mirrors/aports
1
0
Fork 0
mirror of https://gitlab.alpinelinux.org/alpine/aports.git synced 2026-05-05 20:36:40 +02:00
Code Issues Packages Projects Releases Wiki Activity

main/cyrus-sasl: rebuild against openssl 1.1

Browse Source
This commit is contained in:
Natanael Copa 2018-10-26 13:26:10 +00:00
parent a248281db6
commit fe02999dad
2 changed files with 447 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
main/cyrus-sasl/APKBUILD
View File

@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=cyrus-sasl
pkgver=2.1.26
pkgrel=13
pkgrel=14
pkgdesc="Cyrus Simple Authentication Service Layer (SASL)"
url="https://cyrusimap.org/"
arch="all"
@ -12,27 +12,23 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-gssapi $pkgname-gs2
$pkgname-scram $pkgname-ntlm $pkgname-crammd5 $pkgname-digestmd5
libsasl $pkgname-openrc"
depends=
makedepends="db-dev libressl-dev heimdal-dev
makedepends="db-dev openssl-dev heimdal-dev
autoconf automake libtool"
source="ftp://ftp.cyrusimap.org/$pkgname/$pkgname-$pkgver.tar.gz
saslauthd.initd
cyrus-sasl-2.1.25-avoid_pic_overwrite.patch
cyrus-sasl-2.1.26-size_t.patch
CVE-2013-4122.patch
openssl-1.1.patch
"
# secfixes:
# 2.1.26-r7:
# - CVE-2013-4122
_builddir="$srcdir"/$pkgname-$pkgver
builddir="$srcdir"/$pkgname-$pkgver
prepare() {
cd "$_builddir"
for i in $source; do
case $i in
*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
esac
done
default_prepare
# the libtool they ship is broken
sed 's/AM_CONFIG_HEADER/AC_CONFIG_HEADERS/' -i configure.in || return 1
@ -43,7 +39,7 @@ prepare() {
}
build() {
cd "$_builddir"
cd "$builddir"
./configure \
--build=$CBUILD \
--host=$CHOST \
@ -61,15 +57,14 @@ build() {
--with-devrandom=/dev/urandom \
--without-ldap \
--with-saslauthd=/var/run/saslauthd \
--mandir=/usr/share/man \
|| return 1
--mandir=/usr/share/man
# parallell builds is broken
make -j1 || return 1
make -j1
}
package() {
cd "$srcdir"/cyrus-sasl-$pkgver
make -j1 DESTDIR="$pkgdir" install || return 1
make -j1 DESTDIR="$pkgdir" install
install -D -m644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING
install -Dm755 ../saslauthd.initd "$pkgdir"/etc/init.d/saslauthd
@ -81,7 +76,7 @@ _plugin() {
depends=
replaces="libsasl"
pkgdesc="Cyrus SASL plugin for $1"
mkdir -p "$subpkgdir"/$_plugindir || return 1
mkdir -p "$subpkgdir"/$_plugindir
mv "$pkgdir"/$_plugindir/lib${1}.so* "$subpkgdir"/$_plugindir/
}
@ -99,18 +94,9 @@ libsasl() {
mv "$pkgdir"/usr/lib "$subpkgdir"/usr/
}
md5sums="a7f4e5e559a0e37b3ffc438c9456e425 cyrus-sasl-2.1.26.tar.gz
6e7cbe301015777bf53d5f08ac4362f0 saslauthd.initd
