17890284 Update to sudo version 1.8.9p5
authorVladimir Marek <Vladimir.Marek@oracle.com>
Thu, 10 Apr 2014 15:30:14 +0200
changeset 1830 93243cb310c5
parent 1829 e207eef6b403
child 1831 2175d25787f8
17890284 Update to sudo version 1.8.9p5
components/sudo/Makefile
components/sudo/TESTING
components/sudo/patches/02-pam_setcred.patch
components/sudo/patches/03-solaris_audit.patch
components/sudo/patches/04-use_libmd.patch
components/sudo/resolve.deps
components/sudo/sudo.license
components/sudo/sudo.p5m
--- a/components/sudo/Makefile	Mon Apr 14 23:01:26 2014 -0700
+++ b/components/sudo/Makefile	Thu Apr 10 15:30:14 2014 +0200
@@ -25,13 +25,13 @@
 include ../../make-rules/shared-macros.mk
 
 COMPONENT_NAME=		sudo
-SRC_VERSION=	1.8.6
-SRC_PATCH_VERSION=	7
+SRC_VERSION=	1.8.9
+SRC_PATCH_VERSION=	5
 COMPONENT_VERSION=	$(SRC_VERSION).$(SRC_PATCH_VERSION)
 COMPONENT_SRC=		$(COMPONENT_NAME)-$(SRC_VERSION)p$(SRC_PATCH_VERSION)
 COMPONENT_ARCHIVE=	$(COMPONENT_SRC).tar.gz
 COMPONENT_ARCHIVE_HASH=	\
-    sha256:301089edb22356f59d097f6abbe1303f03927a38691b02959d618546c2125036
+    sha256:bc9d5c96de5f8b4d2b014f87a37870aef60d2891c869202454069150a21a5c21
 COMPONENT_ARCHIVE_URL=	http://www.sudo.ws/sudo/dist/$(COMPONENT_ARCHIVE)
 COMPONENT_PROJECT_URL=  http://www.sudo.ws/
 COMPONENT_BUGDB=	utility/sudo
@@ -40,10 +40,13 @@
 include $(WS_TOP)/make-rules/configure.mk
 include $(WS_TOP)/make-rules/ips.mk
 
+COMPONENT_PREP_ACTION = ( cd $(@D) ; $(AUTORECONF) -f -I m4 )
+
 CONFIGURE_ENV +=	"CC=$(CC)"
 CONFIGURE_ENV +=	"CFLAGS=$(CFLAGS)"
 CONFIGURE_ENV +=	"CXX=$(CXX)"
 CONFIGURE_ENV +=	"MAKE=$(GMAKE)"
+CONFIGURE_ENV +=	"LDFLAGS=$(LDFLAGS) -m64"
 
 CONFIGURE_OPTIONS +=	--with-ldap
 CONFIGURE_OPTIONS +=	--with-project
@@ -61,17 +64,37 @@
 COMPONENT_BUILD_ENV +=	"CFLAGS=$(CFLAGS)"
 
 COMPONENT_INSTALL_TARGETS = install
+COMPONENT_INSTALL_ARGS += bindir=$(USRBINDIR)
+COMPONENT_INSTALL_ARGS += sbindir=$(USRSBINDIR)
+
 
 # Enable aslr for this component
 ASLR_MODE = $(ASLR_ENABLE)
 
 # common targets
 
-build:		$(BUILD_32)
+build:		$(BUILD_64)
+
+install:	$(INSTALL_64)
+
+VISUDO=$(BUILD_DIR_64)/plugins/sudoers/visudo
+test:
+	# Since linking with libmd.so (which provides sha2 capability on
+	# Solaris) is optional, we have a check here to make sure that the
+	# configure script found it correctly.
+	# http://www.sudo.ws/bugs/show_bug.cgi?id=641
 
-install:	$(INSTALL_32)
+	# Make sure that sudo is NOT built with it's internal sha2 implementation
+	if [[ -n $$( elfdump -s "$(VISUDO)" | grep SHA256Init | grep -v UNDEF ) ]]; then \
+		echo "SHA256Init is not an undefined symbol in $(VISUDO)"; \
+		exit 1; \
+	fi
+	# ... but is linked with libmd instead
+	if [[ -z $$( elfdump -d "$(VISUDO)" | grep 'NEEDED .* libmd.so' ) ]]; then \
+		echo "$(VISUDO) is not linked against libmd.so"; \
+		exit 1; \
+	fi
 
-test:		$(NO_TESTS)
 
 BUILD_PKG_DEPENDENCIES =	$(BUILD_TOOLS)
 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/sudo/TESTING	Thu Apr 10 15:30:14 2014 +0200
@@ -0,0 +1,120 @@
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+# Open second terminal with root shell. Keep this as a possibility to assume
+# root privileges if you loose the ability to do so via sudo during testing.
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+# Make sure we are looking at the correct version
+sudo -V | grep version
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+# Test digest feature
+
+openssl dgst -sha224 /usr/bin/ls # make note of the hash
+
+# Add this line to sudoers (replace UID by your user ID and HASH by the ls
+# hash):
+<UID> ALL = sha224:<HASH> /usr/bin/ls
+
+# This should work (asking you a password first)
+sudo /usr/bin/ls /
+
+# Now change the hash so that it is wrong and make sure it does not work this
+# time
+sudo /usr/bin/ls /
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+# add this line to sudoers
+ALL ALL=(ALL:ALL) NOPASSWD: ALL
+
+# Make sure it gives you root account
+sudo id
+
+# Make sure this changes just your group
+sudo -g sol_src id
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+# Test creating a file in etc
+sudoedit /etc/test
+...
+cat /etc/test # Make sure the text is there
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+# Auditing
+cd /var/audit
+sudo /usr/sbin/audit -t
+sudo rm *
+sudo /usr/sbin/audit -s
+sudo auditreduce * | praudit -s
+> file,1970-01-01 00:00:00.000 +00:00,
+> file,2014-03-27 10:34:23.000 +00:00,
+
+# Make sure that since the first run we can see new auditing record
+sudo auditreduce * | praudit -s
+> file,2014-03-27 10:34:23.000 +00:00,
+> header,158,2,AUE_sudo,,10.0.2.15,2014-03-27 10:34:23.735 +00:00
+> subject,vmarek,root,staff,vmarek,staff,2295,3108723863,5096 202240 10.0.2.2
+> path,/var/share/audit
+> path,/usr/sbin/auditreduce
+> cmd,argcnt,1,20140327103420.not_terminated.S12-43,envcnt,0,
+> return,success,0
+> file,2014-03-27 10:34:23.000 +00:00,
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+# PAM credentials
+
+# Make sure that 'root' is a role
+sudo usermod -K type=role root
+
+# Note the preselection mask, it should probably be 'lo(0x1000,0x1000)'
+sudo bash -c 'auditconfig -getpinfo $$'
+
+# Add audit flags to root
+sudo rolemod -K audit_flags=lo,ex:no root
+
+# Make sure that the preselection mask now shows new entries (lo,ex)
+sudo bash -c 'auditconfig -getpinfo $$'
+
+# Disable PAM credentials in sudo by adding this line to sudoers:
+Defaults !pam_setcred
+
+# Make sure that the preselection mask now shows only previous entry
+sudo bash -c 'auditconfig -getpinfo $$'
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+# Solaris privileges
+
+# Add this to the end sudoers keeping the 'ALL ALL=(ALL:ALL) NOPASSWD: ALL' above
+<UID> ALL = () PRIVS="basic,dtrace_kernel,dtrace_proc,dtrace_user" NOPASSWD: /usr/sbin/dtrace, /usr/bin/bash
+
+# Just your regular id
+id
+> uid=157888(vmarek) gid=10(staff)
+
+# Sudo normally turning you into root via the 'ALL ALL=(ALL:ALL) NOPASSWD: ALL' line
+sudo id
+> uid=0(root) gid=0(root)
+
+# For bash it should leave your ID and just grant dtrace privileges
+sudo bash -c 'id; ppriv $$'
+uid=157888(vmarek) gid=10(staff)
+> 2296:   bash -c id; ppriv $$
+> flags = <none>
+>         E: basic,dtrace_kernel,dtrace_proc,dtrace_user
+>         I: basic,dtrace_kernel,dtrace_proc,dtrace_user
+>         P: basic,dtrace_kernel,dtrace_proc,dtrace_user
+>         L: basic,dtrace_kernel,dtrace_proc,dtrace_user
+
+# dtrace functionality
+sudo dtrace -l -n 'syscall::b*:entry'
+>    ID   PROVIDER            MODULE                          FUNCTION NAME
+> 11282    syscall                                                 brk entry
+> 11550    syscall                                            brandsys entry
+> 11642    syscall                                                bind entry
--- a/components/sudo/patches/02-pam_setcred.patch	Mon Apr 14 23:01:26 2014 -0700
+++ b/components/sudo/patches/02-pam_setcred.patch	Thu Apr 10 15:30:14 2014 +0200
@@ -1,21 +1,35 @@
 Fix for
 17617070 sudo does not use pam_setcred correctly to set the audit context
 
-This fix will be submitted upstream to the latest sudo release,
-currently 1.8.10p2.
+This fix is submitted as http://www.sudo.ws/bugs/show_bug.cgi?id=642
+
+Sudo 1.8.9p5 has another problem, pam_setcred configuration option is not
+enabled by default despite what is said in sudoers(4). Fix for that is
+accumulated in this patch as it will be submitted together with the
+PAM_REINITIALIZE_CRED fix.
 
-diff -ru sudo-1.8.6p7-orig//plugins/sudoers/auth/pam.c sudo-1.8.6p7/plugins/sudoers/auth/pam.c
---- sudo-1.8.6p7-orig//plugins/sudoers/auth/pam.c	Mon Feb 25 11:42:44 2013
-+++ sudo-1.8.6p7/plugins/sudoers/auth/pam.c	Mon Oct 21 13:32:27 2013
[email protected]@ -229,8 +229,10 @@
-      * for the setcred module.  Because we haven't called pam_authenticate(),
-      * this is not set and so pam_setcred() returns PAM_PERM_DENIED.
-      * We can't call pam_acct_mgmt() with Linux-PAM for a similar reason.
+--- sudo-1.8.9p5/plugins/sudoers/auth/pam.c	2014-02-07 10:25:08.979359126 +0100
++++ sudo-1.8.9p5/plugins/sudoers/auth/pam.c	2014-02-07 10:24:43.823180676 +0100
[email protected]@ -236,9 +236,11 @@
+      * PAM_SUCCESS from another.  For example, given a non-local user,
+      * pam_unix will fail but pam_ldap or pam_sss may succeed, but if
+      * pam_unix is first in the stack, pam_setcred() will fail.
 +     *
-+     * Reinitialize credentials when changing a user. 
++     * Reinitialize credentials when changing a user.
       */
--    (void) pam_setcred(pamh, PAM_ESTABLISH_CRED);
-+    (void) pam_setcred(pamh, PAM_REINITIALIZE_CRED);
+     if (def_pam_setcred)
+-	(void) pam_setcred(pamh, PAM_ESTABLISH_CRED);
++	(void) pam_setcred(pamh, PAM_REINITIALIZE_CRED);
  
- #ifdef HAVE_PAM_GETENVLIST
-     /*
+     if (def_pam_session) {
+ 	*pam_status = pam_open_session(pamh, 0);
+--- sudo-1.8.9p5/plugins/sudoers/defaults.c	2014-03-28 15:33:41.941482037 -0700
++++ sudo-1.8.9p5/plugins/sudoers/defaults.c	2014-03-28 15:22:36.457133334 -0700
[email protected]@ -485,6 +485,7 @@ init_defaults(void)
+ #endif
+     def_editor = estrdup(EDITOR);
+     def_set_utmp = true;
++    def_pam_setcred = true;
+ 
+     /* Finally do the lists (currently just environment tables). */
+     init_envtables();
--- a/components/sudo/patches/03-solaris_audit.patch	Mon Apr 14 23:01:26 2014 -0700
+++ b/components/sudo/patches/03-solaris_audit.patch	Thu Apr 10 15:30:14 2014 +0200
@@ -3,10 +3,9 @@
 Plan is to contribute these changes upstream to
 the latest sudo release, currently 1.8.10p2.
 
-diff -rupN sudo-1.8.6p7-orig/config.h.in sudo-1.8.6p7/config.h.in
---- sudo-1.8.6p7-orig/config.h.in	2013-02-25 11:46:09.000000000 -0800
-+++ sudo-1.8.6p7/config.h.in	2013-12-18 13:23:28.000000000 -0800
[email protected]@ -506,6 +506,9 @@
+--- sudo-1.8.9p5/config.h.in	2014-03-26 22:54:30.317626194 +0100
++++ sudo-1.8.9p5/config.h.in	2014-03-26 22:54:07.840975014 +0100
[email protected]@ -542,6 +542,9 @@
  /* Define to 1 if you have the `snprintf' function. */
  #undef HAVE_SNPRINTF
  
@@ -16,64 +15,9 @@
  /* Define to 1 if you have the <spawn.h> header file. */
  #undef HAVE_SPAWN_H
  
-diff -rupN sudo-1.8.6p7-orig/configure sudo-1.8.6p7/configure
---- sudo-1.8.6p7-orig/configure	2013-02-25 11:48:02.000000000 -0800
-+++ sudo-1.8.6p7/configure	2014-03-18 15:42:42.364654000 -0700
[email protected]@ -761,6 +761,7 @@ PROGS
- CFLAGS
- LIBTOOL
- HAVE_BSM_AUDIT
-+HAVE_SOLARIS_AUDIT
- target_alias
- host_alias
- build_alias
[email protected]@ -810,6 +811,7 @@ with_rpath
- with_blibpath
- with_bsm_audit
- with_linux_audit
-+with_solaris_audit
- with_sssd
- with_sssd_lib
- with_incpath
[email protected]@ -1590,6 +1592,7 @@ Optional Packages:
-   --with-blibpath=PATH    pass -blibpath flag to ld for additional lib paths
-   --with-bsm-audit        enable BSM audit support
-   --with-linux-audit      enable Linux audit support
-+  --with-solaris-audit    enable Solaris audit support
-   --with-sssd             enable SSSD support
-   --with-sssd-lib         path to the SSSD library
-   --with-incpath          additional places to look for include files
[email protected]@ -3097,6 +3100,26 @@ esac
- fi
- 
- 
-+
-+# Check whether --with-solaris-audit was given.
-+if test "${with_solaris_audit+set}" = set; then :
-+  if test "${with_bsm_audit+set}" = set || test "${with_linux_audit+set}" = set; then
-+	as_fn_error $? "BSM/Linux and Solaris auditing options are mutually exclusive." "$LINENO" 5
-+  fi
-+  withval=$with_solaris_audit; case $with_solaris_audit in
-+    yes)	$as_echo "#define HAVE_SOLARIS_AUDIT 1" >>confdefs.h
-+
-+		SUDOERS_LIBS="${SUDOERS_LIBS} -lbsm"
-+		SUDOERS_OBJS="${SUDOERS_OBJS} solaris_audit.lo"
-+		;;
-+    no)		;;
-+    *)		as_fn_error $? "\"--with-solaris-audit does not take an argument.\"" "$LINENO" 5
-+		;;
-+esac
-+fi
-+
-+
-+
- ac_ext=c
- ac_cpp='$CPP $CPPFLAGS'
- ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-diff -rupN sudo-1.8.6p7-orig/configure.in sudo-1.8.6p7/configure.in
---- sudo-1.8.6p7-orig/configure.in	2013-02-25 11:47:48.000000000 -0800
-+++ sudo-1.8.6p7/configure.in	2013-12-18 13:44:14.000000000 -0800
[email protected]@ -13,6 +13,7 @@ dnl
+--- sudo-1.8.9p5/configure.ac	2014-04-02 15:08:32.733744734 -0700
++++ sudo-1.8.9p5/configure.ac	2014-04-02 15:01:57.931070340 -0700
[email protected]@ -15,6 +15,7 @@ dnl
  dnl Variables that get substituted in the Makefile and man pages
  dnl
  AC_SUBST([HAVE_BSM_AUDIT])
@@ -81,7 +25,7 @@
  AC_SUBST([SHELL])
  AC_SUBST([LIBTOOL])
  AC_SUBST([CFLAGS])
[email protected]@ -305,6 +306,20 @@ AC_ARG_WITH(linux-audit, [AS_HELP_STRING
[email protected]@ -322,6 +323,28 @@ AC_ARG_WITH(linux-audit, [AS_HELP_STRING
  esac])
  
  dnl
@@ -99,23 +43,30 @@
 +esac])
 +
 +dnl
++dnl Check for use of Solaris audit with BSM or Linux audit
++dnl
++if test -n "$with_solaris_audit" && (test -n "$with_bsm_audit" || test -n "$with_linux_audit"); then
++	AC_MSG_ERROR([BSM/Linux and Solaris auditing options are mutually exclusive.])
++fi
++
++
++dnl
  dnl Handle SSSD support.
  dnl
  AC_ARG_WITH(sssd, [AS_HELP_STRING([--with-sssd], [enable SSSD support])],
[email protected]@ -3622,6 +3637,7 @@ AH_TEMPLATE(HAVE_SHL_LOAD, [Define to 1
[email protected]@ -3820,6 +3843,7 @@ AH_TEMPLATE(HAVE_SHL_LOAD, [Define to 1
  AH_TEMPLATE(HAVE_SKEY, [Define to 1 if you use S/Key.])
  AH_TEMPLATE(HAVE_SKEYACCESS, [Define to 1 if your S/Key library has skeyaccess().])
- AH_TEMPLATE(HAVE_RFC1938_SKEYCHALLENGE, [Define to 1 if the skeychallenge() function is RFC1938-compliant and takes 4 arguments])
+ AH_TEMPLATE(HAVE_RFC1938_SKEYCHALLENGE, [Define to 1 if the skeychallenge() function is RFC1938-compliant and takes 4 arguments.])
 +AH_TEMPLATE(HAVE_SOLARIS_AUDIT, [Define to 1 to enable Solaris audit support.])
- AH_TEMPLATE(HAVE_ST__TIM, [Define to 1 if your struct stat uses an st__tim union])
- AH_TEMPLATE(HAVE_ST_MTIM, [Define to 1 if your struct stat has an st_mtim member])
- AH_TEMPLATE(HAVE_ST_MTIMESPEC, [Define to 1 if your struct stat has an st_mtimespec member])
-diff -rupN sudo-1.8.6p7-orig/INSTALL sudo-1.8.6p7/INSTALL
---- sudo-1.8.6p7-orig/INSTALL	2013-02-25 11:42:43.000000000 -0800
-+++ sudo-1.8.6p7/INSTALL	2013-12-18 14:06:38.000000000 -0800
[email protected]@ -159,6 +159,9 @@ Special features/options:
- 	DIR should contain include and lib directories with skey.h
- 	and libskey.a respectively.
+ AH_TEMPLATE(HAVE_ST__TIM, [Define to 1 if your struct stat uses an st__tim union.])
+ AH_TEMPLATE(HAVE_ST_MTIM, [Define to 1 if your struct stat has an st_mtim member.])
+ AH_TEMPLATE(HAVE_ST_MTIMESPEC, [Define to 1 if your struct stat has an st_mtimespec member.])
+--- sudo-1.8.9p5/INSTALL	2014-03-26 22:55:50.218196304 +0100
++++ sudo-1.8.9p5/INSTALL	2014-03-26 22:55:37.278167183 +0100
[email protected]@ -386,6 +386,9 @@
+         the user name (separated by a slash) when creating the
+         principal name.
  
