diff --git a/.cyrus-sasl.metadata b/.cyrus-sasl.metadata
new file mode 100644
index 0000000..9777141
--- /dev/null
+++ b/.cyrus-sasl.metadata
@@ -0,0 +1 @@
+b77ef8bd7e31923bdc7632a4c9a40cc79ec12681 SOURCES/cyrus-sasl-2.1.26-nodlcompatorsrp.tar.gz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..8716f4f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/cyrus-sasl-2.1.26-nodlcompatorsrp.tar.gz
diff --git a/SOURCES/cyrus-sasl-2.1.20-saslauthd.conf-path.patch b/SOURCES/cyrus-sasl-2.1.20-saslauthd.conf-path.patch
new file mode 100644
index 0000000..8e025d2
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.20-saslauthd.conf-path.patch
@@ -0,0 +1,38 @@
+diff -up cyrus-sasl-2.1.25/saslauthd/saslauthd.8.path cyrus-sasl-2.1.25/saslauthd/saslauthd.8
+--- cyrus-sasl-2.1.25/saslauthd/saslauthd.8.path 2012-02-08 17:02:25.143783451 +0100
++++ cyrus-sasl-2.1.25/saslauthd/saslauthd.8 2012-02-08 17:04:31.775795190 +0100
+@@ -177,7 +177,7 @@ N�NO�OT�TE�ES�S
+ anyway.)
+
+ F�FI�IL�LE�ES�S
+- /var/run/saslauthd/mux The default communications socket.
++ /run/saslauthd/mux The default communications socket.
+
+ /usr/local/etc/saslauthd.conf
+ The default configuration file for ldap support.
+diff -up cyrus-sasl-2.1.25/saslauthd/saslauthd.mdoc.path cyrus-sasl-2.1.25/saslauthd/saslauthd.mdoc
+--- cyrus-sasl-2.1.25/saslauthd/saslauthd.mdoc.path 2009-12-03 20:07:03.000000000 +0100
++++ cyrus-sasl-2.1.25/saslauthd/saslauthd.mdoc 2012-02-08 17:01:39.400986561 +0100
+@@ -216,7 +216,7 @@ instead.
+ .Em (All platforms that support OpenLDAP 2.0 or higher)
+ .Pp
+ Authenticate against an ldap server. The ldap configuration parameters are
+-read from /usr/local/etc/saslauthd.conf. The location of this file can be
++read from /etc/saslauthd.conf. The location of this file can be
+ changed with the -O parameter. See the LDAP_SASLAUTHD file included with the
+ distribution for the list of available parameters.
+ .It Li sia
+@@ -246,10 +246,10 @@ these ticket files can cause serious per
+ servers. (Kerberos
+ was never intended to be used in this manner, anyway.)
+ .Sh FILES
+-.Bl -tag -width "/var/run/saslauthd/mux"
+-.It Pa /var/run/saslauthd/mux
++.Bl -tag -width "/run/saslauthd/mux"
++.It Pa /run/saslauthd/mux
+ The default communications socket.
+-.It Pa /usr/local/etc/saslauthd.conf
++.It Pa /etc/saslauthd.conf
+ The default configuration file for ldap support.
+ .El
+ .Sh SEE ALSO
diff --git a/SOURCES/cyrus-sasl-2.1.21-sizes.patch b/SOURCES/cyrus-sasl-2.1.21-sizes.patch
new file mode 100644
index 0000000..45f1800
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.21-sizes.patch
@@ -0,0 +1,249 @@
+Prefer types in <inttypes.h> to our own, because it removes file content
+conflicts between 32- and 64-bit architectures. RFEd as #2829.
+
+--- cyrus-sasl-2.1.21/configure.in 2006-05-16 07:37:52.000000000 -0400
++++ cyrus-sasl-2.1.21/configure.in 2006-05-16 07:37:52.000000000 -0400
+@@ -1083,6 +1083,10 @@
+ AC_HEADER_DIRENT
+ AC_HEADER_SYS_WAIT
+ AC_CHECK_HEADERS(des.h dlfcn.h fcntl.h limits.h malloc.h paths.h strings.h sys/file.h sys/time.h syslog.h unistd.h inttypes.h sys/uio.h sys/param.h sysexits.h stdarg.h varargs.h)
++AC_CHECK_TYPES([long long, int8_t, uint8_t, int16_t, uint16_t, int32_t, uint32_t, int64_t, uint64_t],,,[
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif])
+
+ IPv6_CHECK_SS_FAMILY()
+ IPv6_CHECK_SA_LEN()
+diff -up cyrus-sasl-2.1.26/configure.sizes cyrus-sasl-2.1.26/configure
+--- cyrus-sasl-2.1.26/configure.sizes 2013-11-13 16:40:44.492792539 +0100
++++ cyrus-sasl-2.1.26/configure 2013-11-13 16:40:47.489777836 +0100
+@@ -18166,6 +18166,124 @@ fi
+
+ done
+
++ac_fn_c_check_type "$LINENO" "long long" "ac_cv_type_long_long" "
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++"
++if test "x$ac_cv_type_long_long" = xyes; then :
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_LONG_LONG 1
++_ACEOF
++
++
++fi
++ac_fn_c_check_type "$LINENO" "int8_t" "ac_cv_type_int8_t" "
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++"
++if test "x$ac_cv_type_int8_t" = xyes; then :
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_INT8_T 1
++_ACEOF
++
++
++fi
++ac_fn_c_check_type "$LINENO" "uint8_t" "ac_cv_type_uint8_t" "
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++"
++if test "x$ac_cv_type_uint8_t" = xyes; then :
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_UINT8_T 1
++_ACEOF
++
++
++fi
++ac_fn_c_check_type "$LINENO" "int16_t" "ac_cv_type_int16_t" "
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++"
++if test "x$ac_cv_type_int16_t" = xyes; then :
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_INT16_T 1
++_ACEOF
++
++
++fi
++ac_fn_c_check_type "$LINENO" "uint16_t" "ac_cv_type_uint16_t" "
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++"
++if test "x$ac_cv_type_uint16_t" = xyes; then :
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_UINT16_T 1
++_ACEOF
++
++
++fi
++ac_fn_c_check_type "$LINENO" "int32_t" "ac_cv_type_int32_t" "
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++"
++if test "x$ac_cv_type_int32_t" = xyes; then :
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_INT32_T 1
++_ACEOF
++
++
++fi
++ac_fn_c_check_type "$LINENO" "uint32_t" "ac_cv_type_uint32_t" "
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++"
++if test "x$ac_cv_type_uint32_t" = xyes; then :
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_UINT32_T 1
++_ACEOF
++
++
++fi
++ac_fn_c_check_type "$LINENO" "int64_t" "ac_cv_type_int64_t" "
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++"
++if test "x$ac_cv_type_int64_t" = xyes; then :
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_INT64_T 1
++_ACEOF
++
++
++fi
++ac_fn_c_check_type "$LINENO" "uint64_t" "ac_cv_type_uint64_t" "
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++"
++if test "x$ac_cv_type_uint64_t" = xyes; then :
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_UINT64_T 1
++_ACEOF
++
++
++fi
++
+
+
+ { $as_echo "$as_me:$LINENO: checking whether you have ss_family in struct sockaddr_storage" >&5
+diff -up cyrus-sasl-2.1.26/include/makemd5.c.sizes cyrus-sasl-2.1.26/include/makemd5.c
+--- cyrus-sasl-2.1.26/include/makemd5.c.sizes 2012-01-28 00:31:36.000000000 +0100
++++ cyrus-sasl-2.1.26/include/makemd5.c 2013-11-13 16:22:24.195981512 +0100
+@@ -82,12 +82,19 @@
+ */
+
+
++#ifdef HAVE_CONFIG_H
++#include "../config.h"
++#endif
+
+ #include <stdio.h>
+ #include <string.h>
+ #include <stdlib.h>
+ #include <ctype.h>
+
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++
+
+ static void
+ my_strupr(char *s)
+@@ -122,6 +129,18 @@
+ static void
+ try_signed(FILE *f, int len)
+ {
++#ifdef HAVE_INT8_T
++ BITSIZE(int8_t);
++#endif
++#ifdef HAVE_INT16_T
++ BITSIZE(int16_t);
++#endif
++#ifdef HAVE_INT32_T
++ BITSIZE(int32_t);
++#endif
++#ifdef HAVE_INT64_T
++ BITSIZE(int64_t);
++#endif
+ BITSIZE(signed char);
+ BITSIZE(short);
+ BITSIZE(int);
+@@ -135,6 +154,18 @@
+ static void
+ try_unsigned(FILE *f, int len)
+ {
++#ifdef HAVE_UINT8_T
++ BITSIZE(uint8_t);
++#endif
++#ifdef HAVE_UINT16_T
++ BITSIZE(uint16_t);
++#endif
++#ifdef HAVE_UINT32_T
++ BITSIZE(uint32_t);
++#endif
++#ifdef HAVE_UINT64_T
++ BITSIZE(uint64_t);
++#endif
+ BITSIZE(unsigned char);
+ BITSIZE(unsigned short);
+ BITSIZE(unsigned int);
+@@ -165,6 +196,11 @@
+ "/* POINTER defines a generic pointer type */\n"
+ "typedef unsigned char *POINTER;\n"
+ "\n"
++#ifdef HAVE_INTTYPES_H
++ "/* We try to define integer types for our use */\n"
++ "#include <inttypes.h>\n"
++ "\n"
++#endif
+ );
+ return 1;
+ }
+@@ -212,31 +248,15 @@
+
+ print_pre(f);
+
+-#ifndef HAVE_INT8_T
+ try_signed (f, 8);
+-#endif /* HAVE_INT8_T */
+-#ifndef HAVE_INT16_T
+ try_signed (f, 16);
+-#endif /* HAVE_INT16_T */
+-#ifndef HAVE_INT32_T
+ try_signed (f, 32);
+-#endif /* HAVE_INT32_T */
+-#ifndef HAVE_INT64_T
+ try_signed (f, 64);
+-#endif /* HAVE_INT64_T */
+
+-#ifndef HAVE_U_INT8_T
+ try_unsigned (f, 8);
+-#endif /* HAVE_INT8_T */
+-#ifndef HAVE_U_INT16_T
+ try_unsigned (f, 16);
+-#endif /* HAVE_U_INT16_T */
+-#ifndef HAVE_U_INT32_T
+ try_unsigned (f, 32);
+-#endif /* HAVE_U_INT32_T */
+-#ifndef HAVE_U_INT64_T
+ try_unsigned (f, 64);
+-#endif /* HAVE_U_INT64_T */
+
+ print_post(f);
+
diff --git a/SOURCES/cyrus-sasl-2.1.22-kerberos4.patch b/SOURCES/cyrus-sasl-2.1.22-kerberos4.patch
new file mode 100644
index 0000000..09e23d7
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.22-kerberos4.patch
@@ -0,0 +1,26 @@
+diff -up cyrus-sasl-2.1.22/config/kerberos_v4.m4.krb4 cyrus-sasl-2.1.22/config/kerberos_v4.m4
+--- cyrus-sasl-2.1.22/config/kerberos_v4.m4.krb4 2005-05-07 06:14:55.000000000 +0200
++++ cyrus-sasl-2.1.22/config/kerberos_v4.m4 2008-08-14 23:41:26.000000000 +0200
+@@ -102,7 +102,6 @@ AC_DEFUN([SASL_KERBEROS_V4_CHK], [
+ if test -n "${cyrus_krbinclude}"; then
+ CPPFLAGS="$CPPFLAGS -I${cyrus_krbinclude}"
+ fi
+- LDFLAGS="$LDFLAGS -L$krb4/lib"
+ fi
+
+ if test "$with_des" != no; then
+diff -up cyrus-sasl-2.1.22/plugins/kerberos4.c.krb4 cyrus-sasl-2.1.22/plugins/kerberos4.c
+--- cyrus-sasl-2.1.22/plugins/kerberos4.c.krb4 2005-01-10 08:08:53.000000000 +0100
++++ cyrus-sasl-2.1.22/plugins/kerberos4.c 2008-08-14 23:36:33.000000000 +0200
+@@ -49,11 +49,7 @@
+ #include <krb.h>
+
+ #ifdef WITH_DES
+-# ifdef WITH_SSL_DES
+-# include <openssl/des.h>
+-# else
+ # include <des.h>
+-# endif /* WITH_SSL_DES */
+ #endif /* WITH_DES */
+
+ #ifdef WIN32
diff --git a/SOURCES/cyrus-sasl-2.1.22-ldap-timeout.patch b/SOURCES/cyrus-sasl-2.1.22-ldap-timeout.patch
new file mode 100644
index 0000000..82c6c82
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.22-ldap-timeout.patch
@@ -0,0 +1,25 @@
+commit c9447e1c3ffba88783e5d9396b832be82d3c78fc
+Author: Kazuo Ito <ito.kazuo@oss.ntt.co.jp>
+Date: Wed Dec 10 12:03:29 2008 +0900
+
+ support for LDAP_OPT_TIMEOUT
+
+ OpenLDAP since 2.4 implements support for this option in ldap_result(),
+ among other things.
+
+diff --git a/saslauthd/lak.c b/saslauthd/lak.c
+index 803d51f..8714265 100644
+--- a/saslauthd/lak.c
++++ b/saslauthd/lak.c
+@@ -833,6 +833,11 @@ static int lak_connect(
+ syslog(LOG_WARNING|LOG_AUTH, "Unable to set LDAP_OPT_NETWORK_TIMEOUT %d.%d.", lak->conf->timeout.tv_sec, lak->conf->timeout.tv_usec);
+ }
+
++ rc = ldap_set_option(lak->ld, LDAP_OPT_TIMEOUT, &(lak->conf->timeout));
++ if (rc != LDAP_OPT_SUCCESS) {
++ syslog(LOG_WARNING|LOG_AUTH, "Unable to set LDAP_OPT_TIMEOUT %d.%d.", lak->conf->timeout.tv_sec, lak->conf->timeout.tv_usec);
++ }
++
+ rc = ldap_set_option(lak->ld, LDAP_OPT_TIMELIMIT, &(lak->conf->time_limit));
+ if (rc != LDAP_OPT_SUCCESS) {
+ syslog(LOG_WARNING|LOG_AUTH, "Unable to set LDAP_OPT_TIMELIMIT %d.", lak->conf->time_limit);
diff --git a/SOURCES/cyrus-sasl-2.1.23-man.patch b/SOURCES/cyrus-sasl-2.1.23-man.patch
new file mode 100644
index 0000000..21c63cd
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.23-man.patch
@@ -0,0 +1,24 @@
+diff -up cyrus-sasl-2.1.26/saslauthd/testsaslauthd.8.man cyrus-sasl-2.1.26/saslauthd/testsaslauthd.8
+--- cyrus-sasl-2.1.26/saslauthd/testsaslauthd.8.man 2013-09-03 15:25:26.818042047 +0200
++++ cyrus-sasl-2.1.26/saslauthd/testsaslauthd.8 2013-09-03 15:25:26.818042047 +0200
+@@ -0,0 +1,20 @@
++.\" Hey, EMACS: -*- nroff -*-
++.TH TESTSASLAUTHD 8 "14 October 2006"
++.SH NAME
++testsaslauthd \- test utility for the SASL authentication server
++.SH SYNOPSIS
++.B testsaslauthd
++.RI "[ " \(hyr " " realm " ] [ " \(hys " " servicename " ] [ " \(hyf " " socket " " path " ] [ " \(hyR " " repeatnum " ]"
++.SH DESCRIPTION
++This manual page documents briefly the
++.B testsaslauthd
++command.
++.PP
++.SH SEE ALSO
++.BR saslauthd (8).
++.br
++.SH AUTHOR
++testsaslauthd was written by Carnegie Mellon University.
++.PP
++This manual page was written by Roberto C. Sanchez <roberto@connexer.com>,
++for the Debian project (but may be used by others).
diff --git a/SOURCES/cyrus-sasl-2.1.25-no_rpath.patch b/SOURCES/cyrus-sasl-2.1.25-no_rpath.patch
new file mode 100644
index 0000000..33ed15d
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.25-no_rpath.patch
@@ -0,0 +1,20 @@
+diff -up cyrus-sasl-2.1.25/cmulocal/cyrus.m4.no_rpath cyrus-sasl-2.1.25/cmulocal/cyrus.m4
+--- cyrus-sasl-2.1.25/cmulocal/cyrus.m4.no_rpath 2010-01-22 16:12:01.000000000 +0100
++++ cyrus-sasl-2.1.25/cmulocal/cyrus.m4 2012-12-06 14:59:47.956102057 +0100
+@@ -32,14 +32,5 @@ AC_DEFUN([CMU_ADD_LIBPATH_TO], [
+ dnl runpath initialization
+ AC_DEFUN([CMU_GUESS_RUNPATH_SWITCH], [
+ # CMU GUESS RUNPATH SWITCH
+- AC_CACHE_CHECK(for runpath switch, andrew_cv_runpath_switch, [
+- # first, try -R
+- SAVE_LDFLAGS="${LDFLAGS}"
+- LDFLAGS="-R /usr/lib"
+- AC_TRY_LINK([],[],[andrew_cv_runpath_switch="-R"], [
+- LDFLAGS="-Wl,-rpath,/usr/lib"
+- AC_TRY_LINK([],[],[andrew_cv_runpath_switch="-Wl,-rpath,"],
+- [andrew_cv_runpath_switch="none"])
+- ])
+- LDFLAGS="${SAVE_LDFLAGS}"
+- ])])
++ andrew_runpath_switch="none"
++ ])
diff --git a/SOURCES/cyrus-sasl-2.1.26-error-message-when-config-has-typo.patch b/SOURCES/cyrus-sasl-2.1.26-error-message-when-config-has-typo.patch
new file mode 100644
index 0000000..939c4c9
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-error-message-when-config-has-typo.patch
@@ -0,0 +1,46 @@
+diff --git a/include/sasl.h b/include/sasl.h
+index 8b8a63f..6ae153f 100755
+--- a/include/sasl.h
++++ b/include/sasl.h
+@@ -179,6 +179,7 @@
+ because of some constrains/policy violation */
+
+ #define SASL_BADBINDING -32 /* channel binding failure */
++#define SASL_CONFIGERR -33 /* error when parsing configuration file */
+
+ /* max size of a sasl mechanism name */
+ #define SASL_MECHNAMEMAX 20
+diff --git a/lib/common.c b/lib/common.c
+index 672fe2f..de0adfd 100644
+--- a/lib/common.c
++++ b/lib/common.c
+@@ -1362,6 +1362,7 @@ const char *sasl_errstring(int saslerr,
+ case SASL_CONSTRAINT_VIOLAT: return "sasl_setpass can't store a property because "
+ "of a constraint violation";
+ case SASL_BADBINDING: return "channel binding failure";
++ case SASL_CONFIGERR: return "error when parsing configuration file";
+
+ default: return "undefined error!";
+ }
+diff --git a/lib/config.c b/lib/config.c
+index 7cae302..fde3757 100644
+--- a/lib/config.c
++++ b/lib/config.c
+@@ -91,7 +91,7 @@ int sasl_config_init(const char *filename)
+ }
+ if (*p != ':') {
+ fclose(infile);
+- return SASL_FAIL;
++ return SASL_CONFIGERR;
+ }
+ *p++ = '\0';
+
+@@ -99,7 +99,7 @@ int sasl_config_init(const char *filename)
+
+ if (!*p) {
+ fclose(infile);
+- return SASL_FAIL;
++ return SASL_CONFIGERR;
+ }
+
+ /* Now strip trailing spaces, if any */
diff --git a/SOURCES/cyrus-sasl-2.1.26-gss-spnego.patch b/SOURCES/cyrus-sasl-2.1.26-gss-spnego.patch
new file mode 100644
index 0000000..69ab893
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-gss-spnego.patch
@@ -0,0 +1,139 @@
+From 67ca66685e11acc0f69d5ff8013107d4b172e67f Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Thu, 16 Feb 2017 15:25:56 -0500
+Subject: [PATCH] Fix GSS-SPNEGO mechanism's incompatible behavior
+
+The GSS-SPNEGO mechanism has been designed and introduced by Microsoft for use
+by Active Directory clients. It allows to negotiate an underlying
+Security Mechanism like Krb5 or NTLMSSP.
+However, the implementaion in cyrus-sasl is broken and never correctly
+interoperated with Microsoft servers or clients. This patch fixes the
+compatibility issue which is caused by incorrectly trying to negotiate
+SSF layers explicitly instead of using the flags negotiated by GSSAPI
+as required by Microsoft's implementation.
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ plugins/gssapi.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 64 insertions(+), 6 deletions(-)
+
+diff --git a/plugins/gssapi.c b/plugins/gssapi.c
+index bfc278d..010c236 100644
+--- a/plugins/gssapi.c
++++ b/plugins/gssapi.c
+@@ -648,10 +648,62 @@ static void gssapi_common_mech_free(void *global_context __attribute__((unused))
+ #endif
+ }
+
++/* The GSS-SPNEGO mechanism does not do SSF negotiation, instead it uses the
++ * flags negotiated by GSSAPI to determine If confidentiality or integrity are
++ * used. These flags are stored in text->qop transalated as layers by the
++ * caller */
++static int gssapi_spnego_ssf(context_t *text, const sasl_utils_t *utils,
++ sasl_security_properties_t *props,
++ sasl_out_params_t *oparams)
++{
++ OM_uint32 maj_stat = 0, min_stat = 0;
++ OM_uint32 max_input;
++
++ if (text->qop & LAYER_CONFIDENTIALITY) {
++ oparams->encode = &gssapi_privacy_encode;
++ oparams->decode = &gssapi_decode;
++ oparams->mech_ssf = K5_MAX_SSF;
++ } else if (text->qop & LAYER_INTEGRITY) {
++ oparams->encode = &gssapi_integrity_encode;
++ oparams->decode = &gssapi_decode;
++ oparams->mech_ssf = 1;
++ } else {
++ oparams->encode = NULL;
++ oparams->decode = NULL;
++ oparams->mech_ssf = 0;
++ }
++
++ if (oparams->mech_ssf) {
++ maj_stat = gss_wrap_size_limit(&min_stat,
++ text->gss_ctx,
++ 1,
++ GSS_C_QOP_DEFAULT,
++ (OM_uint32)oparams->maxoutbuf,
++ &max_input);
++
++ if (max_input > oparams->maxoutbuf) {
++ /* Heimdal appears to get this wrong */
++ oparams->maxoutbuf -= (max_input - oparams->maxoutbuf);
++ } else {
++ /* This code is actually correct */
++ oparams->maxoutbuf = max_input;
++ }
++ }
++
++ text->state = SASL_GSSAPI_STATE_AUTHENTICATED;
++
++ /* used by layers */
++ _plug_decode_init(&text->decode_context, text->utils,
++ (props->maxbufsize > 0xFFFFFF) ? 0xFFFFFF :
++ props->maxbufsize);
++
++ return SASL_OK;
++}
++
+ /***************************** Server Section *****************************/
+
+ static int
+-gssapi_server_mech_new(void *glob_context __attribute__((unused)),
++gssapi_server_mech_new(void *glob_context,
+ sasl_server_params_t *params,
+ const char *challenge __attribute__((unused)),
+ unsigned challen __attribute__((unused)),
+@@ -673,6 +725,7 @@ gssapi_server_mech_new(void *glob_context __attribute__((unused)),
+ text->state = SASL_GSSAPI_STATE_AUTHNEG;
+
+ text->http_mode = (params->flags & SASL_NEED_HTTP);
++ text->mech_type = (gss_OID) glob_context;
+
+ *conn_context = text;
+
+@@ -686,7 +739,7 @@ gssapi_server_mech_authneg(context_t *text,
+ unsigned clientinlen,
+ const char **serverout,
+ unsigned *serveroutlen,
+- sasl_out_params_t *oparams __attribute__((unused)))
++ sasl_out_params_t *oparams)
+ {
+ gss_buffer_t input_token, output_token;
+ gss_buffer_desc real_input_token, real_output_token;
+@@ -965,8 +1018,9 @@ gssapi_server_mech_authneg(context_t *text,
+ /* HTTP doesn't do any ssf negotiation */
+ text->state = SASL_GSSAPI_STATE_AUTHENTICATED;
+ ret = SASL_OK;
+- }
+- else {
++ } else if (text->mech_type && text->mech_type == &gss_spnego_oid) {
++ ret = gssapi_spnego_ssf(text, params->utils, ¶ms->props, oparams);
++ } else {
+ /* Switch to ssf negotiation */
+ text->state = SASL_GSSAPI_STATE_SSFCAP;
+ ret = SASL_CONTINUE;
+@@ -1391,7 +1445,7 @@ static sasl_server_plug_t gssapi_server_plugins[] =
+ | SASL_FEAT_ALLOWS_PROXY
+ | SASL_FEAT_DONTUSE_USERPASSWD
+ | SASL_FEAT_SUPPORTS_HTTP, /* features */
+- NULL, /* glob_context */
++ &gss_spnego_oid, /* glob_context */
+ &gssapi_server_mech_new, /* mech_new */
+ &gssapi_server_mech_step, /* mech_step */
+ &gssapi_common_mech_dispose, /* mech_dispose */
+@@ -1769,7 +1823,11 @@ static int gssapi_client_mech_step(void *conn_context,
+ text->state = SASL_GSSAPI_STATE_AUTHENTICATED;
+ oparams->doneflag = 1;
+ return SASL_OK;
+- }
++ } else if (text->mech_type && text->mech_type == &gss_spnego_oid) {
++ oparams->doneflag = 1;
++ return gssapi_spnego_ssf(text, params->utils, ¶ms->props,
++ oparams);
++ }
+
+ /* Switch to ssf negotiation */
+ text->state = SASL_GSSAPI_STATE_SSFCAP;
+
diff --git a/SOURCES/cyrus-sasl-2.1.26-gss-ssf.patch b/SOURCES/cyrus-sasl-2.1.26-gss-ssf.patch
new file mode 100644
index 0000000..72e18b7
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-gss-ssf.patch
@@ -0,0 +1,549 @@
+From 862b60c249c8a51095315062b22c0702a6500d80 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Tue, 11 Apr 2017 18:31:46 -0400
+Subject: [PATCH 1/3] Drop unused parameter from gssapi_spnego_ssf()
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ plugins/gssapi.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/plugins/gssapi.c b/plugins/gssapi.c
+index 010c236d..3050962e 100644
+--- a/plugins/gssapi.c
++++ b/plugins/gssapi.c
+@@ -652,7 +652,7 @@ static void gssapi_common_mech_free(void *global_context __attribute__((unused))
+ * flags negotiated by GSSAPI to determine If confidentiality or integrity are
+ * used. These flags are stored in text->qop transalated as layers by the
+ * caller */
+-static int gssapi_spnego_ssf(context_t *text, const sasl_utils_t *utils,
++static int gssapi_spnego_ssf(context_t *text,
+ sasl_security_properties_t *props,
+ sasl_out_params_t *oparams)
+ {
+@@ -1019,7 +1019,7 @@ gssapi_server_mech_authneg(context_t *text,
+ text->state = SASL_GSSAPI_STATE_AUTHENTICATED;
+ ret = SASL_OK;
+ } else if (text->mech_type && text->mech_type == &gss_spnego_oid) {
+- ret = gssapi_spnego_ssf(text, params->utils, ¶ms->props, oparams);
++ ret = gssapi_spnego_ssf(text, ¶ms->props, oparams);
+ } else {
+ /* Switch to ssf negotiation */
+ text->state = SASL_GSSAPI_STATE_SSFCAP;
+@@ -1825,8 +1825,7 @@ static int gssapi_client_mech_step(void *conn_context,
+ return SASL_OK;
+ } else if (text->mech_type && text->mech_type == &gss_spnego_oid) {
+ oparams->doneflag = 1;
+- return gssapi_spnego_ssf(text, params->utils, ¶ms->props,
+- oparams);
++ return gssapi_spnego_ssf(text, ¶ms->props, oparams);
+ }
+
+ /* Switch to ssf negotiation */
+
+From 72181257d77bda09afa7d0d640d322c4472f4833 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Mon, 10 Apr 2017 18:35:10 -0400
+Subject: [PATCH 2/3] Check return error from gss_wrap_size_limit()
+
+The return error of this function is ignored and potentially
+uninitialized values returned by this function are used.
+
+Fix this by moving the function into a proper helper as it is used in an
+identical way in 3 different places.
