Age | Commit message (Collapse) | Author | Files | Lines |
|
* Noteworthy changes in release 2.0.1 (2022-07-15) [stable]
** Support for the libgssglue GSS-API library were added.
We encourage you to build with libgssglue, as that allows system
administrators and end-users to chose between MIT Kerberos, Heimdal
and GNU GSS during run-time. Read about the background here:
https://blog.josefsson.org/2022/07/14/towards-pluggable-gss-api-modules/
** GSSAPI client: don't use AUTHID as fallback for AUTHZID.
The code historically used the AUTHID as authorization identity, but
in 2012 we changed it to first query for AUTHZID, and only if that is
not available, fall back to using AUTHID as the authorization
identity. The change was not released until version 1.8.1 on
2019-08-02, when it was properly documented to be removed 'after the
year 2012'. While documented behaviour, this seems like just
surprising behaviour and we now finally make the change.
** GSSAPI server: don't set AUTHZID to empty string when absent.
The GSS-API SASL protocol does not differentiate between an absent
authorization identity and an authorization identity that is the empty
string. Previously libgsasl would set it to the empty string but now
it is set to NULL. The manual explains that this is a protocol
limitation.
** The examples/smtp-server.c now supports GSSAPI/GS2-KRB5.
The example is used during CI/CD testing of GNU SASL and thus it made
sense to extend it. Some bugs related to getline error conditions
were also fixed.
** GSSAPI server: Fix out-of-bounds read.
A malicious client can after it has authenticated with Kerberos send a
specially crafted message that causes Libgsasl to read out of bounds
and cause a crash in the server.
* Noteworthy changes in release 2.0.0 (2022-06-20) [stable]
** Compared to last stable branch 1.10.x the 2.0.0 release
** drops all obsolete APIs, drops the abandoned KERBEROS_V5 mechanism,
** stops shipping a separate tarball for only the library, adds new APIs
** gsasl_mechanism_name_p() and gsasl_property_free().
Numerous other translation improvements, code cleanups, bug fixes,
documentation additions, build improvements and portability
enhancements were made as well.
|
|
|
|
All checksums have been double-checked against existing RMD160 and
SHA512 hashes
Unfetchable distfiles (fetched conditionally?):
./security/cyrus-sasl/distinfo cyrus-sasl-dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d.patch.v2
|
|
its buildlink3.mk now includes openssl's buildlink3.mk
|
|
|
|
|
|
|
|
* Version 1.10.0 (released 2021-01-01) [stable]
** This is a new major stable release. Brief changes compared to 1.8.x:
*** SCRAM-SHA-256 and SCRAM-SHA-256-PLUS support per RFC 7677.
*** SCRAM supports password-less usage (StoredKey/ServerKey).
*** New 'gsasl --mkpasswd' command to prepare SCRAM salted/hashed passwords.
*** Final warning that obsolete APIs will be removed.
*** Various cleanups, portability and other bug fixes.
See the entries in NEWS and lib/NEWS covering the 1.9.x branch for details.
* Version 1.9.3 (released 2021-01-01) [beta]
** Fix build/portability problems. GnuTLS >= 3.4 is required.
Thanks to Bruno Haible for reports.
* Version 1.9.2 (released 2020-12-24) [beta]
** gsasl: Don't abort command on some exepected TLS events (for TLS 1.3).
Patch from Enrico Scholz <enrico.scholz@sigma-chemnitz.de> in:
https://lists.gnu.org/archive/html/help-gsasl/2020-08/msg00000.html
** gsasl: Use GnuTLS system trust settings by default for X.509 server
** certificate validation.
Before it was documented behaviour that unless --x509-ca-file was
used, no verification of the server-side certificate was performed.
Now instead it will use the system trust settings, which on properly
configured systems results in verification of the server certificate.
As a result, you may now start to get server certificate verification
errors in situations where you didn't expect them. Use --x509-ca-file
with the empty string ("") as a file name to use the old behaviour to
not abort on server certificate verification failures.
** SCRAM, GS2 and GSSAPI retrieve properties later in
** the authentication process.
Before the property GSASL_CB_TLS_UNIQUE was retrieved during SCRAM
gsasl_client_start() and gsasl_server_start(), and the properties
GSSAPI_SERVICE and GSSAPI_HOSTNAME was retrived during GS2/GSSAPI
gsasl_server_start(). Now they are retrieved during the first call to
gsasl_step().
The only user-visible impact of this should be that 'gsasl
--client-mechanisms' and 'gsasl --server-mechanisms' will now not
query for parameters before giving a list of supported mechanisms,
which arguable gives a better user experience. The downside of this
is that SCRAM-*-PLUS, GS2 and GSSAPI may be advertised even though
completing the server mechanism may not complete.