 +  --with-solaris-audit
 +	Enable audit support for Solaris systems.
@@ -123,33 +74,30 @@
    --with-opie[=DIR]
  	Enable NRL OPIE OTP (One Time Password) support.  If specified,
  	DIR should contain include and lib directories with opie.h
-diff -rupN sudo-1.8.6p7-orig/MANIFEST sudo-1.8.6p7/MANIFEST
---- sudo-1.8.6p7-orig/MANIFEST	2013-02-25 11:42:43.000000000 -0800
-+++ sudo-1.8.6p7/MANIFEST	2013-12-18 13:46:06.000000000 -0800
[email protected]@ -261,6 +261,8 @@ plugins/sudoers/regress/sudoers/test8.to
- plugins/sudoers/regress/testsudoers/test1.out.ok
- plugins/sudoers/regress/testsudoers/test1.sh
+--- sudo-1.8.9p5/MANIFEST	2014-03-26 22:57:04.778504180 +0100
++++ sudo-1.8.9p5/MANIFEST	2014-03-26 22:56:53.268979852 +0100
[email protected]@ -369,6 +369,8 @@
  plugins/sudoers/set_perms.c
+ plugins/sudoers/sha2.c
+ plugins/sudoers/sha2.h
 +plugins/sudoers/solaris_audit.c
 +plugins/sudoers/solaris_audit.h
  plugins/sudoers/sssd.c
  plugins/sudoers/sudo_nss.c
  plugins/sudoers/sudo_nss.h
-diff -rupN sudo-1.8.6p7-orig/mkdep.pl sudo-1.8.6p7/mkdep.pl
---- sudo-1.8.6p7-orig/mkdep.pl	2013-02-25 11:42:44.000000000 -0800
-+++ sudo-1.8.6p7/mkdep.pl	2013-12-18 14:03:37.000000000 -0800
[email protected]@ -52,7 +52,7 @@ sub mkdep {
+--- sudo-1.8.9p5/mkdep.pl	2014-03-26 22:58:36.454013953 +0100
++++ sudo-1.8.9p5/mkdep.pl	2014-03-26 22:58:24.406067303 +0100
[email protected]@ -67,7 +67,7 @@
      $makefile =~ s:\@DEV\@::g;
-     $makefile =~ s:\@COMMON_OBJS\@:aix.lo:;
-     $makefile =~ s:\@SUDO_OBJS\@:preload.o selinux.o sesh.o sudo_noexec.lo:;
--    $makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo plugin_error.lo sssd.lo:;
-+    $makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo plugin_error.lo solaris_audit.lo sssd.lo:;
+     $makefile =~ s:\@COMMON_OBJS\@:aix.lo event_poll.lo event_select.lo:;
+     $makefile =~ s:\@SUDO_OBJS\@:openbsd.o preload.o selinux.o sesh.o solaris.o sudo_noexec.lo:;
+-    $makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo sssd.lo:;
++    $makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo solaris_audit.lo sssd.lo:;
      # XXX - fill in AUTH_OBJS from contents of the auth dir instead
      $makefile =~ s:\@AUTH_OBJS\@:afs.lo aix_auth.lo bsdauth.lo dce.lo fwtk.lo getspwuid.lo kerb5.lo pam.lo passwd.lo rfc1938.lo secureware.lo securid5.lo sia.lo:;
-     $makefile =~ s:\@LTLIBOBJS\@:closefrom.lo dlopen.lo fnmatch.lo getcwd.lo getgrouplist.lo getline.lo getprogname.lo glob.lo isblank.lo memrchr.lo mksiglist.lo mksigname.lo mktemp.lo nanosleep.lo pw_dup.lo sig2str.lo siglist.lo signame.lo snprintf.lo strlcat.lo strlcpy.lo strsignal.lo utimes.lo globtest.o fnm_test.o:;
-diff -rupN sudo-1.8.6p7-orig/plugins/sudoers/audit.c sudo-1.8.6p7/plugins/sudoers/audit.c
---- sudo-1.8.6p7-orig/plugins/sudoers/audit.c	2013-02-25 11:46:09.000000000 -0800
-+++ sudo-1.8.6p7/plugins/sudoers/audit.c	2013-12-18 13:48:56.000000000 -0800
+     $makefile =~ s:\@LTLIBOBJS\@:closefrom.lo fnmatch.lo getaddrinfo.lo getcwd.lo getgrouplist.lo getline.lo getopt_long.lo glob.lo isblank.lo memrchr.lo memset_s.lo mksiglist.lo mksigname.lo mktemp.lo pw_dup.lo sig2str.lo siglist.lo signame.lo snprintf.lo strlcat.lo strlcpy.lo strsignal.lo strtonum.lo utimes.lo globtest.o fnm_test.o:;
+--- sudo-1.8.9p5/plugins/sudoers/audit.c	2014-03-26 22:59:28.211242562 +0100
++++ sudo-1.8.9p5/plugins/sudoers/audit.c	2014-03-26 22:59:08.314263649 +0100
 @@ -43,6 +43,9 @@
  #ifdef HAVE_LINUX_AUDIT
  # include "linux_audit.h"
@@ -158,9 +106,9 @@
 +# include "solaris_audit.h"
 +#endif
  
- void
- audit_success(char *exec_args[])
[email protected]@ -56,6 +59,9 @@ audit_success(char *exec_args[])
+ #define DEFAULT_TEXT_DOMAIN	"sudoers"
+ #include "gettext.h"
[email protected]@ -59,6 +62,9 @@
  #ifdef HAVE_LINUX_AUDIT
  	linux_audit_command(exec_args, 1);
  #endif
@@ -170,7 +118,7 @@
      }
  
      debug_return;
[email protected]@ -75,6 +81,9 @@ audit_failure(char *exec_args[], char co
[email protected]@ -82,6 +88,9 @@
  #ifdef HAVE_LINUX_AUDIT
  	linux_audit_command(exec_args, 0);
  #endif
@@ -180,29 +128,27 @@
  	va_end(ap);
      }
  