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ plugins/gssapi.c | 104 +++++++++++++++++++++++++++----------------------------
+ 1 file changed, 51 insertions(+), 53 deletions(-)
+
+diff --git a/plugins/gssapi.c b/plugins/gssapi.c
+index 3050962e..348debe0 100644
+--- a/plugins/gssapi.c
++++ b/plugins/gssapi.c
+@@ -648,6 +648,32 @@ static void gssapi_common_mech_free(void *global_context __attribute__((unused))
+ #endif
+ }
+
++static int gssapi_wrap_sizes(context_t *text, sasl_out_params_t *oparams)
++{
++ OM_uint32 maj_stat = 0, min_stat = 0;
++ OM_uint32 max_input = 0;
++
++ maj_stat = gss_wrap_size_limit(&min_stat,
++ text->gss_ctx,
++ 1,
++ GSS_C_QOP_DEFAULT,
++ (OM_uint32)oparams->maxoutbuf,
++ &max_input);
++ if (maj_stat != GSS_S_COMPLETE) {
++ return SASL_FAIL;
++ }
++
++ if (max_input > oparams->maxoutbuf) {
++ /* Heimdal appears to get this wrong */
++ oparams->maxoutbuf -= (max_input - oparams->maxoutbuf);
++ } else {
++ /* This code is actually correct */
++ oparams->maxoutbuf = max_input;
++ }
++
++ return SASL_OK;
++}
++
+ /* The GSS-SPNEGO mechanism does not do SSF negotiation, instead it uses the
+ * flags negotiated by GSSAPI to determine If confidentiality or integrity are
+ * used. These flags are stored in text->qop transalated as layers by the
+@@ -656,8 +682,7 @@ static int gssapi_spnego_ssf(context_t *text,
+ sasl_security_properties_t *props,
+ sasl_out_params_t *oparams)
+ {
+- OM_uint32 maj_stat = 0, min_stat = 0;
+- OM_uint32 max_input;
++ int ret;
+
+ if (text->qop & LAYER_CONFIDENTIALITY) {
+ oparams->encode = &gssapi_privacy_encode;
+@@ -674,20 +699,10 @@ static int gssapi_spnego_ssf(context_t *text,
+ }
+
+ if (oparams->mech_ssf) {
+- maj_stat = gss_wrap_size_limit(&min_stat,
+- text->gss_ctx,
+- 1,
+- GSS_C_QOP_DEFAULT,
+- (OM_uint32)oparams->maxoutbuf,
+- &max_input);
+-
+- if (max_input > oparams->maxoutbuf) {
+- /* Heimdal appears to get this wrong */
+- oparams->maxoutbuf -= (max_input - oparams->maxoutbuf);
+- } else {
+- /* This code is actually correct */
+- oparams->maxoutbuf = max_input;
+- }
++ ret = gssapi_wrap_sizes(text, oparams);
++ if (ret != SASL_OK) {
++ return ret;
++ }
+ }
+
+ text->state = SASL_GSSAPI_STATE_AUTHENTICATED;
+@@ -1208,7 +1223,6 @@ gssapi_server_mech_ssfreq(context_t *text,
+ gss_buffer_t input_token, output_token;
+ gss_buffer_desc real_input_token, real_output_token;
+ OM_uint32 maj_stat = 0, min_stat = 0;
+- OM_uint32 max_input;
+ int layerchoice;
+
+ input_token = &real_input_token;
+@@ -1297,27 +1311,20 @@ gssapi_server_mech_ssfreq(context_t *text,
+ (((unsigned char *) output_token->value)[2] << 8) |
+ (((unsigned char *) output_token->value)[3] << 0);
+
+- if (oparams->mech_ssf) {
+- maj_stat = gss_wrap_size_limit( &min_stat,
+- text->gss_ctx,
+- 1,
+- GSS_C_QOP_DEFAULT,
+- (OM_uint32) oparams->maxoutbuf,
+- &max_input);
+-
+- if(max_input > oparams->maxoutbuf) {
+- /* Heimdal appears to get this wrong */
+- oparams->maxoutbuf -= (max_input - oparams->maxoutbuf);
+- } else {
+- /* This code is actually correct */
+- oparams->maxoutbuf = max_input;
+- }
+- }
+-
+ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ gss_release_buffer(&min_stat, output_token);
+ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+
++ if (oparams->mech_ssf) {
++ int ret;
++
++ ret = gssapi_wrap_sizes(text, oparams);
++ if (ret != SASL_OK) {
++ sasl_gss_free_context_contents(text);
++ return ret;
++ }
++ }
++
+ text->state = SASL_GSSAPI_STATE_AUTHENTICATED;
+
+ /* used by layers */
+@@ -1569,7 +1576,6 @@ static int gssapi_client_mech_step(void *conn_context,
+ gss_buffer_t input_token, output_token;
+ gss_buffer_desc real_input_token, real_output_token;
+ OM_uint32 maj_stat = 0, min_stat = 0;
+- OM_uint32 max_input;
+ gss_buffer_desc name_token;
+ int ret;
+ OM_uint32 req_flags = 0, out_req_flags = 0;
+@@ -1952,27 +1958,19 @@ static int gssapi_client_mech_step(void *conn_context,
+ (((unsigned char *) output_token->value)[2] << 8) |
+ (((unsigned char *) output_token->value)[3] << 0);
+
+- if (oparams->mech_ssf) {
+- maj_stat = gss_wrap_size_limit( &min_stat,
+- text->gss_ctx,
+- 1,
+- GSS_C_QOP_DEFAULT,
+- (OM_uint32) oparams->maxoutbuf,
+- &max_input);
+-
+- if (max_input > oparams->maxoutbuf) {
+- /* Heimdal appears to get this wrong */
+- oparams->maxoutbuf -= (max_input - oparams->maxoutbuf);
+- } else {
+- /* This code is actually correct */
+- oparams->maxoutbuf = max_input;
+- }
+- }
+-
+ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ gss_release_buffer(&min_stat, output_token);
+ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+-
++
++ if (oparams->mech_ssf) {
++ int ret;
++
++ ret = gssapi_wrap_sizes(text, oparams);
++ if (ret != SASL_OK) {
++ sasl_gss_free_context_contents(text);
++ return ret;
++ }
++ }
+ /* oparams->user is always set, due to canon_user requirements.
+ * Make sure the client actually requested it though, by checking
+ * if our context was set.
+
+From ff9f9caeb6db6d7513128fff9321f9bd445f58b7 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Mon, 10 Apr 2017 19:54:19 -0400
+Subject: [PATCH 3/3] Add support for retrieving the mech_ssf
+
+In the latest MIT Kerberos implementation it is possible to extract
+the calculated SSF wich is based on the encryption type that has been
+used to establish the GSSAPI security context.
+
+Use this method if available or fall back to the old "DES" value.
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ cmulocal/sasl2.m4 | 20 +++++++++++
+ plugins/gssapi.c | 102 +++++++++++++++++++++++++++++++++++++++++++++++++------
+ 2 files changed, 111 insertions(+), 11 deletions(-)
+
+diff --git a/cmulocal/sasl2.m4 b/cmulocal/sasl2.m4
+index 66b291b0..686c4bc7 100644
+--- a/cmulocal/sasl2.m4
++++ b/cmulocal/sasl2.m4
+@@ -290,6 +290,26 @@ if test "$gssapi" != no; then
+
+ cmu_save_LIBS="$LIBS"
+ LIBS="$LIBS $GSSAPIBASE_LIBS"
++ AC_CHECK_FUNCS(gss_inquire_sec_context_by_oid)
++ if test "$ac_cv_func_gss_inquire_sec_context_by_oid" = no ; then
++ if test "$ac_cv_header_gssapi_gssapi_ext_h" = "yes"; then
++ AC_CHECK_DECL(gss_inquire_sec_context_by_oid,
++ [AC_DEFINE(HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID,1,
++ [Define if your GSSAPI implementation defines gss_inquire_sec_context_by_oid])],,
++ [
++ AC_INCLUDES_DEFAULT
++ #include <gssapi/gssapi_ext.h>
++ ])
++ fi
++ fi
++ if test "$ac_cv_header_gssapi_gssapi_ext_h" = "yes"; then
++ AC_EGREP_HEADER(GSS_C_SEC_CONTEXT_SASL_SSF, gssapi/gssapi_ext.h,
++ [AC_DEFINE(HAVE_GSS_C_SEC_CONTEXT_SASL_SSF,,
++ [Define if your GSSAPI implementation defines GSS_C_SEC_CONTEXT_SASL_SSF])])
++ fi
++ cmu_save_LIBS="$LIBS"
++ LIBS="$LIBS $GSSAPIBASE_LIBS"
++
+ AC_MSG_CHECKING([for SPNEGO support in GSSAPI libraries])
+ AC_TRY_RUN([
+ #ifdef HAVE_GSSAPI_H
+diff --git a/plugins/gssapi.c b/plugins/gssapi.c
+index 348debe0..5f554ce3 100644
+--- a/plugins/gssapi.c
++++ b/plugins/gssapi.c
+@@ -51,6 +51,9 @@
+ #endif
+
+ #include <gssapi/gssapi_krb5.h>
++#ifdef HAVE_GSSAPI_GSSAPI_EXT_H
++#include <gssapi/gssapi_ext.h>
++#endif
+
+ #ifdef WIN32
+ # include <winsock2.h>
+@@ -98,18 +103,25 @@ extern gss_OID gss_nt_service_name;
+ /* Check if CyberSafe flag is defined */
+ #ifdef CSF_GSS_C_DES3_FLAG
+ #define K5_MAX_SSF 112
++#define K5_MIN_SSF 112
+ #endif
+
+ /* Heimdal and MIT use the following */
+ #ifdef GSS_KRB5_CONF_C_QOP_DES3_KD
+ #define K5_MAX_SSF 112
++#define K5_MIN_SSF 112
+ #endif
+
+ #endif
+
+ #ifndef K5_MAX_SSF
++/* All modern Kerberos implementations support AES */
++#define K5_MAX_SSF 256
++#endif
++
+ /* All Kerberos implementations support DES */
+-#define K5_MAX_SSF 56
++#ifndef K5_MIN_SSF
++#define K5_MIN_SSF 56
+ #endif
+
+ /* GSSAPI SASL Mechanism by Leif Johansson <leifj@matematik.su.se>
+@@ -674,6 +686,47 @@ static int gssapi_wrap_sizes(context_t *text, sasl_out_params_t *oparams)
+ return SASL_OK;
+ }
+
++#if !defined(HAVE_GSS_C_SEC_CONTEXT_SASL_SSF)
++gss_OID_desc gss_sasl_ssf = {
++ 11, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0f"
++};
++gss_OID GSS_C_SEC_CONTEXT_SASL_SSF = &gss_sasl_ssf;
++#endif
++
++static int gssapi_get_ssf(context_t *text, sasl_ssf_t *mech_ssf)
++{
++#ifdef HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID
++ OM_uint32 maj_stat = 0, min_stat = 0;
++ gss_buffer_set_t bufset = GSS_C_NO_BUFFER_SET;
++ gss_OID ssf_oid = GSS_C_SEC_CONTEXT_SASL_SSF;
++ uint32_t ssf;
++
++ maj_stat = gss_inquire_sec_context_by_oid(&min_stat, text->gss_ctx,
++ ssf_oid, &bufset);
++ switch (maj_stat) {
++ case GSS_S_UNAVAILABLE:
++ /* Not supported by the library, fallback to default */
++ goto fallback;
++ case GSS_S_COMPLETE:
++ if ((bufset->count != 1) || (bufset->elements[0].length != 4)) {
++ /* Malformed bufset, fail */
++ (void)gss_release_buffer_set(&min_stat, &bufset);
++ return SASL_FAIL;
++ }
++ memcpy(&ssf, bufset->elements[0].value, 4);
++ (void)gss_release_buffer_set(&min_stat, &bufset);
++ *mech_ssf = ntohl(ssf);
++ return SASL_OK;
++ default:
++ return SASL_FAIL;
++ }
++
++fallback:
++#endif
++ *mech_ssf = K5_MIN_SSF;
++ return SASL_OK;
++}
++
+ /* The GSS-SPNEGO mechanism does not do SSF negotiation, instead it uses the
+ * flags negotiated by GSSAPI to determine If confidentiality or integrity are
+ * used. These flags are stored in text->qop transalated as layers by the
+@@ -687,7 +740,10 @@ static int gssapi_spnego_ssf(context_t *text,
+ if (text->qop & LAYER_CONFIDENTIALITY) {
+ oparams->encode = &gssapi_privacy_encode;
+ oparams->decode = &gssapi_decode;
+- oparams->mech_ssf = K5_MAX_SSF;
++ ret = gssapi_get_ssf(text, &oparams->mech_ssf);
++ if (ret != SASL_OK) {
++ return ret;
++ }
+ } else if (text->qop & LAYER_INTEGRITY) {
+ oparams->encode = &gssapi_integrity_encode;
+ oparams->decode = &gssapi_decode;
+@@ -1089,6 +1145,7 @@ gssapi_server_mech_ssfcap(context_t *text,
+ gss_buffer_desc real_input_token, real_output_token;
+ OM_uint32 maj_stat = 0, min_stat = 0;
+ unsigned char sasldata[4];
++ sasl_ssf_t mech_ssf;
+ int ret;
+
+ input_token = &real_input_token;
+@@ -1149,9 +1206,14 @@ gssapi_server_mech_ssfcap(context_t *text,
+ params->props.maxbufsize) {
+ sasldata[0] |= LAYER_INTEGRITY;
+ }
++ ret = gssapi_get_ssf(text, &mech_ssf);
++ if (ret != SASL_OK) {
++ sasl_gss_free_context_contents(text);
++ return ret;
++ }
+ if ((text->qop & LAYER_CONFIDENTIALITY) &&
+- text->requiressf <= K5_MAX_SSF &&
+- text->limitssf >= K5_MAX_SSF &&
++ text->requiressf <= mech_ssf &&
++ text->limitssf >= mech_ssf &&
+ params->props.maxbufsize) {
+ sasldata[0] |= LAYER_CONFIDENTIALITY;
+ }
+@@ -1271,10 +1333,18 @@ gssapi_server_mech_ssfreq(context_t *text,
+ } else if (/* For compatibility with broken clients setting both bits */
+ (layerchoice & (LAYER_CONFIDENTIALITY | LAYER_INTEGRITY)) &&
+ (text->qop & LAYER_CONFIDENTIALITY)) { /* privacy */
++ int ret;
+ oparams->encode = &gssapi_privacy_encode;
+ oparams->decode = &gssapi_decode;
+- /* FIX ME: Need to extract the proper value here */
+- oparams->mech_ssf = K5_MAX_SSF;
++
++ ret = gssapi_get_ssf(text, &oparams->mech_ssf);
++ if (ret != SASL_OK) {
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
++ gss_release_buffer(&min_stat, output_token);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
++ sasl_gss_free_context_contents(text);
++ return ret;
++ }
+ } else {
+ /* not a supported encryption layer */
+ SETERROR(text->utils,
+@@ -1845,6 +1915,8 @@ static int gssapi_client_mech_step(void *conn_context,
+ unsigned int alen, external = params->external_ssf;
+ sasl_ssf_t need, allowed;
+ char serverhas, mychoice;
++ sasl_ssf_t mech_ssf;
++ int ret;
+
+ real_input_token.value = (void *) serverin;
+ real_input_token.length = serverinlen;
+@@ -1879,8 +1951,17 @@ static int gssapi_client_mech_step(void *conn_context,
+ return SASL_FAIL;
+ }
+
++ ret = gssapi_get_ssf(text, &mech_ssf);
++ if (ret != SASL_OK) {
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
++ gss_release_buffer(&min_stat, output_token);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
++ sasl_gss_free_context_contents(text);
++ return SASL_FAIL;
++ }
++
+ /* taken from kerberos.c */
+- if (secprops->min_ssf > (K5_MAX_SSF + external)) {
++ if (secprops->min_ssf > (mech_ssf + external)) {
+ return SASL_TOOWEAK;
+ } else if (secprops->min_ssf > secprops->max_ssf) {
+ return SASL_BADPARAM;
+@@ -1904,8 +1985,8 @@ static int gssapi_client_mech_step(void *conn_context,
+
+ /* use the strongest layer available */
+ if ((text->qop & LAYER_CONFIDENTIALITY) &&
+- allowed >= K5_MAX_SSF &&
+- need <= K5_MAX_SSF &&
++ allowed >= mech_ssf &&
++ need <= mech_ssf &&
+ (serverhas & LAYER_CONFIDENTIALITY)) {
+
+ const char *ad_compat;
+@@ -1913,8 +1994,7 @@ static int gssapi_client_mech_step(void *conn_context,
+ /* encryption */
+ oparams->encode = &gssapi_privacy_encode;
+ oparams->decode = &gssapi_decode;
+- /* FIX ME: Need to extract the proper value here */
+- oparams->mech_ssf = K5_MAX_SSF;
++ oparams->mech_ssf = mech_ssf;
+ mychoice = LAYER_CONFIDENTIALITY;
+
+ if (serverhas & LAYER_INTEGRITY) {
+
+
+
+diff -U3 cyrus-sasl-2.1.26.old/config.h.in cyrus-sasl-2.1.26/config.h.in
+--- cyrus-sasl-2.1.26.old/config.h.in 2012-11-06 20:20:59.000000000 +0100
++++ cyrus-sasl-2.1.26/config.h.in 2017-09-21 10:33:36.225258244 +0200
+@@ -132,6 +135,9 @@
+ /* Define if your GSSAPI implementation defines GSS_C_NT_USER_NAME */
+ #undef HAVE_GSS_C_NT_USER_NAME
+
++/* Define if your GSSAPI implementation defines GSS_C_SEC_CONTEXT_SASL_SSF */
++#undef HAVE_GSS_C_SEC_CONTEXT_SASL_SSF
++
+ /* Define to 1 if you have the `gss_decapsulate_token' function. */
+ #undef HAVE_GSS_DECAPSULATE_TOKEN
+
+@@ -141,6 +147,10 @@
+ /* Define to 1 if you have the `gss_get_name_attribute' function. */
+ #undef HAVE_GSS_GET_NAME_ATTRIBUTE
+
++/* Define if your GSSAPI implementation defines gss_inquire_sec_context_by_oid
++ */
++#undef HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID
++
+ /* Define to 1 if you have the `gss_oid_equal' function. */
+ #undef HAVE_GSS_OID_EQUAL
+
+diff -U3 cyrus-sasl-2.1.26.old/configure cyrus-sasl-2.1.26/configure
+--- cyrus-sasl-2.1.26.old/configure 2017-09-21 10:11:30.557021831 +0200
++++ cyrus-sasl-2.1.26/configure 2017-09-21 10:33:40.389277838 +0200
+@@ -13984,6 +13984,50 @@
+
+ LIBS="$cmu_save_LIBS"
+
++ cmu_save_LIBS="$LIBS"
++ LIBS="$LIBS $GSSAPIBASE_LIBS"
++ for ac_func in gss_inquire_sec_context_by_oid
++do :
++ ac_fn_c_check_func "$LINENO" "gss_inquire_sec_context_by_oid" "ac_cv_func_gss_inquire_sec_context_by_oid"
++if test "x$ac_cv_func_gss_inquire_sec_context_by_oid" = xyes; then :
++ cat >>confdefs.h <<_ACEOF
++#define HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID 1
++_ACEOF
++
++fi
++done
++
++ if test "$ac_cv_func_gss_inquire_sec_context_by_oid" = no ; then
++ if test "$ac_cv_header_gssapi_gssapi_ext_h" = "yes"; then
++ ac_fn_c_check_decl "$LINENO" "gss_inquire_sec_context_by_oid" "ac_cv_have_decl_gss_inquire_sec_context_by_oid" "
++ $ac_includes_default
++ #include <gssapi/gssapi_ext.h>
++
++"
++if test "x$ac_cv_have_decl_gss_inquire_sec_context_by_oid" = xyes; then :
++
++$as_echo "#define HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID 1" >>confdefs.h
++
++fi
++
++ fi
++ fi
++ if test "$ac_cv_header_gssapi_gssapi_ext_h" = "yes"; then
++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h. */
++#include <gssapi/gssapi_ext.h>
++
++_ACEOF
++if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
++ $EGREP "GSS_C_SEC_CONTEXT_SASL_SSF" >/dev/null 2>&1; then :
++
++$as_echo "#define HAVE_GSS_C_SEC_CONTEXT_SASL_SSF /**/" >>confdefs.h
++
++fi
++rm -f conftest*
++
++ fi
++
+ cmu_save_LIBS="$LIBS"
+ LIBS="$LIBS $GSSAPIBASE_LIBS"
+ { $as_echo "$as_me:$LINENO: checking for SPNEGO support in GSSAPI libraries" >&5
diff --git a/SOURCES/cyrus-sasl-2.1.26-gssapi-non-encrypt.patch b/SOURCES/cyrus-sasl-2.1.26-gssapi-non-encrypt.patch
new file mode 100644
index 0000000..b066258
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-gssapi-non-encrypt.patch
@@ -0,0 +1,28 @@
+diff -up cyrus-sasl-2.1.26/plugins/gssapi.c.gssapi_non_encrypt cyrus-sasl-2.1.26/plugins/gssapi.c
+--- cyrus-sasl-2.1.26/plugins/gssapi.c.gssapi_non_encrypt 2015-05-19 14:57:57.091212254 +0200
++++ cyrus-sasl-2.1.26/plugins/gssapi.c 2015-05-19 15:01:41.681011361 +0200
+@@ -1159,19 +1159,18 @@ gssapi_server_mech_ssfreq(context_t *tex
+ }
+
+ layerchoice = (int)(((char *)(output_token->value))[0]);
+- if (layerchoice == LAYER_NONE &&
+- (text->qop & LAYER_NONE)) { /* no encryption */
++ if (!(layerchoice & (LAYER_INTEGRITY | LAYER_CONFIDENTIALITY)) &&
++ (text->qop & LAYER_NONE)) { /* no encryption */
+ oparams->encode = NULL;
+ oparams->decode = NULL;
+ oparams->mech_ssf = 0;
+- } else if (layerchoice == LAYER_INTEGRITY &&
++ } else if ((layerchoice & LAYER_INTEGRITY) &&
+ (text->qop & LAYER_INTEGRITY)) { /* integrity */
+ oparams->encode = &gssapi_integrity_encode;
+ oparams->decode = &gssapi_decode;
+ oparams->mech_ssf = 1;
+- } else if ((layerchoice == LAYER_CONFIDENTIALITY ||
+- /* For compatibility with broken clients setting both bits */
+- layerchoice == (LAYER_CONFIDENTIALITY|LAYER_INTEGRITY)) &&
++ } else if (/* For compatibility with broken clients setting both bits */
++ (layerchoice & (LAYER_CONFIDENTIALITY | LAYER_INTEGRITY)) &&
+ (text->qop & LAYER_CONFIDENTIALITY)) { /* privacy */
+ oparams->encode = &gssapi_privacy_encode;
+ oparams->decode = &gssapi_decode;
diff --git a/SOURCES/cyrus-sasl-2.1.26-gssapi-use-per-connection-mutex.patch b/SOURCES/cyrus-sasl-2.1.26-gssapi-use-per-connection-mutex.patch
new file mode 100644
index 0000000..1b3278b
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-gssapi-use-per-connection-mutex.patch
@@ -0,0 +1,710 @@
+From 70a144cc53d09b56aa088fa1f6d433acea31afa7 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 15 Sep 2015 12:21:22 +0300
+Subject: [PATCH] gssapi: use per-connection mutex where possible
+
+If the same application uses SASL GSSAPI for both client and server operations,
+it may be possible to deadlock in plugins/gssapi.c due to use of a
+global mutex by both client and server code. Multiple outstanding connections should
+be possible, thus introduce per-context locking and use it where it
+makes sense. Note that there are still multiple places where context is
+not available and where a global lock should be in use.
+
+Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1263017
+---
+ plugins/gssapi.c | 225 +++++++++++++++++++++++++++++++------------------------
+ 1 file changed, 126 insertions(+), 99 deletions(-)
+
+diff --git a/plugins/gssapi.c b/plugins/gssapi.c
+index 2fd1b3b..f5d3354 100644
+--- a/plugins/gssapi.c
++++ b/plugins/gssapi.c
+@@ -126,20 +126,29 @@ extern gss_OID gss_nt_service_name;
+ */
+
+ #ifdef GSS_USE_MUTEXES
+-#define GSS_LOCK_MUTEX(utils) \
+- if(((sasl_utils_t *)(utils))->mutex_lock(gss_mutex) != 0) { \
++#define GSS_LOCK_MUTEX_EXT(utils, mutex) \
++ if(((sasl_utils_t *)(utils))->mutex_lock(mutex) != 0) { \
+ return SASL_FAIL; \
+ }
+
+-#define GSS_UNLOCK_MUTEX(utils) \
+- if(((sasl_utils_t *)(utils))->mutex_unlock(gss_mutex) != 0) { \
++#define GSS_UNLOCK_MUTEX_EXT(utils, mutex) \
++ if(((sasl_utils_t *)(utils))->mutex_unlock(mutex) != 0) { \
+ return SASL_FAIL; \
+ }
+
++#define GSS_LOCK_MUTEX(utils) GSS_LOCK_MUTEX_EXT(utils, gss_mutex)
++#define GSS_UNLOCK_MUTEX(utils) GSS_UNLOCK_MUTEX_EXT(utils, gss_mutex)
++
++#define GSS_LOCK_MUTEX_CTX(utils, ctx) GSS_LOCK_MUTEX_EXT(utils, (ctx)->ctx_mutex)
++#define GSS_UNLOCK_MUTEX_CTX(utils, ctx) GSS_UNLOCK_MUTEX_EXT(utils, (ctx)->ctx_mutex)
++
++
+ static void *gss_mutex = NULL;
+ #else
+ #define GSS_LOCK_MUTEX(utils)
+ #define GSS_UNLOCK_MUTEX(utils)
++#define GSS_LOCK_MUTEX_CTX(utils, ctx)
++#define GSS_UNLOCK_MUTEX_CTX(utils, ctx)
+ #endif
+
+ typedef struct context {
+@@ -176,6 +185,7 @@ typedef struct context {
+
+ char *authid; /* hold the authid between steps - server */
+ const char *user; /* hold the userid between steps - client */
++ void *ctx_mutex; /* A per-context mutex */
+ } context_t;
+
+ enum {
+@@ -355,7 +365,7 @@ sasl_gss_encode(void *context, const struct iovec *invec, unsigned numiov,
+ output_token->value = NULL;
+ output_token->length = 0;
+
+- GSS_LOCK_MUTEX(text->utils);
++ GSS_LOCK_MUTEX_CTX(text->utils, text);
+ maj_stat = gss_wrap (&min_stat,
+ text->gss_ctx,
+ privacy,
+@@ -363,14 +373,14 @@ sasl_gss_encode(void *context, const struct iovec *invec, unsigned numiov,
+ input_token,
+ NULL,
+ output_token);
+- GSS_UNLOCK_MUTEX(text->utils);
++ GSS_UNLOCK_MUTEX_CTX(text->utils, text);
+
+ if (GSS_ERROR(maj_stat)) {
+ sasl_gss_seterror(text->utils, maj_stat, min_stat);
+ if (output_token->value) {
+- GSS_LOCK_MUTEX(text->utils);
++ GSS_LOCK_MUTEX_CTX(text->utils, text);
+ gss_release_buffer(&min_stat, output_token);
+- GSS_UNLOCK_MUTEX(text->utils);
++ GSS_UNLOCK_MUTEX_CTX(text->utils, text);
+ }
+ return SASL_FAIL;
+ }
+@@ -384,9 +394,9 @@ sasl_gss_encode(void *context, const struct iovec *invec, unsigned numiov,
+ output_token->length + 4);
+
+ if (ret != SASL_OK) {
+- GSS_LOCK_MUTEX(text->utils);
++ GSS_LOCK_MUTEX_CTX(text->utils, text);
+ gss_release_buffer(&min_stat, output_token);
+- GSS_UNLOCK_MUTEX(text->utils);
++ GSS_UNLOCK_MUTEX_CTX(text->utils, text);
+ return ret;
+ }
+
+@@ -407,9 +417,9 @@ sasl_gss_encode(void *context, const struct iovec *invec, unsigned numiov,
+ *output = text->encode_buf;
+
+ if (output_token->value) {
+- GSS_LOCK_MUTEX(text->utils);
++ GSS_LOCK_MUTEX_CTX(text->utils, text);
+ gss_release_buffer(&min_stat, output_token);
+- GSS_UNLOCK_MUTEX(text->utils);
++ GSS_UNLOCK_MUTEX_CTX(text->utils, text);
+ }
+
+ return SASL_OK;
+@@ -455,21 +465,21 @@ gssapi_decode_packet(void *context,
+ output_token->value = NULL;
+ output_token->length = 0;
+
+- GSS_LOCK_MUTEX(text->utils);
++ GSS_LOCK_MUTEX_CTX(text->utils, text);
+ maj_stat = gss_unwrap (&min_stat,
+ text->gss_ctx,
+ input_token,
+ output_token,
+ NULL,
+ NULL);
+- GSS_UNLOCK_MUTEX(text->utils);
++ GSS_UNLOCK_MUTEX_CTX(text->utils, text);
+
+ if (GSS_ERROR(maj_stat)) {
+ sasl_gss_seterror(text->utils,maj_stat,min_stat);
+ if (output_token->value) {
+- GSS_LOCK_MUTEX(text->utils);
++ GSS_LOCK_MUTEX_CTX(text->utils, text);
+ gss_release_buffer(&min_stat, output_token);
+- GSS_UNLOCK_MUTEX(text->utils);
++ GSS_UNLOCK_MUTEX_CTX(text->utils, text);
+ }
+ return SASL_FAIL;
+ }
+@@ -484,17 +494,17 @@ gssapi_decode_packet(void *context,
+ &text->decode_once_buf_len,
+ *outputlen);
+ if (result != SASL_OK) {
+- GSS_LOCK_MUTEX(text->utils);
++ GSS_LOCK_MUTEX_CTX(text->utils, text);
+ gss_release_buffer(&min_stat, output_token);
+- GSS_UNLOCK_MUTEX(text->utils);
++ GSS_UNLOCK_MUTEX_CTX(text->utils, text);
+ return result;
+ }
+ *output = text->decode_once_buf;
+ memcpy(*output, output_token->value, *outputlen);
+ }
+- GSS_LOCK_MUTEX(text->utils);
++ GSS_LOCK_MUTEX_CTX(text->utils, text);
+ gss_release_buffer(&min_stat, output_token);
+- GSS_UNLOCK_MUTEX(text->utils);
++ GSS_UNLOCK_MUTEX_CTX(text->utils, text);
+ }
+
+ return SASL_OK;
+@@ -525,7 +535,14 @@ static context_t *sasl_gss_new_context(const sasl_utils_t *utils)
+
+ memset(ret,0,sizeof(context_t));
+ ret->utils = utils;
+-
++#ifdef GSS_USE_MUTEXES
++ ret->ctx_mutex = utils->mutex_alloc();
++ if (!ret->ctx_mutex) {
++ utils->free(ret);
++ return NULL;
++ }
++#endif
++
+ return ret;
+ }
+
+@@ -535,7 +552,11 @@ static int sasl_gss_free_context_contents(context_t *text)
+
+ if (!text) return SASL_OK;
+
+- GSS_LOCK_MUTEX(text->utils);
++#ifdef GSS_USE_MUTEXES
++ if (text->ctx_mutex) {
++ GSS_LOCK_MUTEX_CTX(text->utils, text);
++ }
++#endif
+
+ if (text->gss_ctx != GSS_C_NO_CONTEXT) {
+ maj_stat = gss_delete_sec_context(&min_stat,&text->gss_ctx,
+@@ -563,8 +584,6 @@ static int sasl_gss_free_context_contents(context_t *text)
+ text->client_creds = GSS_C_NO_CREDENTIAL;
+ }
+
+- GSS_UNLOCK_MUTEX(text->utils);
+-
+ if (text->out_buf) {
+ text->utils->free(text->out_buf);
+ text->out_buf = NULL;
+@@ -598,6 +617,14 @@ static int sasl_gss_free_context_contents(context_t *text)
+ text->authid = NULL;
+ }
+
++#ifdef GSS_USE_MUTEXES
++ if (text->ctx_mutex) {
++ GSS_UNLOCK_MUTEX_CTX(text->utils, text);
++ text->utils->mutex_free(text->ctx_mutex);
++ text->ctx_mutex = NULL;
++ }
++#endif
++
+ return SASL_OK;
+
+ }
+@@ -692,12 +719,12 @@ gssapi_server_mech_authneg(context_t *text,
+ }
+ sprintf(name_token.value,"%s@%s", params->service, params->serverFQDN);
+
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ maj_stat = gss_import_name (&min_stat,
+ &name_token,
+ GSS_C_NT_HOSTBASED_SERVICE,
+ &text->server_name);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+
+ params->utils->free(name_token.value);
+ name_token.value = NULL;
+@@ -709,15 +736,15 @@ gssapi_server_mech_authneg(context_t *text,
+ }
+
+ if ( text->server_creds != GSS_C_NO_CREDENTIAL) {
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ maj_stat = gss_release_cred(&min_stat, &text->server_creds);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ text->server_creds = GSS_C_NO_CREDENTIAL;
+ }
+
+ /* If caller didn't provide creds already */
+ if ( server_creds == GSS_C_NO_CREDENTIAL) {
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ maj_stat = gss_acquire_cred(&min_stat,
+ text->server_name,
+ GSS_C_INDEFINITE,
+@@ -726,7 +753,7 @@ gssapi_server_mech_authneg(context_t *text,
+ &text->server_creds,
+ NULL,
+ NULL);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+
+ if (GSS_ERROR(maj_stat)) {
+ sasl_gss_seterror(text->utils, maj_stat, min_stat);
+@@ -743,7 +770,7 @@ gssapi_server_mech_authneg(context_t *text,
+ }
+
+
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ maj_stat =
+ gss_accept_sec_context(&min_stat,
+ &(text->gss_ctx),
+@@ -756,15 +783,15 @@ gssapi_server_mech_authneg(context_t *text,
+ &out_flags,
+ NULL, /* context validity period */
+ &(text->client_creds));
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+
+ if (GSS_ERROR(maj_stat)) {
+ sasl_gss_log(text->utils, maj_stat, min_stat);
+ text->utils->seterror(text->utils->conn, SASL_NOLOG, "GSSAPI Failure: gss_accept_sec_context");
+ if (output_token->value) {
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ gss_release_buffer(&min_stat, output_token);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ }
+ sasl_gss_free_context_contents(text);
+ return SASL_BADAUTH;
+@@ -778,18 +805,18 @@ gssapi_server_mech_authneg(context_t *text,
+ ret = _plug_buf_alloc(text->utils, &(text->out_buf),
+ &(text->out_buf_len), *serveroutlen);
+ if(ret != SASL_OK) {
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ gss_release_buffer(&min_stat, output_token);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ return ret;
+ }
+ memcpy(text->out_buf, output_token->value, *serveroutlen);
+ *serverout = text->out_buf;
+ }
+
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ gss_release_buffer(&min_stat, output_token);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ } else {
+ /* No output token, send an empty string */
+ *serverout = GSSAPI_BLANK_STRING;
+@@ -832,12 +859,12 @@ gssapi_server_mech_authneg(context_t *text,
+ /* continue with authentication */
+ }
+
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ maj_stat = gss_canonicalize_name(&min_stat,
+ text->client_name,
+ mech_type,
+ &client_name_MN);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+
+ if (GSS_ERROR(maj_stat)) {
+ SETERROR(text->utils, "GSSAPI Failure: gss_canonicalize_name");
+@@ -848,12 +875,12 @@ gssapi_server_mech_authneg(context_t *text,
+ name_token.value = NULL;
+ name_without_realm.value = NULL;
+
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ maj_stat = gss_display_name (&min_stat,
+ client_name_MN,
+ &name_token,
+ NULL);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+
+ if (GSS_ERROR(maj_stat)) {
+ SETERROR(text->utils, "GSSAPI Failure: gss_display_name");
+@@ -883,7 +910,7 @@ gssapi_server_mech_authneg(context_t *text,
+
+ name_without_realm.length = strlen( (char *) name_without_realm.value );
+
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ maj_stat = gss_import_name (&min_stat,
+ &name_without_realm,
+ /* Solaris 8/9 gss_import_name doesn't accept GSS_C_NULL_OID here,
+@@ -894,7 +921,7 @@ gssapi_server_mech_authneg(context_t *text,
+ GSS_C_NULL_OID,
+ #endif
+ &without);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+
+ if (GSS_ERROR(maj_stat)) {
+ SETERROR(text->utils, "GSSAPI Failure: gss_import_name");
+@@ -903,12 +930,12 @@ gssapi_server_mech_authneg(context_t *text,
+ goto cleanup;
+ }
+
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ maj_stat = gss_compare_name(&min_stat,
+ client_name_MN,
+ without,
+ &equal);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+
+ if (GSS_ERROR(maj_stat)) {
+ SETERROR(text->utils, "GSSAPI Failure: gss_compare_name");
+@@ -1053,7 +1080,7 @@ gssapi_server_mech_ssfcap(context_t *text,
+ real_input_token.value = (void *)sasldata;
+ real_input_token.length = 4;
+
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ maj_stat = gss_wrap(&min_stat,
+ text->gss_ctx,
+ 0, /* Just integrity checking here */
+@@ -1061,14 +1088,14 @@ gssapi_server_mech_ssfcap(context_t *text,
+ input_token,
+ NULL,
+ output_token);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+
+ if (GSS_ERROR(maj_stat)) {
+ sasl_gss_seterror(text->utils, maj_stat, min_stat);
+ if (output_token->value) {
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ gss_release_buffer(&min_stat, output_token);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ }
+ sasl_gss_free_context_contents(text);
+ return SASL_FAIL;
+@@ -1082,18 +1109,18 @@ gssapi_server_mech_ssfcap(context_t *text,
+ ret = _plug_buf_alloc(text->utils, &(text->out_buf),
+ &(text->out_buf_len), *serveroutlen);
+ if(ret != SASL_OK) {
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ gss_release_buffer(&min_stat, output_token);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ return ret;
+ }
+ memcpy(text->out_buf, output_token->value, *serveroutlen);
+ *serverout = text->out_buf;
+ }
+
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ gss_release_buffer(&min_stat, output_token);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ }
+
+ /* Wait for ssf request and authid */
+@@ -1124,14 +1151,14 @@ gssapi_server_mech_ssfreq(context_t *text,
+ real_input_token.value = (void *)clientin;
+ real_input_token.length = clientinlen;
+
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ maj_stat = gss_unwrap(&min_stat,
+ text->gss_ctx,
+ input_token,
+ output_token,
+ NULL,
+ NULL);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+
+ if (GSS_ERROR(maj_stat)) {
+ sasl_gss_seterror(text->utils, maj_stat, min_stat);
+@@ -1142,9 +1169,9 @@ gssapi_server_mech_ssfreq(context_t *text,
+ if (output_token->length < 4) {
+ SETERROR(text->utils,
+ "token too short");
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ gss_release_buffer(&min_stat, output_token);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ sasl_gss_free_context_contents(text);
+ return SASL_FAIL;
+ }
+@@ -1175,9 +1202,9 @@ gssapi_server_mech_ssfreq(context_t *text,
+ /* Mark that we attempted negotiation */
+ oparams->mech_ssf = 2;
+ if (output_token->value) {
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ gss_release_buffer(&min_stat, output_token);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ }
+ sasl_gss_free_context_contents(text);
+ return SASL_FAIL;
+@@ -1221,9 +1248,9 @@ gssapi_server_mech_ssfreq(context_t *text,
+ }
+ }
+
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ gss_release_buffer(&min_stat, output_token);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+
+ text->state = SASL_GSSAPI_STATE_AUTHENTICATED;
+
+@@ -1547,12 +1574,12 @@ static int gssapi_client_mech_step(void *conn_context,
+
+ sprintf(name_token.value,"%s@%s", params->service, params->serverFQDN);
+
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ maj_stat = gss_import_name (&min_stat,
+ &name_token,
+ GSS_C_NT_HOSTBASED_SERVICE,
+ &text->server_name);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+
+ params->utils->free(name_token.value);
+ name_token.value = NULL;
+@@ -1576,9 +1603,9 @@ static int gssapi_client_mech_step(void *conn_context,
+ * and no input from the server. However, thanks to Imap,
+ * which discards our first output, this happens all the time.
