plugins/digestmd5.c | 3 0 + 3 - 0 !
1 file changed, 3 deletions(-)

 plugins/digestmd5: remove debug log "mech free"

The "DIGEST-MD5 common mech free" debug log message is bothering many users.
It is not really helpful, so drop it.

Fixes #386.

Signed-off-by: Bastian Germann <bage@debian.org>

utils/testsuite.c | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 use /etc/sasldb2 instead of ./sasldb in the testsuite

saslauthd/saslauthd.mdoc | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 update saslauthd.conf location in documentation

date format (cosmetic).

utils/Makefile.am | 4 2 + 2 - 0 !
utils/dbconverter-2.c | 4 2 + 2 - 0 !
2 files changed, 4 insertions(+), 4 deletions(-)

 include dbconverter-2 in sbin_programs and set default sasldb file
 to /etc/sasldb2

database file to /etc/sasldb2.

configure.ac | 2 1 + 1 - 0 !
plugins/cram.c | 4 4 + 0 - 0 !
2 files changed, 5 insertions(+), 1 deletion(-)

 fix <time.h> check

We're conditionally including based on HAVE_TIME_H in a bunch of places,
but we're not actually checking for time.h, so that's never going to be defined.

While at it, add in a missing include in the cram plugin.

This fixes a bunch of implicit declaration warnings:
```
 * cyrus-sasl-2.1.28/lib/saslutil.c:280:3: warning: implicit declaration of function time [-Wimplicit-function-declaration]
 * cyrus-sasl-2.1.28/lib/saslutil.c:364:41: warning: implicit declaration of function clock [-Wimplicit-function-declaration]
 * cyrus-sasl-2.1.28/plugins/cram.c:132:7: warning: implicit declaration of function time [-Wimplicit-function-declaration]
 * cyrus-sasl-2.1.28/lib/saslutil.c:280:3: warning: implicit declaration of function time [-Wimplicit-function-declaration]
 * cyrus-sasl-2.1.28/lib/saslutil.c:364:41: warning: implicit declaration of function clock [-Wimplicit-function-declaration]
 * cyrus-sasl-2.1.28/plugins/cram.c:132:7: warning: implicit declaration of function time [-Wimplicit-function-declaration]
```

Signed-off-by: Sam James <sam@gentoo.org>

Makefile.am | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 makefile.am: set date in man pages.

The build date is embedded in the man pages by default. Pass arguments
to sphinx to use the date defined in SOURCE_DATE_EPOCH.

https://reproducible-builds.org/docs/source-date-epoch/

lib/Makefile.am | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 don't overwrite pic objects with non-pic variant

This patch makes sure the non-PIC version of libsasldb.a, which
is created out of non-PIC objects, is not going to overwrite the PIC version,
which is created out of PIC objects. The PIC version is placed in .libs, and
the non-PIC version in the current directory.  This ensures that both non-PIC
and PIC versions are available in the correct locations.

utils/pluginviewer.8 | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 self-reference pluginviewer man as saslpluginviewer

pluginviewer is installed as saslpluginviewer in Debian.
Edit the self-references in Debian to match the rename.

Signed-off-by: Bastian Germann <bage@debian.org>

m4/berkdb.m4 | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 look for generic berkeley db first

utils/sasldbconverter2.8 | 61 61 + 0 - 0 !
1 file changed, 61 insertions(+)

 add sasldbconverter2.8

The file stems from version 2.1.28 and is not included in the distribution
tarball.

