Date: Sat, 16 Jun 2018 06:16:51 +0000 (UTC) From: Hajimu UMEMOTO <ume@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r472519 - in head/security/cyrus-sasl2: . files Message-ID: <201806160616.w5G6GpCO041852@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: ume Date: Sat Jun 16 06:16:51 2018 New Revision: 472519 URL: https://svnweb.freebsd.org/changeset/ports/472519 Log: - Backport from 2.1.27-rc7 OpenSSL 1.1 fixes - Fix WWW PR: 225891 Submitted by: brnrd Added: head/security/cyrus-sasl2/files/patch-Makefile.am (contents, props changed) head/security/cyrus-sasl2/files/patch-crypto-compat.c (contents, props changed) head/security/cyrus-sasl2/files/patch-crypto-compat.h (contents, props changed) head/security/cyrus-sasl2/files/patch-lib_Makefile.am (contents, props changed) head/security/cyrus-sasl2/files/patch-plugins_Makefile.am (contents, props changed) head/security/cyrus-sasl2/files/patch-plugins_ntlm.c (contents, props changed) head/security/cyrus-sasl2/files/patch-plugins_otp.c (contents, props changed) head/security/cyrus-sasl2/files/patch-plugins_passdss.c (contents, props changed) head/security/cyrus-sasl2/files/patch-plugins_srp.c (contents, props changed) head/security/cyrus-sasl2/files/patch-saslauthd_Makefile.am (contents, props changed) head/security/cyrus-sasl2/files/patch-saslauthd_lak.c (contents, props changed) Modified: head/security/cyrus-sasl2/pkg-descr Added: head/security/cyrus-sasl2/files/patch-Makefile.am ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/cyrus-sasl2/files/patch-Makefile.am Sat Jun 16 06:16:51 2018 (r472519) @@ -0,0 +1,14 @@ +--- Makefile.am.orig 2012-10-12 14:05:48 UTC ++++ Makefile.am +@@ -76,6 +76,11 @@ EXTRA_DIST=config cmulocal win32 mac dlc + pkgconfigdir = $(libdir)/pkgconfig + pkgconfig_DATA = libsasl2.pc + ++noinst_LTLIBRARIES = libcrypto_compat.la ++ ++libcrypto_compat_la_SOURCES = crypto-compat.c crypto-compat.h ++libcrypto_compat_la_LDFLAGS = -version-info $(crypto_compat_version) -no-undefined ++ + dist-hook: + @find $(distdir) -exec chmod o+w {} ';' + @find $(distdir) -name CVS -print | xargs -t rm -rf Added: head/security/cyrus-sasl2/files/patch-crypto-compat.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/cyrus-sasl2/files/patch-crypto-compat.c Sat Jun 16 06:16:51 2018 (r472519) @@ -0,0 +1,449 @@ +--- crypto-compat.c.orig 2018-02-14 13:10:38 UTC ++++ crypto-compat.c +@@ -0,0 +1,446 @@ ++/* ++ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the OpenSSL license (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include "crypto-compat.h" ++ ++#if defined(HAVE_OPENSSL) && (OPENSSL_VERSION_NUMBER < 0x10100000L) ++ ++#include <string.h> ++#include <openssl/engine.h> ++ ++static void *OPENSSL_zalloc(size_t num) ++{ ++ void *ret = OPENSSL_malloc(num); ++ ++ if (ret != NULL) ++ memset(ret, 0, num); ++ return ret; ++} ++ ++int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) ++{ ++ /* If the fields n and e in r are NULL, the corresponding input ++ * parameters MUST be non-NULL for n and e. d may be ++ * left NULL (in case only the public key is used). ++ */ ++ if ((r->n == NULL && n == NULL) ++ || (r->e == NULL && e == NULL)) ++ return 0; ++ ++ if (n != NULL) { ++ BN_free(r->n); ++ r->n = n; ++ } ++ if (e != NULL) { ++ BN_free(r->e); ++ r->e = e; ++ } ++ if (d != NULL) { ++ BN_free(r->d); ++ r->d = d; ++ } ++ ++ return 1; ++} ++ ++int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) ++{ ++ /* If the fields p and q in r are NULL, the corresponding input ++ * parameters MUST be non-NULL. ++ */ ++ if ((r->p == NULL && p == NULL) ++ || (r->q == NULL && q == NULL)) ++ return 0; ++ ++ if (p != NULL) { ++ BN_free(r->p); ++ r->p = p; ++ } ++ if (q != NULL) { ++ BN_free(r->q); ++ r->q = q; ++ } ++ ++ return 1; ++} ++ ++int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) ++{ ++ /* If the fields dmp1, dmq1 and iqmp in r are NULL, the corresponding input ++ * parameters MUST be non-NULL. ++ */ ++ if ((r->dmp1 == NULL && dmp1 == NULL) ++ || (r->dmq1 == NULL && dmq1 == NULL) ++ || (r->iqmp == NULL && iqmp == NULL)) ++ return 0; ++ ++ if (dmp1 != NULL) { ++ BN_free(r->dmp1); ++ r->dmp1 = dmp1; ++ } ++ if (dmq1 != NULL) { ++ BN_free(r->dmq1); ++ r->dmq1 = dmq1; ++ } ++ if (iqmp != NULL) { ++ BN_free(r->iqmp); ++ r->iqmp = iqmp; ++ } ++ ++ return 1; ++} ++ ++void RSA_get0_key(const RSA *r, ++ const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) ++{ ++ if (n != NULL) ++ *n = r->n; ++ if (e != NULL) ++ *e = r->e; ++ if (d != NULL) ++ *d = r->d; ++} ++ ++void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) ++{ ++ if (p != NULL) ++ *p = r->p; ++ if (q != NULL) ++ *q = r->q; ++} ++ ++void RSA_get0_crt_params(const RSA *r, ++ const BIGNUM **dmp1, const BIGNUM **dmq1, ++ const BIGNUM **iqmp) ++{ ++ if (dmp1 != NULL) ++ *dmp1 = r->dmp1; ++ if (dmq1 != NULL) ++ *dmq1 = r->dmq1; ++ if (iqmp != NULL) ++ *iqmp = r->iqmp; ++} ++ ++void DSA_get0_pqg(const DSA *d, ++ const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) ++{ ++ if (p != NULL) ++ *p = d->p; ++ if (q != NULL) ++ *q = d->q; ++ if (g != NULL) ++ *g = d->g; ++} ++ ++int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g) ++{ ++ /* If the fields p, q and g in d are NULL, the corresponding input ++ * parameters MUST be non-NULL. ++ */ ++ if ((d->p == NULL && p == NULL) ++ || (d->q == NULL && q == NULL) ++ || (d->g == NULL && g == NULL)) ++ return 0; ++ ++ if (p != NULL) { ++ BN_free(d->p); ++ d->p = p; ++ } ++ if (q != NULL) { ++ BN_free(d->q); ++ d->q = q; ++ } ++ if (g != NULL) { ++ BN_free(d->g); ++ d->g = g; ++ } ++ ++ return 1; ++} ++ ++void DSA_get0_key(const DSA *d, ++ const BIGNUM **pub_key, const BIGNUM **priv_key) ++{ ++ if (pub_key != NULL) ++ *pub_key = d->pub_key; ++ if (priv_key != NULL) ++ *priv_key = d->priv_key; ++} ++ ++int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key) ++{ ++ /* If the field pub_key in d is NULL, the corresponding input ++ * parameters MUST be non-NULL. The priv_key field may ++ * be left NULL. ++ */ ++ if (d->pub_key == NULL && pub_key == NULL) ++ return 0; ++ ++ if (pub_key != NULL) { ++ BN_free(d->pub_key); ++ d->pub_key = pub_key; ++ } ++ if (priv_key != NULL) { ++ BN_free(d->priv_key); ++ d->priv_key = priv_key; ++ } ++ ++ return 1; ++} ++ ++void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) ++{ ++ if (pr != NULL) ++ *pr = sig->r; ++ if (ps != NULL) ++ *ps = sig->s; ++} ++ ++int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s) ++{ ++ if (r == NULL || s == NULL) ++ return 0; ++ BN_clear_free(sig->r); ++ BN_clear_free(sig->s); ++ sig->r = r; ++ sig->s = s; ++ return 1; ++} ++ ++void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) ++{ ++ if (pr != NULL) ++ *pr = sig->r; ++ if (ps != NULL) ++ *ps = sig->s; ++} ++ ++int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) ++{ ++ if (r == NULL || s == NULL) ++ return 0; ++ BN_clear_free(sig->r); ++ BN_clear_free(sig->s); ++ sig->r = r; ++ sig->s = s; ++ return 1; ++} ++ ++void DH_get0_pqg(const DH *dh, ++ const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) ++{ ++ if (p != NULL) ++ *p = dh->p; ++ if (q != NULL) ++ *q = dh->q; ++ if (g != NULL) ++ *g = dh->g; ++} ++ ++int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) ++{ ++ /* If the fields p and g in d are NULL, the corresponding input ++ * parameters MUST be non-NULL. q may remain NULL. ++ */ ++ if ((dh->p == NULL && p == NULL) ++ || (dh->g == NULL && g == NULL)) ++ return 0; ++ ++ if (p != NULL) { ++ BN_free(dh->p); ++ dh->p = p; ++ } ++ if (q != NULL) { ++ BN_free(dh->q); ++ dh->q = q; ++ } ++ if (g != NULL) { ++ BN_free(dh->g); ++ dh->g = g; ++ } ++ ++ if (q != NULL) { ++ dh->length = BN_num_bits(q); ++ } ++ ++ return 1; ++} ++ ++void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key) ++{ ++ if (pub_key != NULL) ++ *pub_key = dh->pub_key; ++ if (priv_key != NULL) ++ *priv_key = dh->priv_key; ++} ++ ++int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) ++{ ++ /* If the field pub_key in dh is NULL, the corresponding input ++ * parameters MUST be non-NULL. The priv_key field may ++ * be left NULL. ++ */ ++ if (dh->pub_key == NULL && pub_key == NULL) ++ return 0; ++ ++ if (pub_key != NULL) { ++ BN_free(dh->pub_key); ++ dh->pub_key = pub_key; ++ } ++ if (priv_key != NULL) { ++ BN_free(dh->priv_key); ++ dh->priv_key = priv_key; ++ } ++ ++ return 1; ++} ++ ++int DH_set_length(DH *dh, long length) ++{ ++ dh->length = length; ++ return 1; ++} ++ ++const unsigned char *EVP_CIPHER_CTX_iv(const EVP_CIPHER_CTX *ctx) ++{ ++ return ctx->iv; ++} ++ ++unsigned char *EVP_CIPHER_CTX_iv_noconst(EVP_CIPHER_CTX *ctx) ++{ ++ return ctx->iv; ++} ++ ++EVP_MD_CTX *EVP_MD_CTX_new(void) ++{ ++ return OPENSSL_zalloc(sizeof(EVP_MD_CTX)); ++} ++ ++void EVP_MD_CTX_free(EVP_MD_CTX *ctx) ++{ ++ EVP_MD_CTX_cleanup(ctx); ++ OPENSSL_free(ctx); ++} ++ ++EVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void) ++{ ++ return OPENSSL_zalloc(sizeof(EVP_ENCODE_CTX)); ++} ++ ++void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx) ++{ ++ OPENSSL_free(ctx); ++} ++ ++RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth) ++{ ++ RSA_METHOD *ret; ++ ++ ret = OPENSSL_malloc(sizeof(RSA_METHOD)); ++ ++ if (ret != NULL) { ++ memcpy(ret, meth, sizeof(*meth)); ++ ret->name = OPENSSL_strdup(meth->name); ++ if (ret->name == NULL) { ++ OPENSSL_free(ret); ++ return NULL; ++ } ++ } ++ ++ return ret; ++} ++ ++int RSA_meth_set1_name(RSA_METHOD *meth, const char *name) ++{ ++ char *tmpname; ++ ++ tmpname = OPENSSL_strdup(name); ++ if (tmpname == NULL) { ++ return 0; ++ } ++ ++ OPENSSL_free((char *)meth->name); ++ meth->name = tmpname; ++ ++ return 1; ++} ++ ++int RSA_meth_set_priv_enc(RSA_METHOD *meth, ++ int (*priv_enc) (int flen, const unsigned char *from, ++ unsigned char *to, RSA *rsa, ++ int padding)) ++{ ++ meth->rsa_priv_enc = priv_enc; ++ return 1; ++} ++ ++int RSA_meth_set_priv_dec(RSA_METHOD *meth, ++ int (*priv_dec) (int flen, const unsigned char *from, ++ unsigned char *to, RSA *rsa, ++ int padding)) ++{ ++ meth->rsa_priv_dec = priv_dec; ++ return 1; ++} ++ ++int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish) (RSA *rsa)) ++{ ++ meth->finish = finish; ++ return 1; ++} ++ ++void RSA_meth_free(RSA_METHOD *meth) ++{ ++ if (meth != NULL) { ++ OPENSSL_free((char *)meth->name); ++ OPENSSL_free(meth); ++ } ++} ++ ++int RSA_bits(const RSA *r) ++{ ++ return (BN_num_bits(r->n)); ++} ++ ++RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey) ++{ ++ if (pkey->type != EVP_PKEY_RSA) { ++ return NULL; ++ } ++ return pkey->pkey.rsa; ++} ++ ++HMAC_CTX *HMAC_CTX_new(void) ++{ ++ HMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx)); ++ if (ctx != NULL) { ++ if (!HMAC_CTX_reset(ctx)) { ++ HMAC_CTX_free(ctx); ++ return NULL; ++ } ++ } ++ return ctx; ++} ++ ++void HMAC_CTX_free(HMAC_CTX *ctx) ++{ ++ if (ctx != NULL) { ++ HMAC_CTX_cleanup(ctx); ++ OPENSSL_free(ctx); ++ } ++} ++ ++int HMAC_CTX_reset(HMAC_CTX *ctx) ++{ ++ HMAC_CTX_init(ctx); ++ return 1; ++} ++ ++ ++#endif /* HAVE_OPENSSL && OPENSSL_VERSION_NUMBER */ Added: head/security/cyrus-sasl2/files/patch-crypto-compat.h ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/cyrus-sasl2/files/patch-crypto-compat.h Sat Jun 16 06:16:51 2018 (r472519) @@ -0,0 +1,76 @@ +--- crypto-compat.h.orig 2018-02-14 13:10:38 UTC ++++ crypto-compat.h +@@ -0,0 +1,73 @@ ++#ifndef LIBCRYPTO_COMPAT_H ++#define LIBCRYPTO_COMPAT_H ++ ++#include <config.h> ++ ++#ifdef HAVE_OPENSSL ++ ++#include <openssl/opensslv.h> ++ ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ ++#include <openssl/rsa.h> ++#include <openssl/dsa.h> ++#include <openssl/ecdsa.h> ++#include <openssl/dh.h> ++#include <openssl/evp.h> ++#include <openssl/hmac.h> ++ ++int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d); ++int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q); ++int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp); ++void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d); ++void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q); ++void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, const BIGNUM **iqmp); ++ ++void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g); ++int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g); ++void DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM **priv_key); ++int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key); ++ ++void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps); ++int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s); ++ ++void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps); ++int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s); ++ ++void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g); ++int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g); ++void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key); ++int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key); ++int DH_set_length(DH *dh, long length); ++ ++const unsigned char *EVP_CIPHER_CTX_iv(const EVP_CIPHER_CTX *ctx); ++unsigned char *EVP_CIPHER_CTX_iv_noconst(EVP_CIPHER_CTX *ctx); ++EVP_MD_CTX *EVP_MD_CTX_new(void); ++void EVP_MD_CTX_free(EVP_MD_CTX *ctx); ++EVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void); ++void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx); ++#define EVP_CIPHER_impl_ctx_size(e) e->ctx_size ++#define EVP_CIPHER_CTX_get_cipher_data(ctx) ctx->cipher_data ++ ++RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth); ++int RSA_meth_set1_name(RSA_METHOD *meth, const char *name); ++#define RSA_meth_get_finish(meth) meth->finish ++int RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)); ++int RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)); ++int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish) (RSA *rsa)); ++void RSA_meth_free(RSA_METHOD *meth); ++ ++int RSA_bits(const RSA *r); ++ ++RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey); ++ ++HMAC_CTX *HMAC_CTX_new(void); ++void HMAC_CTX_free(HMAC_CTX *ctx); ++int HMAC_CTX_reset(HMAC_CTX *ctx); ++ ++ ++#endif /* OPENSSL_VERSION_NUMBER */ ++ ++#endif /* HAVE_OPENSSL */ ++ ++#endif /* LIBCRYPTO_COMPAT_H */ Added: head/security/cyrus-sasl2/files/patch-lib_Makefile.am ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/cyrus-sasl2/files/patch-lib_Makefile.am Sat Jun 16 06:16:51 2018 (r472519) @@ -0,0 +1,13 @@ +--- lib/Makefile.am.orig 2012-10-12 14:05:48 UTC ++++ lib/Makefile.am +@@ -65,8 +65,8 @@ lib_LTLIBRARIES = libsasl2.la + + libsasl2_la_SOURCES = $(common_sources) $(common_headers) + libsasl2_la_LDFLAGS = -version-info $(sasl_version) +-libsasl2_la_DEPENDENCIES = $(LTLIBOBJS) +-libsasl2_la_LIBADD = $(LTLIBOBJS) $(SASL_DL_LIB) $(LIB_SOCKET) $(LIB_DOOR) ++libsasl2_la_DEPENDENCIES = $(LTLIBOBJS) $(CRYPTO_COMPAT_OBJS) ++libsasl2_la_LIBADD = $(LTLIBOBJS) $(SASL_DL_LIB) $(LIB_SOCKET) $(LIB_DOOR) $(CRYPTO_COMPAT_OBJS) + + if MACOSX + framedir = /Library/Frameworks/SASL2.framework Added: head/security/cyrus-sasl2/files/patch-plugins_Makefile.am ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/cyrus-sasl2/files/patch-plugins_Makefile.am Sat Jun 16 06:16:51 2018 (r472519) @@ -0,0 +1,37 @@ +--- plugins/Makefile.am.orig 2012-10-12 14:05:48 UTC ++++ plugins/Makefile.am +@@ -53,6 +53,7 @@ INCLUDES=-I$(top_srcdir)/include -I$(top + AM_LDFLAGS = -module -export-dynamic -rpath $(plugindir) -version-info $(plugin_version) + + COMPAT_OBJS = @LTGETADDRINFOOBJS@ @LTGETNAMEINFOOBJS@ @LTSNPRINTFOBJS@ ++CRYPTO_COMPAT_OBJS = $(top_builddir)/common/libcrypto_compat.la + + EXTRA_DIST = makeinit.sh NTMakefile + noinst_SCRIPTS = makeinit.sh +@@ -106,20 +107,20 @@ liblogin_la_DEPENDENCIES = $(COMPAT_OBJS + liblogin_la_LIBADD = $(PLAIN_LIBS) $(COMPAT_OBJS) + + libsrp_la_SOURCES = srp.c srp_init.c $(common_sources) +-libsrp_la_DEPENDENCIES = $(COMPAT_OBJS) +-libsrp_la_LIBADD = $(SRP_LIBS) $(COMPAT_OBJS) ++libsrp_la_DEPENDENCIES = $(COMPAT_OBJS) $(CRYPTO_COMPAT_OBJS) ++libsrp_la_LIBADD = $(SRP_LIBS) $(COMPAT_OBJS) $(CRYPTO_COMPAT_OBJS) + + libotp_la_SOURCES = otp.c otp_init.c otp.h $(common_sources) + libotp_la_DEPENDENCIES = $(COMPAT_OBJS) + libotp_la_LIBADD = $(OTP_LIBS) $(COMPAT_OBJS) + + libntlm_la_SOURCES = ntlm.c ntlm_init.c $(common_sources) +-libntlm_la_DEPENDENCIES = $(COMPAT_OBJS) +-libntlm_la_LIBADD = $(NTLM_LIBS) $(COMPAT_OBJS) ++libntlm_la_DEPENDENCIES = $(COMPAT_OBJS) $(CRYPTO_COMPAT_OBJS) ++libntlm_la_LIBADD = $(NTLM_LIBS) $(COMPAT_OBJS) $(CRYPTO_COMPAT_OBJS) + + libpassdss_la_SOURCES = passdss.c passdss_init.c $(common_sources) +-libpassdss_la_DEPENDENCIES = $(COMPAT_OBJS) +-libpassdss_la_LIBADD = $(PASSDSS_LIBS) $(COMPAT_OBJS) ++libpassdss_la_DEPENDENCIES = $(COMPAT_OBJS) $(CRYPTO_COMPAT_OBJS) ++libpassdss_la_LIBADD = $(PASSDSS_LIBS) $(COMPAT_OBJS) $(CRYPTO_COMPAT_OBJS) + + # Auxprop Plugins + libsasldb_la_SOURCES = sasldb.c sasldb_init.c $(common_sources) Added: head/security/cyrus-sasl2/files/patch-plugins_ntlm.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/cyrus-sasl2/files/patch-plugins_ntlm.c Sat Jun 16 06:16:51 2018 (r472519) @@ -0,0 +1,76 @@ +--- plugins/ntlm.c.orig 2018-02-14 13:10:38 UTC ++++ plugins/ntlm.c +@@ -420,6 +420,29 @@ static unsigned char *P24(unsigned char + return P24; + } + ++static HMAC_CTX *_plug_HMAC_CTX_new(const sasl_utils_t *utils) ++{ ++ utils->log(NULL, SASL_LOG_DEBUG, "_plug_HMAC_CTX_new()"); ++ ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ return HMAC_CTX_new(); ++#else ++ return utils->malloc(sizeof(EVP_MD_CTX)); ++#endif ++} ++ ++static void _plug_HMAC_CTX_free(HMAC_CTX *ctx, const sasl_utils_t *utils) ++{ ++ utils->log(NULL, SASL_LOG_DEBUG, "_plug_HMAC_CTX_free()"); ++ ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ HMAC_CTX_free(ctx); ++#else ++ HMAC_cleanup(ctx); ++ utils->free(ctx); ++#endif ++} ++ + static unsigned char *V2(unsigned char *V2, sasl_secret_t *passwd, + const char *authid, const char *target, + const unsigned char *challenge, +@@ -427,7 +450,7 @@ static unsigned char *V2(unsigned char * + const sasl_utils_t *utils, + char **buf, unsigned *buflen, int *result) + { +- HMAC_CTX ctx; ++ HMAC_CTX *ctx = NULL; + unsigned char hash[EVP_MAX_MD_SIZE]; + char *upper; + unsigned int len; +@@ -438,6 +461,10 @@ static unsigned char *V2(unsigned char * + SETERROR(utils, "cannot allocate NTLMv2 hash"); + *result = SASL_NOMEM; + } ++ else if ((ctx = _plug_HMAC_CTX_new(utils)) == NULL) { ++ SETERROR(utils, "cannot allocate HMAC CTX"); ++ *result = SASL_NOMEM; ++ } + else { + /* NTLMv2hash = HMAC-MD5(NTLMhash, unicode(ucase(authid + domain))) */ + P16_nt(hash, passwd, utils, buf, buflen, result); +@@ -453,17 +480,18 @@ static unsigned char *V2(unsigned char * + (unsigned char *) *buf, 2 * len, hash, &len); + + /* V2 = HMAC-MD5(NTLMv2hash, challenge + blob) + blob */ +- HMAC_Init(&ctx, hash, len, EVP_md5()); +- HMAC_Update(&ctx, challenge, NTLM_NONCE_LENGTH); +- HMAC_Update(&ctx, blob, bloblen); +- HMAC_Final(&ctx, V2, &len); +- HMAC_cleanup(&ctx); ++ HMAC_Init_ex(ctx, hash, len, EVP_md5(), NULL); ++ HMAC_Update(ctx, challenge, NTLM_NONCE_LENGTH); ++ HMAC_Update(ctx, blob, bloblen); ++ HMAC_Final(ctx, V2, &len); + + /* the blob is concatenated outside of this function */ + + *result = SASL_OK; + } + ++ if (ctx) _plug_HMAC_CTX_free(ctx, utils); ++ + return V2; + } + Added: head/security/cyrus-sasl2/files/patch-plugins_otp.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/cyrus-sasl2/files/patch-plugins_otp.c Sat Jun 16 06:16:51 2018 (r472519) @@ -0,0 +1,235 @@ +--- plugins/otp.c.orig 2018-02-14 13:16:37 UTC ++++ plugins/otp.c +@@ -98,6 +98,28 @@ static algorithm_option_t algorithm_opti + {NULL, 0, NULL} + }; + ++static EVP_MD_CTX *_plug_EVP_MD_CTX_new(const sasl_utils_t *utils) ++{ ++ utils->log(NULL, SASL_LOG_DEBUG, "_plug_EVP_MD_CTX_new()"); ++ ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ return EVP_MD_CTX_new(); ++#else ++ return utils->malloc(sizeof(EVP_MD_CTX)); ++#endif ++} ++ ++static void _plug_EVP_MD_CTX_free(EVP_MD_CTX *ctx, const sasl_utils_t *utils) ++{ ++ utils->log(NULL, SASL_LOG_DEBUG, "_plug_EVP_MD_CTX_free()"); ++ ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ EVP_MD_CTX_free(ctx); ++#else ++ utils->free(ctx); ++#endif ++} ++ + /* Convert the binary data into ASCII hex */ + void bin2hex(unsigned char *bin, int binlen, char *hex) + { +@@ -118,17 +140,16 @@ void bin2hex(unsigned char *bin, int bin + * swabbing bytes if necessary. + */ + static void otp_hash(const EVP_MD *md, char *in, size_t inlen, +- unsigned char *out, int swab) ++ unsigned char *out, int swab, EVP_MD_CTX *mdctx) + { +- EVP_MD_CTX mdctx; + char hash[EVP_MAX_MD_SIZE]; + unsigned int i; + int j; + unsigned hashlen; + +- EVP_DigestInit(&mdctx, md); +- EVP_DigestUpdate(&mdctx, in, inlen); +- EVP_DigestFinal(&mdctx, hash, &hashlen); ++ EVP_DigestInit(mdctx, md); ++ EVP_DigestUpdate(mdctx, in, inlen); ++ EVP_DigestFinal(mdctx, hash, &hashlen); + + /* Fold the result into 64 bits */ + for (i = OTP_HASH_SIZE; i < hashlen; i++) { +@@ -151,31 +172,42 @@ static int generate_otp(const sasl_utils + char *secret, char *otp) + { + const EVP_MD *md; +- char *key; ++ EVP_MD_CTX *mdctx = NULL; ++ char *key = NULL; ++ int r = SASL_OK; + + if (!