From a8fd5cb7ab022accf078cafd47882bd1fd009816 Mon Sep 17 00:00:00 2001 From: Noah Meyerhans Date: Sat, 31 Aug 2019 08:06:33 -0700 Subject: [PATCH] net: remove ipsec-tools As discussed in #7832, ipsec-tools is no longer suitable for inclusion in the distribution. 
Signed-off-by: Noah Meyerhans --- net/ipsec-tools/Makefile | 103 -- net/ipsec-tools/files/functions.sh | 172 --- net/ipsec-tools/files/p1client-down | 41 - net/ipsec-tools/files/p1client-up | 41 - net/ipsec-tools/files/racoon | 113 -- net/ipsec-tools/files/racoon.init | 479 ------- net/ipsec-tools/files/vpnctl | 19 - .../patches/001-ipsec-tools-def-psk.patch | 24 - net/ipsec-tools/patches/001-no_libfl.patch | 22 - net/ipsec-tools/patches/002-patch8-utmp.patch | 72 -- .../patches/003-microsoft-fqdn-in-main.patch | 13 - net/ipsec-tools/patches/005-isakmp-fix.patch | 11 - .../patches/006-linux-3.7-compat.patch | 50 - .../patches/007-force_have_policy_fwd.patch | 12 - .../008-racoon-fix_dereference_crash.patch | 16 - net/ipsec-tools/patches/009-musl-compat.patch | 187 --- .../patches/010-CVE-2016-10396.patch | 201 --- .../patches/012-fix-implicit-int.patch | 11 - net/ipsec-tools/patches/015-openssl-1.1.patch | 1096 ----------------- .../patches/020-openssl-deprecated.patch | 21 - 20 files changed, 2704 deletions(-) delete mode 100644 net/ipsec-tools/Makefile delete mode 100644 net/ipsec-tools/files/functions.sh delete mode 100644 net/ipsec-tools/files/p1client-down delete mode 100644 net/ipsec-tools/files/p1client-up delete mode 100644 net/ipsec-tools/files/racoon delete mode 100644 net/ipsec-tools/files/racoon.init delete mode 100644 net/ipsec-tools/files/vpnctl delete mode 100644 net/ipsec-tools/patches/001-ipsec-tools-def-psk.patch delete mode 100644 net/ipsec-tools/patches/001-no_libfl.patch delete mode 100644 net/ipsec-tools/patches/002-patch8-utmp.patch delete mode 100644 net/ipsec-tools/patches/003-microsoft-fqdn-in-main.patch delete mode 100644 net/ipsec-tools/patches/005-isakmp-fix.patch delete mode 100644 net/ipsec-tools/patches/006-linux-3.7-compat.patch delete mode 100644 net/ipsec-tools/patches/007-force_have_policy_fwd.patch delete mode 100644 net/ipsec-tools/patches/008-racoon-fix_dereference_crash.patch delete mode 100644 
net/ipsec-tools/patches/009-musl-compat.patch delete mode 100644 net/ipsec-tools/patches/010-CVE-2016-10396.patch delete mode 100644 net/ipsec-tools/patches/012-fix-implicit-int.patch delete mode 100644 net/ipsec-tools/patches/015-openssl-1.1.patch delete mode 100644 net/ipsec-tools/patches/020-openssl-deprecated.patch diff --git a/net/ipsec-tools/Makefile b/net/ipsec-tools/Makefile deleted file mode 100644 index 317df78ed..000000000 --- a/net/ipsec-tools/Makefile +++ /dev/null 
@@ -1,103 +0,0 @@ -# -# Copyright (C) 2006-2015 OpenWrt.org -# 2014 Noah Meyerhans -# -# This is free software, licensed under the GNU General Public License v2. -# See /LICENSE for more information. -# - -include $(TOPDIR)/rules.mk -include $(INCLUDE_DIR)/kernel.mk - -PKG_NAME:=ipsec-tools -PKG_VERSION:=0.8.2 -PKG_RELEASE:=9 -PKG_MAINTAINER:=Noah Meyerhans , \ - Vitaly Protsko -PKG_LICENSE := BSD-3-Clause - -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 -PKG_SOURCE_URL:=@SF/ipsec-tools -PKG_HASH:=8eb6b38716e2f3a8a72f1f549c9444c2bc28d52c9536792690564c74fe722f2d - -PKG_BUILD_PARALLEL:=1 -PKG_INSTALL:=1 - -PKG_FIXUP:=autoreconf - -include $(INCLUDE_DIR)/package.mk - -define Package/ipsec-tools - SECTION:=net - CATEGORY:=Network - SUBMENU:=VPN - DEPENDS:=+libopenssl +kmod-ipsec - TITLE:=IPsec management tools - URL:=http://ipsec-tools.sourceforge.net/ - MAINTAINER:=Noah Meyerhans -endef - -CONFIGURE_ARGS += \ - --enable-shared \ - --enable-static \ - --with-kernel-headers="$(LINUX_DIR)/include" \ - --without-readline \ - --with-openssl="$(STAGING_DIR)/usr" \ - --without-libradius \ - --without-libpam \ - --enable-dpd \ - --enable-hybrid \ - --enable-security-context=no \ - --enable-natt \ - --enable-adminport \ - --enable-frag \ - $(call autoconf_bool,CONFIG_IPV6,ipv6) - -# override CFLAGS holding "-Werror" that break builds on compile warnings -MAKE_FLAGS+=\ - CFLAGS="$(TARGET_CFLAGS) $(EXTRA_CFLAGS) $(TARGET_CPPFLAGS) $(EXTRA_CPPFLAGS)" - -define Build/Prepare - $(call Build/Prepare/Default) - chmod -R u+w $(PKG_BUILD_DIR) -endef - -define Build/Configure - (cd $(PKG_BUILD_DIR); touch \ - configure.ac \ - aclocal.m4 \ - Makefile.in \ - config.h.in \ - configure \ - ); - $(call Build/Configure/Default) -ifndef CONFIG_SHADOW_PASSWORDS - echo "#undef HAVE_SHADOW_H" >> $(PKG_BUILD_DIR)/config.h -endif -endef - -define Package/ipsec-tools/install - $(INSTALL_DIR) $(1)/etc/racoon - $(INSTALL_CONF) ./files/functions.sh $(1)/etc/racoon/ - $(INSTALL_BIN) ./files/p1client-up 
$(1)/etc/racoon/ - $(INSTALL_BIN) ./files/p1client-down $(1)/etc/racoon/ - $(INSTALL_BIN) ./files/vpnctl $(1)/etc/racoon/ - $(INSTALL_DIR) $(1)/etc/init.d - $(INSTALL_BIN) ./files/racoon.init $(1)/etc/init.d/racoon - $(INSTALL_DIR) $(1)/etc/config - $(INSTALL_CONF) ./files/racoon $(1)/etc/config/ - $(INSTALL_DIR) $(1)/usr/lib - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libipsec.so.* $(1)/usr/lib/ - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libracoon.so.* $(1)/usr/lib/ - $(INSTALL_DIR) $(1)/usr/sbin - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/plainrsa-gen $(1)/usr/sbin/ - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/racoon $(1)/usr/sbin/ - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/racoonctl $(1)/usr/sbin/ - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/setkey $(1)/usr/sbin/ -endef - -define Package/ipsec-tools/conffiles -/etc/config/racoon -endef - -$(eval $(call BuildPackage,ipsec-tools)) diff --git a/net/ipsec-tools/files/functions.sh b/net/ipsec-tools/files/functions.sh deleted file mode 100644 index 45715b5a3..000000000 --- a/net/ipsec-tools/files/functions.sh +++ /dev/null 
@@ -1,172 +0,0 @@ -#!/bin/sh -# -# Copyright (C) 2015 Vitaly Protsko - -errno=0 - -get_fieldval() { - local __data="$3" - local __rest - - test -z "$1" && return - - while true ; do - __rest=${__data#* } - test "$__rest" = "$__data" && break - - if [ "${__data/ *}" = "$2" ]; then - eval "$1=${__rest/ *}" - break - fi - - __data="$__rest" - done -} - -manage_fw() { - local cmd=/usr/sbin/iptables - local mode - local item - - if [ -z "$4" ]; then - $log "Bad usage of manage_fw" - errno=3; return 3 - fi - - case "$1" in - add|up|1) mode=A ;; - del|down|0) mode=D ;; - *) return 3 ;; - esac - - for item in $4 ; do - $cmd -$mode forwarding_$2_rule -s $item -j ACCEPT - $cmd -$mode output_$3_rule -d $item -j ACCEPT - $cmd -$mode forwarding_$3_rule -d $item -j ACCEPT - $cmd -t nat -$mode postrouting_$3_rule -d $item -j ACCEPT - done -} - -manage_sa() { - local spdcmd - local rtcmd - local gate - local litem - local ritem - - if [ -z "$4" ]; then - $log "Bad usage of manage_sa" - errno=3; return 3 - fi - - case "$1" in - add|up|1) spdcmd=add; rtcmd=add ;; - del|down|0) spdcmd=delete; rtcmd=del ;; - *) errno=3; return 3 ;; - esac - - get_fieldval gate src "$(/usr/sbin/ip route get $4)" - if [ -z "$gate" ]; then - $log "Can not find outbound IP for $4" - errno=3; return 3 - fi - - - for litem in $2 ; do - for ritem in $3 ; do - echo " -spd$spdcmd $litem $ritem any -P out ipsec esp/tunnel/$gate-$4/require; -spd$spdcmd $ritem $litem any -P in ipsec esp/tunnel/$4-$gate/require; -" | /usr/sbin/setkey -c 1>&2 - done - done - - test -n "$5" && gate=$5 - - for ritem in $3 ; do - (sleep 3; /usr/sbin/ip route $rtcmd $ritem via $gate) & - done -} - -manage_nonesa() { - local spdcmd - local item - local cout cin - - if [ -z "$4" ]; then - $log "Bad usage of manage_nonesa" - errno=3; return 3 - fi - - case "$1" in - add|up|1) spdcmd=add ;; - del|down|0) spdcmd=delete ;; - *) errno=3; return 3 ;; - esac - - case "$2" in - local|remote) ;; - *) errno=3; return 3 ;; - esac - - for item in $3 
; do - if [ "$2" = "local" ]; then - cout="$4 $item" - cin="$item $4" - else - cout="$item $4" - cin="$4 $item" - fi - echo " -spd$spdcmd $cout any -P out none; -spd$spdcmd $cin any -P in none; -" | /usr/sbin/setkey -c 1>&2 - done -} - -. /lib/functions/network.sh - -get_zoneiflist() { - local item - local data - local addr - - item=0 - data=$(uci get firewall.@zone[0].name) - while [ -n "$data" ]; do - test "$data" = "$1" && break - let "item=$item+1" - data=$(uci get firewall.@zone[$item].name) - done - - if [ -z "$data" ]; then - errno=1 - return $errno - fi - data=$(uci get firewall.@zone[$item].network) - - echo "$data" -} - -get_zoneiplist() { - local item - local addr - local data - local result - - data=$(get_zoneiflist $1) - test $? -gt 0 -o $errno -gt 0 -o -z "$data" && return $errno - - for item in $data ; do - if network_is_up $item ; then - network_get_ipaddrs addr $item - test $? -eq 0 && result="$result $addr" - fi - done - - result=$(echo $result) - echo "$result" -} - - -# EOF /etc/racoon/functions.sh diff --git a/net/ipsec-tools/files/p1client-down b/net/ipsec-tools/files/p1client-down deleted file mode 100644 index 8c5a19514..000000000 --- a/net/ipsec-tools/files/p1client-down +++ /dev/null 
@@ -1,41 +0,0 @@ -#!/bin/sh -# - -log="logger -t p1client-down[$$]" - -. /lib/functions.sh -. /etc/racoon/functions.sh - -if [ -z "$SPLIT_INCLUDE_CIDR" ]; then - $log "Connection without server-pushed routing is not supported" - exit 1 -fi - -$log "Shutting down tunnel to server $REMOTE_ADDR" -$log "Closing tunnel(-s) to $SPLIT_INCLUDE_CIDR through $INTERNAL_ADDR4" - -config_load racoon -config_get confIntZone racoon int_zone lan -config_get confExtZone racoon ext_zone wan - -manage_fw del $confIntZone $confExtZone "$INTERNAL_ADDR4 $SPLIT_INCLUDE_CIDR" - -data=$(get_zoneiflist $confIntZone) -if [ -n "$data" ]; then - for item in $data ; do - network_get_subnet locnet $item - if [ -n "$locnet" ]; then - manage_sa del "$locnet" "$SPLIT_INCLUDE_CIDR" $REMOTE_ADDR $INTERNAL_ADDR4 - else - $log "Can not find subnet on interface $item" - fi - done -else - $log "Can not find subnets in zone $confIntZone" -fi - -get_fieldval data dev "$(/usr/sbin/ip route get $REMOTE_ADDR)" -ip address del $INTERNAL_ADDR4/32 dev $data - - -# EOF /etc/racoon/p1client-down diff --git a/net/ipsec-tools/files/p1client-up b/net/ipsec-tools/files/p1client-up deleted file mode 100644 index 8a9678a46..000000000 --- a/net/ipsec-tools/files/p1client-up +++ /dev/null 
