eba3ea5ff9
Fixes CVE-2022-24407 Drop patches that have been included (possibly modified) upstream Adjust backports that upstream decided not to put in 2.1 but are accepted in the master branch Adjust backports that are still in PRs Adjust downstream patches (migration to GDBM) Signed-off-by: Simo Sorce <simo@redhat.com>
110 lines
3.1 KiB
Diff
110 lines
3.1 KiB
Diff
diff -uPr cyrus-sasl-2.1.27/configure.ac cyrus-sasl-2.1.27.ossl3/configure.ac
|
|
--- cyrus-sasl-2.1.27/configure.ac 2021-10-06 11:29:53.274375206 -0400
|
|
+++ cyrus-sasl-2.1.27.ossl3/configure.ac 2021-10-06 11:31:19.966726775 -0400
|
|
@@ -1115,7 +1115,11 @@
|
|
with_rc4=yes)
|
|
|
|
if test "$with_rc4" != no; then
|
|
- AC_DEFINE(WITH_RC4,[],[Use RC4])
|
|
+ if test "$with_openssl" = no; then
|
|
+ AC_WARN([OpenSSL not found -- RC4 will be disabled])
|
|
+ else
|
|
+ AC_DEFINE(WITH_RC4,[],[Use RC4])
|
|
+ fi
|
|
fi
|
|
|
|
building_for_macosx=no
|
|
diff -uPr cyrus-sasl-2.1.27/plugins/scram.c cyrus-sasl-2.1.27.ossl3/plugins/scram.c
|
|
--- cyrus-sasl-2.1.27/plugins/scram.c 2018-11-08 12:29:57.000000000 -0500
|
|
+++ cyrus-sasl-2.1.27.ossl3/plugins/scram.c 2021-10-06 11:31:04.407484201 -0400
|
|
@@ -65,7 +65,9 @@
|
|
|
|
#include <openssl/sha.h>
|
|
#include <openssl/evp.h>
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
#include <openssl/hmac.h>
|
|
+#endif
|
|
|
|
/***************************** Common Section *****************************/
|
|
|
|
@@ -291,6 +293,32 @@
|
|
}
|
|
#endif
|
|
|
|
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
|
+
|
|
+/* Decalre as void given functions never use the result */
|
|
+void *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
|
|
+ const unsigned char *data, size_t data_len,
|
|
+ unsigned char *md, unsigned int *md_len)
|
|
+{
|
|
+ const char *digest;
|
|
+ size_t digest_size;
|
|
+ size_t out_len;
|
|
+ void *ret = NULL;
|
|
+
|
|
+ digest = EVP_MD_get0_name(evp_md);
|
|
+ if (digest == NULL) {
|
|
+ return NULL;
|
|
+ }
|
|
+ digest_size = EVP_MD_size(evp_md);
|
|
+
|
|
+ ret = EVP_Q_mac(NULL, "hmac", NULL, digest, NULL, key, key_len,
|
|
+ data, data_len, md, digest_size, &out_len);
|
|
+ if (ret != NULL) {
|
|
+ *md_len = (unsigned int)out_len;
|
|
+ }
|
|
+ return ret;
|
|
+}
|
|
+#endif
|
|
|
|
/* The result variable need to point to a buffer big enough for the [SHA-*] hash */
|
|
static void
|
|
diff -uPr cyrus-sasl-2.1.27/saslauthd/lak.c cyrus-sasl-2.1.27.ossl3/saslauthd/lak.c
|
|
--- cyrus-sasl-2.1.27/saslauthd/lak.c 2022-01-09 11:30:50.000000000 -0400
|
|
+++ cyrus-sasl-2.1.27.ossl3/saslauthd/lak.c 2022-01-09 11:30:50.000000001 -0400
|
|
@@ -1806,18 +1806,36 @@
|
|
return rc;
|
|
}
|
|
|
|
- EVP_DigestInit(mdctx, md);
|
|
- EVP_DigestUpdate(mdctx, passwd, strlen(passwd));
|
|
+ rc = EVP_DigestInit(mdctx, md);
|
|
+ if (rc != 1) {
|
|
+ rc = LAK_FAIL;
|
|
+ goto done;
|
|
+ }
|
|
+ rc = EVP_DigestUpdate(mdctx, passwd, strlen(passwd));
|
|
+ if (rc != 1) {
|
|
+ rc = LAK_FAIL;
|
|
+ goto done;
|
|
+ }
|
|
if (hrock->salted) {
|
|
- EVP_DigestUpdate(mdctx, &cred[EVP_MD_size(md)],
|
|
- clen - EVP_MD_size(md));
|
|
+ rc = EVP_DigestUpdate(mdctx, &cred[EVP_MD_size(md)],
|
|
+ clen - EVP_MD_size(md));
|
|
+ if (rc != 1) {
|
|
+ rc = LAK_FAIL;
|
|
+ goto done;
|
|
+ }
|
|
+ }
|
|
+ rc = EVP_DigestFinal(mdctx, digest, NULL);
|
|
+ if (rc != 1) {
|
|
+ rc = LAK_FAIL;
|
|
+ goto done;
|
|
}
|
|
- EVP_DigestFinal(mdctx, digest, NULL);
|
|
- EVP_MD_CTX_free(mdctx);
|
|
|
|
rc = memcmp((char *)cred, (char *)digest, EVP_MD_size(md));
|
|
+ rc = rc ? LAK_INVALID_PASSWORD : LAK_OK;
|
|
+done:
|
|
+ EVP_MD_CTX_free(mdctx);
|
|
free(cred);
|
|
- return rc ? LAK_INVALID_PASSWORD : LAK_OK;
|
|
+ return rc;
|
|
}
|
|
|
|
#endif /* HAVE_OPENSSL */
|