-diff -rupN sudo-1.8.6p7-orig/plugins/sudoers/Makefile.in sudo-1.8.6p7/plugins/sudoers/Makefile.in
---- sudo-1.8.6p7-orig/plugins/sudoers/Makefile.in	2013-02-25 11:46:09.000000000 -0800
-+++ sudo-1.8.6p7/plugins/sudoers/Makefile.in	2013-12-17 15:32:03.000000000 -0800
[email protected]@ -432,7 +432,7 @@ alias.lo: $(srcdir)/alias.c $(top_buildd
+--- sudo-1.8.9p5/plugins/sudoers/Makefile.in	2014-03-26 23:02:57.999081022 +0100
++++ sudo-1.8.9p5/plugins/sudoers/Makefile.in	2014-03-26 23:02:48.982043568 +0100
[email protected]@ -457,7 +457,7 @@
  	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/alias.c
- audit.lo: $(srcdir)/audit.c $(top_builddir)/config.h $(incdir)/missing.h \
-           $(srcdir)/logging.h $(incdir)/sudo_debug.h $(srcdir)/bsm_audit.h \
--          $(srcdir)/linux_audit.h
-+          $(srcdir)/linux_audit.h $(srcdir)/solaris_audit.h
+ audit.lo: $(srcdir)/audit.c $(incdir)/gettext.h $(incdir)/missing.h \
+           $(incdir)/sudo_debug.h $(srcdir)/bsm_audit.h $(srcdir)/linux_audit.h \
+-          $(srcdir)/logging.h $(top_builddir)/config.h \
++          $(srcdir)/solaris_audit.h $(srcdir)/logging.h $(top_builddir)/config.h \
+           $(top_srcdir)/compat/stdbool.h
  	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/audit.c
- boottime.lo: $(srcdir)/boottime.c $(top_builddir)/config.h $(incdir)/missing.h \
-              $(incdir)/sudo_debug.h
[email protected]@ -728,6 +728,10 @@ sia.lo: $(authdir)/sia.c $(top_builddir)
-         $(devdir)/def_data.h $(srcdir)/logging.h $(srcdir)/sudo_nss.h \
-         $(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h $(incdir)/gettext.h
- 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(authdir)/sia.c
+ base64.lo: $(srcdir)/base64.c $(incdir)/missing.h $(incdir)/sudo_debug.h \
[email protected]@ -659,6 +659,9 @@
+                 $(incdir)/gettext.h $(incdir)/missing.h $(incdir)/sudo_debug.h \
+                 $(srcdir)/linux_audit.h $(top_builddir)/config.h
+ 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/linux_audit.c
 +solaris_audit.lo: $(srcdir)/solaris_audit.c $(top_builddir)/config.h \
-+              $(incdir)/error.h $(incdir)/sudo_debug.h \
-+              $(srcdir)/solaris_audit.h
++              $(srcdir)/sudoers.h $(incdir)/sudo_debug.h $(srcdir)/solaris_audit.h
 +	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/solaris_audit.c
- sssd.lo: $(srcdir)/sssd.c $(top_builddir)/config.h \
-          $(top_srcdir)/compat/dlfcn.h $(srcdir)/sudoers.h \
-          $(top_srcdir)/compat/stdbool.h $(top_builddir)/pathnames.h \
+ locale.lo: $(srcdir)/locale.c $(incdir)/alloc.h $(incdir)/fatal.h \
+            $(incdir)/gettext.h $(incdir)/missing.h $(srcdir)/logging.h \
+            $(top_builddir)/config.h $(top_srcdir)/compat/stdbool.h
 diff -rupN sudo-1.8.6p7-orig/plugins/sudoers/solaris_audit.c sudo-1.8.6p7/plugins/sudoers/solaris_audit.c
 --- sudo-1.8.6p7-orig/plugins/sudoers/solaris_audit.c	1969-12-31 16:00:00.000000000 -0800
 +++ sudo-1.8.6p7/plugins/sudoers/solaris_audit.c	2014-03-18 12:09:27.850924000 -0700
@@ -235,13 +181,13 @@
 +	int	argc;
 +
 +	if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA) != 0) {
-+		log_error(USE_ERRNO | NO_STDERR, _("sudo: adt_start_session"));
++		log_warning(USE_ERRNO | NO_STDERR, _("sudo: adt_start_session"));
 +	}
 +	if ((event = adt_alloc_event(ah, ADT_sudo)) == NULL) {
-+		log_error(USE_ERRNO | NO_STDERR, _("sudo: alloc_event"));
++		log_warning(USE_ERRNO | NO_STDERR, _("sudo: alloc_event"));
 +	}
 +	if ((event->adt_sudo.cwdpath = getcwd(cwd, sizeof (cwd))) == NULL) {
-+		log_error(USE_ERRNO | NO_STDERR, _("sudo: can't add cwd path"));
++		log_warning(USE_ERRNO | NO_STDERR, _("sudo: can't add cwd path"));
 +	}
 +	for (argc = 0; exec_args[argc] != NULL; argc++) {
 +		continue;
@@ -251,14 +197,14 @@
 +	if (user_cmnd != NULL) {
 +		if (strlcpy(cmdpath, (const char *)user_cmnd,
 +		    sizeof (cmdpath)) >= sizeof (cmdpath)) {
-+			log_error(NO_STDERR,
++			log_warning(NO_STDERR,
 +			    _("sudo: truncated audit path " "user_cmnd: %s"),
 +			    user_cmnd);
 +		}
 +	} else {
 +		if (strlcpy(cmdpath, (const char *)exec_args[0],
 +		    sizeof (cmdpath)) >= sizeof (cmdpath)) {
-+			log_error(NO_STDERR,
++			log_warning(NO_STDERR,
 +			    _("sudo: truncated audit path " "argv[0]: %s"),
 +			    exec_args[0]);
 +		}
@@ -278,7 +224,7 @@
 +	adt_sudo_common(exec_args);
 +
 +	if (adt_put_event(event, ADT_SUCCESS, ADT_SUCCESS) != 0) {
-+		log_error(USE_ERRNO | NO_STDERR,
++		log_warning(USE_ERRNO | NO_STDERR,
 +		    _("sudo: adt_put_event(success)"));
 +	}
 +	adt_free_event(event);
@@ -291,11 +237,11 @@
 +	adt_sudo_common(exec_args);
 +
 +	if (vasprintf(&event->adt_sudo.errmsg, fmt, ap) == -1) {
-+		log_error(USE_ERRNO | NO_STDERR,
++		log_warning(USE_ERRNO | NO_STDERR,
 +		    _("sudo: audit_failure message too long"));
 +	}
 +	if (adt_put_event(event, ADT_FAILURE, ADT_FAIL_VALUE_PROGRAM) != 0) {
-+		log_error(USE_ERRNO | NO_STDERR,
++		log_warning(USE_ERRNO | NO_STDERR,
 +		    _("sudo: adt_put_event(failure)"));
 +	}
 +	free(event->adt_sudo.errmsg);
@@ -317,3 +263,4 @@
 +void	solaris_audit_failure(char **, char const * const, va_list);
 +
 +#endif /* _SUDO_SOLARIS_AUDIT_H */
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/sudo/patches/04-use_libmd.patch	Thu Apr 10 15:30:14 2014 +0200
@@ -0,0 +1,2430 @@
+Taken from http://www.sudo.ws/repos/sudo/rev/cd02732f0704 and backported to
+sudo 1.9.5p5. The fix will be available in sudo 1.8.10p3.
+
+Patching of configure script was removed as we regenerate it by autotools
+anyway.
+
+diff -urN sudo-1.8.9p5.old/common/Makefile.in sudo-1.8.9p5/common/Makefile.in
+--- sudo-1.8.9p5.old/common/Makefile.in	2014-01-07 19:09:02.000000000 +0100
++++ sudo-1.8.9p5/common/Makefile.in	2014-04-10 15:20:34.447046660 +0200
[email protected]@ -186,8 +186,8 @@
+             $(top_builddir)/config.h $(top_srcdir)/compat/stdbool.h
+ 	$(LIBTOOL) --mode=compile $(CC) -c -o [email protected] $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/atomode.c
+ conf_test.lo: $(srcdir)/regress/sudo_conf/conf_test.c $(incdir)/missing.h \
+-              $(incdir)/queue.h $(incdir)/sudo_conf.h $(top_builddir)/config.h \
+-              $(top_srcdir)/compat/stdbool.h
++              $(incdir)/queue.h $(incdir)/sudo_conf.h $(incdir)/sudo_util.h \
++              $(top_builddir)/config.h $(top_srcdir)/compat/stdbool.h
+ 	$(LIBTOOL) --mode=compile $(CC) -c -o [email protected] $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/regress/sudo_conf/conf_test.c
+ event.lo: $(srcdir)/event.c $(incdir)/alloc.h $(incdir)/fatal.h \
+           $(incdir)/missing.h $(incdir)/queue.h $(incdir)/sudo_debug.h \
[email protected]@ -223,8 +223,8 @@
+             $(top_srcdir)/compat/stdbool.h
+ 	$(LIBTOOL) --mode=compile $(CC) -c -o [email protected] $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/gidlist.c
+ hltq_test.lo: $(srcdir)/regress/tailq/hltq_test.c $(incdir)/fatal.h \
+-              $(incdir)/missing.h $(incdir)/queue.h $(top_builddir)/config.h \
+-              $(top_srcdir)/compat/stdbool.h
++              $(incdir)/missing.h $(incdir)/queue.h $(incdir)/sudo_util.h \
++              $(top_builddir)/config.h $(top_srcdir)/compat/stdbool.h
+ 	$(LIBTOOL) --mode=compile $(CC) -c -o [email protected] $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/regress/tailq/hltq_test.c
+ lbuf.lo: $(srcdir)/lbuf.c $(incdir)/alloc.h $(incdir)/fatal.h $(incdir)/lbuf.h \
+          $(incdir)/missing.h $(incdir)/sudo_debug.h $(top_builddir)/config.h
[email protected]@ -233,7 +233,7 @@
+                 $(incdir)/gettext.h $(incdir)/missing.h $(top_builddir)/config.h
+ 	$(LIBTOOL) --mode=compile $(CC) -c -o [email protected] $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(top_srcdir)/src/locale_stub.c
+ parseln_test.lo: $(srcdir)/regress/sudo_parseln/parseln_test.c \
+-                 $(incdir)/fileops.h $(incdir)/missing.h \
++                 $(incdir)/fileops.h $(incdir)/missing.h $(incdir)/sudo_util.h \
+                  $(top_builddir)/config.h $(top_srcdir)/compat/stdbool.h
+ 	$(LIBTOOL) --mode=compile $(CC) -c -o [email protected] $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/regress/sudo_parseln/parseln_test.c
+ progname.lo: $(srcdir)/progname.c $(incdir)/missing.h $(incdir)/sudo_util.h \
+diff -urN sudo-1.8.9p5.old/compat/Makefile.in sudo-1.8.9p5/compat/Makefile.in
+--- sudo-1.8.9p5.old/compat/Makefile.in	2014-01-07 19:08:52.000000000 +0100
++++ sudo-1.8.9p5/compat/Makefile.in	2014-04-10 15:20:34.447431545 +0200
[email protected]@ -178,7 +178,9 @@
+ getcwd.lo: $(srcdir)/getcwd.c $(incdir)/missing.h $(top_builddir)/config.h
+ 	$(LIBTOOL) --mode=compile $(CC) -c -o [email protected] $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/getcwd.c
+ getgrouplist.lo: $(srcdir)/getgrouplist.c $(incdir)/missing.h \
+-                 $(top_builddir)/config.h $(top_srcdir)/compat/nss_dbdefs.h
++                 $(incdir)/sudo_util.h $(top_builddir)/config.h \
++                 $(top_srcdir)/compat/nss_dbdefs.h \
++                 $(top_srcdir)/compat/stdbool.h
+ 	$(LIBTOOL) --mode=compile $(CC) -c -o [email protected] $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/getgrouplist.c
+ getline.lo: $(srcdir)/getline.c $(incdir)/missing.h $(top_builddir)/config.h
+ 	$(LIBTOOL) --mode=compile $(CC) -c -o [email protected] $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/getline.c
+diff -urN sudo-1.8.9p5.old/compat/sha2.c sudo-1.8.9p5/compat/sha2.c
+--- sudo-1.8.9p5.old/compat/sha2.c	1970-01-01 01:00:00.000000000 +0100
++++ sudo-1.8.9p5/compat/sha2.c	2014-04-10 15:20:34.448122160 +0200
[email protected]@ -0,0 +1,526 @@
++/*
++ * Copyright (c) 2013 Todd C. Miller <[email protected]>
++ *
++ * Permission to use, copy, modify, and distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
++ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
++ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
++ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
++ */
++
++/*
++ * Implementation of SHA-224, SHA-256, SHA-384 and SHA-512
++ * as per FIPS 180-4: Secure Hash Standard (SHS)
++ * http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf
++ *
++ * Derived from the public domain SHA-1 and SHA-2 implementations
++ * by Steve Reid and Wei Dai respectively.
++ */
++
++#include <config.h>
++
++#include <stdio.h>
++#ifdef STDC_HEADERS
++# include <stdlib.h>
++# include <stddef.h>
++#else
++# ifdef HAVE_STDLIB_H
++#  include <stdlib.h>
++# endif
++#endif /* STDC_HEADERS */
++#ifdef HAVE_STRING_H
++# if defined(HAVE_MEMORY_H) && !defined(STDC_HEADERS)
++#  include <memory.h>
++# endif
++# include <string.h>
++#endif /* HAVE_STRING_H */
++#ifdef HAVE_STRINGS_H
++# include <strings.h>
++#endif /* HAVE_STRINGS_H */
++#if defined(HAVE_STDINT_H)
++# include <stdint.h>
++#elif defined(HAVE_INTTYPES_H)
++# include <inttypes.h>
++#endif
++#if defined(HAVE_ENDIAN_H)
++# include <endian.h>
++#elif defined(HAVE_SYS_ENDIAN_H)
++# include <sys/endian.h>
++#elif defined(HAVE_MACHINE_ENDIAN_H)
++# include <machine/endian.h>
++#else
++# include "compat/endian.h"
++#endif
++
++#include "missing.h"
++#include "sha2.h"
++
++/*
++ * SHA-2 operates on 32-bit and 64-bit words in big endian byte order.
++ * The following macros convert between character arrays and big endian words.
++ */
++#define BE8TO32(x, y) do {				\
++	(x) = (((uint32_t)((y)[0] & 255) << 24) |	\
++	       ((uint32_t)((y)[1] & 255) << 16) |	\
++	       ((uint32_t)((y)[2] & 255) << 8)  |	\
++	       ((uint32_t)((y)[3] & 255)));		\
++} while (0)
++
++#define BE8TO64(x, y) do {				\
++	(x) = (((uint64_t)((y)[0] & 255) << 56) |	\
++	       ((uint64_t)((y)[1] & 255) << 48) |	\
++	       ((uint64_t)((y)[2] & 255) << 40) |	\
++	       ((uint64_t)((y)[3] & 255) << 32) |	\
++	       ((uint64_t)((y)[4] & 255) << 24) |	\
++	       ((uint64_t)((y)[5] & 255) << 16) |	\
++	       ((uint64_t)((y)[6] & 255) << 8)  |	\
++	       ((uint64_t)((y)[7] & 255)));		\
++} while (0)
++
++#define BE32TO8(x, y) do {			\
++	(x)[0] = (uint8_t)(((y) >> 24) & 255);	\
++	(x)[1] = (uint8_t)(((y) >> 16) & 255);	\
++	(x)[2] = (uint8_t)(((y) >> 8) & 255);	\
++	(x)[3] = (uint8_t)((y) & 255);		\
++} while (0)
++
++#define BE64TO8(x, y) do {			\
++	(x)[0] = (uint8_t)(((y) >> 56) & 255);	\
++	(x)[1] = (uint8_t)(((y) >> 48) & 255);	\
++	(x)[2] = (uint8_t)(((y) >> 40) & 255);	\
++	(x)[3] = (uint8_t)(((y) >> 32) & 255);	\
++	(x)[4] = (uint8_t)(((y) >> 24) & 255);	\
++	(x)[5] = (uint8_t)(((y) >> 16) & 255);	\
++	(x)[6] = (uint8_t)(((y) >> 8) & 255);	\
++	(x)[7] = (uint8_t)((y) & 255);		\
++} while (0)
++
++#define rotrFixed(x,y) (y ? ((x>>y) | (x<<(sizeof(x)*8-y))) : x)
++
++#define blk0(i) (W[i])
++#define blk2(i) (W[i&15]+=s1(W[(i-2)&15])+W[(i-7)&15]+s0(W[(i-15)&15]))
++
++#define Ch(x,y,z) (z^(x&(y^z)))
++#define Maj(x,y,z) (y^((x^y)&(y^z)))
++
++#define a(i) T[(0-i)&7]
++#define b(i) T[(1-i)&7]
++#define c(i) T[(2-i)&7]
++#define d(i) T[(3-i)&7]
++#define e(i) T[(4-i)&7]
++#define f(i) T[(5-i)&7]
++#define g(i) T[(6-i)&7]
++#define h(i) T[(7-i)&7]
++
++void
++SHA224Init(SHA2_CTX *ctx)
++{
++	memset(ctx, 0, sizeof(*ctx));
++	ctx->state.st32[0] = 0xc1059ed8UL;
++	ctx->state.st32[1] = 0x367cd507UL;
++	ctx->state.st32[2] = 0x3070dd17UL;
++	ctx->state.st32[3] = 0xf70e5939UL;
++	ctx->state.st32[4] = 0xffc00b31UL;
++	ctx->state.st32[5] = 0x68581511UL;
++	ctx->state.st32[6] = 0x64f98fa7UL;
++	ctx->state.st32[7] = 0xbefa4fa4UL;
++}
++
++void
++SHA224Transform(uint32_t state[8], const uint8_t buffer[SHA224_BLOCK_LENGTH])
++{
++	SHA256Transform(state, buffer);
++}
++
++void
++SHA224Update(SHA2_CTX *ctx, const uint8_t *data, size_t len)
++{
++	SHA256Update(ctx, data, len);
++}
++
++void
++SHA224Pad(SHA2_CTX *ctx)
++{
++	SHA256Pad(ctx);
++}
++
++void
++SHA224Final(uint8_t digest[SHA224_DIGEST_LENGTH], SHA2_CTX *ctx)
++{
++	SHA256Pad(ctx);
++	if (digest != NULL) {
++#if BYTE_ORDER == BIG_ENDIAN
++		memcpy(digest, ctx->state.st32, SHA224_DIGEST_LENGTH);
++#else
++		unsigned int i;
++
++		for (i = 0; i < 7; i++)
++			BE32TO8(digest + (i * 4), ctx->state.st32[i]);
++#endif
++		memset(ctx, 0, sizeof(*ctx));
++	}
++}
++
++static const uint32_t SHA256_K[64] = {
++	0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
++	0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
++	0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
++	0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
++	0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
++	0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
++	0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
++	0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
++	0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
++	0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
++	0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
++	0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
++	0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
++	0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
++	0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
++	0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
++};
++
++void
++SHA256Init(SHA2_CTX *ctx)
++{
++	memset(ctx, 0, sizeof(*ctx));
++	ctx->state.st32[0] = 0x6a09e667UL;
++	ctx->state.st32[1] = 0xbb67ae85UL;
++	ctx->state.st32[2] = 0x3c6ef372UL;
++	ctx->state.st32[3] = 0xa54ff53aUL;
++	ctx->state.st32[4] = 0x510e527fUL;
++	ctx->state.st32[5] = 0x9b05688cUL;
++	ctx->state.st32[6] = 0x1f83d9abUL;
++	ctx->state.st32[7] = 0x5be0cd19UL;
++}
++
++/* Round macros for SHA256 */
++#define R(i) do {							     \
++	h(i)+=S1(e(i))+Ch(e(i),f(i),g(i))+SHA256_K[i+j]+(j?blk2(i):blk0(i)); \
++	d(i)+=h(i);							     \
++	h(i)+=S0(a(i))+Maj(a(i),b(i),c(i));				     \
++} while (0)
++
++#define S0(x) (rotrFixed(x,2)^rotrFixed(x,13)^rotrFixed(x,22))
++#define S1(x) (rotrFixed(x,6)^rotrFixed(x,11)^rotrFixed(x,25))
++#define s0(x) (rotrFixed(x,7)^rotrFixed(x,18)^(x>>3))
++#define s1(x) (rotrFixed(x,17)^rotrFixed(x,19)^(x>>10))
++
++void
++SHA256Transform(uint32_t state[8], const uint8_t data[SHA256_BLOCK_LENGTH])
++{
++	uint32_t W[16];
++	uint32_t T[8];
++	unsigned int j;
++
++	/* Copy context state to working vars. */
++	memcpy(T, state, sizeof(T));
++	/* Copy data to W in big endian format. */
++#if BYTE_ORDER == BIG_ENDIAN
++	memcpy(W, data, sizeof(W));
++#else
++	for (j = 0; j < 16; j++) {
++	    BE8TO32(W[j], data);
++	    data += 4;
++	}
++#endif
++	/* 64 operations, partially loop unrolled. */
