)input, inputlen);
if (rc != 1) return SASL_FAIL;
*outputlen = len;
- rc = EVP_DecryptFinal_ex((EVP_CIPHER_CTX *)text->cipher_dec_context,
+ rc = EVP_DecryptFinal_ex((EVP_CIPHER_CTX *)text->crypto.dec_ctx,
(unsigned char *)output + len, &len);
if (rc != 1) return SASL_FAIL;
@@ -1198,7 +1293,7 @@
int len;
int rc;
/* encrypt the text part */
- rc = EVP_EncryptUpdate((EVP_CIPHER_CTX *)text->cipher_enc_context,
+ rc = EVP_EncryptUpdate((EVP_CIPHER_CTX *)text->crypto.enc_ctx,
(unsigned char *)output, &len,
(const unsigned char *)input, inputlen);
if (rc != 1) return SASL_FAIL;
@@ -1206,14 +1301,14 @@
*outputlen = len;
/* encrypt the `MAC part */
- rc = EVP_EncryptUpdate((EVP_CIPHER_CTX *)text->cipher_enc_context,
+ rc = EVP_EncryptUpdate((EVP_CIPHER_CTX *)text->crypto.enc_ctx,
(unsigned char *)output + *outputlen, &len,
digest, 10);
if (rc != 1) return SASL_FAIL;
*outputlen += len;
- rc = EVP_EncryptFinal_ex((EVP_CIPHER_CTX *)text->cipher_enc_context,
+ rc = EVP_EncryptFinal_ex((EVP_CIPHER_CTX *)text->crypto.enc_ctx,
(unsigned char *)output + *outputlen, &len);
if (rc != 1) return SASL_FAIL;
@@ -1221,188 +1316,11 @@
return SASL_OK;
}
-#else
-/* quick generic implementation of RC4 */
-struct rc4_context_s {
- unsigned char sbox[256];
- int i, j;
-};
-
-typedef struct rc4_context_s rc4_context_t;
-
-static void rc4_init(rc4_context_t *text,
- const unsigned char *key,
- unsigned keylen)
-{
- int i, j;
-
- /* fill in linearly s0=0 s1=1... */
- for (i=0;i<256;i++)
- text->sbox[i]=i;
-
- j=0;
- for (i = 0; i < 256; i++) {
- unsigned char tmp;
- /* j = (j + Si + Ki) mod 256 */
- j = (j + text->sbox[i] + key[i % keylen]) % 256;
-
- /* swap Si and Sj */
- tmp = text->sbox[i];
- text->sbox[i] = text->sbox[j];
- text->sbox[j] = tmp;
- }
-
- /* counters initialized to 0 */
- text->i = 0;
- text->j = 0;
-}
-
-static void rc4_encrypt(rc4_context_t *text,
- const char *input,
- char *output,
- unsigned len)
-{
- int tmp;
- int i = text->i;
- int j = text->j;
- int t;
- int K;
- const char *input_end = input + len;
-
- while (input < input_end) {
- i = (i + 1) % 256;
-
- j = (j + text->sbox[i]) % 256;
-
- /* swap Si and Sj */
- tmp = text->sbox[i];
- text->sbox[i] = text->sbox[j];
- text->sbox[j] = tmp;
-
- t = (text->sbox[i] + text->sbox[j]) % 256;
-
- K = text->sbox[t];
-
- /* byte K is Xor'ed with plaintext */
- *output++ = *input++ ^ K;
- }
-
- text->i = i;
- text->j = j;
-}
-
-static void rc4_decrypt(rc4_context_t *text,
- const char *input,
- char *output,
- unsigned len)
-{
- int tmp;
- int i = text->i;
- int j = text->j;
- int t;
- int K;
- const char *input_end = input + len;
-
- while (input < input_end) {
- i = (i + 1) % 256;
-
- j = (j + text->sbox[i]) % 256;
-
- /* swap Si and Sj */
- tmp = text->sbox[i];
- text->sbox[i] = text->sbox[j];
- text->sbox[j] = tmp;
-
- t = (text->sbox[i] + text->sbox[j]) % 256;
-
- K = text->sbox[t];
-
- /* byte K is Xor'ed with plaintext */
- *output++ = *input++ ^ K;
- }
-
- text->i = i;
- text->j = j;
-}
-
-static void free_rc4(context_t *text)
-{
- /* free rc4 context structures */
-
- if(text->cipher_enc_context) text->utils->free(text->cipher_enc_context);