@@ -1,41 +0,0 @@ -#!/bin/sh -# - -log="logger -t p1client-up[$$]" - -. /lib/functions.sh -. /etc/racoon/functions.sh - -if [ -z "$SPLIT_INCLUDE_CIDR" ]; then - $log "Connection without server-pushed routing is not supported" - exit 1 -fi - -$log "Setting up tunnel to server $REMOTE_ADDR" -$log "Making tunnel(-s) to $SPLIT_INCLUDE_CIDR through $INTERNAL_ADDR4" - -get_fieldval data dev "$(/usr/sbin/ip route get $REMOTE_ADDR)" -ip address add $INTERNAL_ADDR4/32 dev $data - -config_load racoon -config_get confIntZone racoon int_zone lan -config_get confExtZone racoon ext_zone wan - -data=$(get_zoneiflist $confIntZone) -if [ -n "$data" ]; then - for item in $data ; do - network_get_subnet locnet $item - if [ -n "$locnet" ]; then - manage_sa add "$locnet" "$SPLIT_INCLUDE_CIDR" $REMOTE_ADDR $INTERNAL_ADDR4 - else - $log "Can not find subnet on interface $item" - fi - done -else - $log "Can not find interfaces in zone $confIntZone" -fi - -manage_fw add $confIntZone $confExtZone "$INTERNAL_ADDR4 $SPLIT_INCLUDE_CIDR" - - -# EOF /etc/racoon/p1client-up diff --git a/net/ipsec-tools/files/racoon b/net/ipsec-tools/files/racoon deleted file mode 100644 index e2c8400b4..000000000 --- a/net/ipsec-tools/files/racoon +++ /dev/null 
@@ -1,113 +0,0 @@ -#/etc/config/racoon -# -# Copyright 2015 Vitaly Protsko - -# * WARNING: this is "not working" example -# * Defaults are commented out -# * Resuting config will appear in /var/racoon/ - -config racoon -# option debug 0 -# option ext_zone 'wan' -# option int_zone 'lan' -# option port 500 -# option natt_port 4500 -# following 4 or 6, no default -# option ipversion 4 - -config p1_proposal 'example_prop1' -# option lifetime 28800 - option enc_alg 'aes' - option hash_alg 'sha1' - option auth_method 'rsasig' - option dh_group 2 - -config p1_proposal 'example_anon' -# option lifetime 28800 - option enc_alg 'aes' - option hash_alg 'sha1' - option auth_method 'xauth_rsa_server' - option dh_group 2 - -config p1_proposal 'example_xauth' -# option lifetime 28800 - option enc_alg 'aes' - option hash_alg 'sha1' - option auth_method 'xauth_rsa_client' - option dh_group 2 - -config p2_proposal 'example_prop2' - option pfs_group 2 - option enc_alg 'aes' - option auth_alg 'hmac_sha1' - -config p2_proposal 'example_in2' - option pfs_group 2 -# option lifetime 14400 - option enc_alg 'aes' - option auth_alg 'hmac_sha1' - -config sainfo 'office' - option p2_proposal 'example_prop2' - option local_net '192.168.8.0/24' - option remote_net '192.168.1.0/24' -# you can exclude some local or remote -# addresses from SA rules - list local_exclude '192.168.8.0/30' - list remote_exclude '192.168.1.128/29' - -config sainfo 'welcome' - option p2_proposal 'example_in2' - option local_net '192.168.8.0/24' - option remote_net '192.168.10.0/24' - option dns4 '192.168.8.1' - option defdomain 'myhome.local' - -config sainfo 'client' - option p2_proposal 'std_p2' - -config tunnel 'Office' - option enabled 1 -# initial_contact -# option init 1 - option remote 'vpn.example.tld' - option exchange_mode 'main' - option certificate 'example_cert' -# option peer_id_type 'asn1dn' -# option prop_check 'obey' -# option verify_id 1 -# option weak_p1check 1 -# option dpd_delay '' - list p1_proposal 
'example_prop1' - list sainfo 'office' - -# WARNING: Only ONE tunnel with remote anonymous -# can be configured and it can have only -# ONE sainfo. Otherwise resulting racoon -# configuration will be unusable -config tunnel 'Incoming' - option enabled 1 - option remote 'anonymous' - option pre_shared_key 'testitnow' - option exchange_mode 'aggressive,main' - option my_id_type 'fqdn' - option my_id 'myserver.homeip.net' - list p1_proposal 'example_anon' - list sainfo 'welcome' - -config tunnel 'Client' - option enabled 1 - option remote 'vpn.example.tld' - option username 'testuser' - option password 'testW0rD' -# option mode_cfg 1 - list p1_proposal 'example_xauth' - list sainfo 'client' - -# Insert corresponding data in PEM format as one line -config 'certificate' 'example_cert' - option 'key' '-----BEGIN PRIVATE KEY----- ~ -----END PRIVATE KEY-----' - option 'crt' '-----BEGIN CERTIFICATE----- ~ -----END CERTIFICATE-----' - -config 'certificate' 'example_ca_cert' - option 'crt' '-----BEGIN CERTIFICATE----- ~ -----END CERTIFICATE-----' diff --git a/net/ipsec-tools/files/racoon.init b/net/ipsec-tools/files/racoon.init deleted file mode 100644 index 247bdfc67..000000000 --- a/net/ipsec-tools/files/racoon.init +++ /dev/null 
@@ -1,479 +0,0 @@ -#!/bin/sh /etc/rc.common -# -# Copyright (C) 2015 Vitaly Protsko - -#set -vx - -USE_PROCD=1 - -START=60 -STOP=40 - -let connWait=2/2 -confDir=/var/racoon -confExtZone= -confIntZone= -confPort= -confNATPort= -confIPMode= - -confPh1ID=0 - -log="logger -t init.d/racoon[$$] " - -. /etc/racoon/functions.sh - -setup_load() { - config_get confExtZone "$1" ext_zone wan - config_get confIntZone "$1" int_zone lan - config_get confPort "$1" port 500 - config_get confNATPort "$1" natt_port 4500 - config_get confIPMode "$1" ipversion "" - - case X$confIPMode in - X4|X6) ;; - *) unset confIPMode ;; - esac -} - -write_header() { - echo " -# autogenerated, don't edit, look at /etc/config/racoon -# -path certificate \"$confDir/cert\"; -path script \"/etc/racoon\"; -path pre_shared_key \"$confDir/psk.txt\"; -path pidfile \"$confDir/racoon.pid\"; -padding { maximum_length 20; randomize off; strict_check off; exclusive_tail off; } -timer { counter 5; interval 20 sec; persend 1; phase1 30 sec; phase2 15 sec; } -" -} - -setup_conf() { - local conf=$confDir/racoon.conf - local peerconf=$confDir/peers.txt - local pskconf=$confDir/psk.txt - local item - local data - - data="$(get_zoneiplist $confExtZone)" - if [ "X$data" = X ]; then - $log "No IP addresses found for zone $confExtZone, exitng" - errno=2; return 2 - fi - - write_header > $conf - echo -n > $peerconf - echo -n > $pskconf - chmod 0600 $conf $peerconf $pskconf - - echo "listen {" >> $conf - for item in $data ; do - echo " isakmp $item [$confPort]; isakmp_natt $item [$confNATPort];" >> $conf - done - echo "}" >> $conf - - config_get_bool item "$1" debug 0 - data=warning - test $item -ne 0 && data=debug - echo "log $data;" >> $conf - - setup_fw add -} - -setup_p1() { - local conf=$confDir/racoon.conf - local data - - echo " proposal {" >> $conf - config_get data "$1" lifetime 28800 - echo " lifetime time $data sec;" >> $conf - - config_get data "$1" enc_alg - test -n "$data" && echo " encryption_algorithm 
$data;" >> $conf - - config_get data "$1" hash_alg - test -n "$data" && echo " hash_algorithm $data;" >> $conf - - config_get data "$1" auth_method - test -n "$data" && echo " authentication_method $data;" >> $conf - - config_get data "$1" dh_group 2 - echo -e " dh_group $data;\n }" >> $conf -} - -setup_fw() { - local cmd=/usr/sbin/iptables - local mode - - case "$1" in - add|up|1) mode=A ;; - del|down|0) mode=D ;; - *) return 3 ;; - esac - - $cmd -$mode input_${confExtZone}_rule -p AH -j ACCEPT - $cmd -$mode input_${confExtZone}_rule -p ESP -j ACCEPT - $cmd -$mode input_${confExtZone}_rule -p UDP --dport $confPort -j ACCEPT - $cmd -$mode input_${confExtZone}_rule -p UDP --dport $confNATPort -j ACCEPT -} - -setup_sa() { - local conf=$confDir/racoon.conf - local remote="${2/ *}" - local client="${2#* }" - local locnet - local remnet - local p2 - local data - - test "$2" = "$client" && unset client - - if [ -z "$client" ]; then - config_get locnet "$1" local_net - config_get remnet "$1" remote_net - if [ -z "$locnet" ] || [ -z "$remnet" ]; then - $log "Remote and local networks for $1 must be configured ($2)" - errno=4; return 4 - fi - - if [ "$remote" = "anonymous" ]; then - echo "sainfo anonymous {" >> $conf - else - echo "sainfo address $locnet any address $remnet any {" >> $conf - fi - else - echo "sainfo anonymous {" >> $conf - fi - - config_get p2 "$1" p2_proposal - if [ -z "$p2" ]; then - $log "Phase2 proposal must be configured in $1 sainfo" - errno=5; return 5 - fi - - echo " remoteid $confPh1ID;" >> $conf - - config_get data "$p2" pfs_group - test -n "$data" && echo " pfs_group $data;" >> $conf - config_get data "$p2" lifetime 14400 - test -n "$data" && echo " lifetime time $data sec;" >> $conf - config_get data "$p2" enc_alg - test -n "$data" && echo " encryption_algorithm $data;" >> $conf - config_get data "$p2" auth_alg - test -n "$data" && echo " authentication_algorithm $data;" >> $conf - - echo -e " compression_algorithm deflate;\n}" >> $conf - - if [ 
"$remote" = "anonymous" ]; then - echo -e "mode_cfg {\n auth_source system;\n conf_source local;" >> $conf - - config_get data "$1" dns4 - test -n "$data" && echo " dns4 $data;" >> $conf - config_get data "$1" defdomain - test -n "$data" && echo " default_domain \"$data\";" >> $conf - - data=${remnet%/*} - let "data=${data##*.}+1" - echo " network4 ${remnet%.*}.$data;" >> $conf - - let "data=255<<(24-${remnet#*/}+8)&255" - echo " netmask4 255.255.255.$data;" >> $conf - - echo -e " split_network include $locnet;\n}" >> $conf - - elif [ -z "$client" ]; then - config_list_foreach "$1" remote_exclude manage_nonesa add remote "$locnet" - config_list_foreach "$1" local_exclude manage_nonesa add local "$remnet" - manage_sa add "$locnet" "$remnet" $remote - test $? -gt 0 -o $errno -gt 0 && return $errno - - manage_fw add $confIntZone $confExtZone "$remnet" - fi -} - -setup_tunnel() { - local conf=$confDir/racoon.conf - local peerconf=$confDir/peers.txt - local data - local remote - local xauth - - config_get_bool data "$1" enabled 0 - test "$data" = "0" && return 0 - - config_get remote "$1" remote - if [ "$remote" = "anonymous" ]; then - echo -e "remote anonymous {\n generate_policy on;" >> $conf - else - data=$(nslookup "$remote" | awk 'NR == 5 {print $3}') - test -n "$data" && remote="$data" - echo -e "remote \"$1\" {\n remote_address $remote;" >> $conf - echo "$data" >> $peerconf - fi - - config_get data "$1" pre_shared_key "" - if [ -n "$data" ]; then - if [ "$remote" != "anonymous" ]; then - echo "$remote $data" >> $confDir/psk.txt - else - echo "* $data" >> $confDir/psk.txt - fi - fi - - let confPh1ID=$confPh1ID+1 - echo " ph1id $confPh1ID;" >> $conf - - config_get xauth "$1" username "" - - config_get data "$1" certificate "" - if [ -n "$data" ]; then - echo -en " verify_cert on;\n my_identifier asn1dn;\n certificate_type x509 " >> $conf - echo -en "\"$data.crt\" \"$data.key\";\n send_cr off;\n peers_identifier " >> $conf - else - config_get data "$1" my_id_type "" 
- if [ -n "$data" ]; then - echo -n " my_identifier $data" >> $conf - config_get data "$1" my_id "" - if [ -n "$data" ]; then - echo " \"$data\";" >> $conf - elif [ -n "$xauth" ]; then - echo " \"$xauth\";" >> $conf - else - echo ";" >> $conf - fi - elif [ -n "$xauth" ]; then - echo " my_identifier user_fqdn \"$xauth\";" >> $conf - fi - echo -n " peers_identifier " >> $conf - fi - - if [ "$remote" = "anonymous" ]; then - echo "user_fqdn;" >> $conf - else - config_get data "$1" peer_id_type "asn1dn" - echo -n "$data" >> $conf - - config_get data "$1" peer_id "" - test -n "$data" && echo -n " \"$data\"" >> $conf - - echo ";" >> $conf - fi - - if [ -n "$xauth" ]; then - config_get data "$1" password - if [ -z "$data" ]; then - $log "Password must be given in $1 tunnel" - errno=7; return 7 - fi - echo "$xauth $data" >> $confDir/psk.txt - - echo " xauth_login \"$xauth\";" >> $conf - echo -e " script \"p1client-up\" phase1_up;\n script \"p1client-down\" phase1_down;" >> $conf - fi - - config_get data "$1" exchange_mode - if [ -z "$data" ]; then - data=main - test -n "$xauth" && data="${data},aggressive" - fi - echo -e " exchange_mode $data;\n nat_traversal on;\n support_proxy on;" >> $conf - - config_get data "$1" prop_check "obey" - test -n "$data" && echo " proposal_check $data;" >> $conf - - config_get_bool data "$1" weak_p1check 1 - if [ $data -eq 0 ]; then data=off; else data=on; fi - echo " weak_phase1_check $data;" >> $conf - - config_get_bool data "$1" verify_id 1 - if [ $data -eq 0 ]; then data=off; else data=on; fi - echo " verify_identifier $data;" >> $conf - - config_get data "$1" dpd_delay "" - test -n "$data" && echo " dpd_delay $data;" >> $conf - - unset data - test -n "$xauth" && data="on" - config_get data "$1" mode_cfg "$data" - test -n "$data" && echo " mode_cfg $data;" >> $conf - - config_get_bool data "$1" init 0 - if [ $data -eq 0 ]; then data=off; else data=on; fi - echo " initial_contact $data;" >> $conf - - - config_list_foreach "$1" p1_proposal 
