From 8965b00c7fa7c7caa0cf451551a63b8262abd5e6 Mon Sep 17 00:00:00 2001
From: Carlo Landmeter <clandmeter@alpinelinux.org>
Date: Wed, 9 Jan 2019 09:08:19 +0000
Subject: [PATCH] main/cyrus-sasl: upgrade to 2.1.27 and cleanup
fails to build with ldap (linker issue)
should probably be added/fixed in the future.
make sasldb the default auth for saslauthd (we do not support pam).
---
main/cyrus-sasl/APKBUILD | 130 +++---
main/cyrus-sasl/CVE-2013-4122.patch | 117 -----
.../cyrus-sasl/cyrus-sasl-2.1.26-size_t.patch | 12 -
.../cyrus-sasl-2.1.27-as_needed.patch | 25 +
.../cyrus-sasl-2.1.27-autotools_fixes.patch | 31 ++
...rus-sasl-2.1.27-avoid_pic_overwrite.patch} | 18 +-
.../cyrus-sasl-2.1.27-doc_build_fix.patch | 11 +
...sl-2.1.27-gss_c_nt_hostbased_service.patch | 16 +
main/cyrus-sasl/openssl-1.1.patch | 435 ------------------
main/cyrus-sasl/saslauthd.initd | 19 +-
10 files changed, 165 insertions(+), 649 deletions(-)
delete mode 100644 main/cyrus-sasl/CVE-2013-4122.patch
delete mode 100644 main/cyrus-sasl/cyrus-sasl-2.1.26-size_t.patch
create mode 100644 main/cyrus-sasl/cyrus-sasl-2.1.27-as_needed.patch
create mode 100644 main/cyrus-sasl/cyrus-sasl-2.1.27-autotools_fixes.patch
rename main/cyrus-sasl/{cyrus-sasl-2.1.25-avoid_pic_overwrite.patch => cyrus-sasl-2.1.27-avoid_pic_overwrite.patch} (62%)
create mode 100644 main/cyrus-sasl/cyrus-sasl-2.1.27-doc_build_fix.patch
create mode 100644 main/cyrus-sasl/cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch
delete mode 100644 main/cyrus-sasl/openssl-1.1.patch
diff --git a/main/cyrus-sasl/APKBUILD b/main/cyrus-sasl/APKBUILD
index aaefd7c8118f..c193314bc383 100644
--- a/main/cyrus-sasl/APKBUILD
+++ b/main/cyrus-sasl/APKBUILD
@@ -1,25 +1,45 @@
# Contributor: Leonardo Arena <rnalrd@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=cyrus-sasl
-pkgver=2.1.26
-pkgrel=15
+pkgver=2.1.27
+pkgrel=0
pkgdesc="Cyrus Simple Authentication Service Layer (SASL)"
url="https://cyrusimap.org/"
arch="all"
license="custom"
options="!check" # No test suite.
-subpackages="$pkgname-static $pkgname-dev $pkgname-doc $pkgname-gssapi $pkgname-gs2
- $pkgname-scram $pkgname-ntlm $pkgname-crammd5 $pkgname-digestmd5
- libsasl $pkgname-openrc"
-depends=
-makedepends="db-dev openssl-dev heimdal-dev
- autoconf automake libtool"
-source="ftp://ftp.cyrusimap.org/$pkgname/$pkgname-$pkgver.tar.gz
+subpackages="
+ $pkgname-dev
+ $pkgname-doc
+ $pkgname-openrc
+ libsasl
+ $pkgname-gssapiv2:_plugin
+ $pkgname-gs2:_plugin
+ $pkgname-scram:_plugin
+ $pkgname-ntlm:_plugin
+ $pkgname-crammd5:_plugin
+ $pkgname-digestmd5:_plugin
+ $pkgname-plain:_plugin
+ $pkgname-login:_plugin
+ "
+makedepends="
+ db-dev
+ openssl-dev
+ krb5-dev
+ openldap-dev
+ py-sphinx
+
+ automake
+ autoconf
+ libtool
+ "
+source="https://github.com/cyrusimap/cyrus-sasl/releases/download/cyrus-sasl-$pkgver/cyrus-sasl-$pkgver.tar.gz
+ cyrus-sasl-2.1.27-as_needed.patch
+ cyrus-sasl-2.1.27-autotools_fixes.patch
+ cyrus-sasl-2.1.27-avoid_pic_overwrite.patch
+ cyrus-sasl-2.1.27-doc_build_fix.patch
+ cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch
saslauthd.initd
- cyrus-sasl-2.1.25-avoid_pic_overwrite.patch
- cyrus-sasl-2.1.26-size_t.patch
- CVE-2013-4122.patch
- openssl-1.1.patch
"
# secfixes:
@@ -27,50 +47,48 @@ source="ftp://ftp.cyrusimap.org/$pkgname/$pkgname-$pkgver.tar.gz
# - CVE-2013-4122
builddir="$srcdir"/$pkgname-$pkgver
-prepare() {
- default_prepare
-
- # the libtool they ship is broken
- sed 's/AM_CONFIG_HEADER/AC_CONFIG_HEADERS/' -i configure.in || return 1
- rm -rf config/config.guess config/config.sub config/ltconfig \
- config/ltmain.sh config/libtool.m4 autom4te.cache
- libtoolize -c && aclocal -I config -I cmulocal \
- && automake -a -c && autoheader && autoconf
-}
build() {
- cd "$builddir"
+ autoreconf -vif
./configure \
--build=$CBUILD \
--host=$CHOST \
--prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var \
+ --mandir=/usr/share/man \
--enable-static \
--enable-shared \
- --disable-anon \
+ --disable-java \
+ --with-plugindir=/usr/lib/sasl2 \
+ --with-configdir=/etc/sasl2 \
+ --with-dbpath=/etc/sasl2/sasldb2 \
+ --disable-krb4 \
+ --with-gss_impl=mit \
+ --enable-gssapi \
+ --with-rc4 \
+ --with-dblib=berkeley \
+ --with-saslauthd=/run/saslauthd \
+ --without-pwcheck \
+ --with-devrandom=/dev/urandom \
+ --enable-anon \
--enable-cram \
--enable-digest \
- --enable-login \
--enable-ntlm \
- --disable-otp \
--enable-plain \
- --with-gss_impl=heimdal \
- --with-devrandom=/dev/urandom \
