SOURCES/cyrus-sasl-2.1.27-Add-basic-test-plain-auth.patch

@@ -0,0 +1,411 @@
+diff -Nru cyrus-sasl-2.1.27/tests/runtests.py cyrus-sasl-2.1.27-beldmit/tests/runtests.py
+--- cyrus-sasl-2.1.27/tests/runtests.py	2020-12-23 14:31:35.564537485 +0100
++++ cyrus-sasl-2.1.27-beldmit/tests/runtests.py	2020-12-23 14:30:46.933219377 +0100
+@@ -313,6 +313,99 @@
+ 
+     return err
+ 
++def setup_plain(testdir):
++    """ Create sasldb file """
++    sasldbfile = os.path.join(testdir, 'testsasldb.db')
++
++    sasldbenv = {'SASL_PATH': os.path.join(testdir, '../../plugins/.libs'),
++                 'LD_LIBRARY_PATH' : os.path.join(testdir, '../../lib/.libs')}
++
++    passwdprog = os.path.join(testdir, '../../utils/saslpasswd2')
++
++    echo = subprocess.Popen(('echo', '1234567'), stdout=subprocess.PIPE)
++    subprocess.check_call([
++        passwdprog, "-f", sasldbfile, "-c", "test",
++        "-u", "host.realm.test", "-p"
++        ], stdin=echo.stdout, env=sasldbenv, timeout=5)
++
++    return (sasldbfile, sasldbenv)
++
++def plain_test(sasldbfile, sasldbenv):
++    try:
++        srv = subprocess.Popen(["../tests/t_gssapi_srv", "-P", sasldbfile],
++                               stdout=subprocess.PIPE,
++                               stderr=subprocess.PIPE, env=sasldbenv)
++        srv.stdout.readline() # Wait for srv to say it is ready
++        cli = subprocess.Popen(["../tests/t_gssapi_cli", "-P", "1234567"],
++                               stdout=subprocess.PIPE,
++                               stderr=subprocess.PIPE, env=sasldbenv)
++        try:
++            cli.wait(timeout=5)
++            srv.wait(timeout=5)
++        except Exception as e:
++            print("Failed on {}".format(e));
++            cli.kill()
++            srv.kill()
++        if cli.returncode != 0 or srv.returncode != 0:
++            raise Exception("CLI ({}): {} --> SRV ({}): {}".format(
++                cli.returncode, cli.stderr.read().decode('utf-8'),
++                srv.returncode, srv.stderr.read().decode('utf-8')))
++    except Exception as e:
++        print("FAIL: {}".format(e))
++        return 1
++
++    print("PASS: PLAIN CLI({}) SRV({})".format(
++        cli.stdout.read().decode('utf-8').strip(),
++        srv.stdout.read().decode('utf-8').strip()))
++    return 0
++
++def plain_mismatch_test(sasldbfile, sasldbenv):
++    result = "FAIL"
++    try:
++        srv = subprocess.Popen(["../tests/t_gssapi_srv", "-P", sasldbfile],
++                               stdout=subprocess.PIPE,
++                               stderr=subprocess.PIPE, env=sasldbenv)
++        srv.stdout.readline() # Wait for srv to say it is ready
++        bindings = base64.b64encode("CLI CBS".encode('utf-8'))
++        cli = subprocess.Popen(["../tests/t_gssapi_cli", "-P", "12345678"],
++                               stdout=subprocess.PIPE,
++                               stderr=subprocess.PIPE, env=sasldbenv)
++        try:
++            cli.wait(timeout=5)
++            srv.wait(timeout=5)
++        except Exception as e:
++            print("Failed on {}".format(e));
++            cli.kill()
++            srv.kill()
++        if cli.returncode != 0 or srv.returncode != 0:
++            cli_err = cli.stderr.read().decode('utf-8').strip()
++            srv_err = srv.stderr.read().decode('utf-8').strip()
++            if "authentication failure" in srv_err:
++                result = "PASS"
++            raise Exception("CLI ({}): {} --> SRV ({}): {}".format(
++                cli.returncode, cli_err, srv.returncode, srv_err))
++    except Exception as e:
++        print("{}: {}".format(result, e))
++        return 0
++
++    print("FAIL: This test should fail [CLI({}) SRV({})]".format(
++        cli.stdout.read().decode('utf-8').strip(),
++        srv.stdout.read().decode('utf-8').strip()))
++    return 1
++
++def plain_tests(testdir):
++    err = 0
++    sasldbfile, sasldbenv = setup_plain(testdir)
++    #print("DB file: {}, ENV: {}".format(sasldbfile, sasldbenv))
++    print('SASLDB PLAIN:')
++    print('    ', end='')
++    err += plain_test(sasldbfile, sasldbenv)
++
++    print('SASLDB PLAIN PASSWORD MISMATCH:')
++    print('    ', end='')
++    err += plain_mismatch_test(sasldbfile, sasldbenv)
++
++    return err
+ 
+ if __name__ == "__main__":
+ 
+@@ -329,5 +422,9 @@
+ 
+     err = gssapi_tests(T)
+     if err != 0:
+-        print('{} test(s) FAILED'.format(err))
++        print('{} GSSAPI test(s) FAILED'.format(err))
++
++    err = plain_tests(T)
++    if err != 0:
++        print('{} PLAIN test(s) FAILED'.format(err))
+         sys.exit(-1)
+diff -Nru cyrus-sasl-2.1.27/tests/t_gssapi_cli.c cyrus-sasl-2.1.27-beldmit/tests/t_gssapi_cli.c
+--- cyrus-sasl-2.1.27/tests/t_gssapi_cli.c	2020-12-23 14:31:35.564537485 +0100
++++ cyrus-sasl-2.1.27-beldmit/tests/t_gssapi_cli.c	2021-01-06 11:26:15.460662537 +0100
+@@ -16,6 +16,8 @@
+ #include <saslplug.h>
+ #include <saslutil.h>
+ 
++const char *testpass = NULL;
++
+ static int setup_socket(void)
+ {
+     struct sockaddr_in addr;
+@@ -34,9 +36,60 @@
+     return sock;
+ }
+ 
++static int get_user(void *context __attribute__((unused)),
++                  int id,
++                  const char **result,
++                  unsigned *len)
++{
++    const char *testuser = "test@host.realm.test";
++
++    if (! result)
++        return SASL_BADPARAM;
++
++    switch (id) {
++    case SASL_CB_USER:
++    case SASL_CB_AUTHNAME:
++        *result = testuser;
++        break;
++    default:
++        return SASL_BADPARAM;
++    }
++
++    if (len) *len = strlen(*result);
++
++    return SASL_OK;
++}
++
++static int get_pass(sasl_conn_t *conn __attribute__((unused)),
++          void *context __attribute__((unused)),
++          int id,
++          sasl_secret_t **psecret)
++{
++    size_t len;
++    static sasl_secret_t *x;
++
++    /* paranoia check */
++    if (! conn || ! psecret || id != SASL_CB_PASS)
++        return SASL_BADPARAM;
++
++    len = strlen(testpass);
++
++    x = (sasl_secret_t *) realloc(x, sizeof(sasl_secret_t) + len);
++
++    if (!x) {
++        return SASL_NOMEM;
++    }
++
++    x->len = len;
++    strcpy((char *)x->data, testpass);
++
++    *psecret = x;
++    return SASL_OK;
++}
++
+ int main(int argc, char *argv[])
+ {
+-    sasl_callback_t callbacks[2] = {};
++    sasl_callback_t callbacks[4] = {};
+     char buf[8192];
+     const char *chosenmech;
+     sasl_conn_t *conn;
+@@ -49,8 +102,9 @@
+     const char *sasl_mech = "GSSAPI";
+     bool spnego = false;
+     bool zeromaxssf = false;
++    bool plain = false;
+ 
+-    while ((c = getopt(argc, argv, "c:zN")) != EOF) {
++    while ((c = getopt(argc, argv, "c:zNP:")) != EOF) {
+         switch (c) {
+         case 'c':
+             parse_cb(&cb, cb_buf, 256, optarg);
+@@ -61,6 +115,10 @@
+         case 'N':
+             spnego = true;
+             break;
++        case 'P':
++            plain = true;
++            testpass = optarg;
++            break;
+         default:
+             break;
+         }
+@@ -73,6 +131,12 @@
+     callbacks[1].id = SASL_CB_LIST_END;
+     callbacks[1].proc = NULL;
+     callbacks[1].context = NULL;
++    callbacks[2].id = SASL_CB_LIST_END;
++    callbacks[2].proc = NULL;
++    callbacks[2].context = NULL;
++    callbacks[3].id = SASL_CB_LIST_END;
++    callbacks[3].proc = NULL;
++    callbacks[3].context = NULL;
+ 
+     r = sasl_client_init(callbacks);
+     if (r != SASL_OK) exit(-1);
+@@ -91,6 +155,16 @@
+         sasl_mech = "GSS-SPNEGO";
+     }
+ 
++    if (plain) {
++        sasl_mech = "PLAIN";
++
++        callbacks[1].id = SASL_CB_AUTHNAME;
++        callbacks[1].proc = (sasl_callback_ft)&get_user;
++
++        callbacks[2].id = SASL_CB_PASS;
++        callbacks[2].proc = (sasl_callback_ft)&get_pass;
++    }
++
+     if (zeromaxssf) {
+         /* set all security properties to 0 including maxssf */
+         sasl_security_properties_t secprops = { 0 };
+@@ -99,9 +173,9 @@
+ 
+     r = sasl_client_start(conn, sasl_mech, NULL, &data, &len, &chosenmech);
+     if (r != SASL_OK && r != SASL_CONTINUE) {
+-	saslerr(r, "starting SASL negotiation");
+-	printf("\n%s\n", sasl_errdetail(conn));
+-	exit(-1);
++        saslerr(r, "starting SASL negotiation");
++        printf("\n%s\n", sasl_errdetail(conn));
++        exit(-1);
+     }
+ 
+     sd = setup_socket();
+@@ -111,11 +185,11 @@
+         len = 8192;
+         recv_string(sd, buf, &len, false);
+ 
+-	r = sasl_client_step(conn, buf, len, NULL, &data, &len);
+-	if (r != SASL_OK && r != SASL_CONTINUE) {
+-	    saslerr(r, "performing SASL negotiation");
+-	    printf("\n%s\n", sasl_errdetail(conn));
+-	    exit(-1);
++        r = sasl_client_step(conn, buf, len, NULL, &data, &len);
++        if (r != SASL_OK && r != SASL_CONTINUE) {
++            saslerr(r, "performing SASL negotiation");
++            printf("\n%s\n", sasl_errdetail(conn));
++            exit(-1);
+         }
+     }
+ 
+diff -Nru cyrus-sasl-2.1.27/tests/t_gssapi_srv.c cyrus-sasl-2.1.27-beldmit/tests/t_gssapi_srv.c
+--- cyrus-sasl-2.1.27/tests/t_gssapi_srv.c	2020-12-23 14:31:35.565537492 +0100
++++ cyrus-sasl-2.1.27-beldmit/tests/t_gssapi_srv.c	2021-01-06 11:27:48.373257373 +0100
+@@ -1,4 +1,5 @@
+-/* Copyright (C) Simo Sorce <simo@redhat.com>
++/* Copyright (C) Simo Sorce <simo@redhat.com>,
++ * Dmitry Belyavskiy <dbelyavs@redhat.com>
+  * See COPYING file for License */
+ 
+ #include "t_common.h"
+@@ -15,6 +16,10 @@
+ #include <arpa/inet.h>
+ #include <saslplug.h>
+ 
++const char *sasldb_path = NULL,
++      *auxprop_plugin = "sasldb",
++      *pwcheck_method = "auxprop-hashed";
++
+ static int setup_socket(void)
+ {
+     struct sockaddr_in addr;
+@@ -45,9 +50,38 @@
+     return sd;
+ }
+ 
++static int test_getopt(void *context __attribute__((unused)),
++                const char *plugin_name __attribute__((unused)),
++                const char *option,
++                const char **result,
++                unsigned *len)
++{
++    if (sasldb_path && !strcmp(option, "sasldb_path")) {
++        *result = sasldb_path;
++        if (len)
++            *len = (unsigned) strlen(sasldb_path);
++        return SASL_OK;
++    }
++
++    if (sasldb_path && !strcmp(option, "auxprop_plugin")) {
++        *result = auxprop_plugin;
++        if (len)
++            *len = (unsigned) strlen(auxprop_plugin);
++        return SASL_OK;
++    }
++
++    if (sasldb_path && !strcmp(option, "pwcheck_method")) {
++        *result = pwcheck_method;
++        if (len)
++            *len = (unsigned) strlen(pwcheck_method);
++        return SASL_OK;
++    }
++    return SASL_FAIL;
++}
++
+ int main(int argc, char *argv[])
+ {
+-    sasl_callback_t callbacks[2] = {};
++    sasl_callback_t callbacks[3] = {};
+     char buf[8192];
+     sasl_conn_t *conn;
+     const char *data;
+@@ -59,8 +93,9 @@
+     const char *sasl_mech = "GSSAPI";
+     bool spnego = false;
+     bool zeromaxssf = false;
++    bool plain = false;
+ 
+-    while ((c = getopt(argc, argv, "c:zN")) != EOF) {
++    while ((c = getopt(argc, argv, "c:zNP:")) != EOF) {
+         switch (c) {
+         case 'c':
+             parse_cb(&cb, cb_buf, 256, optarg);
+@@ -71,6 +106,10 @@
+         case 'N':
+             spnego = true;
+             break;
++        case 'P':
++            plain = true;
++            sasldb_path = optarg;
++            break;
+         default:
+             break;
+         }
+@@ -81,9 +120,12 @@
+     callbacks[0].id = SASL_CB_GETPATH;
+     callbacks[0].proc = (sasl_callback_ft)&getpath;
+     callbacks[0].context = NULL;
+-    callbacks[1].id = SASL_CB_LIST_END;
+-    callbacks[1].proc = NULL;
++    callbacks[1].id = SASL_CB_GETOPT;
++    callbacks[1].proc = (sasl_callback_ft)&test_getopt;
+     callbacks[1].context = NULL;
++    callbacks[2].id = SASL_CB_LIST_END;
++    callbacks[2].proc = NULL;
++    callbacks[2].context = NULL;
+ 
+     r = sasl_server_init(callbacks, "t_gssapi_srv");
+     if (r != SASL_OK) exit(-1);
+@@ -103,6 +145,10 @@
+         sasl_mech = "GSS-SPNEGO";
+     }
+ 
++    if (plain) {
++        sasl_mech = "PLAIN";
++    }
++
+     if (zeromaxssf) {
+         /* set all security properties to 0 including maxssf */
+         sasl_security_properties_t secprops = { 0 };
+@@ -116,9 +162,9 @@
+ 
+     r = sasl_server_start(conn, sasl_mech, buf, len, &data, &len);
+     if (r != SASL_OK && r != SASL_CONTINUE) {
+-	saslerr(r, "starting SASL negotiation");
+-	printf("\n%s\n", sasl_errdetail(conn));
+-	exit(-1);
++        saslerr(r, "starting SASL negotiation");
++        printf("\n%s\n", sasl_errdetail(conn));
++        exit(-1);
+     }
+ 
+     while (r == SASL_CONTINUE) {
+@@ -126,12 +172,12 @@
+         len = 8192;
+         recv_string(sd, buf, &len, true);
+ 
+-	r = sasl_server_step(conn, buf, len, &data, &len);
+-	if (r != SASL_OK && r != SASL_CONTINUE) {
+-	    saslerr(r, "performing SASL negotiation");
+-	    printf("\n%s\n", sasl_errdetail(conn));
+-	    exit(-1);
+-	}
++        r = sasl_server_step(conn, buf, len, &data, &len);
++        if (r != SASL_OK && r != SASL_CONTINUE) {
++            saslerr(r, "performing SASL negotiation");
++            printf("\n%s\n", sasl_errdetail(conn));
++            exit(-1);
++        }
+     }
+ 
+     if (r != SASL_OK) exit(-1);