setup_p1 - echo "}" >> $conf - - config_list_foreach "$1" sainfo setup_sa "$remote $xauth" -} - -setup_cert() { - local item - local data - - for item in key crt ; do - config_get data "$1" $item "" - test -z "$data" && continue - - echo "$data" |\ - sed 's/-\+[A-Z ]\+-\+/\n&\n/g' | sed 's/.\{50,50\}/&\n/g' | sed '/^$/d'\ - > $confDir/cert/$1.$item - - chmod 600 $confDir/cert/$1.$item - done - - if [ -s $confDir/cert/$1.crt ]; then - data=$(openssl x509 -noout -hash -in $confDir/cert/$1.crt) - ln -sf $confDir/cert/$1.crt $confDir/cert/$data.0 - fi -} - -destroy_sa() { - local locnet - local remnet - - config_get locnet "$1" local_net - config_get remnet "$1" remote_net - if [ -z "$locnet" ] || [ -z "$remnet" ]; then - $log "Remote and local networks for $1 must be configured" - errno=4; return 4 - fi - - config_list_foreach "$1" remote_exclude manage_nonesa del remote "$locnet" - config_list_foreach "$1" local_exclude manage_nonesa del local "$remnet" - manage_sa del "$locnet" "$remnet" $2 - manage_fw del $confIntZone $confExtZone "$remnet" -} - -destroy_tunnel() { - local data - - config_get_bool data "$1" enabled 0 - test "$data" = "0" && return 0 - - config_get remote "$1" remote - data=$(nslookup "$remote" | awk 'NR == 5 {print $3}') - test -n "$data" && remote="$data" - - config_get data "$1" username "" - if [ -z "$data" ]; then - config_list_foreach "$1" sainfo destroy_sa $remote - fi -} - -destroy_conf() { - setup_fw del -} - -check_software() { - local item - - for item in /usr/sbin/setkey /usr/bin/openssl /usr/sbin/ip ; do - if [ ! -x $item ]; then - $log "Needed program $item not found, exiting" - errno=9; return 9 - fi - done -} - -cleanup_conf() { - config_load racoon - config_foreach setup_load racoon - config_foreach destroy_conf racoon - config_foreach destroy_tunnel tunnel - - /usr/sbin/setkey -P -F - /usr/sbin/setkey -F -} - -check_dir() { - local item - - for item in $confDir $confDir/cert ; do - if [ ! 
-d $item ]; then - mkdir -m 0700 -p $item - fi - done -} - -wait4wanzone() { - local item=$connWait - local data - - data="$(get_zoneiplist $confExtZone)" - while [ $item -gt 0 ]; do - test -n "$data" && break - sleep 2 - let "item=$item-1" - data="$(get_zoneiplist $confExtZone)" - done - - test -z "$data" && return 10 -} - -start_service() { - check_software - test $? -gt 0 -o $errno -gt 0 && exit $errno - - check_dir - - config_load racoon - config_foreach setup_load racoon - - config_foreach wait4wanzone racoon - if [ $? -gt 0 ] || [ $errno -gt 0 ]; then - $log "No active interfaces in $confExtZone zone found, exiting" - exit $errno - fi - - config_foreach setup_conf racoon - test $? -gt 0 -o $errno -gt 0 && exit $errno - - config_foreach setup_tunnel tunnel - test $? -gt 0 -o $errno -gt 0 && exit $errno - - config_foreach setup_cert certificate - - procd_open_instance - procd_set_param command /usr/sbin/racoon - test -n "$confIPMode" && procd_append_param command -$confIPMode - procd_append_param command -F -f $confDir/racoon.conf - procd_set_param file $confDir/racoon.conf - procd_close_instance - - if [ -x /etc/racoon/vpnctl ]; then - let connWait=$connWait*2+2 - ( sleep $connWait; /etc/racoon/vpnctl up ) & - fi -} - -service_triggers() { - local item - local data - - procd_add_reload_trigger "racoon" "network" - - config_load racoon - config_foreach setup_load racoon - - data=$(get_zoneiflist $confExtZone) - if [ $? -gt 0 ] || [ $errno -gt 0 ] || [ -z "$data" ]; then - $log "Can not find interfaces for $confExtZone zone" - else - for item in $data ; do - procd_add_reload_interface_trigger $item - done - fi -} - -stop_service() { - cleanup_conf - procd_kill racoon -} - -trap "cleanup_conf" 1 2 3 4 5 6 7 8 9 10 - - -# EOF /etc/init.d/racoon diff --git a/net/ipsec-tools/files/vpnctl b/net/ipsec-tools/files/vpnctl deleted file mode 100644 index 5fb66679e..000000000 --- a/net/ipsec-tools/files/vpnctl +++ /dev/null 
@@ -1,19 +0,0 @@ -#!/bin/sh -# - -case X$1 in - Xup|X1|Xstart) connMode=vpn-connect ;; - Xdown|X0|Xstop) connMode=vpn-disconnect ;; - *) - echo "Usage: $0: up|1|start || down|0|stop" - exit 1 ;; -esac - -if [ -s /var/racoon/peers.txt ]; then - (while read ipa ; do - racoonctl $connMode $ipa - done) < /var/racoon/peers.txt -fi - - -# EOF /usr/bin/vpnctl diff --git a/net/ipsec-tools/patches/001-ipsec-tools-def-psk.patch b/net/ipsec-tools/patches/001-ipsec-tools-def-psk.patch deleted file mode 100644 index db5b3064d..000000000 --- a/net/ipsec-tools/patches/001-ipsec-tools-def-psk.patch +++ /dev/null @@ -1,24 +0,0 @@ ---- a/src/racoon/oakley.c -+++ b/src/racoon/oakley.c -@@ -2424,8 +2424,21 @@ oakley_skeyid(iph1) - plog(LLV_ERROR, LOCATION, iph1->remote, - "couldn't find the pskey for %s.\n", - saddrwop2str(iph1->remote)); -+ } -+ } -+ if (iph1->authstr == NULL) { -+ /* -+ * If we could not locate a psk above try and locate -+ * the default psk, ie, "*". -+ */ -+ iph1->authstr = privsep_getpsk("*", 1); -+ if (iph1->authstr == NULL) { -+ plog(LLV_ERROR, LOCATION, iph1->remote, -+ "couldn't find the the default pskey either.\n"); - goto end; - } -+ plog(LLV_NOTIFY, LOCATION, iph1->remote, -+ "Using default PSK.\n"); - } - plog(LLV_DEBUG, LOCATION, NULL, "the psk found.\n"); - /* should be secret PSK */ diff --git a/net/ipsec-tools/patches/001-no_libfl.patch b/net/ipsec-tools/patches/001-no_libfl.patch deleted file mode 100644 index b56b596ba..000000000 --- a/net/ipsec-tools/patches/001-no_libfl.patch +++ /dev/null 
@@ -1,22 +0,0 @@ ---- a/src/racoon/cftoken.l -+++ b/src/racoon/cftoken.l -@@ -104,6 +104,8 @@ static struct include_stack { - static int incstackp = 0; - - static int yy_first_time = 1; -+ -+int yywrap(void) { return 1; } - %} - - /* common seciton */ ---- a/src/setkey/token.l -+++ b/src/setkey/token.l -@@ -86,6 +86,8 @@ - #if defined(SADB_X_EALG_AES) && ! defined(SADB_X_EALG_AESCBC) - #define SADB_X_EALG_AESCBC SADB_X_EALG_AES - #endif -+ -+int yywrap(void) { return 1; } - %} - - /* common section */ diff --git a/net/ipsec-tools/patches/002-patch8-utmp.patch b/net/ipsec-tools/patches/002-patch8-utmp.patch deleted file mode 100644 index 547539043..000000000 --- a/net/ipsec-tools/patches/002-patch8-utmp.patch +++ /dev/null 
@@ -1,72 +0,0 @@ ---- a/src/racoon/isakmp_cfg.c -+++ b/src/racoon/isakmp_cfg.c -@@ -38,7 +38,7 @@ - #include - #include - --#include -+#include - #if defined(__APPLE__) && defined(__MACH__) - #include - #endif -@@ -1664,7 +1664,8 @@ isakmp_cfg_accounting_system(port, raddr - int inout; - { - int error = 0; -- struct utmpx ut; -+ struct utmp ut; -+ char term[UT_LINESIZE]; - char addr[NI_MAXHOST]; - - if (usr == NULL || usr[0]=='\0') { -@@ -1673,34 +1674,37 @@ isakmp_cfg_accounting_system(port, raddr - return -1; - } - -- memset(&ut, 0, sizeof ut); -- gettimeofday((struct timeval *)&ut.ut_tv, NULL); -- snprintf(ut.ut_id, sizeof ut.ut_id, TERMSPEC, port); -+ sprintf(term, TERMSPEC, port); - - switch (inout) { - case ISAKMP_CFG_LOGIN: -- ut.ut_type = USER_PROCESS; -- strncpy(ut.ut_user, usr, sizeof ut.ut_user); -+ strncpy(ut.ut_name, usr, UT_NAMESIZE); -+ ut.ut_name[UT_NAMESIZE - 1] = '\0'; -+ -+ strncpy(ut.ut_line, term, UT_LINESIZE); -+ ut.ut_line[UT_LINESIZE - 1] = '\0'; - - GETNAMEINFO_NULL(raddr, addr); -- strncpy(ut.ut_host, addr, sizeof ut.ut_host); -+ strncpy(ut.ut_host, addr, UT_HOSTSIZE); -+ ut.ut_host[UT_HOSTSIZE - 1] = '\0'; -+ -+ ut.ut_time = time(NULL); - - plog(LLV_INFO, LOCATION, NULL, - "Accounting : '%s' logging on '%s' from %s.\n", -- ut.ut_user, ut.ut_id, addr); -- -- pututxline(&ut); -+ ut.ut_name, ut.ut_line, ut.ut_host); - -+ login(&ut); -+ - break; - case ISAKMP_CFG_LOGOUT: -- ut.ut_type = DEAD_PROCESS; - - plog(LLV_INFO, LOCATION, NULL, - "Accounting : '%s' unlogging from '%s'.\n", -- usr, ut.ut_id); -- -- pututxline(&ut); -+ usr, term); - -+ logout(term); -+ - break; - default: - plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n"); diff --git a/net/ipsec-tools/patches/003-microsoft-fqdn-in-main.patch b/net/ipsec-tools/patches/003-microsoft-fqdn-in-main.patch deleted file mode 100644 index 7174300da..000000000 --- a/net/ipsec-tools/patches/003-microsoft-fqdn-in-main.patch +++ /dev/null 
@@ -1,13 +0,0 @@ ---- a/src/racoon/ipsec_doi.c -+++ b/src/racoon/ipsec_doi.c -@@ -3581,8 +3581,8 @@ ipsecdoi_checkid1(iph1) - iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_PSKEY) { - if (id_b->type != IPSECDOI_ID_IPV4_ADDR - && id_b->type != IPSECDOI_ID_IPV6_ADDR) { -- plog(LLV_ERROR, LOCATION, NULL, -- "Expecting IP address type in main mode, " -+ plog(LLV_WARNING, LOCATION, NULL, -+ "Expecting IP address type in main mode (RFC2409) , " - "but %s.\n", s_ipsecdoi_ident(id_b->type)); - return ISAKMP_NTYPE_INVALID_ID_INFORMATION; - } diff --git a/net/ipsec-tools/patches/005-isakmp-fix.patch b/net/ipsec-tools/patches/005-isakmp-fix.patch deleted file mode 100644 index f7aa3c26c..000000000 --- a/net/ipsec-tools/patches/005-isakmp-fix.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/src/racoon/isakmp.c -+++ b/src/racoon/isakmp.c -@@ -31,6 +31,8 @@ - * SUCH DAMAGE. - */ - -+#define __packed __attribute__((__packed__)) -+ - #include "config.h" - - #include diff --git a/net/ipsec-tools/patches/006-linux-3.7-compat.patch b/net/ipsec-tools/patches/006-linux-3.7-compat.patch deleted file mode 100644 index 46b11ee51..000000000 --- a/net/ipsec-tools/patches/006-linux-3.7-compat.patch +++ /dev/null 
@@ -1,50 +0,0 @@
---- a/configure.ac
-+++ b/configure.ac
-@@ -74,9 +74,10 @@ case "$host_os" in
- [ KERNEL_INCLUDE="/lib/modules/`uname -r`/build/include" ])
- 
- AC_CHECK_HEADER($KERNEL_INCLUDE/linux/pfkeyv2.h, ,
-- [ AC_CHECK_HEADER(/usr/src/linux/include/linux/pfkeyv2.h,
-- KERNEL_INCLUDE=/usr/src/linux/include ,
-- [ AC_MSG_ERROR([Unable to find linux-2.6 kernel headers. Aborting.]) ] ) ] )
-+ [ AC_CHECK_HEADER($KERNEL_INCLUDE/uapi/linux/pfkeyv2.h, ,
-+ [ AC_CHECK_HEADER(/usr/src/linux/include/linux/pfkeyv2.h,
-+ KERNEL_INCLUDE=/usr/src/linux/include ,
-+ [ AC_MSG_ERROR([Unable to find linux-2.6 kernel headers. Aborting.]) ] ) ] ) ] )
- AC_SUBST(KERNEL_INCLUDE)
- # We need the configure script to run with correct kernel headers.
