summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLars Wendler <polynomial-c@gentoo.org>2018-10-24 14:30:31 +0200
committerLars Wendler <polynomial-c@gentoo.org>2018-10-24 14:30:31 +0200
commitab9cb2adf29b582afb8541b4ceb5a3185c82ba30 (patch)
treeff018862021886d751887e6a608e7dd6b300ee30 /dev-libs/cyrus-sasl
parentsys-auth/pam_p11: Fixed build with openssl-1.1 (diff)
downloadgentoo-ab9cb2adf29b582afb8541b4ceb5a3185c82ba30.tar.gz
gentoo-ab9cb2adf29b582afb8541b4ceb5a3185c82ba30.tar.bz2
gentoo-ab9cb2adf29b582afb8541b4ceb5a3185c82ba30.zip
dev-libs/cyrus-sasl: Fixed build with openssl-1.1
Bumped to EAPI-6 and did some ebuild cleanup. Closes: https://bugs.gentoo.org/592528 Signed-off-by: Lars Wendler <polynomial-c@gentoo.org> Package-Manager: Portage-2.3.51, Repoman-2.3.11
Diffstat (limited to 'dev-libs/cyrus-sasl')
-rw-r--r--dev-libs/cyrus-sasl/cyrus-sasl-2.1.26-r11.ebuild111
-rw-r--r--dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.23-gss_c_nt_hostbased_service.patch4
-rw-r--r--dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-fix_heimdal.patch8
-rw-r--r--dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-missing_header.patch4
-rw-r--r--dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-service_keytabs.patch8
-rw-r--r--dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-fix_dovecot_authentication.patch8
-rw-r--r--dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-missing-size_t.patch4
-rw-r--r--dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-openssl-1.1.patch353
8 files changed, 425 insertions, 75 deletions
diff --git a/dev-libs/cyrus-sasl/cyrus-sasl-2.1.26-r11.ebuild b/dev-libs/cyrus-sasl/cyrus-sasl-2.1.26-r11.ebuild
index 582c8463da1..f7cccc351ba 100644
--- a/dev-libs/cyrus-sasl/cyrus-sasl-2.1.26-r11.ebuild
+++ b/dev-libs/cyrus-sasl/cyrus-sasl-2.1.26-r11.ebuild
@@ -1,9 +1,9 @@
-# Copyright 1999-2018 Gentoo Foundation
+# Copyright 1999-2018 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
-EAPI=5
+EAPI=6
-inherit eutils flag-o-matic multilib multilib-minimal autotools pam java-pkg-opt-2 db-use systemd
+inherit flag-o-matic multilib multilib-minimal autotools pam java-pkg-opt-2 db-use systemd
SASLAUTHD_CONF_VER="2.1.26"
@@ -58,6 +58,7 @@ PATCHES=(
"${FILESDIR}/${PN}-2.1.26-send-imap-logout.patch"
"${FILESDIR}/${PN}-2.1.26-canonuser-ldapdb-garbage-in-out-buffer.patch"
"${FILESDIR}/${PN}-2.1.26-fix_dovecot_authentication.patch"
+ "${FILESDIR}/${PN}-2.1.26-openssl-1.1.patch" #592528
)
pkg_setup() {
@@ -65,7 +66,7 @@ pkg_setup() {
}
src_prepare() {
- epatch "${PATCHES[@]}"
+ default
# Get rid of the -R switch (runpath_switch for Sun)
# >=gcc-4.6 errors out with unknown option
@@ -103,73 +104,66 @@ multilib_src_configure() {
# Java support.
multilib_is_native_abi && use java && export JAVAC="${JAVAC} ${JAVACFLAGS}"
- local myconf=()
-
- # Add authdaemond support (bug #56523).
- if use authdaemond ; then
- myconf+=( --with-authdaemond="${EPREFIX}"/var/lib/courier/authdaemon/socket )
- fi
-
- # Fix for bug #59634.
