Discussion:
SASL 2.1.27 rc6
Ken Murchison
2017-12-11 13:01:14 UTC
All,

I have built a sixth (and hopefully last) release candidate of SASL
2.1.27 which can be downloaded from here:

HTTP:
http://www.cyrusimap.org/releases/cyrus-sasl-2.1.27-rc6.tar.gz
http://www.cyrusimap.org/releases/cyrus-sasl-2.1.27-rc6.tar.gz.sig

FTP:
ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.27-rc6.tar.gz
ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.27-rc6.tar.gz.sig

MD5 Sum:
cyrus-sasl-2.1.27-rc6.tar.gz : de083cc2e5c1cc3a1b88f7d85332a3ff
cyrus-sasl-2.1.27-rc6.tar.gz.sig: 868cc9f5feee63ca2bd91279f5ac043b


Note that the distro has been signed by my colleague Partha Susarla at
FastMail.
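The sums above are what a downloader has to compare against. The Python script below is an added example, not code from the cyrus-sasl project: it parses the "MD5 Sum:" block of the announcement (the ANNOUNCEMENT string is a constructed copy of the lines above), streams a local download through MD5, looks the file up by its basename so a renamed download is reported as unlisted rather than compared against the wrong entry, and compares digests in constant time. The sample bytes used in its self-check are constructed.

```python
"""Check a downloaded cyrus-sasl tarball against the MD5 sums in the
release announcement.  Added example, not cyrus-sasl project code.
Usage:  python verify_release.py cyrus-sasl-2.1.27-rc6.tar.gz
"""
import hashlib
import hmac
import re
import sys
from pathlib import Path

# Constructed copy of the "MD5 Sum:" block from the announcement above.
ANNOUNCEMENT = """\
MD5 Sum:
cyrus-sasl-2.1.27-rc6.tar.gz : de083cc2e5c1cc3a1b88f7d85332a3ff
cyrus-sasl-2.1.27-rc6.tar.gz.sig: 868cc9f5feee63ca2bd91279f5ac043b
"""

# "<filename> : <32 hex digits>", tolerating the uneven spacing in the post.
_SUM_LINE = re.compile(r"^\s*(\S+)\s*:\s*([0-9a-fA-F]{32})\s*$")


def parse_md5_block(text):
    """Return {filename: md5hex} for every sum line; other lines are skipped."""
    sums = {}
    for line in text.splitlines():
        m = _SUM_LINE.match(line)
        if m:
            sums[m.group(1)] = m.group(2).lower()
    return sums


def md5_of_bytes(data):
    """MD5 of an in-memory byte string (used by the self-check)."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk_size=1 << 16):
    """Stream the file so a large tarball need not be read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def digests_match(actual_hex, expected_hex):
    """Constant-time, case-insensitive comparison of two hex digests."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())


def verify_download(path, published):
    """Check one local file against the published sums.

    Returns (ok, reason).  Lookup is by basename, so a renamed download is
    reported as "not listed" instead of being compared to the wrong entry.
    """
    name = Path(path).name
    expected = published.get(name)
    if expected is None:
        return False, "%s is not listed in the announcement" % name
    actual = md5_of_file(path)
    if not digests_match(actual, expected):
        return False, "MD5 mismatch for %s: got %s, expected %s" % (
            name, actual, expected)
    return True, "MD5 matches for %s" % name


if __name__ == "__main__":
    published = parse_md5_block(ANNOUNCEMENT)
    failures = 0
    for arg in sys.argv[1:]:
        ok, reason = verify_download(arg, published)
        print(("OK   " if ok else "FAIL ") + reason)
        failures += 0 if ok else 1
    sys.exit(1 if failures else 0)
```

An MD5 match only shows the download was not corrupted or truncated: MD5 is no longer collision resistant, and the sums travel over the same plain HTTP/FTP channel as the tarball. The detached `.sig` file, checked with gpg against the signer's key named in the post, is the check that actually binds the tarball to the release team; this script deliberately does not replace that step.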


We didn't receive much feedback to Alexey's post on the GSSAPI/LDAP
issue, so hopefully this release candidate will provoke some discussion
leading to a resolution.  As stated previously, we would like to make a
final release before Christmas.  If we have some last minute activity on
the GSSAPI issue or any other showstoppers, we could push the release
back to the end of the year as a last resort.


The (mostly) complete list of changes from 2.1.26 is:

* Added support for OpenSSL 1.1
* Added support for lmdb (from Howard Chu)
* Lots of build fixes (from Ignacio Casal Quinteiro and others)
* Treat SCRAM and DIGEST-MD5 as more secure than PLAIN when selecting client mech
* DIGEST-MD5 plugin:
o Fixed memory leaks
o Fixed a segfault when looking for non-existent reauth cache
o Prevent client from going from step 3 back to step 2
o Allow cmusaslsecretDIGEST-MD5 property to be disabled
* GSSAPI plugin:
o Added support for retrieving negotiated SSF
o Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF
o Properly compute maxbufsize AFTER security layers have been set
* SCRAM plugin:
o Added support for SCRAM-SHA-256
o Allow SCRAM-* to be used by HTTP
* LOGIN plugin:
o Don’t prompt client for password until requested by server
* NTLM plugin:
o Fixed crash due to uninitialized HMAC context
* saslauthd:
o cache.c:
+ Don’t use cached credentials if timeout has expired
+ Fixed debug logging output
o ipc_doors.c:
+ Fixed potential DoS attack (from Oracle)
o ipc_unix.c:
+ Prevent premature closing of socket
o auth_rimap.c:
+ Added support for LOGOUT command
+ Added support for unsolicited CAPABILITY responses in LOGIN reply
+ Properly detect end of responses (don’t needlessly wait)
+ Properly handle backslash in passwords
o auth_httpform:
+ Fix off-by-one error in string termination
+ Added support for 204 success response
o auth_krb5.c:
+ Added krb5_conv_krb4_instance option
+ Added more verbose error logging



At this point any major changes (e.g. API, wire protocol) will be pushed
out to 2.1.28 or 2.2.0.  I believe that this is close to being a final
release which I would like to get out by the end of December.
--
Kenneth Murchison
Cyrus Development Team
FastMail Pty Ltd
Ken Murchison
2017-12-20 16:00:35 UTC
We haven't had much, if any, feedback on this release candidate.

Do the GSSAPI/LDAP folks have any further comments on
https://github.com/cyrusimap/cyrus-sasl/issues/419

I'd really like to make a final release by Christmas as promised, but I
also don't want to make a release that folks will have to patch immediately.
--
Kenneth Murchison
Cyrus Development Team
FastMail Pty Ltd
Dan White
2017-12-20 16:14:40 UTC
Ken,

I'll try to lab up my original test case (for bug 3480) tomorrow
evening.
--
Dan White
Dan White
2017-12-22 16:49:04 UTC
Ken,

I'm running into this:

additional info: SASL(-1): generic failure: Unable to find a callback: 32775

from:

https://github.com/cyrusimap/cyrus-sasl/issues/464

but with GSSAPI, and not GSS-SPNEGO.

In the following scenarios:

ldapwhoami/heimdal -> slapd/mit
ldapwhoami/heimdal -> slapd/heimdal
ldapwhoami/heimdal -> Microsoft AD

But these work:

ldapwhoami/mit -> slapd/mit
ldapwhoami/mit -> MS AD

I can set security properties with the libldap library (ldap.conf(5)). I
tried playing around with maxbufsize, since there are hints that it may be
related when searching on Google, but it had no effect.

All Heimdal tests are using version 7.5.0, manually compiled.

Do you have suggestions of where to debug?
--
Dan White
Ken Murchison
2017-12-22 18:03:36 UTC
Unfortunately, I don't know where to look.  Alexey knows way more about
GSS than I do.  I do recall from my time at CMU that the kerb libraries
seem to suck at error reporting/logging.
--
Kenneth Murchison
Cyrus Development Team
FastMail Pty Ltd
Ken Murchison
2017-12-27 19:53:51 UTC
It looks like Dan White may have found and tested a fix for the
ldaps+GSSAPI issues in the tracker.  I'd like to have some peer review
of this before I cut the final release on the morning of the 31st
(US/Eastern time).
--
Kenneth Murchison
Cyrus Development Team
FastMail Pty Ltd
Jakub Jelen
2018-01-08 14:48:26 UTC
Hello,
I took this snapshot through our testing and I did not notice any
significant problem.

Is there anything more needed for this to get released?

Regards,
Jakub
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
Ken Murchison
2018-01-08 14:50:41 UTC
Waiting on some last minute GSSAPI testing to be done.
--
Kenneth Murchison
Cyrus Development Team
FastMail Pty Ltd