diff --git a/.cyrus-sasl.metadata b/.cyrus-sasl.metadata new file mode 100644 index 0000000..9777141 --- /dev/null +++ b/.cyrus-sasl.metadata @@ -0,0 +1 @@ +b77ef8bd7e31923bdc7632a4c9a40cc79ec12681 SOURCES/cyrus-sasl-2.1.26-nodlcompatorsrp.tar.gz diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..8716f4f --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/cyrus-sasl-2.1.26-nodlcompatorsrp.tar.gz diff --git a/SOURCES/cyrus-sasl-2.1.20-saslauthd.conf-path.patch b/SOURCES/cyrus-sasl-2.1.20-saslauthd.conf-path.patch new file mode 100644 index 0000000..8e025d2 --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.20-saslauthd.conf-path.patch @@ -0,0 +1,38 @@ +diff -up cyrus-sasl-2.1.25/saslauthd/saslauthd.8.path cyrus-sasl-2.1.25/saslauthd/saslauthd.8 +--- cyrus-sasl-2.1.25/saslauthd/saslauthd.8.path 2012-02-08 17:02:25.143783451 +0100 ++++ cyrus-sasl-2.1.25/saslauthd/saslauthd.8 2012-02-08 17:04:31.775795190 +0100 +@@ -177,7 +177,7 @@ NNOOTTEESS + anyway.) + + FFIILLEESS +- /var/run/saslauthd/mux The default communications socket. ++ /run/saslauthd/mux The default communications socket. + + /usr/local/etc/saslauthd.conf + The default configuration file for ldap support. +diff -up cyrus-sasl-2.1.25/saslauthd/saslauthd.mdoc.path cyrus-sasl-2.1.25/saslauthd/saslauthd.mdoc +--- cyrus-sasl-2.1.25/saslauthd/saslauthd.mdoc.path 2009-12-03 20:07:03.000000000 +0100 ++++ cyrus-sasl-2.1.25/saslauthd/saslauthd.mdoc 2012-02-08 17:01:39.400986561 +0100 +@@ -216,7 +216,7 @@ instead. + .Em (All platforms that support OpenLDAP 2.0 or higher) + .Pp + Authenticate against an ldap server. The ldap configuration parameters are +-read from /usr/local/etc/saslauthd.conf. The location of this file can be ++read from /etc/saslauthd.conf. The location of this file can be + changed with the -O parameter. See the LDAP_SASLAUTHD file included with the + distribution for the list of available parameters. + .It Li sia +@@ -246,10 +246,10 @@ these ticket files can cause serious per + servers. (Kerberos + was never intended to be used in this manner, anyway.) + .Sh FILES +-.Bl -tag -width "/var/run/saslauthd/mux" +-.It Pa /var/run/saslauthd/mux ++.Bl -tag -width "/run/saslauthd/mux" ++.It Pa /run/saslauthd/mux + The default communications socket. +-.It Pa /usr/local/etc/saslauthd.conf ++.It Pa /etc/saslauthd.conf + The default configuration file for ldap support. + .El + .Sh SEE ALSO diff --git a/SOURCES/cyrus-sasl-2.1.21-sizes.patch b/SOURCES/cyrus-sasl-2.1.21-sizes.patch new file mode 100644 index 0000000..45f1800 --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.21-sizes.patch @@ -0,0 +1,249 @@ +Prefer types in to our own, because it removes file content +conflicts between 32- and 64-bit architectures. RFEd as #2829. + +--- cyrus-sasl-2.1.21/configure.in 2006-05-16 07:37:52.000000000 -0400 ++++ cyrus-sasl-2.1.21/configure.in 2006-05-16 07:37:52.000000000 -0400 +@@ -1083,6 +1083,10 @@ + AC_HEADER_DIRENT + AC_HEADER_SYS_WAIT + AC_CHECK_HEADERS(des.h dlfcn.h fcntl.h limits.h malloc.h paths.h strings.h sys/file.h sys/time.h syslog.h unistd.h inttypes.h sys/uio.h sys/param.h sysexits.h stdarg.h varargs.h) ++AC_CHECK_TYPES([long long, int8_t, uint8_t, int16_t, uint16_t, int32_t, uint32_t, int64_t, uint64_t],,,[ ++#ifdef HAVE_INTTYPES_H ++#include ++#endif]) + + IPv6_CHECK_SS_FAMILY() + IPv6_CHECK_SA_LEN() +diff -up cyrus-sasl-2.1.26/configure.sizes cyrus-sasl-2.1.26/configure +--- cyrus-sasl-2.1.26/configure.sizes 2013-11-13 16:40:44.492792539 +0100 ++++ cyrus-sasl-2.1.26/configure 2013-11-13 16:40:47.489777836 +0100 +@@ -18166,6 +18166,124 @@ fi + + done + ++ac_fn_c_check_type "$LINENO" "long long" "ac_cv_type_long_long" " ++#ifdef HAVE_INTTYPES_H ++#include ++#endif ++" ++if test "x$ac_cv_type_long_long" = xyes; then : ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE_LONG_LONG 1 ++_ACEOF ++ ++ ++fi ++ac_fn_c_check_type "$LINENO" "int8_t" "ac_cv_type_int8_t" " ++#ifdef HAVE_INTTYPES_H ++#include ++#endif ++" ++if test "x$ac_cv_type_int8_t" = xyes; then : ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE_INT8_T 1 ++_ACEOF ++ ++ ++fi ++ac_fn_c_check_type "$LINENO" "uint8_t" "ac_cv_type_uint8_t" " ++#ifdef HAVE_INTTYPES_H ++#include ++#endif ++" ++if test "x$ac_cv_type_uint8_t" = xyes; then : ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE_UINT8_T 1 ++_ACEOF ++ ++ ++fi ++ac_fn_c_check_type "$LINENO" "int16_t" "ac_cv_type_int16_t" " ++#ifdef HAVE_INTTYPES_H ++#include ++#endif ++" ++if test "x$ac_cv_type_int16_t" = xyes; then : ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE_INT16_T 1 ++_ACEOF ++ ++ ++fi ++ac_fn_c_check_type "$LINENO" "uint16_t" "ac_cv_type_uint16_t" " ++#ifdef HAVE_INTTYPES_H ++#include ++#endif ++" ++if test "x$ac_cv_type_uint16_t" = xyes; then : ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE_UINT16_T 1 ++_ACEOF ++ ++ ++fi ++ac_fn_c_check_type "$LINENO" "int32_t" "ac_cv_type_int32_t" " ++#ifdef HAVE_INTTYPES_H ++#include ++#endif ++" ++if test "x$ac_cv_type_int32_t" = xyes; then : ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE_INT32_T 1 ++_ACEOF ++ ++ ++fi ++ac_fn_c_check_type "$LINENO" "uint32_t" "ac_cv_type_uint32_t" " ++#ifdef HAVE_INTTYPES_H ++#include ++#endif ++" ++if test "x$ac_cv_type_uint32_t" = xyes; then : ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE_UINT32_T 1 ++_ACEOF ++ ++ ++fi ++ac_fn_c_check_type "$LINENO" "int64_t" "ac_cv_type_int64_t" " ++#ifdef HAVE_INTTYPES_H ++#include ++#endif ++" ++if test "x$ac_cv_type_int64_t" = xyes; then : ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE_INT64_T 1 ++_ACEOF ++ ++ ++fi ++ac_fn_c_check_type "$LINENO" "uint64_t" "ac_cv_type_uint64_t" " ++#ifdef HAVE_INTTYPES_H ++#include ++#endif ++" ++if test "x$ac_cv_type_uint64_t" = xyes; then : ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE_UINT64_T 1 ++_ACEOF ++ ++ ++fi ++ + + + { $as_echo "$as_me:$LINENO: checking whether you have ss_family in struct sockaddr_storage" >&5 +diff -up cyrus-sasl-2.1.26/include/makemd5.c.sizes cyrus-sasl-2.1.26/include/makemd5.c +--- cyrus-sasl-2.1.26/include/makemd5.c.sizes 2012-01-28 00:31:36.000000000 +0100 ++++ cyrus-sasl-2.1.26/include/makemd5.c 2013-11-13 16:22:24.195981512 +0100 +@@ -82,12 +82,19 @@ + */ + + ++#ifdef HAVE_CONFIG_H ++#include "../config.h" ++#endif + + #include + #include + #include + #include + ++#ifdef HAVE_INTTYPES_H ++#include ++#endif ++ + + static void + my_strupr(char *s) +@@ -122,6 +129,18 @@ + static void + try_signed(FILE *f, int len) + { ++#ifdef HAVE_INT8_T ++ BITSIZE(int8_t); ++#endif ++#ifdef HAVE_INT16_T ++ BITSIZE(int16_t); ++#endif ++#ifdef HAVE_INT32_T ++ BITSIZE(int32_t); ++#endif ++#ifdef HAVE_INT64_T ++ BITSIZE(int64_t); ++#endif + BITSIZE(signed char); + BITSIZE(short); + BITSIZE(int); +@@ -135,6 +154,18 @@ + static void + try_unsigned(FILE *f, int len) + { ++#ifdef HAVE_UINT8_T ++ BITSIZE(uint8_t); ++#endif ++#ifdef HAVE_UINT16_T ++ BITSIZE(uint16_t); ++#endif ++#ifdef HAVE_UINT32_T ++ BITSIZE(uint32_t); ++#endif ++#ifdef HAVE_UINT64_T ++ BITSIZE(uint64_t); ++#endif + BITSIZE(unsigned char); + BITSIZE(unsigned short); + BITSIZE(unsigned int); +@@ -165,6 +196,11 @@ + "/* POINTER defines a generic pointer type */\n" + "typedef unsigned char *POINTER;\n" + "\n" ++#ifdef HAVE_INTTYPES_H ++ "/* We try to define integer types for our use */\n" ++ "#include \n" ++ "\n" ++#endif + ); + return 1; + } +@@ -212,31 +248,15 @@ + + print_pre(f); + +-#ifndef HAVE_INT8_T + try_signed (f, 8); +-#endif /* HAVE_INT8_T */ +-#ifndef HAVE_INT16_T + try_signed (f, 16); +-#endif /* HAVE_INT16_T */ +-#ifndef HAVE_INT32_T + try_signed (f, 32); +-#endif /* HAVE_INT32_T */ +-#ifndef HAVE_INT64_T + try_signed (f, 64); +-#endif /* HAVE_INT64_T */ + +-#ifndef HAVE_U_INT8_T + try_unsigned (f, 8); +-#endif /* HAVE_INT8_T */ +-#ifndef HAVE_U_INT16_T + try_unsigned (f, 16); +-#endif /* HAVE_U_INT16_T */ +-#ifndef HAVE_U_INT32_T + try_unsigned (f, 32); +-#endif /* HAVE_U_INT32_T */ +-#ifndef HAVE_U_INT64_T + try_unsigned (f, 64); +-#endif /* HAVE_U_INT64_T */ + + print_post(f); + diff --git a/SOURCES/cyrus-sasl-2.1.22-kerberos4.patch b/SOURCES/cyrus-sasl-2.1.22-kerberos4.patch new file mode 100644 index 0000000..09e23d7 --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.22-kerberos4.patch @@ -0,0 +1,26 @@ +diff -up cyrus-sasl-2.1.22/config/kerberos_v4.m4.krb4 cyrus-sasl-2.1.22/config/kerberos_v4.m4 +--- cyrus-sasl-2.1.22/config/kerberos_v4.m4.krb4 2005-05-07 06:14:55.000000000 +0200 ++++ cyrus-sasl-2.1.22/config/kerberos_v4.m4 2008-08-14 23:41:26.000000000 +0200 +@@ -102,7 +102,6 @@ AC_DEFUN([SASL_KERBEROS_V4_CHK], [ + if test -n "${cyrus_krbinclude}"; then + CPPFLAGS="$CPPFLAGS -I${cyrus_krbinclude}" + fi +- LDFLAGS="$LDFLAGS -L$krb4/lib" + fi + + if test "$with_des" != no; then +diff -up cyrus-sasl-2.1.22/plugins/kerberos4.c.krb4 cyrus-sasl-2.1.22/plugins/kerberos4.c +--- cyrus-sasl-2.1.22/plugins/kerberos4.c.krb4 2005-01-10 08:08:53.000000000 +0100 ++++ cyrus-sasl-2.1.22/plugins/kerberos4.c 2008-08-14 23:36:33.000000000 +0200 +@@ -49,11 +49,7 @@ + #include + + #ifdef WITH_DES +-# ifdef WITH_SSL_DES +-# include +-# else + # include +-# endif /* WITH_SSL_DES */ + #endif /* WITH_DES */ + + #ifdef WIN32 diff --git a/SOURCES/cyrus-sasl-2.1.22-ldap-timeout.patch b/SOURCES/cyrus-sasl-2.1.22-ldap-timeout.patch new file mode 100644 index 0000000..82c6c82 --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.22-ldap-timeout.patch @@ -0,0 +1,25 @@ +commit c9447e1c3ffba88783e5d9396b832be82d3c78fc +Author: Kazuo Ito +Date: Wed Dec 10 12:03:29 2008 +0900 + + support for LDAP_OPT_TIMEOUT + + OpenLDAP since 2.4 implements support for this option in ldap_result(), + among other things. + +diff --git a/saslauthd/lak.c b/saslauthd/lak.c +index 803d51f..8714265 100644 +--- a/saslauthd/lak.c ++++ b/saslauthd/lak.c +@@ -833,6 +833,11 @@ static int lak_connect( + syslog(LOG_WARNING|LOG_AUTH, "Unable to set LDAP_OPT_NETWORK_TIMEOUT %d.%d.", lak->conf->timeout.tv_sec, lak->conf->timeout.tv_usec); + } + ++ rc = ldap_set_option(lak->ld, LDAP_OPT_TIMEOUT, &(lak->conf->timeout)); ++ if (rc != LDAP_OPT_SUCCESS) { ++ syslog(LOG_WARNING|LOG_AUTH, "Unable to set LDAP_OPT_TIMEOUT %d.%d.", lak->conf->timeout.tv_sec, lak->conf->timeout.tv_usec); ++ } ++ + rc = ldap_set_option(lak->ld, LDAP_OPT_TIMELIMIT, &(lak->conf->time_limit)); + if (rc != LDAP_OPT_SUCCESS) { + syslog(LOG_WARNING|LOG_AUTH, "Unable to set LDAP_OPT_TIMELIMIT %d.", lak->conf->time_limit); diff --git a/SOURCES/cyrus-sasl-2.1.23-man.patch b/SOURCES/cyrus-sasl-2.1.23-man.patch new file mode 100644 index 0000000..21c63cd --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.23-man.patch @@ -0,0 +1,24 @@ +diff -up cyrus-sasl-2.1.26/saslauthd/testsaslauthd.8.man cyrus-sasl-2.1.26/saslauthd/testsaslauthd.8 +--- cyrus-sasl-2.1.26/saslauthd/testsaslauthd.8.man 2013-09-03 15:25:26.818042047 +0200 ++++ cyrus-sasl-2.1.26/saslauthd/testsaslauthd.8 2013-09-03 15:25:26.818042047 +0200 +@@ -0,0 +1,20 @@ ++.\" Hey, EMACS: -*- nroff -*- ++.TH TESTSASLAUTHD 8 "14 October 2006" ++.SH NAME ++testsaslauthd \- test utility for the SASL authentication server ++.SH SYNOPSIS ++.B testsaslauthd ++.RI "[ " \(hyr " " realm " ] [ " \(hys " " servicename " ] [ " \(hyf " " socket " " path " ] [ " \(hyR " " repeatnum " ]" ++.SH DESCRIPTION ++This manual page documents briefly the ++.B testsaslauthd ++command. ++.PP ++.SH SEE ALSO ++.BR saslauthd (8). ++.br ++.SH AUTHOR ++testsaslauthd was written by Carnegie Mellon University. ++.PP ++This manual page was written by Roberto C. Sanchez , ++for the Debian project (but may be used by others). diff --git a/SOURCES/cyrus-sasl-2.1.25-no_rpath.patch b/SOURCES/cyrus-sasl-2.1.25-no_rpath.patch new file mode 100644 index 0000000..33ed15d --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.25-no_rpath.patch @@ -0,0 +1,20 @@ +diff -up cyrus-sasl-2.1.25/cmulocal/cyrus.m4.no_rpath cyrus-sasl-2.1.25/cmulocal/cyrus.m4 +--- cyrus-sasl-2.1.25/cmulocal/cyrus.m4.no_rpath 2010-01-22 16:12:01.000000000 +0100 ++++ cyrus-sasl-2.1.25/cmulocal/cyrus.m4 2012-12-06 14:59:47.956102057 +0100 +@@ -32,14 +32,5 @@ AC_DEFUN([CMU_ADD_LIBPATH_TO], [ + dnl runpath initialization + AC_DEFUN([CMU_GUESS_RUNPATH_SWITCH], [ + # CMU GUESS RUNPATH SWITCH +- AC_CACHE_CHECK(for runpath switch, andrew_cv_runpath_switch, [ +- # first, try -R +- SAVE_LDFLAGS="${LDFLAGS}" +- LDFLAGS="-R /usr/lib" +- AC_TRY_LINK([],[],[andrew_cv_runpath_switch="-R"], [ +- LDFLAGS="-Wl,-rpath,/usr/lib" +- AC_TRY_LINK([],[],[andrew_cv_runpath_switch="-Wl,-rpath,"], +- [andrew_cv_runpath_switch="none"]) +- ]) +- LDFLAGS="${SAVE_LDFLAGS}" +- ])]) ++ andrew_runpath_switch="none" ++ ]) diff --git a/SOURCES/cyrus-sasl-2.1.26-error-message-when-config-has-typo.patch b/SOURCES/cyrus-sasl-2.1.26-error-message-when-config-has-typo.patch new file mode 100644 index 0000000..939c4c9 --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.26-error-message-when-config-has-typo.patch @@ -0,0 +1,46 @@ +diff --git a/include/sasl.h b/include/sasl.h +index 8b8a63f..6ae153f 100755 +--- a/include/sasl.h ++++ b/include/sasl.h +@@ -179,6 +179,7 @@ + because of some constrains/policy violation */ + + #define SASL_BADBINDING -32 /* channel binding failure */ ++#define SASL_CONFIGERR -33 /* error when parsing configuration file */ + + /* max size of a sasl mechanism name */ + #define SASL_MECHNAMEMAX 20 +diff --git a/lib/common.c b/lib/common.c +index 672fe2f..de0adfd 100644 +--- a/lib/common.c ++++ b/lib/common.c +@@ -1362,6 +1362,7 @@ const char *sasl_errstring(int saslerr, + case SASL_CONSTRAINT_VIOLAT: return "sasl_setpass can't store a property because " + "of a constraint violation"; + case SASL_BADBINDING: return "channel binding failure"; ++ case SASL_CONFIGERR: return "error when parsing configuration file"; + + default: return "undefined error!"; + } +diff --git a/lib/config.c b/lib/config.c +index 7cae302..fde3757 100644 +--- a/lib/config.c ++++ b/lib/config.c +@@ -91,7 +91,7 @@ int sasl_config_init(const char *filename) + } + if (*p != ':') { + fclose(infile); +- return SASL_FAIL; ++ return SASL_CONFIGERR; + } + *p++ = '\0'; + +@@ -99,7 +99,7 @@ int sasl_config_init(const char *filename) + + if (!*p) { + fclose(infile); +- return SASL_FAIL; ++ return SASL_CONFIGERR; + } + + /* Now strip trailing spaces, if any */ diff --git a/SOURCES/cyrus-sasl-2.1.26-gss-spnego.patch b/SOURCES/cyrus-sasl-2.1.26-gss-spnego.patch new file mode 100644 index 0000000..69ab893 --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.26-gss-spnego.patch @@ -0,0 +1,139 @@ +From 67ca66685e11acc0f69d5ff8013107d4b172e67f Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Thu, 16 Feb 2017 15:25:56 -0500 +Subject: [PATCH] Fix GSS-SPNEGO mechanism's incompatible behavior + +The GSS-SPNEGO mechanism has been designed and introduced by Microsoft for use +by Active Directory clients. It allows to negotiate an underlying +Security Mechanism like Krb5 or NTLMSSP. +However, the implementaion in cyrus-sasl is broken and never correctly +interoperated with Microsoft servers or clients. This patch fixes the +compatibility issue which is caused by incorrectly trying to negotiate +SSF layers explicitly instead of using the flags negotiated by GSSAPI +as required by Microsoft's implementation. + +Signed-off-by: Simo Sorce +--- + plugins/gssapi.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 64 insertions(+), 6 deletions(-) + +diff --git a/plugins/gssapi.c b/plugins/gssapi.c +index bfc278d..010c236 100644 +--- a/plugins/gssapi.c ++++ b/plugins/gssapi.c +@@ -648,10 +648,62 @@ static void gssapi_common_mech_free(void *global_context __attribute__((unused)) + #endif + } + ++/* The GSS-SPNEGO mechanism does not do SSF negotiation, instead it uses the ++ * flags negotiated by GSSAPI to determine If confidentiality or integrity are ++ * used. These flags are stored in text->qop transalated as layers by the ++ * caller */ ++static int gssapi_spnego_ssf(context_t *text, const sasl_utils_t *utils, ++ sasl_security_properties_t *props, ++ sasl_out_params_t *oparams) ++{ ++ OM_uint32 maj_stat = 0, min_stat = 0; ++ OM_uint32 max_input; ++ ++ if (text->qop & LAYER_CONFIDENTIALITY) { ++ oparams->encode = &gssapi_privacy_encode; ++ oparams->decode = &gssapi_decode; ++ oparams->mech_ssf = K5_MAX_SSF; ++ } else if (text->qop & LAYER_INTEGRITY) { ++ oparams->encode = &gssapi_integrity_encode; ++ oparams->decode = &gssapi_decode; ++ oparams->mech_ssf = 1; ++ } else { ++ oparams->encode = NULL; ++ oparams->decode = NULL; ++ oparams->mech_ssf = 0; ++ } ++ ++ if (oparams->mech_ssf) { ++ maj_stat = gss_wrap_size_limit(&min_stat, ++ text->gss_ctx, ++ 1, ++ GSS_C_QOP_DEFAULT, ++ (OM_uint32)oparams->maxoutbuf, ++ &max_input); ++ ++ if (max_input > oparams->maxoutbuf) { ++ /* Heimdal appears to get this wrong */ ++ oparams->maxoutbuf -= (max_input - oparams->maxoutbuf); ++ } else { ++ /* This code is actually correct */ ++ oparams->maxoutbuf = max_input; ++ } ++ } ++ ++ text->state = SASL_GSSAPI_STATE_AUTHENTICATED; ++ ++ /* used by layers */ ++ _plug_decode_init(&text->decode_context, text->utils, ++ (props->maxbufsize > 0xFFFFFF) ? 0xFFFFFF : ++ props->maxbufsize); ++ ++ return SASL_OK; ++} ++ + /***************************** Server Section *****************************/ + + static int +-gssapi_server_mech_new(void *glob_context __attribute__((unused)), ++gssapi_server_mech_new(void *glob_context, + sasl_server_params_t *params, + const char *challenge __attribute__((unused)), + unsigned challen __attribute__((unused)), +@@ -673,6 +725,7 @@ gssapi_server_mech_new(void *glob_context __attribute__((unused)), + text->state = SASL_GSSAPI_STATE_AUTHNEG; + + text->http_mode = (params->flags & SASL_NEED_HTTP); ++ text->mech_type = (gss_OID) glob_context; + + *conn_context = text; + +@@ -686,7 +739,7 @@ gssapi_server_mech_authneg(context_t *text, + unsigned clientinlen, + const char **serverout, + unsigned *serveroutlen, +- sasl_out_params_t *oparams __attribute__((unused))) ++ sasl_out_params_t *oparams) + { + gss_buffer_t input_token, output_token; + gss_buffer_desc real_input_token, real_output_token; +@@ -965,8 +1018,9 @@ gssapi_server_mech_authneg(context_t *text, + /* HTTP doesn't do any ssf negotiation */ + text->state = SASL_GSSAPI_STATE_AUTHENTICATED; + ret = SASL_OK; +- } +- else { ++ } else if (text->mech_type && text->mech_type == &gss_spnego_oid) { ++ ret = gssapi_spnego_ssf(text, params->utils, ¶ms->props, oparams); ++ } else { + /* Switch to ssf negotiation */ + text->state = SASL_GSSAPI_STATE_SSFCAP; + ret = SASL_CONTINUE; +@@ -1391,7 +1445,7 @@ static sasl_server_plug_t gssapi_server_plugins[] = + | SASL_FEAT_ALLOWS_PROXY + | SASL_FEAT_DONTUSE_USERPASSWD + | SASL_FEAT_SUPPORTS_HTTP, /* features */ +- NULL, /* glob_context */ ++ &gss_spnego_oid, /* glob_context */ + &gssapi_server_mech_new, /* mech_new */ + &gssapi_server_mech_step, /* mech_step */ + &gssapi_common_mech_dispose, /* mech_dispose */ +@@ -1769,7 +1823,11 @@ static int gssapi_client_mech_step(void *conn_context, + text->state = SASL_GSSAPI_STATE_AUTHENTICATED; + oparams->doneflag = 1; + return SASL_OK; +- } ++ } else if (text->mech_type && text->mech_type == &gss_spnego_oid) { ++ oparams->doneflag = 1; ++ return gssapi_spnego_ssf(text, params->utils, ¶ms->props, ++ oparams); ++ } + + /* Switch to ssf negotiation */ + text->state = SASL_GSSAPI_STATE_SSFCAP; + diff --git a/SOURCES/cyrus-sasl-2.1.26-gss-ssf.patch b/SOURCES/cyrus-sasl-2.1.26-gss-ssf.patch new file mode 100644 index 0000000..72e18b7 --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.26-gss-ssf.patch @@ -0,0 +1,549 @@ +From 862b60c249c8a51095315062b22c0702a6500d80 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Tue, 11 Apr 2017 18:31:46 -0400 +Subject: [PATCH 1/3] Drop unused parameter from gssapi_spnego_ssf() + +Signed-off-by: Simo Sorce +--- + plugins/gssapi.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/plugins/gssapi.c b/plugins/gssapi.c +index 010c236d..3050962e 100644 +--- a/plugins/gssapi.c ++++ b/plugins/gssapi.c +@@ -652,7 +652,7 @@ static void gssapi_common_mech_free(void *global_context __attribute__((unused)) + * flags negotiated by GSSAPI to determine If confidentiality or integrity are + * used. These flags are stored in text->qop transalated as layers by the + * caller */ +-static int gssapi_spnego_ssf(context_t *text, const sasl_utils_t *utils, ++static int gssapi_spnego_ssf(context_t *text, + sasl_security_properties_t *props, + sasl_out_params_t *oparams) + { +@@ -1019,7 +1019,7 @@ gssapi_server_mech_authneg(context_t *text, + text->state = SASL_GSSAPI_STATE_AUTHENTICATED; + ret = SASL_OK; + } else if (text->mech_type && text->mech_type == &gss_spnego_oid) { +- ret = gssapi_spnego_ssf(text, params->utils, ¶ms->props, oparams); ++ ret = gssapi_spnego_ssf(text, ¶ms->props, oparams); + } else { + /* Switch to ssf negotiation */ + text->state = SASL_GSSAPI_STATE_SSFCAP; +@@ -1825,8 +1825,7 @@ static int gssapi_client_mech_step(void *conn_context, + return SASL_OK; + } else if (text->mech_type && text->mech_type == &gss_spnego_oid) { + oparams->doneflag = 1; +- return gssapi_spnego_ssf(text, params->utils, ¶ms->props, +- oparams); ++ return gssapi_spnego_ssf(text, ¶ms->props, oparams); + } + + /* Switch to ssf negotiation */ + +From 72181257d77bda09afa7d0d640d322c4472f4833 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Mon, 10 Apr 2017 18:35:10 -0400 +Subject: [PATCH 2/3] Check return error from gss_wrap_size_limit() + +The return error of this function is ignored and potentially +uninitialized values returned by this function are used. + +Fix this by moving the function into a proper helper as it is used in an +identical way in 3 different places. + +Signed-off-by: Simo Sorce +--- + plugins/gssapi.c | 104 +++++++++++++++++++++++++++---------------------------- + 1 file changed, 51 insertions(+), 53 deletions(-) + +diff --git a/plugins/gssapi.c b/plugins/gssapi.c +index 3050962e..348debe0 100644 +--- a/plugins/gssapi.c ++++ b/plugins/gssapi.c +@@ -648,6 +648,32 @@ static void gssapi_common_mech_free(void *global_context __attribute__((unused)) + #endif + } + ++static int gssapi_wrap_sizes(context_t *text, sasl_out_params_t *oparams) ++{ ++ OM_uint32 maj_stat = 0, min_stat = 0; ++ OM_uint32 max_input = 0; ++ ++ maj_stat = gss_wrap_size_limit(&min_stat, ++ text->gss_ctx, ++ 1, ++ GSS_C_QOP_DEFAULT, ++ (OM_uint32)oparams->maxoutbuf, ++ &max_input); ++ if (maj_stat != GSS_S_COMPLETE) { ++ return SASL_FAIL; ++ } ++ ++ if (max_input > oparams->maxoutbuf) { ++ /* Heimdal appears to get this wrong */ ++ oparams->maxoutbuf -= (max_input - oparams->maxoutbuf); ++ } else { ++ /* This code is actually correct */ ++ oparams->maxoutbuf = max_input; ++ } ++ ++ return SASL_OK; ++} ++ + /* The GSS-SPNEGO mechanism does not do SSF negotiation, instead it uses the + * flags negotiated by GSSAPI to determine If confidentiality or integrity are + * used. These flags are stored in text->qop transalated as layers by the +@@ -656,8 +682,7 @@ static int gssapi_spnego_ssf(context_t *text, + sasl_security_properties_t *props, + sasl_out_params_t *oparams) + { +- OM_uint32 maj_stat = 0, min_stat = 0; +- OM_uint32 max_input; ++ int ret; + + if (text->qop & LAYER_CONFIDENTIALITY) { + oparams->encode = &gssapi_privacy_encode; +@@ -674,20 +699,10 @@ static int gssapi_spnego_ssf(context_t *text, + } + + if (oparams->mech_ssf) { +- maj_stat = gss_wrap_size_limit(&min_stat, +- text->gss_ctx, +- 1, +- GSS_C_QOP_DEFAULT, +- (OM_uint32)oparams->maxoutbuf, +- &max_input); +- +- if (max_input > oparams->maxoutbuf) { +- /* Heimdal appears to get this wrong */ +- oparams->maxoutbuf -= (max_input - oparams->maxoutbuf); +- } else { +- /* This code is actually correct */ +- oparams->maxoutbuf = max_input; +- } ++ ret = gssapi_wrap_sizes(text, oparams); ++ if (ret != SASL_OK) { ++ return ret; ++ } + } + + text->state = SASL_GSSAPI_STATE_AUTHENTICATED; +@@ -1208,7 +1223,6 @@ gssapi_server_mech_ssfreq(context_t *text, + gss_buffer_t input_token, output_token; + gss_buffer_desc real_input_token, real_output_token; + OM_uint32 maj_stat = 0, min_stat = 0; +- OM_uint32 max_input; + int layerchoice; + + input_token = &real_input_token; +@@ -1297,27 +1311,20 @@ gssapi_server_mech_ssfreq(context_t *text, + (((unsigned char *) output_token->value)[2] << 8) | + (((unsigned char *) output_token->value)[3] << 0); + +- if (oparams->mech_ssf) { +- maj_stat = gss_wrap_size_limit( &min_stat, +- text->gss_ctx, +- 1, +- GSS_C_QOP_DEFAULT, +- (OM_uint32) oparams->maxoutbuf, +- &max_input); +- +- if(max_input > oparams->maxoutbuf) { +- /* Heimdal appears to get this wrong */ +- oparams->maxoutbuf -= (max_input - oparams->maxoutbuf); +- } else { +- /* This code is actually correct */ +- oparams->maxoutbuf = max_input; +- } +- } +- + GSS_LOCK_MUTEX_CTX(params->utils, text); + gss_release_buffer(&min_stat, output_token); + GSS_UNLOCK_MUTEX_CTX(params->utils, text); + ++ if (oparams->mech_ssf) { ++ int ret; ++ ++ ret = gssapi_wrap_sizes(text, oparams); ++ if (ret != SASL_OK) { ++ sasl_gss_free_context_contents(text); ++ return ret; ++ } ++ } ++ + text->state = SASL_GSSAPI_STATE_AUTHENTICATED; + + /* used by layers */ +@@ -1569,7 +1576,6 @@ static int gssapi_client_mech_step(void *conn_context, + gss_buffer_t input_token, output_token; + gss_buffer_desc