rpms/cyrus-sasl
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

base: rpms:c8
Branches Tags
rpms:c8
rpms:c10s
rpms:c9
rpms:c9-beta
rpms:c8s
rpms:c9s
rpms:c8-beta
rpms:imports/c10s/cyrus-sasl-2.1.28-25.el10
rpms:imports/c10s/cyrus-sasl-2.1.28-1.el10
rpms:imports/c10s/cyrus-sasl-2.1.28-23.el10
rpms:imports/c9/cyrus-sasl-2.1.27-21.el9
rpms:imports/c9-beta/cyrus-sasl-2.1.27-21.el9
rpms:imports/c9/cyrus-sasl-2.1.27-20.el9
rpms:imports/c9-beta/cyrus-sasl-2.1.27-20.el9
rpms:imports/c8-beta/cyrus-sasl-2.1.27-6.el8_5
rpms:imports/c9-beta/cyrus-sasl-2.1.27-19.el9
rpms:imports/c8/cyrus-sasl-2.1.27-6.el8_5
rpms:imports/c9-beta/cyrus-sasl-2.1.27-17.el9
rpms:imports/c8-beta/cyrus-sasl-2.1.27-5.el8
rpms:imports/c8-beta/cyrus-sasl-2.1.27-1.el8
rpms:imports/c8s/cyrus-sasl-2.1.27-5.el8
rpms:imports/c8/cyrus-sasl-2.1.27-5.el8
rpms:imports/c8/cyrus-sasl-2.1.27-1.el8
rpms:imports/c8/cyrus-sasl-2.1.27-0.3rc7.el8
..
compare: rpms:c9-beta
Branches Tags
rpms:c10s
rpms:c9
rpms:c9-beta
rpms:c8s
rpms:c9s
rpms:c8-beta
rpms:c8
rpms:imports/c10s/cyrus-sasl-2.1.28-25.el10
rpms:imports/c10s/cyrus-sasl-2.1.28-1.el10
rpms:imports/c10s/cyrus-sasl-2.1.28-23.el10
rpms:imports/c9/cyrus-sasl-2.1.27-21.el9
rpms:imports/c9-beta/cyrus-sasl-2.1.27-21.el9
rpms:imports/c9/cyrus-sasl-2.1.27-20.el9
rpms:imports/c9-beta/cyrus-sasl-2.1.27-20.el9
rpms:imports/c8-beta/cyrus-sasl-2.1.27-6.el8_5
rpms:imports/c9-beta/cyrus-sasl-2.1.27-19.el9
rpms:imports/c8/cyrus-sasl-2.1.27-6.el8_5
rpms:imports/c9-beta/cyrus-sasl-2.1.27-17.el9
rpms:imports/c8-beta/cyrus-sasl-2.1.27-5.el8
rpms:imports/c8-beta/cyrus-sasl-2.1.27-1.el8
rpms:imports/c8s/cyrus-sasl-2.1.27-5.el8
rpms:imports/c8/cyrus-sasl-2.1.27-5.el8
rpms:imports/c8/cyrus-sasl-2.1.27-1.el8
rpms:imports/c8/cyrus-sasl-2.1.27-0.3rc7.el8

No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

11 changed files with 1962 additions and 101 deletions
Show Stats Expand all files Collapse all files

411
SOURCES/cyrus-sasl-2.1.27-Add-basic-test-plain-auth.patch Normal file
View File

@ -0,0 +1,411 @@
diff -Nru cyrus-sasl-2.1.27/tests/runtests.py cyrus-sasl-2.1.27-beldmit/tests/runtests.py
--- cyrus-sasl-2.1.27/tests/runtests.py 2020-12-23 14:31:35.564537485 +0100
+++ cyrus-sasl-2.1.27-beldmit/tests/runtests.py 2020-12-23 14:30:46.933219377 +0100
@@ -313,6 +313,99 @@
return err
+def setup_plain(testdir):
+ """ Create sasldb file """
+ sasldbfile = os.path.join(testdir, 'testsasldb.db')
+
+ sasldbenv = {'SASL_PATH': os.path.join(testdir, '../../plugins/.libs'),
+ 'LD_LIBRARY_PATH' : os.path.join(testdir, '../../lib/.libs')}
+
+ passwdprog = os.path.join(testdir, '../../utils/saslpasswd2')
+
+ echo = subprocess.Popen(('echo', '1234567'), stdout=subprocess.PIPE)
+ subprocess.check_call([
+ passwdprog, "-f", sasldbfile, "-c", "test",
+ "-u", "host.realm.test", "-p"
+ ], stdin=echo.stdout, env=sasldbenv, timeout=5)
+
+ return (sasldbfile, sasldbenv)
+
+def plain_test(sasldbfile, sasldbenv):
+ try:
+ srv = subprocess.Popen(["../tests/t_gssapi_srv", "-P", sasldbfile],
+ stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE, env=sasldbenv)
+ srv.stdout.readline() # Wait for srv to say it is ready
+ cli = subprocess.Popen(["../tests/t_gssapi_cli", "-P", "1234567"],
+ stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE, env=sasldbenv)
+ try:
+ cli.wait(timeout=5)
+ srv.wait(timeout=5)
+ except Exception as e:
+ print("Failed on {}".format(e));
+ cli.kill()
+ srv.kill()
+ if cli.returncode != 0 or srv.returncode != 0:
+ raise Exception("CLI ({}): {} --> SRV ({}): {}".format(
+ cli.returncode, cli.stderr.read().decode('utf-8'),
+ srv.returncode, srv.stderr.read().decode('utf-8')))
+ except Exception as e:
+ print("FAIL: {}".format(e))
+ return 1
+
+ print("PASS: PLAIN CLI({}) SRV({})".format(
+ cli.stdout.read().decode('utf-8').strip(),
+ srv.stdout.read().decode('utf-8').strip()))
+ return 0
+
+def plain_mismatch_test(sasldbfile, sasldbenv):
+ result = "FAIL"
+ try:
+ srv = subprocess.Popen(["../tests/t_gssapi_srv", "-P", sasldbfile],
+ stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE, env=sasldbenv)
+ srv.stdout.readline() # Wait for srv to say it is ready
+ bindings = base64.b64encode("CLI CBS".encode('utf-8'))
+ cli = subprocess.Popen(["../tests/t_gssapi_cli", "-P", "12345678"],
+ stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE, env=sasldbenv)
+ try:
+ cli.wait(timeout=5)
+ srv.wait(timeout=5)
+ except Exception as e:
+ print("Failed on {}".format(e));
+ cli.kill()
+ srv.kill()
+ if cli.returncode != 0 or srv.returncode != 0:
+ cli_err = cli.stderr.read().decode('utf-8').strip()
+ srv_err = srv.stderr.read().decode('utf-8').strip()
+ if "authentication failure" in srv_err:
+ result = "PASS"
+ raise Exception("CLI ({}): {} --> SRV ({}): {}".format(
+ cli.returncode, cli_err, srv.returncode, srv_err))
+ except Exception as e:
+ print("{}: {}".format(result, e))
+ return 0
+
+ print("FAIL: This test should fail [CLI({}) SRV({})]".format(
+ cli.stdout.read().decode('utf-8').strip(),
+ srv.stdout.read().decode('utf-8').strip()))
+ return 1
+
+def plain_tests(testdir):
+ err = 0
+ sasldbfile, sasldbenv = setup_plain(testdir)
+ #print("DB file: {}, ENV: {}".format(sasldbfile, sasldbenv))
+ print('SASLDB PLAIN:')
+ print(' ', end='')
+ err += plain_test(sasldbfile, sasldbenv)
+
+ print('SASLDB PLAIN PASSWORD MISMATCH:')
+ print(' ', end='')
+ err += plain_mismatch_test(sasldbfile, sasldbenv)
+
+ return err
if __name__ == "__main__":
@@ -329,5 +422,9 @@
err = gssapi_tests(T)
if err != 0:
- print('{} test(s) FAILED'.format(err))
+ print('{} GSSAPI test(s) FAILED'.format(err))
+
+ err = plain_tests(T)
+ if err != 0:
+ print('{} PLAIN test(s) FAILED'.format(err))
sys.exit(-1)
diff -Nru cyrus-sasl-2.1.27/tests/t_gssapi_cli.c cyrus-sasl-2.1.27-beldmit/tests/t_gssapi_cli.c
--- cyrus-sasl-2.1.27/tests/t_gssapi_cli.c 2020-12-23 14:31:35.564537485 +0100
+++ cyrus-sasl-2.1.27-beldmit/tests/t_gssapi_cli.c 2021-01-06 11:26:15.460662537 +0100
@@ -16,6 +16,8 @@
#include <saslplug.h>
#include <saslutil.h>
+const char *testpass = NULL;
+
static int setup_socket(void)
{
struct sockaddr_in addr;
@@ -34,9 +36,60 @@
return sock;
}
+static int get_user(void *context __attribute__((unused)),
+ int id,
+ const char **result,
+ unsigned *len)
+{
+ const char *testuser = "test@host.realm.test";
+
+ if (! result)
+ return SASL_BADPARAM;
+
+ switch (id) {
+ case SASL_CB_USER:
+ case SASL_CB_AUTHNAME:
+ *result = testuser;
+ break;
+ default:
+ return SASL_BADPARAM;
+ }
+
+ if (len) *len = strlen(*result);
+
+ return SASL_OK;
+}
+
+static int get_pass(sasl_conn_t *conn __attribute__((unused)),
+ void *context __attribute__((unused)),
+ int id,
+ sasl_secret_t **psecret)
+{
+ size_t len;
+ static sasl_secret_t *x;
+
+ /* paranoia check */
+ if (! conn || ! psecret || id != SASL_CB_PASS)
+ return SASL_BADPARAM;
+
+ len = strlen(testpass);
+
+ x = (sasl_secret_t *) realloc(x, sizeof(sasl_secret_t) + len);
+
+ if (!x) {
+ return SASL_NOMEM;
+ }
+
+ x->len = len;
+ strcpy((char *)x->data, testpass);
+
+ *psecret = x;
+ return SASL_OK;
+}
+
int main(int argc, char *argv[])
{
- sasl_callback_t callbacks[2] = {};
+ sasl_callback_t callbacks[4] = {};
char buf[8192];
const char *chosenmech;
sasl_conn_t *conn;
@@ -49,8 +102,9 @@
const char *sasl_mech = "GSSAPI";
bool spnego = false;
bool zeromaxssf = false;
+ bool plain = false;
- while ((c = getopt(argc, argv, "c:zN")) != EOF) {
+ while ((c = getopt(argc, argv, "c:zNP:")) != EOF) {
switch (c) {
case 'c':
parse_cb(&cb, cb_buf, 256, optarg);
@@ -61,6 +115,10 @@
case 'N':
spnego = true;
break;
+ case 'P':
+ plain = true;
+ testpass = optarg;
+ break;
default:
break;
}
@@ -73,6 +131,12 @@
callbacks[1].id = SASL_CB_LIST_END;
callbacks[1].proc = NULL;
callbacks[1].context = NULL;
+ callbacks[2].id = SASL_CB_LIST_END;
+ callbacks[2].proc = NULL;
+ callbacks[2].context = NULL;
+ callbacks[3].id = SASL_CB_LIST_END;
+ callbacks[3].proc = NULL;
+ callbacks[3].context = NULL;
r = sasl_client_init(callbacks);
if (r != SASL_OK) exit(-1);
@@ -91,6 +155,16 @@
sasl_mech = "GSS-SPNEGO";
}
+ if (plain) {
+ sasl_mech = "PLAIN";
+
+ callbacks[1].id = SASL_CB_AUTHNAME;
+ callbacks[1].proc = (sasl_callback_ft)&get_user;
+
+ callbacks[2].id = SASL_CB_PASS;
+ callbacks[2].proc = (sasl_callback_ft)&get_pass;
+ }
+
if (zeromaxssf) {
/* set all security properties to 0 including maxssf */
sasl_security_properties_t secprops = { 0 };
@@ -99,9 +173,9 @@
r = sasl_client_start(conn, sasl_mech, NULL, &data, &len, &chosenmech);
if (r != SASL_OK && r != SASL_CONTINUE) {
- saslerr(r, "starting SASL negotiation");
- printf("\n%s\n", sasl_errdetail(conn));
- exit(-1);
+ saslerr(r, "starting SASL negotiation");
+ printf("\n%s\n", sasl_errdetail(conn));
+ exit(-1);
}
sd = setup_socket();
@@ -111,11 +185,11 @@
len = 8192;
recv_string(sd, buf, &len, false);
- r = sasl_client_step(conn, buf, len, NULL, &data, &len);
- if (r != SASL_OK && r != SASL_CONTINUE) {
- saslerr(r, "performing SASL negotiation");
- printf("\n%s\n", sasl_errdetail(conn));
- exit(-1);
+ r = sasl_client_step(conn, buf, len, NULL, &data, &len);
+ if (r != SASL_OK && r != SASL_CONTINUE) {
+ saslerr(r, "performing SASL negotiation");
+ printf("\n%s\n", sasl_errdetail(conn));
+ exit(-1);
}
}
diff -Nru cyrus-sasl-2.1.27/tests/t_gssapi_srv.c cyrus-sasl-2.1.27-beldmit/tests/t_gssapi_srv.c
--- cyrus-sasl-2.1.27/tests/t_gssapi_srv.c 2020-12-23 14:31:35.565537492 +0100
+++ cyrus-sasl-2.1.27-beldmit/tests/t_gssapi_srv.c 2021-01-06 11:27:48.373257373 +0100
@@ -1,4 +1,5 @@
-/* Copyright (C) Simo Sorce <simo@redhat.com>
+/* Copyright (C) Simo Sorce <simo@redhat.com>,
+ * Dmitry Belyavskiy <dbelyavs@redhat.com>
* See COPYING file for License */
#include "t_common.h"
@@ -15,6 +16,10 @@
#include <arpa/inet.h>
#include <saslplug.h>
+const char *sasldb_path = NULL,
+ *auxprop_plugin = "sasldb",
+ *pwcheck_method = "auxprop-hashed";
+
static int setup_socket(void)
{
struct sockaddr_in addr;
@@ -45,9 +50,38 @@
return sd;
}
+static int test_getopt(void *context __attribute__((unused)),
+ const char *plugin_name __attribute__((unused)),
+ const char *option,
+ const char **result,
+ unsigned *len)
+{
+ if (sasldb_path && !strcmp(option, "sasldb_path")) {
+ *result = sasldb_path;
+ if (len)
+ *len = (unsigned) strlen(sasldb_path);
+ return SASL_OK;
+ }
+
+ if (sasldb_path && !strcmp(option, "auxprop_plugin")) {
+ *result = auxprop_plugin;
+ if (len)
+ *len = (unsigned) strlen(auxprop_plugin);
+ return SASL_OK;
+ }
+
+ if (sasldb_path && !strcmp(option, "pwcheck_method")) {
+ *result = pwcheck_method;
+ if (len)
+ *len = (unsigned) strlen(pwcheck_method);
+ return SASL_OK;
+ }
+ return SASL_FAIL;
+}
+
int main(int argc, char *argv[])
{
- sasl_callback_t callbacks[2] = {};
+ sasl_callback_t callbacks[3] = {};
char buf[8192];
sasl_conn_t *conn;
const char *data;
@@ -59,8 +93,9 @@
const char *sasl_mech = "GSSAPI";
bool spnego = false;
bool zeromaxssf = false;
+ bool plain = false;
- while ((c = getopt(argc, argv, "c:zN")) != EOF) {
+ while ((c = getopt(argc, argv, "c:zNP:")) != EOF) {
switch (c) {
case 'c':
parse_cb(&cb, cb_buf, 256, optarg);
@@ -71,6 +106,10 @@
case 'N':
spnego = true;
break;
+ case 'P':
+ plain = true;
+ sasldb_path = optarg;
+ break;
default:
break;
}
@@ -81,9 +120,12 @@
callbacks[0].id = SASL_CB_GETPATH;
callbacks[0].proc = (sasl_callback_ft)&getpath;
callbacks[0].context = NULL;
- callbacks[1].id = SASL_CB_LIST_END;
- callbacks[1].proc = NULL;
+ callbacks[1].id = SASL_CB_GETOPT;
+ callbacks[1].proc = (sasl_callback_ft)&test_getopt;
callbacks[1].context = NULL;
+ callbacks[2].id = SASL_CB_LIST_END;
+ callbacks[2].proc = NULL;
+ callbacks[2].context = NULL;
r = sasl_server_init(callbacks, "t_gssapi_srv");
if (r != SASL_OK) exit(-1);
@@ -103,6 +145,10 @@
sasl_mech = "GSS-SPNEGO";
}
+ if (plain) {
+ sasl_mech = "PLAIN";
+ }
+
if (zeromaxssf) {
/* set all security properties to 0 including maxssf */
sasl_security_properties_t secprops = { 0 };
@@ -116,9 +162,9 @@
r = sasl_server_start(conn, sasl_mech, buf, len, &data, &len);
if (r != SASL_OK && r != SASL_CONTINUE) {
- saslerr(r, "starting SASL negotiation");
- printf("\n%s\n", sasl_errdetail(conn));
- exit(-1);
+ saslerr(r, "starting SASL negotiation");
+ printf("\n%s\n", sasl_errdetail(conn));
+ exit(-1);
}
while (r == SASL_CONTINUE) {
@@ -126,12 +172,12 @@
len = 8192;
recv_string(sd, buf, &len, true);
- r = sasl_server_step(conn, buf, len, &data, &len);
- if (r != SASL_OK && r != SASL_CONTINUE) {
- saslerr(r, "performing SASL negotiation");
- printf("\n%s\n", sasl_errdetail(conn));
- exit(-1);
- }
+ r = sasl_server_step(conn, buf, len, &data, &len);
+ if (r != SASL_OK && r != SASL_CONTINUE) {
+ saslerr(r, "performing SASL negotiation");
+ printf("\n%s\n", sasl_errdetail(conn));
+ exit(-1);
+ }
}
if (r != SASL_OK) exit(-1);

