+++ /dev/null
-#
-# Copyright (C) 2006-2015 OpenWrt.org
-# 2014 Noah Meyerhans <frodo@morgul.net>
-#
-# This is free software, licensed under the GNU General Public License v2.
-# See /LICENSE for more information.
-#
-
-include $(TOPDIR)/rules.mk
-include $(INCLUDE_DIR)/kernel.mk
-
-PKG_NAME:=ipsec-tools
-PKG_VERSION:=0.8.2
-PKG_RELEASE:=9
-PKG_MAINTAINER:=Noah Meyerhans <frodo@morgul.net>, \
- Vitaly Protsko <villy@sft.ru>
-PKG_LICENSE := BSD-3-Clause
-
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
-PKG_SOURCE_URL:=@SF/ipsec-tools
-PKG_HASH:=8eb6b38716e2f3a8a72f1f549c9444c2bc28d52c9536792690564c74fe722f2d
-
-PKG_BUILD_PARALLEL:=1
-PKG_INSTALL:=1
-
-PKG_FIXUP:=autoreconf
-
-include $(INCLUDE_DIR)/package.mk
-
-define Package/ipsec-tools
- SECTION:=net
- CATEGORY:=Network
- SUBMENU:=VPN
- DEPENDS:=+libopenssl +kmod-ipsec
- TITLE:=IPsec management tools
- URL:=http://ipsec-tools.sourceforge.net/
- MAINTAINER:=Noah Meyerhans <frodo@morgul.net>
-endef
-
-CONFIGURE_ARGS += \
- --enable-shared \
- --enable-static \
- --with-kernel-headers="$(LINUX_DIR)/include" \
- --without-readline \
- --with-openssl="$(STAGING_DIR)/usr" \
- --without-libradius \
- --without-libpam \
- --enable-dpd \
- --enable-hybrid \
- --enable-security-context=no \
- --enable-natt \
- --enable-adminport \
- --enable-frag \
- $(call autoconf_bool,CONFIG_IPV6,ipv6)
-
-# override CFLAGS holding "-Werror" that break builds on compile warnings
-MAKE_FLAGS+=\
- CFLAGS="$(TARGET_CFLAGS) $(EXTRA_CFLAGS) $(TARGET_CPPFLAGS) $(EXTRA_CPPFLAGS)"
-
-define Build/Prepare
- $(call Build/Prepare/Default)
- chmod -R u+w $(PKG_BUILD_DIR)
-endef
-
-define Build/Configure
- (cd $(PKG_BUILD_DIR); touch \
- configure.ac \
- aclocal.m4 \
- Makefile.in \
- config.h.in \
- configure \
- );
- $(call Build/Configure/Default)
-ifndef CONFIG_SHADOW_PASSWORDS
- echo "#undef HAVE_SHADOW_H" >> $(PKG_BUILD_DIR)/config.h
-endif
-endef
-
-define Package/ipsec-tools/install
- $(INSTALL_DIR) $(1)/etc/racoon
- $(INSTALL_CONF) ./files/functions.sh $(1)/etc/racoon/
- $(INSTALL_BIN) ./files/p1client-up $(1)/etc/racoon/
- $(INSTALL_BIN) ./files/p1client-down $(1)/etc/racoon/
- $(INSTALL_BIN) ./files/vpnctl $(1)/etc/racoon/
- $(INSTALL_DIR) $(1)/etc/init.d
- $(INSTALL_BIN) ./files/racoon.init $(1)/etc/init.d/racoon
- $(INSTALL_DIR) $(1)/etc/config
- $(INSTALL_CONF) ./files/racoon $(1)/etc/config/
- $(INSTALL_DIR) $(1)/usr/lib
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/libipsec.so.* $(1)/usr/lib/
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/libracoon.so.* $(1)/usr/lib/
- $(INSTALL_DIR) $(1)/usr/sbin
- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/plainrsa-gen $(1)/usr/sbin/
- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/racoon $(1)/usr/sbin/
- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/racoonctl $(1)/usr/sbin/
- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/setkey $(1)/usr/sbin/
-endef
-
-define Package/ipsec-tools/conffiles
-/etc/config/racoon
-endef
-
-$(eval $(call BuildPackage,ipsec-tools))
+++ /dev/null
-#!/bin/sh
-#
-# Copyright (C) 2015 Vitaly Protsko <villy@sft.ru>
-
-errno=0
-
-get_fieldval() {
- local __data="$3"
- local __rest
-
- test -z "$1" && return
-
- while true ; do
- __rest=${__data#* }
- test "$__rest" = "$__data" && break
-
- if [ "${__data/ *}" = "$2" ]; then
- eval "$1=${__rest/ *}"
- break
- fi
-
- __data="$__rest"
- done
-}
-
-manage_fw() {
- local cmd=/usr/sbin/iptables
- local mode
- local item
-
- if [ -z "$4" ]; then
- $log "Bad usage of manage_fw"
- errno=3; return 3
- fi
-
- case "$1" in
- add|up|1) mode=A ;;
- del|down|0) mode=D ;;
- *) return 3 ;;
- esac
-
- for item in $4 ; do
- $cmd -$mode forwarding_$2_rule -s $item -j ACCEPT
- $cmd -$mode output_$3_rule -d $item -j ACCEPT
- $cmd -$mode forwarding_$3_rule -d $item -j ACCEPT
- $cmd -t nat -$mode postrouting_$3_rule -d $item -j ACCEPT
- done
-}
-
-manage_sa() {
- local spdcmd
- local rtcmd
- local gate
- local litem
- local ritem
-
- if [ -z "$4" ]; then
- $log "Bad usage of manage_sa"
- errno=3; return 3
- fi
-
- case "$1" in
- add|up|1) spdcmd=add; rtcmd=add ;;
- del|down|0) spdcmd=delete; rtcmd=del ;;
- *) errno=3; return 3 ;;
- esac
-
- get_fieldval gate src "$(/usr/sbin/ip route get $4)"
- if [ -z "$gate" ]; then
- $log "Can not find outbound IP for $4"
- errno=3; return 3
- fi
-
-
- for litem in $2 ; do
- for ritem in $3 ; do
- echo "
-spd$spdcmd $litem $ritem any -P out ipsec esp/tunnel/$gate-$4/require;
-spd$spdcmd $ritem $litem any -P in ipsec esp/tunnel/$4-$gate/require;
-" | /usr/sbin/setkey -c 1>&2
- done
- done
-
- test -n "$5" && gate=$5
-
- for ritem in $3 ; do
- (sleep 3; /usr/sbin/ip route $rtcmd $ritem via $gate) &
- done
-}
-
-manage_nonesa() {
- local spdcmd
- local item
- local cout cin
-
- if [ -z "$4" ]; then
- $log "Bad usage of manage_nonesa"
- errno=3; return 3
- fi
-
- case "$1" in
- add|up|1) spdcmd=add ;;
- del|down|0) spdcmd=delete ;;
- *) errno=3; return 3 ;;
- esac
-
- case "$2" in
- local|remote) ;;
- *) errno=3; return 3 ;;
- esac
-
- for item in $3 ; do
- if [ "$2" = "local" ]; then
- cout="$4 $item"
- cin="$item $4"
- else
- cout="$item $4"
- cin="$4 $item"
- fi
- echo "
-spd$spdcmd $cout any -P out none;
-spd$spdcmd $cin any -P in none;
-" | /usr/sbin/setkey -c 1>&2
- done
-}
-
-. /lib/functions/network.sh
-
-get_zoneiflist() {
- local item
- local data
- local addr
-
- item=0
- data=$(uci get firewall.@zone[0].name)
- while [ -n "$data" ]; do
- test "$data" = "$1" && break
- let "item=$item+1"
- data=$(uci get firewall.@zone[$item].name)
- done
-
- if [ -z "$data" ]; then
- errno=1
- return $errno
- fi
- data=$(uci get firewall.@zone[$item].network)
-
- echo "$data"
-}
-
-get_zoneiplist() {
- local item
- local addr
- local data
- local result
-
- data=$(get_zoneiflist $1)
- test $? -gt 0 -o $errno -gt 0 -o -z "$data" && return $errno
-
- for item in $data ; do
- if network_is_up $item ; then
- network_get_ipaddrs addr $item
- test $? -eq 0 && result="$result $addr"
- fi
- done
-
- result=$(echo $result)
- echo "$result"
-}
-
-
-# EOF /etc/racoon/functions.sh
+++ /dev/null
-#!/bin/sh
-#
-
-log="logger -t p1client-down[$$]"
-
-. /lib/functions.sh
-. /etc/racoon/functions.sh
-
-if [ -z "$SPLIT_INCLUDE_CIDR" ]; then
- $log "Connection without server-pushed routing is not supported"
- exit 1
-fi
-
-$log "Shutting down tunnel to server $REMOTE_ADDR"
-$log "Closing tunnel(-s) to $SPLIT_INCLUDE_CIDR through $INTERNAL_ADDR4"
-
-config_load racoon
-config_get confIntZone racoon int_zone lan
-config_get confExtZone racoon ext_zone wan
-
-manage_fw del $confIntZone $confExtZone "$INTERNAL_ADDR4 $SPLIT_INCLUDE_CIDR"
-
-data=$(get_zoneiflist $confIntZone)
-if [ -n "$data" ]; then
- for item in $data ; do
- network_get_subnet locnet $item
- if [ -n "$locnet" ]; then
- manage_sa del "$locnet" "$SPLIT_INCLUDE_CIDR" $REMOTE_ADDR $INTERNAL_ADDR4
- else
- $log "Can not find subnet on interface $item"
- fi
- done
-else
- $log "Can not find subnets in zone $confIntZone"
-fi
-
-get_fieldval data dev "$(/usr/sbin/ip route get $REMOTE_ADDR)"
-ip address del $INTERNAL_ADDR4/32 dev $data
-
-
-# EOF /etc/racoon/p1client-down
+++ /dev/null
-#!/bin/sh
-#
-
-log="logger -t p1client-up[$$]"
-
-. /lib/functions.sh
-. /etc/racoon/functions.sh
-
-if [ -z "$SPLIT_INCLUDE_CIDR" ]; then
- $log "Connection without server-pushed routing is not supported"
- exit 1
-fi
-
-$log "Setting up tunnel to server $REMOTE_ADDR"
-$log "Making tunnel(-s) to $SPLIT_INCLUDE_CIDR through $INTERNAL_ADDR4"
-
-get_fieldval data dev "$(/usr/sbin/ip route get $REMOTE_ADDR)"
-ip address add $INTERNAL_ADDR4/32 dev $data
-
-config_load racoon
-config_get confIntZone racoon int_zone lan
-config_get confExtZone racoon ext_zone wan
-
-data=$(get_zoneiflist $confIntZone)
-if [ -n "$data" ]; then
- for item in $data ; do
- network_get_subnet locnet $item
- if [ -n "$locnet" ]; then
