--- /dev/null
+diff -up cyrus-sasl-2.1.26/plugins/ntlm.c.openssl110 cyrus-sasl-2.1.26/plugins/ntlm.c
+--- cyrus-sasl-2.1.26/plugins/ntlm.c.openssl110 2012-01-28 00:31:36.000000000 +0100
++++ cyrus-sasl-2.1.26/plugins/ntlm.c 2016-11-07 16:15:57.498259304 +0100
+@@ -417,6 +417,29 @@ static unsigned char *P24(unsigned char
+ return P24;
+ }
+
++static HMAC_CTX *_plug_HMAC_CTX_new(const sasl_utils_t *utils)
++{
++ utils->log(NULL, SASL_LOG_DEBUG, "_plug_HMAC_CTX_new()");
++
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ return HMAC_CTX_new();
++#else
++ return utils->malloc(sizeof(HMAC_CTX));
++#endif
++}
++
++static void _plug_HMAC_CTX_free(HMAC_CTX *ctx, const sasl_utils_t *utils)
++{
++ utils->log(NULL, SASL_LOG_DEBUG, "_plug_HMAC_CTX_free()");
++
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ HMAC_CTX_free(ctx);
++#else
++ HMAC_cleanup(ctx);
++ utils->free(ctx);
++#endif
++}
++
+ static unsigned char *V2(unsigned char *V2, sasl_secret_t *passwd,
+ const char *authid, const char *target,
+ const unsigned char *challenge,
+@@ -424,7 +447,7 @@ static unsigned char *V2(unsigned char *
+ const sasl_utils_t *utils,
+ char **buf, unsigned *buflen, int *result)
+ {
+- HMAC_CTX ctx;
++ HMAC_CTX *ctx = NULL;
+ unsigned char hash[EVP_MAX_MD_SIZE];
+ char *upper;
+ unsigned int len;
+@@ -435,6 +458,10 @@ static unsigned char *V2(unsigned char *
+ SETERROR(utils, "cannot allocate NTLMv2 hash");
+ *result = SASL_NOMEM;
+ }
++ else if ((ctx = _plug_HMAC_CTX_new(utils)) == NULL) {
++ SETERROR(utils, "cannot allocate HMAC CTX");
++ *result = SASL_NOMEM;
++ }
+ else {
+ /* NTLMv2hash = HMAC-MD5(NTLMhash, unicode(ucase(authid + domain))) */
+ P16_nt(hash, passwd, utils, buf, buflen, result);
+@@ -449,17 +476,18 @@ static unsigned char *V2(unsigned char *
+ HMAC(EVP_md5(), hash, MD4_DIGEST_LENGTH, *buf, 2 * len, hash, &len);
+
+ /* V2 = HMAC-MD5(NTLMv2hash, challenge + blob) + blob */
+- HMAC_Init(&ctx, hash, len, EVP_md5());
+- HMAC_Update(&ctx, challenge, NTLM_NONCE_LENGTH);
+- HMAC_Update(&ctx, blob, bloblen);
+- HMAC_Final(&ctx, V2, &len);
+- HMAC_cleanup(&ctx);
++ HMAC_Init_ex(ctx, hash, len, EVP_md5(), NULL);
++ HMAC_Update(ctx, challenge, NTLM_NONCE_LENGTH);
++ HMAC_Update(ctx, blob, bloblen);
++ HMAC_Final(ctx, V2, &len);
+
+ /* the blob is concatenated outside of this function */
+
+ *result = SASL_OK;
+ }
+
++ if (ctx) _plug_HMAC_CTX_free(ctx, utils);
++
+ return V2;
+ }
+
+diff -up cyrus-sasl-2.1.26/plugins/otp.c.openssl110 cyrus-sasl-2.1.26/plugins/otp.c
+--- cyrus-sasl-2.1.26/plugins/otp.c.openssl110 2012-10-12 16:05:48.000000000 +0200
++++ cyrus-sasl-2.1.26/plugins/otp.c 2016-11-07 16:13:54.374327601 +0100
+@@ -96,6 +96,28 @@ static algorithm_option_t algorithm_opti
+ {NULL, 0, NULL}
+ };
+
++static EVP_MD_CTX *_plug_EVP_MD_CTX_new(const sasl_utils_t *utils)
++{
++ utils->log(NULL, SASL_LOG_DEBUG, "_plug_EVP_MD_CTX_new()");
++
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ return EVP_MD_CTX_new();
++#else
++ return utils->malloc(sizeof(EVP_MD_CTX));
++#endif
++}
++
++static void _plug_EVP_MD_CTX_free(EVP_MD_CTX *ctx, const sasl_utils_t *utils)
++{
++ utils->log(NULL, SASL_LOG_DEBUG, "_plug_EVP_MD_CTX_free()");
++
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ EVP_MD_CTX_free(ctx);
++#else
++ utils->free(ctx);
++#endif
++}
++
+ /* Convert the binary data into ASCII hex */
+ void bin2hex(unsigned char *bin, int binlen, char *hex)
+ {
+@@ -116,17 +138,16 @@ void bin2hex(unsigned char *bin, int bin
+ * swabbing bytes if necessary.