++	for (j = 0; j < 64; j += 16)
++	{
++		R( 0); R( 1); R( 2); R( 3);
++		R( 4); R( 5); R( 6); R( 7);
++		R( 8); R( 9); R(10); R(11);
++		R(12); R(13); R(14); R(15);
++	}
++	/* Add the working vars back into context state. */
++	state[0] += a(0);
++	state[1] += b(0);
++	state[2] += c(0);
++	state[3] += d(0);
++	state[4] += e(0);
++	state[5] += f(0);
++	state[6] += g(0);
++	state[7] += h(0);
++	/* Cleanup */
++	memset_s(T, sizeof(T), 0, sizeof(T));
++	memset_s(W, sizeof(W), 0, sizeof(W));
++}
++
++#undef S0
++#undef S1
++#undef s0
++#undef s1
++#undef R
++
++void
++SHA256Update(SHA2_CTX *ctx, const uint8_t *data, size_t len)
++{
++	size_t i = 0, j;
++
++	j = (size_t)((ctx->count[0] >> 3) & (SHA256_BLOCK_LENGTH - 1));
++	ctx->count[0] += (len << 3);
++	if ((j + len) > SHA256_BLOCK_LENGTH - 1) {
++		memcpy(&ctx->buffer[j], data, (i = SHA256_BLOCK_LENGTH - j));
++		SHA256Transform(ctx->state.st32, ctx->buffer);
++		for ( ; i + SHA256_BLOCK_LENGTH - 1 < len; i += SHA256_BLOCK_LENGTH)
++			SHA256Transform(ctx->state.st32, (uint8_t *)&data[i]);
++		j = 0;
++	}
++	memcpy(&ctx->buffer[j], &data[i], len - i);
++}
++
++void
++SHA256Pad(SHA2_CTX *ctx)
++{
++	uint8_t finalcount[8];
++
++	/* Store unpadded message length in bits in big endian format. */
++	BE64TO8(finalcount, ctx->count[0]);
++
++	/* Append a '1' bit (0x80) to the message. */
++	SHA256Update(ctx, (uint8_t *)"\200", 1);
++
++	/* Pad message such that the resulting length modulo 512 is 448. */
++	while ((ctx->count[0] & 504) != 448)
++		SHA256Update(ctx, (uint8_t *)"\0", 1);
++
++	/* Append length of message in bits and do final SHA256Transform(). */
++	SHA256Update(ctx, finalcount, sizeof(finalcount));
++}
++
++void
++SHA256Final(uint8_t digest[SHA256_DIGEST_LENGTH], SHA2_CTX *ctx)
++{
++	SHA256Pad(ctx);
++	if (digest != NULL) {
++#if BYTE_ORDER == BIG_ENDIAN
++		memcpy(digest, ctx->state.st32, SHA256_DIGEST_LENGTH);
++#else
++		unsigned int i;
++
++		for (i = 0; i < 8; i++)
++			BE32TO8(digest + (i * 4), ctx->state.st32[i]);
++#endif
++		memset(ctx, 0, sizeof(*ctx));
++	}
++}
++
++void
++SHA384Init(SHA2_CTX *ctx)
++{
++	memset(ctx, 0, sizeof(*ctx));
++	ctx->state.st64[0] = 0xcbbb9d5dc1059ed8ULL;
++	ctx->state.st64[1] = 0x629a292a367cd507ULL;
++	ctx->state.st64[2] = 0x9159015a3070dd17ULL;
++	ctx->state.st64[3] = 0x152fecd8f70e5939ULL;
++	ctx->state.st64[4] = 0x67332667ffc00b31ULL;
++	ctx->state.st64[5] = 0x8eb44a8768581511ULL;
++	ctx->state.st64[6] = 0xdb0c2e0d64f98fa7ULL;
++	ctx->state.st64[7] = 0x47b5481dbefa4fa4ULL;
++}
++
++void
++SHA384Transform(uint64_t state[8], const uint8_t data[SHA384_BLOCK_LENGTH])
++{
++	SHA512Transform(state, data);
++}
++
++void
++SHA384Update(SHA2_CTX *ctx, const uint8_t *data, size_t len)
++{
++	SHA512Update(ctx, data, len);
++}
++
++void
++SHA384Pad(SHA2_CTX *ctx)
++{
++	SHA512Pad(ctx);
++}
++
++void
++SHA384Final(uint8_t digest[SHA384_DIGEST_LENGTH], SHA2_CTX *ctx)
++{
++	SHA384Pad(ctx);
++	if (digest != NULL) {
++#if BYTE_ORDER == BIG_ENDIAN
++		memcpy(digest, ctx->state.st64, SHA384_DIGEST_LENGTH);
++#else
++		unsigned int i;
++
++		for (i = 0; i < 6; i++)
++			BE64TO8(digest + (i * 8), ctx->state.st64[i]);
++#endif
++		memset(ctx, 0, sizeof(*ctx));
++	}
++}
++
++static const uint64_t SHA512_K[80] = {
++	0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
++	0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
++	0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
++	0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
++	0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
++	0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
++	0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
++	0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
++	0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
++	0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
++	0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
++	0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
++	0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
++	0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
++	0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
++	0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
++	0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
++	0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
++	0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
++	0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
++	0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
++	0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
++	0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
++	0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
++	0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
++	0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
++	0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
++	0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
++	0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
++	0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
++	0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
++	0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
++	0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
++	0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
++	0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
++	0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
++	0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
++	0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
++	0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
++	0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
++};
++
++void
++SHA512Init(SHA2_CTX *ctx)
++{
++	memset(ctx, 0, sizeof(*ctx));
++	ctx->state.st64[0] = 0x6a09e667f3bcc908ULL;
++	ctx->state.st64[1] = 0xbb67ae8584caa73bULL;
++	ctx->state.st64[2] = 0x3c6ef372fe94f82bULL;
++	ctx->state.st64[3] = 0xa54ff53a5f1d36f1ULL;
++	ctx->state.st64[4] = 0x510e527fade682d1ULL;
++	ctx->state.st64[5] = 0x9b05688c2b3e6c1fULL;
++	ctx->state.st64[6] = 0x1f83d9abfb41bd6bULL;
++	ctx->state.st64[7] = 0x5be0cd19137e2179ULL;
++}
++
++/* Round macros for SHA512 */
++#define R(i) do {							     \
++	h(i)+=S1(e(i))+Ch(e(i),f(i),g(i))+SHA512_K[i+j]+(j?blk2(i):blk0(i)); \
++	d(i)+=h(i);							     \
++	h(i)+=S0(a(i))+Maj(a(i),b(i),c(i));				     \
++} while (0)
++
++#define S0(x) (rotrFixed(x,28)^rotrFixed(x,34)^rotrFixed(x,39))
++#define S1(x) (rotrFixed(x,14)^rotrFixed(x,18)^rotrFixed(x,41))
++#define s0(x) (rotrFixed(x,1)^rotrFixed(x,8)^(x>>7))
++#define s1(x) (rotrFixed(x,19)^rotrFixed(x,61)^(x>>6))
++
++void
++SHA512Transform(uint64_t state[8], const uint8_t data[SHA512_BLOCK_LENGTH])
++{
++	uint64_t W[16];
++	uint64_t T[8];
++	unsigned int j;
++
++	/* Copy context state to working vars. */
++	memcpy(T, state, sizeof(T));
++	/* Copy data to W in big endian format. */
++#if BYTE_ORDER == BIG_ENDIAN
++	memcpy(W, data, sizeof(W));
++#else
++	for (j = 0; j < 16; j++) {
++	    BE8TO64(W[j], data);
++	    data += 8;
++	}
++#endif
++	/* 80 operations, partially loop unrolled. */
++	for (j = 0; j < 80; j += 16)
++	{
++		R( 0); R( 1); R( 2); R( 3);
++		R( 4); R( 5); R( 6); R( 7);
++		R( 8); R( 9); R(10); R(11);
++		R(12); R(13); R(14); R(15);
++	}
++	/* Add the working vars back into context state. */
++	state[0] += a(0);
++	state[1] += b(0);
++	state[2] += c(0);
++	state[3] += d(0);
++	state[4] += e(0);
++	state[5] += f(0);
++	state[6] += g(0);
++	state[7] += h(0);
++	/* Cleanup. */
++	memset_s(T, sizeof(T), 0, sizeof(T));
++	memset_s(W, sizeof(W), 0, sizeof(W));
++}
++
++void
++SHA512Update(SHA2_CTX *ctx, const uint8_t *data, size_t len)
++{
++	size_t i = 0, j;
++
++	j = (size_t)((ctx->count[0] >> 3) & (SHA512_BLOCK_LENGTH - 1));
++	ctx->count[0] += (len << 3);
++	if (ctx->count[0] < (len << 3))
++		ctx->count[1]++;
++	if ((j + len) > SHA512_BLOCK_LENGTH - 1) {
++		memcpy(&ctx->buffer[j], data, (i = SHA512_BLOCK_LENGTH - j));
++		SHA512Transform(ctx->state.st64, ctx->buffer);
++		for ( ; i + SHA512_BLOCK_LENGTH - 1 < len; i += SHA512_BLOCK_LENGTH)
++			SHA512Transform(ctx->state.st64, (uint8_t *)&data[i]);
++		j = 0;
++	}
++	memcpy(&ctx->buffer[j], &data[i], len - i);
++}
++
++void
++SHA512Pad(SHA2_CTX *ctx)
++{
++	uint8_t finalcount[16];
++
++	/* Store unpadded message length in bits in big endian format. */
++	BE64TO8(finalcount, ctx->count[1]);
++	BE64TO8(finalcount + 8, ctx->count[0]);
++
++	/* Append a '1' bit (0x80) to the message. */
++	SHA512Update(ctx, (uint8_t *)"\200", 1);
++
++	/* Pad message such that the resulting length modulo 1024 is 896. */
++	while ((ctx->count[0] & 1008) != 896)
++		SHA512Update(ctx, (uint8_t *)"\0", 1);
++
++	/* Append length of message in bits and do final SHA512Transform(). */
++	SHA512Update(ctx, finalcount, sizeof(finalcount));
++}
++
++void
++SHA512Final(uint8_t digest[SHA512_DIGEST_LENGTH], SHA2_CTX *ctx)
++{
++	SHA512Pad(ctx);
++	if (digest != NULL) {
++#if BYTE_ORDER == BIG_ENDIAN
++		memcpy(digest, ctx->state.st64, SHA512_DIGEST_LENGTH);
++#else
++		unsigned int i;
++
++		for (i = 0; i < 8; i++)
++			BE64TO8(digest + (i * 8), ctx->state.st64[i]);
++#endif
++		memset(ctx, 0, sizeof(*ctx));
++	}
++}
+diff -urN sudo-1.8.9p5.old/compat/sha2.h sudo-1.8.9p5/compat/sha2.h
+--- sudo-1.8.9p5.old/compat/sha2.h	1970-01-01 01:00:00.000000000 +0100
++++ sudo-1.8.9p5/compat/sha2.h	2014-04-10 15:20:34.448517327 +0200
[email protected]@ -0,0 +1,74 @@
++/*
++ * Copyright (c) 2013 Todd C. Miller <[email protected]>
++ *
++ * Permission to use, copy, modify, and distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
++ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
++ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
++ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
++ */
++
++/*
++ * Derived from the public domain SHA-1 and SHA-2 implementations
++ * by Steve Reid and Wei Dai respectively.
++ */
++
++#ifndef _SUDOERS_SHA2_H
++#define _SUDOERS_SHA2_H
++
++#define	SHA224_BLOCK_LENGTH		64
++#define	SHA224_DIGEST_LENGTH		28
++#define	SHA224_DIGEST_STRING_LENGTH	(SHA224_DIGEST_LENGTH * 2 + 1)
++
++#define	SHA256_BLOCK_LENGTH		64
++#define	SHA256_DIGEST_LENGTH		32
++#define	SHA256_DIGEST_STRING_LENGTH	(SHA256_DIGEST_LENGTH * 2 + 1)
++
++#define	SHA384_BLOCK_LENGTH		128
++#define	SHA384_DIGEST_LENGTH		48
++#define	SHA384_DIGEST_STRING_LENGTH	(SHA384_DIGEST_LENGTH * 2 + 1)
++
++#define	SHA512_BLOCK_LENGTH		128
++#define	SHA512_DIGEST_LENGTH		64
++#define	SHA512_DIGEST_STRING_LENGTH	(SHA512_DIGEST_LENGTH * 2 + 1)
++
++typedef struct {
++    union {
++	uint32_t st32[8];	/* sha224 and sha256 */
++	uint64_t st64[8];	/* sha384 and sha512 */
++    } state;
++    uint64_t count[2];
++    uint8_t buffer[SHA512_BLOCK_LENGTH];
++} SHA2_CTX;
++
++void SHA224Init(SHA2_CTX *ctx);
++void SHA224Pad(SHA2_CTX *ctx);
++void SHA224Transform(uint32_t state[8], const uint8_t buffer[SHA224_BLOCK_LENGTH]);
++void SHA224Update(SHA2_CTX *ctx, const uint8_t *data, size_t len);
++void SHA224Final(uint8_t digest[SHA224_DIGEST_LENGTH], SHA2_CTX *ctx);
++
++void SHA256Init(SHA2_CTX *ctx);
++void SHA256Pad(SHA2_CTX *ctx);
++void SHA256Transform(uint32_t state[8], const uint8_t buffer[SHA256_BLOCK_LENGTH]);
++void SHA256Update(SHA2_CTX *ctx, const uint8_t *data, size_t len);
++void SHA256Final(uint8_t digest[SHA256_DIGEST_LENGTH], SHA2_CTX *ctx);
++
++void SHA384Init(SHA2_CTX *ctx);
++void SHA384Pad(SHA2_CTX *ctx);
++void SHA384Transform(uint64_t state[8], const uint8_t buffer[SHA384_BLOCK_LENGTH]);
++void SHA384Update(SHA2_CTX *ctx, const uint8_t *data, size_t len);
++void SHA384Final(uint8_t digest[SHA384_DIGEST_LENGTH], SHA2_CTX *ctx);
++
++void SHA512Init(SHA2_CTX *ctx);
++void SHA512Pad(SHA2_CTX *ctx);
++void SHA512Transform(uint64_t state[8], const uint8_t buffer[SHA512_BLOCK_LENGTH]);
++void SHA512Update(SHA2_CTX *ctx, const uint8_t *data, size_t len);
++void SHA512Final(uint8_t digest[SHA512_DIGEST_LENGTH], SHA2_CTX *ctx);
++
++#endif /* _SUDOERS_SHA2_H */
+diff -urN sudo-1.8.9p5.old/config.h.in sudo-1.8.9p5/config.h.in
+--- sudo-1.8.9p5.old/config.h.in	2014-04-10 15:19:56.000000000 +0200
++++ sudo-1.8.9p5/config.h.in	2014-04-10 15:20:34.449144378 +0200
[email protected]@ -521,6 +521,9 @@
+ /* Define to 1 if you have the `set_auth_parameters' function. */
+ #undef HAVE_SET_AUTH_PARAMETERS
+ 
++/* Define to 1 if you have the `SHA224Update' function. */
++#undef HAVE_SHA224UPDATE
++
+ /* Define to 1 if you have the `shl_load' function. */
+ #undef HAVE_SHL_LOAD
+ 
[email protected]@ -983,6 +989,10 @@
+ /* Define to 1 to send mail when the user is not in the sudoers file. */
+ #undef SEND_MAIL_WHEN_NO_USER
+ 
++/* Define to 1 if the sha2 functions use `const void *' instead of `const
++   unsigned char'. */
++#undef SHA2_VOID_PTR
++
+ /* Define to 1 if you want sudo to start a shell if given no arguments. */
+ #undef SHELL_IF_NO_ARGS
+ 
+diff -urN sudo-1.8.9p5.old/configure.ac sudo-1.8.9p5/configure.ac
+--- sudo-1.8.9p5.old/configure.ac	2014-04-10 15:19:47.156138496 +0200
++++ sudo-1.8.9p5/configure.ac	2014-04-10 15:20:34.458422206 +0200
[email protected]@ -77,6 +77,7 @@
+ AC_SUBST([LIBDL])
+ AC_SUBST([LT_STATIC])
+ AC_SUBST([LIBINTL])
++AC_SUBST([LIBMD])
+ AC_SUBST([SUDO_NLS])
+ AC_SUBST([LOCALEDIR_SUFFIX])
+ AC_SUBST([COMPAT_TEST_PROGS])
[email protected]@ -194,6 +195,7 @@
+ PSMAN=0
+ SEMAN=0
+ LIBINTL=
++LIBMD=
+ ZLIB=
+ ZLIB_SRC=
+ AUTH_OBJS=
[email protected]@ -2445,6 +2447,16 @@
+ 	[AC_CHECK_MEMBER([struct stat.st_mtim.st__tim], AC_DEFINE(HAVE_ST__TIM))],
+ 	[AC_CHECK_MEMBER([struct stat.st_mtimespec], AC_DEFINE([HAVE_ST_MTIMESPEC]))])
+ fi
++AC_CHECK_HEADER([sha2.h], [
++    AC_CHECK_FUNCS(SHA224Update, [SUDO_FUNC_SHA2_VOID_PTR], [
++	# On some systems, SHA224Update is in libmd
++	AC_CHECK_LIB(md, SHA224Update, [
++	    AC_DEFINE(HAVE_SHA224UPDATE)
++	    SUDO_FUNC_SHA2_VOID_PTR
++	    LIBMD="-lmd"
++	], [AC_LIBOBJ(sha2)])
++    ])
++], [AC_LIBOBJ(sha2)])
+ dnl
+ dnl Function checks for sudo_noexec
+ dnl
+diff -urN sudo-1.8.9p5.old/MANIFEST sudo-1.8.9p5/MANIFEST
+--- sudo-1.8.9p5.old/MANIFEST	2014-04-10 15:19:47.157886371 +0200
++++ sudo-1.8.9p5/MANIFEST	2014-04-10 15:20:58.300108720 +0200
[email protected]@ -88,6 +88,8 @@
+ compat/regress/glob/files
+ compat/regress/glob/globtest.c
+ compat/regress/glob/globtest.in
++compat/sha2.c
++compat/sha2.h
+ compat/sig2str.c
+ compat/siglist.in
+ compat/snprintf.c
[email protected]@ -367,8 +369,6 @@
+ plugins/sudoers/regress/visudo/test5.out.ok
+ plugins/sudoers/regress/visudo/test5.sh
+ plugins/sudoers/set_perms.c
+-plugins/sudoers/sha2.c
+-plugins/sudoers/sha2.h
+ plugins/sudoers/solaris_audit.c
+ plugins/sudoers/solaris_audit.h
+ plugins/sudoers/sssd.c
+diff -urN sudo-1.8.9p5.old/m4/sudo.m4 sudo-1.8.9p5/m4/sudo.m4
+--- sudo-1.8.9p5.old/m4/sudo.m4	2014-01-07 19:08:52.000000000 +0100
++++ sudo-1.8.9p5/m4/sudo.m4	2014-04-10 15:20:34.458820769 +0200
[email protected]@ -264,6 +264,24 @@
+ ])
+ 
+ dnl
++dnl Check if the data argument for the sha2 functions is void * or u_char *
++dnl
++AC_DEFUN([SUDO_FUNC_SHA2_VOID_PTR],
++[AC_CACHE_CHECK([whether the data argument of SHA224Update() is void *],
++sudo_cv_func_sha2_void_ptr,
++[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT
++#include <sha2.h>
++void SHA224Update(SHA2_CTX *context, const void *data, size_t len) {return;}], [])],
++    [sudo_cv_func_sha2_void_ptr=yes],
++    [sudo_cv_func_sha2_void_ptr=no])
++  ])
++  if test $sudo_cv_func_sha2_void_ptr = yes; then
++    AC_DEFINE(SHA2_VOID_PTR, 1,
++      [Define to 1 if the sha2 functions use `const void *' instead of `const unsigned char'.])
++  fi
++])
++
++dnl
+ dnl check for sa_len field in struct sockaddr
+ dnl
+ AC_DEFUN([SUDO_SOCK_SA_LEN], [
+diff -urN sudo-1.8.9p5.old/plugins/sudoers/gram.c sudo-1.8.9p5/plugins/sudoers/gram.c
+--- sudo-1.8.9p5.old/plugins/sudoers/gram.c	2014-01-07 19:08:53.000000000 +0100
++++ sudo-1.8.9p5/plugins/sudoers/gram.c	2014-04-10 15:20:34.460695182 +0200
[email protected]@ -179,10 +179,10 @@
+ #define PRIVS 289
+ #define LIMITPRIVS 290
+ #define MYSELF 291
+-#define SHA224 292
+-#define SHA256 293
+-#define SHA384 294
+-#define SHA512 295
++#define SHA224_TOK 292
++#define SHA256_TOK 293
++#define SHA384_TOK 294
++#define SHA512_TOK 295
+ #define YYERRCODE 256
+ #if defined(__cplusplus) || defined(__STDC__)
+ const short sudoerslhs[] =
[email protected]@ -550,7 +550,7 @@
+ "NOPASSWD","PASSWD","NOEXEC","EXEC","SETENV","NOSETENV","LOG_INPUT",
+ "NOLOG_INPUT","LOG_OUTPUT","NOLOG_OUTPUT","ALL","COMMENT","HOSTALIAS",