SOURCES/cyrus-sasl-2.1.27-Migration-from-BerkeleyDB.patch

@@ -0,0 +1,569 @@
+diff -up cyrus-sasl-2.1.27/configure.ac.frombdb cyrus-sasl-2.1.27/configure.ac
+--- cyrus-sasl-2.1.27/configure.ac.frombdb	2021-06-04 13:02:07.790112263 +0200
++++ cyrus-sasl-2.1.27/configure.ac	2021-06-04 13:02:07.798112327 +0200
+@@ -1091,6 +1091,9 @@ AC_SUBST(SASL_STATIC_SRCS)
+ AC_SUBST(SASL_STATIC_OBJS)
+ AC_SUBST(SASL_STATIC_LIBS)
+ 
++CYRUS_BERKELEY_DB_STATIC_LIB()
++AC_SUBST(BDB_STATIC_LIBADD)
++
+ AC_ARG_WITH(plugindir, [  --with-plugindir=DIR    set the directory where plugins will
+                           be found [[LIBDIR/sasl2]] ],
+   plugindir=$withval,
+diff -up cyrus-sasl-2.1.27/m4/berkdb.m4.frombdb cyrus-sasl-2.1.27/m4/berkdb.m4
+--- cyrus-sasl-2.1.27/m4/berkdb.m4.frombdb	2016-01-29 18:35:35.000000000 +0100
++++ cyrus-sasl-2.1.27/m4/berkdb.m4	2021-06-04 13:02:07.798112327 +0200
+@@ -286,3 +286,10 @@ AC_DEFUN([CYRUS_BERKELEY_DB_CHK],
+ 
+ 	CPPFLAGS=$cmu_save_CPPFLAGS
+ ])
++
++AC_DEFUN([CYRUS_BERKELEY_DB_STATIC_LIB],
++[
++BDB_STATIC_LIBADD="/dev/null -lpthread"
++AC_CHECK_FILE([/usr/lib64/libdb-5.3.a],[BDB_STATIC_LIBADD="/usr/lib64/libdb-5.3.a -lpthread "],[])
++AC_CHECK_FILE([/usr/lib/libdb-5.3.a],[BDB_STATIC_LIBADD="/usr/lib/libdb-5.3.a -lpthread"],[])
++])
+diff -up cyrus-sasl-2.1.27/m4/sasldb.m4.frombdb cyrus-sasl-2.1.27/m4/sasldb.m4
+--- cyrus-sasl-2.1.27/m4/sasldb.m4.frombdb	2017-07-13 20:45:19.000000000 +0200
++++ cyrus-sasl-2.1.27/m4/sasldb.m4	2021-06-04 13:02:07.798112327 +0200
+@@ -111,7 +111,7 @@ AC_MSG_RESULT($dblib)
+ SASL_DB_BACKEND="db_${dblib}.lo"
+ SASL_DB_BACKEND_STATIC="db_${dblib}.o allockey.o"
+ SASL_DB_BACKEND_STATIC_SRCS="\$(top_srcdir)/sasldb/db_${dblib}.c \$(top_srcdir)/sasldb/allockey.c"
+-SASL_DB_UTILS="saslpasswd2 sasldblistusers2"
++SASL_DB_UTILS="cyrusbdb2current saslpasswd2 sasldblistusers2"
+ SASL_DB_MANS="saslpasswd2.8 sasldblistusers2.8"
+ 
+ case "$dblib" in
+diff -up cyrus-sasl-2.1.27/sasldb/db_gdbm.c.frombdb cyrus-sasl-2.1.27/sasldb/db_gdbm.c
+--- cyrus-sasl-2.1.27/sasldb/db_gdbm.c.frombdb	2017-07-13 14:34:03.000000000 +0200
++++ cyrus-sasl-2.1.27/sasldb/db_gdbm.c	2021-06-04 13:04:24.098206887 +0200
+@@ -67,6 +67,7 @@ int _sasldb_getdata(const sasl_utils_t *
+   void *cntxt;
+   sasl_getopt_t *getopt;
+   const char *path = SASL_DB_PATH;
++  int fetch_errno = 0;
+ 
+   if (!utils) return SASL_BADPARAM;
+   if (!authid || !propName || !realm || !out || !max_out) {
+@@ -99,6 +100,9 @@ int _sasldb_getdata(const sasl_utils_t *
+   }
+   db = gdbm_open((char *)path, 0, GDBM_READER, S_IRUSR | S_IWUSR, NULL);
+   if (! db) {
++      utils->log(conn, SASL_LOG_ERR,
++		 "SASL error opening password file. "
++		 "Have you performed the migration from db2 using cyrusbdb2current?\n");
+       utils->seterror(cntxt, 0, "Could not open %s: gdbm_errno=%d",
+ 		      path, gdbm_errno);
+       result = SASL_FAIL;
+@@ -107,9 +111,10 @@ int _sasldb_getdata(const sasl_utils_t *
+   gkey.dptr = key;
+   gkey.dsize = key_len;
+   gvalue = gdbm_fetch(db, gkey);
++  fetch_errno = gdbm_errno;
+   gdbm_close(db);
+   if (! gvalue.dptr) {
+-      if (gdbm_errno == GDBM_ITEM_NOT_FOUND) {
++      if (fetch_errno == GDBM_ITEM_NOT_FOUND) {
+           utils->seterror(conn, SASL_NOLOG,
+ 			  "user: %s@%s property: %s not found in %s",
+ 			  authid, realm, propName, path);
+@@ -186,7 +191,8 @@ int _sasldb_putdata(const sasl_utils_t *
+   if (! db) {
+       utils->log(conn, SASL_LOG_ERR,
+ 		 "SASL error opening password file. "
+-		 "Do you have write permissions?\n");
++		 "Do you have write permissions?\n"
++		 "Have you performed the migration from db2 using cyrusbdb2current?\n");
+       utils->seterror(conn, 0, "Could not open %s for write: gdbm_errno=%d",
+                      path, gdbm_errno);
+       result = SASL_FAIL;
+@@ -298,6 +304,9 @@ sasldb_handle _sasldb_getkeyhandle(const
+     db = gdbm_open((char *)path, 0, GDBM_READER, S_IRUSR | S_IWUSR, NULL);
+ 
+     if(!db) {
++        utils->log(conn, SASL_LOG_ERR,
++		 "SASL error opening password file. "
++		 "Have you performed the migration from db2 using cyrusbdb2current?\n");
+         utils->seterror(conn, 0, "Could not open %s: gdbm_errno=%d",
+ 			 path, gdbm_errno);
+ 	return NULL;
+diff -up cyrus-sasl-2.1.27/utils/cyrusbdb2current.8.frombdb cyrus-sasl-2.1.27/utils/cyrusbdb2current.8
+--- cyrus-sasl-2.1.27/utils/cyrusbdb2current.8.frombdb	2021-06-04 13:02:07.798112327 +0200
++++ cyrus-sasl-2.1.27/utils/cyrusbdb2current.8	2021-06-04 13:02:07.798112327 +0200
+@@ -0,0 +1,159 @@
++.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
++.\"
++.\" Standard preamble:
++.\" ========================================================================
++.de Sp \" Vertical space (when we can't use .PP)
++.if t .sp .5v
++.if n .sp
++..
++.de Vb \" Begin verbatim text
++.ft CW
++.nf
++.ne \\$1
++..
++.de Ve \" End verbatim text
++.ft R
++.fi
++..
++.\" Set up some character translations and predefined strings.  \*(-- will
++.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
++.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
++.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
++.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
++.\" nothing in troff, for use with C<>.
++.tr \(*W-
++.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
++.ie n \{\
++.    ds -- \(*W-
++.    ds PI pi
++.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
++.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
++.    ds L" ""
++.    ds R" ""
++.    ds C` ""
++.    ds C' ""
++'br\}
++.el\{\
++.    ds -- \|\(em\|
++.    ds PI \(*p
++.    ds L" ``
++.    ds R" ''
++.    ds C`
++.    ds C'
++'br\}
++.\"
++.\" Escape single quotes in literal strings from groff's Unicode transform.
++.ie \n(.g .ds Aq \(aq
++.el       .ds Aq '
++.\"
++.\" If the F register is >0, we'll generate index entries on stderr for
++.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
++.\" entries marked with X<> in POD.  Of course, you'll have to process the
++.\" output yourself in some meaningful fashion.
++.\"
++.\" Avoid warning from groff about undefined register 'F'.
++.de IX
++..
++.nr rF 0
++.if \n(.g .if rF .nr rF 1
++.if (\n(rF:(\n(.g==0)) \{\
++.    if \nF \{\
++.        de IX
++.        tm Index:\\$1\t\\n%\t"\\$2"
++..
++.        if !\nF==2 \{\
++.            nr % 0
++.            nr F 2
++.        \}
++.    \}
++.\}
++.rr rF
++.\"
++.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
++.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
++.    \" fudge factors for nroff and troff
++.if n \{\
++.    ds #H 0
++.    ds #V .8m
++.    ds #F .3m
++.    ds #[ \f1
++.    ds #] \fP
++.\}
++.if t \{\
++.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
++.    ds #V .6m
++.    ds #F 0
++.    ds #[ \&
++.    ds #] \&
++.\}
++.    \" simple accents for nroff and troff
++.if n \{\
++.    ds ' \&
++.    ds ` \&
++.    ds ^ \&
++.    ds , \&
++.    ds ~ ~
++.    ds /
++.\}
++.if t \{\
++.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
++.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
++.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
++.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
++.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
++.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
++.\}
++.    \" troff and (daisy-wheel) nroff accents
++.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
++.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
++.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
++.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
++.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
++.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
++.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
++.ds ae a\h'-(\w'a'u*4/10)'e
++.ds Ae A\h'-(\w'A'u*4/10)'E
++.    \" corrections for vroff
++.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
++.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
++.    \" for low resolution devices (crt and lpr)
++.if \n(.H>23 .if \n(.V>19 \
++\{\
++.    ds : e
++.    ds 8 ss
++.    ds o a
++.    ds d- d\h'-1'\(ga
++.    ds D- D\h'-1'\(hy
++.    ds th \o'bp'
++.    ds Th \o'LP'
++.    ds ae ae
++.    ds Ae AE
++.\}
++.rm #[ #] #H #V #F C
++.\" ========================================================================
++.\"
++.IX Title "CYRUSBDB2CURRENT 1"
++.TH CYRUSBDB2CURRENT 1 "2021-04-28" "perl v5.30.3" "User Contributed Perl Documentation"
++.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
++.\" way too many mistakes in technical documents.
++.if n .ad l
++.nh
++.SH "NAME"
++cyrusbdb2current \- command\-line utility converting the SASLDB database from
++BerkeleyDB to the database format currently used bys sasldb.
++.SH "SYNOPSIS"
++.IX Header "SYNOPSIS"
++cyrusbdb2current <sasldb_old_path> <sasldb_new_path>
++.SH "DESCRIPTION"
++.IX Header "DESCRIPTION"
++\&\fBcyrusbdb2current\fR converts the current sasldb database from BerkeleyDB format to the
