| 1 |
commit: ab9cb2adf29b582afb8541b4ceb5a3185c82ba30 |
| 2 |
Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Wed Oct 24 12:30:31 2018 +0000 |
| 4 |
Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Wed Oct 24 12:30:31 2018 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab9cb2ad |
| 7 |
|
| 8 |
dev-libs/cyrus-sasl: Fixed build with openssl-1.1 |
| 9 |
|
| 10 |
Bumped to EAPI-6 and did some ebuild cleanup. |
| 11 |
|
| 12 |
Closes: https://bugs.gentoo.org/592528 |
| 13 |
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org> |
| 14 |
Package-Manager: Portage-2.3.51, Repoman-2.3.11 |
| 15 |
|
| 16 |
dev-libs/cyrus-sasl/cyrus-sasl-2.1.26-r11.ebuild | 111 ++++--- |
| 17 |
...us-sasl-2.1.23-gss_c_nt_hostbased_service.patch | 4 +- |
| 18 |
.../files/cyrus-sasl-2.1.25-fix_heimdal.patch | 8 +- |
| 19 |
.../files/cyrus-sasl-2.1.25-missing_header.patch | 4 +- |
| 20 |
.../files/cyrus-sasl-2.1.25-service_keytabs.patch | 8 +- |
| 21 |
...us-sasl-2.1.26-fix_dovecot_authentication.patch | 8 +- |
| 22 |
.../files/cyrus-sasl-2.1.26-missing-size_t.patch | 4 +- |
| 23 |
.../files/cyrus-sasl-2.1.26-openssl-1.1.patch | 353 +++++++++++++++++++++ |
| 24 |
8 files changed, 425 insertions(+), 75 deletions(-) |
| 25 |
|
| 26 |
diff --git a/dev-libs/cyrus-sasl/cyrus-sasl-2.1.26-r11.ebuild b/dev-libs/cyrus-sasl/cyrus-sasl-2.1.26-r11.ebuild |
| 27 |
index 582c8463da1..f7cccc351ba 100644 |
| 28 |
--- a/dev-libs/cyrus-sasl/cyrus-sasl-2.1.26-r11.ebuild |
| 29 |
+++ b/dev-libs/cyrus-sasl/cyrus-sasl-2.1.26-r11.ebuild |
| 30 |
@@ -1,9 +1,9 @@ |
| 31 |
-# Copyright 1999-2018 Gentoo Foundation |
| 32 |
+# Copyright 1999-2018 Gentoo Authors |
| 33 |
# Distributed under the terms of the GNU General Public License v2 |
| 34 |
|
| 35 |
-EAPI=5 |
| 36 |
+EAPI=6 |
| 37 |
|
| 38 |
-inherit eutils flag-o-matic multilib multilib-minimal autotools pam java-pkg-opt-2 db-use systemd |
| 39 |
+inherit flag-o-matic multilib multilib-minimal autotools pam java-pkg-opt-2 db-use systemd |
| 40 |
|
| 41 |
SASLAUTHD_CONF_VER="2.1.26" |
| 42 |
|
| 43 |
@@ -58,6 +58,7 @@ PATCHES=( |
| 44 |
"${FILESDIR}/${PN}-2.1.26-send-imap-logout.patch" |
| 45 |
"${FILESDIR}/${PN}-2.1.26-canonuser-ldapdb-garbage-in-out-buffer.patch" |
| 46 |
"${FILESDIR}/${PN}-2.1.26-fix_dovecot_authentication.patch" |
| 47 |
+ "${FILESDIR}/${PN}-2.1.26-openssl-1.1.patch" #592528 |
| 48 |
) |
| 49 |
|
| 50 |
pkg_setup() { |
| 51 |
@@ -65,7 +66,7 @@ pkg_setup() { |
| 52 |
} |
| 53 |
|
| 54 |
src_prepare() { |
| 55 |
- epatch "${PATCHES[@]}" |
| 56 |
+ default |
| 57 |
|
| 58 |
# Get rid of the -R switch (runpath_switch for Sun) |
| 59 |
# >=gcc-4.6 errors out with unknown option |
| 60 |
@@ -103,73 +104,66 @@ multilib_src_configure() { |
| 61 |
# Java support. |
| 62 |
multilib_is_native_abi && use java && export JAVAC="${JAVAC} ${JAVACFLAGS}" |
| 63 |
|
| 64 |
- local myconf=() |
| 65 |
- |
| 66 |
- # Add authdaemond support (bug #56523). |
| 67 |
- if use authdaemond ; then |
| 68 |
- myconf+=( --with-authdaemond="${EPREFIX}"/var/lib/courier/authdaemon/socket ) |
| 69 |
- fi |
| 70 |
- |
| 71 |
- # Fix for bug #59634. |
| 72 |
- if ! use ssl ; then |
| 73 |
- myconf+=( --without-des ) |
| 74 |
- fi |
| 75 |
+ local myeconfargs=( |
| 76 |
+ --enable-login |
| 77 |
+ --enable-ntlm |
| 78 |
+ --enable-auth-sasldb |
| 79 |
+ --disable-cmulocal |
| 80 |
+ --disable-krb4 |
| 81 |
+ --disable-macos-framework |
| 82 |
+ --enable-otp |
| 83 |
+ --without-sqlite |
| 84 |
+ --with-saslauthd="${EPREFIX}"/run/saslauthd |
| 85 |
+ --with-pwcheck="${EPREFIX}"/run/saslauthd |
| 86 |