- if ! use ssl ; then
- myconf+=( --without-des )
- fi
+ local myeconfargs=(
+ --enable-login
+ --enable-ntlm
+ --enable-auth-sasldb
+ --disable-cmulocal
+ --disable-krb4
+ --disable-macos-framework
+ --enable-otp
+ --without-sqlite
+ --with-saslauthd="${EPREFIX}"/run/saslauthd
+ --with-pwcheck="${EPREFIX}"/run/saslauthd
+ --with-configdir="${EPREFIX}"/etc/sasl2
+ --with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sasl2
+ --with-dbpath="${EPREFIX}"/etc/sasl2/sasldb2
+ $(use_with ssl openssl)
+ $(use_with pam)
+ $(use_with openldap ldap)
+ $(use_enable ldapdb)
+ $(multilib_native_use_enable sample)
+ $(use_enable kerberos gssapi)
+ $(multilib_native_use_enable java)
+ $(multilib_native_use_with java javahome ${JAVA_HOME})
+ $(multilib_native_use_with mysql mysql "${EPREFIX}"/usr)
+ $(multilib_native_use_with postgres pgsql)
+ $(use_with sqlite sqlite3 "${EPREFIX}"/usr/$(get_libdir))
+ $(use_enable srp)
+ $(use_enable static-libs static)
+
+ # Add authdaemond support (bug #56523).
+ $(usex authdaemond --with-authdaemond="${EPREFIX}"/var/lib/courier/authdaemon/socket '')
+
+ # Fix for bug #59634.
+ $(usex ssl '' --without-des)
+
+ # Use /dev/urandom instead of /dev/random (bug #46038).
+ $(usex urandom --with-devrandom=/dev/urandom '')
+ )
if use sqlite || { multilib_is_native_abi && { use mysql || use postgres; }; } ; then
- myconf+=( --enable-sql )
+ myeconfargs+=( --enable-sql )
else
- myconf+=( --disable-sql )
+ myeconfargs+=( --disable-sql )
fi
# Default to GDBM if both 'gdbm' and 'berkdb' are present.
if use gdbm ; then
einfo "Building with GNU DB as database backend for your SASLdb"
- myconf+=( --with-dblib=gdbm )
+ myeconfargs+=( --with-dblib=gdbm )
elif use berkdb ; then
einfo "Building with BerkeleyDB as database backend for your SASLdb"
- myconf+=(
+ myeconfargs+=(
--with-dblib=berkeley
--with-bdb-incdir="$(db_includedir)"
)
else
einfo "Building without SASLdb support"
- myconf+=( --with-dblib=none )
- fi
-
- # Use /dev/urandom instead of /dev/random (bug #46038).
- if use urandom ; then
- myconf+=( --with-devrandom=/dev/urandom )
+ myeconfargs+=( --with-dblib=none )
fi
- ECONF_SOURCE=${S} \
- econf \
- --enable-login \
- --enable-ntlm \
- --enable-auth-sasldb \
- --disable-cmulocal \
- --disable-krb4 \
- --disable-macos-framework \
- --enable-otp \
- --without-sqlite \
- --with-saslauthd="${EPREFIX}"/run/saslauthd \
- --with-pwcheck="${EPREFIX}"/run/saslauthd \
- --with-configdir="${EPREFIX}"/etc/sasl2 \
- --with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sasl2 \
- --with-dbpath="${EPREFIX}"/etc/sasl2/sasldb2 \
- $(use_with ssl openssl) \
- $(use_with pam) \
- $(use_with openldap ldap) \
- $(use_enable ldapdb) \
- $(multilib_native_use_enable sample) \
- $(use_enable kerberos gssapi) \
- $(multilib_native_use_enable java) \
- $(multilib_native_use_with java javahome ${JAVA_HOME}) \
- $(multilib_native_use_with mysql mysql "${EPREFIX}"/usr) \
- $(multilib_native_use_with postgres pgsql) \
- $(use_with sqlite sqlite3 "${EPREFIX}"/usr/$(get_libdir)) \
- $(use_enable srp) \
- $(use_enable static-libs static) \
- "${myconf[@]}"
+ ECONF_SOURCE="${S}" econf "${myeconfargs[@]}"
}
multilib_src_compile() {
@@ -215,7 +209,9 @@ multilib_src_install_all() {