+ */
+ static void otp_hash(const EVP_MD *md, char *in, size_t inlen,
+- unsigned char *out, int swab)
++ unsigned char *out, int swab, EVP_MD_CTX *mdctx)
+ {
+- EVP_MD_CTX mdctx;
+- char hash[EVP_MAX_MD_SIZE];
++ unsigned char hash[EVP_MAX_MD_SIZE];
+ unsigned int i;
+ int j;
+ unsigned hashlen;
+
+- EVP_DigestInit(&mdctx, md);
+- EVP_DigestUpdate(&mdctx, in, inlen);
+- EVP_DigestFinal(&mdctx, hash, &hashlen);
++ EVP_DigestInit(mdctx, md);
++ EVP_DigestUpdate(mdctx, in, inlen);
++ EVP_DigestFinal(mdctx, hash, &hashlen);
+
+ /* Fold the result into 64 bits */
+ for (i = OTP_HASH_SIZE; i < hashlen; i++) {
+@@ -149,7 +170,9 @@ static int generate_otp(const sasl_utils
+ char *secret, char *otp)
+ {
+ const EVP_MD *md;
+- char *key;
++ EVP_MD_CTX *mdctx = NULL;
++ char *key = NULL;
++ int r = SASL_OK;
+
+ if (!(md = EVP_get_digestbyname(alg->evp_name))) {
+ utils->seterror(utils->conn, 0,
+@@ -157,23 +180,32 @@ static int generate_otp(const sasl_utils
+ return SASL_FAIL;
+ }
+
++ if ((mdctx = _plug_EVP_MD_CTX_new(utils)) == NULL) {
++ SETERROR(utils, "cannot allocate MD CTX");
++ r = SASL_NOMEM;
++ goto done;
++ }
++
+ if ((key = utils->malloc(strlen(seed) + strlen(secret) + 1)) == NULL) {
+ SETERROR(utils, "cannot allocate OTP key");
+- return SASL_NOMEM;
++ r = SASL_NOMEM;
++ goto done;
+ }
+
+ /* initial step */
+ strcpy(key, seed);
+ strcat(key, secret);
+- otp_hash(md, key, strlen(key), otp, alg->swab);
++ otp_hash(md, key, strlen(key), otp, alg->swab, mdctx);
+
+ /* computation step */
+ while (seq-- > 0)
+- otp_hash(md, otp, OTP_HASH_SIZE, otp, alg->swab);
+-
+- utils->free(key);
++ otp_hash(md, otp, OTP_HASH_SIZE, otp, alg->swab, mdctx);
++
++ done:
++ if (key) utils->free(key);
++ if (mdctx) _plug_EVP_MD_CTX_free(mdctx, utils);
+
+- return SASL_OK;
++ return r;
+ }
+
+ static int parse_challenge(const sasl_utils_t *utils,
+@@ -693,7 +725,8 @@ static int strptrcasecmp(const void *arg
+
+ /* Convert the 6 words into binary data */
+ static int word2bin(const sasl_utils_t *utils,
+- char *words, unsigned char *bin, const EVP_MD *md)
++ char *words, unsigned char *bin, const EVP_MD *md,
++ EVP_MD_CTX *mdctx)
+ {
+ int i, j;
+ char *c, *word, buf[OTP_RESPONSE_MAX+1];
+@@ -752,13 +785,12 @@ static int word2bin(const sasl_utils_t *
+
+ /* alternate dictionary */
+ if (alt_dict) {
+- EVP_MD_CTX mdctx;
+- char hash[EVP_MAX_MD_SIZE];
+- int hashlen;
++ unsigned char hash[EVP_MAX_MD_SIZE];
++ unsigned hashlen;
+
+- EVP_DigestInit(&mdctx, md);
+- EVP_DigestUpdate(&mdctx, word, strlen(word));
+- EVP_DigestFinal(&mdctx, hash, &hashlen);
++ EVP_DigestInit(mdctx, md);
++ EVP_DigestUpdate(mdctx, word, strlen(word));
++ EVP_DigestFinal(mdctx, hash, &hashlen);
+
+ /* use lowest 11 bits */
+ x = ((hash[hashlen-2] & 0x7) << 8) | hash[hashlen-1];
+@@ -802,6 +834,7 @@ static int verify_response(server_contex
+ char *response)
+ {
+ const EVP_MD *md;
++ EVP_MD_CTX *mdctx = NULL;
+ char *c;
+ int do_init = 0;
+ unsigned char cur_otp[OTP_HASH_SIZE], prev_otp[OTP_HASH_SIZE];
+@@ -815,6 +848,11 @@ static int verify_response(server_contex
+ return SASL_FAIL;
+ }
+
++ if ((mdctx = _plug_EVP_MD_CTX_new(utils)) == NULL) {
++ SETERROR(utils, "cannot allocate MD CTX");
++ return SASL_NOMEM;
++ }
++
+ /* eat leading whitespace */
+ c = response;
+ while (isspace((int) *c)) c++;
+@@ -824,7 +862,7 @@ static int verify_response(server_contex
+ r = hex2bin(c+strlen(OTP_HEX_TYPE), cur_otp, OTP_HASH_SIZE);
+ }
+ else if (!strncasecmp(c, OTP_WORD_TYPE, strlen(OTP_WORD_TYPE))) {
+- r = word2bin(utils, c+strlen(OTP_WORD_TYPE), cur_otp, md);
++ r = word2bin(utils, c+strlen(OTP_WORD_TYPE), cur_otp, md, mdctx);
+ }
+ else if (!strncasecmp(c, OTP_INIT_HEX_TYPE,
+ strlen(OTP_INIT_HEX_TYPE))) {
+@@ -834,7 +872,7 @@ static int verify_response(server_contex
+ else if (!strncasecmp(c, OTP_INIT_WORD_TYPE,
+ strlen(OTP_INIT_WORD_TYPE))) {
+ do_init = 1;
+- r = word2bin(utils, c+strlen(OTP_INIT_WORD_TYPE), cur_otp, md);
++ r = word2bin(utils, c+strlen(OTP_INIT_WORD_TYPE), cur_otp, md, mdctx);
+ }
+ else {
+ SETERROR(utils, "unknown OTP extended response type");
+@@ -843,14 +881,15 @@ static int verify_response(server_contex
+ }
+ else {
+ /* standard response, try word first, and then hex */
+- r = word2bin(utils, c, cur_otp, md);
++ r = word2bin(utils, c, cur_otp, md, mdctx);
+ if (r != SASL_OK)
+ r = hex2bin(c, cur_otp, OTP_HASH_SIZE);
+ }
+
+ if (r == SASL_OK) {
+ /* do one more hash (previous otp) and compare to stored otp */
+- otp_hash(md, cur_otp, OTP_HASH_SIZE, prev_otp, text->alg->swab);
++ otp_hash(md, (char *) cur_otp, OTP_HASH_SIZE,
++ prev_otp, text->alg->swab, mdctx);
+
+ if (!memcmp(prev_otp, text->otp, OTP_HASH_SIZE)) {
+ /* update the secret with this seq/otp */
+@@ -879,23 +918,28 @@ static int verify_response(server_contex
+ *new_resp++ = '\0';
+ }
+
+- if (!(new_chal && new_resp))
+- return SASL_BADAUTH;
++ if (!(new_chal && new_resp)) {
++ r = SASL_BADAUTH;
++ goto done;
++ }
+
+ if ((r = parse_challenge(utils, new_chal, &alg, &seq, seed, 1))
+ != SASL_OK) {
+- return r;
++ goto done;
+ }
+
+- if (seq < 1 || !strcasecmp(seed, text->seed))
+- return SASL_BADAUTH;
++ if (seq < 1 || !strcasecmp(seed, text->seed)) {
