commit: ab9cb2adf29b582afb8541b4ceb5a3185c82ba30 Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org> AuthorDate: Wed Oct 24 12:30:31 2018 +0000 Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org> CommitDate: Wed Oct 24 12:30:31 2018 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab9cb2ad
dev-libs/cyrus-sasl: Fixed build with openssl-1.1 Bumped to EAPI-6 and did some ebuild cleanup. Closes: https://bugs.gentoo.org/592528 Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org> Package-Manager: Portage-2.3.51, Repoman-2.3.11 dev-libs/cyrus-sasl/cyrus-sasl-2.1.26-r11.ebuild | 111 ++++--- ...us-sasl-2.1.23-gss_c_nt_hostbased_service.patch | 4 +- .../files/cyrus-sasl-2.1.25-fix_heimdal.patch | 8 +- .../files/cyrus-sasl-2.1.25-missing_header.patch | 4 +- .../files/cyrus-sasl-2.1.25-service_keytabs.patch | 8 +- ...us-sasl-2.1.26-fix_dovecot_authentication.patch | 8 +- .../files/cyrus-sasl-2.1.26-missing-size_t.patch | 4 +- .../files/cyrus-sasl-2.1.26-openssl-1.1.patch | 353 +++++++++++++++++++++ 8 files changed, 425 insertions(+), 75 deletions(-) diff --git a/dev-libs/cyrus-sasl/cyrus-sasl-2.1.26-r11.ebuild b/dev-libs/cyrus-sasl/cyrus-sasl-2.1.26-r11.ebuild index 582c8463da1..f7cccc351ba 100644 --- a/dev-libs/cyrus-sasl/cyrus-sasl-2.1.26-r11.ebuild +++ b/dev-libs/cyrus-sasl/cyrus-sasl-2.1.26-r11.ebuild @@ -1,9 +1,9 @@ -# Copyright 1999-2018 Gentoo Foundation +# Copyright 1999-2018 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -EAPI=5 +EAPI=6 -inherit eutils flag-o-matic multilib multilib-minimal autotools pam java-pkg-opt-2 db-use systemd +inherit flag-o-matic multilib multilib-minimal autotools pam java-pkg-opt-2 db-use systemd SASLAUTHD_CONF_VER="2.1.26" @@ -58,6 +58,7 @@ PATCHES=( "${FILESDIR}/${PN}-2.1.26-send-imap-logout.patch" "${FILESDIR}/${PN}-2.1.26-canonuser-ldapdb-garbage-in-out-buffer.patch" "${FILESDIR}/${PN}-2.1.26-fix_dovecot_authentication.patch" + "${FILESDIR}/${PN}-2.1.26-openssl-1.1.patch" #592528 ) pkg_setup() { @@ -65,7 +66,7 @@ pkg_setup() { } src_prepare() { - epatch "${PATCHES[@]}" + default # Get rid of the -R switch (runpath_switch for Sun) # >=gcc-4.6 errors out with unknown option 
@@ -103,73 +104,66 @@ multilib_src_configure() { # Java support. multilib_is_native_abi && use java && export JAVAC="${JAVAC} ${JAVACFLAGS}" - local myconf=() - - # Add authdaemond support (bug #56523). - if use authdaemond ; then - myconf+=( --with-authdaemond="${EPREFIX}"/var/lib/courier/authdaemon/socket ) - fi - - # Fix for bug #59634. - if ! use ssl ; then - myconf+=( --without-des ) - fi + local myeconfargs=( + --enable-login + --enable-ntlm + --enable-auth-sasldb + --disable-cmulocal + --disable-krb4 + --disable-macos-framework + --enable-otp + --without-sqlite + --with-saslauthd="${EPREFIX}"/run/saslauthd + --with-pwcheck="${EPREFIX}"/run/saslauthd + --with-configdir="${EPREFIX}"/etc/sasl2 + --with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sasl2 + --with-dbpath="${EPREFIX}"/etc/sasl2/sasldb2 + $(use_with ssl openssl) + $(use_with pam) + $(use_with openldap ldap) + $(use_enable ldapdb) + $(multilib_native_use_enable sample) + $(use_enable kerberos gssapi) + $(multilib_native_use_enable java) + $(multilib_native_use_with java javahome ${JAVA_HOME}) + $(multilib_native_use_with mysql mysql "${EPREFIX}"/usr) + $(multilib_native_use_with postgres pgsql) + $(use_with sqlite sqlite3 "${EPREFIX}"/usr/$(get_libdir)) + $(use_enable srp) + $(use_enable static-libs static) + + # Add authdaemond support (bug #56523). + $(usex authdaemond --with-authdaemond="${EPREFIX}"/var/lib/courier/authdaemon/socket '') + + # Fix for bug #59634. + $(usex ssl '' --without-des) + + # Use /dev/urandom instead of /dev/random (bug #46038). + $(usex urandom --with-devrandom=/dev/urandom '') + ) if use sqlite || { multilib_is_native_abi && { use mysql || use postgres; }; } ; then - myconf+=( --enable-sql ) + myeconfargs+=( --enable-sql ) else - myconf+=( --disable-sql ) + myeconfargs+=( --disable-sql ) fi # Default to GDBM if both 'gdbm' and 'berkdb' are present. 
if use gdbm ; then einfo "Building with GNU DB as database backend for your SASLdb" - myconf+=( --with-dblib=gdbm ) + myeconfargs+=( --with-dblib=gdbm ) elif use berkdb ; then einfo "Building with BerkeleyDB as database backend for your SASLdb" - myconf+=( + myeconfargs+=( --with-dblib=berkeley --with-bdb-incdir="$(db_includedir)" ) else einfo "Building without SASLdb support" - myconf+=( --with-dblib=none ) - fi - - # Use /dev/urandom instead of /dev/random (bug #46038). - if use urandom ; then - myconf+=( --with-devrandom=/dev/urandom ) + myeconfargs+=( --with-dblib=none ) fi - ECONF_SOURCE=${S} \ - econf \ - --enable-login \ - --enable-ntlm \ - --enable-auth-sasldb \ - --disable-cmulocal \ - --disable-krb4 \ - --disable-macos-framework \ - --enable-otp \ - --without-sqlite \ - --with-saslauthd="${EPREFIX}"/run/saslauthd \ - --with-pwcheck="${EPREFIX}"/run/saslauthd \ - --with-configdir="${EPREFIX}"/etc/sasl2 \ - --with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sasl2 \ - --with-dbpath="${EPREFIX}"/etc/sasl2/sasldb2 \ - $(use_with ssl openssl) \ - $(use_with pam) \ - $(use_with openldap ldap) \ - $(use_enable ldapdb) \ - $(multilib_native_use_enable sample) \ - $(use_enable kerberos gssapi) \ - $(multilib_native_use_enable java) \ - $(multilib_native_use_with java javahome ${JAVA_HOME}) \ - $(multilib_native_use_with mysql mysql "${EPREFIX}"/usr) \ - $(multilib_native_use_with postgres pgsql) \ - $(use_with sqlite sqlite3 "${EPREFIX}"/usr/$(get_libdir)) \ - $(use_enable srp) \ - $(use_enable static-libs static) \ - "${myconf[@]}" + ECONF_SOURCE="${S}" econf "${myeconfargs[@]}" } multilib_src_compile() { @@ -215,7 +209,9 @@ multilib_src_install_all() { dodoc AUTHORS ChangeLog NEWS README doc/TODO doc/*.txt newdoc pwcheck/README README.pwcheck - dohtml doc/*.html + + docinto html + dodoc doc/*.html docinto "saslauthd" dodoc saslauthd/{AUTHORS,ChangeLog,LDAP_SASLAUTHD,NEWS,README} 
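Review bot: The three `$(usex …)` entries in the new `myeconfargs` array of multilib_src_configure are unquoted, so their output is word-split and glob-expanded before it becomes an array element. The removed `myconf+=( --with-authdaemond="${EPREFIX}"/… )` form kept the socket path as a single word. This only matters if `${EPREFIX}` contains whitespace or glob characters, but it is a step back in quoting, and it also relies on the empty `''` result vanishing through word splitting. Keeping the conditional appends after the array avoids both, e.g. `use authdaemond && myeconfargs+=( --with-authdaemond="${EPREFIX}"/var/lib/courier/authdaemon/socket )`. The function body starts above this hunk.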
@@ -233,8 +229,9 @@ multilib_src_install_all() { # The get_modname bit is important: do not remove the .la files on # platforms where the lib isn't called .so for cyrus searches the .la to # figure out what the name is supposed to be instead - use static-libs || [[ $(get_modname) != .so ]] || \ - prune_libtool_files --modules + if ! use static-libs && [[ $(get_modname) == .so ]] ; then + find "${ED}" -name "*.la" -delete || die + fi } pkg_postinst () { diff --git a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.23-gss_c_nt_hostbased_service.patch b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.23-gss_c_nt_hostbased_service.patch index 9eeab1b42ff..beea8eb28d1 100644 --- a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.23-gss_c_nt_hostbased_service.patch +++ b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.23-gss_c_nt_hostbased_service.patch @@ -1,6 +1,6 @@ Gentoo bug #389349 ---- cmulocal/sasl2.m4 2009-04-28 17:09:13.000000000 +0200 -+++ cmulocal/sasl2.m4 2011-11-02 17:55:24.000000000 +0100 +--- a/cmulocal/sasl2.m4 ++++ b/cmulocal/sasl2.m4 @@ -217,7 +217,11 @@ [AC_WARN([Cybersafe define not found])]) diff --git a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-fix_heimdal.patch b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-fix_heimdal.patch index abf0df2568c..92be2600348 100644 --- a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-fix_heimdal.patch +++ b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-fix_heimdal.patch @@ -1,7 +1,7 @@ Fix compiling against heimdal ---- sample/server.c 2010-12-01 14:52:55.000000000 +0000 -+++ sample/server.c 2011-11-30 14:54:42.000000000 +0000 +--- a/sample/server.c ++++ b/sample/server.c @@ -85,8 +85,10 @@ #ifdef HAVE_GSS_GET_NAME_ATTRIBUTE @@ -13,8 +13,8 @@ Fix compiling against heimdal #include "common.h" ---- plugins/gssapi.c 2011-05-11 19:25:55.000000000 +0000 -+++ plugins/gssapi.c 2011-11-30 14:54:33.000000000 +0000 +--- a/plugins/gssapi.c ++++ b/plugins/gssapi.c @@ -50,6 +50,9 @@ #else #include <gssapi/gssapi.h> 
diff --git a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-missing_header.patch b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-missing_header.patch index 597d45a7679..a413e00bf42 100644 --- a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-missing_header.patch +++ b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-missing_header.patch @@ -1,5 +1,5 @@ ---- pwcheck/pwcheck_getspnam.c 1999-08-26 19:22:44.000000000 +0300 -+++ pwcheck/pwcheck_getspnam.c 2011-11-30 13:22:24.601023316 +0200 +--- a/pwcheck/pwcheck_getspnam.c ++++ b/pwcheck/pwcheck_getspnam.c @@ -24,6 +24,7 @@ ******************************************************************/ diff --git a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-service_keytabs.patch b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-service_keytabs.patch index 117e8eb8880..43b6162a66f 100644 --- a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-service_keytabs.patch +++ b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-service_keytabs.patch @@ -1,6 +1,6 @@ Bug #445932 ---- cmulocal/sasl2.m4 2011-09-02 12:58:00.000000000 +0000 -+++ cmulocal/sasl2.m4 2012-12-05 08:37:16.425811319 +0000 +--- a/cmulocal/sasl2.m4 ++++ b/cmulocal/sasl2.m4 @@ -268,7 +268,11 @@ cmu_save_LIBS="$LIBS" @@ -14,8 +14,8 @@ Bug #445932 AC_CHECK_FUNCS(gss_decapsulate_token) AC_CHECK_FUNCS(gss_encapsulate_token) AC_CHECK_FUNCS(gss_oid_equal) ---- plugins/gssapi.c 2012-12-05 09:03:31.000220161 +0000 -+++ plugins/gssapi.c 2012-12-05 09:01:55.043380204 +0000 +--- a/plugins/gssapi.c ++++ b/plugins/gssapi.c @@ -50,7 +50,7 @@ #else #include <gssapi/gssapi.h> diff --git a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-fix_dovecot_authentication.patch b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-fix_dovecot_authentication.patch index 46bbdd1ca1a..6fc9de80287 100644 --- a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-fix_dovecot_authentication.patch +++ b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-fix_dovecot_authentication.patch 
@@ -1,6 +1,6 @@ Bug #510320 ---- saslauthd/auth_rimap.c 2012-10-12 14:05:48.000000000 +0000 -+++ saslauthd/auth_rimap.c 2014-05-15 05:23:02.000000000 +0000 +--- a/saslauthd/auth_rimap.c ++++ b/saslauthd/auth_rimap.c @@ -371,7 +371,7 @@ if ( rc>0 ) { /* check if there is more to read */ @@ -65,8 +65,8 @@ Bug #510320 rc += ret; } } ---- lib/checkpw.c 2012-01-27 23:31:36.000000000 +0000 -+++ lib/checkpw.c 2014-05-15 05:19:35.000000000 +0000 +--- a/lib/checkpw.c ++++ b/lib/checkpw.c @@ -587,16 +587,14 @@ /* Timeout. */ errno = ETIMEDOUT; diff --git a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-missing-size_t.patch b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-missing-size_t.patch index 42f20fb8096..0177b52567f 100644 --- a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-missing-size_t.patch +++ b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-missing-size_t.patch @@ -1,6 +1,6 @@ Gentoo bug #458790 ---- include/sasl.h 2012-10-12 17:05:48.000000000 +0300 -+++ include/sasl.h 2013-02-23 16:56:44.648786268 +0200 +--- a/include/sasl.h ++++ b/include/sasl.h @@ -121,6 +121,9 @@ #ifndef SASL_H #define SASL_H 1 diff --git a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-openssl-1.1.patch b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-openssl-1.1.patch new file mode 100644 index 00000000000..3b0ffac24f0 --- /dev/null +++ b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-openssl-1.1.patch 
@@ -0,0 +1,353 @@ +diff --git a/plugins/ntlm.c b/plugins/ntlm.c +index 79ea47c..554a00d 100644 +--- a/plugins/ntlm.c ++++ b/plugins/ntlm.c +@@ -417,6 +417,29 @@ static unsigned char *P24(unsigned char *P24, unsigned char *P21, + return P24; + } + ++static HMAC_CTX *_plug_HMAC_CTX_new(const sasl_utils_t *utils) ++{ ++ utils->log(NULL, SASL_LOG_DEBUG, "_plug_HMAC_CTX_new()"); ++ ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ return HMAC_CTX_new(); ++#else ++ return utils->malloc(sizeof(EVP_MD_CTX)); ++#endif ++} ++ ++static void _plug_HMAC_CTX_free(HMAC_CTX *ctx, const sasl_utils_t *utils) ++{ ++ utils->log(NULL, SASL_LOG_DEBUG, "_plug_HMAC_CTX_free()"); ++ ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ HMAC_CTX_free(ctx); ++#else ++ HMAC_cleanup(ctx); ++ utils->free(ctx); ++#endif ++} ++ + static unsigned char *V2(unsigned char *V2, sasl_secret_t *passwd, + const char *authid, const char *target, + const unsigned char *challenge, +@@ -424,7 +447,7 @@ static unsigned char *V2(unsigned char *V2, sasl_secret_t *passwd, + const sasl_utils_t *utils, + char **buf, unsigned *buflen, int *result) + { +- HMAC_CTX ctx; ++ HMAC_CTX *ctx = NULL; + unsigned char hash[EVP_MAX_MD_SIZE]; + char *upper; + unsigned int len; +@@ -435,6 +458,10 @@ static unsigned char *V2(unsigned char *V2, sasl_secret_t *passwd, + SETERROR(utils, "cannot allocate NTLMv2 hash"); + *result = SASL_NOMEM; + } ++ else if ((ctx = _plug_HMAC_CTX_new(utils)) == NULL) { ++ SETERROR(utils, "cannot allocate HMAC CTX"); ++ *result = SASL_NOMEM; ++ } + else { + /* NTLMv2hash = HMAC-MD5(NTLMhash, unicode(ucase(authid + domain))) */ + P16_nt(hash, passwd, utils, buf, buflen, result); +@@ -449,17 +476,18 @@ static unsigned char *V2(unsigned char *V2, sasl_secret_t *passwd, + HMAC(EVP_md5(), hash, MD4_DIGEST_LENGTH, *buf, 2 * len, hash, &len); + + /* V2 = HMAC-MD5(NTLMv2hash, challenge + blob) + blob */ +- HMAC_Init(&ctx, hash, len, EVP_md5()); +- HMAC_Update(&ctx, challenge, NTLM_NONCE_LENGTH); +- HMAC_Update(&ctx, 
blob, bloblen); +- HMAC_Final(&ctx, V2, &len); +- HMAC_cleanup(&ctx); ++ HMAC_Init_ex(ctx, hash, len, EVP_md5(), NULL); ++ HMAC_Update(ctx, challenge, NTLM_NONCE_LENGTH); ++ HMAC_Update(ctx, blob, bloblen); ++ HMAC_Final(ctx, V2, &len); + + /* the blob is concatenated outside of this function */ + + *result = SASL_OK; + } + ++ if (ctx) _plug_HMAC_CTX_free(ctx, utils); ++ + return V2; + } + +diff --git a/plugins/otp.c b/plugins/otp.c +index dd73065..d1e9bf4 100644 +--- a/plugins/otp.c ++++ b/plugins/otp.c +@@ -96,6 +96,28 @@ static algorithm_option_t algorithm_options[] = { + {NULL, 0, NULL} + }; + ++static EVP_MD_CTX *_plug_EVP_MD_CTX_new(const sasl_utils_t *utils) ++{ ++ utils->log(NULL, SASL_LOG_DEBUG, "_plug_EVP_MD_CTX_new()"); ++ ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ return EVP_MD_CTX_new(); ++#else ++ return utils->malloc(sizeof(EVP_MD_CTX)); ++#endif ++} ++ ++static void _plug_EVP_MD_CTX_free(EVP_MD_CTX *ctx, const sasl_utils_t *utils) ++{ ++ utils->log(NULL, SASL_LOG_DEBUG, "_plug_EVP_MD_CTX_free()"); ++ ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ EVP_MD_CTX_free(ctx); ++#else ++ utils->free(ctx); ++#endif ++} ++ + /* Convert the binary data into ASCII hex */ + void bin2hex(unsigned char *bin, int binlen, char *hex) + { +@@ -116,17 +138,16 @@ void bin2hex(unsigned char *bin, int binlen, char *hex) + * swabbing bytes if necessary. 
+ */ + static void otp_hash(const EVP_MD *md, char *in, size_t inlen, +- unsigned char *out, int swab) ++ unsigned char *out, int swab, EVP_MD_CTX *mdctx) + { +- EVP_MD_CTX mdctx; + char hash[EVP_MAX_MD_SIZE]; + unsigned int i; + int j; + unsigned hashlen; + +- EVP_DigestInit(&mdctx, md); +- EVP_DigestUpdate(&mdctx, in, inlen); +- EVP_DigestFinal(&mdctx, hash, &hashlen); ++ EVP_DigestInit(mdctx, md); ++ EVP_DigestUpdate(mdctx, in, inlen); ++ EVP_DigestFinal(mdctx, hash, &hashlen); + + /* Fold the result into 64 bits */ + for (i = OTP_HASH_SIZE; i < hashlen; i++) { +@@ -149,7 +170,9 @@ static int generate_otp(const sasl_utils_t *utils, + char *secret, char *otp) + { + const EVP_MD *md; +- char *key; ++ EVP_MD_CTX *mdctx = NULL; ++ char *key = NULL; ++ int r = SASL_OK; + + if (!(md = EVP_get_digestbyname(alg->evp_name))) { + utils->seterror(utils->conn, 0, +@@ -157,23 +180,32 @@ static int generate_otp(const sasl_utils_t *utils, + return SASL_FAIL; + } + ++ if ((mdctx = _plug_EVP_MD_CTX_new(utils)) == NULL) { ++ SETERROR(utils, "cannot allocate MD CTX"); ++ r = SASL_NOMEM; ++ goto done; ++ } ++ + if ((key = utils->malloc(strlen(seed) + strlen(secret) + 1)) == NULL) { + SETERROR(utils, "cannot allocate OTP key"); +- return SASL_NOMEM; ++ r = SASL_NOMEM; ++ goto done; + } + + /* initial step */ + strcpy(key, seed); + strcat(key, secret); +- otp_hash(md, key, strlen(key), otp, alg->swab); ++ otp_hash(md, key, strlen(key), otp, alg->swab, mdctx); + + /* computation step */ + while (seq-- > 0) +- otp_hash(md, otp, OTP_HASH_SIZE, otp, alg->swab); ++ otp_hash(md, otp, OTP_HASH_SIZE, otp, alg->swab, mdctx); + +- utils->free(key); ++ done: ++ if (key) utils->free(key); ++ if (mdctx) _plug_EVP_MD_CTX_free(mdctx, utils); + +- return SASL_OK; ++ return r; + } + + static int parse_challenge(const sasl_utils_t *utils, +@@ -693,7 +725,8 @@ static int strptrcasecmp(const void *arg1, const void *arg2) + + /* Convert the 6 words into binary data */ + static int word2bin(const 
sasl_utils_t *utils, +- char *words, unsigned char *bin, const EVP_MD *md) ++ char *words, unsigned char *bin, const EVP_MD *md, ++ EVP_MD_CTX *mdctx) + { + int i, j; + char *c, *word, buf[OTP_RESPONSE_MAX+1]; +@@ -752,13 +785,12 @@ static int word2bin(const sasl_utils_t *utils, + + /* alternate dictionary */ + if (alt_dict) { +- EVP_MD_CTX mdctx; + char hash[EVP_MAX_MD_SIZE]; + int hashlen; + +- EVP_DigestInit(&mdctx, md); +- EVP_DigestUpdate(&mdctx, word, strlen(word)); +- EVP_DigestFinal(&mdctx, hash, &hashlen); ++ EVP_DigestInit(mdctx, md); ++ EVP_DigestUpdate(mdctx, word, strlen(word)); ++ EVP_DigestFinal(mdctx, hash, &hashlen); + + /* use lowest 11 bits */ + x = ((hash[hashlen-2] & 0x7) << 8) | hash[hashlen-1]; +@@ -802,6 +834,7 @@ static int verify_response(server_context_t *text, const sasl_utils_t *utils, + char *response) + { + const EVP_MD *md; ++ EVP_MD_CTX *mdctx = NULL; + char *c; + int do_init = 0; + unsigned char cur_otp[OTP_HASH_SIZE], prev_otp[OTP_HASH_SIZE]; +@@ -815,6 +848,11 @@ static int verify_response(server_context_t *text, const sasl_utils_t *utils, + return SASL_FAIL; + } + ++ if ((mdctx = _plug_EVP_MD_CTX_new(utils)) == NULL) { ++ SETERROR(utils, "cannot allocate MD CTX"); ++ return SASL_NOMEM; ++ } ++ + /* eat leading whitespace */ + c = response; + while (isspace((int) *c)) c++; +@@ -824,7 +862,7 @@ static int verify_response(server_context_t *text, const sasl_utils_t *utils, + r = hex2bin(c+strlen(OTP_HEX_TYPE), cur_otp, OTP_HASH_SIZE); + } + else if (!strncasecmp(c, OTP_WORD_TYPE, strlen(OTP_WORD_TYPE))) { +- r = word2bin(utils, c+strlen(OTP_WORD_TYPE), cur_otp, md); ++ r = word2bin(utils, c+strlen(OTP_WORD_TYPE), cur_otp, md, mdctx); + } + else if (!strncasecmp(c, OTP_INIT_HEX_TYPE, + strlen(OTP_INIT_HEX_TYPE))) { +@@ -834,7 +872,7 @@ static int verify_response(server_context_t *text, const sasl_utils_t *utils, + else if (!strncasecmp(c, OTP_INIT_WORD_TYPE, + strlen(OTP_INIT_WORD_TYPE))) { + do_init = 1; +- r = word2bin(utils, 
c+strlen(OTP_INIT_WORD_TYPE), cur_otp, md); ++ r = word2bin(utils, c+strlen(OTP_INIT_WORD_TYPE), cur_otp, md, mdctx); + } + else { + SETERROR(utils, "unknown OTP extended response type"); +@@ -843,14 +881,14 @@ static int verify_response(server_context_t *text, const sasl_utils_t *utils, + } + else { + /* standard response, try word first, and then hex */ +- r = word2bin(utils, c, cur_otp, md); ++ r = word2bin(utils, c, cur_otp, md, mdctx); + if (r != SASL_OK) + r = hex2bin(c, cur_otp, OTP_HASH_SIZE); + } + + if (r == SASL_OK) { + /* do one more hash (previous otp) and compare to stored otp */ +- otp_hash(md, cur_otp, OTP_HASH_SIZE, prev_otp, text->alg->swab); ++ otp_hash(md, cur_otp, OTP_HASH_SIZE, prev_otp, text->alg->swab, mdctx); + + if (!memcmp(prev_otp, text->otp, OTP_HASH_SIZE)) { + /* update the secret with this seq/otp */ +@@ -879,23 +917,28 @@ static int verify_response(server_context_t *text, const sasl_utils_t *utils, + *new_resp++ = '\0'; + } + +- if (!(new_chal && new_resp)) +- return SASL_BADAUTH; ++ if (!(new_chal && new_resp)) { ++ r = SASL_BADAUTH; ++ goto done; ++ } + + if ((r = parse_challenge(utils, new_chal, &alg, &seq, seed, 1)) + != SASL_OK) { +- return r; ++ goto done; + } + +- if (seq < 1 || !strcasecmp(seed, text->seed)) +- return SASL_BADAUTH; ++ if (seq < 1 || !strcasecmp(seed, text->seed)) { ++ r = SASL_BADAUTH; ++ goto done; ++ } + + /* find the MDA */ + if (!(md = EVP_get_digestbyname(alg->evp_name))) { + utils->seterror(utils->conn, 0, + "OTP algorithm %s is not available", + alg->evp_name); +- return SASL_BADAUTH; ++ r = SASL_BADAUTH; ++ goto done; + } + + if (!strncasecmp(c, OTP_INIT_HEX_TYPE, strlen(OTP_INIT_HEX_TYPE))) { +@@ -903,7 +946,7 @@ static int verify_response(server_context_t *text, const sasl_utils_t *utils, + } + else if (!strncasecmp(c, OTP_INIT_WORD_TYPE, + strlen(OTP_INIT_WORD_TYPE))) { +- r = word2bin(utils, new_resp, new_otp, md); ++ r = word2bin(utils, new_resp, new_otp, md, mdctx); + } + + if (r == SASL_OK) { 
+@@ -914,7 +957,10 @@ static int verify_response(server_context_t *text, const sasl_utils_t *utils, + memcpy(text->otp, new_otp, OTP_HASH_SIZE); + } + } +- ++ ++ done: ++ if (mdctx) _plug_EVP_MD_CTX_free(mdctx, utils); ++ + return r; + } + +@@ -1443,8 +1489,10 @@ int otp_server_plug_init(const sasl_utils_t *utils, + *pluglist = otp_server_plugins; + *plugcount = 1; + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + /* Add all digests */ + OpenSSL_add_all_digests(); ++#endif + + return SASL_OK; + } +@@ -1844,8 +1892,10 @@ int otp_client_plug_init(sasl_utils_t *utils, + *pluglist = otp_client_plugins; + *plugcount = 1; + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + /* Add all digests */ + OpenSSL_add_all_digests(); ++#endif + + return SASL_OK; + } +--- a/saslauthd/lak.c ++++ b/saslauthd/lak.c +@@ -729,7 +729,7 @@ int lak_init( + return rc; + } + +-#ifdef HAVE_OPENSSL ++#if defined(HAVE_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10100000L + OpenSSL_add_all_digests(); + #endif +
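Review bot: In plugins/ntlm.c the pre-1.1 branch of `_plug_HMAC_CTX_new` returns `utils->malloc(sizeof(EVP_MD_CTX))` for an `HMAC_CTX *`, which is the wrong type's size; on OpenSSL 1.0.x, where an HMAC_CTX embeds several EVP_MD_CTX members, this under-allocates the buffer that `HMAC_Init_ex` then writes into. The block also reaches `HMAC_Init_ex` uninitialised, whereas the `HMAC_Init` call it replaces initialised the context itself. I would make that branch `HMAC_CTX *ctx = utils->malloc(sizeof(HMAC_CTX));`, `if (ctx != NULL) HMAC_CTX_init(ctx);`, `return ctx;`. The otp.c helper `_plug_EVP_MD_CTX_new` uses the same malloc pattern with the matching type and appears safe only because `EVP_DigestInit` resets the context before use, which deserves a one-line comment. Separately, `V2` sets `*result = SASL_OK` without checking the return values of `HMAC_Init_ex`/`HMAC_Update`/`HMAC_Final`, so a failed HMAC-MD5 (for example where MD5 is disabled by policy) would leave an indeterminate response that is reported as success.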