- # However we don't want to point to kernel source tree in compile time,
-@@ -643,7 +644,14 @@ AC_EGREP_CPP(yes,
- #ifdef SADB_X_EXT_NAT_T_TYPE
- yes
- #endif
--], [kernel_natt="yes"])
-+], [kernel_natt="yes"], [
-+ AC_EGREP_CPP(yes,
-+ [#include
-+ #ifdef SADB_X_EXT_NAT_T_TYPE
-+ yes
-+ #endif
-+ ], [kernel_natt="yes"])
-+])
- ;;
- freebsd*|netbsd*)
- # NetBSD case
---- a/src/include-glibc/Makefile.am
-+++ b/src/include-glibc/Makefile.am
-@@ -1,14 +1,7 @@
--
--.includes: ${top_builddir}/config.status
-- ln -snf $(KERNEL_INCLUDE)/linux
-- touch .includes
--
--all: .includes
--
- EXTRA_DIST = \
- glibc-bugs.h \
- net/pfkeyv2.h \
- netinet/ipsec.h \
- sys/queue.h
- 
--DISTCLEANFILES = .includes linux
-+DISTCLEANFILES = linux
diff --git a/net/ipsec-tools/patches/007-force_have_policy_fwd.patch b/net/ipsec-tools/patches/007-force_have_policy_fwd.patch
deleted file mode 100644
index 69cd1c039..000000000
--- a/net/ipsec-tools/patches/007-force_have_policy_fwd.patch
+++ /dev/null
@@ -1,12 +0,0 @@
---- a/configure.ac
-+++ b/configure.ac
-@@ -732,7 +732,8 @@ case $host in
- ],
- [AC_MSG_RESULT(yes)
- AC_DEFINE([HAVE_POLICY_FWD], [], [Have forward policy])],
-- [AC_MSG_RESULT(no)])
-+ [AC_MSG_RESULT(forced)
-+ AC_DEFINE([HAVE_POLICY_FWD], [], [Have forward policy])])
- ;;
- *)
- AC_MSG_RESULT(no)
diff --git a/net/ipsec-tools/patches/008-racoon-fix_dereference_crash.patch b/net/ipsec-tools/patches/008-racoon-fix_dereference_crash.patch
deleted file mode 100644
index 5e3a2d4dd..000000000
--- a/net/ipsec-tools/patches/008-racoon-fix_dereference_crash.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-Fix null dereference in racoon/gssapi.c (CVE-2015-4047)
-
---- a/src/racoon/gssapi.c
-+++ b/src/racoon/gssapi.c
-@@ -192,6 +192,11 @@ gssapi_init(struct ph1handle *iph1)
- gss_name_t princ, canon_princ;
- OM_uint32 maj_stat, min_stat;
- 
-+ if (iph1->rmconf == NULL) {
-+ plog(LLV_ERROR, LOCATION, NULL, "no remote config\n");
-+ return -1;
-+ }
-+
- gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
- if (gps == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n");
diff --git a/net/ipsec-tools/patches/009-musl-compat.patch b/net/ipsec-tools/patches/009-musl-compat.patch
deleted file mode 100644
index 85d03f9ad..000000000
--- a/net/ipsec-tools/patches/009-musl-compat.patch
+++ /dev/null
@@ -1,187 +0,0 @@ ---- a/src/racoon/grabmyaddr.c -+++ b/src/racoon/grabmyaddr.c -@@ -47,7 +47,6 @@ - #include - #include - #include --#include - #define USE_ROUTE - #endif - ---- a/src/racoon/pfkey.c -+++ b/src/racoon/pfkey.c -@@ -59,7 +59,6 @@ - #include - #include - #include --#include - - #include - #include ---- a/src/setkey/setkey.c -+++ b/src/setkey/setkey.c -@@ -40,7 +40,6 @@ - #include - #include - #include --#include - #include - #include - #include ---- a/src/libipsec/ipsec_strerror.h -+++ b/src/libipsec/ipsec_strerror.h -@@ -34,6 +34,8 @@ - #ifndef _IPSEC_STRERROR_H - #define _IPSEC_STRERROR_H - -+#include -+ - extern int __ipsec_errcode; - extern void __ipsec_set_strerror __P((const char *)); - ---- a/src/libipsec/libpfkey.h -+++ b/src/libipsec/libpfkey.h -@@ -34,6 +34,8 @@ - #ifndef _LIBPFKEY_H - #define _LIBPFKEY_H - -+#include -+ - #ifndef KAME_LIBPFKEY_H - #define KAME_LIBPFKEY_H - ---- a/src/racoon/backupsa.c -+++ b/src/racoon/backupsa.c -@@ -276,9 +276,9 @@ do { \ - GETNEXTNUM(sa_args.a_keylen, strtoul); - GETNEXTNUM(sa_args.flags, strtoul); - GETNEXTNUM(sa_args.l_alloc, strtoul); -- GETNEXTNUM(sa_args.l_bytes, strtouq); -- GETNEXTNUM(sa_args.l_addtime, strtouq); -- GETNEXTNUM(sa_args.l_usetime, strtouq); -+ GETNEXTNUM(sa_args.l_bytes, strtoull); -+ GETNEXTNUM(sa_args.l_addtime, strtoull); -+ GETNEXTNUM(sa_args.l_usetime, strtoull); - GETNEXTNUM(sa_args.seq, strtoul); - - #undef GETNEXTNUM ---- a/src/racoon/cftoken.l -+++ b/src/racoon/cftoken.l -@@ -77,6 +77,10 @@ - - #include "cfparse.h" - -+#ifndef GLOB_TILDE -+#define GLOB_TILDE 0 -+#endif -+ - int yyerrorcount = 0; - - #if defined(YIPS_DEBUG) ---- a/src/racoon/logger.h -+++ b/src/racoon/logger.h -@@ -34,6 +34,8 @@ - #ifndef _LOGGER_H - #define _LOGGER_H - -+#include -+ - struct log { - int head; - int siz; ---- a/src/racoon/misc.h -+++ b/src/racoon/misc.h -@@ -34,6 +34,8 @@ - #ifndef _MISC_H - #define _MISC_H - -+#include -+ - #define BIT2STR(b) bit2str(b, sizeof(b)<<3) - - #ifdef 
HAVE_FUNC_MACRO ---- a/src/racoon/missing/crypto/sha2/sha2.h -+++ b/src/racoon/missing/crypto/sha2/sha2.h -@@ -40,6 +40,8 @@ - #ifndef __SHA2_H__ - #define __SHA2_H__ - -+#include -+ - #ifdef __cplusplus - extern "C" { - #endif ---- a/src/racoon/netdb_dnssec.h -+++ b/src/racoon/netdb_dnssec.h -@@ -34,6 +34,8 @@ - #ifndef _NETDB_DNSSEC_H - #define _NETDB_DNSSEC_H - -+#include -+ - #ifndef T_CERT - #define T_CERT 37 /* defined by RFC2538 section 2 */ - #endif ---- a/src/racoon/plog.h -+++ b/src/racoon/plog.h -@@ -34,6 +34,8 @@ - #ifndef _PLOG_H - #define _PLOG_H - -+#include -+ - #ifdef HAVE_STDARG_H - #include - #else ---- a/src/racoon/str2val.h -+++ b/src/racoon/str2val.h -@@ -34,6 +34,8 @@ - #ifndef _STR2VAL_H - #define _STR2VAL_H - -+#include -+ - extern caddr_t val2str __P((const char *, size_t)); - extern char *str2val __P((const char *, int, size_t *)); - ---- a/src/racoon/vmbuf.h -+++ b/src/racoon/vmbuf.h -@@ -34,6 +34,8 @@ - #ifndef _VMBUF_H - #define _VMBUF_H - -+#include -+ - /* - * bp v - * v v ---- a/src/setkey/extern.h -+++ b/src/setkey/extern.h -@@ -1,6 +1,6 @@ - /* $NetBSD: extern.h,v 1.5 2009/03/06 11:45:03 tteras Exp $ */ - -- -+#include - - void parse_init __P((void)); - int parse __P((FILE **)); ---- a/src/racoon/isakmp_cfg.c -+++ b/src/racoon/isakmp_cfg.c -@@ -1694,8 +1694,6 @@ isakmp_cfg_accounting_system(port, raddr - "Accounting : '%s' logging on '%s' from %s.\n", - ut.ut_name, ut.ut_line, ut.ut_host); - -- login(&ut); -- - break; - case ISAKMP_CFG_LOGOUT: - -@@ -1703,8 +1701,6 @@ isakmp_cfg_accounting_system(port, raddr - "Accounting : '%s' unlogging from '%s'.\n", - usr, term); - -- logout(term); -- - break; - default: - plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n"); diff --git a/net/ipsec-tools/patches/010-CVE-2016-10396.patch b/net/ipsec-tools/patches/010-CVE-2016-10396.patch deleted file mode 100644 index 110b86c47..000000000 --- a/net/ipsec-tools/patches/010-CVE-2016-10396.patch +++ /dev/null 
@@ -1,201 +0,0 @@ -Description: Fix remotely exploitable DoS. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396 -Source: vendor; https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682 -Bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986 - -Index: ipsec-tools-0.8.2/src/racoon/isakmp_frag.c -=================================================================== ---- ipsec-tools-0.8.2.orig/src/racoon/isakmp_frag.c -+++ ipsec-tools-0.8.2/src/racoon/isakmp_frag.c -@@ -1,4 +1,4 @@ --/* $NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $ */ -+/* $NetBSD: isakmp_frag.c,v 1.5.36.1 2017/04/21 16:50:42 bouyer Exp $ */ - - /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */ - -@@ -173,6 +173,43 @@ vendorid_frag_cap(gen) - return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]); - } - -+static int -+isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item) -+{ -+ struct isakmp_frag_item *pitem = NULL; -+ struct isakmp_frag_item *citem = iph1->frag_chain; -+ -+ /* no frag yet, just insert at beginning of list */ -+ if (iph1->frag_chain == NULL) { -+ iph1->frag_chain = item; -+ return 0; -+ } -+ -+ do { -+ /* duplicate fragment number, abort (CVE-2016-10396) */ -+ if (citem->frag_num == item->frag_num) -+ return -1; -+ -+ /* need to insert before current item */ -+ if (citem->frag_num > item->frag_num) { -+ if (pitem != NULL) -+ pitem->frag_next = item; -+ else -+ /* insert at the beginning of the list */ -+ iph1->frag_chain = item; -+ item->frag_next = citem; -+ return 0; -+ } -+ -+ pitem = citem; -+ citem = citem->frag_next; -+ } while (citem != NULL); -+ -+ /* we reached the end of the list, insert */ -+ pitem->frag_next = item; -+ return 0; -+} -+ - int - isakmp_frag_extract(iph1, msg) - struct ph1handle *iph1; -@@ -224,39 +261,43 @@ isakmp_frag_extract(iph1, msg) - item->frag_next = NULL; - item->frag_packet = buf; - -- /* Look for the last frag while inserting the new item in the chain */ -- if 
