Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 16 Jun 2018 06:16:51 +0000 (UTC)
From:      Hajimu UMEMOTO <ume@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r472519 - in head/security/cyrus-sasl2: . files
Message-ID:  <201806160616.w5G6GpCO041852@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: ume
Date: Sat Jun 16 06:16:51 2018
New Revision: 472519
URL: https://svnweb.freebsd.org/changeset/ports/472519

Log:
  - Backport from 2.1.27-rc7 OpenSSL 1.1 fixes
  - Fix WWW
  
  PR:		225891
  Submitted by:	brnrd

Added:
  head/security/cyrus-sasl2/files/patch-Makefile.am   (contents, props changed)
  head/security/cyrus-sasl2/files/patch-crypto-compat.c   (contents, props changed)
  head/security/cyrus-sasl2/files/patch-crypto-compat.h   (contents, props changed)
  head/security/cyrus-sasl2/files/patch-lib_Makefile.am   (contents, props changed)
  head/security/cyrus-sasl2/files/patch-plugins_Makefile.am   (contents, props changed)
  head/security/cyrus-sasl2/files/patch-plugins_ntlm.c   (contents, props changed)
  head/security/cyrus-sasl2/files/patch-plugins_otp.c   (contents, props changed)
  head/security/cyrus-sasl2/files/patch-plugins_passdss.c   (contents, props changed)
  head/security/cyrus-sasl2/files/patch-plugins_srp.c   (contents, props changed)
  head/security/cyrus-sasl2/files/patch-saslauthd_Makefile.am   (contents, props changed)
  head/security/cyrus-sasl2/files/patch-saslauthd_lak.c   (contents, props changed)
Modified:
  head/security/cyrus-sasl2/pkg-descr

Added: head/security/cyrus-sasl2/files/patch-Makefile.am
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/cyrus-sasl2/files/patch-Makefile.am	Sat Jun 16 06:16:51 2018	(r472519)
@@ -0,0 +1,14 @@
+--- Makefile.am.orig	2012-10-12 14:05:48 UTC
++++ Makefile.am
+@@ -76,6 +76,11 @@ EXTRA_DIST=config cmulocal win32 mac dlc
+ pkgconfigdir = $(libdir)/pkgconfig
+ pkgconfig_DATA = libsasl2.pc
+ 
++noinst_LTLIBRARIES = libcrypto_compat.la
++
++libcrypto_compat_la_SOURCES = crypto-compat.c crypto-compat.h
++libcrypto_compat_la_LDFLAGS = -version-info $(crypto_compat_version) -no-undefined
++
+ dist-hook:
+ 	@find $(distdir) -exec chmod o+w {} ';'
+ 	@find $(distdir) -name CVS -print | xargs -t rm -rf

Added: head/security/cyrus-sasl2/files/patch-crypto-compat.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/cyrus-sasl2/files/patch-crypto-compat.c	Sat Jun 16 06:16:51 2018	(r472519)
@@ -0,0 +1,449 @@
+--- crypto-compat.c.orig	2018-02-14 13:10:38 UTC
++++ crypto-compat.c
+@@ -0,0 +1,446 @@
++/*
++ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
++ *
++ * Licensed under the OpenSSL license (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#include "crypto-compat.h"
++
++#if defined(HAVE_OPENSSL) && (OPENSSL_VERSION_NUMBER < 0x10100000L)
++
++#include <string.h>
++#include <openssl/engine.h>
++
++static void *OPENSSL_zalloc(size_t num)
++{
++    void *ret = OPENSSL_malloc(num);
++
++    if (ret != NULL)
++        memset(ret, 0, num);
++    return ret;
++}
++
++int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
++{
++    /* If the fields n and e in r are NULL, the corresponding input
++     * parameters MUST be non-NULL for n and e.  d may be
++     * left NULL (in case only the public key is used).
++     */
++    if ((r->n == NULL && n == NULL)
++        || (r->e == NULL && e == NULL))
++        return 0;
++
++    if (n != NULL) {
++        BN_free(r->n);
++        r->n = n;
++    }
++    if (e != NULL) {
++        BN_free(r->e);
++        r->e = e;
++    }
++    if (d != NULL) {
++        BN_free(r->d);
++        r->d = d;
++    }
++
++    return 1;
++}
++
++int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
++{
++    /* If the fields p and q in r are NULL, the corresponding input
++     * parameters MUST be non-NULL.
++     */
++    if ((r->p == NULL && p == NULL)
++        || (r->q == NULL && q == NULL))
++        return 0;
++
++    if (p != NULL) {
++        BN_free(r->p);
++        r->p = p;
++    }
++    if (q != NULL) {
++        BN_free(r->q);
++        r->q = q;
++    }
++
++    return 1;
++}
++
++int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
++{
++    /* If the fields dmp1, dmq1 and iqmp in r are NULL, the corresponding input
++     * parameters MUST be non-NULL.