dodoc AUTHORS ChangeLog NEWS README doc/TODO doc/*.txt
newdoc pwcheck/README README.pwcheck
- dohtml doc/*.html
+
+ docinto html
+ dodoc doc/*.html
docinto "saslauthd"
dodoc saslauthd/{AUTHORS,ChangeLog,LDAP_SASLAUTHD,NEWS,README}
@@ -233,8 +229,9 @@ multilib_src_install_all() {
# The get_modname bit is important: do not remove the .la files on
# platforms where the lib isn't called .so for cyrus searches the .la to
# figure out what the name is supposed to be instead
- use static-libs || [[ $(get_modname) != .so ]] || \
- prune_libtool_files --modules
+ if ! use static-libs && [[ $(get_modname) == .so ]] ; then
+ find "${ED}" -name "*.la" -delete || die
+ fi
}
pkg_postinst () {
diff --git a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.23-gss_c_nt_hostbased_service.patch b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.23-gss_c_nt_hostbased_service.patch
index 9eeab1b42ff..beea8eb28d1 100644
--- a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.23-gss_c_nt_hostbased_service.patch
+++ b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.23-gss_c_nt_hostbased_service.patch
@@ -1,6 +1,6 @@
Gentoo bug #389349
---- cmulocal/sasl2.m4 2009-04-28 17:09:13.000000000 +0200
-+++ cmulocal/sasl2.m4 2011-11-02 17:55:24.000000000 +0100
+--- a/cmulocal/sasl2.m4
++++ b/cmulocal/sasl2.m4
@@ -217,7 +217,11 @@
[AC_WARN([Cybersafe define not found])])
diff --git a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-fix_heimdal.patch b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-fix_heimdal.patch
index abf0df2568c..92be2600348 100644
--- a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-fix_heimdal.patch
+++ b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-fix_heimdal.patch
@@ -1,7 +1,7 @@
Fix compiling against heimdal
---- sample/server.c 2010-12-01 14:52:55.000000000 +0000
-+++ sample/server.c 2011-11-30 14:54:42.000000000 +0000
+--- a/sample/server.c
++++ b/sample/server.c
@@ -85,8 +85,10 @@
#ifdef HAVE_GSS_GET_NAME_ATTRIBUTE
@@ -13,8 +13,8 @@ Fix compiling against heimdal
#include "common.h"
---- plugins/gssapi.c 2011-05-11 19:25:55.000000000 +0000
-+++ plugins/gssapi.c 2011-11-30 14:54:33.000000000 +0000
+--- a/plugins/gssapi.c
++++ b/plugins/gssapi.c
@@ -50,6 +50,9 @@
#else
#include <gssapi/gssapi.h>
diff --git a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-missing_header.patch b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-missing_header.patch
index 597d45a7679..a413e00bf42 100644
--- a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-missing_header.patch
+++ b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-missing_header.patch
@@ -1,5 +1,5 @@
---- pwcheck/pwcheck_getspnam.c 1999-08-26 19:22:44.000000000 +0300
-+++ pwcheck/pwcheck_getspnam.c 2011-11-30 13:22:24.601023316 +0200
+--- a/pwcheck/pwcheck_getspnam.c
++++ b/pwcheck/pwcheck_getspnam.c
@@ -24,6 +24,7 @@
******************************************************************/
diff --git a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-service_keytabs.patch b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-service_keytabs.patch
index 117e8eb8880..43b6162a66f 100644
--- a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-service_keytabs.patch