- manage_sa add "$locnet" "$SPLIT_INCLUDE_CIDR" $REMOTE_ADDR $INTERNAL_ADDR4
- else
- $log "Can not find subnet on interface $item"
- fi
- done
-else
- $log "Can not find interfaces in zone $confIntZone"
-fi
-
-manage_fw add $confIntZone $confExtZone "$INTERNAL_ADDR4 $SPLIT_INCLUDE_CIDR"
-
-
-# EOF /etc/racoon/p1client-up
+++ /dev/null
-#/etc/config/racoon
-#
-# Copyright 2015 Vitaly Protsko <villy@sft.ru>
-
-# * WARNING: this is "not working" example
-# * Defaults are commented out
-# * Resuting config will appear in /var/racoon/
-
-config racoon
-# option debug 0
-# option ext_zone 'wan'
-# option int_zone 'lan'
-# option port 500
-# option natt_port 4500
-# following 4 or 6, no default
-# option ipversion 4
-
-config p1_proposal 'example_prop1'
-# option lifetime 28800
- option enc_alg 'aes'
- option hash_alg 'sha1'
- option auth_method 'rsasig'
- option dh_group 2
-
-config p1_proposal 'example_anon'
-# option lifetime 28800
- option enc_alg 'aes'
- option hash_alg 'sha1'
- option auth_method 'xauth_rsa_server'
- option dh_group 2
-
-config p1_proposal 'example_xauth'
-# option lifetime 28800
- option enc_alg 'aes'
- option hash_alg 'sha1'
- option auth_method 'xauth_rsa_client'
- option dh_group 2
-
-config p2_proposal 'example_prop2'
- option pfs_group 2
- option enc_alg 'aes'
- option auth_alg 'hmac_sha1'
-
-config p2_proposal 'example_in2'
- option pfs_group 2
-# option lifetime 14400
- option enc_alg 'aes'
- option auth_alg 'hmac_sha1'
-
-config sainfo 'office'
- option p2_proposal 'example_prop2'
- option local_net '192.168.8.0/24'
- option remote_net '192.168.1.0/24'
-# you can exclude some local or remote
-# addresses from SA rules
- list local_exclude '192.168.8.0/30'
- list remote_exclude '192.168.1.128/29'
-
-config sainfo 'welcome'
- option p2_proposal 'example_in2'
- option local_net '192.168.8.0/24'
- option remote_net '192.168.10.0/24'
- option dns4 '192.168.8.1'
- option defdomain 'myhome.local'
-
-config sainfo 'client'
- option p2_proposal 'std_p2'
-
-config tunnel 'Office'
- option enabled 1
-# initial_contact
-# option init 1
- option remote 'vpn.example.tld'
- option exchange_mode 'main'
- option certificate 'example_cert'
-# option peer_id_type 'asn1dn'
-# option prop_check 'obey'
-# option verify_id 1
-# option weak_p1check 1
-# option dpd_delay ''
- list p1_proposal 'example_prop1'
- list sainfo 'office'
-
-# WARNING: Only ONE tunnel with remote anonymous
-# can be configured and it can have only
-# ONE sainfo. Otherwise resulting racoon
-# configuration will be unusable
-config tunnel 'Incoming'
- option enabled 1
- option remote 'anonymous'
- option pre_shared_key 'testitnow'
- option exchange_mode 'aggressive,main'
- option my_id_type 'fqdn'
- option my_id 'myserver.homeip.net'
- list p1_proposal 'example_anon'
- list sainfo 'welcome'
-
-config tunnel 'Client'
- option enabled 1
- option remote 'vpn.example.tld'
- option username 'testuser'
- option password 'testW0rD'
-# option mode_cfg 1
- list p1_proposal 'example_xauth'
- list sainfo 'client'
-
-# Insert corresponding data in PEM format as one line
-config 'certificate' 'example_cert'
- option 'key' '-----BEGIN PRIVATE KEY----- ~ -----END PRIVATE KEY-----'
- option 'crt' '-----BEGIN CERTIFICATE----- ~ -----END CERTIFICATE-----'
-
-config 'certificate' 'example_ca_cert'
- option 'crt' '-----BEGIN CERTIFICATE----- ~ -----END CERTIFICATE-----'
+++ /dev/null
-#!/bin/sh /etc/rc.common
-#
-# Copyright (C) 2015 Vitaly Protsko <villy@sft.ru>
-
-#set -vx
-
-USE_PROCD=1
-
-START=60
-STOP=40
-
-let connWait=2/2
-confDir=/var/racoon
-confExtZone=
-confIntZone=
-confPort=
-confNATPort=
-confIPMode=
-
-confPh1ID=0
-
-log="logger -t init.d/racoon[$$] "
-
-. /etc/racoon/functions.sh
-
-setup_load() {
- config_get confExtZone "$1" ext_zone wan
- config_get confIntZone "$1" int_zone lan
- config_get confPort "$1" port 500
- config_get confNATPort "$1" natt_port 4500
- config_get confIPMode "$1" ipversion ""
-
- case X$confIPMode in
- X4|X6) ;;
- *) unset confIPMode ;;
- esac
-}
-
-write_header() {
- echo "
-# autogenerated, don't edit, look at /etc/config/racoon
-#
-path certificate \"$confDir/cert\";
-path script \"/etc/racoon\";
-path pre_shared_key \"$confDir/psk.txt\";
-path pidfile \"$confDir/racoon.pid\";
-padding { maximum_length 20; randomize off; strict_check off; exclusive_tail off; }
-timer { counter 5; interval 20 sec; persend 1; phase1 30 sec; phase2 15 sec; }
-"
-}
-
-setup_conf() {
- local conf=$confDir/racoon.conf
- local peerconf=$confDir/peers.txt
- local pskconf=$confDir/psk.txt
- local item
- local data
-
- data="$(get_zoneiplist $confExtZone)"
- if [ "X$data" = X ]; then
- $log "No IP addresses found for zone $confExtZone, exitng"
- errno=2; return 2
- fi
-
- write_header > $conf
- echo -n > $peerconf
- echo -n > $pskconf
- chmod 0600 $conf $peerconf $pskconf
-
- echo "listen {" >> $conf
- for item in $data ; do
- echo " isakmp $item [$confPort]; isakmp_natt $item [$confNATPort];" >> $conf
- done
- echo "}" >> $conf
-
- config_get_bool item "$1" debug 0
- data=warning
- test $item -ne 0 && data=debug
- echo "log $data;" >> $conf
-
- setup_fw add
-}
-
-setup_p1() {
- local conf=$confDir/racoon.conf
- local data
-
- echo " proposal {" >> $conf
- config_get data "$1" lifetime 28800
- echo " lifetime time $data sec;" >> $conf
-
- config_get data "$1" enc_alg
- test -n "$data" && echo " encryption_algorithm $data;" >> $conf
-
- config_get data "$1" hash_alg
- test -n "$data" && echo " hash_algorithm $data;" >> $conf
-
- config_get data "$1" auth_method
- test -n "$data" && echo " authentication_method $data;" >> $conf
-
- config_get data "$1" dh_group 2
- echo -e " dh_group $data;\n }" >> $conf
-}
-
-setup_fw() {
- local cmd=/usr/sbin/iptables
- local mode
-
- case "$1" in
- add|up|1) mode=A ;;
- del|down|0) mode=D ;;
- *) return 3 ;;
- esac
-
- $cmd -$mode input_${confExtZone}_rule -p AH -j ACCEPT
- $cmd -$mode input_${confExtZone}_rule -p ESP -j ACCEPT
- $cmd -$mode input_${confExtZone}_rule -p UDP --dport $confPort -j ACCEPT
- $cmd -$mode input_${confExtZone}_rule -p UDP --dport $confNATPort -j ACCEPT
-}
-
-setup_sa() {
- local conf=$confDir/racoon.conf
- local remote="${2/ *}"
- local client="${2#* }"
- local locnet
- local remnet
- local p2
- local data
-
- test "$2" = "$client" && unset client
-
- if [ -z "$client" ]; then
- config_get locnet "$1" local_net
- config_get remnet "$1" remote_net
- if [ -z "$locnet" ] || [ -z "$remnet" ]; then
- $log "Remote and local networks for $1 must be configured ($2)"
- errno=4; return 4
- fi
-
- if [ "$remote" = "anonymous" ]; then
- echo "sainfo anonymous {" >> $conf
- else
- echo "sainfo address $locnet any address $remnet any {" >> $conf
- fi
- else
- echo "sainfo anonymous {" >> $conf
- fi
-
- config_get p2 "$1" p2_proposal
- if [ -z "$p2" ]; then
- $log "Phase2 proposal must be configured in $1 sainfo"
- errno=5; return 5
- fi
-
- echo " remoteid $confPh1ID;" >> $conf
-
- config_get data "$p2" pfs_group
- test -n "$data" && echo " pfs_group $data;" >> $conf
- config_get data "$p2" lifetime 14400
- test -n "$data" && echo " lifetime time $data sec;" >> $conf
- config_get data "$p2" enc_alg
- test -n "$data" && echo " encryption_algorithm $data;" >> $conf
- config_get data "$p2" auth_alg
- test -n "$data" && echo " authentication_algorithm $data;" >> $conf
-
- echo -e " compression_algorithm deflate;\n}" >> $conf
-
- if [ "$remote" = "anonymous" ]; then
- echo -e "mode_cfg {\n auth_source system;\n conf_source local;" >> $conf
-
- config_get data "$1" dns4
- test -n "$data" && echo " dns4 $data;" >> $conf
- config_get data "$1" defdomain
- test -n "$data" && echo " default_domain \"$data\";" >> $conf
-
- data=${remnet%/*}
- let "data=${data##*.}+1"
- echo " network4 ${remnet%.*}.$data;" >> $conf
-
- let "data=255<<(24-${remnet#*/}+8)&255"
- echo " netmask4 255.255.255.$data;" >> $conf
-
- echo -e " split_network include $locnet;\n}" >> $conf
-