+ * Throw away the context and try again. */
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ maj_stat = gss_delete_sec_context (&min_stat,&text->gss_ctx,GSS_C_NO_BUFFER);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ text->gss_ctx = GSS_C_NO_CONTEXT;
+ }
+
+@@ -1600,7 +1627,7 @@ static int gssapi_client_mech_step(void *conn_context,
+ req_flags = req_flags | GSS_C_DELEG_FLAG;
+ }
+
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ maj_stat = gss_init_sec_context(&min_stat,
+ client_creds, /* GSS_C_NO_CREDENTIAL */
+ &text->gss_ctx,
+@@ -1614,14 +1641,14 @@ static int gssapi_client_mech_step(void *conn_context,
+ output_token,
+ &out_req_flags,
+ NULL);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+
+ if (GSS_ERROR(maj_stat)) {
+ sasl_gss_seterror(text->utils, maj_stat, min_stat);
+ if (output_token->value) {
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ gss_release_buffer(&min_stat, output_token);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ }
+ sasl_gss_free_context_contents(text);
+ return SASL_FAIL;
+@@ -1652,22 +1679,22 @@ static int gssapi_client_mech_step(void *conn_context,
+ ret = _plug_buf_alloc(text->utils, &(text->out_buf),
+ &(text->out_buf_len), *clientoutlen);
+ if(ret != SASL_OK) {
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ gss_release_buffer(&min_stat, output_token);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ return ret;
+ }
+ memcpy(text->out_buf, output_token->value, *clientoutlen);
+ *clientout = text->out_buf;
+ }
+
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ gss_release_buffer(&min_stat, output_token);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ }
+
+ if (maj_stat == GSS_S_COMPLETE) {
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ maj_stat = gss_inquire_context(&min_stat,
+ text->gss_ctx,
+ &text->client_name,
+@@ -1678,7 +1705,7 @@ static int gssapi_client_mech_step(void *conn_context,
+ NULL, /* flags */
+ NULL, /* local init */
+ NULL); /* open */
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+
+ if (GSS_ERROR(maj_stat)) {
+ sasl_gss_seterror(text->utils, maj_stat, min_stat);
+@@ -1687,18 +1714,18 @@ static int gssapi_client_mech_step(void *conn_context,
+ }
+
+ name_token.length = 0;
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ maj_stat = gss_display_name(&min_stat,
+ text->client_name,
+ &name_token,
+ NULL);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+
+ if (GSS_ERROR(maj_stat)) {
+ if (name_token.value) {
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ gss_release_buffer(&min_stat, &name_token);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ }
+ SETERROR(text->utils, "GSSAPI Failure");
+ sasl_gss_free_context_contents(text);
+@@ -1719,9 +1746,9 @@ static int gssapi_client_mech_step(void *conn_context,
+ SASL_CU_AUTHID | SASL_CU_AUTHZID,
+ oparams);
+ }
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ gss_release_buffer(&min_stat, &name_token);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+
+ if (ret != SASL_OK) return ret;
+
+@@ -1747,32 +1774,32 @@ static int gssapi_client_mech_step(void *conn_context,
+ real_input_token.value = (void *) serverin;
+ real_input_token.length = serverinlen;
+
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ maj_stat = gss_unwrap(&min_stat,
+ text->gss_ctx,
+ input_token,
+ output_token,
+ NULL,
+ NULL);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+
+ if (GSS_ERROR(maj_stat)) {
+ sasl_gss_seterror(text->utils, maj_stat, min_stat);
+- sasl_gss_free_context_contents(text);
+ if (output_token->value) {
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ gss_release_buffer(&min_stat, output_token);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ }
++ sasl_gss_free_context_contents(text);
+ return SASL_FAIL;
+ }
+
+ if (output_token->length != 4) {
+ SETERROR(text->utils,
+ (output_token->length < 4) ? "token too short" : "token too long");
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ gss_release_buffer(&min_stat, output_token);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ sasl_gss_free_context_contents(text);
+ return SASL_FAIL;
+ }
+@@ -1873,9 +1900,9 @@ static int gssapi_client_mech_step(void *conn_context,
+ }
+ }
+
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ gss_release_buffer(&min_stat, output_token);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+
+ /* oparams->user is always set, due to canon_user requirements.
+ * Make sure the client actually requested it though, by checking
+@@ -1921,7 +1948,7 @@ static int gssapi_client_mech_step(void *conn_context,
+ }
+ ((unsigned char *)input_token->value)[0] = mychoice;
+
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ maj_stat = gss_wrap (&min_stat,
+ text->gss_ctx,
+ 0, /* Just integrity checking here */
+@@ -1929,7 +1956,7 @@ static int gssapi_client_mech_step(void *conn_context,
+ input_token,
+ NULL,
+ output_token);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+
+ params->utils->free(input_token->value);
+ input_token->value = NULL;
+@@ -1937,9 +1964,9 @@ static int gssapi_client_mech_step(void *conn_context,
+ if (GSS_ERROR(maj_stat)) {
+ sasl_gss_seterror(text->utils, maj_stat, min_stat);
+ if (output_token->value) {
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ gss_release_buffer(&min_stat, output_token);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ }
+ sasl_gss_free_context_contents(text);
+ return SASL_FAIL;
+@@ -1955,18 +1982,18 @@ static int gssapi_client_mech_step(void *conn_context,
+ &(text->out_buf_len),
+ *clientoutlen);
+ if (ret != SASL_OK) {
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ gss_release_buffer(&min_stat, output_token);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ return ret;
+ }
+ memcpy(text->out_buf, output_token->value, *clientoutlen);
+ *clientout = text->out_buf;
+ }
+
+- GSS_LOCK_MUTEX(params->utils);
++ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ gss_release_buffer(&min_stat, output_token);
+- GSS_UNLOCK_MUTEX(params->utils);
++ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+
+ }
+
+--
+2.4.3
+
+
diff --git a/SOURCES/cyrus-sasl-2.1.26-handle-single-character-mechanisms.patch b/SOURCES/cyrus-sasl-2.1.26-handle-single-character-mechanisms.patch
new file mode 100644
index 0000000..6931d4d
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-handle-single-character-mechanisms.patch
@@ -0,0 +1,29 @@
+From 7739268e775e6ed91509727b014cc1d367ad386d Mon Sep 17 00:00:00 2001
+From: Alexey Melnikov <alexey.melnikov@isode.com>
+Date: Sun, 30 Mar 2014 15:13:34 +0100
+Subject: When processing a list of mechanism names, we shouldn't allow a short
+ prefix match the whole mechanism name
+
+"A", "AN", etc where matching "ANONYMOUS". This patch fixes that.
+
+As reported by plautrba@redhat.com
+
+diff --git a/lib/common.c b/lib/common.c
+index e0f59eb..672fe2f 100644
+--- a/lib/common.c
++++ b/lib/common.c
+@@ -2428,6 +2428,11 @@ int _sasl_is_equal_mech(const char *req_mech,
+ *plus = 0;
+ }
+
++ if (n < strlen(plug_mech)) {
++ /* Don't allow arbitrary prefix match */
++ return 0;
++ }
++
+ return (strncasecmp(req_mech, plug_mech, n) == 0);
+ }
+
+--
+cgit v0.10.2
+
diff --git a/SOURCES/cyrus-sasl-2.1.26-keytab.patch b/SOURCES/cyrus-sasl-2.1.26-keytab.patch
new file mode 100644
index 0000000..390b517
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-keytab.patch
@@ -0,0 +1,36 @@
+diff --git a/cmulocal/sasl2.m4 b/cmulocal/sasl2.m4
+index 3c2841a..b086b8f 100644
+--- a/cmulocal/sasl2.m4
++++ b/cmulocal/sasl2.m4
+@@ -269,6 +269,18 @@ if test "$gssapi" != no; then
+ cmu_save_LIBS="$LIBS"
+ LIBS="$LIBS $GSSAPIBASE_LIBS"
+ AC_CHECK_FUNCS(gsskrb5_register_acceptor_identity)
++ if test "$ac_cv_func_gsskrb5_register_acceptor_identity" = no ; then
++ AC_CHECK_HEADERS(gssapi/gssapi_krb5.h)
++ if test "$ac_cv_header_gssapi_gssapi_krb5_h" = "yes"; then
++ AC_CHECK_DECL(gsskrb5_register_acceptor_identity,
++ [AC_DEFINE(HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY,1,
++ [Define if your GSSAPI implementation defines gsskrb5_register_acceptor_identity])],,
++ [
++ AC_INCLUDES_DEFAULT
++ #include <gssapi/gssapi_krb5.h>
++ ])
++ fi
++ fi
+ AC_CHECK_FUNCS(gss_decapsulate_token)
+ AC_CHECK_FUNCS(gss_encapsulate_token)
+ AC_CHECK_FUNCS(gss_oid_equal)
+diff --git a/plugins/gssapi.c b/plugins/gssapi.c
+index 6be9d23..e6fcf46 100644
+--- a/plugins/gssapi.c
++++ b/plugins/gssapi.c
+@@ -51,6 +51,8 @@
+ #include <gssapi/gssapi.h>
+ #endif
+
++#include <gssapi/gssapi_krb5.h>
++
+ #ifdef WIN32
+ # include <winsock2.h>
+
diff --git a/SOURCES/cyrus-sasl-2.1.26-make-client-thread-sage.patch b/SOURCES/cyrus-sasl-2.1.26-make-client-thread-sage.patch
new file mode 100644
index 0000000..9deee8b
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-make-client-thread-sage.patch
@@ -0,0 +1,66 @@
+From 3d48a475054911856b736ca2720b82f529dd68cf Mon Sep 17 00:00:00 2001
+From: Noriko Hosoi <nhosoi@redhat.com>
+Date: Wed, 1 Oct 2014 14:20:27 -0700
+Subject: [PATCH] Bug 1147659 - cyrus-sasl client library (client.c) is not
+ thread safe
+
+Description: client_dispose (lib/clinet.c) which closes a connection
+of a sasl client frees mech_list if the head of the list differs
+from the head of the global cmechlist->mech_list. But there was a
+possibility that the list appears in the middle of the global mech
+list. By freeing the mech, it crashed a multi-threaded sasl client.
+
+This patch checks each mech if it is in the global mech list or not.
+Only if it is not, the mech is freed.
+---
+ lib/client.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/lib/client.c b/lib/client.c
+index 31fe346..3f76483 100644
+--- a/lib/client.c
++++ b/lib/client.c
+@@ -324,6 +324,26 @@ int sasl_client_init(const sasl_callback_t *callbacks)
+ return ret;
+ }
+
++/*
++ * If mech is in cmechlist->mech_list, return 1
++ * Otherwise, return 0
++ */
++static int mech_is_in_cmechlist(cmechanism_t *mech)
++{
++ cmechanism_t *m = cmechlist->mech_list;
++ if (NULL == mech) {
++ return 0;
++ }
++
++ while (m && mech) {
++ if (m == mech) {
++ return 1;
++ }
++ m = m->next;
++ }
++ return 0;
++}
++
+ static void client_dispose(sasl_conn_t *pconn)
+ {
+ sasl_client_conn_t *c_conn=(sasl_client_conn_t *) pconn;
+@@ -352,6 +372,13 @@ static void client_dispose(sasl_conn_t *pconn)
+ while (m) {
+ prevm = m;
+ m = m->next;
++ if (mech_is_in_cmechlist(prevm)) {
++ /*
++ * If prevm exists in the global mech_list cmechlist->mech_list,
++ * we should not free it as well as the rest of the list.
++ */
++ break;
++ }
+ sasl_FREE(prevm);
+ }
+ }
+--
+1.9.3
+
diff --git a/SOURCES/cyrus-sasl-2.1.26-md5global.patch b/SOURCES/cyrus-sasl-2.1.26-md5global.patch
new file mode 100644
index 0000000..744962f
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-md5global.patch
@@ -0,0 +1,385 @@
+diff -up cyrus-sasl-2.1.26/include/Makefile.am.md5global.h cyrus-sasl-2.1.26/include/Makefile.am
+--- cyrus-sasl-2.1.26/include/Makefile.am.md5global.h 2012-01-28 00:31:36.000000000 +0100
++++ cyrus-sasl-2.1.26/include/Makefile.am 2013-09-03 13:12:17.623999149 +0200
+@@ -47,16 +47,7 @@ noinst_HEADERS = gai.h exits.h
+ saslincludedir = $(includedir)/sasl
+ saslinclude_HEADERS = hmac-md5.h md5.h md5global.h sasl.h saslplug.h saslutil.h prop.h
+
+-noinst_PROGRAMS = makemd5
+-
+-makemd5_SOURCES = makemd5.c
+-
+-md5global.h: makemd5
+- -rm -f md5global.h
+- ./makemd5 md5global.h
+-
+ EXTRA_DIST = NTMakefile
+-DISTCLEANFILES = md5global.h
+
+ if MACOSX
+ framedir = /Library/Frameworks/SASL2.framework
+diff -up cyrus-sasl-2.1.26/include/Makefile.in.md5global.h cyrus-sasl-2.1.26/include/Makefile.in
+--- cyrus-sasl-2.1.26/include/Makefile.in.md5global.h 2013-09-03 13:09:27.860999892 +0200
++++ cyrus-sasl-2.1.26/include/Makefile.in 2013-09-03 13:12:21.726000002 +0200
+@@ -1,4 +1,4 @@
+-# Makefile.in generated by automake 1.11 from Makefile.am.
++# Makefile.in generated by automake 1.11.1 from Makefile.am.
+ # @configure_input@
+
+ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+@@ -60,7 +60,6 @@
+ ################################################################
+
+
+-
+ VPATH = @srcdir@
+ pkgdatadir = $(datadir)/@PACKAGE@
+ pkgincludedir = $(includedir)/@PACKAGE@
+@@ -81,48 +80,19 @@ POST_UNINSTALL = :
+ build_triplet = @build@
+ host_triplet = @host@
+ target_triplet = @target@
+-noinst_PROGRAMS = makemd5$(EXEEXT)
+ subdir = include
+ DIST_COMMON = $(noinst_HEADERS) $(saslinclude_HEADERS) \
+ $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+-am__aclocal_m4_deps = $(top_srcdir)/config/kerberos_v4.m4 \
+- $(top_srcdir)/config/libtool.m4 $(top_srcdir)/config/plain.m4 \
+- $(top_srcdir)/config/sasldb.m4 \
+- $(top_srcdir)/cmulocal/berkdb.m4 \
+- $(top_srcdir)/cmulocal/bsd_sockets.m4 \
+- $(top_srcdir)/cmulocal/c-attribute.m4 \
+- $(top_srcdir)/cmulocal/common.m4 \
+- $(top_srcdir)/cmulocal/cyrus.m4 \
+- $(top_srcdir)/cmulocal/init_automake.m4 \
+- $(top_srcdir)/cmulocal/ipv6.m4 \
+- $(top_srcdir)/cmulocal/openldap.m4 \
+- $(top_srcdir)/cmulocal/openssl.m4 \
+- $(top_srcdir)/cmulocal/sasl2.m4 $(top_srcdir)/configure.in
++am__aclocal_m4_deps = $(top_srcdir)/configure.in
+ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+ mkinstalldirs = $(SHELL) $(top_srcdir)/config/mkinstalldirs
+ CONFIG_HEADER = $(top_builddir)/config.h
+ CONFIG_CLEAN_FILES =
+ CONFIG_CLEAN_VPATH_FILES =
+-PROGRAMS = $(noinst_PROGRAMS)
+-am_makemd5_OBJECTS = makemd5.$(OBJEXT)
+-makemd5_OBJECTS = $(am_makemd5_OBJECTS)
+-makemd5_LDADD = $(LDADD)
+-DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+-depcomp = $(SHELL) $(top_srcdir)/config/depcomp
+-am__depfiles_maybe = depfiles
+-am__mv = mv -f
+-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+- $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+-LTCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+- --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+- $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+-CCLD = $(CC)
+-LINK = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link \
+- $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+-SOURCES = $(makemd5_SOURCES)
+-DIST_SOURCES = $(makemd5_SOURCES)
++SOURCES =
++DIST_SOURCES =
+ am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+ am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+@@ -153,6 +123,7 @@ CTAGS = ctags
+ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ ACLOCAL = @ACLOCAL@
+ AMTAR = @AMTAR@
++AR = @AR@
+ AUTOCONF = @AUTOCONF@
+ AUTOHEADER = @AUTOHEADER@
+ AUTOMAKE = @AUTOMAKE@
+@@ -160,7 +131,6 @@ AWK = @AWK@
+ CC = @CC@
+ CCDEPMODE = @CCDEPMODE@
+ CFLAGS = @CFLAGS@
+-CMU_LIB_SUBDIR = @CMU_LIB_SUBDIR@
+ CPP = @CPP@
+ CPPFLAGS = @CPPFLAGS@
+ CYGPATH_W = @CYGPATH_W@
+@@ -168,17 +138,18 @@ DEFS = @DEFS@
+ DEPDIR = @DEPDIR@
+ DIRS = @DIRS@
+ DMALLOC_LIBS = @DMALLOC_LIBS@
++DSYMUTIL = @DSYMUTIL@
++DUMPBIN = @DUMPBIN@
+ ECHO_C = @ECHO_C@
+ ECHO_N = @ECHO_N@
+ ECHO_T = @ECHO_T@
+ EGREP = @EGREP@
+ EXEEXT = @EXEEXT@
++FGREP = @FGREP@
+ GETADDRINFOOBJS = @GETADDRINFOOBJS@
+ GETNAMEINFOOBJS = @GETNAMEINFOOBJS@
+ GETSUBOPT = @GETSUBOPT@
+ GREP = @GREP@
+-GSSAPIBASE_LIBS = @GSSAPIBASE_LIBS@
+-GSSAPI_LIBS = @GSSAPI_LIBS@
+ INSTALL = @INSTALL@
+ INSTALL_DATA = @INSTALL_DATA@
+ INSTALL_PROGRAM = @INSTALL_PROGRAM@
+@@ -190,19 +161,18 @@ JAVADOC = @JAVADOC@
+ JAVAH = @JAVAH@
+ JAVAROOT = @JAVAROOT@
+ JAVA_INCLUDES = @JAVA_INCLUDES@
++LD = @LD@
+ LDFLAGS = @LDFLAGS@
+ LIBOBJS = @LIBOBJS@
+ LIBS = @LIBS@
+ LIBTOOL = @LIBTOOL@
+-LIB_CRYPT = @LIB_CRYPT@
+-LIB_DES = @LIB_DES@
+ LIB_DOOR = @LIB_DOOR@
+ LIB_LDAP = @LIB_LDAP@
+ LIB_MYSQL = @LIB_MYSQL@
+ LIB_PGSQL = @LIB_PGSQL@
+-LIB_SOCKET = @LIB_SOCKET@
+ LIB_SQLITE = @LIB_SQLITE@
+ LIB_SQLITE3 = @LIB_SQLITE3@
++LIPO = @LIPO@
+ LN_S = @LN_S@
+ LTGETADDRINFOOBJS = @LTGETADDRINFOOBJS@
+ LTGETNAMEINFOOBJS = @LTGETNAMEINFOOBJS@
+@@ -211,8 +181,12 @@ LTSNPRINTFOBJS = @LTSNPRINTFOBJS@
+ MAKEINFO = @MAKEINFO@
+ MKDIR_P = @MKDIR_P@
+ NM = @NM@
++NMEDIT = @NMEDIT@
+ NTLM_LIBS = @NTLM_LIBS@
++OBJDUMP = @OBJDUMP@
+ OBJEXT = @OBJEXT@
++OTOOL = @OTOOL@
++OTOOL64 = @OTOOL64@
+ OTP_LIBS = @OTP_LIBS@
+ PACKAGE = @PACKAGE@
+ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+@@ -222,19 +196,11 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
+ PACKAGE_VERSION = @PACKAGE_VERSION@
+ PASSDSS_LIBS = @PASSDSS_LIBS@
+ PATH_SEPARATOR = @PATH_SEPARATOR@
+-PLAIN_LIBS = @PLAIN_LIBS@
+ PURECOV = @PURECOV@
+ PURIFY = @PURIFY@
+ PWCHECKMETH = @PWCHECKMETH@
+ RANLIB = @RANLIB@
+-SASL_DB_BACKEND = @SASL_DB_BACKEND@
+-SASL_DB_BACKEND_STATIC = @SASL_DB_BACKEND_STATIC@
+-SASL_DB_INC = @SASL_DB_INC@
+-SASL_DB_LIB = @SASL_DB_LIB@
+-SASL_DB_MANS = @SASL_DB_MANS@
+-SASL_DB_UTILS = @SASL_DB_UTILS@
+ SASL_DL_LIB = @SASL_DL_LIB@
+-SASL_KRB_LIB = @SASL_KRB_LIB@
+ SASL_MECHS = @SASL_MECHS@
+ SASL_STATIC_LIBS = @SASL_STATIC_LIBS@
+ SASL_STATIC_OBJS = @SASL_STATIC_OBJS@
+@@ -242,6 +208,7 @@ SASL_STATIC_SRCS = @SASL_STATIC_SRCS@
+ SASL_UTIL_HEADERS_EXTRA = @SASL_UTIL_HEADERS_EXTRA@
+ SASL_UTIL_LIBS_EXTRA = @SASL_UTIL_LIBS_EXTRA@
+ SCRAM_LIBS = @SCRAM_LIBS@
++SED = @SED@
+ SET_MAKE = @SET_MAKE@
+ SFIO_INC_FLAGS = @SFIO_INC_FLAGS@
+ SFIO_LIB_FLAGS = @SFIO_LIB_FLAGS@
+@@ -256,6 +223,7 @@ abs_srcdir = @abs_srcdir@
+ abs_top_builddir = @abs_top_builddir@
+ abs_top_srcdir = @abs_top_srcdir@
+ ac_ct_CC = @ac_ct_CC@
++ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+ am__include = @am__include@
+ am__leading_dot = @am__leading_dot@
+ am__quote = @am__quote@
+@@ -287,6 +255,7 @@ libdir = @libdir@
+ libexecdir = @libexecdir@
+ localedir = @localedir@
+ localstatedir = @localstatedir@
++lt_ECHO = @lt_ECHO@
+ mandir = @mandir@
+ mkdir_p = @mkdir_p@
+ oldincludedir = @oldincludedir@
+@@ -311,16 +280,13 @@ top_srcdir = @top_srcdir@
+ noinst_HEADERS = gai.h exits.h
+ saslincludedir = $(includedir)/sasl
+ saslinclude_HEADERS = hmac-md5.h md5.h md5global.h sasl.h saslplug.h saslutil.h prop.h
+-makemd5_SOURCES = makemd5.c
+ EXTRA_DIST = NTMakefile
+-DISTCLEANFILES = md5global.h
+ @MACOSX_TRUE@framedir = /Library/Frameworks/SASL2.framework
+ @MACOSX_TRUE@frameheaderdir = $(framedir)/Versions/A/Headers
+ @MACOSX_TRUE@frameheader_DATA = $(saslinclude_HEADERS)
+ all: all-am
+
+ .SUFFIXES:
+-.SUFFIXES: .c .lo .o .obj
+ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+@@ -352,47 +318,6 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+ $(am__aclocal_m4_deps):
+
+-clean-noinstPROGRAMS:
+- @list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \
+- echo " rm -f" $$list; \
+- rm -f $$list || exit $$?; \
+- test -n "$(EXEEXT)" || exit 0; \
+- list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+- echo " rm -f" $$list; \
+- rm -f $$list
+-makemd5$(EXEEXT): $(makemd5_OBJECTS) $(makemd5_DEPENDENCIES)
+- @rm -f makemd5$(EXEEXT)
+- $(LINK) $(makemd5_OBJECTS) $(makemd5_LDADD) $(LIBS)
+-
+-mostlyclean-compile:
+- -rm -f *.$(OBJEXT)
+-
+-distclean-compile:
+- -rm -f *.tab.c
+-
+-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/makemd5.Po@am__quote@
+-
+-.c.o:
+-@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+-@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+-
+-.c.obj:
+-@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+-@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+-
+-.c.lo:
+-@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+-@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+-
+ mostlyclean-libtool:
+ -rm -f *.lo
+
+@@ -523,7 +448,7 @@ distdir: $(DISTFILES)
+ done
+ check-am: all-am
+ check: check-am
+-all-am: Makefile $(PROGRAMS) $(DATA) $(HEADERS)
++all-am: Makefile $(DATA) $(HEADERS)
+ installdirs:
+ for dir in "$(DESTDIR)$(frameheaderdir)" "$(DESTDIR)$(saslincludedir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+@@ -549,21 +474,17 @@ clean-generic:
+ distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+- -test -z "$(DISTCLEANFILES)" || rm -f $(DISTCLEANFILES)
+
+ maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+ clean: clean-am
+
+-clean-am: clean-generic clean-libtool clean-noinstPROGRAMS \
+- mostlyclean-am
++clean-am: clean-generic clean-libtool mostlyclean-am
+
+ distclean: distclean-am
+- -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+-distclean-am: clean-am distclean-compile distclean-generic \
+- distclean-tags
++distclean-am: clean-am distclean-generic distclean-tags
+
+ dvi: dvi-am
+
+@@ -606,14 +527,12 @@ install-ps-am:
+ installcheck-am:
+
+ maintainer-clean: maintainer-clean-am
+- -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+ maintainer-clean-am: distclean-am maintainer-clean-generic
+
+ mostlyclean: mostlyclean-am
+
+-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+- mostlyclean-libtool
++mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+ pdf: pdf-am
+
+@@ -628,26 +547,21 @@ uninstall-am: uninstall-frameheaderDATA
+ .MAKE: install-am install-strip
+
+ .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+- clean-libtool clean-noinstPROGRAMS ctags distclean \
+- distclean-compile distclean-generic distclean-libtool \
+- distclean-tags distdir dvi dvi-am html html-am info info-am \
+- install install-am install-data install-data-am install-dvi \
+- install-dvi-am install-exec install-exec-am \
+- install-frameheaderDATA install-html install-html-am \
+- install-info install-info-am install-man install-pdf \
+- install-pdf-am install-ps install-ps-am \
++ clean-libtool ctags distclean distclean-generic \
++ distclean-libtool distclean-tags distdir dvi dvi-am html \
++ html-am info info-am install install-am install-data \
++ install-data-am install-dvi install-dvi-am install-exec \
++ install-exec-am install-frameheaderDATA install-html \
++ install-html-am install-info install-info-am install-man \
++ install-pdf install-pdf-am install-ps install-ps-am \
+ install-saslincludeHEADERS install-strip installcheck \
+ installcheck-am installdirs maintainer-clean \
+- maintainer-clean-generic mostlyclean mostlyclean-compile \
+- mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+- tags uninstall uninstall-am uninstall-frameheaderDATA \
++ maintainer-clean-generic mostlyclean mostlyclean-generic \
++ mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \
++ uninstall-am uninstall-frameheaderDATA \
+ uninstall-saslincludeHEADERS
+
+
+-md5global.h: makemd5
+- -rm -f md5global.h
+- ./makemd5 md5global.h
+-
+ # Tell versions [3.59,3.63) of GNU make to not export all variables.