++ r = SASL_BADAUTH;
++ goto done;
++ }
+
+ /* find the MDA */
+ if (!(md = EVP_get_digestbyname(alg->evp_name))) {
+ utils->seterror(utils->conn, 0,
+ "OTP algorithm %s is not available",
+ alg->evp_name);
+- return SASL_BADAUTH;
++ r = SASL_BADAUTH;
++ goto done;
+ }
+
+ if (!strncasecmp(c, OTP_INIT_HEX_TYPE, strlen(OTP_INIT_HEX_TYPE))) {
+@@ -903,7 +947,7 @@ static int verify_response(server_contex
+ }
+ else if (!strncasecmp(c, OTP_INIT_WORD_TYPE,
+ strlen(OTP_INIT_WORD_TYPE))) {
+- r = word2bin(utils, new_resp, new_otp, md);
++ r = word2bin(utils, new_resp, new_otp, md, mdctx);
+ }
+
+ if (r == SASL_OK) {
+@@ -914,7 +958,10 @@ static int verify_response(server_contex
+ memcpy(text->otp, new_otp, OTP_HASH_SIZE);
+ }
+ }
+-
++
++ done:
++ if (mdctx) _plug_EVP_MD_CTX_free(mdctx, utils);
++
+ return r;
+ }
+
+diff -up cyrus-sasl-2.1.26/saslauthd/lak.c.openssl110 cyrus-sasl-2.1.26/saslauthd/lak.c
+--- cyrus-sasl-2.1.26/saslauthd/lak.c.openssl110 2016-11-07 16:13:54.347327616 +0100
++++ cyrus-sasl-2.1.26/saslauthd/lak.c 2016-11-07 16:18:42.283167898 +0100
+@@ -61,6 +61,35 @@
+ #include <sasl.h>
+ #include "lak.h"
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++static EVP_MD_CTX *EVP_MD_CTX_new(void)
++{
++ return EVP_MD_CTX_create();
++}
++static void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
++{
++ if (ctx == NULL)
++ return;
++
++ EVP_MD_CTX_destroy(ctx);
++}
++
++static EVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void)
++{
++ EVP_ENCODE_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));
++
++ if (ctx != NULL) {
++ memset(ctx, 0, sizeof(*ctx));
++ }
++ return ctx;
++}
++static void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx)
++{
++ OPENSSL_free(ctx);
++ return;
++}
++#endif
++
+ typedef struct lak_auth_method {
+ int method;
+ int (*check) (LAK *lak, const char *user, const char *service, const char *realm, const char *password) ;
+@@ -1720,20 +1749,28 @@ static int lak_base64_decode(
+
+ int rc, i, tlen = 0;
+ char *text;
+- EVP_ENCODE_CTX EVP_ctx;
++ EVP_ENCODE_CTX *enc_ctx = EVP_ENCODE_CTX_new();
+
+- text = (char *)malloc(((strlen(src)+3)/4 * 3) + 1);
+ if (text == NULL)
+ return LAK_NOMEM;
+
+- EVP_DecodeInit(&EVP_ctx);
+- rc = EVP_DecodeUpdate(&EVP_ctx, text, &i, (char *)src, strlen(src));
++ text = (char *)malloc(((strlen(src)+3)/4 * 3) + 1);
++ if (text == NULL) {
++ EVP_ENCODE_CTX_free(enc_ctx);
++ return LAK_NOMEM;
++ }
++
++ EVP_DecodeInit(enc_ctx);
++ rc = EVP_DecodeUpdate(enc_ctx, (unsigned char *) text, &i, (const unsigned char *)src, strlen(src));
+ if (rc < 0) {
++ EVP_ENCODE_CTX_free(enc_ctx);
+ free(text);
+ return LAK_FAIL;
+ }
+ tlen += i;
+- EVP_DecodeFinal(&EVP_ctx, text, &i);
++ EVP_DecodeFinal(enc_ctx, (unsigned char *) text, &i);
++
++ EVP_ENCODE_CTX_free(enc_ctx);
+
+ *ret = text;
+ if (rlen != NULL)
+@@ -1749,7 +1786,7 @@ static int lak_check_hashed(
+ {
+ int rc, clen;
+ LAK_HASH_ROCK *hrock = (LAK_HASH_ROCK *) rock;
+- EVP_MD_CTX mdctx;
++ EVP_MD_CTX *mdctx;
+ const EVP_MD *md;
+ unsigned char digest[EVP_MAX_MD_SIZE];
+ char *cred;
+@@ -1758,17 +1795,24 @@ static int lak_check_hashed(
+ if (!md)
+ return LAK_FAIL;
+
++ mdctx = EVP_MD_CTX_new();
++ if (!mdctx)
++ return LAK_NOMEM;
++
+ rc = lak_base64_decode(hash, &cred, &clen);
+- if (rc != LAK_OK)
++ if (rc != LAK_OK) {
++ EVP_MD_CTX_free(mdctx);
+ return rc;
++ }
+
+- EVP_DigestInit(&mdctx, md);
+- EVP_DigestUpdate(&mdctx, passwd, strlen(passwd));
++ EVP_DigestInit(mdctx, md);
++ EVP_DigestUpdate(mdctx, passwd, strlen(passwd));
+ if (hrock->salted) {
+- EVP_DigestUpdate(&mdctx, &cred[EVP_MD_size(md)],
++ EVP_DigestUpdate(mdctx, &cred[EVP_MD_size(md)],
+ clen - EVP_MD_size(md));
+ }
+- EVP_DigestFinal(&mdctx, digest, NULL);
++ EVP_DigestFinal(mdctx, digest, NULL);
++ EVP_MD_CTX_free(mdctx);
+
+ rc = memcmp((char *)cred, (char *)digest, EVP_MD_size(md));
+ free(cred);
+diff --git a/plugins/passdss.c b/plugins/passdss.c
+index a55ed60d..2f81d44e 100644
+--- a/plugins/passdss.c
++++ b/plugins/passdss.c
+@@ -108,23 +111,23 @@ typedef struct context {
+ const sasl_utils_t *utils;
+
+ /* per-step mem management */
+- char *out_buf;
++ unsigned char *out_buf;
+ unsigned out_buf_len;
+
+ /* security layer foo */
+ unsigned char secmask; /* bitmask of enabled security layers */
+ unsigned char padding[EVP_MAX_BLOCK_LENGTH]; /* block of NULs */
+
+- HMAC_CTX hmac_send_ctx;
+- HMAC_CTX hmac_recv_ctx;
++ HMAC_CTX *hmac_send_ctx;
++ HMAC_CTX *hmac_recv_ctx;
+
+ unsigned char send_integrity_key[4 + EVP_MAX_MD_SIZE]; /* +4 for pktnum */
+ unsigned char recv_integrity_key[4 + EVP_MAX_MD_SIZE]; /* +4 for pktnum */
+ unsigned char *cs_integrity_key; /* ptr to bare key in send/recv key */
+ unsigned char *sc_integrity_key; /* ptr to bare key in send/recv key */
+
+- EVP_CIPHER_CTX cipher_enc_ctx;
+- EVP_CIPHER_CTX cipher_dec_ctx;
++ EVP_CIPHER_CTX *cipher_enc_ctx;
++ EVP_CIPHER_CTX *cipher_dec_ctx;
+ unsigned blk_siz;
+
+ unsigned char cs_encryption_iv[EVP_MAX_MD_SIZE];
+@@ -137,7 +140,7 @@ typedef struct context {
+ uint32_t pktnum_in;
+
+ /* for encoding/decoding mem management */
+- char *encode_buf, *decode_buf, *decode_pkt_buf;