(item->frag_last) -- last_frag = item->frag_num; -+ /* Check for the last frag before inserting the new item in the chain */ -+ if (item->frag_last) { -+ /* if we have the last fragment, indices must match */ -+ if (iph1->frag_last_index != 0 && -+ item->frag_last != iph1->frag_last_index) { -+ plog(LLV_ERROR, LOCATION, NULL, -+ "Repeated last fragment index mismatch\n"); -+ racoon_free(item); -+ vfree(buf); -+ return -1; -+ } - -- if (iph1->frag_chain == NULL) { -- iph1->frag_chain = item; -- } else { -- struct isakmp_frag_item *current; -+ last_frag = iph1->frag_last_index = item->frag_num; -+ } - -- current = iph1->frag_chain; -- while (current->frag_next) { -- if (current->frag_last) -- last_frag = item->frag_num; -- current = current->frag_next; -- } -- current->frag_next = item; -+ /* insert fragment into chain */ -+ if (isakmp_frag_insert(iph1, item) == -1) { -+ plog(LLV_ERROR, LOCATION, NULL, -+ "Repeated fragment index mismatch\n"); -+ racoon_free(item); -+ vfree(buf); -+ return -1; - } - -- /* If we saw the last frag, check if the chain is complete */ -+ /* If we saw the last frag, check if the chain is complete -+ * we have a sorted list now, so just walk through */ - if (last_frag != 0) { -+ item = iph1->frag_chain; - for (i = 1; i <= last_frag; i++) { -- item = iph1->frag_chain; -- do { -- if (item->frag_num == i) -- break; -- item = item->frag_next; -- } while (item != NULL); -- -+ if (item->frag_num != i) -+ break; -+ item = item->frag_next; - if (item == NULL) /* Not found */ - break; - } - -- if (item != NULL) /* It is complete */ -+ if (i > last_frag) /* It is complete */ - return 1; - } - -@@ -291,15 +332,9 @@ isakmp_frag_reassembly(iph1) - } - data = buf->v; - -+ item = iph1->frag_chain; - for (i = 1; i <= frag_count; i++) { -- item = iph1->frag_chain; -- do { -- if (item->frag_num == i) -- break; -- item = item->frag_next; -- } while (item != NULL); -- -- if (item == NULL) { -+ if (item->frag_num != i) { - plog(LLV_ERROR, LOCATION, NULL, - 
"Missing fragment #%d\n", i); - vfree(buf); -@@ -308,6 +343,7 @@ isakmp_frag_reassembly(iph1) - } - memcpy(data, item->frag_packet->v, item->frag_packet->l); - data += item->frag_packet->l; -+ item = item->frag_next; - } - - out: -Index: ipsec-tools-0.8.2/src/racoon/isakmp_inf.c -=================================================================== ---- ipsec-tools-0.8.2.orig/src/racoon/isakmp_inf.c -+++ ipsec-tools-0.8.2/src/racoon/isakmp_inf.c -@@ -720,6 +720,7 @@ isakmp_info_send_nx(isakmp, remote, loca - #endif - #ifdef ENABLE_FRAG - iph1->frag = 0; -+ iph1->frag_last_index = 0; - iph1->frag_chain = NULL; - #endif - -Index: ipsec-tools-0.8.2/src/racoon/isakmp.c -=================================================================== ---- ipsec-tools-0.8.2.orig/src/racoon/isakmp.c -+++ ipsec-tools-0.8.2/src/racoon/isakmp.c -@@ -1071,6 +1071,7 @@ isakmp_ph1begin_i(rmconf, remote, local) - iph1->frag = 1; - else - iph1->frag = 0; -+ iph1->frag_last_index = 0; - iph1->frag_chain = NULL; - #endif - iph1->approval = NULL; -@@ -1175,6 +1176,7 @@ isakmp_ph1begin_r(msg, remote, local, et - #endif - #ifdef ENABLE_FRAG - iph1->frag = 0; -+ iph1->frag_last_index = 0; - iph1->frag_chain = NULL; - #endif - iph1->approval = NULL; -Index: ipsec-tools-0.8.2/src/racoon/handler.h -=================================================================== ---- ipsec-tools-0.8.2.orig/src/racoon/handler.h -+++ ipsec-tools-0.8.2/src/racoon/handler.h -@@ -1,4 +1,4 @@ --/* $NetBSD: handler.h,v 1.25 2010/11/17 10:40:41 tteras Exp $ */ -+/* $NetBSD: handler.h,v 1.26 2017/01/24 19:23:56 christos Exp $ */ - - /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */ - -@@ -141,6 +141,7 @@ struct ph1handle { - #endif - #ifdef ENABLE_FRAG - int frag; /* IKE phase 1 fragmentation */ -+ int frag_last_index; - struct isakmp_frag_item *frag_chain; /* Received fragments */ - #endif - 
diff --git a/net/ipsec-tools/patches/012-fix-implicit-int.patch b/net/ipsec-tools/patches/012-fix-implicit-int.patch deleted file mode 100644 index 1fa7cb24f..000000000 --- a/net/ipsec-tools/patches/012-fix-implicit-int.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/src/racoon/isakmp_xauth.c -+++ b/src/racoon/isakmp_xauth.c -@@ -376,6 +376,7 @@ xauth_reply(iph1, port, id, res) - struct ph1handle *iph1; - int port; - int id; -+ int res; - { - struct xauth_state *xst = &iph1->mode_cfg->xauth; - char *usr = xst->authdata.generic.usr; - diff --git a/net/ipsec-tools/patches/015-openssl-1.1.patch b/net/ipsec-tools/patches/015-openssl-1.1.patch deleted file mode 100644 index 5d55c59cb..000000000 --- a/net/ipsec-tools/patches/015-openssl-1.1.patch +++ /dev/null 
@@ -1,1096 +0,0 @@ -From 071fec7181255b9234add44865a435dfdefee520 Mon Sep 17 00:00:00 2001 -In-Reply-To: <20180528120513.560-1-cote2004-github@yahoo.com> -References: <20180528120513.560-1-cote2004-github@yahoo.com> -From: Eneas U de Queiroz -Date: Wed, 30 May 2018 15:42:20 -0300 -Subject: [PATCH v2 1/1] ipsec-tools: add openssl 1.1 support -To: equeiroz@troianet.com.br - -This patch updates the calls to openssl 1.1 API, and adds a -compatibility layer so it compiles with (at least) openssl 1.0.2, I -haven't tested it with lower versions, but all that's needed is to edit -the openssl_compat.* files and add the missing functions there--they're -usually trivial. - -Signed-off-by: Eneas U de Queiroz ---- - src/racoon/Makefile.am | 10 +-- - src/racoon/algorithm.c | 6 +- - src/racoon/cfparse.y | 2 +- - src/racoon/crypto_openssl.c | 197 +++++++++++++++++++++------------------- - src/racoon/crypto_openssl.h | 2 +- - src/racoon/eaytest.c | 7 +- - src/racoon/ipsec_doi.c | 2 +- - src/racoon/openssl_compat.c | 213 ++++++++++++++++++++++++++++++++++++++++++++ - src/racoon/openssl_compat.h | 45 ++++++++++ - src/racoon/plainrsa-gen.c | 41 +++++---- - src/racoon/prsa_par.y | 28 ++++-- - src/racoon/rsalist.c | 5 +- - 12 files changed, 431 insertions(+), 127 deletions(-) - create mode 100644 src/racoon/openssl_compat.c - create mode 100644 src/racoon/openssl_compat.h - -diff --git a/src/racoon/Makefile.am b/src/racoon/Makefile.am -index dbaded9..4c585f3 100644 ---- a/src/racoon/Makefile.am -+++ b/src/racoon/Makefile.am -@@ -4,7 +4,7 @@ sbin_PROGRAMS = racoon racoonctl plainrsa-gen - noinst_PROGRAMS = eaytest - include_racoon_HEADERS = racoonctl.h var.h vmbuf.h misc.h gcmalloc.h admin.h \ - schedule.h sockmisc.h isakmp_var.h isakmp.h isakmp_xauth.h \ -- isakmp_cfg.h isakmp_unity.h ipsec_doi.h evt.h -+ isakmp_cfg.h isakmp_unity.h ipsec_doi.h evt.h openssl_compat.h - lib_LTLIBRARIES = libracoon.la - - adminsockdir=${localstatedir}/racoon -@@ -32,7 +32,7 @@ racoon_SOURCES = \ - 
gssapi.c dnssec.c getcertsbyname.c privsep.c \ - pfkey.c admin.c evt.c ipsec_doi.c oakley.c grabmyaddr.c vendorid.c \ - policy.c localconf.c remoteconf.c crypto_openssl.c algorithm.c \ -- proposal.c sainfo.c strnames.c \ -+ openssl_compat.c proposal.c sainfo.c strnames.c \ - plog.c logger.c schedule.c str2val.c \ - safefile.c backupsa.c genlist.c rsalist.c \ - cftoken.l cfparse.y prsa_tok.l prsa_par.y -@@ -51,12 +51,12 @@ libracoon_la_SOURCES = kmpstat.c vmbuf.c sockmisc.c misc.c - libracoon_la_CFLAGS = -DNOUSE_PRIVSEP $(AM_CFLAGS) - - plainrsa_gen_SOURCES = plainrsa-gen.c plog.c \ -- crypto_openssl.c logger.c -+ crypto_openssl.c logger.c openssl_compat.c - EXTRA_plainrsa_gen_SOURCES = $(MISSING_ALGOS) - plainrsa_gen_LDADD = $(CRYPTOBJS) vmbuf.o misc.o - plainrsa_gen_DEPENDENCIES = $(CRYPTOBJS) vmbuf.o misc.o - --eaytest_SOURCES = eaytest.c plog.c logger.c -+eaytest_SOURCES = eaytest.c plog.c logger.c openssl_compat.c - EXTRA_eaytest_SOURCES = missing/crypto/sha2/sha2.c - eaytest_LDADD = crypto_openssl_test.o vmbuf.o str2val.o misc_noplog.o \ - $(CRYPTOBJS) -@@ -75,7 +75,7 @@ noinst_HEADERS = \ - debugrm.h isakmp.h misc.h sainfo.h \ - dhgroup.h isakmp_agg.h netdb_dnssec.h schedule.h \ - isakmp_cfg.h isakmp_xauth.h isakmp_unity.h isakmp_frag.h \ -- throttle.h privsep.h \ -+ throttle.h privsep.h openssl_compat.h \ - cfparse_proto.h cftoken_proto.h genlist.h rsalist.h \ - missing/crypto/sha2/sha2.h missing/crypto/rijndael/rijndael_local.h \ - missing/crypto/rijndael/rijndael-api-fst.h \ -diff --git a/src/racoon/algorithm.c b/src/racoon/algorithm.c -index 3fd50f6..66c874b 100644 ---- a/src/racoon/algorithm.c -+++ b/src/racoon/algorithm.c -@@ -128,7 +128,7 @@ static struct enc_algorithm oakley_encdef[] = { - { "aes", algtype_aes, OAKLEY_ATTR_ENC_ALG_AES, 16, - eay_aes_encrypt, eay_aes_decrypt, - eay_aes_weakkey, eay_aes_keylen, }, --#ifdef HAVE_OPENSSL_CAMELLIA_H -+#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! 