+ # Otherwise a system limit (for SysV at least) may be exceeded.
+ .NOEXPORT:
+diff -up cyrus-sasl-2.1.26/include/md5global.h.md5global.h cyrus-sasl-2.1.26/include/md5global.h
+--- cyrus-sasl-2.1.26/include/md5global.h.md5global.h 2012-10-15 20:17:34.000000000 +0200
++++ cyrus-sasl-2.1.26/include/md5global.h 2013-09-03 13:09:19.562000004 +0200
+@@ -15,14 +15,17 @@ The following makes PROTOTYPES default t
+ /* POINTER defines a generic pointer type */
+ typedef unsigned char *POINTER;
+
+-typedef signed char INT1; /* 8 bits */
+-typedef short INT2; /* 16 bits */
+-typedef int INT4; /* 32 bits */
+-/* There is no 64 bit type */
+-typedef unsigned char UINT1; /* 8 bits */
+-typedef unsigned short UINT2; /* 16 bits */
+-typedef unsigned int UINT4; /* 32 bits */
+-/* There is no 64 bit type */
++/* We try to define integer types for our use */
++#include <inttypes.h>
++
++typedef int8_t INT1; /* 8 bits */
++typedef int16_t INT2; /* 16 bits */
++typedef int32_t INT4; /* 32 bits */
++typedef int64_t INT8; /* 64 bits */
++typedef uint8_t UINT1; /* 8 bits */
++typedef uint16_t UINT2; /* 16 bits */
++typedef uint32_t UINT4; /* 32 bits */
++typedef uint64_t UINT8; /* 64 bits */
+
+ /* PROTO_LIST is defined depending on how PROTOTYPES is defined above.
+ If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it
diff --git a/SOURCES/cyrus-sasl-2.1.26-null-crypt.patch b/SOURCES/cyrus-sasl-2.1.26-null-crypt.patch
new file mode 100644
index 0000000..ce9b5e2
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-null-crypt.patch
@@ -0,0 +1,86 @@
+diff -up cyrus-sasl-2.1.26/pwcheck/pwcheck_getpwnam.c.null-crypt cyrus-sasl-2.1.26/pwcheck/pwcheck_getpwnam.c
+--- cyrus-sasl-2.1.26/pwcheck/pwcheck_getpwnam.c.null-crypt 2012-01-28 00:31:36.000000000 +0100
++++ cyrus-sasl-2.1.26/pwcheck/pwcheck_getpwnam.c 2012-12-20 17:00:14.614580310 +0100
+@@ -31,7 +31,7 @@ char *pwcheck(userid, password)
+ char *userid;
+ char *password;
+ {
+- char* r;
++ char* r, *cryptbuf;
+ struct passwd *pwd;
+
+ pwd = getpwnam(userid);
+@@ -41,11 +41,13 @@ char *password;
+ else if (pwd->pw_passwd[0] == '*') {
+ r = "Account disabled";
+ }
+- else if (strcmp(pwd->pw_passwd, crypt(password, pwd->pw_passwd)) != 0) {
+- r = "Incorrect password";
+- }
+ else {
+- r = "OK";
++ cryptbuf = crypt(password, pwd->pw_passwd);
++ if((cryptbuf == NULL) || (strcmp(pwd->pw_passwd, cryptbuf) != 0)) {
++ r = "Incorrect password";
++ } else {
++ r = "OK";
++ }
+ }
+
+ endpwent();
+diff -up cyrus-sasl-2.1.26/saslauthd/auth_getpwent.c.null-crypt cyrus-sasl-2.1.26/saslauthd/auth_getpwent.c
+--- cyrus-sasl-2.1.26/saslauthd/auth_getpwent.c.null-crypt 2012-10-12 16:05:48.000000000 +0200
++++ cyrus-sasl-2.1.26/saslauthd/auth_getpwent.c 2012-12-20 17:03:17.940793653 +0100
+@@ -78,6 +78,7 @@ auth_getpwent (
+ /* VARIABLES */
+ struct passwd *pw; /* pointer to passwd file entry */
+ int errnum;
++ char *cryptbuf;
+ /* END VARIABLES */
+
+ errno = 0;
+@@ -105,7 +106,8 @@ auth_getpwent (
+ }
+ }
+
+- if (strcmp(pw->pw_passwd, (const char *)crypt(password, pw->pw_passwd))) {
++ cryptbuf = crypt(password, pw->pw_passwd);
++ if ((cryptbuf == NULL) || strcmp(pw->pw_passwd, cryptbuf)) {
+ if (flags & VERBOSE) {
+ syslog(LOG_DEBUG, "DEBUG: auth_getpwent: %s: invalid password", login);
+ }
+diff -up cyrus-sasl-2.1.26/saslauthd/auth_shadow.c.null-crypt cyrus-sasl-2.1.26/saslauthd/auth_shadow.c
+--- cyrus-sasl-2.1.26/saslauthd/auth_shadow.c.null-crypt 2012-12-20 17:00:14.000000000 +0100
++++ cyrus-sasl-2.1.26/saslauthd/auth_shadow.c 2012-12-20 17:16:44.190360006 +0100
+@@ -214,8 +214,8 @@ auth_shadow (
+ RETURN("NO Insufficient permission to access NIS authentication database (saslauthd)");
+ }
+
+- cpw = strdup((const char *)crypt(password, sp->sp_pwdp));
+- if (strcmp(sp->sp_pwdp, cpw)) {
++ cpw = crypt(password, sp->sp_pwdp);
++ if ((cpw == NULL) || strcmp(sp->sp_pwdp, cpw)) {
+ if (flags & VERBOSE) {
+ /*
+ * This _should_ reveal the SHADOW_PW_LOCKED prefix to an
+@@ -225,10 +225,8 @@ auth_shadow (
+ syslog(LOG_DEBUG, "DEBUG: auth_shadow: pw mismatch: '%s' != '%s'",
+ sp->sp_pwdp, cpw);
+ }
+- free(cpw);
+ RETURN("NO Incorrect password");
+ }
+- free(cpw);
+
+ /*
+ * The following fields will be set to -1 if:
+@@ -290,7 +288,8 @@ auth_shadow (
+ RETURN("NO Invalid username");
+ }
+
+- if (strcmp(upw->upw_passwd, crypt(password, upw->upw_passwd)) != 0) {
++ cpw = crypt(password, upw->upw_passwd);
++ if ((cpw == NULL) || strcmp(upw->upw_passwd, cpw) != 0) {
+ if (flags & VERBOSE) {
+ syslog(LOG_DEBUG, "auth_shadow: pw mismatch: %s != %s",
+ password, upw->upw_passwd);
diff --git a/SOURCES/cyrus-sasl-2.1.26-obsolete-macro.patch b/SOURCES/cyrus-sasl-2.1.26-obsolete-macro.patch
new file mode 100644
index 0000000..a836d8f
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-obsolete-macro.patch
@@ -0,0 +1,13 @@
+diff --git a/configure.in b/configure.in
+index e70c99a..60f366c 100644
+--- a/configure.in
++++ b/configure.in
+@@ -1416,7 +1416,7 @@ inline static unsigned int sleep(unsigned int seconds) {
+ #endif /* CONFIG_H */
+ ])
+
+-AM_CONFIG_HEADER(config.h)
++AC_CONFIG_HEADERS(config.h)
+
+ AC_OUTPUT(Makefile
+ libsasl2.pc
diff --git a/SOURCES/cyrus-sasl-2.1.26-ppc.patch b/SOURCES/cyrus-sasl-2.1.26-ppc.patch
new file mode 100644
index 0000000..0ebba70
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-ppc.patch
@@ -0,0 +1,24 @@
+diff -up cyrus-sasl-2.1.26/config/ltconfig.ppc cyrus-sasl-2.1.26/config/ltconfig
+--- cyrus-sasl-2.1.26/config/ltconfig.ppc 2012-10-12 16:05:48.000000000 +0200
++++ cyrus-sasl-2.1.26/config/ltconfig 2013-06-04 15:38:53.695401296 +0200
+@@ -2040,7 +2040,7 @@ linux-gnu*)
+ else
+ # Only the GNU ld.so supports shared libraries on MkLinux.
+ case "$host_cpu" in
+- powerpc*) dynamic_linker=no ;;
++# powerpc*) dynamic_linker=no ;;
+ *) dynamic_linker='Linux ld.so' ;;
+ esac
+ fi
+diff -up cyrus-sasl-2.1.26/saslauthd/config/ltconfig.ppc cyrus-sasl-2.1.26/saslauthd/config/ltconfig
+--- cyrus-sasl-2.1.26/saslauthd/config/ltconfig.ppc 2013-06-04 15:39:49.849463707 +0200
++++ cyrus-sasl-2.1.26/saslauthd/config/ltconfig 2013-06-04 15:39:12.826741036 +0200
+@@ -2040,7 +2040,7 @@ linux-gnu*)
+ else
+ # Only the GNU ld.so supports shared libraries on MkLinux.
+ case "$host_cpu" in
+- powerpc*) dynamic_linker=no ;;
++ #powerpc*) dynamic_linker=no ;;
+ *) dynamic_linker='Linux ld.so' ;;
+ esac
+ fi
diff --git a/SOURCES/cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch b/SOURCES/cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch
new file mode 100644
index 0000000..af88e81
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch
@@ -0,0 +1,51 @@
+commit 26dcfb2d7176b78e70757aa5d01951a28ca217c7
+Author: Alexey Melnikov <alexey.melnikov@isode.com>
+Date: Fri Jul 5 16:37:59 2013 +0100
+
+ Treat SCRAM-SHA-1/DIGEST-MD5 as more secure than PLAIN when selecting the best client side SASL mechanism
+
+ Both SCRAM-SHA-1 & DIGEST-MD5 are lacking SASL_SEC_PASS_CREDENTIALS security
+ flag, which prevented them from being chosen over PLAIN when PLAIN is selected
+ as the best mechanism first. For example the problem can be observed when
+ the server advertises "PLAIN DIGEST-MD5 SCRAM-SHA-1" (PLAIN just has to be
+ returned before SCRAM/DIGEST.)
+
+ Cyrus SASL bug # 3793
+
+diff --git a/lib/client.c b/lib/client.c
+index 62dfb0b..31fe346 100644
+--- a/lib/client.c
++++ b/lib/client.c
+@@ -658,6 +658,20 @@ _sasl_cbinding_disp(sasl_client_params_t *cparams,
+ return SASL_OK;
+ }
+
++static int
++_sasl_are_current_security_flags_worse_then_best(unsigned best_security_flags,
++ unsigned current_security_flags)
++{
++ /* We don't qualify SASL_SEC_PASS_CREDENTIALS as "secure" flag */
++ best_security_flags &= ~SASL_SEC_PASS_CREDENTIALS;
++
++ if ((current_security_flags ^ best_security_flags) & best_security_flags) {
++ return 1;
++ } else {
++ return 0;
++ }
++}
++
+ /* select a mechanism for a connection
+ * mechlist -- mechanisms server has available (punctuation ignored)
+ * secret -- optional secret from previous session
+@@ -823,8 +837,9 @@ int sasl_client_start(sasl_conn_t *conn,
+ */
+
+ if (bestm &&
+- ((m->m.plug->security_flags ^ bestm->m.plug->security_flags) &
+- bestm->m.plug->security_flags)) {
++ _sasl_are_current_security_flags_worse_then_best(
++ bestm->m.plug->security_flags,
++ m->m.plug->security_flags)) {
+ break;
+ }
+
diff --git a/SOURCES/cyrus-sasl-2.1.26-release-server_creds.patch b/SOURCES/cyrus-sasl-2.1.26-release-server_creds.patch
new file mode 100644
index 0000000..a84bf9f
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-release-server_creds.patch
@@ -0,0 +1,16 @@
+diff -up cyrus-sasl-2.1.26/plugins/gssapi.c.release-server_creds cyrus-sasl-2.1.26/plugins/gssapi.c
+--- cyrus-sasl-2.1.26/plugins/gssapi.c.release-server_creds 2012-12-20 17:17:37.000000000 +0100
++++ cyrus-sasl-2.1.26/plugins/gssapi.c 2012-12-20 17:42:11.498138999 +0100
+@@ -945,6 +945,12 @@ gssapi_server_mech_authneg(context_t *te
+ ret = SASL_CONTINUE;
+ }
+
++ /* Release server creds which are no longer needed */
++ if ( text->server_creds != GSS_C_NO_CREDENTIAL) {
++ maj_stat = gss_release_cred(&min_stat, &text->server_creds);
++ text->server_creds = GSS_C_NO_CREDENTIAL;
++ }
++
+ cleanup:
+ if (client_name_MN) {
+ GSS_LOCK_MUTEX(params->utils);
diff --git a/SOURCES/cyrus-sasl-2.1.26-relro.patch b/SOURCES/cyrus-sasl-2.1.26-relro.patch
new file mode 100644
index 0000000..f8b6027
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-relro.patch
@@ -0,0 +1,70 @@
+diff -up cyrus-sasl-2.1.26/lib/Makefile.am.relro cyrus-sasl-2.1.26/lib/Makefile.am
+--- cyrus-sasl-2.1.26/lib/Makefile.am.relro 2012-10-12 16:05:48.000000000 +0200
++++ cyrus-sasl-2.1.26/lib/Makefile.am 2013-02-11 14:18:01.749053772 +0100
+@@ -64,7 +64,7 @@ LIB_DOOR= @LIB_DOOR@
+ lib_LTLIBRARIES = libsasl2.la
+
+ libsasl2_la_SOURCES = $(common_sources) $(common_headers)
+-libsasl2_la_LDFLAGS = -version-info $(sasl_version)
++libsasl2_la_LDFLAGS = -Wl,-z,relro -version-info $(sasl_version)
+ libsasl2_la_DEPENDENCIES = $(LTLIBOBJS)
+ libsasl2_la_LIBADD = $(LTLIBOBJS) $(SASL_DL_LIB) $(LIB_SOCKET) $(LIB_DOOR)
+
+diff -up cyrus-sasl-2.1.26/lib/Makefile.in.relro cyrus-sasl-2.1.26/lib/Makefile.in
+--- cyrus-sasl-2.1.26/lib/Makefile.in.relro 2013-11-13 16:55:09.606555125 +0100
++++ cyrus-sasl-2.1.26/lib/Makefile.in 2013-11-13 16:56:43.331096795 +0100
+@@ -330,7 +330,7 @@ common_headers = saslint.h
+ common_sources = auxprop.c canonusr.c checkpw.c client.c common.c config.c external.c md5.c saslutil.c server.c seterror.c dlopen.c ../plugins/plugin_common.c
+ lib_LTLIBRARIES = libsasl2.la
+ libsasl2_la_SOURCES = $(common_sources) $(common_headers)
+-libsasl2_la_LDFLAGS = -version-info $(sasl_version)
++libsasl2_la_LDFLAGS = -Wl,-z,relro -version-info $(sasl_version)
+ libsasl2_la_DEPENDENCIES = $(LTLIBOBJS)
+ libsasl2_la_LIBADD = $(LTLIBOBJS) $(SASL_DL_LIB) $(LIB_SOCKET) $(LIB_DOOR)
+ @MACOSX_TRUE@framedir = /Library/Frameworks/SASL2.framework
+diff -up cyrus-sasl-2.1.26/plugins/Makefile.am.relro cyrus-sasl-2.1.26/plugins/Makefile.am
+--- cyrus-sasl-2.1.26/plugins/Makefile.am.relro 2012-10-12 16:05:48.000000000 +0200
++++ cyrus-sasl-2.1.26/plugins/Makefile.am 2013-02-11 14:18:01.749053772 +0100
+@@ -50,7 +50,7 @@
+ plugin_version = 3:0:0
+
+ INCLUDES=-I$(top_srcdir)/include -I$(top_srcdir)/lib -I$(top_srcdir)/sasldb -I$(top_builddir)/include
+-AM_LDFLAGS = -module -export-dynamic -rpath $(plugindir) -version-info $(plugin_version)
++AM_LDFLAGS = -Wl,-z,relro -module -export-dynamic -rpath $(plugindir) -version-info $(plugin_version)
+
+ COMPAT_OBJS = @LTGETADDRINFOOBJS@ @LTGETNAMEINFOOBJS@ @LTSNPRINTFOBJS@
+
+diff -up cyrus-sasl-2.1.26/plugins/Makefile.in.relro cyrus-sasl-2.1.26/plugins/Makefile.in
+--- cyrus-sasl-2.1.26/plugins/Makefile.in.relro 2013-11-13 16:57:08.430974081 +0100
++++ cyrus-sasl-2.1.26/plugins/Makefile.in 2013-11-13 16:57:58.911727846 +0100
+@@ -364,7 +364,7 @@ top_srcdir = @top_srcdir@
+ # CURRENT:REVISION:AGE
+ plugin_version = 3:0:0
+ INCLUDES = -I$(top_srcdir)/include -I$(top_srcdir)/lib -I$(top_srcdir)/sasldb -I$(top_builddir)/include
+-AM_LDFLAGS = -module -export-dynamic -rpath $(plugindir) -version-info $(plugin_version)
++AM_LDFLAGS = -Wl,-z,relro -module -export-dynamic -rpath $(plugindir) -version-info $(plugin_version)
+ COMPAT_OBJS = @LTGETADDRINFOOBJS@ @LTGETNAMEINFOOBJS@ @LTSNPRINTFOBJS@
+ EXTRA_DIST = makeinit.sh NTMakefile
+ noinst_SCRIPTS = makeinit.sh
+diff -up cyrus-sasl-2.1.26/saslauthd/Makefile.am.relro cyrus-sasl-2.1.26/saslauthd/Makefile.am
+--- cyrus-sasl-2.1.26/saslauthd/Makefile.am.relro 2013-02-11 14:18:36.910900647 +0100
++++ cyrus-sasl-2.1.26/saslauthd/Makefile.am 2013-02-11 14:20:17.336463915 +0100
+@@ -17,6 +17,7 @@ saslauthd_DEPENDENCIES = saslauthd-main.
+ saslauthd_LDADD = @SASL_KRB_LIB@ \
+ @GSSAPIBASE_LIBS@ @GSSAPI_LIBS@ @LIB_CRYPT@ @LIB_SIA@ \
+ @LIB_SOCKET@ @SASL_DB_LIB@ @LIB_PAM@ @LDAP_LIBS@ @LTLIBOBJS@
++saslauthd_LDFLAGS = -pie -Wl,-z,now
+
+ testsaslauthd_SOURCES = testsaslauthd.c utils.c
+ testsaslauthd_LDADD = @LIB_SOCKET@
+diff -up cyrus-sasl-2.1.26/saslauthd/Makefile.in.relro cyrus-sasl-2.1.26/saslauthd/Makefile.in
+--- cyrus-sasl-2.1.26/saslauthd/Makefile.in.relro 2013-11-13 16:58:13.085659148 +0100
++++ cyrus-sasl-2.1.26/saslauthd/Makefile.in 2013-11-13 16:58:49.679481841 +0100
+@@ -234,6 +234,7 @@ saslauthd_DEPENDENCIES = saslauthd-main.
+ saslauthd_LDADD = @SASL_KRB_LIB@ \
+ @GSSAPIBASE_LIBS@ @GSSAPI_LIBS@ @LIB_CRYPT@ @LIB_SIA@ \
+ @LIB_SOCKET@ @SASL_DB_LIB@ @LIB_PAM@ @LDAP_LIBS@ @LTLIBOBJS@
++saslauthd_LDFLAGS = -pie -Wl,-z,now
+
+ testsaslauthd_SOURCES = testsaslauthd.c utils.c
+ testsaslauthd_LDADD = @LIB_SOCKET@
diff --git a/SOURCES/cyrus-sasl-2.1.26-revert-gssapi-flags.patch b/SOURCES/cyrus-sasl-2.1.26-revert-gssapi-flags.patch
new file mode 100644
index 0000000..1a1d259
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-revert-gssapi-flags.patch
@@ -0,0 +1,16 @@
+--- cyrus-sasl2.orig/plugins/gssapi.c
++++ cyrus-sasl2/plugins/gssapi.c
+@@ -1583,10 +1583,10 @@ static int gssapi_client_mech_step(void
+ }
+
+ /* Setup req_flags properly */
+- req_flags = GSS_C_INTEG_FLAG;
++ req_flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
+ if (params->props.max_ssf > params->external_ssf) {
+ /* We are requesting a security layer */
+- req_flags |= GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
++ req_flags |= GSS_C_INTEG_FLAG;
+ /* Any SSF bigger than 1 is confidentiality. */
+ /* Let's check if the client of the API requires confidentiality,
+ and it wasn't already provided by an external layer */
+
diff --git a/SOURCES/cyrus-sasl-2.1.26-saslauthd-user.patch b/SOURCES/cyrus-sasl-2.1.26-saslauthd-user.patch
new file mode 100644
index 0000000..cace375
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-saslauthd-user.patch
@@ -0,0 +1,33 @@
+diff --git a/saslauthd/saslauthd.mdoc b/saslauthd/saslauthd.mdoc
+index 37c6f6e..5b635ab 100644
+--- a/saslauthd/saslauthd.mdoc
++++ b/saslauthd/saslauthd.mdoc
+@@ -44,7 +44,27 @@ multi-user mode. When running against a protected authentication
+ database (e.g. the
+ .Li shadow
+ mechanism),
+-it must be run as the superuser.
++it must be run as the superuser. Otherwise it is recommended to run
++daemon unprivileged as saslauth:saslauth. You can do so by following
++these steps:
++.Bl -enum -compact
++.It
++create directory
++.Pa /etc/systemd/system/saslauthd.service.d/
++.It
++create file
++.Pa /etc/systemd/system/saslauthd.service.d/user.conf
++with content
++.Bd -literal
++[Service]
++User=saslauth
++Group=saslauth
++
++.Ed
++.It
++Reload systemd service file: run
++.Dq systemctl daemon-reload
++.El
+ .Ss Options
+ Options named by lower\-case letters configure the server itself.
+ Upper\-case options control the behavior of specific authentication
diff --git a/SOURCES/cyrus-sasl-2.1.26-size_t.patch b/SOURCES/cyrus-sasl-2.1.26-size_t.patch
new file mode 100644
index 0000000..cde8238
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-size_t.patch
@@ -0,0 +1,12 @@
+diff -up cyrus-sasl-2.1.26/include/sasl.h.size_t cyrus-sasl-2.1.26/include/sasl.h
+--- cyrus-sasl-2.1.26/include/sasl.h.size_t 2012-10-12 09:05:48.000000000 -0500
++++ cyrus-sasl-2.1.26/include/sasl.h 2013-01-31 13:21:04.007739327 -0600
+@@ -223,6 +223,8 @@ extern "C" {
+ * they must be called before all other SASL functions:
+ */
+
++#include <sys/types.h>
++
+ /* memory allocation functions which may optionally be replaced:
+ */
+ typedef void *sasl_malloc_t(size_t);
diff --git a/SOURCES/cyrus-sasl-2.1.26-sql.patch b/SOURCES/cyrus-sasl-2.1.26-sql.patch
new file mode 100644
index 0000000..b7f3db4
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-sql.patch
@@ -0,0 +1,2296 @@
+diff -up ./configure.in.sql ./configure.in
+--- ./configure.in.sql 2013-11-14 13:19:19.231000002 +0100
++++ ./configure.in 2013-11-14 14:10:44.728997789 +0100
+@@ -729,7 +729,18 @@ LIB_MYSQL=""
+
+ case "$with_mysql" in
+ no) true;;
+- notfound) AC_WARN([MySQL Library not found]); true;;
++ notfound)
++ save_LDFLAGS=$LDFLAGS
++ LIB_MYSQL=`mysql_config --libs`
++ LIB_MYSQL="-lmysqlclient"
++ LDFLAGS="$LDFLAGS $LIB_MYSQL"
++ # CPPFLAGS="${CPPFLAGS} `mysql_config --include`"
++ AC_CHECK_LIB(mysqlclient, mysql_select_db,
++ AC_DEFINE(HAVE_MYSQL, [], [Do we have mysql support?]),
++ [AC_WARN([MySQL library mysqlclient does not work])
++ with_mysql=no])
++ LDFLAGS=$save_LDFLAGS
++ ;;
+ *)
+ if test -d ${with_mysql}/lib/mysql; then
+ CMU_ADD_LIBPATH_TO(${with_mysql}/lib/mysql, LIB_MYSQL)
+@@ -750,6 +761,8 @@ case "$with_mysql" in
+ CPPFLAGS="${CPPFLAGS} -I${with_mysql}/mysql/include"
+ elif test -d ${with_mysql}/include; then
+ CPPFLAGS="${CPPFLAGS} -I${with_mysql}/include"
++ elif test -d ${prefix}/include/mysql; then
++ CPPFLAGS="${CPPFLAGS} -I${prefix}/include/mysql"
+ else
+ CPPFLAGS="${CPPFLAGS} -I${with_mysql}"
+ fi
+@@ -793,7 +806,17 @@ LIB_PGSQL=""
+
+ case "$with_pgsql" in
+ no) true;;
+- notfound) AC_WARN([PostgreSQL Library not found]); true;;
++ notfound)
++ LIB_PGSQL="-lpq"
++ # CPPFLAGS="${CPPFLAGS} -I`pg_config --includedir`"
++ save_LDFLAGS=$LDFLAGS
++ LDFLAGS="$LDFLAGS $LIB_PGSQL"
++ AC_CHECK_LIB(pq, PQsetdbLogin, AC_DEFINE(HAVE_PGSQL,[],
++ [Do we have Postgres support?]),
++ [AC_WARN([PostgreSQL Library pq does not work])
++ with_pgsql=no])
++ LDFLAGS=$save_LDFLAGS
++ ;;
+ *)
+ if test -d ${with_pgsql}/lib/pgsql; then
+ CMU_ADD_LIBPATH_TO(${with_pgsql}/lib/pgsql, LIB_PGSQL)
+@@ -814,6 +837,8 @@ case "$with_pgsql" in
+ CPPFLAGS="${CPPFLAGS} -I${with_pgsql}/pgsql/include"
+ elif test -d ${with_pgsql}/include; then
+ CPPFLAGS="${CPPFLAGS} -I${with_pgsql}/include"
++ elif test -d ${prefix}/include; then
++ CPPFLAGS="${CPPFLAGS} -I${prefix}/include"
+ else
+ CPPFLAGS="${CPPFLAGS} -I${with_pgsql}"
+ fi
+diff -up ./configure.sql ./configure
+--- ./configure.sql 2013-11-14 13:19:19.177000002 +0100
++++ ./configure 2013-11-14 14:10:50.848000001 +0100
+@@ -4340,116 +4340,8 @@ $as_echo "$ac_cv___attribute__" >&6; }
+
+
+ # CMU GUESS RUNPATH SWITCH
+- { $as_echo "$as_me:$LINENO: checking for runpath switch" >&5
+-$as_echo_n "checking for runpath switch... " >&6; }
+-if test "${andrew_cv_runpath_switch+set}" = set; then
+- $as_echo_n "(cached) " >&6
+-else
+-
+- # first, try -R
+- SAVE_LDFLAGS="${LDFLAGS}"
+- LDFLAGS="-R /usr/lib"
+- cat >conftest.$ac_ext <<_ACEOF
+-/* confdefs.h. */
+-_ACEOF
+-cat confdefs.h >>conftest.$ac_ext
+-cat >>conftest.$ac_ext <<_ACEOF
+-/* end confdefs.h. */
+-
+-int
+-main ()
+-{
+-
+- ;
+- return 0;
+-}
+-_ACEOF
+-rm -f conftest.$ac_objext conftest$ac_exeext
+-if { (ac_try="$ac_link"
+-case "(($ac_try" in
+- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+- *) ac_try_echo=$ac_try;;
+-esac
+-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+-$as_echo "$ac_try_echo") >&5
+- (eval "$ac_link") 2>conftest.er1
+- ac_status=$?