The problem with calling callbacks in the start() function is that the
callback will have no per-session context at that point, only a global
context, so the only way to give per-session unique callback responses
is to use a separate global handle per session. This was discovered
in the Exim implementation of gsasl with SCRAM that used to request
the GSASL_CB_TLS_UNIQUE property in the start() function. After
noticing this design issue, and writing this self test, it was
discovered that it also happened for the GSSAPI/GS2 server (not
client) mechanism for the GSASL_SERVICE and GSASL_HOSTNAME properties.
Thanks to Jeremy Harris for noticing the problem and discussion, see
https://lists.gnu.org/archive/html/help-gsasl/2020-01/msg00035.html
** gsasl: The --mkpasswd output format follows Dovecot 'doveadm pw'.
** Filenames of images in the manual are now prefixed with 'gsasl-'.
This makes /usr/share/info more understandable, and it is suggested by
at least Debian to do this in upstream.
** Build changes.
Some more compiler warnings used and code fixed. Improved ./configure
diagnostics.
* Version 1.9.1 (released 2020-01-14) [beta]
** gsasl: New --mkpasswd argument to prepare salted/hashed passwords.
Currently mechanisms SCRAM-SHA-1 and SCRAM-SHA-256 are supported. New
parameter --iteration-count to indicate number of PBKDF2 rounds,
default being 65536. New parameter --salt to specify PBKDF2 salt.
* Version 1.9.0 (released 2020-01-03) [beta]
** Client and server support for SCRAM-SHA-256 and SCRAM-SHA-256-PLUS.
** gsasl: If PORT argument is "587" or "submission", SMTP mode is used.
Further, unrecognized PORT arguments will now on raise an error to
specify --smtp or --imap.
|
|
* Version 1.8.1 (released 2019-08-02) [stable]
** gsasl: IMAP client code now permits empty SASL tokens prefixed with '+'.
Normally servers should send '+ '. Buggy servers include Microsoft
Exchange. Reported by Adam Sjøgren.
** GSSAPI client: Now retrieves GSASL_AUTHZID for authorization identity.
** GSSAPI client: Can now transmit an empty/missing authorization identity.
See lib/NEWS for more information.
** Build fixes.
Update of gnulib, including how it is bootstrapped.
** i18n: Updated translations.
|
|
|
|
|
|
pkglint --only "https instead of http" -r -F
With manual adjustments afterwards since pkglint 19.4.4 fixed a few
indentations in unrelated lines.
This mainly affects projects hosted at SourceForce, as well as
freedesktop.org, CTAN and GNU.
|
|
|
|
|
|
|
|
|
|
|
|
Problems found locating distfiles:
Package f-prot-antivirus6-fs-bin: missing distfile fp-NetBSD.x86.32-fs-6.2.3.tar.gz
Package f-prot-antivirus6-ws-bin: missing distfile fp-NetBSD.x86.32-ws-6.2.3.tar.gz
Package libidea: missing distfile libidea-0.8.2b.tar.gz
Package openssh: missing distfile openssh-7.1p1-hpn-20150822.diff.bz2
Package uvscan: missing distfile vlp4510e.tar.Z
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
|
|
|
|
|
|
|
|
are replaced with .include "../../devel/readline/buildlink3.mk", and
USE_GNU_READLINE are removed,
* .include "../../devel/readline/buildlink3.mk" without USE_GNU_READLINE
are replaced with .include "../../mk/readline.buildlink3.mk".
|
|
|
|
|
|
|
|
This is a new major stable release. Brief changes compared to 1.6.x:
* SAML20 support following RFC 6595.
* OPENID20 support following RFC 6616.
* Added SMTP server examples (for e.g., SCRAM, SAML20, OPENID20).
* Various cleanups, portability and other bug fixes.
See the NEWS entries during the 1.7.x branch for details.
|
|
gss-extra.c fails compilation on DragonFly:
line 43: error: unexpected identifier or '(' before '&' token
It's on code that is only intended for a windows target. Gentoo patched
it by wrapping it in "if (defined _WIN32 || defined __WIN32__)" macro
which is effectively the same is deleting the definition completely,
which is what is being done here.
|
|
* build: Demand gettext >= 0.18.1 in order to get newer M4 files.
The old M4 files associated with 0.17 caused problems on Solaris,
which will hopefully be fixed with this.
* doc: Typo fix in autoconf snippet.
* i18n: Updated translations.
|
|
|
|
|
|
Changes since 1.1:
** gsasl: Add --no-cb to disable use of TLS channel bindings.
** build: Use silent build rules via automake.
Use 'make V=99' to see the command lines used.
** Update gnulib files.
** gsasl: Support for TLS channel bindings.
Requires GnuTLS 2.11.4 or later for the gnutls_session_channel_binding
function. Used by the SCRAM-SHA-1-PLUS mechanism.