++     */
++    if ((r->dmp1 == NULL && dmp1 == NULL)
++        || (r->dmq1 == NULL && dmq1 == NULL)
++        || (r->iqmp == NULL && iqmp == NULL))
++        return 0;
++
++    if (dmp1 != NULL) {
++        BN_free(r->dmp1);
++        r->dmp1 = dmp1;
++    }
++    if (dmq1 != NULL) {
++        BN_free(r->dmq1);
++        r->dmq1 = dmq1;
++    }
++    if (iqmp != NULL) {
++        BN_free(r->iqmp);
++        r->iqmp = iqmp;
++    }
++
++    return 1;
++}
++
++void RSA_get0_key(const RSA *r,
++                  const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
++{
++    if (n != NULL)
++        *n = r->n;
++    if (e != NULL)
++        *e = r->e;
++    if (d != NULL)
++        *d = r->d;
++}
++
++void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q)
++{
++    if (p != NULL)
++        *p = r->p;
++    if (q != NULL)
++        *q = r->q;
++}
++
++void RSA_get0_crt_params(const RSA *r,
++                         const BIGNUM **dmp1, const BIGNUM **dmq1,
++                         const BIGNUM **iqmp)
++{
++    if (dmp1 != NULL)
++        *dmp1 = r->dmp1;
++    if (dmq1 != NULL)
++        *dmq1 = r->dmq1;
++    if (iqmp != NULL)
++        *iqmp = r->iqmp;
++}
++
++void DSA_get0_pqg(const DSA *d,
++                  const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
++{
++    if (p != NULL)
++        *p = d->p;
++    if (q != NULL)
++        *q = d->q;
++    if (g != NULL)
++        *g = d->g;
++}
++
++int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g)
++{
++    /* If the fields p, q and g in d are NULL, the corresponding input
++     * parameters MUST be non-NULL.
++     */
++    if ((d->p == NULL && p == NULL)
++        || (d->q == NULL && q == NULL)
++        || (d->g == NULL && g == NULL))
++        return 0;
++
++    if (p != NULL) {
++        BN_free(d->p);
++        d->p = p;
++    }
++    if (q != NULL) {
++        BN_free(d->q);
++        d->q = q;
++    }
++    if (g != NULL) {
++        BN_free(d->g);
++        d->g = g;
++    }
++
++    return 1;
++}
++
++void DSA_get0_key(const DSA *d,
++                  const BIGNUM **pub_key, const BIGNUM **priv_key)
++{
++    if (pub_key != NULL)
++        *pub_key = d->pub_key;
++    if (priv_key != NULL)
++        *priv_key = d->priv_key;
++}
++
++int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key)
++{
++    /* If the field pub_key in d is NULL, the corresponding input
++     * parameters MUST be non-NULL.  The priv_key field may
++     * be left NULL.
++     */
++    if (d->pub_key == NULL && pub_key == NULL)
++        return 0;
++
++    if (pub_key != NULL) {
++        BN_free(d->pub_key);
++        d->pub_key = pub_key;
++    }
++    if (priv_key != NULL) {
++        BN_free(d->priv_key);
++        d->priv_key = priv_key;
++    }
++
++    return 1;
++}
++
++void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)
++{
++    if (pr != NULL)
++        *pr = sig->r;
++    if (ps != NULL)
++        *ps = sig->s;
++}
++
++int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s)
++{
++    if (r == NULL || s == NULL)
++        return 0;
++    BN_clear_free(sig->r);
++    BN_clear_free(sig->s);
++    sig->r = r;
++    sig->s = s;
++    return 1;
++}
++
++void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)
++{
++    if (pr != NULL)
++        *pr = sig->r;
++    if (ps != NULL)
++        *ps = sig->s;
++}
++
++int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s)
++{
++    if (r == NULL || s == NULL)
++        return 0;
++    BN_clear_free(sig->r);
++    BN_clear_free(sig->s);
++    sig->r = r;
++    sig->s = s;
++    return 1;
++}
++
++void DH_get0_pqg(const DH *dh,
++                 const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
++{
++    if (p != NULL)
++        *p = dh->p;
++    if (q != NULL)
++        *q = dh->q;
++    if (g != NULL)
++        *g = dh->g;
++}
++
++int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
++{
++    /* If the fields p and g in d are NULL, the corresponding input
++     * parameters MUST be non-NULL.  q may remain NULL.
++     */
++    if ((dh->p == NULL && p == NULL)
++        || (dh->g == NULL && g == NULL))
++        return 0;
++
++    if (p != NULL) {
++        BN_free(dh->p);
++        dh->p = p;
++    }
++    if (q != NULL) {
++        BN_free(dh->q);
++        dh->q = q;
++    }
++    if (g != NULL) {
++        BN_free(dh->g);
++        dh->g = g;
++    }
++
++    if (q != NULL) {
++        dh->length = BN_num_bits(q);
++    }
++
++    return 1;
++}
++
++void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key)
++{
++    if (pub_key != NULL)
++        *pub_key = dh->pub_key;
++    if (priv_key != NULL)
++        *priv_key = dh->priv_key;
++}
++
++int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)
++{
++    /* If the field pub_key in dh is NULL, the corresponding input
++     * parameters MUST be non-NULL.  The priv_key field may
++     * be left NULL.