++ unsigned char *encode_buf, *decode_buf, *decode_pkt_buf;
+ unsigned encode_buf_len, decode_buf_len, decode_pkt_buf_len;
+
+ /* layers buffering */
+@@ -169,7 +172,7 @@ static int passdss_encode(void *context,
+ inputlen += invec[i].iov_len;
+
+ /* allocate a buffer for the output */
+- ret = _plug_buf_alloc(text->utils, &text->encode_buf,
++ ret = _plug_buf_alloc(text->utils, (char **) &text->encode_buf,
+ &text->encode_buf_len,
+ 4 + /* length */
+ inputlen + /* content */
+@@ -184,19 +187,19 @@ static int passdss_encode(void *context,
+ memcpy(text->send_integrity_key, &tmpnum, 4);
+
+ /* key the HMAC */
+- HMAC_Init_ex(&text->hmac_send_ctx, text->send_integrity_key,
++ HMAC_Init_ex(text->hmac_send_ctx, text->send_integrity_key,
+ 4+SHA_DIGEST_LENGTH, EVP_sha1(), NULL);
+
+ /* operate on each iovec */
+ for (i = 0; i < numiov; i++) {
+ /* hash the content */
+- HMAC_Update(&text->hmac_send_ctx, invec[i].iov_base, invec[i].iov_len);
++ HMAC_Update(text->hmac_send_ctx, invec[i].iov_base, invec[i].iov_len);
+
+ if (text->secmask & PRIVACY_LAYER_FLAG) {
+- unsigned enclen;
++ int enclen;
+
+ /* encrypt the data into the output buffer */
+- EVP_EncryptUpdate(&text->cipher_enc_ctx,
++ EVP_EncryptUpdate(text->cipher_enc_ctx,
+ text->encode_buf + *outputlen, &enclen,
+ invec[i].iov_base, invec[i].iov_len);
+ *outputlen += enclen;
+@@ -210,14 +213,14 @@ static int passdss_encode(void *context,
+ }
+
+ /* calculate the HMAC */
+- HMAC_Final(&text->hmac_send_ctx, hmac, &hmaclen);
++ HMAC_Final(text->hmac_send_ctx, hmac, &hmaclen);
+
+ if (text->secmask & PRIVACY_LAYER_FLAG) {
+- unsigned enclen;
++ int enclen;
+ unsigned char padlen;
+
+ /* encrypt the HMAC into the output buffer */
+- EVP_EncryptUpdate(&text->cipher_enc_ctx,
++ EVP_EncryptUpdate(text->cipher_enc_ctx,
+ text->encode_buf + *outputlen, &enclen,
+ hmac, hmaclen);
+ *outputlen += enclen;
+@@ -225,17 +228,17 @@ static int passdss_encode(void *context,
+ /* pad output buffer to multiple of blk_siz
+ with padlen-1 as last octet */
+ padlen = text->blk_siz - ((inputlen + hmaclen) % text->blk_siz) - 1;
+- EVP_EncryptUpdate(&text->cipher_enc_ctx,
++ EVP_EncryptUpdate(text->cipher_enc_ctx,
+ text->encode_buf + *outputlen, &enclen,
+ text->padding, padlen);
+ *outputlen += enclen;
+- EVP_EncryptUpdate(&text->cipher_enc_ctx,
++ EVP_EncryptUpdate(text->cipher_enc_ctx,
+ text->encode_buf + *outputlen, &enclen,
+ &padlen, 1);
+ *outputlen += enclen;
+
+ /* encrypt the last block of data into the output buffer */
+- EVP_EncryptFinal_ex(&text->cipher_enc_ctx,
++ EVP_EncryptFinal_ex(text->cipher_enc_ctx,
+ text->encode_buf + *outputlen, &enclen);
+ *outputlen += enclen;
+ }
+@@ -250,7 +253,7 @@ static int passdss_encode(void *context,
+ tmpnum = htonl(tmpnum);
+ memcpy(text->encode_buf, &tmpnum, 4);
+
+- *output = text->encode_buf;
++ *output = (char *) text->encode_buf;
+
+ return SASL_OK;
+ }
+@@ -269,25 +272,25 @@ static int passdss_decode_packet(void *context,
+ int ret;
+
+ if (text->secmask & PRIVACY_LAYER_FLAG) {
+- unsigned declen, padlen;
++ int declen, padlen;
+
+ /* allocate a buffer for the output */
+- ret = _plug_buf_alloc(text->utils, &(text->decode_pkt_buf),
++ ret = _plug_buf_alloc(text->utils, (char **) &(text->decode_pkt_buf),
+ &(text->decode_pkt_buf_len), inputlen);
+ if (ret != SASL_OK) return ret;
+
+ /* decrypt the data into the output buffer */
+- ret = EVP_DecryptUpdate(&text->cipher_dec_ctx,
++ ret = EVP_DecryptUpdate(text->cipher_dec_ctx,
+ text->decode_pkt_buf, &declen,
+- (char *) input, inputlen);
++ (unsigned char *) input, inputlen);
+ if (ret)
+- EVP_DecryptFinal_ex(&text->cipher_dec_ctx, /* should be no output */
++ EVP_DecryptFinal_ex(text->cipher_dec_ctx, /* should be no output */
+ text->decode_pkt_buf + declen, &declen);
+ if (!ret) {
+ SETERROR(text->utils, "Error decrypting input");
+ return SASL_BADPROT;
+ }
+- input = text->decode_pkt_buf;
++ input = (char *) text->decode_pkt_buf;
+
+ /* trim padding */
+ padlen = text->decode_pkt_buf[inputlen - 1] + 1;
+@@ -303,7 +306,7 @@ static int passdss_decode_packet(void *context,
+
+ /* calculate the HMAC */
+ HMAC(EVP_sha1(), text->recv_integrity_key, 4+SHA_DIGEST_LENGTH,
+- input, inputlen, hmac, &hmaclen);
++ (unsigned char *) input, inputlen, hmac, &hmaclen);
+
+ /* verify HMAC */
+ if (memcmp(hmac, input+inputlen, hmaclen)) {
+@@ -324,12 +327,12 @@ static int passdss_decode(void *context,
+ {
+ context_t *text = (context_t *) context;
+ int ret;
+-
++
+ ret = _plug_decode(&text->decode_context, input, inputlen,
+- &text->decode_buf, &text->decode_buf_len, outputlen,
+- passdss_decode_packet, text);
++ (char **) &text->decode_buf, &text->decode_buf_len,
++ outputlen, passdss_decode_packet, text);
+
+- *output = text->decode_buf;
++ *output = (const char *) text->decode_buf;
+
+ return ret;
+ }
+@@ -340,7 +343,8 @@ static int passdss_decode(void *context,
+ /*
+ * Create/append to a PASSDSS buffer from the data specified by the fmt string.
+ */
+-static int MakeBuffer(const sasl_utils_t *utils, char **buf, unsigned offset,
++static int MakeBuffer(const sasl_utils_t *utils,
++ unsigned char **buf, unsigned offset,
+ unsigned *buflen, unsigned *outlen, const char *fmt, ...)