+- grep -v '^ *+' conftest.er1 >conftest.err
+- rm -f conftest.er1
+- cat conftest.err >&5
+- $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+- (exit $ac_status); } && {
+- test -z "$ac_c_werror_flag" ||
+- test ! -s conftest.err
+- } && test -s conftest$ac_exeext && {
+- test "$cross_compiling" = yes ||
+- $as_test_x conftest$ac_exeext
+- }; then
+- andrew_cv_runpath_switch="-R"
+-else
+- $as_echo "$as_me: failed program was:" >&5
+-sed 's/^/| /' conftest.$ac_ext >&5
+-
+-
+- LDFLAGS="-Wl,-rpath,/usr/lib"
+- cat >conftest.$ac_ext <<_ACEOF
+-/* confdefs.h. */
+-_ACEOF
+-cat confdefs.h >>conftest.$ac_ext
+-cat >>conftest.$ac_ext <<_ACEOF
+-/* end confdefs.h. */
+-
+-int
+-main ()
+-{
+-
+- ;
+- return 0;
+-}
+-_ACEOF
+-rm -f conftest.$ac_objext conftest$ac_exeext
+-if { (ac_try="$ac_link"
+-case "(($ac_try" in
+- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+- *) ac_try_echo=$ac_try;;
+-esac
+-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+-$as_echo "$ac_try_echo") >&5
+- (eval "$ac_link") 2>conftest.er1
+- ac_status=$?
+- grep -v '^ *+' conftest.er1 >conftest.err
+- rm -f conftest.er1
+- cat conftest.err >&5
+- $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+- (exit $ac_status); } && {
+- test -z "$ac_c_werror_flag" ||
+- test ! -s conftest.err
+- } && test -s conftest$ac_exeext && {
+- test "$cross_compiling" = yes ||
+- $as_test_x conftest$ac_exeext
+- }; then
+- andrew_cv_runpath_switch="-Wl,-rpath,"
+-else
+- $as_echo "$as_me: failed program was:" >&5
+-sed 's/^/| /' conftest.$ac_ext >&5
+-
+- andrew_cv_runpath_switch="none"
+-fi
+-
+-rm -rf conftest.dSYM
+-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+- conftest$ac_exeext conftest.$ac_ext
+-
+-fi
+-
+-rm -rf conftest.dSYM
+-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+- conftest$ac_exeext conftest.$ac_ext
+- LDFLAGS="${SAVE_LDFLAGS}"
++ andrew_runpath_switch="none"
+
+-fi
+-{ $as_echo "$as_me:$LINENO: result: $andrew_cv_runpath_switch" >&5
+-$as_echo "$andrew_cv_runpath_switch" >&6; }
+
+
+ # Check whether --with-staticsasl was given.
+@@ -4784,7 +4676,7 @@ test x"$silent" = xyes && libtool_flags=
+ case "$lt_target" in
+ *-*-irix6*)
+ # Find out which ABI we are using.
+- echo '#line 4787 "configure"' > conftest.$ac_ext
++ echo '#line 4679 "configure"' > conftest.$ac_ext
+ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>&5
+ ac_status=$?
+@@ -11239,7 +11131,6 @@ $as_echo "$cyrus_krbinclude" >&6; }
+ if test -n "${cyrus_krbinclude}"; then
+ CPPFLAGS="$CPPFLAGS -I${cyrus_krbinclude}"
+ fi
+- LDFLAGS="$LDFLAGS -L$krb4/lib"
+ fi
+
+ if test "$with_des" != no; then
+@@ -13467,69 +13358,43 @@ _ACEOF
+ fi
+ done
+
++ if test "$ac_cv_func_gsskrb5_register_acceptor_identity" = no ; then
+
+-for ac_func in gss_decapsulate_token
++for ac_header in gssapi/gssapi_krb5.h
+ do
+-as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+-{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5
+-$as_echo_n "checking for $ac_func... " >&6; }
+-if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
++as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
++if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
++ { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
++$as_echo_n "checking for $ac_header... " >&6; }
++if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+ $as_echo_n "(cached) " >&6
++fi
++ac_res=`eval 'as_val=${'$as_ac_Header'}
++ $as_echo "$as_val"'`
++ { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
++$as_echo "$ac_res" >&6; }
+ else
+- cat >conftest.$ac_ext <<_ACEOF
++ # Is the header compilable?
++{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5
++$as_echo_n "checking $ac_header usability... " >&6; }
++cat >conftest.$ac_ext <<_ACEOF
+ /* confdefs.h. */
+ _ACEOF
+ cat confdefs.h >>conftest.$ac_ext
+ cat >>conftest.$ac_ext <<_ACEOF
+ /* end confdefs.h. */
+-/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
+- For example, HP-UX 11i <limits.h> declares gettimeofday. */
+-#define $ac_func innocuous_$ac_func
+-
+-/* System header to define __stub macros and hopefully few prototypes,
+- which can conflict with char $ac_func (); below.
+- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+- <limits.h> exists even on freestanding compilers. */
+-
+-#ifdef __STDC__
+-# include <limits.h>
+-#else
+-# include <assert.h>
+-#endif
+-
+-#undef $ac_func
+-
+-/* Override any GCC internal prototype to avoid an error.
+- Use char because int might match the return type of a GCC
+- builtin and then its argument prototype would still apply. */
+-#ifdef __cplusplus
+-extern "C"
+-#endif
+-char $ac_func ();
+-/* The GNU C library defines this for functions which it implements
+- to always fail with ENOSYS. Some functions are actually named
+- something starting with __ and the normal name is an alias. */
+-#if defined __stub_$ac_func || defined __stub___$ac_func
+-choke me
+-#endif
+-
+-int
+-main ()
+-{
+-return $ac_func ();
+- ;
+- return 0;
+-}
++$ac_includes_default
++#include <$ac_header>
+ _ACEOF
+-rm -f conftest.$ac_objext conftest$ac_exeext
+-if { (ac_try="$ac_link"
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
+ case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+ esac
+ eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+ $as_echo "$ac_try_echo") >&5
+- (eval "$ac_link") 2>conftest.er1
++ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+@@ -13538,139 +13403,178 @@ $as_echo "$ac_try_echo") >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+- } && test -s conftest$ac_exeext && {
+- test "$cross_compiling" = yes ||
+- $as_test_x conftest$ac_exeext
+- }; then
+- eval "$as_ac_var=yes"
++ } && test -s conftest.$ac_objext; then
++ ac_header_compiler=yes
+ else
+ $as_echo "$as_me: failed program was:" >&5
+ sed 's/^/| /' conftest.$ac_ext >&5
+
+- eval "$as_ac_var=no"
+-fi
+-
+-rm -rf conftest.dSYM
+-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+- conftest$ac_exeext conftest.$ac_ext
+-fi
+-ac_res=`eval 'as_val=${'$as_ac_var'}
+- $as_echo "$as_val"'`
+- { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
+-$as_echo "$ac_res" >&6; }
+-as_val=`eval 'as_val=${'$as_ac_var'}
+- $as_echo "$as_val"'`
+- if test "x$as_val" = x""yes; then
+- cat >>confdefs.h <<_ACEOF
+-#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+-_ACEOF
+-
++ ac_header_compiler=no
+ fi
+-done
+
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
++$as_echo "$ac_header_compiler" >&6; }
+
+-for ac_func in gss_encapsulate_token
+-do
+-as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+-{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5
+-$as_echo_n "checking for $ac_func... " >&6; }
+-if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
+- $as_echo_n "(cached) " >&6
+-else
+- cat >conftest.$ac_ext <<_ACEOF
++# Is the header present?
++{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5
++$as_echo_n "checking $ac_header presence... " >&6; }
++cat >conftest.$ac_ext <<_ACEOF
+ /* confdefs.h. */
+ _ACEOF
+ cat confdefs.h >>conftest.$ac_ext
+ cat >>conftest.$ac_ext <<_ACEOF
+ /* end confdefs.h. */
+-/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
+- For example, HP-UX 11i <limits.h> declares gettimeofday. */
+-#define $ac_func innocuous_$ac_func
+-
+-/* System header to define __stub macros and hopefully few prototypes,
+- which can conflict with char $ac_func (); below.
+- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+- <limits.h> exists even on freestanding compilers. */
+-
+-#ifdef __STDC__
+-# include <limits.h>
+-#else
+-# include <assert.h>
+-#endif
+-
+-#undef $ac_func
+-
+-/* Override any GCC internal prototype to avoid an error.
+- Use char because int might match the return type of a GCC
+- builtin and then its argument prototype would still apply. */
+-#ifdef __cplusplus
+-extern "C"
+-#endif
+-char $ac_func ();
+-/* The GNU C library defines this for functions which it implements
+- to always fail with ENOSYS. Some functions are actually named
+- something starting with __ and the normal name is an alias. */
+-#if defined __stub_$ac_func || defined __stub___$ac_func
+-choke me
+-#endif
+-
+-int
+-main ()
+-{
+-return $ac_func ();
+- ;
+- return 0;
+-}
++#include <$ac_header>
+ _ACEOF
+-rm -f conftest.$ac_objext conftest$ac_exeext
+-if { (ac_try="$ac_link"
++if { (ac_try="$ac_cpp conftest.$ac_ext"
+ case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+ esac
+ eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+ $as_echo "$ac_try_echo") >&5
+- (eval "$ac_link") 2>conftest.er1
++ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+- (exit $ac_status); } && {
+- test -z "$ac_c_werror_flag" ||
++ (exit $ac_status); } >/dev/null && {
++ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+ test ! -s conftest.err
+- } && test -s conftest$ac_exeext && {
+- test "$cross_compiling" = yes ||
+- $as_test_x conftest$ac_exeext
+ }; then
+- eval "$as_ac_var=yes"
++ ac_header_preproc=yes
+ else
+ $as_echo "$as_me: failed program was:" >&5
+ sed 's/^/| /' conftest.$ac_ext >&5
+
+- eval "$as_ac_var=no"
++ ac_header_preproc=no
+ fi
+
+-rm -rf conftest.dSYM
+-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+- conftest$ac_exeext conftest.$ac_ext
++rm -f conftest.err conftest.$ac_ext
++{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
++$as_echo "$ac_header_preproc" >&6; }
++
++# So? What about this header?
++case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
++ yes:no: )
++ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
++$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
++ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
++$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
++ ac_header_preproc=yes
++ ;;
++ no:yes:* )
++ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
++$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
++ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5
++$as_echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;}
++ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
++$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
++ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5
++$as_echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;}
++ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
++$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
++ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
++$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
++
++ ;;
++esac
++{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
++$as_echo_n "checking for $ac_header... " >&6; }
++if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
++ $as_echo_n "(cached) " >&6
++else
++ eval "$as_ac_Header=\$ac_header_preproc"
+ fi
+-ac_res=`eval 'as_val=${'$as_ac_var'}
++ac_res=`eval 'as_val=${'$as_ac_Header'}
+ $as_echo "$as_val"'`
+ { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
+ $as_echo "$ac_res" >&6; }
+-as_val=`eval 'as_val=${'$as_ac_var'}
++
++fi
++as_val=`eval 'as_val=${'$as_ac_Header'}
+ $as_echo "$as_val"'`
+ if test "x$as_val" = x""yes; then
+ cat >>confdefs.h <<_ACEOF
+-#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
++#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+ _ACEOF
+
+ fi
++
+ done
+
++ if test "$ac_cv_header_gssapi_gssapi_krb5_h" = "yes"; then
++ { $as_echo "$as_me:$LINENO: checking whether gsskrb5_register_acceptor_identity is declared" >&5
++$as_echo_n "checking whether gsskrb5_register_acceptor_identity is declared... " >&6; }
++if test "${ac_cv_have_decl_gsskrb5_register_acceptor_identity+set}" = set; then
++ $as_echo_n "(cached) " >&6
++else
++ cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h. */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h. */
++
++ $ac_includes_default
++ #include <gssapi/gssapi_krb5.h>
+
+-for ac_func in gss_oid_equal
++
++int
++main ()
++{
++#ifndef gsskrb5_register_acceptor_identity
++ (void) gsskrb5_register_acceptor_identity;
++#endif
++
++ ;
++ return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++ (eval "$ac_compile") 2>conftest.er1
++ ac_status=$?
++ grep -v '^ *+' conftest.er1 >conftest.err
++ rm -f conftest.er1
++ cat conftest.err >&5
++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++ (exit $ac_status); } && {
++ test -z "$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ } && test -s conftest.$ac_objext; then
++ ac_cv_have_decl_gsskrb5_register_acceptor_identity=yes
++else
++ $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++ ac_cv_have_decl_gsskrb5_register_acceptor_identity=no
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++fi
++{ $as_echo "$as_me:$LINENO: result: $ac_cv_have_decl_gsskrb5_register_acceptor_identity" >&5
++$as_echo "$ac_cv_have_decl_gsskrb5_register_acceptor_identity" >&6; }
++if test "x$ac_cv_have_decl_gsskrb5_register_acceptor_identity" = x""yes; then
++
++cat >>confdefs.h <<\_ACEOF
++#define HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY 1
++_ACEOF
++
++fi
++
++ fi
++ fi
++
++for ac_func in gss_decapsulate_token
+ do
+ as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ { $as_echo "$as_me:$LINENO: checking for $ac_func" >&5
+@@ -13770,12 +13674,8 @@ _ACEOF
+ fi
+ done
+
+- LIBS="$cmu_save_LIBS"
+-
+- cmu_save_LIBS="$LIBS"
+- LIBS="$LIBS $GSSAPIBASE_LIBS"
+
+-for ac_func in gss_get_name_attribute
++for ac_func in gss_encapsulate_token
+ do
+ as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ { $as_echo "$as_me:$LINENO: checking for $ac_func" >&5
+@@ -13875,20 +13775,14 @@ _ACEOF
+ fi
+ done
+
+- LIBS="$cmu_save_LIBS"
+
+- cmu_save_LIBS="$LIBS"
+- LIBS="$LIBS $GSSAPIBASE_LIBS"
+- { $as_echo "$as_me:$LINENO: checking for SPNEGO support in GSSAPI libraries" >&5
+-$as_echo_n "checking for SPNEGO support in GSSAPI libraries... " >&6; }
+- if test "$cross_compiling" = yes; then
+- { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5
+-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+-{ { $as_echo "$as_me:$LINENO: error: cannot run test program while cross compiling
+-See \`config.log' for more details." >&5
+-$as_echo "$as_me: error: cannot run test program while cross compiling
+-See \`config.log' for more details." >&2;}
+- { (exit 1); exit 1; }; }; }
++for ac_func in gss_oid_equal
++do
++as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
++{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5
++$as_echo_n "checking for $ac_func... " >&6; }
++if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
++ $as_echo_n "(cached) " >&6
+ else
+ cat >conftest.$ac_ext <<_ACEOF
+ /* confdefs.h. */
+@@ -13896,30 +13790,46 @@ _ACEOF
+ cat confdefs.h >>conftest.$ac_ext
+ cat >>conftest.$ac_ext <<_ACEOF
+ /* end confdefs.h. */
++/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
++ For example, HP-UX 11i <limits.h> declares gettimeofday. */
++#define $ac_func innocuous_$ac_func
+
+-#ifdef HAVE_GSSAPI_H
+-#include <gssapi.h>
++/* System header to define __stub macros and hopefully few prototypes,
++ which can conflict with char $ac_func (); below.
++ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
++ <limits.h> exists even on freestanding compilers. */
++
++#ifdef __STDC__
++# include <limits.h>
+ #else
+-#include <gssapi/gssapi.h>
++# include <assert.h>
+ #endif
+
+-int main(void)
+-{
+- gss_OID_desc spnego_oid = { 6, (void *) "\x2b\x06\x01\x05\x05\x02" };
+- gss_OID_set mech_set;
+- OM_uint32 min_stat;
+- int have_spnego = 0;
++#undef $ac_func
+
+- if (gss_indicate_mechs(&min_stat, &mech_set) == GSS_S_COMPLETE) {
+- gss_test_oid_set_member(&min_stat, &spnego_oid, mech_set, &have_spnego);
+- gss_release_oid_set(&min_stat, &mech_set);
+- }
++/* Override any GCC internal prototype to avoid an error.
++ Use char because int might match the return type of a GCC
++ builtin and then its argument prototype would still apply. */
++#ifdef __cplusplus
++extern "C"
++#endif
++char $ac_func ();
++/* The GNU C library defines this for functions which it implements
++ to always fail with ENOSYS. Some functions are actually named
++ something starting with __ and the normal name is an alias. */
++#if defined __stub_$ac_func || defined __stub___$ac_func
++choke me
++#endif
+
+- return (!have_spnego); // 0 = success, 1 = failure
++int
++main ()
++{
++return $ac_func ();
++ ;
++ return 0;
+ }
+-
+ _ACEOF
+-rm -f conftest$ac_exeext
++rm -f conftest.$ac_objext conftest$ac_exeext
+ if { (ac_try="$ac_link"
+ case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+@@ -13927,63 +13837,259 @@ case "(($ac_try" in
+ esac
+ eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+ $as_echo "$ac_try_echo") >&5
+- (eval "$ac_link") 2>&5
+- ac_status=$?
+- $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+- (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
+- { (case "(($ac_try" in
+- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+- *) ac_try_echo=$ac_try;;
+-esac
+-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+-$as_echo "$ac_try_echo") >&5
+- (eval "$ac_try") 2>&5
++ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
++ grep -v '^ *+' conftest.er1 >conftest.err
++ rm -f conftest.er1
++ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+- (exit $ac_status); }; }; then
+-
+-cat >>confdefs.h <<\_ACEOF
+-#define HAVE_GSS_SPNEGO /**/
+-_ACEOF
+-
+- { $as_echo "$as_me:$LINENO: result: yes" >&5
+-$as_echo "yes" >&6; }
++ (exit $ac_status); } && {
++ test -z "$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ } && test -s conftest$ac_exeext && {
++ test "$cross_compiling" = yes ||
++ $as_test_x conftest$ac_exeext
++ }; then
++ eval "$as_ac_var=yes"
+ else
+- $as_echo "$as_me: program exited with status $ac_status" >&5
+-$as_echo "$as_me: failed program was:" >&5
++ $as_echo "$as_me: failed program was:" >&5
+ sed 's/^/| /' conftest.$ac_ext >&5
+
+-( exit $ac_status )
+-{ $as_echo "$as_me:$LINENO: result: no" >&5
+-$as_echo "no" >&6; }
++ eval "$as_ac_var=no"
+ fi
++
+ rm -rf conftest.dSYM
+-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
++rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
++ conftest$ac_exeext conftest.$ac_ext
+ fi
++ac_res=`eval 'as_val=${'$as_ac_var'}
++ $as_echo "$as_val"'`
++ { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
++$as_echo "$ac_res" >&6; }
++as_val=`eval 'as_val=${'$as_ac_var'}
++ $as_echo "$as_val"'`
++ if test "x$as_val" = x""yes; then
++ cat >>confdefs.h <<_ACEOF
++#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
++_ACEOF
+
+-
+- LIBS="$cmu_save_LIBS"
+-
+-else
+- { $as_echo "$as_me:$LINENO: result: disabled" >&5
+-$as_echo "disabled" >&6; }
+ fi
++done
+
++ LIBS="$cmu_save_LIBS"
+
++ cmu_save_LIBS="$LIBS"
++ LIBS="$LIBS $GSSAPIBASE_LIBS"
+
+-
+-if test "$gssapi" != "no"; then
+-
+-cat >>confdefs.h <<\_ACEOF
+-#define STATIC_GSSAPIV2 /**/
+-_ACEOF
+-
+- mutex_default="no"
+- if test "$gss_impl" = "mit"; then
+- mutex_default="yes"
+- fi
+- { $as_echo "$as_me:$LINENO: checking to use mutexes aroung GSS calls" >&5
+-$as_echo_n "checking to use mutexes aroung GSS calls... " >&6; }
++for ac_func in gss_get_name_attribute
++do
++as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
++{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5
++$as_echo_n "checking for $ac_func... " >&6; }
++if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
++ $as_echo_n "(cached) " >&6
++else
++ cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h. */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h. */
++/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
++ For example, HP-UX 11i <limits.h> declares gettimeofday. */
++#define $ac_func innocuous_$ac_func
++
++/* System header to define __stub macros and hopefully few prototypes,
++ which can conflict with char $ac_func (); below.
++ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
++ <limits.h> exists even on freestanding compilers. */
++
++#ifdef __STDC__
++# include <limits.h>
++#else
++# include <assert.h>
++#endif
++
++#undef $ac_func
++
++/* Override any GCC internal prototype to avoid an error.
++ Use char because int might match the return type of a GCC
++ builtin and then its argument prototype would still apply. */
++#ifdef __cplusplus
++extern "C"
++#endif
++char $ac_func ();
++/* The GNU C library defines this for functions which it implements
++ to always fail with ENOSYS. Some functions are actually named
++ something starting with __ and the normal name is an alias. */
++#if defined __stub_$ac_func || defined __stub___$ac_func
++choke me
++#endif
++
++int
++main ()
++{
++return $ac_func ();
++ ;
++ return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext conftest$ac_exeext
++if { (ac_try="$ac_link"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++ (eval "$ac_link") 2>conftest.er1
++ ac_status=$?
++ grep -v '^ *+' conftest.er1 >conftest.err
++ rm -f conftest.er1
++ cat conftest.err >&5
++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++ (exit $ac_status); } && {
++ test -z "$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ } && test -s conftest$ac_exeext && {
++ test "$cross_compiling" = yes ||
++ $as_test_x conftest$ac_exeext
++ }; then
++ eval "$as_ac_var=yes"
++else
++ $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++ eval "$as_ac_var=no"
++fi
++
++rm -rf conftest.dSYM
++rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
++ conftest$ac_exeext conftest.$ac_ext
++fi
++ac_res=`eval 'as_val=${'$as_ac_var'}
++ $as_echo "$as_val"'`
++ { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
++$as_echo "$ac_res" >&6; }
++as_val=`eval 'as_val=${'$as_ac_var'}
++ $as_echo "$as_val"'`
++ if test "x$as_val" = x""yes; then
++ cat >>confdefs.h <<_ACEOF
++#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
++_ACEOF
++
++fi
++done
++
++ LIBS="$cmu_save_LIBS"
++
++ cmu_save_LIBS="$LIBS"
++ LIBS="$LIBS $GSSAPIBASE_LIBS"
++ { $as_echo "$as_me:$LINENO: checking for SPNEGO support in GSSAPI libraries" >&5
++$as_echo_n "checking for SPNEGO support in GSSAPI libraries... " >&6; }
++ if test "$cross_compiling" = yes; then
++ { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5
++$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
++{ { $as_echo "$as_me:$LINENO: error: cannot run test program while cross compiling
++See \`config.log' for more details." >&5
++$as_echo "$as_me: error: cannot run test program while cross compiling
++See \`config.log' for more details." >&2;}
++ { (exit 1); exit 1; }; }; }
++else
++ cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h. */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h. */
++
++#ifdef HAVE_GSSAPI_H
++#include <gssapi.h>
++#else
++#include <gssapi/gssapi.h>
++#endif
++
++int main(void)
++{
++ gss_OID_desc spnego_oid = { 6, (void *) "\x2b\x06\x01\x05\x05\x02" };
++ gss_OID_set mech_set;
++ OM_uint32 min_stat;
++ int have_spnego = 0;
++
++ if (gss_indicate_mechs(&min_stat, &mech_set) == GSS_S_COMPLETE) {
++ gss_test_oid_set_member(&min_stat, &spnego_oid, mech_set, &have_spnego);
++ gss_release_oid_set(&min_stat, &mech_set);
++ }
++
++ return (!have_spnego); // 0 = success, 1 = failure
++}
++
++_ACEOF
++rm -f conftest$ac_exeext
++if { (ac_try="$ac_link"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++ (eval "$ac_link") 2>&5
++ ac_status=$?
++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++ (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
++ { (case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++ (eval "$ac_try") 2>&5
++ ac_status=$?
++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++ (exit $ac_status); }; }; then
++
++cat >>confdefs.h <<\_ACEOF
++#define HAVE_GSS_SPNEGO /**/
++_ACEOF
++
++ { $as_echo "$as_me:$LINENO: result: yes" >&5
++$as_echo "yes" >&6; }
++else
++ $as_echo "$as_me: program exited with status $ac_status" >&5
++$as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++( exit $ac_status )
++{ $as_echo "$as_me:$LINENO: result: no" >&5
++$as_echo "no" >&6; }
++fi
++rm -rf conftest.dSYM
++rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
++fi
++
++
++ LIBS="$cmu_save_LIBS"
++
++else
++ { $as_echo "$as_me:$LINENO: result: disabled" >&5
++$as_echo "disabled" >&6; }
++fi
++
++
++
++
++if test "$gssapi" != "no"; then
++
++cat >>confdefs.h <<\_ACEOF
++#define STATIC_GSSAPIV2 /**/
++_ACEOF
++
++ mutex_default="no"
++ if test "$gss_impl" = "mit"; then
++ mutex_default="yes"
++ fi
++ { $as_echo "$as_me:$LINENO: checking to use mutexes aroung GSS calls" >&5
++$as_echo_n "checking to use mutexes aroung GSS calls... " >&6; }
+ # Check whether --enable-gss_mutexes was given.
+ if test "${enable_gss_mutexes+set}" = set; then
+ enableval=$enable_gss_mutexes; use_gss_mutexes=$enableval
+@@ -14246,44 +14352,127 @@ LIB_MYSQL=""
+
+ case "$with_mysql" in
+ no) true;;
+- notfound) { $as_echo "$as_me:$LINENO: WARNING: MySQL Library not found" >&5
+-$as_echo "$as_me: WARNING: MySQL Library not found" >&2;}; true;;
+- *)
+- if test -d ${with_mysql}/lib/mysql; then
+-
+- # this is CMU ADD LIBPATH TO
+- if test "$andrew_cv_runpath_switch" = "none" ; then
+- LIB_MYSQL="-L${with_mysql}/lib/mysql ${LIB_MYSQL}"
+- else
+- LIB_MYSQL="-L${with_mysql}/lib/mysql ${LIB_MYSQL} $andrew_cv_runpath_switch${with_mysql}/lib/mysql"
+- fi
+-
+- elif test -d ${with_mysql}/mysql/lib; then
+-
+- # this is CMU ADD LIBPATH TO
+- if test "$andrew_cv_runpath_switch" = "none" ; then
+- LIB_MYSQL="-L${with_mysql}/mysql/lib ${LIB_MYSQL}"
+- else
+- LIB_MYSQL="-L${with_mysql}/mysql/lib ${LIB_MYSQL} $andrew_cv_runpath_switch${with_mysql}/mysql/lib"
+- fi
+-
+- elif test -d ${with_mysql}/lib; then
+-
+- # this is CMU ADD LIBPATH TO
+- if test "$andrew_cv_runpath_switch" = "none" ; then
+- LIB_MYSQL="-L${with_mysql}/lib ${LIB_MYSQL}"
+- else
+- LIB_MYSQL="-L${with_mysql}/lib ${LIB_MYSQL} $andrew_cv_runpath_switch${with_mysql}/lib"
+- fi
+-
+- else
++ notfound)
++ save_LDFLAGS=$LDFLAGS
++ LIB_MYSQL=`mysql_config --libs`
++ LIB_MYSQL="-lmysqlclient"
++ LDFLAGS="$LDFLAGS $LIB_MYSQL"
++ # CPPFLAGS="${CPPFLAGS} `mysql_config --include`"
++ { $as_echo "$as_me:$LINENO: checking for mysql_select_db in -lmysqlclient" >&5
++$as_echo_n "checking for mysql_select_db in -lmysqlclient... " >&6; }
++if test "${ac_cv_lib_mysqlclient_mysql_select_db+set}" = set; then
++ $as_echo_n "(cached) " >&6
++else
++ ac_check_lib_save_LIBS=$LIBS
++LIBS="-lmysqlclient $LIBS"
++cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h. */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h. */
+
+- # this is CMU ADD LIBPATH TO
+- if test "$andrew_cv_runpath_switch" = "none" ; then
+- LIB_MYSQL="-L${with_mysql} ${LIB_MYSQL}"
+- else
+- LIB_MYSQL="-L${with_mysql} ${LIB_MYSQL} $andrew_cv_runpath_switch${with_mysql}"
+- fi
++/* Override any GCC internal prototype to avoid an error.