real_input_token, real_output_token; + OM_uint32 maj_stat = 0, min_stat = 0; +- OM_uint32 max_input; + gss_buffer_desc name_token; + int ret; + OM_uint32 req_flags = 0, out_req_flags = 0; +@@ -1952,27 +1958,19 @@ static int gssapi_client_mech_step(void *conn_context, + (((unsigned char *) output_token->value)[2] << 8) | + (((unsigned char *) output_token->value)[3] << 0); + +- if (oparams->mech_ssf) { +- maj_stat = gss_wrap_size_limit( &min_stat, +- text->gss_ctx, +- 1, +- GSS_C_QOP_DEFAULT, +- (OM_uint32) oparams->maxoutbuf, +- &max_input); +- +- if (max_input > oparams->maxoutbuf) { +- /* Heimdal appears to get this wrong */ +- oparams->maxoutbuf -= (max_input - oparams->maxoutbuf); +- } else { +- /* This code is actually correct */ +- oparams->maxoutbuf = max_input; +- } +- } +- + GSS_LOCK_MUTEX_CTX(params->utils, text); + gss_release_buffer(&min_stat, output_token); + GSS_UNLOCK_MUTEX_CTX(params->utils, text); +- ++ ++ if (oparams->mech_ssf) { ++ int ret; ++ ++ ret = gssapi_wrap_sizes(text, oparams); ++ if (ret != SASL_OK) { ++ sasl_gss_free_context_contents(text); ++ return ret; ++ } ++ } + /* oparams->user is always set, due to canon_user requirements. + * Make sure the client actually requested it though, by checking + * if our context was set. + +From ff9f9caeb6db6d7513128fff9321f9bd445f58b7 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Mon, 10 Apr 2017 19:54:19 -0400 +Subject: [PATCH 3/3] Add support for retrieving the mech_ssf + +In the latest MIT Kerberos implementation it is possible to extract +the calculated SSF wich is based on the encryption type that has been +used to establish the GSSAPI security context. + +Use this method if available or fall back to the old "DES" value. + +Signed-off-by: Simo Sorce +--- + cmulocal/sasl2.m4 | 20 +++++++++++ + plugins/gssapi.c | 102 +++++++++++++++++++++++++++++++++++++++++++++++++------ + 2 files changed, 111 insertions(+), 11 deletions(-) + +diff --git a/cmulocal/sasl2.m4 b/cmulocal/sasl2.m4 +index 66b291b0..686c4bc7 100644 +--- a/cmulocal/sasl2.m4 ++++ b/cmulocal/sasl2.m4 +@@ -290,6 +290,26 @@ if test "$gssapi" != no; then + + cmu_save_LIBS="$LIBS" + LIBS="$LIBS $GSSAPIBASE_LIBS" ++ AC_CHECK_FUNCS(gss_inquire_sec_context_by_oid) ++ if test "$ac_cv_func_gss_inquire_sec_context_by_oid" = no ; then ++ if test "$ac_cv_header_gssapi_gssapi_ext_h" = "yes"; then ++ AC_CHECK_DECL(gss_inquire_sec_context_by_oid, ++ [AC_DEFINE(HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID,1, ++ [Define if your GSSAPI implementation defines gss_inquire_sec_context_by_oid])],, ++ [ ++ AC_INCLUDES_DEFAULT ++ #include ++ ]) ++ fi ++ fi ++ if test "$ac_cv_header_gssapi_gssapi_ext_h" = "yes"; then ++ AC_EGREP_HEADER(GSS_C_SEC_CONTEXT_SASL_SSF, gssapi/gssapi_ext.h, ++ [AC_DEFINE(HAVE_GSS_C_SEC_CONTEXT_SASL_SSF,, ++ [Define if your GSSAPI implementation defines GSS_C_SEC_CONTEXT_SASL_SSF])]) ++ fi ++ cmu_save_LIBS="$LIBS" ++ LIBS="$LIBS $GSSAPIBASE_LIBS" ++ + AC_MSG_CHECKING([for SPNEGO support in GSSAPI libraries]) + AC_TRY_RUN([ + #ifdef HAVE_GSSAPI_H +diff --git a/plugins/gssapi.c b/plugins/gssapi.c +index 348debe0..5f554ce3 100644 +--- a/plugins/gssapi.c ++++ b/plugins/gssapi.c +@@ -51,6 +51,9 @@ + #endif + + #include ++#ifdef HAVE_GSSAPI_GSSAPI_EXT_H ++#include ++#endif + + #ifdef WIN32 + # include +@@ -98,18 +103,25 @@ extern gss_OID gss_nt_service_name; + /* Check if CyberSafe flag is defined */ + #ifdef CSF_GSS_C_DES3_FLAG + #define K5_MAX_SSF 112 ++#define K5_MIN_SSF 112 + #endif + + /* Heimdal and MIT use the following */ + #ifdef GSS_KRB5_CONF_C_QOP_DES3_KD + #define K5_MAX_SSF 112 ++#define K5_MIN_SSF 112 + #endif + + #endif + + #ifndef K5_MAX_SSF ++/* All modern Kerberos implementations support AES */ ++#define K5_MAX_SSF 256 ++#endif ++ + /* All Kerberos implementations support DES */ +-#define K5_MAX_SSF 56 ++#ifndef K5_MIN_SSF ++#define K5_MIN_SSF 56 + #endif + + /* GSSAPI SASL Mechanism by Leif Johansson +@@ -674,6 +686,47 @@ static int gssapi_wrap_sizes(context_t *text, sasl_out_params_t *oparams) + return SASL_OK; + } + ++#if !defined(HAVE_GSS_C_SEC_CONTEXT_SASL_SSF) ++gss_OID_desc gss_sasl_ssf = { ++ 11, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0f" ++}; ++gss_OID GSS_C_SEC_CONTEXT_SASL_SSF = &gss_sasl_ssf; ++#endif ++ ++static int gssapi_get_ssf(context_t *text, sasl_ssf_t *mech_ssf) ++{ ++#ifdef HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID ++ OM_uint32 maj_stat = 0, min_stat = 0; ++ gss_buffer_set_t bufset = GSS_C_NO_BUFFER_SET; ++ gss_OID ssf_oid = GSS_C_SEC_CONTEXT_SASL_SSF; ++ uint32_t ssf; ++ ++ maj_stat = gss_inquire_sec_context_by_oid(&min_stat, text->gss_ctx, ++ ssf_oid, &bufset); ++ switch (maj_stat) { ++ case GSS_S_UNAVAILABLE: ++ /* Not supported by the library, fallback to default */ ++ goto fallback; ++ case GSS_S_COMPLETE: ++ if ((bufset->count != 1) || (bufset->elements[0].length != 4)) { ++ /* Malformed bufset, fail */ ++ (void)gss_release_buffer_set(&min_stat, &bufset); ++ return SASL_FAIL; ++ } ++ memcpy(&ssf, bufset->elements[0].value, 4); ++ (void)gss_release_buffer_set(&min_stat, &bufset); ++ *mech_ssf = ntohl(ssf); ++ return SASL_OK; ++ default: ++ return SASL_FAIL; ++ } ++ ++fallback: ++#endif ++ *mech_ssf = K5_MIN_SSF; ++ return SASL_OK; ++} ++ + /* The GSS-SPNEGO mechanism does not do SSF negotiation, instead it uses the + * flags negotiated by GSSAPI to determine If confidentiality or integrity are + * used. These flags are stored in text->qop transalated as layers by the +@@ -687,7 +740,10 @@ static int gssapi_spnego_ssf(context_t *text, + if (text->qop & LAYER_CONFIDENTIALITY) { + oparams->encode = &gssapi_privacy_encode; + oparams->decode = &gssapi_decode; +- oparams->mech_ssf = K5_MAX_SSF; ++ ret = gssapi_get_ssf(text, &oparams->mech_ssf); ++ if (ret != SASL_OK) { ++ return ret; ++ } + } else if (text->qop & LAYER_INTEGRITY) { + oparams->encode = &gssapi_integrity_encode; + oparams->decode = &gssapi_decode; +@@ -1089,6 +1145,7 @@ gssapi_server_mech_ssfcap(context_t *text, + gss_buffer_desc real_input_token, real_output_token; + OM_uint32 maj_stat = 0, min_stat = 0; + unsigned char sasldata[4]; ++ sasl_ssf_t mech_ssf; + int ret; + + input_token = &real_input_token; +@@ -1149,9 +1206,14 @@ gssapi_server_mech_ssfcap(context_t *text, + params->props.maxbufsize) { + sasldata[0] |= LAYER_INTEGRITY; + } ++ ret = gssapi_get_ssf(text, &mech_ssf); ++ if (ret != SASL_OK) { ++ sasl_gss_free_context_contents(text); ++ return ret; ++ } + if ((text->qop & LAYER_CONFIDENTIALITY) && +- text->requiressf <= K5_MAX_SSF && +- text->limitssf >= K5_MAX_SSF && ++ text->requiressf <= mech_ssf && ++ text->limitssf >= mech_ssf && + params->props.maxbufsize) { + sasldata[0] |= LAYER_CONFIDENTIALITY; + } +@@ -1271,10 +1333,18 @@ gssapi_server_mech_ssfreq(context_t *text, + } else if (/* For compatibility with broken clients setting both bits */ + (layerchoice & (LAYER_CONFIDENTIALITY | LAYER_INTEGRITY)) && + (text->qop & LAYER_CONFIDENTIALITY)) { /* privacy */ ++ int ret; + oparams->encode = &gssapi_privacy_encode; + oparams->decode = &gssapi_decode; +- /* FIX ME: Need to extract the proper value here */ +- oparams->mech_ssf = K5_MAX_SSF; ++ ++ ret = gssapi_get_ssf(text, &oparams->mech_ssf); ++ if (ret != SASL_OK) { ++ GSS_LOCK_MUTEX_CTX(params->utils, text); ++ gss_release_buffer(&min_stat, output_token); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); ++ sasl_gss_free_context_contents(text); ++ return ret; ++ } + } else { + /* not a supported encryption layer */ + SETERROR(text->utils, +@@ -1845,6 +1915,8 @@ static int gssapi_client_mech_step(void *conn_context, + unsigned int alen, external = params->external_ssf; + sasl_ssf_t need, allowed; + char serverhas, mychoice; ++ sasl_ssf_t mech_ssf; ++ int ret; + + real_input_token.value = (void *) serverin; + real_input_token.length = serverinlen; +@@ -1879,8 +1951,17 @@ static int gssapi_client_mech_step(void *conn_context, + return SASL_FAIL; + } + ++ ret = gssapi_get_ssf(text, &mech_ssf); ++ if (ret != SASL_OK) { ++ GSS_LOCK_MUTEX_CTX(params->utils, text); ++ gss_release_buffer(&min_stat, output_token); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); ++ sasl_gss_free_context_contents(text); ++ return SASL_FAIL; ++ } ++ + /* taken from kerberos.c */ +- if (secprops->min_ssf > (K5_MAX_SSF + external)) { ++ if (secprops->min_ssf > (mech_ssf + external)) { + return SASL_TOOWEAK; + } else if (secprops->min_ssf > secprops->max_ssf) { + return SASL_BADPARAM; +@@ -1904,8 +1985,8 @@ static int gssapi_client_mech_step(void *conn_context, + + /* use the strongest layer available */ + if ((text->qop & LAYER_CONFIDENTIALITY) && +- allowed >= K5_MAX_SSF && +- need <= K5_MAX_SSF && ++ allowed >= mech_ssf && ++ need <= mech_ssf && + (serverhas & LAYER_CONFIDENTIALITY)) { + + const char *ad_compat; +@@ -1913,8 +1994,7 @@ static int gssapi_client_mech_step(void *conn_context, + /* encryption */ + oparams->encode = &gssapi_privacy_encode; + oparams->decode = &gssapi_decode; +- /* FIX ME: Need to extract the proper value here */ +- oparams->mech_ssf = K5_MAX_SSF; ++ oparams->mech_ssf = mech_ssf; + mychoice = LAYER_CONFIDENTIALITY; + + if (serverhas & LAYER_INTEGRITY) { + + + +diff -U3 cyrus-sasl-2.1.26.old/config.h.in cyrus-sasl-2.1.26/config.h.in +--- cyrus-sasl-2.1.26.old/config.h.in 2012-11-06 20:20:59.000000000 +0100 ++++ cyrus-sasl-2.1.26/config.h.in 2017-09-21 10:33:36.225258244 +0200 +@@ -132,6 +135,9 @@ + /* Define if your GSSAPI implementation defines GSS_C_NT_USER_NAME */ + #undef HAVE_GSS_C_NT_USER_NAME + ++/* Define if your GSSAPI implementation defines GSS_C_SEC_CONTEXT_SASL_SSF */ ++#undef HAVE_GSS_C_SEC_CONTEXT_SASL_SSF ++ + /* Define to 1 if you have the `gss_decapsulate_token' function. */ + #undef HAVE_GSS_DECAPSULATE_TOKEN + +@@ -141,6 +147,10 @@ + /* Define to 1 if you have the `gss_get_name_attribute' function. */ + #undef HAVE_GSS_GET_NAME_ATTRIBUTE + ++/* Define if your GSSAPI implementation defines gss_inquire_sec_context_by_oid ++ */ ++#undef HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID ++ + /* Define to 1 if you have the `gss_oid_equal' function. */ + #undef HAVE_GSS_OID_EQUAL + +diff -U3 cyrus-sasl-2.1.26.old/configure cyrus-sasl-2.1.26/configure +--- cyrus-sasl-2.1.26.old/configure 2017-09-21 10:11:30.557021831 +0200 ++++ cyrus-sasl-2.1.26/configure 2017-09-21 10:33:40.389277838 +0200 +@@ -13984,6 +13984,50 @@ + + LIBS="$cmu_save_LIBS" + ++ cmu_save_LIBS="$LIBS" ++ LIBS="$LIBS $GSSAPIBASE_LIBS" ++ for ac_func in gss_inquire_sec_context_by_oid ++do : ++ ac_fn_c_check_func "$LINENO" "gss_inquire_sec_context_by_oid" "ac_cv_func_gss_inquire_sec_context_by_oid" ++if test "x$ac_cv_func_gss_inquire_sec_context_by_oid" = xyes; then : ++ cat >>confdefs.h <<_ACEOF ++#define HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID 1 ++_ACEOF ++ ++fi ++done ++ ++ if test "$ac_cv_func_gss_inquire_sec_context_by_oid" = no ; then ++ if test "$ac_cv_header_gssapi_gssapi_ext_h" = "yes"; then ++ ac_fn_c_check_decl "$LINENO" "gss_inquire_sec_context_by_oid" "ac_cv_have_decl_gss_inquire_sec_context_by_oid" " ++ $ac_includes_default ++ #include ++ ++" ++if test "x$ac_cv_have_decl_gss_inquire_sec_context_by_oid" = xyes; then : ++ ++$as_echo "#define HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID 1" >>confdefs.h ++ ++fi ++ ++ fi ++ fi ++ if test "$ac_cv_header_gssapi_gssapi_ext_h" = "yes"; then ++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext ++/* end confdefs.h. */ ++#include ++ ++_ACEOF ++if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | ++ $EGREP "GSS_C_SEC_CONTEXT_SASL_SSF" >/dev/null 2>&1; then : ++ ++$as_echo "#define HAVE_GSS_C_SEC_CONTEXT_SASL_SSF /**/" >>confdefs.h ++ ++fi ++rm -f conftest* ++ ++ fi ++ + cmu_save_LIBS="$LIBS" + LIBS="$LIBS $GSSAPIBASE_LIBS" + { $as_echo "$as_me:$LINENO: checking for SPNEGO support in GSSAPI libraries" >&5 diff --git a/SOURCES/cyrus-sasl-2.1.26-gssapi-non-encrypt.patch b/SOURCES/cyrus-sasl-2.1.26-gssapi-non-encrypt.patch new file mode 100644 index 0000000..b066258 --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.26-gssapi-non-encrypt.patch @@ -0,0 +1,28 @@ +diff -up cyrus-sasl-2.1.26/plugins/gssapi.c.gssapi_non_encrypt cyrus-sasl-2.1.26/plugins/gssapi.c +--- cyrus-sasl-2.1.26/plugins/gssapi.c.gssapi_non_encrypt 2015-05-19 14:57:57.091212254 +0200 ++++ cyrus-sasl-2.1.26/plugins/gssapi.c 2015-05-19 15:01:41.681011361 +0200 +@@ -1159,19 +1159,18 @@ gssapi_server_mech_ssfreq(context_t *tex + } + + layerchoice = (int)(((char *)(output_token->value))[0]); +- if (layerchoice == LAYER_NONE && +- (text->qop & LAYER_NONE)) { /* no encryption */ ++ if (!(layerchoice & (LAYER_INTEGRITY | LAYER_CONFIDENTIALITY)) && ++ (text->qop & LAYER_NONE)) { /* no encryption */ + oparams->encode = NULL; + oparams->decode = NULL; + oparams->mech_ssf = 0; +- } else if (layerchoice == LAYER_INTEGRITY && ++ } else if ((layerchoice & LAYER_INTEGRITY) && + (text->qop & LAYER_INTEGRITY)) { /* integrity */ + oparams->encode = &gssapi_integrity_encode; + oparams->decode = &gssapi_decode; + oparams->mech_ssf = 1; +- } else if ((layerchoice == LAYER_CONFIDENTIALITY || +- /* For compatibility with broken clients setting both bits */ +- layerchoice == (LAYER_CONFIDENTIALITY|LAYER_INTEGRITY)) && ++ } else if (/* For compatibility with broken clients setting both bits */ ++ (layerchoice & (LAYER_CONFIDENTIALITY | LAYER_INTEGRITY)) && + (text->qop & LAYER_CONFIDENTIALITY)) { /* privacy */ + oparams->encode = &gssapi_privacy_encode; + oparams->decode = &gssapi_decode; diff --git a/SOURCES/cyrus-sasl-2.1.26-gssapi-use-per-connection-mutex.patch b/SOURCES/cyrus-sasl-2.1.26-gssapi-use-per-connection-mutex.patch new file mode 100644 index 0000000..1b3278b --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.26-gssapi-use-per-connection-mutex.patch @@ -0,0 +1,710 @@ +From 70a144cc53d09b56aa088fa1f6d433acea31afa7 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 15 Sep 2015 12:21:22 +0300 +Subject: [PATCH] gssapi: use per-connection mutex where possible + +If the same application uses SASL GSSAPI for both client and server operations, +it may be possible to deadlock in plugins/gssapi.c due to use of a +global mutex by both client and server code. Multiple outstanding connections should +be possible, thus introduce per-context locking and use it where it +makes sense. Note that there are still multiple places where context is +not available and where a global lock should be in use. + +Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1263017 +--- + plugins/gssapi.c | 225 +++++++++++++++++++++++++++++++------------------------ + 1 file changed, 126 insertions(+), 99 deletions(-) + +diff --git a/plugins/gssapi.c b/plugins/gssapi.c +index 2fd1b3b..f5d3354 100644 +--- a/plugins/gssapi.c ++++ b/plugins/gssapi.c +@@ -126,20 +126,29 @@ extern gss_OID gss_nt_service_name; + */ + + #ifdef GSS_USE_MUTEXES +-#define GSS_LOCK_MUTEX(utils) \ +- if(((sasl_utils_t *)(utils))->mutex_lock(gss_mutex) != 0) { \ ++#define GSS_LOCK_MUTEX_EXT(utils, mutex) \ ++ if(((sasl_utils_t *)(utils))->mutex_lock(mutex) != 0) { \ + return SASL_FAIL; \ + } + +-#define GSS_UNLOCK_MUTEX(utils) \ +- if(((sasl_utils_t *)(utils))->mutex_unlock(gss_mutex) != 0) { \ ++#define GSS_UNLOCK_MUTEX_EXT(utils, mutex) \ ++ if(((sasl_utils_t *)(utils))->mutex_unlock(mutex) != 0) { \ + return SASL_FAIL; \ + } + ++#define GSS_LOCK_MUTEX(utils) GSS_LOCK_MUTEX_EXT(utils, gss_mutex) ++#define GSS_UNLOCK_MUTEX(utils) GSS_UNLOCK_MUTEX_EXT(utils, gss_mutex) ++ ++#define GSS_LOCK_MUTEX_CTX(utils, ctx) GSS_LOCK_MUTEX_EXT(utils, (ctx)->ctx_mutex) ++#define GSS_UNLOCK_MUTEX_CTX(utils, ctx) GSS_UNLOCK_MUTEX_EXT(utils, (ctx)->ctx_mutex) ++ ++ + static void *gss_mutex = NULL; + #else + #define GSS_LOCK_MUTEX(utils) + #define GSS_UNLOCK_MUTEX(utils) ++#define GSS_LOCK_MUTEX_CTX(utils, ctx) ++#define GSS_UNLOCK_MUTEX_CTX(utils, ctx) + #endif + + typedef struct context { +@@ -176,6 +185,7 @@ typedef struct context { + + char *authid; /* hold the authid between steps - server */ + const char *user; /* hold the userid between steps - client */ ++ void *ctx_mutex; /* A per-context mutex */ + } context_t; + + enum { +@@ -355,7 +365,7 @@ sasl_gss_encode(void *context, const struct iovec *invec, unsigned numiov, + output_token->value = NULL; + output_token->length = 0; + +- GSS_LOCK_MUTEX(text->utils); ++ GSS_LOCK_MUTEX_CTX(text->utils, text); + maj_stat = gss_wrap (&min_stat, + text->gss_ctx, + privacy, +@@ -363,14 +373,14 @@ sasl_gss_encode(void *context, const struct iovec *invec, unsigned numiov, + input_token, + NULL, + output_token); +- GSS_UNLOCK_MUTEX(text->utils); ++ GSS_UNLOCK_MUTEX_CTX(text->utils, text); + + if (GSS_ERROR(maj_stat)) { + sasl_gss_seterror(text->utils, maj_stat, min_stat); + if (output_token->value) { +- GSS_LOCK_MUTEX(text->utils); ++ GSS_LOCK_MUTEX_CTX(text->utils, text); + gss_release_buffer(&min_stat, output_token); +- GSS_UNLOCK_MUTEX(text->utils); ++ GSS_UNLOCK_MUTEX_CTX(text->utils, text); + } + return SASL_FAIL; + } +@@ -384,9 +394,9 @@ sasl_gss_encode(void *context, const struct iovec *invec, unsigned numiov, + output_token->length + 4); + + if (ret != SASL_OK) { +- GSS_LOCK_MUTEX(text->utils); ++ GSS_LOCK_MUTEX_CTX(text->utils, text); + gss_release_buffer(&min_stat, output_token); +- GSS_UNLOCK_MUTEX(text->utils); ++ GSS_UNLOCK_MUTEX_CTX(text->utils, text); + return ret; + } + +@@ -407,9 +417,9 @@ sasl_gss_encode(void *context, const struct iovec *invec, unsigned numiov, + *output = text->encode_buf; + + if (output_token->value) { +- GSS_LOCK_MUTEX(text->utils); ++ GSS_LOCK_MUTEX_CTX(text->utils, text); + gss_release_buffer(&min_stat, output_token); +- GSS_UNLOCK_MUTEX(text->utils); ++ GSS_UNLOCK_MUTEX_CTX(text->utils, text); + } + + return SASL_OK; +@@ -455,21 +465,21 @@ gssapi_decode_packet(void *context, + output_token->value = NULL; + output_token->length = 0; + +- GSS_LOCK_MUTEX(text->utils); ++ GSS_LOCK_MUTEX_CTX(text->utils, text); + maj_stat = gss_unwrap (&min_stat, + text->gss_ctx, + input_token, + output_token, + NULL, + NULL); +- GSS_UNLOCK_MUTEX(text->utils); ++ GSS_UNLOCK_MUTEX_CTX(text->utils, text); + + if (GSS_ERROR(maj_stat)) { + sasl_gss_seterror(text->utils,maj_stat,min_stat); + if (output_token->value) { +- GSS_LOCK_MUTEX(text->utils); ++ GSS_LOCK_MUTEX_CTX(text->utils, text); + gss_release_buffer(&min_stat, output_token); +- GSS_UNLOCK_MUTEX(text->utils); ++ GSS_UNLOCK_MUTEX_CTX(text->utils, text); + } + return SASL_FAIL; + } +@@ -484,17 +494,17 @@ gssapi_decode_packet(void *context, + &text->decode_once_buf_len, + *outputlen); + if (result != SASL_OK) { +- GSS_LOCK_MUTEX(text->utils); ++ GSS_LOCK_MUTEX_CTX(text->utils, text); + gss_release_buffer(&min_stat, output_token); +- GSS_UNLOCK_MUTEX(text->utils); ++ GSS_UNLOCK_MUTEX_CTX(text->utils, text); + return result; + } + *output = text->decode_once_buf; + memcpy(*output, output_token->value, *outputlen); + } +- GSS_LOCK_MUTEX(text->utils); ++ GSS_LOCK_MUTEX_CTX(text->utils, text); + gss_release_buffer(&min_stat, output_token); +- GSS_UNLOCK_MUTEX(text->utils); ++ GSS_UNLOCK_MUTEX_CTX(text->utils, text); + } + + return SASL_OK; +@@ -525,7 +535,14 @@ static context_t *sasl_gss_new_context(const sasl_utils_t *utils) + + memset(ret,0,sizeof(context_t)); + ret->utils = utils; +- ++#ifdef GSS_USE_MUTEXES ++ ret->ctx_mutex = utils->mutex_alloc(); ++ if (!ret->ctx_mutex) { ++ utils->free(ret); ++ return NULL; ++ } ++#endif ++ + return ret; + } + +@@ -535,7 +552,11 @@ static int sasl_gss_free_context_contents(context_t *text) + + if (!text) return SASL_OK; + +- GSS_LOCK_MUTEX(text->utils); ++#ifdef GSS_USE_MUTEXES ++ if (text->ctx_mutex) { ++ GSS_LOCK_MUTEX_CTX(text->utils, text); ++ } ++#endif + + if (text->gss_ctx != GSS_C_NO_CONTEXT) { + maj_stat = gss_delete_sec_context(&min_stat,&text->gss_ctx, +@@ -563,8 +584,6 @@ static int sasl_gss_free_context_contents(context_t *text) + text->client_creds = GSS_C_NO_CREDENTIAL; + } + +- GSS_UNLOCK_MUTEX(text->utils); +- + if (text->out_buf) { + text->utils->free(text->out_buf); + text->out_buf = NULL; +@@ -598,6 +617,14 @@ static int sasl_gss_free_context_contents(context_t *text) + text->authid = NULL; + } + ++#ifdef GSS_USE_MUTEXES ++ if (text->ctx_mutex) { ++ GSS_UNLOCK_MUTEX_CTX(text->utils, text); ++ text->utils->mutex_free(text->ctx_mutex); ++ text->ctx_mutex = NULL; ++ } ++#endif ++ + return SASL_OK; + + } +@@ -692,12 +719,12 @@ gssapi_server_mech_authneg(context_t *text, + } + sprintf(name_token.value,"%s@%s", params->service, params->serverFQDN); + +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + maj_stat = gss_import_name (&min_stat, + &name_token, + GSS_C_NT_HOSTBASED_SERVICE, + &text->server_name); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + + params->utils->free(name_token.value); + name_token.value = NULL; +@@ -709,15 +736,15 @@ gssapi_server_mech_authneg(context_t *text, + } + + if ( text->server_creds != GSS_C_NO_CREDENTIAL) { +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + maj_stat = gss_release_cred(&min_stat, &text->server_creds); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + text->server_creds = GSS_C_NO_CREDENTIAL; + } + + /* If caller didn't provide creds already */ + if ( server_creds == GSS_C_NO_CREDENTIAL) { +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + maj_stat = gss_acquire_cred(&min_stat, + text->server_name, + GSS_C_INDEFINITE, +@@ -726,7 +753,7 @@ gssapi_server_mech_authneg(context_t *text, + &text->server_creds, + NULL, + NULL); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + + if (GSS_ERROR(maj_stat)) { + sasl_gss_seterror(text->utils, maj_stat, min_stat); +@@ -743,7 +770,7 @@ gssapi_server_mech_authneg(context_t *text, + } + + +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + maj_stat = + gss_accept_sec_context(&min_stat, + &(text->gss_ctx), +@@ -756,15 +783,15 @@ gssapi_server_mech_authneg(context_t *text, + &out_flags, + NULL, /* context validity period */ + &(text->client_creds)); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + + if (GSS_ERROR(maj_stat)) { + sasl_gss_log(text->utils, maj_stat, min_stat); + text->utils->seterror(text->utils->conn, SASL_NOLOG, "GSSAPI Failure: gss_accept_sec_context"); + if (output_token->value) { +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + gss_release_buffer(&min_stat, output_token); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + } + sasl_gss_free_context_contents(text); + return SASL_BADAUTH; +@@ -778,18 +805,18 @@ gssapi_server_mech_authneg(context_t *text, + ret = _plug_buf_alloc(text->utils, &(text->out_buf), + &(text->out_buf_len), *serveroutlen); + if(ret != SASL_OK) { +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + gss_release_buffer(&min_stat, output_token); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + return ret; + } + memcpy(text->out_buf, output_token->value, *serveroutlen); + *serverout = text->out_buf; + } + +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + gss_release_buffer(&min_stat, output_token); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + } else { + /* No output token, send an empty string */ + *serverout = GSSAPI_BLANK_STRING; +@@ -832,12 +859,12 @@ gssapi_server_mech_authneg(context_t *text, + /* continue with authentication */ + } + +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + maj_stat = gss_canonicalize_name(&min_stat, + text->client_name, + mech_type, + &client_name_MN); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + + if (GSS_ERROR(maj_stat)) { + SETERROR(text->utils, "GSSAPI Failure: gss_canonicalize_name"); +@@ -848,12 +875,12 @@ gssapi_server_mech_authneg(context_t *text, + name_token.value = NULL; + name_without_realm.value = NULL; + +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + maj_stat = gss_display_name (&min_stat, + client_name_MN, + &name_token, + NULL); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + + if (GSS_ERROR(maj_stat)) { + SETERROR(text->utils, "GSSAPI Failure: gss_display_name"); +@@ -883,7 +910,7 @@ gssapi_server_mech_authneg(context_t *text, + + name_without_realm.length = strlen( (char *) name_without_realm.value ); + +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + maj_stat = gss_import_name (&min_stat, + &name_without_realm, + /* Solaris 8/9 gss_import_name doesn't accept GSS_C_NULL_OID here, +@@ -894,7 +921,7 @@ gssapi_server_mech_authneg(context_t *text, + GSS_C_NULL_OID, + #endif + &without); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + + if (GSS_ERROR(maj_stat)) { + SETERROR(text->utils, "GSSAPI Failure: gss_import_name"); +@@ -903,12 +930,12 @@ gssapi_server_mech_authneg(context_t *text, + goto cleanup; + } + +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + maj_stat = gss_compare_name(&min_stat, + client_name_MN, + without, + &equal); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + + if (GSS_ERROR(maj_stat)) { + SETERROR(text->utils, "GSSAPI Failure: gss_compare_name"); +@@ -1053,7 +1080,7 @@ gssapi_server_mech_ssfcap(context_t *text, + real_input_token.value = (void *)sasldata; + real_input_token.length = 4; + +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + maj_stat = gss_wrap(&min_stat, + text->gss_ctx, + 0, /* Just integrity checking here */ +@@ -1061,14 +1088,14 @@ gssapi_server_mech_ssfcap(context_t *text, + input_token, + NULL, + output_token); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + + if (GSS_ERROR(maj_stat)) { + sasl_gss_seterror(text->utils, maj_stat, min_stat); + if (output_token->value) { +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + gss_release_buffer(&min_stat, output_token); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + } + sasl_gss_free_context_contents(text); + return SASL_FAIL; +@@ -1082,18 +1109,18 @@ gssapi_server_mech_ssfcap(context_t *text, + ret = _plug_buf_alloc(text->utils, &(text->out_buf), + &(text->out_buf_len), *serveroutlen); + if(ret != SASL_OK) { +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + gss_release_buffer(&min_stat, output_token); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + return ret; + } + memcpy(text->out_buf, output_token->value, *serveroutlen); + *serverout = text->out_buf; + } + +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + gss_release_buffer(&min_stat, output_token); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + } + + /* Wait for ssf request and authid */ +@@ -1124,14 +1151,14 @@ gssapi_server_mech_ssfreq(context_t *text, + real_input_token.value = (void *)clientin; + real_input_token.length = clientinlen; + +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + maj_stat = gss_unwrap(&min_stat, + text->gss_ctx, + input_token, + output_token, + NULL, + NULL); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + + if (GSS_ERROR(maj_stat)) { + sasl_gss_seterror(text->utils, maj_stat, min_stat); +@@ -1142,9 +1169,9 @@ gssapi_server_mech_ssfreq(context_t *text, + if (output_token->length < 4) { + SETERROR(text->utils, + "token too short"); +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + gss_release_buffer(&min_stat, output_token); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + sasl_gss_free_context_contents(text); + return SASL_FAIL; + } +@@ -1175,9 +1202,9 @@ gssapi_server_mech_ssfreq(context_t *text, + /* Mark that we attempted negotiation */ + oparams->mech_ssf = 2; + if (output_token->value) { +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + gss_release_buffer(&min_stat, output_token); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + } + sasl_gss_free_context_contents(text); + return SASL_FAIL; +@@ -1221,9 +1248,9 @@ gssapi_server_mech_ssfreq(context_t *text, + } + } + +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + gss_release_buffer(&min_stat, output_token); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + + text->state = SASL_GSSAPI_STATE_AUTHENTICATED; + +@@ -1547,12 +1574,12 @@ static int gssapi_client_mech_step(void *conn_context, + + sprintf(name_token.value,"%s@%s", params->service, params->serverFQDN); + +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + maj_stat = gss_import_name (&min_stat, + &name_token, + GSS_C_NT_HOSTBASED_SERVICE, + &text->server_name); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + + params->utils->free(name_token.value); + name_token.value = NULL; +@@ -1576,9 +1603,9 @@ static int gssapi_client_mech_step(void *conn_context, + * and no input from the server. However, thanks to Imap, + * which discards our first output, this happens all the time. + * Throw away the context and try again. */ +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + maj_stat = gss_delete_sec_context (&min_stat,&text->gss_ctx,GSS_C_NO_BUFFER); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + text->gss_ctx = GSS_C_NO_CONTEXT; + } + +@@ -1600,7 +1627,7 @@ static int gssapi_client_mech_step(void *conn_context, + req_flags = req_flags | GSS_C_DELEG_FLAG; + } + +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + maj_stat = gss_init_sec_context(&min_stat, + client_creds, /* GSS_C_NO_CREDENTIAL */ + &text->gss_ctx, +@@ -1614,14 +1641,14 @@ static int gssapi_client_mech_step(void *conn_context, + output_token, + &out_req_flags, + NULL); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + + if (GSS_ERROR(maj_stat)) { + sasl_gss_seterror(text->utils, maj_stat, min_stat); + if (output_token->value) { +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + gss_release_buffer(&min_stat, output_token); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + } + sasl_gss_free_context_contents(text); + return SASL_FAIL; +@@ -1652,22 +1679,22 @@ static int gssapi_client_mech_step(void *conn_context, + ret = _plug_buf_alloc(text->utils, &(text->out_buf), + &(text->out_buf_len), *clientoutlen); + if(ret != SASL_OK) { +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + gss_release_buffer(&min_stat, output_token); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + return ret; + } + memcpy(text->out_buf, output_token->value, *clientoutlen); + *clientout = text->out_buf; + } + +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + gss_release_buffer(&min_stat, output_token); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + } + + if (maj_stat == GSS_S_COMPLETE) { +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + maj_stat = gss_inquire_context(&min_stat, + text->gss_ctx, + &text->client_name, +@@ -1678,7 +1705,7 @@ static int gssapi_client_mech_step(void *conn_context, + NULL, /* flags */ + NULL, /* local init */ + NULL); /* open */ +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + + if (GSS_ERROR(maj_stat)) { + sasl_gss_seterror(text->utils, maj_stat, min_stat); +@@ -1687,18 +1714,18 @@ static int gssapi_client_mech_step(void *conn_context, + } + + name_token.length = 0; +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + maj_stat = gss_display_name(&min_stat, + text->client_name, + &name_token, + NULL); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + + if (GSS_ERROR(maj_stat)) { + if (name_token.value) { +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + gss_release_buffer(&min_stat, &name_token); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + } + SETERROR(text->utils, "GSSAPI Failure"); + sasl_gss_free_context_contents(text); +@@ -1719,9 +1746,9 @@ static int gssapi_client_mech_step(void *conn_context, + SASL_CU_AUTHID | SASL_CU_AUTHZID, + oparams); + } +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + gss_release_buffer(&min_stat, &name_token); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + + if (ret != SASL_OK) return ret; + +@@ -1747,32 +1774,32 @@ static int gssapi_client_mech_step(void *conn_context, + real_input_token.value = (void *) serverin; + real_input_token.length = serverinlen; + +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + maj_stat = gss_unwrap(&min_stat, + text->gss_ctx, + input_token, + output_token, + NULL, + NULL); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + + if (GSS_ERROR(maj_stat)) { + sasl_gss_seterror(text->utils, maj_stat, min_stat); +- sasl_gss_free_context_contents(text); + if (output_token->value) { +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + gss_release_buffer(&min_stat, output_token); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + } ++ sasl_gss_free_context_contents(text); + return SASL_FAIL; + } + + if (output_token->length != 4) { + SETERROR(text->utils, + (output_token->length < 4) ? "token too short" : "token too long"); +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + gss_release_buffer(&min_stat, output_token); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + sasl_gss_free_context_contents(text); + return SASL_FAIL; + } +@@ -1873,9 +1900,9 @@ static int gssapi_client_mech_step(void *conn_context, + } + } + +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + gss_release_buffer(&min_stat, output_token); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + + /* oparams->user is always set, due to canon_user requirements. + * Make sure the client actually requested it though, by checking +@@ -1921,7 +1948,7 @@ static int gssapi_client_mech_step(void *conn_context, + } + ((unsigned char *)input_token->value)[0] = mychoice; + +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + maj_stat = gss_wrap (&min_stat, + text->gss_ctx, + 0, /* Just integrity checking here */ +@@ -1929,7 +1956,7 @@ static int gssapi_client_mech_step(void *conn_context, + input_token, + NULL, + output_token); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + + params->utils->free(input_token->value); + input_token->value = NULL; +@@ -1937,9 +1964,9 @@ static int gssapi_client_mech_step(void *conn_context, + if (GSS_ERROR(maj_stat)) { + sasl_gss_seterror(text->utils, maj_stat, min_stat); + if (output_token->value) { +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + gss_release_buffer(&min_stat, output_token); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + } + sasl_gss_free_context_contents(text); + return SASL_FAIL; +@@ -1955,18 +1982,18 @@ static int gssapi_client_mech_step(void *conn_context, + &(text->out_buf_len), + *clientoutlen); + if (ret != SASL_OK) { +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + gss_release_buffer(&min_stat, output_token); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + return ret; + } + memcpy(text->out_buf, output_token->value, *clientoutlen); + *clientout = text->out_buf; + } + +- GSS_LOCK_MUTEX(params->utils); ++ GSS_LOCK_MUTEX_CTX(params->utils, text); + gss_release_buffer(&min_stat, output_token); +- GSS_UNLOCK_MUTEX(params->utils); ++ GSS_UNLOCK_MUTEX_CTX(params->utils, text); + + } + +-- +2.4.3 + + diff --git a/SOURCES/cyrus-sasl-2.1.26-handle-single-character-mechanisms.patch b/SOURCES/cyrus-sasl-2.1.26-handle-single-character-mechanisms.patch new file mode 100644 index 0000000..6931d4d --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.26-handle-single-character-mechanisms.patch @@ -0,0 +1,29 @@ +From 7739268e775e6ed91509727b014cc1d367ad386d Mon Sep 17 00:00:00 2001 +From: Alexey Melnikov +Date: Sun, 30 Mar 2014 15:13:34 +0100 +Subject: When processing a list of mechanism names, we shouldn't allow a short + prefix match the whole mechanism name + +"A", "AN", etc where matching "ANONYMOUS". This patch fixes that. + +As reported by plautrba@redhat.com + +diff --git a/lib/common.c b/lib/common.c +index e0f59eb..672fe2f 100644 +--- a/lib/common.c ++++ b/lib/common.c +@@ -2428,6 +2428,11 @@ int _sasl_is_equal_mech(const char *req_mech, + *plus = 0; + } + ++ if (n < strlen(plug_mech)) { ++ /* Don't allow arbitrary prefix match */ ++ return 0; ++ } ++ + return (strncasecmp(req_mech, plug_mech, n) == 0); + } + +-- +cgit v0.10.2 + diff --git a/SOURCES/cyrus-sasl-2.1.26-keytab.patch b/SOURCES/cyrus-sasl-2.1.26-keytab.patch new file mode 100644 index 0000000..390b517 --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.26-keytab.patch @@ -0,0 +1,36 @@ +diff --git a/cmulocal/sasl2.m4 b/cmulocal/sasl2.m4 +index 3c2841a..b086b8f 100644 +--- a/cmulocal/sasl2.m4 ++++ b/cmulocal/sasl2.m4 +@@ -269,6 +269,18 @@ if test "$gssapi" != no; then + cmu_save_LIBS="$LIBS" + LIBS="$LIBS $GSSAPIBASE_LIBS" + AC_CHECK_FUNCS(gsskrb5_register_acceptor_identity) ++ if test "$ac_cv_func_gsskrb5_register_acceptor_identity" = no ; then ++ AC_CHECK_HEADERS(gssapi/gssapi_krb5.h) ++ if test "$ac_cv_header_gssapi_gssapi_krb5_h" = "yes"; then ++ AC_CHECK_DECL(gsskrb5_register_acceptor_identity, ++ [AC_DEFINE(HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY,1, ++ [Define if your GSSAPI implementation defines gsskrb5_register_acceptor_identity])],, ++ [ ++ AC_INCLUDES_DEFAULT ++ #include ++ ]) ++ fi ++ fi + AC_CHECK_FUNCS(gss_decapsulate_token) + AC_CHECK_FUNCS(gss_encapsulate_token) + AC_CHECK_FUNCS(gss_oid_equal) +diff --git a/plugins/gssapi.c b/plugins/gssapi.c +index 6be9d23..e6fcf46 100644 +--- a/plugins/gssapi.c ++++ b/plugins/gssapi.c +@@ -51,6 +51,8 @@ + #include + #endif + ++#include ++ + #ifdef WIN32 + # include + diff --git a/SOURCES/cyrus-sasl-2.1.26-make-client-thread-sage.patch b/SOURCES/cyrus-sasl-2.1.26-make-client-thread-sage.patch new file mode 100644 index 0000000..9deee8b --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.26-make-client-thread-sage.patch @@ -0,0 +1,66 @@ +From 3d48a475054911856b736ca2720b82f529dd68cf Mon Sep 17 00:00:00 2001 +From: Noriko Hosoi +Date: Wed, 1 Oct 2014 14:20:27 -0700 +Subject: [PATCH] Bug 1147659 - cyrus-sasl client library (client.c) is not + thread safe + +Description: client_dispose (lib/clinet.c) which closes a connection +of a sasl client frees mech_list if the head of the list differs +from the head of the global cmechlist->mech_list. But there was a +possibility that the list appears in the middle of the global mech +list. By freeing the mech, it crashed a multi-threaded sasl client. + +This patch checks each mech if it is in the global mech list or not. +Only if it is not, the mech is freed. +--- + lib/client.c | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +diff --git a/lib/client.c b/lib/client.c +index 31fe346..3f76483 100644 +--- a/lib/client.c ++++ b/lib/client.c +@@ -324,6 +324,26 @@ int sasl_client_init(const sasl_callback_t *callbacks) + return ret; + } + ++/* ++ * If mech is in cmechlist->mech_list, return 1 ++ * Otherwise, return 0 ++ */ ++static int mech_is_in_cmechlist(cmechanism_t *mech) ++{ ++ cmechanism_t *m = cmechlist->mech_list; ++ if (NULL == mech) { ++ return 0; ++ } ++ ++ while (m && mech) { ++ if (m == mech) { ++ return 1; ++ } ++ m = m->next; ++ } ++ return 0; ++} ++ + static void client_dispose(sasl_conn_t *pconn) + { + sasl_client_conn_t *c_conn=(sasl_client_conn_t *) pconn; +@@ -352,6 +372,13 @@ static void client_dispose(sasl_conn_t *pconn) + while (m) { + prevm = m; + m = m->next; ++ if (mech_is_in_cmechlist(prevm)) { ++ /* ++ * If prevm exists in the global mech_list cmechlist->mech_list, ++ * we should not free it as well as the rest of the list. ++ */ ++ break; ++ } + sasl_FREE(prevm); + } + } +-- +1.9.3 + diff --git a/SOURCES/cyrus-sasl-2.1.26-md5global.patch b/SOURCES/cyrus-sasl-2.1.26-md5global.patch new file mode 100644 index 0000000..744962f --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.26-md5global.patch @@ -0,0 +1,385 @@ +diff -up cyrus-sasl-2.1.26/include/Makefile.am.md5global.h cyrus-sasl-2.1.26/include/Makefile.am +--- cyrus-sasl-2.1.26/include/Makefile.am.md5global.h 2012-01-28 00:31:36.000000000 +0100 ++++ cyrus-sasl-2.1.26/include/Makefile.am 2013-09-03 13:12:17.623999149 +0200 +@@ -47,16 +47,7 @@ noinst_HEADERS = gai.h exits.h + saslincludedir = $(includedir)/sasl + saslinclude_HEADERS = hmac-md5.h md5.h md5global.h sasl.h saslplug.h saslutil.h prop.h + +-noinst_PROGRAMS = makemd5 +- +-makemd5_SOURCES = makemd5.c +- +-md5global.h: makemd5 +- -rm -f md5global.h +- ./makemd5 md5global.h +- + EXTRA_DIST = NTMakefile +-DISTCLEANFILES = md5global.h + + if MACOSX + framedir = /Library/Frameworks/SASL2.framework +diff -up cyrus-sasl-2.1.26/include/Makefile.in.md5global.h cyrus-sasl-2.1.26/include/Makefile.in +--- cyrus-sasl-2.1.26/include/Makefile.in.md5global.h 2013-09-03 13:09:27.860999892 +0200 ++++ cyrus-sasl-2.1.26/include/Makefile.in 2013-09-03 13:12:21.726000002 +0200 +@@ -1,4 +1,4 @@ +-# Makefile.in generated by automake 1.11 from Makefile.am. ++# Makefile.in generated by automake 1.11.1 from Makefile.am. + # @configure_input@ + + # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +@@ -60,7 +60,6 @@ + ################################################################ + + +- + VPATH = @srcdir@ + pkgdatadir = $(datadir)/@PACKAGE@ + pkgincludedir = $(includedir)/@PACKAGE@ +@@ -81,48 +80,19 @@ POST_UNINSTALL = : + build_triplet = @build@ + host_triplet = @host@ + target_triplet = @target@ +-noinst_PROGRAMS = makemd5$(EXEEXT) + subdir = include + DIST_COMMON = $(noinst_HEADERS) $(saslinclude_HEADERS) \ + $(srcdir)/Makefile.am $(srcdir)/Makefile.in + ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +-am__aclocal_m4_deps = $(top_srcdir)/config/kerberos_v4.m4 \ +- $(top_srcdir)/config/libtool.m4 $(top_srcdir)/config/plain.m4 \ +- $(top_srcdir)/config/sasldb.m4 \ +- $(top_srcdir)/cmulocal/berkdb.m4 \ +- $(top_srcdir)/cmulocal/bsd_sockets.m4 \ +- $(top_srcdir)/cmulocal/c-attribute.m4 \ +- $(top_srcdir)/cmulocal/common.m4 \ +- $(top_srcdir)/cmulocal/cyrus.m4 \ +- $(top_srcdir)/cmulocal/init_automake.m4 \ +- $(top_srcdir)/cmulocal/ipv6.m4 \ +- $(top_srcdir)/cmulocal/openldap.m4 \ +- $(top_srcdir)/cmulocal/openssl.m4 \ +- $(top_srcdir)/cmulocal/sasl2.m4 $(top_srcdir)/configure.in ++am__aclocal_m4_deps = $(top_srcdir)/configure.in + am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) + mkinstalldirs = $(SHELL) $(top_srcdir)/config/mkinstalldirs + CONFIG_HEADER = $(top_builddir)/config.h + CONFIG_CLEAN_FILES = + CONFIG_CLEAN_VPATH_FILES = +-PROGRAMS = $(noinst_PROGRAMS) +-am_makemd5_OBJECTS = makemd5.$(OBJEXT) +-makemd5_OBJECTS = $(am_makemd5_OBJECTS) +-makemd5_LDADD = $(LDADD) +-DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +-depcomp = $(SHELL) $(top_srcdir)/config/depcomp +-am__depfiles_maybe = depfiles +-am__mv = mv -f +-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ +- $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +-LTCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ +- --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ +- $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +-CCLD = $(CC) +-LINK = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link \ +- $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +-SOURCES = $(makemd5_SOURCES) +-DIST_SOURCES = $(makemd5_SOURCES) ++SOURCES = ++DIST_SOURCES = + am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; + am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ +@@ -153,6 +123,7 @@ CTAGS = ctags + DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) + ACLOCAL = @ACLOCAL@ + AMTAR = @AMTAR@ ++AR = @AR@ + AUTOCONF = @AUTOCONF@ + AUTOHEADER = @AUTOHEADER@ + AUTOMAKE = @AUTOMAKE@ +@@ -160,7 +131,6 @@ AWK = @AWK@ + CC = @CC@ + CCDEPMODE = @CCDEPMODE@ + CFLAGS = @CFLAGS@ +-CMU_LIB_SUBDIR = @CMU_LIB_SUBDIR@ + CPP = @CPP@ + CPPFLAGS = @CPPFLAGS@ + CYGPATH_W = @CYGPATH_W@ +@@ -168,17 +138,18 @@ DEFS = @DEFS@ + DEPDIR = @DEPDIR@ + DIRS = @DIRS@ + DMALLOC_LIBS = @DMALLOC_LIBS@ ++DSYMUTIL = @DSYMUTIL@ ++DUMPBIN = @DUMPBIN@ + ECHO_C = @ECHO_C@ + ECHO_N = @ECHO_N@ + ECHO_T = @ECHO_T@ + EGREP = @EGREP@ + EXEEXT = @EXEEXT@ ++FGREP = @FGREP@ + GETADDRINFOOBJS = @GETADDRINFOOBJS@ + GETNAMEINFOOBJS = @GETNAMEINFOOBJS@ + GETSUBOPT = @GETSUBOPT@ + GREP = @GREP@ +-GSSAPIBASE_LIBS = @GSSAPIBASE_LIBS@ +-GSSAPI_LIBS = @GSSAPI_LIBS@ + INSTALL = @INSTALL@ + INSTALL_DATA = @INSTALL_DATA@ + INSTALL_PROGRAM = @INSTALL_PROGRAM@ +@@ -190,19 +161,18 @@ JAVADOC = @JAVADOC@ + JAVAH = @JAVAH@ + JAVAROOT = @JAVAROOT@ + JAVA_INCLUDES = @JAVA_INCLUDES@ ++LD = @LD@ + LDFLAGS = @LDFLAGS@ + LIBOBJS = @LIBOBJS@ + LIBS = @LIBS@ + LIBTOOL = @LIBTOOL@ +-LIB_CRYPT = @LIB_CRYPT@ +-LIB_DES = @LIB_DES@ + LIB_DOOR = @LIB_DOOR@ + LIB_LDAP = @LIB_LDAP@ + LIB_MYSQL = @LIB_MYSQL@ + LIB_PGSQL = @LIB_PGSQL@ +-LIB_SOCKET = @LIB_SOCKET@ + LIB_SQLITE = @LIB_SQLITE@ + LIB_SQLITE3 = @LIB_SQLITE3@ ++LIPO = @LIPO@ + LN_S = @LN_S@ + LTGETADDRINFOOBJS = @LTGETADDRINFOOBJS@ + LTGETNAMEINFOOBJS = @LTGETNAMEINFOOBJS@ +@@ -211,8 +181,12 @@ LTSNPRINTFOBJS = @LTSNPRINTFOBJS@ + MAKEINFO = @MAKEINFO@ + MKDIR_P = @MKDIR_P@ + NM = @NM@ ++NMEDIT = @NMEDIT@ + NTLM_LIBS = @NTLM_LIBS@ ++OBJDUMP = @OBJDUMP@ + OBJEXT = @OBJEXT@ ++OTOOL = @OTOOL@ ++OTOOL64 = @OTOOL64@ + OTP_LIBS = @OTP_LIBS@ + PACKAGE = @PACKAGE@ + PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +@@ -222,19 +196,11 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ + PACKAGE_VERSION = @PACKAGE_VERSION@ + PASSDSS_LIBS = @PASSDSS_LIBS@ + PATH_SEPARATOR = @PATH_SEPARATOR@ +-PLAIN_LIBS = @PLAIN_LIBS@ + PURECOV = @PURECOV@ + PURIFY = @PURIFY@ + PWCHECKMETH = @PWCHECKMETH@ + RANLIB = @RANLIB@ +-SASL_DB_BACKEND = @SASL_DB_BACKEND@ +-SASL_DB_BACKEND_STATIC = @SASL_DB_BACKEND_STATIC@ +-SASL_DB_INC = @SASL_DB_INC@ +-SASL_DB_LIB = @SASL_DB_LIB@ +-SASL_DB_MANS = @SASL_DB_MANS@ +-SASL_DB_UTILS = @SASL_DB_UTILS@ + SASL_DL_LIB = @SASL_DL_LIB@ +-SASL_KRB_LIB = @SASL_KRB_LIB@ + SASL_MECHS = @SASL_MECHS@ + SASL_STATIC_LIBS = @SASL_STATIC_LIBS@ + SASL_STATIC_OBJS = @SASL_STATIC_OBJS@ +@@ -242,6 +208,7 @@ SASL_STATIC_SRCS = @SASL_STATIC_SRCS@ + SASL_UTIL_HEADERS_EXTRA = @SASL_UTIL_HEADERS_EXTRA@ + SASL_UTIL_LIBS_EXTRA = @SASL_UTIL_LIBS_EXTRA@ + SCRAM_LIBS = @SCRAM_LIBS@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SFIO_INC_FLAGS = @SFIO_INC_FLAGS@ + SFIO_LIB_FLAGS = @SFIO_LIB_FLAGS@ +@@ -256,6 +223,7 @@ abs_srcdir = @abs_srcdir@ + abs_top_builddir = @abs_top_builddir@ + abs_top_srcdir = @abs_top_srcdir@ + ac_ct_CC = @ac_ct_CC@ ++ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ + am__include = @am__include@ + am__leading_dot = @am__leading_dot@ + am__quote = @am__quote@ +@@ -287,6 +255,7 @@ libdir = @libdir@ + libexecdir = @libexecdir@ + localedir = @localedir@ + localstatedir = @localstatedir@ ++lt_ECHO = @lt_ECHO@ + mandir = @mandir@ + mkdir_p = @mkdir_p@ + oldincludedir = @oldincludedir@ +@@ -311,16 +280,13 @@ top_srcdir = @top_srcdir@ + noinst_HEADERS = gai.h exits.h + saslincludedir = $(includedir)/sasl + saslinclude_HEADERS = hmac-md5.h md5.h md5global.h sasl.h saslplug.h saslutil.h prop.h +-makemd5_SOURCES = makemd5.c + EXTRA_DIST = NTMakefile +-DISTCLEANFILES = md5global.h + @MACOSX_TRUE@framedir = /Library/Frameworks/SASL2.framework + @MACOSX_TRUE@frameheaderdir = $(framedir)/Versions/A/Headers + @MACOSX_TRUE@frameheader_DATA = $(saslinclude_HEADERS) + all: all-am + + .SUFFIXES: +-.SUFFIXES: .c .lo .o .obj + $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ +@@ -352,47 +318,6 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + $(am__aclocal_m4_deps): + +-clean-noinstPROGRAMS: +- @list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \ +- echo " rm -f" $$list; \ +- rm -f $$list || exit $$?; \ +- test -n "$(EXEEXT)" || exit 0; \ +- list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ +- echo " rm -f" $$list; \ +- rm -f $$list +-makemd5$(EXEEXT): $(makemd5_OBJECTS) $(makemd5_DEPENDENCIES) +- @rm -f makemd5$(EXEEXT) +- $(LINK) $(makemd5_OBJECTS) $(makemd5_LDADD) $(LIBS) +- +-mostlyclean-compile: +- -rm -f *.$(OBJEXT) +- +-distclean-compile: +- -rm -f *.tab.c +- +-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/makemd5.Po@am__quote@ +- +-.c.o: +-@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +-@am__fastdepCC_FALSE@ $(COMPILE) -c $< +- +-.c.obj: +-@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +-@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` +- +-.c.lo: +-@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +-@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< +- + mostlyclean-libtool: + -rm -f *.lo + +@@ -523,7 +448,7 @@ distdir: $(DISTFILES) + done + check-am: all-am + check: check-am +-all-am: Makefile $(PROGRAMS) $(DATA) $(HEADERS) ++all-am: Makefile $(DATA) $(HEADERS) + installdirs: + for dir in "$(DESTDIR)$(frameheaderdir)" "$(DESTDIR)$(saslincludedir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ +@@ -549,21 +474,17 @@ clean-generic: + distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) +- -test -z "$(DISTCLEANFILES)" || rm -f $(DISTCLEANFILES) + + maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." + clean: clean-am + +-clean-am: clean-generic clean-libtool clean-noinstPROGRAMS \ +- mostlyclean-am ++clean-am: clean-generic clean-libtool mostlyclean-am + + distclean: distclean-am +- -rm -rf ./$(DEPDIR) + -rm -f Makefile +-distclean-am: clean-am distclean-compile distclean-generic \ +- distclean-tags ++distclean-am: clean-am distclean-generic distclean-tags + + dvi: dvi-am + +@@ -606,14 +527,12 @@ install-ps-am: + installcheck-am: + + maintainer-clean: maintainer-clean-am +- -rm -rf ./$(DEPDIR) + -rm -f Makefile + maintainer-clean-am: distclean-am maintainer-clean-generic + + mostlyclean: mostlyclean-am + +-mostlyclean-am: mostlyclean-compile mostlyclean-generic \ +- mostlyclean-libtool ++mostlyclean-am: mostlyclean-generic mostlyclean-libtool + + pdf: pdf-am + +@@ -628,26 +547,21 @@ uninstall-am: uninstall-frameheaderDATA + .MAKE: install-am install-strip + + .