diff --git a/.cyrus-sasl.metadata b/.cyrus-sasl.metadata
index 7b7b3b8..82b591b 100644
--- a/.cyrus-sasl.metadata
+++ b/.cyrus-sasl.metadata
@@ -1 +1 @@
-98988c2d3b8f055f6346d8d55ca806a8dbd2dc59 SOURCES/cyrus-sasl-2.1.27-rc7-nodlcompatorsrp.tar.gz
+c9e6848d9cc6f9588e0e7a75423f9a3aed3f10db SOURCES/cyrus-sasl-2.1.27-nodlcompatorsrp.tar.gz
diff --git a/.gitignore b/.gitignore
index 6bff0bc..07c8f97 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/cyrus-sasl-2.1.27-rc7-nodlcompatorsrp.tar.gz
+SOURCES/cyrus-sasl-2.1.27-nodlcompatorsrp.tar.gz
diff --git a/SOURCES/cyrus-sasl-2.1.26-md5global.patch b/SOURCES/cyrus-sasl-2.1.26-md5global.patch
new file mode 100644
index 0000000..605c8ec
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-md5global.patch
@@ -0,0 +1,24 @@
+diff -up cyrus-sasl-2.1.27/include/Makefile.am.md5global.h cyrus-sasl-2.1.27/include/Makefile.am
+--- cyrus-sasl-2.1.27/include/Makefile.am.md5global.h 2018-05-17 13:33:49.588368350 +0200
++++ cyrus-sasl-2.1.27/include/Makefile.am 2018-05-17 13:38:19.377316869 +0200
+@@ -49,20 +49,7 @@ saslinclude_HEADERS = hmac-md5.h md5.h m
+
+ noinst_PROGRAMS = makemd5
+
+-makemd5_SOURCES = makemd5.c
+-
+-makemd5$(BUILD_EXEEXT) $(makemd5_OBJECTS): CC=$(CC_FOR_BUILD)
+-makemd5$(BUILD_EXEEXT) $(makemd5_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+-makemd5$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
+-
+-md5global.h: makemd5$(BUILD_EXEEXT) Makefile
+- -rm -f $@
+- ./$< $@
+-
+-BUILT_SOURCES = md5global.h
+-
+ EXTRA_DIST = NTMakefile
+-DISTCLEANFILES = md5global.h
+
+ if MACOSX
+ framedir = /Library/Frameworks/SASL2.framework
diff --git a/SOURCES/cyrus-sasl-2.1.26-revert-upstream-080e51c7fa0421eb2f0210d34cf0ac48a228b1e9.patch b/SOURCES/cyrus-sasl-2.1.26-revert-upstream-080e51c7fa0421eb2f0210d34cf0ac48a228b1e9.patch
deleted file mode 100644
index 2f5c5c7..0000000
--- a/SOURCES/cyrus-sasl-2.1.26-revert-upstream-080e51c7fa0421eb2f0210d34cf0ac48a228b1e9.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-diff --git a/plugins/gssapi.c b/plugins/gssapi.c
-index e6fcf46..a27eb2b 100644
---- a/plugins/gssapi.c
-+++ b/plugins/gssapi.c
-@@ -1594,10 +1594,10 @@ static int gssapi_client_mech_step(void *conn_context,
- }
-
- /* Setup req_flags properly */
-- req_flags = GSS_C_INTEG_FLAG;
-+ req_flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
- if (params->props.max_ssf > params->external_ssf) {
- /* We are requesting a security layer */
-- req_flags |= GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
-+ req_flags |= GSS_C_INTEG_FLAG;
- /* Any SSF bigger than 1 is confidentiality. */
- /* Let's check if the client of the API requires confidentiality,
- and it wasn't already provided by an external layer */
diff --git a/SOURCES/cyrus-sasl-pr559-RC4-openssl.patch b/SOURCES/cyrus-sasl-pr559-RC4-openssl.patch
new file mode 100644
index 0000000..1993639
--- /dev/null
+++ b/SOURCES/cyrus-sasl-pr559-RC4-openssl.patch
@@ -0,0 +1,155 @@
+From 8aa9ae816ddf66921b4a8a0f422517e6f2e55ac6 Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Wed, 27 Mar 2019 14:29:08 -0400
+Subject: [PATCH] Use Openssl RC4 when available
+
+Signed-off-by: Simo Sorce
+---
+ configure.ac | 5 +--
+ plugins/digestmd5.c | 107 +++++++++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 108 insertions(+), 4 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 388f5d02..cfdee4a2 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1102,12 +1102,11 @@ AC_ARG_WITH(configdir, [ --with-configdir=DIR set the directory where confi
+ AC_SUBST(configdir)
+
+-dnl look for rc4 libraries. we accept the CMU one or one from openSSL
+-AC_ARG_WITH(rc4, [ --with-rc4 use internal rc4 routines [[yes]] ],
++AC_ARG_WITH(rc4, [ --with-rc4 use rc4 routines [[yes]] ],
+ with_rc4=$withval,
+ with_rc4=yes)
+
+ if test "$with_rc4" != no; then
+- AC_DEFINE(WITH_RC4,[],[Use internal RC4 implementation?])
++ AC_DEFINE(WITH_RC4,[],[Use RC4])
+ fi
+
+ building_for_macosx=no
+diff --git a/plugins/digestmd5.c b/plugins/digestmd5.c
+index df35093d..c6b54317 100644
+--- a/plugins/digestmd5.c
++++ b/plugins/digestmd5.c
+@@ -1117,6 +1117,111 @@ static void free_des(context_t *text)
+ #endif /* WITH_DES */
+
+ #ifdef WITH_RC4
++#ifdef HAVE_OPENSSL
++#include
++
++static void free_rc4(context_t *text)
++{
++ if (text->cipher_enc_context) {
++ EVP_CIPHER_CTX_free((EVP_CIPHER_CTX *)text->cipher_enc_context);
++ text->cipher_enc_context = NULL;
++ }
++ if (text->cipher_dec_context) {
++ EVP_CIPHER_CTX_free((EVP_CIPHER_CTX *)text->cipher_dec_context);
++ text->cipher_dec_context = NULL;
++ }
++}
++
++static int init_rc4(context_t *text,
++ unsigned char enckey[16],
++ unsigned char deckey[16])
++{
++ EVP_CIPHER_CTX *ctx;
++ int rc;
++
++ ctx = EVP_CIPHER_CTX_new();
++ if (ctx == NULL) return SASL_NOMEM;
++
++ rc = EVP_EncryptInit_ex(ctx, EVP_rc4(), NULL, enckey, NULL);
++ if (rc != 1) return SASL_FAIL;
++
++ text->cipher_enc_context = (void *)ctx;
++
++ ctx = EVP_CIPHER_CTX_new();
++ if (ctx == NULL) return SASL_NOMEM;
++
++ rc = EVP_DecryptInit_ex(ctx, EVP_rc4(), NULL, deckey, NULL);
++ if (rc != 1) return SASL_FAIL;
++
++ text->cipher_dec_context = (void *)ctx;
++
++ return SASL_OK;
++}
++
++static int dec_rc4(context_t *text,
++ const char *input,
++ unsigned inputlen,
++ unsigned char digest[16] __attribute__((unused)),
++ char *output,
++ unsigned *outputlen)
++{
++ int len;
++ int rc;
++
++ /* decrypt the text part & HMAC */
++ rc = EVP_DecryptUpdate((EVP_CIPHER_CTX *)text->cipher_dec_context,
++ (unsigned char *)output, &len,
++ (const unsigned char *)input, inputlen);
++ if (rc != 1) return SASL_FAIL;
++
++ *outputlen = len;
++
++ rc = EVP_DecryptFinal_ex((EVP_CIPHER_CTX *)text->cipher_dec_context,
++ (unsigned char *)output + len, &len);
++ if (rc != 1) return SASL_FAIL;
++
++ *outputlen += len;
++
++ /* subtract the HMAC to get the text length */
++ *outputlen -= 10;
++
++ return SASL_OK;
++}
++
++static int enc_rc4(context_t *text,
++ const char *input,
++ unsigned inputlen,
++ unsigned char digest[16],
++ char *output,
++ unsigned *outputlen)
++{
++ int len;
++ int rc;
++ /* encrypt the text part */
++ rc = EVP_EncryptUpdate((EVP_CIPHER_CTX *)text->cipher_enc_context,
++ (unsigned char *)output, &len,
++ (const unsigned char *)input, inputlen);
++ if (rc != 1) return SASL_FAIL;
++
++ *outputlen = len;
++
++ /* encrypt the `MAC part */
++ rc = EVP_EncryptUpdate((EVP_CIPHER_CTX *)text->cipher_enc_context,
++ (unsigned char *)output + *outputlen, &len,
++ digest, 10);
++ if (rc != 1) return SASL_FAIL;
++
++ *outputlen += len;
++
++ rc = EVP_EncryptFinal_ex((EVP_CIPHER_CTX *)text->cipher_enc_context,
++ (unsigned char *)output + *outputlen, &len);
++ if (rc != 1) return SASL_FAIL;
++
++ *outputlen += len;
++
++ return SASL_OK;
++}
++#else
+ /* quick generic implementation of RC4 */
+ struct rc4_context_s {
+ unsigned char sbox[256];
+@@ -1296,7 +1401,7 @@ static int enc_rc4(context_t *text,
+
+ return SASL_OK;
+ }
+-
++#endif /* HAVE_OPENSSL */
+ #endif /* WITH_RC4 */
+
+ struct digest_cipher available_ciphers[] =
diff --git a/SPECS/cyrus-sasl.spec b/SPECS/cyrus-sasl.spec
index 41064c5..103a782 100644
--- a/SPECS/cyrus-sasl.spec
+++ b/SPECS/cyrus-sasl.spec
@@ -8,13 +8,13 @@
 Summary: The Cyrus SASL library
 Name: cyrus-sasl
 Version: 2.1.27
-Release: 0.3rc7%{?dist}
+Release: 1%{?dist}
 License: BSD with advertising
 Group: System Environment/Libraries
 # Source0 originally comes from https://www.cyrusimap.org/releases/;
 # make-no-dlcompatorsrp-tarball.sh removes the "dlcompat" subdirectory and builds a
 # new tarball.
-Source0: cyrus-sasl-%{version}-rc7-nodlcompatorsrp.tar.gz
+Source0: cyrus-sasl-%{version}-nodlcompatorsrp.tar.gz
 Source5: saslauthd.service
 Source7: sasl-mechlist.c
 Source9: saslauthd.sysconfig
@@ -22,16 +22,14 @@ Source10: make-no-dlcompatorsrp-tarball.sh
 # From upstream git, required for reconfigure after applying patches to configure.ac
 # https://raw.githubusercontent.com/cyrusimap/cyrus-sasl/master/autogen.sh
 Source11: autogen.sh
-URL: http://asg.web.cmu.edu/sasl/sasl-library.html
+URL: https://www.cyrusimap.org/sasl/
 Requires: %{name}-lib%{?_isa} = %{version}-%{release}
 Patch11: cyrus-sasl-2.1.25-no_rpath.patch
 Patch15: cyrus-sasl-2.1.20-saslauthd.conf-path.patch
 Patch23: cyrus-sasl-2.1.23-man.patch
 Patch24: cyrus-sasl-2.1.21-sizes.patch
-#Patch49: cyrus-sasl-2.1.26-md5global.patch
-# revert upstream commit 080e51c7fa0421eb2f0210d34cf0ac48a228b1e9 (#984079)
-# https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
-Patch50: cyrus-sasl-2.1.26-revert-upstream-080e51c7fa0421eb2f0210d34cf0ac48a228b1e9.patch
+Patch49: cyrus-sasl-2.1.26-md5global.patch
+Patch60: cyrus-sasl-pr559-RC4-openssl.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: autoconf, automake, libtool, gdbm-devel, groff
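Review bot: In the added cyrus-sasl-pr559-RC4-openssl.patch, init_rc4() leaks the freshly allocated EVP_CIPHER_CTX when EVP_EncryptInit_ex() or EVP_DecryptInit_ex() fails, because `ctx` is stored in `text` only after the init call succeeds and both error returns skip the free. Each check should release it first: `if (rc != 1) { EVP_CIPHER_CTX_free(ctx); return SASL_FAIL; }`. That path is presumably the one taken when the OpenSSL build or the system crypto policy refuses RC4, so it is not purely theoretical. Separately, dec_rc4() does `*outputlen -= 10;` on an unsigned value with no guard in the visible code, so a packet shorter than the 10-byte HMAC would wrap to a huge length unless the caller (outside this hunk) already rejects it. An explicit `if (*outputlen < 10) return SASL_FAIL;` before the subtraction would make that assumption local and checkable.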
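Review bot: Dropping Patch50 here (and its `%patch50` line in the %prep hunk) is not recorded in either new %changelog entry, although it changes which GSSAPI flags the client requests. The deleted revert patch made `req_flags` start as `GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG`; without it the build follows whatever the 2.1.27 final tarball does, which is not visible on this page and may mean mutual authentication is requested only when a security layer is negotiated. I would add a changelog line such as `- Drop revert of upstream commit 080e51c7 (GSSAPI req_flags)` and keep the reference to #984079 so the earlier regression can be re-tested against the new build.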
@@ -161,8 +159,8 @@ the GS2 authentication scheme.
 %patch15 -p1 -b .path
 %patch23 -p1 -b .man
 %patch24 -p1 -b .sizes
-#%patch49 -p1 -b .md5global.h
-%patch50 -p1 -b .gssapi
+%patch49 -p1 -b .md5global.h
+%patch60 -p1 -b .openssl_rc4
 %build
 # reconfigure
@@ -394,6 +392,15 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir}
 %{_sbindir}/sasl2-shared-mechlist
 %changelog
+* Fri Jun 14 2019 Simo Sorce - 2.1.27-1
+- Rc7 to final source
+- Resovles bz#1618744
+
+* Thu Jun 13 2019 Simo Sorce - 2.1.27-0.4rc7
+- Add patch form Upstream PR559 to use RC4 implementation from OpenSSL
+- Resolves bz#1618744
+- Fix multilib issue bz#1663120
+
 * Mon Jul 30 2018 Florian Weimer - 2.1.27-0.3rc7
 - Rebuild with fixed binutils