++     */
++    if (dh->pub_key == NULL && pub_key == NULL)
++        return 0;
++
++    if (pub_key != NULL) {
++        BN_free(dh->pub_key);
++        dh->pub_key = pub_key;
++    }
++    if (priv_key != NULL) {
++        BN_free(dh->priv_key);
++        dh->priv_key = priv_key;
++    }
++
++    return 1;
++}
++
++int DH_set_length(DH *dh, long length)
++{
++    dh->length = length;
++    return 1;
++}
++
++const unsigned char *EVP_CIPHER_CTX_iv(const EVP_CIPHER_CTX *ctx)
++{
++    return ctx->iv;
++}
++
++unsigned char *EVP_CIPHER_CTX_iv_noconst(EVP_CIPHER_CTX *ctx)
++{
++    return ctx->iv;
++}
++
++EVP_MD_CTX *EVP_MD_CTX_new(void)
++{
++    return OPENSSL_zalloc(sizeof(EVP_MD_CTX));
++}
++
++void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
++{
++    EVP_MD_CTX_cleanup(ctx);
++    OPENSSL_free(ctx);
++}
++
++EVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void)
++{
++    return OPENSSL_zalloc(sizeof(EVP_ENCODE_CTX));
++}
++
++void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx)
++{
++    OPENSSL_free(ctx);
++}
++
++RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth)
++{
++    RSA_METHOD *ret;
++
++    ret = OPENSSL_malloc(sizeof(RSA_METHOD));
++
++    if (ret != NULL) {
++        memcpy(ret, meth, sizeof(*meth));
++        ret->name = OPENSSL_strdup(meth->name);
++        if (ret->name == NULL) {
++            OPENSSL_free(ret);
++            return NULL;
++        }
++    }
++
++    return ret;
++}
++
++int RSA_meth_set1_name(RSA_METHOD *meth, const char *name)
++{
++    char *tmpname;
++
++    tmpname = OPENSSL_strdup(name);
++    if (tmpname == NULL) {
++        return 0;
++    }
++
++    OPENSSL_free((char *)meth->name);
++    meth->name = tmpname;
++
++    return 1;
++}
++
++int RSA_meth_set_priv_enc(RSA_METHOD *meth,
++                          int (*priv_enc) (int flen, const unsigned char *from,
++                                           unsigned char *to, RSA *rsa,
++                                           int padding))
++{
++    meth->rsa_priv_enc = priv_enc;
++    return 1;
++}
++
++int RSA_meth_set_priv_dec(RSA_METHOD *meth,
++                          int (*priv_dec) (int flen, const unsigned char *from,
++                                           unsigned char *to, RSA *rsa,
++                                           int padding))
++{
++    meth->rsa_priv_dec = priv_dec;
++    return 1;
++}
++
++int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish) (RSA *rsa))
++{
++    meth->finish = finish;
++    return 1;
++}
++
++void RSA_meth_free(RSA_METHOD *meth)
++{
++    if (meth != NULL) {
++        OPENSSL_free((char *)meth->name);
++        OPENSSL_free(meth);
++    }
++}
++
++int RSA_bits(const RSA *r)
++{
++    return (BN_num_bits(r->n));
++}
++
++RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
++{
++    if (pkey->type != EVP_PKEY_RSA) {
++        return NULL;
++    }
++    return pkey->pkey.rsa;
++}
++
++HMAC_CTX *HMAC_CTX_new(void)
++{
++    HMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));
++    if (ctx != NULL) {
++        if (!HMAC_CTX_reset(ctx)) {
++            HMAC_CTX_free(ctx);
++            return NULL;
++        }
++    }
++    return ctx;
++}
++
++void HMAC_CTX_free(HMAC_CTX *ctx)
++{
++    if (ctx != NULL) {
++        HMAC_CTX_cleanup(ctx);
++        OPENSSL_free(ctx);
++    }
++}
++
++int HMAC_CTX_reset(HMAC_CTX *ctx)
++{
++    HMAC_CTX_init(ctx);
++    return 1;
++}
++
++
++#endif /* HAVE_OPENSSL && OPENSSL_VERSION_NUMBER */

Added: head/security/cyrus-sasl2/files/patch-crypto-compat.h
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/cyrus-sasl2/files/patch-crypto-compat.h	Sat Jun 16 06:16:51 2018	(r472519)
@@ -0,0 +1,76 @@
+--- crypto-compat.h.orig	2018-02-14 13:10:38 UTC
