From 5a6b4eb1c6e2a26e285defb31d182df0f801870b Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 10 2018 05:26:39 +0000 Subject: import cyrus-sasl-2.1.26-23.el7 --- diff --git a/SOURCES/cyrus-sasl-2.1.26-gss-ssf.patch b/SOURCES/cyrus-sasl-2.1.26-gss-ssf.patch new file mode 100644 index 0000000..72e18b7 --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.26-gss-ssf.patch @@ -0,0 +1,549 @@ +From 862b60c249c8a51095315062b22c0702a6500d80 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Tue, 11 Apr 2017 18:31:46 -0400 +Subject: [PATCH 1/3] Drop unused parameter from gssapi_spnego_ssf() + +Signed-off-by: Simo Sorce +--- + plugins/gssapi.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/plugins/gssapi.c b/plugins/gssapi.c +index 010c236d..3050962e 100644 +--- a/plugins/gssapi.c ++++ b/plugins/gssapi.c +@@ -652,7 +652,7 @@ static void gssapi_common_mech_free(void *global_context __attribute__((unused)) + * flags negotiated by GSSAPI to determine If confidentiality or integrity are + * used. These flags are stored in text->qop transalated as layers by the + * caller */ +-static int gssapi_spnego_ssf(context_t *text, const sasl_utils_t *utils, ++static int gssapi_spnego_ssf(context_t *text, + sasl_security_properties_t *props, + sasl_out_params_t *oparams) + { +@@ -1019,7 +1019,7 @@ gssapi_server_mech_authneg(context_t *text, + text->state = SASL_GSSAPI_STATE_AUTHENTICATED; + ret = SASL_OK; + } else if (text->mech_type && text->mech_type == &gss_spnego_oid) { +- ret = gssapi_spnego_ssf(text, params->utils, ¶ms->props, oparams); ++ ret = gssapi_spnego_ssf(text, ¶ms->props, oparams); + } else { + /* Switch to ssf negotiation */ + text->state = SASL_GSSAPI_STATE_SSFCAP; +@@ -1825,8 +1825,7 @@ static int gssapi_client_mech_step(void *conn_context, + return SASL_OK; + } else if (text->mech_type && text->mech_type == &gss_spnego_oid) { + oparams->doneflag = 1; +- return gssapi_spnego_ssf(text, params->utils, ¶ms->props, +- oparams); ++ return gssapi_spnego_ssf(text, ¶ms->props, oparams); + } + + /* Switch to ssf negotiation */ + +From 72181257d77bda09afa7d0d640d322c4472f4833 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Mon, 10 Apr 2017 18:35:10 -0400 +Subject: [PATCH 2/3] Check return error from gss_wrap_size_limit() + +The return error of this function is ignored and potentially +uninitialized values returned by this function are used. + +Fix this by moving the function into a proper helper as it is used in an +identical way in 3 different places. + +Signed-off-by: Simo Sorce +--- + plugins/gssapi.c | 104 +++++++++++++++++++++++++++---------------------------- + 1 file changed, 51 insertions(+), 53 deletions(-) + +diff --git a/plugins/gssapi.c b/plugins/gssapi.c +index 3050962e..348debe0 100644 +--- a/plugins/gssapi.c ++++ b/plugins/gssapi.c +@@ -648,6 +648,32 @@ static void gssapi_common_mech_free(void *global_context __attribute__((unused)) + #endif + } + ++static int gssapi_wrap_sizes(context_t *text, sasl_out_params_t *oparams) ++{ ++ OM_uint32 maj_stat = 0, min_stat = 0; ++ OM_uint32 max_input = 0; ++ ++ maj_stat = gss_wrap_size_limit(&min_stat, ++ text->gss_ctx, ++ 1, ++ GSS_C_QOP_DEFAULT, ++ (OM_uint32)oparams->maxoutbuf, ++ &max_input); ++ if (maj_stat != GSS_S_COMPLETE) { ++ return SASL_FAIL; ++ } ++ ++ if (max_input > oparams->maxoutbuf) { ++ /* Heimdal appears to get this wrong */ ++ oparams->maxoutbuf -= (max_input - oparams->maxoutbuf); ++ } else { ++ /* This code is actually correct */ ++ oparams->maxoutbuf = max_input; ++ } ++ ++ return SASL_OK; ++} ++ + /* The GSS-SPNEGO mechanism does not do SSF negotiation, instead it uses the + * flags negotiated by GSSAPI to determine If confidentiality or integrity are + * used. These flags are stored in text->qop transalated as layers by the +@@ -656,8 +682,7 @@ static int gssapi_spnego_ssf(context_t *text, + sasl_security_properties_t *props, + sasl_out_params_t *oparams) + { +- OM_uint32 maj_stat = 0, min_stat = 0; +- OM_uint32 max_input; ++ int ret; + + if (text->qop & LAYER_CONFIDENTIALITY) { + oparams->encode = &gssapi_privacy_encode; +@@ -674,20 +699,10 @@ static int gssapi_spnego_ssf(context_t *text, + } + + if (oparams->mech_ssf) { +- maj_stat = gss_wrap_size_limit(&min_stat, +- text->gss_ctx, +- 1, +- GSS_C_QOP_DEFAULT, +- (OM_uint32)oparams->maxoutbuf, +- &max_input); +- +- if (max_input > oparams->maxoutbuf) { +- /* Heimdal appears to get this wrong */ +- oparams->maxoutbuf -= (max_input - oparams->maxoutbuf); +- } else { +- /* This code is actually correct */ +- oparams->maxoutbuf = max_input; +- } ++ ret = gssapi_wrap_sizes(text, oparams); ++ if (ret != SASL_OK) { ++ return ret; ++ } + } + + text->state = SASL_GSSAPI_STATE_AUTHENTICATED; +@@ -1208,7 +1223,6 @@ gssapi_server_mech_ssfreq(context_t *text, + gss_buffer_t input_token, output_token; + gss_buffer_desc real_input_token, real_output_token; + OM_uint32 maj_stat = 0, min_stat = 0; +- OM_uint32 max_input; + int layerchoice; + + input_token = &real_input_token; +@@ -1297,27 +1311,20 @@ gssapi_server_mech_ssfreq(context_t *text, + (((unsigned char *) output_token->value)[2] << 8) | + (((unsigned char *) output_token->value)[3] << 0); + +- if (oparams->mech_ssf) { +- maj_stat = gss_wrap_size_limit( &min_stat, +- text->gss_ctx, +- 1, +- GSS_C_QOP_DEFAULT, +- (OM_uint32) oparams->maxoutbuf, +- &max_input); +- +- if(max_input > oparams->maxoutbuf) { +- /* Heimdal appears to get this wrong */ +- oparams->maxoutbuf -= (max_input - oparams->maxoutbuf); +- } else { +- /* This code is actually correct */ +- oparams->maxoutbuf = max_input; +- } +- } +- + GSS_LOCK_MUTEX_CTX(params->utils, text); + gss_release_buffer(&min_stat, output_token); + GSS_UNLOCK_MUTEX_CTX(params->utils, text); + ++ if (oparams->mech_ssf) { ++ int ret; ++ ++ ret = gssapi_wrap_sizes(text, oparams); ++ if (ret != SASL_OK) { ++ sasl_gss_free_context_contents(text); ++ return ret; ++ } ++ } ++ + text->state = SASL_GSSAPI_STATE_AUTHENTICATED; + + /* used by layers */ +@@ -1569,7 +1576,6 @@ static int gssapi_client_mech_step(void *conn_context, + gss_buffer_t input_token, output_token; + gss_buffer_desc real_input_token, real_output_token; + OM_uint32 maj_stat = 0, min_stat = 0; +- OM_uint32 max_input; + gss_buffer_desc name_token; + int ret; + OM_uint32 req_flags = 0, out_req_flags = 0; +@@ -1952,27 +1958,19 @@ static int gssapi_client_mech_step(void *conn_context, + (((unsigned char *) output_token->value)[2] << 8) | + (((unsigned char *) output_token->value)[3] << 0); + +- if (oparams->mech_ssf) { +- maj_stat = gss_wrap_size_limit( &min_stat, +- text->gss_ctx, +- 1, +- GSS_C_QOP_DEFAULT, +- (OM_uint32) oparams->maxoutbuf, +- &max_input); +- +- if (max_input > oparams->maxoutbuf) { +- /* Heimdal appears to get this wrong */ +- oparams->maxoutbuf -= (max_input - oparams->maxoutbuf); +- } else { +- /* This code is actually correct */ +- oparams->maxoutbuf = max_input; +- } +- } +- + GSS_LOCK_MUTEX_CTX(params->utils, text); + gss_release_buffer(&min_stat, output_token); + GSS_UNLOCK_MUTEX_CTX(params->utils, text); +- ++ ++ if (oparams->mech_ssf) { ++ int ret; ++ ++ ret = gssapi_wrap_sizes(text, oparams); ++ if (ret != SASL_OK) { ++ sasl_gss_free_context_contents(text); ++ return ret; ++ } ++ } + /* oparams->user is always set, due to canon_user requirements. + * Make sure the client actually requested it though, by checking + * if our context was set. + +From ff9f9caeb6db6d7513128fff9321f9bd445f58b7 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Mon, 10 Apr 2017 19:54:19 -0400 +Subject: [PATCH 3/3] Add support for retrieving the mech_ssf + +In the latest MIT Kerberos implementation it is possible to extract +the calculated SSF wich is based on the encryption type that has been +used to establish the GSSAPI security context. + +Use this method if available or fall back to the old "DES" value. + +Signed-off-by: Simo Sorce +--- + cmulocal/sasl2.m4 | 20 +++++++++++ + plugins/gssapi.c | 102 +++++++++++++++++++++++++++++++++++++++++++++++++------ + 2 files changed, 111 insertions(+), 11 deletions(-) + +diff --git a/cmulocal/sasl2.m4 b/cmulocal/sasl2.m4 +index 66b291b0..686c4bc7 100644 +--- a/cmulocal/sasl2.m4 ++++ b/cmulocal/sasl2.m4 +@@ -290,6 +290,26 @@ if test "$gssapi" != no; then + + cmu_save_LIBS="$LIBS" + LIBS="$LIBS $GSSAPIBASE_LIBS" ++ AC_CHECK_FUNCS(gss_inquire_sec_context_by_oid) ++ if test "$ac_cv_func_gss_inquire_sec_context_by_oid" = no ; then ++ if test "$ac_cv_header_gssapi_gssapi_ext_h" = "yes"; then ++ AC_CHECK_DECL(gss_inquire_sec_context_by_oid, ++ [AC_DEFINE(HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID,1, ++ [Define if your GSSAPI implementation defines gss_inquire_sec_context_by_oid])],, ++ [ ++ AC_INCLUDES_DEFAULT ++ #include ++ ]) ++ fi ++ fi ++ if test "$ac_cv_header_gssapi_gssapi_ext_h" = "yes"; then ++ AC_EGREP_HEADER(GSS_C_SEC_CONTEXT_SASL_SSF, gssapi/gssapi_ext.h, ++ [AC_DEFINE(HAVE_GSS_C_SEC_CONTEXT_SASL_SSF,, ++ [Define if your GSSAPI implementation defines GSS_C_SEC_CONTEXT_SASL_SSF])]) ++ fi ++ cmu_save_LIBS="$LIBS" ++ LIBS="$LIBS $GSSAPIBASE_LIBS" ++ + AC_MSG_CHECKING([for SPNEGO support in GSSAPI libraries]) + AC_TRY_RUN([ + #ifdef HAVE_GSSAPI_H +diff --git a/plugins/gssapi.c b/plugins/gssapi.c +index 348debe0..5f554ce3 100644 +--- a/plugins/gssapi.c ++++ b/plugins/gssapi.c +@@ -51,6 +51,9 @@ + #endif + + #include ++#ifdef HAVE_GSSAPI_GSSAPI_EXT_H ++#include ++#endif + + #ifdef WIN32 + # include +@@ -98,18 +103,25 @@ extern gss_OID gss_nt_service_name; + /* Check if CyberSafe flag is defined */ + #ifdef CSF_GSS_C_DES3_FLAG + #define K5_MAX_SSF 112 ++#define K5_MIN_SSF 112 + #endif + + /* Heimdal and MIT use the following */ + #ifdef GSS_KRB5_CONF_C_QOP_DES3_KD + #define K5_MAX_SSF 112 ++#define K5_MIN_SSF 112 + #endif + + #endif + + #ifndef K5_MAX_SSF ++/* All modern Kerberos implementations support AES */ ++#define K5_MAX_SSF 256 ++#endif ++ + /* All Kerberos implementations support DES */ +-#define K5_MAX_SSF 56 ++#ifndef K5_MIN_SSF ++#define K5_MIN_SSF 56 + #endif + + /* GSSAPI SASL Mechanism by Leif Johansson +@@ -674,6 +686,47 @@ static int gssapi_wrap_sizes(context_t *text, sasl_out_params_t *oparams) + return SASL_OK; + } + ++#if !defined(HAVE_GSS_C_SEC_CONTEXT_SASL_SSF) ++gss_OID_desc gss_sasl_ssf = { ++ 11, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0f" ++}; ++gss_OID GSS_C_SEC_CONTEXT_SASL_SSF = &gss_sasl_ssf; ++#endif ++ ++static int gssapi_get_ssf(context_t *text, sasl_ssf_t *mech_ssf) ++{ ++#ifdef HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID ++ OM_uint32 maj_stat = 0, min_stat = 0; ++ gss_buffer_set_t bufset = GSS_C_NO_BUFFER_SET; ++ gss_OID ssf_oid = GSS_C_SEC_CONTEXT_SASL_SSF; ++ uint32_t ssf; ++ ++ maj_stat = gss_inquire_sec_context_by_oid(&min_stat, text->gss_ctx, ++ ssf_oid, &bufset); ++ switch (maj_stat) { ++ case GSS_S_UNAVAILABLE: ++ /* Not supported by the library, fallback to default */ ++ goto fallback; ++ case GSS_S_COMPLETE: ++ if ((bufset->count != 1) || (bufset->elements[0].length != 4)) { ++ /* Malformed bufset, fail */ ++ (void)gss_release_buffer_set(&min_stat, &bufset); ++ return SASL_FAIL; ++ } ++ memcpy(&ssf, bufset->elements[0].value, 4); ++ (void)gss_release_buffer_set(&min_stat, &bufset); ++ *mech_ssf = ntohl(ssf); ++ return SASL_OK; ++ default: ++ return SASL_FAIL; ++ } ++ ++fallback: ++#endif ++ *mech_ssf = K5_MIN_SSF; ++ return SASL_OK; ++} ++ + /* The GSS-SPNEGO mechanism does not do SSF negotiation, instead it uses the + * flags negotiated by GSSAPI to determine If confidentiality or integrity are + * used. These flags are stored in text->qop transalated as layers by the +@@ -687,7 +740,10 @@ static int gssapi_spnego_ssf(context_t *text, + if (text->qop & LAYER_CONFIDENTIALITY) { + oparams->encode = &gssapi_privacy_encode; + oparams->decode = &gssapi_decode; +- oparams->mech_ssf = K5_MAX_SSF; ++ ret = gssapi_get_ssf(text, &oparams->mech_ssf); ++ if (ret != SASL_OK) { ++ return ret; ++ } + } else if (text->qop & LAYER_INTEGRITY) { + oparams->encode = &gssapi_integrity_encode; + oparams->decode = &gssapi_decode; +@@ -1089,6 +1145,7 @@ gssapi_server_mech_ssfcap(context_t *text, + gss_buffer_desc real_input_token, real_output_token; + OM_uint32 maj_stat = 0, min_stat = 0; + unsigned char sasldata[4]; ++ sasl_ssf_t mech_ssf; + int ret; + + input_token = &real_input_token; +@@ -1149,9 +1206,14 @@ gssapi_server_mech_ssfcap(context_t *text, + params->props.maxbufsize) { + sasldata[0] |= LAYER_INTEGRITY; + } ++ ret = gssapi_get_ssf(text, &mech_ssf); ++ if (ret != SASL_OK) { ++ sasl_gss_free_context_contents(text); ++ return ret; ++ } + if ((text->qop & LAYER_CONFIDENTIALITY) && +- text->requiressf <= K5_MAX_SSF && +- text->limitssf >= K5_MAX_SSF && ++ text->requiressf <= mech_ssf && ++ text->limitssf >= mech_ssf && + params->props.maxbufsize) { + sasldata[0] |= LAYER_CONFIDENTIALITY; + } +@@ -1271,10 +1333,18 @@ gssapi_server_mech_ssfreq(context_t *text, + } else if (/* For