defined(OPENSSL_NO_CAMELLIA) - { "camellia", algtype_camellia, OAKLEY_ATTR_ENC_ALG_CAMELLIA, 16, - eay_camellia_encrypt, eay_camellia_decrypt, - eay_camellia_weakkey, eay_camellia_keylen, }, -@@ -168,7 +168,7 @@ static struct enc_algorithm ipsec_encdef[] = { - { "twofish", algtype_twofish, IPSECDOI_ESP_TWOFISH, 16, - NULL, NULL, - NULL, eay_twofish_keylen, }, --#ifdef HAVE_OPENSSL_IDEA_H -+#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA) - { "3idea", algtype_3idea, IPSECDOI_ESP_3IDEA, 8, - NULL, NULL, - NULL, NULL, }, -@@ -179,7 +179,7 @@ static struct enc_algorithm ipsec_encdef[] = { - { "rc4", algtype_rc4, IPSECDOI_ESP_RC4, 8, - NULL, NULL, - NULL, NULL, }, --#ifdef HAVE_OPENSSL_CAMELLIA_H -+#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA) - { "camellia", algtype_camellia, IPSECDOI_ESP_CAMELLIA, 16, - NULL, NULL, - NULL, eay_camellia_keylen, }, -diff --git a/src/racoon/cfparse.y b/src/racoon/cfparse.y -index 0d9bd67..8415752 100644 ---- a/src/racoon/cfparse.y -+++ b/src/racoon/cfparse.y -@@ -2564,7 +2564,7 @@ set_isakmp_proposal(rmconf) - plog(LLV_DEBUG2, LOCATION, NULL, - "encklen=%d\n", s->encklen); - -- memset(types, 0, ARRAYLEN(types)); -+ memset(types, 0, sizeof types); - types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc]; - types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash]; - types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh]; -diff --git a/src/racoon/crypto_openssl.c b/src/racoon/crypto_openssl.c -index 55b076a..8fb358f 100644 ---- a/src/racoon/crypto_openssl.c -+++ b/src/racoon/crypto_openssl.c -@@ -90,6 +90,7 @@ - #endif - #endif - #include "plog.h" -+#include "openssl_compat.h" - - #define USE_NEW_DES_API - -@@ -316,9 +317,12 @@ eay_cmp_asn1dn(n1, n2) - i = idx+1; - goto end; - } -- if ((ea->value->length == 1 && ea->value->data[0] == '*') || -- (eb->value->length == 1 && eb->value->data[0] == '*')) { -- if (OBJ_cmp(ea->object,eb->object)) { -+ ASN1_STRING *sa = 
X509_NAME_ENTRY_get_data(ea); -+ ASN1_STRING *sb = X509_NAME_ENTRY_get_data(eb); -+ if ((ASN1_STRING_length(sa) == 1 && ASN1_STRING_get0_data(sa)[0] == '*') || -+ (ASN1_STRING_length(sb) == 1 && ASN1_STRING_get0_data(sb)[0] == '*')) { -+ if (OBJ_cmp(X509_NAME_ENTRY_get_object(ea), -+ X509_NAME_ENTRY_get_object(eb))) { - i = idx+1; - goto end; - } -@@ -430,7 +434,7 @@ cb_check_cert_local(ok, ctx) - - if (!ok) { - X509_NAME_oneline( -- X509_get_subject_name(ctx->current_cert), -+ X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)), - buf, - 256); - /* -@@ -438,7 +442,8 @@ cb_check_cert_local(ok, ctx) - * ok if they are self signed. But we should still warn - * the user. - */ -- switch (ctx->error) { -+ int ctx_error = X509_STORE_CTX_get_error(ctx); -+ switch (ctx_error) { - case X509_V_ERR_CERT_HAS_EXPIRED: - case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: - case X509_V_ERR_INVALID_CA: -@@ -453,9 +458,9 @@ cb_check_cert_local(ok, ctx) - } - plog(log_tag, LOCATION, NULL, - "%s(%d) at depth:%d SubjectName:%s\n", -- X509_verify_cert_error_string(ctx->error), -- ctx->error, -- ctx->error_depth, -+ X509_verify_cert_error_string(ctx_error), -+ ctx_error, -+ X509_STORE_CTX_get_error_depth(ctx), - buf); - } - ERR_clear_error(); -@@ -477,10 +482,11 @@ cb_check_cert_remote(ok, ctx) - - if (!ok) { - X509_NAME_oneline( -- X509_get_subject_name(ctx->current_cert), -+ X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)), - buf, - 256); -- switch (ctx->error) { -+ int ctx_error=X509_STORE_CTX_get_error(ctx); -+ switch (ctx_error) { - case X509_V_ERR_UNABLE_TO_GET_CRL: - ok = 1; - log_tag = LLV_WARNING; -@@ -490,9 +496,9 @@ cb_check_cert_remote(ok, ctx) - } - plog(log_tag, LOCATION, NULL, - "%s(%d) at depth:%d SubjectName:%s\n", -- X509_verify_cert_error_string(ctx->error), -- ctx->error, -- ctx->error_depth, -+ X509_verify_cert_error_string(ctx_error), -+ ctx_error, -+ X509_STORE_CTX_get_error_depth(ctx), - buf); - } - ERR_clear_error(); -@@ -516,14 +522,15 @@ 
eay_get_x509asn1subjectname(cert) - if (x509 == NULL) - goto error; - -+ X509_NAME *subject_name = X509_get_subject_name(x509); - /* get the length of the name */ -- len = i2d_X509_NAME(x509->cert_info->subject, NULL); -+ len = i2d_X509_NAME(subject_name, NULL); - name = vmalloc(len); - if (!name) - goto error; - /* get the name */ - bp = (unsigned char *) name->v; -- len = i2d_X509_NAME(x509->cert_info->subject, &bp); -+ len = i2d_X509_NAME(subject_name, &bp); - - X509_free(x509); - -@@ -661,15 +668,16 @@ eay_get_x509asn1issuername(cert) - if (x509 == NULL) - goto error; - -+ X509_NAME *issuer_name = X509_get_issuer_name(x509); - /* get the length of the name */ -- len = i2d_X509_NAME(x509->cert_info->issuer, NULL); -+ len = i2d_X509_NAME(issuer_name, NULL); - name = vmalloc(len); - if (name == NULL) - goto error; - - /* get the name */ - bp = (unsigned char *) name->v; -- len = i2d_X509_NAME(x509->cert_info->issuer, &bp); -+ len = i2d_X509_NAME(issuer_name, &bp); - - X509_free(x509); - -@@ -850,7 +858,7 @@ eay_check_x509sign(source, sig, cert) - return -1; - } - -- res = eay_rsa_verify(source, sig, evp->pkey.rsa); -+ res = eay_rsa_verify(source, sig, EVP_PKEY_get0_RSA(evp)); - - EVP_PKEY_free(evp); - X509_free(x509); -@@ -992,7 +1000,7 @@ eay_get_x509sign(src, privkey) - if (evp == NULL) - return NULL; - -- sig = eay_rsa_sign(src, evp->pkey.rsa); -+ sig = eay_rsa_sign(src, EVP_PKEY_get0_RSA(evp)); - - EVP_PKEY_free(evp); - -@@ -1079,7 +1087,11 @@ eay_strerror() - int line, flags; - unsigned long es; - -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+ es = 0; /* even when allowed by OPENSSL_API_COMPAT, it is defined as 0 */ -+#else - es = CRYPTO_thread_id(); -+#endif - - while ((l = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0){ - n = snprintf(ebuf + len, sizeof(ebuf) - len, -@@ -1100,7 +1112,7 @@ vchar_t * - evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc) - { - vchar_t *res; -- EVP_CIPHER_CTX ctx; -+ EVP_CIPHER_CTX 
*ctx; - - if (!e) - return NULL; -@@ -1111,7 +1123,7 @@ evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc - if ((res = vmalloc(data->l)) == NULL) - return NULL; - -- EVP_CIPHER_CTX_init(&ctx); -+ ctx = EVP_CIPHER_CTX_new(); - - switch(EVP_CIPHER_nid(e)){ - case NID_bf_cbc: -@@ -1125,54 +1137,41 @@ evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc - /* XXX: can we do that also for algos with a fixed key size ? - */ - /* init context without key/iv -- */ -- if (!EVP_CipherInit(&ctx, e, NULL, NULL, enc)) -- { -- OpenSSL_BUG(); -- vfree(res); -- return NULL; -- } -+ */ -+ if (!EVP_CipherInit(ctx, e, NULL, NULL, enc)) -+ goto out; - -- /* update key size -- */ -- if (!EVP_CIPHER_CTX_set_key_length(&ctx, key->l)) -- { -- OpenSSL_BUG(); -- vfree(res); -- return NULL; -- } -- -- /* finalize context init with desired key size -- */ -- if (!EVP_CipherInit(&ctx, NULL, (u_char *) key->v, -+ /* update key size -+ */ -+ if (!EVP_CIPHER_CTX_set_key_length(ctx, key->l)) -+ goto out; -+ -+ /* finalize context init with desired key size -+ */ -+ if (!EVP_CipherInit(ctx, NULL, (u_char *) key->v, - (u_char *) iv->v, enc)) -- { -- OpenSSL_BUG(); -- vfree(res); -- return NULL; -- } -+ goto out; - break; - default: -- if (!EVP_CipherInit(&ctx, e, (u_char *) key->v, -- (u_char *) iv->v, enc)) { -- OpenSSL_BUG(); -- vfree(res); -- return NULL; -- } -+ if (!EVP_CipherInit(ctx, e, (u_char *) key->v, -+ (u_char *) iv->v, enc)) -+ goto out; - } - - /* disable openssl padding */ -- EVP_CIPHER_CTX_set_padding(&ctx, 0); -+ EVP_CIPHER_CTX_set_padding(ctx, 0); - -- if (!EVP_Cipher(&ctx, (u_char *) res->v, (u_char *) data->v, data->l)) { -- OpenSSL_BUG(); -- vfree(res); -- return NULL; -- } -+ if (!EVP_Cipher(ctx, (u_char *) res->v, (u_char *) data->v, data->l)) -+ goto out; - -- EVP_CIPHER_CTX_cleanup(&ctx); -+ EVP_CIPHER_CTX_free(ctx); - - return res; -+out: -+ EVP_CIPHER_CTX_free(ctx); -+ OpenSSL_BUG(); -+ vfree(res); -+ return NULL; - 
} - - int -@@ -1230,7 +1229,7 @@ eay_des_keylen(len) - return evp_keylen(len, EVP_des_cbc()); - } - --#ifdef HAVE_OPENSSL_IDEA_H -+#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA) - /* - * IDEA-CBC - */ -@@ -1587,7 +1586,7 @@ eay_aes_keylen(len) - return len; - } - --#if defined(HAVE_OPENSSL_CAMELLIA_H) -+#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA) - /* - * CAMELLIA-CBC - */ -@@ -1680,9 +1679,9 @@ eay_hmac_init(key, md) - vchar_t *key; - const EVP_MD *md; - { -- HMAC_CTX *c = racoon_malloc(sizeof(*c)); -+ HMAC_CTX *c = HMAC_CTX_new(); - -- HMAC_Init(c, key->v, key->l, md); -+ HMAC_Init_ex(c, key->v, key->l, md, NULL); - - return (caddr_t)c; - } -@@ -1761,8 +1760,7 @@ eay_hmacsha2_512_final(c) - - HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l); - res->l = l; -- HMAC_cleanup((HMAC_CTX *)c); -- (void)racoon_free(c); -+ HMAC_CTX_free((HMAC_CTX *)c); - - if (SHA512_DIGEST_LENGTH != res->l) { - plog(LLV_ERROR, LOCATION, NULL, -@@ -1811,8 +1809,7 @@ eay_hmacsha2_384_final(c) - - HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l); - res->l = l; -- HMAC_cleanup((HMAC_CTX *)c); -- (void)racoon_free(c); -+ HMAC_CTX_free((HMAC_CTX *)c); - - if (SHA384_DIGEST_LENGTH != res->l) { - plog(LLV_ERROR, LOCATION, NULL, -@@ -1861,8 +1858,7 @@ eay_hmacsha2_256_final(c) - - HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l); - res->l = l; -- HMAC_cleanup((HMAC_CTX *)c); -- (void)racoon_free(c); -+ HMAC_CTX_free((HMAC_CTX *)c); - - if (SHA256_DIGEST_LENGTH != res->l) { - plog(LLV_ERROR, LOCATION, NULL, -@@ -1912,8 +1908,7 @@ eay_hmacsha1_final(c) - - HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l); - res->l = l; -- HMAC_cleanup((HMAC_CTX *)c); -- (void)racoon_free(c); -+ HMAC_CTX_free((HMAC_CTX *)c); - - if (SHA_DIGEST_LENGTH != res->l) { - plog(LLV_ERROR, LOCATION, NULL, -@@ -1962,8 +1957,7 @@ eay_hmacmd5_final(c) - - HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l); - res->l = l; -- HMAC_cleanup((HMAC_CTX *)c); 