++++ crypto-compat.h
+@@ -0,0 +1,73 @@
++#ifndef LIBCRYPTO_COMPAT_H
++#define LIBCRYPTO_COMPAT_H
++
++#include <config.h>
++
++#ifdef HAVE_OPENSSL
++
++#include <openssl/opensslv.h>
++
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++
++#include <openssl/rsa.h>
++#include <openssl/dsa.h>
++#include <openssl/ecdsa.h>
++#include <openssl/dh.h>
++#include <openssl/evp.h>
++#include <openssl/hmac.h>
++
++int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
++int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q);
++int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp);
++void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d);
++void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q);
++void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, const BIGNUM **iqmp);
++
++void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g);
++int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g);
++void DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM **priv_key);
++int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key);
++
++void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
++int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s);
++
++void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
++int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
++
++void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g);
++int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
++void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key);
++int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key);
++int DH_set_length(DH *dh, long length);
++
++const unsigned char *EVP_CIPHER_CTX_iv(const EVP_CIPHER_CTX *ctx);
++unsigned char *EVP_CIPHER_CTX_iv_noconst(EVP_CIPHER_CTX *ctx);
++EVP_MD_CTX *EVP_MD_CTX_new(void);
++void EVP_MD_CTX_free(EVP_MD_CTX *ctx);
++EVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void);
++void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx);
++#define EVP_CIPHER_impl_ctx_size(e) e->ctx_size
++#define EVP_CIPHER_CTX_get_cipher_data(ctx) ctx->cipher_data
++
++RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth);
++int RSA_meth_set1_name(RSA_METHOD *meth, const char *name);
++#define RSA_meth_get_finish(meth) meth->finish
++int RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding));
++int RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding));
++int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish) (RSA *rsa));
++void RSA_meth_free(RSA_METHOD *meth);
++
++int RSA_bits(const RSA *r);
++
++RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey);
++
++HMAC_CTX *HMAC_CTX_new(void);
++void HMAC_CTX_free(HMAC_CTX *ctx);
++int HMAC_CTX_reset(HMAC_CTX *ctx);
++
++
++#endif /* OPENSSL_VERSION_NUMBER */
++
++#endif /* HAVE_OPENSSL */
++
++#endif /* LIBCRYPTO_COMPAT_H */

Added: head/security/cyrus-sasl2/files/patch-lib_Makefile.am
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/cyrus-sasl2/files/patch-lib_Makefile.am	Sat Jun 16 06:16:51 2018	(r472519)
@@ -0,0 +1,13 @@
+--- lib/Makefile.am.orig	2012-10-12 14:05:48 UTC
++++ lib/Makefile.am
+@@ -65,8 +65,8 @@ lib_LTLIBRARIES = libsasl2.la
+ 
+ libsasl2_la_SOURCES = $(common_sources) $(common_headers)
+ libsasl2_la_LDFLAGS = -version-info $(sasl_version)
+-libsasl2_la_DEPENDENCIES = $(LTLIBOBJS)
+-libsasl2_la_LIBADD = $(LTLIBOBJS) $(SASL_DL_LIB) $(LIB_SOCKET) $(LIB_DOOR)
++libsasl2_la_DEPENDENCIES = $(LTLIBOBJS) $(CRYPTO_COMPAT_OBJS)
++libsasl2_la_LIBADD = $(LTLIBOBJS) $(SASL_DL_LIB) $(LIB_SOCKET) $(LIB_DOOR) $(CRYPTO_COMPAT_OBJS)
+ 
+ if MACOSX
+ framedir = /Library/Frameworks/SASL2.framework

Added: head/security/cyrus-sasl2/files/patch-plugins_Makefile.am