- if(text->cipher_dec_context) text->utils->free(text->cipher_dec_context);
-}
-
-static int init_rc4(context_t *text,
- unsigned char enckey[16],
- unsigned char deckey[16])
-{
- /* allocate rc4 context structures */
- text->cipher_enc_context=
- (cipher_context_t *) text->utils->malloc(sizeof(rc4_context_t));
- if (text->cipher_enc_context == NULL) return SASL_NOMEM;
-
- text->cipher_dec_context=
- (cipher_context_t *) text->utils->malloc(sizeof(rc4_context_t));
- if (text->cipher_dec_context == NULL) return SASL_NOMEM;
-
- /* initialize them */
- rc4_init((rc4_context_t *) text->cipher_enc_context,
- (const unsigned char *) enckey, 16);
- rc4_init((rc4_context_t *) text->cipher_dec_context,
- (const unsigned char *) deckey, 16);
-
- return SASL_OK;
-}
-
-static int dec_rc4(context_t *text,
- const char *input,
- unsigned inputlen,
- unsigned char digest[16] __attribute__((unused)),
- char *output,
- unsigned *outputlen)
-{
- /* decrypt the text part & HMAC */
- rc4_decrypt((rc4_context_t *) text->cipher_dec_context,
- input, output, inputlen);
-
- /* no padding so we just subtract the HMAC to get the text length */
- *outputlen = inputlen - 10;
-
- return SASL_OK;
-}
-
-static int enc_rc4(context_t *text,
- const char *input,
- unsigned inputlen,
- unsigned char digest[16],
- char *output,
- unsigned *outputlen)
-{
- /* pad is zero */
- *outputlen = inputlen+10;
-
- /* encrypt the text part */
- rc4_encrypt((rc4_context_t *) text->cipher_enc_context,
- input,
- output,
- inputlen);
-
- /* encrypt the HMAC part */
- rc4_encrypt((rc4_context_t *) text->cipher_enc_context,
- (const char *) digest,
- (output)+inputlen, 10);
-
- return SASL_OK;
-}
-#endif /* HAVE_OPENSSL */
#endif /* WITH_RC4 */
struct digest_cipher available_ciphers[] =
{
#ifdef WITH_RC4
- { "rc4-40", 40, 5, 0x01, &enc_rc4, &dec_rc4, &init_rc4, &free_rc4 },
- { "rc4-56", 56, 7, 0x02, &enc_rc4, &dec_rc4, &init_rc4, &free_rc4 },
{ "rc4", 128, 16, 0x04, &enc_rc4, &dec_rc4, &init_rc4, &free_rc4 },
#endif
#ifdef WITH_DES
@@ -2815,6 +2733,7 @@
}
if (cptr->name) {
+ text->cipher_name = cptr->name;
text->cipher_enc = cptr->cipher_enc;
text->cipher_dec = cptr->cipher_dec;
text->cipher_init = cptr->cipher_init;
@@ -2958,7 +2877,10 @@
if (text->cipher_init) {
if (text->cipher_init(text, enckey, deckey) != SASL_OK) {
sparams->utils->seterror(sparams->utils->conn, 0,
- "couldn't init cipher");
+ "couldn't init cipher '%s'",
+ text->cipher_name);
+ result = SASL_FAIL;
+ goto FreeAllMem;
}
}
}
@@ -3509,6 +3431,7 @@
oparams->mech_ssf = ctext->cipher->ssf;
nbits = ctext->cipher->n;
+ text->cipher_name = ctext->cipher->name;
text->cipher_enc = ctext->cipher->cipher_enc;
text->cipher_dec = ctext->cipher->cipher_dec;
text->cipher_free = ctext->cipher->cipher_free;
@@ -3733,7 +3656,13 @@
/* initialize cipher if need be */
if (text->cipher_init) {
- text->cipher_init(text, enckey, deckey);
+ if (text->cipher_init(text, enckey, deckey) != SASL_OK) {
+ params->utils->seterror(params->utils->conn, 0,
+ "internal error: failed to init cipher '%s'",
+ text->cipher_name);
+ result = SASL_FAIL;
+ goto FreeAllocatedMem;
+ }
}
}