-- (void)racoon_free(c); -+ HMAC_CTX_free((HMAC_CTX *)c); - - if (MD5_DIGEST_LENGTH != res->l) { - plog(LLV_ERROR, LOCATION, NULL, -@@ -2266,6 +2260,7 @@ eay_dh_generate(prime, g, publen, pub, priv) - u_int32_t g; - { - BIGNUM *p = NULL; -+ BIGNUM *BNg = NULL; - DH *dh = NULL; - int error = -1; - -@@ -2276,25 +2271,28 @@ eay_dh_generate(prime, g, publen, pub, priv) - - if ((dh = DH_new()) == NULL) - goto end; -- dh->p = p; -- p = NULL; /* p is now part of dh structure */ -- dh->g = NULL; -- if ((dh->g = BN_new()) == NULL) -+ if ((BNg = BN_new()) == NULL) - goto end; -- if (!BN_set_word(dh->g, g)) -+ if (!BN_set_word(BNg, g)) - goto end; -+ if (! DH_set0_pqg(dh, p, NULL, BNg)) -+ goto end; -+ BNg = NULL; -+ p = NULL; /* p is now part of dh structure */ - - if (publen != 0) -- dh->length = publen; -+ DH_set_length(dh, publen); - - /* generate public and private number */ - if (!DH_generate_key(dh)) - goto end; - - /* copy results to buffers */ -- if (eay_bn2v(pub, dh->pub_key) < 0) -+ BIGNUM *pub_key, *priv_key; -+ DH_get0_key(dh, (const BIGNUM**) &pub_key, (const BIGNUM**) &priv_key); -+ if (eay_bn2v(pub, pub_key) < 0) - goto end; -- if (eay_bn2v(priv, dh->priv_key) < 0) { -+ if (eay_bn2v(priv, priv_key) < 0) { - vfree(*pub); - goto end; - } -@@ -2306,6 +2304,8 @@ end: - DH_free(dh); - if (p != 0) - BN_free(p); -+ if (BNg != 0) -+ BN_free(BNg); - return(error); - } - -@@ -2319,6 +2319,10 @@ eay_dh_compute(prime, g, pub, priv, pub2, key) - int l; - unsigned char *v = NULL; - int error = -1; -+ BIGNUM *p = BN_new(); -+ BIGNUM *BNg = BN_new(); -+ BIGNUM *pub_key = BN_new(); -+ BIGNUM *priv_key = BN_new(); - - /* make public number to compute */ - if (eay_v2bn(&dh_pub, pub2) < 0) -@@ -2327,19 +2331,21 @@ eay_dh_compute(prime, g, pub, priv, pub2, key) - /* make DH structure */ - if ((dh = DH_new()) == NULL) - goto end; -- if (eay_v2bn(&dh->p, prime) < 0) -+ if (p == NULL || BNg == NULL || pub_key == NULL || priv_key == NULL) - goto end; -- if (eay_v2bn(&dh->pub_key, pub) 
< 0) -+ -+ if (eay_v2bn(&p, prime) < 0) - goto end; -- if (eay_v2bn(&dh->priv_key, priv) < 0) -+ if (eay_v2bn(&pub_key, pub) < 0) - goto end; -- dh->length = pub2->l * 8; -- -- dh->g = NULL; -- if ((dh->g = BN_new()) == NULL) -+ if (eay_v2bn(&priv_key, priv) < 0) - goto end; -- if (!BN_set_word(dh->g, g)) -+ if (!BN_set_word(BNg, g)) - goto end; -+ DH_set0_key(dh, pub_key, priv_key); -+ DH_set_length(dh, pub2->l * 8); -+ DH_set0_pqg(dh, p, NULL, BNg); -+ pub_key = priv_key = p = BNg = NULL; - - if ((v = racoon_calloc(prime->l, sizeof(u_char))) == NULL) - goto end; -@@ -2350,6 +2356,14 @@ eay_dh_compute(prime, g, pub, priv, pub2, key) - error = 0; - - end: -+ if (p != NULL) -+ BN_free(p); -+ if (BNg != NULL) -+ BN_free(BNg); -+ if (pub_key != NULL) -+ BN_free(pub_key); -+ if (priv_key != NULL) -+ BN_free(priv_key); - if (dh_pub != NULL) - BN_free(dh_pub); - if (dh != NULL) -@@ -2400,12 +2414,14 @@ eay_bn2v(var, bn) - void - eay_init() - { -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - OpenSSL_add_all_algorithms(); - ERR_load_crypto_strings(); - #ifdef HAVE_OPENSSL_ENGINE_H - ENGINE_load_builtin_engines(); - ENGINE_register_all_complete(); - #endif -+#endif - } - - vchar_t * -@@ -2504,8 +2520,7 @@ binbuf_pubkey2rsa(vchar_t *binbuf) - goto out; - } - -- rsa_pub->n = mod; -- rsa_pub->e = exp; -+ RSA_set0_key(rsa_pub, mod, exp, NULL); - - out: - return rsa_pub; -@@ -2582,5 +2597,5 @@ eay_random() - const char * - eay_version() - { -- return SSLeay_version(SSLEAY_VERSION); -+ return OpenSSL_version(OPENSSL_VERSION); - } -diff --git a/src/racoon/crypto_openssl.h b/src/racoon/crypto_openssl.h -index 66fac73..ee5b765 100644 ---- a/src/racoon/crypto_openssl.h -+++ b/src/racoon/crypto_openssl.h -@@ -124,7 +124,7 @@ extern vchar_t *eay_aes_decrypt __P((vchar_t *, vchar_t *, vchar_t *)); - extern int eay_aes_weakkey __P((vchar_t *)); - extern int eay_aes_keylen __P((int)); - --#if defined(HAVE_OPENSSL_CAMELLIA_H) -+#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! 
defined(OPENSSL_NO_CAMELLIA) - /* Camellia */ - extern vchar_t *eay_camellia_encrypt __P((vchar_t *, vchar_t *, vchar_t *)); - extern vchar_t *eay_camellia_decrypt __P((vchar_t *, vchar_t *, vchar_t *)); -diff --git a/src/racoon/eaytest.c b/src/racoon/eaytest.c -index 1474bdc..ae09db3 100644 ---- a/src/racoon/eaytest.c -+++ b/src/racoon/eaytest.c -@@ -62,6 +62,7 @@ - #include "dhgroup.h" - #include "crypto_openssl.h" - #include "gnuc.h" -+#include "openssl_compat.h" - - #include "package_version.h" - -@@ -103,7 +104,7 @@ rsa_verify_with_pubkey(src, sig, pubkey_txt) - printf ("PEM_read_PUBKEY(): %s\n", eay_strerror()); - return -1; - } -- error = eay_check_rsasign(src, sig, evp->pkey.rsa); -+ error = eay_check_rsasign(src, sig, EVP_PKEY_get0_RSA(evp)); - - return error; - } -@@ -698,7 +699,7 @@ ciphertest(ac, av) - eay_cast_encrypt, eay_cast_decrypt) < 0) - return -1; - --#ifdef HAVE_OPENSSL_IDEA_H -+#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA) - if (ciphertest_1 ("IDEA", - &data, 8, - &key, key.l, -@@ -715,7 +716,7 @@ ciphertest(ac, av) - eay_rc5_encrypt, eay_rc5_decrypt) < 0) - return -1; - #endif --#if defined(HAVE_OPENSSL_CAMELLIA_H) -+#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA) - if (ciphertest_1 ("CAMELLIA", - &data, 16, - &key, key.l, -diff --git a/src/racoon/ipsec_doi.c b/src/racoon/ipsec_doi.c -index 84a4c71..b52469f 100644 ---- a/src/racoon/ipsec_doi.c -+++ b/src/racoon/ipsec_doi.c -@@ -715,7 +715,7 @@ out: - /* key length must not be specified on some algorithms */ - if (keylen) { - if (sa->enctype == OAKLEY_ATTR_ENC_ALG_DES --#ifdef HAVE_OPENSSL_IDEA_H -+#if defined(HAVE_OPENSSL_IDEA_H) && ! 
defined(OPENSSL_NO_IDEA)
- || sa->enctype == OAKLEY_ATTR_ENC_ALG_IDEA
- #endif
- || sa->enctype == OAKLEY_ATTR_ENC_ALG_3DES) {
-diff --git a/src/racoon/openssl_compat.c b/src/racoon/openssl_compat.c
-new file mode 100644
-index 0000000..864b5fb
---- /dev/null
-+++ b/src/racoon/openssl_compat.c
-@@ -0,0 +1,213 @@
-+/*
-+ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
-+ *
-+ * Licensed under the OpenSSL license (the "License"). You may not use
-+ * this file except in compliance with the License. You can obtain a copy
-+ * in the file LICENSE in the source distribution or at
-+ * https://www.openssl.org/source/license.html
-+ */
-+
-+#include "openssl_compat.h"
-+
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+
-+#include
-+
-+static void *OPENSSL_zalloc(size_t num)
-+{
-+ void *ret = OPENSSL_malloc(num);
-+
-+ if (ret != NULL)
-+ memset(ret, 0, num);
-+ return ret;
-+}
-+
-+int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
-+{
-+ /* If the fields n and e in r are NULL, the corresponding input
-+ * parameters MUST be non-NULL for n and e. d may be
-+ * left NULL (in case only the public key is used).
-+ */
-+ if ((r->n == NULL && n == NULL)
-+ || (r->e == NULL && e == NULL))
-+ return 0;
-+
-+ if (n != NULL) {
-+ BN_free(r->n);
-+ r->n = n;
-+ }
-+ if (e != NULL) {
-+ BN_free(r->e);
-+ r->e = e;
-+ }
-+ if (d != NULL) {
-+ BN_free(r->d);
-+ r->d = d;
-+ }
-+
-+ return 1;
-+}
-+
-+int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
-+{
-+ /* If the fields p and q in r are NULL, the corresponding input
-+ * parameters MUST be non-NULL. 
-+ */
-+ if ((r->p == NULL && p == NULL)
-+ || (r->q == NULL && q == NULL))
-+ return 0;
-+
-+ if (p != NULL) {
-+ BN_free(r->p);
-+ r->p = p;
-+ }
-+ if (q != NULL) {
-+ BN_free(r->q);
-+ r->q = q;
-+ }
-+
-+ return 1;
-+}
-+
-+int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
-+{
-+ /* If the fields dmp1, dmq1 and iqmp in r are NULL, the corresponding input
-+ * parameters MUST be non-NULL.
-+ */
-+ if ((r->dmp1 == NULL && dmp1 == NULL)
-+ || (r->dmq1 == NULL && dmq1 == NULL)
-+ || (r->iqmp == NULL && iqmp == NULL))
-+ return 0;
-+
-+ if (dmp1 != NULL) {
-+ BN_free(r->dmp1);
-+ r->dmp1 = dmp1;
-+ }
-+ if (dmq1 != NULL) {
-+ BN_free(r->dmq1);
-+ r->dmq1 = dmq1;
-+ }
-+ if (iqmp != NULL) {
-+ BN_free(r->iqmp);
-+ r->iqmp = iqmp;
-+ }
-+
-+ return 1;
-+}
-+
-+void RSA_get0_key(const RSA *r,
-+ const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
-+{
-+ if (n != NULL)
-+ *n = r->n;
-+ if (e != NULL)
-+ *e = r->e;
-+ if (d != NULL)
-+ *d = r->d;
-+}
-+
-+void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q)
-+{
-+ if (p != NULL)
-+ *p = r->p;
-+ if (q != NULL)
-+ *q = r->q;
-+}
-+
-+void RSA_get0_crt_params(const RSA *r,
-+ const BIGNUM **dmp1, const BIGNUM **dmq1,
-+ const BIGNUM **iqmp)
-+{
-+ if (dmp1 != NULL)
-+ *dmp1 = r->dmp1;
-+ if (dmq1 != NULL)
-+ *dmq1 = r->dmq1;
-+ if (iqmp != NULL)
-+ *iqmp = r->iqmp;
-+}
-+
-+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
-+{
-+ /* If the fields p and g in d are NULL, the corresponding input
-+ * parameters MUST be non-NULL. q may remain NULL. 
-+ */
-+ if ((dh->p == NULL && p == NULL)
-+ || (dh->g == NULL && g == NULL))
-+ return 0;
-+
-+ if (p != NULL) {
-+ BN_free(dh->p);
-+ dh->p = p;
-+ }
-+ if (q != NULL) {
-+ BN_free(dh->q);
-+ dh->q = q;
-+ }
-+ if (g != NULL) {
-+ BN_free(dh->g);
-+ dh->g = g;
-+ }
-+
-+ if (q != NULL) {
-+ dh->length = BN_num_bits(q);
-+ }
-+
-+ return 1;
-+}
-+
-+void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key)
-+{
-+ if (pub_key != NULL)
-+ *pub_key = dh->pub_key;
-+ if (priv_key != NULL)
-+ *priv_key = dh->priv_key;
-+}
-+
-+int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)
-+{
-+ /* If the field pub_key in dh is NULL, the corresponding input
-+ * parameters MUST be non-NULL. The priv_key field may
-+ * be left NULL.