+ "CMNDALIAS","USERALIAS","RUNASALIAS","ERROR","TYPE","ROLE","PRIVS","LIMITPRIVS",
+-"MYSELF","SHA224","SHA256","SHA384","SHA512",
++"MYSELF","SHA224_TOK","SHA256_TOK","SHA384_TOK","SHA512_TOK",
+ };
+ #if defined(__cplusplus) || defined(__STDC__)
+ const char * const sudoersrule[] =
[email protected]@ -594,10 +594,10 @@
+ "cmndspeclist : cmndspec",
+ "cmndspeclist : cmndspeclist ',' cmndspec",
+ "cmndspec : runasspec selinux solarisprivs cmndtag digcmnd",
+-"digest : SHA224 ':' DIGEST",
+-"digest : SHA256 ':' DIGEST",
+-"digest : SHA384 ':' DIGEST",
+-"digest : SHA512 ':' DIGEST",
++"digest : SHA224_TOK ':' DIGEST",
++"digest : SHA256_TOK ':' DIGEST",
++"digest : SHA384_TOK ':' DIGEST",
++"digest : SHA512_TOK ':' DIGEST",
+ "digcmnd : opcmnd",
+ "digcmnd : digest opcmnd",
+ "opcmnd : cmnd",
[email protected]@ -1089,12 +1089,12 @@
+         goto yyreduce;
+     }
+     if (yyerrflag) goto yyinrecovery;
+-#if defined(lint) || defined(__GNUC__)
++#if defined(__GNUC__)
+     goto yynewerror;
+ #endif
+ yynewerror:
+     yyerror("syntax error");
+-#if defined(lint) || defined(__GNUC__)
++#if defined(__GNUC__)
+     goto yyerrlab;
+ #endif
+ yyerrlab:
+diff -urN sudo-1.8.9p5.old/plugins/sudoers/gram.h sudo-1.8.9p5/plugins/sudoers/gram.h
+--- sudo-1.8.9p5.old/plugins/sudoers/gram.h	2014-01-07 19:08:53.000000000 +0100
++++ sudo-1.8.9p5/plugins/sudoers/gram.h	2014-04-10 15:20:34.461102773 +0200
[email protected]@ -33,10 +33,10 @@
+ #define PRIVS 289
+ #define LIMITPRIVS 290
+ #define MYSELF 291
+-#define SHA224 292
+-#define SHA256 293
+-#define SHA384 294
+-#define SHA512 295
++#define SHA224_TOK 292
++#define SHA256_TOK 293
++#define SHA384_TOK 294
++#define SHA512_TOK 295
+ #ifndef YYSTYPE_DEFINED
+ #define YYSTYPE_DEFINED
+ typedef union {
+diff -urN sudo-1.8.9p5.old/plugins/sudoers/gram.y sudo-1.8.9p5/plugins/sudoers/gram.y
+--- sudo-1.8.9p5.old/plugins/sudoers/gram.y	2014-01-07 19:08:53.000000000 +0100
++++ sudo-1.8.9p5/plugins/sudoers/gram.y	2014-04-10 15:20:34.461582432 +0200
[email protected]@ -142,10 +142,10 @@
+ %token <tok>	 PRIVS			/* Solaris privileges */
+ %token <tok>	 LIMITPRIVS		/* Solaris limit privileges */
+ %token <tok>	 MYSELF			/* run as myself, not another user */
+-%token <tok>	 SHA224			/* sha224 digest */
+-%token <tok>	 SHA256			/* sha256 digest */
+-%token <tok>	 SHA384			/* sha384 digest */
+-%token <tok>	 SHA512			/* sha512 digest */
++%token <tok>	 SHA224_TOK		/* sha224 token */
++%token <tok>	 SHA256_TOK		/* sha256 token */
++%token <tok>	 SHA384_TOK		/* sha384 token */
++%token <tok>	 SHA512_TOK		/* sha512 token */
+ 
+ %type <cmndspec>  cmndspec
+ %type <cmndspec>  cmndspeclist
[email protected]@ -370,16 +370,16 @@
+ 			}
+ 		;
+ 
+-digest		:	SHA224 ':' DIGEST {
++digest		:	SHA224_TOK ':' DIGEST {
+ 			    $$ = new_digest(SUDO_DIGEST_SHA224, $3);
+ 			}
+-		|	SHA256 ':' DIGEST {
++		|	SHA256_TOK ':' DIGEST {
+ 			    $$ = new_digest(SUDO_DIGEST_SHA256, $3);
+ 			}
+-		|	SHA384 ':' DIGEST {
++		|	SHA384_TOK ':' DIGEST {
+ 			    $$ = new_digest(SUDO_DIGEST_SHA384, $3);
+ 			}
+-		|	SHA512 ':' DIGEST {
++		|	SHA512_TOK ':' DIGEST {
+ 			    $$ = new_digest(SUDO_DIGEST_SHA512, $3);
+ 			}
+ 		;
+diff -urN sudo-1.8.9p5.old/plugins/sudoers/Makefile.in sudo-1.8.9p5/plugins/sudoers/Makefile.in
+--- sudo-1.8.9p5.old/plugins/sudoers/Makefile.in	2014-04-10 15:19:47.160183439 +0200
++++ sudo-1.8.9p5/plugins/sudoers/Makefile.in	2014-04-10 15:20:34.459914018 +0200
[email protected]@ -49,8 +49,10 @@
+ LT_LIBS = $(top_builddir)/common/libsudo_util.la $(LIBOBJDIR)libreplace.la
+ LIBS = $(LT_LIBS) @[email protected]
+ NET_LIBS = @[email protected]
+-SUDOERS_LIBS = @[email protected] @[email protected] @[email protected] $(LIBS) $(NET_LIBS) @[email protected] @[email protected]
++SUDOERS_LIBS = @[email protected] @[email protected] @[email protected] $(LIBS) $(NET_LIBS) @[email protected] @[email protected] @[email protected]
+ REPLAY_LIBS = @[email protected] @[email protected]
++VISUDO_LIBS = $(NET_LIBS) @[email protected]
++TESTSUDOERS_LIBS = $(NET_LIBS) @[email protected] @[email protected]
+ 
+ # C preprocessor flags
+ CPPFLAGS = -I$(incdir) -I$(top_builddir) -I$(devdir) -I$(srcdir) -I$(top_srcdir) -DLIBDIR=\"$(libdir)\" @[email protected]
[email protected]@ -130,7 +132,7 @@
+ 
+ LIBPARSESUDOERS_OBJS = alias.lo audit.lo base64.lo defaults.lo hexchar.lo \
+ 		       gram.lo match.lo match_addr.lo pwutil.lo pwutil_impl.lo \
+-		       timestr.lo toke.lo toke_util.lo redblack.lo sha2.lo
++		       timestr.lo toke.lo toke_util.lo redblack.lo
+ 
+ SUDOERS_OBJS = $(AUTH_OBJS) boottime.lo check.lo env.lo find_path.lo \
+ 	       goodpath.lo group_plugin.lo interfaces.lo iolog.lo \
[email protected]@ -149,7 +151,7 @@
+ 
+ CHECK_BASE64_OBJS = check_base64.o base64.o locale.o
+ 
+-CHECK_DIGEST_OBJS = check_digest.o sha2.o
++CHECK_DIGEST_OBJS = check_digest.o
+ 
+ CHECK_FILL_OBJS = check_fill.o hexchar.o locale.o toke_util.o
+ 
[email protected]@ -196,13 +198,13 @@
+ 	$(LIBTOOL) @[email protected] --mode=link $(CC) $(LDFLAGS) $(LT_LDFLAGS) -o [email protected] $(SUDOERS_OBJS) libparsesudoers.la $(SUDOERS_LIBS) -module -avoid-version -rpath $(plugindir)
+ 
+ visudo: libparsesudoers.la $(VISUDO_OBJS) $(LT_LIBS)
+-	$(LIBTOOL) --mode=link $(CC) -o [email protected] $(VISUDO_OBJS) $(LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) libparsesudoers.la $(LIBS) $(NET_LIBS)
++	$(LIBTOOL) --mode=link $(CC) -o [email protected] $(VISUDO_OBJS) $(LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) libparsesudoers.la $(VISUDO_LIBS) $(LIBS)
+ 
+ sudoreplay: timestr.lo $(REPLAY_OBJS) $(LT_LIBS)
+ 	$(LIBTOOL) --mode=link $(CC) -o [email protected] $(REPLAY_OBJS) $(LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) timestr.lo $(REPLAY_LIBS) $(LIBS)
+ 
+ testsudoers: libparsesudoers.la $(TEST_OBJS) $(LT_LIBS)
+-	$(LIBTOOL) --mode=link $(CC) -o [email protected] $(TEST_OBJS) $(LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) libparsesudoers.la $(LIBS) $(NET_LIBS) @[email protected]
++	$(LIBTOOL) --mode=link $(CC) -o [email protected] $(TEST_OBJS) $(LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) libparsesudoers.la $(TESTSUDOERS_LIBS) $(LIBS)
+ 
+ check_addr: $(CHECK_ADDR_OBJS) $(LT_LIBS)
+ 	$(LIBTOOL) --mode=link $(CC) -o [email protected] $(CHECK_ADDR_OBJS) $(LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS) $(NET_LIBS)
[email protected]@ -211,7 +213,7 @@
+ 	$(LIBTOOL) --mode=link $(CC) -o [email protected] $(CHECK_BASE64_OBJS) $(LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS)
+ 
+ check_digest: $(CHECK_DIGEST_OBJS) $(LT_LIBS)
+-	$(LIBTOOL) --mode=link $(CC) -o [email protected] $(CHECK_DIGEST_OBJS) $(LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS)
++	$(LIBTOOL) --mode=link $(CC) -o [email protected] $(CHECK_DIGEST_OBJS) $(LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS) @[email protected]
+ 
+ check_fill: $(CHECK_FILL_OBJS) $(LT_LIBS)
+ 	$(LIBTOOL) --mode=link $(CC) -o [email protected] $(CHECK_FILL_OBJS) $(LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS)
[email protected]@ -501,12 +503,12 @@
+                 $(top_builddir)/config.h
+ 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/regress/parser/check_base64.c
+ check_digest.o: $(srcdir)/regress/parser/check_digest.c $(incdir)/missing.h \
+-                $(srcdir)/sha2.h $(top_builddir)/config.h
++                $(top_builddir)/config.h
+ 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/regress/parser/check_digest.c
+ check_fill.o: $(srcdir)/regress/parser/check_fill.c $(devdir)/gram.h \
+               $(incdir)/missing.h $(incdir)/queue.h $(incdir)/sudo_plugin.h \
+-              $(srcdir)/parse.h $(srcdir)/toke.h $(top_builddir)/config.h \
+-              $(top_srcdir)/compat/stdbool.h
++              $(incdir)/sudo_util.h $(srcdir)/parse.h $(srcdir)/toke.h \
++              $(top_builddir)/config.h $(top_srcdir)/compat/stdbool.h
+ 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/regress/parser/check_fill.c
+ check_iolog_path.o: $(srcdir)/regress/iolog_path/check_iolog_path.c \
+                     $(devdir)/def_data.c $(devdir)/def_data.h \
[email protected]@ -607,8 +609,8 @@
+                  $(top_builddir)/pathnames.h $(top_srcdir)/compat/stdbool.h
+ 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/group_plugin.c
+ group_plugin.o: group_plugin.lo
+-hexchar.lo: $(srcdir)/hexchar.c $(incdir)/fatal.h $(incdir)/missing.h \
+-            $(incdir)/sudo_debug.h $(top_builddir)/config.h
++hexchar.lo: $(srcdir)/hexchar.c $(incdir)/missing.h $(incdir)/sudo_debug.h \
++            $(top_builddir)/config.h
+ 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/hexchar.c
+ hexchar.o: hexchar.lo
+ interfaces.lo: $(srcdir)/interfaces.c $(devdir)/def_data.h $(incdir)/alloc.h \
[email protected]@ -689,9 +691,9 @@
+           $(incdir)/gettext.h $(incdir)/missing.h $(incdir)/queue.h \
+           $(incdir)/sudo_debug.h $(incdir)/sudo_plugin.h $(incdir)/sudo_util.h \
+           $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-          $(srcdir)/sha2.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+-          $(top_builddir)/config.h $(top_builddir)/pathnames.h \
+-          $(top_srcdir)/compat/fnmatch.h $(top_srcdir)/compat/glob.h \
++          $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(top_builddir)/config.h \
++          $(top_builddir)/pathnames.h $(top_srcdir)/compat/fnmatch.h \
++          $(top_srcdir)/compat/glob.h $(top_srcdir)/compat/sha2.h \
+           $(top_srcdir)/compat/stdbool.h
+ 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/match.c
+ match_addr.lo: $(srcdir)/match_addr.c $(devdir)/def_data.h $(incdir)/alloc.h \
[email protected]@ -806,10 +808,6 @@
+               $(srcdir)/sudoers.h $(top_builddir)/config.h \
+               $(top_builddir)/pathnames.h $(top_srcdir)/compat/stdbool.h
+ 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/set_perms.c
+-sha2.lo: $(srcdir)/sha2.c $(incdir)/missing.h $(srcdir)/sha2.h \
+-         $(top_builddir)/config.h $(top_srcdir)/compat/endian.h
+-	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/sha2.c
+-sha2.o: sha2.lo
+ sia.lo: $(authdir)/sia.c $(devdir)/def_data.h $(incdir)/alloc.h \
+         $(incdir)/fatal.h $(incdir)/fileops.h $(incdir)/gettext.h \
+         $(incdir)/missing.h $(incdir)/queue.h $(incdir)/sudo_debug.h \
[email protected]@ -891,9 +889,9 @@
+          $(incdir)/gettext.h $(incdir)/lbuf.h $(incdir)/missing.h \
+          $(incdir)/queue.h $(incdir)/secure_path.h $(incdir)/sudo_debug.h \
+          $(incdir)/sudo_plugin.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-         $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sha2.h \
+-         $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/toke.h \
+-         $(top_builddir)/config.h $(top_builddir)/pathnames.h \
++         $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
++         $(srcdir)/sudoers.h $(srcdir)/toke.h $(top_builddir)/config.h \
++         $(top_builddir)/pathnames.h $(top_srcdir)/compat/sha2.h \
+          $(top_srcdir)/compat/stdbool.h
+ 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(devdir)/toke.c
+ toke_util.lo: $(srcdir)/toke_util.c $(devdir)/def_data.h $(devdir)/gram.h \
+diff -urN sudo-1.8.9p5.old/plugins/sudoers/match.c sudo-1.8.9p5/plugins/sudoers/match.c
+--- sudo-1.8.9p5.old/plugins/sudoers/match.c	2014-01-07 19:08:54.000000000 +0100
++++ sudo-1.8.9p5/plugins/sudoers/match.c	2014-04-10 15:21:59.050793404 +0200
[email protected]@ -88,7 +88,11 @@
+ 
+ #include "sudoers.h"
+ #include "parse.h"
+-#include "sha2.h"
++#ifdef HAVE_SHA224UPDATE
++# include <sha2.h>
++#else
++# include "compat/sha2.h"
++#endif
+ #include <gram.h>
+ 
+ static struct member_list empty = TAILQ_HEAD_INITIALIZER(empty);
[email protected]@ -562,8 +566,13 @@
+     const char *digest_name;
+     const unsigned int digest_len;
+     void (*init)(SHA2_CTX *);
++#ifdef SHA2_VOID_PTR
++    void (*update)(SHA2_CTX *, const void *, size_t);
++    void (*final)(void *, SHA2_CTX *);
++#else
+     void (*update)(SHA2_CTX *, const unsigned char *, size_t);
+     void (*final)(unsigned char *, SHA2_CTX *);
++#endif
+ } digest_functions[] = {
+     {
+ 	"SHA224",
+diff -urN sudo-1.8.9p5.old/plugins/sudoers/regress/parser/check_digest.c sudo-1.8.9p5/plugins/sudoers/regress/parser/check_digest.c
+--- sudo-1.8.9p5.old/plugins/sudoers/regress/parser/check_digest.c	2014-01-07 19:08:52.000000000 +0100
++++ sudo-1.8.9p5/plugins/sudoers/regress/parser/check_digest.c	2014-04-10 15:20:34.462897872 +0200
[email protected]@ -39,9 +39,13 @@
+ #elif defined(HAVE_INTTYPES_H)
+ # include <inttypes.h>
+ #endif
++#ifdef HAVE_SHA224UPDATE
++# include <sha2.h>
++#else
++# include "compat/sha2.h"
++#endif
+ 
+ #include "missing.h"
+-#include "sha2.h"
+ 
+ __dso_public int main(int argc, char *argv[]);
+ 
[email protected]@ -49,8 +53,13 @@
+     const char *digest_name;
+     const int digest_len;
+     void (*init)(SHA2_CTX *);
++#ifdef SHA2_VOID_PTR
++    void (*update)(SHA2_CTX *, const void *, size_t);
++    void (*final)(void *, SHA2_CTX *);
++#else
+     void (*update)(SHA2_CTX *, const unsigned char *, size_t);
+     void (*final)(unsigned char *, SHA2_CTX *);
++#endif
+ } digest_functions[] = {
+     {
+ 	"SHA224",
+diff -urN sudo-1.8.9p5.old/plugins/sudoers/regress/sudoers/test14.toke.ok sudo-1.8.9p5/plugins/sudoers/regress/sudoers/test14.toke.ok
+--- sudo-1.8.9p5.old/plugins/sudoers/regress/sudoers/test14.toke.ok	2014-01-07 19:08:52.000000000 +0100
++++ sudo-1.8.9p5/plugins/sudoers/regress/sudoers/test14.toke.ok	2014-04-10 15:20:34.463272107 +0200
[email protected]@ -1,4 +1,4 @@
+-CMNDALIAS ALIAS = SHA224 : DIGEST COMMAND 
+-CMNDALIAS ALIAS = SHA256 : DIGEST COMMAND 
++CMNDALIAS ALIAS = SHA224_TOK : DIGEST COMMAND 
++CMNDALIAS ALIAS = SHA256_TOK : DIGEST COMMAND 
+ 
+-WORD(5) ALL = ALIAS , ALIAS , SHA512 : DIGEST COMMAND 
++WORD(5) ALL = ALIAS , ALIAS , SHA512_TOK : DIGEST COMMAND 
+diff -urN sudo-1.8.9p5.old/plugins/sudoers/sha2.c sudo-1.8.9p5/plugins/sudoers/sha2.c
+--- sudo-1.8.9p5.old/plugins/sudoers/sha2.c	2014-01-07 19:08:54.000000000 +0100
++++ sudo-1.8.9p5/plugins/sudoers/sha2.c	1970-01-01 01:00:00.000000000 +0100
[email protected]@ -1,526 +0,0 @@
+-/*
+- * Copyright (c) 2013 Todd C. Miller <[email protected]>
+- *
+- * Permission to use, copy, modify, and distribute this software for any
+- * purpose with or without fee is hereby granted, provided that the above
+- * copyright notice and this permission notice appear in all copies.
+- *
+- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+- */
+-
+-/*
+- * Implementation of SHA-224, SHA-256, SHA-384 and SHA-512
+- * as per FIPS 180-4: Secure Hash Standard (SHS)
+- * http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf
+- *
+- * Derived from the public domain SHA-1 and SHA-2 implementations
+- * by Steve Reid and Wei Dai respectively.
+- */
+-
+-#include <config.h>
+-
+-#include <stdio.h>
+-#ifdef STDC_HEADERS
+-# include <stdlib.h>
+-# include <stddef.h>
+-#else
+-# ifdef HAVE_STDLIB_H
+-#  include <stdlib.h>
+-# endif
+-#endif /* STDC_HEADERS */
+-#ifdef HAVE_STRING_H
+-# if defined(HAVE_MEMORY_H) && !defined(STDC_HEADERS)
+-#  include <memory.h>
+-# endif
+-# include <string.h>
+-#endif /* HAVE_STRING_H */
+-#ifdef HAVE_STRINGS_H
+-# include <strings.h>
+-#endif /* HAVE_STRINGS_H */
+-#if defined(HAVE_STDINT_H)
+-# include <stdint.h>
+-#elif defined(HAVE_INTTYPES_H)
+-# include <inttypes.h>
+-#endif
+-#if defined(HAVE_ENDIAN_H)
+-# include <endian.h>
+-#elif defined(HAVE_SYS_ENDIAN_H)
+-# include <sys/endian.h>
+-#elif defined(HAVE_MACHINE_ENDIAN_H)
+-# include <machine/endian.h>
+-#else
+-# include "compat/endian.h"
+-#endif
+-
+-#include "missing.h"
+-#include "sha2.h"
+-
+-/*
+- * SHA-2 operates on 32-bit and 64-bit words in big endian byte order.
+- * The following macros convert between character arrays and big endian words.
+- */
+-#define BE8TO32(x, y) do {				\
+-	(x) = (((uint32_t)((y)[0] & 255) << 24) |	\
+-	       ((uint32_t)((y)[1] & 255) << 16) |	\
+-	       ((uint32_t)((y)[2] & 255) << 8)  |	\
+-	       ((uint32_t)((y)[3] & 255)));		\
+-} while (0)
+-
+-#define BE8TO64(x, y) do {				\
+-	(x) = (((uint64_t)((y)[0] & 255) << 56) |	\
+-	       ((uint64_t)((y)[1] & 255) << 48) |	\
+-	       ((uint64_t)((y)[2] & 255) << 40) |	\
+-	       ((uint64_t)((y)[3] & 255) << 32) |	\
+-	       ((uint64_t)((y)[4] & 255) << 24) |	\