- --without-ldap \
- --with-saslauthd=/var/run/saslauthd \
- --mandir=/usr/share/man
- # parallell builds is broken
- make -j1
+ --enable-login \
+ --enable-auth-sasldb \
+ --enable-alwaystrue \
+ --disable-otp
+ make
}
package() {
- cd "$srcdir"/cyrus-sasl-$pkgver
+ cd "$builddir"
make -j1 DESTDIR="$pkgdir" install
+ mkdir -p "$pkgdir"/etc/sasl2
install -D -m644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING
-
- install -Dm755 ../saslauthd.initd "$pkgdir"/etc/init.d/saslauthd
- install -d "$pkgdir"/var/run/saslauthd
+ install -Dm755 "$srcdir"/saslauthd.initd "$pkgdir"/etc/init.d/saslauthd
}
static() {
@@ -79,32 +97,30 @@ static() {
mv "$pkgdir"/usr/lib/*.a "$subpkgdir"/usr/lib/
}
-_plugindir=usr/lib/sasl2
_plugin() {
depends=
+ local plugin=${subpkgname/$pkgname-/}
replaces="libsasl"
- pkgdesc="Cyrus SASL plugin for $1"
- mkdir -p "$subpkgdir"/$_plugindir
- mv "$pkgdir"/$_plugindir/lib${1}.so* "$subpkgdir"/$_plugindir/
+ pkgdesc="Cyrus SASL plugin for $plugin"
+ mkdir -p "$subpkgdir"/usr/lib/sasl2
+ mv "$pkgdir"/usr/lib/sasl2/lib${plugin}.so* "$subpkgdir"/usr/lib/sasl2/
}
-gssapi() { _plugin gssapiv2; }
-gs2() { _plugin gs2; }
-scram() { _plugin scram; }
-ntlm() { _plugin ntlm; }
-crammd5() { _plugin crammd5; }
-digestmd5() { _plugin digestmd5; }
-
libsasl() {
depends=
pkgdesc="Cyrus Simple Authentication and Security Layer (SASL) library"
- mkdir -p "$subpkgdir"/usr
- mv "$pkgdir"/usr/lib "$subpkgdir"/usr/
+ mkdir -p "$subpkgdir"/usr/lib/sasl2
+ local lib=
+ for lib in anonymous sasldb; do
+ mv "$pkgdir"/usr/lib/sasl2/*${lib}*.so* "$subpkgdir"/usr/lib/sasl2/
+ done
+ mv "$pkgdir"/usr/lib/libsasl*.so.* "$subpkgdir"/usr/lib/
}
-sha512sums="78819cb9bb38bea4537d6770d309deeeef09ff44a67526177609d3e1257ff4334d2b5e5131d5a1e4dea7430d8db1918ea9d171f0dee38b5e8337f4b72ed068f0 cyrus-sasl-2.1.26.tar.gz
-71a00a22f91f0fb6ba2796acede321a0f071b1d7a99616f0e36c354213777f30575c340b6df392dcbfc103ba7640d046144882f6a7b505f59709bb5c429b44d8 saslauthd.initd
-033e3634116e1d3b316052dbe0b671cca0fcfb6063fca1a97d990c422c2ce05109a1e424e84ed9928dc0312a325a7248f2d2e3f9547f84453b36331c01f63be5 cyrus-sasl-2.1.25-avoid_pic_overwrite.patch
-fe4c3e6d5230eb50b9e6885129760a12e7bce316b41a3e58b2c550fa83526b91205cd827f7d1367751313559875d32982b95b024b1a22300ac5b35214e7c2b78 cyrus-sasl-2.1.26-size_t.patch
-08964bc3ad713e137b8f05f9bac345d79676d14784bc37525f195e8e2a3e6740428237b64f7eeeacc0c71ed6cf1664c6e9c2267ac6df327761d92174a1853744 CVE-2013-4122.patch
-75541cf0a1b52f809ac9073b629a224fdb6e70a13ce0cf10c0ad0a12bf94887a725466e8000c2a412f20d88d8c4b8bc5be5a5bf74d752c529bc76cfa58755d8a openssl-1.1.patch"
+sha512sums="d11549a99b3b06af79fc62d5478dba3305d7e7cc0824f4b91f0d2638daafbe940623eab235f85af9be38dcf5d42fc131db531c177040a85187aee5096b8df63b cyrus-sasl-2.1.27.tar.gz
+9eefa6d45e3dd9157a5672909acdd88f0ae35e76d64c3723890a474bbb05b22499cfadb0c077924d27f34da3710b2b700094dd7d5704050138c08dabcefdde94 cyrus-sasl-2.1.27-as_needed.patch
+0d99ca049e76c11500769079d94f3bdb634bddb4c8d45a83b383e9bb9777edda66b17566800acbd450e1f4842d070ec3fbc236e7f0ef8759c36e6dd5ea8e3c64 cyrus-sasl-2.1.27-autotools_fixes.patch
+4ca601839b023ef790e48dae567ffbbd57c632384c980946639ec7437ad23874961451718569455e6e25afaeff1728ecbc71a8686f6b43246f83465f95a2c904 cyrus-sasl-2.1.27-avoid_pic_overwrite.patch
+6d723e7ec2c431b45c011b887187b6a670dbe646aa4c39d38171047ab23db529c30c433f8d4dd624181917c5ce4e5271f86e35e2644ede1c40dfb09cb67dccde cyrus-sasl-2.1.27-doc_build_fix.patch
+fca4f2b7e427c7613f71daa4a31772c33c8c0fe9d7f85b57b85da71bc5a88a18fc52f7caea463188b4addd31cd041d5349af689d5face2cc45fb50c700a8afd7 cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch
+f76bfb61567172428cdbc1ed900d5e0b6e66afc38118db6ba0e2fd8ba01956ad896e56463b2249bdc46d8725384f1b975a2af3601c0735327d3f8bc26ce1ed75 saslauthd.initd"
diff --git a/main/cyrus-sasl/CVE-2013-4122.patch b/main/cyrus-sasl/CVE-2013-4122.patch
deleted file mode 100644
index 38f2595a5c9e..000000000000
--- a/main/cyrus-sasl/CVE-2013-4122.patch
+++ /dev/null
@@ -1,117 +0,0 @@
-From dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d Mon Sep 17 00:00:00 2001
-From: mancha <mancha1@hush.com>
-Date: Thu, 11 Jul 2013 10:08:07 +0100
-Subject: Handle NULL returns from glibc 2.17+ crypt()
-
-Starting with glibc 2.17 (eglibc 2.17), crypt() fails with EINVAL
-(w/ NULL return) if the salt violates specifications. Additionally,
-on FIPS-140 enabled Linux systems, DES/MD5-encrypted passwords
-passed to crypt() fail with EPERM (w/ NULL return).