569
SOURCES/cyrus-sasl-2.1.27-Migration-from-BerkeleyDB.patch Normal file
View File

@ -0,0 +1,569 @@
diff -up cyrus-sasl-2.1.27/configure.ac.frombdb cyrus-sasl-2.1.27/configure.ac
--- cyrus-sasl-2.1.27/configure.ac.frombdb 2021-06-04 13:02:07.790112263 +0200
+++ cyrus-sasl-2.1.27/configure.ac 2021-06-04 13:02:07.798112327 +0200
@@ -1091,6 +1091,9 @@ AC_SUBST(SASL_STATIC_SRCS)
AC_SUBST(SASL_STATIC_OBJS)
AC_SUBST(SASL_STATIC_LIBS)
+CYRUS_BERKELEY_DB_STATIC_LIB()
+AC_SUBST(BDB_STATIC_LIBADD)
+
AC_ARG_WITH(plugindir, [ --with-plugindir=DIR set the directory where plugins will
be found [[LIBDIR/sasl2]] ],
plugindir=$withval,
diff -up cyrus-sasl-2.1.27/m4/berkdb.m4.frombdb cyrus-sasl-2.1.27/m4/berkdb.m4
--- cyrus-sasl-2.1.27/m4/berkdb.m4.frombdb 2016-01-29 18:35:35.000000000 +0100
+++ cyrus-sasl-2.1.27/m4/berkdb.m4 2021-06-04 13:02:07.798112327 +0200
@@ -286,3 +286,10 @@ AC_DEFUN([CYRUS_BERKELEY_DB_CHK],
CPPFLAGS=$cmu_save_CPPFLAGS
])
+
+AC_DEFUN([CYRUS_BERKELEY_DB_STATIC_LIB],
+[
+BDB_STATIC_LIBADD="/dev/null -lpthread"
+AC_CHECK_FILE([/usr/lib64/libdb-5.3.a],[BDB_STATIC_LIBADD="/usr/lib64/libdb-5.3.a -lpthread "],[])
+AC_CHECK_FILE([/usr/lib/libdb-5.3.a],[BDB_STATIC_LIBADD="/usr/lib/libdb-5.3.a -lpthread"],[])
+])
diff -up cyrus-sasl-2.1.27/m4/sasldb.m4.frombdb cyrus-sasl-2.1.27/m4/sasldb.m4
--- cyrus-sasl-2.1.27/m4/sasldb.m4.frombdb 2017-07-13 20:45:19.000000000 +0200
+++ cyrus-sasl-2.1.27/m4/sasldb.m4 2021-06-04 13:02:07.798112327 +0200
@@ -111,7 +111,7 @@ AC_MSG_RESULT($dblib)
SASL_DB_BACKEND="db_${dblib}.lo"
SASL_DB_BACKEND_STATIC="db_${dblib}.o allockey.o"
SASL_DB_BACKEND_STATIC_SRCS="\$(top_srcdir)/sasldb/db_${dblib}.c \$(top_srcdir)/sasldb/allockey.c"
-SASL_DB_UTILS="saslpasswd2 sasldblistusers2"
+SASL_DB_UTILS="cyrusbdb2current saslpasswd2 sasldblistusers2"
SASL_DB_MANS="saslpasswd2.8 sasldblistusers2.8"
case "$dblib" in
diff -up cyrus-sasl-2.1.27/sasldb/db_gdbm.c.frombdb cyrus-sasl-2.1.27/sasldb/db_gdbm.c
--- cyrus-sasl-2.1.27/sasldb/db_gdbm.c.frombdb 2017-07-13 14:34:03.000000000 +0200
+++ cyrus-sasl-2.1.27/sasldb/db_gdbm.c 2021-06-04 13:04:24.098206887 +0200
@@ -67,6 +67,7 @@ int _sasldb_getdata(const sasl_utils_t *
void *cntxt;
sasl_getopt_t *getopt;
const char *path = SASL_DB_PATH;
+ int fetch_errno = 0;
if (!utils) return SASL_BADPARAM;
if (!authid || !propName || !realm || !out || !max_out) {
@@ -99,6 +100,9 @@ int _sasldb_getdata(const sasl_utils_t *
}
db = gdbm_open((char *)path, 0, GDBM_READER, S_IRUSR | S_IWUSR, NULL);
if (! db) {
+ utils->log(conn, SASL_LOG_ERR,
+ "SASL error opening password file. "
+ "Have you performed the migration from db2 using cyrusbdb2current?\n");
utils->seterror(cntxt, 0, "Could not open %s: gdbm_errno=%d",
path, gdbm_errno);
result = SASL_FAIL;
@@ -107,9 +111,10 @@ int _sasldb_getdata(const sasl_utils_t *
gkey.dptr = key;
gkey.dsize = key_len;
gvalue = gdbm_fetch(db, gkey);
+ fetch_errno = gdbm_errno;
gdbm_close(db);
if (! gvalue.dptr) {
- if (gdbm_errno == GDBM_ITEM_NOT_FOUND) {
+ if (fetch_errno == GDBM_ITEM_NOT_FOUND) {
utils->seterror(conn, SASL_NOLOG,
"user: %s@%s property: %s not found in %s",
authid, realm, propName, path);
@@ -186,7 +191,8 @@ int _sasldb_putdata(const sasl_utils_t *
if (! db) {
utils->log(conn, SASL_LOG_ERR,
"SASL error opening password file. "
- "Do you have write permissions?\n");
+ "Do you have write permissions?\n"
+ "Have you performed the migration from db2 using cyrusbdb2current?\n");
utils->seterror(conn, 0, "Could not open %s for write: gdbm_errno=%d",
path, gdbm_errno);
result = SASL_FAIL;
@@ -298,6 +304,9 @@ sasldb_handle _sasldb_getkeyhandle(const
db = gdbm_open((char *)path, 0, GDBM_READER, S_IRUSR | S_IWUSR, NULL);
if(!db) {
+ utils->log(conn, SASL_LOG_ERR,
+ "SASL error opening password file. "
+ "Have you performed the migration from db2 using cyrusbdb2current?\n");
utils->seterror(conn, 0, "Could not open %s: gdbm_errno=%d",
path, gdbm_errno);
return NULL;
diff -up cyrus-sasl-2.1.27/utils/cyrusbdb2current.8.frombdb cyrus-sasl-2.1.27/utils/cyrusbdb2current.8
--- cyrus-sasl-2.1.27/utils/cyrusbdb2current.8.frombdb 2021-06-04 13:02:07.798112327 +0200
+++ cyrus-sasl-2.1.27/utils/cyrusbdb2current.8 2021-06-04 13:02:07.798112327 +0200
@@ -0,0 +1,159 @@
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings. \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote. \*(C+ will
+.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+. ds -- \(*W-
+. ds PI pi
+. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
+. ds L" ""
+. ds R" ""
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds -- \|\(em\|
+. ds PI \(*p
+. ds L" ``
+. ds R" ''
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear. Run. Save yourself. No user-serviceable parts.
+. \" fudge factors for nroff and troff
+.if n \{\
+. ds #H 0
+. ds #V .8m
+. ds #F .3m
+. ds #[ \f1
+. ds #] \fP
+.\}
+.if t \{\
+. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+. ds #V .6m
+. ds #F 0
+. ds #[ \&
+. ds #] \&
+.\}
+. \" simple accents for nroff and troff
+.if n \{\
+. ds ' \&
+. ds ` \&
+. ds ^ \&
+. ds , \&
+. ds ~ ~
+. ds /
+.\}
+.if t \{\
+. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+. \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+. \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+. \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+. ds : e
+. ds 8 ss
+. ds o a
+. ds d- d\h'-1'\(ga
+. ds D- D\h'-1'\(hy
+. ds th \o'bp'
+. ds Th \o'LP'
+. ds ae ae
+. ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "CYRUSBDB2CURRENT 1"
+.TH CYRUSBDB2CURRENT 1 "2021-04-28" "perl v5.30.3" "User Contributed Perl Documentation"
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+cyrusbdb2current \- command\-line utility converting the SASLDB database from
+BerkeleyDB to the database format currently used bys sasldb.
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+cyrusbdb2current <sasldb_old_path> <sasldb_new_path>
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+\&\fBcyrusbdb2current\fR converts the current sasldb database from BerkeleyDB format to the
+currently used database format. It is \fB\s-1STRONGLY RECOMMENDED\s0\fR to make a backup
+of the current database before the conversion.
+.PP
+We expect that the old path is \fB/etc/sasldb2\fR and the new one is
+\&\fB/etc/sasl2/sasldb2\fR
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBsaslpasswd2\fR\|(8)
+.PP
+rfc4422 \- Simple Authentication and Security Layer (\s-1SASL\s0)
diff -up cyrus-sasl-2.1.27/utils/cyrusbdb2current.c.frombdb cyrus-sasl-2.1.27/utils/cyrusbdb2current.c
--- cyrus-sasl-2.1.27/utils/cyrusbdb2current.c.frombdb 2021-06-04 13:02:07.798112327 +0200
+++ cyrus-sasl-2.1.27/utils/cyrusbdb2current.c 2021-06-04 13:02:07.798112327 +0200
@@ -0,0 +1,282 @@
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <sasl.h>
+#include <saslplug.h>
+#include "../sasldb/sasldb.h"
+
+/* Cheating to make the utils work out right */
+extern const sasl_utils_t *sasl_global_utils;
+sasl_conn_t *globalconn;
+
+typedef void *listcb_t(const char *, const char *, const char *,
+ const char *, unsigned);
+
+void listusers_cb(const char *authid, const char *realm,
+ const char *propName, const char *secret,