++currently used database format. It is \fB\s-1STRONGLY RECOMMENDED\s0\fR to make a backup
++of the current database before the conversion.
++.PP
++We expect that the old path is \fB/etc/sasldb2\fR and the new one is
++\&\fB/etc/sasl2/sasldb2\fR
++.SH "SEE ALSO"
++.IX Header "SEE ALSO"
++\&\fBsaslpasswd2\fR\|(8)
++.PP
++rfc4422 \- Simple Authentication and Security Layer (\s-1SASL\s0)
+diff -up cyrus-sasl-2.1.27/utils/cyrusbdb2current.c.frombdb cyrus-sasl-2.1.27/utils/cyrusbdb2current.c
+--- cyrus-sasl-2.1.27/utils/cyrusbdb2current.c.frombdb	2021-06-04 13:02:07.798112327 +0200
++++ cyrus-sasl-2.1.27/utils/cyrusbdb2current.c	2021-06-04 13:02:07.798112327 +0200
+@@ -0,0 +1,282 @@
++#include <config.h>
++
++#include <stdio.h>
++#include <stdlib.h>
++
++#include <sasl.h>
++#include <saslplug.h>
++#include "../sasldb/sasldb.h"
++
++/* Cheating to make the utils work out right */
++extern const sasl_utils_t *sasl_global_utils;
++sasl_conn_t *globalconn;
++
++typedef void *listcb_t(const char *, const char *, const char *,
++		       const char *, unsigned);
++
++void listusers_cb(const char *authid, const char *realm,
++		  const char *propName, const char *secret,
++		  unsigned seclen)
++{
++    if (!authid || !propName || !realm) {
++	fprintf(stderr,"userlist callback has bad param");
++	return;
++    }
++
++    /* the entries that just say the mechanism exists */
++    if (strlen(authid)==0) return;
++
++    printf("Converting: %s@%s (%s)...",authid,realm,propName);
++
++    _sasldb_putdata(sasl_global_utils, globalconn,
++		    authid, realm, propName,
++		    secret, seclen);
++
++    printf("ok\n");
++}
++
++/*
++ * List all users in database
++ */
++
++#include <db.h>
++
++#define DB_VERSION_FULL ((DB_VERSION_MAJOR << 24) | (DB_VERSION_MINOR << 16) | DB_VERSION_PATCH)
++/*
++ * Open the database
++ *
++ */
++static int berkeleydb_open(const char *path,DB **mbdb)
++{
++    int ret;
++
++#if DB_VERSION_FULL < 0x03000000
++    ret = db_open(path, DB_HASH, DB_CREATE, 0664, NULL, NULL, mbdb);
++#else /* DB_VERSION_FULL < 0x03000000 */
++    ret = db_create(mbdb, NULL, 0);
++    if (ret == 0 && *mbdb != NULL)
++    {
++#if DB_VERSION_FULL >= 0x04010000
++	ret = (*mbdb)->open(*mbdb, NULL, path, NULL, DB_HASH, DB_CREATE, 0664);
++#else
++	ret = (*mbdb)->open(*mbdb, path, NULL, DB_HASH, DB_CREATE, 0664);
++#endif
++	if (ret != 0)
++	{
++	    (void) (*mbdb)->close(*mbdb, 0);
++	    *mbdb = NULL;
++	}
++    }
++#endif /* DB_VERSION_FULL < 0x03000000 */
++
++    if (ret != 0) {
++	fprintf(stderr,"Error opening password file %s\n", path);
++	return SASL_FAIL;
++    }
++
++    return SASL_OK;
++}
++
++/*
++ * Close the database
++ *
++ */
++
++static void berkeleydb_close(DB *mbdb)
++{
++    int ret;
++    
++    ret = mbdb->close(mbdb, 0);
++    if (ret!=0) {
++	fprintf(stderr,"error closing sasldb: %s",
++		db_strerror(ret));
++    }
++}
++
++int listusers(const char *path, listcb_t *cb)
++{
++    int result;
++    DB *mbdb = NULL;
++    DBC *cursor;
++    DBT key, data;
++
++    /* open the db */
++    result=berkeleydb_open(path, &mbdb);
++    if (result!=SASL_OK) goto cleanup;
++
++    /* make cursor */
++#if DB_VERSION_FULL < 0x03060000
++    result = mbdb->cursor(mbdb, NULL,&cursor); 
++#else
++    result = mbdb->cursor(mbdb, NULL,&cursor, 0); 
++#endif /* DB_VERSION_FULL < 0x03060000 */
++
++    if (result!=0) {
++	fprintf(stderr,"Making cursor failure: %s\n",db_strerror(result));
++      result = SASL_FAIL;
++      goto cleanup;
++    }
++
++    memset(&key,0, sizeof(key));
++    memset(&data,0,sizeof(data));
++
++    /* loop thru */
++    result = cursor->c_get(cursor, &key, &data,
++			   DB_FIRST);
++
++    while (result != DB_NOTFOUND)
++    {
++	char *authid;
++	char *realm;
++	char *tmp;
++	unsigned int len;
++	char prop[1024];
++	int numnulls = 0;
++	unsigned int lup;
++
++	/* make sure there are exactly 2 null's */
++	for (lup=0;lup<key.size;lup++)
++	    if (((char *)key.data)[lup]=='\0')
++		numnulls++;
++
++	if (numnulls != 2) {
++	    fprintf(stderr,"warning: probable database corruption\n");
++	    result = cursor->c_get(cursor, &key, &data, DB_NEXT);
++	    continue;
++	}
++
++	authid = key.data;
++	realm  = authid + strlen(authid)+1;
++	tmp    = realm + strlen(realm)+1;
++	len = key.size - (tmp - authid);
++
++	/* make sure we have enough space of prop */
++	if (len >=sizeof(prop)) {
++	    fprintf(stderr,"warning: absurdly long prop name\n");
++	    result = cursor->c_get(cursor, &key, &data, DB_NEXT);
++	    continue;
++	}
++
++	memcpy(prop, tmp, key.size - (tmp - ((char *)key.data)));
++	prop[key.size - (tmp - ((char *)key.data))] = '\0';
++
++	if (*authid) {
++	    /* don't check return values */
++	    cb(authid,realm,prop,data.data,data.size);
++	}
++
++	result = cursor->c_get(cursor, &key, &data, DB_NEXT);
++    }
++
++    if (result != DB_NOTFOUND) {
++	fprintf(stderr,"failure: %s\n",db_strerror(result));
++	result = SASL_FAIL;
++	goto cleanup;
++    }
++
++    result = cursor->c_close(cursor);
++    if (result != 0) {
++        result = SASL_FAIL;
++        goto cleanup;
++    }
++
++    result = SASL_OK;
++
++ cleanup:
++
++    if (mbdb != NULL) berkeleydb_close(mbdb);
++    return result;
++}
++
++
++char *db = NULL, *db_new=NULL;
++
++int good_getopt(void *context __attribute__((unused)), 
++		const char *plugin_name __attribute__((unused)), 
++		const char *option,
++		const char **result,
++		unsigned *len)
++{
++    if (db_new && !strcmp(option, "sasldb_path")) {
++	*result = db_new;
++	if (len)
++	    *len = strlen(db_new);
++	return SASL_OK;
++    }
++
++    return SASL_FAIL;
++}
++
++static struct sasl_callback goodsasl_cb[] = {
++    { SASL_CB_GETOPT, (int (*)(void))&good_getopt, NULL },
++    { SASL_CB_LIST_END, NULL, NULL }
++};
++
++int main(int argc, char **argv)
++{
++    int result;
++    FILE *f;
++
++    if (argc != 3) {
++	fprintf(stderr, "Usage: cyrusbdb2current old_sasldb new_sasldb\n");
++	fprintf(stderr, "old_sasldb is presumably /etc/sasldb2\n");
++       	fprintf(stderr, "new_sasldb is presumably /etc/sasl2/sasldb2\n");
++	return 1;
++    }
++
++    db = argv[1];
++    db_new = argv[2];
++
++    if (strcmp(db, db_new) == 0) {
++	fprintf(stderr, "Old and new files should be different\n");
++	return 1;
++    }
++
++
++    f = fopen(db_new, "rb");
++    if (f != NULL) {
++	fprintf(stderr, "The specified target file %s already exists\n", db_new);
++	fclose(f);
++	return 1;
++    }
++
++    result = sasl_server_init(goodsasl_cb, "dbconverter");
++    if (result != SASL_OK) {
++	fprintf(stderr, "couldn't init saslv2\n");
++	return 1;
++    }
++
++    result = sasl_server_new("sasldb",
++			     "localhost",
++			     NULL,
++			     NULL,
++			     NULL,
++			     NULL,
++			     0,
++			     &globalconn);
++    if (result != SASL_OK) {
++	fprintf(stderr, "couldn't create globalconn\n");
++	return 1;
++    }
++
++    if(_sasl_check_db(sasl_global_utils,globalconn) != SASL_OK) {
++	fprintf(stderr, "target DB %s is not OK\n", db_new);
++	return 1;
++    }
++
++    printf("\nThis program will take the sasldb file specified on the\n"
++           "command line and convert it to a new sasldb specified\n"
++           "on the command line. It is STRONGLY RECOMMENDED that you\n"
++           "backup sasldb before allowing this program to run\n\n"
++	   "We are going to convert %s and our output will be in %s\n\n"
++           "Press return to continue\n", db, db_new);
++
++    getchar();
++
++    listusers(db, (listcb_t *) &listusers_cb);
++
++    sasl_dispose(&globalconn);
++    sasl_done();
++
++    exit(0);
++}
+diff -up cyrus-sasl-2.1.27/utils/Makefile.am.frombdb cyrus-sasl-2.1.27/utils/Makefile.am
+--- cyrus-sasl-2.1.27/utils/Makefile.am.frombdb	2018-10-05 16:40:16.000000000 +0200
++++ cyrus-sasl-2.1.27/utils/Makefile.am	2021-06-04 13:02:07.798112327 +0200
+@@ -46,14 +46,14 @@ all_sasl_libs = ../lib/libsasl2.la $(SAS
+ all_sasl_static_libs = ../lib/.libs/libsasl2.a $(SASL_DB_LIB) $(LIB_SOCKET) $(GSSAPIBASE_LIBS) $(GSSAPI_LIBS) $(SASL_KRB_LIB) $(LIB_DES) $(PLAIN_LIBS) $(SRP_LIBS) $(LIB_MYSQL) $(LIB_PGSQL) $(LIB_SQLITE)
+ 
+ sbin_PROGRAMS = @SASL_DB_UTILS@ @SMTPTEST_PROGRAM@ pluginviewer
+-EXTRA_PROGRAMS = saslpasswd2 sasldblistusers2 testsuite testsuitestatic smtptest pluginviewer
++EXTRA_PROGRAMS = saslpasswd2 sasldblistusers2 testsuite testsuitestatic smtptest pluginviewer cyrusbdb2current
+ 
+ noinst_PROGRAMS = dbconverter-2
+ 
+ if NO_SASL_DB_MANS
+ man_MANS = 
+ else
+-man_MANS = saslpasswd2.8 sasldblistusers2.8 pluginviewer.8
++man_MANS = saslpasswd2.8 sasldblistusers2.8 pluginviewer.8 cyrusbdb2current.8
+ endif
+ 
+ saslpasswd2_LDADD = ../sasldb/libsasldb.la $(all_sasl_libs)
+@@ -63,6 +63,7 @@ sasldblistusers2_SOURCES = sasldblistuse
+ dbconverter_2_LDADD = ../sasldb/libsasldb.la $(all_sasl_libs)
+ pluginviewer_LDADD = $(all_sasl_libs)
+ pluginviewer_SOURCES = pluginviewer.c
++cyrusbdb2current_LDADD = ../sasldb/libsasldb.la @BDB_STATIC_LIBADD@ $(all_sasl_libs)
+ 
+ testsuite_LDADD = $(all_sasl_libs) @DMALLOC_LIBS@
+ 