-
-When using glibc's crypt(), check return value to avoid a possible
-NULL pointer dereference.
-
-Patch by mancha1@hush.com.
-
-diff --git a/pwcheck/pwcheck_getpwnam.c b/pwcheck/pwcheck_getpwnam.c
-index 4b34222..400289c 100644
---- a/pwcheck/pwcheck_getpwnam.c
-+++ b/pwcheck/pwcheck_getpwnam.c
-@@ -32,6 +32,7 @@ char *userid;
- char *password;
- {
- char* r;
-+ char* crpt_passwd;
- struct passwd *pwd;
-
- pwd = getpwnam(userid);
-@@ -41,7 +42,7 @@ char *password;
- else if (pwd->pw_passwd[0] == '*') {
- r = "Account disabled";
- }
-- else if (strcmp(pwd->pw_passwd, crypt(password, pwd->pw_passwd)) != 0) {
-+ else if (!(crpt_passwd = crypt(password, pwd->pw_passwd)) || strcmp(pwd->pw_passwd, (const char *)crpt_passwd) != 0) {
- r = "Incorrect password";
- }
- else {
-diff --git a/pwcheck/pwcheck_getspnam.c b/pwcheck/pwcheck_getspnam.c
-index 2b11286..6d607bb 100644
---- a/pwcheck/pwcheck_getspnam.c
-+++ b/pwcheck/pwcheck_getspnam.c
-@@ -32,13 +32,15 @@ char *userid;
- char *password;
- {
- struct spwd *pwd;
-+ char *crpt_passwd;
-
- pwd = getspnam(userid);
- if (!pwd) {
- return "Userid not found";
- }
-
-- if (strcmp(pwd->sp_pwdp, crypt(password, pwd->sp_pwdp)) != 0) {
-+ crpt_passwd = crypt(password, pwd->sp_pwdp);
-+ if (!crpt_passwd || strcmp(pwd->sp_pwdp, (const char *)crpt_passwd) != 0) {
- return "Incorrect password";
- }
- else {
-diff --git a/saslauthd/auth_getpwent.c b/saslauthd/auth_getpwent.c
-index fc8029d..d4ebe54 100644
---- a/saslauthd/auth_getpwent.c
-+++ b/saslauthd/auth_getpwent.c
-@@ -77,6 +77,7 @@ auth_getpwent (
- {
- /* VARIABLES */
- struct passwd *pw; /* pointer to passwd file entry */
-+ char *crpt_passwd; /* encrypted password */
- int errnum;
- /* END VARIABLES */
-
-@@ -105,7 +106,8 @@ auth_getpwent (
- }
- }
-
-- if (strcmp(pw->pw_passwd, (const char *)crypt(password, pw->pw_passwd))) {
-+ crpt_passwd = crypt(password, pw->pw_passwd);
-+ if (!crpt_passwd || strcmp(pw->pw_passwd, (const char *)crpt_passwd)) {
- if (flags & VERBOSE) {
- syslog(LOG_DEBUG, "DEBUG: auth_getpwent: %s: invalid password", login);
- }
-diff --git a/saslauthd/auth_shadow.c b/saslauthd/auth_shadow.c
-index 677131b..1988afd 100644
---- a/saslauthd/auth_shadow.c
-+++ b/saslauthd/auth_shadow.c
-@@ -210,8 +210,8 @@ auth_shadow (
- RETURN("NO Insufficient permission to access NIS authentication database (saslauthd)");
- }
-
-- cpw = strdup((const char *)crypt(password, sp->sp_pwdp));
-- if (strcmp(sp->sp_pwdp, cpw)) {
-+ cpw = crypt(password, sp->sp_pwdp);
-+ if (!cpw || strcmp(sp->sp_pwdp, (const char *)cpw)) {
- if (flags & VERBOSE) {
- /*
- * This _should_ reveal the SHADOW_PW_LOCKED prefix to an
-@@ -221,10 +221,8 @@ auth_shadow (
- syslog(LOG_DEBUG, "DEBUG: auth_shadow: pw mismatch: '%s' != '%s'",
- sp->sp_pwdp, cpw);
- }
-- free(cpw);
- RETURN("NO Incorrect password");
- }
-- free(cpw);
-
- /*
- * The following fields will be set to -1 if:
-@@ -286,7 +284,7 @@ auth_shadow (
- RETURN("NO Invalid username");
- }
-
-- if (strcmp(upw->upw_passwd, crypt(password, upw->upw_passwd)) != 0) {
-+ if (!(cpw = crypt(password, upw->upw_passwd)) || (strcmp(upw->upw_passwd, (const char *)cpw) != 0)) {
- if (flags & VERBOSE) {
- syslog(LOG_DEBUG, "auth_shadow: pw mismatch: %s != %s",
- password, upw->upw_passwd);
---
-cgit v0.10.2
-
diff --git a/main/cyrus-sasl/cyrus-sasl-2.1.26-size_t.patch b/main/cyrus-sasl/cyrus-sasl-2.1.26-size_t.patch
deleted file mode 100644
index cde823835b5e..000000000000
--- a/main/cyrus-sasl/cyrus-sasl-2.1.26-size_t.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up cyrus-sasl-2.1.26/include/sasl.h.size_t cyrus-sasl-2.1.26/include/sasl.h
---- cyrus-sasl-2.1.26/include/sasl.h.size_t 2012-10-12 09:05:48.000000000 -0500
-+++ cyrus-sasl-2.1.26/include/sasl.h 2013-01-31 13:21:04.007739327 -0600
-@@ -223,6 +223,8 @@ extern "C" {
- * they must be called before all other SASL functions:
- */
-
-+#include <sys/types.h>
-+
- /* memory allocation functions which may optionally be replaced:
- */
- typedef void *sasl_malloc_t(size_t);
diff --git a/main/cyrus-sasl/cyrus-sasl-2.1.27-as_needed.patch b/main/cyrus-sasl/cyrus-sasl-2.1.27-as_needed.patch
new file mode 100644
index 000000000000..7cd9e151fbb7
--- /dev/null
+++ b/main/cyrus-sasl/cyrus-sasl-2.1.27-as_needed.patch
@@ -0,0 +1,25 @@
+Author: Matthias Klose <doko@ubuntu.com>
+Desription: Fix FTBFS, add $(SASL_DB_LIB) as dependency to libsasldb, and use
+it.
