Submitted By: Armin K. Date: 2012-04-01 Initial Package Version: 2.1.25 Upstream Status: Unknown Origin: Debian Description: Various package fixes, including BDB 5.x build fix, LDAPDB and GSSAPI build fixes, plugin loading fixes, documentation typos, dovecot authentification fixes and shadow authentification fix.
--- cyrus-sasl.orig/lib/checkpw.c 2009-12-03 20:07:01.000000000 +0100
+++ cyrus-sasl/lib/checkpw.c 2012-04-01 12:30:31.124336510 +0200
@@ -587,16 +587,14 @@
 /* Timeout. */
 errno = ETIMEDOUT;
 return -1;
- case +1:
- if (FD_ISSET(fd, &rfds)) {
- /* Success, file descriptor is readable. */
- return 0;
- }
- return -1;
 case -1:
 if (errno == EINTR || errno == EAGAIN) continue;
 default:
+ if (FD_ISSET(fd, &rfds)) {
+ /* Success, file descriptor is readable. */
+ return 0;
+ }
 /* Error catch-all. */
 return -1;
 }
--- cyrus-sasl.orig/lib/common.c 2011-09-02 14:58:01.000000000 +0200
+++ cyrus-sasl/lib/common.c 2012-04-01 12:27:52.893087046 +0200
@@ -818,7 +818,7 @@
 result = sasl_canonuser_add_plugin("INTERNAL", internal_canonuser_init);
 if(result != SASL_OK) return result;
- if (!free_mutex) {
+ if (!free_mutex || free_mutex == 0x1) {
 free_mutex = sasl_MUTEX_ALLOC();
 }
 if (!free_mutex) return SASL_FAIL;
@@ -838,6 +838,11 @@
 /* serialize disposes. this is necessary because we can't dispose of conn->mutex if someone else is locked on it */
+
+ if (!free_mutex || free_mutex == 0x1)
+ free_mutex = sasl_MUTEX_ALLOC();
+ if (!free_mutex) return SASL_FAIL;
+
 result = sasl_MUTEX_LOCK(free_mutex);
 if (result!=SASL_OK) return;
--- cyrus-sasl.orig/lib/dlopen.c 2009-12-03 20:07:01.000000000 +0100
+++ cyrus-sasl/lib/dlopen.c 2012-04-01 12:29:44.564379243 +0200
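Review bot: Moving the FD_ISSET test under `default:` lets a failed select() reach it: `case -1:` falls through into `default:` whenever errno is not EINTR or EAGAIN, and since POSIX leaves the fd sets untouched on failure, `fd` is still set from before the call, so an error such as EBADF now returns 0 ("readable") where the old code returned -1. Close the error arm before the fall-through, `if (errno == EINTR || errno == EAGAIN) continue;` followed by `return -1;`, so only a positive select() result can hit the FD_ISSET check. The enclosing function begins outside this hunk.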
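Review bot: `free_mutex == 0x1` compares a pointer with an integer constant, which is a constraint violation in C (GCC only warns) and leaves the reader guessing what 0x1 means; presumably it is a sentinel that some other code in common.c stores into free_mutex after freeing the mutex, which this hunk does not show. Compare against a typed, named sentinel instead, e.g. `if (!free_mutex || free_mutex == (void *)0x1) {`, and use the same name at the writer. The hunk at @838 in this file repeats the comparison. The enclosing function begins and ends outside this hunk.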
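Review bot: `if (!free_mutex) return SASL_FAIL;` returns a value from a function that the next context line (`if (result!=SASL_OK) return;`) shows to be void, which is a constraint violation in C and at best a compiler warning, so the failure path is not what it appears. Use `if (!free_mutex) return;` and report the failed allocation through _sasl_log so a silently skipped dispose is at least visible. Allocating the serialization lock lazily inside the dispose path also means concurrent first disposers race on the allocation itself, since nothing visible in the hunk orders them; that deserves a comment if it is accepted. The enclosing function begins and ends outside this hunk.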
@@ -247,105 +247,6 @@
 return result;
 }
-/* this returns the file to actually open.
- * out should be a buffer of size PATH_MAX
- * and may be the same as in. */
-
-/* We'll use a static buffer for speed unless someone complains */
-#define MAX_LINE 2048
-
-static int _parse_la(const char *prefix, const char *in, char *out)
-{
- FILE *file;
- size_t length;
- char line[MAX_LINE];
- char *ntmp = NULL;
-
- if(!in || !out || !prefix || out == in) return SASL_BADPARAM;
-
- /* Set this so we can detect failure */
- *out = '\0';
-
- length = strlen(in);
-
- if (strcmp(in + (length - strlen(LA_SUFFIX)), LA_SUFFIX)) {
- if(!strcmp(in + (length - strlen(SO_SUFFIX)),SO_SUFFIX)) {
- /* check for a .la file */
- strcpy(line, prefix);
- strcat(line, in);
- length = strlen(line);
- *(line + (length - strlen(SO_SUFFIX))) = '\0';
- strcat(line, LA_SUFFIX);
- file = fopen(line, "r");
- if(file) {
- /* We'll get it on the .la open */
- fclose(file);
- return SASL_FAIL;
- }
- }
- strcpy(out, prefix);
- strcat(out, in);
- return SASL_OK;
- }
-
- strcpy(line, prefix);
- strcat(line, in);
-
- file = fopen(line, "r");
- if(!file) {
- _sasl_log(NULL, SASL_LOG_WARN,
- "unable to open LA file: %s", line);
- return SASL_FAIL;
- }
-
- while(!feof(file)) {
- if(!fgets(line, MAX_LINE, file)) break;
- if(line[strlen(line) - 1] != '\n') {
- _sasl_log(NULL, SASL_LOG_WARN,
- "LA file has too long of a line: %s", in);
- return SASL_BUFOVER;
- }
- if(line[0] == '\n' || line[0] == '#') continue;
- if(!strncmp(line, "dlname=", sizeof("dlname=") - 1)) {
- /* We found the line with the name in it */
- char *end;
- char *start;
- size_t len;
- end = strrchr(line, '\'');
- if(!end) continue;
- start = &line[sizeof("dlname=")-1];
- len = strlen(start);
- if(len > 3 && start[0] == '\'') {
- ntmp=&start[1];
- *end='\0';
- /* Do we have dlname="" ? */
- if(ntmp == end) {
- _sasl_log(NULL, SASL_LOG_DEBUG,
- "dlname is empty in .la file: %s", in);
- return SASL_FAIL;
- }
- strcpy(out, prefix);
- strcat(out, ntmp);
- }
- break;
- }
- }
- if(ferror(file) || feof(file)) {
- _sasl_log(NULL, SASL_LOG_WARN,
- "Error reading .la: %s\n", in);
- fclose(file);
- return SASL_FAIL;
- }
- fclose(file);
-
- if(!(*out)) {
- _sasl_log(NULL, SASL_LOG_WARN,
- "Could not find a dlname line in .la file: %s", in);
- return SASL_FAIL;
- }
-
- return SASL_OK;
-}
 #endif /* DO_DLOPEN */
 /* loads a plugin library */
@@ -499,18 +400,18 @@
 if (length + pos>=PATH_MAX) continue; /* too big */
 if (strcmp(dir->d_name + (length - strlen(SO_SUFFIX)),
- SO_SUFFIX)
- && strcmp(dir->d_name + (length - strlen(LA_SUFFIX)),
- LA_SUFFIX))
+ SO_SUFFIX))
 continue;
+ /* We only use .so files for loading plugins */
+
 memcpy(name,dir->d_name,length);
 name[length]='\0';
- result = _parse_la(prefix, name, tmp);
- if(result != SASL_OK)
- continue;
-
+ /* Create full name with path */
+ strncpy(tmp, prefix, PATH_MAX);
+ strncat(tmp, name, PATH_MAX);
+
 /* skip "lib" and cut off suffix -- this only need be approximate */
 strcpy(plugname, name + 3);
--- cyrus-sasl.orig/plugins/gssapi.c 2011-05-11 21:25:55.000000000 +0200
+++ cyrus-sasl/plugins/gssapi.c 2012-04-01 12:30:17.442055118 +0200
@@ -370,7 +370,7 @@
 }
 if (output_token->value && output) {
- unsigned char * p = (unsigned char *) text->encode_buf;
+ int len;
 ret = _plug_buf_alloc(text->utils, &(text->encode_buf),
@@ -384,11 +384,8 @@
 return ret;
 }
- p[0] = (output_token->length>>24) & 0xFF;
- p[1] = (output_token->length>>16) & 0xFF;
- p[2] = (output_token->length>>8) & 0xFF;
- p[3] = output_token->length & 0xFF;
-
+ len = htonl(output_token->length);
+ memcpy(text->encode_buf, &len, 4);
 memcpy(text->encode_buf + 4, output_token->value, output_token->length);
 }
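Review bot: `strncat(tmp, name, PATH_MAX)` passes the buffer size where strncat expects the remaining room, so it can append up to PATH_MAX bytes plus a terminator after whatever `strncpy(tmp, prefix, PATH_MAX)` already placed, and that strncpy itself leaves tmp unterminated when prefix fills it. The earlier `if (length + pos>=PATH_MAX) continue;` probably keeps the total in bounds (pos and the size of tmp are declared outside the hunk, so confirm), but the idiom is wrong and every static checker will flag it; build the path with one bounded, always-terminated call: `if (snprintf(tmp, PATH_MAX, "%s%s", prefix, name) >= PATH_MAX) continue;`. The enclosing function begins and ends outside this hunk.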
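Review bot: `int len;` receives the result of htonl(), which yields an unsigned 32-bit value, so this declaration and the `memcpy(text->encode_buf, &len, 4)` in the following hunk (@384) only work where int is exactly four bytes, an assumption the byte-wise code being removed did not make. Declare `uint32_t len;` and copy `sizeof len` bytes; htonl also needs <arpa/inet.h>, which these hunks do not show being included, so verify it is. output_token->length is narrowed to 32 bits either way, matching the old code. The enclosing function begins and ends outside the hunks.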
@@ -1480,10 +1477,10 @@
 }
 /* Setup req_flags properly */
- req_flags = GSS_C_INTEG_FLAG;
+ req_flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
 if (params->props.max_ssf > params->external_ssf) {
 /* We are requesting a security layer */
- req_flags |= GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
+ req_flags |= GSS_C_INTEG_FLAG;
 /* Any SSF bigger than 1 is confidentiality. */
 /* Let's check if the client of the API requires confidentiality, and it wasn't already provided by an external layer */
--- cyrus-sasl.orig/plugins/ldapdb.c 2011-05-11 21:25:55.000000000 +0200
+++ cyrus-sasl/plugins/ldapdb.c 2012-04-01 12:29:19.622866806 +0200
@@ -251,6 +251,8 @@
 #if defined(LDAP_PROXY_AUTHZ_FAILURE)
 case LDAP_PROXY_AUTHZ_FAILURE:
+#elif defined(LDAP_X_PROXY_AUTHZ_FAILURE)
+ case LDAP_X_PROXY_AUTHZ_FAILURE:
 #endif
 case LDAP_INAPPROPRIATE_AUTH:
 case LDAP_INVALID_CREDENTIALS:
--- cyrus-sasl.orig/saslauthd/auth_rimap.c 2009-12-03 20:07:03.000000000 +0100
+++ cyrus-sasl/saslauthd/auth_rimap.c 2012-04-01 12:30:31.123336490 +0200
@@ -1,3 +1,4 @@
+
 /* MODULE: auth_rimap */
 /* COPYRIGHT
@@ -367,6 +368,30 @@
 alarm(NETWORK_IO_TIMEOUT);
 rc = read(s, rbuf, sizeof(rbuf));
 alarm(0);
+ if ( rc>0 ) {
+ /* check if there is more to read */
+ fd_set perm;
+ int fds, ret;
+ struct timeval timeout;
+
+ FD_ZERO(&perm);
+ FD_SET(s, &perm);
+ fds = s +1;
+
+ timeout.tv_sec = 1;
+ timeout.tv_usec = 0;
+ while( select (fds, &perm, NULL, NULL, &timeout ) >0 ) {
+ if ( FD_ISSET(s, &perm) ) {
+ ret = read(s, rbuf+rc, sizeof(rbuf)-rc);
+ if ( ret<0 ) {
+ rc = ret;
+ break;
+ } else {
+ rc += ret;
+ }
+ }
+ }
+ }
 if (rc == -1) {
 syslog(LOG_WARNING, "auth_rimap: read (banner): %m");
 (void) close(s);
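Review bot: Swapping which flags are unconditional changes what the context negotiates, not how it builds: mutual authentication and sequence detection are now requested on every context, and GSS_C_INTEG_FLAG only when `params->props.max_ssf > params->external_ssf`, whereas before integrity was always requested and mutual/sequence only with a security layer. Requesting mutual authentication unconditionally is the safer default, but the patch header describes this file's changes as build fixes, so the intent should be recorded, and any later test of ret_flags for GSS_C_INTEG_FLAG (outside this hunk) must cope with it being absent when no layer is negotiated. The enclosing function begins and ends outside this hunk.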
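Review bot: The drain loop has no exit for a zero-length read: once the server closes the connection, or once rbuf is full so that `sizeof(rbuf)-rc` is 0, select() keeps reporting s readable and read() keeps returning 0, so the loop spins until the one-second `timeout` expires, and on platforms that do not decrement the timeval it never does. It also runs after `alarm(0)`, so NETWORK_IO_TIMEOUT no longer bounds how long a slow or silent peer can hold this worker. Treat 0 as end of input, `if ( ret<=0 ) {` / `if ( ret<0 ) rc = ret;` / `break;`, and either re-arm the alarm around the loop or cap its total duration. The same block is pasted again in the hunk at @456 (new @481); a shared helper would keep the two fixes from drifting. The enclosing function begins outside this hunk.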
@@ -456,6 +481,30 @@
 alarm(NETWORK_IO_TIMEOUT);
 rc = read(s, rbuf, sizeof(rbuf));
 alarm(0);
+ if ( rc>0 ) {
+ /* check if there is more to read */
+ fd_set perm;
+ int fds, ret;
+ struct timeval timeout;
+
+ FD_ZERO(&perm);
+ FD_SET(s, &perm);
+ fds = s +1;
+
+ timeout.tv_sec = 1;
+ timeout.tv_usec = 0;
+ while( select (fds, &perm, NULL, NULL, &timeout ) >0 ) {
+ if ( FD_ISSET(s, &perm) ) {
+ ret = read(s, rbuf+rc, sizeof(rbuf)-rc);
+ if ( ret<0 ) {
+ rc = ret;
+ break;
+ } else {
+ rc += ret;
+ }
+ }
+ }
+ }
 (void) close(s); /* we're done with the remote */
 if (rc == -1) {
 syslog(LOG_WARNING, "auth_rimap: read (response): %m");
--- cyrus-sasl.orig/saslauthd/auth_shadow.c 2009-12-03 20:07:03.000000000 +0100
+++ cyrus-sasl/saslauthd/auth_shadow.c 2012-04-01 12:28:24.619737694 +0200
@@ -36,6 +36,7 @@
 #ifdef AUTH_SHADOW
+#define _XOPEN_SOURCE
 #define PWBUFSZ 256 /***SWB***/
 # include
--- cyrus-sasl.orig/saslauthd/saslauthd.mdoc 2009-12-03 20:07:03.000000000 +0100
+++ cyrus-sasl/saslauthd/saslauthd.mdoc 2012-04-01 12:26:58.090964382 +0200
@@ -10,7 +10,7 @@
 .\" manpage in saslauthd.8 whenever you change this source
 .\" version. Only the pre-formatted manpage is installed.
 .\"
-.Dd 10 24 2002
+.Dd October 24 2002
 .Dt SASLAUTHD 8
 .Os "CMU-SASL"
 .Sh NAME
@@ -216,7 +216,7 @@
 .Em (All platforms that support OpenLDAP 2.0 or higher)
 .Pp
 Authenticate against an ldap server. The ldap configuration parameters are
-read from /usr/local/etc/saslauthd.conf. The location of this file can be
+read from /etc/saslauthd.conf. The location of this file can be
 changed with the -O parameter. See the LDAP_SASLAUTHD file included with the distribution for the list of available parameters.
 .It Li sia
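Review bot: `#define _XOPEN_SOURCE` sits inside `#ifdef AUTH_SHADOW` at line 36; a feature-test macro only takes effect if it is defined before the first system header is included, so if anything above this point (not visible here) already pulled in a libc header the define is too late, and it will also trigger a redefinition warning wherever the build already sets it. Define it, guarded with `#ifndef _XOPEN_SOURCE`, before every include or pass it through CPPFLAGS, and give it an explicit value such as `#define _XOPEN_SOURCE 500` so the set of declarations it enables is deterministic rather than the bare-macro default.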
@@ -249,7 +249,7 @@
 .Bl -tag -width "/var/run/saslauthd/mux"
 .It Pa /var/run/saslauthd/mux
 The default communications socket.
-.It Pa /usr/local/etc/saslauthd.conf
+.It Pa /etc/saslauthd.conf
 The default configuration file for ldap support.
 .El
 .Sh SEE ALSO
--- cyrus-sasl.orig/sasldb/db_berkeley.c 2011-09-02 14:58:02.000000000 +0200
+++ cyrus-sasl/sasldb/db_berkeley.c 2012-04-01 12:29:02.720519690 +0200
@@ -101,7 +101,7 @@
 ret = db_create(mbdb, NULL, 0);
 if (ret == 0 && *mbdb != NULL) {
-#if DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR >= 1
+#if (DB_VERSION_MAJOR > 4) || ((DB_VERSION_MAJOR == 4) && (DB_VERSION_MINOR >= 1))
 ret = (*mbdb)->open(*mbdb, NULL, path, NULL, DB_HASH, flags, 0660);
 #else
 ret = (*mbdb)->open(*mbdb, path, NULL, DB_HASH, flags, 0660);
--- cyrus-sasl.orig/utils/dbconverter-2.c 2003-02-13 20:56:17.000000000 +0100
+++ cyrus-sasl/utils/dbconverter-2.c 2012-04-01 12:29:02.722519730 +0200
@@ -214,7 +214,7 @@
 ret = db_create(mbdb, NULL, 0);
 if (ret == 0 && *mbdb != NULL) {
-#if DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR >= 1
+#if (DB_VERSION_MAJOR > 4) || ((DB_VERSION_MAJOR == 4) && (DB_VERSION_MINOR >= 1))
 ret = (*mbdb)->open(*mbdb, NULL, path, NULL, DB_HASH, DB_CREATE, 0664);
 #else
 ret = (*mbdb)->open(*mbdb, path, NULL, DB_HASH, DB_CREATE, 0664);