SOURCES/cyrus-sasl-2.1.27-coverity.patch

@@ -0,0 +1,56 @@
+diff -up cyrus-sasl-2.1.27/include/makemd5.c.coverity cyrus-sasl-2.1.27/include/makemd5.c
+--- cyrus-sasl-2.1.27/include/makemd5.c.coverity	2021-04-12 15:10:25.421431535 +0200
++++ cyrus-sasl-2.1.27/include/makemd5.c	2021-04-12 15:56:46.752827737 +0200
+@@ -107,7 +107,6 @@ my_strupr(char *s)
+     }	
+ }
+ 
+-
+ #define BITSIZE(TYPE)						\
+ {								\
+     int b = 0; TYPE x = 1, zero = 0; char *pre = "U";		\
+@@ -129,6 +128,8 @@ my_strupr(char *s)
+ static void
+ try_signed(FILE *f, int len)
+ {
++/* Local macros for not-installed program. No coverity/compiler issues! */
++#pragma GCC diagnostic ignored "-Wformat-overflow"
+ #ifdef HAVE_INT8_T
+     BITSIZE(int8_t);
+ #endif
+@@ -149,6 +150,7 @@ try_signed(FILE *f, int len)
+     BITSIZE(long long);
+ #endif
+     fprintf(f, "/* There is no %d bit type */\n", len);
++#pragma GCC pop
+ }
+ 
+ static void
+diff -up cyrus-sasl-2.1.27/saslauthd/lak.c.coverity cyrus-sasl-2.1.27/saslauthd/lak.c
+--- cyrus-sasl-2.1.27/saslauthd/lak.c.coverity	2018-11-08 18:29:57.000000000 +0100
++++ cyrus-sasl-2.1.27/saslauthd/lak.c	2021-04-12 15:10:25.433431630 +0200
+@@ -337,9 +337,9 @@ static int lak_config_read(
+          EMPTY(conf->group_search_base) )
+         strlcpy(conf->group_search_base, conf->search_base, LAK_DN_LEN);
+         
+-	fclose(infile);
++    fclose(infile);
+ 
+-	return LAK_OK;
++    return LAK_OK;
+ }
+ 
+ static int lak_config_int(
+diff -up cyrus-sasl-2.1.27/saslauthd/saslauthd-main.c.coverity cyrus-sasl-2.1.27/saslauthd/saslauthd-main.c
+--- cyrus-sasl-2.1.27/saslauthd/saslauthd-main.c.coverity	2018-01-19 15:13:40.000000000 +0100
++++ cyrus-sasl-2.1.27/saslauthd/saslauthd-main.c	2021-04-12 15:10:25.433431630 +0200
+@@ -833,7 +833,8 @@ void detach_tty() {
+     }
+     
+     logger(L_INFO, L_FUNC, "master pid is: %lu", (unsigned long)master_pid);
+-    
++    /* null_fd expected to be more than 2, so it is closed after dups, no leaks occur */
++    /* coverity[leaked_handle : FALSE]*/
+     return;
+ }
+ 

