diff --git a/cyrus-sasl-2.1.20-saslauthd.conf-path.patch b/cyrus-sasl-2.1.20-saslauthd.conf-path.patch
index b85af08..1e414ff 100644
--- a/cyrus-sasl-2.1.20-saslauthd.conf-path.patch
+++ b/cyrus-sasl-2.1.20-saslauthd.conf-path.patch
@@ -1,15 +1,3 @@
-diff -up cyrus-sasl-2.1.27/saslauthd/saslauthd.8.path cyrus-sasl-2.1.27/saslauthd/saslauthd.8
---- cyrus-sasl-2.1.27/saslauthd/saslauthd.8.path 2015-11-20 15:05:30.421377527 +0100
-+++ cyrus-sasl-2.1.27/saslauthd/saslauthd.8 2015-11-20 15:06:58.779178999 +0100
-@@ -179,7 +179,7 @@ SASLAUTHD(8) BSD System Man
- anyway.)
- 
- FILES
-- /var/run/saslauthd/mux The default communications socket.
-+ /run/saslauthd/mux The default communications socket.
- 
- /usr/local/etc/saslauthd.conf
- The default configuration file for ldap support.
 diff -up cyrus-sasl-2.1.27/saslauthd/saslauthd.mdoc.path cyrus-sasl-2.1.27/saslauthd/saslauthd.mdoc
 --- cyrus-sasl-2.1.27/saslauthd/saslauthd.mdoc.path 2015-10-15 15:44:43.000000000 +0200
 +++ cyrus-sasl-2.1.27/saslauthd/saslauthd.mdoc 2015-11-20 15:05:30.421377527 +0100
diff --git a/cyrus-sasl-2.1.21-sizes.patch b/cyrus-sasl-2.1.21-sizes.patch
index 79963f0..6373924 100644
--- a/cyrus-sasl-2.1.21-sizes.patch
+++ b/cyrus-sasl-2.1.21-sizes.patch
@@ -1,10 +1,10 @@
 diff -up cyrus-sasl-2.1.27/configure.ac.sizes cyrus-sasl-2.1.27/configure.ac
 --- cyrus-sasl-2.1.27/configure.ac.sizes 2015-11-18 09:46:24.000000000 +0100
 +++ cyrus-sasl-2.1.27/configure.ac 2015-11-20 15:11:20.474588247 +0100
-@@ -1197,6 +1197,10 @@ AC_HEADER_STDC
+@@ -1312,6 +1312,10 @@ AC_HEADER_STDC
 AC_HEADER_DIRENT
 AC_HEADER_SYS_WAIT
- AC_CHECK_HEADERS(des.h dlfcn.h fcntl.h limits.h malloc.h paths.h strings.h sys/file.h sys/time.h syslog.h unistd.h inttypes.h sys/uio.h sys/param.h sysexits.h stdarg.h varargs.h)
+ AC_CHECK_HEADERS(crypt.h des.h dlfcn.h fcntl.h limits.h malloc.h paths.h strings.h sys/file.h sys/time.h syslog.h unistd.h inttypes.h sys/uio.h sys/param.h sysexits.h stdarg.h varargs.h krb5.h)
 +AC_CHECK_TYPES([long long, int8_t, uint8_t, int16_t, uint16_t, int32_t, uint32_t, int64_t, uint64_t],,,[
 +#ifdef HAVE_INTTYPES_H
 +#include
diff --git a/cyrus-sasl-2.1.25-no_rpath.patch b/cyrus-sasl-2.1.25-no_rpath.patch
index 33ed15d..3ff180c 100644
--- a/cyrus-sasl-2.1.25-no_rpath.patch
+++ b/cyrus-sasl-2.1.25-no_rpath.patch
@@ -1,6 +1,6 @@
-diff -up cyrus-sasl-2.1.25/cmulocal/cyrus.m4.no_rpath cyrus-sasl-2.1.25/cmulocal/cyrus.m4
---- cyrus-sasl-2.1.25/cmulocal/cyrus.m4.no_rpath 2010-01-22 16:12:01.000000000 +0100
-+++ cyrus-sasl-2.1.25/cmulocal/cyrus.m4 2012-12-06 14:59:47.956102057 +0100
+diff -up cyrus-sasl-2.1.25/m4/cyrus.m4.no_rpath cyrus-sasl-2.1.25/m4/cyrus.m4
+--- cyrus-sasl-2.1.25/m4/cyrus.m4.no_rpath 2010-01-22 16:12:01.000000000 +0100
++++ cyrus-sasl-2.1.25/m4/cyrus.m4 2012-12-06 14:59:47.956102057 +0100
 @@ -32,14 +32,5 @@ AC_DEFUN([CMU_ADD_LIBPATH_TO], [
 dnl runpath initialization
 AC_DEFUN([CMU_GUESS_RUNPATH_SWITCH], [
diff --git a/cyrus-sasl-2.1.26-keytab.patch b/cyrus-sasl-2.1.26-keytab.patch
deleted file mode 100644
index 390b517..0000000
--- a/cyrus-sasl-2.1.26-keytab.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-diff --git a/cmulocal/sasl2.m4 b/cmulocal/sasl2.m4
-index 3c2841a..b086b8f 100644
---- a/cmulocal/sasl2.m4
-+++ b/cmulocal/sasl2.m4
-@@ -269,6 +269,18 @@ if test "$gssapi" != no; then
- cmu_save_LIBS="$LIBS"
- LIBS="$LIBS $GSSAPIBASE_LIBS"
- AC_CHECK_FUNCS(gsskrb5_register_acceptor_identity)
-+ if test "$ac_cv_func_gsskrb5_register_acceptor_identity" = no ; then
-+ AC_CHECK_HEADERS(gssapi/gssapi_krb5.h)
-+ if test "$ac_cv_header_gssapi_gssapi_krb5_h" = "yes"; then
-+ AC_CHECK_DECL(gsskrb5_register_acceptor_identity,
-+ [AC_DEFINE(HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY,1,
-+ [Define if your GSSAPI implementation defines gsskrb5_register_acceptor_identity])],,
-+ [
-+ AC_INCLUDES_DEFAULT
-+ #include
-+ ])
-+ fi
-+ fi
- AC_CHECK_FUNCS(gss_decapsulate_token)
- AC_CHECK_FUNCS(gss_encapsulate_token)
- AC_CHECK_FUNCS(gss_oid_equal)
-diff --git a/plugins/gssapi.c b/plugins/gssapi.c
-index 6be9d23..e6fcf46 100644
---- a/plugins/gssapi.c
-+++ b/plugins/gssapi.c
-@@ -51,6 +51,8 @@
- #include
- #endif
- 
-+#include
-+
- #ifdef WIN32
- # include
- 
diff --git a/cyrus-sasl-2.1.26-release-server_creds.patch b/cyrus-sasl-2.1.26-release-server_creds.patch
deleted file mode 100644
index 8309f03..0000000
--- a/cyrus-sasl-2.1.26-release-server_creds.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff -up cyrus-sasl-2.1.27/plugins/gssapi.c.release-server_creds cyrus-sasl-2.1.27/plugins/gssapi.c
---- cyrus-sasl-2.1.27/plugins/gssapi.c.release-server_creds 2015-11-20 15:24:57.706740573 +0100
-+++ cyrus-sasl-2.1.27/plugins/gssapi.c 2015-11-20 15:26:00.310597014 +0100
-@@ -945,6 +945,12 @@ gssapi_server_mech_authneg(context_t *te
- ret = SASL_CONTINUE;
- }
- 
-+ /* Release server creds which are no longer needed */
-+ if ( text->server_creds != GSS_C_NO_CREDENTIAL) {
-+ maj_stat = gss_release_cred(&min_stat, &text->server_creds);
-+ text->server_creds = GSS_C_NO_CREDENTIAL;
-+ }
-+
- cleanup:
- if (text->server_creds != GSS_C_NO_CREDENTIAL) {
- GSS_LOCK_MUTEX(params->utils);
diff --git a/cyrus-sasl-2.1.26-size_t.patch b/cyrus-sasl-2.1.26-size_t.patch
deleted file mode 100644
index cde8238..0000000
--- a/cyrus-sasl-2.1.26-size_t.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up cyrus-sasl-2.1.26/include/sasl.h.size_t cyrus-sasl-2.1.26/include/sasl.h
---- cyrus-sasl-2.1.26/include/sasl.h.size_t 2012-10-12 09:05:48.000000000 -0500
-+++ cyrus-sasl-2.1.26/include/sasl.h 2013-01-31 13:21:04.007739327 -0600
-@@ -223,6 +223,8 @@ extern "C" {
- * they must be called before all other SASL functions:
- */
- 
-+#include
-+
- /* memory allocation functions which may optionally be replaced:
- */
- typedef void *sasl_malloc_t(size_t);
diff --git a/cyrus-sasl-2.1.26-sql.patch b/cyrus-sasl-2.1.26-sql.patch
deleted file mode 100644
index 90fd887..0000000
--- a/cyrus-sasl-2.1.26-sql.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-diff -up cyrus-sasl-2.1.27/configure.ac.sql cyrus-sasl-2.1.27/configure.ac
---- cyrus-sasl-2.1.27/configure.ac.sql 2015-11-20 15:36:43.343122451 +0100
-+++ cyrus-sasl-2.1.27/configure.ac 2015-11-20 15:37:01.409081023 +0100
-@@ -730,7 +730,18 @@ LIB_MYSQL=""
- 
- case "$with_mysql" in
- no) true;;
-- notfound) AC_WARN([MySQL Library not found]); true;;
-+ notfound)
-+ save_LDFLAGS=$LDFLAGS
-+ LIB_MYSQL=`mysql_config --libs`
-+ LIB_MYSQL="-lmysqlclient"
-+ LDFLAGS="$LDFLAGS $LIB_MYSQL"
-+ # CPPFLAGS="${CPPFLAGS} `mysql_config --include`"
-+ AC_CHECK_LIB(mysqlclient, mysql_select_db,
-+ AC_DEFINE(HAVE_MYSQL, [], [Do we have mysql support?]),
-+ [AC_WARN([MySQL library mysqlclient does not work])
-+ with_mysql=no])
-+ LDFLAGS=$save_LDFLAGS
-+ ;;
- *)
- if test -d ${with_mysql}/lib/mysql; then
- CMU_ADD_LIBPATH_TO(${with_mysql}/lib/mysql, LIB_MYSQL)
-@@ -751,6 +762,8 @@ case "$with_mysql" in
- CPPFLAGS="${CPPFLAGS} -I${with_mysql}/mysql/include"
- elif test -d ${with_mysql}/include; then
- CPPFLAGS="${CPPFLAGS} -I${with_mysql}/include"
-+ elif test -d ${prefix}/include/mysql; then
-+ CPPFLAGS="${CPPFLAGS} -I${prefix}/include/mysql"
- else
- CPPFLAGS="${CPPFLAGS} -I${with_mysql}"
- fi
-@@ -794,7 +807,17 @@ LIB_PGSQL=""
- 
- case "$with_pgsql" in
- no) true;;
-- notfound) AC_WARN([PostgreSQL Library not found]); true;;
-+ notfound)
-+ LIB_PGSQL="-lpq"
-+ # CPPFLAGS="${CPPFLAGS} -I`pg_config --includedir`"
-+ save_LDFLAGS=$LDFLAGS
-+ LDFLAGS="$LDFLAGS $LIB_PGSQL"
-+ AC_CHECK_LIB(pq, PQsetdbLogin, AC_DEFINE(HAVE_PGSQL,[],
-+ [Do we have Postgres support?]),
-+ [AC_WARN([PostgreSQL Library pq does not work])
-+ with_pgsql=no])
-+ LDFLAGS=$save_LDFLAGS
-+ ;;
- *)
- if test -d ${with_pgsql}/lib/pgsql; then
- CMU_ADD_LIBPATH_TO(${with_pgsql}/lib/pgsql, LIB_PGSQL)
-@@ -815,6 +838,8 @@ case "$with_pgsql" in
- CPPFLAGS="${CPPFLAGS} -I${with_pgsql}/pgsql/include"
- elif test -d ${with_pgsql}/include; then
- CPPFLAGS="${CPPFLAGS} -I${with_pgsql}/include"
-+ elif test -d ${prefix}/include; then
-+ CPPFLAGS="${CPPFLAGS} -I${prefix}/include"
- else
- CPPFLAGS="${CPPFLAGS} -I${with_pgsql}"
- fi
diff --git a/cyrus-sasl-2.1.26-warnings.patch b/cyrus-sasl-2.1.26-warnings.patch
deleted file mode 100644
index f7127bb..0000000
--- a/cyrus-sasl-2.1.26-warnings.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-diff -up cyrus-sasl-2.1.26/lib/server.c.warnings cyrus-sasl-2.1.26/lib/server.c
---- cyrus-sasl-2.1.26/lib/server.c.warnings 2012-10-12 16:05:48.000000000 +0200
-+++ cyrus-sasl-2.1.26/lib/server.c 2012-12-20 17:49:39.620254792 +0100
-@@ -650,7 +650,7 @@ static int load_config(const sasl_callba
- goto done;
- }
- 
-- snprintf(config_filename, len, "%.*s%c%s.conf", path_len, path_to_config,
-+ snprintf(config_filename, len, "%.*s%c%s.conf", (int)path_len, path_to_config,
- HIER_DELIMITER, global_callbacks.appname);
- 
- /* Ask the application if it's safe to use this file */
-diff -up cyrus-sasl-2.1.26/plugins/gssapi.c.warnings cyrus-sasl-2.1.26/plugins/gssapi.c
---- cyrus-sasl-2.1.26/plugins/gssapi.c.warnings 2012-01-28 00:31:36.000000000 +0100
-+++ cyrus-sasl-2.1.26/plugins/gssapi.c 2012-12-20 17:49:39.620254792 +0100
-@@ -202,7 +202,8 @@ sasl_gss_seterror_(const sasl_utils_t *u
- OM_uint32 msg_ctx;
- int ret;
- char *out = NULL;
-- size_t len, curlen = 0;
-+ size_t len;
-+ unsigned curlen = 0;
- const char prefix[] = "GSSAPI Error: ";
- 
- if (!utils) return SASL_OK;
-diff -up cyrus-sasl-2.1.26/plugins/ldapdb.c.warnings cyrus-sasl-2.1.26/plugins/ldapdb.c
---- cyrus-sasl-2.1.26/plugins/ldapdb.c.warnings 2012-01-28 00:31:36.000000000 +0100
-+++ cyrus-sasl-2.1.26/plugins/ldapdb.c 2012-12-20 17:49:39.621254788 +0100
-@@ -22,6 +22,7 @@
- 
- #include "plugin_common.h"
- 
-+#define LDAP_DEPRECATED 1
- #include
- 
- static char ldapdb[] = "ldapdb";
-diff -up cyrus-sasl-2.1.26/plugins/plugin_common.c.warnings cyrus-sasl-2.1.26/plugins/plugin_common.c
---- cyrus-sasl-2.1.26/plugins/plugin_common.c.warnings 2013-09-03 14:40:35.181455452 +0200
-+++ cyrus-sasl-2.1.26/plugins/plugin_common.c 2013-09-03 14:40:38.320441024 +0200
-@@ -94,7 +94,7 @@ static void sockaddr_unmapped(
- if (!IN6_IS_ADDR_V4MAPPED((&sin6->sin6_addr)))
- return;
- sin4 = (struct sockaddr_in *)sa;
-- addr = *(uint32_t *)&sin6->sin6_addr.s6_addr[12];
-+ addr = *(uint32_t *)&sin6->sin6_addr.s6_addr32[3];
- port = sin6->sin6_port;
- memset(sin4, 0, sizeof(struct sockaddr_in));
- sin4->sin_addr.s_addr = addr;
-diff -up cyrus-sasl-2.1.26/saslauthd/auth_httpform.c.warnings cyrus-sasl-2.1.26/saslauthd/auth_httpform.c
---- cyrus-sasl-2.1.26/saslauthd/auth_httpform.c.warnings 2012-10-12 16:05:48.000000000 +0200
-+++ cyrus-sasl-2.1.26/saslauthd/auth_httpform.c 2013-09-03 14:39:25.411776109 +0200
-@@ -574,7 +574,7 @@ auth_httpform (
- "Content-Type: application/x-www-form-urlencoded" CRLF
- "Content-Length: %d" TWO_CRLF
- "%s",
-- r_uri, r_host, r_port, strlen(req), req);
-+ r_uri, r_host, r_port, (int)strlen(req), req);
- 
- if (flags & VERBOSE) {
- syslog(LOG_DEBUG, "auth_httpform: sending %s %s %s",
-diff -up cyrus-sasl-2.1.26/saslauthd/auth_shadow.c.warnings cyrus-sasl-2.1.26/saslauthd/auth_shadow.c
---- cyrus-sasl-2.1.26/saslauthd/auth_shadow.c.warnings 2012-10-12 16:05:48.000000000 +0200
-+++ cyrus-sasl-2.1.26/saslauthd/auth_shadow.c 2012-12-20 17:49:39.621254788 +0100
-@@ -70,6 +70,10 @@
- # include
- # endif /* ! HAVE_GETUSERPW */
- 
-+# ifdef HAVE_CRYPT_H
-+# include
-+# endif
-+
- # include "auth_shadow.h"
- # include "globals.h"
- /* END PUBLIC DEPENDENCIES */
diff --git a/cyrus-sasl-2.1.27-openssl-1.1.0.patch b/cyrus-sasl-2.1.27-openssl-1.1.0.patch
deleted file mode 100644
index c02a214..0000000
--- a/cyrus-sasl-2.1.27-openssl-1.1.0.patch
+++ /dev/null
@@ -1,435 +0,0 @@
-diff -up cyrus-sasl-2.1.26/plugins/ntlm.c.openssl110 cyrus-sasl-2.1.26/plugins/ntlm.c
---- cyrus-sasl-2.1.26/plugins/ntlm.c.openssl110 2012-01-28 00:31:36.000000000 +0100
-+++ cyrus-sasl-2.1.26/plugins/ntlm.c 2016-11-07 16:15:57.498259304 +0100
-@@ -417,6 +417,29 @@ static unsigned char *P24(unsigned char
- return P24;
- }
- 
-+static HMAC_CTX *_plug_HMAC_CTX_new(const sasl_utils_t *utils)
-+{
-+ utils->log(NULL, SASL_LOG_DEBUG, "_plug_HMAC_CTX_new()");
-+
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+ return HMAC_CTX_new();
-+#else
-+ return utils->malloc(sizeof(HMAC_CTX));
-+#endif
-+}
-+
-+static void _plug_HMAC_CTX_free(HMAC_CTX *ctx, const sasl_utils_t *utils)
-+{
-+ utils->log(NULL, SASL_LOG_DEBUG, "_plug_HMAC_CTX_free()");
-+
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+ HMAC_CTX_free(ctx);
-+#else
-+ HMAC_cleanup(ctx);
-+ utils->free(ctx);
-+#endif
-+}
-+
- static unsigned char *V2(unsigned char *V2, sasl_secret_t *passwd,
- const char *authid, const char *target,
- const unsigned char *challenge,
-@@ -424,7 +447,7 @@ static unsigned char *V2(unsigned char *
- const sasl_utils_t *utils,
- char **buf, unsigned *buflen, int *result)
- {
-- HMAC_CTX ctx;
-+ HMAC_CTX *ctx = NULL;
- unsigned char hash[EVP_MAX_MD_SIZE];
- char *upper;
- unsigned int len;
-@@ -435,6 +458,10 @@ static unsigned char *V2(unsigned char *
- SETERROR(utils, "cannot allocate NTLMv2 hash");
- *result = SASL_NOMEM;
- }
-+ else if ((ctx = _plug_HMAC_CTX_new(utils)) == NULL) {
-+ SETERROR(utils, "cannot allocate HMAC CTX");
-+ *result = SASL_NOMEM;
-+ }
- else {
- /* NTLMv2hash = HMAC-MD5(NTLMhash, unicode(ucase(authid + domain))) */
- P16_nt(hash, passwd, utils, buf, buflen, result);
-@@ -449,17 +476,18 @@ static unsigned char *V2(unsigned char *
- HMAC(EVP_md5(), hash, MD4_DIGEST_LENGTH, *buf, 2 * len, hash, &len);
- 
- /* V2 = HMAC-MD5(NTLMv2hash, challenge + blob) + blob */
-- HMAC_Init(&ctx, hash, len, EVP_md5());
-- HMAC_Update(&ctx, challenge, NTLM_NONCE_LENGTH);
-- HMAC_Update(&ctx, blob, bloblen);
-- HMAC_Final(&ctx, V2, &len);
-- HMAC_cleanup(&ctx);
-+ HMAC_Init_ex(ctx, hash, len, EVP_md5(), NULL);
-+ HMAC_Update(ctx, challenge, NTLM_NONCE_LENGTH);
-+ HMAC_Update(ctx, blob, bloblen);
-+ HMAC_Final(ctx, V2, &len);
- 
- /* the blob is concatenated outside of this function */
- 
- *result = SASL_OK;
- }
- 
-+ if (ctx) _plug_HMAC_CTX_free(ctx, utils);
-+
- return V2;
- }
- 
-diff -up cyrus-sasl-2.1.26/plugins/otp.c.openssl110 cyrus-sasl-2.1.26/plugins/otp.c
---- cyrus-sasl-2.1.26/plugins/otp.c.openssl110 2012-10-12 16:05:48.000000000 +0200
-+++ cyrus-sasl-2.1.26/plugins/otp.c 2016-11-07 16:13:54.374327601 +0100
-@@ -96,6 +96,28 @@ static algorithm_option_t algorithm_opti
- {NULL, 0, NULL}
- };
- 
-+static EVP_MD_CTX *_plug_EVP_MD_CTX_new(const sasl_utils_t *utils)
-+{
-+ utils->log(NULL, SASL_LOG_DEBUG, "_plug_EVP_MD_CTX_new()");
-+
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+ return EVP_MD_CTX_new();
-+#else
-+ return utils->malloc(sizeof(EVP_MD_CTX));
-+#endif
-+}
-+
-+static void _plug_EVP_MD_CTX_free(EVP_MD_CTX *ctx, const sasl_utils_t *utils)
-+{
-+ utils->log(NULL, SASL_LOG_DEBUG, "_plug_EVP_MD_CTX_free()");
-+
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+ EVP_MD_CTX_free(ctx);
-+#else
-+ utils->free(ctx);
-+#endif
-+}
-+
- /* Convert the binary data into ASCII hex */
- void bin2hex(unsigned char *bin, int binlen, char *hex)
- {
-@@ -116,17 +138,16 @@ void bin2hex(unsigned char *bin, int bin
- * swabbing bytes if necessary.
- */
- static void otp_hash(const EVP_MD *md, char *in, size_t inlen,
-- unsigned char *out, int swab)
-+ unsigned char *out, int swab, EVP_MD_CTX *mdctx)
- {
-- EVP_MD_CTX mdctx;
-- char hash[EVP_MAX_MD_SIZE];
-+ unsigned char hash[EVP_MAX_MD_SIZE];
- unsigned int i;
- int j;
- unsigned hashlen;
- 
-- EVP_DigestInit(&mdctx, md);
-- EVP_DigestUpdate(&mdctx, in, inlen);
-- EVP_DigestFinal(&mdctx, hash, &hashlen);
-+ EVP_DigestInit(mdctx, md);
-+ EVP_DigestUpdate(mdctx, in, inlen);
-+ EVP_DigestFinal(mdctx, hash, &hashlen);
- 
- /* Fold the result into 64 bits */
- for (i = OTP_HASH_SIZE; i < hashlen; i++) {
-@@ -149,7 +170,9 @@ static int generate_otp(const sasl_utils
- char *secret, char *otp)
- {
- const EVP_MD *md;
-- char *key;
-+ EVP_MD_CTX *mdctx = NULL;
-+ char *key = NULL;
-+ int r = SASL_OK;
- 
- if (!(md = EVP_get_digestbyname(alg->evp_name))) {
- utils->seterror(utils->conn, 0,
-@@ -157,23 +180,32 @@ static int generate_otp(const sasl_utils
- return SASL_FAIL;
- }
- 
-+ if ((mdctx = _plug_EVP_MD_CTX_new(utils)) == NULL) {
-+ SETERROR(utils, "cannot allocate MD CTX");
-+ r = SASL_NOMEM;
-+ goto done;
-+ }
-+
- if ((key = utils->malloc(strlen(seed) + strlen(secret) + 1)) == NULL) {
- SETERROR(utils, "cannot allocate OTP key");
-- return SASL_NOMEM;
-+ r = SASL_NOMEM;
-+ goto done;
- }
- 
- /* initial step */
- strcpy(key, seed);
- strcat(key, secret);
-- otp_hash(md, key, strlen(key), otp, alg->swab);
-+ otp_hash(md, key, strlen(key), otp, alg->swab, mdctx);
- 
- /* computation step */
- while (seq-- > 0)
-- otp_hash(md, otp, OTP_HASH_SIZE, otp, alg->swab);
--
-- utils->free(key);
-+ otp_hash(md, otp, OTP_HASH_SIZE, otp, alg->swab, mdctx);
-+
-+ done:
-+ if (key) utils->free(key);
-+ if (mdctx) _plug_EVP_MD_CTX_free(mdctx, utils);
- 
-- return SASL_OK;
-+ return r;
- }
- 
- static int parse_challenge(const sasl_utils_t *utils,
-@@ -693,7 +725,8 @@ static int strptrcasecmp(const void *arg
- 
- /* Convert the 6 words into binary data */
- static int word2bin(const sasl_utils_t *utils,
-- char *words, unsigned char *bin, const EVP_MD *md)
-+ char *words, unsigned char *bin, const EVP_MD *md,
-+ EVP_MD_CTX *mdctx)
- {
- int i, j;
- char *c, *word, buf[OTP_RESPONSE_MAX+1];
-@@ -752,13 +785,12 @@ static int word2bin(const sasl_utils_t *
- 
- /* alternate dictionary */
- if (alt_dict) {
-- EVP_MD_CTX mdctx;
-- char hash[EVP_MAX_MD_SIZE];
-- int hashlen;
-+ unsigned char hash[EVP_MAX_MD_SIZE];
-+ unsigned hashlen;
- 
-- EVP_DigestInit(&mdctx, md);
-- EVP_DigestUpdate(&mdctx, word, strlen(word));
-- EVP_DigestFinal(&mdctx, hash, &hashlen);
-+ EVP_DigestInit(mdctx, md);
-+ EVP_DigestUpdate(mdctx, word, strlen(word));
-+ EVP_DigestFinal(mdctx, hash, &hashlen);
- 
- /* use lowest 11 bits */
- x = ((hash[hashlen-2] & 0x7) << 8) | hash[hashlen-1];
-@@ -802,6 +834,7 @@ static int verify_response(server_contex
- char *response)
- {
- const EVP_MD *md;
-+ EVP_MD_CTX *mdctx = NULL;
- char *c;
- int do_init = 0;
- unsigned char cur_otp[OTP_HASH_SIZE], prev_otp[OTP_HASH_SIZE];
-@@ -815,6 +848,11 @@ static int verify_response(server_contex
- return SASL_FAIL;
- }
- 
-+ if ((mdctx = _plug_EVP_MD_CTX_new(utils)) == NULL) {
-+ SETERROR(utils, "cannot allocate MD CTX");
-+ return SASL_NOMEM;
-+ }
-+
- /* eat leading whitespace */
- c = response;
- while (isspace((int) *c)) c++;
-@@ -824,7 +862,7 @@ static int verify_response(server_contex
- r = hex2bin(c+strlen(OTP_HEX_TYPE), cur_otp, OTP_HASH_SIZE);
- }
- else if (!strncasecmp(c, OTP_WORD_TYPE, strlen(OTP_WORD_TYPE))) {
-- r = word2bin(utils, c+strlen(OTP_WORD_TYPE), cur_otp, md);
-+ r = word2bin(utils, c+strlen(OTP_WORD_TYPE), cur_otp, md, mdctx);
- }
- else if (!strncasecmp(c, OTP_INIT_HEX_TYPE,
- strlen(OTP_INIT_HEX_TYPE))) {
-@@ -834,7 +872,7 @@ static int verify_response(server_contex
- else if (!strncasecmp(c, OTP_INIT_WORD_TYPE,
- strlen(OTP_INIT_WORD_TYPE))) {
- do_init = 1;
-- r = word2bin(utils, c+strlen(OTP_INIT_WORD_TYPE), cur_otp, md);
-+ r = word2bin(utils, c+strlen(OTP_INIT_WORD_TYPE), cur_otp, md, mdctx);
- }
- else {
- SETERROR(utils, "unknown OTP extended response type");
-@@ -843,14 +881,15 @@ static int verify_response(server_contex
- }
- else {
- /* standard response, try word first, and then hex */
-- r = word2bin(utils, c, cur_otp, md);
-+ r = word2bin(utils, c, cur_otp, md, mdctx);
- if (r != SASL_OK)
- r = hex2bin(c, cur_otp, OTP_HASH_SIZE);
- }
- 
- if (r == SASL_OK) {
- /* do one more hash (previous otp) and compare to stored otp */
-- otp_hash(md, cur_otp, OTP_HASH_SIZE, prev_otp, text->alg->swab);
-+ otp_hash(md, (char *) cur_otp, OTP_HASH_SIZE,
-+ prev_otp, text->alg->swab, mdctx);
- 
- if (!memcmp(prev_otp, text->otp, OTP_HASH_SIZE)) {
- /* update the secret with this seq/otp */
-@@ -879,23 +918,28 @@ static int verify_response(server_contex
- *new_resp++ = '\0';
- }
- 
-- if (!(new_chal && new_resp))
-- return SASL_BADAUTH;
-+ if (!(new_chal && new_resp)) {
-+ r = SASL_BADAUTH;
-+ goto done;
-+ }
- 
- if ((r = parse_challenge(utils, new_chal, &alg, &seq, seed, 1))
- != SASL_OK) {
-- return r;
-+ goto done;
- }
- 
-- if (seq < 1 || !strcasecmp(seed, text->seed))
-- return SASL_BADAUTH;
-+ if (seq < 1 || !strcasecmp(seed, text->seed)) {
-+ r = SASL_BADAUTH;
-+ goto done;
-+ }
- 
- /* find the MDA */
- if (!(md = EVP_get_digestbyname(alg->evp_name))) {
- utils->seterror(utils->conn, 0,
- "OTP algorithm %s is not available",
- alg->evp_name);
-- return SASL_BADAUTH;
-+ r = SASL_BADAUTH;
-+ goto done;
- }
- 
- if (!strncasecmp(c, OTP_INIT_HEX_TYPE, strlen(OTP_INIT_HEX_TYPE))) {
-@@ -903,7 +947,7 @@ static int verify_response(server_contex
- }
- else if (!strncasecmp(c, OTP_INIT_WORD_TYPE,
- strlen(OTP_INIT_WORD_TYPE))) {
-- r = word2bin(utils, new_resp, new_otp, md);
-+ r = word2bin(utils, new_resp, new_otp, md, mdctx);
- }
- 
- if (r == SASL_OK) {
-@@ -914,7 +958,10 @@ static int verify_response(server_contex
- memcpy(text->otp, new_otp, OTP_HASH_SIZE);
- }
- }
--
-+
-+ done:
-+ if (mdctx) _plug_EVP_MD_CTX_free(mdctx, utils);
-+
- return r;
- }
- 
-diff -up cyrus-sasl-2.1.26/saslauthd/lak.c.openssl110 cyrus-sasl-2.1.26/saslauthd/lak.c
---- cyrus-sasl-2.1.26/saslauthd/lak.c.openssl110 2016-11-07 16:13:54.347327616 +0100
-+++ cyrus-sasl-2.1.26/saslauthd/lak.c 2016-11-07 16:18:42.283167898 +0100
-@@ -61,6 +61,35 @@
- #include
- #include "lak.h"
- 
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+static EVP_MD_CTX *EVP_MD_CTX_new(void)
-+{
-+ return EVP_MD_CTX_create();
-+}
-+static void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
-+{
-+ if (ctx == NULL)
-+ return;
-+
-+ EVP_MD_CTX_destroy(ctx);
-+}
-+
-+static EVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void)
-+{
-+ EVP_ENCODE_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));
-+
-+ if (ctx != NULL) {
-+ memset(ctx, 0, sizeof(*ctx));
-+ }
-+ return ctx;
-+}
-+static void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx)
-+{
-+ OPENSSL_free(ctx);
-+ return;
-+}
-+#endif
-+
- typedef struct lak_auth_method {
- int method;
- int (*check) (LAK *lak, const char *user, const char *service, const char *realm, const char *password) ;
-@@ -1720,20 +1749,28 @@ static int lak_base64_decode(
- 
- int rc, i, tlen = 0;
- char *text;
-- EVP_ENCODE_CTX EVP_ctx;
-+ EVP_ENCODE_CTX *enc_ctx = EVP_ENCODE_CTX_new();
- 
-- text = (char *)malloc(((strlen(src)+3)/4 * 3) + 1);
- if (text == NULL)
- return LAK_NOMEM;
- 
-- EVP_DecodeInit(&EVP_ctx);
-- rc = EVP_DecodeUpdate(&EVP_ctx, text, &i, (char *)src, strlen(src));
-+ text = (char *)malloc(((strlen(src)+3)/4 * 3) + 1);
-+ if (text == NULL) {
-+ EVP_ENCODE_CTX_free(enc_ctx);
-+ return LAK_NOMEM;
-+ }
-+
-+ EVP_DecodeInit(enc_ctx);
-+ rc = EVP_DecodeUpdate(enc_ctx, (unsigned char *) text, &i, (const unsigned char *)src, strlen(src));
- if (rc < 0) {
-+ EVP_ENCODE_CTX_free(enc_ctx);
- free(text);
- return LAK_FAIL;
- }
- tlen += i;
-- EVP_DecodeFinal(&EVP_ctx, text, &i);
-+ EVP_DecodeFinal(enc_ctx, (unsigned char *) text, &i);
-+
-+ EVP_ENCODE_CTX_free(enc_ctx);
- 
- *ret = text;
- if (rlen != NULL)
-@@ -1749,7 +1786,7 @@ static int lak_check_hashed(
- {
- int rc, clen;
- LAK_HASH_ROCK *hrock = (LAK_HASH_ROCK *) rock;
-- EVP_MD_CTX mdctx;
-+ EVP_MD_CTX *mdctx;
- const EVP_MD *md;
- unsigned char digest[EVP_MAX_MD_SIZE];
- char *cred;
-@@ -1758,17 +1795,24 @@ static int lak_check_hashed(
- if (!md)
- return LAK_FAIL;
- 
-+ mdctx = EVP_MD_CTX_new();
-+ if (!mdctx)
-+ return LAK_NOMEM;
-+
- rc = lak_base64_decode(hash, &cred, &clen);
-- if (rc != LAK_OK)
-+ if (rc != LAK_OK) {
-+ EVP_MD_CTX_free(mdctx);
- return rc;
-+ }
- 
-- EVP_DigestInit(&mdctx, md);
-- EVP_DigestUpdate(&mdctx, passwd, strlen(passwd));
-+ EVP_DigestInit(mdctx, md);
-+ EVP_DigestUpdate(mdctx, passwd, strlen(passwd));
- if (hrock->salted) {
-- EVP_DigestUpdate(&mdctx, &cred[EVP_MD_size(md)],
-+ EVP_DigestUpdate(mdctx, &cred[EVP_MD_size(md)],
- clen - EVP_MD_size(md));
- }
-- EVP_DigestFinal(&mdctx, digest, NULL);
-+ EVP_DigestFinal(mdctx, digest, NULL);
-+ EVP_MD_CTX_free(mdctx);
- 
- rc = memcmp((char *)cred, (char *)digest, EVP_MD_size(md));
- free(cred);
diff --git a/cyrus-sasl.spec b/cyrus-sasl.spec
index c3f4045..ac1071d 100644
--- a/cyrus-sasl.spec
+++ b/cyrus-sasl.spec
@@ -27,27 +27,20 @@ Patch15: cyrus-sasl-2.1.20-saslauthd.conf-path.patch
 Patch23: cyrus-sasl-2.1.23-man.patch
 Patch24: cyrus-sasl-2.1.21-sizes.patch
 Patch31: cyrus-sasl-2.1.22-kerberos4.patch
-Patch32: cyrus-sasl-2.1.26-warnings.patch
 Patch34: cyrus-sasl-2.1.22-ldap-timeout.patch
 # removed due to #759334
 #Patch38: cyrus-sasl-2.1.23-pam_rhosts.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=816250
 Patch43: cyrus-sasl-2.1.26-null-crypt.patch
-Patch44: cyrus-sasl-2.1.26-release-server_creds.patch
 # AM_CONFIG_HEADER is obsolete, use AC_CONFIG_HEADERS instead
 Patch45: cyrus-sasl-2.1.26-obsolete-macro.patch
-# missing size_t declaration in sasl.h
-Patch46: cyrus-sasl-2.1.26-size_t.patch
 # disable incorrect check for MkLinux
 Patch47: cyrus-sasl-2.1.26-ppc.patch
 # detect gsskrb5_register_acceptor_identity macro (#976538)
-Patch48: cyrus-sasl-2.1.26-keytab.patch
-Patch49: cyrus-sasl-2.1.26-md5global.patch
+#Patch49: cyrus-sasl-2.1.26-md5global.patch
 # revert upstream commit 080e51c7fa0421eb2f0210d34cf0ac48a228b1e9 (#984079)
 # https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
 Patch50: cyrus-sasl-2.1.26-revert-upstream-080e51c7fa0421eb2f0210d34cf0ac48a228b1e9.patch
-# improve sql libraries detection
-Patch51: cyrus-sasl-2.1.26-sql.patch
 # improve configuration error message
 Patch52: cyrus-sasl-2.1.26-config-error.patch
 # Treat SCRAM-SHA-1/DIGEST-MD5 as more secure than PLAIN (#970718)
@@ -198,17 +191,12 @@ chmod -x include/*.h
 %patch23 -p1 -b .man
 %patch24 -p1 -b .sizes
 #%patch31 -p1 -b .krb4
-%patch32 -p1 -b .warnings
 #%patch34 -p1 -b .ldap-timeout
 #%patch43 -p1 -b .null-crypt
-%patch44 -p1 -b .release-server_creds
 #%patch45 -p1 -b .obsolete-macro
-%patch46 -p1 -b .size_t
 #%patch47 -p1 -b .ppc
-%patch48 -p1 -b .keytab
-%patch49 -p1 -b .md5global.h
+#%patch49 -p1 -b .md5global.h
 %patch50 -p1 -b .gssapi
-%patch51 -p1 -b .sql
 #%patch52 -p1 -b .configerr
 #%patch53 -p1 -b .sha1vsplain
 #%patch54 -p1 -b .leak
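Review bot: In the first cyrus-sasl.spec hunk the comment `# detect gsskrb5_register_acceptor_identity macro (#976538)` is kept although `Patch48` is removed, so it now sits directly above `#Patch49: cyrus-sasl-2.1.26-md5global.patch` and reads as that patch's description. Drop the comment together with Patch48, and give the disabled Patch49 its own reason line in the style already used for Patch38 (`# removed due to #759334`), for example `# disabled: <reason or bug id>`. The same hunk drops `Patch44` (the release of GSSAPI server credentials after authentication) and the second hunk drops its `%patch44` line; nothing visible in this diff records that the rebased source already carries that fix, so a changelog or commit-message line naming the upstream release that absorbed each dropped patch would let a reviewer confirm no credential-handling fix is lost.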