-+ */
-+ if (dh->pub_key == NULL && pub_key == NULL)
-+ return 0;
-+
-+ if (pub_key != NULL) {
-+ BN_free(dh->pub_key);
-+ dh->pub_key = pub_key;
-+ }
-+ if (priv_key != NULL) {
-+ BN_free(dh->priv_key);
-+ dh->priv_key = priv_key;
-+ }
-+
-+ return 1;
-+}
-+
-+int DH_set_length(DH *dh, long length)
-+{
-+ dh->length = length;
-+ return 1;
-+}
-+
-+HMAC_CTX *HMAC_CTX_new(void)
-+{
-+ return OPENSSL_zalloc(sizeof(HMAC_CTX));
-+}
-+
-+void HMAC_CTX_free(HMAC_CTX *ctx)
-+{
-+ HMAC_CTX_cleanup(ctx);
-+ OPENSSL_free(ctx);
-+}
-+
-+RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
-+{
-+ if (pkey->type != EVP_PKEY_RSA) {
-+ return NULL;
-+ }
-+ return pkey->pkey.rsa;
-+}
-+
-+
-+#endif /* OPENSSL_VERSION_NUMBER */
-diff --git a/src/racoon/openssl_compat.h b/src/racoon/openssl_compat.h
-new file mode 100644
-index 0000000..9e152c2
---- /dev/null
-+++ b/src/racoon/openssl_compat.h
-@@ -0,0 +1,45 @@
-+#ifndef OPENSSL_COMPAT_H
-+#define OPENSSL_COMPAT_H
-+
-+#include
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+
-+#include
-+#include
-+#include
-+#include
-+
-+int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
-+int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q);
-+int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM 
*iqmp);
-+void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d);
-+void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q);
-+void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, const BIGNUM **iqmp);
-+
-+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
-+void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key);
-+int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key);
-+int DH_set_length(DH *dh, long length);
-+
-+HMAC_CTX *HMAC_CTX_new(void);
-+void HMAC_CTX_free(HMAC_CTX* ctx);
-+
-+RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey);
-+
-+#define ASN1_STRING_length(s) s->length
-+#define ASN1_STRING_get0_data(s) s->data
-+
-+#define X509_get_subject_name(x) x->cert_info->subject
-+#define X509_get_issuer_name(x) x->cert_info->issuer
-+#define X509_NAME_ENTRY_get_data(n) n->value
-+#define X509_NAME_ENTRY_get_object(n) n->object
-+#define X509_STORE_CTX_get_current_cert(ctx) ctx->current_cert
-+#define X509_STORE_CTX_get_error(ctx) ctx->error
-+#define X509_STORE_CTX_get_error_depth(ctx) ctx->error_depth
-+
-+#define OPENSSL_VERSION SSLEAY_VERSION
-+#define OpenSSL_version SSLeay_version
-+
-+#endif /* OPENSSL_VERSION_NUMBER */
-+
-+#endif /* OPENSSL_COMPAT_H */
-diff --git a/src/racoon/plainrsa-gen.c b/src/racoon/plainrsa-gen.c
-index cad1861..b949b08 100644
---- a/src/racoon/plainrsa-gen.c
-+++ b/src/racoon/plainrsa-gen.c
-@@ -60,6 +60,7 @@
- #include "vmbuf.h"
- #include "plog.h"
- #include "crypto_openssl.h"
-+#include "openssl_compat.h"
- 
- #include "package_version.h"
- 
-@@ -90,12 +91,14 @@ mix_b64_pubkey(const RSA *key)
- char *binbuf;
- long binlen, ret;
- vchar_t *res;
--
-- binlen = 1 + BN_num_bytes(key->e) + BN_num_bytes(key->n);
-+ const BIGNUM *e, *n;
-+
-+ RSA_get0_key(key, &n, &e, NULL);
-+ binlen = 1 + BN_num_bytes(e) + BN_num_bytes(n);
- binbuf = malloc(binlen);
- memset(binbuf, 0, binlen);
-- binbuf[0] = BN_bn2bin(key->e, (unsigned char *) 
&binbuf[1]);
-- ret = BN_bn2bin(key->n, (unsigned char *) (&binbuf[binbuf[0] + 1]));
-+ binbuf[0] = BN_bn2bin(e, (unsigned char *) &binbuf[1]);
-+ ret = BN_bn2bin(n, (unsigned char *) (&binbuf[binbuf[0] + 1]));
- if (1 + binbuf[0] + ret != binlen) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Pubkey generation failed. This is really strange...\n");
-@@ -131,16 +134,20 @@ print_rsa_key(FILE *fp, const RSA *key)
- 
- fprintf(fp, "# : PUB 0s%s\n", pubkey64->v);
- fprintf(fp, ": RSA\t{\n");
-- fprintf(fp, "\t# RSA %d bits\n", BN_num_bits(key->n));
-+ const BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp;
-+ RSA_get0_key(key, &n, &e, &d);
-+ RSA_get0_factors(key, &p, &q);
-+ RSA_get0_crt_params(key, &dmp1, &dmq1, &iqmp);
-+ fprintf(fp, "\t# RSA %d bits\n", BN_num_bits(n));
- fprintf(fp, "\t# pubkey=0s%s\n", pubkey64->v);
-- fprintf(fp, "\tModulus: 0x%s\n", lowercase(BN_bn2hex(key->n)));
-- fprintf(fp, "\tPublicExponent: 0x%s\n", lowercase(BN_bn2hex(key->e)));
-- fprintf(fp, "\tPrivateExponent: 0x%s\n", lowercase(BN_bn2hex(key->d)));
-- fprintf(fp, "\tPrime1: 0x%s\n", lowercase(BN_bn2hex(key->p)));
-- fprintf(fp, "\tPrime2: 0x%s\n", lowercase(BN_bn2hex(key->q)));
-- fprintf(fp, "\tExponent1: 0x%s\n", lowercase(BN_bn2hex(key->dmp1)));
-- fprintf(fp, "\tExponent2: 0x%s\n", lowercase(BN_bn2hex(key->dmq1)));
-- fprintf(fp, "\tCoefficient: 0x%s\n", lowercase(BN_bn2hex(key->iqmp)));
-+ fprintf(fp, "\tModulus: 0x%s\n", lowercase(BN_bn2hex(n)));
-+ fprintf(fp, "\tPublicExponent: 0x%s\n", lowercase(BN_bn2hex(e)));
-+ fprintf(fp, "\tPrivateExponent: 0x%s\n", lowercase(BN_bn2hex(d)));
-+ fprintf(fp, "\tPrime1: 0x%s\n", lowercase(BN_bn2hex(p)));
-+ fprintf(fp, "\tPrime2: 0x%s\n", lowercase(BN_bn2hex(q)));
-+ fprintf(fp, "\tExponent1: 0x%s\n", lowercase(BN_bn2hex(dmp1)));
-+ fprintf(fp, "\tExponent2: 0x%s\n", lowercase(BN_bn2hex(dmq1)));
-+ fprintf(fp, "\tCoefficient: 0x%s\n", lowercase(BN_bn2hex(iqmp)));
- fprintf(fp, " }\n");
- 
- vfree(pubkey64);
-@@ -203,11 +210,13 @@ int
- 
gen_rsa_key(FILE *fp, size_t bits, unsigned long exp)
- {
- int ret;
-- RSA *key;
-+ RSA *key = RSA_new();
-+ BIGNUM *e = BN_new();
- 
-- key = RSA_generate_key(bits, exp, NULL, NULL);
-- if (!key) {
-+ BN_set_word(e, exp);
-+ if (! RSA_generate_key_ex(key, bits, e, NULL)) {
- fprintf(stderr, "RSA_generate_key(): %s\n", eay_strerror());
-+ RSA_free(key);
- return -1;
- }
- 
-diff --git a/src/racoon/prsa_par.y b/src/racoon/prsa_par.y
-index 1987e4d..27ce4c6 100644
---- a/src/racoon/prsa_par.y
-+++ b/src/racoon/prsa_par.y
-@@ -68,6 +68,7 @@
- #include "isakmp_var.h"
- #include "handler.h"
- #include "crypto_openssl.h"
-+#include "openssl_compat.h"
- #include "sockmisc.h"
- #include "rsalist.h"
- 
-@@ -85,7 +86,18 @@ char *prsa_cur_fname = NULL;
- struct genlist *prsa_cur_list = NULL;
- enum rsa_key_type prsa_cur_type = RSA_TYPE_ANY;
- 
--static RSA *rsa_cur;
-+struct my_rsa_st {
-+ BIGNUM *n;
-+ BIGNUM *e;
-+ BIGNUM *d;
-+ BIGNUM *p;
-+ BIGNUM *q;
-+ BIGNUM *dmp1;
-+ BIGNUM *dmq1;
-+ BIGNUM *iqmp;
-+};
-+
-+static struct my_rsa_st *rsa_cur;
- 
- void
- prsaerror(const char *s, ...) 
-@@ -201,8 +213,12 @@ rsa_statement:
- rsa_cur->iqmp = NULL;
- }
- }
-- $$ = rsa_cur;
-- rsa_cur = RSA_new();
-+ RSA * rsa_tmp = RSA_new();
-+ RSA_set0_key(rsa_tmp, rsa_cur->n, rsa_cur->e, rsa_cur->d);
-+ RSA_set0_factors(rsa_tmp, rsa_cur->p, rsa_cur->q);
-+ RSA_set0_crt_params(rsa_tmp, rsa_cur->dmp1, rsa_cur->dmq1, rsa_cur->iqmp);
-+ $$ = rsa_tmp;
-+ memset(rsa_cur, 0, sizeof(struct my_rsa_st));
- }
- | TAG_PUB BASE64
- {
-@@ -351,10 +367,12 @@ prsa_parse_file(struct genlist *list, char *fname, enum rsa_key_type type)
- prsa_cur_fname = fname;
- prsa_cur_list = list;
- prsa_cur_type = type;
-- rsa_cur = RSA_new();
-+ rsa_cur = malloc(sizeof(struct my_rsa_st));
-+ memset(rsa_cur, 0, sizeof(struct my_rsa_st));
- ret = prsaparse();
- if (rsa_cur) {
-- RSA_free(rsa_cur);
-+ memset(rsa_cur, 0, sizeof(struct my_rsa_st));
-+ free(rsa_cur);
- rsa_cur = NULL;
- }
- fclose (fp);
-diff --git a/src/racoon/rsalist.c b/src/racoon/rsalist.c
-index f152c82..96e8363 100644
---- a/src/racoon/rsalist.c
-+++ b/src/racoon/rsalist.c
-@@ -52,6 +52,7 @@
- #include "genlist.h"
- #include "remoteconf.h"
- #include "crypto_openssl.h"
-+#include "openssl_compat.h"
- 
- #ifndef LIST_FIRST
- #define LIST_FIRST(head) ((head)->lh_first)
-@@ -98,7 +99,9 @@ rsa_key_dup(struct rsa_key *key)
- return NULL;
- 
- if (key->rsa) {
-- new->rsa = key->rsa->d != NULL ? RSAPrivateKey_dup(key->rsa) : RSAPublicKey_dup(key->rsa);
-+ const BIGNUM *d;
-+ RSA_get0_key(key->rsa, NULL, NULL, &d);
-+ new->rsa = (d != NULL ? RSAPrivateKey_dup(key->rsa) : RSAPublicKey_dup(key->rsa));
- if (new->rsa == NULL)
- goto dup_error;
- }
---
-2.16.1
-
diff --git a/net/ipsec-tools/patches/020-openssl-deprecated.patch b/net/ipsec-tools/patches/020-openssl-deprecated.patch
deleted file mode 100644
index 3c2cca12f..000000000
--- a/net/ipsec-tools/patches/020-openssl-deprecated.patch
+++ /dev/null
@@ -1,21 +0,0 @@
---- a/src/racoon/crypto_openssl.c
-+++ b/src/racoon/crypto_openssl.c
-@@ -1087,7 +1087,7 @@ eay_strerror()
- int line, flags;
- unsigned long es;
- 
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
- es = 0; /* even when allowed by OPENSSL_API_COMPAT, it is defined as 0 */
- #else
- es = CRYPTO_thread_id();
---- a/src/racoon/openssl_compat.h
-+++ b/src/racoon/openssl_compat.h
-@@ -5,6 +5,7 @@
- #if OPENSSL_VERSION_NUMBER < 0x10100000L
- 
- #include
-+#include
- #include
- #include
- #include