From ecccfc827170a5a98308da6875dc414c29701537 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Arkadiusz=20Mi=C5=9Bkiewicz?= Date: Fri, 14 Sep 2018 19:45:55 +0200 Subject: [PATCH] - rel 8; build with openssl 1.1.1 --- cyrus-sasl-2.1.27-openssl-1.1.0.patch | 1150 +++++++++++++++++++++++++ cyrus-sasl.spec | 4 +- 2 files changed, 1153 insertions(+), 1 deletion(-) create mode 100644 cyrus-sasl-2.1.27-openssl-1.1.0.patch diff --git a/cyrus-sasl-2.1.27-openssl-1.1.0.patch b/cyrus-sasl-2.1.27-openssl-1.1.0.patch new file mode 100644 index 0000000..59fd2b6 --- /dev/null +++ b/cyrus-sasl-2.1.27-openssl-1.1.0.patch @@ -0,0 +1,1150 @@ +diff -up cyrus-sasl-2.1.26/plugins/ntlm.c.openssl110 cyrus-sasl-2.1.26/plugins/ntlm.c +--- cyrus-sasl-2.1.26/plugins/ntlm.c.openssl110 2012-01-28 00:31:36.000000000 +0100 ++++ cyrus-sasl-2.1.26/plugins/ntlm.c 2016-11-07 16:15:57.498259304 +0100 +@@ -417,6 +417,29 @@ static unsigned char *P24(unsigned char + return P24; + } + ++static HMAC_CTX *_plug_HMAC_CTX_new(const sasl_utils_t *utils) ++{ ++ utils->log(NULL, SASL_LOG_DEBUG, "_plug_HMAC_CTX_new()"); ++ ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ return HMAC_CTX_new(); ++#else ++ return utils->malloc(sizeof(HMAC_CTX)); ++#endif ++} ++ ++static void _plug_HMAC_CTX_free(HMAC_CTX *ctx, const sasl_utils_t *utils) ++{ ++ utils->log(NULL, SASL_LOG_DEBUG, "_plug_HMAC_CTX_free()"); ++ ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ HMAC_CTX_free(ctx); ++#else ++ HMAC_cleanup(ctx); ++ utils->free(ctx); ++#endif ++} ++ + static unsigned char *V2(unsigned char *V2, sasl_secret_t *passwd, + const char *authid, const char *target, + const unsigned char *challenge, +@@ -424,7 +447,7 @@ static unsigned char *V2(unsigned char * + const sasl_utils_t *utils, + char **buf, unsigned *buflen, int *result) + { +- HMAC_CTX ctx; ++ HMAC_CTX *ctx = NULL; + unsigned char hash[EVP_MAX_MD_SIZE]; + char *upper; + unsigned int len; +@@ -435,6 +458,10 @@ static unsigned char *V2(unsigned char * + SETERROR(utils, "cannot allocate NTLMv2 hash"); + *result = SASL_NOMEM; + } ++ else if ((ctx = _plug_HMAC_CTX_new(utils)) == NULL) { ++ SETERROR(utils, "cannot allocate HMAC CTX"); ++ *result = SASL_NOMEM; ++ } + else { + /* NTLMv2hash = HMAC-MD5(NTLMhash, unicode(ucase(authid + domain))) */ + P16_nt(hash, passwd, utils, buf, buflen, result); +@@ -449,17 +476,18 @@ static unsigned char *V2(unsigned char * + HMAC(EVP_md5(), hash, MD4_DIGEST_LENGTH, *buf, 2 * len, hash, &len); + + /* V2 = HMAC-MD5(NTLMv2hash, challenge + blob) + blob */ +- HMAC_Init(&ctx, hash, len, EVP_md5()); +- HMAC_Update(&ctx, challenge, NTLM_NONCE_LENGTH); +- HMAC_Update(&ctx, blob, bloblen); +- HMAC_Final(&ctx, V2, &len); +- HMAC_cleanup(&ctx); ++ HMAC_Init_ex(ctx, hash, len, EVP_md5(), NULL); ++ HMAC_Update(ctx, challenge, NTLM_NONCE_LENGTH); ++ HMAC_Update(ctx, blob, bloblen); ++ HMAC_Final(ctx, V2, &len); + + /* the blob is concatenated outside of this function */ + + *result = SASL_OK; + } + ++ if (ctx) _plug_HMAC_CTX_free(ctx, utils); ++ + return V2; + } + +diff -up cyrus-sasl-2.1.26/plugins/otp.c.openssl110 cyrus-sasl-2.1.26/plugins/otp.c +--- cyrus-sasl-2.1.26/plugins/otp.c.openssl110 2012-10-12 16:05:48.000000000 +0200 ++++ cyrus-sasl-2.1.26/plugins/otp.c 2016-11-07 16:13:54.374327601 +0100 +@@ -96,6 +96,28 @@ static algorithm_option_t algorithm_opti + {NULL, 0, NULL} + }; + ++static EVP_MD_CTX *_plug_EVP_MD_CTX_new(const sasl_utils_t *utils) ++{ ++ utils->log(NULL, SASL_LOG_DEBUG, "_plug_EVP_MD_CTX_new()"); ++ ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ return EVP_MD_CTX_new(); ++#else ++ return utils->malloc(sizeof(EVP_MD_CTX)); ++#endif ++} ++ ++static void _plug_EVP_MD_CTX_free(EVP_MD_CTX *ctx, const sasl_utils_t *utils) ++{ ++ utils->log(NULL, SASL_LOG_DEBUG, "_plug_EVP_MD_CTX_free()"); ++ ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ EVP_MD_CTX_free(ctx); ++#else ++ utils->free(ctx); ++#endif ++} ++ + /* Convert the binary data into ASCII hex */ + void bin2hex(unsigned char *bin, int binlen, char *hex) + { +@@ -116,17 +138,16 @@ void bin2hex(unsigned char *bin, int bin + * swabbing bytes if necessary. + */ + static void otp_hash(const EVP_MD *md, char *in, size_t inlen, +- unsigned char *out, int swab) ++ unsigned char *out, int swab, EVP_MD_CTX *mdctx) + { +- EVP_MD_CTX mdctx; +- char hash[EVP_MAX_MD_SIZE]; ++ unsigned char hash[EVP_MAX_MD_SIZE]; + unsigned int i; + int j; + unsigned hashlen; + +- EVP_DigestInit(&mdctx, md); +- EVP_DigestUpdate(&mdctx, in, inlen); +- EVP_DigestFinal(&mdctx, hash, &hashlen); ++ EVP_DigestInit(mdctx, md); ++ EVP_DigestUpdate(mdctx, in, inlen); ++ EVP_DigestFinal(mdctx, hash, &hashlen); + + /* Fold the result into 64 bits */ + for (i = OTP_HASH_SIZE; i < hashlen; i++) { +@@ -149,7 +170,9 @@ static int generate_otp(const sasl_utils + char *secret, char *otp) + { + const EVP_MD *md; +- char *key; ++ EVP_MD_CTX *mdctx = NULL; ++ char *key = NULL; ++ int r = SASL_OK; + + if (!