Updated: gsasl, libgsasl{18,-common,-devel,-doc} 2.2-2
Cygwin gsasl Maintainer
Brian.Inglis@SystematicSW.ab.ca
Fri Nov 18 18:42:26 GMT 2022
The following packages have been uploaded for testing in Cygwin:
* gsasl 2.2-2
* libgsasl18 2.2-2
* libgsasl-common 2.2-2
* libgsasl-devel 2.2-2
* libgsasl-doc 2.2-2
GNU SASL is an implementation of the Simple Authentication and Security
Layer (SASL) framework, consisting of a library with several plugins
and a command-line application.
For more information see the project home page:
https://www.gnu.org/software/gsasl/
See below or read /usr/share/doc/gsasl/NEWS after installation for
a summary of changes since the last Cygwin release, or read
/usr/share/doc/gsasl/ChangeLog after installation for details.
Cygwin release 2 fixes dependency problems affecting curl and git.
Noteworthy changes in release 2.2.0 2022-09-03
* Fix build error with too old GnuTLS.
* Tests: New tests/gsasl-mailutils-tls.sh.
It performs integration checks between GNU SASL and GNU MailUtils
imapd with TLS enabled, thereby testing TLS support in the 'gsasl'
command line tool.
* Various minor bug fixes and improvements.
Mainly to pacify improved CI/CD checking.
Noteworthy changes in release 2.1.1 2022-08-16 [beta]
* Tests: New tests/gsasl-mailutils-gs2krb5-gssapi.sh.
It performs integration checks between GNU SASL and GNU MailUtils imapd
(GSSAPI and GS2-KRB5). It can be used externally from the GNU SASL
build environment to perform system integration tests; see
.gitlab-ci.yml for inspiration.
* Various minor bug fixes and improvements.
Fix two crashes in 'gsasl' introduced in 2.1.0.
Noteworthy changes in release 2.1.0 2022-08-05 [beta]
* Support new "tls-exporter" channel binding.
The "tls-exporter" channel binding is specified in RFC 9266
<https://datatracker.ietf.org/doc/html/rfc9266>. Now we can support
SCRAM-*-PLUS over TLS 1.3 channels, and address some of the security
problems with "tls-unique".
The library adds the new callback property GSASL_CB_TLS_EXPORTER and error
code GSASL_NO_CB_TLS_EXPORTER. These are documented in the manual.
The 'gsasl' command-line tool sets it if the system GnuTLS has
GNUTLS_CB_TLS_EXPORTER, which was introduced with GnuTLS 3.7.2,
released on 2021-05-29.
* SCRAM: Support for "tls-exporter".
The SCRAM client will now query the application for
GSASL_CB_TLS_EXPORTER before it queries for GSASL_CB_TLS_UNIQUE. Supply
it to support TLS 1.3. The SCRAM server will query the application for
the channel binding type requested by the client (tls-unique or
tls-exporter), and it is up to the application to decide what to do.
* SCRAM: Fix memory leaks on incremental application usage.
See tests/scram-incremental.c for the application behaviour that triggers
the leaks. We run valgrind --leak-check=full to catch future
regressions.
* Tests: New tests/gsasl-dovecot-gssapi.sh & tests/gsasl-mailutils-cram.sh.
These perform integration checks between GNU SASL and Dovecot
(GSS-API) and GNU MailUtils imapd (CRAM-MD5, DIGEST-MD5, SCRAM-SHA-*).
They can be used externally from the GNU SASL build environment to
perform system integration tests, see .gitlab-ci.yml for inspiration.
* API and ABI modifications.
GSASL_CB_TLS_EXPORTER: Added.
GSASL_NO_CB_TLS_EXPORTER: Added.
Noteworthy changes in release 2.0.1 2022-07-15
* Support for the libgssglue GSS-API library was added.
We encourage you to build with libgssglue, as that allows system
administrators and end-users to choose between MIT Kerberos, Heimdal
and GNU GSS at run-time. Read about the background here:
https://blog.josefsson.org/2022/07/14/towards-pluggable-gss-api-modules/
* GSSAPI client: don't use AUTHID as fallback for AUTHZID.
The code historically used the AUTHID as authorization identity, but
in 2012 we changed it to first query for AUTHZID, and only if that is
not available, fall back to using AUTHID as the authorization
identity. The change was not released until version 1.8.1 on
2019-08-02, when it was properly documented to be removed 'after the
year 2012'. While documented behaviour, this seems like just
surprising behaviour and we now finally make the change.
* GSSAPI server: don't set AUTHZID to empty string when absent.
The GSS-API SASL protocol does not differentiate between an absent
authorization identity and an authorization identity that is the empty
string. Previously libgsasl would set it to the empty string but now
it is set to NULL. The manual explains that this is a protocol
limitation.
* The examples/smtp-server.c now supports GSSAPI/GS2-KRB5.
The example is used during CI/CD testing of GNU SASL and thus it made
sense to extend it. Some bugs related to getline error conditions were
also fixed.
* GSSAPI server: Fix out-of-bounds read.
A malicious client can after it has authenticated with Kerberos send a
specially crafted message that causes Libgsasl to read out of bounds
and cause a crash in the server.
Noteworthy changes in release 2.0.0 2022-06-20
* This release drops all obsolete APIs, drops the abandoned KERBEROS_V5
mechanism, stops shipping a separate tarball for only the library, and
adds the new APIs gsasl_mechanism_name_p() and gsasl_property_free().
Numerous other translation improvements, code cleanups, bug fixes,
documentation additions, build improvements and portability
enhancements were made as well.
Noteworthy changes in release 1.11.3 2022-06-13 [beta]
* libgsasl: Fix substring prefix bug in gsasl_client_suggest_mechanism.
* libgsasl: Fix GSSAPI client encode/decode memory buffer length bug.
* libgsasl: Fix DIGEST-MD5 compiler warnings.
* libgsasl: Rename gsasl_is_mechanism_name_valid to gsasl_mechanism_name_p.
For better sorting of public APIs and consistency with other *_p
function name usage.
* Various cleanups, build/bug fixes and portability improvements.
Noteworthy changes in release 1.11.2 2021-10-25 [beta]
* libgsasl: New API gsasl_is_mechanism_name_valid().
This can be used to check if a mechanism name string is valid, i.e.,
validate string length and characters used. This function is the
recommended upgrade path for code using
GSASL_VALID_MECHANISM_CHARACTERS, in the majority of use-cases.
* libgsasl: The following variables have been removed:
GSASL_VALID_MECHANISM_CHARACTERS: The reason for removing this is that
exporting static global variables from shared libraries has
portability concerns, and this is not a widely used variable anyway.
* Various cleanups, build/bug fixes and portability improvements.
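The two mechanism-name items above (the 1.11.3 fix for substring prefix matching in gsasl_client_suggest_mechanism, and the 1.11.2 replacement of GSASL_VALID_MECHANISM_CHARACTERS by a name-validation function) are about the same small piece of logic: checking that a mechanism name is well formed, and matching it against a server's offered list as a whole token rather than as a prefix. The following is an added stand-alone C example written for this announcement; it is not libgsasl code and does not call the library. It reimplements the RFC 4422 mechanism-name syntax (1 to 20 characters from uppercase ASCII letters, digits, '-' and '_') and a whole-token matcher, so it can be used to sanity-check a server's capability list in code that must also run against older libgsasl versions without gsasl_mechanism_name_p(). The function names, the sample server list and the preference order are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 4422 section 3.1: a SASL mechanism name is 1 to 20 characters, each
   an uppercase ASCII letter, a digit, '-' or '_'. Name is an assumption of
   this example; it is not the library's gsasl_mechanism_name_p(). */
bool mech_name_valid(const char *name)
{
    if (name == NULL)
        return false;
    size_t len = strlen(name);
    if (len == 0 || len > 20)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char) name[i];
        if (!((c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
              || c == '-' || c == '_'))
            return false;
    }
    return true;
}

/* True if 'mech' occurs as a complete, space-delimited token in 'list'.
   A strncmp()-style prefix test would accept "SCRAM-SHA-1" when the list
   only offers "SCRAM-SHA-1-PLUS"; comparing token length and bytes avoids
   selecting a mechanism the peer never advertised. */
bool mech_in_list(const char *list, const char *mech)
{
    size_t mlen = strlen(mech);
    const char *p = list;
    while (*p) {
        while (*p == ' ')
            p++;
        const char *end = p;
        while (*end && *end != ' ')
            end++;
        if ((size_t) (end - p) == mlen && memcmp(p, mech, mlen) == 0)
            return true;
        p = end;
    }
    return false;
}

/* Pick the first client-preferred mechanism that is syntactically valid and
   offered by the server (space-separated list, e.g. from an IMAP CAPABILITY
   response). Returns NULL when nothing acceptable is offered. */
const char *suggest_mechanism(const char *server_list,
                              const char *const *preferred, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (!mech_name_valid(preferred[i]))
            continue;
        if (mech_in_list(server_list, preferred[i]))
            return preferred[i];
    }
    return NULL;
}

int main(void)
{
    /* Constructed sample: the server offers PLAIN and the -PLUS variant only. */
    const char *server = "PLAIN SCRAM-SHA-1-PLUS SCRAM-SHA-256-PLUS";
    const char *const prefs[] = { "SCRAM-SHA-256", "SCRAM-SHA-1", "PLAIN" };
    const char *chosen = suggest_mechanism(server, prefs, 3);
    printf("chosen mechanism: %s\n", chosen ? chosen : "(none)");
    return 0;
}
```

With the sample list the client's first two preferences are rejected because the server only offers their -PLUS forms, so PLAIN is chosen; a prefix-based matcher would instead have reported SCRAM-SHA-256 as available.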
Noteworthy changes in release 1.11.1 2021-01-19 [alpha]
* New header gsasl-version.h is now installed.
* Deprecated enum Gsasl_cipher removed (forgotten in last release).
* Fix symbol versioning.
The goal of the 1.11.x branch is now to release 2.0.0.
Noteworthy changes in release 1.11.0 2021-01-07 [alpha]
* Stop shipping a separate tarball for libgsasl.
This allowed us to avoid a second lib/configure script.
* Build modernization.
Among other improvements, gsasl now uses gnulib's bootstrap script for
building from git; see README-hacking (in git) for more information.
* The KERBEROS_V5 mechanism was removed.
It has not been enabled by default and was never standardized nor
widely deployed.
* Lasso is no longer an optional dependency.
It was only used for building the 'gsasl-saml20-request' helper-tool
for the example code for the SAML20 mechanism. The example is still
shipped as part of this package, but the helper tool will now have to
be built manually by anyone interested in this.
* Functions gsasl_property_set() and gsasl_property_set_raw() now
return GSASL_MALLOC_ERROR on memory allocation errors.
Updating code to use the return value is not critical. Everything will
continue to work the same as before if you ignore the return value --
that is, if the property needed to be set and a memory allocation
error occurred, the application will get an error message later on
about the missing property.
If you want to support both new and old library versions, to report
memory allocation errors as such, you may use a construct like this:
  #if GSASL_VERSION_NUMBER >= 0x010b00
    res =
  #endif
      gsasl_property_set (sctx, GSASL_AUTHID, "simon");
  #if GSASL_VERSION_NUMBER >= 0x010b00
    if (res != GSASL_OK)
      return res;
  #endif
You may put this in a wrapper function to avoid repeating the
construct elsewhere in your code.
The function signatures are modified: before, the return value was
'void'; now it is 'int'. The shared library version has been
incremented.
* New API gsasl_property_free().
This is used to deallocate resources associated with a property.
* All deprecated interfaces have been removed.
* The following functions have been removed:
gsasl_appinfo_get
gsasl_appinfo_set
gsasl_application_data_get
gsasl_application_data_set
gsasl_base64_decode
gsasl_base64_encode
gsasl_client_application_data_get
gsasl_client_application_data_set
gsasl_client_callback_anonymous_get
gsasl_client_callback_anonymous_set
gsasl_client_callback_authentication_id_get
gsasl_client_callback_authentication_id_set
gsasl_client_callback_authorization_id_get
gsasl_client_callback_authorization_id_set
gsasl_client_callback_maxbuf_get
gsasl_client_callback_maxbuf_set
gsasl_client_callback_passcode_get
gsasl_client_callback_passcode_set
gsasl_client_callback_password_get
gsasl_client_callback_password_set
gsasl_client_callback_pin_get
gsasl_client_callback_pin_set
gsasl_client_callback_qop_get
gsasl_client_callback_qop_set
gsasl_client_callback_realm_get
gsasl_client_callback_realm_set
gsasl_client_callback_service_get
gsasl_client_callback_service_set
gsasl_client_ctx_get
gsasl_client_finish
gsasl_client_listmech
gsasl_client_step
gsasl_client_step_base64
gsasl_ctx_get
gsasl_decode_inline
gsasl_encode_inline
gsasl_hmac_md5
gsasl_hmac_sha1
gsasl_md5
gsasl_md5pwd_get_password
gsasl_randomize
gsasl_server_application_data_get
gsasl_server_application_data_set
gsasl_server_callback_anonymous_get
gsasl_server_callback_anonymous_set
gsasl_server_callback_cipher_get
gsasl_server_callback_cipher_set
gsasl_server_callback_cram_md5_get
gsasl_server_callback_cram_md5_set
gsasl_server_callback_digest_md5_get
gsasl_server_callback_digest_md5_set
gsasl_server_callback_external_get
gsasl_server_callback_external_set
gsasl_server_callback_gssapi_get
gsasl_server_callback_gssapi_set
gsasl_server_callback_maxbuf_get
gsasl_server_callback_maxbuf_set
gsasl_server_callback_qop_get
gsasl_server_callback_qop_set
gsasl_server_callback_realm_get
gsasl_server_callback_realm_set
gsasl_server_callback_retrieve_get
gsasl_server_callback_retrieve_set
gsasl_server_callback_securid_get
gsasl_server_callback_securid_set
gsasl_server_callback_service_get
gsasl_server_callback_service_set
gsasl_server_callback_validate_get
gsasl_server_callback_validate_set
gsasl_server_ctx_get
gsasl_server_finish
gsasl_server_listmech
gsasl_server_step
gsasl_server_step_base64
gsasl_server_suggest_mechanism
gsasl_sha1
gsasl_stringprep_nfkc
gsasl_stringprep_saslprep
gsasl_stringprep_trace
* The following declarations have been removed:
Gsasl_ctx
Gsasl_session_ctx
GSASL_CANNOT_GET_CTX
GSASL_FCLOSE_ERROR
GSASL_FOPEN_ERROR
GSASL_GCRYPT_ERROR
GSASL_INVALID_HANDLE
GSASL_KERBEROS_V5_INIT_ERROR
GSASL_KERBEROS_V5_INTERNAL_ERROR
GSASL_NEED_CLIENT_ANONYMOUS_CALLBACK
GSASL_NEED_CLIENT_AUTHENTICATION_ID_CALLBACK
GSASL_NEED_CLIENT_AUTHORIZATION_ID_CALLBACK
GSASL_NEED_CLIENT_PASSCODE_CALLBACK
GSASL_NEED_CLIENT_PASSWORD_CALLBACK
GSASL_NEED_CLIENT_PIN_CALLBACK
GSASL_NEED_CLIENT_SERVICE_CALLBACK
GSASL_NEED_SERVER_ANONYMOUS_CALLBACK
GSASL_NEED_SERVER_CRAM_MD5_CALLBACK
GSASL_NEED_SERVER_DIGEST_MD5_CALLBACK
GSASL_NEED_SERVER_EXTERNAL_CALLBACK
GSASL_NEED_SERVER_GSSAPI_CALLBACK
GSASL_NEED_SERVER_REALM_CALLBACK
GSASL_NEED_SERVER_RETRIEVE_CALLBACK
GSASL_NEED_SERVER_SECURID_CALLBACK
GSASL_NEED_SERVER_SERVICE_CALLBACK
GSASL_NEED_SERVER_VALIDATE_CALLBACK
GSASL_NO_MORE_REALMS
GSASL_SHISHI_ERROR
GSASL_TOO_SMALL_BUFFER
GSASL_UNICODE_NORMALIZATION_ERROR
Gsasl_client_callback_anonymous
Gsasl_client_callback_authentication_id
Gsasl_client_callback_authorization_id
Gsasl_client_callback_maxbuf
Gsasl_client_callback_passcode
Gsasl_client_callback_password
Gsasl_client_callback_pin
Gsasl_client_callback_qop
Gsasl_client_callback_realm
Gsasl_client_callback_service
Gsasl_server_callback_anonymous
Gsasl_server_callback_cipher
Gsasl_server_callback_cram_md5
Gsasl_server_callback_digest_md5
Gsasl_server_callback_external
Gsasl_server_callback_gssapi
Gsasl_server_callback_maxbuf
Gsasl_server_callback_qop
Gsasl_server_callback_realm
Gsasl_server_callback_retrieve
Gsasl_server_callback_securid
Gsasl_server_callback_service
Gsasl_server_callback_validate