Package: cyrus-sasl2 / 2.1.28+dfsg1-10

Metadata

Package: cyrus-sasl2
Version: 2.1.28+dfsg1-10
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
0001 plugins digestmd5 Remove debug log mech free.patch | (download)

plugins/digestmd5.c | 3 0 + 3 - 0 !
1 file changed, 3 deletions(-)

 plugins/digestmd5: remove debug log "mech free"

The "DIGEST-MD5 common mech free" debug log message is bothering many users.
It is not really helpful, so drop it.

Fixes #386.

Signed-off-by: Bastian Germann <bage@debian.org>

0002 Use etc sasldb2 instead of . sasldb in the testsuite.patch | (download)

utils/testsuite.c | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 use /etc/sasldb2 instead of ./sasldb in the testsuite


0003 Update saslauthd.conf location in documentation.patch | (download)

saslauthd/saslauthd.mdoc | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 update saslauthd.conf location in documentation

date format (cosmetic).

0028 utils Link libcrypto.patch | (download)

utils/Makefile.am | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 utils: link libcrypto

With sasl_checkapop enabled, testsuite uses libcrypto functions.

Signed-off-by: Bastian Germann <bage@debian.org>

0004 Include dbconverter 2 in sbin_PROGRAMS and set defau.patch | (download)

utils/Makefile.am | 4 2 + 2 - 0 !
utils/dbconverter-2.c | 4 2 + 2 - 0 !
2 files changed, 4 insertions(+), 4 deletions(-)

 include dbconverter-2 in sbin_programs and set default sasldb file
 to /etc/sasldb2

database file to /etc/sasldb2.

0005 Fix time check.patch | (download)

configure.ac | 2 1 + 1 - 0 !
plugins/cram.c | 4 4 + 0 - 0 !
2 files changed, 5 insertions(+), 1 deletion(-)

 fix <time.h> check

We're conditionally including based on HAVE_TIME_H in a bunch of places,
but we're not actually checking for time.h, so that's never going to be defined.

While at it, add in a missing include in the cram plugin.

This fixes a bunch of implicit declaration warnings:
```
 * cyrus-sasl-2.1.28/lib/saslutil.c:280:3: warning: implicit declaration of function time [-Wimplicit-function-declaration]
 * cyrus-sasl-2.1.28/lib/saslutil.c:364:41: warning: implicit declaration of function clock [-Wimplicit-function-declaration]
 * cyrus-sasl-2.1.28/plugins/cram.c:132:7: warning: implicit declaration of function time [-Wimplicit-function-declaration]
 * cyrus-sasl-2.1.28/lib/saslutil.c:280:3: warning: implicit declaration of function time [-Wimplicit-function-declaration]
 * cyrus-sasl-2.1.28/lib/saslutil.c:364:41: warning: implicit declaration of function clock [-Wimplicit-function-declaration]
 * cyrus-sasl-2.1.28/plugins/cram.c:132:7: warning: implicit declaration of function time [-Wimplicit-function-declaration]
```

Signed-off-by: Sam James <sam@gentoo.org>

0006 Makefile.am Set date in man pages.patch | (download)

Makefile.am | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 makefile.am: set date in man pages.

The build date is embedded in the man pages by default. Pass arguments
to sphinx to use the date defined in SOURCE_DATE_EPOCH.

https://reproducible-builds.org/docs/source-date-epoch/

0008 Don t overwrite PIC objects with non PIC variant.patch | (download)

lib/Makefile.am | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 don't overwrite pic objects with non-pic variant

This patch makes sure the non-PIC version of libsasldb.a, which
is created out of non-PIC objects, is not going to overwrite the PIC version,
which is created out of PIC objects. The PIC version is placed in .libs, and
the non-PIC version in the current directory.  This ensures that both non-PIC
and PIC versions are available in the correct locations.

0007 Self reference pluginviewer man as saslpluginviewer.patch | (download)

utils/pluginviewer.8 | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 self-reference pluginviewer man as saslpluginviewer

pluginviewer is installed as saslpluginviewer in Debian.
Edit the self-references in Debian to match the rename.

Signed-off-by: Bastian Germann <bage@debian.org>

0009 Look for generic Berkeley DB first.patch | (download)

m4/berkdb.m4 | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 look for generic berkeley db first


0010 Add sasldbconverter2.8.patch | (download)

utils/sasldbconverter2.8 | 61 61 + 0 - 0 !
1 file changed, 61 insertions(+)

 add sasldbconverter2.8

The file stems from version 2.1.28 and is not included in the distribution
tarball.