+ unsigned seclen)
+{
+ if (!authid || !propName || !realm) {
+ fprintf(stderr,"userlist callback has bad param");
+ return;
+ }
+
+ /* the entries that just say the mechanism exists */
+ if (strlen(authid)==0) return;
+
+ printf("Converting: %s@%s (%s)...",authid,realm,propName);
+
+ _sasldb_putdata(sasl_global_utils, globalconn,
+ authid, realm, propName,
+ secret, seclen);
+
+ printf("ok\n");
+}
+
+/*
+ * List all users in database
+ */
+
+#include <db.h>
+
+#define DB_VERSION_FULL ((DB_VERSION_MAJOR << 24) | (DB_VERSION_MINOR << 16) | DB_VERSION_PATCH)
+/*
+ * Open the database
+ *
+ */
+static int berkeleydb_open(const char *path,DB **mbdb)
+{
+ int ret;
+
+#if DB_VERSION_FULL < 0x03000000
+ ret = db_open(path, DB_HASH, DB_CREATE, 0664, NULL, NULL, mbdb);
+#else /* DB_VERSION_FULL < 0x03000000 */
+ ret = db_create(mbdb, NULL, 0);
+ if (ret == 0 && *mbdb != NULL)
+ {
+#if DB_VERSION_FULL >= 0x04010000
+ ret = (*mbdb)->open(*mbdb, NULL, path, NULL, DB_HASH, DB_CREATE, 0664);
+#else
+ ret = (*mbdb)->open(*mbdb, path, NULL, DB_HASH, DB_CREATE, 0664);
+#endif
+ if (ret != 0)
+ {
+ (void) (*mbdb)->close(*mbdb, 0);
+ *mbdb = NULL;
+ }
+ }
+#endif /* DB_VERSION_FULL < 0x03000000 */
+
+ if (ret != 0) {
+ fprintf(stderr,"Error opening password file %s\n", path);
+ return SASL_FAIL;
+ }
+
+ return SASL_OK;
+}
+
+/*
+ * Close the database
+ *
+ */
+
+static void berkeleydb_close(DB *mbdb)
+{
+ int ret;
+
+ ret = mbdb->close(mbdb, 0);
+ if (ret!=0) {
+ fprintf(stderr,"error closing sasldb: %s",
+ db_strerror(ret));
+ }
+}
+
+int listusers(const char *path, listcb_t *cb)
+{
+ int result;
+ DB *mbdb = NULL;
+ DBC *cursor;
+ DBT key, data;
+
+ /* open the db */
+ result=berkeleydb_open(path, &mbdb);
+ if (result!=SASL_OK) goto cleanup;
+
+ /* make cursor */
+#if DB_VERSION_FULL < 0x03060000
+ result = mbdb->cursor(mbdb, NULL,&cursor);
+#else
+ result = mbdb->cursor(mbdb, NULL,&cursor, 0);
+#endif /* DB_VERSION_FULL < 0x03060000 */
+
+ if (result!=0) {
+ fprintf(stderr,"Making cursor failure: %s\n",db_strerror(result));
+ result = SASL_FAIL;
+ goto cleanup;
+ }
+
+ memset(&key,0, sizeof(key));
+ memset(&data,0,sizeof(data));
+
+ /* loop thru */
+ result = cursor->c_get(cursor, &key, &data,
+ DB_FIRST);
+
+ while (result != DB_NOTFOUND)
+ {
+ char *authid;
+ char *realm;
+ char *tmp;
+ unsigned int len;
+ char prop[1024];
+ int numnulls = 0;
+ unsigned int lup;
+
+ /* make sure there are exactly 2 null's */
+ for (lup=0;lup<key.size;lup++)
+ if (((char *)key.data)[lup]=='\0')
+ numnulls++;
+
+ if (numnulls != 2) {
+ fprintf(stderr,"warning: probable database corruption\n");
+ result = cursor->c_get(cursor, &key, &data, DB_NEXT);
+ continue;
+ }
+
+ authid = key.data;
+ realm = authid + strlen(authid)+1;
+ tmp = realm + strlen(realm)+1;
+ len = key.size - (tmp - authid);
+
+ /* make sure we have enough space of prop */
+ if (len >=sizeof(prop)) {
+ fprintf(stderr,"warning: absurdly long prop name\n");
+ result = cursor->c_get(cursor, &key, &data, DB_NEXT);
+ continue;
+ }
+
+ memcpy(prop, tmp, key.size - (tmp - ((char *)key.data)));
+ prop[key.size - (tmp - ((char *)key.data))] = '\0';
+
+ if (*authid) {
+ /* don't check return values */
+ cb(authid,realm,prop,data.data,data.size);
+ }
+
+ result = cursor->c_get(cursor, &key, &data, DB_NEXT);
+ }
+
+ if (result != DB_NOTFOUND) {
+ fprintf(stderr,"failure: %s\n",db_strerror(result));
+ result = SASL_FAIL;
+ goto cleanup;
+ }
+
+ result = cursor->c_close(cursor);
+ if (result != 0) {
+ result = SASL_FAIL;
+ goto cleanup;
+ }
+
+ result = SASL_OK;
+
+ cleanup:
+
+ if (mbdb != NULL) berkeleydb_close(mbdb);
+ return result;
+}
+
+
+char *db = NULL, *db_new=NULL;
+
+int good_getopt(void *context __attribute__((unused)),
+ const char *plugin_name __attribute__((unused)),
+ const char *option,
+ const char **result,
+ unsigned *len)
+{
+ if (db_new && !strcmp(option, "sasldb_path")) {
+ *result = db_new;
+ if (len)
+ *len = strlen(db_new);
+ return SASL_OK;
+ }
+
+ return SASL_FAIL;
+}
+
+static struct sasl_callback goodsasl_cb[] = {
+ { SASL_CB_GETOPT, (int (*)(void))&good_getopt, NULL },
+ { SASL_CB_LIST_END, NULL, NULL }
+};
+
+int main(int argc, char **argv)
+{
+ int result;
+ FILE *f;
+
+ if (argc != 3) {
+ fprintf(stderr, "Usage: cyrusbdb2current old_sasldb new_sasldb\n");
+ fprintf(stderr, "old_sasldb is presumably /etc/sasldb2\n");
+ fprintf(stderr, "new_sasldb is presumably /etc/sasl2/sasldb2\n");
+ return 1;
+ }
+
+ db = argv[1];
+ db_new = argv[2];
+
+ if (strcmp(db, db_new) == 0) {
+ fprintf(stderr, "Old and new files should be different\n");
+ return 1;
+ }
+
+
+ f = fopen(db_new, "rb");
+ if (f != NULL) {
+ fprintf(stderr, "The specified target file %s already exists\n", db_new);
+ fclose(f);
+ return 1;
+ }
+
+ result = sasl_server_init(goodsasl_cb, "dbconverter");
+ if (result != SASL_OK) {
+ fprintf(stderr, "couldn't init saslv2\n");
+ return 1;
+ }
+
+ result = sasl_server_new("sasldb",
+ "localhost",
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ 0,
+ &globalconn);
+ if (result != SASL_OK) {
+ fprintf(stderr, "couldn't create globalconn\n");
+ return 1;
+ }
+
+ if(_sasl_check_db(sasl_global_utils,globalconn) != SASL_OK) {
+ fprintf(stderr, "target DB %s is not OK\n", db_new);
+ return 1;
+ }
+
+ printf("\nThis program will take the sasldb file specified on the\n"
+ "command line and convert it to a new sasldb specified\n"
+ "on the command line. It is STRONGLY RECOMMENDED that you\n"
+ "backup sasldb before allowing this program to run\n\n"
+ "We are going to convert %s and our output will be in %s\n\n"
+ "Press return to continue\n", db, db_new);
+
+ getchar();
+
+ listusers(db, (listcb_t *) &listusers_cb);
+
+ sasl_dispose(&globalconn);
+ sasl_done();
+
+ exit(0);
+}
diff -up cyrus-sasl-2.1.27/utils/Makefile.am.frombdb cyrus-sasl-2.1.27/utils/Makefile.am
--- cyrus-sasl-2.1.27/utils/Makefile.am.frombdb 2018-10-05 16:40:16.000000000 +0200
+++ cyrus-sasl-2.1.27/utils/Makefile.am 2021-06-04 13:02:07.798112327 +0200
@@ -46,14 +46,14 @@ all_sasl_libs = ../lib/libsasl2.la $(SAS
all_sasl_static_libs = ../lib/.libs/libsasl2.a $(SASL_DB_LIB) $(LIB_SOCKET) $(GSSAPIBASE_LIBS) $(GSSAPI_LIBS) $(SASL_KRB_LIB) $(LIB_DES) $(PLAIN_LIBS) $(SRP_LIBS) $(LIB_MYSQL) $(LIB_PGSQL) $(LIB_SQLITE)
sbin_PROGRAMS = @SASL_DB_UTILS@ @SMTPTEST_PROGRAM@ pluginviewer
-EXTRA_PROGRAMS = saslpasswd2 sasldblistusers2 testsuite testsuitestatic smtptest pluginviewer
+EXTRA_PROGRAMS = saslpasswd2 sasldblistusers2 testsuite testsuitestatic smtptest pluginviewer cyrusbdb2current
noinst_PROGRAMS = dbconverter-2
if NO_SASL_DB_MANS
man_MANS =
else
-man_MANS = saslpasswd2.8 sasldblistusers2.8 pluginviewer.8
+man_MANS = saslpasswd2.8 sasldblistusers2.8 pluginviewer.8 cyrusbdb2current.8
endif
saslpasswd2_LDADD = ../sasldb/libsasldb.la $(all_sasl_libs)
@@ -63,6 +63,7 @@ sasldblistusers2_SOURCES = sasldblistuse
dbconverter_2_LDADD = ../sasldb/libsasldb.la $(all_sasl_libs)
pluginviewer_LDADD = $(all_sasl_libs)
pluginviewer_SOURCES = pluginviewer.c
+cyrusbdb2current_LDADD = ../sasldb/libsasldb.la @BDB_STATIC_LIBADD@ $(all_sasl_libs)
testsuite_LDADD = $(all_sasl_libs) @DMALLOC_LIBS@