- elif [ -z "$client" ]; then
- config_list_foreach "$1" remote_exclude manage_nonesa add remote "$locnet"
- config_list_foreach "$1" local_exclude manage_nonesa add local "$remnet"
- manage_sa add "$locnet" "$remnet" $remote
- test $? -gt 0 -o $errno -gt 0 && return $errno
-
- manage_fw add $confIntZone $confExtZone "$remnet"
- fi
-}
-
-setup_tunnel() {
- local conf=$confDir/racoon.conf
- local peerconf=$confDir/peers.txt
- local data
- local remote
- local xauth
-
- config_get_bool data "$1" enabled 0
- test "$data" = "0" && return 0
-
- config_get remote "$1" remote
- if [ "$remote" = "anonymous" ]; then
- echo -e "remote anonymous {\n generate_policy on;" >> $conf
- else
- data=$(nslookup "$remote" | awk 'NR == 5 {print $3}')
- test -n "$data" && remote="$data"
- echo -e "remote \"$1\" {\n remote_address $remote;" >> $conf
- echo "$data" >> $peerconf
- fi
-
- config_get data "$1" pre_shared_key ""
- if [ -n "$data" ]; then
- if [ "$remote" != "anonymous" ]; then
- echo "$remote $data" >> $confDir/psk.txt
- else
- echo "* $data" >> $confDir/psk.txt
- fi
- fi
-
- let confPh1ID=$confPh1ID+1
- echo " ph1id $confPh1ID;" >> $conf
-
- config_get xauth "$1" username ""
-
- config_get data "$1" certificate ""
- if [ -n "$data" ]; then
- echo -en " verify_cert on;\n my_identifier asn1dn;\n certificate_type x509 " >> $conf
- echo -en "\"$data.crt\" \"$data.key\";\n send_cr off;\n peers_identifier " >> $conf
- else
- config_get data "$1" my_id_type ""
- if [ -n "$data" ]; then
- echo -n " my_identifier $data" >> $conf
- config_get data "$1" my_id ""
- if [ -n "$data" ]; then
- echo " \"$data\";" >> $conf
- elif [ -n "$xauth" ]; then
- echo " \"$xauth\";" >> $conf
- else
- echo ";" >> $conf
- fi
- elif [ -n "$xauth" ]; then
- echo " my_identifier user_fqdn \"$xauth\";" >> $conf
- fi
- echo -n " peers_identifier " >> $conf
- fi
-
- if [ "$remote" = "anonymous" ]; then
- echo "user_fqdn;" >> $conf
- else
- config_get data "$1" peer_id_type "asn1dn"
- echo -n "$data" >> $conf
-
- config_get data "$1" peer_id ""
- test -n "$data" && echo -n " \"$data\"" >> $conf
-
- echo ";" >> $conf
- fi
-
- if [ -n "$xauth" ]; then
- config_get data "$1" password
- if [ -z "$data" ]; then
- $log "Password must be given in $1 tunnel"
- errno=7; return 7
- fi
- echo "$xauth $data" >> $confDir/psk.txt
-
- echo " xauth_login \"$xauth\";" >> $conf
- echo -e " script \"p1client-up\" phase1_up;\n script \"p1client-down\" phase1_down;" >> $conf
- fi
-
- config_get data "$1" exchange_mode
- if [ -z "$data" ]; then
- data=main
- test -n "$xauth" && data="${data},aggressive"
- fi
- echo -e " exchange_mode $data;\n nat_traversal on;\n support_proxy on;" >> $conf
-
- config_get data "$1" prop_check "obey"
- test -n "$data" && echo " proposal_check $data;" >> $conf
-
- config_get_bool data "$1" weak_p1check 1
- if [ $data -eq 0 ]; then data=off; else data=on; fi
- echo " weak_phase1_check $data;" >> $conf
-
- config_get_bool data "$1" verify_id 1
- if [ $data -eq 0 ]; then data=off; else data=on; fi
- echo " verify_identifier $data;" >> $conf
-
- config_get data "$1" dpd_delay ""
- test -n "$data" && echo " dpd_delay $data;" >> $conf
-
- unset data
- test -n "$xauth" && data="on"
- config_get data "$1" mode_cfg "$data"
- test -n "$data" && echo " mode_cfg $data;" >> $conf
-
- config_get_bool data "$1" init 0
- if [ $data -eq 0 ]; then data=off; else data=on; fi
- echo " initial_contact $data;" >> $conf
-
-
- config_list_foreach "$1" p1_proposal setup_p1
- echo "}" >> $conf
-
- config_list_foreach "$1" sainfo setup_sa "$remote $xauth"
-}
-
-setup_cert() {
- local item
- local data
-
- for item in key crt ; do
- config_get data "$1" $item ""
- test -z "$data" && continue
-
- echo "$data" |\
- sed 's/-\+[A-Z ]\+-\+/\n&\n/g' | sed 's/.\{50,50\}/&\n/g' | sed '/^$/d'\
- > $confDir/cert/$1.$item
-
- chmod 600 $confDir/cert/$1.$item
- done
-
- if [ -s $confDir/cert/$1.crt ]; then
- data=$(openssl x509 -noout -hash -in $confDir/cert/$1.crt)
- ln -sf $confDir/cert/$1.crt $confDir/cert/$data.0
- fi
-}
-
-destroy_sa() {
- local locnet
- local remnet
-
- config_get locnet "$1" local_net
- config_get remnet "$1" remote_net
- if [ -z "$locnet" ] || [ -z "$remnet" ]; then
- $log "Remote and local networks for $1 must be configured"
- errno=4; return 4
- fi
-
- config_list_foreach "$1" remote_exclude manage_nonesa del remote "$locnet"
- config_list_foreach "$1" local_exclude manage_nonesa del local "$remnet"
- manage_sa del "$locnet" "$remnet" $2
- manage_fw del $confIntZone $confExtZone "$remnet"
-}
-
-destroy_tunnel() {
- local data
-
- config_get_bool data "$1" enabled 0
- test "$data" = "0" && return 0
-
- config_get remote "$1" remote
- data=$(nslookup "$remote" | awk 'NR == 5 {print $3}')
- test -n "$data" && remote="$data"
-
- config_get data "$1" username ""
- if [ -z "$data" ]; then
- config_list_foreach "$1" sainfo destroy_sa $remote
- fi
-}
-
-destroy_conf() {
- setup_fw del
-}
-
-check_software() {
- local item
-
- for item in /usr/sbin/setkey /usr/bin/openssl /usr/sbin/ip ; do
- if [ ! -x $item ]; then
- $log "Needed program $item not found, exiting"
- errno=9; return 9
- fi
- done
-}
-
-cleanup_conf() {
- config_load racoon
- config_foreach setup_load racoon
- config_foreach destroy_conf racoon
- config_foreach destroy_tunnel tunnel
-
- /usr/sbin/setkey -P -F
- /usr/sbin/setkey -F
-}
-
-check_dir() {
- local item
-
- for item in $confDir $confDir/cert ; do
- if [ ! -d $item ]; then
- mkdir -m 0700 -p $item
- fi
- done
-}
-
-wait4wanzone() {
- local item=$connWait
- local data
-
- data="$(get_zoneiplist $confExtZone)"
- while [ $item -gt 0 ]; do
- test -n "$data" && break
- sleep 2
- let "item=$item-1"
- data="$(get_zoneiplist $confExtZone)"
- done
-
- test -z "$data" && return 10
-}
-
-start_service() {
- check_software
- test $? -gt 0 -o $errno -gt 0 && exit $errno
-
- check_dir
-
- config_load racoon
- config_foreach setup_load racoon
-
- config_foreach wait4wanzone racoon
- if [ $? -gt 0 ] || [ $errno -gt 0 ]; then
- $log "No active interfaces in $confExtZone zone found, exiting"
- exit $errno
- fi
-
- config_foreach setup_conf racoon
- test $? -gt 0 -o $errno -gt 0 && exit $errno
-
- config_foreach setup_tunnel tunnel
- test $? -gt 0 -o $errno -gt 0 && exit $errno
-
- config_foreach setup_cert certificate
-
- procd_open_instance
- procd_set_param command /usr/sbin/racoon
- test -n "$confIPMode" && procd_append_param command -$confIPMode
- procd_append_param command -F -f $confDir/racoon.conf
- procd_set_param file $confDir/racoon.conf
- procd_close_instance
-
- if [ -x /etc/racoon/vpnctl ]; then
- let connWait=$connWait*2+2
- ( sleep $connWait; /etc/racoon/vpnctl up ) &
- fi
-}
-
-service_triggers() {
- local item
- local data
-
- procd_add_reload_trigger "racoon" "network"
-
- config_load racoon
- config_foreach setup_load racoon
-
- data=$(get_zoneiflist $confExtZone)
- if [ $? -gt 0 ] || [ $errno -gt 0 ] || [ -z "$data" ]; then
- $log "Can not find interfaces for $confExtZone zone"
- else
- for item in $data ; do
- procd_add_reload_interface_trigger $item
- done
- fi
-}
-
-stop_service() {
- cleanup_conf
- procd_kill racoon
-}
-
-trap "cleanup_conf" 1 2 3 4 5 6 7 8 9 10
-
-
-# EOF /etc/init.d/racoon
+++ /dev/null
-#!/bin/sh
-#
-
-case X$1 in
- Xup|X1|Xstart) connMode=vpn-connect ;;
- Xdown|X0|Xstop) connMode=vpn-disconnect ;;
- *)
- echo "Usage: $0: up|1|start || down|0|stop"
- exit 1 ;;
-esac
-
-if [ -s /var/racoon/peers.txt ]; then
- (while read ipa ; do
- racoonctl $connMode $ipa
- done) < /var/racoon/peers.txt
-fi
-
-
-# EOF /usr/bin/vpnctl
+++ /dev/null
---- a/src/racoon/oakley.c
-+++ b/src/racoon/oakley.c
-@@ -2424,8 +2424,21 @@ oakley_skeyid(iph1)
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "couldn't find the pskey for %s.\n",
- saddrwop2str(iph1->remote));
-+ }
-+ }
-+ if (iph1->authstr == NULL) {
-+ /*
-+ * If we could not locate a psk above try and locate
-+ * the default psk, ie, "*".