(md = EVP_get_digestbyname(alg->evp_name))) { + utils->seterror(utils->conn, 0, + "OTP algorithm %s is not available", alg->evp_name); + return SASL_FAIL; + } +- ++ ++ if ((mdctx = _plug_EVP_MD_CTX_new(utils)) == NULL) { ++ SETERROR(utils, "cannot allocate MD CTX"); ++ r = SASL_NOMEM; ++ goto done; ++ } ++ + if ((key = utils->malloc(strlen(seed) + strlen(secret) + 1)) == NULL) { + SETERROR(utils, "cannot allocate OTP key"); +- return SASL_NOMEM; ++ r = SASL_NOMEM; ++ goto done; + } + + /* initial step */ + strcpy(key, seed); + strcat(key, secret); +- otp_hash(md, key, strlen(key), otp, alg->swab); ++ otp_hash(md, key, strlen(key), otp, alg->swab, mdctx); + + /* computation step */ + while (seq-- > 0) +- otp_hash(md, otp, OTP_HASH_SIZE, otp, alg->swab); +- +- utils->free(key); ++ otp_hash(md, otp, OTP_HASH_SIZE, otp, alg->swab, mdctx); ++ ++ done: ++ if (key) utils->free(key); ++ if (mdctx) _plug_EVP_MD_CTX_free(mdctx, utils); + +- return SASL_OK; ++ return r; + } + + static int parse_challenge(const sasl_utils_t *utils, +@@ -695,7 +727,8 @@ static int strptrcasecmp(const void *arg + + /* Convert the 6 words into binary data */ + static int word2bin(const sasl_utils_t *utils, +- char *words, unsigned char *bin, const EVP_MD *md) ++ char *words, unsigned char *bin, const EVP_MD *md, ++ EVP_MD_CTX *mdctx) + { + int i, j; + char *c, *word, buf[OTP_RESPONSE_MAX+1]; +@@ -754,13 +787,12 @@ static int word2bin(const sasl_utils_t * + + /* alternate dictionary */ + if (alt_dict) { +- EVP_MD_CTX mdctx; + char hash[EVP_MAX_MD_SIZE]; + int hashlen; + +- EVP_DigestInit(&mdctx, md); +- EVP_DigestUpdate(&mdctx, word, strlen(word)); +- EVP_DigestFinal(&mdctx, hash, &hashlen); ++ EVP_DigestInit(mdctx, md); ++ EVP_DigestUpdate(mdctx, word, strlen(word)); ++ EVP_DigestFinal(mdctx, hash, &hashlen); + + /* use lowest 11 bits */ + x = ((hash[hashlen-2] & 0x7) << 8) | hash[hashlen-1]; +@@ -804,6 +836,7 @@ static int verify_response(server_contex + char *response) + { + const EVP_MD *md; ++ EVP_MD_CTX *mdctx = NULL; + char *c; + int do_init = 0; + unsigned char cur_otp[OTP_HASH_SIZE], prev_otp[OTP_HASH_SIZE]; +@@ -817,6 +850,11 @@ static int verify_response(server_contex + return SASL_FAIL; + } + ++ if ((mdctx = _plug_EVP_MD_CTX_new(utils)) == NULL) { ++ SETERROR(utils, "cannot allocate MD CTX"); ++ return SASL_NOMEM; ++ } ++ + /* eat leading whitespace */ + c = response; + while (isspace((int) *c)) c++; +@@ -826,7 +864,7 @@ static int verify_response(server_contex + r = hex2bin(c+strlen(OTP_HEX_TYPE), cur_otp, OTP_HASH_SIZE); + } + else if (!strncasecmp(c, OTP_WORD_TYPE, strlen(OTP_WORD_TYPE))) { +- r = word2bin(utils, c+strlen(OTP_WORD_TYPE), cur_otp, md); ++ r = word2bin(utils, c+strlen(OTP_WORD_TYPE), cur_otp, md, mdctx); + } + else if (!strncasecmp(c, OTP_INIT_HEX_TYPE, + strlen(OTP_INIT_HEX_TYPE))) { +@@ -836,7 +874,7 @@ static int verify_response(server_contex + else if (!strncasecmp(c, OTP_INIT_WORD_TYPE, + strlen(OTP_INIT_WORD_TYPE))) { + do_init = 1; +- r = word2bin(utils, c+strlen(OTP_INIT_WORD_TYPE), cur_otp, md); ++ r = word2bin(utils, c+strlen(OTP_INIT_WORD_TYPE), cur_otp, md, mdctx); + } + else { + SETERROR(utils, "unknown OTP extended response type"); +@@ -852,7 +890,8 @@ static int verify_response(server_contex + + if (r == SASL_OK) { + /* do one more hash (previous otp) and compare to stored otp */ +- otp_hash(md, cur_otp, OTP_HASH_SIZE, prev_otp, text->alg->swab); ++ otp_hash(md, cur_otp, OTP_HASH_SIZE, ++ prev_otp, text->alg->swab, mdctx); + + if (!memcmp(prev_otp, text->otp, OTP_HASH_SIZE)) { + /* update the secret with this seq/otp */ +@@ -881,23 +920,28 @@ static int verify_response(server_contex + *new_resp++ = '\0'; + } + +- if (!(new_chal && new_resp)) +- return SASL_BADAUTH; ++ if (!(new_chal && new_resp)) { ++ r = SASL_BADAUTH; ++ goto done; ++ } + + if ((r = parse_challenge(utils, new_chal, &alg, &seq, seed, 1)) + != SASL_OK) { +- return r; ++ goto done; + } + +- if (seq < 1 || !strcasecmp(seed, text->seed)) +- return SASL_BADAUTH; ++ if (seq < 1 || !strcasecmp(seed, text->seed)) { ++ r = SASL_BADAUTH; ++ goto done; ++ } + + /* find the MDA */ + if (!