56
SOURCES/cyrus-sasl-2.1.27-coverity.patch Normal file
View File

@ -0,0 +1,56 @@
diff -up cyrus-sasl-2.1.27/include/makemd5.c.coverity cyrus-sasl-2.1.27/include/makemd5.c
--- cyrus-sasl-2.1.27/include/makemd5.c.coverity 2021-04-12 15:10:25.421431535 +0200
+++ cyrus-sasl-2.1.27/include/makemd5.c 2021-04-12 15:56:46.752827737 +0200
@@ -107,7 +107,6 @@ my_strupr(char *s)
}
}
-
#define BITSIZE(TYPE) \
{ \
int b = 0; TYPE x = 1, zero = 0; char *pre = "U"; \
@@ -129,6 +128,8 @@ my_strupr(char *s)
static void
try_signed(FILE *f, int len)
{
+/* Local macros for not-installed program. No coverity/compiler issues! */
+#pragma GCC diagnostic ignored "-Wformat-overflow"
#ifdef HAVE_INT8_T
BITSIZE(int8_t);
#endif
@@ -149,6 +150,7 @@ try_signed(FILE *f, int len)
BITSIZE(long long);
#endif
fprintf(f, "/* There is no %d bit type */\n", len);
+#pragma GCC pop
}
static void
diff -up cyrus-sasl-2.1.27/saslauthd/lak.c.coverity cyrus-sasl-2.1.27/saslauthd/lak.c
--- cyrus-sasl-2.1.27/saslauthd/lak.c.coverity 2018-11-08 18:29:57.000000000 +0100
+++ cyrus-sasl-2.1.27/saslauthd/lak.c 2021-04-12 15:10:25.433431630 +0200
@@ -337,9 +337,9 @@ static int lak_config_read(
EMPTY(conf->group_search_base) )
strlcpy(conf->group_search_base, conf->search_base, LAK_DN_LEN);
- fclose(infile);
+ fclose(infile);
- return LAK_OK;
+ return LAK_OK;
}
static int lak_config_int(
diff -up cyrus-sasl-2.1.27/saslauthd/saslauthd-main.c.coverity cyrus-sasl-2.1.27/saslauthd/saslauthd-main.c
--- cyrus-sasl-2.1.27/saslauthd/saslauthd-main.c.coverity 2018-01-19 15:13:40.000000000 +0100
+++ cyrus-sasl-2.1.27/saslauthd/saslauthd-main.c 2021-04-12 15:10:25.433431630 +0200
@@ -833,7 +833,8 @@ void detach_tty() {
}
logger(L_INFO, L_FUNC, "master pid is: %lu", (unsigned long)master_pid);
-
+ /* null_fd expected to be more than 2, so it is closed after dups, no leaks occur */
+ /* coverity[leaked_handle : FALSE]*/
return;
}