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ +- clean-libtool clean-noinstPROGRAMS ctags distclean \ +- distclean-compile distclean-generic distclean-libtool \ +- distclean-tags distdir dvi dvi-am html html-am info info-am \ +- install install-am install-data install-data-am install-dvi \ +- install-dvi-am install-exec install-exec-am \ +- install-frameheaderDATA install-html install-html-am \ +- install-info install-info-am install-man install-pdf \ +- install-pdf-am install-ps install-ps-am \ ++ clean-libtool ctags distclean distclean-generic \ ++ distclean-libtool distclean-tags distdir dvi dvi-am html \ ++ html-am info info-am install install-am install-data \ ++ install-data-am install-dvi install-dvi-am install-exec \ ++ install-exec-am install-frameheaderDATA install-html \ ++ install-html-am install-info install-info-am install-man \ ++ install-pdf install-pdf-am install-ps install-ps-am \ + install-saslincludeHEADERS install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ +- maintainer-clean-generic mostlyclean mostlyclean-compile \ +- mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ +- tags uninstall uninstall-am uninstall-frameheaderDATA \ ++ maintainer-clean-generic mostlyclean mostlyclean-generic \ ++ mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \ ++ uninstall-am uninstall-frameheaderDATA \ + uninstall-saslincludeHEADERS + + +-md5global.h: makemd5 +- -rm -f md5global.h +- ./makemd5 md5global.h +- + # Tell versions [3.59,3.63) of GNU make to not export all variables. + # Otherwise a system limit (for SysV at least) may be exceeded. + .NOEXPORT: +diff -up cyrus-sasl-2.1.26/include/md5global.h.md5global.h cyrus-sasl-2.1.26/include/md5global.h +--- cyrus-sasl-2.1.26/include/md5global.h.md5global.h 2012-10-15 20:17:34.000000000 +0200 ++++ cyrus-sasl-2.1.26/include/md5global.h 2013-09-03 13:09:19.562000004 +0200 +@@ -15,14 +15,17 @@ The following makes PROTOTYPES default t + /* POINTER defines a generic pointer type */ + typedef unsigned char *POINTER; + +-typedef signed char INT1; /* 8 bits */ +-typedef short INT2; /* 16 bits */ +-typedef int INT4; /* 32 bits */ +-/* There is no 64 bit type */ +-typedef unsigned char UINT1; /* 8 bits */ +-typedef unsigned short UINT2; /* 16 bits */ +-typedef unsigned int UINT4; /* 32 bits */ +-/* There is no 64 bit type */ ++/* We try to define integer types for our use */ ++#include ++ ++typedef int8_t INT1; /* 8 bits */ ++typedef int16_t INT2; /* 16 bits */ ++typedef int32_t INT4; /* 32 bits */ ++typedef int64_t INT8; /* 64 bits */ ++typedef uint8_t UINT1; /* 8 bits */ ++typedef uint16_t UINT2; /* 16 bits */ ++typedef uint32_t UINT4; /* 32 bits */ ++typedef uint64_t UINT8; /* 64 bits */ + + /* PROTO_LIST is defined depending on how PROTOTYPES is defined above. + If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it diff --git a/SOURCES/cyrus-sasl-2.1.26-null-crypt.patch b/SOURCES/cyrus-sasl-2.1.26-null-crypt.patch new file mode 100644 index 0000000..ce9b5e2 --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.26-null-crypt.patch @@ -0,0 +1,86 @@ +diff -up cyrus-sasl-2.1.26/pwcheck/pwcheck_getpwnam.c.null-crypt cyrus-sasl-2.1.26/pwcheck/pwcheck_getpwnam.c +--- cyrus-sasl-2.1.26/pwcheck/pwcheck_getpwnam.c.null-crypt 2012-01-28 00:31:36.000000000 +0100 ++++ cyrus-sasl-2.1.26/pwcheck/pwcheck_getpwnam.c 2012-12-20 17:00:14.614580310 +0100 +@@ -31,7 +31,7 @@ char *pwcheck(userid, password) + char *userid; + char *password; + { +- char* r; ++ char* r, *cryptbuf; + struct passwd *pwd; + + pwd = getpwnam(userid); +@@ -41,11 +41,13 @@ char *password; + else if (pwd->pw_passwd[0] == '*') { + r = "Account disabled"; + } +- else if (strcmp(pwd->pw_passwd, crypt(password, pwd->pw_passwd)) != 0) { +- r = "Incorrect password"; +- } + else { +- r = "OK"; ++ cryptbuf = crypt(password, pwd->pw_passwd); ++ if((cryptbuf == NULL) || (strcmp(pwd->pw_passwd, cryptbuf) != 0)) { ++ r = "Incorrect password"; ++ } else { ++ r = "OK"; ++ } + } + + endpwent(); +diff -up cyrus-sasl-2.1.26/saslauthd/auth_getpwent.c.null-crypt cyrus-sasl-2.1.26/saslauthd/auth_getpwent.c +--- cyrus-sasl-2.1.26/saslauthd/auth_getpwent.c.null-crypt 2012-10-12 16:05:48.000000000 +0200 ++++ cyrus-sasl-2.1.26/saslauthd/auth_getpwent.c 2012-12-20 17:03:17.940793653 +0100 +@@ -78,6 +78,7 @@ auth_getpwent ( + /* VARIABLES */ + struct passwd *pw; /* pointer to passwd file entry */ + int errnum; ++ char *cryptbuf; + /* END VARIABLES */ + + errno = 0; +@@ -105,7 +106,8 @@ auth_getpwent ( + } + } + +- if (strcmp(pw->pw_passwd, (const char *)crypt(password, pw->pw_passwd))) { ++ cryptbuf = crypt(password, pw->pw_passwd); ++ if ((cryptbuf == NULL) || strcmp(pw->pw_passwd, cryptbuf)) { + if (flags & VERBOSE) { + syslog(LOG_DEBUG, "DEBUG: auth_getpwent: %s: invalid password", login); + } +diff -up cyrus-sasl-2.1.26/saslauthd/auth_shadow.c.null-crypt cyrus-sasl-2.1.26/saslauthd/auth_shadow.c +--- cyrus-sasl-2.1.26/saslauthd/auth_shadow.c.null-crypt 2012-12-20 17:00:14.000000000 +0100 ++++ cyrus-sasl-2.1.26/saslauthd/auth_shadow.c 2012-12-20 17:16:44.190360006 +0100 +@@ -214,8 +214,8 @@ auth_shadow ( + RETURN("NO Insufficient permission to access NIS authentication database (saslauthd)"); + } + +- cpw = strdup((const char *)crypt(password, sp->sp_pwdp)); +- if (strcmp(sp->sp_pwdp, cpw)) { ++ cpw = crypt(password, sp->sp_pwdp); ++ if ((cpw == NULL) || strcmp(sp->sp_pwdp, cpw)) { + if (flags & VERBOSE) { + /* + * This _should_ reveal the SHADOW_PW_LOCKED prefix to an +@@ -225,10 +225,8 @@ auth_shadow ( + syslog(LOG_DEBUG, "DEBUG: auth_shadow: pw mismatch: '%s' != '%s'", + sp->sp_pwdp, cpw); + } +- free(cpw); + RETURN("NO Incorrect password"); + } +- free(cpw); + + /* + * The following fields will be set to -1 if: +@@ -290,7 +288,8 @@ auth_shadow ( + RETURN("NO Invalid username"); + } + +- if (strcmp(upw->upw_passwd, crypt(password, upw->upw_passwd)) != 0) { ++ cpw = crypt(password, upw->upw_passwd); ++ if ((cpw == NULL) || strcmp(upw->upw_passwd, cpw) != 0) { + if (flags & VERBOSE) { + syslog(LOG_DEBUG, "auth_shadow: pw mismatch: %s != %s", + password, upw->upw_passwd); diff --git a/SOURCES/cyrus-sasl-2.1.26-obsolete-macro.patch b/SOURCES/cyrus-sasl-2.1.26-obsolete-macro.patch new file mode 100644 index 0000000..a836d8f --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.26-obsolete-macro.patch @@ -0,0 +1,13 @@ +diff --git a/configure.in b/configure.in +index e70c99a..60f366c 100644 +--- a/configure.in ++++ b/configure.in +@@ -1416,7 +1416,7 @@ inline static unsigned int sleep(unsigned int seconds) { + #endif /* CONFIG_H */ + ]) + +-AM_CONFIG_HEADER(config.h) ++AC_CONFIG_HEADERS(config.h) + + AC_OUTPUT(Makefile + libsasl2.pc diff --git a/SOURCES/cyrus-sasl-2.1.26-ppc.patch b/SOURCES/cyrus-sasl-2.1.26-ppc.patch new file mode 100644 index 0000000..0ebba70 --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.26-ppc.patch @@ -0,0 +1,24 @@ +diff -up cyrus-sasl-2.1.26/config/ltconfig.ppc cyrus-sasl-2.1.26/config/ltconfig +--- cyrus-sasl-2.1.26/config/ltconfig.ppc 2012-10-12 16:05:48.000000000 +0200 ++++ cyrus-sasl-2.1.26/config/ltconfig 2013-06-04 15:38:53.695401296 +0200 +@@ -2040,7 +2040,7 @@ linux-gnu*) + else + # Only the GNU ld.so supports shared libraries on MkLinux. + case "$host_cpu" in +- powerpc*) dynamic_linker=no ;; ++# powerpc*) dynamic_linker=no ;; + *) dynamic_linker='Linux ld.so' ;; + esac + fi +diff -up cyrus-sasl-2.1.26/saslauthd/config/ltconfig.ppc cyrus-sasl-2.1.26/saslauthd/config/ltconfig +--- cyrus-sasl-2.1.26/saslauthd/config/ltconfig.ppc 2013-06-04 15:39:49.849463707 +0200 ++++ cyrus-sasl-2.1.26/saslauthd/config/ltconfig 2013-06-04 15:39:12.826741036 +0200 +@@ -2040,7 +2040,7 @@ linux-gnu*) + else + # Only the GNU ld.so supports shared libraries on MkLinux. + case "$host_cpu" in +- powerpc*) dynamic_linker=no ;; ++ #powerpc*) dynamic_linker=no ;; + *) dynamic_linker='Linux ld.so' ;; + esac + fi diff --git a/SOURCES/cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch b/SOURCES/cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch new file mode 100644 index 0000000..af88e81 --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch @@ -0,0 +1,51 @@ +commit 26dcfb2d7176b78e70757aa5d01951a28ca217c7 +Author: Alexey Melnikov +Date: Fri Jul 5 16:37:59 2013 +0100 + + Treat SCRAM-SHA-1/DIGEST-MD5 as more secure than PLAIN when selecting the best client side SASL mechanism + + Both SCRAM-SHA-1 & DIGEST-MD5 are lacking SASL_SEC_PASS_CREDENTIALS security + flag, which prevented them from being chosen over PLAIN when PLAIN is selected + as the best mechanism first. For example the problem can be observed when + the server advertises "PLAIN DIGEST-MD5 SCRAM-SHA-1" (PLAIN just has to be + returned before SCRAM/DIGEST.) + + Cyrus SASL bug # 3793 + +diff --git a/lib/client.c b/lib/client.c +index 62dfb0b..31fe346 100644 +--- a/lib/client.c ++++ b/lib/client.c +@@ -658,6 +658,20 @@ _sasl_cbinding_disp(sasl_client_params_t *cparams, + return SASL_OK; + } + ++static int ++_sasl_are_current_security_flags_worse_then_best(unsigned best_security_flags, ++ unsigned current_security_flags) ++{ ++ /* We don't qualify SASL_SEC_PASS_CREDENTIALS as "secure" flag */ ++ best_security_flags &= ~SASL_SEC_PASS_CREDENTIALS; ++ ++ if ((current_security_flags ^ best_security_flags) & best_security_flags) { ++ return 1; ++ } else { ++ return 0; ++ } ++} ++ + /* select a mechanism for a connection + * mechlist -- mechanisms server has available (punctuation ignored) + * secret -- optional secret from previous session +@@ -823,8 +837,9 @@ int sasl_client_start(sasl_conn_t *conn, + */ + + if (bestm && +- ((m->m.plug->security_flags ^ bestm->m.plug->security_flags) & +- bestm->m.plug->security_flags)) { ++ _sasl_are_current_security_flags_worse_then_best( ++ bestm->m.plug->security_flags, ++ m->m.plug->security_flags)) { + break; + } + diff --git a/SOURCES/cyrus-sasl-2.1.26-release-server_creds.patch b/SOURCES/cyrus-sasl-2.1.26-release-server_creds.patch new file mode 100644 index 0000000..a84bf9f --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.26-release-server_creds.patch @@ -0,0 +1,16 @@ +diff -up cyrus-sasl-2.1.26/plugins/gssapi.c.release-server_creds cyrus-sasl-2.1.26/plugins/gssapi.c +--- cyrus-sasl-2.1.26/plugins/gssapi.c.release-server_creds 2012-12-20 17:17:37.000000000 +0100 ++++ cyrus-sasl-2.1.26/plugins/gssapi.c 2012-12-20 17:42:11.498138999 +0100 +@@ -945,6 +945,12 @@ gssapi_server_mech_authneg(context_t *te + ret = SASL_CONTINUE; + } + ++ /* Release server creds which are no longer needed */ ++ if ( text->server_creds != GSS_C_NO_CREDENTIAL) { ++ maj_stat = gss_release_cred(&min_stat, &text->server_creds); ++ text->server_creds = GSS_C_NO_CREDENTIAL; ++ } ++ + cleanup: + if (client_name_MN) { + GSS_LOCK_MUTEX(params->utils); diff --git a/SOURCES/cyrus-sasl-2.1.26-relro.patch b/SOURCES/cyrus-sasl-2.1.26-relro.patch new file mode 100644 index 0000000..f8b6027 --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.26-relro.patch @@ -0,0 +1,70 @@ +diff -up cyrus-sasl-2.1.26/lib/Makefile.am.relro cyrus-sasl-2.1.26/lib/Makefile.am +--- cyrus-sasl-2.1.26/lib/Makefile.am.relro 2012-10-12 16:05:48.000000000 +0200 ++++ cyrus-sasl-2.1.26/lib/Makefile.am 2013-02-11 14:18:01.749053772 +0100 +@@ -64,7 +64,7 @@ LIB_DOOR= @LIB_DOOR@ + lib_LTLIBRARIES = libsasl2.la + + libsasl2_la_SOURCES = $(common_sources) $(common_headers) +-libsasl2_la_LDFLAGS = -version-info $(sasl_version) ++libsasl2_la_LDFLAGS = -Wl,-z,relro -version-info $(sasl_version) + libsasl2_la_DEPENDENCIES = $(LTLIBOBJS) + libsasl2_la_LIBADD = $(LTLIBOBJS) $(SASL_DL_LIB) $(LIB_SOCKET) $(LIB_DOOR) + +diff -up cyrus-sasl-2.1.26/lib/Makefile.in.relro cyrus-sasl-2.1.26/lib/Makefile.in +--- cyrus-sasl-2.1.26/lib/Makefile.in.relro 2013-11-13 16:55:09.606555125 +0100 ++++ cyrus-sasl-2.1.26/lib/Makefile.in 2013-11-13 16:56:43.331096795 +0100 +@@ -330,7 +330,7 @@ common_headers = saslint.h + common_sources = auxprop.c canonusr.c checkpw.c client.c common.c config.c external.c md5.c saslutil.c server.c seterror.c dlopen.c ../plugins/plugin_common.c + lib_LTLIBRARIES = libsasl2.la + libsasl2_la_SOURCES = $(common_sources) $(common_headers) +-libsasl2_la_LDFLAGS = -version-info $(sasl_version) ++libsasl2_la_LDFLAGS = -Wl,-z,relro -version-info $(sasl_version) + libsasl2_la_DEPENDENCIES = $(LTLIBOBJS) + libsasl2_la_LIBADD = $(LTLIBOBJS) $(SASL_DL_LIB) $(LIB_SOCKET) $(LIB_DOOR) + @MACOSX_TRUE@framedir = /Library/Frameworks/SASL2.framework +diff -up cyrus-sasl-2.1.26/plugins/Makefile.am.relro cyrus-sasl-2.1.26/plugins/Makefile.am +--- cyrus-sasl-2.1.26/plugins/Makefile.am.relro 2012-10-12 16:05:48.000000000 +0200 ++++ cyrus-sasl-2.1.26/plugins/Makefile.am 2013-02-11 14:18:01.749053772 +0100 +@@ -50,7 +50,7 @@ + plugin_version = 3:0:0 + + INCLUDES=-I$(top_srcdir)/include -I$(top_srcdir)/lib -I$(top_srcdir)/sasldb -I$(top_builddir)/include +-AM_LDFLAGS = -module -export-dynamic -rpath $(plugindir) -version-info $(plugin_version) ++AM_LDFLAGS = -Wl,-z,relro -module -export-dynamic -rpath $(plugindir) -version-info $(plugin_version) + + COMPAT_OBJS = @LTGETADDRINFOOBJS@ @LTGETNAMEINFOOBJS@ @LTSNPRINTFOBJS@ + +diff -up cyrus-sasl-2.1.26/plugins/Makefile.in.relro cyrus-sasl-2.1.26/plugins/Makefile.in +--- cyrus-sasl-2.1.26/plugins/Makefile.in.relro 2013-11-13 16:57:08.430974081 +0100 ++++ cyrus-sasl-2.1.26/plugins/Makefile.in 2013-11-13 16:57:58.911727846 +0100 +@@ -364,7 +364,7 @@ top_srcdir = @top_srcdir@ + # CURRENT:REVISION:AGE + plugin_version = 3:0:0 + INCLUDES = -I$(top_srcdir)/include -I$(top_srcdir)/lib -I$(top_srcdir)/sasldb -I$(top_builddir)/include +-AM_LDFLAGS = -module -export-dynamic -rpath $(plugindir) -version-info $(plugin_version) ++AM_LDFLAGS = -Wl,-z,relro -module -export-dynamic -rpath $(plugindir) -version-info $(plugin_version) + COMPAT_OBJS = @LTGETADDRINFOOBJS@ @LTGETNAMEINFOOBJS@ @LTSNPRINTFOBJS@ + EXTRA_DIST = makeinit.sh NTMakefile + noinst_SCRIPTS = makeinit.sh +diff -up cyrus-sasl-2.1.26/saslauthd/Makefile.am.relro cyrus-sasl-2.1.26/saslauthd/Makefile.am +--- cyrus-sasl-2.1.26/saslauthd/Makefile.am.relro 2013-02-11 14:18:36.910900647 +0100 ++++ cyrus-sasl-2.1.26/saslauthd/Makefile.am 2013-02-11 14:20:17.336463915 +0100 +@@ -17,6 +17,7 @@ saslauthd_DEPENDENCIES = saslauthd-main. + saslauthd_LDADD = @SASL_KRB_LIB@ \ + @GSSAPIBASE_LIBS@ @GSSAPI_LIBS@ @LIB_CRYPT@ @LIB_SIA@ \ + @LIB_SOCKET@ @SASL_DB_LIB@ @LIB_PAM@ @LDAP_LIBS@ @LTLIBOBJS@ ++saslauthd_LDFLAGS = -pie -Wl,-z,now + + testsaslauthd_SOURCES = testsaslauthd.c utils.c + testsaslauthd_LDADD = @LIB_SOCKET@ +diff -up cyrus-sasl-2.1.26/saslauthd/Makefile.in.relro cyrus-sasl-2.1.26/saslauthd/Makefile.in +--- cyrus-sasl-2.1.26/saslauthd/Makefile.in.relro 2013-11-13 16:58:13.085659148 +0100 ++++ cyrus-sasl-2.1.26/saslauthd/Makefile.in 2013-11-13 16:58:49.679481841 +0100 +@@ -234,6 +234,7 @@ saslauthd_DEPENDENCIES = saslauthd-main. + saslauthd_LDADD = @SASL_KRB_LIB@ \ + @GSSAPIBASE_LIBS@ @GSSAPI_LIBS@ @LIB_CRYPT@ @LIB_SIA@ \ + @LIB_SOCKET@ @SASL_DB_LIB@ @LIB_PAM@ @LDAP_LIBS@ @LTLIBOBJS@ ++saslauthd_LDFLAGS = -pie -Wl,-z,now + + testsaslauthd_SOURCES = testsaslauthd.c utils.c + testsaslauthd_LDADD = @LIB_SOCKET@ diff --git a/SOURCES/cyrus-sasl-2.1.26-revert-gssapi-flags.patch b/SOURCES/cyrus-sasl-2.1.26-revert-gssapi-flags.patch new file mode 100644 index 0000000..1a1d259 --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.26-revert-gssapi-flags.patch @@ -0,0 +1,16 @@ +--- cyrus-sasl2.orig/plugins/gssapi.c ++++ cyrus-sasl2/plugins/gssapi.c +@@ -1583,10 +1583,10 @@ static int gssapi_client_mech_step(void + } + + /* Setup req_flags properly */ +- req_flags = GSS_C_INTEG_FLAG; ++ req_flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG; + if (params->props.max_ssf > params->external_ssf) { + /* We are requesting a security layer */ +- req_flags |= GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG; ++ req_flags |= GSS_C_INTEG_FLAG; + /* Any SSF bigger than 1 is confidentiality. */ + /* Let's check if the client of the API requires confidentiality, + and it wasn't already provided by an external layer */ + diff --git a/SOURCES/cyrus-sasl-2.1.26-saslauthd-user.patch b/SOURCES/cyrus-sasl-2.1.26-saslauthd-user.patch new file mode 100644 index 0000000..cace375 --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.26-saslauthd-user.patch @@ -0,0 +1,33 @@ +diff --git a/saslauthd/saslauthd.mdoc b/saslauthd/saslauthd.mdoc +index 37c6f6e..5b635ab 100644 +--- a/saslauthd/saslauthd.mdoc ++++ b/saslauthd/saslauthd.mdoc +@@ -44,7 +44,27 @@ multi-user mode. When running against a protected authentication + database (e.g. the + .Li shadow + mechanism), +-it must be run as the superuser. ++it must be run as the superuser. Otherwise it is recommended to run ++daemon unprivileged as saslauth:saslauth. You can do so by following ++these steps: ++.Bl -enum -compact ++.It ++create directory ++.Pa /etc/systemd/system/saslauthd.service.d/ ++.It ++create file ++.Pa /etc/systemd/system/saslauthd.service.d/user.conf ++with content ++.Bd -literal ++[Service] ++User=saslauth ++Group=saslauth ++ ++.Ed ++.It ++Reload systemd service file: run ++.Dq systemctl daemon-reload ++.El + .Ss Options + Options named by lower\-case letters configure the server itself. + Upper\-case options control the behavior of specific authentication diff --git a/SOURCES/cyrus-sasl-2.1.26-size_t.patch b/SOURCES/cyrus-sasl-2.1.26-size_t.patch new file mode 100644 index 0000000..cde8238 --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.26-size_t.patch @@ -0,0 +1,12 @@ +diff -up cyrus-sasl-2.1.26/include/sasl.h.size_t cyrus-sasl-2.1.26/include/sasl.h +--- cyrus-sasl-2.1.26/include/sasl.h.size_t 2012-10-12 09:05:48.000000000 -0500 ++++ cyrus-sasl-2.1.26/include/sasl.h 2013-01-31 13:21:04.007739327 -0600 +@@ -223,6 +223,8 @@ extern "C" { + * they must be called before all other SASL functions: + */ + ++#include ++ + /* memory allocation functions which may optionally be replaced: + */ + typedef void *sasl_malloc_t(size_t); diff --git a/SOURCES/cyrus-sasl-2.1.26-sql.patch b/SOURCES/cyrus-sasl-2.1.26-sql.patch new file mode 100644 index 0000000..b7f3db4 --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.26-sql.patch @@ -0,0 +1,2296 @@ +diff -up ./configure.in.sql ./configure.in +--- ./configure.in.sql 2013-11-14 13:19:19.231000002 +0100 ++++ ./configure.in 2013-11-14 14:10:44.728997789 +0100 +@@ -729,7 +729,18 @@ LIB_MYSQL="" + + case "$with_mysql" in + no) true;; +- notfound) AC_WARN([MySQL Library not found]); true;; ++ notfound) ++ save_LDFLAGS=$LDFLAGS ++ LIB_MYSQL=`mysql_config --libs` ++ LIB_MYSQL="-lmysqlclient" ++ LDFLAGS="$LDFLAGS $LIB_MYSQL" ++ # CPPFLAGS="${CPPFLAGS} `mysql_config --include`" ++ AC_CHECK_LIB(mysqlclient, mysql_select_db, ++ AC_DEFINE(HAVE_MYSQL, [], [Do we have mysql support?]), ++ [AC_WARN([MySQL library mysqlclient does not work]) ++ with_mysql=no]) ++ LDFLAGS=$save_LDFLAGS ++ ;; + *) + if test -d ${with_mysql}/lib/mysql; then + CMU_ADD_LIBPATH_TO(${with_mysql}/lib/mysql, LIB_MYSQL) +@@ -750,6 +761,8 @@ case "$with_mysql" in + CPPFLAGS="${CPPFLAGS} -I${with_mysql}/mysql/include" + elif test -d ${with_mysql}/include; then + CPPFLAGS="${CPPFLAGS} -I${with_mysql}/include" ++ elif test -d ${prefix}/include/mysql; then ++ CPPFLAGS="${CPPFLAGS} -I${prefix}/include/mysql" + else + CPPFLAGS="${CPPFLAGS} -I${with_mysql}" + fi +@@ -793,7 +806,17 @@ LIB_PGSQL="" + + case "$with_pgsql" in + no) true;; +- notfound) AC_WARN([PostgreSQL Library not found]); true;; ++ notfound) ++ LIB_PGSQL="-lpq" ++ # CPPFLAGS="${CPPFLAGS} -I`pg_config --includedir`" ++ save_LDFLAGS=$LDFLAGS ++ LDFLAGS="$LDFLAGS $LIB_PGSQL" ++ AC_CHECK_LIB(pq, PQsetdbLogin, AC_DEFINE(HAVE_PGSQL,[], ++ [Do we have Postgres support?]), ++ [AC_WARN([PostgreSQL Library pq does not work]) ++ with_pgsql=no]) ++ LDFLAGS=$save_LDFLAGS ++ ;; + *) + if test -d ${with_pgsql}/lib/pgsql; then + CMU_ADD_LIBPATH_TO(${with_pgsql}/lib/pgsql, LIB_PGSQL) +@@ -814,6 +837,8 @@ case "$with_pgsql" in + CPPFLAGS="${CPPFLAGS} -I${with_pgsql}/pgsql/include" + elif test -d ${with_pgsql}/include; then + CPPFLAGS="${CPPFLAGS} -I${with_pgsql}/include" ++ elif test -d ${prefix}/include; then ++ CPPFLAGS="${CPPFLAGS} -I${prefix}/include" + else + CPPFLAGS="${CPPFLAGS} -I${with_pgsql}" + fi +diff -up ./configure.sql ./configure +--- ./configure.sql 2013-11-14 13:19:19.177000002 +0100 ++++ ./configure 2013-11-14 14:10:50.848000001 +0100 +@@ -4340,116 +4340,8 @@ $as_echo "$ac_cv___attribute__" >&6; } + + + # CMU GUESS RUNPATH SWITCH +- { $as_echo "$as_me:$LINENO: checking for runpath switch" >&5 +-$as_echo_n "checking for runpath switch... " >&6; } +-if test "${andrew_cv_runpath_switch+set}" = set; then +- $as_echo_n "(cached) " >&6 +-else +- +- # first, try -R +- SAVE_LDFLAGS="${LDFLAGS}" +- LDFLAGS="-R /usr/lib" +- cat >conftest.$ac_ext <<_ACEOF +-/* confdefs.h. */ +-_ACEOF +-cat confdefs.h >>conftest.$ac_ext +-cat >>conftest.$ac_ext <<_ACEOF +-/* end confdefs.h. */ +- +-int +-main () +-{ +- +- ; +- return 0; +-} +-_ACEOF +-rm -f conftest.$ac_objext conftest$ac_exeext +-if { (ac_try="$ac_link" +-case "(($ac_try" in +- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; +- *) ac_try_echo=$ac_try;; +-esac +-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +-$as_echo "$ac_try_echo") >&5 +- (eval "$ac_link") 2>conftest.er1 +- ac_status=$? +- grep -v '^ *+' conftest.er1 >conftest.err +- rm -f conftest.er1 +- cat conftest.err >&5 +- $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 +- (exit $ac_status); } && { +- test -z "$ac_c_werror_flag" || +- test ! -s conftest.err +- } && test -s conftest$ac_exeext && { +- test "$cross_compiling" = yes || +- $as_test_x conftest$ac_exeext +- }; then +- andrew_cv_runpath_switch="-R" +-else +- $as_echo "$as_me: failed program was:" >&5 +-sed 's/^/| /' conftest.$ac_ext >&5 +- +- +- LDFLAGS="-Wl,-rpath,/usr/lib" +- cat >conftest.$ac_ext <<_ACEOF +-/* confdefs.h. */ +-_ACEOF +-cat confdefs.h >>conftest.$ac_ext +-cat >>conftest.$ac_ext <<_ACEOF +-/* end confdefs.h. */ +- +-int +-main () +-{ +- +- ; +- return 0; +-} +-_ACEOF +-rm -f conftest.$ac_objext conftest$ac_exeext +-if { (ac_try="$ac_link" +-case "(($ac_try" in +- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; +- *) ac_try_echo=$ac_try;; +-esac +-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +-$as_echo "$ac_try_echo") >&5 +- (eval "$ac_link") 2>conftest.er1 +- ac_status=$? +- grep -v '^ *+' conftest.er1 >conftest.err +- rm -f conftest.er1 +- cat conftest.err >&5 +- $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 +- (exit $ac_status); } && { +- test -z "$ac_c_werror_flag" || +- test ! -s conftest.err +- } && test -s conftest$ac_exeext && { +- test "$cross_compiling" = yes || +- $as_test_x conftest$ac_exeext +- }; then +- andrew_cv_runpath_switch="-Wl,-rpath," +-else +- $as_echo "$as_me: failed program was:" >&5 +-sed 's/^/| /' conftest.$ac_ext >&5 +- +- andrew_cv_runpath_switch="none" +-fi +- +-rm -rf conftest.dSYM +-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ +- conftest$ac_exeext conftest.$ac_ext +- +-fi +- +-rm -rf conftest.dSYM +-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ +- conftest$ac_exeext conftest.$ac_ext +- LDFLAGS="${SAVE_LDFLAGS}" ++ andrew_runpath_switch="none" + +-fi +-{ $as_echo "$as_me:$LINENO: result: $andrew_cv_runpath_switch" >&5 +-$as_echo "$andrew_cv_runpath_switch" >&6; } + + + # Check whether --with-staticsasl was given. +@@ -4784,7 +4676,7 @@ test x"$silent" = xyes && libtool_flags= + case "$lt_target" in + *-*-irix6*) + # Find out which ABI we are using. +- echo '#line 4787 "configure"' > conftest.$ac_ext ++ echo '#line 4679 "configure"' > conftest.$ac_ext + if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>&5 + ac_status=$? +@@ -11239,7 +11131,6 @@ $as_echo "$cyrus_krbinclude" >&6; } + if test -n "${cyrus_krbinclude}"; then + CPPFLAGS="$CPPFLAGS -I${cyrus_krbinclude}" + fi +- LDFLAGS="$LDFLAGS -L$krb4/lib" + fi + + if test "$with_des" != no; then +@@ -13467,69 +13358,43 @@ _ACEOF + fi + done + ++ if test "$ac_cv_func_gsskrb5_register_acceptor_identity" = no ; then + +-for ac_func in gss_decapsulate_token ++for ac_header in gssapi/gssapi_krb5.h + do +-as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +-{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5 +-$as_echo_n "checking for $ac_func... " >&6; } +-if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then ++as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ++if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then ++ { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 ++$as_echo_n "checking for $ac_header... " >&6; } ++if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 ++fi ++ac_res=`eval 'as_val=${'$as_ac_Header'} ++ $as_echo "$as_val"'` ++ { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 ++$as_echo "$ac_res" >&6; } + else +- cat >conftest.$ac_ext <<_ACEOF ++ # Is the header compilable? ++{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5 ++$as_echo_n "checking $ac_header usability... " >&6; } ++cat >conftest.$ac_ext <<_ACEOF + /* confdefs.h. */ + _ACEOF + cat confdefs.h >>conftest.$ac_ext + cat >>conftest.$ac_ext <<_ACEOF + /* end confdefs.h. */ +-/* Define $ac_func to an innocuous variant, in case declares $ac_func. +- For example, HP-UX 11i declares gettimeofday. */ +-#define $ac_func innocuous_$ac_func +- +-/* System header to define __stub macros and hopefully few prototypes, +- which can conflict with char $ac_func (); below. +- Prefer to if __STDC__ is defined, since +- exists even on freestanding compilers. */ +- +-#ifdef __STDC__ +-# include +-#else +-# include +-#endif +- +-#undef $ac_func +- +-/* Override any GCC internal prototype to avoid an error. +- Use char because int might match the return type of a GCC +- builtin and then its argument prototype would still apply. */ +-#ifdef __cplusplus +-extern "C" +-#endif +-char $ac_func (); +-/* The GNU C library defines this for functions which it implements +- to always fail with ENOSYS. Some functions are actually named +- something starting with __ and the normal name is an alias. */ +-#if defined __stub_$ac_func || defined __stub___$ac_func +-choke me +-#endif +- +-int +-main () +-{ +-return $ac_func (); +- ; +- return 0; +-} ++$ac_includes_default ++#include <$ac_header> + _ACEOF +-rm -f conftest.$ac_objext conftest$ac_exeext +-if { (ac_try="$ac_link" ++rm -f conftest.$ac_objext ++if { (ac_try="$ac_compile" + case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; + esac + eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" + $as_echo "$ac_try_echo") >&5 +- (eval "$ac_link") 2>conftest.er1 ++ (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 +@@ -13538,139 +13403,178 @@ $as_echo "$ac_try_echo") >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err +- } && test -s conftest$ac_exeext && { +- test "$cross_compiling" = yes || +- $as_test_x conftest$ac_exeext +- }; then +- eval "$as_ac_var=yes" ++ } && test -s conftest.