+-	       ((uint64_t)((y)[5] & 255) << 16) |	\
+-	       ((uint64_t)((y)[6] & 255) << 8)  |	\
+-	       ((uint64_t)((y)[7] & 255)));		\
+-} while (0)
+-
+-#define BE32TO8(x, y) do {			\
+-	(x)[0] = (uint8_t)(((y) >> 24) & 255);	\
+-	(x)[1] = (uint8_t)(((y) >> 16) & 255);	\
+-	(x)[2] = (uint8_t)(((y) >> 8) & 255);	\
+-	(x)[3] = (uint8_t)((y) & 255);		\
+-} while (0)
+-
+-#define BE64TO8(x, y) do {			\
+-	(x)[0] = (uint8_t)(((y) >> 56) & 255);	\
+-	(x)[1] = (uint8_t)(((y) >> 48) & 255);	\
+-	(x)[2] = (uint8_t)(((y) >> 40) & 255);	\
+-	(x)[3] = (uint8_t)(((y) >> 32) & 255);	\
+-	(x)[4] = (uint8_t)(((y) >> 24) & 255);	\
+-	(x)[5] = (uint8_t)(((y) >> 16) & 255);	\
+-	(x)[6] = (uint8_t)(((y) >> 8) & 255);	\
+-	(x)[7] = (uint8_t)((y) & 255);		\
+-} while (0)
+-
+-#define rotrFixed(x,y) (y ? ((x>>y) | (x<<(sizeof(x)*8-y))) : x)
+-
+-#define blk0(i) (W[i])
+-#define blk2(i) (W[i&15]+=s1(W[(i-2)&15])+W[(i-7)&15]+s0(W[(i-15)&15]))
+-
+-#define Ch(x,y,z) (z^(x&(y^z)))
+-#define Maj(x,y,z) (y^((x^y)&(y^z)))
+-
+-#define a(i) T[(0-i)&7]
+-#define b(i) T[(1-i)&7]
+-#define c(i) T[(2-i)&7]
+-#define d(i) T[(3-i)&7]
+-#define e(i) T[(4-i)&7]
+-#define f(i) T[(5-i)&7]
+-#define g(i) T[(6-i)&7]
+-#define h(i) T[(7-i)&7]
+-
+-void
+-SHA224Init(SHA2_CTX *ctx)
+-{
+-	memset(ctx, 0, sizeof(*ctx));
+-	ctx->state.st32[0] = 0xc1059ed8UL;
+-	ctx->state.st32[1] = 0x367cd507UL;
+-	ctx->state.st32[2] = 0x3070dd17UL;
+-	ctx->state.st32[3] = 0xf70e5939UL;
+-	ctx->state.st32[4] = 0xffc00b31UL;
+-	ctx->state.st32[5] = 0x68581511UL;
+-	ctx->state.st32[6] = 0x64f98fa7UL;
+-	ctx->state.st32[7] = 0xbefa4fa4UL;
+-}
+-
+-void
+-SHA224Transform(uint32_t state[8], const uint8_t buffer[SHA224_BLOCK_LENGTH])
+-{
+-	SHA256Transform(state, buffer);
+-}
+-
+-void
+-SHA224Update(SHA2_CTX *ctx, const uint8_t *data, size_t len)
+-{
+-	SHA256Update(ctx, data, len);
+-}
+-
+-void
+-SHA224Pad(SHA2_CTX *ctx)
+-{
+-	SHA256Pad(ctx);
+-}
+-
+-void
+-SHA224Final(uint8_t digest[SHA224_DIGEST_LENGTH], SHA2_CTX *ctx)
+-{
+-	SHA256Pad(ctx);
+-	if (digest != NULL) {
+-#if BYTE_ORDER == BIG_ENDIAN
+-		memcpy(digest, ctx->state.st32, SHA224_DIGEST_LENGTH);
+-#else
+-		unsigned int i;
+-
+-		for (i = 0; i < 7; i++)
+-			BE32TO8(digest + (i * 4), ctx->state.st32[i]);
+-#endif
+-		memset(ctx, 0, sizeof(*ctx));
+-	}
+-}
+-
+-static const uint32_t SHA256_K[64] = {
+-	0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
+-	0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
+-	0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
+-	0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
+-	0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
+-	0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
+-	0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
+-	0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
+-	0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
+-	0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
+-	0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
+-	0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
+-	0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
+-	0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
+-	0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
+-	0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
+-};
+-
+-void
+-SHA256Init(SHA2_CTX *ctx)
+-{
+-	memset(ctx, 0, sizeof(*ctx));
+-	ctx->state.st32[0] = 0x6a09e667UL;
+-	ctx->state.st32[1] = 0xbb67ae85UL;
+-	ctx->state.st32[2] = 0x3c6ef372UL;
+-	ctx->state.st32[3] = 0xa54ff53aUL;
+-	ctx->state.st32[4] = 0x510e527fUL;
+-	ctx->state.st32[5] = 0x9b05688cUL;
+-	ctx->state.st32[6] = 0x1f83d9abUL;
+-	ctx->state.st32[7] = 0x5be0cd19UL;
+-}
+-
+-/* Round macros for SHA256 */
+-#define R(i) do {							     \
+-	h(i)+=S1(e(i))+Ch(e(i),f(i),g(i))+SHA256_K[i+j]+(j?blk2(i):blk0(i)); \
+-	d(i)+=h(i);							     \
+-	h(i)+=S0(a(i))+Maj(a(i),b(i),c(i));				     \
+-} while (0)
+-
+-#define S0(x) (rotrFixed(x,2)^rotrFixed(x,13)^rotrFixed(x,22))
+-#define S1(x) (rotrFixed(x,6)^rotrFixed(x,11)^rotrFixed(x,25))
+-#define s0(x) (rotrFixed(x,7)^rotrFixed(x,18)^(x>>3))
+-#define s1(x) (rotrFixed(x,17)^rotrFixed(x,19)^(x>>10))
+-
+-void
+-SHA256Transform(uint32_t state[8], const uint8_t data[SHA256_BLOCK_LENGTH])
+-{
+-	uint32_t W[16];
+-	uint32_t T[8];
+-	unsigned int j;
+-
+-	/* Copy context state to working vars. */
+-	memcpy(T, state, sizeof(T));
+-	/* Copy data to W in big endian format. */
+-#if BYTE_ORDER == BIG_ENDIAN
+-	memcpy(W, data, sizeof(W));
+-#else
+-	for (j = 0; j < 16; j++) {
+-	    BE8TO32(W[j], data);
+-	    data += 4;
+-	}
+-#endif
+-	/* 64 operations, partially loop unrolled. */
+-	for (j = 0; j < 64; j += 16)
+-	{
+-		R( 0); R( 1); R( 2); R( 3);
+-		R( 4); R( 5); R( 6); R( 7);
+-		R( 8); R( 9); R(10); R(11);
+-		R(12); R(13); R(14); R(15);
+-	}
+-	/* Add the working vars back into context state. */
+-	state[0] += a(0);
+-	state[1] += b(0);
+-	state[2] += c(0);
+-	state[3] += d(0);
+-	state[4] += e(0);
+-	state[5] += f(0);
+-	state[6] += g(0);
+-	state[7] += h(0);
+-	/* Cleanup */
+-	memset_s(T, sizeof(T), 0, sizeof(T));
+-	memset_s(W, sizeof(W), 0, sizeof(W));
+-}
+-
+-#undef S0
+-#undef S1
+-#undef s0
+-#undef s1
+-#undef R
+-
+-void
+-SHA256Update(SHA2_CTX *ctx, const uint8_t *data, size_t len)
+-{
+-	size_t i = 0, j;
+-
+-	j = (size_t)((ctx->count[0] >> 3) & (SHA256_BLOCK_LENGTH - 1));
+-	ctx->count[0] += (len << 3);
+-	if ((j + len) > SHA256_BLOCK_LENGTH - 1) {
+-		memcpy(&ctx->buffer[j], data, (i = SHA256_BLOCK_LENGTH - j));
+-		SHA256Transform(ctx->state.st32, ctx->buffer);
+-		for ( ; i + SHA256_BLOCK_LENGTH - 1 < len; i += SHA256_BLOCK_LENGTH)
+-			SHA256Transform(ctx->state.st32, (uint8_t *)&data[i]);
+-		j = 0;
+-	}
+-	memcpy(&ctx->buffer[j], &data[i], len - i);
+-}
+-
+-void
+-SHA256Pad(SHA2_CTX *ctx)
+-{
+-	uint8_t finalcount[8];
+-
+-	/* Store unpadded message length in bits in big endian format. */
+-	BE64TO8(finalcount, ctx->count[0]);
+-
+-	/* Append a '1' bit (0x80) to the message. */
+-	SHA256Update(ctx, (uint8_t *)"\200", 1);
+-
+-	/* Pad message such that the resulting length modulo 512 is 448. */
+-	while ((ctx->count[0] & 504) != 448)
+-		SHA256Update(ctx, (uint8_t *)"\0", 1);
+-
+-	/* Append length of message in bits and do final SHA256Transform(). */
+-	SHA256Update(ctx, finalcount, sizeof(finalcount));
+-}
+-
+-void
+-SHA256Final(uint8_t digest[SHA256_DIGEST_LENGTH], SHA2_CTX *ctx)
+-{
+-	SHA256Pad(ctx);
+-	if (digest != NULL) {
+-#if BYTE_ORDER == BIG_ENDIAN
+-		memcpy(digest, ctx->state.st32, SHA256_DIGEST_LENGTH);
+-#else
+-		unsigned int i;
+-
+-		for (i = 0; i < 8; i++)
+-			BE32TO8(digest + (i * 4), ctx->state.st32[i]);
+-#endif
+-		memset(ctx, 0, sizeof(*ctx));
+-	}
+-}
+-
+-void
+-SHA384Init(SHA2_CTX *ctx)
+-{
+-	memset(ctx, 0, sizeof(*ctx));
+-	ctx->state.st64[0] = 0xcbbb9d5dc1059ed8ULL;
+-	ctx->state.st64[1] = 0x629a292a367cd507ULL;
+-	ctx->state.st64[2] = 0x9159015a3070dd17ULL;
+-	ctx->state.st64[3] = 0x152fecd8f70e5939ULL;
+-	ctx->state.st64[4] = 0x67332667ffc00b31ULL;
+-	ctx->state.st64[5] = 0x8eb44a8768581511ULL;
+-	ctx->state.st64[6] = 0xdb0c2e0d64f98fa7ULL;
+-	ctx->state.st64[7] = 0x47b5481dbefa4fa4ULL;
+-}
+-
+-void
+-SHA384Transform(uint64_t state[8], const uint8_t data[SHA384_BLOCK_LENGTH])
+-{
+-	SHA512Transform(state, data);
+-}
+-
+-void
+-SHA384Update(SHA2_CTX *ctx, const uint8_t *data, size_t len)
+-{
+-	SHA512Update(ctx, data, len);
+-}
+-
+-void
+-SHA384Pad(SHA2_CTX *ctx)
+-{
+-	SHA512Pad(ctx);
+-}
+-
+-void
+-SHA384Final(uint8_t digest[SHA384_DIGEST_LENGTH], SHA2_CTX *ctx)
+-{
+-	SHA384Pad(ctx);
+-	if (digest != NULL) {
+-#if BYTE_ORDER == BIG_ENDIAN
+-		memcpy(digest, ctx->state.st64, SHA384_DIGEST_LENGTH);
+-#else
+-		unsigned int i;
+-
+-		for (i = 0; i < 6; i++)
+-			BE64TO8(digest + (i * 8), ctx->state.st64[i]);
+-#endif
+-		memset(ctx, 0, sizeof(*ctx));
+-	}
+-}
+-
+-static const uint64_t SHA512_K[80] = {
+-	0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
+-	0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
+-	0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
+-	0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
+-	0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
+-	0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
+-	0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
+-	0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
+-	0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
+-	0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
+-	0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
+-	0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
+-	0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
+-	0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
+-	0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
+-	0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
+-	0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
+-	0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
+-	0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
+-	0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
+-	0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
+-	0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
+-	0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
+-	0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
+-	0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
+-	0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
+-	0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
+-	0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
+-	0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
+-	0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
+-	0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
+-	0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
+-	0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
+-	0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
+-	0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
+-	0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
+-	0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
+-	0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
+-	0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
+-	0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
+-};
+-
+-void
+-SHA512Init(SHA2_CTX *ctx)
+-{
+-	memset(ctx, 0, sizeof(*ctx));
+-	ctx->state.st64[0] = 0x6a09e667f3bcc908ULL;
+-	ctx->state.st64[1] = 0xbb67ae8584caa73bULL;
+-	ctx->state.st64[2] = 0x3c6ef372fe94f82bULL;
+-	ctx->state.st64[3] = 0xa54ff53a5f1d36f1ULL;
+-	ctx->state.st64[4] = 0x510e527fade682d1ULL;
+-	ctx->state.st64[5] = 0x9b05688c2b3e6c1fULL;
+-	ctx->state.st64[6] = 0x1f83d9abfb41bd6bULL;
+-	ctx->state.st64[7] = 0x5be0cd19137e2179ULL;
+-}
+-
+-/* Round macros for SHA512 */
+-#define R(i) do {							     \
+-	h(i)+=S1(e(i))+Ch(e(i),f(i),g(i))+SHA512_K[i+j]+(j?blk2(i):blk0(i)); \
+-	d(i)+=h(i);							     \
+-	h(i)+=S0(a(i))+Maj(a(i),b(i),c(i));				     \
+-} while (0)
+-
+-#define S0(x) (rotrFixed(x,28)^rotrFixed(x,34)^rotrFixed(x,39))
+-#define S1(x) (rotrFixed(x,14)^rotrFixed(x,18)^rotrFixed(x,41))
+-#define s0(x) (rotrFixed(x,1)^rotrFixed(x,8)^(x>>7))
+-#define s1(x) (rotrFixed(x,19)^rotrFixed(x,61)^(x>>6))
+-
+-void
+-SHA512Transform(uint64_t state[8], const uint8_t data[SHA512_BLOCK_LENGTH])
+-{
+-	uint64_t W[16];
+-	uint64_t T[8];
+-	unsigned int j;
+-
+-	/* Copy context state to working vars. */
+-	memcpy(T, state, sizeof(T));
+-	/* Copy data to W in big endian format. */
+-#if BYTE_ORDER == BIG_ENDIAN
+-	memcpy(W, data, sizeof(W));
+-#else
+-	for (j = 0; j < 16; j++) {
+-	    BE8TO64(W[j], data);
+-	    data += 8;
+-	}
+-#endif
+-	/* 80 operations, partially loop unrolled. */
+-	for (j = 0; j < 80; j += 16)
+-	{
+-		R( 0); R( 1); R( 2); R( 3);
+-		R( 4); R( 5); R( 6); R( 7);
+-		R( 8); R( 9); R(10); R(11);
+-		R(12); R(13); R(14); R(15);
+-	}
+-	/* Add the working vars back into context state. */
+-	state[0] += a(0);
+-	state[1] += b(0);
+-	state[2] += c(0);
+-	state[3] += d(0);
+-	state[4] += e(0);
+-	state[5] += f(0);
+-	state[6] += g(0);
+-	state[7] += h(0);
+-	/* Cleanup. */
+-	memset_s(T, sizeof(T), 0, sizeof(T));
+-	memset_s(W, sizeof(W), 0, sizeof(W));
+-}
+-
+-void
+-SHA512Update(SHA2_CTX *ctx, const uint8_t *data, size_t len)
+-{
+-	size_t i = 0, j;
+-
+-	j = (size_t)((ctx->count[0] >> 3) & (SHA512_BLOCK_LENGTH - 1));
+-	ctx->count[0] += (len << 3);
+-	if (ctx->count[0] < (len << 3))
+-		ctx->count[1]++;
+-	if ((j + len) > SHA512_BLOCK_LENGTH - 1) {
+-		memcpy(&ctx->buffer[j], data, (i = SHA512_BLOCK_LENGTH - j));
+-		SHA512Transform(ctx->state.st64, ctx->buffer);
+-		for ( ; i + SHA512_BLOCK_LENGTH - 1 < len; i += SHA512_BLOCK_LENGTH)
+-			SHA512Transform(ctx->state.st64, (uint8_t *)&data[i]);
+-		j = 0;
+-	}
+-	memcpy(&ctx->buffer[j], &data[i], len - i);
+-}
+-
+-void
+-SHA512Pad(SHA2_CTX *ctx)
+-{
+-	uint8_t finalcount[16];
+-
+-	/* Store unpadded message length in bits in big endian format. */
+-	BE64TO8(finalcount, ctx->count[1]);
+-	BE64TO8(finalcount + 8, ctx->count[0]);
+-
+-	/* Append a '1' bit (0x80) to the message. */
+-	SHA512Update(ctx, (uint8_t *)"\200", 1);
+-
+-	/* Pad message such that the resulting length modulo 1024 is 896. */
+-	while ((ctx->count[0] & 1008) != 896)
+-		SHA512Update(ctx, (uint8_t *)"\0", 1);
+-
+-	/* Append length of message in bits and do final SHA512Transform(). */
+-	SHA512Update(ctx, finalcount, sizeof(finalcount));
+-}
+-
+-void
+-SHA512Final(uint8_t digest[SHA512_DIGEST_LENGTH], SHA2_CTX *ctx)
+-{
+-	SHA512Pad(ctx);
+-	if (digest != NULL) {
+-#if BYTE_ORDER == BIG_ENDIAN
+-		memcpy(digest, ctx->state.st64, SHA512_DIGEST_LENGTH);
+-#else
+-		unsigned int i;
+-
+-		for (i = 0; i < 8; i++)
+-			BE64TO8(digest + (i * 8), ctx->state.st64[i]);
+-#endif
+-		memset(ctx, 0, sizeof(*ctx));
+-	}
+-}
+diff -urN sudo-1.8.9p5.old/plugins/sudoers/sha2.h sudo-1.8.9p5/plugins/sudoers/sha2.h
+--- sudo-1.8.9p5.old/plugins/sudoers/sha2.h	2014-01-07 19:08:54.000000000 +0100
++++ sudo-1.8.9p5/plugins/sudoers/sha2.h	1970-01-01 01:00:00.000000000 +0100
[email protected]@ -1,74 +0,0 @@
+-/*
+- * Copyright (c) 2013 Todd C. Miller <[email protected]>
+- *
+- * Permission to use, copy, modify, and distribute this software for any
+- * purpose with or without fee is hereby granted, provided that the above
+- * copyright notice and this permission notice appear in all copies.
+- *
+- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+- */
+-
+-/*
+- * Derived from the public domain SHA-1 and SHA-2 implementations
+- * by Steve Reid and Wei Dai respectively.
+- */
+-
+-#ifndef _SUDOERS_SHA2_H
+-#define _SUDOERS_SHA2_H
+-
+-#define	SHA224_BLOCK_LENGTH		64
+-#define	SHA224_DIGEST_LENGTH		28
+-#define	SHA224_DIGEST_STRING_LENGTH	(SHA224_DIGEST_LENGTH * 2 + 1)
+-
+-#define	SHA256_BLOCK_LENGTH		64
+-#define	SHA256_DIGEST_LENGTH		32
+-#define	SHA256_DIGEST_STRING_LENGTH	(SHA256_DIGEST_LENGTH * 2 + 1)
+-
+-#define	SHA384_BLOCK_LENGTH		128
+-#define	SHA384_DIGEST_LENGTH		48
+-#define	SHA384_DIGEST_STRING_LENGTH	(SHA384_DIGEST_LENGTH * 2 + 1)
+-
+-#define	SHA512_BLOCK_LENGTH		128
+-#define	SHA512_DIGEST_LENGTH		64
+-#define	SHA512_DIGEST_STRING_LENGTH	(SHA512_DIGEST_LENGTH * 2 + 1)
+-
+-typedef struct {
+-    union {
+-	uint32_t st32[8];	/* sha224 and sha256 */
+-	uint64_t st64[8];	/* sha384 and sha512 */
+-    } state;
+-    uint64_t count[2];
+-    uint8_t buffer[SHA512_BLOCK_LENGTH];
+-} SHA2_CTX;
+-
+-void SHA224Init(SHA2_CTX *ctx);
+-void SHA224Pad(SHA2_CTX *ctx);
+-void SHA224Transform(uint32_t state[8], const uint8_t buffer[SHA224_BLOCK_LENGTH]);
+-void SHA224Update(SHA2_CTX *ctx, const uint8_t *data, size_t len);
+-void SHA224Final(uint8_t digest[SHA224_DIGEST_LENGTH], SHA2_CTX *ctx);
+-
+-void SHA256Init(SHA2_CTX *ctx);
+-void SHA256Pad(SHA2_CTX *ctx);
+-void SHA256Transform(uint32_t state[8], const uint8_t buffer[SHA256_BLOCK_LENGTH]);
+-void SHA256Update(SHA2_CTX *ctx, const uint8_t *data, size_t len);
+-void SHA256Final(uint8_t digest[SHA256_DIGEST_LENGTH], SHA2_CTX *ctx);
+-
+-void SHA384Init(SHA2_CTX *ctx);
+-void SHA384Pad(SHA2_CTX *ctx);
+-void SHA384Transform(uint64_t state[8], const uint8_t buffer[SHA384_BLOCK_LENGTH]);
+-void SHA384Update(SHA2_CTX *ctx, const uint8_t *data, size_t len);
+-void SHA384Final(uint8_t digest[SHA384_DIGEST_LENGTH], SHA2_CTX *ctx);
+-
+-void SHA512Init(SHA2_CTX *ctx);
+-void SHA512Pad(SHA2_CTX *ctx);
+-void SHA512Transform(uint64_t state[8], const uint8_t buffer[SHA512_BLOCK_LENGTH]);
+-void SHA512Update(SHA2_CTX *ctx, const uint8_t *data, size_t len);