(md = EVP_get_digestbyname(alg->evp_name))) { + utils->seterror(utils->conn, 0, +@@ -157,23 +180,32 @@ static int generate_otp(const sasl_utils + return SASL_FAIL; + } + ++ if ((mdctx = _plug_EVP_MD_CTX_new(utils)) == NULL) { ++ SETERROR(utils, "cannot allocate MD CTX"); ++ r = SASL_NOMEM; ++ goto done; ++ } ++ + if ((key = utils->malloc(strlen(seed) + strlen(secret) + 1)) == NULL) { + SETERROR(utils, "cannot allocate OTP key"); +- return SASL_NOMEM; ++ r = SASL_NOMEM; ++ goto done; + } + + /* initial step */ + strcpy(key, seed); + strcat(key, secret); +- otp_hash(md, key, strlen(key), otp, alg->swab); ++ otp_hash(md, key, strlen(key), otp, alg->swab, mdctx); + + /* computation step */ + while (seq-- > 0) +- otp_hash(md, otp, OTP_HASH_SIZE, otp, alg->swab); +- +- utils->free(key); ++ otp_hash(md, otp, OTP_HASH_SIZE, otp, alg->swab, mdctx); ++ ++ done: ++ if (key) utils->free(key); ++ if (mdctx) _plug_EVP_MD_CTX_free(mdctx, utils); + +- return SASL_OK; ++ return r; + } + + static int parse_challenge(const sasl_utils_t *utils, +@@ -693,7 +725,8 @@ static int strptrcasecmp(const void *arg + + /* Convert the 6 words into binary data */ + static int word2bin(const sasl_utils_t *utils, +- char *words, unsigned char *bin, const EVP_MD *md) ++ char *words, unsigned char *bin, const EVP_MD *md, ++ EVP_MD_CTX *mdctx) + { + int i, j; + char *c, *word, buf[OTP_RESPONSE_MAX+1]; +@@ -752,13 +785,12 @@ static int word2bin(const sasl_utils_t * + + /* alternate dictionary */ + if (alt_dict) { +- EVP_MD_CTX mdctx; +- char hash[EVP_MAX_MD_SIZE]; +- int hashlen; ++ unsigned char hash[EVP_MAX_MD_SIZE]; ++ unsigned hashlen; + +- EVP_DigestInit(&mdctx, md); +- EVP_DigestUpdate(&mdctx, word, strlen(word)); +- EVP_DigestFinal(&mdctx, hash, &hashlen); ++ EVP_DigestInit(mdctx, md); ++ EVP_DigestUpdate(mdctx, word, strlen(word)); ++ EVP_DigestFinal(mdctx, hash, &hashlen); + + /* use lowest 11 bits */ + x = ((hash[hashlen-2] & 0x7) << 8) | hash[hashlen-1]; +@@ -802,6 +834,7 @@ static int verify_response(server_contex + char *response) + { + const EVP_MD *md; ++ EVP_MD_CTX *mdctx = NULL; + char *c; + int do_init = 0; + unsigned char cur_otp[OTP_HASH_SIZE], prev_otp[OTP_HASH_SIZE]; +@@ -815,6 +848,11 @@ static int verify_response(server_contex + return SASL_FAIL; + } + ++ if ((mdctx = _plug_EVP_MD_CTX_new(utils)) == NULL) { ++ SETERROR(utils, "cannot allocate MD CTX"); ++ return SASL_NOMEM; ++ } ++ + /* eat leading whitespace */ + c = response; + while (isspace((int) *c)) c++; +@@ -824,7 +862,7 @@ static int verify_response(server_contex + r = hex2bin(c+strlen(OTP_HEX_TYPE), cur_otp, OTP_HASH_SIZE); + } + else if (!strncasecmp(c, OTP_WORD_TYPE, strlen(OTP_WORD_TYPE))) { +- r = word2bin(utils, c+strlen(OTP_WORD_TYPE), cur_otp, md); ++ r = word2bin(utils, c+strlen(OTP_WORD_TYPE), cur_otp, md, mdctx); + } + else if (!strncasecmp(c, OTP_INIT_HEX_TYPE, + strlen(OTP_INIT_HEX_TYPE))) { +@@ -834,7 +872,7 @@ static int verify_response(server_contex + else if (!strncasecmp(c, OTP_INIT_WORD_TYPE, + strlen(OTP_INIT_WORD_TYPE))) { + do_init = 1; +- r = word2bin(utils, c+strlen(OTP_INIT_WORD_TYPE), cur_otp, md); ++ r = word2bin(utils, c+strlen(OTP_INIT_WORD_TYPE), cur_otp, md, mdctx); + } + else { + SETERROR(utils, "unknown OTP extended response type"); +@@ -843,14 +881,15 @@ static int verify_response(server_contex + } + else { + /* standard response, try word first, and then hex */ +- r = word2bin(utils, c, cur_otp, md); ++ r = word2bin(utils, c, cur_otp, md, mdctx); + if (r != SASL_OK) + r = hex2bin(c, cur_otp, OTP_HASH_SIZE); + } + + if (r == SASL_OK) { + /* do one more hash (previous otp) and compare to stored otp */ +- otp_hash(md, cur_otp, OTP_HASH_SIZE, prev_otp, text->alg->swab); ++ otp_hash(md, (char *) cur_otp, OTP_HASH_SIZE, ++ prev_otp, text->alg->swab, mdctx); + + if (!memcmp(prev_otp, text->otp, OTP_HASH_SIZE)) { + /* update the secret with this seq/otp */ +@@ -879,23 +918,28 @@ static int verify_response(server_contex + *new_resp++ = '\0'; + } + +- if (!(new_chal && new_resp)) +- return SASL_BADAUTH; ++ if (!(new_chal && new_resp)) { ++ r = SASL_BADAUTH; ++ goto done; ++ } + + if ((r = parse_challenge(utils, new_chal, &alg, &seq, seed, 1)) + != SASL_OK) { +- return r; ++ goto done; + } + +- if (seq < 1 || !strcasecmp(seed, text->seed)) +- return SASL_BADAUTH; ++ if (seq < 1 || !strcasecmp(seed, text->seed)) { ++ r = SASL_BADAUTH; ++ goto done; ++ } + + /* find the MDA */ + if (!