$ac_objext; then ++ ac_header_compiler=yes + else + $as_echo "$as_me: failed program was:" >&5 + sed 's/^/| /' conftest.$ac_ext >&5 + +- eval "$as_ac_var=no" +-fi +- +-rm -rf conftest.dSYM +-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ +- conftest$ac_exeext conftest.$ac_ext +-fi +-ac_res=`eval 'as_val=${'$as_ac_var'} +- $as_echo "$as_val"'` +- { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +-$as_echo "$ac_res" >&6; } +-as_val=`eval 'as_val=${'$as_ac_var'} +- $as_echo "$as_val"'` +- if test "x$as_val" = x""yes; then +- cat >>confdefs.h <<_ACEOF +-#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +-_ACEOF +- ++ ac_header_compiler=no + fi +-done + ++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ++{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 ++$as_echo "$ac_header_compiler" >&6; } + +-for ac_func in gss_encapsulate_token +-do +-as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +-{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5 +-$as_echo_n "checking for $ac_func... " >&6; } +-if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then +- $as_echo_n "(cached) " >&6 +-else +- cat >conftest.$ac_ext <<_ACEOF ++# Is the header present? ++{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5 ++$as_echo_n "checking $ac_header presence... " >&6; } ++cat >conftest.$ac_ext <<_ACEOF + /* confdefs.h. */ + _ACEOF + cat confdefs.h >>conftest.$ac_ext + cat >>conftest.$ac_ext <<_ACEOF + /* end confdefs.h. */ +-/* Define $ac_func to an innocuous variant, in case declares $ac_func. +- For example, HP-UX 11i declares gettimeofday. */ +-#define $ac_func innocuous_$ac_func +- +-/* System header to define __stub macros and hopefully few prototypes, +- which can conflict with char $ac_func (); below. +- Prefer to if __STDC__ is defined, since +- exists even on freestanding compilers. */ +- +-#ifdef __STDC__ +-# include +-#else +-# include +-#endif +- +-#undef $ac_func +- +-/* Override any GCC internal prototype to avoid an error. +- Use char because int might match the return type of a GCC +- builtin and then its argument prototype would still apply. */ +-#ifdef __cplusplus +-extern "C" +-#endif +-char $ac_func (); +-/* The GNU C library defines this for functions which it implements +- to always fail with ENOSYS. Some functions are actually named +- something starting with __ and the normal name is an alias. */ +-#if defined __stub_$ac_func || defined __stub___$ac_func +-choke me +-#endif +- +-int +-main () +-{ +-return $ac_func (); +- ; +- return 0; +-} ++#include <$ac_header> + _ACEOF +-rm -f conftest.$ac_objext conftest$ac_exeext +-if { (ac_try="$ac_link" ++if { (ac_try="$ac_cpp conftest.$ac_ext" + case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; + esac + eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" + $as_echo "$ac_try_echo") >&5 +- (eval "$ac_link") 2>conftest.er1 ++ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 +- (exit $ac_status); } && { +- test -z "$ac_c_werror_flag" || ++ (exit $ac_status); } >/dev/null && { ++ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err +- } && test -s conftest$ac_exeext && { +- test "$cross_compiling" = yes || +- $as_test_x conftest$ac_exeext + }; then +- eval "$as_ac_var=yes" ++ ac_header_preproc=yes + else + $as_echo "$as_me: failed program was:" >&5 + sed 's/^/| /' conftest.$ac_ext >&5 + +- eval "$as_ac_var=no" ++ ac_header_preproc=no + fi + +-rm -rf conftest.dSYM +-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ +- conftest$ac_exeext conftest.$ac_ext ++rm -f conftest.err conftest.$ac_ext ++{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 ++$as_echo "$ac_header_preproc" >&6; } ++ ++# So? What about this header? ++case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in ++ yes:no: ) ++ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 ++$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;} ++ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5 ++$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;} ++ ac_header_preproc=yes ++ ;; ++ no:yes:* ) ++ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5 ++$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} ++ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5 ++$as_echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;} ++ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5 ++$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;} ++ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5 ++$as_echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;} ++ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 ++$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} ++ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 ++$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} ++ ++ ;; ++esac ++{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 ++$as_echo_n "checking for $ac_header... " >&6; } ++if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then ++ $as_echo_n "(cached) " >&6 ++else ++ eval "$as_ac_Header=\$ac_header_preproc" + fi +-ac_res=`eval 'as_val=${'$as_ac_var'} ++ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 + $as_echo "$ac_res" >&6; } +-as_val=`eval 'as_val=${'$as_ac_var'} ++ ++fi ++as_val=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + if test "x$as_val" = x""yes; then + cat >>confdefs.h <<_ACEOF +-#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 ++#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 + _ACEOF + + fi ++ + done + ++ if test "$ac_cv_header_gssapi_gssapi_krb5_h" = "yes"; then ++ { $as_echo "$as_me:$LINENO: checking whether gsskrb5_register_acceptor_identity is declared" >&5 ++$as_echo_n "checking whether gsskrb5_register_acceptor_identity is declared... " >&6; } ++if test "${ac_cv_have_decl_gsskrb5_register_acceptor_identity+set}" = set; then ++ $as_echo_n "(cached) " >&6 ++else ++ cat >conftest.$ac_ext <<_ACEOF ++/* confdefs.h. */ ++_ACEOF ++cat confdefs.h >>conftest.$ac_ext ++cat >>conftest.$ac_ext <<_ACEOF ++/* end confdefs.h. */ ++ ++ $ac_includes_default ++ #include + +-for ac_func in gss_oid_equal ++ ++int ++main () ++{ ++#ifndef gsskrb5_register_acceptor_identity ++ (void) gsskrb5_register_acceptor_identity; ++#endif ++ ++ ; ++ return 0; ++} ++_ACEOF ++rm -f conftest.$ac_objext ++if { (ac_try="$ac_compile" ++case "(($ac_try" in ++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; ++ *) ac_try_echo=$ac_try;; ++esac ++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" ++$as_echo "$ac_try_echo") >&5 ++ (eval "$ac_compile") 2>conftest.er1 ++ ac_status=$? ++ grep -v '^ *+' conftest.er1 >conftest.err ++ rm -f conftest.er1 ++ cat conftest.err >&5 ++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); } && { ++ test -z "$ac_c_werror_flag" || ++ test ! -s conftest.err ++ } && test -s conftest.$ac_objext; then ++ ac_cv_have_decl_gsskrb5_register_acceptor_identity=yes ++else ++ $as_echo "$as_me: failed program was:" >&5 ++sed 's/^/| /' conftest.$ac_ext >&5 ++ ++ ac_cv_have_decl_gsskrb5_register_acceptor_identity=no ++fi ++ ++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ++fi ++{ $as_echo "$as_me:$LINENO: result: $ac_cv_have_decl_gsskrb5_register_acceptor_identity" >&5 ++$as_echo "$ac_cv_have_decl_gsskrb5_register_acceptor_identity" >&6; } ++if test "x$ac_cv_have_decl_gsskrb5_register_acceptor_identity" = x""yes; then ++ ++cat >>confdefs.h <<\_ACEOF ++#define HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY 1 ++_ACEOF ++ ++fi ++ ++ fi ++ fi ++ ++for ac_func in gss_decapsulate_token + do + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` + { $as_echo "$as_me:$LINENO: checking for $ac_func" >&5 +@@ -13770,12 +13674,8 @@ _ACEOF + fi + done + +- LIBS="$cmu_save_LIBS" +- +- cmu_save_LIBS="$LIBS" +- LIBS="$LIBS $GSSAPIBASE_LIBS" + +-for ac_func in gss_get_name_attribute ++for ac_func in gss_encapsulate_token + do + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` + { $as_echo "$as_me:$LINENO: checking for $ac_func" >&5 +@@ -13875,20 +13775,14 @@ _ACEOF + fi + done + +- LIBS="$cmu_save_LIBS" + +- cmu_save_LIBS="$LIBS" +- LIBS="$LIBS $GSSAPIBASE_LIBS" +- { $as_echo "$as_me:$LINENO: checking for SPNEGO support in GSSAPI libraries" >&5 +-$as_echo_n "checking for SPNEGO support in GSSAPI libraries... " >&6; } +- if test "$cross_compiling" = yes; then +- { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +-{ { $as_echo "$as_me:$LINENO: error: cannot run test program while cross compiling +-See \`config.log' for more details." >&5 +-$as_echo "$as_me: error: cannot run test program while cross compiling +-See \`config.log' for more details." >&2;} +- { (exit 1); exit 1; }; }; } ++for ac_func in gss_oid_equal ++do ++as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ++{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5 ++$as_echo_n "checking for $ac_func... " >&6; } ++if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then ++ $as_echo_n "(cached) " >&6 + else + cat >conftest.$ac_ext <<_ACEOF + /* confdefs.h. */ +@@ -13896,30 +13790,46 @@ _ACEOF + cat confdefs.h >>conftest.$ac_ext + cat >>conftest.$ac_ext <<_ACEOF + /* end confdefs.h. */ ++/* Define $ac_func to an innocuous variant, in case declares $ac_func. ++ For example, HP-UX 11i declares gettimeofday. */ ++#define $ac_func innocuous_$ac_func + +-#ifdef HAVE_GSSAPI_H +-#include ++/* System header to define __stub macros and hopefully few prototypes, ++ which can conflict with char $ac_func (); below. ++ Prefer to if __STDC__ is defined, since ++ exists even on freestanding compilers. */ ++ ++#ifdef __STDC__ ++# include + #else +-#include ++# include + #endif + +-int main(void) +-{ +- gss_OID_desc spnego_oid = { 6, (void *) "\x2b\x06\x01\x05\x05\x02" }; +- gss_OID_set mech_set; +- OM_uint32 min_stat; +- int have_spnego = 0; ++#undef $ac_func + +- if (gss_indicate_mechs(&min_stat, &mech_set) == GSS_S_COMPLETE) { +- gss_test_oid_set_member(&min_stat, &spnego_oid, mech_set, &have_spnego); +- gss_release_oid_set(&min_stat, &mech_set); +- } ++/* Override any GCC internal prototype to avoid an error. ++ Use char because int might match the return type of a GCC ++ builtin and then its argument prototype would still apply. */ ++#ifdef __cplusplus ++extern "C" ++#endif ++char $ac_func (); ++/* The GNU C library defines this for functions which it implements ++ to always fail with ENOSYS. Some functions are actually named ++ something starting with __ and the normal name is an alias. */ ++#if defined __stub_$ac_func || defined __stub___$ac_func ++choke me ++#endif + +- return (!have_spnego); // 0 = success, 1 = failure ++int ++main () ++{ ++return $ac_func (); ++ ; ++ return 0; + } +- + _ACEOF +-rm -f conftest$ac_exeext ++rm -f conftest.$ac_objext conftest$ac_exeext + if { (ac_try="$ac_link" + case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; +@@ -13927,63 +13837,259 @@ case "(($ac_try" in + esac + eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" + $as_echo "$ac_try_echo") >&5 +- (eval "$ac_link") 2>&5 +- ac_status=$? +- $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 +- (exit $ac_status); } && { ac_try='./conftest$ac_exeext' +- { (case "(($ac_try" in +- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; +- *) ac_try_echo=$ac_try;; +-esac +-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +-$as_echo "$ac_try_echo") >&5 +- (eval "$ac_try") 2>&5 ++ (eval "$ac_link") 2>conftest.er1 + ac_status=$? ++ grep -v '^ *+' conftest.er1 >conftest.err ++ rm -f conftest.er1 ++ cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 +- (exit $ac_status); }; }; then +- +-cat >>confdefs.h <<\_ACEOF +-#define HAVE_GSS_SPNEGO /**/ +-_ACEOF +- +- { $as_echo "$as_me:$LINENO: result: yes" >&5 +-$as_echo "yes" >&6; } ++ (exit $ac_status); } && { ++ test -z "$ac_c_werror_flag" || ++ test ! -s conftest.err ++ } && test -s conftest$ac_exeext && { ++ test "$cross_compiling" = yes || ++ $as_test_x conftest$ac_exeext ++ }; then ++ eval "$as_ac_var=yes" + else +- $as_echo "$as_me: program exited with status $ac_status" >&5 +-$as_echo "$as_me: failed program was:" >&5 ++ $as_echo "$as_me: failed program was:" >&5 + sed 's/^/| /' conftest.$ac_ext >&5 + +-( exit $ac_status ) +-{ $as_echo "$as_me:$LINENO: result: no" >&5 +-$as_echo "no" >&6; } ++ eval "$as_ac_var=no" + fi ++ + rm -rf conftest.dSYM +-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext ++rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ ++ conftest$ac_exeext conftest.$ac_ext + fi ++ac_res=`eval 'as_val=${'$as_ac_var'} ++ $as_echo "$as_val"'` ++ { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 ++$as_echo "$ac_res" >&6; } ++as_val=`eval 'as_val=${'$as_ac_var'} ++ $as_echo "$as_val"'` ++ if test "x$as_val" = x""yes; then ++ cat >>confdefs.h <<_ACEOF ++#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 ++_ACEOF + +- +- LIBS="$cmu_save_LIBS" +- +-else +- { $as_echo "$as_me:$LINENO: result: disabled" >&5 +-$as_echo "disabled" >&6; } + fi ++done + ++ LIBS="$cmu_save_LIBS" + ++ cmu_save_LIBS="$LIBS" ++ LIBS="$LIBS $GSSAPIBASE_LIBS" + +- +-if test "$gssapi" != "no"; then +- +-cat >>confdefs.h <<\_ACEOF +-#define STATIC_GSSAPIV2 /**/ +-_ACEOF +- +- mutex_default="no" +- if test "$gss_impl" = "mit"; then +- mutex_default="yes" +- fi +- { $as_echo "$as_me:$LINENO: checking to use mutexes aroung GSS calls" >&5 +-$as_echo_n "checking to use mutexes aroung GSS calls... " >&6; } ++for ac_func in gss_get_name_attribute ++do ++as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ++{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5 ++$as_echo_n "checking for $ac_func... " >&6; } ++if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then ++ $as_echo_n "(cached) " >&6 ++else ++ cat >conftest.$ac_ext <<_ACEOF ++/* confdefs.h. */ ++_ACEOF ++cat confdefs.h >>conftest.$ac_ext ++cat >>conftest.$ac_ext <<_ACEOF ++/* end confdefs.h. */ ++/* Define $ac_func to an innocuous variant, in case declares $ac_func. ++ For example, HP-UX 11i declares gettimeofday. */ ++#define $ac_func innocuous_$ac_func ++ ++/* System header to define __stub macros and hopefully few prototypes, ++ which can conflict with char $ac_func (); below. ++ Prefer to if __STDC__ is defined, since ++ exists even on freestanding compilers. */ ++ ++#ifdef __STDC__ ++# include ++#else ++# include ++#endif ++ ++#undef $ac_func ++ ++/* Override any GCC internal prototype to avoid an error. ++ Use char because int might match the return type of a GCC ++ builtin and then its argument prototype would still apply. */ ++#ifdef __cplusplus ++extern "C" ++#endif ++char $ac_func (); ++/* The GNU C library defines this for functions which it implements ++ to always fail with ENOSYS. Some functions are actually named ++ something starting with __ and the normal name is an alias. */ ++#if defined __stub_$ac_func || defined __stub___$ac_func ++choke me ++#endif ++ ++int ++main () ++{ ++return $ac_func (); ++ ; ++ return 0; ++} ++_ACEOF ++rm -f conftest.$ac_objext conftest$ac_exeext ++if { (ac_try="$ac_link" ++case "(($ac_try" in ++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; ++ *) ac_try_echo=$ac_try;; ++esac ++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" ++$as_echo "$ac_try_echo") >&5 ++ (eval "$ac_link") 2>conftest.er1 ++ ac_status=$? ++ grep -v '^ *+' conftest.er1 >conftest.err ++ rm -f conftest.er1 ++ cat conftest.err >&5 ++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); } && { ++ test -z "$ac_c_werror_flag" || ++ test ! -s conftest.err ++ } && test -s conftest$ac_exeext && { ++ test "$cross_compiling" = yes || ++ $as_test_x conftest$ac_exeext ++ }; then ++ eval "$as_ac_var=yes" ++else ++ $as_echo "$as_me: failed program was:" >&5 ++sed 's/^/| /' conftest.$ac_ext >&5 ++ ++ eval "$as_ac_var=no" ++fi ++ ++rm -rf conftest.dSYM ++rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ ++ conftest$ac_exeext conftest.$ac_ext ++fi ++ac_res=`eval 'as_val=${'$as_ac_var'} ++ $as_echo "$as_val"'` ++ { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 ++$as_echo "$ac_res" >&6; } ++as_val=`eval 'as_val=${'$as_ac_var'} ++ $as_echo "$as_val"'` ++ if test "x$as_val" = x""yes; then ++ cat >>confdefs.h <<_ACEOF ++#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 ++_ACEOF ++ ++fi ++done ++ ++ LIBS="$cmu_save_LIBS" ++ ++ cmu_save_LIBS="$LIBS" ++ LIBS="$LIBS $GSSAPIBASE_LIBS" ++ { $as_echo "$as_me:$LINENO: checking for SPNEGO support in GSSAPI libraries" >&5 ++$as_echo_n "checking for SPNEGO support in GSSAPI libraries... " >&6; } ++ if test "$cross_compiling" = yes; then ++ { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 ++$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} ++{ { $as_echo "$as_me:$LINENO: error: cannot run test program while cross compiling ++See \`config.log' for more details." >&5 ++$as_echo "$as_me: error: cannot run test program while cross compiling ++See \`config.log' for more details." >&2;} ++ { (exit 1); exit 1; }; }; } ++else ++ cat >conftest.$ac_ext <<_ACEOF ++/* confdefs.h. */ ++_ACEOF ++cat confdefs.h >>conftest.$ac_ext ++cat >>conftest.$ac_ext <<_ACEOF ++/* end confdefs.h. */ ++ ++#ifdef HAVE_GSSAPI_H ++#include ++#else ++#include ++#endif ++ ++int main(void) ++{ ++ gss_OID_desc spnego_oid = { 6, (void *) "\x2b\x06\x01\x05\x05\x02" }; ++ gss_OID_set mech_set; ++ OM_uint32 min_stat; ++ int have_spnego = 0; ++ ++ if (gss_indicate_mechs(&min_stat, &mech_set) == GSS_S_COMPLETE) { ++ gss_test_oid_set_member(&min_stat, &spnego_oid, mech_set, &have_spnego); ++ gss_release_oid_set(&min_stat, &mech_set); ++ } ++ ++ return (!have_spnego); // 0 = success, 1 = failure ++} ++ ++_ACEOF ++rm -f conftest$ac_exeext ++if { (ac_try="$ac_link" ++case "(($ac_try" in ++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; ++ *) ac_try_echo=$ac_try;; ++esac ++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" ++$as_echo "$ac_try_echo") >&5 ++ (eval "$ac_link") 2>&5 ++ ac_status=$? ++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); } && { ac_try='./conftest$ac_exeext' ++ { (case "(($ac_try" in ++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; ++ *) ac_try_echo=$ac_try;; ++esac ++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" ++$as_echo "$ac_try_echo") >&5 ++ (eval "$ac_try") 2>&5 ++ ac_status=$? ++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); }; }; then ++ ++cat >>confdefs.h <<\_ACEOF ++#define HAVE_GSS_SPNEGO /**/ ++_ACEOF ++ ++ { $as_echo "$as_me:$LINENO: result: yes" >&5 ++$as_echo "yes" >&6; } ++else ++ $as_echo "$as_me: program exited with status $ac_status" >&5 ++$as_echo "$as_me: failed program was:" >&5 ++sed 's/^/| /' conftest.$ac_ext >&5 ++ ++( exit $ac_status ) ++{ $as_echo "$as_me:$LINENO: result: no" >&5 ++$as_echo "no" >&6; } ++fi ++rm -rf conftest.dSYM ++rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext ++fi ++ ++ ++ LIBS="$cmu_save_LIBS" ++ ++else ++ { $as_echo "$as_me:$LINENO: result: disabled" >&5 ++$as_echo "disabled" >&6; } ++fi ++ ++ ++ ++ ++if test "$gssapi" != "no"; then ++ ++cat >>confdefs.h <<\_ACEOF ++#define STATIC_GSSAPIV2 /**/ ++_ACEOF ++ ++ mutex_default="no" ++ if test "$gss_impl" = "mit"; then ++ mutex_default="yes" ++ fi ++ { $as_echo "$as_me:$LINENO: checking to use mutexes aroung GSS calls" >&5 ++$as_echo_n "checking to use mutexes aroung GSS calls... " >&6; } + # Check whether --enable-gss_mutexes was given. + if test "${enable_gss_mutexes+set}" = set; then + enableval=$enable_gss_mutexes; use_gss_mutexes=$enableval +@@ -14246,44 +14352,127 @@ LIB_MYSQL="" + + case "$with_mysql" in + no) true;; +- notfound) { $as_echo "$as_me:$LINENO: WARNING: MySQL Library not found" >&5 +-$as_echo "$as_me: WARNING: MySQL Library not found" >&2;}; true;; +- *) +- if test -d ${with_mysql}/lib/mysql; then +- +- # this is CMU ADD LIBPATH TO +- if test "$andrew_cv_runpath_switch" = "none" ; then +- LIB_MYSQL="-L${with_mysql}/lib/mysql ${LIB_MYSQL}" +- else +- LIB_MYSQL="-L${with_mysql}/lib/mysql ${LIB_MYSQL} $andrew_cv_runpath_switch${with_mysql}/lib/mysql" +- fi +- +- elif test -d ${with_mysql}/mysql/lib; then +- +- # this is CMU ADD LIBPATH TO +- if test "$andrew_cv_runpath_switch" = "none" ; then +- LIB_MYSQL="-L${with_mysql}/mysql/lib ${LIB_MYSQL}" +- else +- LIB_MYSQL="-L${with_mysql}/mysql/lib ${LIB_MYSQL} $andrew_cv_runpath_switch${with_mysql}/mysql/lib" +- fi +- +- elif test -d ${with_mysql}/lib; then +- +- # this is CMU ADD LIBPATH TO +- if test "$andrew_cv_runpath_switch" = "none" ; then +- LIB_MYSQL="-L${with_mysql}/lib ${LIB_MYSQL}" +- else +- LIB_MYSQL="-L${with_mysql}/lib ${LIB_MYSQL} $andrew_cv_runpath_switch${with_mysql}/lib" +- fi +- +- else ++ notfound) ++ save_LDFLAGS=$LDFLAGS ++ LIB_MYSQL=`mysql_config --libs` ++ LIB_MYSQL="-lmysqlclient" ++ LDFLAGS="$LDFLAGS $LIB_MYSQL" ++ # CPPFLAGS="${CPPFLAGS} `mysql_config --include`" ++ { $as_echo "$as_me:$LINENO: checking for mysql_select_db in -lmysqlclient" >&5 ++$as_echo_n "checking for mysql_select_db in -lmysqlclient... " >&6; } ++if test "${ac_cv_lib_mysqlclient_mysql_select_db+set}" = set; then ++ $as_echo_n "(cached) " >&6 ++else ++ ac_check_lib_save_LIBS=$LIBS ++LIBS="-lmysqlclient $LIBS" ++cat >conftest.$ac_ext <<_ACEOF ++/* confdefs.h. */ ++_ACEOF ++cat confdefs.h >>conftest.$ac_ext ++cat >>conftest.$ac_ext <<_ACEOF ++/* end confdefs.h. */ + +- # this is CMU ADD LIBPATH TO +- if test "$andrew_cv_runpath_switch" = "none" ; then +- LIB_MYSQL="-L${with_mysql} ${LIB_MYSQL}" +- else +- LIB_MYSQL="-L${with_mysql} ${LIB_MYSQL} $andrew_cv_runpath_switch${with_mysql}" +- fi ++/* Override any GCC internal prototype to avoid an error. ++ Use char because int might match the return type of a GCC ++ builtin and then its argument prototype would still apply. */ ++#ifdef __cplusplus ++extern "C" ++#endif ++char mysql_select_db (); ++int ++main () ++{ ++return mysql_select_db (); ++ ; ++ return 0; ++} ++_ACEOF ++rm -f conftest.$ac_objext conftest$ac_exeext ++if { (ac_try="$ac_link" ++case "(($ac_try" in ++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; ++ *) ac_try_echo=$ac_try;; ++esac ++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" ++$as_echo "$ac_try_echo") >&5 ++ (eval "$ac_link") 2>conftest.er1 ++ ac_status=$? ++ grep -v '^ *+' conftest.er1 >conftest.err ++ rm -f conftest.er1 ++ cat conftest.err >&5 ++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); } && { ++ test -z "$ac_c_werror_flag" || ++ test ! -s conftest.err ++ } && test -s conftest$ac_exeext && { ++ test "$cross_compiling" = yes || ++ $as_test_x conftest$ac_exeext ++ }; then ++ ac_cv_lib_mysqlclient_mysql_select_db=yes ++else ++ $as_echo "$as_me: failed program was:" >&5 ++sed 's/^/| /' conftest.$ac_ext >&5 ++ ++ ac_cv_lib_mysqlclient_mysql_select_db=no ++fi ++ ++rm -rf conftest.dSYM ++rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ ++ conftest$ac_exeext conftest.$ac_ext ++LIBS=$ac_check_lib_save_LIBS ++fi ++{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_mysqlclient_mysql_select_db" >&5 ++$as_echo "$ac_cv_lib_mysqlclient_mysql_select_db" >&6; } ++if test "x$ac_cv_lib_mysqlclient_mysql_select_db" = x""yes; then ++ ++cat >>confdefs.h <<\_ACEOF ++#define HAVE_MYSQL /**/ ++_ACEOF ++ ++else ++ { $as_echo "$as_me:$LINENO: WARNING: MySQL library mysqlclient does not work" >&5 ++$as_echo "$as_me: WARNING: MySQL library mysqlclient does not work" >&2;} ++ with_mysql=no ++fi ++ ++ LDFLAGS=$save_LDFLAGS ++ ;; ++ *) ++ if test -d ${with_mysql}/lib/mysql; then ++ ++ # this is CMU ADD LIBPATH TO ++ if test "$andrew_cv_runpath_switch" = "none" ; then ++ LIB_MYSQL="-L${with_mysql}/lib/mysql ${LIB_MYSQL}" ++ else ++ LIB_MYSQL="-L${with_mysql}/lib/mysql ${LIB_MYSQL} $andrew_cv_runpath_switch${with_mysql}/lib/mysql" ++ fi ++ ++ elif test -d ${with_mysql}/mysql/lib; then ++ ++ # this is CMU ADD LIBPATH TO ++ if test "$andrew_cv_runpath_switch" = "none" ; then ++ LIB_MYSQL="-L${with_mysql}/mysql/lib ${LIB_MYSQL}" ++ else ++ LIB_MYSQL="-L${with_mysql}/mysql/lib ${LIB_MYSQL} $andrew_cv_runpath_switch${with_mysql}/mysql/lib" ++ fi ++ ++ elif test -d ${with_mysql}/lib; then ++ ++ # this is CMU ADD LIBPATH TO ++ if test "$andrew_cv_runpath_switch" = "none" ; then ++ LIB_MYSQL="-L${with_mysql}/lib ${LIB_MYSQL}" ++ else ++ LIB_MYSQL="-L${with_mysql}/lib ${LIB_MYSQL} $andrew_cv_runpath_switch${with_mysql}/lib" ++ fi ++ ++ else ++ ++ # this is CMU ADD LIBPATH TO ++ if test "$andrew_cv_runpath_switch" = "none" ; then ++ LIB_MYSQL="-L${with_mysql} ${LIB_MYSQL}" ++ else ++ LIB_MYSQL="-L${with_mysql} ${LIB_MYSQL} $andrew_cv_runpath_switch${with_mysql}" ++ fi + + fi + +@@ -14296,6 +14485,8 @@ $as_echo "$as_me: WARNING: MySQL Library + CPPFLAGS="${CPPFLAGS} -I${with_mysql}/mysql/include" + elif test -d ${with_mysql}/include; then + CPPFLAGS="${CPPFLAGS} -I${with_mysql}/include" ++ elif test -d ${prefix}/include/mysql; then ++ CPPFLAGS="${CPPFLAGS} -I${prefix}/include/mysql" + else + CPPFLAGS="${CPPFLAGS} -I${with_mysql}" + fi +@@ -14416,8 +14607,90 @@ LIB_PGSQL="" + + case "$with_pgsql" in + no) true;; +- notfound) { $as_echo "$as_me:$LINENO: WARNING: PostgreSQL Library not found" >&5 +-$as_echo "$as_me: WARNING: PostgreSQL Library not found" >&2;}; true;; ++ notfound) ++ LIB_PGSQL="-lpq" ++ # CPPFLAGS="${CPPFLAGS} -I`pg_config --includedir`" ++ save_LDFLAGS=$LDFLAGS ++ LDFLAGS="$LDFLAGS $LIB_PGSQL" ++ { $as_echo "$as_me:$LINENO: checking for PQsetdbLogin in -lpq" >&5 ++$as_echo_n "checking for PQsetdbLogin in -lpq... " >&6; } ++if test "${ac_cv_lib_pq_PQsetdbLogin+set}" = set; then ++ $as_echo_n "(cached) " >&6 ++else ++ ac_check_lib_save_LIBS=$LIBS ++LIBS="-lpq $LIBS" ++cat >conftest.