+++ /dev/null
-diff -up cyrus-sasl-2.1.26/plugins/ntlm.c.openssl110 cyrus-sasl-2.1.26/plugins/ntlm.c
---- cyrus-sasl-2.1.26/plugins/ntlm.c.openssl110 2012-01-28 00:31:36.000000000 +0100
-+++ cyrus-sasl-2.1.26/plugins/ntlm.c 2016-11-07 16:15:57.498259304 +0100
-@@ -417,6 +417,29 @@ static unsigned char *P24(unsigned char
- return P24;
- }
-
-+static HMAC_CTX *_plug_HMAC_CTX_new(const sasl_utils_t *utils)
-+{
-+ utils->log(NULL, SASL_LOG_DEBUG, "_plug_HMAC_CTX_new()");
-+
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+ return HMAC_CTX_new();
-+#else
-+ return utils->malloc(sizeof(HMAC_CTX));
-+#endif
-+}
-+
-+static void _plug_HMAC_CTX_free(HMAC_CTX *ctx, const sasl_utils_t *utils)
-+{
-+ utils->log(NULL, SASL_LOG_DEBUG, "_plug_HMAC_CTX_free()");
-+
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+ HMAC_CTX_free(ctx);
-+#else
-+ HMAC_cleanup(ctx);
-+ utils->free(ctx);
-+#endif
-+}
-+
- static unsigned char *V2(unsigned char *V2, sasl_secret_t *passwd,
- const char *authid, const char *target,
- const unsigned char *challenge,
-@@ -424,7 +447,7 @@ static unsigned char *V2(unsigned char *
- const sasl_utils_t *utils,
- char **buf, unsigned *buflen, int *result)
- {
-- HMAC_CTX ctx;
-+ HMAC_CTX *ctx = NULL;
- unsigned char hash[EVP_MAX_MD_SIZE];
- char *upper;
- unsigned int len;
-@@ -435,6 +458,10 @@ static unsigned char *V2(unsigned char *
- SETERROR(utils, "cannot allocate NTLMv2 hash");
- *result = SASL_NOMEM;
- }
-+ else if ((ctx = _plug_HMAC_CTX_new(utils)) == NULL) {
-+ SETERROR(utils, "cannot allocate HMAC CTX");
-+ *result = SASL_NOMEM;
-+ }
- else {
- /* NTLMv2hash = HMAC-MD5(NTLMhash, unicode(ucase(authid + domain))) */
- P16_nt(hash, passwd, utils, buf, buflen, result);
-@@ -449,17 +476,18 @@ static unsigned char *V2(unsigned char *
- HMAC(EVP_md5(), hash, MD4_DIGEST_LENGTH, *buf, 2 * len, hash, &len);
-
- /* V2 = HMAC-MD5(NTLMv2hash, challenge + blob) + blob */
-- HMAC_Init(&ctx, hash, len, EVP_md5());
-- HMAC_Update(&ctx, challenge, NTLM_NONCE_LENGTH);
-- HMAC_Update(&ctx, blob, bloblen);
-- HMAC_Final(&ctx, V2, &len);
-- HMAC_cleanup(&ctx);
-+ HMAC_Init_ex(ctx, hash, len, EVP_md5(), NULL);
-+ HMAC_Update(ctx, challenge, NTLM_NONCE_LENGTH);
-+ HMAC_Update(ctx, blob, bloblen);
-+ HMAC_Final(ctx, V2, &len);
-
- /* the blob is concatenated outside of this function */
-
- *result = SASL_OK;
- }
-
-+ if (ctx) _plug_HMAC_CTX_free(ctx, utils);
-+
- return V2;
- }
-
-diff -up cyrus-sasl-2.1.26/plugins/otp.c.openssl110 cyrus-sasl-2.1.26/plugins/otp.c
---- cyrus-sasl-2.1.26/plugins/otp.c.openssl110 2012-10-12 16:05:48.000000000 +0200
-+++ cyrus-sasl-2.1.26/plugins/otp.c 2016-11-07 16:13:54.374327601 +0100
-@@ -96,6 +96,28 @@ static algorithm_option_t algorithm_opti
- {NULL, 0, NULL}
- };
-
-+static EVP_MD_CTX *_plug_EVP_MD_CTX_new(const sasl_utils_t *utils)
-+{
-+ utils->log(NULL, SASL_LOG_DEBUG, "_plug_EVP_MD_CTX_new()");
-+
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+ return EVP_MD_CTX_new();
-+#else
-+ return utils->malloc(sizeof(EVP_MD_CTX));
-+#endif
-+}
-+
-+static void _plug_EVP_MD_CTX_free(EVP_MD_CTX *ctx, const sasl_utils_t *utils)
-+{
-+ utils->log(NULL, SASL_LOG_DEBUG, "_plug_EVP_MD_CTX_free()");
-+
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+ EVP_MD_CTX_free(ctx);
-+#else
-+ utils->free(ctx);
-+#endif
-+}
-+
- /* Convert the binary data into ASCII hex */
- void bin2hex(unsigned char *bin, int binlen, char *hex)
- {
-@@ -116,17 +138,16 @@ void bin2hex(unsigned char *bin, int bin
- * swabbing bytes if necessary.