085acdc345bcce896f3eea8956cc0892 cyrus-sasl-2.1.25-avoid_pic_overwrite.patch
bcaafcbc79054e8356217213d6eda16d cyrus-sasl-2.1.26-size_t.patch
8b3f65a7c8fbcbd7b7da2865f71b8aa7 CVE-2013-4122.patch"
sha256sums="8fbc5136512b59bb793657f36fadda6359cae3b08f01fd16b3d406f1345b7bc3 cyrus-sasl-2.1.26.tar.gz
d6d23c360d52cf35bf266ce32b7c0eccafd79f55daa3e97733a899c97211a90c saslauthd.initd
80cb9cf22b0507b503ff0cf6c5946a44eb5c3808e0a77e66d56d5a53e5e76fa7 cyrus-sasl-2.1.25-avoid_pic_overwrite.patch
b85b20bdd25b42098e07a8ba7e435f02b5cd882dcf69572c4d32de4a5e4f41bb cyrus-sasl-2.1.26-size_t.patch
e32013e7ba1d9a80c18524a413f3b3c4bfc325e1c07b1552908b631edb803346 CVE-2013-4122.patch"
sha512sums="78819cb9bb38bea4537d6770d309deeeef09ff44a67526177609d3e1257ff4334d2b5e5131d5a1e4dea7430d8db1918ea9d171f0dee38b5e8337f4b72ed068f0 cyrus-sasl-2.1.26.tar.gz
71a00a22f91f0fb6ba2796acede321a0f071b1d7a99616f0e36c354213777f30575c340b6df392dcbfc103ba7640d046144882f6a7b505f59709bb5c429b44d8 saslauthd.initd
033e3634116e1d3b316052dbe0b671cca0fcfb6063fca1a97d990c422c2ce05109a1e424e84ed9928dc0312a325a7248f2d2e3f9547f84453b36331c01f63be5 cyrus-sasl-2.1.25-avoid_pic_overwrite.patch
fe4c3e6d5230eb50b9e6885129760a12e7bce316b41a3e58b2c550fa83526b91205cd827f7d1367751313559875d32982b95b024b1a22300ac5b35214e7c2b78 cyrus-sasl-2.1.26-size_t.patch
08964bc3ad713e137b8f05f9bac345d79676d14784bc37525f195e8e2a3e6740428237b64f7eeeacc0c71ed6cf1664c6e9c2267ac6df327761d92174a1853744 CVE-2013-4122.patch"
08964bc3ad713e137b8f05f9bac345d79676d14784bc37525f195e8e2a3e6740428237b64f7eeeacc0c71ed6cf1664c6e9c2267ac6df327761d92174a1853744 CVE-2013-4122.patch
75541cf0a1b52f809ac9073b629a224fdb6e70a13ce0cf10c0ad0a12bf94887a725466e8000c2a412f20d88d8c4b8bc5be5a5bf74d752c529bc76cfa58755d8a openssl-1.1.patch"

435
main/cyrus-sasl/openssl-1.1.patch Normal file
View File

@ -0,0 +1,435 @@
diff -up cyrus-sasl-2.1.26/plugins/ntlm.c.openssl110 cyrus-sasl-2.1.26/plugins/ntlm.c
--- cyrus-sasl-2.1.26/plugins/ntlm.c.openssl110 2012-01-28 00:31:36.000000000 +0100
+++ cyrus-sasl-2.1.26/plugins/ntlm.c 2016-11-07 16:15:57.498259304 +0100
@@ -417,6 +417,29 @@ static unsigned char *P24(unsigned char
return P24;
}
+static HMAC_CTX *_plug_HMAC_CTX_new(const sasl_utils_t *utils)
+{
+ utils->log(NULL, SASL_LOG_DEBUG, "_plug_HMAC_CTX_new()");
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ return HMAC_CTX_new();
+#else
+ return utils->malloc(sizeof(HMAC_CTX));
+#endif
+}
+
+static void _plug_HMAC_CTX_free(HMAC_CTX *ctx, const sasl_utils_t *utils)
+{
+ utils->log(NULL, SASL_LOG_DEBUG, "_plug_HMAC_CTX_free()");
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ HMAC_CTX_free(ctx);