109
cyrus-sasl-2.1.27-cumulative-ossl3.patch Normal file
View File

@ -0,0 +1,109 @@
diff -uPr cyrus-sasl-2.1.27/configure.ac cyrus-sasl-2.1.27.ossl3/configure.ac
--- cyrus-sasl-2.1.27/configure.ac 2021-10-06 11:29:53.274375206 -0400
+++ cyrus-sasl-2.1.27.ossl3/configure.ac 2021-10-06 11:31:19.966726775 -0400
@@ -1115,7 +1115,11 @@
with_rc4=yes)
if test "$with_rc4" != no; then
- AC_DEFINE(WITH_RC4,[],[Use RC4])
+ if test "$with_openssl" = no; then
+ AC_WARN([OpenSSL not found -- RC4 will be disabled])
+ else
+ AC_DEFINE(WITH_RC4,[],[Use RC4])
+ fi
fi
building_for_macosx=no
diff -uPr cyrus-sasl-2.1.27/plugins/scram.c cyrus-sasl-2.1.27.ossl3/plugins/scram.c
--- cyrus-sasl-2.1.27/plugins/scram.c 2018-11-08 12:29:57.000000000 -0500
+++ cyrus-sasl-2.1.27.ossl3/plugins/scram.c 2021-10-06 11:31:04.407484201 -0400
@@ -65,7 +65,9 @@
#include <openssl/sha.h>
#include <openssl/evp.h>
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
#include <openssl/hmac.h>
+#endif
/***************************** Common Section *****************************/
@@ -267,6 +271,32 @@
}
#endif
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+
+/* Decalre as void given functions never use the result */
+void *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
+ const unsigned char *data, size_t data_len,
+ unsigned char *md, unsigned int *md_len)
+{
+ const char *digest;
+ size_t digest_size;
+ size_t out_len;
+ void *ret = NULL;
+
+ digest = EVP_MD_get0_name(evp_md);
+ if (digest == NULL) {
+ return NULL;
+ }
+ digest_size = EVP_MD_size(evp_md);
+
+ ret = EVP_Q_mac(NULL, "hmac", NULL, digest, NULL, key, key_len,
+ data, data_len, md, digest_size, &out_len);
+ if (ret != NULL) {
+ *md_len = (unsigned int)out_len;
+ }
+ return ret;
+}
+#endif
/* The result variable need to point to a buffer big enough for the [SHA-1] hash */
static void
diff -uPr cyrus-sasl-2.1.27/saslauthd/lak.c cyrus-sasl-2.1.27.ossl3/saslauthd/lak.c
--- cyrus-sasl-2.1.27/saslauthd/lak.c 2022-01-09 11:30:50.000000000 -0400
+++ cyrus-sasl-2.1.27.ossl3/saslauthd/lak.c 2022-01-09 11:30:50.000000001 -0400
@@ -1806,18 +1806,36 @@
return rc;
}
- EVP_DigestInit(mdctx, md);
- EVP_DigestUpdate(mdctx, passwd, strlen(passwd));
+ rc = EVP_DigestInit(mdctx, md);
+ if (rc != 1) {
+ rc = LAK_FAIL;
+ goto done;
+ }
+ rc = EVP_DigestUpdate(mdctx, passwd, strlen(passwd));
+ if (rc != 1) {
+ rc = LAK_FAIL;
+ goto done;
+ }
if (hrock->salted) {
- EVP_DigestUpdate(mdctx, &cred[EVP_MD_size(md)],
- clen - EVP_MD_size(md));
+ rc = EVP_DigestUpdate(mdctx, &cred[EVP_MD_size(md)],
+ clen - EVP_MD_size(md));
+ if (rc != 1) {
+ rc = LAK_FAIL;
+ goto done;
+ }
+ }
+ rc = EVP_DigestFinal(mdctx, digest, NULL);
+ if (rc != 1) {
+ rc = LAK_FAIL;
+ goto done;
}
- EVP_DigestFinal(mdctx, digest, NULL);
- EVP_MD_CTX_free(mdctx);
rc = memcmp((char *)cred, (char *)digest, EVP_MD_size(md));
+ rc = rc ? LAK_INVALID_PASSWORD : LAK_OK;
+done:
+ EVP_MD_CTX_free(mdctx);
free(cred);
- return rc ? LAK_INVALID_PASSWORD : LAK_OK;
+ return rc;
}
#endif /* HAVE_OPENSSL */

74
cyrus-sasl-2.1.27-fix-for-autoconf270.patch Normal file
View File

@ -0,0 +1,74 @@
From 3b0149cf3d235247b051b7cb7663bc3dadbb999b Mon Sep 17 00:00:00 2001
From: Pavel Raiskup <praiskup@redhat.com>
Date: Thu, 1 Apr 2021 17:17:52 +0200
Subject: [PATCH] configure.ac: avoid side-effects in AC_CACHE_VAL
In the COMMANDS-TO-SET-IT argument, per Autoconf docs:
https://www.gnu.org/software/autoconf/manual/autoconf-2.63/html_node/Caching-Results.html
---
configure.ac | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index a106d35e..d333496d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -220,11 +220,14 @@ void foo() { int i=0;}
int main() { void *self, *ptr1, *ptr2; self=dlopen(NULL,RTLD_LAZY);
if(self) { ptr1=dlsym(self,"foo"); ptr2=dlsym(self,"_foo");
if(ptr1 && !ptr2) exit(0); } exit(1); }
-], [sasl_cv_dlsym_adds_uscore=yes], sasl_cv_dlsym_adds_uscore=no
- AC_DEFINE(DLSYM_NEEDS_UNDERSCORE, [], [Do we need a leading _ for dlsym?]),
+], [sasl_cv_dlsym_adds_uscore=yes], sasl_cv_dlsym_adds_uscore=no,
AC_MSG_WARN(cross-compiler, we'll do our best)))
LIBS="$cmu_save_LIBS"
AC_MSG_RESULT($sasl_cv_dlsym_adds_uscore)
+
+ if test "$sasl_cv_dlsym_adds_uscore" = no; then
+ AC_DEFINE(DLSYM_NEEDS_UNDERSCORE, [], [Do we need a leading _ for dlsym?])
+ fi
fi
fi
From d3bcaf62f6213e7635e9c4a574f39a831e333980 Mon Sep 17 00:00:00 2001
From: Pavel Raiskup <praiskup@redhat.com>
Date: Thu, 1 Apr 2021 17:26:28 +0200
Subject: [PATCH] configure.ac: properly quote macro arguments
Autoconf 2.70+ is more picky about the quotation (even though with
previous versions the arguments should have been quoted, too). When we
don't quote macros inside the AC_CACHE_VAL macro - some of the Autoconf
initialization is wrongly ordered in ./configure script and we keep
seeing bugs like:
./configure: line 2165: ac_fn_c_try_run: command not found
Original report: https://bugzilla.redhat.com/1943013
---
configure.ac | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/configure.ac b/configure.ac
index d333496d..7281cba0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -213,15 +213,16 @@ if test $sasl_cv_uscore = yes; then
AC_MSG_CHECKING(whether dlsym adds the underscore for us)
cmu_save_LIBS="$LIBS"
LIBS="$LIBS $SASL_DL_LIB"
- AC_CACHE_VAL(sasl_cv_dlsym_adds_uscore,AC_TRY_RUN( [
+ AC_CACHE_VAL([sasl_cv_dlsym_adds_uscore],
+ [AC_TRY_RUN([
#include <dlfcn.h>
#include <stdio.h>
void foo() { int i=0;}
int main() { void *self, *ptr1, *ptr2; self=dlopen(NULL,RTLD_LAZY);
if(self) { ptr1=dlsym(self,"foo"); ptr2=dlsym(self,"_foo");
if(ptr1 && !ptr2) exit(0); } exit(1); }
-], [sasl_cv_dlsym_adds_uscore=yes], sasl_cv_dlsym_adds_uscore=no,
- AC_MSG_WARN(cross-compiler, we'll do our best)))
+], [sasl_cv_dlsym_adds_uscore=yes], [sasl_cv_dlsym_adds_uscore=no],
+ [AC_MSG_WARN(cross-compiler, we'll do our best)])])
LIBS="$cmu_save_LIBS"
AC_MSG_RESULT($sasl_cv_dlsym_adds_uscore)