++ Use char because int might match the return type of a GCC
++ builtin and then its argument prototype would still apply. */
++#ifdef __cplusplus
++extern "C"
++#endif
++char mysql_select_db ();
++int
++main ()
++{
++return mysql_select_db ();
++ ;
++ return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext conftest$ac_exeext
++if { (ac_try="$ac_link"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++ (eval "$ac_link") 2>conftest.er1
++ ac_status=$?
++ grep -v '^ *+' conftest.er1 >conftest.err
++ rm -f conftest.er1
++ cat conftest.err >&5
++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++ (exit $ac_status); } && {
++ test -z "$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ } && test -s conftest$ac_exeext && {
++ test "$cross_compiling" = yes ||
++ $as_test_x conftest$ac_exeext
++ }; then
++ ac_cv_lib_mysqlclient_mysql_select_db=yes
++else
++ $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++ ac_cv_lib_mysqlclient_mysql_select_db=no
++fi
++
++rm -rf conftest.dSYM
++rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
++ conftest$ac_exeext conftest.$ac_ext
++LIBS=$ac_check_lib_save_LIBS
++fi
++{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_mysqlclient_mysql_select_db" >&5
++$as_echo "$ac_cv_lib_mysqlclient_mysql_select_db" >&6; }
++if test "x$ac_cv_lib_mysqlclient_mysql_select_db" = x""yes; then
++
++cat >>confdefs.h <<\_ACEOF
++#define HAVE_MYSQL /**/
++_ACEOF
++
++else
++ { $as_echo "$as_me:$LINENO: WARNING: MySQL library mysqlclient does not work" >&5
++$as_echo "$as_me: WARNING: MySQL library mysqlclient does not work" >&2;}
++ with_mysql=no
++fi
++
++ LDFLAGS=$save_LDFLAGS
++ ;;
++ *)
++ if test -d ${with_mysql}/lib/mysql; then
++
++ # this is CMU ADD LIBPATH TO
++ if test "$andrew_cv_runpath_switch" = "none" ; then
++ LIB_MYSQL="-L${with_mysql}/lib/mysql ${LIB_MYSQL}"
++ else
++ LIB_MYSQL="-L${with_mysql}/lib/mysql ${LIB_MYSQL} $andrew_cv_runpath_switch${with_mysql}/lib/mysql"
++ fi
++
++ elif test -d ${with_mysql}/mysql/lib; then
++
++ # this is CMU ADD LIBPATH TO
++ if test "$andrew_cv_runpath_switch" = "none" ; then
++ LIB_MYSQL="-L${with_mysql}/mysql/lib ${LIB_MYSQL}"
++ else
++ LIB_MYSQL="-L${with_mysql}/mysql/lib ${LIB_MYSQL} $andrew_cv_runpath_switch${with_mysql}/mysql/lib"
++ fi
++
++ elif test -d ${with_mysql}/lib; then
++
++ # this is CMU ADD LIBPATH TO
++ if test "$andrew_cv_runpath_switch" = "none" ; then
++ LIB_MYSQL="-L${with_mysql}/lib ${LIB_MYSQL}"
++ else
++ LIB_MYSQL="-L${with_mysql}/lib ${LIB_MYSQL} $andrew_cv_runpath_switch${with_mysql}/lib"
++ fi
++
++ else
++
++ # this is CMU ADD LIBPATH TO
++ if test "$andrew_cv_runpath_switch" = "none" ; then
++ LIB_MYSQL="-L${with_mysql} ${LIB_MYSQL}"
++ else
++ LIB_MYSQL="-L${with_mysql} ${LIB_MYSQL} $andrew_cv_runpath_switch${with_mysql}"
++ fi
+
+ fi
+
+@@ -14296,6 +14485,8 @@ $as_echo "$as_me: WARNING: MySQL Library
+ CPPFLAGS="${CPPFLAGS} -I${with_mysql}/mysql/include"
+ elif test -d ${with_mysql}/include; then
+ CPPFLAGS="${CPPFLAGS} -I${with_mysql}/include"
++ elif test -d ${prefix}/include/mysql; then
++ CPPFLAGS="${CPPFLAGS} -I${prefix}/include/mysql"
+ else
+ CPPFLAGS="${CPPFLAGS} -I${with_mysql}"
+ fi
+@@ -14416,8 +14607,90 @@ LIB_PGSQL=""
+
+ case "$with_pgsql" in
+ no) true;;
+- notfound) { $as_echo "$as_me:$LINENO: WARNING: PostgreSQL Library not found" >&5
+-$as_echo "$as_me: WARNING: PostgreSQL Library not found" >&2;}; true;;
++ notfound)
++ LIB_PGSQL="-lpq"
++ # CPPFLAGS="${CPPFLAGS} -I`pg_config --includedir`"
++ save_LDFLAGS=$LDFLAGS
++ LDFLAGS="$LDFLAGS $LIB_PGSQL"
++ { $as_echo "$as_me:$LINENO: checking for PQsetdbLogin in -lpq" >&5
++$as_echo_n "checking for PQsetdbLogin in -lpq... " >&6; }
++if test "${ac_cv_lib_pq_PQsetdbLogin+set}" = set; then
++ $as_echo_n "(cached) " >&6
++else
++ ac_check_lib_save_LIBS=$LIBS
++LIBS="-lpq $LIBS"
++cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h. */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h. */
++
++/* Override any GCC internal prototype to avoid an error.
++ Use char because int might match the return type of a GCC
++ builtin and then its argument prototype would still apply. */
++#ifdef __cplusplus
++extern "C"
++#endif
++char PQsetdbLogin ();
++int
++main ()
++{
++return PQsetdbLogin ();
++ ;
++ return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext conftest$ac_exeext
++if { (ac_try="$ac_link"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++ (eval "$ac_link") 2>conftest.er1
++ ac_status=$?
++ grep -v '^ *+' conftest.er1 >conftest.err
++ rm -f conftest.er1
++ cat conftest.err >&5
++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++ (exit $ac_status); } && {
++ test -z "$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ } && test -s conftest$ac_exeext && {
++ test "$cross_compiling" = yes ||
++ $as_test_x conftest$ac_exeext
++ }; then
++ ac_cv_lib_pq_PQsetdbLogin=yes
++else
++ $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++ ac_cv_lib_pq_PQsetdbLogin=no
++fi
++
++rm -rf conftest.dSYM
++rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
++ conftest$ac_exeext conftest.$ac_ext
++LIBS=$ac_check_lib_save_LIBS
++fi
++{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_pq_PQsetdbLogin" >&5
++$as_echo "$ac_cv_lib_pq_PQsetdbLogin" >&6; }
++if test "x$ac_cv_lib_pq_PQsetdbLogin" = x""yes; then
++
++cat >>confdefs.h <<\_ACEOF
++#define HAVE_PGSQL /**/
++_ACEOF
++
++else
++ { $as_echo "$as_me:$LINENO: WARNING: PostgreSQL Library pq does not work" >&5
++$as_echo "$as_me: WARNING: PostgreSQL Library pq does not work" >&2;}
++ with_pgsql=no
++fi
++
++ LDFLAGS=$save_LDFLAGS
++ ;;
+ *)
+ if test -d ${with_pgsql}/lib/pgsql; then
+
+@@ -14466,6 +14739,8 @@ $as_echo "$as_me: WARNING: PostgreSQL Li
+ CPPFLAGS="${CPPFLAGS} -I${with_pgsql}/pgsql/include"
+ elif test -d ${with_pgsql}/include; then
+ CPPFLAGS="${CPPFLAGS} -I${with_pgsql}/include"
++ elif test -d ${prefix}/include; then
++ CPPFLAGS="${CPPFLAGS} -I${prefix}/include"
+ else
+ CPPFLAGS="${CPPFLAGS} -I${with_pgsql}"
+ fi
+@@ -18166,116 +18441,989 @@ fi
+
+ done
+
+-ac_fn_c_check_type "$LINENO" "long long" "ac_cv_type_long_long" "
+-#ifdef HAVE_INTTYPES_H
+-#include <inttypes.h>
+-#endif
+-"
+-if test "x$ac_cv_type_long_long" = xyes; then :
+-
+-cat >>confdefs.h <<_ACEOF
+-#define HAVE_LONG_LONG 1
++{ $as_echo "$as_me:$LINENO: checking for long long" >&5
++$as_echo_n "checking for long long... " >&6; }
++if test "${ac_cv_type_long_long+set}" = set; then
++ $as_echo_n "(cached) " >&6
++else
++ ac_cv_type_long_long=no
++cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h. */
+ _ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h. */
+
+-
+-fi
+-ac_fn_c_check_type "$LINENO" "int8_t" "ac_cv_type_int8_t" "
+ #ifdef HAVE_INTTYPES_H
+ #include <inttypes.h>
+ #endif
+-"
+-if test "x$ac_cv_type_int8_t" = xyes; then :
+
+-cat >>confdefs.h <<_ACEOF
+-#define HAVE_INT8_T 1
++int
++main ()
++{
++if (sizeof (long long))
++ return 0;
++ ;
++ return 0;
++}
+ _ACEOF
+-
+-
+-fi
+-ac_fn_c_check_type "$LINENO" "uint8_t" "ac_cv_type_uint8_t" "
+-#ifdef HAVE_INTTYPES_H
+-#include <inttypes.h>
+-#endif
+-"
+-if test "x$ac_cv_type_uint8_t" = xyes; then :
+-
+-cat >>confdefs.h <<_ACEOF
+-#define HAVE_UINT8_T 1
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++ (eval "$ac_compile") 2>conftest.er1
++ ac_status=$?
++ grep -v '^ *+' conftest.er1 >conftest.err
++ rm -f conftest.er1
++ cat conftest.err >&5
++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++ (exit $ac_status); } && {
++ test -z "$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ } && test -s conftest.$ac_objext; then
++ cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h. */
+ _ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h. */
+
+-
+-fi
+-ac_fn_c_check_type "$LINENO" "int16_t" "ac_cv_type_int16_t" "
+ #ifdef HAVE_INTTYPES_H
+ #include <inttypes.h>
+ #endif
+-"
+-if test "x$ac_cv_type_int16_t" = xyes; then :
+
+-cat >>confdefs.h <<_ACEOF
+-#define HAVE_INT16_T 1
++int
++main ()
++{
++if (sizeof ((long long)))
++ return 0;
++ ;
++ return 0;
++}
+ _ACEOF
+-
+-
+-fi
+-ac_fn_c_check_type "$LINENO" "uint16_t" "ac_cv_type_uint16_t" "
+-#ifdef HAVE_INTTYPES_H
+-#include <inttypes.h>
+-#endif
+-"
+-if test "x$ac_cv_type_uint16_t" = xyes; then :
+-
+-cat >>confdefs.h <<_ACEOF
+-#define HAVE_UINT16_T 1
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++ (eval "$ac_compile") 2>conftest.er1
++ ac_status=$?
++ grep -v '^ *+' conftest.er1 >conftest.err
++ rm -f conftest.er1
++ cat conftest.err >&5
++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++ (exit $ac_status); } && {
++ test -z "$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ } && test -s conftest.$ac_objext; then
++ :
++else
++ $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++ ac_cv_type_long_long=yes
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++else
++ $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++fi
++{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_long_long" >&5
++$as_echo "$ac_cv_type_long_long" >&6; }
++if test "x$ac_cv_type_long_long" = x""yes; then
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_LONG_LONG 1
+ _ACEOF
+
+
+ fi
+-ac_fn_c_check_type "$LINENO" "int32_t" "ac_cv_type_int32_t" "
++{ $as_echo "$as_me:$LINENO: checking for int8_t" >&5
++$as_echo_n "checking for int8_t... " >&6; }
++if test "${ac_cv_type_int8_t+set}" = set; then
++ $as_echo_n "(cached) " >&6
++else
++ ac_cv_type_int8_t=no
++cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h. */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h. */
++
+ #ifdef HAVE_INTTYPES_H
+ #include <inttypes.h>
+ #endif
+-"
+-if test "x$ac_cv_type_int32_t" = xyes; then :
+
+-cat >>confdefs.h <<_ACEOF
+-#define HAVE_INT32_T 1
++int
++main ()
++{
++if (sizeof (int8_t))
++ return 0;
++ ;
++ return 0;
++}
+ _ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++ (eval "$ac_compile") 2>conftest.er1
++ ac_status=$?
++ grep -v '^ *+' conftest.er1 >conftest.err
++ rm -f conftest.er1
++ cat conftest.err >&5
++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++ (exit $ac_status); } && {
++ test -z "$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ } && test -s conftest.$ac_objext; then
++ cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h. */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h. */
+
+-
+-fi
+-ac_fn_c_check_type "$LINENO" "uint32_t" "ac_cv_type_uint32_t" "
+ #ifdef HAVE_INTTYPES_H
+ #include <inttypes.h>
+ #endif
+-"
+-if test "x$ac_cv_type_uint32_t" = xyes; then :
++
++int
++main ()
++{
++if (sizeof ((int8_t)))
++ return 0;
++ ;
++ return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++ (eval "$ac_compile") 2>conftest.er1
++ ac_status=$?
++ grep -v '^ *+' conftest.er1 >conftest.err
++ rm -f conftest.er1
++ cat conftest.err >&5
++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++ (exit $ac_status); } && {
++ test -z "$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ } && test -s conftest.$ac_objext; then
++ :
++else
++ $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++ ac_cv_type_int8_t=yes
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++else
++ $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++fi
++{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_int8_t" >&5
++$as_echo "$ac_cv_type_int8_t" >&6; }
++if test "x$ac_cv_type_int8_t" = x""yes; then
+
+ cat >>confdefs.h <<_ACEOF
+-#define HAVE_UINT32_T 1
++#define HAVE_INT8_T 1
+ _ACEOF
+
+
+ fi
+-ac_fn_c_check_type "$LINENO" "int64_t" "ac_cv_type_int64_t" "
++{ $as_echo "$as_me:$LINENO: checking for uint8_t" >&5
++$as_echo_n "checking for uint8_t... " >&6; }
++if test "${ac_cv_type_uint8_t+set}" = set; then
++ $as_echo_n "(cached) " >&6
++else
++ ac_cv_type_uint8_t=no
++cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h. */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h. */
++
+ #ifdef HAVE_INTTYPES_H
+ #include <inttypes.h>
+ #endif
+-"
+-if test "x$ac_cv_type_int64_t" = xyes; then :
++
++int
++main ()
++{
++if (sizeof (uint8_t))
++ return 0;
++ ;
++ return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++ (eval "$ac_compile") 2>conftest.er1
++ ac_status=$?
++ grep -v '^ *+' conftest.er1 >conftest.err
++ rm -f conftest.er1
++ cat conftest.err >&5
++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++ (exit $ac_status); } && {
++ test -z "$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ } && test -s conftest.$ac_objext; then
++ cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h. */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h. */
++
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++
++int
++main ()
++{
++if (sizeof ((uint8_t)))
++ return 0;
++ ;
++ return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++ (eval "$ac_compile") 2>conftest.er1
++ ac_status=$?
++ grep -v '^ *+' conftest.er1 >conftest.err
++ rm -f conftest.er1
++ cat conftest.err >&5
++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++ (exit $ac_status); } && {
++ test -z "$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ } && test -s conftest.$ac_objext; then
++ :
++else
++ $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++ ac_cv_type_uint8_t=yes
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++else
++ $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++fi
++{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_uint8_t" >&5
++$as_echo "$ac_cv_type_uint8_t" >&6; }
++if test "x$ac_cv_type_uint8_t" = x""yes; then
+
+ cat >>confdefs.h <<_ACEOF
+-#define HAVE_INT64_T 1
++#define HAVE_UINT8_T 1
+ _ACEOF
+
+
+ fi
+-ac_fn_c_check_type "$LINENO" "uint64_t" "ac_cv_type_uint64_t" "
++{ $as_echo "$as_me:$LINENO: checking for int16_t" >&5
++$as_echo_n "checking for int16_t... " >&6; }
++if test "${ac_cv_type_int16_t+set}" = set; then
++ $as_echo_n "(cached) " >&6
++else
++ ac_cv_type_int16_t=no
++cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h. */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h. */
++
+ #ifdef HAVE_INTTYPES_H
+ #include <inttypes.h>
+ #endif
+-"
+-if test "x$ac_cv_type_uint64_t" = xyes; then :
++
++int
++main ()
++{
++if (sizeof (int16_t))
++ return 0;
++ ;
++ return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++ (eval "$ac_compile") 2>conftest.er1
++ ac_status=$?
++ grep -v '^ *+' conftest.er1 >conftest.err
++ rm -f conftest.er1
++ cat conftest.err >&5
++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++ (exit $ac_status); } && {
++ test -z "$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ } && test -s conftest.$ac_objext; then
++ cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h. */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h. */
++
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++
++int
++main ()
++{
++if (sizeof ((int16_t)))
++ return 0;
++ ;
++ return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++ (eval "$ac_compile") 2>conftest.er1
++ ac_status=$?
++ grep -v '^ *+' conftest.er1 >conftest.err
++ rm -f conftest.er1
++ cat conftest.err >&5
++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++ (exit $ac_status); } && {
++ test -z "$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ } && test -s conftest.$ac_objext; then
++ :
++else
++ $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++ ac_cv_type_int16_t=yes
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++else
++ $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++fi
++{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_int16_t" >&5
++$as_echo "$ac_cv_type_int16_t" >&6; }
++if test "x$ac_cv_type_int16_t" = x""yes; then
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_INT16_T 1
++_ACEOF
++
++
++fi
++{ $as_echo "$as_me:$LINENO: checking for uint16_t" >&5
++$as_echo_n "checking for uint16_t... " >&6; }
++if test "${ac_cv_type_uint16_t+set}" = set; then
++ $as_echo_n "(cached) " >&6
++else
++ ac_cv_type_uint16_t=no
++cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h. */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h. */
++
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++
++int
++main ()
++{
++if (sizeof (uint16_t))
++ return 0;
++ ;
++ return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++ (eval "$ac_compile") 2>conftest.er1
++ ac_status=$?
++ grep -v '^ *+' conftest.er1 >conftest.err
++ rm -f conftest.er1
++ cat conftest.err >&5
++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++ (exit $ac_status); } && {
++ test -z "$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ } && test -s conftest.$ac_objext; then
++ cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h. */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h. */
++
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++
++int
++main ()
++{
++if (sizeof ((uint16_t)))
++ return 0;
++ ;
++ return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++ (eval "$ac_compile") 2>conftest.er1
++ ac_status=$?
++ grep -v '^ *+' conftest.er1 >conftest.err
++ rm -f conftest.er1
++ cat conftest.err >&5
++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++ (exit $ac_status); } && {
++ test -z "$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ } && test -s conftest.$ac_objext; then
++ :
++else
++ $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++ ac_cv_type_uint16_t=yes
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++else
++ $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++fi
++{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_uint16_t" >&5
++$as_echo "$ac_cv_type_uint16_t" >&6; }
++if test "x$ac_cv_type_uint16_t" = x""yes; then
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_UINT16_T 1
++_ACEOF
++
++
++fi
++{ $as_echo "$as_me:$LINENO: checking for int32_t" >&5
++$as_echo_n "checking for int32_t... " >&6; }
++if test "${ac_cv_type_int32_t+set}" = set; then
++ $as_echo_n "(cached) " >&6
++else
++ ac_cv_type_int32_t=no
++cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h. */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h. */
++
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++
++int
++main ()
++{
++if (sizeof (int32_t))
++ return 0;
++ ;
++ return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++ (eval "$ac_compile") 2>conftest.er1
++ ac_status=$?
++ grep -v '^ *+' conftest.er1 >conftest.err
++ rm -f conftest.er1
++ cat conftest.err >&5
++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++ (exit $ac_status); } && {
++ test -z "$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ } && test -s conftest.$ac_objext; then
++ cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h. */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h. */
++
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++
++int
++main ()
++{
++if (sizeof ((int32_t)))
++ return 0;
++ ;
++ return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++ (eval "$ac_compile") 2>conftest.er1
++ ac_status=$?
++ grep -v '^ *+' conftest.er1 >conftest.err
++ rm -f conftest.er1
++ cat conftest.err >&5
++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++ (exit $ac_status); } && {
++ test -z "$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ } && test -s conftest.$ac_objext; then
++ :
++else
++ $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++ ac_cv_type_int32_t=yes
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++else
++ $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++fi
++{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_int32_t" >&5
++$as_echo "$ac_cv_type_int32_t" >&6; }
++if test "x$ac_cv_type_int32_t" = x""yes; then
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_INT32_T 1
++_ACEOF
++
++
++fi
++{ $as_echo "$as_me:$LINENO: checking for uint32_t" >&5
++$as_echo_n "checking for uint32_t... " >&6; }
++if test "${ac_cv_type_uint32_t+set}" = set; then
++ $as_echo_n "(cached) " >&6
++else
++ ac_cv_type_uint32_t=no
++cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h. */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h. */
++
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++
++int
++main ()
++{
++if (sizeof (uint32_t))
++ return 0;
++ ;
++ return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++ (eval "$ac_compile") 2>conftest.er1
++ ac_status=$?
++ grep -v '^ *+' conftest.er1 >conftest.err
++ rm -f conftest.er1
++ cat conftest.err >&5
++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++ (exit $ac_status); } && {
++ test -z "$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ } && test -s conftest.$ac_objext; then
++ cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h. */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h. */
++
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++
++int
++main ()
++{
++if (sizeof ((uint32_t)))
++ return 0;
++ ;
++ return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++ (eval "$ac_compile") 2>conftest.er1
++ ac_status=$?
++ grep -v '^ *+' conftest.er1 >conftest.err
++ rm -f conftest.er1
++ cat conftest.err >&5
++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++ (exit $ac_status); } && {
++ test -z "$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ } && test -s conftest.$ac_objext; then
++ :
++else
++ $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++ ac_cv_type_uint32_t=yes
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++else
++ $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++fi
++{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_uint32_t" >&5
++$as_echo "$ac_cv_type_uint32_t" >&6; }
++if test "x$ac_cv_type_uint32_t" = x""yes; then
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_UINT32_T 1
++_ACEOF
++
++
++fi
++{ $as_echo "$as_me:$LINENO: checking for int64_t" >&5
++$as_echo_n "checking for int64_t... " >&6; }
++if test "${ac_cv_type_int64_t+set}" = set; then
++ $as_echo_n "(cached) " >&6
++else
++ ac_cv_type_int64_t=no
++cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h. */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h. */
++
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++
++int
++main ()
++{
++if (sizeof (int64_t))
++ return 0;
++ ;
++ return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++ (eval "$ac_compile") 2>conftest.er1
++ ac_status=$?
++ grep -v '^ *+' conftest.er1 >conftest.err
++ rm -f conftest.er1
++ cat conftest.err >&5
++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++ (exit $ac_status); } && {
++ test -z "$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ } && test -s conftest.$ac_objext; then
++ cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h. */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h. */
++
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++
++int
++main ()
++{
++if (sizeof ((int64_t)))
++ return 0;
++ ;
++ return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++ (eval "$ac_compile") 2>conftest.er1
++ ac_status=$?
++ grep -v '^ *+' conftest.er1 >conftest.err
++ rm -f conftest.er1
++ cat conftest.err >&5
++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++ (exit $ac_status); } && {
++ test -z "$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ } && test -s conftest.$ac_objext; then
++ :
++else
++ $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++ ac_cv_type_int64_t=yes
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++else
++ $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++fi
++{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_int64_t" >&5
++$as_echo "$ac_cv_type_int64_t" >&6; }
++if test "x$ac_cv_type_int64_t" = x""yes; then
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_INT64_T 1
++_ACEOF
++
++
++fi
++{ $as_echo "$as_me:$LINENO: checking for uint64_t" >&5
++$as_echo_n "checking for uint64_t... " >&6; }
++if test "${ac_cv_type_uint64_t+set}" = set; then
++ $as_echo_n "(cached) " >&6
++else
++ ac_cv_type_uint64_t=no
++cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h. */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h. */
++
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++
++int
++main ()
++{
++if (sizeof (uint64_t))
++ return 0;
++ ;
++ return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++ (eval "$ac_compile") 2>conftest.er1
++ ac_status=$?
++ grep -v '^ *+' conftest.er1 >conftest.err
++ rm -f conftest.er1
++ cat conftest.err >&5
++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++ (exit $ac_status); } && {
++ test -z "$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ } && test -s conftest.$ac_objext; then
++ cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h. */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h. */
++
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++
++int
++main ()
++{
++if (sizeof ((uint64_t)))
++ return 0;
++ ;
++ return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++ (eval "$ac_compile") 2>conftest.er1
++ ac_status=$?
++ grep -v '^ *+' conftest.er1 >conftest.err
++ rm -f conftest.er1
++ cat conftest.err >&5
++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++ (exit $ac_status); } && {
++ test -z "$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ } && test -s conftest.$ac_objext; then
++ :
++else
++ $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++ ac_cv_type_uint64_t=yes
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++else
++ $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++fi
++{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_uint64_t" >&5
++$as_echo "$ac_cv_type_uint64_t" >&6; }
++if test "x$ac_cv_type_uint64_t" = x""yes; then
+
+ cat >>confdefs.h <<_ACEOF
+ #define HAVE_UINT64_T 1
diff --git a/SOURCES/cyrus-sasl-2.1.26-warnings.patch b/SOURCES/cyrus-sasl-2.1.26-warnings.patch
new file mode 100644
index 0000000..f7127bb
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-warnings.patch
@@ -0,0 +1,74 @@
+diff -up cyrus-sasl-2.1.26/lib/server.c.warnings cyrus-sasl-2.1.26/lib/server.c
+--- cyrus-sasl-2.1.26/lib/server.c.warnings 2012-10-12 16:05:48.000000000 +0200
++++ cyrus-sasl-2.1.26/lib/server.c 2012-12-20 17:49:39.620254792 +0100
+@@ -650,7 +650,7 @@ static int load_config(const sasl_callba
+ goto done;
+ }
+
+- snprintf(config_filename, len, "%.*s%c%s.conf", path_len, path_to_config,
++ snprintf(config_filename, len, "%.*s%c%s.conf", (int)path_len, path_to_config,
+ HIER_DELIMITER, global_callbacks.appname);
+
+ /* Ask the application if it's safe to use this file */
+diff -up cyrus-sasl-2.1.26/plugins/gssapi.c.warnings cyrus-sasl-2.1.26/plugins/gssapi.c
+--- cyrus-sasl-2.1.26/plugins/gssapi.c.warnings 2012-01-28 00:31:36.000000000 +0100
++++ cyrus-sasl-2.1.26/plugins/gssapi.c 2012-12-20 17:49:39.620254792 +0100
+@@ -202,7 +202,8 @@ sasl_gss_seterror_(const sasl_utils_t *u
+ OM_uint32 msg_ctx;
+ int ret;
+ char *out = NULL;
+- size_t len, curlen = 0;
++ size_t len;
++ unsigned curlen = 0;
+ const char prefix[] = "GSSAPI Error: ";
+
+ if (!utils) return SASL_OK;
+diff -up cyrus-sasl-2.1.26/plugins/ldapdb.c.warnings cyrus-sasl-2.1.26/plugins/ldapdb.c
+--- cyrus-sasl-2.1.26/plugins/ldapdb.c.warnings 2012-01-28 00:31:36.000000000 +0100
++++ cyrus-sasl-2.1.26/plugins/ldapdb.c 2012-12-20 17:49:39.621254788 +0100
+@@ -22,6 +22,7 @@
+
+ #include "plugin_common.h"
+
++#define LDAP_DEPRECATED 1
+ #include <ldap.h>
+
+ static char ldapdb[] = "ldapdb";
+diff -up cyrus-sasl-2.1.26/plugins/plugin_common.c.warnings cyrus-sasl-2.1.26/plugins/plugin_common.c
+--- cyrus-sasl-2.1.26/plugins/plugin_common.c.warnings 2013-09-03 14:40:35.181455452 +0200
++++ cyrus-sasl-2.1.26/plugins/plugin_common.c 2013-09-03 14:40:38.320441024 +0200
+@@ -94,7 +94,7 @@ static void sockaddr_unmapped(
+ if (!IN6_IS_ADDR_V4MAPPED((&sin6->sin6_addr)))
+ return;
+ sin4 = (struct sockaddr_in *)sa;
+- addr = *(uint32_t *)&sin6->sin6_addr.s6_addr[12];
++ addr = *(uint32_t *)&sin6->sin6_addr.s6_addr32[3];
+ port = sin6->sin6_port;
+ memset(sin4, 0, sizeof(struct sockaddr_in));
+ sin4->sin_addr.s_addr = addr;
+diff -up cyrus-sasl-2.1.26/saslauthd/auth_httpform.c.warnings cyrus-sasl-2.1.26/saslauthd/auth_httpform.c
+--- cyrus-sasl-2.1.26/saslauthd/auth_httpform.c.warnings 2012-10-12 16:05:48.000000000 +0200
++++ cyrus-sasl-2.1.26/saslauthd/auth_httpform.c 2013-09-03 14:39:25.411776109 +0200
+@@ -574,7 +574,7 @@ auth_httpform (
+ "Content-Type: application/x-www-form-urlencoded" CRLF
+ "Content-Length: %d" TWO_CRLF
+ "%s",
+- r_uri, r_host, r_port, strlen(req), req);
++ r_uri, r_host, r_port, (int)strlen(req), req);
+
+ if (flags & VERBOSE) {
+ syslog(LOG_DEBUG, "auth_httpform: sending %s %s %s",
+diff -up cyrus-sasl-2.1.26/saslauthd/auth_shadow.c.warnings cyrus-sasl-2.1.26/saslauthd/auth_shadow.c
+--- cyrus-sasl-2.1.26/saslauthd/auth_shadow.c.warnings 2012-10-12 16:05:48.000000000 +0200
++++ cyrus-sasl-2.1.26/saslauthd/auth_shadow.c 2012-12-20 17:49:39.621254788 +0100
+@@ -70,6 +70,10 @@
+ # include <shadow.h>
+ # endif /* ! HAVE_GETUSERPW */
+
++# ifdef HAVE_CRYPT_H
++# include <crypt.h>
++# endif
++
+ # include "auth_shadow.h"
+ # include "globals.h"
+ /* END PUBLIC DEPENDENCIES */
diff --git a/SOURCES/make-no-dlcompatorsrp-tarball.sh b/SOURCES/make-no-dlcompatorsrp-tarball.sh
new file mode 100755
index 0000000..a0a3245
--- /dev/null
+++ b/SOURCES/make-no-dlcompatorsrp-tarball.sh
@@ -0,0 +1,41 @@
+#!/bin/bash -e
+#
+# See ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/ for unmodified sources.