- */
- static void otp_hash(const EVP_MD *md, char *in, size_t inlen,
-- unsigned char *out, int swab)
-+ unsigned char *out, int swab, EVP_MD_CTX *mdctx)
- {
-- EVP_MD_CTX mdctx;
-- char hash[EVP_MAX_MD_SIZE];
-+ unsigned char hash[EVP_MAX_MD_SIZE];
- unsigned int i;
- int j;
- unsigned hashlen;
-
-- EVP_DigestInit(&mdctx, md);
-- EVP_DigestUpdate(&mdctx, in, inlen);
-- EVP_DigestFinal(&mdctx, hash, &hashlen);
-+ EVP_DigestInit(mdctx, md);
-+ EVP_DigestUpdate(mdctx, in, inlen);
-+ EVP_DigestFinal(mdctx, hash, &hashlen);
-
- /* Fold the result into 64 bits */
- for (i = OTP_HASH_SIZE; i < hashlen; i++) {
-@@ -149,7 +170,9 @@ static int generate_otp(const sasl_utils
- char *secret, char *otp)
- {
- const EVP_MD *md;
-- char *key;
-+ EVP_MD_CTX *mdctx = NULL;
-+ char *key = NULL;
-+ int r = SASL_OK;
-
- if (!(md = EVP_get_digestbyname(alg->evp_name))) {
- utils->seterror(utils->conn, 0,
-@@ -157,23 +180,32 @@ static int generate_otp(const sasl_utils
- return SASL_FAIL;
- }
-
-+ if ((mdctx = _plug_EVP_MD_CTX_new(utils)) == NULL) {
-+ SETERROR(utils, "cannot allocate MD CTX");
-+ r = SASL_NOMEM;
-+ goto done;
-+ }
-+
- if ((key = utils->malloc(strlen(seed) + strlen(secret) + 1)) == NULL) {
- SETERROR(utils, "cannot allocate OTP key");
-- return SASL_NOMEM;
-+ r = SASL_NOMEM;
-+ goto done;
- }
-
- /* initial step */
- strcpy(key, seed);
- strcat(key, secret);
-- otp_hash(md, key, strlen(key), otp, alg->swab);
-+ otp_hash(md, key, strlen(key), otp, alg->swab, mdctx);
-
- /* computation step */
- while (seq-- > 0)
-- otp_hash(md, otp, OTP_HASH_SIZE, otp, alg->swab);
--
-- utils->free(key);
-+ otp_hash(md, otp, OTP_HASH_SIZE, otp, alg->swab, mdctx);
-+
-+ done:
-+ if (key) utils->free(key);
-+ if (mdctx) _plug_EVP_MD_CTX_free(mdctx, utils);
-
-- return SASL_OK;
-+ return r;
- }
-
- static int parse_challenge(const sasl_utils_t *utils,
-@@ -693,7 +725,8 @@ static int strptrcasecmp(const void *arg
-
- /* Convert the 6 words into binary data */
- static int word2bin(const sasl_utils_t *utils,
-- char *words, unsigned char *bin, const EVP_MD *md)
-+ char *words, unsigned char *bin, const EVP_MD *md,
-+ EVP_MD_CTX *mdctx)
- {
- int i, j;
- char *c, *word, buf[OTP_RESPONSE_MAX+1];
-@@ -752,13 +785,12 @@ static int word2bin(const sasl_utils_t *
-
- /* alternate dictionary */
- if (alt_dict) {
-- EVP_MD_CTX mdctx;
-- char hash[EVP_MAX_MD_SIZE];
-- int hashlen;
-+ unsigned char hash[EVP_MAX_MD_SIZE];
-+ unsigned hashlen;
-
-- EVP_DigestInit(&mdctx, md);
-- EVP_DigestUpdate(&mdctx, word, strlen(word));
-- EVP_DigestFinal(&mdctx, hash, &hashlen);
-+ EVP_DigestInit(mdctx, md);
-+ EVP_DigestUpdate(mdctx, word, strlen(word));
-+ EVP_DigestFinal(mdctx, hash, &hashlen);
-
- /* use lowest 11 bits */
- x = ((hash[hashlen-2] & 0x7) << 8) | hash[hashlen-1];
-@@ -802,6 +834,7 @@ static int verify_response(server_contex
- char *response)
- {
- const EVP_MD *md;
-+ EVP_MD_CTX *mdctx = NULL;
- char *c;
- int do_init = 0;
- unsigned char cur_otp[OTP_HASH_SIZE], prev_otp[OTP_HASH_SIZE];
-@@ -815,6 +848,11 @@ static int verify_response(server_contex
- return SASL_FAIL;
- }
-
-+ if ((mdctx = _plug_EVP_MD_CTX_new(utils)) == NULL) {
-+ SETERROR(utils, "cannot allocate MD CTX");
-+ return SASL_NOMEM;
-+ }
-+
- /* eat leading whitespace */
- c = response;
- while (isspace((int) *c)) c++;
-@@ -824,7 +862,7 @@ static int verify_response(server_contex
- r = hex2bin(c+strlen(OTP_HEX_TYPE), cur_otp, OTP_HASH_SIZE);
- }
- else if (!strncasecmp(c, OTP_WORD_TYPE, strlen(OTP_WORD_TYPE))) {
-- r = word2bin(utils, c+strlen(OTP_WORD_TYPE), cur_otp, md);
-+ r = word2bin(utils, c+strlen(OTP_WORD_TYPE), cur_otp, md, mdctx);
- }
- else if (!strncasecmp(c, OTP_INIT_HEX_TYPE,
- strlen(OTP_INIT_HEX_TYPE))) {
-@@ -834,7 +872,7 @@ static int verify_response(server_contex
- else if (!strncasecmp(c, OTP_INIT_WORD_TYPE,
- strlen(OTP_INIT_WORD_TYPE))) {
- do_init = 1;
-- r = word2bin(utils, c+strlen(OTP_INIT_WORD_TYPE), cur_otp, md);
-+ r = word2bin(utils, c+strlen(OTP_INIT_WORD_TYPE), cur_otp, md, mdctx);
- }
- else {
- SETERROR(utils, "unknown OTP extended response type");
-@@ -843,14 +881,15 @@ static int verify_response(server_contex
- }
- else {
- /* standard response, try word first, and then hex */
-- r = word2bin(utils, c, cur_otp, md);
-+ r = word2bin(utils, c, cur_otp, md, mdctx);
- if (r != SASL_OK)
- r = hex2bin(c, cur_otp, OTP_HASH_SIZE);
- }
-
- if (r == SASL_OK) {
- /* do one more hash (previous otp) and compare to stored otp */
-- otp_hash(md, cur_otp, OTP_HASH_SIZE, prev_otp, text->alg->swab);
-+ otp_hash(md, (char *) cur_otp, OTP_HASH_SIZE,
-+ prev_otp, text->alg->swab, mdctx);
-
- if (!memcmp(prev_otp, text->otp, OTP_HASH_SIZE)) {
- /* update the secret with this seq/otp */
-@@ -879,23 +918,28 @@ static int verify_response(server_contex
- *new_resp++ = '\0';
- }
-
-- if (!(new_chal && new_resp))
-- return SASL_BADAUTH;
-+ if (!(new_chal && new_resp)) {
-+ r = SASL_BADAUTH;
-+ goto done;
-+ }
-
- if ((r = parse_challenge(utils, new_chal, &alg, &seq, seed, 1))
- != SASL_OK) {
-- return r;
-+ goto done;
- }
-
-- if (seq < 1 || !strcasecmp(seed, text->seed))
-- return SASL_BADAUTH;
-+ if (seq < 1 || !strcasecmp(seed, text->seed)) {