-+ */
-+ iph1->authstr = privsep_getpsk("*", 1);
-+ if (iph1->authstr == NULL) {
-+ plog(LLV_ERROR, LOCATION, iph1->remote,
-+ "couldn't find the the default pskey either.\n");
- goto end;
- }
-+ plog(LLV_NOTIFY, LOCATION, iph1->remote,
-+ "Using default PSK.\n");
- }
- plog(LLV_DEBUG, LOCATION, NULL, "the psk found.\n");
- /* should be secret PSK */
+++ /dev/null
---- a/src/racoon/cftoken.l
-+++ b/src/racoon/cftoken.l
-@@ -104,6 +104,8 @@ static struct include_stack {
- static int incstackp = 0;
-
- static int yy_first_time = 1;
-+
-+int yywrap(void) { return 1; }
- %}
-
- /* common seciton */
---- a/src/setkey/token.l
-+++ b/src/setkey/token.l
-@@ -86,6 +86,8 @@
- #if defined(SADB_X_EALG_AES) && ! defined(SADB_X_EALG_AESCBC)
- #define SADB_X_EALG_AESCBC SADB_X_EALG_AES
- #endif
-+
-+int yywrap(void) { return 1; }
- %}
-
- /* common section */
+++ /dev/null
---- a/src/racoon/isakmp_cfg.c
-+++ b/src/racoon/isakmp_cfg.c
-@@ -38,7 +38,7 @@
- #include <sys/socket.h>
- #include <sys/queue.h>
-
--#include <utmpx.h>
-+#include <utmp.h>
- #if defined(__APPLE__) && defined(__MACH__)
- #include <util.h>
- #endif
-@@ -1664,7 +1664,8 @@ isakmp_cfg_accounting_system(port, raddr
- int inout;
- {
- int error = 0;
-- struct utmpx ut;
-+ struct utmp ut;
-+ char term[UT_LINESIZE];
- char addr[NI_MAXHOST];
-
- if (usr == NULL || usr[0]=='\0') {
-@@ -1673,34 +1674,37 @@ isakmp_cfg_accounting_system(port, raddr
- return -1;
- }
-
-- memset(&ut, 0, sizeof ut);
-- gettimeofday((struct timeval *)&ut.ut_tv, NULL);
-- snprintf(ut.ut_id, sizeof ut.ut_id, TERMSPEC, port);
-+ sprintf(term, TERMSPEC, port);
-
- switch (inout) {
- case ISAKMP_CFG_LOGIN:
-- ut.ut_type = USER_PROCESS;
-- strncpy(ut.ut_user, usr, sizeof ut.ut_user);
-+ strncpy(ut.ut_name, usr, UT_NAMESIZE);
-+ ut.ut_name[UT_NAMESIZE - 1] = '\0';
-+
-+ strncpy(ut.ut_line, term, UT_LINESIZE);
-+ ut.ut_line[UT_LINESIZE - 1] = '\0';
-
- GETNAMEINFO_NULL(raddr, addr);
-- strncpy(ut.ut_host, addr, sizeof ut.ut_host);
-+ strncpy(ut.ut_host, addr, UT_HOSTSIZE);
-+ ut.ut_host[UT_HOSTSIZE - 1] = '\0';
-+
-+ ut.ut_time = time(NULL);
-
- plog(LLV_INFO, LOCATION, NULL,
- "Accounting : '%s' logging on '%s' from %s.\n",
-- ut.ut_user, ut.ut_id, addr);
--
-- pututxline(&ut);
-+ ut.ut_name, ut.ut_line, ut.ut_host);
-
-+ login(&ut);
-+
- break;
- case ISAKMP_CFG_LOGOUT:
-- ut.ut_type = DEAD_PROCESS;
-
- plog(LLV_INFO, LOCATION, NULL,
- "Accounting : '%s' unlogging from '%s'.\n",
-- usr, ut.ut_id);
--
-- pututxline(&ut);
-+ usr, term);
-
-+ logout(term);
-+
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n");
+++ /dev/null
---- a/src/racoon/ipsec_doi.c
-+++ b/src/racoon/ipsec_doi.c
-@@ -3581,8 +3581,8 @@ ipsecdoi_checkid1(iph1)
- iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_PSKEY) {
- if (id_b->type != IPSECDOI_ID_IPV4_ADDR
- && id_b->type != IPSECDOI_ID_IPV6_ADDR) {
-- plog(LLV_ERROR, LOCATION, NULL,
-- "Expecting IP address type in main mode, "
-+ plog(LLV_WARNING, LOCATION, NULL,
-+ "Expecting IP address type in main mode (RFC2409) , "
- "but %s.\n", s_ipsecdoi_ident(id_b->type));
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
- }
+++ /dev/null
---- a/src/racoon/isakmp.c
-+++ b/src/racoon/isakmp.c
-@@ -31,6 +31,8 @@
- * SUCH DAMAGE.
- */
-
-+#define __packed __attribute__((__packed__))
-+
- #include "config.h"
-
- #include <sys/types.h>
+++ /dev/null
---- a/configure.ac
-+++ b/configure.ac
-@@ -74,9 +74,10 @@ case "$host_os" in
- [ KERNEL_INCLUDE="/lib/modules/`uname -r`/build/include" ])
-
- AC_CHECK_HEADER($KERNEL_INCLUDE/linux/pfkeyv2.h, ,
-- [ AC_CHECK_HEADER(/usr/src/linux/include/linux/pfkeyv2.h,
-- KERNEL_INCLUDE=/usr/src/linux/include ,
-- [ AC_MSG_ERROR([Unable to find linux-2.6 kernel headers. Aborting.]) ] ) ] )
-+ [ AC_CHECK_HEADER($KERNEL_INCLUDE/uapi/linux/pfkeyv2.h, ,
-+ [ AC_CHECK_HEADER(/usr/src/linux/include/linux/pfkeyv2.h,
-+ KERNEL_INCLUDE=/usr/src/linux/include ,
-+ [ AC_MSG_ERROR([Unable to find linux-2.6 kernel headers. Aborting.]) ] ) ] ) ] )
- AC_SUBST(KERNEL_INCLUDE)
- # We need the configure script to run with correct kernel headers.