+ --with-configdir="${EPREFIX}"/etc/sasl2 |
| 87 |
+ --with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sasl2 |
| 88 |
+ --with-dbpath="${EPREFIX}"/etc/sasl2/sasldb2 |
| 89 |
+ $(use_with ssl openssl) |
| 90 |
+ $(use_with pam) |
| 91 |
+ $(use_with openldap ldap) |
| 92 |
+ $(use_enable ldapdb) |
| 93 |
+ $(multilib_native_use_enable sample) |
| 94 |
+ $(use_enable kerberos gssapi) |
| 95 |
+ $(multilib_native_use_enable java) |
| 96 |
+ $(multilib_native_use_with java javahome ${JAVA_HOME}) |
| 97 |
+ $(multilib_native_use_with mysql mysql "${EPREFIX}"/usr) |
| 98 |
+ $(multilib_native_use_with postgres pgsql) |
| 99 |
+ $(use_with sqlite sqlite3 "${EPREFIX}"/usr/$(get_libdir)) |
| 100 |
+ $(use_enable srp) |
| 101 |
+ $(use_enable static-libs static) |
| 102 |
+ |
| 103 |
+ # Add authdaemond support (bug #56523). |
| 104 |
+ $(usex authdaemond --with-authdaemond="${EPREFIX}"/var/lib/courier/authdaemon/socket '') |
| 105 |
+ |
| 106 |
+ # Fix for bug #59634. |
| 107 |
+ $(usex ssl '' --without-des) |
| 108 |
+ |
| 109 |
+ # Use /dev/urandom instead of /dev/random (bug #46038). |
| 110 |
+ $(usex urandom --with-devrandom=/dev/urandom '') |
| 111 |
+ ) |
| 112 |
|
| 113 |
if use sqlite || { multilib_is_native_abi && { use mysql || use postgres; }; } ; then |
| 114 |
- myconf+=( --enable-sql ) |
| 115 |
+ myeconfargs+=( --enable-sql ) |
| 116 |
else |
| 117 |
- myconf+=( --disable-sql ) |
| 118 |
+ myeconfargs+=( --disable-sql ) |
| 119 |
fi |
| 120 |
|
| 121 |
# Default to GDBM if both 'gdbm' and 'berkdb' are present. |
| 122 |
if use gdbm ; then |
| 123 |
einfo "Building with GNU DB as database backend for your SASLdb" |
| 124 |
- myconf+=( --with-dblib=gdbm ) |
| 125 |
+ myeconfargs+=( --with-dblib=gdbm ) |
| 126 |
elif use berkdb ; then |
| 127 |
einfo "Building with BerkeleyDB as database backend for your SASLdb" |
| 128 |
- myconf+=( |
| 129 |
+ myeconfargs+=( |
| 130 |
--with-dblib=berkeley |
| 131 |
--with-bdb-incdir="$(db_includedir)" |
| 132 |
) |
| 133 |
else |
| 134 |
einfo "Building without SASLdb support" |
| 135 |
- myconf+=( --with-dblib=none ) |
| 136 |
- fi |
| 137 |
- |
| 138 |
- # Use /dev/urandom instead of /dev/random (bug #46038). |
| 139 |
- if use urandom ; then |
| 140 |
- myconf+=( --with-devrandom=/dev/urandom ) |
| 141 |
+ myeconfargs+=( --with-dblib=none ) |
| 142 |
fi |
| 143 |
|
| 144 |
- ECONF_SOURCE=${S} \ |
| 145 |
- econf \ |
| 146 |
- --enable-login \ |
| 147 |
- --enable-ntlm \ |
| 148 |
- --enable-auth-sasldb \ |
| 149 |
- --disable-cmulocal \ |
| 150 |
- --disable-krb4 \ |
| 151 |
- --disable-macos-framework \ |
| 152 |
- --enable-otp \ |
| 153 |
- --without-sqlite \ |
| 154 |
- --with-saslauthd="${EPREFIX}"/run/saslauthd \ |
| 155 |
- --with-pwcheck="${EPREFIX}"/run/saslauthd \ |
| 156 |
- --with-configdir="${EPREFIX}"/etc/sasl2 \ |
| 157 |
- --with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sasl2 \ |
| 158 |
- --with-dbpath="${EPREFIX}"/etc/sasl2/sasldb2 \ |
| 159 |
- $(use_with ssl openssl) \ |
| 160 |
- $(use_with pam) \ |
| 161 |
- $(use_with openldap ldap) \ |
| 162 |
- $(use_enable ldapdb) \ |
| 163 |
- $(multilib_native_use_enable sample) \ |
| 164 |
- $(use_enable kerberos gssapi) \ |
| 165 |
- $(multilib_native_use_enable java) \ |
| 166 |
- $(multilib_native_use_with java javahome ${JAVA_HOME}) \ |
| 167 |
- $(multilib_native_use_with mysql mysql "${EPREFIX}"/usr) \ |
| 168 |
- $(multilib_native_use_with postgres pgsql) \ |
| 169 |
- $(use_with sqlite sqlite3 "${EPREFIX}"/usr/$(get_libdir)) \ |
| 170 |
- $(use_enable srp) \ |
| 171 |