51
cyrus-sasl-2.1.27-nostrncpy.patch Normal file
View File

@ -0,0 +1,51 @@
diff --git a/plugins/gssapi.c b/plugins/gssapi.c
index 5d900c5e..4688bb9a 100644
--- a/plugins/gssapi.c
+++ b/plugins/gssapi.c
@@ -1567,7 +1567,6 @@ int gssapiv2_server_plug_init(
{
#ifdef HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY
const char *keytab = NULL;
- char keytab_path[1024];
unsigned int rl;
#endif
@@ -1589,15 +1588,7 @@ int gssapiv2_server_plug_init(
return SASL_FAIL;
}
- if(strlen(keytab) > 1024) {
- utils->log(NULL, SASL_LOG_ERR,
- "path to keytab is > 1024 characters");
- return SASL_BUFOVER;
- }
-
- strncpy(keytab_path, keytab, 1024);
-
- gsskrb5_register_acceptor_identity(keytab_path);
+ gsskrb5_register_acceptor_identity(keytab);
}
#endif
diff --git a/plugins/ntlm.c b/plugins/ntlm.c
index aeb3ac34..8a7d9065 100644
--- a/plugins/ntlm.c
+++ b/plugins/ntlm.c
@@ -375,10 +375,15 @@ static unsigned char *P16_lm(unsigned char *P16, sasl_secret_t *passwd,
unsigned *buflen __attribute__((unused)),
int *result)
{
- char P14[14];
+ char P14[14] = { 0 };
+ int Plen;
unsigned char S8[] = { 0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25 };
- strncpy(P14, (const char *) passwd->data, sizeof(P14));
+ Plen = sizeof(P14);
+ if (passwd->len < Plen) {
+ Plen = passwd->len;
+ }
+ memcpy(P14, (const char *) passwd->data, Plen);
ucase(P14, sizeof(P14));
E(P16, (unsigned char *) P14, sizeof(P14), S8, sizeof(S8));

18
SOURCES/cyrus-sasl-2.1.27-CVE-2019-19906.patch → cyrus-sasl-cve-2019-19906.patch
View File

@ -1,18 +1,17 @@
From bcb6c06ec17728f7c9c492dc257b1e541a6830da Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 5 May 2020 14:41:06 -0400
Subject: [PATCH] CVE-2019-19906
From dcc9f51cbd4ed622cfb0f9b1c141eb2ffe3b12f1 Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount <quanah@symas.com>
Date: Tue, 18 Feb 2020 19:05:12 +0000
Subject: [PATCH] Fix #587
Backport of commit id:
dcc9f51cbd4ed622cfb0f9b1c141eb2ffe3b12f1
Off by one error in common.c, CVE-2019-19906.
Signed-off-by: Simo Sorce <simo@redhat.com>
Thanks to Stephan Zeisberg for reporting
---
lib/common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/common.c b/lib/common.c
index bc3bf1d..9969d6a 100644
index bc3bf1df..9969d6aa 100644
--- a/lib/common.c
+++ b/lib/common.c
@@ -190,7 +190,7 @@ int _sasl_add_string(char **out, size_t *alloclen,
@ -24,6 +23,3 @@ index bc3bf1d..9969d6a 100644
if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=SASL_OK)
return SASL_NOMEM;
--
2.18.2

3
SOURCES/cyrus-sasl-pr559-RC4-openssl.patch → cyrus-sasl-pr559-RC4-openssl.patch
View File

@ -13,7 +13,8 @@ diff --git a/configure.ac b/configure.ac
index 388f5d02..cfdee4a2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1102,12 +1102,11 @@ AC_ARG_WITH(configdir, [ --with-configdir=DIR set the directory where confi
@@ -1103,13 +1103,12 @@ AC_ARG_WITH(configdir, [ --with-configdir=DIR set the directory where confi
configdir='${plugindir}:${sysconfdir}/sasl2')
AC_SUBST(configdir)
-dnl look for rc4 libraries. we accept the CMU one or one from openSSL