+ {
+ va_list ap;
+@@ -423,10 +427,10 @@ static int MakeBuffer(const sasl_utils_t *utils, char **buf, unsigned offset,
+ }
+ va_end(ap);
+
+- r = _plug_buf_alloc(utils, buf, buflen, alloclen);
++ r = _plug_buf_alloc(utils, (char **) buf, buflen, alloclen);
+ if (r != SASL_OK) return r;
+
+- out = *buf + offset;
++ out = (char *) *buf + offset;
+
+ /* second pass to fill buffer */
+ va_start(ap, fmt);
+@@ -461,7 +465,7 @@ static int MakeBuffer(const sasl_utils_t *utils, char **buf, unsigned offset,
+ case 'm':
+ /* MPI */
+ mpi = va_arg(ap, BIGNUM *);
+- len = BN_bn2bin(mpi, out+4);
++ len = BN_bn2bin(mpi, (unsigned char *) out+4);
+ nl = htonl(len);
+ memcpy(out, &nl, 4); /* add 4 byte len (network order) */
+ out += len + 4;
+@@ -513,7 +517,7 @@ static int MakeBuffer(const sasl_utils_t *utils, char **buf, unsigned offset,
+ done:
+ va_end(ap);
+
+- *outlen = out - *buf;
++ *outlen = out - (char *) *buf;
+
+ return r;
+ }
+@@ -598,8 +602,8 @@ static int UnBuffer(const sasl_utils_t *utils, const char *buf,
+
+ if (mpi) {
+ if (!*mpi) *mpi = BN_new();
+- BN_init(*mpi);
+- BN_bin2bn(buf, len, *mpi);
++ BN_clear(*mpi);
++ BN_bin2bn((unsigned char *) buf, len, *mpi);
+ }
+ break;
+
+@@ -714,16 +718,16 @@ static int UnBuffer(const sasl_utils_t *utils, const char *buf,
+ }
+
+ #define DOHASH(out, in1, len1, in2, len2, in3, len3) \
+- EVP_DigestInit(&mdctx, EVP_sha1()); \
+- EVP_DigestUpdate(&mdctx, in1, len1); \
+- EVP_DigestUpdate(&mdctx, in2, len2); \
+- EVP_DigestUpdate(&mdctx, in3, len3); \
+- EVP_DigestFinal(&mdctx, out, NULL)
+-
+-void CalcLayerParams(context_t *text, char *K, unsigned Klen,
+- char *hash, unsigned hashlen)
++ EVP_DigestInit(mdctx, EVP_sha1()); \
++ EVP_DigestUpdate(mdctx, in1, len1); \
++ EVP_DigestUpdate(mdctx, in2, len2); \
++ EVP_DigestUpdate(mdctx, in3, len3); \
++ EVP_DigestFinal(mdctx, out, NULL)
++
++void CalcLayerParams(context_t *text, unsigned char *K, unsigned Klen,
++ unsigned char *hash, unsigned hashlen)
+ {
+- EVP_MD_CTX mdctx;
++ EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
+
+ DOHASH(text->cs_encryption_iv, K, Klen, "A", 1, hash, hashlen);
+ DOHASH(text->sc_encryption_iv, K, Klen, "B", 1, hash, hashlen);
+@@ -735,6 +739,8 @@ void CalcLayerParams(context_t *text, char *K, unsigned Klen,
+ text->sc_encryption_key, hashlen);
+ DOHASH(text->cs_integrity_key, K, Klen, "E", 1, hash, hashlen);
+ DOHASH(text->sc_integrity_key, K, Klen, "F", 1, hash, hashlen);
++
++ EVP_MD_CTX_free(mdctx);
+ }
+
+ /*
+@@ -753,11 +759,11 @@ static void passdss_common_mech_dispose(void *conn_context,
+
+ if (text->dh) DH_free(text->dh);
+
+- HMAC_CTX_cleanup(&text->hmac_send_ctx);
+- HMAC_CTX_cleanup(&text->hmac_recv_ctx);
++ HMAC_CTX_free(text->hmac_send_ctx);
++ HMAC_CTX_free(text->hmac_recv_ctx);
+
+- EVP_CIPHER_CTX_cleanup(&text->cipher_enc_ctx);
+- EVP_CIPHER_CTX_cleanup(&text->cipher_dec_ctx);
++ EVP_CIPHER_CTX_free(text->cipher_enc_ctx);
++ EVP_CIPHER_CTX_free(text->cipher_dec_ctx);
+
+ _plug_decode_free(&text->decode_context);
+
+@@ -807,15 +813,17 @@ passdss_server_mech_step1(context_t *text,
+ unsigned *serveroutlen,
+ sasl_out_params_t *oparams __attribute__((unused)))
+ {
+- BIGNUM *X = NULL;
++ BIGNUM *X = NULL, *dh_p = NULL, *dh_g = NULL;
+ DSA *dsa = NULL;
++ const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key, *dh_pub_key;
+ unsigned char *K = NULL;
+ unsigned Klen, hashlen;
+ int need, musthave;
+- EVP_MD_CTX mdctx;
++ EVP_MD_CTX *mdctx;
+ unsigned char hash[EVP_MAX_MD_SIZE];
+ DSA_SIG *sig = NULL;
+- int result;
++ const BIGNUM *sig_r, *sig_s;
++ int r = 0, result;
+
+ /* Expect:
+ *
+@@ -833,8 +841,18 @@ passdss_server_mech_step1(context_t *text,
+ }
+
+ /* Fetch DSA (XXX create one for now) */
+- dsa = DSA_generate_parameters(1024, NULL, 0, NULL, NULL, NULL, NULL);
++ dsa = DSA_new();
+ if (!dsa) {
++ params->utils->log(NULL,
++ SASL_LOG_ERR, "Error creating DSA\n");
++ result = SASL_FAIL;
++ goto cleanup;
++ }
++
++ r = DSA_generate_parameters_ex(dsa, 1024, NULL, 0, NULL, NULL, NULL);
++ if (!r) {
++ params->utils->log(NULL,
++ SASL_LOG_ERR, "Error generating DSA parameters\n");
+ result = SASL_FAIL;
+ goto cleanup;
+ }
+@@ -842,8 +860,9 @@ passdss_server_mech_step1(context_t *text,
+
+ /* Create Diffie-Hellman parameters */
+ text->dh = DH_new();
+- BN_hex2bn(&text->dh->p, N);
+- BN_hex2bn(&text->dh->g, g);
++ BN_hex2bn(&dh_p, N);
++ BN_hex2bn(&dh_g, g);
++ DH_set0_pqg(text->dh, dh_p, NULL, dh_g);
+ DH_generate_key(text->dh);
+
+ /* Alloc space for shared secret K as mpint */
+@@ -895,10 +914,13 @@ passdss_server_mech_step1(context_t *text,
+ */
+
+ /* Items (4) - (7) */