+#
+
+tmppath=`mktemp -d ${TMPDIR:-/tmp}/make-no-dlcompat-tarball-XXXXXX`
+if test -z "$tmppath" ; then
+ echo Error creating temporary directory.
+ exit 1
+fi
+trap "rm -fr $tmppath" EXIT
+
+initialdir=`pwd`
+
+for tarball in ${initialdir}/cyrus-sasl-*.tar.{gz,bz2} ; do
+ if ! test -s "$tarball" ; then
+ continue
+ fi
+ rm -fr $tmppath/*
+ pushd $tmppath > /dev/null
+ case "$tarball" in
+ *nodlcompat*)
+ : Do nothing.
+ ;;
+ *.gz)
+ gzip -dc "$tarball" | tar xf -
+ rm -fr cyrus-sasl-*/dlcompat*
+ rm -fr cyrus-sasl-*/plugins/srp*
+ tar cf - * | gzip -9c > \
+ $initialdir/`basename $tarball .tar.gz`-nodlcompatorsrp.tar.gz
+ ;;
+ *.bz2)
+ bzip2 -dc "$tarball" | tar xf -
+ rm -fr cyrus-sasl-*/dlcompat*
+ rm -fr cyrus-sasl-*/plugins/srp*
+ tar cf - * | bzip2 -9c > \
+ $initialdir/`basename $tarball .tar.bz2`-nodlcompatorsrp.tar.bz2
+ ;;
+ esac
+ popd > /dev/null
+done
diff --git a/SOURCES/sasl-checkpass.c b/SOURCES/sasl-checkpass.c
new file mode 100644
index 0000000..27a0b94
--- /dev/null
+++ b/SOURCES/sasl-checkpass.c
@@ -0,0 +1,185 @@
+#include <errno.h>
+#include <getopt.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "sasl.h"
+#ifdef SASL2
+static int main_requested_sasl_version = 2;
+#else
+static int main_requested_sasl_version = 1;
+#endif
+
+static int main_verbose = 0;
+
+static int
+my_getopt(void *context, const char *plugin_name,
+ const char *option, const char **result, unsigned *len)
+{
+ if (result) {
+ *result = NULL;
+ if (strcmp(option, "pwcheck_method") == 0) {
+ *result = "saslauthd";
+ }
+ if (strcmp(option, "saslauthd_version") == 0) {
+ switch (main_requested_sasl_version) {
+ case 1:
+ *result = "1";
+ break;
+ case 2:
+ *result = "2";
+ break;
+ default:
+#ifdef SASL2
+ *result = "2";
+#else
+ *result = "1";
+#endif
+ break;
+ }
+ }
+ if (main_verbose) {
+ fprintf(stderr, "Getopt plugin=%s%s%s/option=%s%s%s -> ",
+ plugin_name ? "\"" : "",
+ plugin_name ? plugin_name : "(null)",
+ plugin_name ? "\"" : "",
+ option ? "\"" : "",
+ option ? option : "(null)",
+ option ? "\"" : "");
+ fprintf(stderr, "'%s'.\n", *result ? *result : "");
+ }
+ }
+ if (len) {
+ *len = 0;
+ }
+ return 0;
+}
+
+int
+main(int argc, char **argv)
+{
+ const char *user, *realm, *passwd, *service, *mechs, **globals, *err;
+ int c, ret;
+ sasl_callback_t callbacks[] = {
+ {SASL_CB_GETOPT, my_getopt, NULL},
+ {SASL_CB_LIST_END},
+ };
+ sasl_conn_t *connection;
+ char hostname[512];
+ char fulluser[512]; /* XXX: may overflow */
+
+ user = realm = passwd = service = "";
+ strcpy(hostname, "localhost");
+ gethostname(hostname, sizeof(hostname));
+
+ while ((c = getopt(argc, argv, "u:r:p:s:h:12v")) != -1) {
+ switch (c) {
+ case 'u':
+ user = optarg;
+ break;
+ case 'r':
+ realm = optarg;
+ break;
+ case 'p':
+ passwd = optarg;
+ break;
+ case 's':
+ service = optarg;
+ break;
+ case 'h':
+ strncpy(hostname, optarg, sizeof(hostname) - 1);
+ hostname[sizeof(hostname) - 1] = '\0';
+ break;
+ case '1':
+ main_requested_sasl_version = 1;
+ break;
+ case '2':
+ main_requested_sasl_version = 2;
+ break;
+ case 'v':
+ main_verbose++;
+ break;
+ default:
+ printf("Usage: %s [-v] [-1] [-2] "
+ "[-h hostname] "
+ "[-u user] "
+ "[-r realm] "
+ "[-p password] "
+ "[-s service] "
+ "\n", argv[0]);
+ return 2;
+ break;
+ }
+ }
+ if ((strlen(user) == 0) || (strlen(passwd) == 0)) {
+ printf("Usage: %s [-v] [-1] [-2] "
+ "[-h hostname] "
+ "[-u user] "
+ "[-r realm] "
+ "[-p password] "
+ "[-s service] "
+ "\n", argv[0]);
+ return 2;
+ }
+ if (realm && (strlen(realm) > 0)) {
+ sprintf(fulluser, "%s@%s", user, realm);
+ } else {
+ sprintf(fulluser, "%s", user);
+ }
+
+ ret = sasl_server_init(callbacks,
+ strlen(service) ? service : "sasl-checkpass");
+ if (ret != SASL_OK) {
+ fprintf(stderr, "Error in sasl_server_init(): %s\n",
+ sasl_errstring(ret, NULL, NULL));
+ }
+
+ connection = NULL;
+ ret = sasl_server_new(strlen(service) ? service : "sasl-checkpass",
+ hostname,
+ NULL,
+#ifdef SASL2
+ NULL,
+ NULL,
+#endif
+ callbacks,
+ 0,
+ &connection);
+ if (ret != SASL_OK) {
+ fprintf(stderr, "Error in sasl_server_new(): %s\n",
+ sasl_errstring(ret, NULL, NULL));
+ }
+
+ err = NULL;
+ ret = sasl_checkpass(connection,
+ fulluser, strlen(fulluser),
+ passwd, strlen(passwd)
+#ifndef SASL2
+ , &err
+#endif
+ );
+ switch (ret) {
+ case SASL_OK:
+ printf("OK\n");
+ break;
+ default:
+ printf("NO: %d", ret);
+ switch (ret) {
+ case SASL_FAIL:
+ err = "generic failure";
+ break;
+ case SASL_BADAUTH:
+ err = "authentication failure";
+ break;
+ default:
+ err = NULL;
+ break;
+ }
+ if (err) {
+ printf(" (%s)", err);
+ }
+ printf("\n");
+ break;
+ }
+ return ret;
+}
diff --git a/SOURCES/sasl-mechlist.c b/SOURCES/sasl-mechlist.c
new file mode 100644
index 0000000..680e983
--- /dev/null
+++ b/SOURCES/sasl-mechlist.c
@@ -0,0 +1,99 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "sasl.h"
+
+static int
+my_getopt(void *context, const char *plugin_name,
+ const char *option, const char **result, unsigned *len)
+{
+ if (result) {
+ *result = NULL;
+#if 0
+ fprintf(stderr, "Getopt plugin=%s%s%s/option=%s%s%s -> ",
+ plugin_name ? "\"" : "",
+ plugin_name ? plugin_name : "(null)",
+ plugin_name ? "\"" : "",
+ option ? "\"" : "",
+ option ? option : "(null)",
+ option ? "\"" : "");
+ fprintf(stderr, "'%s'.\n", *result ? *result : "");
+#endif
+ }
+ if (len) {
+ *len = 0;
+ }
+ return 0;
+}
+
+int
+main(int argc, char **argv)
+{
+ int ret, i;
+ const char *mechs, **globals;
+ sasl_callback_t callbacks[] = {
+ {SASL_CB_GETOPT, my_getopt, NULL},
+ {SASL_CB_LIST_END},
+ };
+ sasl_conn_t *connection;
+ char hostname[512];
+
+ if ((argc > 1) && (argv[1][0] == '-')) {
+ fprintf(stderr, "Usage: %s [appname [hostname] ]\n", argv[0]);
+ return 0;
+ }
+
+ ret = sasl_server_init(callbacks, argc > 1 ? argv[1] : "sasl-mechlist");
+ if (ret != SASL_OK) {
+ fprintf(stderr, "Error in sasl_server_init(): %s\n",
+ sasl_errstring(ret, NULL, NULL));
+ }
+
+ connection = NULL;
+ strcpy(hostname, "localhost");
+ gethostname(hostname, sizeof(hostname));
+ ret = sasl_server_new(argc > 2 ? argv[2] : "host",
+ hostname,
+ NULL,
+ NULL,
+ NULL,
+ callbacks,
+ 0,
+ &connection);
+ if (ret != SASL_OK) {
+ fprintf(stderr, "Error in sasl_server_new(): %s\n",
+ sasl_errstring(ret, NULL, NULL));
+ }
+
+ ret = sasl_listmech(connection,
+ getenv("USER") ? getenv("USER") : "root",
+ "Available mechanisms: ",
+ ",",
+ "\n",
+ &mechs,
+ NULL,
+ NULL);
+ if (ret != SASL_OK) {
+ fprintf(stderr, "Error in sasl_listmechs(): %s\n",
+ sasl_errstring(ret, NULL, NULL));
+ } else {
+ fprintf(stdout, "%s", mechs);
+ }
+
+ globals = sasl_global_listmech();
+ for (i = 0; (globals != NULL) && (globals[i] != NULL); i++) {
+ if (i == 0) {
+ fprintf(stdout, "Library supports: ");
+ }
+ fprintf(stdout, "%s", globals[i]);
+ if (globals[i + 1] != NULL) {
+ fprintf(stdout, ",");
+ } else {
+ fprintf(stdout, "\n");
+ }
+ }
+
+ return 0;
+}
diff --git a/SOURCES/saslauthd.service b/SOURCES/saslauthd.service
new file mode 100644
index 0000000..f59ab3e
--- /dev/null
+++ b/SOURCES/saslauthd.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=SASL authentication daemon.
+After=syslog.target
+
+[Service]
+Type=forking
+PIDFile=/run/saslauthd/saslauthd.pid
+EnvironmentFile=/etc/sysconfig/saslauthd
+ExecStart=/usr/sbin/saslauthd -m $SOCKETDIR -a $MECH $FLAGS
+RuntimeDirectory=saslauthd
+
+[Install]
+WantedBy=multi-user.target
diff --git a/SOURCES/saslauthd.sysconfig b/SOURCES/saslauthd.sysconfig
new file mode 100644
index 0000000..5413c36
--- /dev/null
+++ b/SOURCES/saslauthd.sysconfig
@@ -0,0 +1,11 @@
+# Directory in which to place saslauthd's listening socket, pid file, and so
+# on. This directory must already exist.
+SOCKETDIR=/run/saslauthd
+
+# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
+# of which mechanism your installation was compiled with the ablity to use.
+MECH=pam
+
+# Additional flags to pass to saslauthd on the command line. See saslauthd(8)
+# for the list of accepted flags.
+FLAGS=
diff --git a/SPECS/cyrus-sasl.spec b/SPECS/cyrus-sasl.spec
new file mode 100644
index 0000000..30c6bbf
--- /dev/null
+++ b/SPECS/cyrus-sasl.spec
@@ -0,0 +1,1120 @@
+%define username saslauth
+%define hint Saslauthd user
+%define homedir /run/saslauthd
+
+%define _plugindir2 %{_libdir}/sasl2
+%define bootstrap_cyrus_sasl 0
+
+%global _performance_build 1
+
+Summary: The Cyrus SASL library
+Name: cyrus-sasl
+Version: 2.1.26
+Release: 23%{?dist}
+License: BSD with advertising
+Group: System Environment/Libraries
+# Source0 originally comes from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/;
+# make-no-dlcompatorsrp-tarball.sh removes the "dlcompat" subdirectory and builds a
+# new tarball.
+Source0: cyrus-sasl-%{version}-nodlcompatorsrp.tar.gz
+Source5: saslauthd.service
+Source7: sasl-mechlist.c
+Source8: sasl-checkpass.c
+Source9: saslauthd.sysconfig
+Source10: make-no-dlcompatorsrp-tarball.sh
+URL: http://asg.web.cmu.edu/sasl/sasl-library.html
+Requires: %{name}-lib%{?_isa} = %{version}-%{release}
+Patch11: cyrus-sasl-2.1.25-no_rpath.patch
+Patch15: cyrus-sasl-2.1.20-saslauthd.conf-path.patch
+Patch23: cyrus-sasl-2.1.23-man.patch
+Patch24: cyrus-sasl-2.1.21-sizes.patch
+Patch31: cyrus-sasl-2.1.22-kerberos4.patch
+Patch32: cyrus-sasl-2.1.26-warnings.patch
+Patch34: cyrus-sasl-2.1.22-ldap-timeout.patch
+# removed due to #759334
+#Patch38: cyrus-sasl-2.1.23-pam_rhosts.patch
+Patch42: cyrus-sasl-2.1.26-relro.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=816250
+Patch43: cyrus-sasl-2.1.26-null-crypt.patch
+Patch44: cyrus-sasl-2.1.26-release-server_creds.patch
+# AM_CONFIG_HEADER is obsolete, use AC_CONFIG_HEADERS instead
+Patch45: cyrus-sasl-2.1.26-obsolete-macro.patch
+# missing size_t declaration in sasl.h
+Patch46: cyrus-sasl-2.1.26-size_t.patch
+# disable incorrect check for MkLinux
+Patch47: cyrus-sasl-2.1.26-ppc.patch
+# detect gsskrb5_register_acceptor_identity macro (#976538)
+Patch48: cyrus-sasl-2.1.26-keytab.patch
+Patch49: cyrus-sasl-2.1.26-md5global.patch
+# improve sql libraries detection (#1029918)
+Patch50: cyrus-sasl-2.1.26-sql.patch
+# Treat SCRAM-SHA-1/DIGEST-MD5 as more secure than PLAIN (#970718)
+Patch51: cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch
+# Revert updated GSSAPI flags as in RFC 4752 to restore backward compatibility (#1154566)
+Patch52: cyrus-sasl-2.1.26-revert-gssapi-flags.patch
+# Document ability to run saslauthd unprivileged (#1188065)
+Patch53: cyrus-sasl-2.1.26-saslauthd-user.patch
+# Support non-confidentiality/non-integrity requests from AIX SASL GSSAPI implementation (#1174322)
+Patch54: cyrus-sasl-2.1.26-gssapi-non-encrypt.patch
+# Update client library to be thread safe (#1147659)
+Patch55: cyrus-sasl-2.1.26-make-client-thread-sage.patch
+# Parsing short prefix matches the whole mechanism name (#1089267)
+Patch56: cyrus-sasl-2.1.26-handle-single-character-mechanisms.patch
+# Fix confusing message when config file has typo (#1022479)
+Patch57: cyrus-sasl-2.1.26-error-message-when-config-has-typo.patch
+# GSSAPI: Use per-connection mutex where possible (#1263017)
+Patch58: cyrus-sasl-2.1.26-gssapi-use-per-connection-mutex.patch
+# GSS-SPNEGO compatible with Windows clients (#1421663)
+Patch59: cyrus-sasl-2.1.26-gss-spnego.patch
+# Allow cyrus sasl to get the ssf from gssapi (#1431586)
+Patch60: cyrus-sasl-2.1.26-gss-ssf.patch
+
+Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+BuildRequires: autoconf, automake, libtool, gdbm-devel, groff
+BuildRequires: krb5-devel >= 1.2.2, openssl-devel, pam-devel, pkgconfig
+BuildRequires: mysql-devel, postgresql-devel, zlib-devel
+BuildRequires: libdb-devel
+%if ! %{bootstrap_cyrus_sasl}
+BuildRequires: openldap-devel
+%endif
+Requires(post): chkconfig, /sbin/service systemd-units
+Requires(pre): /usr/sbin/useradd /usr/sbin/groupadd systemd-units
+Requires(postun): /usr/sbin/userdel /usr/sbin/groupdel systemd-units
+Requires: /sbin/nologin
+Requires: systemd >= 219
+Provides: user(%username)
+Provides: group(%username)
+
+
+%description
+The %{name} package contains the Cyrus implementation of SASL.
+SASL is the Simple Authentication and Security Layer, a method for
+adding authentication support to connection-based protocols.
+
+%package lib
+Group: System Environment/Libraries
+Summary: Shared libraries needed by applications which use Cyrus SASL
+
+%description lib
+The %{name}-lib package contains shared libraries which are needed by
+applications which use the Cyrus SASL library.
+
+%package devel
+Requires: %{name}-lib%{?_isa} = %{version}-%{release}
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: pkgconfig
+Group: Development/Libraries
+Summary: Files needed for developing applications with Cyrus SASL
+
+%description devel
+The %{name}-devel package contains files needed for developing and
+compiling applications which use the Cyrus SASL library.
+
+%package gssapi
+Requires: %{name}-lib%{?_isa} = %{version}-%{release}
+Group: System Environment/Libraries
+Summary: GSSAPI authentication support for Cyrus SASL
+
+%description gssapi
+The %{name}-gssapi package contains the Cyrus SASL plugins which
+support GSSAPI authentication. GSSAPI is commonly used for Kerberos
+authentication.
+
+%package plain
+Requires: %{name}-lib%{?_isa} = %{version}-%{release}
+Group: System Environment/Libraries
+Summary: PLAIN and LOGIN authentication support for Cyrus SASL
+
+%description plain
+The %{name}-plain package contains the Cyrus SASL plugins which support
+PLAIN and LOGIN authentication schemes.
+
+%package md5
+Requires: %{name}-lib%{?_isa} = %{version}-%{release}
+Group: System Environment/Libraries
+Summary: CRAM-MD5 and DIGEST-MD5 authentication support for Cyrus SASL
+
+%description md5
+The %{name}-md5 package contains the Cyrus SASL plugins which support
+CRAM-MD5 and DIGEST-MD5 authentication schemes.
+
+%package ntlm
+Requires: %{name}-lib%{?_isa} = %{version}-%{release}
+Group: System Environment/Libraries
+Summary: NTLM authentication support for Cyrus SASL
+
+%description ntlm
+The %{name}-ntlm package contains the Cyrus SASL plugin which supports
+the NTLM authentication scheme.
+
+# This would more appropriately be named cyrus-sasl-auxprop-sql.
+%package sql
+Requires: %{name}-lib%{?_isa} = %{version}-%{release}
+Group: System Environment/Libraries
+Summary: SQL auxprop support for Cyrus SASL
+
+%description sql
+The %{name}-sql package contains the Cyrus SASL plugin which supports
+using a RDBMS for storing shared secrets.
+
+%if ! %{bootstrap_cyrus_sasl}
+# This was *almost* named cyrus-sasl-auxprop-ldapdb, but that's a lot of typing.
+%package ldap
+Requires: %{name}-lib%{?_isa} = %{version}-%{release}
+Group: System Environment/Libraries
+Summary: LDAP auxprop support for Cyrus SASL
+
+%description ldap
+The %{name}-ldap package contains the Cyrus SASL plugin which supports using
+a directory server, accessed using LDAP, for storing shared secrets.
+%endif
+
+%package scram
+Requires: %{name}-lib%{?_isa} = %{version}-%{release}
+Group: System Environment/Libraries
+Summary: SCRAM auxprop support for Cyrus SASL
+
+%description scram
+The %{name}-scram package contains the Cyrus SASL plugin which supports
+the SCRAM authentication scheme.
+
+%package gs2
+Requires: %{name}-lib%{?_isa} = %{version}-%{release}
+Group: System Environment/Libraries
+Summary: GS2 support for Cyrus SASL
+
+%description gs2
+The %{name}-gs2 package contains the Cyrus SASL plugin which supports
+the GS2 authentication scheme.
+
+###
+
+
+%prep
+%setup -q
+chmod -x doc/*.html
+chmod -x include/*.h
+%patch11 -p1 -b .no_rpath
+%patch15 -p1 -b .path
+%patch23 -p1 -b .man
+%patch24 -p1 -b .sizes
+%patch31 -p1 -b .krb4
+%patch32 -p1 -b .warnings
+%patch34 -p1 -b .ldap-timeout
+%patch42 -p1 -b .relro
+%patch43 -p1 -b .null-crypt
+%patch44 -p1 -b .release-server_creds
+%patch45 -p1 -b .obsolete-macro
+%patch46 -p1 -b .size_t
+%patch47 -p1 -b .ppc
+%patch48 -p1 -b .keytab
+%patch49 -p1 -b .md5global.h
+%patch50 -p1 -b .sql
+%patch51 -p1 -b .sha1vsplain
+%patch52 -p1 -b .revert
+%patch53 -p1 -b .man-unprivileged
+%patch54 -p1 -b .gssapi_non_encrypt
+%patch55 -p1 -b .threads
+%patch56 -p1 -b .prefix
+%patch57 -p1 -b .typo
+%patch58 -p1 -b .mutex
+%patch59 -p1 -b .spnego
+%patch60 -p1 -b .ssf
+
+
+%build
+# Find Kerberos.
+krb5_prefix=`krb5-config --prefix`
+if test x$krb5_prefix = x%{_prefix} ; then
+ krb5_prefix=
+else
+ CPPFLAGS="-I${krb5_prefix}/include $CPPFLAGS"; export CPPFLAGS
+ LDFLAGS="-L${krb5_prefix}/%{_lib} $LDFLAGS"; export LDFLAGS
+fi
+
+# Find OpenSSL.
+LIBS="-lcrypt"; export LIBS
+if pkg-config openssl ; then
+ CPPFLAGS="`pkg-config --cflags-only-I openssl` $CPPFLAGS"; export CPPFLAGS
+ LDFLAGS="`pkg-config --libs-only-L openssl` $LDFLAGS"; export LDFLAGS
+fi
+
+# Find the MySQL libraries used needed by the SQL auxprop plugin.
+INC_DIR="`mysql_config --include`"
+if test x"$INC_DIR" != "x-I%{_includedir}"; then
+ CPPFLAGS="$INC_DIR $CPPFLAGS"; export CPPFLAGS
+fi
+LIB_DIR="`mysql_config --libs | sed -e 's,-[^L][^ ]*,,g' -e 's,^ *,,' -e 's, *$,,' -e 's, *, ,g'`"
+if test x"$LIB_DIR" != "x-L%{_libdir}"; then
+ LDFLAGS="$LIB_DIR $LDFLAGS"; export LDFLAGS
+fi
+
+# Find the PostgreSQL libraries used needed by the SQL auxprop plugin.
+INC_DIR="-I`pg_config --includedir`"
+if test x"$INC_DIR" != "x-I%{_includedir}"; then
+ CPPFLAGS="$INC_DIR $CPPFLAGS"; export CPPFLAGS
+fi
+LIB_DIR="-L`pg_config --libdir`"
+if test x"$LIB_DIR" != "x-L%{_libdir}"; then
+ LDFLAGS="$LIB_DIR $LDFLAGS"; export LDFLAGS
+fi
+
+CFLAGS="$RPM_OPT_FLAGS $CFLAGS $CPPFLAGS -fPIE"; export CFLAGS
+LDFLAGS="$LDFLAGS -pie -Wl,-z,now"; export LDFLAGS
+
+echo "$CFLAGS"
+echo "$CPPFLAGS"
+echo "$LDFLAGS"
+
+%configure \
+ --enable-shared --disable-static \
+ --disable-java \
+ --with-plugindir=%{_plugindir2} \
+ --with-configdir=%{_plugindir2}:%{_sysconfdir}/sasl2 \
+ --disable-krb4 \
+ --enable-gssapi${krb5_prefix:+=${krb5_prefix}} \
+ --with-gss_impl=mit \
+ --with-rc4 \
+ --with-dblib=berkeley \
+ --with-bdb=db \
+ --with-saslauthd=/run/saslauthd --without-pwcheck \
+%if ! %{bootstrap_cyrus_sasl}
+ --with-ldap \
+%endif
+ --with-devrandom=/dev/urandom \
+ --enable-anon \
+ --enable-cram \
+ --enable-digest \
+ --enable-ntlm \
+ --enable-plain \
+ --enable-login \
+ --enable-alwaystrue \
+ --enable-httpform \
+ --disable-otp \
+%if ! %{bootstrap_cyrus_sasl}
+ --enable-ldapdb \
+%endif
+ --enable-sql --with-mysql=yes --with-pgsql=yes \
+ --without-sqlite \
+ "$@"
+ # --enable-auth-sasldb -- EXPERIMENTAL
+make sasldir=%{_plugindir2}
+make -C saslauthd testsaslauthd
+make -C sample
+
+# Build a small program to list the available mechanisms, because I need it.
+pushd lib
+../libtool --mode=link %{__cc} -o sasl2-shared-mechlist -I../include $CFLAGS %{SOURCE7} $LDFLAGS ./libsasl2.la
+
+
+%install
+test "$RPM_BUILD_ROOT" != "/" && rm -rf $RPM_BUILD_ROOT
+
+make install DESTDIR=$RPM_BUILD_ROOT sasldir=%{_plugindir2}
+make install DESTDIR=$RPM_BUILD_ROOT sasldir=%{_plugindir2} -C plugins
+
+install -m755 -d $RPM_BUILD_ROOT%{_bindir}
+./libtool --mode=install \
+install -m755 sample/client $RPM_BUILD_ROOT%{_bindir}/sasl2-sample-client
+./libtool --mode=install \
+install -m755 sample/server $RPM_BUILD_ROOT%{_bindir}/sasl2-sample-server
+./libtool --mode=install \
+install -m755 saslauthd/testsaslauthd $RPM_BUILD_ROOT%{_sbindir}/testsaslauthd
+
+# Install the saslauthd mdoc page in the expected location. Sure, it's not
+# really a man page, but groff seems to be able to cope with it.
+install -m755 -d $RPM_BUILD_ROOT%{_mandir}/man8/
+install -m644 -p saslauthd/saslauthd.mdoc $RPM_BUILD_ROOT%{_mandir}/man8/saslauthd.8
+install -m644 -p saslauthd/testsaslauthd.8 $RPM_BUILD_ROOT%{_mandir}/man8/testsaslauthd.8
+
+# Install the init script for saslauthd and the init script's config file.
+install -m755 -d $RPM_BUILD_ROOT/etc/rc.d/init.d $RPM_BUILD_ROOT/etc/sysconfig
+install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
+install -m644 -p %{SOURCE5} $RPM_BUILD_ROOT/%{_unitdir}/saslauthd.service
+install -m644 -p %{SOURCE9} $RPM_BUILD_ROOT/etc/sysconfig/saslauthd
+
+# Install the config dirs if they're not already there.
+install -m755 -d $RPM_BUILD_ROOT/%{_sysconfdir}/sasl2
+install -m755 -d $RPM_BUILD_ROOT/%{_plugindir2}
+
+# Provide an easy way to query the list of available mechanisms.
+./libtool --mode=install \
+install -m755 lib/sasl2-shared-mechlist $RPM_BUILD_ROOT/%{_sbindir}/
+
+# Remove unpackaged files from the buildroot.