+-void SHA512Final(uint8_t digest[SHA512_DIGEST_LENGTH], SHA2_CTX *ctx);
+-
+-#endif /* _SUDOERS_SHA2_H */
+diff -urN sudo-1.8.9p5.old/plugins/sudoers/toke.c sudo-1.8.9p5/plugins/sudoers/toke.c
+--- sudo-1.8.9p5.old/plugins/sudoers/toke.c	2014-01-07 19:08:50.000000000 +0100
++++ sudo-1.8.9p5/plugins/sudoers/toke.c	2014-04-10 15:20:34.466936711 +0200
[email protected]@ -1997,6 +1997,11 @@
+ #  include <ndir.h>
+ # endif
+ #endif
++#ifdef HAVE_SHA224UPDATE
++# include <sha2.h>
++#else
++# include "compat/sha2.h"
++#endif
+ #include <errno.h>
+ #include <ctype.h>
+ #include "sudoers.h"
[email protected]@ -2004,7 +2009,6 @@
+ #include "toke.h"
+ #include <gram.h>
+ #include "lbuf.h"
+-#include "sha2.h"
+ #include "secure_path.h"
+ 
+ int sudolineno;			/* current sudoers line number. */
[email protected]@ -2050,7 +2054,7 @@
+ 
+ #define WANTDIGEST 6
+ 
+-#line 2053 "lex.sudoers.c"
++#line 2057 "lex.sudoers.c"
+ 
+ /* Macros after this point can all be overridden by user definitions in
+  * section 1.
[email protected]@ -2204,9 +2208,9 @@
+ 	register char *yy_cp, *yy_bp;
+ 	register int yy_act;
+ 
+-#line 137 "toke.l"
++#line 141 "toke.l"
+ 
+-#line 2209 "lex.sudoers.c"
++#line 2213 "lex.sudoers.c"
+ 
+ 	if ( yy_init )
+ 		{
[email protected]@ -2292,7 +2296,7 @@
+ 
+ case 1:
+ YY_RULE_SETUP
+-#line 138 "toke.l"
++#line 142 "toke.l"
+ {
+ 			    LEXTRACE(", ");
+ 			    LEXRETURN(',');
[email protected]@ -2300,12 +2304,12 @@
+ 	YY_BREAK
+ case 2:
+ YY_RULE_SETUP
+-#line 143 "toke.l"
++#line 147 "toke.l"
+ BEGIN STARTDEFS;
+ 	YY_BREAK
+ case 3:
+ YY_RULE_SETUP
+-#line 145 "toke.l"
++#line 149 "toke.l"
+ {
+ 			    BEGIN INDEFS;
+ 			    LEXTRACE("DEFVAR ");
[email protected]@ -2317,7 +2321,7 @@
+ 
+ case 4:
+ YY_RULE_SETUP
+-#line 154 "toke.l"
++#line 158 "toke.l"
+ {
+ 			    BEGIN STARTDEFS;
+ 			    LEXTRACE(", ");
[email protected]@ -2326,7 +2330,7 @@
+ 	YY_BREAK
+ case 5:
+ YY_RULE_SETUP
+-#line 160 "toke.l"
++#line 164 "toke.l"
+ {
+ 			    LEXTRACE("= ");
+ 			    LEXRETURN('=');
[email protected]@ -2334,7 +2338,7 @@
+ 	YY_BREAK
+ case 6:
+ YY_RULE_SETUP
+-#line 165 "toke.l"
++#line 169 "toke.l"
+ {
+ 			    LEXTRACE("+= ");
+ 			    LEXRETURN('+');
[email protected]@ -2342,7 +2346,7 @@
+ 	YY_BREAK
+ case 7:
+ YY_RULE_SETUP
+-#line 170 "toke.l"
++#line 174 "toke.l"
+ {
+ 			    LEXTRACE("-= ");
+ 			    LEXRETURN('-');
[email protected]@ -2350,7 +2354,7 @@
+ 	YY_BREAK
+ case 8:
+ YY_RULE_SETUP
+-#line 175 "toke.l"
++#line 179 "toke.l"
+ {
+ 			    LEXTRACE("BEGINSTR ");
+ 			    sudoerslval.string = NULL;
[email protected]@ -2360,7 +2364,7 @@
+ 	YY_BREAK
+ case 9:
+ YY_RULE_SETUP
+-#line 182 "toke.l"
++#line 186 "toke.l"
+ {
+ 			    LEXTRACE("WORD(2) ");
+ 			    if (!fill(sudoerstext, sudoersleng))
[email protected]@ -2372,7 +2376,7 @@
+ 
+ case 10:
+ YY_RULE_SETUP
+-#line 191 "toke.l"
++#line 195 "toke.l"
+ {
+ 			    /* Line continuation char followed by newline. */
+ 			    sudolineno++;
[email protected]@ -2381,7 +2385,7 @@
+ 	YY_BREAK
+ case 11:
+ YY_RULE_SETUP
+-#line 197 "toke.l"
++#line 201 "toke.l"
+ {
+ 			    LEXTRACE("ENDSTR ");
+ 			    BEGIN prev_state;
[email protected]@ -2416,7 +2420,7 @@
+ 	YY_BREAK
+ case 12:
+ YY_RULE_SETUP
+-#line 229 "toke.l"
++#line 233 "toke.l"
+ {
+ 			    LEXTRACE("BACKSLASH ");
+ 			    if (!append(sudoerstext, sudoersleng))
[email protected]@ -2425,7 +2429,7 @@
+ 	YY_BREAK
+ case 13:
+ YY_RULE_SETUP
+-#line 235 "toke.l"
++#line 239 "toke.l"
+ {
+ 			    LEXTRACE("STRBODY ");
+ 			    if (!append(sudoerstext, sudoersleng))
[email protected]@ -2436,7 +2440,7 @@
+ 
+ case 14:
+ YY_RULE_SETUP
+-#line 243 "toke.l"
++#line 247 "toke.l"
+ {
+ 			    /* quoted fnmatch glob char, pass verbatim */
+ 			    LEXTRACE("QUOTEDCHAR ");
[email protected]@ -2447,7 +2451,7 @@
+ 	YY_BREAK
+ case 15:
+ YY_RULE_SETUP
+-#line 251 "toke.l"
++#line 255 "toke.l"
+ {
+ 			    /* quoted sudoers special char, strip backslash */
+ 			    LEXTRACE("QUOTEDCHAR ");
[email protected]@ -2458,7 +2462,7 @@
+ 	YY_BREAK
+ case 16:
+ YY_RULE_SETUP
+-#line 259 "toke.l"
++#line 263 "toke.l"
+ {
+ 			    BEGIN INITIAL;
+ 			    yyless(0);
[email protected]@ -2467,7 +2471,7 @@
+ 	YY_BREAK
+ case 17:
+ YY_RULE_SETUP
+-#line 265 "toke.l"
++#line 269 "toke.l"
+ {
+ 			    LEXTRACE("ARG ");
+ 			    if (!fill_args(sudoerstext, sudoersleng, sawspace))
[email protected]@ -2478,7 +2482,7 @@
+ 
+ case 18:
+ YY_RULE_SETUP
+-#line 273 "toke.l"
++#line 277 "toke.l"
+ {
+ 			    /* Only return DIGEST if the length is correct. */
+ 			    if (sudoersleng == digest_len * 2) {
[email protected]@ -2494,7 +2498,7 @@
+ 	YY_BREAK
+ case 19:
+ YY_RULE_SETUP
+-#line 286 "toke.l"
++#line 290 "toke.l"
+ {
+ 			    /* Only return DIGEST if the length is correct. */
+ 			    int len;
[email protected]@ -2518,7 +2522,7 @@
+ 	YY_BREAK
+ case 20:
+ YY_RULE_SETUP
+-#line 307 "toke.l"
++#line 311 "toke.l"
+ {
+ 			    char *path;
+ 
[email protected]@ -2539,7 +2543,7 @@
+ 	YY_BREAK
+ case 21:
+ YY_RULE_SETUP
+-#line 325 "toke.l"
++#line 329 "toke.l"
+ {
+ 			    char *path;
+ 
[email protected]@ -2563,7 +2567,7 @@
+ 	YY_BREAK
+ case 22:
+ YY_RULE_SETUP
+-#line 346 "toke.l"
++#line 350 "toke.l"
+ {
+ 			    char deftype;
+ 			    int n;
[email protected]@ -2606,7 +2610,7 @@
+ 	YY_BREAK
+ case 23:
+ YY_RULE_SETUP
+-#line 386 "toke.l"
++#line 390 "toke.l"
+ {
+ 			    int n;
+ 
[email protected]@ -2635,7 +2639,7 @@
+ 	YY_BREAK
+ case 24:
+ YY_RULE_SETUP
+-#line 412 "toke.l"
++#line 416 "toke.l"
+ {
+ 				/* cmnd does not require passwd for this user */
+ 			    	LEXTRACE("NOPASSWD ");
[email protected]@ -2644,7 +2648,7 @@
+ 	YY_BREAK
+ case 25:
+ YY_RULE_SETUP
+-#line 418 "toke.l"
++#line 422 "toke.l"
+ {
+ 				/* cmnd requires passwd for this user */
+ 			    	LEXTRACE("PASSWD ");
[email protected]@ -2653,7 +2657,7 @@
+ 	YY_BREAK
+ case 26:
+ YY_RULE_SETUP
+-#line 424 "toke.l"
++#line 428 "toke.l"
+ {
+ 			    	LEXTRACE("NOEXEC ");
+ 			    	LEXRETURN(NOEXEC);
[email protected]@ -2661,7 +2665,7 @@
+ 	YY_BREAK
+ case 27:
+ YY_RULE_SETUP
+-#line 429 "toke.l"
++#line 433 "toke.l"
+ {
+ 			    	LEXTRACE("EXEC ");
+ 			    	LEXRETURN(EXEC);
[email protected]@ -2669,7 +2673,7 @@
+ 	YY_BREAK
+ case 28:
+ YY_RULE_SETUP
+-#line 434 "toke.l"
++#line 438 "toke.l"
+ {
+ 			    	LEXTRACE("SETENV ");
+ 			    	LEXRETURN(SETENV);
[email protected]@ -2677,7 +2681,7 @@
+ 	YY_BREAK
+ case 29:
+ YY_RULE_SETUP
+-#line 439 "toke.l"
++#line 443 "toke.l"
+ {
+ 			    	LEXTRACE("NOSETENV ");
+ 			    	LEXRETURN(NOSETENV);
[email protected]@ -2685,7 +2689,7 @@
+ 	YY_BREAK
+ case 30:
+ YY_RULE_SETUP
+-#line 444 "toke.l"
++#line 448 "toke.l"
+ {
+ 			    	LEXTRACE("LOG_OUTPUT ");
+ 			    	LEXRETURN(LOG_OUTPUT);
[email protected]@ -2693,7 +2697,7 @@
+ 	YY_BREAK
+ case 31:
+ YY_RULE_SETUP
+-#line 449 "toke.l"
++#line 453 "toke.l"
+ {
+ 			    	LEXTRACE("NOLOG_OUTPUT ");
+ 			    	LEXRETURN(NOLOG_OUTPUT);
[email protected]@ -2701,7 +2705,7 @@
+ 	YY_BREAK
+ case 32:
+ YY_RULE_SETUP
+-#line 454 "toke.l"
++#line 458 "toke.l"
+ {
+ 			    	LEXTRACE("LOG_INPUT ");
+ 			    	LEXRETURN(LOG_INPUT);
[email protected]@ -2709,7 +2713,7 @@
+ 	YY_BREAK
+ case 33:
+ YY_RULE_SETUP
+-#line 459 "toke.l"
++#line 463 "toke.l"
+ {
+ 			    	LEXTRACE("NOLOG_INPUT ");
+ 			    	LEXRETURN(NOLOG_INPUT);
[email protected]@ -2717,7 +2721,7 @@
+ 	YY_BREAK
+ case 34:
+ YY_RULE_SETUP
+-#line 464 "toke.l"
++#line 468 "toke.l"
+ {
+ 			    /* empty group or netgroup */
+ 			    LEXTRACE("ERROR ");
[email protected]@ -2726,7 +2730,7 @@
+ 	YY_BREAK
+ case 35:
+ YY_RULE_SETUP
+-#line 470 "toke.l"
++#line 474 "toke.l"
+ {
+ 			    /* netgroup */
+ 			    if (!fill(sudoerstext, sudoersleng))
[email protected]@ -2737,7 +2741,7 @@
+ 	YY_BREAK
+ case 36:
+ YY_RULE_SETUP
+-#line 478 "toke.l"
++#line 482 "toke.l"
+ {
+ 			    /* group */
+ 			    if (!fill(sudoerstext, sudoersleng))
[email protected]@ -2748,7 +2752,7 @@
+ 	YY_BREAK
+ case 37:
+ YY_RULE_SETUP
+-#line 486 "toke.l"
++#line 490 "toke.l"
+ {
+ 			    if (!fill(sudoerstext, sudoersleng))
+ 				yyterminate();
[email protected]@ -2758,7 +2762,7 @@
+ 	YY_BREAK
+ case 38:
+ YY_RULE_SETUP
+-#line 493 "toke.l"
++#line 497 "toke.l"
+ {
+ 			    if (!fill(sudoerstext, sudoersleng))
+ 				yyterminate();
[email protected]@ -2768,7 +2772,7 @@
+ 	YY_BREAK
+ case 39:
+ YY_RULE_SETUP
+-#line 500 "toke.l"
++#line 504 "toke.l"
+ {
+ 			    if (!ipv6_valid(sudoerstext)) {
+ 				LEXTRACE("ERROR ");
[email protected]@ -2782,7 +2786,7 @@
+ 	YY_BREAK
+ case 40:
+ YY_RULE_SETUP
+-#line 511 "toke.l"
++#line 515 "toke.l"
+ {
+ 			    if (!ipv6_valid(sudoerstext)) {
+ 				LEXTRACE("ERROR ");
[email protected]@ -2796,7 +2800,7 @@
+ 	YY_BREAK
+ case 41:
+ YY_RULE_SETUP
+-#line 522 "toke.l"
++#line 526 "toke.l"
+ {
+ 			    LEXTRACE("ALL ");
+ 			    LEXRETURN(ALL);
[email protected]@ -2805,7 +2809,7 @@
+ 	YY_BREAK
+ case 42:
+ YY_RULE_SETUP
+-#line 528 "toke.l"
++#line 532 "toke.l"
+ {
+ #ifdef HAVE_SELINUX
+ 			    LEXTRACE("ROLE ");
[email protected]@ -2817,7 +2821,7 @@
+ 	YY_BREAK
+ case 43:
+ YY_RULE_SETUP
+-#line 537 "toke.l"
++#line 541 "toke.l"
+ {
+ #ifdef HAVE_SELINUX
+ 			    LEXTRACE("TYPE ");
[email protected]@ -2829,7 +2833,7 @@
+ 	YY_BREAK
+ case 44:
+ YY_RULE_SETUP
+-#line 545 "toke.l"
++#line 549 "toke.l"
+ {
+ #ifdef HAVE_PRIV_SET
+ 			    LEXTRACE("PRIVS ");
[email protected]@ -2841,7 +2845,7 @@
+ 	YY_BREAK
+ case 45:
+ YY_RULE_SETUP
+-#line 554 "toke.l"
++#line 558 "toke.l"
+ {
+ #ifdef HAVE_PRIV_SET
+ 			    LEXTRACE("LIMITPRIVS ");
[email protected]@ -2853,7 +2857,7 @@
+ 	YY_BREAK
+ case 46:
+ YY_RULE_SETUP
+-#line 563 "toke.l"
++#line 567 "toke.l"
+ {
+ 			got_alias:
+ 			    if (!fill(sudoerstext, sudoersleng))
[email protected]@ -2864,7 +2868,7 @@
+ 	YY_BREAK
+ case 47:
+ YY_RULE_SETUP
+-#line 571 "toke.l"
++#line 575 "toke.l"
+ {
+ 			    /* XXX - no way to specify digest for command */
+ 			    /* no command args allowed for Defaults!/path */
[email protected]@ -2876,47 +2880,47 @@
+ 	YY_BREAK
+ case 48:
+ YY_RULE_SETUP
+-#line 580 "toke.l"
++#line 584 "toke.l"
+ {
+ 			    digest_len = SHA224_DIGEST_LENGTH;
+ 			    BEGIN WANTDIGEST;
+-			    LEXTRACE("SHA224 ");
+-			    LEXRETURN(SHA224);
++			    LEXTRACE("SHA224_TOK ");
++			    LEXRETURN(SHA224_TOK);
+ 			}
+ 	YY_BREAK
+ case 49:
+ YY_RULE_SETUP
+-#line 587 "toke.l"
++#line 591 "toke.l"
+ {
+ 			    digest_len = SHA256_DIGEST_LENGTH;
+ 			    BEGIN WANTDIGEST;
+-			    LEXTRACE("SHA256 ");
+-			    LEXRETURN(SHA256);
++			    LEXTRACE("SHA256_TOK ");
++			    LEXRETURN(SHA256_TOK);
+ 			}
+ 	YY_BREAK
+ case 50:
+ YY_RULE_SETUP
+-#line 594 "toke.l"
++#line 598 "toke.l"
+ {
+ 			    digest_len = SHA384_DIGEST_LENGTH;
+ 			    BEGIN WANTDIGEST;
+-			    LEXTRACE("SHA384 ");
+-			    LEXRETURN(SHA384);
++			    LEXTRACE("SHA384_TOK ");
++			    LEXRETURN(SHA384_TOK);
+ 			}
+ 	YY_BREAK
+ case 51:
+ YY_RULE_SETUP
+-#line 601 "toke.l"
++#line 605 "toke.l"
+ {
+ 			    digest_len = SHA512_DIGEST_LENGTH;
+ 			    BEGIN WANTDIGEST;
+-			    LEXTRACE("SHA512 ");
+-			    LEXRETURN(SHA512);
++			    LEXTRACE("SHA512_TOK ");
++			    LEXRETURN(SHA512_TOK);
+ 			}
+ 	YY_BREAK
+ case 52:
+ YY_RULE_SETUP
+-#line 608 "toke.l"
++#line 612 "toke.l"
+ {
+ 			    BEGIN GOTCMND;
+ 			    LEXTRACE("COMMAND ");
[email protected]@ -2926,7 +2930,7 @@
+ 	YY_BREAK
+ case 53:
+ YY_RULE_SETUP
+-#line 615 "toke.l"
++#line 619 "toke.l"
+ {
+ 			    /* directories can't have args... */
+ 			    if (sudoerstext[sudoersleng - 1] == '/') {
[email protected]@ -2944,7 +2948,7 @@
+ 	YY_BREAK
+ case 54:
+ YY_RULE_SETUP
+-#line 630 "toke.l"
++#line 634 "toke.l"
+ {
+ 			    LEXTRACE("BEGINSTR ");
+ 			    sudoerslval.string = NULL;
[email protected]@ -2954,7 +2958,7 @@
+ 	YY_BREAK
+ case 55:
+ YY_RULE_SETUP
+-#line 637 "toke.l"
++#line 641 "toke.l"
+ {
+ 			    /* a word */
+ 			    if (!fill(sudoerstext, sudoersleng))
[email protected]@ -2965,7 +2969,7 @@
+ 	YY_BREAK
+ case 56:
+ YY_RULE_SETUP
+-#line 645 "toke.l"
++#line 649 "toke.l"
+ {
+ 			    LEXTRACE("( ");
+ 			    LEXRETURN('(');
[email protected]@ -2973,7 +2977,7 @@
+ 	YY_BREAK
+ case 57:
+ YY_RULE_SETUP
+-#line 650 "toke.l"
++#line 654 "toke.l"
+ {
+ 			    LEXTRACE(") ");
+ 			    LEXRETURN(')');
[email protected]@ -2981,7 +2985,7 @@
+ 	YY_BREAK
+ case 58:
+ YY_RULE_SETUP
+-#line 655 "toke.l"
++#line 659 "toke.l"
+ {
+ 			    LEXTRACE(", ");
+ 			    LEXRETURN(',');
[email protected]@ -2989,7 +2993,7 @@
+ 	YY_BREAK
+ case 59:
+ YY_RULE_SETUP
+-#line 660 "toke.l"
++#line 664 "toke.l"
+ {
+ 			    LEXTRACE("= ");
+ 			    LEXRETURN('=');
[email protected]@ -2997,7 +3001,7 @@
+ 	YY_BREAK
+ case 60:
+ YY_RULE_SETUP
+-#line 665 "toke.l"
++#line 669 "toke.l"
+ {
+ 			    LEXTRACE(": ");
+ 			    LEXRETURN(':');
[email protected]@ -3005,7 +3009,7 @@
+ 	YY_BREAK
+ case 61:
+ YY_RULE_SETUP
+-#line 670 "toke.l"
++#line 674 "toke.l"
+ {
+ 			    if (sudoersleng & 1) {
+ 				LEXTRACE("!");
[email protected]@ -3015,7 +3019,7 @@
+ 	YY_BREAK
+ case 62:
+ YY_RULE_SETUP
+-#line 677 "toke.l"
++#line 681 "toke.l"
+ {
+ 			    if (YY_START == INSTR) {
+ 				LEXTRACE("ERROR ");
[email protected]@ -3030,14 +3034,14 @@
+ 	YY_BREAK
+ case 63:
+ YY_RULE_SETUP
+-#line 689 "toke.l"
++#line 693 "toke.l"
+ {			/* throw away space/tabs */
+ 			    sawspace = true;	/* but remember for fill_args */
+ 			}
+ 	YY_BREAK
+ case 64:
+ YY_RULE_SETUP
+-#line 693 "toke.l"
++#line 697 "toke.l"
+ {
+ 			    sawspace = true;	/* remember for fill_args */
+ 			    sudolineno++;
[email protected]@ -3046,7 +3050,7 @@
+ 	YY_BREAK
+ case 65:
+ YY_RULE_SETUP
+-#line 699 "toke.l"
++#line 703 "toke.l"
+ {
+ 			    if (sudoerstext[sudoersleng - 1] == '\n') {
+ 				/* comment ending in a newline */
[email protected]@ -3063,7 +3067,7 @@
+ 	YY_BREAK
+ case 66:
+ YY_RULE_SETUP
+-#line 713 "toke.l"
++#line 717 "toke.l"
+ {
+ 			    LEXTRACE("ERROR ");
+ 			    LEXRETURN(ERROR);
[email protected]@ -3076,7 +3080,7 @@
+ case YY_STATE_EOF(INDEFS):
+ case YY_STATE_EOF(INSTR):
+ case YY_STATE_EOF(WANTDIGEST):
+-#line 718 "toke.l"
++#line 722 "toke.l"
+ {
+ 			    if (YY_START != INITIAL) {
+ 			    	BEGIN INITIAL;
[email protected]@ -3089,10 +3093,10 @@
+ 	YY_BREAK
+ case 67:
+ YY_RULE_SETUP
+-#line 728 "toke.l"
++#line 732 "toke.l"
+ ECHO;
+ 	YY_BREAK
+-#line 3095 "lex.sudoers.c"
++#line 3099 "lex.sudoers.c"
+ 
+ 	case YY_END_OF_BUFFER:
+ 		{
[email protected]@ -3983,7 +3987,7 @@
+ 	return 0;
+ 	}
+ #endif
+-#line 728 "toke.l"
++#line 732 "toke.l"
+ 
+ struct path_list {
+     SLIST_ENTRY(path_list) entries;
+diff -urN sudo-1.8.9p5.old/plugins/sudoers/toke.l sudo-1.8.9p5/plugins/sudoers/toke.l
+--- sudo-1.8.9p5.old/plugins/sudoers/toke.l	2014-01-07 19:08:50.000000000 +0100
++++ sudo-1.8.9p5/plugins/sudoers/toke.l	2014-04-10 15:20:34.467610395 +0200
[email protected]@ -69,6 +69,11 @@
+ #  include <ndir.h>
+ # endif
+ #endif
++#ifdef HAVE_SHA224UPDATE
++# include <sha2.h>
++#else
++# include "compat/sha2.h"
++#endif
+ #include <errno.h>
+ #include <ctype.h>
+ #include "sudoers.h"
[email protected]@ -76,7 +81,6 @@
+ #include "toke.h"
+ #include <gram.h>
+ #include "lbuf.h"
+-#include "sha2.h"
+ #include "secure_path.h"
+ 
+ int sudolineno;			/* current sudoers line number. */
[email protected]@ -580,29 +584,29 @@
+ sha224			{
+ 			    digest_len = SHA224_DIGEST_LENGTH;
+ 			    BEGIN WANTDIGEST;
+-			    LEXTRACE("SHA224 ");
+-			    LEXRETURN(SHA224);
++			    LEXTRACE("SHA224_TOK ");
++			    LEXRETURN(SHA224_TOK);
+ 			}
+ 
+ sha256			{
+ 			    digest_len = SHA256_DIGEST_LENGTH;
+ 			    BEGIN WANTDIGEST;
+-			    LEXTRACE("SHA256 ");
+-			    LEXRETURN(SHA256);
++			    LEXTRACE("SHA256_TOK ");
++			    LEXRETURN(SHA256_TOK);
+ 			}
+ 
+ sha384			{
+ 			    digest_len = SHA384_DIGEST_LENGTH;
+ 			    BEGIN WANTDIGEST;
+-			    LEXTRACE("SHA384 ");
+-			    LEXRETURN(SHA384);
++			    LEXTRACE("SHA384_TOK ");
++			    LEXRETURN(SHA384_TOK);
+ 			}
+ 
+ sha512			{
+ 			    digest_len = SHA512_DIGEST_LENGTH;
+ 			    BEGIN WANTDIGEST;
+-			    LEXTRACE("SHA512 ");
+-			    LEXRETURN(SHA512);
++			    LEXTRACE("SHA512_TOK ");
++			    LEXRETURN(SHA512_TOK);
+ 			}
+ 
+ sudoedit		{
--- a/components/sudo/resolve.deps	Mon Apr 14 23:01:26 2014 -0700
+++ b/components/sudo/resolve.deps	Thu Apr 10 15:30:14 2014 +0200
@@ -1,2 +1,3 @@
 library/zlib
 system/library
+system/library/security/crypto
--- a/components/sudo/sudo.license	Mon Apr 14 23:01:26 2014 -0700
+++ b/components/sudo/sudo.license	Thu Apr 10 15:30:14 2014 +0200
@@ -1,10 +1,10 @@
 