0011 honor log_level option on clients too.patch | (download)

include/saslplug.h | 2 1 + 1 - 0 !
lib/client.c | 5 4 + 1 - 0 !
lib/common.c | 7 6 + 1 - 0 !
3 files changed, 11 insertions(+), 3 deletions(-)

 fix #386 - honor log_level option on clients too

Signed-off-by: Howard Chu <hyc@symas.com>

0015 Replace MD5 with OpenSSL legacy implementation.patch | (download)

include/Makefile.am | 2 1 + 1 - 0 !
include/hmac-md5.h | 4 2 + 2 - 0 !
include/saslplug.h | 3 0 + 3 - 0 !
lib/Makefile.am | 2 1 + 1 - 0 !
lib/common.c | 6 3 + 3 - 0 !
lib/md5.c | 353 44 + 309 - 0 !
6 files changed, 51 insertions(+), 319 deletions(-)

 replace md5 with openssl legacy implementation

Require OpenSSL for the build so that it can be used always.
Drop the internal MD5 implementation and replace every occurrence.
Keep the HMAC MD5 implementation for now but base it on OpenSSL.

Fixes: #513, #712

Signed-off-by: Bastian Germann <bage@debian.org>

0012 Make the libsasl2 symbols versioned.patch | (download)

Versions | 7 7 + 0 - 0 !
lib/Makefile.am | 3 2 + 1 - 0 !
2 files changed, 9 insertions(+), 1 deletion(-)

 make the libsasl2 symbols versioned


0013 Don t use la files for opening plugins.patch | (download)

lib/dlopen.c | 121 7 + 114 - 0 !
1 file changed, 7 insertions(+), 114 deletions(-)

 don't use la files for opening plugins


0014 Prevent recreating of md5global.patch | (download)

include/Makefile.am | 9 0 + 9 - 0 !
1 file changed, 9 deletions(-)

 prevent recreating of md5global

0016 saslauthd Replace MD5 with OpenSSL EVP implementation.patch | (download)

saslauthd/Makefile.am | 5 2 + 3 - 0 !
saslauthd/cache.c | 11 5 + 6 - 0 !
2 files changed, 7 insertions(+), 9 deletions(-)

 saslauthd: replace md5 with openssl evp implementation

Signed-off-by: Bastian Germann <bage@debian.org>

0017 Just completely remove libobj from autotools files.patch | (download)

configure.ac | 55 1 + 54 - 0 !
lib/Makefile.am | 16 1 + 15 - 0 !
plugins/Makefile.am | 3 0 + 3 - 0 !
saslauthd/Makefile.am | 6 2 + 4 - 0 !
4 files changed, 4 insertions(+), 76 deletions(-)

 just completely remove libobj from autotools files


0018 Temporary multiarch fixes.patch | (download)

configure.ac | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 temporary multiarch fixes


0019 Add reference to LDAP_SASLAUTHD file to the saslauth.patch | (download)

saslauthd/saslauthd.mdoc | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 add reference to ldap_saslauthd file to the saslauthd documentation


0020 Exclude md5global.patch | (download)

include/hmac-md5.h | 4 2 + 2 - 0 !
lib/md5.c | 7 4 + 3 - 0 !
2 files changed, 6 insertions(+), 5 deletions(-)

 exclude md5global.h


0021 Replace custom memset with OPENSSL_cleanse.patch | (download)

lib/md5.c | 34 10 + 24 - 0 !
1 file changed, 10 insertions(+), 24 deletions(-)

 replace custom memset with openssl_cleanse

memset can be elided by linkers, so rely on a function that prevents
that behaviour. Alternatives would be explicit_bzero or the C23
memset_explicit. However, both of them have portability issues.

As OpenSSL is in use in this module anyway, use its OPENSSL_cleanse.

Signed-off-by: Bastian Germann <bage@debian.org>

0022 Replace custom with standard memcpy.patch | (download)

lib/md5.c | 27 4 + 23 - 0 !
1 file changed, 4 insertions(+), 23 deletions(-)

 replace custom with standard memcpy

Signed-off-by: Bastian Germann <bage@debian.org>

0023 Add a note on the RSA MD license.patch | (download)

lib/md5.c | 14 12 + 2 - 0 !
1 file changed, 12 insertions(+), 2 deletions(-)

 add a note on the rsa-md license

Signed-off-by: Bastian Germann <bage@debian.org>

0024 Relicense md5.patch | (download)

lib/md5.c | 76 41 + 35 - 0 !
1 file changed, 41 insertions(+), 35 deletions(-)

 relicense md5.c

"As explained in dffe0b3e86925c95e6f30ec0f2de9fb0c439c7bc, the
RSA-MD-licensed file md5.c can be relicensed easily because the
third-party code that was licensed under RSA-MD is eliminated by now."
-- Bastian Germann <bage@debian.org> in GitHub issue #769

The commit referenced was part of GitHub PR #767 and was authored by
Bastian Germann.