(md = EVP_get_digestbyname(alg->evp_name))) { + utils->seterror(utils->conn, 0, + "OTP algorithm %s is not available", + alg->evp_name); +- return SASL_BADAUTH; ++ r = SASL_BADAUTH; ++ goto done; + } + + if (!strncasecmp(c, OTP_INIT_HEX_TYPE, strlen(OTP_INIT_HEX_TYPE))) { +@@ -903,7 +947,7 @@ static int verify_response(server_contex + } + else if (!strncasecmp(c, OTP_INIT_WORD_TYPE, + strlen(OTP_INIT_WORD_TYPE))) { +- r = word2bin(utils, new_resp, new_otp, md); ++ r = word2bin(utils, new_resp, new_otp, md, mdctx); + } + + if (r == SASL_OK) { +@@ -914,7 +958,10 @@ static int verify_response(server_contex + memcpy(text->otp, new_otp, OTP_HASH_SIZE); + } + } +- ++ ++ done: ++ if (mdctx) _plug_EVP_MD_CTX_free(mdctx, utils); ++ + return r; + } + +diff -up cyrus-sasl-2.1.26/saslauthd/lak.c.openssl110 cyrus-sasl-2.1.26/saslauthd/lak.c +--- cyrus-sasl-2.1.26/saslauthd/lak.c.openssl110 2016-11-07 16:13:54.347327616 +0100 ++++ cyrus-sasl-2.1.26/saslauthd/lak.c 2016-11-07 16:18:42.283167898 +0100 +@@ -61,6 +61,35 @@ + #include + #include "lak.h" + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++static EVP_MD_CTX *EVP_MD_CTX_new(void) ++{ ++ return EVP_MD_CTX_create(); ++} ++static void EVP_MD_CTX_free(EVP_MD_CTX *ctx) ++{ ++ if (ctx == NULL) ++ return; ++ ++ EVP_MD_CTX_destroy(ctx); ++} ++ ++static EVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void) ++{ ++ EVP_ENCODE_CTX *ctx = OPENSSL_malloc(sizeof(*ctx)); ++ ++ if (ctx != NULL) { ++ memset(ctx, 0, sizeof(*ctx)); ++ } ++ return ctx; ++} ++static void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx) ++{ ++ OPENSSL_free(ctx); ++ return; ++} ++#endif ++ + typedef struct lak_auth_method { + int method; + int (*check) (LAK *lak, const char *user, const char *service, const char *realm, const char *password) ; +@@ -1720,20 +1749,28 @@ static int lak_base64_decode( + + int rc, i, tlen = 0; + char *text; +- EVP_ENCODE_CTX EVP_ctx; ++ EVP_ENCODE_CTX *enc_ctx = EVP_ENCODE_CTX_new(); + +- text = (char *)malloc(((strlen(src)+3)/4 * 3) + 1); + if (text == NULL) + return LAK_NOMEM; + +- EVP_DecodeInit(&EVP_ctx); +- rc = EVP_DecodeUpdate(&EVP_ctx, text, &i, (char *)src, strlen(src)); ++ text = (char *)malloc(((strlen(src)+3)/4 * 3) + 1); ++ if (text == NULL) { ++ EVP_ENCODE_CTX_free(enc_ctx); ++ return LAK_NOMEM; ++ } ++ ++ EVP_DecodeInit(enc_ctx); ++ rc = EVP_DecodeUpdate(enc_ctx, (unsigned char *) text, &i, (const unsigned char *)src, strlen(src)); + if (rc < 0) { ++ EVP_ENCODE_CTX_free(enc_ctx); + free(text); + return LAK_FAIL; + } + tlen += i; +- EVP_DecodeFinal(&EVP_ctx, text, &i); ++ EVP_DecodeFinal(enc_ctx, (unsigned char *) text, &i); ++ ++ EVP_ENCODE_CTX_free(enc_ctx); + + *ret = text; + if (rlen != NULL) +@@ -1749,7 +1786,7 @@ static int lak_check_hashed( + { + int rc, clen; + LAK_HASH_ROCK *hrock = (LAK_HASH_ROCK *) rock; +- EVP_MD_CTX mdctx; ++ EVP_MD_CTX *mdctx; + const EVP_MD *md; + unsigned char digest[EVP_MAX_MD_SIZE]; + char *cred; +@@ -1758,17 +1795,24 @@ static int lak_check_hashed( + if (!md) + return LAK_FAIL; + ++ mdctx = EVP_MD_CTX_new(); ++ if (!mdctx) ++ return LAK_NOMEM; ++ + rc = lak_base64_decode(hash, &cred, &clen); +- if (rc != LAK_OK) ++ if (rc != LAK_OK) { ++ EVP_MD_CTX_free(mdctx); + return rc; ++ } + +- EVP_DigestInit(&mdctx, md); +- EVP_DigestUpdate(&mdctx, passwd, strlen(passwd)); ++ EVP_DigestInit(mdctx, md); ++ EVP_DigestUpdate(mdctx, passwd, strlen(passwd)); + if (hrock->salted) { +- EVP_DigestUpdate(&mdctx, &cred[EVP_MD_size(md)], ++ EVP_DigestUpdate(mdctx, &cred[EVP_MD_size(md)], + clen - EVP_MD_size(md)); + } +- EVP_DigestFinal(&mdctx, digest, NULL); ++ EVP_DigestFinal(mdctx, digest, NULL); ++ EVP_MD_CTX_free(mdctx); + + rc = memcmp((char *)cred, (char *)digest, EVP_MD_size(md)); + free(cred); +diff --git a/plugins/passdss.c b/plugins/passdss.c +index a55ed60d..2f81d44e 100644 +--- a/plugins/passdss.c ++++ b/plugins/passdss.c +@@ -108,23 +111,23 @@ typedef struct context { + const sasl_utils_t *utils; + + /* per-step mem management */ +- char *out_buf; ++ unsigned char *out_buf; + unsigned out_buf_len; + + /* security layer foo */ + unsigned char secmask; /* bitmask of enabled security layers */ + unsigned char padding[EVP_MAX_BLOCK_LENGTH]; /* block of NULs */ + +- HMAC_CTX hmac_send_ctx; +- HMAC_CTX hmac_recv_ctx; ++ HMAC_CTX *hmac_send_ctx; ++ HMAC_CTX *hmac_recv_ctx; + + unsigned char send_integrity_key[4 + EVP_MAX_MD_SIZE]; /* +4 for pktnum */ + unsigned char recv_integrity_key[4 + EVP_MAX_MD_SIZE]; /* +4 for pktnum */ + unsigned char *cs_integrity_key; /* ptr to bare key in send/recv key */ + unsigned char *sc_integrity_key; /* ptr to bare key in send/recv key */ + +- EVP_CIPHER_CTX cipher_enc_ctx; +- EVP_CIPHER_CTX cipher_dec_ctx; ++ EVP_CIPHER_CTX *cipher_enc_ctx; ++ EVP_CIPHER_CTX *cipher_dec_ctx; + unsigned blk_siz; + + unsigned char cs_encryption_iv[EVP_MAX_MD_SIZE]; +@@ -137,7 +140,7 @@ typedef struct context { + uint32_t pktnum_in; + + /* for encoding/decoding mem management */ +- char *encode_buf, *decode_buf, *decode_pkt_buf; ++ unsigned char *encode_buf, *decode_buf, *decode_pkt_buf; + unsigned encode_buf_len, decode_buf_len, decode_pkt_buf_len; + + /* layers buffering */ +@@ -169,7 +172,7 @@ static int passdss_encode(void *context, + inputlen += invec[i].iov_len; + + /* allocate a buffer for the output */ +- ret = _plug_buf_alloc(text->utils, &text->encode_buf, ++ ret = _plug_buf_alloc(text->utils, (char **) &text->encode_buf, + &text->encode_buf_len, + 4 + /* length */ + inputlen + /* content */ +@@ -184,19 +187,19 @@ static int passdss_encode(void *context, + memcpy(text->send_integrity_key, &tmpnum, 4); + + /* key the HMAC */ +- HMAC_Init_ex(&text->hmac_send_ctx, text->send_integrity_key, ++ HMAC_Init_ex(text->hmac_send_ctx, text->send_integrity_key, + 4+SHA_DIGEST_LENGTH, EVP_sha1(), NULL); + + /* operate on each iovec */ + for (i = 0; i < numiov; i++) { + /* hash the content */ +- HMAC_Update(&text->hmac_send_ctx, invec[i].iov_base, invec[i].iov_len); ++ HMAC_Update(text->hmac_send_ctx, invec[i].iov_base, invec[i].iov_len); + + if (text->secmask & PRIVACY_LAYER_FLAG) { +- unsigned enclen; ++ int enclen; + + /* encrypt the data into the output buffer */ +- EVP_EncryptUpdate(&text->cipher_enc_ctx, ++ EVP_EncryptUpdate(text->cipher_enc_ctx, + text->encode_buf + *outputlen, &enclen, + invec[i].iov_base, invec[i].iov_len); + *outputlen += enclen; +@@ -210,14 +213,14 @@ static int passdss_encode(void *context, + } + + /* calculate the HMAC */ +- HMAC_Final(&text->hmac_send_ctx, hmac, &hmaclen); ++ HMAC_Final(text->hmac_send_ctx, hmac, &hmaclen); + + if (text->secmask & PRIVACY_LAYER_FLAG) { +- unsigned enclen; ++ int enclen; + unsigned char padlen; + + /* encrypt the HMAC into the output buffer */ +- EVP_EncryptUpdate(&text->cipher_enc_ctx, ++ EVP_EncryptUpdate(text->cipher_enc_ctx, + text->encode_buf + *outputlen, &enclen, + hmac, hmaclen); + *outputlen += enclen; +@@ -225,17 +228,17 @@ static int passdss_encode(void *context, + /* pad output buffer to multiple of blk_siz + with padlen-1 as last octet */ + padlen = text->blk_siz - ((inputlen + hmaclen) % text->blk_siz) - 1; +- EVP_EncryptUpdate(&text->cipher_enc_ctx, ++ EVP_EncryptUpdate(text->cipher_enc_ctx, + text->encode_buf + *outputlen, &enclen, + text->padding, padlen); + *outputlen += enclen; +- EVP_EncryptUpdate(&text->cipher_enc_ctx, ++ EVP_EncryptUpdate(text->cipher_enc_ctx, + text->encode_buf + *outputlen, &enclen, + &padlen, 1); + *outputlen += enclen; + + /* encrypt the last block of data into the output buffer */ +- EVP_EncryptFinal_ex(&text->cipher_enc_ctx, ++ EVP_EncryptFinal_ex(text->cipher_enc_ctx, + text->encode_buf + *outputlen, &enclen); + *outputlen += enclen; + } +@@ -250,7 +253,7 @@ static int passdss_encode(void *context, + tmpnum = htonl(tmpnum); + memcpy(text->encode_buf, &tmpnum, 4); + +- *output = text->encode_buf; ++ *output = (char *) text->encode_buf; + + return SASL_OK; + } +@@ -269,25 +272,25 @@ static int passdss_decode_packet(void *context, + int ret; + + if (text->secmask & PRIVACY_LAYER_FLAG) { +- unsigned declen, padlen; ++ int declen, padlen; + + /* allocate a buffer for the output */ +- ret = _plug_buf_alloc(text->utils, &(text->decode_pkt_buf), ++ ret = _plug_buf_alloc(text->utils, (char **) &(text->decode_pkt_buf), + &(text->decode_pkt_buf_len), inputlen); + if (ret != SASL_OK) return ret; + + /* decrypt the data into the output buffer */ +- ret = EVP_DecryptUpdate(&text->cipher_dec_ctx, ++ ret = EVP_DecryptUpdate(text->cipher_dec_ctx, + text->decode_pkt_buf, &declen, +- (char *) input, inputlen); ++ (unsigned char *) input, inputlen); + if (ret) +- EVP_DecryptFinal_ex(&text->cipher_dec_ctx, /* should be no output */ ++ EVP_DecryptFinal_ex(text->cipher_dec_ctx, /* should be no output */ + text->decode_pkt_buf + declen, &declen); + if (!ret) { + SETERROR(text->utils, "Error decrypting input"); + return SASL_BADPROT; + } +- input = text->decode_pkt_buf; ++ input = (char *) text->decode_pkt_buf; + + /* trim padding */ + padlen = text->decode_pkt_buf[inputlen - 1] + 1; +@@ -303,7 +306,7 @@ static int passdss_decode_packet(void *context, + + /* calculate the HMAC */ + HMAC(EVP_sha1(), text->recv_integrity_key, 4+SHA_DIGEST_LENGTH, +- input, inputlen, hmac, &hmaclen); ++ (unsigned char *) input, inputlen, hmac, &hmaclen); + + /* verify HMAC */ + if (memcmp(hmac, input+inputlen, hmaclen)) { +@@ -324,12 +327,12 @@ static int passdss_decode(void *context, + { + context_t *text = (context_t *) context; + int ret; +- ++ + ret = _plug_decode(&text->decode_context, input, inputlen, +- &text->decode_buf, &text->decode_buf_len, outputlen, +- passdss_decode_packet, text); ++ (char **) &text->decode_buf, &text->decode_buf_len, ++ outputlen, passdss_decode_packet, text); + +- *output = text->decode_buf; ++ *output = (const char *) text->decode_buf; + + return ret; + } +@@ -340,7 +343,8 @@ static int passdss_decode(void *context, + /* + * Create/append to a PASSDSS buffer from the data specified by the fmt string. + */ +-static int MakeBuffer(const sasl_utils_t *utils, char **buf, unsigned offset, ++static int MakeBuffer(const