+rm -f $RPM_BUILD_ROOT%{_libdir}/sasl2/libotp.*
+rm -f $RPM_BUILD_ROOT%{_libdir}/sasl2/*.a
+rm -f $RPM_BUILD_ROOT%{_libdir}/sasl2/*.la
+rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
+rm -f $RPM_BUILD_ROOT%{_mandir}/cat8/saslauthd.8
+
+
+%clean
+test "$RPM_BUILD_ROOT" != "/" && rm -rf $RPM_BUILD_ROOT
+
+%pre
+getent group %{username} >/dev/null || groupadd -g 76 -r %{username}
+getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir} -s /sbin/nologin -c "%{hint}" %{username}
+
+%post
+%systemd_post saslauthd.service
+
+%preun
+%systemd_preun saslauthd.service
+
+%postun
+%systemd_postun_with_restart saslauthd.service
+
+%triggerun -n cyrus-sasl -- cyrus-sasl < 2.1.23-32
+/usr/bin/systemd-sysv-convert --save saslauthd >/dev/null 2>&1 || :
+/sbin/chkconfig --del saslauthd >/dev/null 2>&1 || :
+/bin/systemctl try-restart saslauthd.service >/dev/null 2>&1 || :
+
+%post lib -p /sbin/ldconfig
+%postun lib -p /sbin/ldconfig
+
+%files
+%defattr(-,root,root)
+%doc saslauthd/LDAP_SASLAUTHD
+%{_mandir}/man8/*
+%{_sbindir}/pluginviewer
+%{_sbindir}/saslauthd
+%{_sbindir}/testsaslauthd
+%config(noreplace) /etc/sysconfig/saslauthd
+%{_unitdir}/saslauthd.service
+%ghost /run/saslauthd
+
+%files lib
+%defattr(-,root,root)
+%doc AUTHORS COPYING NEWS README doc/*.html
+%{_libdir}/libsasl*.so.*
+%dir %{_sysconfdir}/sasl2
+%dir %{_plugindir2}/
+%{_plugindir2}/*anonymous*.so*
+%{_plugindir2}/*sasldb*.so*
+%{_sbindir}/saslpasswd2
+%{_sbindir}/sasldblistusers2
+
+%files plain
+%defattr(-,root,root)
+%{_plugindir2}/*plain*.so*
+%{_plugindir2}/*login*.so*
+
+%if ! %{bootstrap_cyrus_sasl}
+%files ldap
+%defattr(-,root,root)
+%{_plugindir2}/*ldapdb*.so*
+%endif
+
+%files md5
+%defattr(-,root,root)
+%{_plugindir2}/*crammd5*.so*
+%{_plugindir2}/*digestmd5*.so*
+
+%files ntlm
+%defattr(-,root,root)
+%{_plugindir2}/*ntlm*.so*
+
+%files sql
+%defattr(-,root,root)
+%{_plugindir2}/*sql*.so*
+
+%files gssapi
+%defattr(-,root,root)
+%{_plugindir2}/*gssapi*.so*
+
+%files scram
+%defattr(-,root,root)
+%{_plugindir2}/libscram.so*
+
+%files gs2
+%defattr(-,root,root)
+%{_plugindir2}/libgs2.so*
+
+%files devel
+%defattr(-,root,root)
+%doc doc/*.txt
+%{_bindir}/sasl2-sample-client
+%{_bindir}/sasl2-sample-server
+%{_includedir}/*
+%{_libdir}/libsasl*.*so
+%{_libdir}/pkgconfig/*.pc
+%{_mandir}/man3/*
+%{_sbindir}/sasl2-shared-mechlist
+
+%changelog
+* Wed Nov 22 2017 Jakub Jelen <jjelen@redhat.com> - 2.1.26-23
+- Avoid undefined symbols on s390x (#1516193)
+
+* Thu Sep 21 2017 Jakub Jelen <jjelen@redhat.com> - 2.1.26-22
+- Allow cyrus sasl to get the ssf from gssapi (#1431586)
+
+* Mon Mar 06 2017 Jakub Jelen <jjelen@redhat.com> - 2.1.26-21
+- support proper SASL GSS-SPNEGO (#1421663)
+
+* Fri Dec 04 2015 Jakub Jelen <jjelen@redhat.com> 2.1.26-20
+- GSSAPI: Use per-connection mutex where possible (#1263017)
+
+* Thu Jul 16 2015 Jakub Jelen <jjelen@redhat.com> 2.1.26-19.2
+- Revert tmpfiles.d and use new systemd feature RuntimeDirectory (#1188065)
+
+* Wed May 20 2015 Jakub Jelen <jjelen@redhat.com> 2.1.26-18
+- Revert updated GSSAPI flags as in RFC 4752 to restore backward compatibility (#1154566)
+- Add and document ability to run saslauth as non-root user (#1188065)
+- Support AIX SASL GSSAPI (#1174322)
+- Update client library to be thread safe (#1147659)
+- Fix problem, that parsing short prefix matches the whole mechanism name (#1089267)
+- Don't use unnecessary quotes around user description (#1082564)
+- Fix confusing message when config file has typo (#1022479)
+
+* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 2.1.26-17
+- Mass rebuild 2014-01-24
+
+* Wed Jan 15 2014 Honza Horak <hhorak@redhat.com> - 2.1.26-16
+- Rebuild for mariadb-libs
+ Related: #1045013
+
+* Tue Jan 14 2014 Petr Lautrbach <plautrba@redhat.com> 2.1.26-15
+- compile cyrus-sasl with -O3 on ppc64 (#1051063)
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 2.1.26-14
+- Mass rebuild 2013-12-27
+
+* Tue Nov 19 2013 Petr Lautrbach <plautrba@redhat.com> 2.1.26-13
+- Treat SCRAM-SHA-1/DIGEST-MD5 as more secure than PLAIN (#970718)
+
+* Tue Oct 01 2013 Petr Lautrbach <plautrba@redhat.com> 2.1.26-12.1
+- rebuild for https://bugzilla.redhat.com/show_bug.cgi?id=1002625
+
+* Mon Sep 09 2013 Petr Lautrbach <plautrba@redhat.com> 2.1.26-11
+- build with RPM_OPT_FLAGS <ville.skytta@iki.fi> (#1005535)
+
+* Tue Sep 03 2013 Petr Lautrbach <plautrba@redhat.com> 2.1.26-10
+- fix hardening for /usr/sbin/saslauthd
+- add testsaslauthd.8 man page to the package
+- use static md5global.h file
+
+* Mon Jun 24 2013 Petr Lautrbach <plautrba@redhat.com> 2.1.26-9
+- detect gsskrb5_register_acceptor_identity macro <nalin@redhat.com> (#976538)
+
+* Tue Jun 04 2013 Karsten Hopp <karsten@redhat.com> 2.1.26-8
+- disable incorrect check for MkLinux to allow building with shared libraries on PPC
+
+* Tue May 21 2013 Petr Lautrbach <plautrba@redhat.com> 2.1.26-7
+- fix the spec file in order to build the cyrus-sasl-sql plugin
+ with support for PostgreSQL and MySQL
+
+* Thu Feb 21 2013 Petr Lautrbach <plautrba@redhat.com> 2.1.26-6
+- don't include system sasl2 library needed for rebuilds after rebase
+
+* Mon Feb 11 2013 Petr Lautrbach <plautrba@redhat.com> 2.1.26-5
+- enable full relro and PIE compiler flags for saslauthd
+
+* Fri Feb 01 2013 Petr Lautrbach <plautrba@redhat.com> 2.1.26-4
+- fix library symlinks
+
+* Thu Jan 31 2013 Rex Dieter <rdieter@fedoraproject.org> 2.1.26-3
+- actually apply size_t patch (#906519)
+
+* Thu Jan 31 2013 Rex Dieter <rdieter@fedoraproject.org> 2.1.26-2
+- sasl.h: +#include<sys/types.h> for missing size_t type (#906519)
+- tighten subpkg deps via %%?_isa
+
+* Thu Dec 20 2012 Petr Lautrbach <plautrba@redhat.com> 2.1.26-1
+- update to 2.1.26
+- fix segfaults in sasl_gss_encode (#886140)
+
+* Mon Dec 10 2012 Petr Lautrbach <plautrba@redhat.com> 2.1.25-2
+- always use the current external Berkeley DB when linking
+
+* Fri Dec 07 2012 Petr Lautrbach <plautrba@redhat.com> 2.1.25-1
+- update to 2.1.25
+- add cyrus-sasl-scram and cyrus-sasl-gs2 packages
+
+* Fri Sep 14 2012 Petr Lautrbach <plautrba@redhat.com> 2.1.23-36
+- replace scriptlets with systemd macros (#856666)
+
+* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.23-35
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Tue Jul 17 2012 Petr Lautrbach <plautrba@redhat.com> 2.1.23-34
+- move /etc/tmpfiles.d/saslauthd.conf to /usr/lib/tmpfiles.d/saslauthd.conf (#840193)
+
+* Wed Jun 20 2012 Petr Lautrbach <plautrba@redhat.com> 2.1.23-33
+- properly deal with crypt() returning NULL (#816250)
+- use fixed gid 76 for saslauth
+
+* Mon Apr 16 2012 Jindrich Novy <jnovy@redhat.com> 2.1.23-32
+- re-enable libdb support and utilities
+
+* Wed Apr 04 2012 Jindrich Novy <jnovy@redhat.com> 2.1.23-31
+- temporarily disable libdb support to resolve cyrus-sasl
+ chicken and egg build problem against libdb
+
+* Tue Apr 03 2012 Jindrich Novy <jnovy@redhat.com> 2.1.23-30
+- rebuild against new libdb
+
+* Wed Feb 08 2012 Petr Lautrbach <plautrba@redhat.com> 2.1.23-29
+- Change saslauth user homedir to /run/saslauthd (#752889)
+- Change all /var/run/ to /run/
+- DAEMONOPTS are not supported any more in systemd units
+
+* Mon Jan 09 2012 Jeroen van Meeuwen <vanmeeuwen@kolabsys.com> - 2.1.23-28
+- Ship with sasl_pwcheck_method: alwaystrue
+
+* Mon Dec 12 2011 Petr Lautrbach <plautrba@redhat.com> 2.1.23-27
+- remove support for logging of the remote host via PAM (#759334)
+- fix systemd files (#750436)
+
+* Wed Aug 10 2011 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-26
+- Add partial relro support for libraries
+
+* Mon Jul 25 2011 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-25
+- Add support for berkeley db 5
+
+* Wed Jun 29 2011 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-23
+- Migrate the package to full native systemd unit files, according to the Fedora
+ packaging guidelines.
+
+* Wed Jun 1 2011 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-22
+- repair rimap support (more packets in response)
+
+* Wed May 25 2011 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-21
+- repair ntlm support
+
+* Mon May 23 2011 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-20
+- add logging of the remote host via PAM
+
+* Thu Apr 28 2011 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-19
+- temporarilly revert systemd units
+
+* Tue Apr 26 2011 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-18
+- update scriptlets
+
+* Fri Apr 22 2011 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-17
+- Add systemd units
+
+* Wed Mar 23 2011 Tomas Mraz <tmraz@redhat.com> - 2.1.23-16
+- Rebuilt with new mysqlclient
+
+* Fri Feb 25 2011 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-15
+- set correct license tag
+- add ghost to /var/run/saslauthd
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.23-14
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Fri Apr 9 2010 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-13
+- Add /etc/tmpfiles.d element (#662734)
+
+* Fri Apr 9 2010 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-12
+- Update init script to impeach pid file
+
+* Thu Mar 11 2010 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-11
+- Update pre post preun and postun scripts (#572399)
+
+* Wed Mar 10 2010 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-10
+- Rewrite spec file, make corect CFLAGS, CPPFLAGS and LDFLAGS
+
+* Mon Feb 22 2010 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-9
+- solve race condition (#566875)
+
+* Wed Feb 17 2010 Stepan Kasal <skasal@redhat.com> - 2.1.23-8
+- improve m4 quoting to fix saslauthd/configure (#566088)
+- call autotools in build, not in prep
+
+* Fri Feb 5 2010 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-7
+- Add man page to testtcpauthd (#526189)
+
+* Fri Oct 16 2009 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-6
+- Create the saslauth user according to fedora packaging guide
+
+* Thu Sep 24 2009 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-5
+- Repair initscript to make condrestart working properly (#522103)
+
+* Wed Sep 23 2009 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-3
+- Add possibility to run the saslauth without root privilegies (#185614)
+
+* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 2.1.23-2
+- rebuilt with new openssl
+
+* Fri Aug 7 2009 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-1
+- update to 2.1.23
+
+* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.22-25
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Mon May 11 2009 Jan F. Chadima <jchadima@redhat.com> - 2.1.22-24
+- repair sasl_encode64 nul termination (#487251)
+
+* Thu Apr 16 2009 Robert Scheck <robert@fedoraproject.org> - 2.1.22-23
+- Don't build the krb4 plugin as krb5 1.7 will drop it (#225974 #c6)
+
+* Tue Feb 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.22-22
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Fri Feb 6 2009 Tomas Mraz <tmraz@redhat.com> - 2.1.22-21
+- fix build with gcc-4.4
+
+* Fri Jan 23 2009 Tomas Mraz <tmraz@redhat.com> - 2.1.22-20
+- set LDAP_OPT_TIMEOUT (#326452)
+- provide LSB compatible init script (#246900)
+
+* Fri Sep 26 2008 Tomas Mraz <tmraz@redhat.com> - 2.1.22-19
+- always use the current external db4 when linking,
+ thanks to Dan Horak for the original patch (#464098)
+
+* Wed Sep 10 2008 Tomas Mraz <tmraz@redhat.com> - 2.1.22-18
+- fix most critical build warnings (#433583)
+- use external db4
+
+* Fri Aug 29 2008 Tomas Mraz <tmraz@redhat.com> - 2.1.22-17
+- always link against the internal db4 (#459163)
+- rediff patches for no fuzz
+
+* Wed Jul 9 2008 Tomas Mraz <tmraz@redhat.com> - 2.1.22-16
+- update internal db4 (#449737)
+
+* Tue Jul 1 2008 Tomas Mraz <tmraz@redhat.com> - 2.1.22-15
+- drop reload from initscript help (#448154)
+- fix hang in rimap auth method (#438533)
+- build the krb4 plugin (#154675)
+
+* Fri May 23 2008 Dennis Gilmore <dennis@ausil.us> - 2.1.22-14
+- make it so that bootstrap actually works
+
+* Thu May 22 2008 Tom "spot" Callaway <tcallawa@redhat.com> - 2.1.22-13.1
+- minor release bump for sparc rebuild
+
+* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 2.1.22-13
+- Autorebuild for GCC 4.3
+
+* Thu Feb 14 2008 Steve Conklin <sconklin@redhat.com> - 2.1.22-12
+- rebuild for gcc4.3
+
+* Fri Jan 25 2008 Steve Conklin <sconklin@redhat.com> - 2.1.22-11
+- Cleanup after merge review bz #225673
+- no longer mark /etc/rc.d/init.d/saslauthd as config file
+- removed -x permissions on include files
+- added devel package dependency on cyrus-sasl
+- removed some remaining .la files that were being delivered
+
+* Wed Dec 05 2007 Release Engineering <rel-eng at fedoraproject dot org> - 2.1.22-10
+ - Rebuild for deps
+
+* Wed Nov 7 2007 Steve Conklin <sconklin@redhat.com> - 2.1.22-9
+- Fixed a typo in the spec file
+
+* Wed Nov 7 2007 Steve Conklin <sconklin@redhat.com> - 2.1.22-8
+- Removed srp plugin source and added dist to NVR
+
+* Tue Sep 18 2007 Steve Conklin <sconklin@redhat.com> 2.1.22-7
+- use db4 version 4.6.19 bz#249737
+
+* Mon Feb 26 2007 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-6
+- install config files and init scripts using -p
+- pull in patch to build with current automake (#229010, Jacek Konieczny
+ and Robert Scheck)
+- remove prereq on ldconfig, RPM should pick it up based on the -libs
+ scriptlets
+- pull in patch to correctly detect gsskrb5_register_acceptor_identity
+ (#200892, Mirko Streckenbach)
+- move sasldb auxprop modules into the -lib subpackage, so that we'll pick
+ it up for multilib systems
+
+* Thu Feb 22 2007 Nalin Dahyabhai <nalin@redhat.com>
+- pull CVS fix for not tripping over extra commas in digest-md5
+ challenges (#229640)
+
+* Fri Feb 16 2007 Nalin Dahyabhai <nalin@redhat.com>
+- remove static build, which is no longer a useful option because not all of
+ our dependencies are available as static libraries
+- drop patches which were needed to keep static builds going
+- drop gssapi-generic patch due to lack of interest
+- update the bundled copy of db to 4.5.20 (#229012)
+- drop dbconverter-2, as we haven't bundled v1 libraries since FC4
+
+* Tue Dec 5 2006 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-5
+- rebuild
+- add 'authentication' or 'auxprop' to summaries for plugin packages to
+ better indicate what the plugin provides
+- switch from automake 1.9 to automake 1.7
+
+* Fri Sep 29 2006 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-4
+- rebuild without 'dlcompat' bits (#206119)
+
+* Mon Jul 17 2006 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-3
+- rebuild
+
+* Tue Jun 20 2006 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-2
+- fix a typo in sasl_client_start(3) (#196066)
+
+* Mon May 22 2006 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-1
+- update to 2.1.22, adding pluginviewer to %%{_sbindir}
+
+* Tue May 16 2006 Nalin Dahyabhai <nalin@redhat.com> 2.1.21-12
+- add conditionalized build dependency on openldap-devel (#191855)
+- patch md5global.h to be the same on all architectures
+
+* Thu Apr 27 2006 Nalin Dahyabhai <nalin@redhat.com> 2.1.21-11
+- add unapplied patch which makes the DIGEST-MD5 plugin omit the realm
+ argument when the environment has $CYRUS_SASL_DIGEST_MD5_OMIT_REALM set to a
+ non-zero value, for testing purposes
+- add missing buildrequires on zlib-devel (#190113)
+
+* Mon Feb 20 2006 Nalin Dahyabhai <nalin@redhat.com> 2.1.21-10
+- add missing buildrequires on gdbm-devel (Karsten Hopp)
+
+* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 2.1.21-9.2
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 2.1.21-9.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Mon Dec 19 2005 Nalin Dahyabhai <nalin@redhat.com> 2.1.21-9
+- use --as-needed to avoid linking dbconverter-2 with SQL libraries, which
+ it doesn't use because it manipulates files directly (#173321)
+
+* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
+- rebuilt
+
+* Mon Nov 14 2005 Nalin Dahyabhai <nalin@redhat.com> 2.1.21-8
+- rebuild with new OpenLDAP, overriding the version checks to assume that
+ 2.3.11 is acceptable
+- remove a lingering patch for 1.x which we no longer use
+
+* Sat Nov 12 2005 Tom Lane <tgl@redhat.com> 2.1.21-7
+- Rebuild due to mysql update.
+
+* Tue Nov 8 2005 Tomas Mraz <tmraz@redhat.com> 2.1.21-6
+- rebuilt with new openssl
+
+* Fri Sep 9 2005 Nalin Dahyabhai <nalin@redhat.com> 2.1.21-5
+- add missing buildrequires: on groff (#163032)
+
+* Thu Sep 1 2005 Nalin Dahyabhai <nalin@redhat.com> 2.1.21-4
+- move the ldapdb auxprop support into a subpackage (#167300)
+ (note: the ldap password check support in saslauthd doesn't use auxprop)
+
+* Tue Aug 30 2005 Nalin Dahyabhai <nalin@redhat.com> 2.1.21-3
+- correct a use of uninitialized memory in the bundled libdb (Arjan van de Ven)
+
+* Mon Aug 29 2005 Nalin Dahyabhai <nalin@redhat.com> 2.1.21-2
+- move the ANONYMOUS mech plugin to the -lib subpackage so that multilib
+ systems can use it without installing the main package
+- build the static libraries without sql auxprop support
+
+* Mon Aug 29 2005 Nalin Dahyabhai <nalin@redhat.com> 2.1.21-1
+- update to 2.1.21
+- turn off compilation of libsasl v1 (finally)
+- explicitly disable sqlite to avoid the build warning
+- change the default mechanism which is set for saslauthd from "shadow" to
+ "pam" (#159194)
+- split the shared library up from saslauthd so that multilib systems don't
+ have to pull in every dependency of saslauthd for the compat arch (#166749)
+
+* Wed Apr 13 2005 Nalin Dahyabhai <nalin@redhat.com> 2.1.20-5
+- rebuild with new deps
+
+* Tue Mar 1 2005 Nalin Dahyabhai <nalin@redhat.com> 2.1.20-4
+- rebuild with new deps
+
+* Thu Nov 11 2004 Jeff Johnson <jbj@jbj.org> 2.1.20-3
+- rebuild against db-4.3.21.
+
+* Thu Nov 11 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.20-2
+- build with mysql-devel instead of mysqlclient10
+
+* Mon Nov 1 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.20-1
+- build with mysqlclient10 instead of mysql-devel
+
+* Wed Oct 27 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.20-0
+- update to 2.1.20, including the fix for CAN-2004-0884
+
+* Tue Oct 5 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.19-3
+- use notting's fix for incorrect patch for CAN-2004-0884 for 1.5.28
+
+* Tue Oct 5 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.19-2
+- don't trust the environment in setuid/setgid contexts (CAN-2004-0884, #134660)
+
+* Thu Aug 19 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.19-1
+- rebuild (the 2.1.19 changelog for fixing a buffer overflow referred to a CVS
+ revision between 2.1.18 and 2.1.19)
+
+* Mon Jul 19 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.19-0
+- update to 2.1.19, maybe for update
+
+* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Mon Jun 7 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.18-4
+- enable sql auxprop support in a subpackage
+- include LDAP_SASLAUTHD documentation file (#124830)
+
+* Fri Jun 4 2004 Nalin Dahyabhai <nalin@redhat.com>
+- turn on ntlm in a subpackage
+
+* Thu May 13 2004 Thomas Woerner <twoerner@redhat.com> 2.1.18-3
+- removed rpath
+
+* Tue Mar 16 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.18-2
+- turn on building of libsasl v1 again
+
+* Fri Mar 12 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.18-1
+- update to 2.1.18
+- saslauthd's ldap code is no longer marked experimental, so we build it
+
+* Mon Mar 8 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.17-4
+- rebuild
+
+* Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Tue Feb 3 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.17-2
+- include default /etc/sysconfig/saslauthd configuration file for the init
+ script (#114868)
+
+* Thu Jan 29 2004 Nalin Dahyabhai <nalin@redhat.com>
+- drop saslauthd_version patch for libsasl2
+
+* Thu Jan 29 2004 Nalin Dahyabhai <nalin@redhat.com>
+- add a saslauthd_version option to libsasl's saslauthd client and teach it to
+ do the right thing
+- enable the saslauthd client code in libsasl version 1 (it's still going away!)
+- add saslauthd1-checkpass/saslauthd2-checkpass for testing the above change
+
+* Wed Jan 7 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.17-1
+- forcibly disable otp and sql plugins at compile-time
+
+* Fri Dec 19 2003 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.1.17, forcing the gssapi plugin to be shared now, as before
+- use a bundled libdb (#112215)
+- build static-with-all-plugins and normal-shared libsasl versions
+- add sasl2-{shared,static}-mechlist for very basic sanity checking
+- make inclusion of sasl1 stuffs conditional, because it's so going away
+
+* Sat Dec 13 2003 Jeff Johnson <jbj@jbj.org> 2.1.15-7
+- rebuild against db-4.2.52.
+
+* Thu Oct 23 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.15-6
+- use /dev/urandom instead of /dev/random for SASL2 (docs indicate that this is
+ safe if you aren't using OTP or SRP, and we build neither); SASL1 appears to
+ use it to seed the libc RNG only (#103378)
+
+* Mon Oct 20 2003 Nalin Dahyabhai <nalin@redhat.com>
+- obey RPM_OPT_FLAGS again when krb5_prefix != %%{_prefix}
+
+* Fri Oct 17 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.15-5
+- install saslauthd's mdoc page instead of the pre-formatted man page, which
+ would get formatted again
+
+* Thu Sep 25 2003 Jeff Johnson <jbj@jbj.org> 2.1.15-5
+- rebuild against db-4.2.42.
+
+* Mon Sep 15 2003 Nalin Dahyabhai <nalin@redhat.com>
+- include testsaslauthd
+- note in the README that the saslauthd protocol is different for v1 and v2,
+ so v1's clients can't talk to the v2 server
+
+* Thu Aug 21 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.15-4
+- rebuild
+
+* Thu Aug 21 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.15-3
+- add logic to build with gssapi libs in either /usr or /usr/kerberos
+
+* Mon Jul 21 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.15-2
+- rebuild
+
+* Tue Jul 15 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.15-1
+- update to 2.1.15
+
+* Mon Jul 14 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.14-1
+- update to 2.1.14
+
+* Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Fri May 9 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.13-3
+- change -m argument to saslauthd to be a directory instead of a path
+
+* Thu May 8 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.13-2
+- link libsasl2 with -lpthread to ensure that the sasldb plug-in can always
+ be loaded
+
+* Tue Apr 29 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.13-1
+- update to 2.1.13
+
+* Wed Jan 22 2003 Tim Powers <timp@redhat.com>
+- rebuilt
+
+* Tue Jan 7 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.10-3
+- rebuild
+
+* Thu Dec 12 2002 Nalin Dahyabhai <nalin@redhat.com>
+- consider either des_cbc_encrypt or DES_cbc_encrypt to be sufficient when
+ searching for a DES implementation in libcrypto
+- pull in CPPFLAGS and LDFLAGS from openssl's pkg-config data, if it exists
+
+* Mon Dec 9 2002 Nalin Dahyabhai <nalin@redhat.com> 2.1.10-2
+- rebuild
+
+* Mon Dec 9 2002 Nalin Dahyabhai <nalin@redhat.com> 2.1.10-1
+- update to 2.1.10, fixing buffer overflows in libsasl2 noted by Timo Sirainen
+
+* Tue Nov 12 2002 Tim Powers <timp@redhat.com> 2.1.7-5
+- remove files from $RPM_BUILD_ROOT that we don't intend to include
+
+* Wed Oct 9 2002 Nalin Dahyabhai <nalin@redhat.com> 2.1.7-4
+- update to SASLv1 to final 1.5.28
+
+* Fri Sep 13 2002 Nalin Dahyabhai <nalin@redhat.com> 2.1.7-3
+- rebuild, overriding sasldir when running make so that on multilib systems
+ applications will be able to load modules for the right arch
+
+* Mon Sep 2 2002 Nalin Dahyabhai <nalin@redhat.com> 2.1.7-2
+- include dbconverter-2 (#68741)
+
+* Fri Aug 9 2002 Nalin Dahyabhai <nalin@redhat.com> 2.1.7-1
+- update to 2.1.7, fixing a race condition in digest-md5
+
+* Wed Jul 17 2002 Nalin Dahyabhai <nalin@redhat.com> 2.1.6-1
+- update to 2.1.6 and 1.5.28
+
+* Fri Jun 21 2002 Tim Powers <timp@redhat.com>
+- automated rebuild
+
+* Thu Jun 13 2002 Nalin Dahyabhai <nalin@redhat.com> 2.1.5-1
+- update to 2.1.5
+
+* Mon Jun 10 2002 Nalin Dahyabhai <nalin@redhat.com> 2.1.4-1
+- update to 2.1.4
+
+* Sun May 26 2002 Tim Powers <timp@redhat.com>
+- automated rebuild
+
+* Thu May 16 2002 Nalin Dahyabhai <nalin@redhat.com> 2.1.2-1
+- modify to build with db 4.x
+
+* Thu Apr 18 2002 Nalin Dahyabhai <nalin@redhat.com>
+- update cyrus-sasl 2 to 2.1.2
+- change buildreq to db3-devel
+
+* Tue Feb 12 2002 Nalin Dahyabhai <nalin@redhat.com> 2.1.1-3
+- suppress output to stdout/stderr in %%postun
+
+* Sun Feb 10 2002 Nalin Dahyabhai <nalin@redhat.com> 2.1.1-2
+- configure sasldb2 to use berkeley DB instead of gdbm
+
+* Wed Feb 6 2002 Nalin Dahyabhai <nalin@redhat.com> 2.1.1-1
+- update to 2.1.1
+
+* Thu Jan 31 2002 Nalin Dahyabhai <nalin@redhat.com> 2.1.0-1
+- marge 1.5.24 back in, making a note that it should be removed at some
+ point in the future
+
+* Wed Jan 30 2002 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.1.0, which is designed to be installed in parallel with cyrus sasl
+ 1.x, so fork the package and rename it to cyrus-sasl2
+- add the sasldb auxprop plugin to the main package
+- add disabled-by-default saslauthd init script
+- move the .la files for plugins into their respective packages -- they're
+ needed by the library
+
+* Wed Jan 23 2002 Nalin Dahyabhai <nalin@redhat.com> 1.5.24-24
+- free ride through the build system
+
+* Fri Nov 2 2001 Nalin Dahyabhai <nalin@redhat.com> 1.5.24-23
+- patch to fix possible syslog format-string vulnerability
+
+* Mon Oct 29 2001 Nalin Dahyabhai <nalin@redhat.com> 1.5.24-22
+- add pam-devel as a buildprereq
+
+* Wed Aug 29 2001 Nalin Dahyabhai <nalin@redhat.com> 1.5.24-21
+- include sample programs in the -devel subpackage, prefixing their names
+ with "sasl-" to reduce future potential naming conflicts
+
+* Tue Aug 14 2001 Nalin Dahyabhai <nalin@redhat.com> 1.5.24-20
+- build without -ggdb
+
+* Fri Aug 3 2001 Nalin Dahyabhai <nalin@redhat.com>
+- add gdbm-devel as a build dependency (#44990)
+- split off CRAM-MD5 and DIGEST-MD5 into a subpackage of their own (#43079,
+ and dialogs with David L. Parsley)
+
+* Fri Apr 27 2001 Nalin Dahyabhai <nalin@redhat.com>
+- split out the PLAIN and LOGIN mechanisms into their own package (this allows
+ an administrator to disable them by simply removing the package)
+
+* Fri Jan 19 2001 Nalin Dahyabhai <nalin@redhat.com>
+- rebuild in new environment
+
+* Wed Dec 6 2000 Nalin Dahyabhai <nalin@redhat.com>
+- fix gssapi-over-tls
+
+* Fri Oct 27 2000 Nalin Dahyabhai <nalin@redhat.com>
+- enable static libraries, but always build with -fPIC
+
+* Wed Oct 25 2000 Nalin Dahyabhai <nalin@redhat.com>
+- make sure the version of 1.5.24 in the package matches the masters (#18968)
+
+* Mon Oct 9 2000 Nalin Dahyabhai <nalin@redhat.com>
+- re-add the libsasl.so symlink to the -devel package (oops)
+
+* Fri Oct 6 2000 Nalin Dahyabhai <nalin@redhat.com>
+- move .so files for modules to their respective packages -- they're not -devel
+ links meant for use by ld anyway
+
+* Thu Oct 5 2000 Nalin Dahyabhai <nalin@redhat.com>
+- split off -devel subpackage
+- add a -gssapi subpackage for the gssapi plugins
+
+* Wed Aug 16 2000 Nalin Dahyabhai <nalin@redhat.com>
+- fix the summary text
+
+* Sun Aug 13 2000 Nalin Dahyabhai <nalin@redhat.com>
+- re-enable arcfour and CRAM
+
+* Fri Aug 4 2000 Nalin Dahyabhai <nalin@redhat.com>
+- force use of gdbm for database files to avoid DB migration weirdness
+- enable login mechanism
+- disable gssapi until it can coexist peacefully with non-gssapi setups
+- actually do a make in the build section (#15410)
+
+* Fri Jul 21 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to 1.5.24
+
+* Wed Jul 12 2000 Prospector <bugzilla@redhat.com>
+- automatic rebuild
+
+* Tue Jun 27 2000 Nalin Dahyabhai <nalin@redhat.com>
+- rebuild in new environment (release 3)
+
+* Mon Jun 19 2000 Nalin Dahyabhai <nalin@redhat.com>
+- don't muck with syslogd in post
+- remove patch for db-3.0 wackiness, no longer needed
+
+* Thu Jun 8 2000 Nalin Dahyabhai <nalin@redhat.com>
+- FHS cleanup
+- don't strip anything by default
+
+* Fri Feb 11 2000 Tim Powers <timp@redhat.com>
+- fixed man pages not being gzipped
+
+* Tue Nov 16 1999 Tim Powers <timp@redhat.com>
+- incorporated changes from Mads Kiilerich
+- release number is 1, not mk1
+
+* Wed Nov 10 1999 Mads Kiilerich <mads@kiilerich.com>
+- updated to sasl 1.5.11
+- configure --disable-krb4 --without-rc4 --disable-cram
+ because of missing libraries and pine having cram as default...
+- handle changing libsasl.so versions
+
+* Mon Aug 30 1999 Tim Powers <timp@redhat.com>
+- changed group
+
+* Fri Aug 13 1999 Tim Powers <timp@redhat.com>
+- first build for Powertools