From: "Cygwin gsasl Maintainer"
To: "Cygwin Announcements"
Reply-To: "Cygwin"
Date: Fri, 18 Nov 2022 11:42:26 -0700
Message-Id: <20221118114226.22447-1-Brian.Inglis@SystematicSW.ab.ca>
Subject: Updated: gsasl, libgsasl{18,-common,-devel,-doc} 2.2-2

The following packages have been uploaded for testing in Cygwin:

* gsasl 2.2-2
* libgsasl18 2.2-2
* libgsasl-common 2.2-2
* libgsasl-devel 2.2-2
* libgsasl-doc 2.2-2

GNU SASL is an implementation of the Simple Authentication and Security Layer (SASL) framework, consisting of a library with several plugins, and a command-line application.

For more information see the project home page:

https://www.gnu.org/software/gsasl/

See below or read /usr/share/doc/gsasl/NEWS after installation for a summary of changes since the last Cygwin release, or read /usr/share/doc/gsasl/ChangeLog after installation for details.

Cygwin release 2 fixes dependency problems affecting curl and git.

Noteworthy changes in release 2.2.0 (2022-09-03)

* Fix build error with too old GnuTLS.
* Tests: New tests/gsasl-mailutils-tls.sh. It performs integration checks between GNU SASL and GNU MailUtils imapd with TLS enabled, thereby testing TLS support in the 'gsasl' command line tool.
* Various minor bug fixes and improvements. Mainly to pacify improved CI/CD checking.

Noteworthy changes in release 2.1.1 (2022-08-16) [beta]

* Tests: New tests/gsasl-mailutils-gs2krb5-gssapi.sh. It performs integration checks between GNU SASL and GNU MailUtils imapd (GSSAPI and GS2-KRB5). They can be used externally from the GNU SASL build environment to perform system integration tests; see .gitlab-ci.yml for inspiration.
* Various minor bug fixes and improvements. Fix two crashes in 'gsasl' introduced in 2.1.0.

Noteworthy changes in release 2.1.0 (2022-08-05) [beta]

* Support new "tls-exporter" channel binding. The "tls-exporter" channel binding is specified in RFC 9266. Now we can support SCRAM-*-PLUS over TLS 1.3 channels, and address some of the security problems with "tls-unique". The library adds the new callback property GSASL_CB_TLS_EXPORTER and error code GSASL_NO_CB_TLS_EXPORTER. These are documented in the manual. The 'gsasl' command-line tool sets it if the system GnuTLS has GNUTLS_CB_TLS_EXPORTER, which was introduced with GnuTLS 3.7.2 released on 2021-05-29.
* SCRAM: Support for "tls-exporter".
  The SCRAM client will now query the application for GSASL_CB_TLS_EXPORTER before it queries for GSASL_CB_TLS_UNIQUE. Supply it to support TLS 1.3. The SCRAM server will query the application for the channel binding type requested by the client (tls-unique or tls-exporter), and it is up to the application to decide what to do.
* SCRAM: Fix memory leaks on incremental application usage. See tests/scram-incremental.c for application behaviour that triggers the leaks. We run valgrind --leak-check=full to catch future regressions.
* Tests: New tests/gsasl-dovecot-gssapi.sh & tests/gsasl-mailutils-cram.sh. These perform integration checks between GNU SASL and Dovecot (GSS-API) and GNU MailUtils imapd (CRAM-MD5, DIGEST-MD5, SCRAM-SHA-*). They can be used externally from the GNU SASL build environment to perform system integration tests; see .gitlab-ci.yml for inspiration.
* API and ABI modifications.
  GSASL_CB_TLS_EXPORTER: Added.
  GSASL_NO_CB_TLS_EXPORTER: Added.

Noteworthy changes in release 2.0.1 (2022-07-15)

* Support for the libgssglue GSS-API library was added. We encourage you to build with libgssglue, as that allows system administrators and end-users to choose between MIT Kerberos, Heimdal and GNU GSS at run-time. Read about the background here: https://blog.josefsson.org/2022/07/14/towards-pluggable-gss-api-modules/
* GSSAPI client: don't use AUTHID as fallback for AUTHZID. The code historically used the AUTHID as authorization identity, but in 2012 we changed it to first query for AUTHZID, and only if that is not available, fall back to using AUTHID as the authorization identity. The change was not released until version 1.8.1 on 2019-08-02, when it was properly documented to be removed 'after the year 2012'. While documented behaviour, this seems like just surprising behaviour and we now finally make the change.
* GSSAPI server: don't set AUTHZID to empty string when absent.
  The GSS-API SASL protocol does not differentiate between an absent authorization identity and an authorization identity that is the empty string. Previously libgsasl would set it to the empty string, but now it is set to NULL. The manual explains that this is a protocol limitation.
* The examples/smtp-server.c now supports GSSAPI/GS2-KRB5. The example is used during CI/CD testing of GNU SASL and thus it made sense to extend it. Some bugs related to getline error conditions were also fixed.
* GSSAPI server: Fix out-of-bounds read. A malicious client can, after it has authenticated with Kerberos, send a specially crafted message that causes Libgsasl to read out of bounds and cause a crash in the server.

Noteworthy changes in release 2.0.0 (2022-06-20)

* Drops all obsolete APIs, drops the abandoned KERBEROS_V5 mechanism, stops shipping a separate tarball for only the library, adds new APIs gsasl_mechanism_name_p() and gsasl_property_free(). Numerous other translation improvements, code cleanups, bug fixes, documentation additions, build improvements and portability enhancements were made as well.

Noteworthy changes in release 1.11.3 (2022-06-13) [beta]

* libgsasl: Fix substring prefix bug in gsasl_client_suggest_mechanism.
* libgsasl: Fix GSSAPI client encode/decode memory buffer length bug.
* libgsasl: Fix DIGEST-MD5 compiler warnings.
* libgsasl: Rename gsasl_is_mechanism_name_valid to gsasl_mechanism_name_p. For better sorting of public APIs and consistency with other *_p function name usage.
* Various cleanups, build/bug fixes and portability improvements.

Noteworthy changes in release 1.11.2 (2021-10-25) [beta]

* libgsasl: New API gsasl_is_mechanism_name_valid(). This can be used to check if a mechanism name string is valid, i.e., validate string length and characters used. This function is the recommended upgrade path for code using GSASL_VALID_MECHANISM_CHARACTERS, in the majority of use-cases.
* libgsasl: The following variables have been removed: GSASL_VALID_MECHANISM_CHARACTERS. The reason for removing this is that exporting static global variables from shared libraries has portability concerns, and this is not a widely used variable anyway.
* Various cleanups, build/bug fixes and portability improvements.

Noteworthy changes in release 1.11.1 (2021-01-19) [alpha]

* New header gsasl-version.h is now installed.
* Deprecated enum Gsasl_cipher removed (forgotten in last release).
* Fix symbol versioning.

The goal of the 1.11.x branch is now to release 2.0.0.

Noteworthy changes in release 1.11.0 (2021-01-07) [alpha]

* Stop shipping a separate tarball for libgsasl. This allowed us to avoid a second lib/configure script.
* Build modernization. Among other improvements, gsasl now uses gnulib's bootstrap script for building from git; see README-hacking (in git) for more information.
* The KERBEROS_V5 mechanism was removed. It has not been enabled by default and was never standardized nor widely deployed.
* Lasso is no longer an optional dependency. It was only used for building the 'gsasl-saml20-request' helper-tool for the example code for the SAML20 mechanism. The example is still shipped as part of this package, but the helper tool will now have to be built manually by anyone interested in this.
* Functions gsasl_property_set() and gsasl_property_set_raw() now return GSASL_MALLOC_ERROR on memory allocation errors. Updating code to use the return value is not critical. Everything will continue to work the same as before if you ignore the return value -- that is, if the property had to be set successfully, and a memory allocation failure happened to occur, the application will get an error message later on about the missing property.
  If you want to support both new and old library versions, to report memory allocation errors as such, you may use a construct like this:

      /* 'res' is an int; the assignment only exists on 1.11.0 and later,
         where gsasl_property_set() returns int instead of void. */
      #if GSASL_VERSION_NUMBER >= 0x010b00
        res =
      #endif
          gsasl_property_set (sctx, GSASL_AUTHID, "simon");
      #if GSASL_VERSION_NUMBER >= 0x010b00
        if (res != GSASL_OK)
          return res;
      #endif

  You may put this in a wrapper function to avoid repeating the construct elsewhere in your code. The function signatures are modified: before, the return value was 'void'; now it is 'int'. The shared library version has been incremented.
* New API gsasl_property_free(). This is used to deallocate resources associated with a property.
* All deprecated interfaces have been removed.
* The following functions have been removed:
  gsasl_appinfo_get
  gsasl_appinfo_set
  gsasl_application_data_get
  gsasl_application_data_set
  gsasl_base64_decode
  gsasl_base64_encode
  gsasl_client_application_data_get
  gsasl_client_application_data_set
  gsasl_client_callback_anonymous_get
  gsasl_client_callback_anonymous_set
  gsasl_client_callback_authentication_id_get
  gsasl_client_callback_authentication_id_set
  gsasl_client_callback_authorization_id_get
  gsasl_client_callback_authorization_id_set
  gsasl_client_callback_maxbuf_get
  gsasl_client_callback_maxbuf_set
  gsasl_client_callback_passcode_get
  gsasl_client_callback_passcode_set
  gsasl_client_callback_password_get
  gsasl_client_callback_password_set
  gsasl_client_callback_pin_get
  gsasl_client_callback_pin_set
  gsasl_client_callback_qop_get
  gsasl_client_callback_qop_set
  gsasl_client_callback_realm_get
  gsasl_client_callback_realm_set
  gsasl_client_callback_service_get
  gsasl_client_callback_service_set
  gsasl_client_ctx_get
  gsasl_client_finish
  gsasl_client_listmech
  gsasl_client_step
  gsasl_client_step_base64
  gsasl_ctx_get
  gsasl_decode_inline
  gsasl_encode_inline
  gsasl_hmac_md5
  gsasl_hmac_sha1
  gsasl_md5
  gsasl_md5pwd_get_password
  gsasl_randomize
  gsasl_server_application_data_get
  gsasl_server_application_data_set
  gsasl_server_callback_anonymous_get
  gsasl_server_callback_anonymous_set
  gsasl_server_callback_cipher_get
  gsasl_server_callback_cipher_set
  gsasl_server_callback_cram_md5_get
  gsasl_server_callback_cram_md5_set
  gsasl_server_callback_digest_md5_get
  gsasl_server_callback_digest_md5_set
  gsasl_server_callback_external_get
  gsasl_server_callback_external_set
  gsasl_server_callback_gssapi_get
  gsasl_server_callback_gssapi_set
  gsasl_server_callback_maxbuf_get
  gsasl_server_callback_maxbuf_set
  gsasl_server_callback_qop_get
  gsasl_server_callback_qop_set
  gsasl_server_callback_realm_get
  gsasl_server_callback_realm_set
  gsasl_server_callback_retrieve_get
  gsasl_server_callback_retrieve_set
  gsasl_server_callback_securid_get
  gsasl_server_callback_securid_set
  gsasl_server_callback_service_get
  gsasl_server_callback_service_set
  gsasl_server_callback_validate_get
  gsasl_server_callback_validate_set
  gsasl_server_ctx_get
  gsasl_server_finish
  gsasl_server_listmech
  gsasl_server_step
  gsasl_server_step_base64
  gsasl_server_suggest_mechanism
  gsasl_sha1
  gsasl_stringprep_nfkc
  gsasl_stringprep_saslprep
  gsasl_stringprep_trace
* The following declarations have been removed:
  Gsasl_ctx
  Gsasl_session_ctx
  GSASL_CANNOT_GET_CTX
  GSASL_FCLOSE_ERROR
  GSASL_FOPEN_ERROR
  GSASL_GCRYPT_ERROR
  GSASL_INVALID_HANDLE
  GSASL_KERBEROS_V5_INIT_ERROR
  GSASL_KERBEROS_V5_INTERNAL_ERROR
  GSASL_NEED_CLIENT_ANONYMOUS_CALLBACK
  GSASL_NEED_CLIENT_AUTHENTICATION_ID_CALLBACK
  GSASL_NEED_CLIENT_AUTHORIZATION_ID_CALLBACK
  GSASL_NEED_CLIENT_PASSCODE_CALLBACK
  GSASL_NEED_CLIENT_PASSWORD_CALLBACK
  GSASL_NEED_CLIENT_PIN_CALLBACK
  GSASL_NEED_CLIENT_SERVICE_CALLBACK
  GSASL_NEED_SERVER_ANONYMOUS_CALLBACK
  GSASL_NEED_SERVER_CRAM_MD5_CALLBACK
  GSASL_NEED_SERVER_DIGEST_MD5_CALLBACK
  GSASL_NEED_SERVER_EXTERNAL_CALLBACK
  GSASL_NEED_SERVER_GSSAPI_CALLBACK
  GSASL_NEED_SERVER_REALM_CALLBACK
  GSASL_NEED_SERVER_RETRIEVE_CALLBACK
  GSASL_NEED_SERVER_SECURID_CALLBACK
  GSASL_NEED_SERVER_SERVICE_CALLBACK
  GSASL_NEED_SERVER_VALIDATE_CALLBACK
  GSASL_NO_MORE_REALMS
  GSASL_SHISHI_ERROR
  GSASL_TOO_SMALL_BUFFER
  GSASL_UNICODE_NORMALIZATION_ERROR
  Gsasl_client_callback_anonymous
  Gsasl_client_callback_authentication_id
  Gsasl_client_callback_authorization_id
  Gsasl_client_callback_maxbuf
  Gsasl_client_callback_passcode
  Gsasl_client_callback_password
  Gsasl_client_callback_pin
  Gsasl_client_callback_qop
  Gsasl_client_callback_realm
  Gsasl_client_callback_service
  Gsasl_server_callback_anonymous
  Gsasl_server_callback_cipher
  Gsasl_server_callback_cram_md5
  Gsasl_server_callback_digest_md5
  Gsasl_server_callback_external
  Gsasl_server_callback_gssapi
  Gsasl_server_callback_maxbuf
  Gsasl_server_callback_qop
  Gsasl_server_callback_realm
  Gsasl_server_callback_retrieve
  Gsasl_server_callback_securid
  Gsasl_server_callback_service
  Gsasl_server_callback_validate
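The SCRAM-PLUS channel-binding negotiation described in the 2.1.0 notes above (client asks for tls-exporter before tls-unique; server checks the type the client requested and decides whether to honour it), as an added Python example that is not part of this announcement or of GNU SASL. The channel-binding byte values are constructed stand-ins for what a TLS library such as GnuTLS would supply, and the GS2 header and c= attribute follow RFC 5802.

```python
import base64
import hmac

# Preference order the SCRAM client in the 2.1.0 notes uses: tls-exporter
# (RFC 9266, usable over TLS 1.3) is queried before tls-unique.
CB_PREFERENCE = ("tls-exporter", "tls-unique")

# Constructed sample channel-binding values (assumption: a real application
# gets these from its TLS library, e.g. GnuTLS with GNUTLS_CB_TLS_EXPORTER).
CLIENT_CB = {"tls-exporter": bytes(range(32)), "tls-unique": b"\x10" * 12}
SERVER_CB = dict(CLIENT_CB)       # same TLS connection -> identical values
MITM_CB = {"tls-exporter": bytes(range(1, 33)), "tls-unique": b"\x11" * 12}

def client_gs2_header(available, authzid=""):
    """Pick the first channel-binding type the application can supply and
    build the GS2 header that opens client-first-message (RFC 5802)."""
    a = "a=" + authzid if authzid else ""
    for cb in CB_PREFERENCE:
        if available.get(cb) is not None:
            return "p=%s,%s," % (cb, a)
    return "n,%s," % a            # application offers no channel binding

def cb_type_of(gs2_header):
    """Channel-binding type named in a GS2 header, or None for 'n'/'y'."""
    if gs2_header.startswith("p="):
        return gs2_header[2:].split(",", 1)[0]
    return None

def client_c_attr(gs2_header, available):
    """c= attribute of client-final-message: base64(gs2-header || cb-data)."""
    cb = cb_type_of(gs2_header)
    cb_data = available[cb] if cb else b""
    return base64.b64encode(gs2_header.encode() + cb_data).decode()

def server_verify(c_attr, gs2_header, server_cb):
    """Server side: the header inside c= must echo client-first, and cb-data
    must equal the server's own value for the type the client chose. Which
    types to honour is the application's call; an unknown type is rejected."""
    raw = base64.b64decode(c_attr)
    hdr = gs2_header.encode()
    if not raw.startswith(hdr):
        return False, "gs2-header mismatch"
    cb = cb_type_of(gs2_header)
    if cb is None:
        return raw == hdr, "no channel binding"
    if cb not in server_cb:
        return False, "unsupported channel binding " + cb
    # constant-time compare; a TLS-terminating middlebox yields different bytes
    return hmac.compare_digest(raw[len(hdr):], server_cb[cb]), cb
```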