224
SPECS/cyrus-sasl.spec → cyrus-sasl.spec
View File

@ -4,13 +4,15 @@
%global _plugindir2 %{_libdir}/sasl2
%global bootstrap_cyrus_sasl 0
%global gdbm_db_file /etc/sasl2/sasldb2
Summary: The Cyrus SASL library
Name: cyrus-sasl
Version: 2.1.27
Release: 6%{?dist}
Release: 21%{?dist}
License: BSD with advertising
Group: System Environment/Libraries
URL: https://www.cyrusimap.org/sasl/
# Source0 originally comes from https://www.cyrusimap.org/releases/;
# make-no-dlcompatorsrp-tarball.sh removes the "dlcompat" subdirectory and builds a
# new tarball.
@ -22,38 +24,53 @@ Source10: make-no-dlcompatorsrp-tarball.sh
# From upstream git, required for reconfigure after applying patches to configure.ac
# https://raw.githubusercontent.com/cyrusimap/cyrus-sasl/master/autogen.sh
Source11: autogen.sh
URL: https://www.cyrusimap.org/sasl/
Requires: %{name}-lib%{?_isa} = %{version}-%{release}
Patch11: cyrus-sasl-2.1.25-no_rpath.patch
Patch15: cyrus-sasl-2.1.20-saslauthd.conf-path.patch
Patch23: cyrus-sasl-2.1.23-man.patch
Patch24: cyrus-sasl-2.1.21-sizes.patch
# The 64 bit *INT8 type is not used anywhere and other types match
Patch49: cyrus-sasl-2.1.26-md5global.patch
Patch60: cyrus-sasl-pr559-RC4-openssl.patch
Patch830: cyrus-sasl-2.1.27-CVE-2019-19906.patch
Patch831: cyrus-sasl-2.1.27-Add-basic-test-infrastructure.patch
Patch832: cyrus-sasl-2.1.27-Add-Channel-Binding-support-for-GSSAPI-GSS-SPNEGO.patch
Patch833: cyrus-sasl-2.1.27-Add-support-for-setting-max-ssf-0-to-GSS-SPNEGO.patch
Patch834: cyrus-sasl-2.1.27-Emit-debug-log-only-in-case-of-errors.patch
Patch100: cyrus-sasl-cve-2019-19906.patch
Patch101: cyrus-sasl-2.1.27-Add-basic-test-infrastructure.patch
Patch102: cyrus-sasl-2.1.27-Add-Channel-Binding-support-for-GSSAPI-GSS-SPNEGO.patch
Patch103: cyrus-sasl-2.1.27-Add-support-for-setting-max-ssf-0-to-GSS-SPNEGO.patch
Patch104: cyrus-sasl-2.1.27-Emit-debug-log-only-in-case-of-errors.patch
Patch105: cyrus-sasl-2.1.27-fix-for-autoconf270.patch
#https://github.com/simo5/cyrus-sasl/commit/ebd2387f06c84c7f9aac3167ec041bb01e5c6e48
Patch106: cyrus-sasl-2.1.27-nostrncpy.patch
# Upstream PR: https://github.com/cyrusimap/cyrus-sasl/pull/635
Patch107: cyrus-sasl-2.1.27-Add-basic-test-plain-auth.patch
#Migration tool should be removed from RHEL10
Patch108: cyrus-sasl-2.1.27-Migration-from-BerkeleyDB.patch
Patch500: cyrus-sasl-2.1.27-coverity.patch
Patch501: cyrus-sasl-2.1.27-cumulative-digestmd5.patch
Patch502: cyrus-sasl-2.1.27-cumulative-ossl3.patch
Patch900: 0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: autoconf, automake, libtool, gdbm-devel, groff
BuildRequires: krb5-devel >= 1.2.2, openssl-devel, pam-devel, pkgconfig
BuildRequires: mariadb-connector-c-devel, postgresql-devel, zlib-devel
BuildRequires: libdb-devel
BuildRequires: krb5-devel >= 1.19, openssl-devel, pam-devel, pkgconfig
BuildRequires: mariadb-connector-c-devel, libpq-devel, zlib-devel
%if ! %{bootstrap_cyrus_sasl}
BuildRequires: openldap-devel
%endif
#build reqs for migration from BerkeleyDB
#should be removed from RHEL10
BuildRequires: libdb-devel-static
#build reqs for make check
BuildRequires: python36 nss_wrapper socket_wrapper krb5-server
BuildRequires: python3 nss_wrapper socket_wrapper krb5-server
%{?systemd_requires}
Requires(post): chkconfig
Requires: %{name}-lib = %{version}-%{release}
Requires: systemd
#Requires/Provides related to the saslauthd user creation
Requires: /sbin/nologin
Requires(pre): /usr/sbin/useradd /usr/sbin/groupadd
Requires(postun): /usr/sbin/userdel /usr/sbin/groupdel
Requires: /sbin/nologin
Requires: systemd >= 211
Provides: user(%username)
Provides: group(%username)
@ -64,7 +81,6 @@ SASL is the Simple Authentication and Security Layer, a method for
adding authentication support to connection-based protocols.
%package lib
Group: System Environment/Libraries
Summary: Shared libraries needed by applications which use Cyrus SASL
%description lib
@ -72,10 +88,9 @@ The %{name}-lib package contains shared libraries which are needed by