- # However we don't want to point to kernel source tree in compile time,
-@@ -643,7 +644,14 @@ AC_EGREP_CPP(yes,
- #ifdef SADB_X_EXT_NAT_T_TYPE
- yes
- #endif
--], [kernel_natt="yes"])
-+], [kernel_natt="yes"], [
-+ AC_EGREP_CPP(yes,
-+ [#include <uapi/linux/pfkeyv2.h>
-+ #ifdef SADB_X_EXT_NAT_T_TYPE
-+ yes
-+ #endif
-+ ], [kernel_natt="yes"])
-+])
- ;;
- freebsd*|netbsd*)
- # NetBSD case
---- a/src/include-glibc/Makefile.am
-+++ b/src/include-glibc/Makefile.am
-@@ -1,14 +1,7 @@
--
--.includes: ${top_builddir}/config.status
-- ln -snf $(KERNEL_INCLUDE)/linux
-- touch .includes
--
--all: .includes
--
- EXTRA_DIST = \
- glibc-bugs.h \
- net/pfkeyv2.h \
- netinet/ipsec.h \
- sys/queue.h
-
--DISTCLEANFILES = .includes linux
-+DISTCLEANFILES = linux
+++ /dev/null
---- a/configure.ac
-+++ b/configure.ac
-@@ -732,7 +732,8 @@ case $host in
- ],
- [AC_MSG_RESULT(yes)
- AC_DEFINE([HAVE_POLICY_FWD], [], [Have forward policy])],
-- [AC_MSG_RESULT(no)])
-+ [AC_MSG_RESULT(forced)
-+ AC_DEFINE([HAVE_POLICY_FWD], [], [Have forward policy])])
- ;;
- *)
- AC_MSG_RESULT(no)
+++ /dev/null
-Fix null dereference in racoon/gssapi.c (CVE-2015-4047)
-
---- a/src/racoon/gssapi.c
-+++ b/src/racoon/gssapi.c
-@@ -192,6 +192,11 @@ gssapi_init(struct ph1handle *iph1)
- gss_name_t princ, canon_princ;
- OM_uint32 maj_stat, min_stat;
-
-+ if (iph1->rmconf == NULL) {
-+ plog(LLV_ERROR, LOCATION, NULL, "no remote config\n");
-+ return -1;
-+ }
-+
- gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
- if (gps == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n");
+++ /dev/null
---- a/src/racoon/grabmyaddr.c
-+++ b/src/racoon/grabmyaddr.c
-@@ -47,7 +47,6 @@
- #include <net/route.h>
- #include <net/if.h>
- #include <net/if_dl.h>
--#include <sys/sysctl.h>
- #define USE_ROUTE
- #endif
-
---- a/src/racoon/pfkey.c
-+++ b/src/racoon/pfkey.c
-@@ -59,7 +59,6 @@
- #include <sys/param.h>
- #include <sys/socket.h>
- #include <sys/queue.h>
--#include <sys/sysctl.h>
-
- #include <net/route.h>
- #include <net/pfkeyv2.h>
---- a/src/setkey/setkey.c
-+++ b/src/setkey/setkey.c
-@@ -40,7 +40,6 @@
- #include <sys/socket.h>
- #include <sys/time.h>
- #include <sys/stat.h>
--#include <sys/sysctl.h>
- #include <err.h>
- #include <netinet/in.h>
- #include <net/pfkeyv2.h>
---- a/src/libipsec/ipsec_strerror.h
-+++ b/src/libipsec/ipsec_strerror.h
-@@ -34,6 +34,8 @@
- #ifndef _IPSEC_STRERROR_H
- #define _IPSEC_STRERROR_H
-
-+#include <sys/cdefs.h>
-+
- extern int __ipsec_errcode;
- extern void __ipsec_set_strerror __P((const char *));
-
---- a/src/libipsec/libpfkey.h
-+++ b/src/libipsec/libpfkey.h
-@@ -34,6 +34,8 @@
- #ifndef _LIBPFKEY_H
- #define _LIBPFKEY_H
-
-+#include <sys/cdefs.h>
-+
- #ifndef KAME_LIBPFKEY_H
- #define KAME_LIBPFKEY_H
-
---- a/src/racoon/backupsa.c
-+++ b/src/racoon/backupsa.c
-@@ -276,9 +276,9 @@ do { \
- GETNEXTNUM(sa_args.a_keylen, strtoul);
- GETNEXTNUM(sa_args.flags, strtoul);
- GETNEXTNUM(sa_args.l_alloc, strtoul);
-- GETNEXTNUM(sa_args.l_bytes, strtouq);
-- GETNEXTNUM(sa_args.l_addtime, strtouq);
-- GETNEXTNUM(sa_args.l_usetime, strtouq);
-+ GETNEXTNUM(sa_args.l_bytes, strtoull);
-+ GETNEXTNUM(sa_args.l_addtime, strtoull);
-+ GETNEXTNUM(sa_args.l_usetime, strtoull);
- GETNEXTNUM(sa_args.seq, strtoul);
-
- #undef GETNEXTNUM
---- a/src/racoon/cftoken.l
-+++ b/src/racoon/cftoken.l
-@@ -77,6 +77,10 @@
-
- #include "cfparse.h"
-
-+#ifndef GLOB_TILDE
-+#define GLOB_TILDE 0
-+#endif
-+
- int yyerrorcount = 0;
-
- #if defined(YIPS_DEBUG)
---- a/src/racoon/logger.h
-+++ b/src/racoon/logger.h
-@@ -34,6 +34,8 @@
- #ifndef _LOGGER_H
- #define _LOGGER_H
-
-+#include <sys/cdefs.h>
-+
- struct log {
- int head;
- int siz;
---- a/src/racoon/misc.h
-+++ b/src/racoon/misc.h
-@@ -34,6 +34,8 @@
- #ifndef _MISC_H
- #define _MISC_H
-
-+#include <sys/cdefs.h>
-+
- #define BIT2STR(b) bit2str(b, sizeof(b)<<3)
-
- #ifdef HAVE_FUNC_MACRO
---- a/src/racoon/missing/crypto/sha2/sha2.h
-+++ b/src/racoon/missing/crypto/sha2/sha2.h
-@@ -40,6 +40,8 @@
- #ifndef __SHA2_H__
- #define __SHA2_H__
-
-+#include <sys/cdefs.h>
-+
- #ifdef __cplusplus
- extern "C" {
- #endif
---- a/src/racoon/netdb_dnssec.h
-+++ b/src/racoon/netdb_dnssec.h
-@@ -34,6 +34,8 @@
- #ifndef _NETDB_DNSSEC_H
- #define _NETDB_DNSSEC_H
-
-+#include <sys/cdefs.h>
-+
- #ifndef T_CERT
- #define T_CERT 37 /* defined by RFC2538 section 2 */
- #endif
---- a/src/racoon/plog.h
-+++ b/src/racoon/plog.h
-@@ -34,6 +34,8 @@
- #ifndef _PLOG_H
- #define _PLOG_H
-
-+#include <sys/cdefs.h>
-+
- #ifdef HAVE_STDARG_H
- #include <stdarg.h>
- #else
---- a/src/racoon/str2val.h
-+++ b/src/racoon/str2val.h
-@@ -34,6 +34,8 @@
- #ifndef _STR2VAL_H
- #define _STR2VAL_H
-
-+#include <sys/cdefs.h>
-+
- extern caddr_t val2str __P((const char *, size_t));
- extern char *str2val __P((const char *, int, size_t *));
-
---- a/src/racoon/vmbuf.h
-+++ b/src/racoon/vmbuf.h
-@@ -34,6 +34,8 @@
- #ifndef _VMBUF_H
- #define _VMBUF_H
-
-+#include <sys/cdefs.h>
-+
- /*
- * bp v
- * v v
---- a/src/setkey/extern.h
-+++ b/src/setkey/extern.h
-@@ -1,6 +1,6 @@
- /* $NetBSD: extern.h,v 1.5 2009/03/06 11:45:03 tteras Exp $ */
-
--
-+#include <sys/cdefs.h>
-
- void parse_init __P((void));
- int parse __P((FILE **));
---- a/src/racoon/isakmp_cfg.c
-+++ b/src/racoon/isakmp_cfg.c
-@@ -1694,8 +1694,6 @@ isakmp_cfg_accounting_system(port, raddr
- "Accounting : '%s' logging on '%s' from %s.\n",
- ut.ut_name, ut.ut_line, ut.ut_host);
-
-- login(&ut);
--
- break;
- case ISAKMP_CFG_LOGOUT:
-
-@@ -1703,8 +1701,6 @@ isakmp_cfg_accounting_system(port, raddr
- "Accounting : '%s' unlogging from '%s'.\n",
- usr, term);
-
-- logout(term);
--
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n");
+++ /dev/null
-Description: Fix remotely exploitable DoS. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396
-Source: vendor; https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682
-Bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986
-
-Index: ipsec-tools-0.8.2/src/racoon/isakmp_frag.c
-===================================================================
---- ipsec-tools-0.8.2.orig/src/racoon/isakmp_frag.c
-+++ ipsec-tools-0.8.2/src/racoon/isakmp_frag.c
-@@ -1,4 +1,4 @@
--/* $NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $ */
-+/* $NetBSD: isakmp_frag.c,v 1.5.36.1 2017/04/21 16:50:42 bouyer Exp $ */
-
- /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
-
-@@ -173,6 +173,43 @@ vendorid_frag_cap(gen)
- return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]);
- }
-
-+static int
-+isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item)
-+{
-+ struct isakmp_frag_item *pitem = NULL;
-+ struct isakmp_frag_item *citem = iph1->frag_chain;
-+
-+ /* no frag yet, just insert at beginning of list */
-+ if (iph1->frag_chain == NULL) {
-+ iph1->frag_chain = item;
-+ return 0;
-+ }
-+
-+ do {
-+ /* duplicate fragment number, abort (CVE-2016-10396) */
-+ if (citem->frag_num == item->frag_num)
-+ return -1;
-+
-+ /* need to insert before current item */
-+ if (citem->frag_num > item->frag_num) {
-+ if (pitem != NULL)
-+ pitem->frag_next = item;
-+ else
-+ /* insert at the beginning of the list */
-+ iph1->frag_chain = item;
-+ item->frag_next = citem;
-+ return 0;
-+ }
-+
-+ pitem = citem;
-+ citem = citem->frag_next;
-+ } while (citem != NULL);
-+
-+ /* we reached the end of the list, insert */
-+ pitem->frag_next = item;
-+ return 0;
-+}
-+
- int
- isakmp_frag_extract(iph1, msg)
- struct ph1handle *iph1;
-@@ -224,39 +261,43 @@ isakmp_frag_extract(iph1, msg)
- item->frag_next = NULL;
- item->frag_packet = buf;
-
-- /* Look for the last frag while inserting the new item in the chain */
-- if (item->frag_last)
-- last_frag = item->frag_num;
-+ /* Check for the last frag before inserting the new item in the chain */
-+ if (item->frag_last) {
-+ /* if we have the last fragment, indices must match */
-+ if (iph1->frag_last_index != 0 &&
-+ item->frag_last != iph1->frag_last_index) {
-+ plog(LLV_ERROR, LOCATION, NULL,
-+ "Repeated last fragment index mismatch\n");
-+ racoon_free(item);
-+ vfree(buf);
-+ return -1;
-+ }
-
-- if (iph1->frag_chain == NULL) {
-- iph1->frag_chain = item;
-- } else {
-- struct isakmp_frag_item *current;
-+ last_frag = iph1->frag_last_index = item->frag_num;
-+ }
-
-- current = iph1->frag_chain;
-- while (current->frag_next) {
-- if (current->frag_last)
-- last_frag = item->frag_num;
-- current = current->frag_next;
-- }
-- current->frag_next = item;
-+ /* insert fragment into chain */
-+ if (isakmp_frag_insert(iph1, item) == -1) {
-+ plog(LLV_ERROR, LOCATION, NULL,
-+ "Repeated fragment index mismatch\n");
-+ racoon_free(item);
-+ vfree(buf);
-+ return -1;
- }
-
-- /* If we saw the last frag, check if the chain is complete */
-+ /* If we saw the last frag, check if the chain is complete
-+ * we have a sorted list now, so just walk through */
- if (last_frag != 0) {
-+ item = iph1->frag_chain;
- for (i = 1; i <= last_frag; i++) {
-- item = iph1->frag_chain;
-- do {
-- if (item->frag_num == i)
-- break;
-- item = item->frag_next;
-- } while (item != NULL);
--
-+ if (item->frag_num != i)
-+ break;
-+ item = item->frag_next;
- if (item == NULL) /* Not found */
- break;
- }
-
-- if (item != NULL) /* It is complete */
-+ if (i > last_frag) /* It is complete */
- return 1;
- }
-
-@@ -291,15 +332,9 @@ isakmp_frag_reassembly(iph1)
- }
- data = buf->v;
-
-+ item = iph1->frag_chain;
- for (i = 1; i <= frag_count; i++) {
-- item = iph1->frag_chain;
-- do {
-- if (item->frag_num == i)
-- break;
-- item = item->frag_next;
-- } while (item != NULL);
--
-- if (item == NULL) {
-+ if (item->frag_num != i) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Missing fragment #%d\n", i);
- vfree(buf);
-@@ -308,6 +343,7 @@ isakmp_frag_reassembly(iph1)
- }
- memcpy(data, item->frag_packet->v, item->frag_packet->l);
- data += item->frag_packet->l;
-+ item = item->frag_next;
- }
-
- out:
-Index: ipsec-tools-0.8.2/src/racoon/isakmp_inf.c
-===================================================================
---- ipsec-tools-0.8.2.orig/src/racoon/isakmp_inf.c
-+++ ipsec-tools-0.8.2/src/racoon/isakmp_inf.c
-@@ -720,6 +720,7 @@ isakmp_info_send_nx(isakmp, remote, loca
- #endif
- #ifdef ENABLE_FRAG
- iph1->frag = 0;
-+ iph1->frag_last_index = 0;
- iph1->frag_chain = NULL;
- #endif
-
-Index: ipsec-tools-0.8.2/src/racoon/isakmp.c
-===================================================================
---- ipsec-tools-0.8.2.orig/src/racoon/isakmp.c
-+++ ipsec-tools-0.8.2/src/racoon/isakmp.c
-@@ -1071,6 +1071,7 @@ isakmp_ph1begin_i(rmconf, remote, local)
- iph1->frag = 1;
- else
- iph1->frag = 0;
-+ iph1->frag_last_index = 0;
- iph1->frag_chain = NULL;
- #endif
- iph1->approval = NULL;
-@@ -1175,6 +1176,7 @@ isakmp_ph1begin_r(msg, remote, local, et
- #endif
- #ifdef ENABLE_FRAG
- iph1->frag = 0;
-+ iph1->frag_last_index = 0;
- iph1->frag_chain = NULL;
- #endif
- iph1->approval = NULL;
-Index: ipsec-tools-0.8.2/src/racoon/handler.h
-===================================================================
---- ipsec-tools-0.8.2.orig/src/racoon/handler.h
-+++ ipsec-tools-0.8.2/src/racoon/handler.h
-@@ -1,4 +1,4 @@
--/* $NetBSD: handler.h,v 1.25 2010/11/17 10:40:41 tteras Exp $ */
-+/* $NetBSD: handler.h,v 1.26 2017/01/24 19:23:56 christos Exp $ */
-
- /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
-
-@@ -141,6 +141,7 @@ struct ph1handle {
- #endif
- #ifdef ENABLE_FRAG
- int frag; /* IKE phase 1 fragmentation */
-+ int frag_last_index;
- struct isakmp_frag_item *frag_chain; /* Received fragments */
- #endif
-
+++ /dev/null
---- a/src/racoon/isakmp_xauth.c
-+++ b/src/racoon/isakmp_xauth.c
-@@ -376,6 +376,7 @@ xauth_reply(iph1, port, id, res)
- struct ph1handle *iph1;
- int port;
- int id;
-+ int res;
- {
- struct xauth_state *xst = &iph1->mode_cfg->xauth;
- char *usr = xst->authdata.generic.usr;
-
+++ /dev/null
-From 071fec7181255b9234add44865a435dfdefee520 Mon Sep 17 00:00:00 2001
-In-Reply-To: <20180528120513.560-1-cote2004-github@yahoo.com>
-References: <20180528120513.560-1-cote2004-github@yahoo.com>
-From: Eneas U de Queiroz <cote2004-github@yahoo.com>
-Date: Wed, 30 May 2018 15:42:20 -0300
-Subject: [PATCH v2 1/1] ipsec-tools: add openssl 1.1 support
-To: equeiroz@troianet.com.br
-
-This patch updates the calls to openssl 1.1 API, and adds a
-compatibility layer so it compiles with (at least) openssl 1.0.2, I
-haven't tested it with lower versions, but all that's needed is to edit
-the openssl_compat.* files and add the missing functions there--they're
-usually trivial.
