diff --git a/doc/CHANGES-2020 b/doc/CHANGES-2020 index d02ce70030c6..2face8042777 100644 --- a/doc/CHANGES-2020 +++ b/doc/CHANGES-2020 @@ -1,4 +1,4 @@ -$NetBSD: CHANGES-2020,v 1.4418 2020/08/12 12:17:05 leot Exp $ +$NetBSD: CHANGES-2020,v 1.4419 2020/08/12 14:15:33 manu Exp $ Changes to the packages collection and infrastructure in 2020: @@ -6925,3 +6925,4 @@ Changes to the packages collection and infrastructure in 2020: Updated lang/openjdk11 to 1.11.0.8.10 [ryoon 2020-08-12] Updated net/minitube to 3.5 [ryoon 2020-08-12] Updated time/todotxt to 2.12.0 [leot 2020-08-12] + Updated security/lasso to 2.6.1 [manu 2020-08-12] diff --git a/security/lasso/Makefile b/security/lasso/Makefile index fb2a33c95939..87ba5887ac30 100644 --- a/security/lasso/Makefile +++ b/security/lasso/Makefile @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.42 2020/06/02 08:22:54 adam Exp $ +# $NetBSD: Makefile,v 1.43 2020/08/12 14:15:33 manu Exp $ CONFIGURE_ARGS+= --disable-python CONFIGURE_ARGS+= --disable-php5 @@ -9,5 +9,5 @@ PYTHON_FOR_BUILD_ONLY= yes EXTRACT_USING= bsdtar -PKGREVISION= 6 +#PKGREVISION= 1 .include "../../security/lasso/Makefile.common" diff --git a/security/lasso/Makefile.common b/security/lasso/Makefile.common index 28af410d5c98..4c957052d209 100644 --- a/security/lasso/Makefile.common +++ b/security/lasso/Makefile.common @@ -1,9 +1,9 @@ -# $NetBSD: Makefile.common,v 1.15 2020/01/26 17:32:03 rillig Exp $ +# $NetBSD: Makefile.common,v 1.16 2020/08/12 14:15:33 manu Exp $ # # used by security/lasso/Makefile # used by security/py-lasso/Makefile -DISTNAME= lasso-2.5.1 +DISTNAME= lasso-2.6.1 CATEGORIES= security MASTER_SITES= https://dev.entrouvert.org/lasso/ diff --git a/security/lasso/distinfo b/security/lasso/distinfo index cc42bd83a954..9059aa61add0 100644 --- a/security/lasso/distinfo +++ b/security/lasso/distinfo 
@@ -1,9 +1,7 @@ -$NetBSD: distinfo,v 1.24 2018/07/31 12:39:34 jperkin Exp $ +$NetBSD: distinfo,v 1.25 2020/08/12 14:15:33 manu Exp $ -SHA1 (lasso-2.5.1.tar.gz) = fe0e68010bab6e11383003b5cf869c0447ed7a6e -RMD160 (lasso-2.5.1.tar.gz) = 8cc0506fe8cbac770e952fdb0f067c7e58f5bb43 -SHA512 (lasso-2.5.1.tar.gz) = f20bea62c04f3082d5c423f658bafe1bdde0012321c43092ed5d5a2c3ec7b21ec27d88d9fc630743fd7c99e767d9fd92b98de5d4f7d98c3a9e680717483daae1 -Size (lasso-2.5.1.tar.gz) = 4552152 bytes -SHA1 (patch-18771) = 66897d88283c28557eb4a58507db48a42df93b5d -SHA1 (patch-configure) = aa34dcb7a86b6ece774fb230ac092bdd7d8e278c -SHA1 (patch-lasso_xml_tools.c) = 0172915c1654192e3d1eebf89d57d29dd61cef38 +SHA1 (lasso-2.6.1.tar.gz) = 0ab89b159d52cd503182cbbeff0327c80e3ed93d +RMD160 (lasso-2.6.1.tar.gz) = 775d74fccf62afea9f8d587a1a7801e15ad7d986 +SHA512 (lasso-2.6.1.tar.gz) = 768e577ccf650d61305cbb2d8be0d3e13a5c8b6b05f6b0a8419fcd23030eb7530740e8ca785f0279331d7e31743b2e0ab234de50eb87d41cfda5d692a1583d4b +Size (lasso-2.6.1.tar.gz) = 4514418 bytes +SHA1 (patch-45581) = ea1a3c47ed61cce376d3998cdc195dfcfc881061 diff --git a/security/lasso/patches/patch-18771 b/security/lasso/patches/patch-18771 deleted file mode 100644 index 51db4cc7e0ee..000000000000 --- a/security/lasso/patches/patch-18771 +++ /dev/null 
@@ -1,167 +0,0 @@
-$NetBSD: patch-18771,v 1.2 2018/05/31 07:33:28 wiz Exp $
-
-From upstream: https://dev.entrouvert.org/issues/18771
-
-commit 1d56cd1e31ce993ad17f4b4bbc31c12ffff1311f
-Author: Benjamin Dauvergne
-Date: Fri Oct 6 10:28:22 2017 +0200
-
- replace use of which is deprecated (fixes #18771)
-
-diff --git a/lasso/id-wsf/wsf_profile.c b/lasso/id-wsf/wsf_profile.c
-index 8cfe5a2..0aca204 100644
---- ./lasso/id-wsf/wsf_profile.c
-+++ ./lasso/id-wsf/wsf_profile.c
-@@ -29,7 +29,6 @@
- #include
- #include
- #include
--#include
-
- #include "../utils.h"
-
-@@ -60,6 +59,7 @@
- #include "../id-ff/providerprivate.h"
- #include "../id-ff/sessionprivate.h"
- #include "../xml/misc_text_node.h"
-+#include <../xml/xmlsec_soap.h>
-
- /**
- * SECTION:wsf_profile
-diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c
-index ade6d66..81e75b5 100644
---- ./lasso/xml/tools.c
-+++ ./lasso/xml/tools.c
-@@ -57,7 +57,6 @@
- #include
- #include
- #include
--#include
-
- #include
-
-@@ -71,6 +70,7 @@
- #include
- #include
- #include "../lasso_config.h"
-+#include
-
- /**
- * SECTION:tools
-diff --git a/lasso/xml/xmlsec_soap.h b/lasso/xml/xmlsec_soap.h
-new file mode 100644
-index 0000000..11fc3db
---- /dev/null
-+++ ./lasso/xml/xmlsec_soap.h
-@@ -0,0 +1,111 @@
-+ /*
-+ * Lasso - A free implementation of the Liberty Alliance specifications.
-+ *
-+ * Copyright (C) 2004-2007 Entr'ouvert
-+ * http://lasso.entrouvert.org
-+ *
-+ * Authors: See AUTHORS file in top-level directory.
-+ *
-+ * This program is free software; you can redistribute it and/or modify
-+ * it under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 2 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * This program is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ * GNU General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU General Public License
-+ * along with this program; if not, see .
-+ */
-+
-+#ifndef __LASSO_XMLSEC_SOAP_H__
-+#define __LASSO_XMLSEC_SOAP_H__
-+
-+#ifdef __cplusplus
-+extern "C" {
-+#endif /* __cplusplus */
-+
-+#include
-+
-+#include
-+#include
-+#include
-+
-+
-+/** Replacement for xmlsec/soap.h */
-+
-+#define xmlSecSoap11Ns ((xmlChar*)"http://schemas.xmlsoap.org/soap/envelope/")
-+#define xmlSecSoap12Ns ((xmlChar*)"http://www.w3.org/2003/05/soap-envelope")
-+
-+static inline xmlNodePtr
-+xmlSecSoap11GetHeader(xmlNodePtr envNode) {
-+ xmlNodePtr cur;
-+
-+ xmlSecAssert2(envNode != NULL, NULL);
-+
-+ /* optional Header node is first */
-+ cur = xmlSecGetNextElementNode(envNode->children);
-+ if((cur != NULL) && xmlSecCheckNodeName(cur, xmlSecNodeHeader, xmlSecSoap11Ns)) {
-+ return(cur);
-+ }
-+
-+ return(NULL);
-+}
-+
-+static inline xmlNodePtr
-+xmlSecSoap11GetBody(xmlNodePtr envNode) {
-+ xmlNodePtr cur;
-+
-+ xmlSecAssert2(envNode != NULL, NULL);
-+
-+ /* optional Header node first */
-+ cur = xmlSecGetNextElementNode(envNode->children);
-+ if((cur != NULL) && xmlSecCheckNodeName(cur, xmlSecNodeHeader, xmlSecSoap11Ns)) {
-+ cur = xmlSecGetNextElementNode(cur->next);
-+ }
-+
-+ /* Body node is next */
-+ if((cur == NULL) || !xmlSecCheckNodeName(cur, xmlSecNodeBody, xmlSecSoap11Ns)) {
-+ xmlSecError(XMLSEC_ERRORS_HERE,
-+ NULL,
-+ xmlSecErrorsSafeString(xmlSecNodeBody),
-+ XMLSEC_ERRORS_R_NODE_NOT_FOUND,
-+ XMLSEC_ERRORS_NO_MESSAGE);
-+ return(NULL);
-+ }
-+
-+ return(cur);
-+}
-+
-+static inline xmlNodePtr
-+xmlSecSoap12GetBody(xmlNodePtr envNode) {
-+ xmlNodePtr cur;
-+
-+ xmlSecAssert2(envNode != NULL, NULL);
-+
-+ /* optional Header node first */
-+ cur = xmlSecGetNextElementNode(envNode->children);
-+ if((cur != NULL) && xmlSecCheckNodeName(cur, xmlSecNodeHeader, xmlSecSoap12Ns)) {
-+ cur = xmlSecGetNextElementNode(cur->next);
-+ }
-+
-+ /* Body node is next */
-+ if((cur == NULL) || !xmlSecCheckNodeName(cur, xmlSecNodeBody, xmlSecSoap12Ns)) {
-+ xmlSecError(XMLSEC_ERRORS_HERE,
-+ NULL,
-+ xmlSecErrorsSafeString(xmlSecNodeBody),
-+ XMLSEC_ERRORS_R_NODE_NOT_FOUND,
-+ XMLSEC_ERRORS_NO_MESSAGE);
-+ return(NULL);
-+ }
-+
-+ return(cur);
-+}
-+
-+#ifdef __cplusplus
-+}
-+#endif /* __cplusplus */
-+
-+#endif /* __LASSO_XMLSEC_SOAP_H__ */
diff --git a/security/lasso/patches/patch-45581 b/security/lasso/patches/patch-45581
new file mode 100644
index 000000000000..c76053f606d3
--- /dev/null
+++ b/security/lasso/patches/patch-45581
@@ -0,0 +1,189 @@
+$NetBSD: patch-45581,v 1.1 2020/08/12 14:15:33 manu Exp $
+
+Fix lasso fail to properly escape single quotes in RelayState
+From upstream https://dev.entrouvert.org/issues/45581
+
+diff --git a/lasso/id-ff/login.c b/lasso/id-ff/login.c
+index 0f4e8926..68693ffe 100644
+--- lasso/id-ff/login.c
++++ lasso/id-ff/login.c
+@@ -988,11 +988,11 @@ lasso_login_build_artifact_msg(LassoLogin *login, LassoHttpMethod http_method)
+ }
+
+ b64_samlArt = xmlStrdup((xmlChar*)login->assertionArtifact);
+- relayState = xmlURIEscapeStr(
++ relayState = lasso_xmlURIEscapeStr(
+ (xmlChar*)LASSO_LIB_AUTHN_REQUEST(profile->request)->RelayState, NULL);
+
+ if (http_method == LASSO_HTTP_METHOD_REDIRECT) {
+- xmlChar *escaped_artifact = xmlURIEscapeStr(b64_samlArt, NULL);
++ xmlChar *escaped_artifact = lasso_xmlURIEscapeStr(b64_samlArt, NULL);
+ gchar *query = NULL;
+
+ if (relayState == NULL) {
+diff --git a/lasso/xml/private.h b/lasso/xml/private.h
+index 52a21e56..a2b47aa4 100644
+--- lasso/xml/private.h
++++ lasso/xml/private.h
+@@ -287,6 +287,7 @@ gboolean lasso_eval_xpath_expression(xmlXPathContextPtr xpath_ctx, const char *e
+
+ char * lasso_get_relaystate_from_query(const char *query);
+ char * lasso_url_add_parameters(char *url, gboolean free, ...);
++xmlChar * lasso_xmlURIEscapeStr(const xmlChar *from, const xmlChar *list);
+ xmlSecKey* lasso_xmlsec_load_private_key_from_buffer(const char *buffer, size_t length, const char *password, LassoSignatureMethod signature_method, const char *certificate);
+ xmlSecKey* lasso_xmlsec_load_private_key(const char *filename_or_buffer, const char *password,
+ LassoSignatureMethod signature_method, const char *certificate);
+diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c
+index 53d7d37b..589a795d 100644
+--- lasso/xml/tools.c
++++ lasso/xml/tools.c
+@@ -36,6 +36,7 @@
+ #define _BSD_SOURCE
+ #include "private.h"
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -540,7 +541,7 @@ lasso_query_sign(char *query, LassoSignatureContext context)
+ }
+
+ {
+- const char *t = (char*)xmlURIEscapeStr(algo_href, NULL);
++ const char *t = (char*)lasso_xmlURIEscapeStr(algo_href, NULL);
+ new_query = g_strdup_printf("%s&SigAlg=%s", query, t);
+ xmlFree(BAD_CAST t);
+ }
+@@ -662,7 +663,7 @@ lasso_query_sign(char *query, LassoSignatureContext context)
+ /* Base64 encode the signature value */
+ b64_sigret = xmlSecBase64Encode(sigret, sigret_size, 0);
+ /* escape b64_sigret */
+- e_b64_sigret = xmlURIEscapeStr((xmlChar*)b64_sigret, NULL);
++ e_b64_sigret = lasso_xmlURIEscapeStr((xmlChar*)b64_sigret, NULL);
+
+ /* add signature */
+ switch (sign_method) {
+@@ -1307,7 +1308,7 @@ lasso_xmlnode_build_deflated_query(xmlNode *xmlnode)
+ b64_ret = xmlSecBase64Encode(ret, stream.total_out, 0);
+ lasso_release(ret);
+
+- ret = xmlURIEscapeStr(b64_ret, NULL);
++ ret = lasso_xmlURIEscapeStr(b64_ret, NULL);
+ rret = g_strdup((char*)ret);
+ xmlFree(b64_ret);
+ xmlFree(ret);
+@@ -2329,7 +2330,7 @@ lasso_url_add_parameters(char *url,
+ if (! key) {
+ break;
+ }
+- encoded_key = xmlURIEscapeStr((xmlChar*)key, NULL);
++ encoded_key = lasso_xmlURIEscapeStr((xmlChar*)key, NULL);
+ goto_cleanup_if_fail(encoded_key);
+
+ value = va_arg(ap, char*);
+@@ -2337,7 +2338,7 @@ lasso_url_add_parameters(char *url,
+ message(G_LOG_LEVEL_CRITICAL, "lasso_url_add_parameter: key without a value !!");
+ break;
+ }
+- encoded_value = xmlURIEscapeStr((xmlChar*)value, NULL);
++ encoded_value = lasso_xmlURIEscapeStr((xmlChar*)value, NULL);
+ goto_cleanup_if_fail(encoded_value);
+
+ if (old_url) {
+@@ -2480,6 +2481,56 @@ lasso_base64_decode(const char *from, char **buffer, int *buffer_len)
+ return TRUE;
+ }
+
++/**
++ * lasso_xmlURIEscapeStr:
++ * @from: the source URI string
++ * @list: optional list of characters not to escape
++ *
++ * Drop-in replacement for libxml2 xmlURIEscapeStr(), but encoding
++ * everything but [A-Za-z0-9._~-] which are the unreserved chartacters
++ * for RFC3986 section 2.3
++ *
++ * Return value: a buffer containing the URL-encoded string or NULL on error
++ */
++xmlChar *
++lasso_xmlURIEscapeStr(const xmlChar *from, const xmlChar *list)
++{
++ size_t len = 0;
++ const xmlChar *fp;
++ xmlChar *result;
++ int ri;
++
++ if (list == NULL)
++ list = "";
++
++ for (fp = from; *fp; fp++) {
++ if (isalnum(*fp) || index("._~-", *fp) || index(list, *fp))
++ len++;
++ else
++ len += 3;
++ }
++
++ result = g_malloc0(len + 1);
++ ri = 0;
++
++ for (fp = from; *fp; fp++) {
++ if (isalnum(*fp) || index("._~-", *fp) || index(list, *fp)) {
++ result[ri++] = *fp;
++ } else {
++ int msb = (*fp & 0xf0) >> 4;
++ int lsb = *fp & 0x0f;
++
++ result[ri++] = '%';
++ result[ri++] = (msb > 9) ? 'A' + msb - 10 : '0' + msb;
++ result[ri++] = (lsb > 9) ? 'A' + lsb - 10 : '0' + lsb;
++ }
++ }
++
++ result[ri++] = '\0';
++
++ return result;
++}
++
+ /**
+ * lasso_xmlsec_load_private_key_from_buffer:
+ * @buffer: a buffer containing a key in any format
+diff --git a/lasso/xml/xml.c b/lasso/xml/xml.c
+index 565172e1..938844ba 100644
+--- lasso/xml/xml.c
++++ lasso/xml/xml.c
+@@ -3120,7 +3120,7 @@ get_value_by_path(LassoNode *node, char *path, struct XmlSnippet *xml_snippet)
+ s = xmlGetProp(t, a->name);
+ g_string_append(result, a->name);
+ g_string_append(result, "=");
+- s2 = xmlURIEscapeStr(s, NULL);
++ s2 = lasso_xmlURIEscapeStr(s, NULL);
+ g_string_append(result, s2);
+ xmlFree(s2);
+ xmlFree(s);
+@@ -3140,7 +3140,7 @@ get_value_by_path(LassoNode *node, char *path, struct XmlSnippet *xml_snippet)
+ g_string_append(result, (char*)c->name);
+ g_string_append(result, "=");
+ s = xmlNodeGetContent(c);
+- s2 = xmlURIEscapeStr(s, NULL);
++ s2 = lasso_xmlURIEscapeStr(s, NULL);
+ g_string_append(result, (char*)s2);
+ xmlFree(s2);
+ xmlFree(s);
+@@ -3263,7 +3263,7 @@ lasso_node_build_query_from_snippets(LassoNode *node)
+ g_string_append(s, "&");
+ g_string_append(s, field_name);
+ g_string_append(s, "=");
+- t = xmlURIEscapeStr((xmlChar*)v, NULL);
++ t = lasso_xmlURIEscapeStr((xmlChar*)v, NULL);
+ g_string_append(s, (char*)t);
+ xmlFree(t);
+ }
+@@ -3634,7 +3634,7 @@ lasso_node_export_to_saml2_query(LassoNode *node, const char *param_name, const
+ value = lasso_node_build_deflated_query(node);
+ if (! value)
+ goto cleanup;
+- encoded_param = xmlURIEscapeStr(BAD_CAST param_name, NULL);
++ encoded_param = lasso_xmlURIEscapeStr(BAD_CAST param_name, NULL);
+ if (! encoded_param)
+ goto cleanup;
+ query = g_strdup_printf("%s=%s", encoded_param, value);
diff --git a/security/lasso/patches/patch-configure b/security/lasso/patches/patch-configure
deleted file mode 100644
index ea78c2755ea6..000000000000
--- a/security/lasso/patches/patch-configure
+++ /dev/null
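Review bot: `lasso_xmlURIEscapeStr()` dereferences `from` in its first `for (fp = from; *fp; fp++)` loop with no NULL check, yet the login.c call site in this same patch passes `RelayState` straight in and then tests `if (relayState == NULL)`, which suggests an absent RelayState was tolerated by the function it replaces. Adding `if (from == NULL) return NULL;` before the length pass would keep the drop-in contract that the doc comment claims. The result is allocated with `g_malloc0()` while every converted caller visible in this patch releases it with `xmlFree()`; allocating with `xmlMalloc()` instead would avoid an allocator mismatch if libxml2's memory hooks are ever overridden. `isalnum()` is also locale-dependent, so under a single-byte locale bytes above 0x7F could pass through unescaped; an explicit ASCII range test would make the RFC 3986 unreserved set exact.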
@@ -1,25 +0,0 @@
-$NetBSD: patch-configure,v 1.4 2018/07/31 12:39:34 jperkin Exp $
-
-Use = instead of == for test(1) portability sake.
-
---- configure.orig 2016-02-18 23:11:38.249290059 +0000
-+++ configure
-@@ -4382,9 +4382,6 @@ else
- fi
-
-
--CFLAGS=""
--AM_CFLAGS=""
--
- ac_ext=c
- ac_cpp='$CPP $CPPFLAGS'
- ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-@@ -13976,7 +13973,7 @@ else
- JAVA_VERSION=""
- fi
-
--if test "$DARWIN" == 1; then
-+if test "$DARWIN" = 1; then
- JNI_EXTRA_LDFLAGS="-shrext .jnilib"
- fi
-
diff --git a/security/lasso/patches/patch-lasso_xml_tools.c b/security/lasso/patches/patch-lasso_xml_tools.c
deleted file mode 100644
index 20fc46cbb7e5..000000000000
--- a/security/lasso/patches/patch-lasso_xml_tools.c
+++ /dev/null
@@ -1,16 +0,0 @@
-$NetBSD: patch-lasso_xml_tools.c,v 1.1 2018/07/31 12:39:34 jperkin Exp $
-
-Set _XOPEN_SOURCE correctly.
-
---- lasso/xml/tools.c.orig 2016-02-18 23:11:15.312239445 +0000
-+++ lasso/xml/tools.c
-@@ -28,7 +28,9 @@
- */
- #define _DEFAULT_SOURCE
- /* permit importation of strptime for glibc2 */
-+#if !defined(__sun)
- #define _XOPEN_SOURCE
-+#endif
- /* permit importation of timegm for glibc2, wait for people to complain it does not work on their
- * system. */
- #define _BSD_SOURCE