+--- cyrus-sasl-2.1.27/saslauthd/Makefile.am
++++ cyrus-sasl-2.1.27/saslauthd/Makefile.am
+@@ -25,7 +25,7 @@
+ saslauthd_DEPENDENCIES = saslauthd-main.o $(LTLIBOBJS_FULL)
+ saslauthd_LDADD = @SASL_KRB_LIB@ \
+ @GSSAPIBASE_LIBS@ @LIB_CRYPT@ @LIB_SIA@ \
+- @LIB_SOCKET@ @SASL_DB_LIB@ @LIB_PAM@ @LDAP_LIBS@ $(LTLIBOBJS_FULL) $(CRYPTO_COMPAT_OBJS) $(LIBSASLDB_OBJS)
++ @LIB_SOCKET@ ../sasldb/libsasldb.la @LIB_PAM@ @LDAP_LIBS@ $(LTLIBOBJS_FULL) $(CRYPTO_COMPAT_OBJS) $(LIBSASLDB_OBJS)
+
+ testsaslauthd_SOURCES = testsaslauthd.c utils.c
+ testsaslauthd_LDADD = @LIB_SOCKET@
+--- cyrus-sasl-2.1.27/sasldb/Makefile.am
++++ cyrus-sasl-2.1.27/sasldb/Makefile.am
+@@ -54,6 +54,6 @@
+
+ libsasldb_la_SOURCES = allockey.c sasldb.h
+ EXTRA_libsasldb_la_SOURCES = $(extra_common_sources)
+-libsasldb_la_DEPENDENCIES = $(SASL_DB_BACKEND)
+-libsasldb_la_LIBADD = $(SASL_DB_BACKEND)
++libsasldb_la_DEPENDENCIES = $(SASL_DB_BACKEND) $(SASL_DB_LIB)
++libsasldb_la_LIBADD = $(SASL_DB_BACKEND) $(SASL_DB_LIB)
+ libsasldb_la_LDFLAGS = -no-undefined
diff --git a/main/cyrus-sasl/cyrus-sasl-2.1.27-autotools_fixes.patch b/main/cyrus-sasl/cyrus-sasl-2.1.27-autotools_fixes.patch
new file mode 100644
index 000000000000..2ce971efc5b5
--- /dev/null
+++ b/main/cyrus-sasl/cyrus-sasl-2.1.27-autotools_fixes.patch
@@ -0,0 +1,31 @@
+--- cyrus-sasl-2.1.27/configure.ac
++++ cyrus-sasl-2.1.27/configure.ac
+@@ -44,6 +44,8 @@
+
+ AC_PREREQ(2.63)
+
++AC_CONFIG_MACRO_DIR([config])
++
+ dnl
+ dnl REMINDER: When changing the version number here, please also update
+ dnl the values in win32/include/config.h and include/sasl.h as well.
+--- cyrus-sasl-2.1.27/Makefile.am
++++ cyrus-sasl-2.1.27/Makefile.am
+@@ -44,6 +44,8 @@
+ #
+ ################################################################
+
++ACLOCAL_AMFLAGS = -I config
++
+ if SASLAUTHD
+ SAD = saslauthd
+ else
+--- cyrus-sasl-2.1.27/saslauthd/Makefile.am
++++ cyrus-sasl-2.1.27/saslauthd/Makefile.am
+@@ -1,4 +1,6 @@
+ AUTOMAKE_OPTIONS = 1.7
++ACLOCAL_AMFLAGS = -I ../config
++
+ sbin_PROGRAMS = saslauthd testsaslauthd
+ EXTRA_PROGRAMS = saslcache
+
diff --git a/main/cyrus-sasl/cyrus-sasl-2.1.25-avoid_pic_overwrite.patch b/main/cyrus-sasl/cyrus-sasl-2.1.27-avoid_pic_overwrite.patch
similarity index 62%
rename from main/cyrus-sasl/cyrus-sasl-2.1.25-avoid_pic_overwrite.patch
rename to main/cyrus-sasl/cyrus-sasl-2.1.27-avoid_pic_overwrite.patch
index 2e5b1750d00d..c331039e2f16 100644
--- a/main/cyrus-sasl/cyrus-sasl-2.1.25-avoid_pic_overwrite.patch
+++ b/main/cyrus-sasl/cyrus-sasl-2.1.27-avoid_pic_overwrite.patch
@@ -4,24 +4,14 @@ is created out of non-PIC objects, is not going to overwrite the PIC version,
which is created out of PIC objects. The PIC version is placed in .libs, and
the non-PIC version in the current directory. This ensures that both non-PIC
and PIC versions are available in the correct locations.