- $(use_enable static-libs static) \ |
| 172 |
- "${myconf[@]}" |
| 173 |
+ ECONF_SOURCE="${S}" econf "${myeconfargs[@]}" |
| 174 |
} |
| 175 |
|
| 176 |
multilib_src_compile() { |
| 177 |
@@ -215,7 +209,9 @@ multilib_src_install_all() { |
| 178 |
|
| 179 |
dodoc AUTHORS ChangeLog NEWS README doc/TODO doc/*.txt |
| 180 |
newdoc pwcheck/README README.pwcheck |
| 181 |
- dohtml doc/*.html |
| 182 |
+ |
| 183 |
+ docinto html |
| 184 |
+ dodoc doc/*.html |
| 185 |
|
| 186 |
docinto "saslauthd" |
| 187 |
dodoc saslauthd/{AUTHORS,ChangeLog,LDAP_SASLAUTHD,NEWS,README} |
| 188 |
@@ -233,8 +229,9 @@ multilib_src_install_all() { |
| 189 |
# The get_modname bit is important: do not remove the .la files on |
| 190 |
# platforms where the lib isn't called .so for cyrus searches the .la to |
| 191 |
# figure out what the name is supposed to be instead |
| 192 |
- use static-libs || [[ $(get_modname) != .so ]] || \ |
| 193 |
- prune_libtool_files --modules |
| 194 |
+ if ! use static-libs && [[ $(get_modname) == .so ]] ; then |
| 195 |
+ find "${ED}" -name "*.la" -delete || die |
| 196 |
+ fi |
| 197 |
} |
| 198 |
|
| 199 |
pkg_postinst () { |
| 200 |
|
| 201 |
diff --git a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.23-gss_c_nt_hostbased_service.patch b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.23-gss_c_nt_hostbased_service.patch |
| 202 |
index 9eeab1b42ff..beea8eb28d1 100644 |
| 203 |
--- a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.23-gss_c_nt_hostbased_service.patch |
| 204 |
+++ b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.23-gss_c_nt_hostbased_service.patch |
| 205 |
@@ -1,6 +1,6 @@ |
| 206 |
Gentoo bug #389349 |
| 207 |
---- cmulocal/sasl2.m4 2009-04-28 17:09:13.000000000 +0200 |
| 208 |
-+++ cmulocal/sasl2.m4 2011-11-02 17:55:24.000000000 +0100 |
| 209 |
+--- a/cmulocal/sasl2.m4 |
| 210 |
++++ b/cmulocal/sasl2.m4 |
| 211 |
@@ -217,7 +217,11 @@ |
| 212 |
[AC_WARN([Cybersafe define not found])]) |
| 213 |
|
| 214 |
|
| 215 |
diff --git a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-fix_heimdal.patch b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-fix_heimdal.patch |
| 216 |
index abf0df2568c..92be2600348 100644 |
| 217 |
--- a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-fix_heimdal.patch |
| 218 |
+++ b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-fix_heimdal.patch |
| 219 |
@@ -1,7 +1,7 @@ |
| 220 |
Fix compiling against heimdal |
| 221 |
|
| 222 |
---- sample/server.c 2010-12-01 14:52:55.000000000 +0000 |
| 223 |
-+++ sample/server.c 2011-11-30 14:54:42.000000000 +0000 |
| 224 |
+--- a/sample/server.c |
| 225 |
++++ b/sample/server.c |
| 226 |
@@ -85,8 +85,10 @@ |
| 227 |
|
| 228 |
#ifdef HAVE_GSS_GET_NAME_ATTRIBUTE |
| 229 |
@@ -13,8 +13,8 @@ Fix compiling against heimdal |
| 230 |
|
| 231 |
#include "common.h" |
| 232 |
|
| 233 |
---- plugins/gssapi.c 2011-05-11 19:25:55.000000000 +0000 |
| 234 |
-+++ plugins/gssapi.c 2011-11-30 14:54:33.000000000 +0000 |
| 235 |
+--- a/plugins/gssapi.c |
| 236 |
++++ b/plugins/gssapi.c |
| 237 |
@@ -50,6 +50,9 @@ |
| 238 |
#else |
| 239 |
#include <gssapi/gssapi.h> |
| 240 |
|
| 241 |
diff --git a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-missing_header.patch b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-missing_header.patch |
| 242 |
index 597d45a7679..a413e00bf42 100644 |
| 243 |
--- a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-missing_header.patch |
| 244 |
+++ b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-missing_header.patch |
| 245 |
@@ -1,5 +1,5 @@ |