+#else
+ HMAC_cleanup(ctx);
+ utils->free(ctx);
+#endif
+}
+
static unsigned char *V2(unsigned char *V2, sasl_secret_t *passwd,
const char *authid, const char *target,
const unsigned char *challenge,
@@ -424,7 +447,7 @@ static unsigned char *V2(unsigned char *
const sasl_utils_t *utils,
char **buf, unsigned *buflen, int *result)
{
- HMAC_CTX ctx;
+ HMAC_CTX *ctx = NULL;
unsigned char hash[EVP_MAX_MD_SIZE];
char *upper;
unsigned int len;
@@ -435,6 +458,10 @@ static unsigned char *V2(unsigned char *
SETERROR(utils, "cannot allocate NTLMv2 hash");
*result = SASL_NOMEM;
}
+ else if ((ctx = _plug_HMAC_CTX_new(utils)) == NULL) {
+ SETERROR(utils, "cannot allocate HMAC CTX");
+ *result = SASL_NOMEM;
+ }
else {
/* NTLMv2hash = HMAC-MD5(NTLMhash, unicode(ucase(authid + domain))) */
P16_nt(hash, passwd, utils, buf, buflen, result);
@@ -449,17 +476,18 @@ static unsigned char *V2(unsigned char *
HMAC(EVP_md5(), hash, MD4_DIGEST_LENGTH, *buf, 2 * len, hash, &len);
/* V2 = HMAC-MD5(NTLMv2hash, challenge + blob) + blob */
- HMAC_Init(&ctx, hash, len, EVP_md5());
- HMAC_Update(&ctx, challenge, NTLM_NONCE_LENGTH);
- HMAC_Update(&ctx, blob, bloblen);
- HMAC_Final(&ctx, V2, &len);
- HMAC_cleanup(&ctx);
+ HMAC_Init_ex(ctx, hash, len, EVP_md5(), NULL);
+ HMAC_Update(ctx, challenge, NTLM_NONCE_LENGTH);
+ HMAC_Update(ctx, blob, bloblen);
+ HMAC_Final(ctx, V2, &len);
/* the blob is concatenated outside of this function */
*result = SASL_OK;
}
+ if (ctx) _plug_HMAC_CTX_free(ctx, utils);
+
return V2;
}
diff -up cyrus-sasl-2.1.26/plugins/otp.c.openssl110 cyrus-sasl-2.1.26/plugins/otp.c
--- cyrus-sasl-2.1.26/plugins/otp.c.openssl110 2012-10-12 16:05:48.000000000 +0200
+++ cyrus-sasl-2.1.26/plugins/otp.c 2016-11-07 16:13:54.374327601 +0100
@@ -96,6 +96,28 @@ static algorithm_option_t algorithm_opti
{NULL, 0, NULL}
};
+static EVP_MD_CTX *_plug_EVP_MD_CTX_new(const sasl_utils_t *utils)
+{
+ utils->log(NULL, SASL_LOG_DEBUG, "_plug_EVP_MD_CTX_new()");
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ return EVP_MD_CTX_new();
+#else
+ return utils->malloc(sizeof(EVP_MD_CTX));
+#endif
+}
+
+static void _plug_EVP_MD_CTX_free(EVP_MD_CTX *ctx, const sasl_utils_t *utils)
+{
+ utils->log(NULL, SASL_LOG_DEBUG, "_plug_EVP_MD_CTX_free()");
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_MD_CTX_free(ctx);
+#else
+ utils->free(ctx);
+#endif
+}
+
/* Convert the binary data into ASCII hex */
void bin2hex(unsigned char *bin, int binlen, char *hex)
{
@@ -116,17 +138,16 @@ void bin2hex(unsigned char *bin, int bin
* swabbing bytes if necessary.
*/
static void otp_hash(const EVP_MD *md, char *in, size_t inlen,
- unsigned char *out, int swab)
+ unsigned char *out, int swab, EVP_MD_CTX *mdctx)
{
- EVP_MD_CTX mdctx;
- char hash[EVP_MAX_MD_SIZE];
+ unsigned char hash[EVP_MAX_MD_SIZE];
unsigned int i;
int j;
unsigned hashlen;
- EVP_DigestInit(&mdctx, md);
- EVP_DigestUpdate(&mdctx, in, inlen);
- EVP_DigestFinal(&mdctx, hash, &hashlen);
+ EVP_DigestInit(mdctx, md);
+ EVP_DigestUpdate(mdctx, in, inlen);
+ EVP_DigestFinal(mdctx, hash, &hashlen);
/* Fold the result into 64 bits */
for (i = OTP_HASH_SIZE; i < hashlen; i++) {
@@ -149,7 +170,9 @@ static int generate_otp(const sasl_utils
char *secret, char *otp)
{
const EVP_MD *md;
- char *key;
+ EVP_MD_CTX *mdctx = NULL;
+ char *key = NULL;
+ int r = SASL_OK;
if (!(md = EVP_get_digestbyname(alg->evp_name))) {
utils->seterror(utils->conn, 0,
@@ -157,23 +180,32 @@ static int generate_otp(const sasl_utils
return SASL_FAIL;
}
+ if ((mdctx = _plug_EVP_MD_CTX_new(utils)) == NULL) {
+ SETERROR(utils, "cannot allocate MD CTX");
+ r = SASL_NOMEM;
+ goto done;
+ }
+
if ((key = utils->malloc(strlen(seed) + strlen(secret) + 1)) == NULL) {
SETERROR(utils, "cannot allocate OTP key");
- return SASL_NOMEM;
+ r = SASL_NOMEM;
+ goto done;
}
/* initial step */
strcpy(key, seed);
strcat(key, secret);
- otp_hash(md, key, strlen(key), otp, alg->swab);
+ otp_hash(md, key, strlen(key), otp, alg->swab, mdctx);
/* computation step */
while (seq-- > 0)
- otp_hash(md, otp, OTP_HASH_SIZE, otp, alg->swab);
-
- utils->free(key);
+ otp_hash(md, otp, OTP_HASH_SIZE, otp, alg->swab, mdctx);
+
+ done:
+ if (key) utils->free(key);
+ if (mdctx) _plug_EVP_MD_CTX_free(mdctx, utils);
- return SASL_OK;
+ return r;
}
static int parse_challenge(const sasl_utils_t *utils,
@@ -693,7 +725,8 @@ static int strptrcasecmp(const void *arg
/* Convert the 6 words into binary data */
static int word2bin(const sasl_utils_t *utils,
- char *words, unsigned char *bin, const EVP_MD *md)
+ char *words, unsigned char *bin, const EVP_MD *md,
+ EVP_MD_CTX *mdctx)
{
int i, j;
char *c, *word, buf[OTP_RESPONSE_MAX+1];
@@ -752,13 +785,12 @@ static int word2bin(const sasl_utils_t *
/* alternate dictionary */
if (alt_dict) {
- EVP_MD_CTX mdctx;
- char hash[EVP_MAX_MD_SIZE];
- int hashlen;
+ unsigned char hash[EVP_MAX_MD_SIZE];
+ unsigned hashlen;
- EVP_DigestInit(&mdctx, md);
- EVP_DigestUpdate(&mdctx, word, strlen(word));
- EVP_DigestFinal(&mdctx, hash, &hashlen);
+ EVP_DigestInit(mdctx, md);
+ EVP_DigestUpdate(mdctx, word, strlen(word));
+ EVP_DigestFinal(mdctx, hash, &hashlen);
/* use lowest 11 bits */
x = ((hash[hashlen-2] & 0x7) << 8) | hash[hashlen-1];
@@ -802,6 +834,7 @@ static int verify_response(server_contex
char *response)
{
const EVP_MD *md;
+ EVP_MD_CTX *mdctx = NULL;
char *c;
int do_init = 0;
unsigned char cur_otp[OTP_HASH_SIZE], prev_otp[OTP_HASH_SIZE];
@@ -815,6 +848,11 @@ static int verify_response(server_contex
return SASL_FAIL;
}
+ if ((mdctx = _plug_EVP_MD_CTX_new(utils)) == NULL) {
+ SETERROR(utils, "cannot allocate MD CTX");
+ return SASL_NOMEM;
+ }
+
/* eat leading whitespace */
c = response;
while (isspace((int) *c)) c++;
@@ -824,7 +862,7 @@ static int verify_response(server_contex
r = hex2bin(c+strlen(OTP_HEX_TYPE), cur_otp, OTP_HASH_SIZE);
}
else if (!strncasecmp(c, OTP_WORD_TYPE, strlen(OTP_WORD_TYPE))) {
- r = word2bin(utils, c+strlen(OTP_WORD_TYPE), cur_otp, md);
+ r = word2bin(utils, c+strlen(OTP_WORD_TYPE), cur_otp, md, mdctx);
}
else if (!strncasecmp(c, OTP_INIT_HEX_TYPE,
strlen(OTP_INIT_HEX_TYPE))) {
@@ -834,7 +872,7 @@ static int verify_response(server_contex
else if (!strncasecmp(c, OTP_INIT_WORD_TYPE,
strlen(OTP_INIT_WORD_TYPE))) {
do_init = 1;
- r = word2bin(utils, c+strlen(OTP_INIT_WORD_TYPE), cur_otp, md);
+ r = word2bin(utils, c+strlen(OTP_INIT_WORD_TYPE), cur_otp, md, mdctx);
}
else {
SETERROR(utils, "unknown OTP extended response type");
@@ -843,14 +881,15 @@ static int verify_response(server_contex
}
else {
/* standard response, try word first, and then hex */
- r = word2bin(utils, c, cur_otp, md);
+ r = word2bin(utils, c, cur_otp, md, mdctx);
if (r != SASL_OK)
r = hex2bin(c, cur_otp, OTP_HASH_SIZE);
}
if (r == SASL_OK) {
/* do one more hash (previous otp) and compare to stored otp */
- otp_hash(md, cur_otp, OTP_HASH_SIZE, prev_otp, text->alg->swab);
+ otp_hash(md, (char *) cur_otp, OTP_HASH_SIZE,
+ prev_otp, text->alg->swab, mdctx);
if (!memcmp(prev_otp, text->otp, OTP_HASH_SIZE)) {
/* update the secret with this seq/otp */
@@ -879,23 +918,28 @@ static int verify_response(server_contex
*new_resp++ = '\0';
}
- if (!(new_chal && new_resp))
- return SASL_BADAUTH;
+ if (!(new_chal && new_resp)) {
+ r = SASL_BADAUTH;
+ goto done;
+ }
if ((r = parse_challenge(utils, new_chal, &alg, &seq, seed, 1))
!= SASL_OK) {
- return r;
+ goto done;
}
- if (seq < 1 || !strcasecmp(seed, text->seed))
- return SASL_BADAUTH;
+ if (seq < 1 || !strcasecmp(seed, text->seed)) {
+ r = SASL_BADAUTH;
+ goto done;
+ }
/* find the MDA */
if (!(md = EVP_get_digestbyname(alg->evp_name))) {
utils->seterror(utils->conn, 0,
"OTP algorithm %s is not available",
alg->evp_name);
- return SASL_BADAUTH;
+ r = SASL_BADAUTH;
+ goto done;
}
if (!strncasecmp(c, OTP_INIT_HEX_TYPE, strlen(OTP_INIT_HEX_TYPE))) {
@@ -903,7 +947,7 @@ static int verify_response(server_contex
}
else if (!strncasecmp(c, OTP_INIT_WORD_TYPE,
strlen(OTP_INIT_WORD_TYPE))) {
- r = word2bin(utils, new_resp, new_otp, md);
+ r = word2bin(utils, new_resp, new_otp, md, mdctx);
}
if (r == SASL_OK) {
@@ -914,7 +958,10 @@ static int verify_response(server_contex
memcpy(text->otp, new_otp, OTP_HASH_SIZE);
}
}
-
+
+ done:
+ if (mdctx) _plug_EVP_MD_CTX_free(mdctx, utils);
+
return r;
}
diff -up cyrus-sasl-2.1.26/saslauthd/lak.c.openssl110 cyrus-sasl-2.1.26/saslauthd/lak.c
--- cyrus-sasl-2.1.26/saslauthd/lak.c.openssl110 2016-11-07 16:13:54.347327616 +0100
+++ cyrus-sasl-2.1.26/saslauthd/lak.c 2016-11-07 16:18:42.283167898 +0100
@@ -61,6 +61,35 @@
#include <sasl.h>
#include "lak.h"
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+static EVP_MD_CTX *EVP_MD_CTX_new(void)
+{
+ return EVP_MD_CTX_create();
+}
+static void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
+{
+ if (ctx == NULL)
+ return;
+
+ EVP_MD_CTX_destroy(ctx);
+}
+
+static EVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void)
+{
+ EVP_ENCODE_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));
+
+ if (ctx != NULL) {
+ memset(ctx, 0, sizeof(*ctx));
+ }
+ return ctx;
+}
+static void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx)
+{
+ OPENSSL_free(ctx);
+ return;
+}
+#endif
+
typedef struct lak_auth_method {
int method;
int (*check) (LAK *lak, const char *user, const char *service, const char *realm, const char *password) ;
@@ -1720,20 +1749,28 @@ static int lak_base64_decode(
int rc, i, tlen = 0;
char *text;
- EVP_ENCODE_CTX EVP_ctx;
+ EVP_ENCODE_CTX *enc_ctx = EVP_ENCODE_CTX_new();
- text = (char *)malloc(((strlen(src)+3)/4 * 3) + 1);
if (text == NULL)
return LAK_NOMEM;
- EVP_DecodeInit(&EVP_ctx);
- rc = EVP_DecodeUpdate(&EVP_ctx, text, &i, (char *)src, strlen(src));
+ text = (char *)malloc(((strlen(src)+3)/4 * 3) + 1);
+ if (text == NULL) {
+ EVP_ENCODE_CTX_free(enc_ctx);
+ return LAK_NOMEM;
+ }
+
+ EVP_DecodeInit(enc_ctx);
+ rc = EVP_DecodeUpdate(enc_ctx, (unsigned char *) text, &i, (const unsigned char *)src, strlen(src));
if (rc < 0) {
+ EVP_ENCODE_CTX_free(enc_ctx);
free(text);
return LAK_FAIL;
}
tlen += i;
- EVP_DecodeFinal(&EVP_ctx, text, &i);
+ EVP_DecodeFinal(enc_ctx, (unsigned char *) text, &i);
+
+ EVP_ENCODE_CTX_free(enc_ctx);
*ret = text;
if (rlen != NULL)
@@ -1749,7 +1786,7 @@ static int lak_check_hashed(
{
int rc, clen;
LAK_HASH_ROCK *hrock = (LAK_HASH_ROCK *) rock;
- EVP_MD_CTX mdctx;
+ EVP_MD_CTX *mdctx;
const EVP_MD *md;
unsigned char digest[EVP_MAX_MD_SIZE];
char *cred;
@@ -1758,17 +1795,24 @@ static int lak_check_hashed(
if (!md)
return LAK_FAIL;
+ mdctx = EVP_MD_CTX_new();
+ if (!mdctx)
+ return LAK_NOMEM;
+
rc = lak_base64_decode(hash, &cred, &clen);
- if (rc != LAK_OK)
+ if (rc != LAK_OK) {
+ EVP_MD_CTX_free(mdctx);
return rc;
+ }
- EVP_DigestInit(&mdctx, md);
- EVP_DigestUpdate(&mdctx, passwd, strlen(passwd));
+ EVP_DigestInit(mdctx, md);
+ EVP_DigestUpdate(mdctx, passwd, strlen(passwd));
if (hrock->salted) {
- EVP_DigestUpdate(&mdctx, &cred[EVP_MD_size(md)],
+ EVP_DigestUpdate(mdctx, &cred[EVP_MD_size(md)],
clen - EVP_MD_size(md));
}
- EVP_DigestFinal(&mdctx, digest, NULL);
+ EVP_DigestFinal(mdctx, digest, NULL);
+ EVP_MD_CTX_free(mdctx);
rc = memcmp((char *)cred, (char *)digest, EVP_MD_size(md));
free(cred);