SOURCES/cyrus-sasl-2.1.27-cumulative-digestmd5.patch

@@ -0,0 +1,546 @@
+diff -uPr cyrus-sasl-2.1.27/plugins/digestmd5.c cyrus-sasl-2.1.27.digestmd5/plugins/digestmd5.c
+--- cyrus-sasl-2.1.27/plugins/digestmd5.c	2022-09-08 12:22:03.782961573 -0400
++++ cyrus-sasl-2.1.27.digestmd5/plugins/digestmd5.c	2022-09-08 12:24:20.289994669 -0400
+@@ -80,6 +80,12 @@
+ # endif
+ #endif /* WITH_DES */
+ 
++/* legacy provider with openssl 3.0 */
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++#  include <openssl/provider.h>
++#  include <openssl/crypto.h>
++#endif
++
+ #ifdef WIN32
+ # include <winsock2.h>
+ #else /* Unix */
+@@ -170,6 +176,12 @@
+ 
+ typedef struct cipher_context cipher_context_t;
+ 
++typedef struct crypto_context {
++    void *libctx;
++    cipher_context_t *enc_ctx;
++    cipher_context_t *dec_ctx;
++} crypto_context_t;
++
+ /* cached auth info used for fast reauth */
+ typedef struct reauth_entry {
+     char *authid;
+@@ -254,12 +266,12 @@
+     decode_context_t decode_context;
+ 
+     /* if privacy mode is used use these functions for encode and decode */
++    char *cipher_name;
+     cipher_function_t *cipher_enc;
+     cipher_function_t *cipher_dec;
+     cipher_init_t *cipher_init;
+     cipher_free_t *cipher_free;
+-    struct cipher_context *cipher_enc_context;
+-    struct cipher_context *cipher_dec_context;
++    crypto_context_t crypto;
+ } context_t;
+ 
+ struct digest_cipher {
+@@ -888,7 +900,7 @@
+ 		    char *output,
+ 		    unsigned *outputlen)
+ {
+-    des_context_t *c = (des_context_t *) text->cipher_dec_context;
++    des_context_t *c = (des_context_t *) text->crypto.dec_ctx;
+     int padding, p;
+     
+     des_ede2_cbc_encrypt((void *) input,
+@@ -925,7 +937,7 @@
+ 		    char *output,
+ 		    unsigned *outputlen)
+ {
+-    des_context_t *c = (des_context_t *) text->cipher_enc_context;
++    des_context_t *c = (des_context_t *) text->crypto.enc_ctx;
+     int len;
+     int paddinglen;
+     
+@@ -973,7 +985,7 @@
+ 	return SASL_FAIL;
+     memcpy(c->ivec, ((char *) enckey) + 8, 8);
+ 
+-    text->cipher_enc_context = (cipher_context_t *) c;
++    text->crypto.enc_ctx = (cipher_context_t *) c;
+ 
+     /* setup dec context */
+     c++;
+@@ -987,7 +999,7 @@
+     
+     memcpy(c->ivec, ((char *) deckey) + 8, 8);
+ 
+-    text->cipher_dec_context = (cipher_context_t *) c;
++    text->crypto.dec_ctx = (cipher_context_t *) c;
+     
+     return SASL_OK;
+ }
+@@ -1006,7 +1018,7 @@
+ 		   char *output,
+ 		   unsigned *outputlen)
+ {
+-    des_context_t *c = (des_context_t *) text->cipher_dec_context;
++    des_context_t *c = (des_context_t *) text->crypto.dec_ctx;
+     int p, padding = 0;
+     
+     des_cbc_encrypt((void *) input,
+@@ -1046,7 +1058,7 @@
+ 		   char *output,
+ 		   unsigned *outputlen)
+ {
+-    des_context_t *c = (des_context_t *) text->cipher_enc_context;
++    des_context_t *c = (des_context_t *) text->crypto.enc_ctx;
+     int len;
+     int paddinglen;
+   
+@@ -1093,7 +1105,7 @@
+ 
+     memcpy(c->ivec, ((char *) enckey) + 8, 8);
+     
+-    text->cipher_enc_context = (cipher_context_t *) c;
++    text->crypto.enc_ctx = (cipher_context_t *) c;
+ 
+     /* setup dec context */
+     c++;
+@@ -1102,34 +1114,83 @@
+ 
+     memcpy(c->ivec, ((char *) deckey) + 8, 8);
+     
+-    text->cipher_dec_context = (cipher_context_t *) c;
++    text->crypto.dec_ctx = (cipher_context_t *) c;
+ 
+     return SASL_OK;
+ }
+ 
+ static void free_des(context_t *text)
+ {
+-    /* free des contextss. only cipher_enc_context needs to be free'd,
+-       since cipher_dec_context was allocated at the same time. */
+-    if (text->cipher_enc_context) text->utils->free(text->cipher_enc_context);
++    /* free des contextss. only enc_ctx needs to be free'd,
++       since dec_cxt was allocated at the same time. */
++    if (text->crypto.enc_ctx) {
++        text->utils->free(text->crypto.enc_ctx);
++    }
+ }
+ 
+ #endif /* WITH_DES */
+ 
+ #ifdef WITH_RC4
+-#ifdef HAVE_OPENSSL
+ #include <openssl/evp.h>
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++typedef struct ossl3_library_context {
++    OSSL_LIB_CTX *libctx;
++    OSSL_PROVIDER *legacy_provider;
++    OSSL_PROVIDER *default_provider;
++} ossl3_context_t;
++
++static int init_ossl3_ctx(context_t *text)
++{
++    ossl3_context_t *ctx = text->utils->malloc(sizeof(ossl3_context_t));
++    if (!ctx) return SASL_NOMEM;
++
++    ctx->libctx = OSSL_LIB_CTX_new();
++    if (!ctx->libctx) {
++        text->utils->free(ctx);
++        return SASL_FAIL;
++    }
++
++    /* Load both legacy and default provider as both may be needed */
++    /* if they fail keep going and an error will be raised when we try to
++     * fetch the cipher later */
++    ctx->legacy_provider = OSSL_PROVIDER_load(ctx->libctx, "legacy");
++    ctx->default_provider = OSSL_PROVIDER_load(ctx->libctx, "default");
++    text->crypto.libctx = (void *)ctx;
++
++    return SASL_OK;
++}
++
++static void free_ossl3_ctx(context_t *text)
++{
++    ossl3_context_t *ctx;
++
++    if (!text->crypto.libctx) return;
++
++    ctx = (ossl3_context_t *)text->crypto.libctx;
++
++    if (ctx->legacy_provider) OSSL_PROVIDER_unload(ctx->legacy_provider);
++    if (ctx->default_provider) OSSL_PROVIDER_unload(ctx->default_provider);
++    if (ctx->libctx) OSSL_LIB_CTX_free(ctx->libctx);
++
++    text->utils->free(ctx);
++    text->crypto.libctx = NULL;
++}
++#endif
++
+ static void free_rc4(context_t *text)
+ {
+-    if (text->cipher_enc_context) {
+-        EVP_CIPHER_CTX_free((EVP_CIPHER_CTX *)text->cipher_enc_context);
+-        text->cipher_enc_context = NULL;
+-    }
+-    if (text->cipher_dec_context) {
+-        EVP_CIPHER_CTX_free((EVP_CIPHER_CTX *)text->cipher_dec_context);
+-        text->cipher_dec_context = NULL;
++    if (text->crypto.enc_ctx) {
++        EVP_CIPHER_CTX_free((EVP_CIPHER_CTX *)text->crypto.enc_ctx);
++        text->crypto.enc_ctx = NULL;
++    }
++    if (text->crypto.dec_ctx) {
++        EVP_CIPHER_CTX_free((EVP_CIPHER_CTX *)text->crypto.dec_ctx);
++        text->crypto.dec_ctx = NULL;
+     }
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++    free_ossl3_ctx(text);
++#endif
+ }
+ 
+ static int init_rc4(context_t *text,
+@@ -1139,23 +1200,57 @@
+     EVP_CIPHER_CTX *ctx;
+     int rc;
+ 
+-    ctx = EVP_CIPHER_CTX_new();
+-    if (ctx == NULL) return SASL_NOMEM;
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++    EVP_CIPHER *cipher;
++    ossl3_context_t *ossl3_ctx;
+ 
+-    rc = EVP_EncryptInit_ex(ctx, EVP_rc4(), NULL, enckey, NULL);
+-    if (rc != 1) return SASL_FAIL;
++    rc = init_ossl3_ctx(text);
++    if (rc != SASL_OK) return rc;
++
++    ossl3_ctx = (ossl3_context_t *)text->crypto.libctx;
++    cipher = EVP_CIPHER_fetch(ossl3_ctx->libctx, "RC4", "");
++#else
++    const EVP_CIPHER *cipher;
++    cipher = EVP_rc4();
++#endif
+ 
+-    text->cipher_enc_context = (void *)ctx;
+ 
+     ctx = EVP_CIPHER_CTX_new();
+-    if (ctx == NULL) return SASL_NOMEM;
++    if (ctx == NULL) {
++        rc = SASL_NOMEM;
++        goto done;
++    }
+ 
+-    rc = EVP_DecryptInit_ex(ctx, EVP_rc4(), NULL, deckey, NULL);
+-    if (rc != 1) return SASL_FAIL;
++    rc = EVP_EncryptInit_ex(ctx, cipher, NULL, enckey, NULL);
++    if (rc != 1) {
++        rc = SASL_FAIL;
++        goto done;
++    }
++    text->crypto.enc_ctx = (void *)ctx;
++
++    ctx = EVP_CIPHER_CTX_new();
++    if (ctx == NULL) {
++        rc = SASL_NOMEM;
++        goto done;
++    }
++
++    rc = EVP_DecryptInit_ex(ctx, cipher, NULL, deckey, NULL);
++    if (rc != 1) {
++        rc = SASL_FAIL;
++        goto done;
++    }
++    text->crypto.dec_ctx = (void *)ctx;
+ 
+-    text->cipher_dec_context = (void *)ctx;
++    rc = SASL_OK;
+ 
+-    return SASL_OK;
++done:
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++    EVP_CIPHER_free(cipher);
++#endif
++    if (rc != SASL_OK) {
++        free_rc4(text);
++    }
++    return rc;
+ }
+ 
+ static int dec_rc4(context_t *text,
+@@ -1169,14 +1264,14 @@
+     int rc;
+ 
+     /* decrypt the text part & HMAC */
+-    rc = EVP_DecryptUpdate((EVP_CIPHER_CTX *)text->cipher_dec_context,
++    rc = EVP_DecryptUpdate((EVP_CIPHER_CTX *)text->crypto.dec_ctx,
+                            (unsigned char *)output, &len,
+                            (const unsigned char *)input, inputlen);
+     if (rc != 1) return SASL_FAIL;
+ 
+     *outputlen = len;
+ 
+-    rc = EVP_DecryptFinal_ex((EVP_CIPHER_CTX *)text->cipher_dec_context,
++    rc = EVP_DecryptFinal_ex((EVP_CIPHER_CTX *)text->crypto.dec_ctx,
+                              (unsigned char *)output + len, &len);
+     if (rc != 1) return SASL_FAIL;
+ 
+@@ -1198,7 +1293,7 @@
+     int len;
+     int rc;
+     /* encrypt the text part */
+-    rc = EVP_EncryptUpdate((EVP_CIPHER_CTX *)text->cipher_enc_context,
++    rc = EVP_EncryptUpdate((EVP_CIPHER_CTX *)text->crypto.enc_ctx,
+                            (unsigned char *)output, &len,
+                            (const unsigned char *)input, inputlen);
+     if (rc != 1) return SASL_FAIL;
+@@ -1206,14 +1301,14 @@
+     *outputlen = len;
+ 
+     /* encrypt the `MAC part */
+-    rc = EVP_EncryptUpdate((EVP_CIPHER_CTX *)text->cipher_enc_context,
++    rc = EVP_EncryptUpdate((EVP_CIPHER_CTX *)text->crypto.enc_ctx,
+                            (unsigned char *)output + *outputlen, &len,
+                            digest, 10);
+     if (rc != 1) return SASL_FAIL;
+ 
+     *outputlen += len;
+ 
+-    rc = EVP_EncryptFinal_ex((EVP_CIPHER_CTX *)text->cipher_enc_context,
++    rc = EVP_EncryptFinal_ex((EVP_CIPHER_CTX *)text->crypto.enc_ctx,
+                              (unsigned char *)output + *outputlen, &len);
+     if (rc != 1) return SASL_FAIL;
+ 
+@@ -1221,188 +1316,11 @@
+ 
+     return SASL_OK;
+ }
+-#else
+-/* quick generic implementation of RC4 */
+-struct rc4_context_s {
+-    unsigned char sbox[256];
+-    int i, j;
+-};
+-
+-typedef struct rc4_context_s rc4_context_t;
+-
+-static void rc4_init(rc4_context_t *text,
+-		     const unsigned char *key,
+-		     unsigned keylen)
+-{
+-    int i, j;
+-    
+-    /* fill in linearly s0=0 s1=1... */
+-    for (i=0;i<256;i++)
+-	text->sbox[i]=i;
+-    
+-    j=0;
+-    for (i = 0; i < 256; i++) {
+-	unsigned char tmp;
+-	/* j = (j + Si + Ki) mod 256 */
+-	j = (j + text->sbox[i] + key[i % keylen]) % 256;
+-	
+-	/* swap Si and Sj */
+-	tmp = text->sbox[i];
+-	text->sbox[i] = text->sbox[j];
+-	text->sbox[j] = tmp;
+-    }
+-    
+-    /* counters initialized to 0 */
+-    text->i = 0;
+-    text->j = 0;
+-}
+-
+-static void rc4_encrypt(rc4_context_t *text,
+-			const char *input,
+-			char *output,
+-			unsigned len)
+-{
+-    int tmp;
+-    int i = text->i;
+-    int j = text->j;
+-    int t;
+-    int K;
+-    const char *input_end = input + len;
+-    
+-    while (input < input_end) {
+-	i = (i + 1) % 256;
+-	
+-	j = (j + text->sbox[i]) % 256;
+-	
+-	/* swap Si and Sj */
+-	tmp = text->sbox[i];
+-	text->sbox[i] = text->sbox[j];
+-	text->sbox[j] = tmp;
+-	
+-	t = (text->sbox[i] + text->sbox[j]) % 256;
+-	
+-	K = text->sbox[t];
+-	
+-	/* byte K is Xor'ed with plaintext */
+-	*output++ = *input++ ^ K;
+-    }
+-    
+-    text->i = i;
+-    text->j = j;
+-}
+-
+-static void rc4_decrypt(rc4_context_t *text,
+-			const char *input,
+-			char *output,
+-			unsigned len)
+-{
+-    int tmp;
+-    int i = text->i;
+-    int j = text->j;
+-    int t;
+-    int K;
+-    const char *input_end = input + len;
+-    
+-    while (input < input_end) {
+-	i = (i + 1) % 256;
+-	
+-	j = (j + text->sbox[i]) % 256;
+-	
+-	/* swap Si and Sj */
+-	tmp = text->sbox[i];
+-	text->sbox[i] = text->sbox[j];
+-	text->sbox[j] = tmp;
+-	
+-	t = (text->sbox[i] + text->sbox[j]) % 256;
+-	
+-	K = text->sbox[t];
+-	
+-	/* byte K is Xor'ed with plaintext */
+-	*output++ = *input++ ^ K;
+-    }
+-    
+-    text->i = i;
+-    text->j = j;
+-}
+-
+-static void free_rc4(context_t *text)
+-{
+-    /* free rc4 context structures */
+-
+-    if(text->cipher_enc_context) text->utils->free(text->cipher_enc_context);
+-    if(text->cipher_dec_context) text->utils->free(text->cipher_dec_context);
+-}
+-
+-static int init_rc4(context_t *text, 
+-		    unsigned char enckey[16],
+-		    unsigned char deckey[16])
+-{
+-    /* allocate rc4 context structures */
+-    text->cipher_enc_context=
+-	(cipher_context_t *) text->utils->malloc(sizeof(rc4_context_t));
+-    if (text->cipher_enc_context == NULL) return SASL_NOMEM;
+-    
+-    text->cipher_dec_context=
+-	(cipher_context_t *) text->utils->malloc(sizeof(rc4_context_t));
+-    if (text->cipher_dec_context == NULL) return SASL_NOMEM;
+-    
+-    /* initialize them */
+-    rc4_init((rc4_context_t *) text->cipher_enc_context,
+-             (const unsigned char *) enckey, 16);
+-    rc4_init((rc4_context_t *) text->cipher_dec_context,
+-             (const unsigned char *) deckey, 16);
+-    
+-    return SASL_OK;
+-}
+-
+-static int dec_rc4(context_t *text,
+-		   const char *input,
+-		   unsigned inputlen,
+-		   unsigned char digest[16] __attribute__((unused)),
+-		   char *output,
+-		   unsigned *outputlen)
+-{
+-    /* decrypt the text part & HMAC */
+-    rc4_decrypt((rc4_context_t *) text->cipher_dec_context, 
+-                input, output, inputlen);
+-
+-    /* no padding so we just subtract the HMAC to get the text length */
+-    *outputlen = inputlen - 10;
+-    
+-    return SASL_OK;
+-}
+-
+-static int enc_rc4(context_t *text,
+-		   const char *input,
+-		   unsigned inputlen,
+-		   unsigned char digest[16],
+-		   char *output,
+-		   unsigned *outputlen)
+-{
+-    /* pad is zero */
+-    *outputlen = inputlen+10;
+-    
+-    /* encrypt the text part */
+-    rc4_encrypt((rc4_context_t *) text->cipher_enc_context,
+-                input,
+-                output,
+-                inputlen);
+-    
+-    /* encrypt the HMAC part */
+-    rc4_encrypt((rc4_context_t *) text->cipher_enc_context, 
+-                (const char *) digest, 
+-		(output)+inputlen, 10);
+-    
+-    return SASL_OK;
+-}
+-#endif /* HAVE_OPENSSL */
+ #endif /* WITH_RC4 */
+ 
+ struct digest_cipher available_ciphers[] =
+ {
+ #ifdef WITH_RC4
+-    { "rc4-40", 40, 5, 0x01, &enc_rc4, &dec_rc4, &init_rc4, &free_rc4 },
+-    { "rc4-56", 56, 7, 0x02, &enc_rc4, &dec_rc4, &init_rc4, &free_rc4 },
+     { "rc4", 128, 16, 0x04, &enc_rc4, &dec_rc4, &init_rc4, &free_rc4 },
+ #endif
+ #ifdef WITH_DES
+@@ -2815,6 +2733,7 @@
+ 	}
+ 	
+ 	if (cptr->name) {
++	    text->cipher_name = cptr->name;
+ 	    text->cipher_enc = cptr->cipher_enc;
+ 	    text->cipher_dec = cptr->cipher_dec;
+ 	    text->cipher_init = cptr->cipher_init;
+@@ -2958,7 +2877,10 @@
+ 	if (text->cipher_init) {
+ 	    if (text->cipher_init(text, enckey, deckey) != SASL_OK) {
+ 		sparams->utils->seterror(sparams->utils->conn, 0,
+-					 "couldn't init cipher");
++					 "couldn't init cipher '%s'",
++                                         text->cipher_name);
++                result = SASL_FAIL;
++                goto FreeAllMem;
+ 	    }
+ 	}
+     }
+@@ -3509,6 +3431,7 @@
+ 	oparams->mech_ssf = ctext->cipher->ssf;
+ 
+ 	nbits = ctext->cipher->n;
++	text->cipher_name = ctext->cipher->name;
+ 	text->cipher_enc = ctext->cipher->cipher_enc;
+ 	text->cipher_dec = ctext->cipher->cipher_dec;
+ 	text->cipher_free = ctext->cipher->cipher_free;
+@@ -3733,7 +3656,13 @@
+ 	
+ 	/* initialize cipher if need be */
+ 	if (text->cipher_init) {
+-	    text->cipher_init(text, enckey, deckey);
++	    if (text->cipher_init(text, enckey, deckey) != SASL_OK) {
++	        params->utils->seterror(params->utils->conn, 0,
++		         "internal error: failed to init cipher '%s'",
++                         text->cipher_name);
++                result = SASL_FAIL;
++                goto FreeAllocatedMem;
++            }
+ 	}
+     }
+     