| 246 |
---- pwcheck/pwcheck_getspnam.c 1999-08-26 19:22:44.000000000 +0300 |
| 247 |
-+++ pwcheck/pwcheck_getspnam.c 2011-11-30 13:22:24.601023316 +0200 |
| 248 |
+--- a/pwcheck/pwcheck_getspnam.c |
| 249 |
++++ b/pwcheck/pwcheck_getspnam.c |
| 250 |
@@ -24,6 +24,7 @@ |
| 251 |
******************************************************************/ |
| 252 |
|
| 253 |
|
| 254 |
diff --git a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-service_keytabs.patch b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-service_keytabs.patch |
| 255 |
index 117e8eb8880..43b6162a66f 100644 |
| 256 |
--- a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-service_keytabs.patch |
| 257 |
+++ b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-service_keytabs.patch |
| 258 |
@@ -1,6 +1,6 @@ |
| 259 |
Bug #445932 |
| 260 |
---- cmulocal/sasl2.m4 2011-09-02 12:58:00.000000000 +0000 |
| 261 |
-+++ cmulocal/sasl2.m4 2012-12-05 08:37:16.425811319 +0000 |
| 262 |
+--- a/cmulocal/sasl2.m4 |
| 263 |
++++ b/cmulocal/sasl2.m4 |
| 264 |
@@ -268,7 +268,11 @@ |
| 265 |
|
| 266 |
cmu_save_LIBS="$LIBS" |
| 267 |
@@ -14,8 +14,8 @@ Bug #445932 |
| 268 |
AC_CHECK_FUNCS(gss_decapsulate_token) |
| 269 |
AC_CHECK_FUNCS(gss_encapsulate_token) |
| 270 |
AC_CHECK_FUNCS(gss_oid_equal) |
| 271 |
---- plugins/gssapi.c 2012-12-05 09:03:31.000220161 +0000 |
| 272 |
-+++ plugins/gssapi.c 2012-12-05 09:01:55.043380204 +0000 |
| 273 |
+--- a/plugins/gssapi.c |
| 274 |
++++ b/plugins/gssapi.c |
| 275 |
@@ -50,7 +50,7 @@ |
| 276 |
#else |
| 277 |
#include <gssapi/gssapi.h> |
| 278 |
|
| 279 |
diff --git a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-fix_dovecot_authentication.patch b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-fix_dovecot_authentication.patch |
| 280 |
index 46bbdd1ca1a..6fc9de80287 100644 |
| 281 |
--- a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-fix_dovecot_authentication.patch |
| 282 |
+++ b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-fix_dovecot_authentication.patch |
| 283 |
@@ -1,6 +1,6 @@ |
| 284 |
Bug #510320 |
| 285 |
---- saslauthd/auth_rimap.c 2012-10-12 14:05:48.000000000 +0000 |
| 286 |
-+++ saslauthd/auth_rimap.c 2014-05-15 05:23:02.000000000 +0000 |
| 287 |
+--- a/saslauthd/auth_rimap.c |
| 288 |
++++ b/saslauthd/auth_rimap.c |
| 289 |
@@ -371,7 +371,7 @@ |
| 290 |
if ( rc>0 ) { |
| 291 |
/* check if there is more to read */ |
| 292 |
@@ -65,8 +65,8 @@ Bug #510320 |
| 293 |
rc += ret; |
| 294 |
} |
| 295 |
} |
| 296 |
---- lib/checkpw.c 2012-01-27 23:31:36.000000000 +0000 |
| 297 |
-+++ lib/checkpw.c 2014-05-15 05:19:35.000000000 +0000 |
| 298 |
+--- a/lib/checkpw.c |
| 299 |
++++ b/lib/checkpw.c |
| 300 |
@@ -587,16 +587,14 @@ |
| 301 |
/* Timeout. */ |
| 302 |
errno = ETIMEDOUT; |
| 303 |
|
| 304 |
diff --git a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-missing-size_t.patch b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-missing-size_t.patch |
| 305 |
index 42f20fb8096..0177b52567f 100644 |
| 306 |
--- a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-missing-size_t.patch |
| 307 |
+++ b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-missing-size_t.patch |
| 308 |
@@ -1,6 +1,6 @@ |
| 309 |
Gentoo bug #458790 |
| 310 |
---- include/sasl.h 2012-10-12 17:05:48.000000000 +0300 |
| 311 |
-+++ include/sasl.h 2013-02-23 16:56:44.648786268 +0200 |
| 312 |
+--- a/include/sasl.h |
| 313 |
++++ b/include/sasl.h |
| 314 |
@@ -121,6 +121,9 @@ |
| 315 |
#ifndef SASL_H |
| 316 |
#define SASL_H 1 |
| 317 |
|
| 318 |
