Test: gsasl, libgsasl{18,-common,-devel,-doc} 2.2 (TEST)

Cygwin gsasl Maintainer Brian.Inglis@SystematicSW.ab.ca
Tue Nov 1 19:41:11 GMT 2022


The following packages have been uploaded for testing in Cygwin:

* gsasl			2.2
* libgsasl18		2.2
* libgsasl-common	2.2
* libgsasl-devel	2.2
* libgsasl-doc		2.2

GNU SASL is an implementation of the Simple Authentication and Security
Layer (SASL) framework, consisting of a library with several plugins,
and command-line application.

For more information see the project home page:

	https://www.gnu.org/software/gsasl/

See below or read /usr/share/doc/gsasl/NEWS after installation for
a summary of changes since the last Cygwin release, or read
/usr/share/doc/gsasl/ChangeLog after installation for details.

Please test these packages as extensively as possible (especially if you
are a Cygwin package maintainer) as this library skipped a few versions,
although it is used by libcurl, and that is used in many libraries and
utilities.
Package maintainers should install this test release and rerun checks of
as many libraries and packages depending on libcurl as possible.
A test release of lib/curl 7.86 is also available.

Checks of curl itself after installing these packages run with no issues.
I have it locally installed so it is getting used by commands, scripts,
cron jobs, and cygport builds, and has been getting frequent exercise
with no apparent issues so far.
If no issues are reported within a couple of weeks the package will be
upgraded to current.


Noteworthy changes in release 2.2.0	2022-09-03

* Fix build error with too old GnuTLS.

* Tests: New tests/gsasl-mailutils-tls.sh.
  It performs integration checks between GNU SASL and GNU MailUtils
  imapd with TLS enabled, thereby testing TLS support in the 'gsasl'
  command line tool.

* Various minor bug fixes and improvements.
  Mainly to pacify improved CI/CD checking.


Noteworthy changes in release 2.1.1	    2022-08-16 [beta]

* Tests: New tests/gsasl-mailutils-gs2krb5-gssapi.sh.
  It performs integration checks between GNU SASL and GNU MailUtils imapd
  (GSSAPI and GS2-KRB5). They can be used externally from the GNU SASL
  build environment to perform system integration tests, see
  .gitlab-ci.yml for inspiration.

* Various minor bug fixes and improvements.
  Fix two crashes in 'gsasl' introduced in 2.1.0.


Noteworthy changes in release 2.1.0	2022-08-05 [beta]

* Support new "tls-exporter" channel binding.
  The "tls-exporter" channel binding is specified in RFC 9266
  <https://datatracker.ietf.org/doc/html/rfc9266>. Now we can support
  SCRAM-*-PLUS over TLS 1.3 channels, and address some of the security
  problems with "tls-unique".
  The library adds a new callback property GSASL_CB_TLS_EXPORTER and the
  error code GSASL_NO_CB_TLS_EXPORTER. These are documented in the manual.
  The 'gsasl' command-line tool sets it if the system GnuTLS has
  GNUTLS_CB_TLS_EXPORTER, which was introduced with GnuTLS 3.7.2
  released on 2021-05-29.

* SCRAM: Support for "tls-exporter".
  The SCRAM client will now query the application for
  GSASL_CB_TLS_EXPORTER before it queries for GSASL_CB_TLS_UNIQUE. Supply
  it to support TLS 1.3. The SCRAM server will query the application for
  the channel binding type requested by the client (tls-unique or
  tls-exporter), and it is up to the application to decide what to do.
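
As an added illustration for the two items above (not code from GNU SASL or
the Cygwin package), the following Python reimplements what the new
GSASL_CB_TLS_EXPORTER property carries and how a SCRAM-*-PLUS exchange
consumes it: the RFC 9266 "tls-exporter" value is the TLS 1.3 exporter of
RFC 8446 with label "EXPORTER-Channel-Binding", an empty context and 32 bytes
of output; the client base64-encodes it together with its gs2-header into
the c= attribute, and the server recomputes the same value from its own TLS
session and rejects a mismatch. The exporter master secret is a constructed
sample and SHA-256 is assumed as the cipher-suite hash (a SHA-384 suite
changes the hash, not the 32-byte output length).

```python
import base64
import hashlib
import hmac
import struct

def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str) -> bytes:
    """HKDF-Expand (RFC 5869) with the hash of the TLS cipher suite."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int, hash_name: str) -> bytes:
    """HKDF-Expand-Label (RFC 8446, 7.1): the info field is the HkdfLabel structure."""
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack("!H", length) + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length, hash_name)

def tls13_exporter(exporter_master_secret: bytes, label: bytes, context: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """TLS-Exporter (RFC 8446, 7.5), keyed by the session's exporter_master_secret."""
    digest_size = hashlib.new(hash_name).digest_size
    empty_transcript = hashlib.new(hash_name, b"").digest()  # Transcript-Hash("")
    derived = hkdf_expand_label(exporter_master_secret, label, empty_transcript, digest_size, hash_name)
    return hkdf_expand_label(derived, b"exporter", hashlib.new(hash_name, context).digest(), length, hash_name)

def tls_exporter_channel_binding(exporter_master_secret: bytes, hash_name: str = "sha256") -> bytes:
    """'tls-exporter' (RFC 9266): label EXPORTER-Channel-Binding, empty context, 32 bytes.
    This is what the gsasl tool gets from GnuTLS (GNUTLS_CB_TLS_EXPORTER) and passes as GSASL_CB_TLS_EXPORTER."""
    return tls13_exporter(exporter_master_secret, b"EXPORTER-Channel-Binding", b"", 32, hash_name)

def scram_plus_c_attribute(cb_data: bytes, authzid: str = "") -> str:
    """client-final-message 'c=' value (RFC 5802): base64(gs2-header || cbind-data)."""
    gs2_header = ("p=tls-exporter,a=%s," % authzid if authzid else "p=tls-exporter,,").encode()
    return base64.b64encode(gs2_header + cb_data).decode()

def server_verify_c_attribute(c_value: str, server_cb_data: bytes, authzid: str = "") -> bool:
    """Server side: rebuild cbind-input from the server's own TLS session and compare in constant time.
    A mismatch means the SASL exchange did not take place over this TLS session."""
    return hmac.compare_digest(c_value.encode(), scram_plus_c_attribute(server_cb_data, authzid).encode())

# Constructed sample; a real exporter_master_secret comes out of the TLS 1.3 handshake.
SAMPLE_EXPORTER_MASTER_SECRET = hashlib.sha256(b"constructed sample, not a real TLS secret").digest()

if __name__ == "__main__":
    cb = tls_exporter_channel_binding(SAMPLE_EXPORTER_MASTER_SECRET)
    c_attr = scram_plus_c_attribute(cb)
    print("tls-exporter =", cb.hex(), "c=" + c_attr, "verified:", server_verify_c_attribute(c_attr, cb))
```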

* SCRAM: Fix memory leaks on incremental application usage.
  See tests/scram-incremental.c for application behaviour that triggers
  the leaks. We run valgrind --leak-check=full to catch future
  regressions.

* Tests: New tests/gsasl-dovecot-gssapi.sh & tests/gsasl-mailutils-cram.sh.
  These perform integration checks between GNU SASL and Dovecot
  (GSS-API) and GNU MailUtils imapd (CRAM-MD5, DIGEST-MD5, SCRAM-SHA-*).
  They can be used externally from the GNU SASL build environment to
  perform system integration tests, see .gitlab-ci.yml for inspiration.

* API and ABI modifications.
  GSASL_CB_TLS_EXPORTER: Added.
  GSASL_NO_CB_TLS_EXPORTER: Added.


Noteworthy changes in release 2.0.1	2022-07-15

* Support for the libgssglue GSS-API library was added.
  We encourage you to build with libgssglue, as that allows system
  administrators and end-users to choose between MIT Kerberos, Heimdal
  and GNU GSS during run-time. Read about the background here:
  https://blog.josefsson.org/2022/07/14/towards-pluggable-gss-api-modules/

* GSSAPI client: don't use AUTHID as fallback for AUTHZID.
  The code historically used the AUTHID as authorization identity, but
  in 2012 we changed it to first query for AUTHZID, and only if that is
  not available, fall back to using AUTHID as the authorization
  identity. The change was not released until version 1.8.1 on
  2019-08-02, when it was properly documented to be removed 'after the
  year 2012'. While this was documented behaviour, it is nonetheless
  surprising behaviour, and we now finally make the change.

* GSSAPI server: don't set AUTHZID to empty string when absent.
  The GSS-API SASL protocol does not differentiate between an absent
  authorization identity and an authorization identity that is the empty
  string. Previously libgsasl would set it to the empty string but now
  it is set to NULL. The manual explains that this is a protocol
  limitation.

* The examples/smtp-server.c now supports GSSAPI/GS2-KRB5.
  The example is used during CI/CD testing of GNU SASL and thus it made
  sense to extend it. Some bugs related to getline error conditions were
  also fixed.

* GSSAPI server: Fix out-of-bounds read.
  A malicious client can, after it has authenticated with Kerberos, send
  a specially crafted message that causes Libgsasl to read out of bounds
  and crash the server.


Noteworthy changes in release 2.0.0	2022-06-20

* Drops all obsolete APIs and the abandoned KERBEROS_V5 mechanism.

* Stops shipping a separate tarball for only the library.

* Adds new APIs gsasl_mechanism_name_p() and gsasl_property_free().

  Numerous other translation improvements, code cleanups, bug fixes,
  documentation additions, build improvements and portability
  enhancements were made as well.


Noteworthy changes in release 1.11.3	2022-06-13 [beta]

* libgsasl: Fix substring prefix bug in gsasl_client_suggest_mechanism.

* libgsasl: Fix GSSAPI client encode/decode memory buffer length bug.

* libgsasl: Fix DIGEST-MD5 compiler warnings.

* libgsasl: Rename gsasl_is_mechanism_name_valid to gsasl_mechanism_name_p.
  For better sorting of public APIs and consistency with other *_p
  function name usage.

* Various cleanups, build/bug fixes and portability improvements.


Noteworthy changes in release 1.11.2	2021-10-25 [beta]

* libgsasl: New API gsasl_is_mechanism_name_valid().
  This can be used to check if a mechanism name string is valid, i.e.,
  validate string length and characters used.  This function is the
  recommended upgrade path for code using
  GSASL_VALID_MECHANISM_CHARACTERS, in the majority of use-cases.

* libgsasl: The following variables have been removed:
  GSASL_VALID_MECHANISM_CHARACTERS: The reason for removing this is that
  exporting static global variables from shared libraries has
  portability concerns, and this is not a widely used variable anyway.

* Various cleanups, build/bug fixes and portability improvements.


Noteworthy changes in release 1.11.1	2021-01-19 [alpha]

* New header gsasl-version.h is now installed.

* Deprecated enum Gsasl_cipher removed (forgotten in last release).

* Fix symbol versioning.
  The goal of the 1.11.x branch is now to release 2.0.0.


Noteworthy changes in release 1.11.0	2021-01-07 [alpha]

* Stop shipping a separate tarball for libgsasl.
  This allowed us to avoid a second lib/configure script.

* Build modernization.
  Among other improvements, gsasl now uses gnulib's bootstrap script for
  building from git; see README-hacking (in git) for more information.

* The KERBEROS_V5 mechanism was removed.
  It has not been enabled by default and was never standardized nor
  widely deployed.

* Lasso is no longer an optional dependency.
  It was only used for building the 'gsasl-saml20-request' helper-tool
  for the example code for the SAML20 mechanism. The example is still
  shipped as part of this package, but the helper tool will now have to
  be built manually by anyone interested in this.

* Functions gsasl_property_set() and gsasl_property_set_raw() now
  return GSASL_MALLOC_ERROR on memory allocation errors.
  Updating code to use the return value is not critical. Everything will
  continue to work the same as before if you ignore the return value --
  that is, if a property had to be set successfully for the mechanism to
  proceed, and a memory allocation failure happened to occur while
  setting it, the application will get an error message later on about
  the missing property.

  If you want to support both new and old library versions, to report
  memory allocation errors as such, you may use a construct like this:

  #if GSASL_VERSION_NUMBER >= 0x010b00
     res =
  #endif
     gsasl_property_set (sctx, GSASL_AUTHID, "simon");
  #if GSASL_VERSION_NUMBER >= 0x010b00
     if (res != GSASL_OK)
       return res;
  #endif

  You may put this in a wrapper function to avoid repeating the
  construct elsewhere in your code.

  The function signatures are modified: before, the return value was
  'void'; now it is 'int'. The shared library version has been
  incremented.

* New API gsasl_property_free().
  This is used to deallocate resources associated with a property.

* All deprecated interfaces have been removed.

* The following functions have been removed:
  gsasl_appinfo_get
  gsasl_appinfo_set
  gsasl_application_data_get
  gsasl_application_data_set
  gsasl_base64_decode
  gsasl_base64_encode
  gsasl_client_application_data_get
  gsasl_client_application_data_set
  gsasl_client_callback_anonymous_get
  gsasl_client_callback_anonymous_set
  gsasl_client_callback_authentication_id_get
  gsasl_client_callback_authentication_id_set
  gsasl_client_callback_authorization_id_get
  gsasl_client_callback_authorization_id_set
  gsasl_client_callback_maxbuf_get
  gsasl_client_callback_maxbuf_set
  gsasl_client_callback_passcode_get
  gsasl_client_callback_passcode_set
  gsasl_client_callback_password_get
  gsasl_client_callback_password_set
  gsasl_client_callback_pin_get
  gsasl_client_callback_pin_set
  gsasl_client_callback_qop_get
  gsasl_client_callback_qop_set
  gsasl_client_callback_realm_get
  gsasl_client_callback_realm_set
  gsasl_client_callback_service_get
  gsasl_client_callback_service_set
  gsasl_client_ctx_get
  gsasl_client_finish
  gsasl_client_listmech
  gsasl_client_step
  gsasl_client_step_base64
  gsasl_ctx_get
  gsasl_decode_inline
  gsasl_encode_inline
  gsasl_hmac_md5
  gsasl_hmac_sha1
  gsasl_md5
  gsasl_md5pwd_get_password
  gsasl_randomize
  gsasl_server_application_data_get
  gsasl_server_application_data_set
  gsasl_server_callback_anonymous_get
  gsasl_server_callback_anonymous_set
  gsasl_server_callback_cipher_get
  gsasl_server_callback_cipher_set
  gsasl_server_callback_cram_md5_get
  gsasl_server_callback_cram_md5_set
  gsasl_server_callback_digest_md5_get
  gsasl_server_callback_digest_md5_set
  gsasl_server_callback_external_get
  gsasl_server_callback_external_set
  gsasl_server_callback_gssapi_get
  gsasl_server_callback_gssapi_set
  gsasl_server_callback_maxbuf_get
  gsasl_server_callback_maxbuf_set
  gsasl_server_callback_qop_get
  gsasl_server_callback_qop_set
  gsasl_server_callback_realm_get
  gsasl_server_callback_realm_set
  gsasl_server_callback_retrieve_get
  gsasl_server_callback_retrieve_set
  gsasl_server_callback_securid_get
  gsasl_server_callback_securid_set
  gsasl_server_callback_service_get
  gsasl_server_callback_service_set
  gsasl_server_callback_validate_get
  gsasl_server_callback_validate_set
  gsasl_server_ctx_get
  gsasl_server_finish
  gsasl_server_listmech
  gsasl_server_step
  gsasl_server_step_base64
  gsasl_server_suggest_mechanism
  gsasl_sha1
  gsasl_stringprep_nfkc
  gsasl_stringprep_saslprep
  gsasl_stringprep_trace

* The following declarations have been removed:
  Gsasl_ctx
  Gsasl_session_ctx
  GSASL_CANNOT_GET_CTX
  GSASL_FCLOSE_ERROR
  GSASL_FOPEN_ERROR
  GSASL_GCRYPT_ERROR
  GSASL_INVALID_HANDLE
  GSASL_KERBEROS_V5_INIT_ERROR
  GSASL_KERBEROS_V5_INTERNAL_ERROR
  GSASL_NEED_CLIENT_ANONYMOUS_CALLBACK
  GSASL_NEED_CLIENT_AUTHENTICATION_ID_CALLBACK
  GSASL_NEED_CLIENT_AUTHORIZATION_ID_CALLBACK
  GSASL_NEED_CLIENT_PASSCODE_CALLBACK
  GSASL_NEED_CLIENT_PASSWORD_CALLBACK
  GSASL_NEED_CLIENT_PIN_CALLBACK
  GSASL_NEED_CLIENT_SERVICE_CALLBACK
  GSASL_NEED_SERVER_ANONYMOUS_CALLBACK
  GSASL_NEED_SERVER_CRAM_MD5_CALLBACK
  GSASL_NEED_SERVER_DIGEST_MD5_CALLBACK
  GSASL_NEED_SERVER_EXTERNAL_CALLBACK
  GSASL_NEED_SERVER_GSSAPI_CALLBACK
  GSASL_NEED_SERVER_REALM_CALLBACK
  GSASL_NEED_SERVER_RETRIEVE_CALLBACK
  GSASL_NEED_SERVER_SECURID_CALLBACK
  GSASL_NEED_SERVER_SERVICE_CALLBACK
  GSASL_NEED_SERVER_VALIDATE_CALLBACK
  GSASL_NO_MORE_REALMS
  GSASL_SHISHI_ERROR
  GSASL_TOO_SMALL_BUFFER
  GSASL_UNICODE_NORMALIZATION_ERROR
  Gsasl_client_callback_anonymous
  Gsasl_client_callback_authentication_id
  Gsasl_client_callback_authorization_id
  Gsasl_client_callback_maxbuf
  Gsasl_client_callback_passcode
  Gsasl_client_callback_password
  Gsasl_client_callback_pin
  Gsasl_client_callback_qop
  Gsasl_client_callback_realm
  Gsasl_client_callback_service
  Gsasl_server_callback_anonymous
  Gsasl_server_callback_cipher
  Gsasl_server_callback_cram_md5
  Gsasl_server_callback_digest_md5
  Gsasl_server_callback_external
  Gsasl_server_callback_gssapi
  Gsasl_server_callback_maxbuf
  Gsasl_server_callback_qop
  Gsasl_server_callback_realm
  Gsasl_server_callback_retrieve
  Gsasl_server_callback_securid
  Gsasl_server_callback_service
  Gsasl_server_callback_validate