+++ b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.25-service_keytabs.patch
@@ -1,6 +1,6 @@
Bug #445932
---- cmulocal/sasl2.m4 2011-09-02 12:58:00.000000000 +0000
-+++ cmulocal/sasl2.m4 2012-12-05 08:37:16.425811319 +0000
+--- a/cmulocal/sasl2.m4
++++ b/cmulocal/sasl2.m4
@@ -268,7 +268,11 @@
cmu_save_LIBS="$LIBS"
@@ -14,8 +14,8 @@ Bug #445932
AC_CHECK_FUNCS(gss_decapsulate_token)
AC_CHECK_FUNCS(gss_encapsulate_token)
AC_CHECK_FUNCS(gss_oid_equal)
---- plugins/gssapi.c 2012-12-05 09:03:31.000220161 +0000
-+++ plugins/gssapi.c 2012-12-05 09:01:55.043380204 +0000
+--- a/plugins/gssapi.c
++++ b/plugins/gssapi.c
@@ -50,7 +50,7 @@
#else
#include <gssapi/gssapi.h>
diff --git a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-fix_dovecot_authentication.patch b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-fix_dovecot_authentication.patch
index 46bbdd1ca1a..6fc9de80287 100644
--- a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-fix_dovecot_authentication.patch
+++ b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-fix_dovecot_authentication.patch
@@ -1,6 +1,6 @@
Bug #510320
---- saslauthd/auth_rimap.c 2012-10-12 14:05:48.000000000 +0000
-+++ saslauthd/auth_rimap.c 2014-05-15 05:23:02.000000000 +0000
+--- a/saslauthd/auth_rimap.c
++++ b/saslauthd/auth_rimap.c
@@ -371,7 +371,7 @@
if ( rc>0 ) {
/* check if there is more to read */
@@ -65,8 +65,8 @@ Bug #510320
rc += ret;
}
}
---- lib/checkpw.c 2012-01-27 23:31:36.000000000 +0000
-+++ lib/checkpw.c 2014-05-15 05:19:35.000000000 +0000
+--- a/lib/checkpw.c
++++ b/lib/checkpw.c
@@ -587,16 +587,14 @@
/* Timeout. */
errno = ETIMEDOUT;
diff --git a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-missing-size_t.patch b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-missing-size_t.patch
index 42f20fb8096..0177b52567f 100644
--- a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-missing-size_t.patch
+++ b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-missing-size_t.patch
@@ -1,6 +1,6 @@
Gentoo bug #458790
---- include/sasl.h 2012-10-12 17:05:48.000000000 +0300
-+++ include/sasl.h 2013-02-23 16:56:44.648786268 +0200
+--- a/include/sasl.h
++++ b/include/sasl.h
@@ -121,6 +121,9 @@
#ifndef SASL_H
#define SASL_H 1
diff --git a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-openssl-1.1.patch b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-openssl-1.1.patch
new file mode 100644
index 00000000000..3b0ffac24f0
--- /dev/null
+++ b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-openssl-1.1.patch
@@ -0,0 +1,353 @@
+diff --git a/plugins/ntlm.c b/plugins/ntlm.c
+index 79ea47c..554a00d 100644
+--- a/plugins/ntlm.c
++++ b/plugins/ntlm.c
+@@ -417,6 +417,29 @@ static unsigned char *P24(unsigned char *P24, unsigned char *P21,
+ return P24;
+ }
+
++static HMAC_CTX *_plug_HMAC_CTX_new(const sasl_utils_t *utils)
++{
++ utils->log(NULL, SASL_LOG_DEBUG, "_plug_HMAC_CTX_new()");
++
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ return HMAC_CTX_new();
++#else
++ return utils->malloc(sizeof(EVP_MD_CTX));
++#endif
++}
++
++static void _plug_HMAC_CTX_free(HMAC_CTX *ctx, const sasl_utils_t *utils)
++{
++ utils->log(NULL, SASL_LOG_DEBUG, "_plug_HMAC_CTX_free()");
++