546
SOURCES/cyrus-sasl-2.1.27-cumulative-digestmd5.patch Normal file
View File

@ -0,0 +1,546 @@
diff -uPr cyrus-sasl-2.1.27/plugins/digestmd5.c cyrus-sasl-2.1.27.digestmd5/plugins/digestmd5.c
--- cyrus-sasl-2.1.27/plugins/digestmd5.c 2022-09-08 12:22:03.782961573 -0400
+++ cyrus-sasl-2.1.27.digestmd5/plugins/digestmd5.c 2022-09-08 12:24:20.289994669 -0400
@@ -80,6 +80,12 @@
# endif
#endif /* WITH_DES */
+/* legacy provider with openssl 3.0 */
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+# include <openssl/provider.h>
+# include <openssl/crypto.h>
+#endif
+
#ifdef WIN32
# include <winsock2.h>
#else /* Unix */
@@ -170,6 +176,12 @@
typedef struct cipher_context cipher_context_t;
+typedef struct crypto_context {
+ void *libctx;
+ cipher_context_t *enc_ctx;
+ cipher_context_t *dec_ctx;
+} crypto_context_t;
+
/* cached auth info used for fast reauth */
typedef struct reauth_entry {
char *authid;
@@ -254,12 +266,12 @@
decode_context_t decode_context;
/* if privacy mode is used use these functions for encode and decode */
+ char *cipher_name;
cipher_function_t *cipher_enc;
cipher_function_t *cipher_dec;
cipher_init_t *cipher_init;
cipher_free_t *cipher_free;
- struct cipher_context *cipher_enc_context;
- struct cipher_context *cipher_dec_context;
+ crypto_context_t crypto;
} context_t;
struct digest_cipher {
@@ -888,7 +900,7 @@
char *output,
unsigned *outputlen)
{
- des_context_t *c = (des_context_t *) text->cipher_dec_context;
+ des_context_t *c = (des_context_t *) text->crypto.dec_ctx;
int padding, p;
des_ede2_cbc_encrypt((void *) input,
@@ -925,7 +937,7 @@
char *output,
unsigned *outputlen)
{
- des_context_t *c = (des_context_t *) text->cipher_enc_context;
+ des_context_t *c = (des_context_t *) text->crypto.enc_ctx;
int len;
int paddinglen;
@@ -973,7 +985,7 @@
return SASL_FAIL;
memcpy(c->ivec, ((char *) enckey) + 8, 8);
- text->cipher_enc_context = (cipher_context_t *) c;
+ text->crypto.enc_ctx = (cipher_context_t *) c;
/* setup dec context */
c++;
@@ -987,7 +999,7 @@
memcpy(c->ivec, ((char *) deckey) + 8, 8);
- text->cipher_dec_context = (cipher_context_t *) c;
+ text->crypto.dec_ctx = (cipher_context_t *) c;
return SASL_OK;
}
@@ -1006,7 +1018,7 @@
char *output,
unsigned *outputlen)
{
- des_context_t *c = (des_context_t *) text->cipher_dec_context;
+ des_context_t *c = (des_context_t *) text->crypto.dec_ctx;
int p, padding = 0;
des_cbc_encrypt((void *) input,
@@ -1046,7 +1058,7 @@
char *output,
unsigned *outputlen)
{
- des_context_t *c = (des_context_t *) text->cipher_enc_context;
+ des_context_t *c = (des_context_t *) text->crypto.enc_ctx;
int len;
int paddinglen;
@@ -1093,7 +1105,7 @@
memcpy(c->ivec, ((char *) enckey) + 8, 8);
- text->cipher_enc_context = (cipher_context_t *) c;
+ text->crypto.enc_ctx = (cipher_context_t *) c;
/* setup dec context */
c++;
@@ -1102,34 +1114,83 @@
memcpy(c->ivec, ((char *) deckey) + 8, 8);
- text->cipher_dec_context = (cipher_context_t *) c;
+ text->crypto.dec_ctx = (cipher_context_t *) c;
return SASL_OK;
}
static void free_des(context_t *text)
{
- /* free des contextss. only cipher_enc_context needs to be free'd,
- since cipher_dec_context was allocated at the same time. */
- if (text->cipher_enc_context) text->utils->free(text->cipher_enc_context);
+ /* free des contextss. only enc_ctx needs to be free'd,
+ since dec_cxt was allocated at the same time. */
+ if (text->crypto.enc_ctx) {
+ text->utils->free(text->crypto.enc_ctx);
+ }
}
#endif /* WITH_DES */
#ifdef WITH_RC4
-#ifdef HAVE_OPENSSL
#include <openssl/evp.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+typedef struct ossl3_library_context {
+ OSSL_LIB_CTX *libctx;
+ OSSL_PROVIDER *legacy_provider;
+ OSSL_PROVIDER *default_provider;
+} ossl3_context_t;
+
+static int init_ossl3_ctx(context_t *text)
+{
+ ossl3_context_t *ctx = text->utils->malloc(sizeof(ossl3_context_t));
+ if (!ctx) return SASL_NOMEM;
+
+ ctx->libctx = OSSL_LIB_CTX_new();
+ if (!ctx->libctx) {
+ text->utils->free(ctx);
+ return SASL_FAIL;
+ }
+
+ /* Load both legacy and default provider as both may be needed */
+ /* if they fail keep going and an error will be raised when we try to
+ * fetch the cipher later */
+ ctx->legacy_provider = OSSL_PROVIDER_load(ctx->libctx, "legacy");
+ ctx->default_provider = OSSL_PROVIDER_load(ctx->libctx, "default");
+ text->crypto.libctx = (void *)ctx;
+
+ return SASL_OK;
+}
+
+static void free_ossl3_ctx(context_t *text)
+{
+ ossl3_context_t *ctx;
+
+ if (!text->crypto.libctx) return;
+
+ ctx = (ossl3_context_t *)text->crypto.libctx;
+
+ if (ctx->legacy_provider) OSSL_PROVIDER_unload(ctx->legacy_provider);
+ if (ctx->default_provider) OSSL_PROVIDER_unload(ctx->default_provider);
+ if (ctx->libctx) OSSL_LIB_CTX_free(ctx->libctx);
+
+ text->utils->free(ctx);
+ text->crypto.libctx = NULL;
+}
+#endif
+
static void free_rc4(context_t *text)
{
- if (text->cipher_enc_context) {
- EVP_CIPHER_CTX_free((EVP_CIPHER_CTX *)text->cipher_enc_context);
- text->cipher_enc_context = NULL;
- }
- if (text->cipher_dec_context) {
- EVP_CIPHER_CTX_free((EVP_CIPHER_CTX *)text->cipher_dec_context);
- text->cipher_dec_context = NULL;
+ if (text->crypto.enc_ctx) {
+ EVP_CIPHER_CTX_free((EVP_CIPHER_CTX *)text->crypto.enc_ctx);
+ text->crypto.enc_ctx = NULL;
+ }
+ if (text->crypto.dec_ctx) {
+ EVP_CIPHER_CTX_free((EVP_CIPHER_CTX *)text->crypto.dec_ctx);
+ text->crypto.dec_ctx = NULL;
}
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ free_ossl3_ctx(text);
+#endif
}
static int init_rc4(context_t *text,
@@ -1139,23 +1200,57 @@
EVP_CIPHER_CTX *ctx;
int rc;
- ctx = EVP_CIPHER_CTX_new();
- if (ctx == NULL) return SASL_NOMEM;
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_CIPHER *cipher;
+ ossl3_context_t *ossl3_ctx;
- rc = EVP_EncryptInit_ex(ctx, EVP_rc4(), NULL, enckey, NULL);
- if (rc != 1) return SASL_FAIL;
+ rc = init_ossl3_ctx(text);
+ if (rc != SASL_OK) return rc;
+
+ ossl3_ctx = (ossl3_context_t *)text->crypto.libctx;
+ cipher = EVP_CIPHER_fetch(ossl3_ctx->libctx, "RC4", "");
+#else
+ const EVP_CIPHER *cipher;
+ cipher = EVP_rc4();
+#endif
- text->cipher_enc_context = (void *)ctx;
ctx = EVP_CIPHER_CTX_new();
- if (ctx == NULL) return SASL_NOMEM;
+ if (ctx == NULL) {
+ rc = SASL_NOMEM;
+ goto done;
+ }
- rc = EVP_DecryptInit_ex(ctx, EVP_rc4(), NULL, deckey, NULL);
- if (rc != 1) return SASL_FAIL;
+ rc = EVP_EncryptInit_ex(ctx, cipher, NULL, enckey, NULL);
+ if (rc != 1) {
+ rc = SASL_FAIL;
+ goto done;
+ }
+ text->crypto.enc_ctx = (void *)ctx;
+
+ ctx = EVP_CIPHER_CTX_new();
+ if (ctx == NULL) {
+ rc = SASL_NOMEM;
+ goto done;
+ }
+
+ rc = EVP_DecryptInit_ex(ctx, cipher, NULL, deckey, NULL);
+ if (rc != 1) {
+ rc = SASL_FAIL;
+ goto done;
+ }
+ text->crypto.dec_ctx = (void *)ctx;
- text->cipher_dec_context = (void *)ctx;
+ rc = SASL_OK;
- return SASL_OK;
+done:
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_CIPHER_free(cipher);
+#endif
+ if (rc != SASL_OK) {
+ free_rc4(text);
+ }
+ return rc;
}
static int dec_rc4(context_t *text,
@@ -1169,14 +1264,14 @@
int rc;
/* decrypt the text part & HMAC */
- rc = EVP_DecryptUpdate((EVP_CIPHER_CTX *)text->cipher_dec_context,
+ rc = EVP_DecryptUpdate((EVP_CIPHER_CTX *)text->crypto.dec_ctx,
(unsigned char *)output, &len,
(const unsigned char *)input, inputlen);
if (rc != 1) return SASL_FAIL;
*outputlen = len;
- rc = EVP_DecryptFinal_ex((EVP_CIPHER_CTX *)text->cipher_dec_context,
+ rc = EVP_DecryptFinal_ex((EVP_CIPHER_CTX *)text->crypto.dec_ctx,
(unsigned char *)output + len, &len);
if (rc != 1) return SASL_FAIL;
@@ -1198,7 +1293,7 @@
int len;
int rc;
/* encrypt the text part */
- rc = EVP_EncryptUpdate((EVP_CIPHER_CTX *)text->cipher_enc_context,
+ rc = EVP_EncryptUpdate((EVP_CIPHER_CTX *)text->crypto.enc_ctx,
(unsigned char *)output, &len,
(const unsigned char *)input, inputlen);
if (rc != 1) return SASL_FAIL;
@@ -1206,14 +1301,14 @@
*outputlen = len;
/* encrypt the `MAC part */
- rc = EVP_EncryptUpdate((EVP_CIPHER_CTX *)text->cipher_enc_context,
+ rc = EVP_EncryptUpdate((EVP_CIPHER_CTX *)text->crypto.enc_ctx,
(unsigned char *)output + *outputlen, &len,
digest, 10);
if (rc != 1) return SASL_FAIL;
*outputlen += len;
- rc = EVP_EncryptFinal_ex((EVP_CIPHER_CTX *)text->cipher_enc_context,
+ rc = EVP_EncryptFinal_ex((EVP_CIPHER_CTX *)text->crypto.enc_ctx,
(unsigned char *)output + *outputlen, &len);
if (rc != 1) return SASL_FAIL;
@@ -1221,188 +1316,11 @@
return SASL_OK;
}
-#else
-/* quick generic implementation of RC4 */
-struct rc4_context_s {
- unsigned char sbox[256];
- int i, j;
-};
-
-typedef struct rc4_context_s rc4_context_t;
-
-static void rc4_init(rc4_context_t *text,
- const unsigned char *key,
- unsigned keylen)
-{
- int i, j;
-
- /* fill in linearly s0=0 s1=1... */
- for (i=0;i<256;i++)
- text->sbox[i]=i;
-
- j=0;
- for (i = 0; i < 256; i++) {
- unsigned char tmp;
- /* j = (j + Si + Ki) mod 256 */
- j = (j + text->sbox[i] + key[i % keylen]) % 256;
-
- /* swap Si and Sj */
- tmp = text->sbox[i];
- text->sbox[i] = text->sbox[j];
- text->sbox[j] = tmp;
- }
-
- /* counters initialized to 0 */
- text->i = 0;
- text->j = 0;
-}
-
-static void rc4_encrypt(rc4_context_t *text,
- const char *input,
- char *output,
- unsigned len)
-{
- int tmp;
- int i = text->i;
- int j = text->j;
- int t;
- int K;
- const char *input_end = input + len;
-
- while (input < input_end) {
- i = (i + 1) % 256;
-
- j = (j + text->sbox[i]) % 256;
-
- /* swap Si and Sj */
- tmp = text->sbox[i];
- text->sbox[i] = text->sbox[j];
- text->sbox[j] = tmp;
-
- t = (text->sbox[i] + text->sbox[j]) % 256;
-
- K = text->sbox[t];
-
- /* byte K is Xor'ed with plaintext */
- *output++ = *input++ ^ K;
- }
-
- text->i = i;
- text->j = j;
-}
-
-static void rc4_decrypt(rc4_context_t *text,
- const char *input,
- char *output,
- unsigned len)
-{
- int tmp;
- int i = text->i;
- int j = text->j;
- int t;
- int K;
- const char *input_end = input + len;
-
- while (input < input_end) {
- i = (i + 1) % 256;
-
- j = (j + text->sbox[i]) % 256;
-
- /* swap Si and Sj */
- tmp = text->sbox[i];
- text->sbox[i] = text->sbox[j];
- text->sbox[j] = tmp;
-
- t = (text->sbox[i] + text->sbox[j]) % 256;
-
- K = text->sbox[t];
-
- /* byte K is Xor'ed with plaintext */
- *output++ = *input++ ^ K;
- }
-
- text->i = i;
- text->j = j;
-}
-
-static void free_rc4(context_t *text)
-{
- /* free rc4 context structures */
-
- if(text->cipher_enc_context) text->utils->free(text->cipher_enc_context);
- if(text->cipher_dec_context) text->utils->free(text->cipher_dec_context);
-}
-
-static int init_rc4(context_t *text,
- unsigned char enckey[16],
- unsigned char deckey[16])
-{
- /* allocate rc4 context structures */
- text->cipher_enc_context=
- (cipher_context_t *) text->utils->malloc(sizeof(rc4_context_t));
- if (text->cipher_enc_context == NULL) return SASL_NOMEM;
-
- text->cipher_dec_context=
- (cipher_context_t *) text->utils->malloc(sizeof(rc4_context_t));
- if (text->cipher_dec_context == NULL) return SASL_NOMEM;
-
- /* initialize them */
- rc4_init((rc4_context_t *) text->cipher_enc_context,
- (const unsigned char *) enckey, 16);
- rc4_init((rc4_context_t *) text->cipher_dec_context,
- (const unsigned char *) deckey, 16);
-
- return SASL_OK;
-}
-
-static int dec_rc4(context_t *text,
- const char *input,
- unsigned inputlen,
- unsigned char digest[16] __attribute__((unused)),
- char *output,
- unsigned *outputlen)
-{
- /* decrypt the text part & HMAC */
- rc4_decrypt((rc4_context_t *) text->cipher_dec_context,
- input, output, inputlen);
-
- /* no padding so we just subtract the HMAC to get the text length */
- *outputlen = inputlen - 10;
-
- return SASL_OK;
-}
-
-static int enc_rc4(context_t *text,
- const char *input,
- unsigned inputlen,
- unsigned char digest[16],
- char *output,
- unsigned *outputlen)
-{
- /* pad is zero */
- *outputlen = inputlen+10;
-
- /* encrypt the text part */
- rc4_encrypt((rc4_context_t *) text->cipher_enc_context,
- input,
- output,
- inputlen);
-
- /* encrypt the HMAC part */
- rc4_encrypt((rc4_context_t *) text->cipher_enc_context,
- (const char *) digest,
- (output)+inputlen, 10);
-
- return SASL_OK;
-}
-#endif /* HAVE_OPENSSL */
#endif /* WITH_RC4 */
struct digest_cipher available_ciphers[] =
{
#ifdef WITH_RC4
- { "rc4-40", 40, 5, 0x01, &enc_rc4, &dec_rc4, &init_rc4, &free_rc4 },
- { "rc4-56", 56, 7, 0x02, &enc_rc4, &dec_rc4, &init_rc4, &free_rc4 },
{ "rc4", 128, 16, 0x04, &enc_rc4, &dec_rc4, &init_rc4, &free_rc4 },
#endif
#ifdef WITH_DES
@@ -2815,6 +2733,7 @@
}
if (cptr->name) {
+ text->cipher_name = cptr->name;
text->cipher_enc = cptr->cipher_enc;
text->cipher_dec = cptr->cipher_dec;
text->cipher_init = cptr->cipher_init;
@@ -2958,7 +2877,10 @@
if (text->cipher_init) {
if (text->cipher_init(text, enckey, deckey) != SASL_OK) {
sparams->utils->seterror(sparams->utils->conn, 0,
- "couldn't init cipher");
+ "couldn't init cipher '%s'",
+ text->cipher_name);
+ result = SASL_FAIL;
+ goto FreeAllMem;
}
}
}
@@ -3509,6 +3431,7 @@
oparams->mech_ssf = ctext->cipher->ssf;
nbits = ctext->cipher->n;
+ text->cipher_name = ctext->cipher->name;
text->cipher_enc = ctext->cipher->cipher_enc;
text->cipher_dec = ctext->cipher->cipher_dec;
text->cipher_free = ctext->cipher->cipher_free;
@@ -3733,7 +3656,13 @@
/* initialize cipher if need be */
if (text->cipher_init) {
- text->cipher_init(text, enckey, deckey);
+ if (text->cipher_init(text, enckey, deckey) != SASL_OK) {
+ params->utils->seterror(params->utils->conn, 0,
+ "internal error: failed to init cipher '%s'",
+ text->cipher_name);
+ result = SASL_FAIL;
+ goto FreeAllocatedMem;
+ }
}
}