applications which use the Cyrus SASL library.
%package devel
Requires: %{name}-lib%{?_isa} = %{version}-%{release}
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: %{name}-lib = %{version}-%{release}
Requires: %{name} = %{version}-%{release}
Requires: pkgconfig
Group: Development/Libraries
Summary: Files needed for developing applications with Cyrus SASL
%description devel
@ -84,7 +99,6 @@ compiling applications which use the Cyrus SASL library.
%package gssapi
Requires: %{name}-lib%{?_isa} = %{version}-%{release}
Group: System Environment/Libraries
Summary: GSSAPI authentication support for Cyrus SASL
%description gssapi
@ -94,7 +108,6 @@ authentication.
%package plain
Requires: %{name}-lib%{?_isa} = %{version}-%{release}
Group: System Environment/Libraries
Summary: PLAIN and LOGIN authentication support for Cyrus SASL
%description plain
@ -103,7 +116,6 @@ PLAIN and LOGIN authentication schemes.
%package md5
Requires: %{name}-lib%{?_isa} = %{version}-%{release}
Group: System Environment/Libraries
Summary: CRAM-MD5 and DIGEST-MD5 authentication support for Cyrus SASL
%description md5
@ -112,7 +124,6 @@ CRAM-MD5 and DIGEST-MD5 authentication schemes.
%package ntlm
Requires: %{name}-lib%{?_isa} = %{version}-%{release}
Group: System Environment/Libraries
Summary: NTLM authentication support for Cyrus SASL
%description ntlm
@ -122,7 +133,6 @@ the NTLM authentication scheme.
# This would more appropriately be named cyrus-sasl-auxprop-sql.
%package sql
Requires: %{name}-lib%{?_isa} = %{version}-%{release}
Group: System Environment/Libraries
Summary: SQL auxprop support for Cyrus SASL
%description sql
@ -133,7 +143,6 @@ using a RDBMS for storing shared secrets.
# This was *almost* named cyrus-sasl-auxprop-ldapdb, but that's a lot of typing.
%package ldap
Requires: %{name}-lib%{?_isa} = %{version}-%{release}
Group: System Environment/Libraries
Summary: LDAP auxprop support for Cyrus SASL
%description ldap
@ -143,7 +152,6 @@ a directory server, accessed using LDAP, for storing shared secrets.
%package scram
Requires: %{name}-lib%{?_isa} = %{version}-%{release}
Group: System Environment/Libraries
Summary: SCRAM auxprop support for Cyrus SASL
%description scram
@ -152,7 +160,6 @@ the SCRAM authentication scheme.
%package gs2
Requires: %{name}-lib%{?_isa} = %{version}-%{release}
Group: System Environment/Libraries
Summary: GS2 support for Cyrus SASL
%description gs2
@ -170,11 +177,18 @@ the GS2 authentication scheme.
%patch24 -p1 -b .sizes
%patch49 -p1 -b .md5global.h
%patch60 -p1 -b .openssl_rc4
%patch830 -p1 -b .CVE-2019-19906
%patch831 -p1 -b .tests
%patch832 -p1 -b .gssapi_cbs
%patch833 -p1 -b .maxssf0
%patch834 -p1 -b .nolog
%patch100 -p1 -b .cve_2019_19906
%patch101 -p1 -b .tests
%patch102 -p1 -b .gssapi_cbs
%patch103 -p1 -b .maxssf0
%patch104 -p1 -b .nolog
%patch105 -p1 -b .autoconf270
%patch106 -p1 -b .nostrncpy
%patch107 -p1 -b .plaintests
%patch108 -p1 -b .frombdb
%patch500 -p1 -b .coverity
%patch501 -p1 -b .digestmd5
%patch502 -p1 -b .ossl3
%patch900 -p1 -b .CVE-2022-24407
%build
@ -220,14 +234,7 @@ if test x"$LIB_DIR" != "x-L%{_libdir}"; then
LDFLAGS="$LIB_DIR $LDFLAGS"; export LDFLAGS
fi
# Patch config.sub to support ppc64p7 subarch (Fedora specific)
# This is similar to what the config.sub from automake has
for i in `find . -name config.sub`; do
perl -pi -e "s/ppc64-\*/ppc64-\* \| ppc64p7-\*/" $i
done
CFLAGS="$RPM_OPT_FLAGS $CFLAGS $CPPFLAGS -fPIC -pie -Wl,-z,relro -Wl,-z,now"; export CFLAGS
LDFLAGS="$LDFLAGS -pie -Wl,-z,now"; export LDFLAGS
echo "$CFLAGS"
echo "$CPPFLAGS"
@ -242,8 +249,8 @@ echo "$LDFLAGS"
--enable-gssapi${krb5_prefix:+=${krb5_prefix}} \
--with-gss_impl=mit \
--with-rc4 \
--with-dblib=berkeley \
--with-bdb=db \
--with-dblib=gdbm \
--with-dbpath=%{gdbm_db_file} \
--with-saslauthd=/run/saslauthd --without-pwcheck \
%if ! %{bootstrap_cyrus_sasl}
--with-ldap \
@ -285,6 +292,8 @@ install -m755 -d $RPM_BUILD_ROOT%{_bindir}
install -m755 sample/client $RPM_BUILD_ROOT%{_bindir}/sasl2-sample-client