---- a/lib/Makefile.am
-+++ b/lib/Makefile.am
-@@ -78,7 +78,7 @@ endif
+--- cyrus-sasl-2.1.27/lib/Makefile.am
++++ cyrus-sasl-2.1.27/lib/Makefile.am
+@@ -98,7 +98,7 @@
libsasl2.a: libsasl2.la $(SASL_STATIC_OBJS)
@echo adding static plugins and dependencies
- $(AR) cru .libs/$@ $(SASL_STATIC_OBJS)
+ $(AR) cru $@ $(SASL_STATIC_OBJS)
- @for i in ./libsasl2.la ../sasldb/libsasldb.la ../plugins/lib*.la; do \
+ @for i in ./libsasl2.la ../common/libplugin_common.la ../sasldb/libsasldb.la ../plugins/lib*.la; do \
if test ! -f $$i; then continue; fi; . $$i; \
for j in $$dependency_libs foo; do \
---- a/sasldb/Makefile.am
-+++ b/sasldb/Makefile.am
-@@ -63,6 +63,6 @@ libsasldb_a_SOURCES =
- EXTRA_libsasldb_a_SOURCES =
-
- libsasldb.a: libsasldb.la $(SASL_DB_BACKEND_STATIC)
-- $(AR) cru .libs/$@ $(SASL_DB_BACKEND_STATIC)
-+ $(AR) cru $@ $(SASL_DB_BACKEND_STATIC)
-
-
diff --git a/main/cyrus-sasl/cyrus-sasl-2.1.27-doc_build_fix.patch b/main/cyrus-sasl/cyrus-sasl-2.1.27-doc_build_fix.patch
new file mode 100644
index 000000000000..bdd02f779660
--- /dev/null
+++ b/main/cyrus-sasl/cyrus-sasl-2.1.27-doc_build_fix.patch
@@ -0,0 +1,11 @@
+--- cyrus-sasl-2.1.27/docsrc/exts/sphinxlocal/writers/manpage.py
++++ cyrus-sasl-2.1.27/docsrc/exts/sphinxlocal/writers/manpage.py
+@@ -23,7 +23,7 @@
+ from sphinx import addnodes
+ from sphinx.locale import admonitionlabels, _
+ from sphinx.util.osutil import ustrftime
+-from sphinx.util.compat import docutils_version
++#from sphinx.util.compat import docutils_version
+
+ class CyrusManualPageWriter(ManualPageWriter):
+
diff --git a/main/cyrus-sasl/cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch b/main/cyrus-sasl/cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch
new file mode 100644
index 000000000000..c585cb158e15
--- /dev/null
+++ b/main/cyrus-sasl/cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch
@@ -0,0 +1,16 @@
+Gentoo bug #389349
+--- cyrus-sasl-2.1.27/m4/sasl2.m4
++++ cyrus-sasl-2.1.27/m4/sasl2.m4
+@@ -220,7 +220,11 @@
+ [AC_WARN([Cybersafe define not found])])
+
+ elif test "$ac_cv_header_gssapi_h" = "yes"; then
+- AC_EGREP_HEADER(GSS_C_NT_HOSTBASED_SERVICE, gssapi.h,
++ AC_EGREP_CPP(hostbased_service_gss_nt_yes, gssapi.h,
++ [#include <gssapi.h>
++ #ifdef GSS_C_NT_HOSTBASED_SERVICE
++ hostbased_service_gss_nt_yes
++ #endif],
+ [AC_DEFINE(HAVE_GSS_C_NT_HOSTBASED_SERVICE,,
+ [Define if your GSSAPI implementation defines GSS_C_NT_HOSTBASED_SERVICE])])
+ elif test "$ac_cv_header_gssapi_gssapi_h"; then
diff --git a/main/cyrus-sasl/openssl-1.1.patch b/main/cyrus-sasl/openssl-1.1.patch
deleted file mode 100644
index c02a2141d254..000000000000
--- a/main/cyrus-sasl/openssl-1.1.patch
+++ /dev/null
@@ -1,435 +0,0 @@
-diff -up cyrus-sasl-2.1.26/plugins/ntlm.c.openssl110 cyrus-sasl-2.1.26/plugins/ntlm.c
---- cyrus-sasl-2.1.26/plugins/ntlm.c.openssl110 2012-01-28 00:31:36.000000000 +0100
-+++ cyrus-sasl-2.1.26/plugins/ntlm.c 2016-11-07 16:15:57.498259304 +0100
-@@ -417,6 +417,29 @@ static unsigned char *P24(unsigned char
- return P24;
- }
-
-+static HMAC_CTX *_plug_HMAC_CTX_new(const sasl_utils_t *utils)
-+{
-+ utils->log(NULL, SASL_LOG_DEBUG, "_plug_HMAC_CTX_new()");
-+
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+ return HMAC_CTX_new();
-+#else
-+ return utils->malloc(sizeof(HMAC_CTX));
-+#endif
-+}
-+
-+static void _plug_HMAC_CTX_free(HMAC_CTX *ctx, const sasl_utils_t *utils)
-+{
-+ utils->log(NULL, SASL_LOG_DEBUG, "_plug_HMAC_CTX_free()");
-+
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+ HMAC_CTX_free(ctx);
-+#else
-+ HMAC_cleanup(ctx);
-+ utils->free(ctx);
-+#endif
-+}
-+
- static unsigned char *V2(unsigned char *V2, sasl_secret_t *passwd,
- const char *authid, const char *target,
- const unsigned char *challenge,
-@@ -424,7 +447,7 @@ static unsigned char *V2(unsigned char *
- const sasl_utils_t *utils,
- char **buf, unsigned *buflen, int *result)
- {
-- HMAC_CTX ctx;
-+ HMAC_CTX *ctx = NULL;
- unsigned char hash[EVP_MAX_MD_SIZE];
- char *upper;
- unsigned int len;
-@@ -435,6 +458,10 @@ static unsigned char *V2(unsigned char *