109
SOURCES/cyrus-sasl-2.1.27-cumulative-ossl3.patch Normal file
View File

@ -0,0 +1,109 @@
diff -uPr cyrus-sasl-2.1.27/configure.ac cyrus-sasl-2.1.27.ossl3/configure.ac
--- cyrus-sasl-2.1.27/configure.ac 2021-10-06 11:29:53.274375206 -0400
+++ cyrus-sasl-2.1.27.ossl3/configure.ac 2021-10-06 11:31:19.966726775 -0400
@@ -1115,7 +1115,11 @@
with_rc4=yes)
if test "$with_rc4" != no; then
- AC_DEFINE(WITH_RC4,[],[Use RC4])
+ if test "$with_openssl" = no; then
+ AC_WARN([OpenSSL not found -- RC4 will be disabled])
+ else
+ AC_DEFINE(WITH_RC4,[],[Use RC4])
+ fi
fi
building_for_macosx=no
diff -uPr cyrus-sasl-2.1.27/plugins/scram.c cyrus-sasl-2.1.27.ossl3/plugins/scram.c
--- cyrus-sasl-2.1.27/plugins/scram.c 2018-11-08 12:29:57.000000000 -0500
+++ cyrus-sasl-2.1.27.ossl3/plugins/scram.c 2021-10-06 11:31:04.407484201 -0400
@@ -65,7 +65,9 @@
#include <openssl/sha.h>
#include <openssl/evp.h>
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
#include <openssl/hmac.h>
+#endif
/***************************** Common Section *****************************/
@@ -267,6 +271,32 @@
}
#endif
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+
+/* Decalre as void given functions never use the result */
+void *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
+ const unsigned char *data, size_t data_len,
+ unsigned char *md, unsigned int *md_len)
+{
+ const char *digest;
+ size_t digest_size;
+ size_t out_len;
+ void *ret = NULL;
+
+ digest = EVP_MD_get0_name(evp_md);
+ if (digest == NULL) {
+ return NULL;
+ }
+ digest_size = EVP_MD_size(evp_md);
+
+ ret = EVP_Q_mac(NULL, "hmac", NULL, digest, NULL, key, key_len,
+ data, data_len, md, digest_size, &out_len);
+ if (ret != NULL) {
+ *md_len = (unsigned int)out_len;
+ }
+ return ret;
+}
+#endif
/* The result variable need to point to a buffer big enough for the [SHA-1] hash */
static void
diff -uPr cyrus-sasl-2.1.27/saslauthd/lak.c cyrus-sasl-2.1.27.ossl3/saslauthd/lak.c
--- cyrus-sasl-2.1.27/saslauthd/lak.c 2022-01-09 11:30:50.000000000 -0400
+++ cyrus-sasl-2.1.27.ossl3/saslauthd/lak.c 2022-01-09 11:30:50.000000001 -0400
@@ -1806,18 +1806,36 @@
return rc;
}
- EVP_DigestInit(mdctx, md);
- EVP_DigestUpdate(mdctx, passwd, strlen(passwd));
+ rc = EVP_DigestInit(mdctx, md);
+ if (rc != 1) {
+ rc = LAK_FAIL;
+ goto done;
+ }
+ rc = EVP_DigestUpdate(mdctx, passwd, strlen(passwd));
+ if (rc != 1) {
+ rc = LAK_FAIL;
+ goto done;
+ }
if (hrock->salted) {
- EVP_DigestUpdate(mdctx, &cred[EVP_MD_size(md)],
- clen - EVP_MD_size(md));
+ rc = EVP_DigestUpdate(mdctx, &cred[EVP_MD_size(md)],
+ clen - EVP_MD_size(md));
+ if (rc != 1) {
+ rc = LAK_FAIL;
+ goto done;
+ }
+ }
+ rc = EVP_DigestFinal(mdctx, digest, NULL);
+ if (rc != 1) {
+ rc = LAK_FAIL;
+ goto done;
}
- EVP_DigestFinal(mdctx, digest, NULL);
- EVP_MD_CTX_free(mdctx);
rc = memcmp((char *)cred, (char *)digest, EVP_MD_size(md));
+ rc = rc ? LAK_INVALID_PASSWORD : LAK_OK;
+done:
+ EVP_MD_CTX_free(mdctx);
free(cred);
- return rc ? LAK_INVALID_PASSWORD : LAK_OK;
+ return rc;
}
#endif /* HAVE_OPENSSL */

74
SOURCES/cyrus-sasl-2.1.27-fix-for-autoconf270.patch Normal file
View File

@ -0,0 +1,74 @@
From 3b0149cf3d235247b051b7cb7663bc3dadbb999b Mon Sep 17 00:00:00 2001
From: Pavel Raiskup <praiskup@redhat.com>
Date: Thu, 1 Apr 2021 17:17:52 +0200
Subject: [PATCH] configure.ac: avoid side-effects in AC_CACHE_VAL
In the COMMANDS-TO-SET-IT argument, per Autoconf docs:
https://www.gnu.org/software/autoconf/manual/autoconf-2.63/html_node/Caching-Results.html
---
configure.ac | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index a106d35e..d333496d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -220,11 +220,14 @@ void foo() { int i=0;}
int main() { void *self, *ptr1, *ptr2; self=dlopen(NULL,RTLD_LAZY);
if(self) { ptr1=dlsym(self,"foo"); ptr2=dlsym(self,"_foo");
if(ptr1 && !ptr2) exit(0); } exit(1); }
-], [sasl_cv_dlsym_adds_uscore=yes], sasl_cv_dlsym_adds_uscore=no
- AC_DEFINE(DLSYM_NEEDS_UNDERSCORE, [], [Do we need a leading _ for dlsym?]),
+], [sasl_cv_dlsym_adds_uscore=yes], sasl_cv_dlsym_adds_uscore=no,
AC_MSG_WARN(cross-compiler, we'll do our best)))
LIBS="$cmu_save_LIBS"
AC_MSG_RESULT($sasl_cv_dlsym_adds_uscore)
+
+ if test "$sasl_cv_dlsym_adds_uscore" = no; then
+ AC_DEFINE(DLSYM_NEEDS_UNDERSCORE, [], [Do we need a leading _ for dlsym?])
+ fi
fi
fi
From d3bcaf62f6213e7635e9c4a574f39a831e333980 Mon Sep 17 00:00:00 2001
From: Pavel Raiskup <praiskup@redhat.com>
Date: Thu, 1 Apr 2021 17:26:28 +0200
Subject: [PATCH] configure.ac: properly quote macro arguments
Autoconf 2.70+ is more picky about the quotation (even though with
previous versions the arguments should have been quoted, too). When we
don't quote macros inside the AC_CACHE_VAL macro - some of the Autoconf
initialization is wrongly ordered in ./configure script and we keep
seeing bugs like:
./configure: line 2165: ac_fn_c_try_run: command not found
Original report: https://bugzilla.redhat.com/1943013
---
configure.ac | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/configure.ac b/configure.ac
index d333496d..7281cba0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -213,15 +213,16 @@ if test $sasl_cv_uscore = yes; then
AC_MSG_CHECKING(whether dlsym adds the underscore for us)
cmu_save_LIBS="$LIBS"
LIBS="$LIBS $SASL_DL_LIB"
- AC_CACHE_VAL(sasl_cv_dlsym_adds_uscore,AC_TRY_RUN( [
+ AC_CACHE_VAL([sasl_cv_dlsym_adds_uscore],
+ [AC_TRY_RUN([
#include <dlfcn.h>
#include <stdio.h>
void foo() { int i=0;}
int main() { void *self, *ptr1, *ptr2; self=dlopen(NULL,RTLD_LAZY);
if(self) { ptr1=dlsym(self,"foo"); ptr2=dlsym(self,"_foo");
if(ptr1 && !ptr2) exit(0); } exit(1); }
-], [sasl_cv_dlsym_adds_uscore=yes], sasl_cv_dlsym_adds_uscore=no,
- AC_MSG_WARN(cross-compiler, we'll do our best)))
+], [sasl_cv_dlsym_adds_uscore=yes], [sasl_cv_dlsym_adds_uscore=no],
+ [AC_MSG_WARN(cross-compiler, we'll do our best)])])
LIBS="$cmu_save_LIBS"
AC_MSG_RESULT($sasl_cv_dlsym_adds_uscore)