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/cyrus-sasl2/files/patch-plugins_Makefile.am	Sat Jun 16 06:16:51 2018	(r472519)
@@ -0,0 +1,37 @@
+--- plugins/Makefile.am.orig	2012-10-12 14:05:48 UTC
++++ plugins/Makefile.am
+@@ -53,6 +53,7 @@ INCLUDES=-I$(top_srcdir)/include -I$(top
+ AM_LDFLAGS = -module -export-dynamic -rpath $(plugindir) -version-info $(plugin_version)
+ 
+ COMPAT_OBJS = @LTGETADDRINFOOBJS@ @LTGETNAMEINFOOBJS@ @LTSNPRINTFOBJS@
++CRYPTO_COMPAT_OBJS = $(top_builddir)/common/libcrypto_compat.la
+ 
+ EXTRA_DIST = makeinit.sh NTMakefile
+ noinst_SCRIPTS = makeinit.sh
+@@ -106,20 +107,20 @@ liblogin_la_DEPENDENCIES = $(COMPAT_OBJS
+ liblogin_la_LIBADD = $(PLAIN_LIBS) $(COMPAT_OBJS)
+ 
+ libsrp_la_SOURCES = srp.c srp_init.c $(common_sources)
+-libsrp_la_DEPENDENCIES = $(COMPAT_OBJS)
+-libsrp_la_LIBADD = $(SRP_LIBS) $(COMPAT_OBJS)
++libsrp_la_DEPENDENCIES = $(COMPAT_OBJS) $(CRYPTO_COMPAT_OBJS)
++libsrp_la_LIBADD = $(SRP_LIBS) $(COMPAT_OBJS) $(CRYPTO_COMPAT_OBJS)
+ 
+ libotp_la_SOURCES = otp.c otp_init.c otp.h $(common_sources)
+ libotp_la_DEPENDENCIES = $(COMPAT_OBJS)
+ libotp_la_LIBADD = $(OTP_LIBS) $(COMPAT_OBJS)
+ 
+ libntlm_la_SOURCES = ntlm.c ntlm_init.c $(common_sources)
+-libntlm_la_DEPENDENCIES = $(COMPAT_OBJS)
+-libntlm_la_LIBADD = $(NTLM_LIBS) $(COMPAT_OBJS)
++libntlm_la_DEPENDENCIES = $(COMPAT_OBJS) $(CRYPTO_COMPAT_OBJS)
++libntlm_la_LIBADD = $(NTLM_LIBS) $(COMPAT_OBJS) $(CRYPTO_COMPAT_OBJS)
+ 
+ libpassdss_la_SOURCES = passdss.c passdss_init.c $(common_sources)
+-libpassdss_la_DEPENDENCIES = $(COMPAT_OBJS)
+-libpassdss_la_LIBADD = $(PASSDSS_LIBS) $(COMPAT_OBJS)
++libpassdss_la_DEPENDENCIES = $(COMPAT_OBJS) $(CRYPTO_COMPAT_OBJS)
++libpassdss_la_LIBADD = $(PASSDSS_LIBS) $(COMPAT_OBJS) $(CRYPTO_COMPAT_OBJS)
+ 
+ # Auxprop Plugins
+ libsasldb_la_SOURCES = sasldb.c sasldb_init.c $(common_sources)

Added: head/security/cyrus-sasl2/files/patch-plugins_ntlm.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/cyrus-sasl2/files/patch-plugins_ntlm.c	Sat Jun 16 06:16:51 2018	(r472519)
@@ -0,0 +1,76 @@
+--- plugins/ntlm.c.orig	2018-02-14 13:10:38 UTC
++++ plugins/ntlm.c
+@@ -420,6 +420,29 @@ static unsigned char *P24(unsigned char 
+     return P24;
+ }
+ 
++static HMAC_CTX *_plug_HMAC_CTX_new(const sasl_utils_t *utils)
++{
++    utils->log(NULL, SASL_LOG_DEBUG, "_plug_HMAC_CTX_new()");
++
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++    return HMAC_CTX_new();
++#else
++    return utils->malloc(sizeof(EVP_MD_CTX));
++#endif    
++}
++
++static void _plug_HMAC_CTX_free(HMAC_CTX *ctx, const sasl_utils_t *utils)
++{
++    utils->log(NULL, SASL_LOG_DEBUG, "_plug_HMAC_CTX_free()");
++
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++    HMAC_CTX_free(ctx);
++#else
++    HMAC_cleanup(ctx);
++    utils->free(ctx);
++#endif    
++}
++
+ static unsigned char *V2(unsigned char *V2, sasl_secret_t *passwd,
+ 			 const char *authid, const char *target,
+ 			 const unsigned char *challenge,
+@@ -427,7 +450,7 @@ static unsigned char *V2(unsigned char *
+ 			 const sasl_utils_t *utils,
+ 			 char **buf, unsigned *buflen, int *result)
+ {
+-    HMAC_CTX ctx;
++    HMAC_CTX *ctx = NULL;
+     unsigned char hash[EVP_MAX_MD_SIZE];
+     char *upper;
+     unsigned int len;
+@@ -438,6 +461,10 @@ static unsigned char *V2(unsigned char *
+ 	SETERROR(utils, "cannot allocate NTLMv2 hash");
+ 	*result = SASL_NOMEM;
+     }
++    else if ((ctx = _plug_HMAC_CTX_new(utils)) == NULL) {
++        SETERROR(utils, "cannot allocate HMAC CTX");
++        *result = SASL_NOMEM;
++    }
+     else {
+ 	/* NTLMv2hash = HMAC-MD5(NTLMhash, unicode(ucase(authid + domain))) */
+ 	P16_nt(hash, passwd, utils, buf, buflen, result);
+@@ -453,17 +480,18 @@ static unsigned char *V2(unsigned char *