- SETERROR(utils, "cannot allocate NTLMv2 hash");
- *result = SASL_NOMEM;
- }
-+ else if ((ctx = _plug_HMAC_CTX_new(utils)) == NULL) {
-+ SETERROR(utils, "cannot allocate HMAC CTX");
-+ *result = SASL_NOMEM;
-+ }
- else {
- /* NTLMv2hash = HMAC-MD5(NTLMhash, unicode(ucase(authid + domain))) */
- P16_nt(hash, passwd, utils, buf, buflen, result);
-@@ -449,17 +476,18 @@ static unsigned char *V2(unsigned char *
- HMAC(EVP_md5(), hash, MD4_DIGEST_LENGTH, *buf, 2 * len, hash, &len);
-
- /* V2 = HMAC-MD5(NTLMv2hash, challenge + blob) + blob */
-- HMAC_Init(&ctx, hash, len, EVP_md5());
-- HMAC_Update(&ctx, challenge, NTLM_NONCE_LENGTH);
-- HMAC_Update(&ctx, blob, bloblen);
-- HMAC_Final(&ctx, V2, &len);
-- HMAC_cleanup(&ctx);
-+ HMAC_Init_ex(ctx, hash, len, EVP_md5(), NULL);
-+ HMAC_Update(ctx, challenge, NTLM_NONCE_LENGTH);
-+ HMAC_Update(ctx, blob, bloblen);
-+ HMAC_Final(ctx, V2, &len);
-
- /* the blob is concatenated outside of this function */
-
- *result = SASL_OK;
- }
-
-+ if (ctx) _plug_HMAC_CTX_free(ctx, utils);
-+
- return V2;
- }
-
-diff -up cyrus-sasl-2.1.26/plugins/otp.c.openssl110 cyrus-sasl-2.1.26/plugins/otp.c
---- cyrus-sasl-2.1.26/plugins/otp.c.openssl110 2012-10-12 16:05:48.000000000 +0200
-+++ cyrus-sasl-2.1.26/plugins/otp.c 2016-11-07 16:13:54.374327601 +0100
-@@ -96,6 +96,28 @@ static algorithm_option_t algorithm_opti
- {NULL, 0, NULL}
- };
-
-+static EVP_MD_CTX *_plug_EVP_MD_CTX_new(const sasl_utils_t *utils)
-+{
-+ utils->log(NULL, SASL_LOG_DEBUG, "_plug_EVP_MD_CTX_new()");
-+
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+ return EVP_MD_CTX_new();
-+#else
-+ return utils->malloc(sizeof(EVP_MD_CTX));
-+#endif
-+}
-+
-+static void _plug_EVP_MD_CTX_free(EVP_MD_CTX *ctx, const sasl_utils_t *utils)
-+{
-+ utils->log(NULL, SASL_LOG_DEBUG, "_plug_EVP_MD_CTX_free()");
-+
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+ EVP_MD_CTX_free(ctx);
-+#else
-+ utils->free(ctx);
-+#endif
-+}
-+
- /* Convert the binary data into ASCII hex */
- void bin2hex(unsigned char *bin, int binlen, char *hex)
- {
-@@ -116,17 +138,16 @@ void bin2hex(unsigned char *bin, int bin
- * swabbing bytes if necessary.
- */
- static void otp_hash(const EVP_MD *md, char *in, size_t inlen,
-- unsigned char *out, int swab)
-+ unsigned char *out, int swab, EVP_MD_CTX *mdctx)
- {
-- EVP_MD_CTX mdctx;
-- char hash[EVP_MAX_MD_SIZE];
-+ unsigned char hash[EVP_MAX_MD_SIZE];
- unsigned int i;
- int j;
- unsigned hashlen;
-
-- EVP_DigestInit(&mdctx, md);
-- EVP_DigestUpdate(&mdctx, in, inlen);
-- EVP_DigestFinal(&mdctx, hash, &hashlen);
-+ EVP_DigestInit(mdctx, md);
-+ EVP_DigestUpdate(mdctx, in, inlen);
-+ EVP_DigestFinal(mdctx, hash, &hashlen);
-
- /* Fold the result into 64 bits */
- for (i = OTP_HASH_SIZE; i < hashlen; i++) {
-@@ -149,7 +170,9 @@ static int generate_otp(const sasl_utils
- char *secret, char *otp)
- {
- const EVP_MD *md;
-- char *key;
-+ EVP_MD_CTX *mdctx = NULL;
-+ char *key = NULL;
-+ int r = SASL_OK;
-
- if (!(md = EVP_get_digestbyname(alg->evp_name))) {
- utils->seterror(utils->conn, 0,
-@@ -157,23 +180,32 @@ static int generate_otp(const sasl_utils
- return SASL_FAIL;
- }
-
-+ if ((mdctx = _plug_EVP_MD_CTX_new(utils)) == NULL) {
-+ SETERROR(utils, "cannot allocate MD CTX");
-+ r = SASL_NOMEM;
-+ goto done;
-+ }
-+
- if ((key = utils->malloc(strlen(seed) + strlen(secret) + 1)) == NULL) {
- SETERROR(utils, "cannot allocate OTP key");
-- return SASL_NOMEM;
-+ r = SASL_NOMEM;
-+ goto done;
- }
-
- /* initial step */
- strcpy(key, seed);
- strcat(key, secret);
-- otp_hash(md, key, strlen(key), otp, alg->swab);
-+ otp_hash(md, key, strlen(key), otp, alg->swab, mdctx);
-
- /* computation step */
- while (seq-- > 0)
-- otp_hash(md, otp, OTP_HASH_SIZE, otp, alg->swab);
--
-- utils->free(key);
-+ otp_hash(md, otp, OTP_HASH_SIZE, otp, alg->swab, mdctx);
-+
-+ done:
-+ if (key) utils->free(key);
-+ if (mdctx) _plug_EVP_MD_CTX_free(mdctx, utils);
-
-- return SASL_OK;
-+ return r;
- }
-
- static int parse_challenge(const sasl_utils_t *utils,