-
-Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
----
- src/racoon/Makefile.am | 10 +--
- src/racoon/algorithm.c | 6 +-
- src/racoon/cfparse.y | 2 +-
- src/racoon/crypto_openssl.c | 197 +++++++++++++++++++++-------------------
- src/racoon/crypto_openssl.h | 2 +-
- src/racoon/eaytest.c | 7 +-
- src/racoon/ipsec_doi.c | 2 +-
- src/racoon/openssl_compat.c | 213 ++++++++++++++++++++++++++++++++++++++++++++
- src/racoon/openssl_compat.h | 45 ++++++++++
- src/racoon/plainrsa-gen.c | 41 +++++----
- src/racoon/prsa_par.y | 28 ++++--
- src/racoon/rsalist.c | 5 +-
- 12 files changed, 431 insertions(+), 127 deletions(-)
- create mode 100644 src/racoon/openssl_compat.c
- create mode 100644 src/racoon/openssl_compat.h
-
-diff --git a/src/racoon/Makefile.am b/src/racoon/Makefile.am
-index dbaded9..4c585f3 100644
---- a/src/racoon/Makefile.am
-+++ b/src/racoon/Makefile.am
-@@ -4,7 +4,7 @@ sbin_PROGRAMS = racoon racoonctl plainrsa-gen
- noinst_PROGRAMS = eaytest
- include_racoon_HEADERS = racoonctl.h var.h vmbuf.h misc.h gcmalloc.h admin.h \
- schedule.h sockmisc.h isakmp_var.h isakmp.h isakmp_xauth.h \
-- isakmp_cfg.h isakmp_unity.h ipsec_doi.h evt.h
-+ isakmp_cfg.h isakmp_unity.h ipsec_doi.h evt.h openssl_compat.h
- lib_LTLIBRARIES = libracoon.la
-
- adminsockdir=${localstatedir}/racoon
-@@ -32,7 +32,7 @@ racoon_SOURCES = \
- gssapi.c dnssec.c getcertsbyname.c privsep.c \
- pfkey.c admin.c evt.c ipsec_doi.c oakley.c grabmyaddr.c vendorid.c \
- policy.c localconf.c remoteconf.c crypto_openssl.c algorithm.c \
-- proposal.c sainfo.c strnames.c \
-+ openssl_compat.c proposal.c sainfo.c strnames.c \
- plog.c logger.c schedule.c str2val.c \
- safefile.c backupsa.c genlist.c rsalist.c \
- cftoken.l cfparse.y prsa_tok.l prsa_par.y
-@@ -51,12 +51,12 @@ libracoon_la_SOURCES = kmpstat.c vmbuf.c sockmisc.c misc.c
- libracoon_la_CFLAGS = -DNOUSE_PRIVSEP $(AM_CFLAGS)
-
- plainrsa_gen_SOURCES = plainrsa-gen.c plog.c \
-- crypto_openssl.c logger.c
-+ crypto_openssl.c logger.c openssl_compat.c
- EXTRA_plainrsa_gen_SOURCES = $(MISSING_ALGOS)
- plainrsa_gen_LDADD = $(CRYPTOBJS) vmbuf.o misc.o
- plainrsa_gen_DEPENDENCIES = $(CRYPTOBJS) vmbuf.o misc.o
-
--eaytest_SOURCES = eaytest.c plog.c logger.c
-+eaytest_SOURCES = eaytest.c plog.c logger.c openssl_compat.c
- EXTRA_eaytest_SOURCES = missing/crypto/sha2/sha2.c
- eaytest_LDADD = crypto_openssl_test.o vmbuf.o str2val.o misc_noplog.o \
- $(CRYPTOBJS)
-@@ -75,7 +75,7 @@ noinst_HEADERS = \
- debugrm.h isakmp.h misc.h sainfo.h \
- dhgroup.h isakmp_agg.h netdb_dnssec.h schedule.h \
- isakmp_cfg.h isakmp_xauth.h isakmp_unity.h isakmp_frag.h \
-- throttle.h privsep.h \
-+ throttle.h privsep.h openssl_compat.h \
- cfparse_proto.h cftoken_proto.h genlist.h rsalist.h \
- missing/crypto/sha2/sha2.h missing/crypto/rijndael/rijndael_local.h \
- missing/crypto/rijndael/rijndael-api-fst.h \
-diff --git a/src/racoon/algorithm.c b/src/racoon/algorithm.c
-index 3fd50f6..66c874b 100644
---- a/src/racoon/algorithm.c
-+++ b/src/racoon/algorithm.c
-@@ -128,7 +128,7 @@ static struct enc_algorithm oakley_encdef[] = {
- { "aes", algtype_aes, OAKLEY_ATTR_ENC_ALG_AES, 16,
- eay_aes_encrypt, eay_aes_decrypt,
- eay_aes_weakkey, eay_aes_keylen, },
--#ifdef HAVE_OPENSSL_CAMELLIA_H
-+#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA)
- { "camellia", algtype_camellia, OAKLEY_ATTR_ENC_ALG_CAMELLIA, 16,
- eay_camellia_encrypt, eay_camellia_decrypt,
- eay_camellia_weakkey, eay_camellia_keylen, },
-@@ -168,7 +168,7 @@ static struct enc_algorithm ipsec_encdef[] = {
- { "twofish", algtype_twofish, IPSECDOI_ESP_TWOFISH, 16,
- NULL, NULL,
- NULL, eay_twofish_keylen, },
--#ifdef HAVE_OPENSSL_IDEA_H
-+#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA)
- { "3idea", algtype_3idea, IPSECDOI_ESP_3IDEA, 8,
- NULL, NULL,
- NULL, NULL, },
-@@ -179,7 +179,7 @@ static struct enc_algorithm ipsec_encdef[] = {
- { "rc4", algtype_rc4, IPSECDOI_ESP_RC4, 8,
- NULL, NULL,
- NULL, NULL, },
--#ifdef HAVE_OPENSSL_CAMELLIA_H
-+#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA)
- { "camellia", algtype_camellia, IPSECDOI_ESP_CAMELLIA, 16,
- NULL, NULL,
- NULL, eay_camellia_keylen, },
-diff --git a/src/racoon/cfparse.y b/src/racoon/cfparse.y
-index 0d9bd67..8415752 100644
---- a/src/racoon/cfparse.y
-+++ b/src/racoon/cfparse.y
-@@ -2564,7 +2564,7 @@ set_isakmp_proposal(rmconf)
- plog(LLV_DEBUG2, LOCATION, NULL,
- "encklen=%d\n", s->encklen);
-
-- memset(types, 0, ARRAYLEN(types));
-+ memset(types, 0, sizeof types);
- types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc];
- types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash];
- types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh];
-diff --git a/src/racoon/crypto_openssl.c b/src/racoon/crypto_openssl.c
-index 55b076a..8fb358f 100644
---- a/src/racoon/crypto_openssl.c
-+++ b/src/racoon/crypto_openssl.c
-@@ -90,6 +90,7 @@
- #endif
- #endif
- #include "plog.h"
-+#include "openssl_compat.h"
-
- #define USE_NEW_DES_API
-
-@@ -316,9 +317,12 @@ eay_cmp_asn1dn(n1, n2)
- i = idx+1;
- goto end;
- }
-- if ((ea->value->length == 1 && ea->value->data[0] == '*') ||
-- (eb->value->length == 1 && eb->value->data[0] == '*')) {
-- if (OBJ_cmp(ea->object,eb->object)) {
-+ ASN1_STRING *sa = X509_NAME_ENTRY_get_data(ea);
-+ ASN1_STRING *sb = X509_NAME_ENTRY_get_data(eb);
-+ if ((ASN1_STRING_length(sa) == 1 && ASN1_STRING_get0_data(sa)[0] == '*') ||
-+ (ASN1_STRING_length(sb) == 1 && ASN1_STRING_get0_data(sb)[0] == '*')) {
-+ if (OBJ_cmp(X509_NAME_ENTRY_get_object(ea),
-+ X509_NAME_ENTRY_get_object(eb))) {
- i = idx+1;
- goto end;
- }
-@@ -430,7 +434,7 @@ cb_check_cert_local(ok, ctx)
-
- if (!ok) {
- X509_NAME_oneline(
-- X509_get_subject_name(ctx->current_cert),
-+ X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)),
- buf,
- 256);
- /*
-@@ -438,7 +442,8 @@ cb_check_cert_local(ok, ctx)
- * ok if they are self signed. But we should still warn
- * the user.
- */
-- switch (ctx->error) {
-+ int ctx_error = X509_STORE_CTX_get_error(ctx);
-+ switch (ctx_error) {
- case X509_V_ERR_CERT_HAS_EXPIRED:
- case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
- case X509_V_ERR_INVALID_CA:
-@@ -453,9 +458,9 @@ cb_check_cert_local(ok, ctx)
- }
- plog(log_tag, LOCATION, NULL,
- "%s(%d) at depth:%d SubjectName:%s\n",
-- X509_verify_cert_error_string(ctx->error),
-- ctx->error,
-- ctx->error_depth,
-+ X509_verify_cert_error_string(ctx_error),
-+ ctx_error,
-+ X509_STORE_CTX_get_error_depth(ctx),
- buf);
- }
- ERR_clear_error();
-@@ -477,10 +482,11 @@ cb_check_cert_remote(ok, ctx)
-
- if (!ok) {
- X509_NAME_oneline(
-- X509_get_subject_name(ctx->current_cert),
-+ X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)),
- buf,
- 256);
-- switch (ctx->error) {
-+ int ctx_error=X509_STORE_CTX_get_error(ctx);
-+ switch (ctx_error) {
- case X509_V_ERR_UNABLE_TO_GET_CRL:
- ok = 1;
- log_tag = LLV_WARNING;
-@@ -490,9 +496,9 @@ cb_check_cert_remote(ok, ctx)
- }
- plog(log_tag, LOCATION, NULL,
- "%s(%d) at depth:%d SubjectName:%s\n",
-- X509_verify_cert_error_string(ctx->error),
-- ctx->error,
-- ctx->error_depth,
-+ X509_verify_cert_error_string(ctx_error),
-+ ctx_error,
-+ X509_STORE_CTX_get_error_depth(ctx),
- buf);
- }
- ERR_clear_error();
-@@ -516,14 +522,15 @@ eay_get_x509asn1subjectname(cert)
- if (x509 == NULL)
- goto error;
-
-+ X509_NAME *subject_name = X509_get_subject_name(x509);
- /* get the length of the name */
-- len = i2d_X509_NAME(x509->cert_info->subject, NULL);
-+ len = i2d_X509_NAME(subject_name, NULL);
- name = vmalloc(len);
- if (!name)
- goto error;
- /* get the name */
- bp = (unsigned char *) name->v;
-- len = i2d_X509_NAME(x509->cert_info->subject, &bp);
-+ len = i2d_X509_NAME(subject_name, &bp);
-
- X509_free(x509);
-
-@@ -661,15 +668,16 @@ eay_get_x509asn1issuername(cert)
- if (x509 == NULL)
- goto error;
-
-+ X509_NAME *issuer_name = X509_get_issuer_name(x509);
- /* get the length of the name */
-- len = i2d_X509_NAME(x509->cert_info->issuer, NULL);
-+ len = i2d_X509_NAME(issuer_name, NULL);
- name = vmalloc(len);
- if (name == NULL)
- goto error;
-
- /* get the name */
- bp = (unsigned char *) name->v;
-- len = i2d_X509_NAME(x509->cert_info->issuer, &bp);
-+ len = i2d_X509_NAME(issuer_name, &bp);
-
- X509_free(x509);
-
-@@ -850,7 +858,7 @@ eay_check_x509sign(source, sig, cert)
- return -1;
- }
-
-- res = eay_rsa_verify(source, sig, evp->pkey.rsa);
-+ res = eay_rsa_verify(source, sig, EVP_PKEY_get0_RSA(evp));
-
- EVP_PKEY_free(evp);
- X509_free(x509);
-@@ -992,7 +1000,7 @@ eay_get_x509sign(src, privkey)
- if (evp == NULL)
- return NULL;
-
-- sig = eay_rsa_sign(src, evp->pkey.rsa);
-+ sig = eay_rsa_sign(src, EVP_PKEY_get0_RSA(evp));
-
- EVP_PKEY_free(evp);
-
-@@ -1079,7 +1087,11 @@ eay_strerror()
- int line, flags;
- unsigned long es;
-
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+ es = 0; /* even when allowed by OPENSSL_API_COMPAT, it is defined as 0 */
-+#else
- es = CRYPTO_thread_id();
-+#endif
-
- while ((l = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0){
- n = snprintf(ebuf + len, sizeof(ebuf) - len,
-@@ -1100,7 +1112,7 @@ vchar_t *
- evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc)
- {
- vchar_t *res;
-- EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX *ctx;
-
- if (!e)
- return NULL;
-@@ -1111,7 +1123,7 @@ evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc
- if ((res = vmalloc(data->l)) == NULL)
- return NULL;
-
-- EVP_CIPHER_CTX_init(&ctx);
-+ ctx = EVP_CIPHER_CTX_new();
-
- switch(EVP_CIPHER_nid(e)){
- case NID_bf_cbc:
-@@ -1125,54 +1137,41 @@ evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc
- /* XXX: can we do that also for algos with a fixed key size ?