++ DSA_get0_pqg(dsa, &dsa_p, &dsa_q, &dsa_g);
++ DSA_get0_key(dsa, &dsa_pub_key, NULL);
++ DH_get0_key(text->dh, &dh_pub_key, NULL);
+ result = MakeBuffer(text->utils, &text->out_buf, 0, &text->out_buf_len,
+ serveroutlen, "%5a%s%m%m%m%m%m%1o%3u",
+- "ssh-dss", dsa->p, dsa->q, dsa->g, dsa->pub_key,
+- text->dh->pub_key, &text->secmask,
++ "ssh-dss", dsa_p, dsa_q, dsa_g, dsa_pub_key,
++ dh_pub_key, &text->secmask,
+ (params->props.maxbufsize > 0xFFFFFF) ? 0xFFFFFF :
+ params->props.maxbufsize);
+ if (result) {
+@@ -907,26 +929,29 @@ passdss_server_mech_step1(context_t *text,
+ }
+
+ /* Hash (1) - (7) and K */
+- EVP_DigestInit(&mdctx, EVP_sha1());
++ mdctx = EVP_MD_CTX_new();
++ EVP_DigestInit(mdctx, EVP_sha1());
+ /* (1) - (3) */
+- EVP_DigestUpdate(&mdctx, clientin, clientinlen);
++ EVP_DigestUpdate(mdctx, clientin, clientinlen);
+ /* (4) - (7) */
+- EVP_DigestUpdate(&mdctx, text->out_buf, *serveroutlen);
++ EVP_DigestUpdate(mdctx, text->out_buf, *serveroutlen);
+ /* K */
+- EVP_DigestUpdate(&mdctx, K, Klen);
+- EVP_DigestFinal(&mdctx, hash, &hashlen);
++ EVP_DigestUpdate(mdctx, K, Klen);
++ EVP_DigestFinal(mdctx, hash, &hashlen);
++ EVP_MD_CTX_free(mdctx);
+
+ /* Calculate security layer params */
+ CalcLayerParams(text, K, Klen, hash, hashlen);
+
+ /* Start cli-hmac */
+- HMAC_CTX_init(&text->hmac_recv_ctx);
+- HMAC_Init_ex(&text->hmac_recv_ctx, text->cs_integrity_key,
++ text->hmac_recv_ctx = HMAC_CTX_new();
++ HMAC_CTX_reset(text->hmac_recv_ctx);
++ HMAC_Init_ex(text->hmac_recv_ctx, text->cs_integrity_key,
+ SHA_DIGEST_LENGTH, EVP_sha1(), NULL);
+ /* (1) - (3) */
+- HMAC_Update(&text->hmac_recv_ctx, clientin, clientinlen);
++ HMAC_Update(text->hmac_recv_ctx, (unsigned char *) clientin, clientinlen);
+ /* (4) - (7) */
+- HMAC_Update(&text->hmac_recv_ctx, text->out_buf, *serveroutlen);
++ HMAC_Update(text->hmac_recv_ctx, text->out_buf, *serveroutlen);
+
+ /* Sign the hash */
+ sig = DSA_do_sign(hash, hashlen, dsa);
+@@ -938,14 +963,15 @@ passdss_server_mech_step1(context_t *text,
+ }
+
+ /* Item (8) */
++ DSA_SIG_get0(sig, &sig_r, &sig_s);
+ result = MakeBuffer(text->utils, &text->out_buf, *serveroutlen,
+ &text->out_buf_len, serveroutlen,
+- "%3a%s%m%m", "ssh-dss", sig->r, sig->s);
++ "%3a%s%m%m", "ssh-dss", sig_r, sig_s);
+ if (result) {
+ params->utils->log(NULL, SASL_LOG_ERR, "Error making output buffer\n");
+ goto cleanup;
+ }
+- *serverout = text->out_buf;
++ *serverout = (char *) text->out_buf;
+
+ text->state = 2;
+ result = SASL_CONTINUE;
+@@ -969,10 +995,10 @@ passdss_server_mech_step2(context_t *text,
+ sasl_out_params_t *oparams)
+ {
+ char *password = NULL;
+- unsigned declen, hmaclen;
++ unsigned hmaclen;
+ unsigned char *csecmask, *cli_hmac, hmac[EVP_MAX_MD_SIZE];
+ uint32_t cbufsiz;
+- int r, result = SASL_OK;
++ int declen, r, result = SASL_OK;
+
+ /* Expect (3DES encrypted):
+ *
+@@ -983,7 +1009,7 @@ passdss_server_mech_step2(context_t *text,
+ */
+
+ /* Alloc space for the decrypted input */
+- result = _plug_buf_alloc(text->utils, &text->decode_pkt_buf,
++ result = _plug_buf_alloc(text->utils, (char **) &text->decode_pkt_buf,
+ &text->decode_pkt_buf_len, clientinlen);
+ if (result) {
+ params->utils->log(NULL, SASL_LOG_ERR,
+@@ -992,25 +1018,28 @@ passdss_server_mech_step2(context_t *text,
+ }
+
+ /* Initialize decrypt cipher */
+- EVP_CIPHER_CTX_init(&text->cipher_dec_ctx);
+- EVP_DecryptInit_ex(&text->cipher_dec_ctx, EVP_des_ede3_cbc(), NULL,
++ text->cipher_dec_ctx = EVP_CIPHER_CTX_new();
++ EVP_CIPHER_CTX_init(text->cipher_dec_ctx);
++ EVP_DecryptInit_ex(text->cipher_dec_ctx, EVP_des_ede3_cbc(), NULL,
+ text->cs_encryption_key, text->cs_encryption_iv);
+- EVP_CIPHER_CTX_set_padding(&text->cipher_dec_ctx, 0);
+- text->blk_siz = EVP_CIPHER_CTX_block_size(&text->cipher_dec_ctx);
++ EVP_CIPHER_CTX_set_padding(text->cipher_dec_ctx, 0);
++ text->blk_siz = EVP_CIPHER_CTX_block_size(text->cipher_dec_ctx);
+
+ /* Decrypt the blob */
+- r = EVP_DecryptUpdate(&text->cipher_dec_ctx, text->decode_pkt_buf, &declen,
+- clientin, clientinlen);
++ r = EVP_DecryptUpdate(text->cipher_dec_ctx,
++ text->decode_pkt_buf, &declen,
++ (unsigned char *) clientin, clientinlen);
+ if (r)
+- r = EVP_DecryptFinal_ex(&text->cipher_dec_ctx, /* should be no output */
+- text->decode_pkt_buf + declen, &declen);
++ r = EVP_DecryptFinal_ex(text->cipher_dec_ctx, /* should be no output */
++ text->decode_pkt_buf + declen,
++ &declen);
+ if (!r) {
+ params->utils->seterror(params->utils->conn, 0,
+ "Error decrypting input in step 2");
+ result = SASL_BADPROT;
+ goto cleanup;
+ }
+- clientin = text->decode_pkt_buf;
++ clientin = (char *) text->decode_pkt_buf;