SOURCES/cyrus-sasl-2.1.27-cumulative-ossl3.patch

@@ -0,0 +1,109 @@
+diff -uPr cyrus-sasl-2.1.27/configure.ac cyrus-sasl-2.1.27.ossl3/configure.ac
+--- cyrus-sasl-2.1.27/configure.ac	2021-10-06 11:29:53.274375206 -0400
++++ cyrus-sasl-2.1.27.ossl3/configure.ac	2021-10-06 11:31:19.966726775 -0400
+@@ -1115,7 +1115,11 @@
+ 	with_rc4=yes)
+ 
+ if test "$with_rc4" != no; then
+-    AC_DEFINE(WITH_RC4,[],[Use RC4])
++    if test "$with_openssl" = no; then
++        AC_WARN([OpenSSL not found -- RC4 will be disabled])
++    else
++        AC_DEFINE(WITH_RC4,[],[Use RC4])
++    fi
+ fi
+ 
+ building_for_macosx=no
+diff -uPr cyrus-sasl-2.1.27/plugins/scram.c cyrus-sasl-2.1.27.ossl3/plugins/scram.c
+--- cyrus-sasl-2.1.27/plugins/scram.c	2018-11-08 12:29:57.000000000 -0500
++++ cyrus-sasl-2.1.27.ossl3/plugins/scram.c	2021-10-06 11:31:04.407484201 -0400
+@@ -65,7 +65,9 @@
+ 
+ #include <openssl/sha.h>
+ #include <openssl/evp.h>
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ #include <openssl/hmac.h>
++#endif
+ 
+ /*****************************  Common Section  *****************************/
+ 
+@@ -267,6 +271,32 @@
+ }
+ #endif
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++
++/* Decalre as void given functions never use the result */
++void *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
++                     const unsigned char *data, size_t data_len,
++                     unsigned char *md, unsigned int *md_len)
++{
++    const char *digest;
++    size_t digest_size;
++    size_t out_len;
++    void *ret = NULL;
++
++    digest = EVP_MD_get0_name(evp_md);
++    if (digest == NULL) {
++        return NULL;
++    }
++    digest_size = EVP_MD_size(evp_md);
++
++    ret = EVP_Q_mac(NULL, "hmac", NULL, digest, NULL, key, key_len,
++                    data, data_len, md, digest_size, &out_len);
++    if (ret != NULL) {
++        *md_len = (unsigned int)out_len;
++    }
++    return ret;
++}
++#endif
+ 
+ /* The result variable need to point to a buffer big enough for the [SHA-1] hash */
+ static void
+diff -uPr cyrus-sasl-2.1.27/saslauthd/lak.c cyrus-sasl-2.1.27.ossl3/saslauthd/lak.c
+--- cyrus-sasl-2.1.27/saslauthd/lak.c	2022-01-09 11:30:50.000000000 -0400
++++ cyrus-sasl-2.1.27.ossl3/saslauthd/lak.c	2022-01-09 11:30:50.000000001 -0400
+@@ -1806,18 +1806,36 @@
+ 		return rc;
+ 	}
+ 
+-	EVP_DigestInit(mdctx, md);
+-	EVP_DigestUpdate(mdctx, passwd, strlen(passwd));
++	rc = EVP_DigestInit(mdctx, md);
++	if (rc != 1) {
++		rc = LAK_FAIL;
++		goto done;
++	}
++	rc = EVP_DigestUpdate(mdctx, passwd, strlen(passwd));
++	if (rc != 1) {
++		rc = LAK_FAIL;
++		goto done;
++	}
+ 	if (hrock->salted) {
+-		EVP_DigestUpdate(mdctx, &cred[EVP_MD_size(md)],
+-				 clen - EVP_MD_size(md));
++		rc = EVP_DigestUpdate(mdctx, &cred[EVP_MD_size(md)],
++				      clen - EVP_MD_size(md));
++		if (rc != 1) {
++		    rc = LAK_FAIL;
++		    goto done;
++		}
++	}
++	rc = EVP_DigestFinal(mdctx, digest, NULL);
++	if (rc != 1) {
++		rc = LAK_FAIL;
++		goto done;
+ 	}
+-	EVP_DigestFinal(mdctx, digest, NULL);
+-	EVP_MD_CTX_free(mdctx);
+ 
+ 	rc = memcmp((char *)cred, (char *)digest, EVP_MD_size(md));
++	rc = rc ? LAK_INVALID_PASSWORD : LAK_OK;
++done:
++	EVP_MD_CTX_free(mdctx);
+ 	free(cred);
+-	return rc ? LAK_INVALID_PASSWORD : LAK_OK;
++	return rc;
+ }
+ 
+ #endif /* HAVE_OPENSSL */

SOURCES/cyrus-sasl-2.1.27-fix-for-autoconf270.patch

@@ -0,0 +1,74 @@
+From 3b0149cf3d235247b051b7cb7663bc3dadbb999b Mon Sep 17 00:00:00 2001
+From: Pavel Raiskup <praiskup@redhat.com>
+Date: Thu, 1 Apr 2021 17:17:52 +0200
+Subject: [PATCH] configure.ac: avoid side-effects in AC_CACHE_VAL
+
+In the COMMANDS-TO-SET-IT argument, per Autoconf docs:
+https://www.gnu.org/software/autoconf/manual/autoconf-2.63/html_node/Caching-Results.html
+---
+ configure.ac | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index a106d35e..d333496d 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -220,11 +220,14 @@ void foo() { int i=0;}
+ int main() { void *self, *ptr1, *ptr2; self=dlopen(NULL,RTLD_LAZY);
+     if(self) { ptr1=dlsym(self,"foo"); ptr2=dlsym(self,"_foo");
+     if(ptr1 && !ptr2) exit(0); } exit(1); } 
+-], [sasl_cv_dlsym_adds_uscore=yes], sasl_cv_dlsym_adds_uscore=no
+-	AC_DEFINE(DLSYM_NEEDS_UNDERSCORE, [], [Do we need a leading _ for dlsym?]),
++], [sasl_cv_dlsym_adds_uscore=yes], sasl_cv_dlsym_adds_uscore=no,
+ 	AC_MSG_WARN(cross-compiler, we'll do our best)))
+ 	LIBS="$cmu_save_LIBS"
+       AC_MSG_RESULT($sasl_cv_dlsym_adds_uscore)
++
++      if test "$sasl_cv_dlsym_adds_uscore" = no; then
++        AC_DEFINE(DLSYM_NEEDS_UNDERSCORE, [], [Do we need a leading _ for dlsym?])
++      fi
+   fi
+ fi
+ 
+From d3bcaf62f6213e7635e9c4a574f39a831e333980 Mon Sep 17 00:00:00 2001
+From: Pavel Raiskup <praiskup@redhat.com>
+Date: Thu, 1 Apr 2021 17:26:28 +0200
+Subject: [PATCH] configure.ac: properly quote macro arguments
+
+Autoconf 2.70+ is more picky about the quotation (even though with
+previous versions the arguments should have been quoted, too).  When we
+don't quote macros inside the AC_CACHE_VAL macro - some of the Autoconf
+initialization is wrongly ordered in ./configure script and we keep
+seeing bugs like:
+
+    ./configure: line 2165: ac_fn_c_try_run: command not found
+
+Original report: https://bugzilla.redhat.com/1943013
+---
+ configure.ac | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index d333496d..7281cba0 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -213,15 +213,16 @@ if test $sasl_cv_uscore = yes; then
+ 	AC_MSG_CHECKING(whether dlsym adds the underscore for us)
+ 	cmu_save_LIBS="$LIBS"
+ 	LIBS="$LIBS $SASL_DL_LIB"
+-	AC_CACHE_VAL(sasl_cv_dlsym_adds_uscore,AC_TRY_RUN( [
++	AC_CACHE_VAL([sasl_cv_dlsym_adds_uscore],
++	             [AC_TRY_RUN([
+ #include <dlfcn.h>
+ #include <stdio.h>
+ void foo() { int i=0;}
+ int main() { void *self, *ptr1, *ptr2; self=dlopen(NULL,RTLD_LAZY);
+     if(self) { ptr1=dlsym(self,"foo"); ptr2=dlsym(self,"_foo");
+     if(ptr1 && !ptr2) exit(0); } exit(1); } 
+-], [sasl_cv_dlsym_adds_uscore=yes], sasl_cv_dlsym_adds_uscore=no,
+-	AC_MSG_WARN(cross-compiler, we'll do our best)))
++], [sasl_cv_dlsym_adds_uscore=yes], [sasl_cv_dlsym_adds_uscore=no],
++	[AC_MSG_WARN(cross-compiler, we'll do our best)])])
+ 	LIBS="$cmu_save_LIBS"
+       AC_MSG_RESULT($sasl_cv_dlsym_adds_uscore)
+ 