diff --git a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-openssl-1.1.patch b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-openssl-1.1.patch |
| 319 |
new file mode 100644 |
| 320 |
index 00000000000..3b0ffac24f0 |
| 321 |
--- /dev/null |
| 322 |
+++ b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-openssl-1.1.patch |
| 323 |
@@ -0,0 +1,353 @@ |
| 324 |
+diff --git a/plugins/ntlm.c b/plugins/ntlm.c |
| 325 |
+index 79ea47c..554a00d 100644 |
| 326 |
+--- a/plugins/ntlm.c |
| 327 |
++++ b/plugins/ntlm.c |
| 328 |
+@@ -417,6 +417,29 @@ static unsigned char *P24(unsigned char *P24, unsigned char *P21, |
| 329 |
+ return P24; |
| 330 |
+ } |
| 331 |
+ |
| 332 |
++static HMAC_CTX *_plug_HMAC_CTX_new(const sasl_utils_t *utils) |
| 333 |
++{ |
| 334 |
++ utils->log(NULL, SASL_LOG_DEBUG, "_plug_HMAC_CTX_new()"); |
| 335 |
++ |
| 336 |
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L |
| 337 |
++ return HMAC_CTX_new(); |
| 338 |
++#else |
| 339 |
++ return utils->malloc(sizeof(EVP_MD_CTX)); |
| 340 |
++#endif |
| 341 |
++} |
| 342 |
++ |
| 343 |
++static void _plug_HMAC_CTX_free(HMAC_CTX *ctx, const sasl_utils_t *utils) |
| 344 |
++{ |
| 345 |
++ utils->log(NULL, SASL_LOG_DEBUG, "_plug_HMAC_CTX_free()"); |
| 346 |
++ |
| 347 |
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L |
| 348 |
++ HMAC_CTX_free(ctx); |
| 349 |
++#else |
| 350 |
++ HMAC_cleanup(ctx); |
| 351 |
++ utils->free(ctx); |
| 352 |
++#endif |
| 353 |
++} |
| 354 |
++ |
| 355 |
+ static unsigned char *V2(unsigned char *V2, sasl_secret_t *passwd, |
| 356 |
+ const char *authid, const char *target, |
| 357 |
+ const unsigned char *challenge, |
| 358 |
+@@ -424,7 +447,7 @@ static unsigned char *V2(unsigned char *V2, sasl_secret_t *passwd, |
| 359 |
+ const sasl_utils_t *utils, |
| 360 |
+ char **buf, unsigned *buflen, int *result) |
| 361 |
+ { |
| 362 |
+- HMAC_CTX ctx; |
| 363 |
++ HMAC_CTX *ctx = NULL; |
| 364 |
+ unsigned char hash[EVP_MAX_MD_SIZE]; |
| 365 |
+ char *upper; |
| 366 |
+ unsigned int len; |
| 367 |
+@@ -435,6 +458,10 @@ static unsigned char *V2(unsigned char *V2, sasl_secret_t *passwd, |
| 368 |
+ SETERROR(utils, "cannot allocate NTLMv2 hash"); |
| 369 |
+ *result = SASL_NOMEM; |
| 370 |
+ } |
| 371 |
++ else if ((ctx = _plug_HMAC_CTX_new(utils)) == NULL) { |
| 372 |
++ SETERROR(utils, "cannot allocate HMAC CTX"); |
| 373 |
++ *result = SASL_NOMEM; |
| 374 |
++ } |
| 375 |
+ else { |
| 376 |
+ /* NTLMv2hash = HMAC-MD5(NTLMhash, unicode(ucase(authid + domain))) */ |
| 377 |
+ P16_nt(hash, passwd, utils, buf, buflen, result); |
| 378 |
+@@ -449,17 +476,18 @@ static unsigned char *V2(unsigned char *V2, sasl_secret_t *passwd, |
| 379 |
+ HMAC(EVP_md5(), hash, MD4_DIGEST_LENGTH, *buf, 2 * len, hash, &len); |
| 380 |
+ |
| 381 |
+ /* V2 = HMAC-MD5(NTLMv2hash, challenge + blob) + blob */ |
| 382 |
+- HMAC_Init(&ctx, hash, len, EVP_md5()); |
| 383 |
+- HMAC_Update(&ctx, challenge, NTLM_NONCE_LENGTH); |
| 384 |
+- HMAC_Update(&ctx, blob, bloblen); |
| 385 |
+- HMAC_Final(&ctx, V2, &len); |
| 386 |
+- HMAC_cleanup(&ctx); |
| 387 |
++ HMAC_Init_ex(ctx, hash, len, EVP_md5(), NULL); |
| 388 |
++ HMAC_Update(ctx, challenge, NTLM_NONCE_LENGTH); |
| 389 |
++ HMAC_Update(ctx, blob, bloblen); |
| 390 |
++ HMAC_Final(ctx, V2, &len); |
| 391 |
+ |
| 392 |
+ /* the blob is concatenated outside of this function */ |
| 393 |
+ |
| 394 |
+ *result = SASL_OK; |
| 395 |
+ } |
| 396 |
+ |
| 397 |
++ if (ctx) _plug_HMAC_CTX_free(ctx, utils); |
| 398 |
++ |
| 399 |
+ return V2; |
| 400 |
+ } |
| 401 |
+ |
| 402 |
+diff --git a/plugins/otp.c b/plugins/otp.c |
| 403 |