+ 		(unsigned char *) *buf, 2 * len, hash, &len);
+ 
+ 	/* V2 = HMAC-MD5(NTLMv2hash, challenge + blob) + blob */
+-	HMAC_Init(&ctx, hash, len, EVP_md5());
+-	HMAC_Update(&ctx, challenge, NTLM_NONCE_LENGTH);
+-	HMAC_Update(&ctx, blob, bloblen);
+-	HMAC_Final(&ctx, V2, &len);
+-	HMAC_cleanup(&ctx);
++	HMAC_Init_ex(ctx, hash, len, EVP_md5(), NULL);
++	HMAC_Update(ctx, challenge, NTLM_NONCE_LENGTH);
++	HMAC_Update(ctx, blob, bloblen);
++	HMAC_Final(ctx, V2, &len);
+ 
+ 	/* the blob is concatenated outside of this function */
+ 
+ 	*result = SASL_OK;
+     }
+ 
++    if (ctx) _plug_HMAC_CTX_free(ctx, utils);
++
+     return V2;
+ }
+ 

Added: head/security/cyrus-sasl2/files/patch-plugins_otp.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/cyrus-sasl2/files/patch-plugins_otp.c	Sat Jun 16 06:16:51 2018	(r472519)
@@ -0,0 +1,235 @@
+--- plugins/otp.c.orig	2018-02-14 13:16:37 UTC
++++ plugins/otp.c
+@@ -98,6 +98,28 @@ static algorithm_option_t algorithm_opti
+     {NULL,	0,	NULL}
+ };
+ 
++static EVP_MD_CTX *_plug_EVP_MD_CTX_new(const sasl_utils_t *utils)
++{
++    utils->log(NULL, SASL_LOG_DEBUG, "_plug_EVP_MD_CTX_new()");
++
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++    return EVP_MD_CTX_new();
++#else
++    return utils->malloc(sizeof(EVP_MD_CTX));
++#endif    
++}
++
++static void _plug_EVP_MD_CTX_free(EVP_MD_CTX *ctx, const sasl_utils_t *utils)
++{
++    utils->log(NULL, SASL_LOG_DEBUG, "_plug_EVP_MD_CTX_free()");
++
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++    EVP_MD_CTX_free(ctx);
++#else
++    utils->free(ctx);
++#endif    
++}
++
+ /* Convert the binary data into ASCII hex */
+ void bin2hex(unsigned char *bin, int binlen, char *hex)
+ {
+@@ -118,17 +140,16 @@ void bin2hex(unsigned char *bin, int bin
+  * swabbing bytes if necessary.
+  */
+ static void otp_hash(const EVP_MD *md, char *in, size_t inlen,
+-		     unsigned char *out, int swab)
++		     unsigned char *out, int swab, EVP_MD_CTX *mdctx)
+ {
+-    EVP_MD_CTX mdctx;
+     char hash[EVP_MAX_MD_SIZE];
+     unsigned int i;
+     int j;
+     unsigned hashlen;
+     
+-    EVP_DigestInit(&mdctx, md);
+-    EVP_DigestUpdate(&mdctx, in, inlen);
+-    EVP_DigestFinal(&mdctx, hash, &hashlen);
++    EVP_DigestInit(mdctx, md);
++    EVP_DigestUpdate(mdctx, in, inlen);
++    EVP_DigestFinal(mdctx, hash, &hashlen);
+     
+     /* Fold the result into 64 bits */
+     for (i = OTP_HASH_SIZE; i < hashlen; i++) {
+@@ -151,31 +172,42 @@ static int generate_otp(const sasl_utils
+ 			char *secret, char *otp)
+ {
+     const EVP_MD *md;
+-    char *key;
++    EVP_MD_CTX *mdctx = NULL;
++    char *key = NULL;
++    int r = SASL_OK;
+     
+     if (!(md = EVP_get_digestbyname(alg->evp_name))) {
+ 	utils->seterror(utils->conn, 0,
+ 			"OTP algorithm %s is not available", alg->evp_name);
+ 	return SASL_FAIL;
+     }
+-    
++
++    if ((mdctx = _plug_EVP_MD_CTX_new(utils)) == NULL) {
++	SETERROR(utils, "cannot allocate MD CTX");
++	r = SASL_NOMEM;
++        goto done;
++    }    
++
+     if ((key = utils->malloc(strlen(seed) + strlen(secret) + 1)) == NULL) {
+ 	SETERROR(utils, "cannot allocate OTP key");
+-	return SASL_NOMEM;
++        r = SASL_NOMEM;
++        goto done;
+     }
+     
+     /* initial step */
+     strcpy(key, seed);
+     strcat(key, secret);
+-    otp_hash(md, key, strlen(key), otp, alg->swab);
++    otp_hash(md, key, strlen(key), otp, alg->swab, mdctx);
+     
+     /* computation step */
+     while (seq-- > 0)
+-	otp_hash(md, otp, OTP_HASH_SIZE, otp, alg->swab);
+-    
+-    utils->free(key);
++	otp_hash(md, otp, OTP_HASH_SIZE, otp, alg->swab, mdctx);
++
++ done:
++    if (key) utils->free(key);
++    if (mdctx) _plug_EVP_MD_CTX_free(mdctx, utils);