compatibility with broken clients setting both bits */ + (layerchoice & (LAYER_CONFIDENTIALITY | LAYER_INTEGRITY)) && + (text->qop & LAYER_CONFIDENTIALITY)) { /* privacy */ ++ int ret; + oparams->encode = &gssapi_privacy_encode; + oparams->decode = &gssapi_decode; +- /* FIX ME: Need to extract the proper value here */ +- oparams->mech_ssf = K5_MAX_SSF; ++ ++ ret = gssapi_get_ssf(text, &oparams->mech_ssf); ++ if (ret != SASL_OK) { ++ GSS_LOCK_MUTEX_CTX(params->utils, text); ++ gss_release_buffer(&min_stat, output_token); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); ++ sasl_gss_free_context_contents(text); ++ return ret; ++ } + } else { + /* not a supported encryption layer */ + SETERROR(text->utils, +@@ -1845,6 +1915,8 @@ static int gssapi_client_mech_step(void *conn_context, + unsigned int alen, external = params->external_ssf; + sasl_ssf_t need, allowed; + char serverhas, mychoice; ++ sasl_ssf_t mech_ssf; ++ int ret; + + real_input_token.value = (void *) serverin; + real_input_token.length = serverinlen; +@@ -1879,8 +1951,17 @@ static int gssapi_client_mech_step(void *conn_context, + return SASL_FAIL; + } + ++ ret = gssapi_get_ssf(text, &mech_ssf); ++ if (ret != SASL_OK) { ++ GSS_LOCK_MUTEX_CTX(params->utils, text); ++ gss_release_buffer(&min_stat, output_token); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); ++ sasl_gss_free_context_contents(text); ++ return SASL_FAIL; ++ } ++ + /* taken from kerberos.c */ +- if (secprops->min_ssf > (K5_MAX_SSF + external)) { ++ if (secprops->min_ssf > (mech_ssf + external)) { + return SASL_TOOWEAK; + } else if (secprops->min_ssf > secprops->max_ssf) { + return SASL_BADPARAM; +@@ -1904,8 +1985,8 @@ static int gssapi_client_mech_step(void *conn_context, + + /* use the strongest layer available */ + if ((text->qop & LAYER_CONFIDENTIALITY) && +- allowed >= K5_MAX_SSF && +- need <= K5_MAX_SSF && ++ allowed >= mech_ssf && ++ need <= mech_ssf && + (serverhas & LAYER_CONFIDENTIALITY)) { + + const char *ad_compat; +@@ -1913,8 +1994,7 @@ static int gssapi_client_mech_step(void *conn_context, + /* encryption */ + oparams->encode = &gssapi_privacy_encode; + oparams->decode = &gssapi_decode; +- /* FIX ME: Need to extract the proper value here */ +- oparams->mech_ssf = K5_MAX_SSF; ++ oparams->mech_ssf = mech_ssf; + mychoice = LAYER_CONFIDENTIALITY; + + if (serverhas & LAYER_INTEGRITY) { + + + +diff -U3 cyrus-sasl-2.1.26.old/config.h.in cyrus-sasl-2.1.26/config.h.in +--- cyrus-sasl-2.1.26.old/config.h.in 2012-11-06 20:20:59.000000000 +0100 ++++ cyrus-sasl-2.1.26/config.h.in 2017-09-21 10:33:36.225258244 +0200 +@@ -132,6 +135,9 @@ + /* Define if your GSSAPI implementation defines GSS_C_NT_USER_NAME */ + #undef HAVE_GSS_C_NT_USER_NAME + ++/* Define if your GSSAPI implementation defines GSS_C_SEC_CONTEXT_SASL_SSF */ ++#undef HAVE_GSS_C_SEC_CONTEXT_SASL_SSF ++ + /* Define to 1 if you have the `gss_decapsulate_token' function. */ + #undef HAVE_GSS_DECAPSULATE_TOKEN + +@@ -141,6 +147,10 @@ + /* Define to 1 if you have the `gss_get_name_attribute' function. */ + #undef HAVE_GSS_GET_NAME_ATTRIBUTE + ++/* Define if your GSSAPI implementation defines gss_inquire_sec_context_by_oid ++ */ ++#undef HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID ++ + /* Define to 1 if you have the `gss_oid_equal' function. */ + #undef HAVE_GSS_OID_EQUAL + +diff -U3 cyrus-sasl-2.1.26.old/configure cyrus-sasl-2.1.26/configure +--- cyrus-sasl-2.1.26.old/configure 2017-09-21 10:11:30.557021831 +0200 ++++ cyrus-sasl-2.1.26/configure 2017-09-21 10:33:40.389277838 +0200 +@@ -13984,6 +13984,50 @@ + + LIBS="$cmu_save_LIBS" + ++ cmu_save_LIBS="$LIBS" ++ LIBS="$LIBS $GSSAPIBASE_LIBS" ++ for ac_func in gss_inquire_sec_context_by_oid ++do : ++ ac_fn_c_check_func "$LINENO" "gss_inquire_sec_context_by_oid" "ac_cv_func_gss_inquire_sec_context_by_oid" ++if test "x$ac_cv_func_gss_inquire_sec_context_by_oid" = xyes; then : ++ cat >>confdefs.h <<_ACEOF ++#define HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID 1 ++_ACEOF ++ ++fi ++done ++ ++ if test "$ac_cv_func_gss_inquire_sec_context_by_oid" = no ; then ++ if test "$ac_cv_header_gssapi_gssapi_ext_h" = "yes"; then ++ ac_fn_c_check_decl "$LINENO" "gss_inquire_sec_context_by_oid" "ac_cv_have_decl_gss_inquire_sec_context_by_oid" " ++ $ac_includes_default ++ #include ++ ++" ++if test "x$ac_cv_have_decl_gss_inquire_sec_context_by_oid" = xyes; then : ++ ++$as_echo "#define HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID 1" >>confdefs.h ++ ++fi ++ ++ fi ++ fi ++ if test "$ac_cv_header_gssapi_gssapi_ext_h" = "yes"; then ++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext ++/* end confdefs.h. */ ++#include ++ ++_ACEOF ++if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | ++ $EGREP "GSS_C_SEC_CONTEXT_SASL_SSF" >/dev/null 2>&1; then : ++ ++$as_echo "#define HAVE_GSS_C_SEC_CONTEXT_SASL_SSF /**/" >>confdefs.h ++ ++fi ++rm -f conftest* ++ ++ fi ++ + cmu_save_LIBS="$LIBS" + LIBS="$LIBS $GSSAPIBASE_LIBS" + { $as_echo "$as_me:$LINENO: checking for SPNEGO support in GSSAPI libraries" >&5 diff --git a/SPECS/cyrus-sasl.spec b/SPECS/cyrus-sasl.spec index 8c60980..30c6bbf 100644 --- a/SPECS/cyrus-sasl.spec +++ b/SPECS/cyrus-sasl.spec @@ -10,7 +10,7 @@ Summary: The Cyrus SASL library Name: cyrus-sasl Version: 2.1.26 -Release: 21%{?dist} +Release: 23%{?dist} License: BSD with advertising Group: System Environment/Libraries # Source0 originally comes from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/; @@ -66,6 +66,8 @@ Patch57: cyrus-sasl-2.1.26-error-message-when-config-has-typo.patch Patch58: cyrus-sasl-2.1.26-gssapi-use-per-connection-mutex.patch # GSS-SPNEGO compatible with Windows clients (#1421663) Patch59: cyrus-sasl-2.1.26-gss-spnego.patch +# Allow cyrus sasl to get the ssf from gssapi (#1431586) +Patch60: cyrus-sasl-2.1.26-gss-ssf.patch Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: autoconf, automake, libtool, gdbm-devel, groff @@ -217,6 +219,7 @@ chmod -x include/*.h %patch57 -p1 -b .typo %patch58 -p1 -b .mutex %patch59 -p1 -b .spnego +%patch60 -p1 -b .ssf %build @@ -440,6 +443,12 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir} %{_sbindir}/sasl2-shared-mechlist %changelog +* Wed Nov 22 2017 Jakub Jelen - 2.1.26-23 +- Avoid undefined symbols on s390x (#1516193) + +* Thu Sep 21 2017 Jakub Jelen - 2.1.26-22 +- Allow cyrus sasl to get the ssf from gssapi (#1431586) + * Mon Mar 06 2017 Jakub Jelen - 2.1.26-21 - support proper SASL GSS-SPNEGO (#1421663)