diff --git a/0005-tests-Remove-the-use-of-an-expired-cert-in-tests-as-.patch b/0005-tests-Remove-the-use-of-an-expired-cert-in-tests-as-.patch
deleted file mode 100644
index 71659e4d0eb5718f66455089769c294eb9942c54..0000000000000000000000000000000000000000
--- a/0005-tests-Remove-the-use-of-an-expired-cert-in-tests-as-.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Mon, 3 Jun 2019 13:30:27 +0200
-Subject: [PATCH] tests: Remove the use of an expired cert in tests as a
-workaround
-
-The test used to verify the signature of the IDP metadata in
-test13_test_lasso_server_load_metadata() expired at "Mar 23 09:51:37
-2019 GMT"
-
-This patch just removes the certificate usage from
-lasso_server_load_metadata() which means we don't validate the metadata,
-but we can keep the rest of the test at least.
----
- tests/basic_tests.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tests/basic_tests.c b/tests/basic_tests.c
-index 398d789..bbb0972 100644
---- a/tests/basic_tests.c
-+++ b/tests/basic_tests.c
-@@ -1983,7 +1983,7 @@ START_TEST(test13_test_lasso_server_load_metadata)
- block_lasso_logs;
- check_good_rc(lasso_server_load_metadata(server, LASSO_PROVIDER_ROLE_IDP,
- TESTSDATADIR "/metadata/renater-metadata.xml",
-- TESTSDATADIR "/metadata/metadata-federation-renater.crt",
-+ NULL,
- &blacklisted_1, &loaded_entity_ids,
- LASSO_SERVER_LOAD_METADATA_FLAG_DEFAULT));
- unblock_lasso_logs;
diff --git a/backport-CVE-2021-28091.patch b/backport-CVE-2021-28091.patch
deleted file mode 100644
index c18f416fc4112fc150b6597cbedbdc670c8ab1f5..0000000000000000000000000000000000000000
--- a/backport-CVE-2021-28091.patch
+++ /dev/null
@@ -1,179 +0,0 @@ -From ea7e5efe9741e1b1787a58af16cb15b40c23be5a Mon Sep 17 00:00:00 2001 -From: Benjamin Dauvergne -Date: Mon, 8 Mar 2021 11:33:26 +0100 -Subject: Fix signature checking on unsigned response with multiple assertions - -CVE-2021-28091 : when AuthnResponse messages are not signed (which is -permitted by the specifiation), all assertion's signatures should be -checked, but currently after the first signed assertion is checked all -following assertions are accepted without checking their signature, and -the last one is considered the main assertion. - -This patch : -* check signatures from all assertions if the message is not signed, -* refuse messages with assertion from different issuers than the one on - the message, to prevent assertion bundling event if they are signed. - -diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c -index 0d4bb1d..cf62c1c 100644 ---- a/lasso/saml-2.0/login.c -+++ b/lasso/saml-2.0/login.c -@@ -1257,7 +1257,11 @@ lasso_saml20_login_check_assertion_signature(LassoLogin *login, - original_node = lasso_node_get_original_xmlnode(LASSO_NODE(assertion)); - goto_cleanup_if_fail_with_rc(original_node, LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE); - -- rc = profile->signature_status = lasso_provider_verify_saml_signature(remote_provider, original_node, NULL); -+ /* Shouldn't set the profile->signature_status here as we're only -+ * checking the assertion signature. -+ * Instead, we'll set the status after all the assertions are iterated. -+ */ -+ rc = lasso_provider_verify_saml_signature(remote_provider, original_node, NULL); - - #define log_verify_assertion_signature_error(msg) \ - message(G_LOG_LEVEL_WARNING, "Could not verify signature of assertion" \ -@@ -1282,18 +1286,6 @@ cleanup: - return rc; - } - --static gboolean --_lasso_check_assertion_issuer(LassoSaml2Assertion *assertion, const gchar *provider_id) --{ -- if (! LASSO_SAML2_ASSERTION(assertion) || ! provider_id) -- return FALSE; -- -- if (! 
assertion->Issuer || ! assertion->Issuer->content) -- return FALSE; -- -- return lasso_strisequal(assertion->Issuer->content,provider_id); --} -- - static gint - _lasso_saml20_login_decrypt_assertion(LassoLogin *login, LassoSamlp2Response *samlp2_response) - { -@@ -1358,11 +1350,23 @@ _lasso_saml20_login_decrypt_assertion(LassoLogin *login, LassoSamlp2Response *sa - return 0; - } - -+/* Verify that an assertion comes from a designated Issuer */ -+static gboolean -+_lasso_check_assertion_issuer(LassoSaml2Assertion *assertion, const gchar *provider_id) -+{ -+ if (! LASSO_SAML2_ASSERTION(assertion) || ! provider_id) -+ return FALSE; -+ if (! assertion->Issuer || ! assertion->Issuer->content) -+ return FALSE; -+ return lasso_strisequal(assertion->Issuer->content,provider_id); -+} -+ - static gint - lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login) - { - LassoSamlp2StatusResponse *response; - LassoSamlp2Response *samlp2_response = NULL; -+ LassoSaml2Assertion *last_assertion = NULL; - LassoProfile *profile; - char *status_value; - lasso_error_t rc = 0; -@@ -1404,34 +1408,62 @@ lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login) - - /* Decrypt all EncryptedAssertions */ - _lasso_saml20_login_decrypt_assertion(login, samlp2_response); -- /* traverse all assertions */ -- goto_cleanup_if_fail_with_rc (samlp2_response->Assertion != NULL, -- LASSO_PROFILE_ERROR_MISSING_ASSERTION); - -+ /* Check there is at least one assertion */ -+ goto_cleanup_if_fail_with_rc (samlp2_response->Assertion != NULL, LASSO_PROFILE_ERROR_MISSING_ASSERTION); -+ -+ /* In case of verify_hint as 'FORCE', if there's no response signature, -+ * we reject. -+ * In case of 'MAYBE', if response signature is present and valid, or -+ * not present, then we proceed with checking assertion signature(s). -+ * In any case, if there's a response signature and it's not valid, -+ * we reject. 
-+ */ - verify_hint = lasso_profile_get_signature_verify_hint(profile); -+ if (profile->signature_status == LASSO_DS_ERROR_SIGNATURE_NOT_FOUND) { -+ if (verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE) { -+ goto_cleanup_with_rc(profile->signature_status); -+ } -+ } else if (profile->signature_status != 0) { -+ goto_cleanup_with_rc(profile->signature_status); -+ } - - lasso_foreach_full_begin(LassoSaml2Assertion*, assertion, it, samlp2_response->Assertion); - LassoSaml2Subject *subject = NULL; - -- lasso_assign_gobject (login->private_data->saml2_assertion, assertion); -+ /* All Assertions MUST come from the same issuer as the Response. */ -+ if (! _lasso_check_assertion_issuer(assertion, profile->remote_providerID)) { -+ goto_cleanup_with_rc(LASSO_PROFILE_ERROR_INVALID_ISSUER); -+ } - -- /* If signature has already been verified on the message, and assertion has the same -- * issuer as the message, the assertion is covered. So no need to verify a second -- * time */ -- if (profile->signature_status != 0 -- || ! 
_lasso_check_assertion_issuer(assertion, -- profile->remote_providerID) -- || verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE) { -+ if (profile->signature_status != 0) { -+ /* When response signature is not present */ -+ if (verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE) { -+ assertion_signature_status = -+ lasso_saml20_login_check_assertion_signature(login, assertion); -+ if (assertion_signature_status) { -+ goto_cleanup_with_rc(assertion_signature_status); -+ } -+ } -+ } else { -+ /* response signature is present and valid */ - assertion_signature_status = lasso_saml20_login_check_assertion_signature(login, -- assertion); -- /* If signature validation fails, it is the return code for this function */ -+ assertion); - if (assertion_signature_status) { -- rc = LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE; -+ /* assertion signature is not valid or not present */ -+ if (verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE) { -+ /* In case of FORCE, we reject right away */ -+ goto_cleanup_with_rc(assertion_signature_status); -+ } else if (verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE) { -+ /* In case of MAYBE, if assertion signature is present and invalid, then we reject */ -+ if (assertion_signature_status != LASSO_DS_ERROR_SIGNATURE_NOT_FOUND) { -+ goto_cleanup_with_rc(assertion_signature_status); -+ } -+ } - } - } -- - lasso_extract_node_or_fail(subject, assertion->Subject, SAML2_SUBJECT, -- LASSO_PROFILE_ERROR_MISSING_SUBJECT); -+ LASSO_PROFILE_ERROR_MISSING_SUBJECT); - - /* Verify Subject->SubjectConfirmationData->InResponseTo */ - if (login->private_data->request_id) { -@@ -1446,8 +1478,20 @@ lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login) - /** Handle nameid */ - lasso_check_good_rc(lasso_saml20_profile_process_name_identifier_decryption(profile, - &subject->NameID, &subject->EncryptedID)); -+ -+ last_assertion = assertion; - lasso_foreach_full_end(); - -+ /* set the profile signature status only 
after all the signatures are -+ * verified. -+ */ -+ profile->signature_status = rc; -+ -+ /* set the default assertion to the last one */ -+ if (last_assertion) { -+ lasso_assign_gobject (login->private_data->saml2_assertion, last_assertion); -+ } -+ - switch (verify_hint) { - case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE: - case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE: --- -cgit v0.10.2 - diff --git a/build-scripts-py3-compatible.patch b/build-scripts-py3-compatible.patch deleted file mode 100644 index 563ce43dbb03522817335d8fc7fbb1e59ce67289..0000000000000000000000000000000000000000 --- a/build-scripts-py3-compatible.patch +++ /dev/null 
@@ -1,255 +0,0 @@ -commit d526669810e0dc0a454260d5081fc96e16fc9e13 -Author: John Dennis -Date: Mon Jun 25 16:26:24 2018 -0400 - - Make Python scripts compatible with both Py2 and Py3 - - During the build if the Python3 interpreter is used a number of - scripts will fail because they were never ported from Py2 to Py3. In - general we want Python code to be compatible with both Py2 and - Py3. This patch brings the scripts up to date with Py3 but retains - backwards compatibility with Py2 (specifically Py 2.7, the last Py2 - release). - - Examples of the required changes are: - - * Replace use of the built-in function file() with open(). file() - does not exist in Py3, open works in both Py2 and Py3. The code was - also modified to use a file context manager (e.g. with open(xxx) as - f:). This assures open files are properly closed when the code block - using the file goes out of scope. This is a standard modern Python - idiom. - - * Replace all use of the print keyword with the six.print_() - function, which itself is an emulation of Py3's print function. Py3 - no longer has a print keyword, only a print() function. - - * The dict methods .keys(), .values(), .items() no longer return a - list in Py3, instead they return a "view" object which is an - iterator whose result is an unordered set. The most notable - consequence is you cannot index the result of these functions like - your could in Py2 (e.g. dict.keys()[0] will raise a run time - exception). - - * Replace use of StringIO.StringIO and cStringIO with - six.StringIO. Py3 no longer has cStringIO and the six variant - handles the correct import. - - * Py3 no longer allows the "except xxx, variable" syntax, where - variable appering after the comma is assigned the exception object, - you must use the "as" keyword to perform the variable assignment - (e.g. execpt xxx as variable) - - Note: the modifications in this patch are the minimum necessary to get - the build to run with the Py3 interpreter. 
There are numerous other - Python scripts in the repo which need Py3 porting as well but because - they are not invoked during a build they will be updated in a - subsequent patch. - - License: MIT - 
Signed-off-by: John Dennis - -diff --git a/bindings/python/examples/get_attributes_from_assertion.py b/bindings/python/examples/get_attributes_from_assertion.py -index 44ceb9e5..8f37a337 100644 ---- a/bindings/python/examples/get_attributes_from_assertion.py -+++ b/bindings/python/examples/get_attributes_from_assertion.py -@@ -1,8 +1,10 @@ - # Example SP Python code to get attributes from an assertion - -+from six import print_ -+ - for attribute in assertion.attributeStatement[0].attribute: - if attribute.name == lasso.SAML2_ATTRIBUTE_NAME_EPR: - continue -- print 'attribute : ' + attribute.name -+ print_('attribute : ' + attribute.name) - for value in attribute.attributeValue: -- print ' value : ' + value.any[0].content -+ print_(' value : ' + value.any[0].content) -diff --git a/bindings/python/tests/binding_tests.py b/bindings/python/tests/binding_tests.py -index 6d8e0dfa..54c3635f 100755 ---- a/bindings/python/tests/binding_tests.py -+++ b/bindings/python/tests/binding_tests.py -@@ -311,8 +311,8 @@ class BindingTestCase(unittest.TestCase): - ''' - node = lasso.Node.newFromXmlNode(content) - assert 'next_url' in node.any[1] -- assert 'huhu' in node.attributes.keys()[0] -- assert node.attributes.values()[0] == 'xxx' -+ assert '{https://www.entrouvert.com/}huhu' in node.attributes.keys() -+ assert 'xxx' in node.attributes.values() - node.any = ('coin',) - node.attributes = {'michou': 'zozo'} - assert 'coin' in node.dump() -diff --git a/bindings/python/tests/idwsf2_tests.py b/bindings/python/tests/idwsf2_tests.py -index 6f80c53d..4e47a4a1 100755 ---- a/bindings/python/tests/idwsf2_tests.py -+++ b/bindings/python/tests/idwsf2_tests.py -@@ -27,7 +27,7 @@ - import os - import unittest - import sys --from StringIO import StringIO -+from six import StringIO - import logging - - logging.basicConfig() -@@ -310,11 +310,11 @@ class MetadataTestCase(IdWsf2TestCase): - self.failUnless(idp_disco.request.svcMD[0].svcMDID is None) - try: - idp_disco.checkSecurityMechanism() -- 
except lasso.Error, e: -+ except lasso.Error as e: - self.fail(e) - try: - idp_disco.validateRequest() -- except lasso.Error, e: -+ except lasso.Error as e: - self.fail(e) - self.failUnless(idp_disco.response is not None) - self.failUnlessEqual(len(idp_disco.metadatas), 1) -@@ -391,16 +391,16 @@ class MetadataTestCase(IdWsf2TestCase): - self.failUnless(idp_disco is not None) - try: - idp_disco.processRequestMsg(wsp_disco.msgBody) -- except lasso.Error, e: -+ except lasso.Error as e: - self.fail(e) - self.failUnless(idp_disco.request is not None) - try: - idp_disco.checkSecurityMechanism() -- except lasso.Error, e: -+ except lasso.Error as e: - self.fail(e) - try: - idp_disco.failRequest(lasso.IDWSF2_DISCOVERY_STATUS_CODE_FAILED, lasso.IDWSF2_DISCOVERY_STATUS_CODE_FORBIDDEN) -- except lasso.Error, e: -+ except lasso.Error as e: - self.fail(e) - self.failUnless(idp_disco.response is not None) - self.failUnless(idp_disco.response.status is not None) -@@ -415,7 +415,7 @@ class MetadataTestCase(IdWsf2TestCase): - wsp_disco.processResponseMsg(idp_disco.msgBody) - except lasso.Idwsf2DiscoveryForbiddenError: - pass -- except lasso.Error, e: -+ except lasso.Error as e: - self.fail(e) - - def test03(self): -@@ -475,7 +475,7 @@ class MetadataTestCase(IdWsf2TestCase): - self.failUnless(soap_envelope.getMessageId() is not None) - try: - idp_disco.checkSecurityMechanism() -- except lasso.Error, e: -+ except lasso.Error as e: - self.fail(e) - # redirect - interactionUrl = spInteractionUrl -@@ -488,7 +488,7 @@ class MetadataTestCase(IdWsf2TestCase): - self.failUnless(response.detail.any[0].redirectURL.startswith(interactionUrl + '?transactionID=')) - try: - idp_disco.buildResponseMsg() -- except lasso.Error, e: -+ except lasso.Error as e: - self.fail(e) - self.failUnless(idp_disco.msgBody is not None) - -@@ -500,7 +500,7 @@ class MetadataTestCase(IdWsf2TestCase): - wsp_disco.processResponseMsg(idp_disco.msgBody) - except lasso.WsfprofileRedirectRequestError: - pass -- except 
lasso.Error, e: -+ except lasso.Error as e: - self.fail(e) - response_envelope = wsp_disco.getSoapEnvelopeResponse() - self.failUnless(response_envelope.sb2GetRedirectRequestUrl().startswith(interactionUrl + '?transactionID=')) -@@ -527,11 +527,11 @@ class MetadataTestCase(IdWsf2TestCase): - self.failUnless(idp_disco.request.svcMD[0].svcMDID is None) - try: - idp_disco.checkSecurityMechanism() -- except lasso.Error, e: -+ except lasso.Error as e: - self.fail(e) - try: - idp_disco.validateRequest() -- except lasso.Error, e: -+ except lasso.Error as e: - self.fail(e) - self.failUnless(idp_disco.response is not None) - self.failUnlessEqual(len(idp_disco.metadatas), 1) -diff --git a/lasso/build_strerror.py b/lasso/build_strerror.py -index fca59628..908638d5 100644 ---- a/lasso/build_strerror.py -+++ b/lasso/build_strerror.py -@@ -1,42 +1,42 @@ - #! /usr/bin/env python - --from cStringIO import StringIO - import glob - import re - import sys - import os -+from six import print_, StringIO - - srcdir = sys.argv[1] - --hlines = file('%s/errors.h' % srcdir,'r').readlines() - messages = dict() - description = '' - --for line in hlines: -- m = re.match(r'^ \* LASSO.*ERROR', line) -- if m: -- description = '' -- continue -- m = re.match(r'^ \* (.*[^:])$', line) -- if m: -- description += m.group(1) -- m = re.match(r'#define (LASSO_\w*ERROR\w+)', line) -- if m and description: -- description = re.sub(r'[ \n]+', ' ', description).strip() -- messages[m.group(1)] = description -- description = '' -- else: -- m = re.match(r'#define (LASSO_\w*ERROR\w+)',line) -+with open('%s/errors.h' % srcdir,'r') as f: -+ for line in f: -+ m = re.match(r'^ \* LASSO.*ERROR', line) - if m: -- messages[m.group(1)] = m.group(1) -+ description = '' -+ continue -+ m = re.match(r'^ \* (.*[^:])$', line) -+ if m: -+ description += m.group(1) -+ m = re.match(r'#define (LASSO_\w*ERROR\w+)', line) -+ if m and description: -+ description = re.sub(r'[ \n]+', ' ', description).strip() -+ messages[m.group(1)] = 
description -+ description = '' -+ else: -+ m = re.match(r'#define (LASSO_\w*ERROR\w+)',line) -+ if m: -+ messages[m.group(1)] = m.group(1) - --clines = file('%s/errors.c.in' % srcdir,'r').readlines() --for line in clines: -- if '@ERROR_CASES@' in line: -- keys = messages.keys() -- keys.sort() -- for k in keys: -- print """ case %s: -- return "%s";""" % (k,messages[k].rstrip('\n')) -- else: -- print line, -+with open('%s/errors.c.in' % srcdir,'r') as f: -+ for line in f: -+ if '@ERROR_CASES@' in line: -+ keys = sorted(messages.keys()) -+ for k in keys: -+ print_(' case %s:\n' -+ ' return "%s";' % -+ (k,messages[k].rstrip('\n'))) -+ else: -+ print_(line, end="") diff --git a/duplicate-python-LogoutTestCase.patch b/duplicate-python-LogoutTestCase.patch deleted file mode 100644 index 2adea00d5688d1d35ddbbbb900d9b8a336f0c3e8..0000000000000000000000000000000000000000 --- a/duplicate-python-LogoutTestCase.patch +++ /dev/null @@ -1,83 +0,0 @@ -commit 623d785f957acc9eccb47a9a3f88e5e167a370b6 -Author: John Dennis -Date: Mon Jun 25 17:37:45 2018 -0400 - - fix duplicate definition of LogoutTestCase and logoutSuite - - Commit 6f617027e added a duplicate definition of the LogoutTestCase - class containing only 1 test which shaddowed the original - LogoutTestCase containing 4 tests. The logoutSuite variable was also - shadowed and the allTests variable contained a duplicate of - logoutSuite causing the 2nd definition of LogoutTestCase to be run - twice. - - Not only were the original 4 tests not being run but the entire unit - test in profiles_tests.py was failing under Python3. This is because - the unittest code in Py3 deletes a test from it's list of tests to run - once it's been run. The second time the logoutSuite was invoked it no - longer contained any tests which caused an exception to be raised - because there were no tests to be run. - - License: MIT - 
Signed-off-by: John Dennis - -diff --git a/bindings/python/tests/profiles_tests.py b/bindings/python/tests/profiles_tests.py -index 547c9e24..0ba1e56e 100755 ---- a/bindings/python/tests/profiles_tests.py -+++ b/bindings/python/tests/profiles_tests.py -@@ -386,6 +386,21 @@ class LogoutTestCase(unittest.TestCase): - else: - self.fail('Logout processResponseMsg should have failed.') - -+ def test05(self): -+ '''Test parsing of a logout request with more than one session index''' -+ content = ''' -+ me -+ coin -+ id1 -+ id2 -+ id3 -+ ''' -+ -+ node = lasso.Samlp2LogoutRequest.newFromXmlNode(content) -+ assert isinstance(node, lasso.Samlp2LogoutRequest) -+ assert node.sessionIndex == 'id1' -+ assert node.sessionIndexes == ('id1', 'id2', 'id3') -+ - class DefederationTestCase(unittest.TestCase): - def test01(self): - """IDP initiated defederation; testing processNotificationMsg with non Liberty query.""" -@@ -478,32 +493,15 @@ class AttributeAuthorityTestCase(unittest.TestCase): - assert aq.response.assertion[0].attributeStatement[0].attribute[0] - assert aq.response.assertion[0].attributeStatement[0].attribute[0].attributeValue[0] - --class LogoutTestCase(unittest.TestCase): -- def test01(self): -- '''Test parsing of a logout request with more than one session index''' -- content = ''' -- me -- coin -- id1 -- id2 -- id3 -- ''' -- -- node = lasso.Samlp2LogoutRequest.newFromXmlNode(content) -- assert isinstance(node, lasso.Samlp2LogoutRequest) -- assert node.sessionIndex == 'id1' -- assert node.sessionIndexes == ('id1', 'id2', 'id3') -- - serverSuite = unittest.makeSuite(ServerTestCase, 'test') - loginSuite = unittest.makeSuite(LoginTestCase, 'test') - logoutSuite = unittest.makeSuite(LogoutTestCase, 'test') - defederationSuite = unittest.makeSuite(DefederationTestCase, 'test') - identitySuite = unittest.makeSuite(IdentityTestCase, 'test') - attributeSuite = unittest.makeSuite(AttributeAuthorityTestCase, 'test') --logoutSuite = unittest.makeSuite(LogoutTestCase, 'test') 
-
- allTests = unittest.TestSuite((serverSuite, loginSuite, logoutSuite, defederationSuite,
-- identitySuite, attributeSuite, logoutSuite))
-+ identitySuite, attributeSuite))
-
- if __name__ == '__main__':
- sys.exit(not unittest.TextTestRunner(verbosity = 2).run(allTests).wasSuccessful())
diff --git a/lasso-2.6.0.tar.gz b/lasso-2.7.0.tar.gz
similarity index 34%
rename from lasso-2.6.0.tar.gz
rename to lasso-2.7.0.tar.gz
index 9923491f8553a7d030d001b5410ad30027f5aaa1..b2be1e4b702a3a901fb57b5e295027936fac97d6 100644
Binary files a/lasso-2.6.0.tar.gz and b/lasso-2.7.0.tar.gz differ
diff --git a/lasso-python-dont-decref-true-false.patch b/lasso-python-dont-decref-true-false.patch
new file mode 100644
index 0000000000000000000000000000000000000000..23a7f63d73772a2c610103a0744b08fd779ba7e6
--- /dev/null
+++ b/lasso-python-dont-decref-true-false.patch
@@ -0,0 +1,12 @@
+diff --git a/bindings/python/lang.py b/bindings/python/lang.py
+index bd7ef70..644de23 100644
+--- a/bindings/python/lang.py
++++ b/bindings/python/lang.py
+@@ -739,7 +739,6 @@ register_constants(PyObject *d)
+ else:
+ print_('E: unknown constant type: %r' % c[0], file=sys.stderr)
+ print_(' PyDict_SetItemString(d, "%s", obj);' % c[1][6:], file=fd)
+- print_(' Py_DECREF(obj);', file=fd)
+ print_('}', file=fd)
+ print_('', file=fd)
+
diff --git a/lasso.spec b/lasso.spec
index 78bb87fc91f50715b7380f77deaa7e811325a306..a50dbbf0f170f835d8ec037f64728f8fa86f6796 100644
--- a/lasso.spec
+++ b/lasso.spec
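Review bot: In lasso-python-dont-decref-true-false.patch the generator line `print_(' Py_DECREF(obj);', file=fd)` is removed after the whole if/else chain, so the emitted `register_constants()` stops releasing `obj` for every constant type, not only for the booleans the patch name refers to. `PyDict_SetItemString` takes its own reference, so any constant created with a new reference now keeps one extra reference for the life of the process; that is a bounded leak rather than a memory-safety problem, but it hides the real ownership rule. The branches that create `obj` lie outside the hunk, so this is inferred: if the boolean branch stores the borrowed `Py_True`/`Py_False` singletons, a narrower fix is to emit `Py_INCREF(obj);` in that branch and keep the common `Py_DECREF(obj);`. The patch file also has no From/Subject header or upstream reference, which makes its origin hard to audit; a short description with the upstream commit or bug link would help.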
@@ -1,26 +1,23 @@ Name: lasso -Version: 2.6.0 -Release: 13 +Version: 2.7.0 +Release: 1 Summary: Liberty Alliance Single Sign On License: GPLv2+ URL: http://lasso.entrouvert.org/ Source: http://dev.entrouvert.org/lasso/lasso-%{version}.tar.gz Requires: xmlsec1 >= 1.2.25-4 -Patch1: use-specified-python-interpreter.patch -Patch2: build-scripts-py3-compatible.patch -Patch3: duplicate-python-LogoutTestCase.patch -patch4: versioned-python-configure.patch -Patch5: 0005-tests-Remove-the-use-of-an-expired-cert-in-tests-as-.patch -Patch6000: backport-CVE-2021-28091.patch +Patch1: lasso-python-dont-decref-true-false.patch BuildRequires: autoconf automake check-devel glib2-devel gtk-doc libtool BuildRequires: libxml2-devel openssl-devel swig xmlsec1-devel >= 1.2.25-4 BuildRequires: xmlsec1-openssl-devel >= 1.2.25-4 zlib-devel jpackage-utils -BuildRequires: java-devel perl(ExtUtils::MakeMaker) perl(strict) perl(Error) +BuildRequires: java-1.8.0-openjdk-devel perl(ExtUtils::MakeMaker) perl(strict) perl(Error) BuildRequires: perl-devel perl-generators perl(XSLoader) perl(warnings) BuildRequires: perl(Test::More) python3 python3-devel BuildRequires: python3-lxml python3-six libtool-ltdl-devel +Obsoletes: java-lasso < %{version}-%{release} + %description The package is a implements the Liberty Alliance Single Sign On standards library, includeing the SAML2 and SAML specifications. it provides bindings for multiple 
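Review bot: `Patch6000: backport-CVE-2021-28091.patch` is dropped together with the version bump, but neither the spec nor the new changelog entry (`- Resolve compilation failures`) records that the 2.7.0 tarball already contains the assertion-signature fix. Confirm that upstream 2.7.0 includes that change and say so in the changelog, for example `- Update to 2.7.0; drop backport-CVE-2021-28091.patch (fixed upstream)`, so that CVE tracking and later maintainers do not read the removal as a regression. The dropped 0005 test patch had replaced the metadata signing certificate with `NULL`, so the metadata test presumably now depends on the certificate shipped in the new tarball still being valid. The replaced tarball is still referenced through the unchanged `http://` Source URL, and no checksum or signature check is visible in the spec.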
@@ -72,16 +69,17 @@ sed -i -E -e '/^#![[:blank:]]*(\/usr\/bin\/env[[:blank:]]+python[^3]?\>) \ |(/usr/bin/env[[:blank:]]+python[^3]?)' *` %build +export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk ./autogen.sh %configure --enable-php5=no --with-python=%{__python3} %make_build CFLAGS="%{optflags}" %check -make check +make check CK_TIMEOUT_MULTIPLIER=10 %install -%make_install exec_prefix=%{_prefix} -%delete_la +%make_install exec_prefix=%{_prefix} DESTDIR=%{buildroot} +find %{buildroot} -type f -name '*.la' -exec rm -f {} \; find %{buildroot} -type f -name '*.a' -exec rm -f {} \; find %{buildroot} \( -name perllocal.pod -o -name .packlist \) -exec rm -v {} \; find %{buildroot}/usr/lib*/perl5 -type f -print | @@ -105,8 +103,6 @@ fi %files -n perl-lasso -f lasso-perl-filelist %files -n java-lasso -%{_libdir}/java/libjnilasso.so -%{_javadir}/lasso.jar %files -n python3-lasso %{python3_sitearch}/{lasso.py*,_lasso.so,__pycache__/*} @@ -115,6 +111,9 @@ fi %doc AUTHORS NEWS README %changelog +* Fri Apr 8 2022 yaoxin - 2.7.0-1 +- Resolve compilation failures + * Sat Jul 10 2021 shixuantong - 2.6.0-13 - fix CVE-2021-28091 diff --git a/use-specified-python-interpreter.patch b/use-specified-python-interpreter.patch deleted file mode 100644 index fcdc3608862ffec5f95125216dadf5a992c5acbd..0000000000000000000000000000000000000000 --- a/use-specified-python-interpreter.patch +++ /dev/null 
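Review bot: The `%files -n java-lasso` hunk leaves that section empty, while the first spec hunk adds `Obsoletes: java-lasso < %{version}-%{release}` and the `%build` hunk still exports a hard-coded `JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk`, so the spec builds against a JDK and at the same time ships an empty subpackage for the binding. If the Java binding is being retired, remove the `java-lasso` subpackage and the JDK BuildRequires and configure without it (for example `--enable-java=no` next to the existing `--enable-php5=no`, assuming the configure script offers that switch), which also takes an unused JDK out of the build environment. If the binding is meant to stay, the two removed file entries need to come back. In the `%install` hunk, `DESTDIR=%{buildroot}` repeats what `%make_install` normally sets already and can probably be dropped.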
@@ -1,80 +0,0 @@ -commit e3e904af7dd308fe7530773bd9ea136afc90049b -Author: John Dennis -Date: Thu Jun 21 10:49:30 2018 -0400 - - Use python interpreter specified configure script - - The configure script allows you to specify the python interpreter to - use via the --with-python option. There were several places where the - python interpreter was implicity invoked without using the specified - version. This can create a number of problems in an environment with - multiple python versions as is the case during the transition from - Python 2 to Python 3. Python 2 is not compatible with Python - 3. Lasso's Python code is supposed to be compatible with both - versions. But during the build and when running the unit tests it is - essential the same interpreter be used consistently otherwise you can - have problems. - - This patch assures whenever python is invoked it does so via the - $(PYTHON) configuration variable. - - What about shebang lines (e.g #/usr/bin/python) at the top of scripts? - Python PEP 394 (https://www.python.org/dev/peps/pep-0394/) covers - this. Basically it says if a script is compatible only with Py2 the - shebang should be #/usr/bin/python2, if only compatible with Py3 the - shebang should be #/usr/bin/python3. However, if the script is - compatible with both versions it can continue to use the - compatible with both Py2 and Py3. - - License: MIT - 
Signed-off-by: John Dennis - -diff --git a/bindings/java/Makefile.am b/bindings/java/Makefile.am -index 05e5f9ee..8de0178d 100644 ---- a/bindings/java/Makefile.am -+++ b/bindings/java/Makefile.am -@@ -26,7 +26,7 @@ if WSF_ENABLED - EXTRA_ARGS = --enable-id-wsf - endif - --java_lasso_source_files := $(shell python $(top_srcdir)/bindings/bindings.py -l java-list --src-dir=$(top_srcdir)/lasso/ $(EXTRA_ARGS) ) -+java_lasso_source_files := $(shell $(PYTHON) $(top_srcdir)/bindings/bindings.py -l java-list --src-dir=$(top_srcdir)/lasso/ $(EXTRA_ARGS) ) - - lasso_jardir=$(prefix)/share/java - lasso_jar_DATA=lasso.jar -diff --git a/bindings/python/tests/Makefile.am b/bindings/python/tests/Makefile.am -index 205e7613..1305f26f 100644 ---- a/bindings/python/tests/Makefile.am -+++ b/bindings/python/tests/Makefile.am -@@ -11,5 +11,8 @@ if WSF_ENABLED - TESTS += idwsf1_tests.py idwsf2_tests.py - endif - -+TEST_EXTENSIONS = .py -+PY_LOG_COMPILER = $(PYTHON) -+ - EXTRA_DIST = profiles_tests.py binding_tests.py idwsf1_tests.py idwsf2_tests.py \ - tests.py XmlTestRunner.py -diff --git a/lasso/Makefile.am b/lasso/Makefile.am -index 751f9419..49ae88a7 100644 ---- a/lasso/Makefile.am -+++ b/lasso/Makefile.am -@@ -91,7 +91,7 @@ liblasso_la_LDFLAGS = -no-undefined -version-info @LASSO_VERSION_INFO@ \ - endif - - $(srcdir)/errors.c: $(srcdir)/errors.h $(srcdir)/build_strerror.py -- python $(srcdir)/build_strerror.py $(srcdir) >.errors.c.new -+ $(PYTHON) $(srcdir)/build_strerror.py $(srcdir) >.errors.c.new - if ! cmp -s $(srcdir)/errors.c .errors.c.new; then \ - mv -f .errors.c.new $@; else \ - rm .errors.c.new; fi -diff --git a/tools/check-lasso-sections.py b/tools/check-lasso-sections.py -index cb4c39c4..3a6c9880 100755 ---- a/tools/check-lasso-sections.py -+++ b/tools/check-lasso-sections.py -@@ -1,4 +1,4 @@ --#!/usr/bin/python -+#!/usr/bin/env python - - import sys - import os.path 
diff --git a/versioned-python-configure.patch b/versioned-python-configure.patch deleted file mode 100644 index 9fe3d573506cca3f7bed982bd51ba6ae8adf5d53..0000000000000000000000000000000000000000 --- a/versioned-python-configure.patch +++ /dev/null @@ -1,48 +0,0 @@ -commit af29047480cacafaed697cb2a1fb24c5143078a8 -Author: John Dennis -Date: Sat Jul 7 10:59:32 2018 -0400 - - Configure should search for versioned Python interpreter. - - Following the guidelines in Python PEP 394 with regards to the python - command on UNIX like systems preference should be given to explicitly - versioned command interpreter as opposed to unversioned and that an - unversioned python command should (but might not) refer to - Python2. Also in some environments unversioned Python interpreters - (e.g. /usr/bin/python) do not even exist, onlyh their explicitly - versioned variants are (e.g. /usr/bin/python2 and /usr/bin/python3). - - Therefore the AC_CHECK_PROGS directive in configure.ac should not rely - exclusively on an unversioned Python interpreter as it does not, - rather it should search in priority order. First for python3, then for - an unversionsed python because some distributions have already moved - the default unversioned python to python3, and then finally search for - python2. In the scenario where unversioned python is still pointing to - python2 it's equivalent to selecting the last prority option of - python2, but if unversioned python is pointing to python3 you get - instead. The net result is always preferring python3 but gracefully - falling back to python2 not matter how the environment exports it's - Python. - - If AC_CHECK_PROGS for python does not check for the versioned variants - the build fails in environments that only have versioned variants with - this error: - - configure: error: Python must be installed to compile lasso - - License: MIT - 
Signed-off-by: John Dennis - -diff --git a/configure.ac b/configure.ac -index 898468e6..74766972 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -131,7 +131,7 @@ dnl AC_CHECK_PROGS(JAR, fastjar jar) - AC_CHECK_PROGS(PERL, perl) - AC_CHECK_PROGS(PHP5, php5 php) - AC_CHECK_PROGS(PHP5_CONFIG, php-config5 php-config) --AC_CHECK_PROGS(PYTHON, python) -+AC_CHECK_PROGS(PYTHON, python3 python python2) - AC_CHECK_PROGS(SWIG, swig) - - dnl Make sure we have an ANSI compiler