$ac_ext <<_ACEOF ++/* confdefs.h. */ ++_ACEOF ++cat confdefs.h >>conftest.$ac_ext ++cat >>conftest.$ac_ext <<_ACEOF ++/* end confdefs.h. */ ++ ++/* Override any GCC internal prototype to avoid an error. ++ Use char because int might match the return type of a GCC ++ builtin and then its argument prototype would still apply. */ ++#ifdef __cplusplus ++extern "C" ++#endif ++char PQsetdbLogin (); ++int ++main () ++{ ++return PQsetdbLogin (); ++ ; ++ return 0; ++} ++_ACEOF ++rm -f conftest.$ac_objext conftest$ac_exeext ++if { (ac_try="$ac_link" ++case "(($ac_try" in ++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; ++ *) ac_try_echo=$ac_try;; ++esac ++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" ++$as_echo "$ac_try_echo") >&5 ++ (eval "$ac_link") 2>conftest.er1 ++ ac_status=$? ++ grep -v '^ *+' conftest.er1 >conftest.err ++ rm -f conftest.er1 ++ cat conftest.err >&5 ++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); } && { ++ test -z "$ac_c_werror_flag" || ++ test ! -s conftest.err ++ } && test -s conftest$ac_exeext && { ++ test "$cross_compiling" = yes || ++ $as_test_x conftest$ac_exeext ++ }; then ++ ac_cv_lib_pq_PQsetdbLogin=yes ++else ++ $as_echo "$as_me: failed program was:" >&5 ++sed 's/^/| /' conftest.$ac_ext >&5 ++ ++ ac_cv_lib_pq_PQsetdbLogin=no ++fi ++ ++rm -rf conftest.dSYM ++rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ ++ conftest$ac_exeext conftest.$ac_ext ++LIBS=$ac_check_lib_save_LIBS ++fi ++{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_pq_PQsetdbLogin" >&5 ++$as_echo "$ac_cv_lib_pq_PQsetdbLogin" >&6; } ++if test "x$ac_cv_lib_pq_PQsetdbLogin" = x""yes; then ++ ++cat >>confdefs.h <<\_ACEOF ++#define HAVE_PGSQL /**/ ++_ACEOF ++ ++else ++ { $as_echo "$as_me:$LINENO: WARNING: PostgreSQL Library pq does not work" >&5 ++$as_echo "$as_me: WARNING: PostgreSQL Library pq does not work" >&2;} ++ with_pgsql=no ++fi ++ ++ LDFLAGS=$save_LDFLAGS ++ ;; + *) + if test -d ${with_pgsql}/lib/pgsql; then + +@@ -14466,6 +14739,8 @@ $as_echo "$as_me: WARNING: PostgreSQL Li + CPPFLAGS="${CPPFLAGS} -I${with_pgsql}/pgsql/include" + elif test -d ${with_pgsql}/include; then + CPPFLAGS="${CPPFLAGS} -I${with_pgsql}/include" ++ elif test -d ${prefix}/include; then ++ CPPFLAGS="${CPPFLAGS} -I${prefix}/include" + else + CPPFLAGS="${CPPFLAGS} -I${with_pgsql}" + fi +@@ -18166,116 +18441,989 @@ fi + + done + +-ac_fn_c_check_type "$LINENO" "long long" "ac_cv_type_long_long" " +-#ifdef HAVE_INTTYPES_H +-#include +-#endif +-" +-if test "x$ac_cv_type_long_long" = xyes; then : +- +-cat >>confdefs.h <<_ACEOF +-#define HAVE_LONG_LONG 1 ++{ $as_echo "$as_me:$LINENO: checking for long long" >&5 ++$as_echo_n "checking for long long... " >&6; } ++if test "${ac_cv_type_long_long+set}" = set; then ++ $as_echo_n "(cached) " >&6 ++else ++ ac_cv_type_long_long=no ++cat >conftest.$ac_ext <<_ACEOF ++/* confdefs.h. */ + _ACEOF ++cat confdefs.h >>conftest.$ac_ext ++cat >>conftest.$ac_ext <<_ACEOF ++/* end confdefs.h. */ + +- +-fi +-ac_fn_c_check_type "$LINENO" "int8_t" "ac_cv_type_int8_t" " + #ifdef HAVE_INTTYPES_H + #include + #endif +-" +-if test "x$ac_cv_type_int8_t" = xyes; then : + +-cat >>confdefs.h <<_ACEOF +-#define HAVE_INT8_T 1 ++int ++main () ++{ ++if (sizeof (long long)) ++ return 0; ++ ; ++ return 0; ++} + _ACEOF +- +- +-fi +-ac_fn_c_check_type "$LINENO" "uint8_t" "ac_cv_type_uint8_t" " +-#ifdef HAVE_INTTYPES_H +-#include +-#endif +-" +-if test "x$ac_cv_type_uint8_t" = xyes; then : +- +-cat >>confdefs.h <<_ACEOF +-#define HAVE_UINT8_T 1 ++rm -f conftest.$ac_objext ++if { (ac_try="$ac_compile" ++case "(($ac_try" in ++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; ++ *) ac_try_echo=$ac_try;; ++esac ++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" ++$as_echo "$ac_try_echo") >&5 ++ (eval "$ac_compile") 2>conftest.er1 ++ ac_status=$? ++ grep -v '^ *+' conftest.er1 >conftest.err ++ rm -f conftest.er1 ++ cat conftest.err >&5 ++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); } && { ++ test -z "$ac_c_werror_flag" || ++ test ! -s conftest.err ++ } && test -s conftest.$ac_objext; then ++ cat >conftest.$ac_ext <<_ACEOF ++/* confdefs.h. */ + _ACEOF ++cat confdefs.h >>conftest.$ac_ext ++cat >>conftest.$ac_ext <<_ACEOF ++/* end confdefs.h. */ + +- +-fi +-ac_fn_c_check_type "$LINENO" "int16_t" "ac_cv_type_int16_t" " + #ifdef HAVE_INTTYPES_H + #include + #endif +-" +-if test "x$ac_cv_type_int16_t" = xyes; then : + +-cat >>confdefs.h <<_ACEOF +-#define HAVE_INT16_T 1 ++int ++main () ++{ ++if (sizeof ((long long))) ++ return 0; ++ ; ++ return 0; ++} + _ACEOF +- +- +-fi +-ac_fn_c_check_type "$LINENO" "uint16_t" "ac_cv_type_uint16_t" " +-#ifdef HAVE_INTTYPES_H +-#include +-#endif +-" +-if test "x$ac_cv_type_uint16_t" = xyes; then : +- +-cat >>confdefs.h <<_ACEOF +-#define HAVE_UINT16_T 1 ++rm -f conftest.$ac_objext ++if { (ac_try="$ac_compile" ++case "(($ac_try" in ++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; ++ *) ac_try_echo=$ac_try;; ++esac ++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" ++$as_echo "$ac_try_echo") >&5 ++ (eval "$ac_compile") 2>conftest.er1 ++ ac_status=$? ++ grep -v '^ *+' conftest.er1 >conftest.err ++ rm -f conftest.er1 ++ cat conftest.err >&5 ++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); } && { ++ test -z "$ac_c_werror_flag" || ++ test ! -s conftest.err ++ } && test -s conftest.$ac_objext; then ++ : ++else ++ $as_echo "$as_me: failed program was:" >&5 ++sed 's/^/| /' conftest.$ac_ext >&5 ++ ++ ac_cv_type_long_long=yes ++fi ++ ++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ++else ++ $as_echo "$as_me: failed program was:" >&5 ++sed 's/^/| /' conftest.$ac_ext >&5 ++ ++ ++fi ++ ++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ++fi ++{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_long_long" >&5 ++$as_echo "$ac_cv_type_long_long" >&6; } ++if test "x$ac_cv_type_long_long" = x""yes; then ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE_LONG_LONG 1 + _ACEOF + + + fi +-ac_fn_c_check_type "$LINENO" "int32_t" "ac_cv_type_int32_t" " ++{ $as_echo "$as_me:$LINENO: checking for int8_t" >&5 ++$as_echo_n "checking for int8_t... " >&6; } ++if test "${ac_cv_type_int8_t+set}" = set; then ++ $as_echo_n "(cached) " >&6 ++else ++ ac_cv_type_int8_t=no ++cat >conftest.$ac_ext <<_ACEOF ++/* confdefs.h. */ ++_ACEOF ++cat confdefs.h >>conftest.$ac_ext ++cat >>conftest.$ac_ext <<_ACEOF ++/* end confdefs.h. */ ++ + #ifdef HAVE_INTTYPES_H + #include + #endif +-" +-if test "x$ac_cv_type_int32_t" = xyes; then : + +-cat >>confdefs.h <<_ACEOF +-#define HAVE_INT32_T 1 ++int ++main () ++{ ++if (sizeof (int8_t)) ++ return 0; ++ ; ++ return 0; ++} + _ACEOF ++rm -f conftest.$ac_objext ++if { (ac_try="$ac_compile" ++case "(($ac_try" in ++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; ++ *) ac_try_echo=$ac_try;; ++esac ++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" ++$as_echo "$ac_try_echo") >&5 ++ (eval "$ac_compile") 2>conftest.er1 ++ ac_status=$? ++ grep -v '^ *+' conftest.er1 >conftest.err ++ rm -f conftest.er1 ++ cat conftest.err >&5 ++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); } && { ++ test -z "$ac_c_werror_flag" || ++ test ! -s conftest.err ++ } && test -s conftest.$ac_objext; then ++ cat >conftest.$ac_ext <<_ACEOF ++/* confdefs.h. */ ++_ACEOF ++cat confdefs.h >>conftest.$ac_ext ++cat >>conftest.$ac_ext <<_ACEOF ++/* end confdefs.h. */ + +- +-fi +-ac_fn_c_check_type "$LINENO" "uint32_t" "ac_cv_type_uint32_t" " + #ifdef HAVE_INTTYPES_H + #include + #endif +-" +-if test "x$ac_cv_type_uint32_t" = xyes; then : ++ ++int ++main () ++{ ++if (sizeof ((int8_t))) ++ return 0; ++ ; ++ return 0; ++} ++_ACEOF ++rm -f conftest.$ac_objext ++if { (ac_try="$ac_compile" ++case "(($ac_try" in ++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; ++ *) ac_try_echo=$ac_try;; ++esac ++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" ++$as_echo "$ac_try_echo") >&5 ++ (eval "$ac_compile") 2>conftest.er1 ++ ac_status=$? ++ grep -v '^ *+' conftest.er1 >conftest.err ++ rm -f conftest.er1 ++ cat conftest.err >&5 ++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); } && { ++ test -z "$ac_c_werror_flag" || ++ test ! -s conftest.err ++ } && test -s conftest.$ac_objext; then ++ : ++else ++ $as_echo "$as_me: failed program was:" >&5 ++sed 's/^/| /' conftest.$ac_ext >&5 ++ ++ ac_cv_type_int8_t=yes ++fi ++ ++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ++else ++ $as_echo "$as_me: failed program was:" >&5 ++sed 's/^/| /' conftest.$ac_ext >&5 ++ ++ ++fi ++ ++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ++fi ++{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_int8_t" >&5 ++$as_echo "$ac_cv_type_int8_t" >&6; } ++if test "x$ac_cv_type_int8_t" = x""yes; then + + cat >>confdefs.h <<_ACEOF +-#define HAVE_UINT32_T 1 ++#define HAVE_INT8_T 1 + _ACEOF + + + fi +-ac_fn_c_check_type "$LINENO" "int64_t" "ac_cv_type_int64_t" " ++{ $as_echo "$as_me:$LINENO: checking for uint8_t" >&5 ++$as_echo_n "checking for uint8_t... " >&6; } ++if test "${ac_cv_type_uint8_t+set}" = set; then ++ $as_echo_n "(cached) " >&6 ++else ++ ac_cv_type_uint8_t=no ++cat >conftest.$ac_ext <<_ACEOF ++/* confdefs.h. */ ++_ACEOF ++cat confdefs.h >>conftest.$ac_ext ++cat >>conftest.$ac_ext <<_ACEOF ++/* end confdefs.h. */ ++ + #ifdef HAVE_INTTYPES_H + #include + #endif +-" +-if test "x$ac_cv_type_int64_t" = xyes; then : ++ ++int ++main () ++{ ++if (sizeof (uint8_t)) ++ return 0; ++ ; ++ return 0; ++} ++_ACEOF ++rm -f conftest.$ac_objext ++if { (ac_try="$ac_compile" ++case "(($ac_try" in ++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; ++ *) ac_try_echo=$ac_try;; ++esac ++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" ++$as_echo "$ac_try_echo") >&5 ++ (eval "$ac_compile") 2>conftest.er1 ++ ac_status=$? ++ grep -v '^ *+' conftest.er1 >conftest.err ++ rm -f conftest.er1 ++ cat conftest.err >&5 ++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); } && { ++ test -z "$ac_c_werror_flag" || ++ test ! -s conftest.err ++ } && test -s conftest.$ac_objext; then ++ cat >conftest.$ac_ext <<_ACEOF ++/* confdefs.h. */ ++_ACEOF ++cat confdefs.h >>conftest.$ac_ext ++cat >>conftest.$ac_ext <<_ACEOF ++/* end confdefs.h. */ ++ ++#ifdef HAVE_INTTYPES_H ++#include ++#endif ++ ++int ++main () ++{ ++if (sizeof ((uint8_t))) ++ return 0; ++ ; ++ return 0; ++} ++_ACEOF ++rm -f conftest.$ac_objext ++if { (ac_try="$ac_compile" ++case "(($ac_try" in ++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; ++ *) ac_try_echo=$ac_try;; ++esac ++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" ++$as_echo "$ac_try_echo") >&5 ++ (eval "$ac_compile") 2>conftest.er1 ++ ac_status=$? ++ grep -v '^ *+' conftest.er1 >conftest.err ++ rm -f conftest.er1 ++ cat conftest.err >&5 ++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); } && { ++ test -z "$ac_c_werror_flag" || ++ test ! -s conftest.err ++ } && test -s conftest.$ac_objext; then ++ : ++else ++ $as_echo "$as_me: failed program was:" >&5 ++sed 's/^/| /' conftest.$ac_ext >&5 ++ ++ ac_cv_type_uint8_t=yes ++fi ++ ++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ++else ++ $as_echo "$as_me: failed program was:" >&5 ++sed 's/^/| /' conftest.$ac_ext >&5 ++ ++ ++fi ++ ++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ++fi ++{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_uint8_t" >&5 ++$as_echo "$ac_cv_type_uint8_t" >&6; } ++if test "x$ac_cv_type_uint8_t" = x""yes; then + + cat >>confdefs.h <<_ACEOF +-#define HAVE_INT64_T 1 ++#define HAVE_UINT8_T 1 + _ACEOF + + + fi +-ac_fn_c_check_type "$LINENO" "uint64_t" "ac_cv_type_uint64_t" " ++{ $as_echo "$as_me:$LINENO: checking for int16_t" >&5 ++$as_echo_n "checking for int16_t... " >&6; } ++if test "${ac_cv_type_int16_t+set}" = set; then ++ $as_echo_n "(cached) " >&6 ++else ++ ac_cv_type_int16_t=no ++cat >conftest.$ac_ext <<_ACEOF ++/* confdefs.h. */ ++_ACEOF ++cat confdefs.h >>conftest.$ac_ext ++cat >>conftest.$ac_ext <<_ACEOF ++/* end confdefs.h. */ ++ + #ifdef HAVE_INTTYPES_H + #include + #endif +-" +-if test "x$ac_cv_type_uint64_t" = xyes; then : ++ ++int ++main () ++{ ++if (sizeof (int16_t)) ++ return 0; ++ ; ++ return 0; ++} ++_ACEOF ++rm -f conftest.$ac_objext ++if { (ac_try="$ac_compile" ++case "(($ac_try" in ++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; ++ *) ac_try_echo=$ac_try;; ++esac ++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" ++$as_echo "$ac_try_echo") >&5 ++ (eval "$ac_compile") 2>conftest.er1 ++ ac_status=$? ++ grep -v '^ *+' conftest.er1 >conftest.err ++ rm -f conftest.er1 ++ cat conftest.err >&5 ++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); } && { ++ test -z "$ac_c_werror_flag" || ++ test ! -s conftest.err ++ } && test -s conftest.$ac_objext; then ++ cat >conftest.$ac_ext <<_ACEOF ++/* confdefs.h. */ ++_ACEOF ++cat confdefs.h >>conftest.$ac_ext ++cat >>conftest.$ac_ext <<_ACEOF ++/* end confdefs.h. */ ++ ++#ifdef HAVE_INTTYPES_H ++#include ++#endif ++ ++int ++main () ++{ ++if (sizeof ((int16_t))) ++ return 0; ++ ; ++ return 0; ++} ++_ACEOF ++rm -f conftest.$ac_objext ++if { (ac_try="$ac_compile" ++case "(($ac_try" in ++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; ++ *) ac_try_echo=$ac_try;; ++esac ++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" ++$as_echo "$ac_try_echo") >&5 ++ (eval "$ac_compile") 2>conftest.er1 ++ ac_status=$? ++ grep -v '^ *+' conftest.er1 >conftest.err ++ rm -f conftest.er1 ++ cat conftest.err >&5 ++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); } && { ++ test -z "$ac_c_werror_flag" || ++ test ! -s conftest.err ++ } && test -s conftest.$ac_objext; then ++ : ++else ++ $as_echo "$as_me: failed program was:" >&5 ++sed 's/^/| /' conftest.$ac_ext >&5 ++ ++ ac_cv_type_int16_t=yes ++fi ++ ++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ++else ++ $as_echo "$as_me: failed program was:" >&5 ++sed 's/^/| /' conftest.$ac_ext >&5 ++ ++ ++fi ++ ++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ++fi ++{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_int16_t" >&5 ++$as_echo "$ac_cv_type_int16_t" >&6; } ++if test "x$ac_cv_type_int16_t" = x""yes; then ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE_INT16_T 1 ++_ACEOF ++ ++ ++fi ++{ $as_echo "$as_me:$LINENO: checking for uint16_t" >&5 ++$as_echo_n "checking for uint16_t... " >&6; } ++if test "${ac_cv_type_uint16_t+set}" = set; then ++ $as_echo_n "(cached) " >&6 ++else ++ ac_cv_type_uint16_t=no ++cat >conftest.$ac_ext <<_ACEOF ++/* confdefs.h. */ ++_ACEOF ++cat confdefs.h >>conftest.$ac_ext ++cat >>conftest.$ac_ext <<_ACEOF ++/* end confdefs.h. */ ++ ++#ifdef HAVE_INTTYPES_H ++#include ++#endif ++ ++int ++main () ++{ ++if (sizeof (uint16_t)) ++ return 0; ++ ; ++ return 0; ++} ++_ACEOF ++rm -f conftest.$ac_objext ++if { (ac_try="$ac_compile" ++case "(($ac_try" in ++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; ++ *) ac_try_echo=$ac_try;; ++esac ++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" ++$as_echo "$ac_try_echo") >&5 ++ (eval "$ac_compile") 2>conftest.er1 ++ ac_status=$? ++ grep -v '^ *+' conftest.er1 >conftest.err ++ rm -f conftest.er1 ++ cat conftest.err >&5 ++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); } && { ++ test -z "$ac_c_werror_flag" || ++ test ! -s conftest.err ++ } && test -s conftest.$ac_objext; then ++ cat >conftest.$ac_ext <<_ACEOF ++/* confdefs.h. */ ++_ACEOF ++cat confdefs.h >>conftest.$ac_ext ++cat >>conftest.$ac_ext <<_ACEOF ++/* end confdefs.h. */ ++ ++#ifdef HAVE_INTTYPES_H ++#include ++#endif ++ ++int ++main () ++{ ++if (sizeof ((uint16_t))) ++ return 0; ++ ; ++ return 0; ++} ++_ACEOF ++rm -f conftest.$ac_objext ++if { (ac_try="$ac_compile" ++case "(($ac_try" in ++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; ++ *) ac_try_echo=$ac_try;; ++esac ++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" ++$as_echo "$ac_try_echo") >&5 ++ (eval "$ac_compile") 2>conftest.er1 ++ ac_status=$? ++ grep -v '^ *+' conftest.er1 >conftest.err ++ rm -f conftest.er1 ++ cat conftest.err >&5 ++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); } && { ++ test -z "$ac_c_werror_flag" || ++ test ! -s conftest.err ++ } && test -s conftest.$ac_objext; then ++ : ++else ++ $as_echo "$as_me: failed program was:" >&5 ++sed 's/^/| /' conftest.$ac_ext >&5 ++ ++ ac_cv_type_uint16_t=yes ++fi ++ ++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ++else ++ $as_echo "$as_me: failed program was:" >&5 ++sed 's/^/| /' conftest.$ac_ext >&5 ++ ++ ++fi ++ ++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ++fi ++{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_uint16_t" >&5 ++$as_echo "$ac_cv_type_uint16_t" >&6; } ++if test "x$ac_cv_type_uint16_t" = x""yes; then ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE_UINT16_T 1 ++_ACEOF ++ ++ ++fi ++{ $as_echo "$as_me:$LINENO: checking for int32_t" >&5 ++$as_echo_n "checking for int32_t... " >&6; } ++if test "${ac_cv_type_int32_t+set}" = set; then ++ $as_echo_n "(cached) " >&6 ++else ++ ac_cv_type_int32_t=no ++cat >conftest.$ac_ext <<_ACEOF ++/* confdefs.h. */ ++_ACEOF ++cat confdefs.h >>conftest.$ac_ext ++cat >>conftest.$ac_ext <<_ACEOF ++/* end confdefs.h. */ ++ ++#ifdef HAVE_INTTYPES_H ++#include ++#endif ++ ++int ++main () ++{ ++if (sizeof (int32_t)) ++ return 0; ++ ; ++ return 0; ++} ++_ACEOF ++rm -f conftest.$ac_objext ++if { (ac_try="$ac_compile" ++case "(($ac_try" in ++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; ++ *) ac_try_echo=$ac_try;; ++esac ++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" ++$as_echo "$ac_try_echo") >&5 ++ (eval "$ac_compile") 2>conftest.er1 ++ ac_status=$? ++ grep -v '^ *+' conftest.er1 >conftest.err ++ rm -f conftest.er1 ++ cat conftest.err >&5 ++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); } && { ++ test -z "$ac_c_werror_flag" || ++ test ! -s conftest.err ++ } && test -s conftest.$ac_objext; then ++ cat >conftest.$ac_ext <<_ACEOF ++/* confdefs.h. */ ++_ACEOF ++cat confdefs.h >>conftest.$ac_ext ++cat >>conftest.$ac_ext <<_ACEOF ++/* end confdefs.h. */ ++ ++#ifdef HAVE_INTTYPES_H ++#include ++#endif ++ ++int ++main () ++{ ++if (sizeof ((int32_t))) ++ return 0; ++ ; ++ return 0; ++} ++_ACEOF ++rm -f conftest.$ac_objext ++if { (ac_try="$ac_compile" ++case "(($ac_try" in ++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; ++ *) ac_try_echo=$ac_try;; ++esac ++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" ++$as_echo "$ac_try_echo") >&5 ++ (eval "$ac_compile") 2>conftest.er1 ++ ac_status=$? ++ grep -v '^ *+' conftest.er1 >conftest.err ++ rm -f conftest.er1 ++ cat conftest.err >&5 ++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); } && { ++ test -z "$ac_c_werror_flag" || ++ test ! -s conftest.err ++ } && test -s conftest.$ac_objext; then ++ : ++else ++ $as_echo "$as_me: failed program was:" >&5 ++sed 's/^/| /' conftest.$ac_ext >&5 ++ ++ ac_cv_type_int32_t=yes ++fi ++ ++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ++else ++ $as_echo "$as_me: failed program was:" >&5 ++sed 's/^/| /' conftest.$ac_ext >&5 ++ ++ ++fi ++ ++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ++fi ++{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_int32_t" >&5 ++$as_echo "$ac_cv_type_int32_t" >&6; } ++if test "x$ac_cv_type_int32_t" = x""yes; then ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE_INT32_T 1 ++_ACEOF ++ ++ ++fi ++{ $as_echo "$as_me:$LINENO: checking for uint32_t" >&5 ++$as_echo_n "checking for uint32_t... " >&6; } ++if test "${ac_cv_type_uint32_t+set}" = set; then ++ $as_echo_n "(cached) " >&6 ++else ++ ac_cv_type_uint32_t=no ++cat >conftest.$ac_ext <<_ACEOF ++/* confdefs.h. */ ++_ACEOF ++cat confdefs.h >>conftest.$ac_ext ++cat >>conftest.$ac_ext <<_ACEOF ++/* end confdefs.h. */ ++ ++#ifdef HAVE_INTTYPES_H ++#include ++#endif ++ ++int ++main () ++{ ++if (sizeof (uint32_t)) ++ return 0; ++ ; ++ return 0; ++} ++_ACEOF ++rm -f conftest.$ac_objext ++if { (ac_try="$ac_compile" ++case "(($ac_try" in ++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; ++ *) ac_try_echo=$ac_try;; ++esac ++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" ++$as_echo "$ac_try_echo") >&5 ++ (eval "$ac_compile") 2>conftest.er1 ++ ac_status=$? ++ grep -v '^ *+' conftest.er1 >conftest.err ++ rm -f conftest.er1 ++ cat conftest.err >&5 ++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); } && { ++ test -z "$ac_c_werror_flag" || ++ test ! -s conftest.err ++ } && test -s conftest.$ac_objext; then ++ cat >conftest.$ac_ext <<_ACEOF ++/* confdefs.h. */ ++_ACEOF ++cat confdefs.h >>conftest.$ac_ext ++cat >>conftest.$ac_ext <<_ACEOF ++/* end confdefs.h. */ ++ ++#ifdef HAVE_INTTYPES_H ++#include ++#endif ++ ++int ++main () ++{ ++if (sizeof ((uint32_t))) ++ return 0; ++ ; ++ return 0; ++} ++_ACEOF ++rm -f conftest.$ac_objext ++if { (ac_try="$ac_compile" ++case "(($ac_try" in ++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; ++ *) ac_try_echo=$ac_try;; ++esac ++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" ++$as_echo "$ac_try_echo") >&5 ++ (eval "$ac_compile") 2>conftest.er1 ++ ac_status=$? ++ grep -v '^ *+' conftest.er1 >conftest.err ++ rm -f conftest.er1 ++ cat conftest.err >&5 ++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); } && { ++ test -z "$ac_c_werror_flag" || ++ test ! -s conftest.err ++ } && test -s conftest.$ac_objext; then ++ : ++else ++ $as_echo "$as_me: failed program was:" >&5 ++sed 's/^/| /' conftest.$ac_ext >&5 ++ ++ ac_cv_type_uint32_t=yes ++fi ++ ++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ++else ++ $as_echo "$as_me: failed program was:" >&5 ++sed 's/^/| /' conftest.$ac_ext >&5 ++ ++ ++fi ++ ++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ++fi ++{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_uint32_t" >&5 ++$as_echo "$ac_cv_type_uint32_t" >&6; } ++if test "x$ac_cv_type_uint32_t" = x""yes; then ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE_UINT32_T 1 ++_ACEOF ++ ++ ++fi ++{ $as_echo "$as_me:$LINENO: checking for int64_t" >&5 ++$as_echo_n "checking for int64_t... " >&6; } ++if test "${ac_cv_type_int64_t+set}" = set; then ++ $as_echo_n "(cached) " >&6 ++else ++ ac_cv_type_int64_t=no ++cat >conftest.$ac_ext <<_ACEOF ++/* confdefs.h. */ ++_ACEOF ++cat confdefs.h >>conftest.$ac_ext ++cat >>conftest.$ac_ext <<_ACEOF ++/* end confdefs.h. */ ++ ++#ifdef HAVE_INTTYPES_H ++#include ++#endif ++ ++int ++main () ++{ ++if (sizeof (int64_t)) ++ return 0; ++ ; ++ return 0; ++} ++_ACEOF ++rm -f conftest.$ac_objext ++if { (ac_try="$ac_compile" ++case "(($ac_try" in ++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; ++ *) ac_try_echo=$ac_try;; ++esac ++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" ++$as_echo "$ac_try_echo") >&5 ++ (eval "$ac_compile") 2>conftest.er1 ++ ac_status=$? ++ grep -v '^ *+' conftest.er1 >conftest.err ++ rm -f conftest.er1 ++ cat conftest.err >&5 ++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); } && { ++ test -z "$ac_c_werror_flag" || ++ test ! -s conftest.err ++ } && test -s conftest.$ac_objext; then ++ cat >conftest.$ac_ext <<_ACEOF ++/* confdefs.h. */ ++_ACEOF ++cat confdefs.h >>conftest.$ac_ext ++cat >>conftest.$ac_ext <<_ACEOF ++/* end confdefs.h. */ ++ ++#ifdef HAVE_INTTYPES_H ++#include ++#endif ++ ++int ++main () ++{ ++if (sizeof ((int64_t))) ++ return 0; ++ ; ++ return 0; ++} ++_ACEOF ++rm -f conftest.$ac_objext ++if { (ac_try="$ac_compile" ++case "(($ac_try" in ++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; ++ *) ac_try_echo=$ac_try;; ++esac ++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" ++$as_echo "$ac_try_echo") >&5 ++ (eval "$ac_compile") 2>conftest.er1 ++ ac_status=$? ++ grep -v '^ *+' conftest.er1 >conftest.err ++ rm -f conftest.er1 ++ cat conftest.err >&5 ++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); } && { ++ test -z "$ac_c_werror_flag" || ++ test ! -s conftest.err ++ } && test -s conftest.$ac_objext; then ++ : ++else ++ $as_echo "$as_me: failed program was:" >&5 ++sed 's/^/| /' conftest.$ac_ext >&5 ++ ++ ac_cv_type_int64_t=yes ++fi ++ ++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ++else ++ $as_echo "$as_me: failed program was:" >&5 ++sed 's/^/| /' conftest.$ac_ext >&5 ++ ++ ++fi ++ ++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ++fi ++{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_int64_t" >&5 ++$as_echo "$ac_cv_type_int64_t" >&6; } ++if test "x$ac_cv_type_int64_t" = x""yes; then ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE_INT64_T 1 ++_ACEOF ++ ++ ++fi ++{ $as_echo "$as_me:$LINENO: checking for uint64_t" >&5 ++$as_echo_n "checking for uint64_t... " >&6; } ++if test "${ac_cv_type_uint64_t+set}" = set; then ++ $as_echo_n "(cached) " >&6 ++else ++ ac_cv_type_uint64_t=no ++cat >conftest.$ac_ext <<_ACEOF ++/* confdefs.h. */ ++_ACEOF ++cat confdefs.h >>conftest.$ac_ext ++cat >>conftest.$ac_ext <<_ACEOF ++/* end confdefs.h. */ ++ ++#ifdef HAVE_INTTYPES_H ++#include ++#endif ++ ++int ++main () ++{ ++if (sizeof (uint64_t)) ++ return 0; ++ ; ++ return 0; ++} ++_ACEOF ++rm -f conftest.