sasl_utils_t *utils, ++ unsigned char **buf, unsigned offset, + unsigned *buflen, unsigned *outlen, const char *fmt, ...) + { + va_list ap; +@@ -423,10 +427,10 @@ static int MakeBuffer(const sasl_utils_t *utils, char **buf, unsigned offset, + } + va_end(ap); + +- r = _plug_buf_alloc(utils, buf, buflen, alloclen); ++ r = _plug_buf_alloc(utils, (char **) buf, buflen, alloclen); + if (r != SASL_OK) return r; + +- out = *buf + offset; ++ out = (char *) *buf + offset; + + /* second pass to fill buffer */ + va_start(ap, fmt); +@@ -461,7 +465,7 @@ static int MakeBuffer(const sasl_utils_t *utils, char **buf, unsigned offset, + case 'm': + /* MPI */ + mpi = va_arg(ap, BIGNUM *); +- len = BN_bn2bin(mpi, out+4); ++ len = BN_bn2bin(mpi, (unsigned char *) out+4); + nl = htonl(len); + memcpy(out, &nl, 4); /* add 4 byte len (network order) */ + out += len + 4; +@@ -513,7 +517,7 @@ static int MakeBuffer(const sasl_utils_t *utils, char **buf, unsigned offset, + done: + va_end(ap); + +- *outlen = out - *buf; ++ *outlen = out - (char *) *buf; + + return r; + } +@@ -598,8 +602,8 @@ static int UnBuffer(const sasl_utils_t *utils, const char *buf, + + if (mpi) { + if (!*mpi) *mpi = BN_new(); +- BN_init(*mpi); +- BN_bin2bn(buf, len, *mpi); ++ BN_clear(*mpi); ++ BN_bin2bn((unsigned char *) buf, len, *mpi); + } + break; + +@@ -714,16 +718,16 @@ static int UnBuffer(const sasl_utils_t *utils, const char *buf, + } + + #define DOHASH(out, in1, len1, in2, len2, in3, len3) \ +- EVP_DigestInit(&mdctx, EVP_sha1()); \ +- EVP_DigestUpdate(&mdctx, in1, len1); \ +- EVP_DigestUpdate(&mdctx, in2, len2); \ +- EVP_DigestUpdate(&mdctx, in3, len3); \ +- EVP_DigestFinal(&mdctx, out, NULL) +- +-void CalcLayerParams(context_t *text, char *K, unsigned Klen, +- char *hash, unsigned hashlen) ++ EVP_DigestInit(mdctx, EVP_sha1()); \ ++ EVP_DigestUpdate(mdctx, in1, len1); \ ++ EVP_DigestUpdate(mdctx, in2, len2); \ ++ EVP_DigestUpdate(mdctx, in3, len3); \ ++ EVP_DigestFinal(mdctx, out, NULL) ++ ++void CalcLayerParams(context_t *text, unsigned char *K, unsigned Klen, ++ unsigned char *hash, unsigned hashlen) + { +- EVP_MD_CTX mdctx; ++ EVP_MD_CTX *mdctx = EVP_MD_CTX_new(); + + DOHASH(text->cs_encryption_iv, K, Klen, "A", 1, hash, hashlen); + DOHASH(text->sc_encryption_iv, K, Klen, "B", 1, hash, hashlen); +@@ -735,6 +739,8 @@ void CalcLayerParams(context_t *text, char *K, unsigned Klen, + text->sc_encryption_key, hashlen); + DOHASH(text->cs_integrity_key, K, Klen, "E", 1, hash, hashlen); + DOHASH(text->sc_integrity_key, K, Klen, "F", 1, hash, hashlen); ++ ++ EVP_MD_CTX_free(mdctx); + } + + /* +@@ -753,11 +759,11 @@ static void passdss_common_mech_dispose(void *conn_context, + + if (text->dh) DH_free(text->dh); + +- HMAC_CTX_cleanup(&text->hmac_send_ctx); +- HMAC_CTX_cleanup(&text->hmac_recv_ctx); ++ HMAC_CTX_free(text->hmac_send_ctx); ++ HMAC_CTX_free(text->hmac_recv_ctx); + +- EVP_CIPHER_CTX_cleanup(&text->cipher_enc_ctx); +- EVP_CIPHER_CTX_cleanup(&text->cipher_dec_ctx); ++ EVP_CIPHER_CTX_free(text->cipher_enc_ctx); ++ EVP_CIPHER_CTX_free(text->cipher_dec_ctx); + + _plug_decode_free(&text->decode_context); + +@@ -807,15 +813,17 @@ passdss_server_mech_step1(context_t *text, + unsigned *serveroutlen, + sasl_out_params_t *oparams __attribute__((unused))) + { +- BIGNUM *X = NULL; ++ BIGNUM *X = NULL, *dh_p = NULL, *dh_g = NULL; + DSA *dsa = NULL; ++ const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key, *dh_pub_key; + unsigned char *K = NULL; + unsigned Klen, hashlen; + int need, musthave; +- EVP_MD_CTX mdctx; ++ EVP_MD_CTX *mdctx; + unsigned char hash[EVP_MAX_MD_SIZE]; + DSA_SIG *sig = NULL; +- int result; ++ const BIGNUM *sig_r, *sig_s; ++ int r = 0, result; + + /* Expect: + * +@@ -833,8 +841,18 @@ passdss_server_mech_step1(context_t *text, + } + + /* Fetch DSA (XXX create one for now) */ +- dsa = DSA_generate_parameters(1024, NULL, 0, NULL, NULL, NULL, NULL); ++ dsa = DSA_new(); + if (!dsa) { ++ params->utils->log(NULL, ++ SASL_LOG_ERR, "Error creating DSA\n"); ++ result = SASL_FAIL; ++ goto cleanup; ++ } ++ ++ r = DSA_generate_parameters_ex(dsa, 1024, NULL, 0, NULL, NULL, NULL); ++ if (!r) { ++ params->utils->log(NULL, ++ SASL_LOG_ERR, "Error generating DSA parameters\n"); + result = SASL_FAIL; + goto cleanup; + } +@@ -842,8 +860,9 @@ passdss_server_mech_step1(context_t *text, + + /* Create Diffie-Hellman parameters */ + text->dh = DH_new(); +- BN_hex2bn(&text->dh->p, N); +- BN_hex2bn(&text->dh->g, g); ++ BN_hex2bn(&dh_p, N); ++ BN_hex2bn(&dh_g, g); ++ DH_set0_pqg(text->dh, dh_p, NULL, dh_g); + DH_generate_key(text->dh); + + /* Alloc space for shared secret K as mpint */ +@@ -895,10 +914,13 @@ passdss_server_mech_step1(context_t *text, + */ + + /* Items (4) - (7) */ ++ DSA_get0_pqg(dsa, &dsa_p, &dsa_q, &dsa_g); ++ DSA_get0_key(dsa, &dsa_pub_key, NULL); ++ DH_get0_key(text->dh, &dh_pub_key, NULL); + result = MakeBuffer(text->utils, &text->out_buf, 0, &text->out_buf_len, + serveroutlen, "%5a%s%m%m%m%m%m%1o%3u", +- "ssh-dss", dsa->p, dsa->q, dsa->g, dsa->pub_key, +- text->dh->pub_key, &text->secmask, ++ "ssh-dss", dsa_p, dsa_q, dsa_g, dsa_pub_key, ++ dh_pub_key, &text->secmask, + (params->props.maxbufsize > 0xFFFFFF) ? 