
From: Lars Wendler <polynomial-c@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: dev-libs/cyrus-sasl/, dev-libs/cyrus-sasl/files/
Date: Wed, 24 Oct 2018 12:30:47
Message-Id: 1540384231.ab9cb2adf29b582afb8541b4ceb5a3185c82ba30.polynomial-c@gentoo
1 commit: ab9cb2adf29b582afb8541b4ceb5a3185c82ba30
2 Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
3 AuthorDate: Wed Oct 24 12:30:31 2018 +0000
4 Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
5 CommitDate: Wed Oct 24 12:30:31 2018 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab9cb2ad
7
8 dev-libs/cyrus-sasl: Fixed build with openssl-1.1
9
10 Bumped to EAPI-6 and did some ebuild cleanup.
11
12 Closes: https://bugs.gentoo.org/592528
13 Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>
14 Package-Manager: Portage-2.3.51, Repoman-2.3.11
15
16 dev-libs/cyrus-sasl/cyrus-sasl-2.1.26-r11.ebuild | 111 ++++---
17 ...us-sasl-2.1.23-gss_c_nt_hostbased_service.patch | 4 +-
18 .../files/cyrus-sasl-2.1.25-fix_heimdal.patch | 8 +-
19 .../files/cyrus-sasl-2.1.25-missing_header.patch | 4 +-
20 .../files/cyrus-sasl-2.1.25-service_keytabs.patch | 8 +-
21 ...us-sasl-2.1.26-fix_dovecot_authentication.patch | 8 +-
22 .../files/cyrus-sasl-2.1.26-missing-size_t.patch | 4 +-
23 .../files/cyrus-sasl-2.1.26-openssl-1.1.patch | 353 +++++++++++++++++++++
24 8 files changed, 425 insertions(+), 75 deletions(-)
25
26 diff --git a/dev-libs/cyrus-sasl/cyrus-sasl-2.1.26-r11.ebuild b/dev-libs/cyrus-sasl/cyrus-sasl-2.1.26-r11.ebuild
27 index 582c8463da1..f7cccc351ba 100644
28 --- a/dev-libs/cyrus-sasl/cyrus-sasl-2.1.26-r11.ebuild
29 +++ b/dev-libs/cyrus-sasl/cyrus-sasl-2.1.26-r11.ebuild
30 @@ -1,9 +1,9 @@
31 -# Copyright 1999-2018 Gentoo Foundation
32 +# Copyright 1999-2018 Gentoo Authors
33 # Distributed under the terms of the GNU General Public License v2
34
35 -EAPI=5
36 +EAPI=6
37
38 -inherit eutils flag-o-matic multilib multilib-minimal autotools pam java-pkg-opt-2 db-use systemd
39 +inherit flag-o-matic multilib multilib-minimal autotools pam java-pkg-opt-2 db-use systemd
40
41 SASLAUTHD_CONF_VER="2.1.26"
42
43 @@ -58,6 +58,7 @@ PATCHES=(
44 "${FILESDIR}/${PN}-2.1.26-send-imap-logout.patch"
45 "${FILESDIR}/${PN}-2.1.26-canonuser-ldapdb-garbage-in-out-buffer.patch"
46 "${FILESDIR}/${PN}-2.1.26-fix_dovecot_authentication.patch"
47 + "${FILESDIR}/${PN}-2.1.26-openssl-1.1.patch" #592528
48 )
49
50 pkg_setup() {
51 @@ -65,7 +66,7 @@ pkg_setup() {
52 }
53
54 src_prepare() {
55 - epatch "${PATCHES[@]}"
56 + default
57
58 # Get rid of the -R switch (runpath_switch for Sun)
59 # >=gcc-4.6 errors out with unknown option
60 @@ -103,73 +104,66 @@ multilib_src_configure() {
61 # Java support.
62 multilib_is_native_abi && use java && export JAVAC="${JAVAC} ${JAVACFLAGS}"
63
64 - local myconf=()
65 -
66 - # Add authdaemond support (bug #56523).
67 - if use authdaemond ; then
68 - myconf+=( --with-authdaemond="${EPREFIX}"/var/lib/courier/authdaemon/socket )
69 - fi
70 -
71 - # Fix for bug #59634.
72 - if ! use ssl ; then
73 - myconf+=( --without-des )
74 - fi
75 + local myeconfargs=(
76 + --enable-login
77 + --enable-ntlm
78 + --enable-auth-sasldb
79 + --disable-cmulocal
80 + --disable-krb4
81 + --disable-macos-framework
82 + --enable-otp
83 + --without-sqlite
84 + --with-saslauthd="${EPREFIX}"/run/saslauthd
85 + --with-pwcheck="${EPREFIX}"/run/saslauthd
86 + --with-configdir="${EPREFIX}"/etc/sasl2
87 + --with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sasl2
88 + --with-dbpath="${EPREFIX}"/etc/sasl2/sasldb2
89 + $(use_with ssl openssl)
90 + $(use_with pam)
91 + $(use_with openldap ldap)
92 + $(use_enable ldapdb)
93 + $(multilib_native_use_enable sample)
94 + $(use_enable kerberos gssapi)
95 + $(multilib_native_use_enable java)
96 + $(multilib_native_use_with java javahome ${JAVA_HOME})
97 + $(multilib_native_use_with mysql mysql "${EPREFIX}"/usr)
98 + $(multilib_native_use_with postgres pgsql)
99 + $(use_with sqlite sqlite3 "${EPREFIX}"/usr/$(get_libdir))
100 + $(use_enable srp)
101 + $(use_enable static-libs static)
102 +
103 + # Add authdaemond support (bug #56523).
104 + $(usex authdaemond --with-authdaemond="${EPREFIX}"/var/lib/courier/authdaemon/socket '')
105 +
106 + # Fix for bug #59634.
107 + $(usex ssl '' --without-des)
108 +
109 + # Use /dev/urandom instead of /dev/random (bug #46038).
110 + $(usex urandom --with-devrandom=/dev/urandom '')
111 + )
112
113 if use sqlite || { multilib_is_native_abi && { use mysql || use postgres; }; } ; then
114 - myconf+=( --enable-sql )
115 + myeconfargs+=( --enable-sql )
116 else
117 - myconf+=( --disable-sql )
118 + myeconfargs+=( --disable-sql )
119 fi
120
121 # Default to GDBM if both 'gdbm' and 'berkdb' are present.
122 if use gdbm ; then
123 einfo "Building with GNU DB as database backend for your SASLdb"
124 - myconf+=( --with-dblib=gdbm )
125 + myeconfargs+=( --with-dblib=gdbm )
126 elif use berkdb ; then
127 einfo "Building with BerkeleyDB as database backend for your SASLdb"
128 - myconf+=(
129 + myeconfargs+=(
130 --with-dblib=berkeley
131 --with-bdb-incdir="$(db_includedir)"
132 )
133 else
134 einfo "Building without SASLdb support"
135 - myconf+=( --with-dblib=none )
136 - fi
137 -
138 - # Use /dev/urandom instead of /dev/random (bug #46038).
139 - if use urandom ; then
140 - myconf+=( --with-devrandom=/dev/urandom )
141 + myeconfargs+=( --with-dblib=none )
142 fi
143
144 - ECONF_SOURCE=${S} \
145 - econf \
146 - --enable-login \
147 - --enable-ntlm \
148 - --enable-auth-sasldb \
149 - --disable-cmulocal \
150 - --disable-krb4 \
151 - --disable-macos-framework \
152 - --enable-otp \
153 - --without-sqlite \
154 - --with-saslauthd="${EPREFIX}"/run/saslauthd \
155 - --with-pwcheck="${EPREFIX}"/run/saslauthd \
156 - --with-configdir="${EPREFIX}"/etc/sasl2 \
157 - --with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sasl2 \
158 - --with-dbpath="${EPREFIX}"/etc/sasl2/sasldb2 \
159 - $(use_with ssl openssl) \
160 - $(use_with pam) \
161 - $(use_with openldap ldap) \
162 - $(use_enable ldapdb) \
163 - $(multilib_native_use_enable sample) \
164 - $(use_enable kerberos gssapi) \
165 - $(multilib_native_use_enable java) \
166 - $(multilib_native_use_with java javahome ${JAVA_HOME}) \
167 - $(multilib_native_use_with mysql mysql "${EPREFIX}"/usr) \
168 - $(multilib_native_use_with postgres pgsql) \
169 - $(use_with sqlite sqlite3 "${EPREFIX}"/usr/$(get_libdir)) \
170 - $(use_enable srp) \
171 - $(use_enable static-libs static) \
172 - "${myconf[@]}"
173 + ECONF_SOURCE="${S}" econf "${myeconfargs[@]}"
174 }
175
176 multilib_src_compile() {
177 @@ -215,7 +209,9 @@ multilib_src_install_all() {
178
179 dodoc AUTHORS ChangeLog NEWS README doc/TODO doc/*.txt
180 newdoc pwcheck/README README.pwcheck
181 - dohtml doc/*.html
182 +
183 + docinto html
184 + dodoc doc/*.html
185
186 docinto "saslauthd"
187 dodoc saslauthd/{AUTHORS,ChangeLog,LDAP_SASLAUTHD,NEWS,README}
188 @@ -233,8 +229,9 @@ multilib_src_install_all() {
189 # The get_modname bit is important: do not remove the .la files on
190 # platforms where the lib isn't called .so for cyrus searches the .la to
191 # figure out what the name is supposed to be instead
192 - use static-libs || [[ $(get_modname) != .so ]] || \
193 - prune_libtool_files --modules
194 + if ! use static-libs && [[ $(get_modname) == .so ]] ; then
195 + find "${ED}" -name "*.la" -delete || die
196 + fi
197 }
198
199 pkg_postinst () {
200
201 diff --git a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.23-gss_c_nt_hostbased_service.patch b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.23-gss_c_nt_hostbased_service.patch
202 index 9eeab1b42ff..beea8eb28d1 100644
203 --- a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.23-gss_c_nt_hostbased_service.patch
204 +++ b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.23-gss_c_nt_hostbased_service.patch
205 @@ -1,6 +1,6 @@
206 Gentoo bug #389349
207 ---- cmulocal/sasl2.m4 2009-04-28 17:09:13.000000000 +0200
208 -+++ cmulocal/sasl2.m4 2011-11-02 17:55:24.000000000 +0100
209 +--- a/cmulocal/sasl2.m4
210 ++++ b/cmulocal/sasl2.m4
211 @@ -217,7 +217,11 @@
212 [AC_WARN([Cybersafe define not found])])
213
214
215 diff --git a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-fix_heimdal.patch b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-fix_heimdal.patch
216 index abf0df2568c..92be2600348 100644
217 --- a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-fix_heimdal.patch
218 +++ b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-fix_heimdal.patch
219 @@ -1,7 +1,7 @@
220 Fix compiling against heimdal
221
222 ---- sample/server.c 2010-12-01 14:52:55.000000000 +0000
223 -+++ sample/server.c 2011-11-30 14:54:42.000000000 +0000
224 +--- a/sample/server.c
225 ++++ b/sample/server.c
226 @@ -85,8 +85,10 @@
227
228 #ifdef HAVE_GSS_GET_NAME_ATTRIBUTE
229 @@ -13,8 +13,8 @@ Fix compiling against heimdal
230
231 #include "common.h"
232
233 ---- plugins/gssapi.c 2011-05-11 19:25:55.000000000 +0000
234 -+++ plugins/gssapi.c 2011-11-30 14:54:33.000000000 +0000
235 +--- a/plugins/gssapi.c
236 ++++ b/plugins/gssapi.c
237 @@ -50,6 +50,9 @@
238 #else
239 #include <gssapi/gssapi.h>
240
241 diff --git a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-missing_header.patch b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-missing_header.patch
242 index 597d45a7679..a413e00bf42 100644
243 --- a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-missing_header.patch
244 +++ b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-missing_header.patch
245 @@ -1,5 +1,5 @@
246 ---- pwcheck/pwcheck_getspnam.c 1999-08-26 19:22:44.000000000 +0300
247 -+++ pwcheck/pwcheck_getspnam.c 2011-11-30 13:22:24.601023316 +0200
248 +--- a/pwcheck/pwcheck_getspnam.c
249 ++++ b/pwcheck/pwcheck_getspnam.c
250 @@ -24,6 +24,7 @@
251 ******************************************************************/
252
253
254 diff --git a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-service_keytabs.patch b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-service_keytabs.patch
255 index 117e8eb8880..43b6162a66f 100644
256 --- a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-service_keytabs.patch
257 +++ b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-service_keytabs.patch
258 @@ -1,6 +1,6 @@
259 Bug #445932
260 ---- cmulocal/sasl2.m4 2011-09-02 12:58:00.000000000 +0000
261 -+++ cmulocal/sasl2.m4 2012-12-05 08:37:16.425811319 +0000
262 +--- a/cmulocal/sasl2.m4
263 ++++ b/cmulocal/sasl2.m4
264 @@ -268,7 +268,11 @@
265
266 cmu_save_LIBS="$LIBS"
267 @@ -14,8 +14,8 @@ Bug #445932
268 AC_CHECK_FUNCS(gss_decapsulate_token)
269 AC_CHECK_FUNCS(gss_encapsulate_token)
270 AC_CHECK_FUNCS(gss_oid_equal)
271 ---- plugins/gssapi.c 2012-12-05 09:03:31.000220161 +0000
272 -+++ plugins/gssapi.c 2012-12-05 09:01:55.043380204 +0000
273 +--- a/plugins/gssapi.c
274 ++++ b/plugins/gssapi.c
275 @@ -50,7 +50,7 @@
276 #else
277 #include <gssapi/gssapi.h>
278
279 diff --git a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-fix_dovecot_authentication.patch b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-fix_dovecot_authentication.patch
280 index 46bbdd1ca1a..6fc9de80287 100644
281 --- a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-fix_dovecot_authentication.patch
282 +++ b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-fix_dovecot_authentication.patch
283 @@ -1,6 +1,6 @@
284 Bug #510320
285 ---- saslauthd/auth_rimap.c 2012-10-12 14:05:48.000000000 +0000
286 -+++ saslauthd/auth_rimap.c 2014-05-15 05:23:02.000000000 +0000
287 +--- a/saslauthd/auth_rimap.c
288 ++++ b/saslauthd/auth_rimap.c
289 @@ -371,7 +371,7 @@
290 if ( rc>0 ) {
291 /* check if there is more to read */
292 @@ -65,8 +65,8 @@ Bug #510320
293 rc += ret;
294 }
295 }
296 ---- lib/checkpw.c 2012-01-27 23:31:36.000000000 +0000
297 -+++ lib/checkpw.c 2014-05-15 05:19:35.000000000 +0000
298 +--- a/lib/checkpw.c
299 ++++ b/lib/checkpw.c
300 @@ -587,16 +587,14 @@
301 /* Timeout. */
302 errno = ETIMEDOUT;
303
304 diff --git a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-missing-size_t.patch b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-missing-size_t.patch
305 index 42f20fb8096..0177b52567f 100644
306 --- a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-missing-size_t.patch
307 +++ b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-missing-size_t.patch
308 @@ -1,6 +1,6 @@
309 Gentoo bug #458790
310 ---- include/sasl.h 2012-10-12 17:05:48.000000000 +0300
311 -+++ include/sasl.h 2013-02-23 16:56:44.648786268 +0200
312 +--- a/include/sasl.h
313 ++++ b/include/sasl.h
314 @@ -121,6 +121,9 @@
315 #ifndef SASL_H
316 #define SASL_H 1
317
318 diff --git a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-openssl-1.1.patch b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-openssl-1.1.patch
319 new file mode 100644
320 index 00000000000..3b0ffac24f0
321 --- /dev/null
322 +++ b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-openssl-1.1.patch
323 @@ -0,0 +1,353 @@
324 +diff --git a/plugins/ntlm.c b/plugins/ntlm.c
325 +index 79ea47c..554a00d 100644
326 +--- a/plugins/ntlm.c
327 ++++ b/plugins/ntlm.c
328 +@@ -417,6 +417,29 @@ static unsigned char *P24(unsigned char *P24, unsigned char *P21,
329 + return P24;
330 + }
331 +
332 ++static HMAC_CTX *_plug_HMAC_CTX_new(const sasl_utils_t *utils)
333 ++{
334 ++ utils->log(NULL, SASL_LOG_DEBUG, "_plug_HMAC_CTX_new()");
335 ++
336 ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
337 ++ return HMAC_CTX_new();
338 ++#else
339 ++ return utils->malloc(sizeof(EVP_MD_CTX));
340 ++#endif
341 ++}
342 ++
343 ++static void _plug_HMAC_CTX_free(HMAC_CTX *ctx, const sasl_utils_t *utils)
344 ++{
345 ++ utils->log(NULL, SASL_LOG_DEBUG, "_plug_HMAC_CTX_free()");
346 ++
347 ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
348 ++ HMAC_CTX_free(ctx);
349 ++#else
350 ++ HMAC_cleanup(ctx);
351 ++ utils->free(ctx);
352 ++#endif
353 ++}
354 ++
355 + static unsigned char *V2(unsigned char *V2, sasl_secret_t *passwd,
356 + const char *authid, const char *target,
357 + const unsigned char *challenge,
358 +@@ -424,7 +447,7 @@ static unsigned char *V2(unsigned char *V2, sasl_secret_t *passwd,
359 + const sasl_utils_t *utils,
360 + char **buf, unsigned *buflen, int *result)
361 + {
362 +- HMAC_CTX ctx;
363 ++ HMAC_CTX *ctx = NULL;
364 + unsigned char hash[EVP_MAX_MD_SIZE];
365 + char *upper;
366 + unsigned int len;
367 +@@ -435,6 +458,10 @@ static unsigned char *V2(unsigned char *V2, sasl_secret_t *passwd,
368 + SETERROR(utils, "cannot allocate NTLMv2 hash");
369 + *result = SASL_NOMEM;
370 + }
371 ++ else if ((ctx = _plug_HMAC_CTX_new(utils)) == NULL) {
372 ++ SETERROR(utils, "cannot allocate HMAC CTX");
373 ++ *result = SASL_NOMEM;
374 ++ }
375 + else {
376 + /* NTLMv2hash = HMAC-MD5(NTLMhash, unicode(ucase(authid + domain))) */
377 + P16_nt(hash, passwd, utils, buf, buflen, result);
378 +@@ -449,17 +476,18 @@ static unsigned char *V2(unsigned char *V2, sasl_secret_t *passwd,
379 + HMAC(EVP_md5(), hash, MD4_DIGEST_LENGTH, *buf, 2 * len, hash, &len);
380 +
381 + /* V2 = HMAC-MD5(NTLMv2hash, challenge + blob) + blob */
382 +- HMAC_Init(&ctx, hash, len, EVP_md5());
383 +- HMAC_Update(&ctx, challenge, NTLM_NONCE_LENGTH);
384 +- HMAC_Update(&ctx, blob, bloblen);
385 +- HMAC_Final(&ctx, V2, &len);
386 +- HMAC_cleanup(&ctx);
387 ++ HMAC_Init_ex(ctx, hash, len, EVP_md5(), NULL);
388 ++ HMAC_Update(ctx, challenge, NTLM_NONCE_LENGTH);
389 ++ HMAC_Update(ctx, blob, bloblen);
390 ++ HMAC_Final(ctx, V2, &len);
391 +
392 + /* the blob is concatenated outside of this function */
393 +
394 + *result = SASL_OK;
395 + }
396 +
397 ++ if (ctx) _plug_HMAC_CTX_free(ctx, utils);
398 ++
399 + return V2;
400 + }
401 +
402 +diff --git a/plugins/otp.c b/plugins/otp.c
403 +index dd73065..d1e9bf4 100644
404 +--- a/plugins/otp.c
405 ++++ b/plugins/otp.c
406 +@@ -96,6 +96,28 @@ static algorithm_option_t algorithm_options[] = {
407 + {NULL, 0, NULL}
408 + };
409 +
410 ++static EVP_MD_CTX *_plug_EVP_MD_CTX_new(const sasl_utils_t *utils)
411 ++{
412 ++ utils->log(NULL, SASL_LOG_DEBUG, "_plug_EVP_MD_CTX_new()");
413 ++
414 ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
415 ++ return EVP_MD_CTX_new();
416 ++#else
417 ++ return utils->malloc(sizeof(EVP_MD_CTX));
418 ++#endif
419 ++}
420 ++
421 ++static void _plug_EVP_MD_CTX_free(EVP_MD_CTX *ctx, const sasl_utils_t *utils)
422 ++{
423 ++ utils->log(NULL, SASL_LOG_DEBUG, "_plug_EVP_MD_CTX_free()");
424 ++
425 ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
426 ++ EVP_MD_CTX_free(ctx);
427 ++#else
428 ++ utils->free(ctx);
429 ++#endif
430 ++}
431 ++
432 + /* Convert the binary data into ASCII hex */
433 + void bin2hex(unsigned char *bin, int binlen, char *hex)
434 + {
435 +@@ -116,17 +138,16 @@ void bin2hex(unsigned char *bin, int binlen, char *hex)
436 + * swabbing bytes if necessary.
437 + */
438 + static void otp_hash(const EVP_MD *md, char *in, size_t inlen,
439 +- unsigned char *out, int swab)
440 ++ unsigned char *out, int swab, EVP_MD_CTX *mdctx)
441 + {
442 +- EVP_MD_CTX mdctx;
443 + char hash[EVP_MAX_MD_SIZE];
444 + unsigned int i;
445 + int j;
446 + unsigned hashlen;
447 +
448 +- EVP_DigestInit(&mdctx, md);
449 +- EVP_DigestUpdate(&mdctx, in, inlen);
450 +- EVP_DigestFinal(&mdctx, hash, &hashlen);
451 ++ EVP_DigestInit(mdctx, md);
452 ++ EVP_DigestUpdate(mdctx, in, inlen);
453 ++ EVP_DigestFinal(mdctx, hash, &hashlen);
454 +
455 + /* Fold the result into 64 bits */
456 + for (i = OTP_HASH_SIZE; i < hashlen; i++) {
457 +@@ -149,7 +170,9 @@ static int generate_otp(const sasl_utils_t *utils,
458 + char *secret, char *otp)
459 + {
460 + const EVP_MD *md;
461 +- char *key;
462 ++ EVP_MD_CTX *mdctx = NULL;
463 ++ char *key = NULL;
464 ++ int r = SASL_OK;
465 +
466 + if (!(md = EVP_get_digestbyname(alg->evp_name))) {
467 + utils->seterror(utils->conn, 0,
468 +@@ -157,23 +180,32 @@ static int generate_otp(const sasl_utils_t *utils,
469 + return SASL_FAIL;
470 + }
471 +
472 ++ if ((mdctx = _plug_EVP_MD_CTX_new(utils)) == NULL) {
473 ++ SETERROR(utils, "cannot allocate MD CTX");
474 ++ r = SASL_NOMEM;
475 ++ goto done;
476 ++ }
477 ++
478 + if ((key = utils->malloc(strlen(seed) + strlen(secret) + 1)) == NULL) {
479 + SETERROR(utils, "cannot allocate OTP key");
480 +- return SASL_NOMEM;
481 ++ r = SASL_NOMEM;
482 ++ goto done;
483 + }
484 +
485 + /* initial step */
486 + strcpy(key, seed);
487 + strcat(key, secret);
488 +- otp_hash(md, key, strlen(key), otp, alg->swab);
489 ++ otp_hash(md, key, strlen(key), otp, alg->swab, mdctx);
490 +
491 + /* computation step */
492 + while (seq-- > 0)
493 +- otp_hash(md, otp, OTP_HASH_SIZE, otp, alg->swab);
494 ++ otp_hash(md, otp, OTP_HASH_SIZE, otp, alg->swab, mdctx);
495 +
496 +- utils->free(key);
497 ++ done:
498 ++ if (key) utils->free(key);
499 ++ if (mdctx) _plug_EVP_MD_CTX_free(mdctx, utils);
500 +
501 +- return SASL_OK;
502 ++ return r;
503 + }
504 +
505 + static int parse_challenge(const sasl_utils_t *utils,
506 +@@ -693,7 +725,8 @@ static int strptrcasecmp(const void *arg1, const void *arg2)
507 +
508 + /* Convert the 6 words into binary data */
509 + static int word2bin(const sasl_utils_t *utils,
510 +- char *words, unsigned char *bin, const EVP_MD *md)
511 ++ char *words, unsigned char *bin, const EVP_MD *md,
512 ++ EVP_MD_CTX *mdctx)
513 + {
514 + int i, j;
515 + char *c, *word, buf[OTP_RESPONSE_MAX+1];
516 +@@ -752,13 +785,12 @@ static int word2bin(const sasl_utils_t *utils,
517 +
518 + /* alternate dictionary */
519 + if (alt_dict) {
520 +- EVP_MD_CTX mdctx;
521 + char hash[EVP_MAX_MD_SIZE];
522 + int hashlen;
523 +
524 +- EVP_DigestInit(&mdctx, md);
525 +- EVP_DigestUpdate(&mdctx, word, strlen(word));
526 +- EVP_DigestFinal(&mdctx, hash, &hashlen);
527 ++ EVP_DigestInit(mdctx, md);
528 ++ EVP_DigestUpdate(mdctx, word, strlen(word));
529 ++ EVP_DigestFinal(mdctx, hash, &hashlen);
530 +
531 + /* use lowest 11 bits */
532 + x = ((hash[hashlen-2] & 0x7) << 8) | hash[hashlen-1];
533 +@@ -802,6 +834,7 @@ static int verify_response(server_context_t *text, const sasl_utils_t *utils,
534 + char *response)
535 + {
536 + const EVP_MD *md;
537 ++ EVP_MD_CTX *mdctx = NULL;
538 + char *c;
539 + int do_init = 0;
540 + unsigned char cur_otp[OTP_HASH_SIZE], prev_otp[OTP_HASH_SIZE];
541 +@@ -815,6 +848,11 @@ static int verify_response(server_context_t *text, const sasl_utils_t *utils,
542 + return SASL_FAIL;
543 + }
544 +
545 ++ if ((mdctx = _plug_EVP_MD_CTX_new(utils)) == NULL) {
546 ++ SETERROR(utils, "cannot allocate MD CTX");
547 ++ return SASL_NOMEM;
548 ++ }
549 ++
550 + /* eat leading whitespace */
551 + c = response;
552 + while (isspace((int) *c)) c++;
553 +@@ -824,7 +862,7 @@ static int verify_response(server_context_t *text, const sasl_utils_t *utils,
554 + r = hex2bin(c+strlen(OTP_HEX_TYPE), cur_otp, OTP_HASH_SIZE);
555 + }
556 + else if (!strncasecmp(c, OTP_WORD_TYPE, strlen(OTP_WORD_TYPE))) {
557 +- r = word2bin(utils, c+strlen(OTP_WORD_TYPE), cur_otp, md);
558 ++ r = word2bin(utils, c+strlen(OTP_WORD_TYPE), cur_otp, md, mdctx);
559 + }
560 + else if (!strncasecmp(c, OTP_INIT_HEX_TYPE,
561 + strlen(OTP_INIT_HEX_TYPE))) {
562 +@@ -834,7 +872,7 @@ static int verify_response(server_context_t *text, const sasl_utils_t *utils,
563 + else if (!strncasecmp(c, OTP_INIT_WORD_TYPE,
564 + strlen(OTP_INIT_WORD_TYPE))) {
565 + do_init = 1;
566 +- r = word2bin(utils, c+strlen(OTP_INIT_WORD_TYPE), cur_otp, md);
567 ++ r = word2bin(utils, c+strlen(OTP_INIT_WORD_TYPE), cur_otp, md, mdctx);
568 + }
569 + else {
570 + SETERROR(utils, "unknown OTP extended response type");
571 +@@ -843,14 +881,14 @@ static int verify_response(server_context_t *text, const sasl_utils_t *utils,
572 + }
573 + else {
574 + /* standard response, try word first, and then hex */
575 +- r = word2bin(utils, c, cur_otp, md);
576 ++ r = word2bin(utils, c, cur_otp, md, mdctx);
577 + if (r != SASL_OK)
578 + r = hex2bin(c, cur_otp, OTP_HASH_SIZE);
579 + }
580 +
581 + if (r == SASL_OK) {
582 + /* do one more hash (previous otp) and compare to stored otp */
583 +- otp_hash(md, cur_otp, OTP_HASH_SIZE, prev_otp, text->alg->swab);
584 ++ otp_hash(md, cur_otp, OTP_HASH_SIZE, prev_otp, text->alg->swab, mdctx);
585 +
586 + if (!memcmp(prev_otp, text->otp, OTP_HASH_SIZE)) {
587 + /* update the secret with this seq/otp */
588 +@@ -879,23 +917,28 @@ static int verify_response(server_context_t *text, const sasl_utils_t *utils,
589 + *new_resp++ = '\0';
590 + }
591 +
592 +- if (!(new_chal && new_resp))
593 +- return SASL_BADAUTH;
594 ++ if (!(new_chal && new_resp)) {
595 ++ r = SASL_BADAUTH;
596 ++ goto done;
597 ++ }
598 +
599 + if ((r = parse_challenge(utils, new_chal, &alg, &seq, seed, 1))
600 + != SASL_OK) {
601 +- return r;
602 ++ goto done;
603 + }
604 +
605 +- if (seq < 1 || !strcasecmp(seed, text->seed))
606 +- return SASL_BADAUTH;
607 ++ if (seq < 1 || !strcasecmp(seed, text->seed)) {
608 ++ r = SASL_BADAUTH;
609 ++ goto done;
610 ++ }
611 +
612 + /* find the MDA */
613 + if (!(md = EVP_get_digestbyname(alg->evp_name))) {
614 + utils->seterror(utils->conn, 0,
615 + "OTP algorithm %s is not available",
616 + alg->evp_name);
617 +- return SASL_BADAUTH;
618 ++ r = SASL_BADAUTH;
619 ++ goto done;
620 + }
621 +
622 + if (!strncasecmp(c, OTP_INIT_HEX_TYPE, strlen(OTP_INIT_HEX_TYPE))) {
623 +@@ -903,7 +946,7 @@ static int verify_response(server_context_t *text, const sasl_utils_t *utils,
624 + }
625 + else if (!strncasecmp(c, OTP_INIT_WORD_TYPE,
626 + strlen(OTP_INIT_WORD_TYPE))) {
627 +- r = word2bin(utils, new_resp, new_otp, md);
628 ++ r = word2bin(utils, new_resp, new_otp, md, mdctx);
629 + }
630 +
631 + if (r == SASL_OK) {
632 +@@ -914,7 +957,10 @@ static int verify_response(server_context_t *text, const sasl_utils_t *utils,
633 + memcpy(text->otp, new_otp, OTP_HASH_SIZE);
634 + }
635 + }
636 +-
637 ++
638 ++ done:
639 ++ if (mdctx) _plug_EVP_MD_CTX_free(mdctx, utils);
640 ++
641 + return r;
642 + }
643 +
644 +@@ -1443,8 +1489,10 @@ int otp_server_plug_init(const sasl_utils_t *utils,
645 + *pluglist = otp_server_plugins;
646 + *plugcount = 1;
647 +
648 ++#if OPENSSL_VERSION_NUMBER < 0x10100000L
649 + /* Add all digests */
650 + OpenSSL_add_all_digests();
651 ++#endif
652 +
653 + return SASL_OK;
654 + }
655 +@@ -1844,8 +1892,10 @@ int otp_client_plug_init(sasl_utils_t *utils,
656 + *pluglist = otp_client_plugins;
657 + *plugcount = 1;
658 +
659 ++#if OPENSSL_VERSION_NUMBER < 0x10100000L
660 + /* Add all digests */
661 + OpenSSL_add_all_digests();
662 ++#endif
663 +
664 + return SASL_OK;
665 + }
666 +--- a/saslauthd/lak.c
667 ++++ b/saslauthd/lak.c
668 +@@ -729,7 +729,7 @@ int lak_init(
669 + return rc;
670 + }
671 +
672 +-#ifdef HAVE_OPENSSL
673 ++#if defined(HAVE_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10100000L
674 + OpenSSL_add_all_digests();
675 + #endif
676 +
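Review bot: In `_plug_HMAC_CTX_new()` (the plugins/ntlm.c part of the added patch) the pre-1.1 branch allocates `sizeof(EVP_MD_CTX)` bytes for an `HMAC_CTX`, which looks copied from the otp.c helper; on OpenSSL 1.0.x an `HMAC_CTX` is a larger struct, so `HMAC_Init_ex()` in `V2()` would write past the allocation. That branch also returns uninitialised memory, and `V2()` now calls `HMAC_Init_ex()` where the removed code called `HMAC_Init()`, so nothing visible in the hunk initialises the context before first use. I would change the branch to `HMAC_CTX *ctx = utils->malloc(sizeof(HMAC_CTX)); if (ctx) HMAC_CTX_init(ctx); return ctx;`. Separately, the return values of `HMAC_Init_ex()`, `HMAC_Update()` and `HMAC_Final()` are ignored and `*result` is set to `SASL_OK` regardless, so a failed HMAC would leave the NTLMv2 response built from whatever `V2` already held; checking them and reporting `SASL_FAIL` would be safer. The body of `V2()` begins outside the lines shown here.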