-Copyright (c) 2012-2013 Todd C. Miller <[email protected]>
 Copyright (c) 2009 Christian S.J. Peron
+Copyright (C) 1995-2012 Jean-loup Gailly and Mark Adler
 
 Sudo is distributed under the following license:
 
-   Copyright (c) 1994-1996, 1998-2012
+   Copyright (c) 1994-1996, 1998-2014
         Todd C. Miller <[email protected]>
 
    Permission to use, copy, modify, and distribute this software for any
@@ -23,6 +23,9 @@
    Agency (DARPA) and Air Force Research Laboratory, Air Force
    Materiel Command, USAF, under agreement number F39502-99-1-0512.
 
+
+
+
 The file redblack.c bears the following license:
 
    Copyright (c) 2001 Emin Martinian
@@ -45,7 +48,10 @@
    (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
    OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-The files getcwd.c, glob.c, glob.h and snprintf.c bear the following license:
+
+
+
+The files include/queue.h, getcwd.c, glob.c, glob.h and snprintf.c bear the following license:
 
    Copyright (c) 1989, 1990, 1991, 1993
         The Regents of the University of California.  All rights reserved.
@@ -74,6 +80,9 @@
    OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
    SUCH DAMAGE.
 
+
+
+
 The file fnmatch.c bears the following license:
 
    Copyright (c) 2011, VMware, Inc.
@@ -101,9 +110,12 @@
    (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
    THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
+
+
+
 The embedded copy of zlib bears the following license:
 
-  Copyright (C) 1995-2012 Jean-loup Gailly and Mark Adler
+  Copyright (C) 1995-2010 Jean-loup Gailly and Mark Adler
 
   This software is provided 'as-is', without any express or implied
   warranty.  In no event will the authors be held liable for any damages
@@ -123,3 +135,52 @@
 
   Jean-loup Gailly        Mark Adler
   [email protected]          [email protected]
+
+
+
+
+The files compat/getopt.h, compat/getopt_long.c have the following license:
+
+Copyright (c) 2000 The NetBSD Foundation, Inc.
+All rights reserved.
+
+This code is derived from software contributed to The NetBSD Foundation
+by Dieter Baron and Thomas Klausner.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+
+
+
+The file m4/ax_func_getaddrinfo.m4:
+Placed in the public domain by Todd C. Miller on November 20, 2013.
+
+
+
+
+The file m4/ax_func_snprintf.m4:
+Copyright (c) 2008 Ruediger Kuhlmann <[email protected]>
+
+Copying and distribution of this file, with or without modification, are
+permitted in any medium without royalty provided the copyright notice
+and this notice are preserved. This file is offered as-is, without any
+warranty.
--- a/components/sudo/sudo.p5m	Mon Apr 14 23:01:26 2014 -0700
+++ b/components/sudo/sudo.p5m	Thu Apr 10 15:30:14 2014 +0200
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
 #
 
 <transform file path=usr.*/man/.+ -> default mangler.man.stability uncommitted>
@@ -26,7 +26,7 @@
 set name=pkg.fmri value=pkg:/security/[email protected]$(IPS_COMPONENT_VERSION),$(BUILD_VERSION)
 set name=pkg.summary value="sudo - tool to allow certain tasks to be run as root by ordinary users"
 set name=com.oracle.info.description value="the sudo utility"
-set name=com.oracle.info.tpno value=12745
+set name=com.oracle.info.tpno value=16733
 set name=info.classification \
 	value="org.opensolaris.category.2008:Applications/System Utilities"
 set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
@@ -42,7 +42,10 @@
 file path=usr/bin/sudo mode=4511
 file path=usr/bin/sudoreplay mode=0511
 file path=usr/include/sudo_plugin.h
-file path=usr/lib/sudo/sudoers.so
+# pkglint complains about sudoers.so since it thinks that it is 64bit library
+# in 32bit path. But since this is sudo module rather than generic *.so library
+# we are free to have it there. We just need to silence the warning.
+file path=usr/lib/sudo/sudoers.so pkg.linted.userland.action001.2=true
 file path=usr/sbin/visudo mode=0511
 file path=usr/share/doc/sudo/ChangeLog
 file path=usr/share/doc/sudo/HISTORY