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ HMAC_CTX_free(ctx);
++#else
++ HMAC_cleanup(ctx);
++ utils->free(ctx);
++#endif
++}
++
+ static unsigned char *V2(unsigned char *V2, sasl_secret_t *passwd,
+ const char *authid, const char *target,
+ const unsigned char *challenge,
+@@ -424,7 +447,7 @@ static unsigned char *V2(unsigned char *V2, sasl_secret_t *passwd,
+ const sasl_utils_t *utils,
+ char **buf, unsigned *buflen, int *result)
+ {
+- HMAC_CTX ctx;
++ HMAC_CTX *ctx = NULL;
+ unsigned char hash[EVP_MAX_MD_SIZE];
+ char *upper;
+ unsigned int len;
+@@ -435,6 +458,10 @@ static unsigned char *V2(unsigned char *V2, sasl_secret_t *passwd,
+ SETERROR(utils, "cannot allocate NTLMv2 hash");
+ *result = SASL_NOMEM;
+ }
++ else if ((ctx = _plug_HMAC_CTX_new(utils)) == NULL) {
++ SETERROR(utils, "cannot allocate HMAC CTX");
++ *result = SASL_NOMEM;
++ }
+ else {
+ /* NTLMv2hash = HMAC-MD5(NTLMhash, unicode(ucase(authid + domain))) */
+ P16_nt(hash, passwd, utils, buf, buflen, result);
+@@ -449,17 +476,18 @@ static unsigned char *V2(unsigned char *V2, sasl_secret_t *passwd,
+ HMAC(EVP_md5(), hash, MD4_DIGEST_LENGTH, *buf, 2 * len, hash, &len);
+
+ /* V2 = HMAC-MD5(NTLMv2hash, challenge + blob) + blob */
+- HMAC_Init(&ctx, hash, len, EVP_md5());
+- HMAC_Update(&ctx, challenge, NTLM_NONCE_LENGTH);
+- HMAC_Update(&ctx, blob, bloblen);
+- HMAC_Final(&ctx, V2, &len);
+- HMAC_cleanup(&ctx);
++ HMAC_Init_ex(ctx, hash, len, EVP_md5(), NULL);
++ HMAC_Update(ctx, challenge, NTLM_NONCE_LENGTH);
++ HMAC_Update(ctx, blob, bloblen);
++ HMAC_Final(ctx, V2, &len);
+
+ /* the blob is concatenated outside of this function */
+
+ *result = SASL_OK;
+ }
+
++ if (ctx) _plug_HMAC_CTX_free(ctx, utils);
++
+ return V2;
+ }
+
+diff --git a/plugins/otp.c b/plugins/otp.c
+index dd73065..d1e9bf4 100644
+--- a/plugins/otp.c
++++ b/plugins/otp.c
+@@ -96,6 +96,28 @@ static algorithm_option_t algorithm_options[] = {
+ {NULL, 0, NULL}
+ };
+
++static EVP_MD_CTX *_plug_EVP_MD_CTX_new(const sasl_utils_t *utils)
++{
++ utils->log(NULL, SASL_LOG_DEBUG, "_plug_EVP_MD_CTX_new()");
++
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ return EVP_MD_CTX_new();
++#else
++ return utils->malloc(sizeof(EVP_MD_CTX));
++#endif
++}
++
++static void _plug_EVP_MD_CTX_free(EVP_MD_CTX *ctx, const sasl_utils_t *utils)
++{
++ utils->log(NULL, SASL_LOG_DEBUG, "_plug_EVP_MD_CTX_free()");
++
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ EVP_MD_CTX_free(ctx);
++#else
++ utils->free(ctx);
++#endif
++}
++
+ /* Convert the binary data into ASCII hex */
+ void bin2hex(unsigned char *bin, int binlen, char *hex)
+ {
+@@ -116,17 +138,16 @@ void bin2hex(unsigned char *bin, int binlen, char *hex)
+ * swabbing bytes if necessary.
+ */
+ static void otp_hash(const EVP_MD *md, char *in, size_t inlen,
+- unsigned char *out, int swab)
++ unsigned char *out, int swab, EVP_MD_CTX *mdctx)
+ {
+- EVP_MD_CTX mdctx;
+ char hash[EVP_MAX_MD_SIZE];
+ unsigned int i;
+ int j;
+ unsigned hashlen;
+
+- EVP_DigestInit(&mdctx, md);
+- EVP_DigestUpdate(&mdctx, in, inlen);
+- EVP_DigestFinal(&mdctx, hash, &hashlen);
++ EVP_DigestInit(mdctx, md);
++ EVP_DigestUpdate(mdctx, in, inlen);
++ EVP_DigestFinal(mdctx, hash, &hashlen);
+
+ /* Fold the result into 64 bits */