-@@ -693,7 +725,8 @@ static int strptrcasecmp(const void *arg
-
- /* Convert the 6 words into binary data */
- static int word2bin(const sasl_utils_t *utils,
-- char *words, unsigned char *bin, const EVP_MD *md)
-+ char *words, unsigned char *bin, const EVP_MD *md,
-+ EVP_MD_CTX *mdctx)
- {
- int i, j;
- char *c, *word, buf[OTP_RESPONSE_MAX+1];
-@@ -752,13 +785,12 @@ static int word2bin(const sasl_utils_t *
-
- /* alternate dictionary */
- if (alt_dict) {
-- EVP_MD_CTX mdctx;
-- char hash[EVP_MAX_MD_SIZE];
-- int hashlen;
-+ unsigned char hash[EVP_MAX_MD_SIZE];
-+ unsigned hashlen;
-
-- EVP_DigestInit(&mdctx, md);
-- EVP_DigestUpdate(&mdctx, word, strlen(word));
-- EVP_DigestFinal(&mdctx, hash, &hashlen);
-+ EVP_DigestInit(mdctx, md);
-+ EVP_DigestUpdate(mdctx, word, strlen(word));
-+ EVP_DigestFinal(mdctx, hash, &hashlen);
-
- /* use lowest 11 bits */
- x = ((hash[hashlen-2] & 0x7) << 8) | hash[hashlen-1];
-@@ -802,6 +834,7 @@ static int verify_response(server_contex
- char *response)
- {
- const EVP_MD *md;
-+ EVP_MD_CTX *mdctx = NULL;
- char *c;
- int do_init = 0;
- unsigned char cur_otp[OTP_HASH_SIZE], prev_otp[OTP_HASH_SIZE];
-@@ -815,6 +848,11 @@ static int verify_response(server_contex
- return SASL_FAIL;
- }
-
-+ if ((mdctx = _plug_EVP_MD_CTX_new(utils)) == NULL) {
-+ SETERROR(utils, "cannot allocate MD CTX");
-+ return SASL_NOMEM;
-+ }
-+
- /* eat leading whitespace */
- c = response;
- while (isspace((int) *c)) c++;
-@@ -824,7 +862,7 @@ static int verify_response(server_contex
- r = hex2bin(c+strlen(OTP_HEX_TYPE), cur_otp, OTP_HASH_SIZE);
- }
- else if (!strncasecmp(c, OTP_WORD_TYPE, strlen(OTP_WORD_TYPE))) {
-- r = word2bin(utils, c+strlen(OTP_WORD_TYPE), cur_otp, md);
-+ r = word2bin(utils, c+strlen(OTP_WORD_TYPE), cur_otp, md, mdctx);
- }
- else if (!strncasecmp(c, OTP_INIT_HEX_TYPE,
- strlen(OTP_INIT_HEX_TYPE))) {
-@@ -834,7 +872,7 @@ static int verify_response(server_contex
- else if (!strncasecmp(c, OTP_INIT_WORD_TYPE,
- strlen(OTP_INIT_WORD_TYPE))) {
- do_init = 1;
-- r = word2bin(utils, c+strlen(OTP_INIT_WORD_TYPE), cur_otp, md);
-+ r = word2bin(utils, c+strlen(OTP_INIT_WORD_TYPE), cur_otp, md, mdctx);
- }
- else {
- SETERROR(utils, "unknown OTP extended response type");
-@@ -843,14 +881,15 @@ static int verify_response(server_contex
- }
- else {
- /* standard response, try word first, and then hex */
-- r = word2bin(utils, c, cur_otp, md);
-+ r = word2bin(utils, c, cur_otp, md, mdctx);
- if (r != SASL_OK)
- r = hex2bin(c, cur_otp, OTP_HASH_SIZE);
- }
-
- if (r == SASL_OK) {
- /* do one more hash (previous otp) and compare to stored otp */
-- otp_hash(md, cur_otp, OTP_HASH_SIZE, prev_otp, text->alg->swab);
-+ otp_hash(md, (char *) cur_otp, OTP_HASH_SIZE,
-+ prev_otp, text->alg->swab, mdctx);
-
- if (!memcmp(prev_otp, text->otp, OTP_HASH_SIZE)) {
- /* update the secret with this seq/otp */
-@@ -879,23 +918,28 @@ static int verify_response(server_contex
- *new_resp++ = '\0';
- }
-
-- if (!(new_chal && new_resp))
-- return SASL_BADAUTH;
-+ if (!(new_chal && new_resp)) {
-+ r = SASL_BADAUTH;
-+ goto done;
-+ }
-
- if ((r = parse_challenge(utils, new_chal, &alg, &seq, seed, 1))
- != SASL_OK) {
-- return r;
-+ goto done;
- }
-
-- if (seq < 1 || !strcasecmp(seed, text->seed))
-- return SASL_BADAUTH;
-+ if (seq < 1 || !strcasecmp(seed, text->seed)) {
-+ r = SASL_BADAUTH;
-+ goto done;
-+ }
-
- /* find the MDA */
- if (!(md = EVP_get_digestbyname(alg->evp_name))) {
- utils->seterror(utils->conn, 0,
- "OTP algorithm %s is not available",
- alg->evp_name);
-- return SASL_BADAUTH;
-+ r = SASL_BADAUTH;
-+ goto done;
- }
-
- if (!strncasecmp(c, OTP_INIT_HEX_TYPE, strlen(OTP_INIT_HEX_TYPE))) {
-@@ -903,7 +947,7 @@ static int verify_response(server_contex
- }
- else if (!strncasecmp(c, OTP_INIT_WORD_TYPE,
- strlen(OTP_INIT_WORD_TYPE))) {
-- r = word2bin(utils, new_resp, new_otp, md);
-+ r = word2bin(utils, new_resp, new_otp, md, mdctx);
- }
-
- if (r == SASL_OK) {
-@@ -914,7 +958,10 @@ static int verify_response(server_contex
- memcpy(text->otp, new_otp, OTP_HASH_SIZE);