+     
+-    return SASL_OK;
++    return r;
+ }
+ 
+ static int parse_challenge(const sasl_utils_t *utils,
+@@ -695,7 +727,8 @@ static int strptrcasecmp(const void *arg
+ 
+ /* Convert the 6 words into binary data */
+ static int word2bin(const sasl_utils_t *utils,
+-		    char *words, unsigned char *bin, const EVP_MD *md)
++		    char *words, unsigned char *bin, const EVP_MD *md,
++                    EVP_MD_CTX *mdctx)
+ {
+     int i, j;
+     char *c, *word, buf[OTP_RESPONSE_MAX+1];
+@@ -754,13 +787,12 @@ static int word2bin(const sasl_utils_t *
+ 	
+ 	/* alternate dictionary */
+ 	if (alt_dict) {
+-	    EVP_MD_CTX mdctx;
+ 	    char hash[EVP_MAX_MD_SIZE];
+ 	    int hashlen;
+ 	    
+-	    EVP_DigestInit(&mdctx, md);
+-	    EVP_DigestUpdate(&mdctx, word, strlen(word));
+-	    EVP_DigestFinal(&mdctx, hash, &hashlen);
++	    EVP_DigestInit(mdctx, md);
++	    EVP_DigestUpdate(mdctx, word, strlen(word));
++	    EVP_DigestFinal(mdctx, hash, &hashlen);
+ 	    
+ 	    /* use lowest 11 bits */
+ 	    x = ((hash[hashlen-2] & 0x7) << 8) | hash[hashlen-1];
+@@ -804,6 +836,7 @@ static int verify_response(server_contex
+ 			   char *response)
+ {
+     const EVP_MD *md;
++    EVP_MD_CTX *mdctx = NULL;
+     char *c;
+     int do_init = 0;
+     unsigned char cur_otp[OTP_HASH_SIZE], prev_otp[OTP_HASH_SIZE];
+@@ -817,6 +850,11 @@ static int verify_response(server_contex
+ 	return SASL_FAIL;
+     }
+     
++    if ((mdctx = _plug_EVP_MD_CTX_new(utils)) == NULL) {
++	SETERROR(utils, "cannot allocate MD CTX");
++	return SASL_NOMEM;
++    }
++    
+     /* eat leading whitespace */
+     c = response;
+     while (isspace((int) *c)) c++;
+@@ -826,7 +864,7 @@ static int verify_response(server_contex
+ 	    r = hex2bin(c+strlen(OTP_HEX_TYPE), cur_otp, OTP_HASH_SIZE);
+ 	}
+ 	else if (!strncasecmp(c, OTP_WORD_TYPE, strlen(OTP_WORD_TYPE))) {
+-	    r = word2bin(utils, c+strlen(OTP_WORD_TYPE), cur_otp, md);
++	    r = word2bin(utils, c+strlen(OTP_WORD_TYPE), cur_otp, md, mdctx);
+ 	}
+ 	else if (!strncasecmp(c, OTP_INIT_HEX_TYPE,
+ 			      strlen(OTP_INIT_HEX_TYPE))) {
+@@ -836,7 +874,7 @@ static int verify_response(server_contex
+ 	else if (!strncasecmp(c, OTP_INIT_WORD_TYPE,
+ 			      strlen(OTP_INIT_WORD_TYPE))) {
+ 	    do_init = 1;
+-	    r = word2bin(utils, c+strlen(OTP_INIT_WORD_TYPE), cur_otp, md);
++	    r = word2bin(utils, c+strlen(OTP_INIT_WORD_TYPE), cur_otp, md, mdctx);
+ 	}
+ 	else {
+ 	    SETERROR(utils, "unknown OTP extended response type");
+@@ -852,7 +890,8 @@ static int verify_response(server_contex
+     
+     if (r == SASL_OK) {
+ 	/* do one more hash (previous otp) and compare to stored otp */
+-	otp_hash(md, cur_otp, OTP_HASH_SIZE, prev_otp, text->alg->swab);
++	otp_hash(md, cur_otp, OTP_HASH_SIZE, 
++		prev_otp, text->alg->swab, mdctx);
+ 	
+ 	if (!memcmp(prev_otp, text->otp, OTP_HASH_SIZE)) {
+ 	    /* update the secret with this seq/otp */
+@@ -881,23 +920,28 @@ static int verify_response(server_contex
+ 		*new_resp++ = '\0';
+ 	}
+ 	
+-	if (!(new_chal && new_resp))
+-	    return SASL_BADAUTH;
++	if (!(new_chal && new_resp)) {
++	    r = SASL_BADAUTH;
++            goto done;
++        }
+ 	
+ 	if ((r = parse_challenge(utils, new_chal, &alg, &seq, seed, 1))
+ 	    != SASL_OK) {
+-	    return r;
++            goto done;
+ 	}
+ 	
+-	if (seq < 1 || !strcasecmp(seed, text->seed))
+-	    return SASL_BADAUTH;
++	if (seq < 1 || !strcasecmp(seed, text->seed)) {
++	    r = SASL_BADAUTH;
++            goto done;
++        }
+ 	
+ 	/* find the MDA */
+ 	if (!(md = EVP_get_digestbyname(alg->evp_name))) {
+ 	    utils->seterror(utils->conn, 0,
+ 			    "OTP algorithm %s is not available",
+ 			    alg->evp_name);
+-	    return SASL_BADAUTH;