+index dd73065..d1e9bf4 100644 |
| 404 |
+--- a/plugins/otp.c |
| 405 |
++++ b/plugins/otp.c |
| 406 |
+@@ -96,6 +96,28 @@ static algorithm_option_t algorithm_options[] = { |
| 407 |
+ {NULL, 0, NULL} |
| 408 |
+ }; |
| 409 |
+ |
| 410 |
++static EVP_MD_CTX *_plug_EVP_MD_CTX_new(const sasl_utils_t *utils) |
| 411 |
++{ |
| 412 |
++ utils->log(NULL, SASL_LOG_DEBUG, "_plug_EVP_MD_CTX_new()"); |
| 413 |
++ |
| 414 |
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L |
| 415 |
++ return EVP_MD_CTX_new(); |
| 416 |
++#else |
| 417 |
++ return utils->malloc(sizeof(EVP_MD_CTX)); |
| 418 |
++#endif |
| 419 |
++} |
| 420 |
++ |
| 421 |
++static void _plug_EVP_MD_CTX_free(EVP_MD_CTX *ctx, const sasl_utils_t *utils) |
| 422 |
++{ |
| 423 |
++ utils->log(NULL, SASL_LOG_DEBUG, "_plug_EVP_MD_CTX_free()"); |
| 424 |
++ |
| 425 |
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L |
| 426 |
++ EVP_MD_CTX_free(ctx); |
| 427 |
++#else |
| 428 |
++ utils->free(ctx); |
| 429 |
++#endif |
| 430 |
++} |
| 431 |
++ |
| 432 |
+ /* Convert the binary data into ASCII hex */ |
| 433 |
+ void bin2hex(unsigned char *bin, int binlen, char *hex) |
| 434 |
+ { |
| 435 |
+@@ -116,17 +138,16 @@ void bin2hex(unsigned char *bin, int binlen, char *hex) |
| 436 |
+ * swabbing bytes if necessary. |
| 437 |
+ */ |
| 438 |
+ static void otp_hash(const EVP_MD *md, char *in, size_t inlen, |
| 439 |
+- unsigned char *out, int swab) |
| 440 |
++ unsigned char *out, int swab, EVP_MD_CTX *mdctx) |
| 441 |
+ { |
| 442 |
+- EVP_MD_CTX mdctx; |
| 443 |
+ char hash[EVP_MAX_MD_SIZE]; |
| 444 |
+ unsigned int i; |
| 445 |
+ int j; |
| 446 |
+ unsigned hashlen; |
| 447 |
+ |
| 448 |
+- EVP_DigestInit(&mdctx, md); |
| 449 |
+- EVP_DigestUpdate(&mdctx, in, inlen); |
| 450 |
+- EVP_DigestFinal(&mdctx, hash, &hashlen); |
| 451 |
++ EVP_DigestInit(mdctx, md); |
| 452 |
++ EVP_DigestUpdate(mdctx, in, inlen); |
| 453 |
++ EVP_DigestFinal(mdctx, hash, &hashlen); |
| 454 |
+ |
| 455 |
+ /* Fold the result into 64 bits */ |
| 456 |
+ for (i = OTP_HASH_SIZE; i < hashlen; i++) { |
| 457 |
+@@ -149,7 +170,9 @@ static int generate_otp(const sasl_utils_t *utils, |
| 458 |
+ char *secret, char *otp) |
| 459 |
+ { |
| 460 |
+ const EVP_MD *md; |
| 461 |
+- char *key; |
| 462 |
++ EVP_MD_CTX *mdctx = NULL; |
| 463 |
++ char *key = NULL; |
| 464 |
++ int r = SASL_OK; |
| 465 |
+ |
| 466 |
+ if (!(md = EVP_get_digestbyname(alg->evp_name))) { |
| 467 |
+ utils->seterror(utils->conn, 0, |
| 468 |
+@@ -157,23 +180,32 @@ static int generate_otp(const sasl_utils_t *utils, |
| 469 |
+ return SASL_FAIL; |
| 470 |
+ } |
| 471 |
+ |
| 472 |
++ if ((mdctx = _plug_EVP_MD_CTX_new(utils)) == NULL) { |
| 473 |
++ SETERROR(utils, "cannot allocate MD CTX"); |
| 474 |
++ r = SASL_NOMEM; |
| 475 |
++ goto done; |
| 476 |
++ } |
| 477 |
++ |
| 478 |
+ if ((key = utils->malloc(strlen(seed) + strlen(secret) + 1)) == NULL) { |
| 479 |
+ SETERROR(utils, "cannot allocate OTP key"); |
| 480 |
+- return SASL_NOMEM; |
| 481 |
++ r = SASL_NOMEM; |
| 482 |
++ goto done; |
| 483 |
+ } |
| 484 |
+ |
| 485 |
+ /* initial step */ |
| 486 |
+ strcpy(key, seed); |
| 487 |
+ strcat(key, secret); |
| 488 |
+- otp_hash(md, key, strlen(key), otp, alg->swab); |
| 489 |
++ otp_hash(md, key, strlen(key), otp, alg->swab, mdctx); |
| 490 |
+ |
| 491 |
+ /* computation step */ |
| 492 |
+ while (seq-- > 0) |
| 493 |
+- otp_hash(md, otp, OTP_HASH_SIZE, otp, alg->swab); |
| 494 |
++ otp_hash(md, otp, OTP_HASH_SIZE, otp, alg->swab, mdctx); |
| 495 |
+ |
| 496 |
+- utils->free(key); |
| 497 |
++ done: |
| 498 |
