From 8965b00c7fa7c7caa0cf451551a63b8262abd5e6 Mon Sep 17 00:00:00 2001
From: Carlo Landmeter
Date: Wed, 9 Jan 2019 09:08:19 +0000
Subject: main/cyrus-sasl: upgrade to 2.1.27 and cleanup

fails to build with ldap (linker issue) should probably be added/fixed in the future. make sasldb the default auth for saslauthd (we do not support pam).
---
main/cyrus-sasl/APKBUILD | 130 +++--
main/cyrus-sasl/CVE-2013-4122.patch | 117 ------
.../cyrus-sasl-2.1.25-avoid_pic_overwrite.patch | 27 --
main/cyrus-sasl/cyrus-sasl-2.1.26-size_t.patch | 12 -
main/cyrus-sasl/cyrus-sasl-2.1.27-as_needed.patch | 25 ++
.../cyrus-sasl-2.1.27-autotools_fixes.patch | 31 ++
.../cyrus-sasl-2.1.27-avoid_pic_overwrite.patch | 17 +
.../cyrus-sasl-2.1.27-doc_build_fix.patch | 11 +
...us-sasl-2.1.27-gss_c_nt_hostbased_service.patch | 16 +
main/cyrus-sasl/openssl-1.1.patch | 435 --------------------
main/cyrus-sasl/saslauthd.initd | 19 +-
11 files changed, 178 insertions(+), 662 deletions(-)
delete mode 100644 main/cyrus-sasl/CVE-2013-4122.patch
delete mode 100644 main/cyrus-sasl/cyrus-sasl-2.1.25-avoid_pic_overwrite.patch
delete mode 100644 main/cyrus-sasl/cyrus-sasl-2.1.26-size_t.patch
create mode 100644 main/cyrus-sasl/cyrus-sasl-2.1.27-as_needed.patch
create mode 100644 main/cyrus-sasl/cyrus-sasl-2.1.27-autotools_fixes.patch
create mode 100644 main/cyrus-sasl/cyrus-sasl-2.1.27-avoid_pic_overwrite.patch
create mode 100644 main/cyrus-sasl/cyrus-sasl-2.1.27-doc_build_fix.patch
create mode 100644 main/cyrus-sasl/cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch
delete mode 100644 main/cyrus-sasl/openssl-1.1.patch
(limited to 'main/cyrus-sasl')
diff --git a/main/cyrus-sasl/APKBUILD b/main/cyrus-sasl/APKBUILD
index aaefd7c811..c193314bc3 100644
--- a/main/cyrus-sasl/APKBUILD
+++ b/main/cyrus-sasl/APKBUILD
@@ -1,25 +1,45 @@
 # Contributor: Leonardo Arena
 # Maintainer: Natanael Copa
 pkgname=cyrus-sasl
-pkgver=2.1.26
-pkgrel=15
+pkgver=2.1.27
+pkgrel=0
 pkgdesc="Cyrus Simple Authentication Service Layer (SASL)"
 url="https://cyrusimap.org/"
 arch="all"
 license="custom"
 options="!check" # No test suite.
-subpackages="$pkgname-static $pkgname-dev $pkgname-doc $pkgname-gssapi $pkgname-gs2
- $pkgname-scram $pkgname-ntlm $pkgname-crammd5 $pkgname-digestmd5
- libsasl $pkgname-openrc"
-depends=
-makedepends="db-dev openssl-dev heimdal-dev
- autoconf automake libtool"
-source="ftp://ftp.cyrusimap.org/$pkgname/$pkgname-$pkgver.tar.gz
+subpackages="
+ $pkgname-dev
+ $pkgname-doc
+ $pkgname-openrc
+ libsasl
+ $pkgname-gssapiv2:_plugin
+ $pkgname-gs2:_plugin
+ $pkgname-scram:_plugin
+ $pkgname-ntlm:_plugin
+ $pkgname-crammd5:_plugin
+ $pkgname-digestmd5:_plugin
+ $pkgname-plain:_plugin
+ $pkgname-login:_plugin
+ "
+makedepends="
+ db-dev
+ openssl-dev
+ krb5-dev
+ openldap-dev
+ py-sphinx
+
+ automake
+ autoconf
+ libtool
+ "
+source="https://github.com/cyrusimap/cyrus-sasl/releases/download/cyrus-sasl-$pkgver/cyrus-sasl-$pkgver.tar.gz
+ cyrus-sasl-2.1.27-as_needed.patch
+ cyrus-sasl-2.1.27-autotools_fixes.patch
+ cyrus-sasl-2.1.27-avoid_pic_overwrite.patch
+ cyrus-sasl-2.1.27-doc_build_fix.patch
+ cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch
 saslauthd.initd
- cyrus-sasl-2.1.25-avoid_pic_overwrite.patch
- cyrus-sasl-2.1.26-size_t.patch
- CVE-2013-4122.patch
- openssl-1.1.patch
 "
 
 # secfixes:
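Review bot: The gssapi subpackage is renamed to `$pkgname-gssapiv2` in the new subpackages list, but nothing declares the old name, so an installed `cyrus-sasl-gssapi` will not be carried forward on upgrade; the `_plugin()` helper in a later hunk only sets `replaces="libsasl"`. Either keep the old subpackage name or give that one plugin something like `provides="$pkgname-gssapi=$pkgver-r$pkgrel"` and `replaces="$pkgname-gssapi"`. Separately, `openldap-dev` joins makedepends while the commit message says the LDAP build is broken and the configure call in the next hunk passes neither `--with-ldap` nor `--without-ldap`, so it looks like an unused build dependency; drop it or add a `# for saslauthd ldap, currently disabled` comment explaining why it stays.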
@@ -27,50 +47,48 @@ source="ftp://ftp.cyrusimap.org/$pkgname/$pkgname-$pkgver.tar.gz
 # - CVE-2013-4122
 
 builddir="$srcdir"/$pkgname-$pkgver
-prepare() {
- default_prepare
-
- # the libtool they ship is broken
- sed 's/AM_CONFIG_HEADER/AC_CONFIG_HEADERS/' -i configure.in || return 1
- rm -rf config/config.guess config/config.sub config/ltconfig \
- config/ltmain.sh config/libtool.m4 autom4te.cache
- libtoolize -c && aclocal -I config -I cmulocal \
- && automake -a -c && autoheader && autoconf
-}
 
 build() {
- cd "$builddir"
+ autoreconf -vif
 ./configure \
 --build=$CBUILD \
 --host=$CHOST \
 --prefix=/usr \
 --sysconfdir=/etc \
 --localstatedir=/var \
+ --mandir=/usr/share/man \
 --enable-static \
 --enable-shared \
- --disable-anon \
+ --disable-java \
+ --with-plugindir=/usr/lib/sasl2 \
+ --with-configdir=/etc/sasl2 \
+ --with-dbpath=/etc/sasl2/sasldb2 \
+ --disable-krb4 \
+ --with-gss_impl=mit \
+ --enable-gssapi \
+ --with-rc4 \
+ --with-dblib=berkeley \
+ --with-saslauthd=/run/saslauthd \
+ --without-pwcheck \
+ --with-devrandom=/dev/urandom \
+ --enable-anon \
 --enable-cram \
 --enable-digest \
- --enable-login \
 --enable-ntlm \
- --disable-otp \
 --enable-plain \
- --with-gss_impl=heimdal \
- --with-devrandom=/dev/urandom \
- --without-ldap \
- --with-saslauthd=/var/run/saslauthd \
- --mandir=/usr/share/man
- # parallell builds is broken
- make -j1
+ --enable-login \
+ --enable-auth-sasldb \
+ --enable-alwaystrue \
+ --disable-otp
+ make
 }
 
 package() {
- cd "$srcdir"/cyrus-sasl-$pkgver
+ cd "$builddir"
 make -j1 DESTDIR="$pkgdir" install
+ mkdir -p "$pkgdir"/etc/sasl2
 install -D -m644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING
-
- install -Dm755 ../saslauthd.initd "$pkgdir"/etc/init.d/saslauthd
- install -d "$pkgdir"/var/run/saslauthd
+ install -Dm755 "$srcdir"/saslauthd.initd "$pkgdir"/etc/init.d/saslauthd
 }
 
 static() {
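Review bot: `--enable-alwaystrue` is new in the configure call and builds the alwaystrue password verifier, which upstream's configure help marks as discouraged because, once selected as the pwcheck method, it accepts any password; the commit message gives no reason for it, so unless something here depends on it the flag should go, or carry a `# alwaystrue: needed for <reason>` comment. The same hunk turns `--disable-anon` into `--enable-anon`, so the ANONYMOUS mechanism plugin is now built and, per the libsasl hunk below, shipped to every libsasl consumer — a behaviour change worth one line in the commit message. Minor: `build()` drops `make -j1` (the "parallell builds is broken" comment goes with it) while `package()` keeps `make -j1 DESTDIR="$pkgdir" install`; if the parallel build is trusted now, `make DESTDIR="$pkgdir" install` keeps the two consistent.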
@@ -79,32 +97,30 @@ static() {
 mv "$pkgdir"/usr/lib/*.a "$subpkgdir"/usr/lib/
 }
 
-_plugindir=usr/lib/sasl2
 _plugin() {
 depends=
+ local plugin=${subpkgname/$pkgname-/}
 replaces="libsasl"
- pkgdesc="Cyrus SASL plugin for $1"
- mkdir -p "$subpkgdir"/$_plugindir
- mv "$pkgdir"/$_plugindir/lib${1}.so* "$subpkgdir"/$_plugindir/
+ pkgdesc="Cyrus SASL plugin for $plugin"
+ mkdir -p "$subpkgdir"/usr/lib/sasl2
+ mv "$pkgdir"/usr/lib/sasl2/lib${plugin}.so* "$subpkgdir"/usr/lib/sasl2/
 }
 
-gssapi() { _plugin gssapiv2; }
-gs2() { _plugin gs2; }
-scram() { _plugin scram; }
-ntlm() { _plugin ntlm; }
-crammd5() { _plugin crammd5; }
-digestmd5() { _plugin digestmd5; }
-
 libsasl() {
 depends=
 pkgdesc="Cyrus Simple Authentication and Security Layer (SASL) library"
- mkdir -p "$subpkgdir"/usr
- mv "$pkgdir"/usr/lib "$subpkgdir"/usr/
+ mkdir -p "$subpkgdir"/usr/lib/sasl2
+ local lib=
+ for lib in anonymous sasldb; do
+ mv "$pkgdir"/usr/lib/sasl2/*${lib}*.so* "$subpkgdir"/usr/lib/sasl2/
+ done
+ mv "$pkgdir"/usr/lib/libsasl*.so.* "$subpkgdir"/usr/lib/
 }
 
-sha512sums="78819cb9bb38bea4537d6770d309deeeef09ff44a67526177609d3e1257ff4334d2b5e5131d5a1e4dea7430d8db1918ea9d171f0dee38b5e8337f4b72ed068f0 cyrus-sasl-2.1.26.tar.gz
-71a00a22f91f0fb6ba2796acede321a0f071b1d7a99616f0e36c354213777f30575c340b6df392dcbfc103ba7640d046144882f6a7b505f59709bb5c429b44d8 saslauthd.initd
-033e3634116e1d3b316052dbe0b671cca0fcfb6063fca1a97d990c422c2ce05109a1e424e84ed9928dc0312a325a7248f2d2e3f9547f84453b36331c01f63be5 cyrus-sasl-2.1.25-avoid_pic_overwrite.patch
-fe4c3e6d5230eb50b9e6885129760a12e7bce316b41a3e58b2c550fa83526b91205cd827f7d1367751313559875d32982b95b024b1a22300ac5b35214e7c2b78 cyrus-sasl-2.1.26-size_t.patch
-08964bc3ad713e137b8f05f9bac345d79676d14784bc37525f195e8e2a3e6740428237b64f7eeeacc0c71ed6cf1664c6e9c2267ac6df327761d92174a1853744 CVE-2013-4122.patch
-75541cf0a1b52f809ac9073b629a224fdb6e70a13ce0cf10c0ad0a12bf94887a725466e8000c2a412f20d88d8c4b8bc5be5a5bf74d752c529bc76cfa58755d8a openssl-1.1.patch"
+sha512sums="d11549a99b3b06af79fc62d5478dba3305d7e7cc0824f4b91f0d2638daafbe940623eab235f85af9be38dcf5d42fc131db531c177040a85187aee5096b8df63b cyrus-sasl-2.1.27.tar.gz
+9eefa6d45e3dd9157a5672909acdd88f0ae35e76d64c3723890a474bbb05b22499cfadb0c077924d27f34da3710b2b700094dd7d5704050138c08dabcefdde94 cyrus-sasl-2.1.27-as_needed.patch
+0d99ca049e76c11500769079d94f3bdb634bddb4c8d45a83b383e9bb9777edda66b17566800acbd450e1f4842d070ec3fbc236e7f0ef8759c36e6dd5ea8e3c64 cyrus-sasl-2.1.27-autotools_fixes.patch
+4ca601839b023ef790e48dae567ffbbd57c632384c980946639ec7437ad23874961451718569455e6e25afaeff1728ecbc71a8686f6b43246f83465f95a2c904 cyrus-sasl-2.1.27-avoid_pic_overwrite.patch
+6d723e7ec2c431b45c011b887187b6a670dbe646aa4c39d38171047ab23db529c30c433f8d4dd624181917c5ce4e5271f86e35e2644ede1c40dfb09cb67dccde cyrus-sasl-2.1.27-doc_build_fix.patch
+fca4f2b7e427c7613f71daa4a31772c33c8c0fe9d7f85b57b85da71bc5a88a18fc52f7caea463188b4addd31cd041d5349af689d5face2cc45fb50c700a8afd7 cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch
+f76bfb61567172428cdbc1ed900d5e0b6e66afc38118db6ba0e2fd8ba01956ad896e56463b2249bdc46d8725384f1b975a2af3601c0735327d3f8bc26ce1ed75 saslauthd.initd"
diff --git a/main/cyrus-sasl/CVE-2013-4122.patch b/main/cyrus-sasl/CVE-2013-4122.patch
deleted file mode 100644
index 38f2595a5c..0000000000
--- a/main/cyrus-sasl/CVE-2013-4122.patch
+++ /dev/null
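Review bot: `static()` is now dead code: its header sits just above this hunk and its body is the first context line here, but `$pkgname-static` was removed from subpackages in the first hunk, so the function is never called and the `--enable-static` archives end up wherever the default `dev()` split places them. Either delete `static()` or put the subpackage back. In `libsasl()`, the loop moves `*${lib}*.so*` for `anonymous` and `sasldb`, which is looser than the `lib${plugin}.so*` pattern `_plugin()` uses one function up; `mv "$pkgdir"/usr/lib/sasl2/lib${lib}.so* "$subpkgdir"/usr/lib/sasl2/` matches the same files today and cannot later sweep in another plugin whose name happens to contain the substring.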
@@ -1,117 +0,0 @@ -From dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d Mon Sep 17 00:00:00 2001 -From: mancha -Date: Thu, 11 Jul 2013 10:08:07 +0100 -Subject: Handle NULL returns from glibc 2.17+ crypt() - -Starting with glibc 2.17 (eglibc 2.17), crypt() fails with EINVAL -(w/ NULL return) if the salt violates specifications. Additionally, -on FIPS-140 enabled Linux systems, DES/MD5-encrypted passwords -passed to crypt() fail with EPERM (w/ NULL return). - -When using glibc's crypt(), check return value to avoid a possible -NULL pointer dereference. - -Patch by mancha1@hush.com. - -diff --git a/pwcheck/pwcheck_getpwnam.c b/pwcheck/pwcheck_getpwnam.c -index 4b34222..400289c 100644 ---- a/pwcheck/pwcheck_getpwnam.c -+++ b/pwcheck/pwcheck_getpwnam.c -@@ -32,6 +32,7 @@ char *userid; - char *password; - { - char* r; -+ char* crpt_passwd; - struct passwd *pwd; - - pwd = getpwnam(userid); -@@ -41,7 +42,7 @@ char *password; - else if (pwd->pw_passwd[0] == '*') { - r = "Account disabled"; - } -- else if (strcmp(pwd->pw_passwd, crypt(password, pwd->pw_passwd)) != 0) { -+ else if (!(crpt_passwd = crypt(password, pwd->pw_passwd)) || strcmp(pwd->pw_passwd, (const char *)crpt_passwd) != 0) { - r = "Incorrect password"; - } - else { -diff --git a/pwcheck/pwcheck_getspnam.c b/pwcheck/pwcheck_getspnam.c -index 2b11286..6d607bb 100644 ---- a/pwcheck/pwcheck_getspnam.c -+++ b/pwcheck/pwcheck_getspnam.c -@@ -32,13 +32,15 @@ char *userid; - char *password; - { - struct spwd *pwd; -+ char *crpt_passwd; - - pwd = getspnam(userid); - if (!pwd) { - return "Userid not found"; - } - -- if (strcmp(pwd->sp_pwdp, crypt(password, pwd->sp_pwdp)) != 0) { -+ crpt_passwd = crypt(password, pwd->sp_pwdp); -+ if (!crpt_passwd || strcmp(pwd->sp_pwdp, (const char *)crpt_passwd) != 0) { - return "Incorrect password"; - } - else { -diff --git a/saslauthd/auth_getpwent.c b/saslauthd/auth_getpwent.c -index fc8029d..d4ebe54 100644 ---- a/saslauthd/auth_getpwent.c -+++ b/saslauthd/auth_getpwent.c -@@ -77,6 +77,7 @@ 
auth_getpwent ( - { - /* VARIABLES */ - struct passwd *pw; /* pointer to passwd file entry */ -+ char *crpt_passwd; /* encrypted password */ - int errnum; - /* END VARIABLES */ - -@@ -105,7 +106,8 @@ auth_getpwent ( - } - } - -- if (strcmp(pw->pw_passwd, (const char *)crypt(password, pw->pw_passwd))) { -+ crpt_passwd = crypt(password, pw->pw_passwd); -+ if (!crpt_passwd || strcmp(pw->pw_passwd, (const char *)crpt_passwd)) { - if (flags & VERBOSE) { - syslog(LOG_DEBUG, "DEBUG: auth_getpwent: %s: invalid password", login); - } -diff --git a/saslauthd/auth_shadow.c b/saslauthd/auth_shadow.c -index 677131b..1988afd 100644 ---- a/saslauthd/auth_shadow.c -+++ b/saslauthd/auth_shadow.c -@@ -210,8 +210,8 @@ auth_shadow ( - RETURN("NO Insufficient permission to access NIS authentication database (saslauthd)"); - } - -- cpw = strdup((const char *)crypt(password, sp->sp_pwdp)); -- if (strcmp(sp->sp_pwdp, cpw)) { -+ cpw = crypt(password, sp->sp_pwdp); -+ if (!cpw || strcmp(sp->sp_pwdp, (const char *)cpw)) { - if (flags & VERBOSE) { - /* - * This _should_ reveal the SHADOW_PW_LOCKED prefix to an -@@ -221,10 +221,8 @@ auth_shadow ( - syslog(LOG_DEBUG, "DEBUG: auth_shadow: pw mismatch: '%s' != '%s'", - sp->sp_pwdp, cpw); - } -- free(cpw); - RETURN("NO Incorrect password"); - } -- free(cpw); - - /* - * The following fields will be set to -1 if: -@@ -286,7 +284,7 @@ auth_shadow ( - RETURN("NO Invalid username"); - } - -- if (strcmp(upw->upw_passwd, crypt(password, upw->upw_passwd)) != 0) { -+ if (!(cpw = crypt(password, upw->upw_passwd)) || (strcmp(upw->upw_passwd, (const char *)cpw) != 0)) { - if (flags & VERBOSE) { - syslog(LOG_DEBUG, "auth_shadow: pw mismatch: %s != %s", - password, upw->upw_passwd); --- -cgit v0.10.2 - diff --git a/main/cyrus-sasl/cyrus-sasl-2.1.25-avoid_pic_overwrite.patch b/main/cyrus-sasl/cyrus-sasl-2.1.25-avoid_pic_overwrite.patch deleted file mode 100644 index 2e5b1750d0..0000000000 
--- a/main/cyrus-sasl/cyrus-sasl-2.1.25-avoid_pic_overwrite.patch +++ /dev/null @@ -1,27 +0,0 @@ -Author: Fabian Fagerholm -Description: This patch makes sure the non-PIC version of libsasldb.a, which -is created out of non-PIC objects, is not going to overwrite the PIC version, -which is created out of PIC objects. The PIC version is placed in .libs, and -the non-PIC version in the current directory. This ensures that both non-PIC -and PIC versions are available in the correct locations. ---- a/lib/Makefile.am -+++ b/lib/Makefile.am -@@ -78,7 +78,7 @@ endif - - libsasl2.a: libsasl2.la $(SASL_STATIC_OBJS) - @echo adding static plugins and dependencies -- $(AR) cru .libs/$@ $(SASL_STATIC_OBJS) -+ $(AR) cru $@ $(SASL_STATIC_OBJS) - @for i in ./libsasl2.la ../sasldb/libsasldb.la ../plugins/lib*.la; do \ - if test ! -f $$i; then continue; fi; . $$i; \ - for j in $$dependency_libs foo; do \ ---- a/sasldb/Makefile.am -+++ b/sasldb/Makefile.am -@@ -63,6 +63,6 @@ libsasldb_a_SOURCES = - EXTRA_libsasldb_a_SOURCES = - - libsasldb.a: libsasldb.la $(SASL_DB_BACKEND_STATIC) -- $(AR) cru .libs/$@ $(SASL_DB_BACKEND_STATIC) -+ $(AR) cru $@ $(SASL_DB_BACKEND_STATIC) - - diff --git a/main/cyrus-sasl/cyrus-sasl-2.1.26-size_t.patch b/main/cyrus-sasl/cyrus-sasl-2.1.26-size_t.patch deleted file mode 100644 index cde823835b..0000000000 --- a/main/cyrus-sasl/cyrus-sasl-2.1.26-size_t.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up cyrus-sasl-2.1.26/include/sasl.h.size_t cyrus-sasl-2.1.26/include/sasl.h ---- cyrus-sasl-2.1.26/include/sasl.h.size_t 2012-10-12 09:05:48.000000000 -0500 -+++ cyrus-sasl-2.1.26/include/sasl.h 2013-01-31 13:21:04.007739327 -0600 -@@ -223,6 +223,8 @@ extern "C" { - * they must be called before all other SASL functions: - */ - -+#include -+ - /* memory allocation functions which may optionally be replaced: - */ - typedef void *sasl_malloc_t(size_t); 
diff --git a/main/cyrus-sasl/cyrus-sasl-2.1.27-as_needed.patch b/main/cyrus-sasl/cyrus-sasl-2.1.27-as_needed.patch new file mode 100644 index 0000000000..7cd9e151fb --- /dev/null +++ b/main/cyrus-sasl/cyrus-sasl-2.1.27-as_needed.patch @@ -0,0 +1,25 @@ +Author: Matthias Klose +Desription: Fix FTBFS, add $(SASL_DB_LIB) as dependency to libsasldb, and use +it. +--- cyrus-sasl-2.1.27/saslauthd/Makefile.am ++++ cyrus-sasl-2.1.27/saslauthd/Makefile.am +@@ -25,7 +25,7 @@ + saslauthd_DEPENDENCIES = saslauthd-main.o $(LTLIBOBJS_FULL) + saslauthd_LDADD = @SASL_KRB_LIB@ \ + @GSSAPIBASE_LIBS@ @LIB_CRYPT@ @LIB_SIA@ \ +- @LIB_SOCKET@ @SASL_DB_LIB@ @LIB_PAM@ @LDAP_LIBS@ $(LTLIBOBJS_FULL) $(CRYPTO_COMPAT_OBJS) $(LIBSASLDB_OBJS) ++ @LIB_SOCKET@ ../sasldb/libsasldb.la @LIB_PAM@ @LDAP_LIBS@ $(LTLIBOBJS_FULL) $(CRYPTO_COMPAT_OBJS) $(LIBSASLDB_OBJS) + + testsaslauthd_SOURCES = testsaslauthd.c utils.c + testsaslauthd_LDADD = @LIB_SOCKET@ +--- cyrus-sasl-2.1.27/sasldb/Makefile.am ++++ cyrus-sasl-2.1.27/sasldb/Makefile.am +@@ -54,6 +54,6 @@ + + libsasldb_la_SOURCES = allockey.c sasldb.h + EXTRA_libsasldb_la_SOURCES = $(extra_common_sources) +-libsasldb_la_DEPENDENCIES = $(SASL_DB_BACKEND) +-libsasldb_la_LIBADD = $(SASL_DB_BACKEND) ++libsasldb_la_DEPENDENCIES = $(SASL_DB_BACKEND) $(SASL_DB_LIB) ++libsasldb_la_LIBADD = $(SASL_DB_BACKEND) $(SASL_DB_LIB) + libsasldb_la_LDFLAGS = -no-undefined diff --git a/main/cyrus-sasl/cyrus-sasl-2.1.27-autotools_fixes.patch b/main/cyrus-sasl/cyrus-sasl-2.1.27-autotools_fixes.patch new file mode 100644 index 0000000000..2ce971efc5 --- /dev/null +++ b/main/cyrus-sasl/cyrus-sasl-2.1.27-autotools_fixes.patch 
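Review bot: The header of the new as_needed patch reads `Desription:`; since the file is created fresh here it can be `Description:`. None of the five added patches (this one and the four in the hunks that follow) record where they were taken from or whether they were submitted upstream, which is what the next upgrader needs to decide what can be dropped; a single `Origin: <distro or URL placeholder>` line per patch header would cover that, with the gss patch's `Gentoo bug #389349` already being the right kind of reference. The substantive change, linking `../sasldb/libsasldb.la` into saslauthd instead of `@SASL_DB_LIB@` and adding `$(SASL_DB_LIB)` to libsasldb's own LIBADD, is consistent with the `--enable-auth-sasldb` build in the APKBUILD.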
@@ -0,0 +1,31 @@ +--- cyrus-sasl-2.1.27/configure.ac ++++ cyrus-sasl-2.1.27/configure.ac +@@ -44,6 +44,8 @@ + + AC_PREREQ(2.63) + ++AC_CONFIG_MACRO_DIR([config]) ++ + dnl + dnl REMINDER: When changing the version number here, please also update + dnl the values in win32/include/config.h and include/sasl.h as well. +--- cyrus-sasl-2.1.27/Makefile.am ++++ cyrus-sasl-2.1.27/Makefile.am +@@ -44,6 +44,8 @@ + # + ################################################################ + ++ACLOCAL_AMFLAGS = -I config ++ + if SASLAUTHD + SAD = saslauthd + else +--- cyrus-sasl-2.1.27/saslauthd/Makefile.am ++++ cyrus-sasl-2.1.27/saslauthd/Makefile.am +@@ -1,4 +1,6 @@ + AUTOMAKE_OPTIONS = 1.7 ++ACLOCAL_AMFLAGS = -I ../config ++ + sbin_PROGRAMS = saslauthd testsaslauthd + EXTRA_PROGRAMS = saslcache + diff --git a/main/cyrus-sasl/cyrus-sasl-2.1.27-avoid_pic_overwrite.patch b/main/cyrus-sasl/cyrus-sasl-2.1.27-avoid_pic_overwrite.patch new file mode 100644 index 0000000000..c331039e2f --- /dev/null +++ b/main/cyrus-sasl/cyrus-sasl-2.1.27-avoid_pic_overwrite.patch @@ -0,0 +1,17 @@ +Author: Fabian Fagerholm +Description: This patch makes sure the non-PIC version of libsasldb.a, which +is created out of non-PIC objects, is not going to overwrite the PIC version, +which is created out of PIC objects. The PIC version is placed in .libs, and +the non-PIC version in the current directory. This ensures that both non-PIC +and PIC versions are available in the correct locations. +--- cyrus-sasl-2.1.27/lib/Makefile.am ++++ cyrus-sasl-2.1.27/lib/Makefile.am +@@ -98,7 +98,7 @@ + + libsasl2.a: libsasl2.la $(SASL_STATIC_OBJS) + @echo adding static plugins and dependencies +- $(AR) cru .libs/$@ $(SASL_STATIC_OBJS) ++ $(AR) cru $@ $(SASL_STATIC_OBJS) + @for i in ./libsasl2.la ../common/libplugin_common.la ../sasldb/libsasldb.la ../plugins/lib*.la; do \ + if test ! -f $$i; then continue; fi; . $$i; \ + for j in $$dependency_libs foo; do \ 
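Review bot: The 2.1.27 avoid_pic_overwrite patch only changes `lib/Makefile.am`, whereas the 2.1.25 version deleted earlier in this commit also rewrote the `libsasldb.a:` rule in `sasldb/Makefile.am` (`$(AR) cru .libs/$@` to `$(AR) cru $@`). If 2.1.27 still carries that rule, the PIC/non-PIC clobbering the patch's own description warns about remains for libsasldb.a; confirm the rule is gone upstream, or add the second half of the old patch back. The first hunk on this line (autotools_fixes) has no header at all — even a one-line `Fix aclocal macro dir so autoreconf -vif works` would help.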
diff --git a/main/cyrus-sasl/cyrus-sasl-2.1.27-doc_build_fix.patch b/main/cyrus-sasl/cyrus-sasl-2.1.27-doc_build_fix.patch new file mode 100644 index 0000000000..bdd02f7796 --- /dev/null +++ b/main/cyrus-sasl/cyrus-sasl-2.1.27-doc_build_fix.patch @@ -0,0 +1,11 @@ +--- cyrus-sasl-2.1.27/docsrc/exts/sphinxlocal/writers/manpage.py ++++ cyrus-sasl-2.1.27/docsrc/exts/sphinxlocal/writers/manpage.py +@@ -23,7 +23,7 @@ + from sphinx import addnodes + from sphinx.locale import admonitionlabels, _ + from sphinx.util.osutil import ustrftime +-from sphinx.util.compat import docutils_version ++#from sphinx.util.compat import docutils_version + + class CyrusManualPageWriter(ManualPageWriter): + diff --git a/main/cyrus-sasl/cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch b/main/cyrus-sasl/cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch new file mode 100644 index 0000000000..c585cb158e --- /dev/null +++ b/main/cyrus-sasl/cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch @@ -0,0 +1,16 @@ +Gentoo bug #389349 +--- cyrus-sasl-2.1.27/m4/sasl2.m4 ++++ cyrus-sasl-2.1.27/m4/sasl2.m4 +@@ -220,7 +220,11 @@ + [AC_WARN([Cybersafe define not found])]) + + elif test "$ac_cv_header_gssapi_h" = "yes"; then +- AC_EGREP_HEADER(GSS_C_NT_HOSTBASED_SERVICE, gssapi.h, ++ AC_EGREP_CPP(hostbased_service_gss_nt_yes, gssapi.h, ++ [#include ++ #ifdef GSS_C_NT_HOSTBASED_SERVICE ++ hostbased_service_gss_nt_yes ++ #endif], + [AC_DEFINE(HAVE_GSS_C_NT_HOSTBASED_SERVICE,, + [Define if your GSSAPI implementation defines GSS_C_NT_HOSTBASED_SERVICE])]) + elif test "$ac_cv_header_gssapi_gssapi_h"; then diff --git a/main/cyrus-sasl/openssl-1.1.patch b/main/cyrus-sasl/openssl-1.1.patch deleted file mode 100644 index c02a2141d2..0000000000 --- a/main/cyrus-sasl/openssl-1.1.patch +++ /dev/null 
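Review bot: The doc_build_fix patch comments out `from sphinx.util.compat import docutils_version` rather than removing it, and nothing in the hunk shows whether `docutils_version` is referenced later in manpage.py; if it is, the manpage build fails at that use instead of at import time. Grep the file, and if the name is unused delete the line outright so the patch leaves no dead code behind.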
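Review bot: As written, the new `AC_EGREP_CPP` call passes the bare word `gssapi.h` as its program argument, which pushes the `[#include … #endif]` block into action-if-found and the original `AC_DEFINE` into action-if-not-found; preprocessing `gssapi.h` alone never emits `hostbased_service_gss_nt_yes`, so `HAVE_GSS_C_NT_HOSTBASED_SERVICE` would be defined unconditionally instead of detected. Unless I am misreading the m4 quoting, the fix is to drop the stray `gssapi.h,` so the program block becomes the second argument, and to check the generated configure for the expected test. The `#include` line also shows no header name on this page, presumably `<gssapi.h>` lost in rendering; confirm the committed file has it.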
@@ -1,435 +0,0 @@ -diff -up cyrus-sasl-2.1.26/plugins/ntlm.c.openssl110 cyrus-sasl-2.1.26/plugins/ntlm.c ---- cyrus-sasl-2.1.26/plugins/ntlm.c.openssl110 2012-01-28 00:31:36.000000000 +0100 -+++ cyrus-sasl-2.1.26/plugins/ntlm.c 2016-11-07 16:15:57.498259304 +0100 -@@ -417,6 +417,29 @@ static unsigned char *P24(unsigned char - return P24; - } - -+static HMAC_CTX *_plug_HMAC_CTX_new(const sasl_utils_t *utils) -+{ -+ utils->log(NULL, SASL_LOG_DEBUG, "_plug_HMAC_CTX_new()"); -+ -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+ return HMAC_CTX_new(); -+#else -+ return utils->malloc(sizeof(HMAC_CTX)); -+#endif -+} -+ -+static void _plug_HMAC_CTX_free(HMAC_CTX *ctx, const sasl_utils_t *utils) -+{ -+ utils->log(NULL, SASL_LOG_DEBUG, "_plug_HMAC_CTX_free()"); -+ -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+ HMAC_CTX_free(ctx); -+#else -+ HMAC_cleanup(ctx); -+ utils->free(ctx); -+#endif -+} -+ - static unsigned char *V2(unsigned char *V2, sasl_secret_t *passwd, - const char *authid, const char *target, - const unsigned char *challenge, -@@ -424,7 +447,7 @@ static unsigned char *V2(unsigned char * - const sasl_utils_t *utils, - char **buf, unsigned *buflen, int *result) - { -- HMAC_CTX ctx; -+ HMAC_CTX *ctx = NULL; - unsigned char hash[EVP_MAX_MD_SIZE]; - char *upper; - unsigned int len; -@@ -435,6 +458,10 @@ static unsigned char *V2(unsigned char * - SETERROR(utils, "cannot allocate NTLMv2 hash"); - *result = SASL_NOMEM; - } -+ else if ((ctx = _plug_HMAC_CTX_new(utils)) == NULL) { -+ SETERROR(utils, "cannot allocate HMAC CTX"); -+ *result = SASL_NOMEM; -+ } - else { - /* NTLMv2hash = HMAC-MD5(NTLMhash, unicode(ucase(authid + domain))) */ - P16_nt(hash, passwd, utils, buf, buflen, result); -@@ -449,17 +476,18 @@ static unsigned char *V2(unsigned char * - HMAC(EVP_md5(), hash, MD4_DIGEST_LENGTH, *buf, 2 * len, hash, &len); - - /* V2 = HMAC-MD5(NTLMv2hash, challenge + blob) + blob */ -- HMAC_Init(&ctx, hash, len, EVP_md5()); -- HMAC_Update(&ctx, challenge, NTLM_NONCE_LENGTH); -- 
HMAC_Update(&ctx, blob, bloblen); -- HMAC_Final(&ctx, V2, &len); -- HMAC_cleanup(&ctx); -+ HMAC_Init_ex(ctx, hash, len, EVP_md5(), NULL); -+ HMAC_Update(ctx, challenge, NTLM_NONCE_LENGTH); -+ HMAC_Update(ctx, blob, bloblen); -+ HMAC_Final(ctx, V2, &len); - - /* the blob is concatenated outside of this function */ - - *result = SASL_OK; - } - -+ if (ctx) _plug_HMAC_CTX_free(ctx, utils); -+ - return V2; - } - -diff -up cyrus-sasl-2.1.26/plugins/otp.c.openssl110 cyrus-sasl-2.1.26/plugins/otp.c ---- cyrus-sasl-2.1.26/plugins/otp.c.openssl110 2012-10-12 16:05:48.000000000 +0200 -+++ cyrus-sasl-2.1.26/plugins/otp.c 2016-11-07 16:13:54.374327601 +0100 -@@ -96,6 +96,28 @@ static algorithm_option_t algorithm_opti - {NULL, 0, NULL} - }; - -+static EVP_MD_CTX *_plug_EVP_MD_CTX_new(const sasl_utils_t *utils) -+{ -+ utils->log(NULL, SASL_LOG_DEBUG, "_plug_EVP_MD_CTX_new()"); -+ -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+ return EVP_MD_CTX_new(); -+#else -+ return utils->malloc(sizeof(EVP_MD_CTX)); -+#endif -+} -+ -+static void _plug_EVP_MD_CTX_free(EVP_MD_CTX *ctx, const sasl_utils_t *utils) -+{ -+ utils->log(NULL, SASL_LOG_DEBUG, "_plug_EVP_MD_CTX_free()"); -+ -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+ EVP_MD_CTX_free(ctx); -+#else -+ utils->free(ctx); -+#endif -+} -+ - /* Convert the binary data into ASCII hex */ - void bin2hex(unsigned char *bin, int binlen, char *hex) - { -@@ -116,17 +138,16 @@ void bin2hex(unsigned char *bin, int bin - * swabbing bytes if necessary. 
- */ - static void otp_hash(const EVP_MD *md, char *in, size_t inlen, -- unsigned char *out, int swab) -+ unsigned char *out, int swab, EVP_MD_CTX *mdctx) - { -- EVP_MD_CTX mdctx; -- char hash[EVP_MAX_MD_SIZE]; -+ unsigned char hash[EVP_MAX_MD_SIZE]; - unsigned int i; - int j; - unsigned hashlen; - -- EVP_DigestInit(&mdctx, md); -- EVP_DigestUpdate(&mdctx, in, inlen); -- EVP_DigestFinal(&mdctx, hash, &hashlen); -+ EVP_DigestInit(mdctx, md); -+ EVP_DigestUpdate(mdctx, in, inlen); -+ EVP_DigestFinal(mdctx, hash, &hashlen); - - /* Fold the result into 64 bits */ - for (i = OTP_HASH_SIZE; i < hashlen; i++) { -@@ -149,7 +170,9 @@ static int generate_otp(const sasl_utils - char *secret, char *otp) - { - const EVP_MD *md; -- char *key; -+ EVP_MD_CTX *mdctx = NULL; -+ char *key = NULL; -+ int r = SASL_OK; - - if (!(md = EVP_get_digestbyname(alg->evp_name))) { - utils->seterror(utils->conn, 0, -@@ -157,23 +180,32 @@ static int generate_otp(const sasl_utils - return SASL_FAIL; - } - -+ if ((mdctx = _plug_EVP_MD_CTX_new(utils)) == NULL) { -+ SETERROR(utils, "cannot allocate MD CTX"); -+ r = SASL_NOMEM; -+ goto done; -+ } -+ - if ((key = utils->malloc(strlen(seed) + strlen(secret) + 1)) == NULL) { - SETERROR(utils, "cannot allocate OTP key"); -- return SASL_NOMEM; -+ r = SASL_NOMEM; -+ goto done; - } - - /* initial step */ - strcpy(key, seed); - strcat(key, secret); -- otp_hash(md, key, strlen(key), otp, alg->swab); -+ otp_hash(md, key, strlen(key), otp, alg->swab, mdctx); - - /* computation step */ - while (seq-- > 0) -- otp_hash(md, otp, OTP_HASH_SIZE, otp, alg->swab); -- -- utils->free(key); -+ otp_hash(md, otp, OTP_HASH_SIZE, otp, alg->swab, mdctx); -+ -+ done: -+ if (key) utils->free(key); -+ if (mdctx) _plug_EVP_MD_CTX_free(mdctx, utils); - -- return SASL_OK; -+ return r; - } - - static int parse_challenge(const sasl_utils_t *utils, -@@ -693,7 +725,8 @@ static int strptrcasecmp(const void *arg - - /* Convert the 6 words into binary data */ - static int word2bin(const 
sasl_utils_t *utils, -- char *words, unsigned char *bin, const EVP_MD *md) -+ char *words, unsigned char *bin, const EVP_MD *md, -+ EVP_MD_CTX *mdctx) - { - int i, j; - char *c, *word, buf[OTP_RESPONSE_MAX+1]; -@@ -752,13 +785,12 @@ static int word2bin(const sasl_utils_t * - - /* alternate dictionary */ - if (alt_dict) { -- EVP_MD_CTX mdctx; -- char hash[EVP_MAX_MD_SIZE]; -- int hashlen; -+ unsigned char hash[EVP_MAX_MD_SIZE]; -+ unsigned hashlen; - -- EVP_DigestInit(&mdctx, md); -- EVP_DigestUpdate(&mdctx, word, strlen(word)); -- EVP_DigestFinal(&mdctx, hash, &hashlen); -+ EVP_DigestInit(mdctx, md); -+ EVP_DigestUpdate(mdctx, word, strlen(word)); -+ EVP_DigestFinal(mdctx, hash, &hashlen); - - /* use lowest 11 bits */ - x = ((hash[hashlen-2] & 0x7) << 8) | hash[hashlen-1]; -@@ -802,6 +834,7 @@ static int verify_response(server_contex - char *response) - { - const EVP_MD *md; -+ EVP_MD_CTX *mdctx = NULL; - char *c; - int do_init = 0; - unsigned char cur_otp[OTP_HASH_SIZE], prev_otp[OTP_HASH_SIZE]; -@@ -815,6 +848,11 @@ static int verify_response(server_contex - return SASL_FAIL; - } - -+ if ((mdctx = _plug_EVP_MD_CTX_new(utils)) == NULL) { -+ SETERROR(utils, "cannot allocate MD CTX"); -+ return SASL_NOMEM; -+ } -+ - /* eat leading whitespace */ - c = response; - while (isspace((int) *c)) c++; -@@ -824,7 +862,7 @@ static int verify_response(server_contex - r = hex2bin(c+strlen(OTP_HEX_TYPE), cur_otp, OTP_HASH_SIZE); - } - else if (!strncasecmp(c, OTP_WORD_TYPE, strlen(OTP_WORD_TYPE))) { -- r = word2bin(utils, c+strlen(OTP_WORD_TYPE), cur_otp, md); -+ r = word2bin(utils, c+strlen(OTP_WORD_TYPE), cur_otp, md, mdctx); - } - else if (!strncasecmp(c, OTP_INIT_HEX_TYPE, - strlen(OTP_INIT_HEX_TYPE))) { -@@ -834,7 +872,7 @@ static int verify_response(server_contex - else if (!strncasecmp(c, OTP_INIT_WORD_TYPE, - strlen(OTP_INIT_WORD_TYPE))) { - do_init = 1; -- r = word2bin(utils, c+strlen(OTP_INIT_WORD_TYPE), cur_otp, md); -+ r = word2bin(utils, c+strlen(OTP_INIT_WORD_TYPE), 
cur_otp, md, mdctx); - } - else { - SETERROR(utils, "unknown OTP extended response type"); -@@ -843,14 +881,15 @@ static int verify_response(server_contex - } - else { - /* standard response, try word first, and then hex */ -- r = word2bin(utils, c, cur_otp, md); -+ r = word2bin(utils, c, cur_otp, md, mdctx); - if (r != SASL_OK) - r = hex2bin(c, cur_otp, OTP_HASH_SIZE); - } - - if (r == SASL_OK) { - /* do one more hash (previous otp) and compare to stored otp */ -- otp_hash(md, cur_otp, OTP_HASH_SIZE, prev_otp, text->alg->swab); -+ otp_hash(md, (char *) cur_otp, OTP_HASH_SIZE, -+ prev_otp, text->alg->swab, mdctx); - - if (!memcmp(prev_otp, text->otp, OTP_HASH_SIZE)) { - /* update the secret with this seq/otp */ -@@ -879,23 +918,28 @@ static int verify_response(server_contex - *new_resp++ = '\0'; - } - -- if (!(new_chal && new_resp)) -- return SASL_BADAUTH; -+ if (!(new_chal && new_resp)) { -+ r = SASL_BADAUTH; -+ goto done; -+ } - - if ((r = parse_challenge(utils, new_chal, &alg, &seq, seed, 1)) - != SASL_OK) { -- return r; -+ goto done; - } - -- if (seq < 1 || !strcasecmp(seed, text->seed)) -- return SASL_BADAUTH; -+ if (seq < 1 || !strcasecmp(seed, text->seed)) { -+ r = SASL_BADAUTH; -+ goto done; -+ } - - /* find the MDA */ - if (!(md = EVP_get_digestbyname(alg->evp_name))) { - utils->seterror(utils->conn, 0, - "OTP algorithm %s is not available", - alg->evp_name); -- return SASL_BADAUTH; -+ r = SASL_BADAUTH; -+ goto done; - } - - if (!strncasecmp(c, OTP_INIT_HEX_TYPE, strlen(OTP_INIT_HEX_TYPE))) { -@@ -903,7 +947,7 @@ static int verify_response(server_contex - } - else if (!strncasecmp(c, OTP_INIT_WORD_TYPE, - strlen(OTP_INIT_WORD_TYPE))) { -- r = word2bin(utils, new_resp, new_otp, md); -+ r = word2bin(utils, new_resp, new_otp, md, mdctx); - } - - if (r == SASL_OK) { -@@ -914,7 +958,10 @@ static int verify_response(server_contex - memcpy(text->otp, new_otp, OTP_HASH_SIZE); - } - } -- -+ -+ done: -+ if (mdctx) _plug_EVP_MD_CTX_free(mdctx, utils); -+ - return r; 
- } - -diff -up cyrus-sasl-2.1.26/saslauthd/lak.c.openssl110 cyrus-sasl-2.1.26/saslauthd/lak.c ---- cyrus-sasl-2.1.26/saslauthd/lak.c.openssl110 2016-11-07 16:13:54.347327616 +0100 -+++ cyrus-sasl-2.1.26/saslauthd/lak.c 2016-11-07 16:18:42.283167898 +0100 -@@ -61,6 +61,35 @@ - #include - #include "lak.h" - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+static EVP_MD_CTX *EVP_MD_CTX_new(void) -+{ -+ return EVP_MD_CTX_create(); -+} -+static void EVP_MD_CTX_free(EVP_MD_CTX *ctx) -+{ -+ if (ctx == NULL) -+ return; -+ -+ EVP_MD_CTX_destroy(ctx); -+} -+ -+static EVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void) -+{ -+ EVP_ENCODE_CTX *ctx = OPENSSL_malloc(sizeof(*ctx)); -+ -+ if (ctx != NULL) { -+ memset(ctx, 0, sizeof(*ctx)); -+ } -+ return ctx; -+} -+static void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx) -+{ -+ OPENSSL_free(ctx); -+ return; -+} -+#endif -+ - typedef struct lak_auth_method { - int method; - int (*check) (LAK *lak, const char *user, const char *service, const char *realm, const char *password) ; -@@ -1720,20 +1749,28 @@ static int lak_base64_decode( - - int rc, i, tlen = 0; - char *text; -- EVP_ENCODE_CTX EVP_ctx; -+ EVP_ENCODE_CTX *enc_ctx = EVP_ENCODE_CTX_new(); - -- text = (char *)malloc(((strlen(src)+3)/4 * 3) + 1); - if (text == NULL) - return LAK_NOMEM; - -- EVP_DecodeInit(&EVP_ctx); -- rc = EVP_DecodeUpdate(&EVP_ctx, text, &i, (char *)src, strlen(src)); -+ text = (char *)malloc(((strlen(src)+3)/4 * 3) + 1); -+ if (text == NULL) { -+ EVP_ENCODE_CTX_free(enc_ctx); -+ return LAK_NOMEM; -+ } -+ -+ EVP_DecodeInit(enc_ctx); -+ rc = EVP_DecodeUpdate(enc_ctx, (unsigned char *) text, &i, (const unsigned char *)src, strlen(src)); - if (rc < 0) { -+ EVP_ENCODE_CTX_free(enc_ctx); - free(text); - return LAK_FAIL; - } - tlen += i; -- EVP_DecodeFinal(&EVP_ctx, text, &i); -+ EVP_DecodeFinal(enc_ctx, (unsigned char *) text, &i); -+ -+ EVP_ENCODE_CTX_free(enc_ctx); - - *ret = text; - if (rlen != NULL) -@@ -1749,7 +1786,7 @@ static int lak_check_hashed( - { - int rc, clen; - 
LAK_HASH_ROCK *hrock = (LAK_HASH_ROCK *) rock; -- EVP_MD_CTX mdctx; -+ EVP_MD_CTX *mdctx; - const EVP_MD *md; - unsigned char digest[EVP_MAX_MD_SIZE]; - char *cred; -@@ -1758,17 +1795,24 @@ static int lak_check_hashed( - if (!md) - return LAK_FAIL; - -+ mdctx = EVP_MD_CTX_new(); -+ if (!mdctx) -+ return LAK_NOMEM; -+ - rc = lak_base64_decode(hash, &cred, &clen); -- if (rc != LAK_OK) -+ if (rc != LAK_OK) { -+ EVP_MD_CTX_free(mdctx); - return rc; -+ } - -- EVP_DigestInit(&mdctx, md); -- EVP_DigestUpdate(&mdctx, passwd, strlen(passwd)); -+ EVP_DigestInit(mdctx, md); -+ EVP_DigestUpdate(mdctx, passwd, strlen(passwd)); - if (hrock->salted) { -- EVP_DigestUpdate(&mdctx, &cred[EVP_MD_size(md)], -+ EVP_DigestUpdate(mdctx, &cred[EVP_MD_size(md)], - clen - EVP_MD_size(md)); - } -- EVP_DigestFinal(&mdctx, digest, NULL); -+ EVP_DigestFinal(mdctx, digest, NULL); -+ EVP_MD_CTX_free(mdctx); - - rc = memcmp((char *)cred, (char *)digest, EVP_MD_size(md)); - free(cred); diff --git a/main/cyrus-sasl/saslauthd.initd b/main/cyrus-sasl/saslauthd.initd index 2707f533d6..7285770040 100644 --- a/main/cyrus-sasl/saslauthd.initd +++ b/main/cyrus-sasl/saslauthd.initd @@ -1,22 +1,13 @@ #!/sbin/openrc-run -# Copyright 1999-2007 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/dev-libs/cyrus-sasl/files/saslauthd2.rc6,v 1.7 2007/04/07 13:03:55 chtekk Exp $ +command="/usr/sbin/saslauthd" +command_args=${SASLAUTHD_OPTS:--a sasldb} +pidfile="/run/saslauthd/saslauthd.pid" depend() { need net after firewall } -start() { - ebegin "Starting saslauthd" - start-stop-daemon --start --quiet --exec /usr/sbin/saslauthd \ - -- ${SASLAUTHD_OPTS} - eend $? -} - -stop() { - ebegin "Stopping saslauthd" - start-stop-daemon --stop --quiet --pidfile /var/run/saslauthd/saslauthd.pid - eend $? +start_pre() { + checkpath --directory --mode 0775 /run/saslauthd } -- cgit v1.2.3
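Review bot: `start_pre` creates `/run/saslauthd` with `--mode 0775`, which is group-writable; under default root ownership that grants nothing today, but the directory holds the mux socket and the pid file named in `pidfile`, so `checkpath --directory --mode 0755 --owner root:root /run/saslauthd` states the intent more tightly — saslauthd may set the socket's own permissions, so confirm against the daemon before tightening. `command_args=${SASLAUTHD_OPTS:--a sasldb}` works (assignments do not word-split) but reads as an oversight beside the quoted `command=` and `pidfile=`; `command_args="${SASLAUTHD_OPTS:--a sasldb}"` plus a `description="SASL authentication daemon"` line would match OpenRC convention. The new `pidfile` under `/run` agrees with `--with-saslauthd=/run/saslauthd` in the APKBUILD, replacing the old `/var/run` path the removed `stop()` used.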