0xFFFFFF : + params->props.maxbufsize); + if (result) { +@@ -907,26 +929,29 @@ passdss_server_mech_step1(context_t *text, + } + + /* Hash (1) - (7) and K */ +- EVP_DigestInit(&mdctx, EVP_sha1()); ++ mdctx = EVP_MD_CTX_new(); ++ EVP_DigestInit(mdctx, EVP_sha1()); + /* (1) - (3) */ +- EVP_DigestUpdate(&mdctx, clientin, clientinlen); ++ EVP_DigestUpdate(mdctx, clientin, clientinlen); + /* (4) - (7) */ +- EVP_DigestUpdate(&mdctx, text->out_buf, *serveroutlen); ++ EVP_DigestUpdate(mdctx, text->out_buf, *serveroutlen); + /* K */ +- EVP_DigestUpdate(&mdctx, K, Klen); +- EVP_DigestFinal(&mdctx, hash, &hashlen); ++ EVP_DigestUpdate(mdctx, K, Klen); ++ EVP_DigestFinal(mdctx, hash, &hashlen); ++ EVP_MD_CTX_free(mdctx); + + /* Calculate security layer params */ + CalcLayerParams(text, K, Klen, hash, hashlen); + + /* Start cli-hmac */ +- HMAC_CTX_init(&text->hmac_recv_ctx); +- HMAC_Init_ex(&text->hmac_recv_ctx, text->cs_integrity_key, ++ text->hmac_recv_ctx = HMAC_CTX_new(); ++ HMAC_CTX_reset(text->hmac_recv_ctx); ++ HMAC_Init_ex(text->hmac_recv_ctx, text->cs_integrity_key, + SHA_DIGEST_LENGTH, EVP_sha1(), NULL); + /* (1) - (3) */ +- HMAC_Update(&text->hmac_recv_ctx, clientin, clientinlen); ++ HMAC_Update(text->hmac_recv_ctx, (unsigned char *) clientin, clientinlen); + /* (4) - (7) */ +- HMAC_Update(&text->hmac_recv_ctx, text->out_buf, *serveroutlen); ++ HMAC_Update(text->hmac_recv_ctx, text->out_buf, *serveroutlen); + + /* Sign the hash */ + sig = DSA_do_sign(hash, hashlen, dsa); +@@ -938,14 +963,15 @@ passdss_server_mech_step1(context_t *text, + } + + /* Item (8) */ ++ DSA_SIG_get0(sig, &sig_r, &sig_s); + result = MakeBuffer(text->utils, &text->out_buf, *serveroutlen, + &text->out_buf_len, serveroutlen, +- "%3a%s%m%m", "ssh-dss", sig->r, sig->s); ++ "%3a%s%m%m", "ssh-dss", sig_r, sig_s); + if (result) { + params->utils->log(NULL, SASL_LOG_ERR, "Error making output buffer\n"); + goto cleanup; + } +- *serverout = text->out_buf; ++ *serverout = (char *) text->out_buf; + + text->state = 2; + result = SASL_CONTINUE; +@@ -969,10 +995,10 @@ passdss_server_mech_step2(context_t *text, + sasl_out_params_t *oparams) + { + char *password = NULL; +- unsigned declen, hmaclen; ++ unsigned hmaclen; + unsigned char *csecmask, *cli_hmac, hmac[EVP_MAX_MD_SIZE]; + uint32_t cbufsiz; +- int r, result = SASL_OK; ++ int declen, r, result = SASL_OK; + + /* Expect (3DES encrypted): + * +@@ -983,7 +1009,7 @@ passdss_server_mech_step2(context_t *text, + */ + + /* Alloc space for the decrypted input */ +- result = _plug_buf_alloc(text->utils, &text->decode_pkt_buf, ++ result = _plug_buf_alloc(text->utils, (char **) &text->decode_pkt_buf, + &text->decode_pkt_buf_len, clientinlen); + if (result) { + params->utils->log(NULL, SASL_LOG_ERR, +@@ -992,25 +1018,28 @@ passdss_server_mech_step2(context_t *text, + } + + /* Initialize decrypt cipher */ +- EVP_CIPHER_CTX_init(&text->cipher_dec_ctx); +- EVP_DecryptInit_ex(&text->cipher_dec_ctx, EVP_des_ede3_cbc(), NULL, ++ text->cipher_dec_ctx = EVP_CIPHER_CTX_new(); ++ EVP_CIPHER_CTX_init(text->cipher_dec_ctx); ++ EVP_DecryptInit_ex(text->cipher_dec_ctx, EVP_des_ede3_cbc(), NULL, + text->cs_encryption_key, text->cs_encryption_iv); +- EVP_CIPHER_CTX_set_padding(&text->cipher_dec_ctx, 0); +- text->blk_siz = EVP_CIPHER_CTX_block_size(&text->cipher_dec_ctx); ++ EVP_CIPHER_CTX_set_padding(text->cipher_dec_ctx, 0); ++ text->blk_siz = EVP_CIPHER_CTX_block_size(text->cipher_dec_ctx); + + /* Decrypt the blob */ +- r = EVP_DecryptUpdate(&text->cipher_dec_ctx, text->decode_pkt_buf, &declen, +- clientin, clientinlen); ++ r = EVP_DecryptUpdate(text->cipher_dec_ctx, ++ text->decode_pkt_buf, &declen, ++ (unsigned char *) clientin, clientinlen); + if (r) +- r = EVP_DecryptFinal_ex(&text->cipher_dec_ctx, /* should be no output */ +- text->decode_pkt_buf + declen, &declen); ++ r = EVP_DecryptFinal_ex(text->cipher_dec_ctx, /* should be no output */ ++ text->decode_pkt_buf + declen, ++ &declen); + if (!r) { + params->utils->seterror(params->utils->conn, 0, + "Error decrypting input in step 2"); + result = SASL_BADPROT; + goto cleanup; + } +- clientin = text->decode_pkt_buf; ++ clientin = (char *) text->decode_pkt_buf; + + result = UnBuffer(params->utils, clientin, clientinlen, + "%-1o%3u%s%-*o%*p", &csecmask, &cbufsiz, &password, +@@ -1024,8 +1053,8 @@ passdss_server_mech_step2(context_t *text, + /* Finish cli-hmac */ + /* (1) - (7) hashed in step 1 */ + /* 1st 4 bytes of (9) */ +- HMAC_Update(&text->hmac_recv_ctx, clientin, 4); +- HMAC_Final(&text->hmac_recv_ctx, hmac, &hmaclen); ++ HMAC_Update(text->hmac_recv_ctx, (unsigned