++ if (key) utils->free(key); |
| 499 |
++ if (mdctx) _plug_EVP_MD_CTX_free(mdctx, utils); |
| 500 |
+ |
| 501 |
+- return SASL_OK; |
| 502 |
++ return r; |
| 503 |
+ } |
| 504 |
+ |
| 505 |
+ static int parse_challenge(const sasl_utils_t *utils, |
| 506 |
+@@ -693,7 +725,8 @@ static int strptrcasecmp(const void *arg1, const void *arg2) |
| 507 |
+ |
| 508 |
+ /* Convert the 6 words into binary data */ |
| 509 |
+ static int word2bin(const sasl_utils_t *utils, |
| 510 |
+- char *words, unsigned char *bin, const EVP_MD *md) |
| 511 |
++ char *words, unsigned char *bin, const EVP_MD *md, |
| 512 |
++ EVP_MD_CTX *mdctx) |
| 513 |
+ { |
| 514 |
+ int i, j; |
| 515 |
+ char *c, *word, buf[OTP_RESPONSE_MAX+1]; |
| 516 |
+@@ -752,13 +785,12 @@ static int word2bin(const sasl_utils_t *utils, |
| 517 |
+ |
| 518 |
+ /* alternate dictionary */ |
| 519 |
+ if (alt_dict) { |
| 520 |
+- EVP_MD_CTX mdctx; |
| 521 |
+ char hash[EVP_MAX_MD_SIZE]; |
| 522 |
+ int hashlen; |
| 523 |
+ |
| 524 |
+- EVP_DigestInit(&mdctx, md); |
| 525 |
+- EVP_DigestUpdate(&mdctx, word, strlen(word)); |
| 526 |
+- EVP_DigestFinal(&mdctx, hash, &hashlen); |
| 527 |
++ EVP_DigestInit(mdctx, md); |
| 528 |
++ EVP_DigestUpdate(mdctx, word, strlen(word)); |
| 529 |
++ EVP_DigestFinal(mdctx, hash, &hashlen); |
| 530 |
+ |
| 531 |
+ /* use lowest 11 bits */ |
| 532 |
+ x = ((hash[hashlen-2] & 0x7) << 8) | hash[hashlen-1]; |
| 533 |
+@@ -802,6 +834,7 @@ static int verify_response(server_context_t *text, const sasl_utils_t *utils, |
| 534 |
+ char *response) |
| 535 |
+ { |
| 536 |
+ const EVP_MD *md; |
| 537 |
++ EVP_MD_CTX *mdctx = NULL; |
| 538 |
+ char *c; |
| 539 |
+ int do_init = 0; |
| 540 |
+ unsigned char cur_otp[OTP_HASH_SIZE], prev_otp[OTP_HASH_SIZE]; |
| 541 |
+@@ -815,6 +848,11 @@ static int verify_response(server_context_t *text, const sasl_utils_t *utils, |
| 542 |
+ return SASL_FAIL; |
| 543 |
+ } |
| 544 |
+ |
| 545 |
++ if ((mdctx = _plug_EVP_MD_CTX_new(utils)) == NULL) { |
| 546 |
++ SETERROR(utils, "cannot allocate MD CTX"); |
| 547 |
++ return SASL_NOMEM; |
| 548 |
++ } |
| 549 |
++ |
| 550 |
+ /* eat leading whitespace */ |
| 551 |
+ c = response; |
| 552 |
+ while (isspace((int) *c)) c++; |
| 553 |
+@@ -824,7 +862,7 @@ static int verify_response(server_context_t *text, const sasl_utils_t *utils, |
| 554 |
+ r = hex2bin(c+strlen(OTP_HEX_TYPE), cur_otp, OTP_HASH_SIZE); |
| 555 |
+ } |
| 556 |
+ else if (!strncasecmp(c, OTP_WORD_TYPE, strlen(OTP_WORD_TYPE))) { |
| 557 |
+- r = word2bin(utils, c+strlen(OTP_WORD_TYPE), cur_otp, md); |
| 558 |
++ r = word2bin(utils, c+strlen(OTP_WORD_TYPE), cur_otp, md, mdctx); |
| 559 |
+ } |
| 560 |
+ else if (!strncasecmp(c, OTP_INIT_HEX_TYPE, |
| 561 |
+ strlen(OTP_INIT_HEX_TYPE))) { |
| 562 |
+@@ -834,7 +872,7 @@ static int verify_response(server_context_t *text, const sasl_utils_t *utils, |
| 563 |
+ else if (!strncasecmp(c, OTP_INIT_WORD_TYPE, |
| 564 |
+ strlen(OTP_INIT_WORD_TYPE))) { |
| 565 |
+ do_init = 1; |
| 566 |
+- r = word2bin(utils, c+strlen(OTP_INIT_WORD_TYPE), cur_otp, md); |
| 567 |
++ r = word2bin(utils, c+strlen(OTP_INIT_WORD_TYPE), cur_otp, md, mdctx); |
| 568 |
+ } |
| 569 |
+ else { |
| 570 |
+ SETERROR(utils, "unknown OTP extended response type"); |
| 571 |
+@@ -843,14 +881,14 @@ static int verify_response(server_context_t *text, const sasl_utils_t *utils, |
| 572 |
+ } |
| 573 |
+ else { |
| 574 |
+ /* standard response, try word first, and then hex */ |
| 575 |
+- r = word2bin(utils, c, cur_otp, md); |
| 576 |
++ r = word2bin(utils, c, cur_otp, md, mdctx); |
| 577 |