include/saslplug.h | 2 1 + 1 - 0 !
lib/client.c | 5 4 + 1 - 0 !
lib/common.c | 7 6 + 1 - 0 !
3 files changed, 11 insertions(+), 3 deletions(-)

 fix #386 - honor log_level option on clients too

Signed-off-by: Howard Chu <hyc@symas.com>

Versions | 7 7 + 0 - 0 !
lib/Makefile.am | 3 2 + 1 - 0 !
2 files changed, 9 insertions(+), 1 deletion(-)

 make the libsasl2 symbols versioned

lib/dlopen.c | 121 7 + 114 - 0 !
1 file changed, 7 insertions(+), 114 deletions(-)

 don't use la files for opening plugins

configure.ac | 55 1 + 54 - 0 !
lib/Makefile.am | 16 1 + 15 - 0 !
plugins/Makefile.am | 3 0 + 3 - 0 !
saslauthd/Makefile.am | 6 2 + 4 - 0 !
4 files changed, 4 insertions(+), 76 deletions(-)

 just completely remove libobj from autotools files

configure.ac | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 temporary multiarch fixes

saslauthd/saslauthd.mdoc | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 add reference to ldap_saslauthd file to the saslauthd documentation

lib/Makefile.am | 2 1 + 1 - 0 !
plugins/Makefile.am | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 revert upstream soname bump

plugins/digestmd5.c | 16 14 + 2 - 0 !
1 file changed, 14 insertions(+), 2 deletions(-)

 [patch] gracefully handle failed initializations

In OpenSSL 3.0 these algorithms have been moved to the legacy provider
which is not enabled by default. This means allocation can and do fail.
Handle failed allocations by returning an actual error instead of
crashing later with a NULL context.

Signed-off-by: Simo Sorce <simo@redhat.com>

saslauthd/lak.c | 32 25 + 7 - 0 !
1 file changed, 25 insertions(+), 7 deletions(-)

 [patch] catch errors from evp_digest* functions

In OpenSSL 3.0 digest init can fail simply because a legacy provider is
not loaded of FIPS mode is active and the digest is not allowed.
If the errors are not handled the application may crash later trying to
access uninitialized contexts.

Signed-off-by: Simo Sorce <simo@redhat.com>

plugins/digestmd5.c | 189 140 + 49 - 0 !
1 file changed, 140 insertions(+), 49 deletions(-)

 [patch] add support for loading legacy provider

OpenSSL 3.0 is moving a number of functions into the legacy provider.
This provider is not loaded by default, so applications that need to
use legacy algorithms must either load them explicitly or admins
have to explicitly load the legacy provider to their openssl conf file.

The latter is bad as it will enable legacy providers systam-wide, it
also requires manual intervention. Programmatically load the legacy
provider for older plugins that have no good cipher option to fall
back on.

Signed-off-by: Simo Sorce <simo@redhat.com>

configure.ac | 4 3 + 1 - 0 !
1 file changed, 3 insertions(+), 1 deletion(-)

 add ${with_pgsql}include/postgresql/ to include path

plugins/gssapi.c | 30 25 + 5 - 0 !
1 file changed, 25 insertions(+), 5 deletions(-)

 add channel binding support for gssapi/gss-spnego

Signed-off-by: Simo Sorce <simo@redhat.com>

m4/sasl2.m4 | 13 13 + 0 - 0 !
plugins/gssapi.c | 44 43 + 1 - 0 !
2 files changed, 56 insertions(+), 1 deletion(-)

 add support for setting max ssf 0 to gss-spnego

This is needed to interop with Windows within a TLS channel.

Signed-off-by: Simo Sorce <simo@redhat.com>

plugins/gssapi.c | 12 9 + 3 - 0 !
1 file changed, 9 insertions(+), 3 deletions(-)

 be more conformant to rfc4752

Although we need to be able to completely suppress Integrity and
Confidentiality flags in GSS-SPNEGO, we also need to be more conformant
to RFC4752 for the GSSAPI mechanism.

The RFC reuires to always set Integrity for SASL/GSSAPI, it also
requires MUTUAL/SEQUENCE flags to only be set if any Security Layer is
requested.

Finally Confidentiality should be set only when requested so change the
code that suppresses MIT krb5 setting CI flags not only in the SSF == 0
case but also when SSF == 1, the integrity flag in that case will be
explicitly set by our code and the NO_CI_FLAGS option will unset just
the CONF flag.

Signed-off-by: Simo Sorce <simo@redhat.com>