SOURCES/cyrus-sasl-2.1.27-nostrncpy.patch

@@ -0,0 +1,51 @@
+diff --git a/plugins/gssapi.c b/plugins/gssapi.c
+index 5d900c5e..4688bb9a 100644
+--- a/plugins/gssapi.c
++++ b/plugins/gssapi.c
+@@ -1567,7 +1567,6 @@ int gssapiv2_server_plug_init(
+ {
+ #ifdef HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY
+     const char *keytab = NULL;
+-    char keytab_path[1024];
+     unsigned int rl;
+ #endif
+     
+@@ -1589,15 +1588,7 @@ int gssapiv2_server_plug_init(
+ 	    return SASL_FAIL;
+ 	}
+ 	
+-	if(strlen(keytab) > 1024) {
+-	    utils->log(NULL, SASL_LOG_ERR,
+-		       "path to keytab is > 1024 characters");
+-	    return SASL_BUFOVER;
+-	}
+-	
+-	strncpy(keytab_path, keytab, 1024);
+-	
+-	gsskrb5_register_acceptor_identity(keytab_path);
++	gsskrb5_register_acceptor_identity(keytab);
+     }
+ #endif
+     
+diff --git a/plugins/ntlm.c b/plugins/ntlm.c
+index aeb3ac34..8a7d9065 100644
+--- a/plugins/ntlm.c
++++ b/plugins/ntlm.c
+@@ -375,10 +375,15 @@ static unsigned char *P16_lm(unsigned char *P16, sasl_secret_t *passwd,
+ 			     unsigned *buflen __attribute__((unused)),
+ 			     int *result)
+ {
+-    char P14[14];
++    char P14[14] = { 0 };
++    int Plen;
+     unsigned char S8[] = { 0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25 };
+ 
+-    strncpy(P14, (const char *) passwd->data, sizeof(P14));
++    Plen = sizeof(P14);
++    if (passwd->len < Plen) {
++        Plen = passwd->len;
++    }
++    memcpy(P14, (const char *) passwd->data, Plen);
+     ucase(P14, sizeof(P14));
+ 
+     E(P16, (unsigned char *) P14, sizeof(P14), S8, sizeof(S8));

SOURCES/cyrus-sasl-cve-2019-19906.patch

@@ -1,18 +1,17 @@
-From bcb6c06ec17728f7c9c492dc257b1e541a6830da Mon Sep 17 00:00:00 2001
+From dcc9f51cbd4ed622cfb0f9b1c141eb2ffe3b12f1 Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
+From: Quanah Gibson-Mount <quanah@symas.com>
-Date: Tue, 5 May 2020 14:41:06 -0400
+Date: Tue, 18 Feb 2020 19:05:12 +0000
-Subject: [PATCH] CVE-2019-19906
+Subject: [PATCH] Fix #587
 
-Backport of commit id:
+Off by one error in common.c, CVE-2019-19906.
-dcc9f51cbd4ed622cfb0f9b1c141eb2ffe3b12f1
 
-Signed-off-by: Simo Sorce <simo@redhat.com>
+Thanks to Stephan Zeisberg for reporting
 ---
  lib/common.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/lib/common.c b/lib/common.c
-index bc3bf1d..9969d6a 100644
+index bc3bf1df..9969d6aa 100644
 --- a/lib/common.c
 +++ b/lib/common.c
 @@ -190,7 +190,7 @@ int _sasl_add_string(char **out, size_t *alloclen,
@@ -24,6 +23,3 @@ index bc3bf1d..9969d6a 100644
    if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=SASL_OK)
      return SASL_NOMEM;
  
--- 
-2.18.2
-

SOURCES/cyrus-sasl-pr559-RC4-openssl.patch

@@ -13,7 +13,8 @@ diff --git a/configure.ac b/configure.ac
 index 388f5d02..cfdee4a2 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1102,12 +1102,11 @@ AC_ARG_WITH(configdir, [   --with-configdir=DIR    set the directory where confi
+@@ -1103,13 +1103,12 @@ AC_ARG_WITH(configdir, [   --with-configdir=DIR    set the directory where confi
+   configdir='${plugindir}:${sysconfdir}/sasl2')
  AC_SUBST(configdir)
  
 -dnl look for rc4 libraries. we accept the CMU one or one from openSSL

SOURCES/make-no-dlcompatorsrp-tarball.sh

@@ -1,6 +1,6 @@
 #!/bin/bash -e
 #
-#  See ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/ for unmodified sources.
+#  See https://github.com/cyrusimap/cyrus-sasl/releases for unmodified sources.
 #
 
 tmppath=`mktemp -d ${TMPDIR:-/tmp}/make-no-dlcompat-tarball-XXXXXX`

SPECS/cyrus-sasl.spec

@@ -4,13 +4,15 @@
 
 %global _plugindir2 %{_libdir}/sasl2
 %global bootstrap_cyrus_sasl 0
+%global gdbm_db_file /etc/sasl2/sasldb2
 
 Summary: The Cyrus SASL library
 Name: cyrus-sasl
 Version: 2.1.27
-Release: 6%{?dist}
+Release: 21%{?dist}
 License: BSD with advertising
-Group: System Environment/Libraries
+URL: https://www.cyrusimap.org/sasl/
+
 # Source0 originally comes from https://www.cyrusimap.org/releases/;
 # make-no-dlcompatorsrp-tarball.sh removes the "dlcompat" subdirectory and builds a
 # new tarball.
@@ -22,38 +24,53 @@ Source10: make-no-dlcompatorsrp-tarball.sh
 # From upstream git, required for reconfigure after applying patches to configure.ac
 # https://raw.githubusercontent.com/cyrusimap/cyrus-sasl/master/autogen.sh
 Source11: autogen.sh
-URL: https://www.cyrusimap.org/sasl/
+
-Requires: %{name}-lib%{?_isa} = %{version}-%{release}
 Patch11: cyrus-sasl-2.1.25-no_rpath.patch
 Patch15: cyrus-sasl-2.1.20-saslauthd.conf-path.patch
 Patch23: cyrus-sasl-2.1.23-man.patch
 Patch24: cyrus-sasl-2.1.21-sizes.patch
+# The 64 bit *INT8 type is not used anywhere and other types match
 Patch49: cyrus-sasl-2.1.26-md5global.patch
 Patch60: cyrus-sasl-pr559-RC4-openssl.patch
-Patch830: cyrus-sasl-2.1.27-CVE-2019-19906.patch
+
-Patch831: cyrus-sasl-2.1.27-Add-basic-test-infrastructure.patch
+Patch100: cyrus-sasl-cve-2019-19906.patch
-Patch832: cyrus-sasl-2.1.27-Add-Channel-Binding-support-for-GSSAPI-GSS-SPNEGO.patch
+Patch101: cyrus-sasl-2.1.27-Add-basic-test-infrastructure.patch
-Patch833: cyrus-sasl-2.1.27-Add-support-for-setting-max-ssf-0-to-GSS-SPNEGO.patch
+Patch102: cyrus-sasl-2.1.27-Add-Channel-Binding-support-for-GSSAPI-GSS-SPNEGO.patch
-Patch834: cyrus-sasl-2.1.27-Emit-debug-log-only-in-case-of-errors.patch
+Patch103: cyrus-sasl-2.1.27-Add-support-for-setting-max-ssf-0-to-GSS-SPNEGO.patch
+Patch104: cyrus-sasl-2.1.27-Emit-debug-log-only-in-case-of-errors.patch
+Patch105: cyrus-sasl-2.1.27-fix-for-autoconf270.patch
+#https://github.com/simo5/cyrus-sasl/commit/ebd2387f06c84c7f9aac3167ec041bb01e5c6e48
+Patch106: cyrus-sasl-2.1.27-nostrncpy.patch
+# Upstream PR: https://github.com/cyrusimap/cyrus-sasl/pull/635
+Patch107: cyrus-sasl-2.1.27-Add-basic-test-plain-auth.patch
+#Migration tool should be removed from RHEL10
+Patch108: cyrus-sasl-2.1.27-Migration-from-BerkeleyDB.patch
+Patch500: cyrus-sasl-2.1.27-coverity.patch
+Patch501: cyrus-sasl-2.1.27-cumulative-digestmd5.patch
+Patch502: cyrus-sasl-2.1.27-cumulative-ossl3.patch
 
 Patch900: 0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
 
-Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: autoconf, automake, libtool, gdbm-devel, groff
-BuildRequires: krb5-devel >= 1.2.2, openssl-devel, pam-devel, pkgconfig
+BuildRequires: krb5-devel >= 1.19, openssl-devel, pam-devel, pkgconfig
-BuildRequires: mariadb-connector-c-devel, postgresql-devel, zlib-devel
+BuildRequires: mariadb-connector-c-devel, libpq-devel, zlib-devel
-BuildRequires: libdb-devel
 %if ! %{bootstrap_cyrus_sasl}
 BuildRequires: openldap-devel
 %endif
+#build reqs for migration from BerkeleyDB
+#should be removed from RHEL10
+BuildRequires: libdb-devel-static
 #build reqs for make check
-BuildRequires: python36 nss_wrapper socket_wrapper krb5-server
+BuildRequires: python3 nss_wrapper socket_wrapper krb5-server
 %{?systemd_requires}
-Requires(post): chkconfig
+
+Requires: %{name}-lib = %{version}-%{release}
+Requires: systemd
+
+#Requires/Provides related to the saslauthd user creation
+Requires: /sbin/nologin
 Requires(pre): /usr/sbin/useradd /usr/sbin/groupadd
 Requires(postun): /usr/sbin/userdel /usr/sbin/groupdel
-Requires: /sbin/nologin
-Requires: systemd >= 211
 Provides: user(%username)
 Provides: group(%username)
 
@@ -64,7 +81,6 @@ SASL is the Simple Authentication and Security Layer, a method for
 adding authentication support to connection-based protocols.
 
 %package lib
-Group: System Environment/Libraries
 Summary: Shared libraries needed by applications which use Cyrus SASL
 
 %description lib
@@ -72,10 +88,9 @@ The %{name}-lib package contains shared libraries which are needed by
 applications which use the Cyrus SASL library.
 
 %package devel
-Requires: %{name}-lib%{?_isa} = %{version}-%{release}
+Requires: %{name}-lib = %{version}-%{release}
-Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: %{name} = %{version}-%{release}
 Requires: pkgconfig
-Group: Development/Libraries
 Summary: Files needed for developing applications with Cyrus SASL
 
 %description devel
@@ -84,7 +99,6 @@ compiling applications which use the Cyrus SASL library.
 
 %package gssapi
 Requires: %{name}-lib%{?_isa} = %{version}-%{release}
-Group: System Environment/Libraries
 Summary: GSSAPI authentication support for Cyrus SASL
 
 %description gssapi
@@ -94,7 +108,6 @@ authentication.
 
 %package plain
 Requires: %{name}-lib%{?_isa} = %{version}-%{release}
-Group: System Environment/Libraries
 Summary: PLAIN and LOGIN authentication support for Cyrus SASL
 
 %description plain
@@ -103,7 +116,6 @@ PLAIN and LOGIN authentication schemes.
 
 %package md5
 Requires: %{name}-lib%{?_isa} = %{version}-%{release}
-Group: System Environment/Libraries
 Summary: CRAM-MD5 and DIGEST-MD5 authentication support for Cyrus SASL
 
 %description md5
@@ -112,7 +124,6 @@ CRAM-MD5 and DIGEST-MD5 authentication schemes.
 
 %package ntlm
 Requires: %{name}-lib%{?_isa} = %{version}-%{release}
-Group: System Environment/Libraries
 Summary: NTLM authentication support for Cyrus SASL
 
 %description ntlm
@@ -122,7 +133,6 @@ the NTLM authentication scheme.
 # This would more appropriately be named cyrus-sasl-auxprop-sql.
 %package sql
 Requires: %{name}-lib%{?_isa} = %{version}-%{release}
-Group: System Environment/Libraries
 Summary: SQL auxprop support for Cyrus SASL
 
 %description sql
@@ -133,7 +143,6 @@ using a RDBMS for storing shared secrets.
 # This was *almost* named cyrus-sasl-auxprop-ldapdb, but that's a lot of typing.
 %package ldap
 Requires: %{name}-lib%{?_isa} = %{version}-%{release}
-Group: System Environment/Libraries
 Summary: LDAP auxprop support for Cyrus SASL
 
 %description ldap
@@ -143,7 +152,6 @@ a directory server, accessed using LDAP, for storing shared secrets.
 
 %package scram
 Requires: %{name}-lib%{?_isa} = %{version}-%{release}
-Group: System Environment/Libraries
 Summary: SCRAM auxprop support for Cyrus SASL
 
 %description scram
@@ -152,7 +160,6 @@ the SCRAM authentication scheme.
 