+
+ result = UnBuffer(params->utils, clientin, clientinlen,
+ "%-1o%3u%s%-*o%*p", &csecmask, &cbufsiz, &password,
+@@ -1024,8 +1053,8 @@ passdss_server_mech_step2(context_t *text,
+ /* Finish cli-hmac */
+ /* (1) - (7) hashed in step 1 */
+ /* 1st 4 bytes of (9) */
+- HMAC_Update(&text->hmac_recv_ctx, clientin, 4);
+- HMAC_Final(&text->hmac_recv_ctx, hmac, &hmaclen);
++ HMAC_Update(text->hmac_recv_ctx, (unsigned char *) clientin, 4);
++ HMAC_Final(text->hmac_recv_ctx, hmac, &hmaclen);
+
+ /* Verify cli-hmac */
+ if (memcmp(cli_hmac, hmac, hmaclen)) {
+@@ -1087,16 +1116,18 @@ passdss_server_mech_step2(context_t *text,
+ oparams->decode = &passdss_decode;
+ oparams->maxoutbuf = cbufsiz - 4 - SHA_DIGEST_LENGTH; /* -len -HMAC */
+
+- HMAC_CTX_init(&text->hmac_send_ctx);
++ text->hmac_send_ctx = HMAC_CTX_new();
++ HMAC_CTX_reset(text->hmac_send_ctx);
+
+ if (oparams->mech_ssf > 1) {
+ oparams->maxoutbuf -= text->blk_siz-1; /* padding */
+
+ /* Initialize encrypt cipher */
+- EVP_CIPHER_CTX_init(&text->cipher_enc_ctx);
+- EVP_EncryptInit_ex(&text->cipher_enc_ctx, EVP_des_ede3_cbc(), NULL,
++ text->cipher_enc_ctx = EVP_CIPHER_CTX_new();
++ EVP_CIPHER_CTX_init(text->cipher_enc_ctx);
++ EVP_EncryptInit_ex(text->cipher_enc_ctx, EVP_des_ede3_cbc(), NULL,
+ text->sc_encryption_key, text->sc_encryption_iv);
+- EVP_CIPHER_CTX_set_padding(&text->cipher_enc_ctx, 0);
++ EVP_CIPHER_CTX_set_padding(text->cipher_enc_ctx, 0);
+ }
+
+ _plug_decode_init(&text->decode_context, text->utils,
+@@ -1245,6 +1276,8 @@ passdss_client_mech_step1(context_t *text,
+ int auth_result = SASL_OK;
+ int pass_result = SASL_OK;
+ int result;
++ BIGNUM *dh_p = NULL, *dh_g = NULL;
++ const BIGNUM *dh_pub_key;
+
+ /* Expect: absolutely nothing */
+ if (serverinlen > 0) {
+@@ -1332,8 +1365,9 @@ passdss_client_mech_step1(context_t *text,
+
+ /* create Diffie-Hellman parameters */
+ text->dh = DH_new();
+- BN_hex2bn(&text->dh->p, N);
+- BN_hex2bn(&text->dh->g, g);
++ BN_hex2bn(&dh_p, N);
++ BN_hex2bn(&dh_g, g);
++ DH_set0_pqg(text->dh, dh_p, NULL, dh_g);
+ DH_generate_key(text->dh);
+
+
+@@ -1344,15 +1378,16 @@ passdss_client_mech_step1(context_t *text,
+ * (3) mpint X ; Diffie-Hellman parameter X
+ */
+
++ DH_get0_key(text->dh, &dh_pub_key, NULL);
+ result = MakeBuffer(text->utils, &text->out_buf, 0, &text->out_buf_len,
+ clientoutlen, "%s%s%m",
+ (user && *user) ? (char *) oparams->user : "",
+- (char *) oparams->authid, text->dh->pub_key);
++ (char *) oparams->authid, dh_pub_key);
+ if (result) {
+ params->utils->log(NULL, SASL_LOG_ERR, "Error making output buffer\n");
+ goto cleanup;
+ }
+- *clientout = text->out_buf;
++ *clientout = (char *) text->out_buf;
+
+ text->state = 2;
+ result = SASL_CONTINUE;
+@@ -1374,15 +1409,16 @@ passdss_client_mech_step2(context_t *text,
+ {
+ DSA *dsa = DSA_new();
+ DSA_SIG *sig = DSA_SIG_new();
+- BIGNUM *Y = NULL;
++ BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL, *dsa_pub_key = NULL;
++ BIGNUM *Y = NULL, *sig_r = NULL, *sig_s = NULL;
+ uint32_t siglen;
+ unsigned char *K = NULL;
+- unsigned Klen, hashlen, enclen;
++ unsigned Klen, hashlen;
+ unsigned char *ssecmask;
+ uint32_t sbufsiz;
+- EVP_MD_CTX mdctx;
++ EVP_MD_CTX *mdctx;
+ unsigned char hash[EVP_MAX_MD_SIZE];
+- int need, musthave;
++ int enclen, need, musthave;
+ int result, r;
+
+ /* Expect:
+@@ -1404,14 +1440,18 @@ passdss_client_mech_step2(context_t *text,
+
+ result = UnBuffer(params->utils, serverin, serverinlen,
+ "%u%3p\7ssh-dss%m%m%m%m%m%-1o%3u%u%3p\7ssh-dss%m%m",
+- NULL, &dsa->p, &dsa->q, &dsa->g, &dsa->pub_key,
+- &Y, &ssecmask, &sbufsiz, &siglen, &sig->r, &sig->s);
++ NULL, &dsa_p, &dsa_q, &dsa_g, &dsa_pub_key,
++ &Y, &ssecmask, &sbufsiz, &siglen, &sig_r, &sig_s);
+ if (result) {
+ params->utils->seterror(params->utils->conn, 0,
+ "Error UnBuffering input in step 2");
+ goto cleanup;
+ }
+
++ DSA_set0_pqg(dsa, dsa_p, dsa_q, dsa_g);
++ DSA_set0_key(dsa, dsa_pub_key, NULL);
++ DSA_SIG_set0(sig, sig_r, sig_s);
++
+ /* XXX Validate server DSA public key */
+
+ /* Alloc space for shared secret K as mpint */
+@@ -1430,14 +1470,16 @@ passdss_client_mech_step2(context_t *text,
+ Klen += 4;
+
+ /* Hash (1) - (7) and K */
+- EVP_DigestInit(&mdctx, EVP_sha1());
++ mdctx = EVP_MD_CTX_new();
++ EVP_DigestInit(mdctx, EVP_sha1());
+ /* (1) - (3) (output from step 1 still in buffer) */
+- EVP_DigestUpdate(&mdctx, text->out_buf, text->out_buf_len);
++ EVP_DigestUpdate(mdctx, text->out_buf, text->out_buf_len);
+ /* (4) - (7) */
+- EVP_DigestUpdate(&mdctx, serverin, serverinlen - siglen - 4);
++ EVP_DigestUpdate(mdctx, serverin, serverinlen - siglen - 4);