+ for (i = OTP_HASH_SIZE; i < hashlen; i++) {
+@@ -149,7 +170,9 @@ static int generate_otp(const sasl_utils_t *utils,
+ char *secret, char *otp)
+ {
+ const EVP_MD *md;
+- char *key;
++ EVP_MD_CTX *mdctx = NULL;
++ char *key = NULL;
++ int r = SASL_OK;
+
+ if (!(md = EVP_get_digestbyname(alg->evp_name))) {
+ utils->seterror(utils->conn, 0,
+@@ -157,23 +180,32 @@ static int generate_otp(const sasl_utils_t *utils,
+ return SASL_FAIL;
+ }
+
++ if ((mdctx = _plug_EVP_MD_CTX_new(utils)) == NULL) {
++ SETERROR(utils, "cannot allocate MD CTX");
++ r = SASL_NOMEM;
++ goto done;
++ }
++
+ if ((key = utils->malloc(strlen(seed) + strlen(secret) + 1)) == NULL) {
+ SETERROR(utils, "cannot allocate OTP key");
+- return SASL_NOMEM;
++ r = SASL_NOMEM;
++ goto done;
+ }
+
+ /* initial step */
+ strcpy(key, seed);
+ strcat(key, secret);
+- otp_hash(md, key, strlen(key), otp, alg->swab);
++ otp_hash(md, key, strlen(key), otp, alg->swab, mdctx);
+
+ /* computation step */
+ while (seq-- > 0)
+- otp_hash(md, otp, OTP_HASH_SIZE, otp, alg->swab);
++ otp_hash(md, otp, OTP_HASH_SIZE, otp, alg->swab, mdctx);
+
+- utils->free(key);
++ done:
++ if (key) utils->free(key);
++ if (mdctx) _plug_EVP_MD_CTX_free(mdctx, utils);
+
+- return SASL_OK;
++ return r;
+ }
+
+ static int parse_challenge(const sasl_utils_t *utils,
+@@ -693,7 +725,8 @@ static int strptrcasecmp(const void *arg1, const void *arg2)
+
+ /* Convert the 6 words into binary data */
+ static int word2bin(const sasl_utils_t *utils,
+- char *words, unsigned char *bin, const EVP_MD *md)
++ char *words, unsigned char *bin, const EVP_MD *md,
++ EVP_MD_CTX *mdctx)
+ {
+ int i, j;
+ char *c, *word, buf[OTP_RESPONSE_MAX+1];
+@@ -752,13 +785,12 @@ static int word2bin(const sasl_utils_t *utils,
+
+ /* alternate dictionary */
+ if (alt_dict) {
+- EVP_MD_CTX mdctx;
+ char hash[EVP_MAX_MD_SIZE];
+ int hashlen;
+
+- EVP_DigestInit(&mdctx, md);
+- EVP_DigestUpdate(&mdctx, word, strlen(word));
+- EVP_DigestFinal(&mdctx, hash, &hashlen);
++ EVP_DigestInit(mdctx, md);
++ EVP_DigestUpdate(mdctx, word, strlen(word));
++ EVP_DigestFinal(mdctx, hash, &hashlen);
+
+ /* use lowest 11 bits */
+ x = ((hash[hashlen-2] & 0x7) << 8) | hash[hashlen-1];
+@@ -802,6 +834,7 @@ static int verify_response(server_context_t *text, const sasl_utils_t *utils,
+ char *response)
+ {
+ const EVP_MD *md;
++ EVP_MD_CTX *mdctx = NULL;
+ char *c;
+ int do_init = 0;
+ unsigned char cur_otp[OTP_HASH_SIZE], prev_otp[OTP_HASH_SIZE];
+@@ -815,6 +848,11 @@ static int verify_response(server_context_t *text, const sasl_utils_t *utils,
+ return SASL_FAIL;
+ }
+
++ if ((mdctx = _plug_EVP_MD_CTX_new(utils)) == NULL) {
++ SETERROR(utils, "cannot allocate MD CTX");
++ return SASL_NOMEM;
++ }
++
+ /* eat leading whitespace */
+ c = response;
+ while (isspace((int) *c)) c++;
+@@ -824,7 +862,7 @@ static int verify_response(server_context_t *text, const sasl_utils_t *utils,
+ r = hex2bin(c+strlen(OTP_HEX_TYPE), cur_otp, OTP_HASH_SIZE);
+ }
+ else if (!strncasecmp(c, OTP_WORD_TYPE, strlen(OTP_WORD_TYPE))) {
+- r = word2bin(utils, c+strlen(OTP_WORD_TYPE), cur_otp, md);
++ r = word2bin(utils, c+strlen(OTP_WORD_TYPE), cur_otp, md, mdctx);
+ }
+ else if (!strncasecmp(c, OTP_INIT_HEX_TYPE,
+ strlen(OTP_INIT_HEX_TYPE))) {