./libtool --mode=install \
install -m755 sample/server $RPM_BUILD_ROOT%{_bindir}/sasl2-sample-server
#Migration tool should be removed from RHEL10
mv $RPM_BUILD_ROOT%{_sbindir}/cyrusbdb2current $RPM_BUILD_ROOT%{_bindir}/cyrusbdb2current
./libtool --mode=install \
install -m755 saslauthd/testsaslauthd $RPM_BUILD_ROOT%{_sbindir}/testsaslauthd
@ -294,9 +303,8 @@ install -m755 -d $RPM_BUILD_ROOT%{_mandir}/man8/
install -m644 -p saslauthd/saslauthd.mdoc $RPM_BUILD_ROOT%{_mandir}/man8/saslauthd.8
install -m644 -p saslauthd/testsaslauthd.8 $RPM_BUILD_ROOT%{_mandir}/man8/testsaslauthd.8
# Install the init script for saslauthd and the init script's config file.
install -m755 -d $RPM_BUILD_ROOT/etc/rc.d/init.d $RPM_BUILD_ROOT/etc/sysconfig
install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
# Install the systemd unit file for saslauthd and the config file.
install -d -m755 $RPM_BUILD_ROOT/%{_unitdir} $RPM_BUILD_ROOT/etc/sysconfig
install -m644 -p %{SOURCE5} $RPM_BUILD_ROOT/%{_unitdir}/saslauthd.service
install -m644 -p %{SOURCE9} $RPM_BUILD_ROOT/etc/sysconfig/saslauthd
@ -331,16 +339,9 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir}
%postun
%systemd_postun_with_restart saslauthd.service
%triggerun -n cyrus-sasl -- cyrus-sasl < 2.1.23-32
/usr/bin/systemd-sysv-convert --save saslauthd >/dev/null 2>&1 || :
/sbin/chkconfig --del saslauthd >/dev/null 2>&1 || :
/bin/systemctl try-restart saslauthd.service >/dev/null 2>&1 || :
%post lib -p /sbin/ldconfig
%postun lib -p /sbin/ldconfig
%ldconfig_scriptlets lib
%files
%defattr(-,root,root)
%doc saslauthd/LDAP_SASLAUTHD
%{_mandir}/man8/*
%{_sbindir}/pluginviewer
@ -351,7 +352,6 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir}
%ghost /run/saslauthd
%files lib
%defattr(-,root,root)
%license COPYING
%doc AUTHORS doc/html/*.html
%{_libdir}/libsasl*.so.*
@ -361,45 +361,37 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir}
%{_plugindir2}/*sasldb*.so*
%{_sbindir}/saslpasswd2
%{_sbindir}/sasldblistusers2
%{_bindir}/cyrusbdb2current
%files plain
%defattr(-,root,root)
%{_plugindir2}/*plain*.so*
%{_plugindir2}/*login*.so*
%if ! %{bootstrap_cyrus_sasl}
%files ldap
%defattr(-,root,root)
%{_plugindir2}/*ldapdb*.so*
%endif
%files md5
%defattr(-,root,root)
%{_plugindir2}/*crammd5*.so*
%{_plugindir2}/*digestmd5*.so*
%files ntlm
%defattr(-,root,root)
%{_plugindir2}/*ntlm*.so*
%files sql
%defattr(-,root,root)
%{_plugindir2}/*sql*.so*
%files gssapi
%defattr(-,root,root)
%{_plugindir2}/*gssapi*.so*
%files scram
%defattr(-,root,root)
%{_plugindir2}/libscram.so*
%files gs2
%defattr(-,root,root)
%{_plugindir2}/libgs2.so*
%files devel
%defattr(-,root,root)
%{_bindir}/sasl2-sample-client
%{_bindir}/sasl2-sample-server
%{_includedir}/*
@ -409,40 +401,96 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir}
%{_sbindir}/sasl2-shared-mechlist
%changelog
* Thu Feb 17 2022 Simo Sorce <simo@redhat.com> - 2.1.27-6
* Mon Aug 1 2022 Simo Sorce <simo@redhat.com> - 2.1.27-21
- Fix memleak
* Wed Feb 23 2022 Simo Sorce <simo@redhat.com> - 2.1.27-20
- Fix for CVE-2022-24407
- Resolves: rhbz#2055846
- Resolves: rhbz#2055848
* Tue May 5 2020 Simo Sorce <simo@redhat.com> - 2.1.27-5
- Reduce excessive GSSAPI plugin logging
- Resolves: rhbz#1274734
* Wed Feb 9 2022 Simo Sorce <simo@redhat.com> - 2.1.27-19
- Fix a memleak in one of the OpenSSL 3 compat patches
found by covscan
* Tue May 5 2020 Simo Sorce <simo@redhat.com> - 2.1.27-4
- Add support for setting maxssf=0 in GSS-SPNEGO
- Resolves: rhbz#1822133
* Mon Feb 7 2022 Simo Sorce <simo@redhat.com> - 2.1.27-18
- Update OpenSSL 3 related compatibility patch backports
* Tue May 5 2020 Simo Sorce <simo@redhat.com> - 2.1.27-3
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.1.27-17
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Jul 28 2021 Simo Sorce <simo@redhat.com> - 2.1.27-16
- Rebuild to pass gating after fixing rhbz#1983928
* Wed Jul 28 2021 Florian Weimer <fweimer@redhat.com> - 2.1.27-15