- }
- }
--
-+
-+ done:
-+ if (mdctx) _plug_EVP_MD_CTX_free(mdctx, utils);
-+
- return r;
- }
-
-diff -up cyrus-sasl-2.1.26/saslauthd/lak.c.openssl110 cyrus-sasl-2.1.26/saslauthd/lak.c
---- cyrus-sasl-2.1.26/saslauthd/lak.c.openssl110 2016-11-07 16:13:54.347327616 +0100
-+++ cyrus-sasl-2.1.26/saslauthd/lak.c 2016-11-07 16:18:42.283167898 +0100
-@@ -61,6 +61,35 @@
- #include <sasl.h>
- #include "lak.h"
-
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+static EVP_MD_CTX *EVP_MD_CTX_new(void)
-+{
-+ return EVP_MD_CTX_create();
-+}
-+static void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
-+{
-+ if (ctx == NULL)
-+ return;
-+
-+ EVP_MD_CTX_destroy(ctx);
-+}
-+
-+static EVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void)
-+{
-+ EVP_ENCODE_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));
-+
-+ if (ctx != NULL) {
-+ memset(ctx, 0, sizeof(*ctx));
-+ }
-+ return ctx;
-+}
-+static void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx)
-+{
-+ OPENSSL_free(ctx);
-+ return;
-+}
-+#endif
-+
- typedef struct lak_auth_method {
- int method;
- int (*check) (LAK *lak, const char *user, const char *service, const char *realm, const char *password) ;
-@@ -1720,20 +1749,28 @@ static int lak_base64_decode(
-
- int rc, i, tlen = 0;
- char *text;
-- EVP_ENCODE_CTX EVP_ctx;
-+ EVP_ENCODE_CTX *enc_ctx = EVP_ENCODE_CTX_new();
-
-- text = (char *)malloc(((strlen(src)+3)/4 * 3) + 1);
- if (text == NULL)
- return LAK_NOMEM;
-
-- EVP_DecodeInit(&EVP_ctx);
-- rc = EVP_DecodeUpdate(&EVP_ctx, text, &i, (char *)src, strlen(src));
-+ text = (char *)malloc(((strlen(src)+3)/4 * 3) + 1);
-+ if (text == NULL) {
-+ EVP_ENCODE_CTX_free(enc_ctx);
-+ return LAK_NOMEM;
-+ }
-+
-+ EVP_DecodeInit(enc_ctx);
-+ rc = EVP_DecodeUpdate(enc_ctx, (unsigned char *) text, &i, (const unsigned char *)src, strlen(src));
- if (rc < 0) {
-+ EVP_ENCODE_CTX_free(enc_ctx);
- free(text);
- return LAK_FAIL;
- }
- tlen += i;
-- EVP_DecodeFinal(&EVP_ctx, text, &i);
-+ EVP_DecodeFinal(enc_ctx, (unsigned char *) text, &i);
-+
-+ EVP_ENCODE_CTX_free(enc_ctx);
-
- *ret = text;
- if (rlen != NULL)
-@@ -1749,7 +1786,7 @@ static int lak_check_hashed(
- {
- int rc, clen;
- LAK_HASH_ROCK *hrock = (LAK_HASH_ROCK *) rock;
-- EVP_MD_CTX mdctx;
-+ EVP_MD_CTX *mdctx;
- const EVP_MD *md;
- unsigned char digest[EVP_MAX_MD_SIZE];
- char *cred;
-@@ -1758,17 +1795,24 @@ static int lak_check_hashed(
- if (!md)
- return LAK_FAIL;
-
-+ mdctx = EVP_MD_CTX_new();
-+ if (!mdctx)
-+ return LAK_NOMEM;
-+
- rc = lak_base64_decode(hash, &cred, &clen);
-- if (rc != LAK_OK)
-+ if (rc != LAK_OK) {
-+ EVP_MD_CTX_free(mdctx);
- return rc;
-+ }
-
-- EVP_DigestInit(&mdctx, md);
-- EVP_DigestUpdate(&mdctx, passwd, strlen(passwd));
-+ EVP_DigestInit(mdctx, md);
-+ EVP_DigestUpdate(mdctx, passwd, strlen(passwd));
- if (hrock->salted) {
-- EVP_DigestUpdate(&mdctx, &cred[EVP_MD_size(md)],
-+ EVP_DigestUpdate(mdctx, &cred[EVP_MD_size(md)],
- clen - EVP_MD_size(md));
- }
-- EVP_DigestFinal(&mdctx, digest, NULL);
-+ EVP_DigestFinal(mdctx, digest, NULL);
-+ EVP_MD_CTX_free(mdctx);
-
- rc = memcmp((char *)cred, (char *)digest, EVP_MD_size(md));
- free(cred);
diff --git a/main/cyrus-sasl/saslauthd.initd b/main/cyrus-sasl/saslauthd.initd
index 2707f533d6e6..728577004016 100644
--- a/main/cyrus-sasl/saslauthd.initd
+++ b/main/cyrus-sasl/saslauthd.initd
@@ -1,22 +1,13 @@
#!/sbin/openrc-run
-# Copyright 1999-2007 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/dev-libs/cyrus-sasl/files/saslauthd2.rc6,v 1.7 2007/04/07 13:03:55 chtekk Exp $
+command="/usr/sbin/saslauthd"
+command_args=${SASLAUTHD_OPTS:--a sasldb}
+pidfile="/run/saslauthd/saslauthd.pid"
depend() {
need net
after firewall
}
-start() {
- ebegin "Starting saslauthd"
- start-stop-daemon --start --quiet --exec /usr/sbin/saslauthd \
- -- ${SASLAUTHD_OPTS}
- eend $?
-}
-
-stop() {
- ebegin "Stopping saslauthd"
- start-stop-daemon --stop --quiet --pidfile /var/run/saslauthd/saslauthd.pid
- eend $?
+start_pre() {
+ checkpath --directory --mode 0775 /run/saslauthd
}
--
GitLab