+@@ -834,7 +872,7 @@ static int verify_response(server_context_t *text, const sasl_utils_t *utils,
+ else if (!strncasecmp(c, OTP_INIT_WORD_TYPE,
+ strlen(OTP_INIT_WORD_TYPE))) {
+ do_init = 1;
+- r = word2bin(utils, c+strlen(OTP_INIT_WORD_TYPE), cur_otp, md);
++ r = word2bin(utils, c+strlen(OTP_INIT_WORD_TYPE), cur_otp, md, mdctx);
+ }
+ else {
+ SETERROR(utils, "unknown OTP extended response type");
+@@ -843,14 +881,14 @@ static int verify_response(server_context_t *text, const sasl_utils_t *utils,
+ }
+ else {
+ /* standard response, try word first, and then hex */
+- r = word2bin(utils, c, cur_otp, md);
++ r = word2bin(utils, c, cur_otp, md, mdctx);
+ if (r != SASL_OK)
+ r = hex2bin(c, cur_otp, OTP_HASH_SIZE);
+ }
+
+ if (r == SASL_OK) {
+ /* do one more hash (previous otp) and compare to stored otp */
+- otp_hash(md, cur_otp, OTP_HASH_SIZE, prev_otp, text->alg->swab);
++ otp_hash(md, cur_otp, OTP_HASH_SIZE, prev_otp, text->alg->swab, mdctx);
+
+ if (!memcmp(prev_otp, text->otp, OTP_HASH_SIZE)) {
+ /* update the secret with this seq/otp */
+@@ -879,23 +917,28 @@ static int verify_response(server_context_t *text, const sasl_utils_t *utils,
+ *new_resp++ = '\0';
+ }
+
+- if (!(new_chal && new_resp))
+- return SASL_BADAUTH;
++ if (!(new_chal && new_resp)) {
++ r = SASL_BADAUTH;
++ goto done;
++ }
+
+ if ((r = parse_challenge(utils, new_chal, &alg, &seq, seed, 1))
+ != SASL_OK) {
+- return r;
++ goto done;
+ }
+
+- if (seq < 1 || !strcasecmp(seed, text->seed))
+- return SASL_BADAUTH;
++ if (seq < 1 || !strcasecmp(seed, text->seed)) {
++ r = SASL_BADAUTH;
++ goto done;
++ }
+
+ /* find the MDA */
+ if (!(md = EVP_get_digestbyname(alg->evp_name))) {
+ utils->seterror(utils->conn, 0,
+ "OTP algorithm %s is not available",
+ alg->evp_name);
+- return SASL_BADAUTH;
++ r = SASL_BADAUTH;
++ goto done;
+ }
+
+ if (!strncasecmp(c, OTP_INIT_HEX_TYPE, strlen(OTP_INIT_HEX_TYPE))) {
+@@ -903,7 +946,7 @@ static int verify_response(server_context_t *text, const sasl_utils_t *utils,
+ }
+ else if (!strncasecmp(c, OTP_INIT_WORD_TYPE,
+ strlen(OTP_INIT_WORD_TYPE))) {
+- r = word2bin(utils, new_resp, new_otp, md);
++ r = word2bin(utils, new_resp, new_otp, md, mdctx);
+ }
+
+ if (r == SASL_OK) {
+@@ -914,7 +957,10 @@ static int verify_response(server_context_t *text, const sasl_utils_t *utils,
+ memcpy(text->otp, new_otp, OTP_HASH_SIZE);
+ }
+ }
+-
++
++ done:
++ if (mdctx) _plug_EVP_MD_CTX_free(mdctx, utils);
++
+ return r;
+ }
+
+@@ -1443,8 +1489,10 @@ int otp_server_plug_init(const sasl_utils_t *utils,
+ *pluglist = otp_server_plugins;
+ *plugcount = 1;
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ /* Add all digests */
+ OpenSSL_add_all_digests();
++#endif
+
+ return SASL_OK;
+ }
+@@ -1844,8 +1892,10 @@ int otp_client_plug_init(sasl_utils_t *utils,
+ *pluglist = otp_client_plugins;
+ *plugcount = 1;
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ /* Add all digests */
+ OpenSSL_add_all_digests();
++#endif
+
+ return SASL_OK;
+ }
+--- a/saslauthd/lak.c
++++ b/saslauthd/lak.c
+@@ -729,7 +729,7 @@ int lak_init(
+ return rc;
+ }
+
+-#ifdef HAVE_OPENSSL
++#if defined(HAVE_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10100000L
+ OpenSSL_add_all_digests();
+ #endif
+