$ac_objext ++if { (ac_try="$ac_compile" ++case "(($ac_try" in ++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; ++ *) ac_try_echo=$ac_try;; ++esac ++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" ++$as_echo "$ac_try_echo") >&5 ++ (eval "$ac_compile") 2>conftest.er1 ++ ac_status=$? ++ grep -v '^ *+' conftest.er1 >conftest.err ++ rm -f conftest.er1 ++ cat conftest.err >&5 ++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); } && { ++ test -z "$ac_c_werror_flag" || ++ test ! -s conftest.err ++ } && test -s conftest.$ac_objext; then ++ cat >conftest.$ac_ext <<_ACEOF ++/* confdefs.h. */ ++_ACEOF ++cat confdefs.h >>conftest.$ac_ext ++cat >>conftest.$ac_ext <<_ACEOF ++/* end confdefs.h. */ ++ ++#ifdef HAVE_INTTYPES_H ++#include ++#endif ++ ++int ++main () ++{ ++if (sizeof ((uint64_t))) ++ return 0; ++ ; ++ return 0; ++} ++_ACEOF ++rm -f conftest.$ac_objext ++if { (ac_try="$ac_compile" ++case "(($ac_try" in ++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; ++ *) ac_try_echo=$ac_try;; ++esac ++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" ++$as_echo "$ac_try_echo") >&5 ++ (eval "$ac_compile") 2>conftest.er1 ++ ac_status=$? ++ grep -v '^ *+' conftest.er1 >conftest.err ++ rm -f conftest.er1 ++ cat conftest.err >&5 ++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); } && { ++ test -z "$ac_c_werror_flag" || ++ test ! -s conftest.err ++ } && test -s conftest.$ac_objext; then ++ : ++else ++ $as_echo "$as_me: failed program was:" >&5 ++sed 's/^/| /' conftest.$ac_ext >&5 ++ ++ ac_cv_type_uint64_t=yes ++fi ++ ++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ++else ++ $as_echo "$as_me: failed program was:" >&5 ++sed 's/^/| /' conftest.$ac_ext >&5 ++ ++ ++fi ++ ++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ++fi ++{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_uint64_t" >&5 ++$as_echo "$ac_cv_type_uint64_t" >&6; } ++if test "x$ac_cv_type_uint64_t" = x""yes; then + + cat >>confdefs.h <<_ACEOF + #define HAVE_UINT64_T 1 diff --git a/SOURCES/cyrus-sasl-2.1.26-warnings.patch b/SOURCES/cyrus-sasl-2.1.26-warnings.patch new file mode 100644 index 0000000..f7127bb --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.26-warnings.patch @@ -0,0 +1,74 @@ +diff -up cyrus-sasl-2.1.26/lib/server.c.warnings cyrus-sasl-2.1.26/lib/server.c +--- cyrus-sasl-2.1.26/lib/server.c.warnings 2012-10-12 16:05:48.000000000 +0200 ++++ cyrus-sasl-2.1.26/lib/server.c 2012-12-20 17:49:39.620254792 +0100 +@@ -650,7 +650,7 @@ static int load_config(const sasl_callba + goto done; + } + +- snprintf(config_filename, len, "%.*s%c%s.conf", path_len, path_to_config, ++ snprintf(config_filename, len, "%.*s%c%s.conf", (int)path_len, path_to_config, + HIER_DELIMITER, global_callbacks.appname); + + /* Ask the application if it's safe to use this file */ +diff -up cyrus-sasl-2.1.26/plugins/gssapi.c.warnings cyrus-sasl-2.1.26/plugins/gssapi.c +--- cyrus-sasl-2.1.26/plugins/gssapi.c.warnings 2012-01-28 00:31:36.000000000 +0100 ++++ cyrus-sasl-2.1.26/plugins/gssapi.c 2012-12-20 17:49:39.620254792 +0100 +@@ -202,7 +202,8 @@ sasl_gss_seterror_(const sasl_utils_t *u + OM_uint32 msg_ctx; + int ret; + char *out = NULL; +- size_t len, curlen = 0; ++ size_t len; ++ unsigned curlen = 0; + const char prefix[] = "GSSAPI Error: "; + + if (!utils) return SASL_OK; +diff -up cyrus-sasl-2.1.26/plugins/ldapdb.c.warnings cyrus-sasl-2.1.26/plugins/ldapdb.c +--- cyrus-sasl-2.1.26/plugins/ldapdb.c.warnings 2012-01-28 00:31:36.000000000 +0100 ++++ cyrus-sasl-2.1.26/plugins/ldapdb.c 2012-12-20 17:49:39.621254788 +0100 +@@ -22,6 +22,7 @@ + + #include "plugin_common.h" + ++#define LDAP_DEPRECATED 1 + #include + + static char ldapdb[] = "ldapdb"; +diff -up cyrus-sasl-2.1.26/plugins/plugin_common.c.warnings cyrus-sasl-2.1.26/plugins/plugin_common.c +--- cyrus-sasl-2.1.26/plugins/plugin_common.c.warnings 2013-09-03 14:40:35.181455452 +0200 ++++ cyrus-sasl-2.1.26/plugins/plugin_common.c 2013-09-03 14:40:38.320441024 +0200 +@@ -94,7 +94,7 @@ static void sockaddr_unmapped( + if (!IN6_IS_ADDR_V4MAPPED((&sin6->sin6_addr))) + return; + sin4 = (struct sockaddr_in *)sa; +- addr = *(uint32_t *)&sin6->sin6_addr.s6_addr[12]; ++ addr = *(uint32_t *)&sin6->sin6_addr.s6_addr32[3]; + port = sin6->sin6_port; + memset(sin4, 0, sizeof(struct sockaddr_in)); + sin4->sin_addr.s_addr = addr; +diff -up cyrus-sasl-2.1.26/saslauthd/auth_httpform.c.warnings cyrus-sasl-2.1.26/saslauthd/auth_httpform.c +--- cyrus-sasl-2.1.26/saslauthd/auth_httpform.c.warnings 2012-10-12 16:05:48.000000000 +0200 ++++ cyrus-sasl-2.1.26/saslauthd/auth_httpform.c 2013-09-03 14:39:25.411776109 +0200 +@@ -574,7 +574,7 @@ auth_httpform ( + "Content-Type: application/x-www-form-urlencoded" CRLF + "Content-Length: %d" TWO_CRLF + "%s", +- r_uri, r_host, r_port, strlen(req), req); ++ r_uri, r_host, r_port, (int)strlen(req), req); + + if (flags & VERBOSE) { + syslog(LOG_DEBUG, "auth_httpform: sending %s %s %s", +diff -up cyrus-sasl-2.1.26/saslauthd/auth_shadow.c.warnings cyrus-sasl-2.1.26/saslauthd/auth_shadow.c +--- cyrus-sasl-2.1.26/saslauthd/auth_shadow.c.warnings 2012-10-12 16:05:48.000000000 +0200 ++++ cyrus-sasl-2.1.26/saslauthd/auth_shadow.c 2012-12-20 17:49:39.621254788 +0100 +@@ -70,6 +70,10 @@ + # include + # endif /* ! HAVE_GETUSERPW */ + ++# ifdef HAVE_CRYPT_H ++# include ++# endif ++ + # include "auth_shadow.h" + # include "globals.h" + /* END PUBLIC DEPENDENCIES */ diff --git a/SOURCES/make-no-dlcompatorsrp-tarball.sh b/SOURCES/make-no-dlcompatorsrp-tarball.sh new file mode 100755 index 0000000..a0a3245 --- /dev/null +++ b/SOURCES/make-no-dlcompatorsrp-tarball.sh @@ -0,0 +1,41 @@ +#!/bin/bash -e +# +# See ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/ for unmodified sources. +# + +tmppath=`mktemp -d ${TMPDIR:-/tmp}/make-no-dlcompat-tarball-XXXXXX` +if test -z "$tmppath" ; then + echo Error creating temporary directory. + exit 1 +fi +trap "rm -fr $tmppath" EXIT + +initialdir=`pwd` + +for tarball in ${initialdir}/cyrus-sasl-*.tar.{gz,bz2} ; do + if ! test -s "$tarball" ; then + continue + fi + rm -fr $tmppath/* + pushd $tmppath > /dev/null + case "$tarball" in + *nodlcompat*) + : Do nothing. + ;; + *.gz) + gzip -dc "$tarball" | tar xf - + rm -fr cyrus-sasl-*/dlcompat* + rm -fr cyrus-sasl-*/plugins/srp* + tar cf - * | gzip -9c > \ + $initialdir/`basename $tarball .tar.gz`-nodlcompatorsrp.tar.gz + ;; + *.bz2) + bzip2 -dc "$tarball" | tar xf - + rm -fr cyrus-sasl-*/dlcompat* + rm -fr cyrus-sasl-*/plugins/srp* + tar cf - * | bzip2 -9c > \ + $initialdir/`basename $tarball .tar.bz2`-nodlcompatorsrp.tar.bz2 + ;; + esac + popd > /dev/null +done diff --git a/SOURCES/sasl-checkpass.c b/SOURCES/sasl-checkpass.c new file mode 100644 index 0000000..27a0b94 --- /dev/null +++ b/SOURCES/sasl-checkpass.c @@ -0,0 +1,185 @@ +#include +#include +#include +#include + +#include "sasl.h" +#ifdef SASL2 +static int main_requested_sasl_version = 2; +#else +static int main_requested_sasl_version = 1; +#endif + +static int main_verbose = 0; + +static int +my_getopt(void *context, const char *plugin_name, + const char *option, const char **result, unsigned *len) +{ + if (result) { + *result = NULL; + if (strcmp(option, "pwcheck_method") == 0) { + *result = "saslauthd"; + } + if (strcmp(option, "saslauthd_version") == 0) { + switch (main_requested_sasl_version) { + case 1: + *result = "1"; + break; + case 2: + *result = "2"; + break; + default: +#ifdef SASL2 + *result = "2"; +#else + *result = "1"; +#endif + break; + } + } + if (main_verbose) { + fprintf(stderr, "Getopt plugin=%s%s%s/option=%s%s%s -> ", + plugin_name ? "\"" : "", + plugin_name ? plugin_name : "(null)", + plugin_name ? "\"" : "", + option ? "\"" : "", + option ? option : "(null)", + option ? "\"" : ""); + fprintf(stderr, "'%s'.\n", *result ? *result : ""); + } + } + if (len) { + *len = 0; + } + return 0; +} + +int +main(int argc, char **argv) +{ + const char *user, *realm, *passwd, *service, *mechs, **globals, *err; + int c, ret; + sasl_callback_t callbacks[] = { + {SASL_CB_GETOPT, my_getopt, NULL}, + {SASL_CB_LIST_END}, + }; + sasl_conn_t *connection; + char hostname[512]; + char fulluser[512]; /* XXX: may overflow */ + + user = realm = passwd = service = ""; + strcpy(hostname, "localhost"); + gethostname(hostname, sizeof(hostname)); + + while ((c = getopt(argc, argv, "u:r:p:s:h:12v")) != -1) { + switch (c) { + case 'u': + user = optarg; + break; + case 'r': + realm = optarg; + break; + case 'p': + passwd = optarg; + break; + case 's': + service = optarg; + break; + case 'h': + strncpy(hostname, optarg, sizeof(hostname) - 1); + hostname[sizeof(hostname) - 1] = '\0'; + break; + case '1': + main_requested_sasl_version = 1; + break; + case '2': + main_requested_sasl_version = 2; + break; + case 'v': + main_verbose++; + break; + default: + printf("Usage: %s [-v] [-1] [-2] " + "[-h hostname] " + "[-u user] " + "[-r realm] " + "[-p password] " + "[-s service] " + "\n", argv[0]); + return 2; + break; + } + } + if ((strlen(user) == 0) || (strlen(passwd) == 0)) { + printf("Usage: %s [-v] [-1] [-2] " + "[-h hostname] " + "[-u user] " + "[-r realm] " + "[-p password] " + "[-s service] " + "\n", argv[0]); + return 2; + } + if (realm && (strlen(realm) > 0)) { + sprintf(fulluser, "%s@%s", user, realm); + } else { + sprintf(fulluser, "%s", user); + } + + ret = sasl_server_init(callbacks, + strlen(service) ? service : "sasl-checkpass"); + if (ret != SASL_OK) { + fprintf(stderr, "Error in sasl_server_init(): %s\n", + sasl_errstring(ret, NULL, NULL)); + } + + connection = NULL; + ret = sasl_server_new(strlen(service) ? service : "sasl-checkpass", + hostname, + NULL, +#ifdef SASL2 + NULL, + NULL, +#endif + callbacks, + 0, + &connection); + if (ret != SASL_OK) { + fprintf(stderr, "Error in sasl_server_new(): %s\n", + sasl_errstring(ret, NULL, NULL)); + } + + err = NULL; + ret = sasl_checkpass(connection, + fulluser, strlen(fulluser), + passwd, strlen(passwd) +#ifndef SASL2 + , &err +#endif + ); + switch (ret) { + case SASL_OK: + printf("OK\n"); + break; + default: + printf("NO: %d", ret); + switch (ret) { + case SASL_FAIL: + err = "generic failure"; + break; + case SASL_BADAUTH: + err = "authentication failure"; + break; + default: + err = NULL; + break; + } + if (err) { + printf(" (%s)", err); + } + printf("\n"); + break; + } + return ret; +} diff --git a/SOURCES/sasl-mechlist.c b/SOURCES/sasl-mechlist.c new file mode 100644 index 0000000..680e983 --- /dev/null +++ b/SOURCES/sasl-mechlist.c @@ -0,0 +1,99 @@ +#include +#include +#include +#include + +#include "sasl.h" + +static int +my_getopt(void *context, const char *plugin_name, + const char *option, const char **result, unsigned *len) +{ + if (result) { + *result = NULL; +#if 0 + fprintf(stderr, "Getopt plugin=%s%s%s/option=%s%s%s -> ", + plugin_name ? "\"" : "", + plugin_name ? plugin_name : "(null)", + plugin_name ? "\"" : "", + option ? "\"" : "", + option ? option : "(null)", + option ? "\"" : ""); + fprintf(stderr, "'%s'.\n", *result ? *result : ""); +#endif + } + if (len) { + *len = 0; + } + return 0; +} + +int +main(int argc, char **argv) +{ + int ret, i; + const char *mechs, **globals; + sasl_callback_t callbacks[] = { + {SASL_CB_GETOPT, my_getopt, NULL}, + {SASL_CB_LIST_END}, + }; + sasl_conn_t *connection; + char hostname[512]; + + if ((argc > 1) && (argv[1][0] == '-')) { + fprintf(stderr, "Usage: %s [appname [hostname] ]\n", argv[0]); + return 0; + } + + ret = sasl_server_init(callbacks, argc > 1 ? argv[1] : "sasl-mechlist"); + if (ret != SASL_OK) { + fprintf(stderr, "Error in sasl_server_init(): %s\n", + sasl_errstring(ret, NULL, NULL)); + } + + connection = NULL; + strcpy(hostname, "localhost"); + gethostname(hostname, sizeof(hostname)); + ret = sasl_server_new(argc > 2 ? argv[2] : "host", + hostname, + NULL, + NULL, + NULL, + callbacks, + 0, + &connection); + if (ret != SASL_OK) { + fprintf(stderr, "Error in sasl_server_new(): %s\n", + sasl_errstring(ret, NULL, NULL)); + } + + ret = sasl_listmech(connection, + getenv("USER") ? getenv("USER") : "root", + "Available mechanisms: ", + ",", + "\n", + &mechs, + NULL, + NULL); + if (ret != SASL_OK) { + fprintf(stderr, "Error in sasl_listmechs(): %s\n", + sasl_errstring(ret, NULL, NULL)); + } else { + fprintf(stdout, "%s", mechs); + } + + globals = sasl_global_listmech(); + for (i = 0; (globals != NULL) && (globals[i] != NULL); i++) { + if (i == 0) { + fprintf(stdout, "Library supports: "); + } + fprintf(stdout, "%s", globals[i]); + if (globals[i + 1] != NULL) { + fprintf(stdout, ","); + } else { + fprintf(stdout, "\n"); + } + } + + return 0; +} diff --git a/SOURCES/saslauthd.service b/SOURCES/saslauthd.service new file mode 100644 index 0000000..f59ab3e --- /dev/null +++ b/SOURCES/saslauthd.service @@ -0,0 +1,13 @@ +[Unit] +Description=SASL authentication daemon. +After=syslog.target + +[Service] +Type=forking +PIDFile=/run/saslauthd/saslauthd.pid +EnvironmentFile=/etc/sysconfig/saslauthd +ExecStart=/usr/sbin/saslauthd -m $SOCKETDIR -a $MECH $FLAGS +RuntimeDirectory=saslauthd + +[Install] +WantedBy=multi-user.target diff --git a/SOURCES/saslauthd.sysconfig b/SOURCES/saslauthd.sysconfig new file mode 100644 index 0000000..5413c36 --- /dev/null +++ b/SOURCES/saslauthd.sysconfig @@ -0,0 +1,11 @@ +# Directory in which to place saslauthd's listening socket, pid file, and so +# on. This directory must already exist. +SOCKETDIR=/run/saslauthd + +# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list +# of which mechanism your installation was compiled with the ablity to use. +MECH=pam + +# Additional flags to pass to saslauthd on the command line. See saslauthd(8) +# for the list of accepted flags. +FLAGS= diff --git a/SPECS/cyrus-sasl.spec b/SPECS/cyrus-sasl.spec new file mode 100644 index 0000000..30c6bbf --- /dev/null +++ b/SPECS/cyrus-sasl.spec @@ -0,0 +1,1120 @@ +%define username saslauth +%define hint Saslauthd user +%define homedir /run/saslauthd + +%define _plugindir2 %{_libdir}/sasl2 +%define bootstrap_cyrus_sasl 0 + +%global _performance_build 1 + +Summary: The Cyrus SASL library +Name: cyrus-sasl +Version: 2.1.26 +Release: 23%{?dist} +License: BSD with advertising +Group: System Environment/Libraries +# Source0 originally comes from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/; +# make-no-dlcompatorsrp-tarball.sh removes the "dlcompat" subdirectory and builds a +# new tarball. +Source0: cyrus-sasl-%{version}-nodlcompatorsrp.tar.gz +Source5: saslauthd.service +Source7: sasl-mechlist.c +Source8: sasl-checkpass.c +Source9: saslauthd.sysconfig +Source10: make-no-dlcompatorsrp-tarball.sh +URL: http://asg.web.cmu.edu/sasl/sasl-library.html +Requires: %{name}-lib%{?_isa} = %{version}-%{release} +Patch11: cyrus-sasl-2.1.25-no_rpath.patch +Patch15: cyrus-sasl-2.1.20-saslauthd.conf-path.patch +Patch23: cyrus-sasl-2.1.23-man.patch +Patch24: cyrus-sasl-2.1.21-sizes.patch +Patch31: cyrus-sasl-2.1.22-kerberos4.patch +Patch32: cyrus-sasl-2.1.26-warnings.patch +Patch34: cyrus-sasl-2.1.22-ldap-timeout.patch +# removed due to #759334 +#Patch38: cyrus-sasl-2.1.23-pam_rhosts.patch +Patch42: cyrus-sasl-2.1.26-relro.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=816250 +Patch43: cyrus-sasl-2.1.26-null-crypt.patch +Patch44: cyrus-sasl-2.1.26-release-server_creds.patch +# AM_CONFIG_HEADER is obsolete, use AC_CONFIG_HEADERS instead +Patch45: cyrus-sasl-2.1.26-obsolete-macro.patch +# missing size_t declaration in sasl.h +Patch46: cyrus-sasl-2.1.26-size_t.patch +# disable incorrect check for MkLinux +Patch47: cyrus-sasl-2.1.26-ppc.patch +# detect gsskrb5_register_acceptor_identity macro (#976538) +Patch48: cyrus-sasl-2.1.26-keytab.patch +Patch49: cyrus-sasl-2.1.26-md5global.patch +# improve sql libraries detection (#1029918) +Patch50: cyrus-sasl-2.1.26-sql.patch +# Treat SCRAM-SHA-1/DIGEST-MD5 as more secure than PLAIN (#970718) +Patch51: cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch +# Revert updated GSSAPI flags as in RFC 4752 to restore backward compatibility (#1154566) +Patch52: cyrus-sasl-2.1.26-revert-gssapi-flags.patch +# Document ability to run saslauthd unprivileged (#1188065) +Patch53: cyrus-sasl-2.1.26-saslauthd-user.patch +# Support non-confidentiality/non-integrity requests from AIX SASL GSSAPI implementation (#1174322) +Patch54: cyrus-sasl-2.1.26-gssapi-non-encrypt.patch +# Update client library to be thread safe (#1147659) +Patch55: cyrus-sasl-2.1.26-make-client-thread-sage.patch +# Parsing short prefix matches the whole mechanism name (#1089267) +Patch56: cyrus-sasl-2.1.26-handle-single-character-mechanisms.patch +# Fix confusing message when config file has typo (#1022479) +Patch57: cyrus-sasl-2.1.26-error-message-when-config-has-typo.patch +# GSSAPI: Use per-connection mutex where possible (#1263017) +Patch58: cyrus-sasl-2.1.26-gssapi-use-per-connection-mutex.patch +# GSS-SPNEGO compatible with Windows clients (#1421663) +Patch59: cyrus-sasl-2.1.26-gss-spnego.patch +# Allow cyrus sasl to get the ssf from gssapi (#1431586) +Patch60: cyrus-sasl-2.1.26-gss-ssf.patch + +Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +BuildRequires: autoconf, automake, libtool, gdbm-devel, groff +BuildRequires: krb5-devel >= 1.2.2, openssl-devel, pam-devel, pkgconfig +BuildRequires: mysql-devel, postgresql-devel, zlib-devel +BuildRequires: libdb-devel +%if ! %{bootstrap_cyrus_sasl} +BuildRequires: openldap-devel +%endif +Requires(post): chkconfig, /sbin/service systemd-units +Requires(pre): /usr/sbin/useradd /usr/sbin/groupadd systemd-units +Requires(postun): /usr/sbin/userdel /usr/sbin/groupdel systemd-units +Requires: /sbin/nologin +Requires: systemd >= 219 +Provides: user(%username) +Provides: group(%username) + + +%description +The %{name} package contains the Cyrus implementation of SASL. +SASL is the Simple Authentication and Security Layer, a method for +adding authentication support to connection-based protocols. + +%package lib +Group: System Environment/Libraries +Summary: Shared libraries needed by applications which use Cyrus SASL + +%description lib +The %{name}-lib package contains shared libraries which are needed by +applications which use the Cyrus SASL library. + +%package devel +Requires: %{name}-lib%{?_isa} = %{version}-%{release} +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: pkgconfig +Group: Development/Libraries +Summary: Files needed for developing applications with Cyrus SASL + +%description devel +The %{name}-devel package contains files needed for developing and +compiling applications which use the Cyrus SASL library. + +%package gssapi +Requires: %{name}-lib%{?_isa} = %{version}-%{release} +Group: System Environment/Libraries +Summary: GSSAPI authentication support for Cyrus SASL + +%description gssapi +The %{name}-gssapi package contains the Cyrus SASL plugins which +support GSSAPI authentication. GSSAPI is commonly used for Kerberos +authentication. + +%package plain +Requires: %{name}-lib%{?_isa} = %{version}-%{release} +Group: System Environment/Libraries +Summary: PLAIN and LOGIN authentication support for Cyrus SASL + +%description plain +The %{name}-plain package contains the Cyrus SASL plugins which support +PLAIN and LOGIN authentication schemes. + +%package md5 +Requires: %{name}-lib%{?_isa} = %{version}-%{release} +Group: System Environment/Libraries +Summary: CRAM-MD5 and DIGEST-MD5 authentication support for Cyrus SASL + +%description md5 +The %{name}-md5 package contains the Cyrus SASL plugins which support +CRAM-MD5 and DIGEST-MD5 authentication schemes. + +%package ntlm +Requires: %{name}-lib%{?_isa} = %{version}-%{release} +Group: System Environment/Libraries +Summary: NTLM authentication support for Cyrus SASL + +%description ntlm +The %{name}-ntlm package contains the Cyrus SASL plugin which supports +the NTLM authentication scheme. + +# This would more appropriately be named cyrus-sasl-auxprop-sql. +%package sql +Requires: %{name}-lib%{?_isa} = %{version}-%{release} +Group: System Environment/Libraries +Summary: SQL auxprop support for Cyrus SASL + +%description sql +The %{name}-sql package contains the Cyrus SASL plugin which supports +using a RDBMS for storing shared secrets. + +%if ! %{bootstrap_cyrus_sasl} +# This was *almost* named cyrus-sasl-auxprop-ldapdb, but that's a lot of typing. +%package ldap +Requires: %{name}-lib%{?_isa} = %{version}-%{release} +Group: System Environment/Libraries +Summary: LDAP auxprop support for Cyrus SASL + +%description ldap +The %{name}-ldap package contains the Cyrus SASL plugin which supports using +a directory server, accessed using LDAP, for storing shared secrets. +%endif + +%package scram +Requires: %{name}-lib%{?_isa} = %{version}-%{release} +Group: System Environment/Libraries +Summary: SCRAM auxprop support for Cyrus SASL + +%description scram +The %{name}-scram package contains the Cyrus SASL plugin which supports +the SCRAM authentication scheme. + +%package gs2 +Requires: %{name}-lib%{?_isa} = %{version}-%{release} +Group: System Environment/Libraries +Summary: GS2 support for Cyrus SASL + +%description gs2 +The %{name}-gs2 package contains the Cyrus SASL plugin which supports +the GS2 authentication scheme. + +### + + +%prep +%setup -q +chmod -x doc/*.html +chmod -x include/*.h +%patch11 -p1 -b .no_rpath +%patch15 -p1 -b .path +%patch23 -p1 -b .man +%patch24 -p1 -b .sizes +%patch31 -p1 -b .krb4 +%patch32 -p1 -b .warnings +%patch34 -p1 -b .ldap-timeout +%patch42 -p1 -b .relro +%patch43 -p1 -b .null-crypt +%patch44 -p1 -b .release-server_creds +%patch45 -p1 -b .obsolete-macro +%patch46 -p1 -b .size_t +%patch47 -p1 -b .ppc +%patch48 -p1 -b .keytab +%patch49 -p1 -b .md5global.h +%patch50 -p1 -b .sql +%patch51 -p1 -b .sha1vsplain +%patch52 -p1 -b .revert +%patch53 -p1 -b .man-unprivileged +%patch54 -p1 -b .gssapi_non_encrypt +%patch55 -p1 -b .threads +%patch56 -p1 -b .prefix +%patch57 -p1 -b .typo +%patch58 -p1 -b .mutex +%patch59 -p1 -b .spnego +%patch60 -p1 -b .ssf + + +%build +# Find Kerberos. +krb5_prefix=`krb5-config --prefix` +if test x$krb5_prefix = x%{_prefix} ; then + krb5_prefix= +else + CPPFLAGS="-I${krb5_prefix}/include $CPPFLAGS"; export CPPFLAGS + LDFLAGS="-L${krb5_prefix}/%{_lib} $LDFLAGS"; export LDFLAGS +fi + +# Find OpenSSL. +LIBS="-lcrypt"; export LIBS +if pkg-config openssl ; then + CPPFLAGS="`pkg-config --cflags-only-I openssl` $CPPFLAGS"; export CPPFLAGS + LDFLAGS="`pkg-config --libs-only-L openssl` $LDFLAGS"; export LDFLAGS +fi + +# Find the MySQL libraries used needed by the SQL auxprop plugin. +INC_DIR="`mysql_config --include`" +if test x"$INC_DIR" != "x-I%{_includedir}"; then + CPPFLAGS="$INC_DIR $CPPFLAGS"; export CPPFLAGS +fi +LIB_DIR="`mysql_config --libs | sed -e 's,-[^L][^ ]*,,g' -e 's,^ *,,' -e 's, *$,,' -e 's, *, ,g'`" +if test x"$LIB_DIR" != "x-L%{_libdir}"; then + LDFLAGS="$LIB_DIR $LDFLAGS"; export LDFLAGS +fi + +# Find the PostgreSQL libraries used needed by the SQL auxprop plugin. +INC_DIR="-I`pg_config --includedir`" +if test x"$INC_DIR" != "x-I%{_includedir}"; then + CPPFLAGS="$INC_DIR $CPPFLAGS"; export CPPFLAGS +fi +LIB_DIR="-L`pg_config --libdir`" +if test x"$LIB_DIR" != "x-L%{_libdir}"; then + LDFLAGS="$LIB_DIR $LDFLAGS"; export LDFLAGS +fi + +CFLAGS="$RPM_OPT_FLAGS $CFLAGS $CPPFLAGS -fPIE"; export CFLAGS +LDFLAGS="$LDFLAGS -pie -Wl,-z,now"; export LDFLAGS + +echo "$CFLAGS" +echo "$CPPFLAGS" +echo "$LDFLAGS" + +%configure \ + --enable-shared --disable-static \ + --disable-java \ + --with-plugindir=%{_plugindir2} \ + --with-configdir=%{_plugindir2}:%{_sysconfdir}/sasl2 \ + --disable-krb4 \ + --enable-gssapi${krb5_prefix:+=${krb5_prefix}} \ + --with-gss_impl=mit \ + --with-rc4 \ + --with-dblib=berkeley \ + --with-bdb=db \ + --with-saslauthd=/run/saslauthd --without-pwcheck \ +%if ! %{bootstrap_cyrus_sasl} + --with-ldap \ +%endif + --with-devrandom=/dev/urandom \ + --enable-anon \ + --enable-cram \ + --enable-digest \ + --enable-ntlm \ + --enable-plain \ + --enable-login \ + --enable-alwaystrue \ + --enable-httpform \ + --disable-otp \ +%if ! %{bootstrap_cyrus_sasl} + --enable-ldapdb \ +%endif + --enable-sql --with-mysql=yes --with-pgsql=yes \ + --without-sqlite \ + "$@" + # --enable-auth-sasldb -- EXPERIMENTAL +make sasldir=%{_plugindir2} +make -C saslauthd testsaslauthd +make -C sample + +# Build a small program to list the available mechanisms, because I need it. +pushd lib +../libtool --mode=link %{__cc} -o sasl2-shared-mechlist -I../include $CFLAGS %{SOURCE7} $LDFLAGS ./libsasl2.la + + +%install +test "$RPM_BUILD_ROOT" != "/" && rm -rf $RPM_BUILD_ROOT + +make install DESTDIR=$RPM_BUILD_ROOT sasldir=%{_plugindir2} +make install DESTDIR=$RPM_BUILD_ROOT sasldir=%{_plugindir2} -C plugins + +install -m755 -d $RPM_BUILD_ROOT%{_bindir} +./libtool --mode=install \ +install -m755 sample/client $RPM_BUILD_ROOT%{_bindir}/sasl2-sample-client +./libtool --mode=install \ +install -m755 sample/server $RPM_BUILD_ROOT%{_bindir}/sasl2-sample-server +./libtool --mode=install \ +install -m755 saslauthd/testsaslauthd $RPM_BUILD_ROOT%{_sbindir}/testsaslauthd + +# Install the saslauthd mdoc page in the expected location. Sure, it's not +# really a man page, but groff seems to be able to cope with it. +install -m755 -d $RPM_BUILD_ROOT%{_mandir}/man8/ +install -m644 -p saslauthd/saslauthd.mdoc $RPM_BUILD_ROOT%{_mandir}/man8/saslauthd.8 +install -m644 -p saslauthd/testsaslauthd.8 $RPM_BUILD_ROOT%{_mandir}/man8/testsaslauthd.8 + +# Install the init script for saslauthd and the init script's config file. +install -m755 -d $RPM_BUILD_ROOT/etc/rc.d/init.d $RPM_BUILD_ROOT/etc/sysconfig +install -d -m755 $RPM_BUILD_ROOT/%{_unitdir} +install -m644 -p %{SOURCE5} $RPM_BUILD_ROOT/%{_unitdir}/saslauthd.service +install -m644 -p %{SOURCE9} $RPM_BUILD_ROOT/etc/sysconfig/saslauthd + +# Install the config dirs if they're not already there. +install -m755 -d $RPM_BUILD_ROOT/%{_sysconfdir}/sasl2 +install -m755 -d $RPM_BUILD_ROOT/%{_plugindir2} + +# Provide an easy way to query the list of available mechanisms. +./libtool --mode=install \ +install -m755 lib/sasl2-shared-mechlist $RPM_BUILD_ROOT/%{_sbindir}/ + +# Remove unpackaged files from the buildroot. +rm -f $RPM_BUILD_ROOT%{_libdir}/sasl2/libotp.