(md = EVP_get_digestbyname(alg->evp_name))) { + utils->seterror(utils->conn, 0, + "OTP algorithm %s is not available", + alg->evp_name); +- return SASL_BADAUTH; ++ r = SASL_BADAUTH; ++ goto done; + } + + if (!strncasecmp(c, OTP_INIT_HEX_TYPE, strlen(OTP_INIT_HEX_TYPE))) { +@@ -905,7 +949,7 @@ static int verify_response(server_contex + } + else if (!strncasecmp(c, OTP_INIT_WORD_TYPE, + strlen(OTP_INIT_WORD_TYPE))) { +- r = word2bin(utils, new_resp, new_otp, md); ++ r = word2bin(utils, new_resp, new_otp, md, mdctx); + } + + if (r == SASL_OK) { +@@ -916,7 +960,10 @@ static int verify_response(server_contex + memcpy(text->otp, new_otp, OTP_HASH_SIZE); + } + } +- ++ ++ done: ++ if (mdctx) _plug_EVP_MD_CTX_free(mdctx, utils); ++ + return r; + } + Added: head/security/cyrus-sasl2/files/patch-plugins_passdss.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/cyrus-sasl2/files/patch-plugins_passdss.c Sat Jun 16 06:16:51 2018 (r472519) @@ -0,0 +1,721 @@ +--- plugins/passdss.c.orig 2012-01-27 23:31:36 UTC ++++ plugins/passdss.c +@@ -71,6 +71,9 @@ + #include <openssl/sha.h> + #include <openssl/dsa.h> + ++/* for legacy libcrypto support */ ++#include "crypto-compat.h" ++ + #include <sasl.h> + #define MD5_H /* suppress internal MD5 */ + #include <saslplug.h> +@@ -110,23 +113,23 @@ typedef struct context { + const sasl_utils_t *utils; + + /* per-step mem management */ +- char *out_buf; ++ unsigned char *out_buf; + unsigned out_buf_len; + + /* security layer foo */ + unsigned char secmask; /* bitmask of enabled security layers */ + unsigned char padding[EVP_MAX_BLOCK_LENGTH]; /* block of NULs */ + +- HMAC_CTX hmac_send_ctx; +- HMAC_CTX hmac_recv_ctx; ++ HMAC_CTX *hmac_send_ctx; ++ HMAC_CTX *hmac_recv_ctx; + + unsigned char send_integrity_key[4 + EVP_MAX_MD_SIZE]; /* +4 for pktnum */ + unsigned char recv_integrity_key[4 + EVP_MAX_MD_SIZE]; /* +4 for pktnum */ + unsigned char *cs_integrity_key; /* ptr to bare key in send/recv key */ + unsigned char *sc_integrity_key; /* ptr to bare key in send/recv key */ + +- EVP_CIPHER_CTX cipher_enc_ctx; +- EVP_CIPHER_CTX cipher_dec_ctx; ++ EVP_CIPHER_CTX *cipher_enc_ctx; ++ EVP_CIPHER_CTX *cipher_dec_ctx; + unsigned blk_siz; + + unsigned char cs_encryption_iv[EVP_MAX_MD_SIZE]; +@@ -139,7 +142,7 @@ typedef struct context { + uint32_t pktnum_in; + + /* for encoding/decoding mem management */ +- char *encode_buf, *decode_buf, *decode_pkt_buf; ++ unsigned char *encode_buf, *decode_buf, *decode_pkt_buf; + unsigned encode_buf_len, decode_buf_len, decode_pkt_buf_len; + + /* layers buffering */ +@@ -171,7 +174,7 @@ static int passdss_encode(void *context, + inputlen += invec[i].iov_len; + + /* allocate a buffer for the output */ +- ret = _plug_buf_alloc(text->utils, &text->encode_buf, ++ ret = _plug_buf_alloc(text->utils, (char **) &text->encode_buf, + &text->encode_buf_len, + 4 + /* length */ + inputlen + /* content */ +@@ -186,19 +189,19 @@ static int passdss_encode(void *context, + memcpy(text->send_integrity_key, &tmpnum, 4); + + /* key the HMAC */ +- HMAC_Init_ex(&text->hmac_send_ctx, text->send_integrity_key, ++ HMAC_Init_ex(text->hmac_send_ctx, text->send_integrity_key, + 4+SHA_DIGEST_LENGTH, EVP_sha1(), NULL); + + /* operate on each iovec */ + for (i = 0; i < numiov; i++) { + /* hash the content */ +- HMAC_Update(&text->hmac_send_ctx, invec[i].iov_base, invec[i].iov_len); ++ HMAC_Update(text->hmac_send_ctx, invec[i].iov_base, invec[i].iov_len); + + if (text->secmask & PRIVACY_LAYER_FLAG) { +- unsigned enclen; ++ int enclen; *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201806160616.w5G6GpCO041852>