51
SOURCES/cyrus-sasl-2.1.27-nostrncpy.patch Normal file
View File

@ -0,0 +1,51 @@
diff --git a/plugins/gssapi.c b/plugins/gssapi.c
index 5d900c5e..4688bb9a 100644
--- a/plugins/gssapi.c
+++ b/plugins/gssapi.c
@@ -1567,7 +1567,6 @@ int gssapiv2_server_plug_init(
{
#ifdef HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY
const char *keytab = NULL;
- char keytab_path[1024];
unsigned int rl;
#endif
@@ -1589,15 +1588,7 @@ int gssapiv2_server_plug_init(
return SASL_FAIL;
}
- if(strlen(keytab) > 1024) {
- utils->log(NULL, SASL_LOG_ERR,
- "path to keytab is > 1024 characters");
- return SASL_BUFOVER;
- }
-
- strncpy(keytab_path, keytab, 1024);
-
- gsskrb5_register_acceptor_identity(keytab_path);
+ gsskrb5_register_acceptor_identity(keytab);
}
#endif
diff --git a/plugins/ntlm.c b/plugins/ntlm.c
index aeb3ac34..8a7d9065 100644
--- a/plugins/ntlm.c
+++ b/plugins/ntlm.c
@@ -375,10 +375,15 @@ static unsigned char *P16_lm(unsigned char *P16, sasl_secret_t *passwd,
unsigned *buflen __attribute__((unused)),
int *result)
{
- char P14[14];
+ char P14[14] = { 0 };
+ int Plen;
unsigned char S8[] = { 0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25 };
- strncpy(P14, (const char *) passwd->data, sizeof(P14));
+ Plen = sizeof(P14);
+ if (passwd->len < Plen) {
+ Plen = passwd->len;
+ }
+ memcpy(P14, (const char *) passwd->data, Plen);
ucase(P14, sizeof(P14));
E(P16, (unsigned char *) P14, sizeof(P14), S8, sizeof(S8));

18
SOURCES/cyrus-sasl-2.1.27-CVE-2019-19906.patch → SOURCES/cyrus-sasl-cve-2019-19906.patch
View File

@ -1,18 +1,17 @@
From bcb6c06ec17728f7c9c492dc257b1e541a6830da Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 5 May 2020 14:41:06 -0400
Subject: [PATCH] CVE-2019-19906
From dcc9f51cbd4ed622cfb0f9b1c141eb2ffe3b12f1 Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount <quanah@symas.com>
Date: Tue, 18 Feb 2020 19:05:12 +0000
Subject: [PATCH] Fix #587
Backport of commit id:
dcc9f51cbd4ed622cfb0f9b1c141eb2ffe3b12f1
Off by one error in common.c, CVE-2019-19906.
Signed-off-by: Simo Sorce <simo@redhat.com>
Thanks to Stephan Zeisberg for reporting
---
lib/common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/common.c b/lib/common.c
index bc3bf1d..9969d6a 100644
index bc3bf1df..9969d6aa 100644
--- a/lib/common.c
+++ b/lib/common.c
@@ -190,7 +190,7 @@ int _sasl_add_string(char **out, size_t *alloclen,
@ -24,6 +23,3 @@ index bc3bf1d..9969d6a 100644
if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=SASL_OK)
return SASL_NOMEM;
--
2.18.2

3
SOURCES/cyrus-sasl-pr559-RC4-openssl.patch
View File

@ -13,7 +13,8 @@ diff --git a/configure.ac b/configure.ac
index 388f5d02..cfdee4a2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1102,12 +1102,11 @@ AC_ARG_WITH(configdir, [ --with-configdir=DIR set the directory where confi
@@ -1103,13 +1103,12 @@ AC_ARG_WITH(configdir, [ --with-configdir=DIR set the directory where confi
configdir='${plugindir}:${sysconfdir}/sasl2')
AC_SUBST(configdir)
-dnl look for rc4 libraries. we accept the CMU one or one from openSSL

2
SOURCES/make-no-dlcompatorsrp-tarball.sh
View File

@ -1,6 +1,6 @@
#!/bin/bash -e
#
# See ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/ for unmodified sources.
# See https://github.com/cyrusimap/cyrus-sasl/releases for unmodified sources.
#
tmppath=`mktemp -d ${TMPDIR:-/tmp}/make-no-dlcompat-tarball-XXXXXX`