char *) clientin, 4); ++ HMAC_Final(text->hmac_recv_ctx, hmac, &hmaclen); + + /* Verify cli-hmac */ + if (memcmp(cli_hmac, hmac, hmaclen)) { +@@ -1087,16 +1116,18 @@ passdss_server_mech_step2(context_t *text, + oparams->decode = &passdss_decode; + oparams->maxoutbuf = cbufsiz - 4 - SHA_DIGEST_LENGTH; /* -len -HMAC */ + +- HMAC_CTX_init(&text->hmac_send_ctx); ++ text->hmac_send_ctx = HMAC_CTX_new(); ++ HMAC_CTX_reset(text->hmac_send_ctx); + + if (oparams->mech_ssf > 1) { + oparams->maxoutbuf -= text->blk_siz-1; /* padding */ + + /* Initialize encrypt cipher */ +- EVP_CIPHER_CTX_init(&text->cipher_enc_ctx); +- EVP_EncryptInit_ex(&text->cipher_enc_ctx, EVP_des_ede3_cbc(), NULL, ++ text->cipher_enc_ctx = EVP_CIPHER_CTX_new(); ++ EVP_CIPHER_CTX_init(text->cipher_enc_ctx); ++ EVP_EncryptInit_ex(text->cipher_enc_ctx, EVP_des_ede3_cbc(), NULL, + text->sc_encryption_key, text->sc_encryption_iv); +- EVP_CIPHER_CTX_set_padding(&text->cipher_enc_ctx, 0); ++ EVP_CIPHER_CTX_set_padding(text->cipher_enc_ctx, 0); + } + + _plug_decode_init(&text->decode_context, text->utils, +@@ -1245,6 +1276,8 @@ passdss_client_mech_step1(context_t *text, + int auth_result = SASL_OK; + int pass_result = SASL_OK; + int result; ++ BIGNUM *dh_p = NULL, *dh_g = NULL; ++ const BIGNUM *dh_pub_key; + + /* Expect: absolutely nothing */ + if (serverinlen > 0) { +@@ -1332,8 +1365,9 @@ passdss_client_mech_step1(context_t *text, + + /* create Diffie-Hellman parameters */ + text->dh = DH_new(); +- BN_hex2bn(&text->dh->p, N); +- BN_hex2bn(&text->dh->g, g); ++ BN_hex2bn(&dh_p, N); ++ BN_hex2bn(&dh_g, g); ++ DH_set0_pqg(text->dh, dh_p, NULL, dh_g); + DH_generate_key(text->dh); + + +@@ -1344,15 +1378,16 @@ passdss_client_mech_step1(context_t *text, + * (3) mpint X ; Diffie-Hellman parameter X + */ + ++ DH_get0_key(text->dh, &dh_pub_key, NULL); + result = MakeBuffer(text->utils, &text->out_buf, 0, &text->out_buf_len, + clientoutlen, "%s%s%m", + (user && *user) ? (char *) oparams->user : "", +- (char *) oparams->authid, text->dh->pub_key); ++ (char *) oparams->authid, dh_pub_key); + if (result) { + params->utils->log(NULL, SASL_LOG_ERR, "Error making output buffer\n"); + goto cleanup; + } +- *clientout = text->out_buf; ++ *clientout = (char *) text->out_buf; + + text->state = 2; + result = SASL_CONTINUE; +@@ -1374,15 +1409,16 @@ passdss_client_mech_step2(context_t *text, + { + DSA *dsa = DSA_new(); + DSA_SIG *sig = DSA_SIG_new(); +- BIGNUM *Y = NULL; ++ BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL, *dsa_pub_key = NULL; ++ BIGNUM *Y = NULL, *sig_r = NULL, *sig_s = NULL; + uint32_t siglen; + unsigned char *K = NULL; +- unsigned Klen, hashlen, enclen; ++ unsigned Klen, hashlen; + unsigned char *ssecmask; + uint32_t sbufsiz; +- EVP_MD_CTX mdctx; ++ EVP_MD_CTX *mdctx; + unsigned char hash[EVP_MAX_MD_SIZE]; +- int need, musthave; ++ int enclen, need, musthave; + int result, r; + + /* Expect: +@@ -1404,14 +1440,18 @@ passdss_client_mech_step2(context_t *text, + + result = UnBuffer(params->utils, serverin, serverinlen, + "%u%3p\7ssh-dss%m%m%m%m%m%-1o%3u%u%3p\7ssh-dss%m%m", +- NULL, &dsa->p, &dsa->q, &dsa->g, &dsa->pub_key, +- &Y, &ssecmask, &sbufsiz, &siglen, &sig->r, &sig->s); ++ NULL, &dsa_p, &dsa_q, &dsa_g, &dsa_pub_key, ++ &Y, &ssecmask, &sbufsiz, &siglen, &sig_r, &sig_s); + if (result) { + params->utils->seterror(params->utils->conn, 0, + "Error UnBuffering input in step 2"); + goto cleanup; + } + ++ DSA_set0_pqg(dsa, dsa_p, dsa_q, dsa_g); ++ DSA_set0_key(dsa, dsa_pub_key, NULL); ++ DSA_SIG_set0(sig, sig_r, sig_s); ++ + /* XXX Validate server DSA public key */ + + /* Alloc space for shared secret K as mpint */ +@@ -1430,14 +1470,16 @@ passdss_client_mech_step2(context_t *text, + Klen += 4; + + /* Hash (1) - (7) and K */ +- EVP_DigestInit(&mdctx, EVP_sha1()); ++ mdctx = EVP_MD_CTX_new(); ++ EVP_DigestInit(mdctx, EVP_sha1()); + /* (1) - (3) (output from step 1 still in buffer) */ +- EVP_DigestUpdate(&mdctx, text->out_buf, text->out_buf_len); ++ EVP_DigestUpdate(mdctx, text->out_buf, text->out_buf_len); + /* (4) - (7) */ +- EVP_DigestUpdate(&mdctx, serverin, serverinlen - siglen - 4); ++ EVP_DigestUpdate(mdctx, serverin, serverinlen - siglen - 4); + /* K */ +- EVP_DigestUpdate(&mdctx, K, Klen); +- EVP_DigestFinal(&mdctx, hash, &hashlen); ++ EVP_DigestUpdate(mdctx, K, Klen); ++ EVP_DigestFinal(mdctx, hash, &hashlen); ++ EVP_MD_CTX_free(mdctx); + + /* Verify signature on the hash */ + result = DSA_do_verify(hash, hashlen, sig, dsa); +@@ -1453,11 +1495,12 @@ passdss_client_mech_step2(context_t *text, + CalcLayerParams(text, K, Klen, hash, hashlen); + + /* Initialize encrypt cipher */ +- EVP_CIPHER_CTX_init(&text->cipher_enc_ctx); +- EVP_EncryptInit_ex(&text->cipher_enc_ctx, EVP_des_ede3_cbc(), NULL, ++ text->cipher_enc_ctx = EVP_CIPHER_CTX_new(); ++ EVP_CIPHER_CTX_init(text->cipher_enc_ctx); ++ EVP_EncryptInit_ex(text->cipher_enc_ctx, EVP_des_ede3_cbc(), NULL, + text->cs_encryption_key, text->cs_encryption_iv); +- EVP_CIPHER_CTX_set_padding(&text->cipher_enc_ctx, 0); +- text->blk_siz = EVP_CIPHER_CTX_block_size(&text->cipher_enc_ctx); ++ EVP_CIPHER_CTX_set_padding(text->cipher_enc_ctx, 0); ++ text->blk_siz = EVP_CIPHER_CTX_block_size(text->cipher_enc_ctx); + + /* pick a layer */ + if (params->props.maxbufsize < 32) { +@@ -1488,13 +1531,15 @@ passdss_client_mech_step2(context_t *text, + } + + /* Start cli-hmac */ +- HMAC_CTX_init(&text->hmac_send_ctx); +- HMAC_Init_ex(&text->hmac_send_ctx, text->cs_integrity_key, ++ text->hmac_send_ctx = HMAC_CTX_new(); ++ HMAC_CTX_reset(text->hmac_send_ctx); ++ HMAC_Init_ex(text->hmac_send_ctx, text->cs_integrity_key, + SHA_DIGEST_LENGTH, EVP_sha1(), NULL); + /* (1) - (3) (output from step 1 still in buffer) */ +- HMAC_Update(&text->hmac_send_ctx, text->out_buf, text->out_buf_len); ++ HMAC_Update(text->hmac_send_ctx, text->out_buf, text->out_buf_len); + /* (4) - (7) */ +- HMAC_Update(&text->hmac_send_ctx, serverin, serverinlen - siglen - 4); ++ HMAC_Update(text->hmac_send_ctx, ++ (unsigned char *) serverin, serverinlen - siglen - 4); + + + /* Send out (3DES encrypted): +@@ -1518,8 +1563,8 @@ passdss_client_mech_step2(context_t *text, + + /* Finish cli-hmac */ + /* 1st 4 bytes of (9) */ +- HMAC_Update(&text->hmac_send_ctx, text->out_buf, 4); +- HMAC_Final(&text->hmac_send_ctx, hash, &hashlen); ++ HMAC_Update(text->hmac_send_ctx, text->out_buf, 4); ++ HMAC_Final(text->hmac_send_ctx, hash, &hashlen); + + /* Add HMAC and pad to fill no more than current block */ + result = MakeBuffer(text->utils, &text->out_buf, *clientoutlen, +@@ -1531,7 +1576,7 @@ passdss_client_mech_step2(context_t *text, + } + + /* Alloc space for the encrypted output */ +- result = _plug_buf_alloc(text->utils, &text->encode_buf, ++ result = _plug_buf_alloc(text->utils, (char **) &text->encode_buf, + &text->encode_buf_len, *clientoutlen); + if (result) { + params->utils->log(NULL, SASL_LOG_ERR, +@@ -1540,19 +1585,20 @@ passdss_client_mech_step2(context_t *text, + } + + /* Encrypt (9) (here we calculate the exact number of full blocks) */ +- r = EVP_EncryptUpdate(&text->cipher_enc_ctx, text->encode_buf, +- clientoutlen, text->out_buf, ++ r = EVP_EncryptUpdate(text->cipher_enc_ctx, ++ text->encode_buf, (int *) clientoutlen, text->out_buf, + text->blk_siz * (*clientoutlen / text->blk_siz)); + if (r) +- r = EVP_EncryptFinal_ex(&text->cipher_enc_ctx, /* should be no output */ +- text->encode_buf + *clientoutlen, &enclen); ++ r = EVP_EncryptFinal_ex(text->cipher_enc_ctx, /* should be no output */ ++ text->encode_buf + *clientoutlen, ++ &enclen); + if (!r) { + params->utils->seterror(params->utils->conn, 0, + "Error encrypting output in step 2"); + result = SASL_FAIL; + goto cleanup; + } +- *clientout = text->encode_buf; ++ *clientout = (char *) text->encode_buf; + + /* Set oparams */ + oparams->doneflag = 1; +@@ -1563,16 +1609,18 @@ passdss_client_mech_step2(context_t *text, + oparams->decode = &passdss_decode; + oparams->maxoutbuf = sbufsiz - 4 - SHA_DIGEST_LENGTH; /* -len -HMAC */ + +- HMAC_CTX_init(&text->hmac_recv_ctx); ++ text->hmac_recv_ctx = HMAC_CTX_new(); ++ HMAC_CTX_reset(text->hmac_recv_ctx); + + if (oparams->mech_ssf > 1) { + oparams->maxoutbuf -= text->blk_siz-1; /* padding */ + + /* Initialize decrypt cipher */ +- EVP_CIPHER_CTX_init(&text->cipher_dec_ctx); +- EVP_DecryptInit_ex(&text->cipher_dec_ctx, EVP_des_ede3_cbc(), NULL, ++ text->cipher_dec_ctx = EVP_CIPHER_CTX_new(); ++ EVP_CIPHER_CTX_init(text->cipher_dec_ctx); ++ EVP_DecryptInit_ex(text->cipher_dec_ctx, EVP_des_ede3_cbc(), NULL, + text->sc_encryption_key, text->sc_encryption_iv); +- EVP_CIPHER_CTX_set_padding(&text->cipher_dec_ctx, 0); ++ EVP_CIPHER_CTX_set_padding(text->cipher_dec_ctx, 0); + } + + _plug_decode_init(&text->decode_context, text->utils, + diff --git a/cyrus-sasl.spec b/cyrus-sasl.spec index 505f1dd..7730c64 100644 --- a/cyrus-sasl.spec +++ b/cyrus-sasl.spec @@ -24,7 +24,7 @@ Summary(ru.UTF-8): Библиотека Cyrus SASL Summary(uk.UTF-8): Бібліотека Cyrus SASL Name: cyrus-sasl Version: 2.1.26 -Release: 7 +Release: 8 License: distributable Group: Libraries Source0: ftp://ftp.cyrusimap.org/cyrus-sasl/%{name}-%{version}.tar.gz @@ -58,6 +58,7 @@ Patch20: %{name}-auxprop.patch Patch21: 0030-dont_use_la_files_for_opening_plugins.patch Patch22: %{name}-stddef.patch Patch23: http://sourceforge.net/projects/miscellaneouspa/files/glibc217/cyrus-sasl-2.1.26-glibc217-crypt.diff +Patch24: cyrus-sasl-2.1.27-openssl-1.1.0.patch URL: http://asg.web.cmu.edu/sasl/ BuildRequires: autoconf >= 2.54 BuildRequires: automake >= 1:1.7 @@ -535,6 +536,7 @@ Wtyczka Nagiosa do sprawdzania działania saslauthd. %patch21 -p1 %patch22 -p1 %patch23 -p1 +%patch24 -p1 cd doc echo "cyrus-sasl complies with the following RFCs:" > rfc-compliance -- 2.43.0