I reviewed the commit history on this file.  I concurred with Bastian's
original assessment that the relevant detail was Rob Earhart's code,
and Bastian agreed with my analysis in the bug.

The next step was confirming that the MD5 code that Rob Earhart
contributed was/is licensed under the same license as the rest of the
project.  This is a reasonable assumption, as he was one of the main
authors of the original code, and everything else he contributed was
under that license.

However, to avoid ambiguity or assumptions, I emailed Rob Earhart.
He responded today, confirming:

On 2023-06-28 12:14, Rob Earhart wrote:
> Any code I wrote for the Cyrus SASL project has my permission to be
> used under that main license.

Fixes #769

Signed-off-by: Richard Laager <rlaager@wiktel.com>

0025 Revert upstream soname bump.patch | (download)

lib/Makefile.am | 2 1 + 1 - 0 !
plugins/Makefile.am | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 revert upstream soname bump


0026 Gracefully handle failed init.patch | (download)

plugins/digestmd5.c | 16 14 + 2 - 0 !
1 file changed, 14 insertions(+), 2 deletions(-)

 [patch] gracefully handle failed initializations

In OpenSSL 3.0 these algorithms have been moved to the legacy provider
which is not enabled by default. This means allocations can and do fail.
Handle failed allocations by returning an actual error instead of
crashing later with a NULL context.

Signed-off-by: Simo Sorce <simo@redhat.com>

0027 Catch errors from EVP_Digest functions.patch | (download)

saslauthd/lak.c | 32 25 + 7 - 0 !
1 file changed, 25 insertions(+), 7 deletions(-)

 [patch] catch errors from evp_digest* functions

In OpenSSL 3.0 digest init can fail simply because a legacy provider is
not loaded or FIPS mode is active and the digest is not allowed.
If the errors are not handled the application may crash later trying to
access uninitialized contexts.

Signed-off-by: Simo Sorce <simo@redhat.com>

0029 Load OpenSSL3 legacy provider digestmd5.patch | (download)

plugins/digestmd5.c | 189 140 + 49 - 0 !
1 file changed, 140 insertions(+), 49 deletions(-)

 [patch] add support for loading legacy provider

OpenSSL 3.0 is moving a number of functions into the legacy provider.
This provider is not loaded by default, so applications that need to
use legacy algorithms must either load them explicitly or admins
have to explicitly load the legacy provider to their openssl conf file.

The latter is bad as it will enable legacy providers system-wide; it
also requires manual intervention. Programmatically load the legacy
provider for older plugins that have no good cipher option to fall
back on.

Signed-off-by: Simo Sorce <simo@redhat.com>

0030 testsuite Replace MD5 with OpenSSL EVP implementation.patch | (download)

utils/testsuite.c | 12 7 + 5 - 0 !
1 file changed, 7 insertions(+), 5 deletions(-)

 testsuite: replace md5 with openssl evp implementation

Signed-off-by: Bastian Germann <bage@debian.org>

0031 checkpw Replace MD5 with OpenSSL EVP implementation.patch | (download)

lib/checkpw.c | 24 13 + 11 - 0 !
1 file changed, 13 insertions(+), 11 deletions(-)

 checkpw: replace md5 with openssl evp implementation

Signed-off-by: Bastian Germann <bage@debian.org>

0032 Add with_pgsql include postgresql to include path.patch | (download)

configure.ac | 4 3 + 1 - 0 !
1 file changed, 3 insertions(+), 1 deletion(-)

 add ${with_pgsql}include/postgresql/ to include path


0033 Check for gssapi_krb5.h before testing a resulting value.patch | (download)

m4/sasl2.m4 | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 sasl2.m4: check for gssapi_krb5.h before testing a resulting value

When <gssapi/gssapi_krb5.h> stems from Heimdal but
build-heimdal/config.h doesn't define HAVE_GSSAPI_GSSAPI_KRB5_H,
<gssapi/gssapi_krb5.h> is not included.