++	    r = SASL_BADAUTH;
++            goto done;
+ 	}
+ 	
+ 	if (!strncasecmp(c, OTP_INIT_HEX_TYPE, strlen(OTP_INIT_HEX_TYPE))) {
+@@ -905,7 +949,7 @@ static int verify_response(server_contex
+ 	}
+ 	else if (!strncasecmp(c, OTP_INIT_WORD_TYPE,
+ 			      strlen(OTP_INIT_WORD_TYPE))) {
+-	    r = word2bin(utils, new_resp, new_otp, md);
++	    r = word2bin(utils, new_resp, new_otp, md, mdctx);
+ 	}
+ 	
+ 	if (r == SASL_OK) {
+@@ -916,7 +960,10 @@ static int verify_response(server_contex
+ 	    memcpy(text->otp, new_otp, OTP_HASH_SIZE);
+ 	}
+     }
+-    
++
++  done:
++    if (mdctx) _plug_EVP_MD_CTX_free(mdctx, utils);
++
+     return r;
+ }
+ 

Added: head/security/cyrus-sasl2/files/patch-plugins_passdss.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/cyrus-sasl2/files/patch-plugins_passdss.c	Sat Jun 16 06:16:51 2018	(r472519)
@@ -0,0 +1,721 @@
+--- plugins/passdss.c.orig	2012-01-27 23:31:36 UTC
++++ plugins/passdss.c
+@@ -71,6 +71,9 @@
+ #include <openssl/sha.h>
+ #include <openssl/dsa.h>
+ 
++/* for legacy libcrypto support */
++#include "crypto-compat.h"
++
+ #include <sasl.h>
+ #define MD5_H  /* suppress internal MD5 */
+ #include <saslplug.h>
+@@ -110,23 +113,23 @@ typedef struct context {
+     const sasl_utils_t *utils;
+     
+     /* per-step mem management */
+-    char *out_buf;
++    unsigned char *out_buf;
+     unsigned out_buf_len;
+ 
+     /* security layer foo */
+     unsigned char secmask;	/* bitmask of enabled security layers */
+     unsigned char padding[EVP_MAX_BLOCK_LENGTH];  /* block of NULs */
+ 
+-    HMAC_CTX hmac_send_ctx;
+-    HMAC_CTX hmac_recv_ctx;
++    HMAC_CTX *hmac_send_ctx;
++    HMAC_CTX *hmac_recv_ctx;
+ 
+     unsigned char send_integrity_key[4 + EVP_MAX_MD_SIZE]; /* +4 for pktnum */
+     unsigned char recv_integrity_key[4 + EVP_MAX_MD_SIZE]; /* +4 for pktnum */
+     unsigned char *cs_integrity_key;  /* ptr to bare key in send/recv key */
+     unsigned char *sc_integrity_key;  /* ptr to bare key in send/recv key */
+ 
+-    EVP_CIPHER_CTX cipher_enc_ctx;
+-    EVP_CIPHER_CTX cipher_dec_ctx;
++    EVP_CIPHER_CTX *cipher_enc_ctx;
++    EVP_CIPHER_CTX *cipher_dec_ctx;
+     unsigned blk_siz;
+     
+     unsigned char cs_encryption_iv[EVP_MAX_MD_SIZE];
+@@ -139,7 +142,7 @@ typedef struct context {
+     uint32_t pktnum_in;
+     
+     /* for encoding/decoding mem management */
+-    char           *encode_buf, *decode_buf, *decode_pkt_buf;
++    unsigned char  *encode_buf, *decode_buf, *decode_pkt_buf;
+     unsigned       encode_buf_len, decode_buf_len, decode_pkt_buf_len;
+     
+     /* layers buffering */
+@@ -171,7 +174,7 @@ static int passdss_encode(void *context,
+ 	inputlen += invec[i].iov_len;
+ 
+     /* allocate a buffer for the output */
+-    ret = _plug_buf_alloc(text->utils, &text->encode_buf,
++    ret = _plug_buf_alloc(text->utils, (char **) &text->encode_buf,
+ 			  &text->encode_buf_len,
+ 			  4 +				/* length */
+ 			  inputlen +			/* content */
+@@ -186,19 +189,19 @@ static int passdss_encode(void *context,
+     memcpy(text->send_integrity_key, &tmpnum, 4);
+ 
+     /* key the HMAC */
+-    HMAC_Init_ex(&text->hmac_send_ctx, text->send_integrity_key,
++    HMAC_Init_ex(text->hmac_send_ctx, text->send_integrity_key,
+ 		 4+SHA_DIGEST_LENGTH, EVP_sha1(), NULL);
+ 
+     /* operate on each iovec */
+     for (i = 0; i < numiov; i++) {
+ 	/* hash the content */
+-	HMAC_Update(&text->hmac_send_ctx, invec[i].iov_base, invec[i].iov_len);
++	HMAC_Update(text->hmac_send_ctx, invec[i].iov_base, invec[i].iov_len);
+ 
+ 	if (text->secmask & PRIVACY_LAYER_FLAG) {
+-	    unsigned enclen;
++	    int enclen;

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201806160616.w5G6GpCO041852>