+ /* K */
+- EVP_DigestUpdate(&mdctx, K, Klen);
+- EVP_DigestFinal(&mdctx, hash, &hashlen);
++ EVP_DigestUpdate(mdctx, K, Klen);
++ EVP_DigestFinal(mdctx, hash, &hashlen);
++ EVP_MD_CTX_free(mdctx);
+
+ /* Verify signature on the hash */
+ result = DSA_do_verify(hash, hashlen, sig, dsa);
+@@ -1453,11 +1495,12 @@ passdss_client_mech_step2(context_t *text,
+ CalcLayerParams(text, K, Klen, hash, hashlen);
+
+ /* Initialize encrypt cipher */
+- EVP_CIPHER_CTX_init(&text->cipher_enc_ctx);
+- EVP_EncryptInit_ex(&text->cipher_enc_ctx, EVP_des_ede3_cbc(), NULL,
++ text->cipher_enc_ctx = EVP_CIPHER_CTX_new();
++ EVP_CIPHER_CTX_init(text->cipher_enc_ctx);
++ EVP_EncryptInit_ex(text->cipher_enc_ctx, EVP_des_ede3_cbc(), NULL,
+ text->cs_encryption_key, text->cs_encryption_iv);
+- EVP_CIPHER_CTX_set_padding(&text->cipher_enc_ctx, 0);
+- text->blk_siz = EVP_CIPHER_CTX_block_size(&text->cipher_enc_ctx);
++ EVP_CIPHER_CTX_set_padding(text->cipher_enc_ctx, 0);
++ text->blk_siz = EVP_CIPHER_CTX_block_size(text->cipher_enc_ctx);
+
+ /* pick a layer */
+ if (params->props.maxbufsize < 32) {
+@@ -1488,13 +1531,15 @@ passdss_client_mech_step2(context_t *text,
+ }
+
+ /* Start cli-hmac */
+- HMAC_CTX_init(&text->hmac_send_ctx);
+- HMAC_Init_ex(&text->hmac_send_ctx, text->cs_integrity_key,
++ text->hmac_send_ctx = HMAC_CTX_new();
++ HMAC_CTX_reset(text->hmac_send_ctx);
++ HMAC_Init_ex(text->hmac_send_ctx, text->cs_integrity_key,
+ SHA_DIGEST_LENGTH, EVP_sha1(), NULL);
+ /* (1) - (3) (output from step 1 still in buffer) */
+- HMAC_Update(&text->hmac_send_ctx, text->out_buf, text->out_buf_len);
++ HMAC_Update(text->hmac_send_ctx, text->out_buf, text->out_buf_len);
+ /* (4) - (7) */
+- HMAC_Update(&text->hmac_send_ctx, serverin, serverinlen - siglen - 4);
++ HMAC_Update(text->hmac_send_ctx,
++ (unsigned char *) serverin, serverinlen - siglen - 4);
+
+
+ /* Send out (3DES encrypted):
+@@ -1518,8 +1563,8 @@ passdss_client_mech_step2(context_t *text,
+
+ /* Finish cli-hmac */
+ /* 1st 4 bytes of (9) */
+- HMAC_Update(&text->hmac_send_ctx, text->out_buf, 4);
+- HMAC_Final(&text->hmac_send_ctx, hash, &hashlen);
++ HMAC_Update(text->hmac_send_ctx, text->out_buf, 4);
++ HMAC_Final(text->hmac_send_ctx, hash, &hashlen);
+
+ /* Add HMAC and pad to fill no more than current block */
+ result = MakeBuffer(text->utils, &text->out_buf, *clientoutlen,
+@@ -1531,7 +1576,7 @@ passdss_client_mech_step2(context_t *text,
+ }
+
+ /* Alloc space for the encrypted output */
+- result = _plug_buf_alloc(text->utils, &text->encode_buf,
++ result = _plug_buf_alloc(text->utils, (char **) &text->encode_buf,
+ &text->encode_buf_len, *clientoutlen);
+ if (result) {
+ params->utils->log(NULL, SASL_LOG_ERR,
+@@ -1540,19 +1585,20 @@ passdss_client_mech_step2(context_t *text,
+ }
+
+ /* Encrypt (9) (here we calculate the exact number of full blocks) */
+- r = EVP_EncryptUpdate(&text->cipher_enc_ctx, text->encode_buf,
+- clientoutlen, text->out_buf,
++ r = EVP_EncryptUpdate(text->cipher_enc_ctx,
++ text->encode_buf, (int *) clientoutlen, text->out_buf,
+ text->blk_siz * (*clientoutlen / text->blk_siz));
+ if (r)
+- r = EVP_EncryptFinal_ex(&text->cipher_enc_ctx, /* should be no output */
+- text->encode_buf + *clientoutlen, &enclen);
++ r = EVP_EncryptFinal_ex(text->cipher_enc_ctx, /* should be no output */
++ text->encode_buf + *clientoutlen,
++ &enclen);
+ if (!r) {
+ params->utils->seterror(params->utils->conn, 0,
+ "Error encrypting output in step 2");
+ result = SASL_FAIL;
+ goto cleanup;
+ }
+- *clientout = text->encode_buf;
++ *clientout = (char *) text->encode_buf;
+
+ /* Set oparams */
+ oparams->doneflag = 1;
+@@ -1563,16 +1609,18 @@ passdss_client_mech_step2(context_t *text,
+ oparams->decode = &passdss_decode;
+ oparams->maxoutbuf = sbufsiz - 4 - SHA_DIGEST_LENGTH; /* -len -HMAC */
+
+- HMAC_CTX_init(&text->hmac_recv_ctx);
++ text->hmac_recv_ctx = HMAC_CTX_new();
++ HMAC_CTX_reset(text->hmac_recv_ctx);
+
+ if (oparams->mech_ssf > 1) {
+ oparams->maxoutbuf -= text->blk_siz-1; /* padding */
+
+ /* Initialize decrypt cipher */
+- EVP_CIPHER_CTX_init(&text->cipher_dec_ctx);
+- EVP_DecryptInit_ex(&text->cipher_dec_ctx, EVP_des_ede3_cbc(), NULL,
++ text->cipher_dec_ctx = EVP_CIPHER_CTX_new();
++ EVP_CIPHER_CTX_init(text->cipher_dec_ctx);
++ EVP_DecryptInit_ex(text->cipher_dec_ctx, EVP_des_ede3_cbc(), NULL,
+ text->sc_encryption_key, text->sc_encryption_iv);
+- EVP_CIPHER_CTX_set_padding(&text->cipher_dec_ctx, 0);
++ EVP_CIPHER_CTX_set_padding(text->cipher_dec_ctx, 0);
+ }
+
+ _plug_decode_init(&text->decode_context, text->utils,
+
projects / packages / cyrus-sasl.git / commitdiff