-+ r = SASL_BADAUTH;
-+ goto done;
-+ }
-
- /* find the MDA */
- if (!(md = EVP_get_digestbyname(alg->evp_name))) {
- utils->seterror(utils->conn, 0,
- "OTP algorithm %s is not available",
- alg->evp_name);
-- return SASL_BADAUTH;
-+ r = SASL_BADAUTH;
-+ goto done;
- }
-
- if (!strncasecmp(c, OTP_INIT_HEX_TYPE, strlen(OTP_INIT_HEX_TYPE))) {
-@@ -903,7 +947,7 @@ static int verify_response(server_contex
- }
- else if (!strncasecmp(c, OTP_INIT_WORD_TYPE,
- strlen(OTP_INIT_WORD_TYPE))) {
-- r = word2bin(utils, new_resp, new_otp, md);
-+ r = word2bin(utils, new_resp, new_otp, md, mdctx);
- }
-
- if (r == SASL_OK) {
-@@ -914,7 +958,10 @@ static int verify_response(server_contex
- memcpy(text->otp, new_otp, OTP_HASH_SIZE);
- }
- }
--
-+
-+ done:
-+ if (mdctx) _plug_EVP_MD_CTX_free(mdctx, utils);
-+
- return r;
- }
-
-diff -up cyrus-sasl-2.1.26/saslauthd/lak.c.openssl110 cyrus-sasl-2.1.26/saslauthd/lak.c
---- cyrus-sasl-2.1.26/saslauthd/lak.c.openssl110 2016-11-07 16:13:54.347327616 +0100
-+++ cyrus-sasl-2.1.26/saslauthd/lak.c 2016-11-07 16:18:42.283167898 +0100
-@@ -61,6 +61,35 @@
- #include <sasl.h>
- #include "lak.h"
-
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+static EVP_MD_CTX *EVP_MD_CTX_new(void)
-+{
-+ return EVP_MD_CTX_create();
-+}
-+static void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
-+{
-+ if (ctx == NULL)
-+ return;
-+
-+ EVP_MD_CTX_destroy(ctx);
-+}
-+
-+static EVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void)
-+{
-+ EVP_ENCODE_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));
-+
-+ if (ctx != NULL) {
-+ memset(ctx, 0, sizeof(*ctx));
-+ }
-+ return ctx;
-+}
-+static void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx)
-+{
-+ OPENSSL_free(ctx);
-+ return;
-+}
-+#endif
-+
- typedef struct lak_auth_method {
- int method;
- int (*check) (LAK *lak, const char *user, const char *service, const char *realm, const char *password) ;
-@@ -1720,20 +1749,28 @@ static int lak_base64_decode(
-
- int rc, i, tlen = 0;
- char *text;
-- EVP_ENCODE_CTX EVP_ctx;
-+ EVP_ENCODE_CTX *enc_ctx = EVP_ENCODE_CTX_new();
-
-- text = (char *)malloc(((strlen(src)+3)/4 * 3) + 1);
- if (text == NULL)
- return LAK_NOMEM;
-
-- EVP_DecodeInit(&EVP_ctx);
-- rc = EVP_DecodeUpdate(&EVP_ctx, text, &i, (char *)src, strlen(src));
-+ text = (char *)malloc(((strlen(src)+3)/4 * 3) + 1);
-+ if (text == NULL) {
-+ EVP_ENCODE_CTX_free(enc_ctx);
-+ return LAK_NOMEM;
-+ }
-+
-+ EVP_DecodeInit(enc_ctx);
-+ rc = EVP_DecodeUpdate(enc_ctx, (unsigned char *) text, &i, (const unsigned char *)src, strlen(src));
- if (rc < 0) {
-+ EVP_ENCODE_CTX_free(enc_ctx);
- free(text);
- return LAK_FAIL;
- }
- tlen += i;
-- EVP_DecodeFinal(&EVP_ctx, text, &i);
-+ EVP_DecodeFinal(enc_ctx, (unsigned char *) text, &i);
-+
-+ EVP_ENCODE_CTX_free(enc_ctx);
-
- *ret = text;
- if (rlen != NULL)
-@@ -1749,7 +1786,7 @@ static int lak_check_hashed(
- {
- int rc, clen;
- LAK_HASH_ROCK *hrock = (LAK_HASH_ROCK *) rock;
-- EVP_MD_CTX mdctx;
-+ EVP_MD_CTX *mdctx;
- const EVP_MD *md;
- unsigned char digest[EVP_MAX_MD_SIZE];
- char *cred;
-@@ -1758,17 +1795,24 @@ static int lak_check_hashed(
- if (!md)
- return LAK_FAIL;
-
-+ mdctx = EVP_MD_CTX_new();
-+ if (!mdctx)
-+ return LAK_NOMEM;
-+
- rc = lak_base64_decode(hash, &cred, &clen);
-- if (rc != LAK_OK)
-+ if (rc != LAK_OK) {
-+ EVP_MD_CTX_free(mdctx);
- return rc;
-+ }
-
-- EVP_DigestInit(&mdctx, md);
-- EVP_DigestUpdate(&mdctx, passwd, strlen(passwd));
-+ EVP_DigestInit(mdctx, md);
-+ EVP_DigestUpdate(mdctx, passwd, strlen(passwd));
- if (hrock->salted) {
-- EVP_DigestUpdate(&mdctx, &cred[EVP_MD_size(md)],
-+ EVP_DigestUpdate(mdctx, &cred[EVP_MD_size(md)],
- clen - EVP_MD_size(md));
- }
-- EVP_DigestFinal(&mdctx, digest, NULL);
-+ EVP_DigestFinal(mdctx, digest, NULL);
-+ EVP_MD_CTX_free(mdctx);
-
- rc = memcmp((char *)cred, (char *)digest, EVP_MD_size(md));
- free(cred);
-diff --git a/plugins/passdss.c b/plugins/passdss.c
-index a55ed60d..2f81d44e 100644
---- a/plugins/passdss.c
-+++ b/plugins/passdss.c
-@@ -108,23 +111,23 @@ typedef struct context {
- const sasl_utils_t *utils;
-
- /* per-step mem management */
-- char *out_buf;
-+ unsigned char *out_buf;
- unsigned out_buf_len;
-
- /* security layer foo */
- unsigned char secmask; /* bitmask of enabled security layers */
- unsigned char padding[EVP_MAX_BLOCK_LENGTH]; /* block of NULs */
-
-- HMAC_CTX hmac_send_ctx;
-- HMAC_CTX hmac_recv_ctx;
-+ HMAC_CTX *hmac_send_ctx;
-+ HMAC_CTX *hmac_recv_ctx;
-
- unsigned char send_integrity_key[4 + EVP_MAX_MD_SIZE]; /* +4 for pktnum */
- unsigned char recv_integrity_key[4 + EVP_MAX_MD_SIZE]; /* +4 for pktnum */
- unsigned char *cs_integrity_key; /* ptr to bare key in send/recv key */
- unsigned char *sc_integrity_key; /* ptr to bare key in send/recv key */
-
-- EVP_CIPHER_CTX cipher_enc_ctx;
-- EVP_CIPHER_CTX cipher_dec_ctx;
-+ EVP_CIPHER_CTX *cipher_enc_ctx;
-+ EVP_CIPHER_CTX *cipher_dec_ctx;
- unsigned blk_siz;
-
- unsigned char cs_encryption_iv[EVP_MAX_MD_SIZE];
-@@ -137,7 +140,7 @@ typedef struct context {
- uint32_t pktnum_in;
-
- /* for encoding/decoding mem management */
-- char *encode_buf, *decode_buf, *decode_pkt_buf;
-+ unsigned char *encode_buf, *decode_buf, *decode_pkt_buf;
- unsigned encode_buf_len, decode_buf_len, decode_pkt_buf_len;
-
- /* layers buffering */
-@@ -169,7 +172,7 @@ static int passdss_encode(void *context,
- inputlen += invec[i].iov_len;
-
- /* allocate a buffer for the output */
-- ret = _plug_buf_alloc(text->utils, &text->encode_buf,
-+ ret = _plug_buf_alloc(text->utils, (char **) &text->encode_buf,
- &text->encode_buf_len,
- 4 + /* length */
- inputlen + /* content */
-@@ -184,19 +187,19 @@ static int passdss_encode(void *context,
- memcpy(text->send_integrity_key, &tmpnum, 4);
-
- /* key the HMAC */
-- HMAC_Init_ex(&text->hmac_send_ctx, text->send_integrity_key,
-+ HMAC_Init_ex(text->hmac_send_ctx, text->send_integrity_key,
- 4+SHA_DIGEST_LENGTH, EVP_sha1(), NULL);
-
- /* operate on each iovec */
- for (i = 0; i < numiov; i++) {
- /* hash the content */
-- HMAC_Update(&text->hmac_send_ctx, invec[i].iov_base, invec[i].iov_len);
-+ HMAC_Update(text->hmac_send_ctx, invec[i].iov_base, invec[i].iov_len);
-
- if (text->secmask & PRIVACY_LAYER_FLAG) {
-- unsigned enclen;
-+ int enclen;
-
- /* encrypt the data into the output buffer */
-- EVP_EncryptUpdate(&text->cipher_enc_ctx,
-+ EVP_EncryptUpdate(text->cipher_enc_ctx,
- text->encode_buf + *outputlen, &enclen,
- invec[i].iov_base, invec[i].iov_len);
- *outputlen += enclen;
-@@ -210,14 +213,14 @@ static int passdss_encode(void *context,
- }
-
- /* calculate the HMAC */
-- HMAC_Final(&text->hmac_send_ctx, hmac, &hmaclen);
-+ HMAC_Final(text->hmac_send_ctx, hmac, &hmaclen);
-
- if (text->secmask & PRIVACY_LAYER_FLAG) {
-- unsigned enclen;
-+ int enclen;
- unsigned char padlen;
-
- /* encrypt the HMAC into the output buffer */
-- EVP_EncryptUpdate(&text->cipher_enc_ctx,
-+ EVP_EncryptUpdate(text->cipher_enc_ctx,
- text->encode_buf + *outputlen, &enclen,
- hmac, hmaclen);
- *outputlen += enclen;
-@@ -225,17 +228,17 @@ static int passdss_encode(void *context,
- /* pad output buffer to multiple of blk_siz
- with padlen-1 as last octet */
- padlen = text->blk_siz - ((inputlen + hmaclen) % text->blk_siz) - 1;
-- EVP_EncryptUpdate(&text->cipher_enc_ctx,
-+ EVP_EncryptUpdate(text->cipher_enc_ctx,
- text->encode_buf + *outputlen, &enclen,
- text->padding, padlen);
- *outputlen += enclen;
-- EVP_EncryptUpdate(&text->cipher_enc_ctx,
-+ EVP_EncryptUpdate(text->cipher_enc_ctx,
- text->encode_buf + *outputlen, &enclen,
- &padlen, 1);
- *outputlen += enclen;
-
- /* encrypt the last block of data into the output buffer */
-- EVP_EncryptFinal_ex(&text->cipher_enc_ctx,
-+ EVP_EncryptFinal_ex(text->cipher_enc_ctx,
- text->encode_buf + *outputlen, &enclen);
- *outputlen += enclen;
- }
-@@ -250,7 +253,7 @@ static int passdss_encode(void *context,
- tmpnum = htonl(tmpnum);
- memcpy(text->encode_buf, &tmpnum, 4);
-
-- *output = text->encode_buf;
-+ *output = (char *) text->encode_buf;
-
- return SASL_OK;
- }
-@@ -269,25 +272,25 @@ static int passdss_decode_packet(void *context,
- int ret;
-
- if (text->secmask & PRIVACY_LAYER_FLAG) {
-- unsigned declen, padlen;
-+ int declen, padlen;
-
- /* allocate a buffer for the output */
-- ret = _plug_buf_alloc(text->utils, &(text->decode_pkt_buf),
-+ ret = _plug_buf_alloc(text->utils, (char **) &(text->decode_pkt_buf),
- &(text->decode_pkt_buf_len), inputlen);
- if (ret != SASL_OK) return ret;
-
- /* decrypt the data into the output buffer */
-- ret = EVP_DecryptUpdate(&text->cipher_dec_ctx,
-+ ret = EVP_DecryptUpdate(text->cipher_dec_ctx,
- text->decode_pkt_buf, &declen,
-- (char *) input, inputlen);
-+ (unsigned char *) input, inputlen);
- if (ret)
-- EVP_DecryptFinal_ex(&text->cipher_dec_ctx, /* should be no output */
-+ EVP_DecryptFinal_ex(text->cipher_dec_ctx, /* should be no output */
- text->decode_pkt_buf + declen, &declen);
- if (!ret) {
- SETERROR(text->utils, "Error decrypting input");
- return SASL_BADPROT;
- }
-- input = text->decode_pkt_buf;
-+ input = (char *) text->decode_pkt_buf;
-
- /* trim padding */
- padlen = text->decode_pkt_buf[inputlen - 1] + 1;
-@@ -303,7 +306,7 @@ static int passdss_decode_packet(void *context,
-
- /* calculate the HMAC */
- HMAC(EVP_sha1(), text->recv_integrity_key, 4+SHA_DIGEST_LENGTH,
-- input, inputlen, hmac, &hmaclen);
-+ (unsigned char *) input, inputlen, hmac, &hmaclen);
-
- /* verify HMAC */
- if (memcmp(hmac, input+inputlen, hmaclen)) {
-@@ -324,12 +327,12 @@ static int passdss_decode(void *context,
- {
- context_t *text = (context_t *) context;
- int ret;
--
-+
- ret = _plug_decode(&text->decode_context, input, inputlen,
-- &text->decode_buf, &text->decode_buf_len, outputlen,
-- passdss_decode_packet, text);
-+ (char **) &text->decode_buf, &text->decode_buf_len,
-+ outputlen, passdss_decode_packet, text);
-
-- *output = text->decode_buf;
-+ *output = (const char *) text->decode_buf;
-
- return ret;
- }
-@@ -340,7 +343,8 @@ static int passdss_decode(void *context,
- /*
- * Create/append to a PASSDSS buffer from the data specified by the fmt string.
- */
--static int MakeBuffer(const sasl_utils_t *utils, char **buf, unsigned offset,
-+static int MakeBuffer(const sasl_utils_t *utils,
-+ unsigned char **buf, unsigned offset,
- unsigned *buflen, unsigned *outlen, const char *fmt, ...)
- {
- va_list ap;
-@@ -423,10 +427,10 @@ static int MakeBuffer(const sasl_utils_t *utils, char **buf, unsigned offset,
- }
- va_end(ap);
-
-- r = _plug_buf_alloc(utils, buf, buflen, alloclen);
-+ r = _plug_buf_alloc(utils, (char **) buf, buflen, alloclen);
- if (r != SASL_OK) return r;
-
-- out = *buf + offset;
-+ out = (char *) *buf + offset;
-
- /* second pass to fill buffer */
- va_start(ap, fmt);
-@@ -461,7 +465,7 @@ static int MakeBuffer(const sasl_utils_t *utils, char **buf, unsigned offset,
- case 'm':
- /* MPI */
- mpi = va_arg(ap, BIGNUM *);
-- len = BN_bn2bin(mpi, out+4);
-+ len = BN_bn2bin(mpi, (unsigned char *) out+4);
- nl = htonl(len);
- memcpy(out, &nl, 4); /* add 4 byte len (network order) */
- out += len + 4;
-@@ -513,7 +517,7 @@ static int MakeBuffer(const sasl_utils_t *utils, char **buf, unsigned offset,
- done:
- va_end(ap);
-
-- *outlen = out - *buf;
-+ *outlen = out - (char *) *buf;
-
- return r;
- }
-@@ -598,8 +602,8 @@ static int UnBuffer(const sasl_utils_t *utils, const char *buf,
-
- if (mpi) {
- if (!*mpi) *mpi = BN_new();
-- BN_init(*mpi);
-- BN_bin2bn(buf, len, *mpi);
-+ BN_clear(*mpi);
-+ BN_bin2bn((unsigned char *) buf, len, *mpi);
- }
- break;
-
-@@ -714,16 +718,16 @@ static int UnBuffer(const sasl_utils_t *utils, const char *buf,
- }
-
- #define DOHASH(out, in1, len1, in2, len2, in3, len3) \
-- EVP_DigestInit(&mdctx, EVP_sha1()); \
-- EVP_DigestUpdate(&mdctx, in1, len1); \
-- EVP_DigestUpdate(&mdctx, in2, len2); \
-- EVP_DigestUpdate(&mdctx, in3, len3); \
-- EVP_DigestFinal(&mdctx, out, NULL)
--
--void CalcLayerParams(context_t *text, char *K, unsigned Klen,
-- char *hash, unsigned hashlen)
-+ EVP_DigestInit(mdctx, EVP_sha1()); \
-+ EVP_DigestUpdate(mdctx, in1, len1); \
-+ EVP_DigestUpdate(mdctx, in2, len2); \
-+ EVP_DigestUpdate(mdctx, in3, len3); \
-+ EVP_DigestFinal(mdctx, out, NULL)
-+
-+void CalcLayerParams(context_t *text, unsigned char *K, unsigned Klen,
-+ unsigned char *hash, unsigned hashlen)
- {
-- EVP_MD_CTX mdctx;
-+ EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
-
- DOHASH(text->cs_encryption_iv, K, Klen, "A", 1, hash, hashlen);
- DOHASH(text->sc_encryption_iv, K, Klen, "B", 1, hash, hashlen);
-@@ -735,6 +739,8 @@ void CalcLayerParams(context_t *text, char *K, unsigned Klen,
- text->sc_encryption_key, hashlen);
- DOHASH(text->cs_integrity_key, K, Klen, "E", 1, hash, hashlen);
- DOHASH(text->sc_integrity_key, K, Klen, "F", 1, hash, hashlen);
-+
-+ EVP_MD_CTX_free(mdctx);
- }
-
- /*
-@@ -753,11 +759,11 @@ static void passdss_common_mech_dispose(void *conn_context,
-
- if (text->dh) DH_free(text->dh);
-
-- HMAC_CTX_cleanup(&text->hmac_send_ctx);
-- HMAC_CTX_cleanup(&text->hmac_recv_ctx);
-+ HMAC_CTX_free(text->hmac_send_ctx);
-+ HMAC_CTX_free(text->hmac_recv_ctx);
-
-- EVP_CIPHER_CTX_cleanup(&text->cipher_enc_ctx);
-- EVP_CIPHER_CTX_cleanup(&text->cipher_dec_ctx);
-+ EVP_CIPHER_CTX_free(text->cipher_enc_ctx);
-+ EVP_CIPHER_CTX_free(text->cipher_dec_ctx);
-
- _plug_decode_free(&text->decode_context);
-
-@@ -807,15 +813,17 @@ passdss_server_mech_step1(context_t *text,
- unsigned *serveroutlen,
- sasl_out_params_t *oparams __attribute__((unused)))
- {
-- BIGNUM *X = NULL;
-+ BIGNUM *X = NULL, *dh_p = NULL, *dh_g = NULL;
- DSA *dsa = NULL;
-+ const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key, *dh_pub_key;
- unsigned char *K = NULL;
- unsigned Klen, hashlen;
- int need, musthave;
-- EVP_MD_CTX mdctx;
-+ EVP_MD_CTX *mdctx;
- unsigned char hash[EVP_MAX_MD_SIZE];
- DSA_SIG *sig = NULL;
-- int result;
-+ const BIGNUM *sig_r, *sig_s;
-+ int r = 0, result;
-
- /* Expect:
- *
-@@ -833,8 +841,18 @@ passdss_server_mech_step1(context_t *text,
- }
-
- /* Fetch DSA (XXX create one for now) */
-- dsa = DSA_generate_parameters(1024, NULL, 0, NULL, NULL, NULL, NULL);
-+ dsa = DSA_new();
- if (!dsa) {
-+ params->utils->log(NULL,
-+ SASL_LOG_ERR, "Error creating DSA\n");
-+ result = SASL_FAIL;
-+ goto cleanup;
-+ }
-+
-+ r = DSA_generate_parameters_ex(dsa, 1024, NULL, 0, NULL, NULL, NULL);
-+ if (!r) {
-+ params->utils->log(NULL,
-+ SASL_LOG_ERR, "Error generating DSA parameters\n");
- result = SASL_FAIL;
- goto cleanup;
- }
-@@ -842,8 +860,9 @@ passdss_server_mech_step1(context_t *text,
-
- /* Create Diffie-Hellman parameters */
- text->dh = DH_new();
-- BN_hex2bn(&text->dh->p, N);
-- BN_hex2bn(&text->dh->g, g);
-+ BN_hex2bn(&dh_p, N);
-+ BN_hex2bn(&dh_g, g);
-+ DH_set0_pqg(text->dh, dh_p, NULL, dh_g);
- DH_generate_key(text->dh);
-
- /* Alloc space for shared secret K as mpint */
-@@ -895,10 +914,13 @@ passdss_server_mech_step1(context_t *text,
- */
-
- /* Items (4) - (7) */
-+ DSA_get0_pqg(dsa, &dsa_p, &dsa_q, &dsa_g);
-+ DSA_get0_key(dsa, &dsa_pub_key, NULL);
-+ DH_get0_key(text->dh, &dh_pub_key, NULL);
- result = MakeBuffer(text->utils, &text->out_buf, 0, &text->out_buf_len,
- serveroutlen, "%5a%s%m%m%m%m%m%1o%3u",
-- "ssh-dss", dsa->p, dsa->q, dsa->g, dsa->pub_key,
-- text->dh->pub_key, &text->secmask,
-+ "ssh-dss", dsa_p, dsa_q, dsa_g, dsa_pub_key,
-+ dh_pub_key, &text->secmask,
- (params->props.maxbufsize > 0xFFFFFF) ? 0xFFFFFF :
- params->props.maxbufsize);
- if (result) {
-@@ -907,26 +929,29 @@ passdss_server_mech_step1(context_t *text,
- }
-
- /* Hash (1) - (7) and K */
-- EVP_DigestInit(&mdctx, EVP_sha1());
-+ mdctx = EVP_MD_CTX_new();
-+ EVP_DigestInit(mdctx, EVP_sha1());
- /* (1) - (3) */
-- EVP_DigestUpdate(&mdctx, clientin, clientinlen);
-+ EVP_DigestUpdate(mdctx, clientin, clientinlen);
- /* (4) - (7) */
-- EVP_DigestUpdate(&mdctx, text->out_buf, *serveroutlen);
-+ EVP_DigestUpdate(mdctx, text->out_buf, *serveroutlen);
- /* K */
-- EVP_DigestUpdate(&mdctx, K, Klen);
-- EVP_DigestFinal(&mdctx, hash, &hashlen);
-+ EVP_DigestUpdate(mdctx, K, Klen);
-+ EVP_DigestFinal(mdctx, hash, &hashlen);
-+ EVP_MD_CTX_free(mdctx);
-
- /* Calculate security layer params */
- CalcLayerParams(text, K, Klen, hash, hashlen);
-
- /* Start cli-hmac */
-- HMAC_CTX_init(&text->hmac_recv_ctx);
-- HMAC_Init_ex(&text->hmac_recv_ctx, text->cs_integrity_key,
-+ text->hmac_recv_ctx = HMAC_CTX_new();
-+ HMAC_CTX_reset(text->hmac_recv_ctx);
-+ HMAC_Init_ex(text->hmac_recv_ctx, text->cs_integrity_key,
- SHA_DIGEST_LENGTH, EVP_sha1(), NULL);
- /* (1) - (3) */
-- HMAC_Update(&text->hmac_recv_ctx, clientin, clientinlen);
-+ HMAC_Update(text->hmac_recv_ctx, (unsigned char *) clientin, clientinlen);
- /* (4) - (7) */
-- HMAC_Update(&text->hmac_recv_ctx, text->out_buf, *serveroutlen);
-+ HMAC_Update(text->hmac_recv_ctx, text->out_buf, *serveroutlen);
-
- /* Sign the hash */
- sig = DSA_do_sign(hash, hashlen, dsa);
-@@ -938,14 +963,15 @@ passdss_server_mech_step1(context_t *text,
- }
-
- /* Item (8) */
-+ DSA_SIG_get0(sig, &sig_r, &sig_s);
- result = MakeBuffer(text->utils, &text->out_buf, *serveroutlen,
- &text->out_buf_len, serveroutlen,
-- "%3a%s%m%m", "ssh-dss", sig->r, sig->s);
-+ "%3a%s%m%m", "ssh-dss", sig_r, sig_s);
- if (result) {
- params->utils->log(NULL, SASL_LOG_ERR, "Error making output buffer\n");
- goto cleanup;
- }
-- *serverout = text->out_buf;
-+ *serverout = (char *) text->out_buf;
-
- text->state = 2;
- result = SASL_CONTINUE;
-@@ -969,10 +995,10 @@ passdss_server_mech_step2(context_t *text,
- sasl_out_params_t *oparams)
- {
- char *password = NULL;
-- unsigned declen, hmaclen;
-+ unsigned hmaclen;
- unsigned char *csecmask, *cli_hmac, hmac[EVP_MAX_MD_SIZE];
- uint32_t cbufsiz;
-- int r, result = SASL_OK;
-+ int declen, r, result = SASL_OK;
-
- /* Expect (3DES encrypted):
- *
-@@ -983,7 +1009,7 @@ passdss_server_mech_step2(context_t *text,
- */
-
- /* Alloc space for the decrypted input */
-- result = _plug_buf_alloc(text->utils, &text->decode_pkt_buf,
-+ result = _plug_buf_alloc(text->utils, (char **) &text->decode_pkt_buf,
- &text->decode_pkt_buf_len, clientinlen);
- if (result) {
- params->utils->log(NULL, SASL_LOG_ERR,
-@@ -992,25 +1018,28 @@ passdss_server_mech_step2(context_t *text,
- }
-
- /* Initialize decrypt cipher */
-- EVP_CIPHER_CTX_init(&text->cipher_dec_ctx);
-- EVP_DecryptInit_ex(&text->cipher_dec_ctx, EVP_des_ede3_cbc(), NULL,
-+ text->cipher_dec_ctx = EVP_CIPHER_CTX_new();
-+ EVP_CIPHER_CTX_init(text->cipher_dec_ctx);
-+ EVP_DecryptInit_ex(text->cipher_dec_ctx, EVP_des_ede3_cbc(), NULL,
- text->cs_encryption_key, text->cs_encryption_iv);
-- EVP_CIPHER_CTX_set_padding(&text->cipher_dec_ctx, 0);
-- text->blk_siz = EVP_CIPHER_CTX_block_size(&text->cipher_dec_ctx);
-+ EVP_CIPHER_CTX_set_padding(text->cipher_dec_ctx, 0);
-+ text->blk_siz = EVP_CIPHER_CTX_block_size(text->cipher_dec_ctx);
-
- /* Decrypt the blob */
-- r = EVP_DecryptUpdate(&text->cipher_dec_ctx, text->decode_pkt_buf, &declen,
-- clientin, clientinlen);
-+ r = EVP_DecryptUpdate(text->cipher_dec_ctx,
-+ text->decode_pkt_buf, &declen,
-+ (unsigned char *) clientin, clientinlen);
- if (r)
-- r = EVP_DecryptFinal_ex(&text->cipher_dec_ctx, /* should be no output */
-- text->decode_pkt_buf + declen, &declen);
-+ r = EVP_DecryptFinal_ex(text->cipher_dec_ctx, /* should be no output */
-+ text->decode_pkt_buf + declen,
-+ &declen);
- if (!r) {
- params->utils->seterror(params->utils->conn, 0,
- "Error decrypting input in step 2");
- result = SASL_BADPROT;
- goto cleanup;
- }
-- clientin = text->decode_pkt_buf;
-+ clientin = (char *) text->decode_pkt_buf;
-
- result = UnBuffer(params->utils, clientin, clientinlen,
- "%-1o%3u%s%-*o%*p", &csecmask, &cbufsiz, &password,
-@@ -1024,8 +1053,8 @@ passdss_server_mech_step2(context_t *text,
- /* Finish cli-hmac */
- /* (1) - (7) hashed in step 1 */
- /* 1st 4 bytes of (9) */
-- HMAC_Update(&text->hmac_recv_ctx, clientin, 4);
-- HMAC_Final(&text->hmac_recv_ctx, hmac, &hmaclen);
-+ HMAC_Update(text->hmac_recv_ctx, (unsigned char *) clientin, 4);
-+ HMAC_Final(text->hmac_recv_ctx, hmac, &hmaclen);
-
- /* Verify cli-hmac */
- if (memcmp(cli_hmac, hmac, hmaclen)) {
-@@ -1087,16 +1116,18 @@ passdss_server_mech_step2(context_t *text,
- oparams->decode = &passdss_decode;
- oparams->maxoutbuf = cbufsiz - 4 - SHA_DIGEST_LENGTH; /* -len -HMAC */
-
-- HMAC_CTX_init(&text->hmac_send_ctx);
-+ text->hmac_send_ctx = HMAC_CTX_new();
-+ HMAC_CTX_reset(text->hmac_send_ctx);
-
- if (oparams->mech_ssf > 1) {
- oparams->maxoutbuf -= text->blk_siz-1; /* padding */
-
- /* Initialize encrypt cipher */
-- EVP_CIPHER_CTX_init(&text->cipher_enc_ctx);
-- EVP_EncryptInit_ex(&text->cipher_enc_ctx, EVP_des_ede3_cbc(), NULL,
-+ text->cipher_enc_ctx = EVP_CIPHER_CTX_new();
-+ EVP_CIPHER_CTX_init(text->cipher_enc_ctx);
-+ EVP_EncryptInit_ex(text->cipher_enc_ctx, EVP_des_ede3_cbc(), NULL,
- text->sc_encryption_key, text->sc_encryption_iv);
-- EVP_CIPHER_CTX_set_padding(&text->cipher_enc_ctx, 0);
-+ EVP_CIPHER_CTX_set_padding(text->cipher_enc_ctx, 0);
- }
-
- _plug_decode_init(&text->decode_context, text->utils,
-@@ -1245,6 +1276,8 @@ passdss_client_mech_step1(context_t *text,
- int auth_result = SASL_OK;
- int pass_result = SASL_OK;
- int result;
-+ BIGNUM *dh_p = NULL, *dh_g = NULL;
-+ const BIGNUM *dh_pub_key;
-
- /* Expect: absolutely nothing */
- if (serverinlen > 0) {
-@@ -1332,8 +1365,9 @@ passdss_client_mech_step1(context_t *text,
-
- /* create Diffie-Hellman parameters */
- text->dh = DH_new();
-- BN_hex2bn(&text->dh->p, N);
-- BN_hex2bn(&text->dh->g, g);
-+ BN_hex2bn(&dh_p, N);
-+ BN_hex2bn(&dh_g, g);
-+ DH_set0_pqg(text->dh, dh_p, NULL, dh_g);
- DH_generate_key(text->dh);
-
-
-@@ -1344,15 +1378,16 @@ passdss_client_mech_step1(context_t *text,
- * (3) mpint X ; Diffie-Hellman parameter X
- */
-
-+ DH_get0_key(text->dh, &dh_pub_key, NULL);
- result = MakeBuffer(text->utils, &text->out_buf, 0, &text->out_buf_len,
- clientoutlen, "%s%s%m",
- (user && *user) ? (char *) oparams->user : "",
-- (char *) oparams->authid, text->dh->pub_key);
-+ (char *) oparams->authid, dh_pub_key);
- if (result) {
- params->utils->log(NULL, SASL_LOG_ERR, "Error making output buffer\n");
- goto cleanup;
- }
-- *clientout = text->out_buf;
-+ *clientout = (char *) text->out_buf;
-
- text->state = 2;
- result = SASL_CONTINUE;
-@@ -1374,15 +1409,16 @@ passdss_client_mech_step2(context_t *text,
- {
- DSA *dsa = DSA_new();
- DSA_SIG *sig = DSA_SIG_new();
-- BIGNUM *Y = NULL;
-+ BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL, *dsa_pub_key = NULL;
-+ BIGNUM *Y = NULL, *sig_r = NULL, *sig_s = NULL;
- uint32_t siglen;
- unsigned char *K = NULL;
-- unsigned Klen, hashlen, enclen;
-+ unsigned Klen, hashlen;
- unsigned char *ssecmask;
- uint32_t sbufsiz;
-- EVP_MD_CTX mdctx;
-+ EVP_MD_CTX *mdctx;
- unsigned char hash[EVP_MAX_MD_SIZE];
-- int need, musthave;
-+ int enclen, need, musthave;
- int result, r;
-
- /* Expect:
-@@ -1404,14 +1440,18 @@ passdss_client_mech_step2(context_t *text,
-
- result = UnBuffer(params->utils, serverin, serverinlen,
- "%u%3p\7ssh-dss%m%m%m%m%m%-1o%3u%u%3p\7ssh-dss%m%m",
-- NULL, &dsa->p, &dsa->q, &dsa->g, &dsa->pub_key,
-- &Y, &ssecmask, &sbufsiz, &siglen, &sig->r, &sig->s);
-+ NULL, &dsa_p, &dsa_q, &dsa_g, &dsa_pub_key,
-+ &Y, &ssecmask, &sbufsiz, &siglen, &sig_r, &sig_s);
- if (result) {
- params->utils->seterror(params->utils->conn, 0,
- "Error UnBuffering input in step 2");
- goto cleanup;
- }
-
-+ DSA_set0_pqg(dsa, dsa_p, dsa_q, dsa_g);
-+ DSA_set0_key(dsa, dsa_pub_key, NULL);
-+ DSA_SIG_set0(sig, sig_r, sig_s);
-+
- /* XXX Validate server DSA public key */
-
- /* Alloc space for shared secret K as mpint */
-@@ -1430,14 +1470,16 @@ passdss_client_mech_step2(context_t *text,
- Klen += 4;
-
- /* Hash (1) - (7) and K */
-- EVP_DigestInit(&mdctx, EVP_sha1());
-+ mdctx = EVP_MD_CTX_new();
-+ EVP_DigestInit(mdctx, EVP_sha1());
- /* (1) - (3) (output from step 1 still in buffer) */
-- EVP_DigestUpdate(&mdctx, text->out_buf, text->out_buf_len);
-+ EVP_DigestUpdate(mdctx, text->out_buf, text->out_buf_len);
- /* (4) - (7) */
-- EVP_DigestUpdate(&mdctx, serverin, serverinlen - siglen - 4);
-+ EVP_DigestUpdate(mdctx, serverin, serverinlen - siglen - 4);
- /* K */
-- EVP_DigestUpdate(&mdctx, K, Klen);
-- EVP_DigestFinal(&mdctx, hash, &hashlen);
-+ EVP_DigestUpdate(mdctx, K, Klen);
-+ EVP_DigestFinal(mdctx, hash, &hashlen);
-+ EVP_MD_CTX_free(mdctx);
-
- /* Verify signature on the hash */
- result = DSA_do_verify(hash, hashlen, sig, dsa);
-@@ -1453,11 +1495,12 @@ passdss_client_mech_step2(context_t *text,
- CalcLayerParams(text, K, Klen, hash, hashlen);
-
- /* Initialize encrypt cipher */
-- EVP_CIPHER_CTX_init(&text->cipher_enc_ctx);
-- EVP_EncryptInit_ex(&text->cipher_enc_ctx, EVP_des_ede3_cbc(), NULL,
-+ text->cipher_enc_ctx = EVP_CIPHER_CTX_new();
-+ EVP_CIPHER_CTX_init(text->cipher_enc_ctx);
-+ EVP_EncryptInit_ex(text->cipher_enc_ctx, EVP_des_ede3_cbc(), NULL,
- text->cs_encryption_key, text->cs_encryption_iv);
-- EVP_CIPHER_CTX_set_padding(&text->cipher_enc_ctx, 0);
-- text->blk_siz = EVP_CIPHER_CTX_block_size(&text->cipher_enc_ctx);
-+ EVP_CIPHER_CTX_set_padding(text->cipher_enc_ctx, 0);
-+ text->blk_siz = EVP_CIPHER_CTX_block_size(text->cipher_enc_ctx);
-
- /* pick a layer */
- if (params->props.maxbufsize < 32) {
-@@ -1488,13 +1531,15 @@ passdss_client_mech_step2(context_t *text,
- }
-
- /* Start cli-hmac */
-- HMAC_CTX_init(&text->hmac_send_ctx);
-- HMAC_Init_ex(&text->hmac_send_ctx, text->cs_integrity_key,
-+ text->hmac_send_ctx = HMAC_CTX_new();
-+ HMAC_CTX_reset(text->hmac_send_ctx);
-+ HMAC_Init_ex(text->hmac_send_ctx, text->cs_integrity_key,
- SHA_DIGEST_LENGTH, EVP_sha1(), NULL);
- /* (1) - (3) (output from step 1 still in buffer) */
-- HMAC_Update(&text->hmac_send_ctx, text->out_buf, text->out_buf_len);
-+ HMAC_Update(text->hmac_send_ctx, text->out_buf, text->out_buf_len);
- /* (4) - (7) */
-- HMAC_Update(&text->hmac_send_ctx, serverin, serverinlen - siglen - 4);
-+ HMAC_Update(text->hmac_send_ctx,
-+ (unsigned char *) serverin, serverinlen - siglen - 4);
-
-
- /* Send out (3DES encrypted):
-@@ -1518,8 +1563,8 @@ passdss_client_mech_step2(context_t *text,
-
- /* Finish cli-hmac */
- /* 1st 4 bytes of (9) */
-- HMAC_Update(&text->hmac_send_ctx, text->out_buf, 4);
-- HMAC_Final(&text->hmac_send_ctx, hash, &hashlen);
-+ HMAC_Update(text->hmac_send_ctx, text->out_buf, 4);
-+ HMAC_Final(text->hmac_send_ctx, hash, &hashlen);
-
- /* Add HMAC and pad to fill no more than current block */
- result = MakeBuffer(text->utils, &text->out_buf, *clientoutlen,
-@@ -1531,7 +1576,7 @@ passdss_client_mech_step2(context_t *text,
- }
-
- /* Alloc space for the encrypted output */
-- result = _plug_buf_alloc(text->utils, &text->encode_buf,
-+ result = _plug_buf_alloc(text->utils, (char **) &text->encode_buf,
- &text->encode_buf_len, *clientoutlen);
- if (result) {
- params->utils->log(NULL, SASL_LOG_ERR,
-@@ -1540,19 +1585,20 @@ passdss_client_mech_step2(context_t *text,
- }
-
- /* Encrypt (9) (here we calculate the exact number of full blocks) */
-- r = EVP_EncryptUpdate(&text->cipher_enc_ctx, text->encode_buf,
-- clientoutlen, text->out_buf,
-+ r = EVP_EncryptUpdate(text->cipher_enc_ctx,
-+ text->encode_buf, (int *) clientoutlen, text->out_buf,
- text->blk_siz * (*clientoutlen / text->blk_siz));
- if (r)
-- r = EVP_EncryptFinal_ex(&text->cipher_enc_ctx, /* should be no output */
-- text->encode_buf + *clientoutlen, &enclen);
-+ r = EVP_EncryptFinal_ex(text->cipher_enc_ctx, /* should be no output */
-+ text->encode_buf + *clientoutlen,
-+ &enclen);
- if (!r) {
- params->utils->seterror(params->utils->conn, 0,
- "Error encrypting output in step 2");
- result = SASL_FAIL;
- goto cleanup;
- }
-- *clientout = text->encode_buf;
-+ *clientout = (char *) text->encode_buf;
-
- /* Set oparams */
- oparams->doneflag = 1;
-@@ -1563,16 +1609,18 @@ passdss_client_mech_step2(context_t *text,
- oparams->decode = &passdss_decode;
- oparams->maxoutbuf = sbufsiz - 4 - SHA_DIGEST_LENGTH; /* -len -HMAC */
-
-- HMAC_CTX_init(&text->hmac_recv_ctx);
-+ text->hmac_recv_ctx = HMAC_CTX_new();
-+ HMAC_CTX_reset(text->hmac_recv_ctx);
-
- if (oparams->mech_ssf > 1) {
- oparams->maxoutbuf -= text->blk_siz-1; /* padding */
-
- /* Initialize decrypt cipher */
-- EVP_CIPHER_CTX_init(&text->cipher_dec_ctx);
-- EVP_DecryptInit_ex(&text->cipher_dec_ctx, EVP_des_ede3_cbc(), NULL,
-+ text->cipher_dec_ctx = EVP_CIPHER_CTX_new();
-+ EVP_CIPHER_CTX_init(text->cipher_dec_ctx);
-+ EVP_DecryptInit_ex(text->cipher_dec_ctx, EVP_des_ede3_cbc(), NULL,
- text->sc_encryption_key, text->sc_encryption_iv);
-- EVP_CIPHER_CTX_set_padding(&text->cipher_dec_ctx, 0);
-+ EVP_CIPHER_CTX_set_padding(text->cipher_dec_ctx, 0);
- }
-
- _plug_decode_init(&text->decode_context, text->utils,
-