224
SPECS/cyrus-sasl.spec
View File

@ -4,13 +4,15 @@
%global _plugindir2 %{_libdir}/sasl2
%global bootstrap_cyrus_sasl 0
%global gdbm_db_file /etc/sasl2/sasldb2
Summary: The Cyrus SASL library
Name: cyrus-sasl
Version: 2.1.27
Release: 6%{?dist}
Release: 21%{?dist}
License: BSD with advertising
Group: System Environment/Libraries
URL: https://www.cyrusimap.org/sasl/
# Source0 originally comes from https://www.cyrusimap.org/releases/;
# make-no-dlcompatorsrp-tarball.sh removes the "dlcompat" subdirectory and builds a
# new tarball.
@ -22,38 +24,53 @@ Source10: make-no-dlcompatorsrp-tarball.sh
# From upstream git, required for reconfigure after applying patches to configure.ac
# https://raw.githubusercontent.com/cyrusimap/cyrus-sasl/master/autogen.sh
Source11: autogen.sh
URL: https://www.cyrusimap.org/sasl/
Requires: %{name}-lib%{?_isa} = %{version}-%{release}
Patch11: cyrus-sasl-2.1.25-no_rpath.patch
Patch15: cyrus-sasl-2.1.20-saslauthd.conf-path.patch
Patch23: cyrus-sasl-2.1.23-man.patch
Patch24: cyrus-sasl-2.1.21-sizes.patch
# The 64 bit *INT8 type is not used anywhere and other types match
Patch49: cyrus-sasl-2.1.26-md5global.patch
Patch60: cyrus-sasl-pr559-RC4-openssl.patch
Patch830: cyrus-sasl-2.1.27-CVE-2019-19906.patch
Patch831: cyrus-sasl-2.1.27-Add-basic-test-infrastructure.patch
Patch832: cyrus-sasl-2.1.27-Add-Channel-Binding-support-for-GSSAPI-GSS-SPNEGO.patch
Patch833: cyrus-sasl-2.1.27-Add-support-for-setting-max-ssf-0-to-GSS-SPNEGO.patch
Patch834: cyrus-sasl-2.1.27-Emit-debug-log-only-in-case-of-errors.patch
Patch100: cyrus-sasl-cve-2019-19906.patch
Patch101: cyrus-sasl-2.1.27-Add-basic-test-infrastructure.patch
Patch102: cyrus-sasl-2.1.27-Add-Channel-Binding-support-for-GSSAPI-GSS-SPNEGO.patch
Patch103: cyrus-sasl-2.1.27-Add-support-for-setting-max-ssf-0-to-GSS-SPNEGO.patch
Patch104: cyrus-sasl-2.1.27-Emit-debug-log-only-in-case-of-errors.patch
Patch105: cyrus-sasl-2.1.27-fix-for-autoconf270.patch
#https://github.com/simo5/cyrus-sasl/commit/ebd2387f06c84c7f9aac3167ec041bb01e5c6e48
Patch106: cyrus-sasl-2.1.27-nostrncpy.patch
# Upstream PR: https://github.com/cyrusimap/cyrus-sasl/pull/635
Patch107: cyrus-sasl-2.1.27-Add-basic-test-plain-auth.patch
#Migration tool should be removed from RHEL10
Patch108: cyrus-sasl-2.1.27-Migration-from-BerkeleyDB.patch
Patch500: cyrus-sasl-2.1.27-coverity.patch
Patch501: cyrus-sasl-2.1.27-cumulative-digestmd5.patch
Patch502: cyrus-sasl-2.1.27-cumulative-ossl3.patch
Patch900: 0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: autoconf, automake, libtool, gdbm-devel, groff
BuildRequires: krb5-devel >= 1.2.2, openssl-devel, pam-devel, pkgconfig
BuildRequires: mariadb-connector-c-devel, postgresql-devel, zlib-devel
BuildRequires: libdb-devel
BuildRequires: krb5-devel >= 1.19, openssl-devel, pam-devel, pkgconfig
BuildRequires: mariadb-connector-c-devel, libpq-devel, zlib-devel
%if ! %{bootstrap_cyrus_sasl}
BuildRequires: openldap-devel
%endif
#build reqs for migration from BerkeleyDB
#should be removed from RHEL10
BuildRequires: libdb-devel-static
#build reqs for make check
BuildRequires: python36 nss_wrapper socket_wrapper krb5-server
BuildRequires: python3 nss_wrapper socket_wrapper krb5-server
%{?systemd_requires}
Requires(post): chkconfig
Requires: %{name}-lib = %{version}-%{release}
Requires: systemd
#Requires/Provides related to the saslauthd user creation
Requires: /sbin/nologin
Requires(pre): /usr/sbin/useradd /usr/sbin/groupadd
Requires(postun): /usr/sbin/userdel /usr/sbin/groupdel
Requires: /sbin/nologin
Requires: systemd >= 211
Provides: user(%username)
Provides: group(%username)
@ -64,7 +81,6 @@ SASL is the Simple Authentication and Security Layer, a method for
adding authentication support to connection-based protocols.
%package lib
Group: System Environment/Libraries
Summary: Shared libraries needed by applications which use Cyrus SASL
%description lib
@ -72,10 +88,9 @@ The %{name}-lib package contains shared libraries which are needed by
applications which use the Cyrus SASL library.
%package devel
Requires: %{name}-lib%{?_isa} = %{version}-%{release}
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: %{name}-lib = %{version}-%{release}
Requires: %{name} = %{version}-%{release}
Requires: pkgconfig
Group: Development/Libraries
Summary: Files needed for developing applications with Cyrus SASL
%description devel
@ -84,7 +99,6 @@ compiling applications which use the Cyrus SASL library.
%package gssapi
Requires: %{name}-lib%{?_isa} = %{version}-%{release}
Group: System Environment/Libraries
Summary: GSSAPI authentication support for Cyrus SASL
%description gssapi
@ -94,7 +108,6 @@ authentication.
%package plain
Requires: %{name}-lib%{?_isa} = %{version}-%{release}
Group: System Environment/Libraries
Summary: PLAIN and LOGIN authentication support for Cyrus SASL
%description plain
@ -103,7 +116,6 @@ PLAIN and LOGIN authentication schemes.
%package md5
Requires: %{name}-lib%{?_isa} = %{version}-%{release}
Group: System Environment/Libraries
Summary: CRAM-MD5 and DIGEST-MD5 authentication support for Cyrus SASL
%description md5
@ -112,7 +124,6 @@ CRAM-MD5 and DIGEST-MD5 authentication schemes.
%package ntlm
Requires: %{name}-lib%{?_isa} = %{version}-%{release}
Group: System Environment/Libraries
Summary: NTLM authentication support for Cyrus SASL
%description ntlm
@ -122,7 +133,6 @@ the NTLM authentication scheme.
# This would more appropriately be named cyrus-sasl-auxprop-sql.
%package sql
Requires: %{name}-lib%{?_isa} = %{version}-%{release}
Group: System Environment/Libraries
Summary: SQL auxprop support for Cyrus SASL
%description sql
@ -133,7 +143,6 @@ using a RDBMS for storing shared secrets.
# This was *almost* named cyrus-sasl-auxprop-ldapdb, but that's a lot of typing.
%package ldap
Requires: %{name}-lib%{?_isa} = %{version}-%{release}
Group: System Environment/Libraries
Summary: LDAP auxprop support for Cyrus SASL
%description ldap
@ -143,7 +152,6 @@ a directory server, accessed using LDAP, for storing shared secrets.
%package scram
Requires: %{name}-lib%{?_isa} = %{version}-%{release}
Group: System Environment/Libraries
Summary: SCRAM auxprop support for Cyrus SASL
%description scram
@ -152,7 +160,6 @@ the SCRAM authentication scheme.
%package gs2
Requires: %{name}-lib%{?_isa} = %{version}-%{release}
Group: System Environment/Libraries
Summary: GS2 support for Cyrus SASL
%description gs2
@ -170,11 +177,18 @@ the GS2 authentication scheme.
%patch24 -p1 -b .sizes
%patch49 -p1 -b .md5global.h
%patch60 -p1 -b .openssl_rc4
%patch830 -p1 -b .CVE-2019-19906
%patch831 -p1 -b .tests
%patch832 -p1 -b .gssapi_cbs
%patch833 -p1 -b .maxssf0
%patch834 -p1 -b .nolog
%patch100 -p1 -b .cve_2019_19906
%patch101 -p1 -b .tests
%patch102 -p1 -b .gssapi_cbs
%patch103 -p1 -b .maxssf0
%patch104 -p1 -b .nolog
%patch105 -p1 -b .autoconf270
%patch106 -p1 -b .nostrncpy
%patch107 -p1 -b .plaintests
%patch108 -p1 -b .frombdb
%patch500 -p1 -b .coverity
%patch501 -p1 -b .digestmd5
%patch502 -p1 -b .ossl3
%patch900 -p1 -b .CVE-2022-24407
%build
@ -220,14 +234,7 @@ if test x"$LIB_DIR" != "x-L%{_libdir}"; then
LDFLAGS="$LIB_DIR $LDFLAGS"; export LDFLAGS
fi
# Patch config.sub to support ppc64p7 subarch (Fedora specific)
# This is similar to what the config.sub from automake has
for i in `find . -name config.sub`; do
perl -pi -e "s/ppc64-\*/ppc64-\* \| ppc64p7-\*/" $i
done
CFLAGS="$RPM_OPT_FLAGS $CFLAGS $CPPFLAGS -fPIC -pie -Wl,-z,relro -Wl,-z,now"; export CFLAGS
LDFLAGS="$LDFLAGS -pie -Wl,-z,now"; export LDFLAGS
echo "$CFLAGS"
echo "$CPPFLAGS"
@ -242,8 +249,8 @@ echo "$LDFLAGS"
--enable-gssapi${krb5_prefix:+=${krb5_prefix}} \
--with-gss_impl=mit \
--with-rc4 \
--with-dblib=berkeley \
--with-bdb=db \
--with-dblib=gdbm \
--with-dbpath=%{gdbm_db_file} \
--with-saslauthd=/run/saslauthd --without-pwcheck \
%if ! %{bootstrap_cyrus_sasl}
--with-ldap \
@ -285,6 +292,8 @@ install -m755 -d $RPM_BUILD_ROOT%{_bindir}
install -m755 sample/client $RPM_BUILD_ROOT%{_bindir}/sasl2-sample-client
./libtool --mode=install \
install -m755 sample/server $RPM_BUILD_ROOT%{_bindir}/sasl2-sample-server
#Migration tool should be removed from RHEL10
mv $RPM_BUILD_ROOT%{_sbindir}/cyrusbdb2current $RPM_BUILD_ROOT%{_bindir}/cyrusbdb2current
./libtool --mode=install \
install -m755 saslauthd/testsaslauthd $RPM_BUILD_ROOT%{_sbindir}/testsaslauthd
@ -294,9 +303,8 @@ install -m755 -d $RPM_BUILD_ROOT%{_mandir}/man8/
install -m644 -p saslauthd/saslauthd.mdoc $RPM_BUILD_ROOT%{_mandir}/man8/saslauthd.8
install -m644 -p saslauthd/testsaslauthd.8 $RPM_BUILD_ROOT%{_mandir}/man8/testsaslauthd.8
# Install the init script for saslauthd and the init script's config file.
install -m755 -d $RPM_BUILD_ROOT/etc/rc.d/init.d $RPM_BUILD_ROOT/etc/sysconfig
install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
# Install the systemd unit file for saslauthd and the config file.
install -d -m755 $RPM_BUILD_ROOT/%{_unitdir} $RPM_BUILD_ROOT/etc/sysconfig
install -m644 -p %{SOURCE5} $RPM_BUILD_ROOT/%{_unitdir}/saslauthd.service
install -m644 -p %{SOURCE9} $RPM_BUILD_ROOT/etc/sysconfig/saslauthd
@ -331,16 +339,9 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir}
%postun
%systemd_postun_with_restart saslauthd.service
%triggerun -n cyrus-sasl -- cyrus-sasl < 2.1.23-32
/usr/bin/systemd-sysv-convert --save saslauthd >/dev/null 2>&1 || :
/sbin/chkconfig --del saslauthd >/dev/null 2>&1 || :
/bin/systemctl try-restart saslauthd.service >/dev/null 2>&1 || :
%post lib -p /sbin/ldconfig
%postun lib -p /sbin/ldconfig
%ldconfig_scriptlets lib
%files
%defattr(-,root,root)
%doc saslauthd/LDAP_SASLAUTHD
%{_mandir}/man8/*
%{_sbindir}/pluginviewer
@ -351,7 +352,6 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir}
%ghost /run/saslauthd
%files lib
%defattr(-,root,root)
%license COPYING
%doc AUTHORS doc/html/*.html
%{_libdir}/libsasl*.so.*
@ -361,45 +361,37 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir}
%{_plugindir2}/*sasldb*.so*
%{_sbindir}/saslpasswd2
%{_sbindir}/sasldblistusers2
%{_bindir}/cyrusbdb2current
%files plain
%defattr(-,root,root)
%{_plugindir2}/*plain*.so*
%{_plugindir2}/*login*.so*
%if ! %{bootstrap_cyrus_sasl}
%files ldap
%defattr(-,root,root)
%{_plugindir2}/*ldapdb*.so*
%endif
%files md5
%defattr(-,root,root)
%{_plugindir2}/*crammd5*.so*
%{_plugindir2}/*digestmd5*.so*
%files ntlm
%defattr(-,root,root)
%{_plugindir2}/*ntlm*.so*
%files sql
%defattr(-,root,root)
%{_plugindir2}/*sql*.so*
%files gssapi
%defattr(-,root,root)
%{_plugindir2}/*gssapi*.so*
%files scram
%defattr(-,root,root)
%{_plugindir2}/libscram.so*
%files gs2
%defattr(-,root,root)
%{_plugindir2}/libgs2.so*
%files devel
%defattr(-,root,root)
%{_bindir}/sasl2-sample-client
%{_bindir}/sasl2-sample-server
%{_includedir}/*
@ -409,40 +401,96 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir}
%{_sbindir}/sasl2-shared-mechlist
%changelog
* Thu Feb 17 2022 Simo Sorce <simo@redhat.com> - 2.1.27-6
* Mon Aug 1 2022 Simo Sorce <simo@redhat.com> - 2.1.27-21
- Fix memleak
* Wed Feb 23 2022 Simo Sorce <simo@redhat.com> - 2.1.27-20
- Fix for CVE-2022-24407
- Resolves: rhbz#2055846
- Resolves: rhbz#2055848
* Tue May 5 2020 Simo Sorce <simo@redhat.com> - 2.1.27-5
- Reduce excessive GSSAPI plugin logging
- Resolves: rhbz#1274734
* Wed Feb 9 2022 Simo Sorce <simo@redhat.com> - 2.1.27-19
- Fix a memleak in one of the OpenSSL 3 compat patches
found by covscan
* Tue May 5 2020 Simo Sorce <simo@redhat.com> - 2.1.27-4
- Add support for setting maxssf=0 in GSS-SPNEGO
- Resolves: rhbz#1822133
* Mon Feb 7 2022 Simo Sorce <simo@redhat.com> - 2.1.27-18
- Update OpenSSL 3 related compatibility patch backports
* Tue May 5 2020 Simo Sorce <simo@redhat.com> - 2.1.27-3
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.1.27-17
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Jul 28 2021 Simo Sorce <simo@redhat.com> - 2.1.27-16
- Rebuild to pass gating after fixing rhbz#1983928
* Wed Jul 28 2021 Florian Weimer <fweimer@redhat.com> - 2.1.27-15
- Rebuild to pick up OpenSSL 3.0 Beta ABI (#1984097)
* Mon Jul 19 2021 Simo Sorce <simo@redhat.com> - 2.1.27-14
- Fix crashs on missing legacy algorithms
Resolves: rhbz#1974354
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.1.27-13
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Fri Jun 04 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 2.1.27-12
- Incorporate the upstream gdbm specific patch from
https://github.com/cyrusimap/cyrus-sasl/pull/554
- Resolves rhbz#1947971
* Wed Apr 28 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 2.1.27-11
- Set default sasldb database to GDBM instead of BerkeleyDB
- Add the migration tool from BerkeleyDB
- Add some PLAIN auth tests
- Resolves rhbz#1947971
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2.1.27-10
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Mon Apr 12 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 2.1.27-9
- Coverity-related fixes (#1938700)
* Mon Feb 08 2021 Pavel Raiskup <praiskup@redhat.com> - 2.1.27-8
- rebuild for libpq ABI fix rhbz#1908268
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.27-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.27-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Thu May 7 2020 Simo Sorce <simo@redhat.com> - 2.1.27-5
- Backport GSSAPI Channel Bindings support
- Resolves: rhbz#1817054
- Add support for setting maxssf=0 in GSS-SPNEGO
- Reduce excessive GSSAPI plugin logging
* Tue May 5 2020 Simo Sorce <simo@redhat.com> - 2.1.27-2
- Backport fix for CVE-2019-19906
- Resolves: rhbz#1804036
* Thu Mar 19 2020 Simo Sorce - 2.1.27-4
- Fix CVE 2019 19906
* Fri Jun 14 2019 Simo Sorce <simo@redhat.com> - 2.1.27-1
- Rc7 to final source
- Resovles bz#1618744
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.27-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jun 13 2019 Simo Sorce <simo@redhat.com> - 2.1.27-0.4rc7
- Add patch form Upstream PR559 to use RC4 implementation from OpenSSL
- Resolves bz#1618744
- Fix multilib issue bz#1663120
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.27-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Mon Jul 30 2018 Florian Weimer <fweimer@redhat.com> - 2.1.27-0.3rc7
- Rebuild with fixed binutils
* Thu Jun 13 2019 Simo Sorce - 2.1.27-1
- Update to final 2.1.27 sources
- Also add patch to use OpenSSL RC4, currently proposed as PR 559
* Wed Jul 25 2018 Petr Kubat <pkubat@redhat.com> - 2.1.27-0.2rc7
- Rebuilt for gdbm
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.27-0.6rc7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 2.1.27-0.5rc7
- Rebuilt for libcrypt.so.2 (#1666033)
* Sun Oct 14 2018 Peter Robinson <pbrobinson@fedoraproject.org> 2.1.27-0.4rc7
- Clean up remanents of sys-v, spec cleanups
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.27-0.3rc7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu May 17 2018 Jakub Jelen <jjelen@redhat.com> - 2.1.27-0.2rc7
- Avoid multilib conflicts between devel subpackages (#1577675)
* Mon Mar 05 2018 Jakub Jelen <jjelen@redhat.com> - 2.1.27-0.1rc7
- New upstream (pre-)release