The header file is only checked if gsskrb5_register_acceptor_identity is
not found.

Move the header check so that it works for both KRB5 and Heimdal.

Link: https://bugs.debian.org/1066214
Signed-off-by: Bastian Germann <bage@debian.org>

0034 channel binding gssapi gss spnego.patch | (download)

plugins/gssapi.c | 30 25 + 5 - 0 !
1 file changed, 25 insertions(+), 5 deletions(-)

 add channel binding support for gssapi/gss-spnego

Signed-off-by: Simo Sorce <simo@redhat.com>

0035 Add support for setting max ssf 0 to GSS SPNEGO 1.patch | (download)

m4/sasl2.m4 | 13 13 + 0 - 0 !
plugins/gssapi.c | 44 43 + 1 - 0 !
2 files changed, 56 insertions(+), 1 deletion(-)

 add support for setting max ssf 0 to gss-spnego

This is needed to interop with Windows within a TLS channel.

Signed-off-by: Simo Sorce <simo@redhat.com>

0035 Add support for setting max ssf 0 to GSS SPNEGO 2.patch | (download)

plugins/gssapi.c | 12 9 + 3 - 0 !
1 file changed, 9 insertions(+), 3 deletions(-)

 be more conformant to rfc4752

Although we need to be able to completely suppress Integrity and
Confidentiality flags in GSS-SPNEGO, we also need to be more conformant
to RFC4752 for the GSSAPI mechanism.

The RFC requires Integrity to always be set for SASL/GSSAPI; it also
requires MUTUAL/SEQUENCE flags to only be set if any Security Layer is
requested.

Finally, Confidentiality should be set only when requested, so change the
code that suppresses MIT krb5 setting CI flags not only in the SSF == 0
case but also when SSF == 1; the integrity flag in that case will be
explicitly set by our code and the NO_CI_FLAGS option will unset just
the CONF flag.

Signed-off-by: Simo Sorce <simo@redhat.com>

0036 Prevent linking via intersphinx.patch | (download)

docsrc/conf.py | 1 0 + 1 - 0 !
1 file changed, 1 deletion(-)

 prevent linking via intersphinx

0037 Extend the time_t format specifiers to 64 bit.patch | (download)

lib/saslutil.c | 4 2 + 2 - 0 !
plugins/otp.c | 10 6 + 4 - 0 !
saslauthd/saslcache.c | 2 1 + 1 - 0 !
3 files changed, 9 insertions(+), 7 deletions(-)

 extend the time_t format specifiers to long long

In some format strings, it is expected that time_t is the same size as long.
long is 32 bit for 32 bit architectures, while time_t might be 64 bit.
Extend the format string specifiers to long long, which can hold a
time_t regardless of the platform and libc configuration.

Closes: #484

Signed-off-by: Bastian Germann <bage@debian.org>

0038 Prevent six import.patch | (download)

docsrc/exts/sphinxlocal/builders/manpage.py | 3 1 + 2 - 0 !
1 file changed, 1 insertion(+), 2 deletions(-)

 prevent six import


0039 Harmonize MD5 signatures with OpenSSL.patch | (download)

include/saslplug.h | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 harmonize md5 signatures with openssl


0040 Harmonize getsubopt casts with glibc.patch | (download)

sample/sample-client.c | 8 4 + 4 - 0 !
sample/sample-server.c | 8 4 + 4 - 0 !
2 files changed, 8 insertions(+), 8 deletions(-)

 harmonize getsubopt casts with glibc


0041 digestmd5 Free RC4 cipher.patch | (download)

plugins/digestmd5.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 digestmd5: free rc4 cipher


0042 gcc 15.patch | (download)

lib/auxprop.c | 2 1 + 1 - 0 !
lib/canonusr.c | 6 3 + 3 - 0 !
lib/client.c | 6 3 + 3 - 0 !
lib/common.c | 40 20 + 20 - 0 !
lib/saslint.h | 8 4 + 4 - 0 !
lib/server.c | 32 16 + 16 - 0 !
saslauthd/auth_sasldb.c | 4 1 + 3 - 0 !
saslauthd/saslauthd-main.c | 12 8 + 4 - 0 !
saslauthd/saslauthd-main.h | 5 3 + 2 - 0 !
9 files changed, 59 insertions(+), 56 deletions(-)

 add compatibility for gcc 15 (#869)

Fedora 42 is going to use gcc 15 which changes some warnings into
errors. Address the issues raised.

The issues addressed include: