pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/trunk]: pkgsrc/security/gsasl gsasl: update to 1.10.0.



details:   https://anonhg.NetBSD.org/pkgsrc/rev/9a9c855e7e51
branches:  trunk
changeset: 444441:9a9c855e7e51
user:      wiz <wiz%pkgsrc.org@localhost>
date:      Thu Jan 07 22:09:52 2021 +0000

description:
gsasl: update to 1.10.0.

* Version 1.10.0 (released 2021-01-01) [stable]

** This is a new major stable release.  Brief changes compared to 1.8.x:

*** SCRAM-SHA-256 and SCRAM-SHA-256-PLUS support per RFC 7677.

*** SCRAM supports password-less usage (StoredKey/ServerKey).

*** New 'gsasl --mkpasswd' command to prepare SCRAM salted/hashed passwords.

*** Final warning that obsolete APIs will be removed.

*** Various cleanups, portability and other bug fixes.
See the entries in NEWS and lib/NEWS covering the 1.9.x branch for details.

* Version 1.9.3 (released 2021-01-01) [beta]

** Fix build/portability problems.  GnuTLS >= 3.4 is required.
Thanks to Bruno Haible for reports.

* Version 1.9.2 (released 2020-12-24) [beta]

** gsasl: Don't abort command on some exepected TLS events (for TLS 1.3).
Patch from Enrico Scholz <enrico.scholz%sigma-chemnitz.de@localhost> in:
https://lists.gnu.org/archive/html/help-gsasl/2020-08/msg00000.html

** gsasl: Use GnuTLS system trust settings by default for X.509 server
** certificate validation.
Before it was documented behaviour that unless --x509-ca-file was
used, no verification of the server-side certificate was performed.
Now instead it will use the system trust settings, which on properly
configured systems results in verification of the server certificate.
As a result, you may now start to get server certificate verification
errors in situations where you didn't expect them.  Use --x509-ca-file
with the empty string ("") as a file name to use the old behaviour to
not abort on server certificate verification failures.

** SCRAM, GS2 and GSSAPI retrieve properties later in
** the authentication process.
Before the property GSASL_CB_TLS_UNIQUE was retrieved during SCRAM
gsasl_client_start() and gsasl_server_start(), and the properties
GSSAPI_SERVICE and GSSAPI_HOSTNAME was retrived during GS2/GSSAPI
gsasl_server_start().  Now they are retrieved during the first call to
gsasl_step().

The only user-visible impact of this should be that 'gsasl
--client-mechanisms' and 'gsasl --server-mechanisms' will now not
query for parameters before giving a list of supported mechanisms,
which arguable gives a better user experience.  The downside of this
is that SCRAM-*-PLUS, GS2 and GSSAPI may be advertised even though
completing the server mechanism may not complete.

The problem with calling callbacks in the start() function is that the
callback will have no per-session context at that point, only a global
context, so the only way to give per-session unique callback responses
is to use a separate global handle per session.  This was discovered
in the Exim implementation of gsasl with SCRAM that used to request
the GSASL_CB_TLS_UNIQUE property in the start() function.  After
noticing this design issue, and writing this self test, it was
discovered that it also happened for the GSSAPI/GS2 server (not
client) mechanism for the GSASL_SERVICE and GSASL_HOSTNAME properties.

Thanks to Jeremy Harris for noticing the problem and discussion, see
https://lists.gnu.org/archive/html/help-gsasl/2020-01/msg00035.html

** gsasl: The --mkpasswd output format follows Dovecot 'doveadm pw'.

** Filenames of images in the manual are now prefixed with 'gsasl-'.
This makes /usr/share/info more understandable, and it is suggested by
at least Debian to do this in upstream.

** Build changes.
Some more compiler warnings used and code fixed.  Improved ./configure
diagnostics.

* Version 1.9.1 (released 2020-01-14) [beta]

** gsasl: New --mkpasswd argument to prepare salted/hashed passwords.
Currently mechanisms SCRAM-SHA-1 and SCRAM-SHA-256 are supported.  New
parameter --iteration-count to indicate number of PBKDF2 rounds,
default being 65536.  New parameter --salt to specify PBKDF2 salt.

* Version 1.9.0 (released 2020-01-03) [beta]

** Client and server support for SCRAM-SHA-256 and SCRAM-SHA-256-PLUS.

** gsasl: If PORT argument is "587" or "submission", SMTP mode is used.
Further, unrecognized PORT arguments will now on raise an error to
specify --smtp or --imap.

diffstat:

 security/gsasl/Makefile         |   4 ++--
 security/gsasl/PLIST            |   7 ++++++-
 security/gsasl/distinfo         |  11 +++++------
 security/gsasl/patches/patch-ac |  30 ------------------------------
 4 files changed, 13 insertions(+), 39 deletions(-)

diffs (90 lines):

diff -r 1b83feb250db -r 9a9c855e7e51 security/gsasl/Makefile
--- a/security/gsasl/Makefile   Thu Jan 07 22:03:31 2021 +0000
+++ b/security/gsasl/Makefile   Thu Jan 07 22:09:52 2021 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.50 2020/11/16 13:05:07 wiz Exp $
+# $NetBSD: Makefile,v 1.51 2021/01/07 22:09:52 wiz Exp $
 
-DISTNAME=      gsasl-1.8.1
+DISTNAME=      gsasl-1.10.0
 CATEGORIES=    security
 MASTER_SITES=  ${MASTER_SITE_GNU:=gsasl/}
 
diff -r 1b83feb250db -r 9a9c855e7e51 security/gsasl/PLIST
--- a/security/gsasl/PLIST      Thu Jan 07 22:03:31 2021 +0000
+++ b/security/gsasl/PLIST      Thu Jan 07 22:09:52 2021 +0000
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.18 2020/11/16 13:05:07 wiz Exp $
+@comment $NetBSD: PLIST,v 1.19 2021/01/07 22:09:52 wiz Exp $
 bin/gsasl
 include/gsasl-compat.h
 include/gsasl-mech.h
@@ -59,6 +59,9 @@
 man/man3/gsasl_encode_inline.3
 man/man3/gsasl_finish.3
 man/man3/gsasl_free.3
+man/man3/gsasl_hash_length.3
+man/man3/gsasl_hex_from.3
+man/man3/gsasl_hex_to.3
 man/man3/gsasl_hmac_md5.3
 man/man3/gsasl_hmac_sha1.3
 man/man3/gsasl_init.3
@@ -74,6 +77,8 @@
 man/man3/gsasl_randomize.3
 man/man3/gsasl_register.3
 man/man3/gsasl_saslprep.3
+man/man3/gsasl_scram_secrets_from_password.3
+man/man3/gsasl_scram_secrets_from_salted_password.3
 man/man3/gsasl_server_application_data_get.3
 man/man3/gsasl_server_application_data_set.3
 man/man3/gsasl_server_callback_anonymous_get.3
diff -r 1b83feb250db -r 9a9c855e7e51 security/gsasl/distinfo
--- a/security/gsasl/distinfo   Thu Jan 07 22:03:31 2021 +0000
+++ b/security/gsasl/distinfo   Thu Jan 07 22:09:52 2021 +0000
@@ -1,7 +1,6 @@
-$NetBSD: distinfo,v 1.19 2020/11/16 13:05:07 wiz Exp $
+$NetBSD: distinfo,v 1.20 2021/01/07 22:09:52 wiz Exp $
 
-SHA1 (gsasl-1.8.1.tar.gz) = 82ba0079da6918784a8170d4a13ee133d9df1d7a
-RMD160 (gsasl-1.8.1.tar.gz) = 8cf11ab86e608f36c74593e4b37ebdb000df4292
-SHA512 (gsasl-1.8.1.tar.gz) = 8973f5af12cc17aae76a4a2ea887d17e74e48b1ce896dfd62fde8cb874ed965d77c62d671ff86ce3217158e58a7a521b7fde9ea606f73c3a912a8973f1b204cb
-Size (gsasl-1.8.1.tar.gz) = 5774550 bytes
-SHA1 (patch-ac) = 8a51c8a8bc046a0efe6572c244cd0c886e7ab7b4
+SHA1 (gsasl-1.10.0.tar.gz) = ec3def1bdc4a0b6284f0d1e2901495218c87587e
+RMD160 (gsasl-1.10.0.tar.gz) = 0b7b66702493527f295ba35c4f2a409600839946
+SHA512 (gsasl-1.10.0.tar.gz) = 8b1dc87e85dbfd0255b3b43c4b7f9c2e896cb03efe4cd4af86393b62fd193665aae4ce59e66db736722e32babfcea6d4f6ddd3c5f069dcc4210f7e9531043e4a
+Size (gsasl-1.10.0.tar.gz) = 5946076 bytes
diff -r 1b83feb250db -r 9a9c855e7e51 security/gsasl/patches/patch-ac
--- a/security/gsasl/patches/patch-ac   Thu Jan 07 22:03:31 2021 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,30 +0,0 @@
-$NetBSD: patch-ac,v 1.2 2020/11/16 13:05:08 wiz Exp $
-
-In file included from /usr/include/gssapi.h:41,
-                 from gss-extra.h:30,
-                 from gss-extra.c:28:
-gss-extra.c:43:9: error: expected identifier or '(' before '&' token
-   43 | gss_OID GSS_C_NT_HOSTBASED_SERVICE = &tmp;
-      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Sent upstream on 2020/11/16.
-
---- lib/gl/gss-extra.c.orig    2010-12-14 12:57:08.000000000 +0000
-+++ lib/gl/gss-extra.c
-@@ -33,16 +33,6 @@
- /* Get malloc, free. */
- #include <stdlib.h>
- 
--#ifndef HAVE_GSS_C_NT_HOSTBASED_SERVICE
--
--/* MIT Kerberos for Windows version 3.2.2 lacks this. */
--static gss_OID_desc tmp = {
--  10,
--  (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04"
--};
--gss_OID GSS_C_NT_HOSTBASED_SERVICE = &tmp;
--
--#endif
- 
- #ifndef HAVE_GSS_OID_EQUAL
- 



Home | Main Index | Thread Index | Old Index