 %package gs2
 Requires: %{name}-lib%{?_isa} = %{version}-%{release}
-Group: System Environment/Libraries
 Summary: GS2 support for Cyrus SASL
 
 %description gs2
@@ -170,11 +177,18 @@ the GS2 authentication scheme.
 %patch24 -p1 -b .sizes
 %patch49 -p1 -b .md5global.h
 %patch60 -p1 -b .openssl_rc4
-%patch830 -p1 -b .CVE-2019-19906
+%patch100 -p1 -b .cve_2019_19906
-%patch831 -p1 -b .tests
+%patch101 -p1 -b .tests
-%patch832 -p1 -b .gssapi_cbs
+%patch102 -p1 -b .gssapi_cbs
-%patch833 -p1 -b .maxssf0
+%patch103 -p1 -b .maxssf0
-%patch834 -p1 -b .nolog
+%patch104 -p1 -b .nolog
+%patch105 -p1 -b .autoconf270
+%patch106 -p1 -b .nostrncpy
+%patch107 -p1 -b .plaintests
+%patch108 -p1 -b .frombdb
+%patch500 -p1 -b .coverity
+%patch501 -p1 -b .digestmd5
+%patch502 -p1 -b .ossl3
 %patch900 -p1 -b .CVE-2022-24407
 
 %build
@@ -220,14 +234,7 @@ if test x"$LIB_DIR" != "x-L%{_libdir}"; then
         LDFLAGS="$LIB_DIR $LDFLAGS"; export LDFLAGS
 fi
 
-# Patch config.sub to support ppc64p7 subarch (Fedora specific)
-# This is similar to what the config.sub from automake has
-for i in `find . -name config.sub`; do
-  perl -pi -e "s/ppc64-\*/ppc64-\* \| ppc64p7-\*/" $i
-done
-
 CFLAGS="$RPM_OPT_FLAGS $CFLAGS $CPPFLAGS -fPIC -pie -Wl,-z,relro -Wl,-z,now"; export CFLAGS
-LDFLAGS="$LDFLAGS -pie -Wl,-z,now"; export LDFLAGS
 
 echo "$CFLAGS"
 echo "$CPPFLAGS"
@@ -242,8 +249,8 @@ echo "$LDFLAGS"
         --enable-gssapi${krb5_prefix:+=${krb5_prefix}} \
         --with-gss_impl=mit \
         --with-rc4 \
-        --with-dblib=berkeley \
+        --with-dblib=gdbm \
-        --with-bdb=db \
+        --with-dbpath=%{gdbm_db_file} \
         --with-saslauthd=/run/saslauthd --without-pwcheck \
 %if ! %{bootstrap_cyrus_sasl}
         --with-ldap \
@@ -285,6 +292,8 @@ install -m755 -d $RPM_BUILD_ROOT%{_bindir}
 install -m755 sample/client $RPM_BUILD_ROOT%{_bindir}/sasl2-sample-client
 ./libtool --mode=install \
 install -m755 sample/server $RPM_BUILD_ROOT%{_bindir}/sasl2-sample-server
+#Migration tool should be removed from RHEL10
+mv $RPM_BUILD_ROOT%{_sbindir}/cyrusbdb2current $RPM_BUILD_ROOT%{_bindir}/cyrusbdb2current
 ./libtool --mode=install \
 install -m755 saslauthd/testsaslauthd $RPM_BUILD_ROOT%{_sbindir}/testsaslauthd
 
@@ -294,9 +303,8 @@ install -m755 -d $RPM_BUILD_ROOT%{_mandir}/man8/
 install -m644 -p saslauthd/saslauthd.mdoc $RPM_BUILD_ROOT%{_mandir}/man8/saslauthd.8
 install -m644 -p saslauthd/testsaslauthd.8 $RPM_BUILD_ROOT%{_mandir}/man8/testsaslauthd.8
 
-# Install the init script for saslauthd and the init script's config file.
+# Install the systemd unit file for saslauthd and the config file.
-install -m755 -d $RPM_BUILD_ROOT/etc/rc.d/init.d $RPM_BUILD_ROOT/etc/sysconfig
+install -d -m755 $RPM_BUILD_ROOT/%{_unitdir} $RPM_BUILD_ROOT/etc/sysconfig
-install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
 install -m644 -p %{SOURCE5} $RPM_BUILD_ROOT/%{_unitdir}/saslauthd.service
 install -m644 -p %{SOURCE9} $RPM_BUILD_ROOT/etc/sysconfig/saslauthd
 
@@ -331,16 +339,9 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir}
 %postun
 %systemd_postun_with_restart saslauthd.service
 
-%triggerun -n cyrus-sasl -- cyrus-sasl < 2.1.23-32
+%ldconfig_scriptlets lib
-/usr/bin/systemd-sysv-convert --save saslauthd >/dev/null 2>&1 || :
-/sbin/chkconfig --del saslauthd >/dev/null 2>&1 || :
-/bin/systemctl try-restart saslauthd.service >/dev/null 2>&1 || :
-
-%post lib -p /sbin/ldconfig
-%postun lib -p /sbin/ldconfig
 
 %files
-%defattr(-,root,root)
 %doc saslauthd/LDAP_SASLAUTHD
 %{_mandir}/man8/*
 %{_sbindir}/pluginviewer
@@ -351,7 +352,6 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir}
 %ghost /run/saslauthd
 
 %files lib
-%defattr(-,root,root)
 %license COPYING
 %doc AUTHORS doc/html/*.html
 %{_libdir}/libsasl*.so.*
@@ -361,45 +361,37 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir}
 %{_plugindir2}/*sasldb*.so*
 %{_sbindir}/saslpasswd2
 %{_sbindir}/sasldblistusers2
+%{_bindir}/cyrusbdb2current
 
 %files plain
-%defattr(-,root,root)
 %{_plugindir2}/*plain*.so*
 %{_plugindir2}/*login*.so*
 
 %if ! %{bootstrap_cyrus_sasl}
 %files ldap
-%defattr(-,root,root)
 %{_plugindir2}/*ldapdb*.so*
 %endif
 
 %files md5
-%defattr(-,root,root)
 %{_plugindir2}/*crammd5*.so*
 %{_plugindir2}/*digestmd5*.so*
 
 %files ntlm
-%defattr(-,root,root)
 %{_plugindir2}/*ntlm*.so*
 
 %files sql
-%defattr(-,root,root)
 %{_plugindir2}/*sql*.so*
 
 %files gssapi
-%defattr(-,root,root)
 %{_plugindir2}/*gssapi*.so*
 
 %files scram
-%defattr(-,root,root)
 %{_plugindir2}/libscram.so*
 
 %files gs2
-%defattr(-,root,root)
 %{_plugindir2}/libgs2.so*
 
 %files devel
-%defattr(-,root,root)
 %{_bindir}/sasl2-sample-client
 %{_bindir}/sasl2-sample-server
 %{_includedir}/*
@@ -409,40 +401,96 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir}
 %{_sbindir}/sasl2-shared-mechlist
 
 %changelog
-* Thu Feb 17 2022 Simo Sorce <simo@redhat.com> - 2.1.27-6
+* Mon Aug  1 2022 Simo Sorce <simo@redhat.com> - 2.1.27-21
+- Fix memleak
+
+* Wed Feb 23 2022 Simo Sorce <simo@redhat.com> - 2.1.27-20
 - Fix for CVE-2022-24407
-- Resolves: rhbz#2055846
+- Resolves: rhbz#2055848
 
-* Tue May  5 2020 Simo Sorce <simo@redhat.com> - 2.1.27-5
+* Wed Feb  9 2022 Simo Sorce <simo@redhat.com> - 2.1.27-19
-- Reduce excessive GSSAPI plugin logging
+- Fix a memleak in one of the OpenSSL 3 compat patches
-- Resolves: rhbz#1274734
+  found by covscan
 
-* Tue May  5 2020 Simo Sorce <simo@redhat.com> - 2.1.27-4
+* Mon Feb  7 2022 Simo Sorce <simo@redhat.com> - 2.1.27-18
-- Add support for setting maxssf=0 in GSS-SPNEGO
+- Update OpenSSL 3 related compatibility patch backports
-- Resolves: rhbz#1822133
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.1.27-17
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
 
-* Tue May  5 2020 Simo Sorce <simo@redhat.com> - 2.1.27-3
+* Wed Jul 28 2021 Simo Sorce <simo@redhat.com> - 2.1.27-16
+- Rebuild to pass gating after fixing rhbz#1983928
+
+* Wed Jul 28 2021 Florian Weimer <fweimer@redhat.com> - 2.1.27-15
+- Rebuild to pick up OpenSSL 3.0 Beta ABI (#1984097)
+
+* Mon Jul 19 2021 Simo Sorce <simo@redhat.com> - 2.1.27-14
+- Fix crashs on missing legacy algorithms
+  Resolves: rhbz#1974354
+
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.1.27-13
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+  Related: rhbz#1971065
+
+* Fri Jun 04 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 2.1.27-12
+- Incorporate the upstream gdbm specific patch from
+  https://github.com/cyrusimap/cyrus-sasl/pull/554
+- Resolves rhbz#1947971
+
+* Wed Apr 28 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 2.1.27-11
+- Set default sasldb database to GDBM instead of BerkeleyDB
+- Add the migration tool from BerkeleyDB
+- Add some PLAIN auth tests
+- Resolves rhbz#1947971
+
+* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2.1.27-10
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Mon Apr 12 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 2.1.27-9
+- Coverity-related fixes (#1938700)
+
+* Mon Feb 08 2021 Pavel Raiskup <praiskup@redhat.com> - 2.1.27-8
+- rebuild for libpq ABI fix rhbz#1908268
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.27-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.27-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Thu May  7 2020 Simo Sorce <simo@redhat.com> - 2.1.27-5
 - Backport GSSAPI Channel Bindings support
-- Resolves: rhbz#1817054
+- Add support for setting maxssf=0 in GSS-SPNEGO
+- Reduce excessive GSSAPI plugin logging
+
+* Thu Mar 19 2020 Simo Sorce - 2.1.27-4
+- Fix CVE 2019 19906
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.27-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.27-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu Jun 13 2019 Simo Sorce - 2.1.27-1
+- Update to final 2.1.27 sources
+- Also add patch to use OpenSSL RC4, currently proposed as PR 559
 
-* Tue May  5 2020 Simo Sorce <simo@redhat.com> - 2.1.27-2
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.27-0.6rc7
-- Backport fix for CVE-2019-19906
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-- Resolves: rhbz#1804036
 
-* Fri Jun 14 2019 Simo Sorce <simo@redhat.com> - 2.1.27-1
+* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 2.1.27-0.5rc7
-- Rc7 to final source
+- Rebuilt for libcrypt.so.2 (#1666033)
-- Resovles bz#1618744
 
-* Thu Jun 13 2019 Simo Sorce <simo@redhat.com> - 2.1.27-0.4rc7
+* Sun Oct 14 2018 Peter Robinson <pbrobinson@fedoraproject.org> 2.1.27-0.4rc7
-- Add patch form Upstream PR559 to use RC4 implementation from OpenSSL
+- Clean up remanents of sys-v, spec cleanups
-- Resolves bz#1618744
-- Fix multilib issue bz#1663120
 
-* Mon Jul 30 2018 Florian Weimer <fweimer@redhat.com> - 2.1.27-0.3rc7
+* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.27-0.3rc7
-- Rebuild with fixed binutils
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 
-* Wed Jul 25 2018 Petr Kubat <pkubat@redhat.com> - 2.1.27-0.2rc7
+* Thu May 17 2018 Jakub Jelen <jjelen@redhat.com> - 2.1.27-0.2rc7
-- Rebuilt for gdbm
+- Avoid multilib conflicts between devel subpackages (#1577675)
 
 * Mon Mar 05 2018 Jakub Jelen <jjelen@redhat.com> - 2.1.27-0.1rc7
 - New upstream (pre-)release