* +rm -f $RPM_BUILD_ROOT%{_libdir}/sasl2/*.a +rm -f $RPM_BUILD_ROOT%{_libdir}/sasl2/*.la +rm -f $RPM_BUILD_ROOT%{_libdir}/*.la +rm -f $RPM_BUILD_ROOT%{_mandir}/cat8/saslauthd.8 + + +%clean +test "$RPM_BUILD_ROOT" != "/" && rm -rf $RPM_BUILD_ROOT + +%pre +getent group %{username} >/dev/null || groupadd -g 76 -r %{username} +getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir} -s /sbin/nologin -c "%{hint}" %{username} + +%post +%systemd_post saslauthd.service + +%preun +%systemd_preun saslauthd.service + +%postun +%systemd_postun_with_restart saslauthd.service + +%triggerun -n cyrus-sasl -- cyrus-sasl < 2.1.23-32 +/usr/bin/systemd-sysv-convert --save saslauthd >/dev/null 2>&1 || : +/sbin/chkconfig --del saslauthd >/dev/null 2>&1 || : +/bin/systemctl try-restart saslauthd.service >/dev/null 2>&1 || : + +%post lib -p /sbin/ldconfig +%postun lib -p /sbin/ldconfig + +%files +%defattr(-,root,root) +%doc saslauthd/LDAP_SASLAUTHD +%{_mandir}/man8/* +%{_sbindir}/pluginviewer +%{_sbindir}/saslauthd +%{_sbindir}/testsaslauthd +%config(noreplace) /etc/sysconfig/saslauthd +%{_unitdir}/saslauthd.service +%ghost /run/saslauthd + +%files lib +%defattr(-,root,root) +%doc AUTHORS COPYING NEWS README doc/*.html +%{_libdir}/libsasl*.so.* +%dir %{_sysconfdir}/sasl2 +%dir %{_plugindir2}/ +%{_plugindir2}/*anonymous*.so* +%{_plugindir2}/*sasldb*.so* +%{_sbindir}/saslpasswd2 +%{_sbindir}/sasldblistusers2 + +%files plain +%defattr(-,root,root) +%{_plugindir2}/*plain*.so* +%{_plugindir2}/*login*.so* + +%if ! %{bootstrap_cyrus_sasl} +%files ldap +%defattr(-,root,root) +%{_plugindir2}/*ldapdb*.so* +%endif + +%files md5 +%defattr(-,root,root) +%{_plugindir2}/*crammd5*.so* +%{_plugindir2}/*digestmd5*.so* + +%files ntlm +%defattr(-,root,root) +%{_plugindir2}/*ntlm*.so* + +%files sql +%defattr(-,root,root) +%{_plugindir2}/*sql*.so* + +%files gssapi +%defattr(-,root,root) +%{_plugindir2}/*gssapi*.so* + +%files scram +%defattr(-,root,root) +%{_plugindir2}/libscram.so* + +%files gs2 +%defattr(-,root,root) +%{_plugindir2}/libgs2.so* + +%files devel +%defattr(-,root,root) +%doc doc/*.txt +%{_bindir}/sasl2-sample-client +%{_bindir}/sasl2-sample-server +%{_includedir}/* +%{_libdir}/libsasl*.*so +%{_libdir}/pkgconfig/*.pc +%{_mandir}/man3/* +%{_sbindir}/sasl2-shared-mechlist + +%changelog +* Wed Nov 22 2017 Jakub Jelen - 2.1.26-23 +- Avoid undefined symbols on s390x (#1516193) + +* Thu Sep 21 2017 Jakub Jelen - 2.1.26-22 +- Allow cyrus sasl to get the ssf from gssapi (#1431586) + +* Mon Mar 06 2017 Jakub Jelen - 2.1.26-21 +- support proper SASL GSS-SPNEGO (#1421663) + +* Fri Dec 04 2015 Jakub Jelen 2.1.26-20 +- GSSAPI: Use per-connection mutex where possible (#1263017) + +* Thu Jul 16 2015 Jakub Jelen 2.1.26-19.2 +- Revert tmpfiles.d and use new systemd feature RuntimeDirectory (#1188065) + +* Wed May 20 2015 Jakub Jelen 2.1.26-18 +- Revert updated GSSAPI flags as in RFC 4752 to restore backward compatibility (#1154566) +- Add and document ability to run saslauth as non-root user (#1188065) +- Support AIX SASL GSSAPI (#1174322) +- Update client library to be thread safe (#1147659) +- Fix problem, that parsing short prefix matches the whole mechanism name (#1089267) +- Don't use unnecessary quotes around user description (#1082564) +- Fix confusing message when config file has typo (#1022479) + +* Fri Jan 24 2014 Daniel Mach - 2.1.26-17 +- Mass rebuild 2014-01-24 + +* Wed Jan 15 2014 Honza Horak - 2.1.26-16 +- Rebuild for mariadb-libs + Related: #1045013 + +* Tue Jan 14 2014 Petr Lautrbach 2.1.26-15 +- compile cyrus-sasl with -O3 on ppc64 (#1051063) + +* Fri Dec 27 2013 Daniel Mach - 2.1.26-14 +- Mass rebuild 2013-12-27 + +* Tue Nov 19 2013 Petr Lautrbach 2.1.26-13 +- Treat SCRAM-SHA-1/DIGEST-MD5 as more secure than PLAIN (#970718) + +* Tue Oct 01 2013 Petr Lautrbach 2.1.26-12.1 +- rebuild for https://bugzilla.redhat.com/show_bug.cgi?id=1002625 + +* Mon Sep 09 2013 Petr Lautrbach 2.1.26-11 +- build with RPM_OPT_FLAGS (#1005535) + +* Tue Sep 03 2013 Petr Lautrbach 2.1.26-10 +- fix hardening for /usr/sbin/saslauthd +- add testsaslauthd.8 man page to the package +- use static md5global.h file + +* Mon Jun 24 2013 Petr Lautrbach 2.1.26-9 +- detect gsskrb5_register_acceptor_identity macro (#976538) + +* Tue Jun 04 2013 Karsten Hopp 2.1.26-8 +- disable incorrect check for MkLinux to allow building with shared libraries on PPC + +* Tue May 21 2013 Petr Lautrbach 2.1.26-7 +- fix the spec file in order to build the cyrus-sasl-sql plugin + with support for PostgreSQL and MySQL + +* Thu Feb 21 2013 Petr Lautrbach 2.1.26-6 +- don't include system sasl2 library needed for rebuilds after rebase + +* Mon Feb 11 2013 Petr Lautrbach 2.1.26-5 +- enable full relro and PIE compiler flags for saslauthd + +* Fri Feb 01 2013 Petr Lautrbach 2.1.26-4 +- fix library symlinks + +* Thu Jan 31 2013 Rex Dieter 2.1.26-3 +- actually apply size_t patch (#906519) + +* Thu Jan 31 2013 Rex Dieter 2.1.26-2 +- sasl.h: +#include for missing size_t type (#906519) +- tighten subpkg deps via %%?_isa + +* Thu Dec 20 2012 Petr Lautrbach 2.1.26-1 +- update to 2.1.26 +- fix segfaults in sasl_gss_encode (#886140) + +* Mon Dec 10 2012 Petr Lautrbach 2.1.25-2 +- always use the current external Berkeley DB when linking + +* Fri Dec 07 2012 Petr Lautrbach 2.1.25-1 +- update to 2.1.25 +- add cyrus-sasl-scram and cyrus-sasl-gs2 packages + +* Fri Sep 14 2012 Petr Lautrbach 2.1.23-36 +- replace scriptlets with systemd macros (#856666) + +* Wed Jul 18 2012 Fedora Release Engineering - 2.1.23-35 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Tue Jul 17 2012 Petr Lautrbach 2.1.23-34 +- move /etc/tmpfiles.d/saslauthd.conf to /usr/lib/tmpfiles.d/saslauthd.conf (#840193) + +* Wed Jun 20 2012 Petr Lautrbach 2.1.23-33 +- properly deal with crypt() returning NULL (#816250) +- use fixed gid 76 for saslauth + +* Mon Apr 16 2012 Jindrich Novy 2.1.23-32 +- re-enable libdb support and utilities + +* Wed Apr 04 2012 Jindrich Novy 2.1.23-31 +- temporarily disable libdb support to resolve cyrus-sasl + chicken and egg build problem against libdb + +* Tue Apr 03 2012 Jindrich Novy 2.1.23-30 +- rebuild against new libdb + +* Wed Feb 08 2012 Petr Lautrbach 2.1.23-29 +- Change saslauth user homedir to /run/saslauthd (#752889) +- Change all /var/run/ to /run/ +- DAEMONOPTS are not supported any more in systemd units + +* Mon Jan 09 2012 Jeroen van Meeuwen - 2.1.23-28 +- Ship with sasl_pwcheck_method: alwaystrue + +* Mon Dec 12 2011 Petr Lautrbach 2.1.23-27 +- remove support for logging of the remote host via PAM (#759334) +- fix systemd files (#750436) + +* Wed Aug 10 2011 Jan F. Chadima - 2.1.23-26 +- Add partial relro support for libraries + +* Mon Jul 25 2011 Jan F. Chadima - 2.1.23-25 +- Add support for berkeley db 5 + +* Wed Jun 29 2011 Jan F. Chadima - 2.1.23-23 +- Migrate the package to full native systemd unit files, according to the Fedora + packaging guidelines. + +* Wed Jun 1 2011 Jan F. Chadima - 2.1.23-22 +- repair rimap support (more packets in response) + +* Wed May 25 2011 Jan F. Chadima - 2.1.23-21 +- repair ntlm support + +* Mon May 23 2011 Jan F. Chadima - 2.1.23-20 +- add logging of the remote host via PAM + +* Thu Apr 28 2011 Jan F. Chadima - 2.1.23-19 +- temporarilly revert systemd units + +* Tue Apr 26 2011 Jan F. Chadima - 2.1.23-18 +- update scriptlets + +* Fri Apr 22 2011 Jan F. Chadima - 2.1.23-17 +- Add systemd units + +* Wed Mar 23 2011 Tomas Mraz - 2.1.23-16 +- Rebuilt with new mysqlclient + +* Fri Feb 25 2011 Jan F. Chadima - 2.1.23-15 +- set correct license tag +- add ghost to /var/run/saslauthd + +* Tue Feb 08 2011 Fedora Release Engineering - 2.1.23-14 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Fri Apr 9 2010 Jan F. Chadima - 2.1.23-13 +- Add /etc/tmpfiles.d element (#662734) + +* Fri Apr 9 2010 Jan F. Chadima - 2.1.23-12 +- Update init script to impeach pid file + +* Thu Mar 11 2010 Jan F. Chadima - 2.1.23-11 +- Update pre post preun and postun scripts (#572399) + +* Wed Mar 10 2010 Jan F. Chadima - 2.1.23-10 +- Rewrite spec file, make corect CFLAGS, CPPFLAGS and LDFLAGS + +* Mon Feb 22 2010 Jan F. Chadima - 2.1.23-9 +- solve race condition (#566875) + +* Wed Feb 17 2010 Stepan Kasal - 2.1.23-8 +- improve m4 quoting to fix saslauthd/configure (#566088) +- call autotools in build, not in prep + +* Fri Feb 5 2010 Jan F. Chadima - 2.1.23-7 +- Add man page to testtcpauthd (#526189) + +* Fri Oct 16 2009 Jan F. Chadima - 2.1.23-6 +- Create the saslauth user according to fedora packaging guide + +* Thu Sep 24 2009 Jan F. Chadima - 2.1.23-5 +- Repair initscript to make condrestart working properly (#522103) + +* Wed Sep 23 2009 Jan F. Chadima - 2.1.23-3 +- Add possibility to run the saslauth without root privilegies (#185614) + +* Fri Aug 21 2009 Tomas Mraz - 2.1.23-2 +- rebuilt with new openssl + +* Fri Aug 7 2009 Jan F. Chadima - 2.1.23-1 +- update to 2.1.23 + +* Fri Jul 24 2009 Fedora Release Engineering - 2.1.22-25 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Mon May 11 2009 Jan F. Chadima - 2.1.22-24 +- repair sasl_encode64 nul termination (#487251) + +* Thu Apr 16 2009 Robert Scheck - 2.1.22-23 +- Don't build the krb4 plugin as krb5 1.7 will drop it (#225974 #c6) + +* Tue Feb 24 2009 Fedora Release Engineering - 2.1.22-22 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Fri Feb 6 2009 Tomas Mraz - 2.1.22-21 +- fix build with gcc-4.4 + +* Fri Jan 23 2009 Tomas Mraz - 2.1.22-20 +- set LDAP_OPT_TIMEOUT (#326452) +- provide LSB compatible init script (#246900) + +* Fri Sep 26 2008 Tomas Mraz - 2.1.22-19 +- always use the current external db4 when linking, + thanks to Dan Horak for the original patch (#464098) + +* Wed Sep 10 2008 Tomas Mraz - 2.1.22-18 +- fix most critical build warnings (#433583) +- use external db4 + +* Fri Aug 29 2008 Tomas Mraz - 2.1.22-17 +- always link against the internal db4 (#459163) +- rediff patches for no fuzz + +* Wed Jul 9 2008 Tomas Mraz - 2.1.22-16 +- update internal db4 (#449737) + +* Tue Jul 1 2008 Tomas Mraz - 2.1.22-15 +- drop reload from initscript help (#448154) +- fix hang in rimap auth method (#438533) +- build the krb4 plugin (#154675) + +* Fri May 23 2008 Dennis Gilmore - 2.1.22-14 +- make it so that bootstrap actually works + +* Thu May 22 2008 Tom "spot" Callaway - 2.1.22-13.1 +- minor release bump for sparc rebuild + +* Tue Feb 19 2008 Fedora Release Engineering - 2.1.22-13 +- Autorebuild for GCC 4.3 + +* Thu Feb 14 2008 Steve Conklin - 2.1.22-12 +- rebuild for gcc4.3 + +* Fri Jan 25 2008 Steve Conklin - 2.1.22-11 +- Cleanup after merge review bz #225673 +- no longer mark /etc/rc.d/init.d/saslauthd as config file +- removed -x permissions on include files +- added devel package dependency on cyrus-sasl +- removed some remaining .la files that were being delivered + +* Wed Dec 05 2007 Release Engineering - 2.1.22-10 + - Rebuild for deps + +* Wed Nov 7 2007 Steve Conklin - 2.1.22-9 +- Fixed a typo in the spec file + +* Wed Nov 7 2007 Steve Conklin - 2.1.22-8 +- Removed srp plugin source and added dist to NVR + +* Tue Sep 18 2007 Steve Conklin 2.1.22-7 +- use db4 version 4.6.19 bz#249737 + +* Mon Feb 26 2007 Nalin Dahyabhai 2.1.22-6 +- install config files and init scripts using -p +- pull in patch to build with current automake (#229010, Jacek Konieczny + and Robert Scheck) +- remove prereq on ldconfig, RPM should pick it up based on the -libs + scriptlets +- pull in patch to correctly detect gsskrb5_register_acceptor_identity + (#200892, Mirko Streckenbach) +- move sasldb auxprop modules into the -lib subpackage, so that we'll pick + it up for multilib systems + +* Thu Feb 22 2007 Nalin Dahyabhai +- pull CVS fix for not tripping over extra commas in digest-md5 + challenges (#229640) + +* Fri Feb 16 2007 Nalin Dahyabhai +- remove static build, which is no longer a useful option because not all of + our dependencies are available as static libraries +- drop patches which were needed to keep static builds going +- drop gssapi-generic patch due to lack of interest +- update the bundled copy of db to 4.5.20 (#229012) +- drop dbconverter-2, as we haven't bundled v1 libraries since FC4 + +* Tue Dec 5 2006 Nalin Dahyabhai 2.1.22-5 +- rebuild +- add 'authentication' or 'auxprop' to summaries for plugin packages to + better indicate what the plugin provides +- switch from automake 1.9 to automake 1.7 + +* Fri Sep 29 2006 Nalin Dahyabhai 2.1.22-4 +- rebuild without 'dlcompat' bits (#206119) + +* Mon Jul 17 2006 Nalin Dahyabhai 2.1.22-3 +- rebuild + +* Tue Jun 20 2006 Nalin Dahyabhai 2.1.22-2 +- fix a typo in sasl_client_start(3) (#196066) + +* Mon May 22 2006 Nalin Dahyabhai 2.1.22-1 +- update to 2.1.22, adding pluginviewer to %%{_sbindir} + +* Tue May 16 2006 Nalin Dahyabhai 2.1.21-12 +- add conditionalized build dependency on openldap-devel (#191855) +- patch md5global.h to be the same on all architectures + +* Thu Apr 27 2006 Nalin Dahyabhai 2.1.21-11 +- add unapplied patch which makes the DIGEST-MD5 plugin omit the realm + argument when the environment has $CYRUS_SASL_DIGEST_MD5_OMIT_REALM set to a + non-zero value, for testing purposes +- add missing buildrequires on zlib-devel (#190113) + +* Mon Feb 20 2006 Nalin Dahyabhai 2.1.21-10 +- add missing buildrequires on gdbm-devel (Karsten Hopp) + +* Fri Feb 10 2006 Jesse Keating - 2.1.21-9.2 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Jesse Keating - 2.1.21-9.1 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Mon Dec 19 2005 Nalin Dahyabhai 2.1.21-9 +- use --as-needed to avoid linking dbconverter-2 with SQL libraries, which + it doesn't use because it manipulates files directly (#173321) + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Mon Nov 14 2005 Nalin Dahyabhai 2.1.21-8 +- rebuild with new OpenLDAP, overriding the version checks to assume that + 2.3.11 is acceptable +- remove a lingering patch for 1.x which we no longer use + +* Sat Nov 12 2005 Tom Lane 2.1.21-7 +- Rebuild due to mysql update. + +* Tue Nov 8 2005 Tomas Mraz 2.1.21-6 +- rebuilt with new openssl + +* Fri Sep 9 2005 Nalin Dahyabhai 2.1.21-5 +- add missing buildrequires: on groff (#163032) + +* Thu Sep 1 2005 Nalin Dahyabhai 2.1.21-4 +- move the ldapdb auxprop support into a subpackage (#167300) + (note: the ldap password check support in saslauthd doesn't use auxprop) + +* Tue Aug 30 2005 Nalin Dahyabhai 2.1.21-3 +- correct a use of uninitialized memory in the bundled libdb (Arjan van de Ven) + +* Mon Aug 29 2005 Nalin Dahyabhai 2.1.21-2 +- move the ANONYMOUS mech plugin to the -lib subpackage so that multilib + systems can use it without installing the main package +- build the static libraries without sql auxprop support + +* Mon Aug 29 2005 Nalin Dahyabhai 2.1.21-1 +- update to 2.1.21 +- turn off compilation of libsasl v1 (finally) +- explicitly disable sqlite to avoid the build warning +- change the default mechanism which is set for saslauthd from "shadow" to + "pam" (#159194) +- split the shared library up from saslauthd so that multilib systems don't + have to pull in every dependency of saslauthd for the compat arch (#166749) + +* Wed Apr 13 2005 Nalin Dahyabhai 2.1.20-5 +- rebuild with new deps + +* Tue Mar 1 2005 Nalin Dahyabhai 2.1.20-4 +- rebuild with new deps + +* Thu Nov 11 2004 Jeff Johnson 2.1.20-3 +- rebuild against db-4.3.21. + +* Thu Nov 11 2004 Nalin Dahyabhai 2.1.20-2 +- build with mysql-devel instead of mysqlclient10 + +* Mon Nov 1 2004 Nalin Dahyabhai 2.1.20-1 +- build with mysqlclient10 instead of mysql-devel + +* Wed Oct 27 2004 Nalin Dahyabhai 2.1.20-0 +- update to 2.1.20, including the fix for CAN-2004-0884 + +* Tue Oct 5 2004 Nalin Dahyabhai 2.1.19-3 +- use notting's fix for incorrect patch for CAN-2004-0884 for 1.5.28 + +* Tue Oct 5 2004 Nalin Dahyabhai 2.1.19-2 +- don't trust the environment in setuid/setgid contexts (CAN-2004-0884, #134660) + +* Thu Aug 19 2004 Nalin Dahyabhai 2.1.19-1 +- rebuild (the 2.1.19 changelog for fixing a buffer overflow referred to a CVS + revision between 2.1.18 and 2.1.19) + +* Mon Jul 19 2004 Nalin Dahyabhai 2.1.19-0 +- update to 2.1.19, maybe for update + +* Tue Jun 15 2004 Elliot Lee +- rebuilt + +* Mon Jun 7 2004 Nalin Dahyabhai 2.1.18-4 +- enable sql auxprop support in a subpackage +- include LDAP_SASLAUTHD documentation file (#124830) + +* Fri Jun 4 2004 Nalin Dahyabhai +- turn on ntlm in a subpackage + +* Thu May 13 2004 Thomas Woerner 2.1.18-3 +- removed rpath + +* Tue Mar 16 2004 Nalin Dahyabhai 2.1.18-2 +- turn on building of libsasl v1 again + +* Fri Mar 12 2004 Nalin Dahyabhai 2.1.18-1 +- update to 2.1.18 +- saslauthd's ldap code is no longer marked experimental, so we build it + +* Mon Mar 8 2004 Nalin Dahyabhai 2.1.17-4 +- rebuild + +* Tue Mar 02 2004 Elliot Lee +- rebuilt + +* Fri Feb 13 2004 Elliot Lee +- rebuilt + +* Tue Feb 3 2004 Nalin Dahyabhai 2.1.17-2 +- include default /etc/sysconfig/saslauthd configuration file for the init + script (#114868) + +* Thu Jan 29 2004 Nalin Dahyabhai +- drop saslauthd_version patch for libsasl2 + +* Thu Jan 29 2004 Nalin Dahyabhai +- add a saslauthd_version option to libsasl's saslauthd client and teach it to + do the right thing +- enable the saslauthd client code in libsasl version 1 (it's still going away!) +- add saslauthd1-checkpass/saslauthd2-checkpass for testing the above change + +* Wed Jan 7 2004 Nalin Dahyabhai 2.1.17-1 +- forcibly disable otp and sql plugins at compile-time + +* Fri Dec 19 2003 Nalin Dahyabhai +- update to 2.1.17, forcing the gssapi plugin to be shared now, as before +- use a bundled libdb (#112215) +- build static-with-all-plugins and normal-shared libsasl versions +- add sasl2-{shared,static}-mechlist for very basic sanity checking +- make inclusion of sasl1 stuffs conditional, because it's so going away + +* Sat Dec 13 2003 Jeff Johnson 2.1.15-7 +- rebuild against db-4.2.52. + +* Thu Oct 23 2003 Nalin Dahyabhai 2.1.15-6 +- use /dev/urandom instead of /dev/random for SASL2 (docs indicate that this is + safe if you aren't using OTP or SRP, and we build neither); SASL1 appears to + use it to seed the libc RNG only (#103378) + +* Mon Oct 20 2003 Nalin Dahyabhai +- obey RPM_OPT_FLAGS again when krb5_prefix != %%{_prefix} + +* Fri Oct 17 2003 Nalin Dahyabhai 2.1.15-5 +- install saslauthd's mdoc page instead of the pre-formatted man page, which + would get formatted again + +* Thu Sep 25 2003 Jeff Johnson 2.1.15-5 +- rebuild against db-4.2.42. + +* Mon Sep 15 2003 Nalin Dahyabhai +- include testsaslauthd +- note in the README that the saslauthd protocol is different for v1 and v2, + so v1's clients can't talk to the v2 server + +* Thu Aug 21 2003 Nalin Dahyabhai 2.1.15-4 +- rebuild + +* Thu Aug 21 2003 Nalin Dahyabhai 2.1.15-3 +- add logic to build with gssapi libs in either /usr or /usr/kerberos + +* Mon Jul 21 2003 Nalin Dahyabhai 2.1.15-2 +- rebuild + +* Tue Jul 15 2003 Nalin Dahyabhai 2.1.15-1 +- update to 2.1.15 + +* Mon Jul 14 2003 Nalin Dahyabhai 2.1.14-1 +- update to 2.1.14 + +* Wed Jun 04 2003 Elliot Lee +- rebuilt + +* Fri May 9 2003 Nalin Dahyabhai 2.1.13-3 +- change -m argument to saslauthd to be a directory instead of a path + +* Thu May 8 2003 Nalin Dahyabhai 2.1.13-2 +- link libsasl2 with -lpthread to ensure that the sasldb plug-in can always + be loaded + +* Tue Apr 29 2003 Nalin Dahyabhai 2.1.13-1 +- update to 2.1.13 + +* Wed Jan 22 2003 Tim Powers +- rebuilt + +* Tue Jan 7 2003 Nalin Dahyabhai 2.1.10-3 +- rebuild + +* Thu Dec 12 2002 Nalin Dahyabhai +- consider either des_cbc_encrypt or DES_cbc_encrypt to be sufficient when + searching for a DES implementation in libcrypto +- pull in CPPFLAGS and LDFLAGS from openssl's pkg-config data, if it exists + +* Mon Dec 9 2002 Nalin Dahyabhai 2.1.10-2 +- rebuild + +* Mon Dec 9 2002 Nalin Dahyabhai 2.1.10-1 +- update to 2.1.10, fixing buffer overflows in libsasl2 noted by Timo Sirainen + +* Tue Nov 12 2002 Tim Powers 2.1.7-5 +- remove files from $RPM_BUILD_ROOT that we don't intend to include + +* Wed Oct 9 2002 Nalin Dahyabhai 2.1.7-4 +- update to SASLv1 to final 1.5.28 + +* Fri Sep 13 2002 Nalin Dahyabhai 2.1.7-3 +- rebuild, overriding sasldir when running make so that on multilib systems + applications will be able to load modules for the right arch + +* Mon Sep 2 2002 Nalin Dahyabhai 2.1.7-2 +- include dbconverter-2 (#68741) + +* Fri Aug 9 2002 Nalin Dahyabhai 2.1.7-1 +- update to 2.1.7, fixing a race condition in digest-md5 + +* Wed Jul 17 2002 Nalin Dahyabhai 2.1.6-1 +- update to 2.1.6 and 1.5.28 + +* Fri Jun 21 2002 Tim Powers +- automated rebuild + +* Thu Jun 13 2002 Nalin Dahyabhai 2.1.5-1 +- update to 2.1.5 + +* Mon Jun 10 2002 Nalin Dahyabhai 2.1.4-1 +- update to 2.1.4 + +* Sun May 26 2002 Tim Powers +- automated rebuild + +* Thu May 16 2002 Nalin Dahyabhai 2.1.2-1 +- modify to build with db 4.x + +* Thu Apr 18 2002 Nalin Dahyabhai +- update cyrus-sasl 2 to 2.1.2 +- change buildreq to db3-devel + +* Tue Feb 12 2002 Nalin Dahyabhai 2.1.1-3 +- suppress output to stdout/stderr in %%postun + +* Sun Feb 10 2002 Nalin Dahyabhai 2.1.1-2 +- configure sasldb2 to use berkeley DB instead of gdbm + +* Wed Feb 6 2002 Nalin Dahyabhai 2.1.1-1 +- update to 2.1.1 + +* Thu Jan 31 2002 Nalin Dahyabhai 2.1.0-1 +- marge 1.5.24 back in, making a note that it should be removed at some + point in the future + +* Wed Jan 30 2002 Nalin Dahyabhai +- update to 2.1.0, which is designed to be installed in parallel with cyrus sasl + 1.x, so fork the package and rename it to cyrus-sasl2 +- add the sasldb auxprop plugin to the main package +- add disabled-by-default saslauthd init script +- move the .la files for plugins into their respective packages -- they're + needed by the library + +* Wed Jan 23 2002 Nalin Dahyabhai 1.5.24-24 +- free ride through the build system + +* Fri Nov 2 2001 Nalin Dahyabhai 1.5.24-23 +- patch to fix possible syslog format-string vulnerability + +* Mon Oct 29 2001 Nalin Dahyabhai 1.5.24-22 +- add pam-devel as a buildprereq + +* Wed Aug 29 2001 Nalin Dahyabhai 1.5.24-21 +- include sample programs in the -devel subpackage, prefixing their names + with "sasl-" to reduce future potential naming conflicts + +* Tue Aug 14 2001 Nalin Dahyabhai 1.5.24-20 +- build without -ggdb + +* Fri Aug 3 2001 Nalin Dahyabhai +- add gdbm-devel as a build dependency (#44990) +- split off CRAM-MD5 and DIGEST-MD5 into a subpackage of their own (#43079, + and dialogs with David L. Parsley) + +* Fri Apr 27 2001 Nalin Dahyabhai +- split out the PLAIN and LOGIN mechanisms into their own package (this allows + an administrator to disable them by simply removing the package) + +* Fri Jan 19 2001 Nalin Dahyabhai +- rebuild in new environment + +* Wed Dec 6 2000 Nalin Dahyabhai +- fix gssapi-over-tls + +* Fri Oct 27 2000 Nalin Dahyabhai +- enable static libraries, but always build with -fPIC + +* Wed Oct 25 2000 Nalin Dahyabhai +- make sure the version of 1.5.24 in the package matches the masters (#18968) + +* Mon Oct 9 2000 Nalin Dahyabhai +- re-add the libsasl.so symlink to the -devel package (oops) + +* Fri Oct 6 2000 Nalin Dahyabhai +- move .so files for modules to their respective packages -- they're not -devel + links meant for use by ld anyway + +* Thu Oct 5 2000 Nalin Dahyabhai +- split off -devel subpackage +- add a -gssapi subpackage for the gssapi plugins + +* Wed Aug 16 2000 Nalin Dahyabhai +- fix the summary text + +* Sun Aug 13 2000 Nalin Dahyabhai +- re-enable arcfour and CRAM + +* Fri Aug 4 2000 Nalin Dahyabhai +- force use of gdbm for database files to avoid DB migration weirdness +- enable login mechanism +- disable gssapi until it can coexist peacefully with non-gssapi setups +- actually do a make in the build section (#15410) + +* Fri Jul 21 2000 Nalin Dahyabhai +- update to 1.5.24 + +* Wed Jul 12 2000 Prospector +- automatic rebuild + +* Tue Jun 27 2000 Nalin Dahyabhai +- rebuild in new environment (release 3) + +* Mon Jun 19 2000 Nalin Dahyabhai +- don't muck with syslogd in post +- remove patch for db-3.0 wackiness, no longer needed + +* Thu Jun 8 2000 Nalin Dahyabhai +- FHS cleanup +- don't strip anything by default + +* Fri Feb 11 2000 Tim Powers +- fixed man pages not being gzipped + +* Tue Nov 16 1999 Tim Powers +- incorporated changes from Mads Kiilerich +- release number is 1, not mk1 + +* Wed Nov 10 1999 Mads Kiilerich +- updated to sasl 1.5.11 +- configure --disable-krb4 --without-rc4 --disable-cram + because of missing libraries and pine having cram as default... +- handle changing libsasl.so versions + +* Mon Aug 30 1999 Tim Powers +- changed group + +* Fri Aug 13 1999 Tim Powers +- first build for Powertools