** doc: Mention new property GSASL_CB_TLS_UNIQUE and SCRAM-SHA-1-PLUS.
** tests: Added self-tests for SCRAM-SHA-1-PLUS.
** gsasl: Avoid fixed size buffers.
This caused problems on Windows where the BUFSIZ was too small for
some line lengths with GS2-KRB5.
** tests: Fix error strings to be more unique.
** doc: Added section on how to build with MIT Kerberos for Windows.
** doc: Added PDF version of API reference manual.
See doc/reference/gsasl.pdf.
** i18n: Updated translations.
Thanks to Benno Schulenberg.
** doc: Explain GS2-related changes.
** doc: GTK-DOC manual improved.
Now almost all symbols and types are explained.
** gsasl: Fix crash when getaddrinfo does not get a canonical name.
** gsasl: Improve error message when server rejects authentication.
** tests: Self checks are improved.
** gsasl: Improve application data throughput.
Patch from Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de> in
<http://thread.gmane.org/gmane.comp.gnu.gsasl.general/256>.
** Improve MinGW builds.
** doc: Fix doc/cyclo/ output.
** tests/crypto: Also test newly added SHA-1 interfaces.
** tests/scram: Also test GSASL_SCRAM_SALTED_PASSWORD case.
This code path triggered a crash in v1.3.
** i18n: Added Finnish translation.
Thanks to Jorma Karvonen <karvonen.jorma@gmail.com>.
** Experimental support for SCRAM-SHA-1 added.
Please test it but don't put it into production use, the RFC have not
been finalized yet. For this reason, the mechanism priority list is
such that SCRAM-SHA-1 will never be selected over any other mechanism
(including PLAIN, CRAM-MD5, and DIGEST-MD5). When it has been tested
further, we'll make SCRAM-SHA-1 the preferred mechanism after GSSAPI.
** gsasl: Fix libintl-related build errors on MinGW.
Tiny patch from "carlo.bramix" <carlo.bramix@libero.it>.
** doc: Typo fixes to manual.
Based on report by Marco Maggi <marco.maggi-ipsu@poste.it> in
<http://thread.gmane.org/gmane.comp.gnu.gsasl.general/222>.
** tests: Rewrite basic self test using modern API.
** tests: New self-test 'crypto' to increase code coverage.
** gsasl: Fix out of bounds write when in IMAP/SMTP mode.
Reported by Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de> in
<http://thread.gmane.org/gmane.comp.gnu.gsasl.general/230>.
** doc: Rewritten introduction material.
** doc: Improved sections for the info manual.
We now follow the advice given by the texinfo manual on which
directory categories to use. In particular, libgsasl moved from the
'GNU Libraries' section to the 'Software libraries' as GNU SASL, and
'Invoking gsasl' moved from 'GNU utilities' to 'Security'.
** examples: Removed unneeded 'ctx' parameter from client_authenticate.
** Building with many warning flags now requires --enable-gcc-warnings.
This avoids crying wolf for normal compiles.
** New configure parameters to set packaging specific information.
The parameters are --with-packager, --with-packager-version, and
--with-packager-bug-reports. See
<http://article.gmane.org/gmane.comp.lib.gnulib.bugs/17791> for more
details.
|
|
|
|
|
|
|
|
* Reading integrity protected data from server now works.
* The --quality-of-protection parameter now works.
* Only detect sufficiently recent GnuTLS versions.
Changes 1.0:
* New parameter --priority to specify GnuTLS priority strings.
* Print web page links in --help, per new GNU coding standard.
* New self-test for the gsasl_client_suggest_mechanism function.
* Modernize doxygen configuration.
* Use permissive license for man pages.
* Change license on the manual to GFDLv1.3+.
|
|
major change.
Reported by Robert Elz in PR 41345.
|
|
This changes the buildlink3.mk files to use an include guard for the
recursive include. The use of BUILDLINK_DEPTH, BUILDLINK_DEPENDS,
BUILDLINK_PACKAGES and BUILDLINK_ORDER is handled by a single new
variable BUILDLINK_TREE. Each buildlink3.mk file adds a pair of
enter/exit marker, which can be used to reconstruct the tree and
to determine first level includes. Avoiding := for large variables
(BUILDLINK_ORDER) speeds up parse time as += has linear complexity.
The include guard reduces system time by avoiding reading files over and
over again. For complex packages this reduces both %user and %sys time to
half of the former time.
|
|
* gsasl: Don't use poll with POLLOUT to avoid busy-waiting.
* doc: Error codes are now extracted using official library APIs.
* doc: Included cyclomatic code complexity charts of the library code.
* tests: Add self test of obsolete base64 functions.
* Update gnulib files. Improves Windows compatibility.
|
|
* Rewrite to use poll instead of select.
* Improve Windows installation instructions in the manual.
* tests: New self test of gsasl_mechanism_name function.
|
|
* Fix SASL operations through TLS.
* Update gnulib files, and include gnulib self-tests.
* Update translations.
|
|
Based on patch provided by Eric Schnoebelen in PR 38692.
While here, marked as DESTDIR support.
Also fix CONFIGURE option for GSSAPI implement (I don't know from when).
* Version 0.2.26 (released 2008-05-05)
** Translations files not stored directly in git to avoid merge conflicts.
This allows us to avoid use of --no-location which makes the
translation teams happier.
** Build fixes for the documentation.
** Update gnulib files.
* Version 0.2.25 (released 2008-03-10)
** gsasl: Fix buffering issue to avoid mixing stdout/stderr outputs.
This would manifest itself when redirecting output to a pipe, such as
when used with Gnus. Reported by Enrico Scholz
<enrico.scholz@informatik.tu-chemnitz.de>, see
<http://thread.gmane.org/gmane.comp.gnu.gsasl.general/123>.
** Fix non-portable use of brace expansion in makefiles.
* Version 0.2.24 (released 2008-01-15)
** Link self-tests with gnulib, to fix link failures under MinGW.
* Version 0.2.23 (released 2008-01-15)
** Improve CRAM-MD5 self-test to detect if challenges are the same.
** Improve gsasl --help and --version to conform with GNU standards.
** Use gettext 0.17.
** Update gnulib files.
* Version 0.2.22 (released 2007-10-08)
** Development git tree moved to savannah.
See <https://savannah.gnu.org/projects/gsasl/>.
** Fix warnings when building the tool 'gsasl'.
** Update gnulib files.
|
|
|
|
* Fix typos in manual.
* Update gnulib files.
|
|
affected packages.
|
|
* Version 0.2.15 (released 2006-08-22)
** Changed libgsasl shared library version.
The shared library version was not incremented correctly in the last
release, even though new APIs were added.
* Version 0.2.14 (released 2006-08-19)
** New section "Requirements" in the manual, lists the external components.
Suggested by James Mansion.
** Update of gnulib files.
* Version 0.2.13 (released 2006-06-14)
** Update of gnulib files.
Further improves portability to MinGW.
** Various improvements in the manuals.
** The tests are run under valgrind, if it is installed.
Use --disable-valgrind-tests to unconditionally disable this. It is
disabled by default for cross compiles.
** Various minor fixes.
* Version 0.2.12 (released 2006-03-08)
** Update of gnulib files.
Improves portability to Mingw32.
* Version 0.2.11 (released 2006-02-07)
** Ported to Windows by cross-compiling using Mingw32.
Using Debian's mingw32 compiler, you can build it for Windows by invoking
`./configure --host=i586-mingw32msvc --disable-gssapi'.
** Update of gnulib files.
* Version 0.2.10 (released 2005-10-23)
** Work around bug in GnuTLS that made the command line tool exit after
** failing to write a zero length message to the peer.
** Don't use GnuTLS if gnutls_certificate_verify_peers2 isn't present.
** Update of gnulib files.
* Version 0.2.9 (released 2005-10-07)
** Update of gnulib files.
* Version 0.2.8 (released 2005-09-08)
** The gsasl tool now support STARTTLS for IMAP and SMTP using GnuTLS.
** The --client and --server parameters for the gsasl tool now work properly.
** The --client and --server stdin/stdout modes now use the readline library.
** Fixed build problems in getpass on uClibc and Mingw32 platforms.
** Kinyarwanda translation added.
* Version 0.2.7 (released 2005-08-25)
** Fix build problems when cross-compiling to uClibc and Mingw32 platforms.
** Detecting and using the readline library has been improved.
* Version 0.2.6 (released 2005-08-08)
** The gsasl tool now try to connect to all addresses for a server name.
** The help-gsasl@gnu.org mailing list is now mentioned in documentation.
** The license template in files were updated with the new FSF address.
** Update of gnulib files.
|
|
and add a new helper target and script, "show-buildlink3", that outputs
a listing of the buildlink3.mk files included as well as the depth at
which they are included.
For example, "make show-buildlink3" in fonts/Xft2 displays:
zlib
fontconfig
iconv
zlib
freetype2
expat
freetype2
Xrender
renderproto
|
|
of the order in which buildlink3.mk files are (recursively) included
by a package Makefile.
|
|
PKGLOCALEDIR and which install their locale files directly under
${PREFIX}/${PKGLOCALEDIR} and sort the PLIST file entries. From now
on, pkgsrc/mk/plist/plist-locale.awk will automatically handle
transforming the PLIST to refer to the correct locale directory.
|
|
USE_TOOLS+=msgfmt.
|
|
that they look nicer.
|