- Rebuild to pick up OpenSSL 3.0 Beta ABI (#1984097)
* Mon Jul 19 2021 Simo Sorce <simo@redhat.com> - 2.1.27-14
- Fix crashs on missing legacy algorithms
Resolves: rhbz#1974354
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.1.27-13
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Fri Jun 04 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 2.1.27-12
- Incorporate the upstream gdbm specific patch from
https://github.com/cyrusimap/cyrus-sasl/pull/554
- Resolves rhbz#1947971
* Wed Apr 28 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 2.1.27-11
- Set default sasldb database to GDBM instead of BerkeleyDB
- Add the migration tool from BerkeleyDB
- Add some PLAIN auth tests
- Resolves rhbz#1947971
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2.1.27-10
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Mon Apr 12 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 2.1.27-9
- Coverity-related fixes (#1938700)
* Mon Feb 08 2021 Pavel Raiskup <praiskup@redhat.com> - 2.1.27-8
- rebuild for libpq ABI fix rhbz#1908268
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.27-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.27-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Thu May 7 2020 Simo Sorce <simo@redhat.com> - 2.1.27-5
- Backport GSSAPI Channel Bindings support
- Resolves: rhbz#1817054
- Add support for setting maxssf=0 in GSS-SPNEGO
- Reduce excessive GSSAPI plugin logging
* Tue May 5 2020 Simo Sorce <simo@redhat.com> - 2.1.27-2
- Backport fix for CVE-2019-19906
- Resolves: rhbz#1804036
* Thu Mar 19 2020 Simo Sorce - 2.1.27-4
- Fix CVE 2019 19906
* Fri Jun 14 2019 Simo Sorce <simo@redhat.com> - 2.1.27-1
- Rc7 to final source
- Resovles bz#1618744
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.27-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jun 13 2019 Simo Sorce <simo@redhat.com> - 2.1.27-0.4rc7
- Add patch form Upstream PR559 to use RC4 implementation from OpenSSL
- Resolves bz#1618744
- Fix multilib issue bz#1663120
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.27-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Mon Jul 30 2018 Florian Weimer <fweimer@redhat.com> - 2.1.27-0.3rc7
- Rebuild with fixed binutils
* Thu Jun 13 2019 Simo Sorce - 2.1.27-1
- Update to final 2.1.27 sources
- Also add patch to use OpenSSL RC4, currently proposed as PR 559
* Wed Jul 25 2018 Petr Kubat <pkubat@redhat.com> - 2.1.27-0.2rc7
- Rebuilt for gdbm
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.27-0.6rc7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 2.1.27-0.5rc7
- Rebuilt for libcrypt.so.2 (#1666033)
* Sun Oct 14 2018 Peter Robinson <pbrobinson@fedoraproject.org> 2.1.27-0.4rc7
- Clean up remanents of sys-v, spec cleanups
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.27-0.3rc7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu May 17 2018 Jakub Jelen <jjelen@redhat.com> - 2.1.27-0.2rc7
- Avoid multilib conflicts between devel subpackages (#1577675)
* Mon Mar 05 2018 Jakub Jelen <jjelen@redhat.com> - 2.1.27-0.1rc7
- New upstream (pre-)release

7
gating.yaml Normal file
View File

@ -0,0 +1,7 @@
--- !Policy
product_versions:
- rhel-9
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation}

2
SOURCES/make-no-dlcompatorsrp-tarball.sh → make-no-dlcompatorsrp-tarball.sh
View File

@ -1,6 +1,6 @@
#!/bin/bash -e
#
# See ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/ for unmodified sources.
# See https://github.com/cyrusimap/cyrus-sasl/releases for unmodified sources.
#
tmppath=`mktemp -d ${TMPDIR:-/tmp}/make-no-dlcompat-tarball-XXXXXX`

0
SOURCES/sasl-mechlist.c → sasl-mechlist.c
View File

0
SOURCES/saslauthd.service → saslauthd.service
View File

0
SOURCES/saslauthd.sysconfig → saslauthd.sysconfig
View File

1
sources Normal file
View File

@ -0,0 +1 @@
SHA512 (cyrus-sasl-2.1.27-nodlcompatorsrp.tar.gz) = 86c45f729d5cf0aacc20c880d1cea5d927536c602d5d5866838036f00babfd5b89cb94d14a2c6ca4d78073f8f5c08da0f1f64a9a32b26c5f1e28b0d9246fd38e