+ if (r != SASL_OK) |
| 578 |
+ r = hex2bin(c, cur_otp, OTP_HASH_SIZE); |
| 579 |
+ } |
| 580 |
+ |
| 581 |
+ if (r == SASL_OK) { |
| 582 |
+ /* do one more hash (previous otp) and compare to stored otp */ |
| 583 |
+- otp_hash(md, cur_otp, OTP_HASH_SIZE, prev_otp, text->alg->swab); |
| 584 |
++ otp_hash(md, cur_otp, OTP_HASH_SIZE, prev_otp, text->alg->swab, mdctx); |
| 585 |
+ |
| 586 |
+ if (!memcmp(prev_otp, text->otp, OTP_HASH_SIZE)) { |
| 587 |
+ /* update the secret with this seq/otp */ |
| 588 |
+@@ -879,23 +917,28 @@ static int verify_response(server_context_t *text, const sasl_utils_t *utils, |
| 589 |
+ *new_resp++ = '\0'; |
| 590 |
+ } |
| 591 |
+ |
| 592 |
+- if (!(new_chal && new_resp)) |
| 593 |
+- return SASL_BADAUTH; |
| 594 |
++ if (!(new_chal && new_resp)) { |
| 595 |
++ r = SASL_BADAUTH; |
| 596 |
++ goto done; |
| 597 |
++ } |
| 598 |
+ |
| 599 |
+ if ((r = parse_challenge(utils, new_chal, &alg, &seq, seed, 1)) |
| 600 |
+ != SASL_OK) { |
| 601 |
+- return r; |
| 602 |
++ goto done; |
| 603 |
+ } |
| 604 |
+ |
| 605 |
+- if (seq < 1 || !strcasecmp(seed, text->seed)) |
| 606 |
+- return SASL_BADAUTH; |
| 607 |
++ if (seq < 1 || !strcasecmp(seed, text->seed)) { |
| 608 |
++ r = SASL_BADAUTH; |
| 609 |
++ goto done; |
| 610 |
++ } |
| 611 |
+ |
| 612 |
+ /* find the MDA */ |
| 613 |
+ if (!(md = EVP_get_digestbyname(alg->evp_name))) { |
| 614 |
+ utils->seterror(utils->conn, 0, |
| 615 |
+ "OTP algorithm %s is not available", |
| 616 |
+ alg->evp_name); |
| 617 |
+- return SASL_BADAUTH; |
| 618 |
++ r = SASL_BADAUTH; |
| 619 |
++ goto done; |
| 620 |
+ } |
| 621 |
+ |
| 622 |
+ if (!strncasecmp(c, OTP_INIT_HEX_TYPE, strlen(OTP_INIT_HEX_TYPE))) { |
| 623 |
+@@ -903,7 +946,7 @@ static int verify_response(server_context_t *text, const sasl_utils_t *utils, |
| 624 |
+ } |
| 625 |
+ else if (!strncasecmp(c, OTP_INIT_WORD_TYPE, |
| 626 |
+ strlen(OTP_INIT_WORD_TYPE))) { |
| 627 |
+- r = word2bin(utils, new_resp, new_otp, md); |
| 628 |
++ r = word2bin(utils, new_resp, new_otp, md, mdctx); |
| 629 |
+ } |
| 630 |
+ |
| 631 |
+ if (r == SASL_OK) { |
| 632 |
+@@ -914,7 +957,10 @@ static int verify_response(server_context_t *text, const sasl_utils_t *utils, |
| 633 |
+ memcpy(text->otp, new_otp, OTP_HASH_SIZE); |
| 634 |
+ } |
| 635 |
+ } |
| 636 |
+- |
| 637 |
++ |
| 638 |
++ done: |
| 639 |
++ if (mdctx) _plug_EVP_MD_CTX_free(mdctx, utils); |
| 640 |
++ |
| 641 |
+ return r; |
| 642 |
+ } |
| 643 |
+ |
| 644 |
+@@ -1443,8 +1489,10 @@ int otp_server_plug_init(const sasl_utils_t *utils, |
| 645 |
+ *pluglist = otp_server_plugins; |
| 646 |
+ *plugcount = 1; |
| 647 |
+ |
| 648 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
| 649 |
+ /* Add all digests */ |
| 650 |
+ OpenSSL_add_all_digests(); |
| 651 |
++#endif |
| 652 |
+ |
| 653 |
+ return SASL_OK; |
| 654 |
+ } |
| 655 |
+@@ -1844,8 +1892,10 @@ int otp_client_plug_init(sasl_utils_t *utils, |
| 656 |
+ *pluglist = otp_client_plugins; |
| 657 |
+ *plugcount = 1; |
| 658 |
+ |
| 659 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
| 660 |
+ /* Add all digests */ |
| 661 |
+ OpenSSL_add_all_digests(); |
| 662 |
++#endif |
| 663 |
+ |
| 664 |
+ return SASL_OK; |
| 665 |
+ } |
| 666 |
+--- a/saslauthd/lak.c |
| 667 |
++++ b/saslauthd/lak.c |
| 668 |
+@@ -729,7 +729,7 @@ int lak_init( |
| 669 |
+ return rc; |
| 670 |
+ } |
| 671 |
+ |
| 672 |
+-#ifdef HAVE_OPENSSL |
| 673 |
++#if defined(HAVE_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10100000L |
| 674 |
+ OpenSSL_add_all_digests(); |
| 675 |
+ #endif |
| 676 |
+ |
Archives