- */
- /* init context without key/iv
-- */
-- if (!EVP_CipherInit(&ctx, e, NULL, NULL, enc))
-- {
-- OpenSSL_BUG();
-- vfree(res);
-- return NULL;
-- }
-+ */
-+ if (!EVP_CipherInit(ctx, e, NULL, NULL, enc))
-+ goto out;
-
-- /* update key size
-- */
-- if (!EVP_CIPHER_CTX_set_key_length(&ctx, key->l))
-- {
-- OpenSSL_BUG();
-- vfree(res);
-- return NULL;
-- }
--
-- /* finalize context init with desired key size
-- */
-- if (!EVP_CipherInit(&ctx, NULL, (u_char *) key->v,
-+ /* update key size
-+ */
-+ if (!EVP_CIPHER_CTX_set_key_length(ctx, key->l))
-+ goto out;
-+
-+ /* finalize context init with desired key size
-+ */
-+ if (!EVP_CipherInit(ctx, NULL, (u_char *) key->v,
- (u_char *) iv->v, enc))
-- {
-- OpenSSL_BUG();
-- vfree(res);
-- return NULL;
-- }
-+ goto out;
- break;
- default:
-- if (!EVP_CipherInit(&ctx, e, (u_char *) key->v,
-- (u_char *) iv->v, enc)) {
-- OpenSSL_BUG();
-- vfree(res);
-- return NULL;
-- }
-+ if (!EVP_CipherInit(ctx, e, (u_char *) key->v,
-+ (u_char *) iv->v, enc))
-+ goto out;
- }
-
- /* disable openssl padding */
-- EVP_CIPHER_CTX_set_padding(&ctx, 0);
-+ EVP_CIPHER_CTX_set_padding(ctx, 0);
-
-- if (!EVP_Cipher(&ctx, (u_char *) res->v, (u_char *) data->v, data->l)) {
-- OpenSSL_BUG();
-- vfree(res);
-- return NULL;
-- }
-+ if (!EVP_Cipher(ctx, (u_char *) res->v, (u_char *) data->v, data->l))
-+ goto out;
-
-- EVP_CIPHER_CTX_cleanup(&ctx);
-+ EVP_CIPHER_CTX_free(ctx);
-
- return res;
-+out:
-+ EVP_CIPHER_CTX_free(ctx);
-+ OpenSSL_BUG();
-+ vfree(res);
-+ return NULL;
- }
-
- int
-@@ -1230,7 +1229,7 @@ eay_des_keylen(len)
- return evp_keylen(len, EVP_des_cbc());
- }
-
--#ifdef HAVE_OPENSSL_IDEA_H
-+#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA)
- /*
- * IDEA-CBC
- */
-@@ -1587,7 +1586,7 @@ eay_aes_keylen(len)
- return len;
- }
-
--#if defined(HAVE_OPENSSL_CAMELLIA_H)
-+#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA)
- /*
- * CAMELLIA-CBC
- */
-@@ -1680,9 +1679,9 @@ eay_hmac_init(key, md)
- vchar_t *key;
- const EVP_MD *md;
- {
-- HMAC_CTX *c = racoon_malloc(sizeof(*c));
-+ HMAC_CTX *c = HMAC_CTX_new();
-
-- HMAC_Init(c, key->v, key->l, md);
-+ HMAC_Init_ex(c, key->v, key->l, md, NULL);
-
- return (caddr_t)c;
- }
-@@ -1761,8 +1760,7 @@ eay_hmacsha2_512_final(c)
-
- HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
- res->l = l;
-- HMAC_cleanup((HMAC_CTX *)c);
-- (void)racoon_free(c);
-+ HMAC_CTX_free((HMAC_CTX *)c);
-
- if (SHA512_DIGEST_LENGTH != res->l) {
- plog(LLV_ERROR, LOCATION, NULL,
-@@ -1811,8 +1809,7 @@ eay_hmacsha2_384_final(c)
-
- HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
- res->l = l;
-- HMAC_cleanup((HMAC_CTX *)c);
-- (void)racoon_free(c);
-+ HMAC_CTX_free((HMAC_CTX *)c);
-
- if (SHA384_DIGEST_LENGTH != res->l) {
- plog(LLV_ERROR, LOCATION, NULL,
-@@ -1861,8 +1858,7 @@ eay_hmacsha2_256_final(c)
-
- HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
- res->l = l;
-- HMAC_cleanup((HMAC_CTX *)c);
-- (void)racoon_free(c);
-+ HMAC_CTX_free((HMAC_CTX *)c);
-
- if (SHA256_DIGEST_LENGTH != res->l) {
- plog(LLV_ERROR, LOCATION, NULL,
-@@ -1912,8 +1908,7 @@ eay_hmacsha1_final(c)
-
- HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
- res->l = l;
-- HMAC_cleanup((HMAC_CTX *)c);
-- (void)racoon_free(c);
-+ HMAC_CTX_free((HMAC_CTX *)c);
-
- if (SHA_DIGEST_LENGTH != res->l) {
- plog(LLV_ERROR, LOCATION, NULL,
-@@ -1962,8 +1957,7 @@ eay_hmacmd5_final(c)
-
- HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
- res->l = l;
-- HMAC_cleanup((HMAC_CTX *)c);
-- (void)racoon_free(c);
-+ HMAC_CTX_free((HMAC_CTX *)c);
-
- if (MD5_DIGEST_LENGTH != res->l) {
- plog(LLV_ERROR, LOCATION, NULL,
-@@ -2266,6 +2260,7 @@ eay_dh_generate(prime, g, publen, pub, priv)
- u_int32_t g;
- {
- BIGNUM *p = NULL;
-+ BIGNUM *BNg = NULL;
- DH *dh = NULL;
- int error = -1;
-
-@@ -2276,25 +2271,28 @@ eay_dh_generate(prime, g, publen, pub, priv)
-
- if ((dh = DH_new()) == NULL)
- goto end;
-- dh->p = p;
-- p = NULL; /* p is now part of dh structure */
-- dh->g = NULL;
-- if ((dh->g = BN_new()) == NULL)
-+ if ((BNg = BN_new()) == NULL)
- goto end;
-- if (!BN_set_word(dh->g, g))
-+ if (!BN_set_word(BNg, g))
- goto end;
-+ if (! DH_set0_pqg(dh, p, NULL, BNg))
-+ goto end;
-+ BNg = NULL;
-+ p = NULL; /* p is now part of dh structure */
-
- if (publen != 0)
-- dh->length = publen;
-+ DH_set_length(dh, publen);
-
- /* generate public and private number */
- if (!DH_generate_key(dh))
- goto end;
-
- /* copy results to buffers */
-- if (eay_bn2v(pub, dh->pub_key) < 0)
-+ BIGNUM *pub_key, *priv_key;
-+ DH_get0_key(dh, (const BIGNUM**) &pub_key, (const BIGNUM**) &priv_key);
-+ if (eay_bn2v(pub, pub_key) < 0)
- goto end;
-- if (eay_bn2v(priv, dh->priv_key) < 0) {
-+ if (eay_bn2v(priv, priv_key) < 0) {
- vfree(*pub);
- goto end;
- }
-@@ -2306,6 +2304,8 @@ end:
- DH_free(dh);
- if (p != 0)
- BN_free(p);
-+ if (BNg != 0)
-+ BN_free(BNg);
- return(error);
- }
-
-@@ -2319,6 +2319,10 @@ eay_dh_compute(prime, g, pub, priv, pub2, key)
- int l;
- unsigned char *v = NULL;
- int error = -1;
-+ BIGNUM *p = BN_new();
-+ BIGNUM *BNg = BN_new();
-+ BIGNUM *pub_key = BN_new();
-+ BIGNUM *priv_key = BN_new();
-
- /* make public number to compute */
- if (eay_v2bn(&dh_pub, pub2) < 0)
-@@ -2327,19 +2331,21 @@ eay_dh_compute(prime, g, pub, priv, pub2, key)
- /* make DH structure */
- if ((dh = DH_new()) == NULL)
- goto end;
-- if (eay_v2bn(&dh->p, prime) < 0)
-+ if (p == NULL || BNg == NULL || pub_key == NULL || priv_key == NULL)
- goto end;
-- if (eay_v2bn(&dh->pub_key, pub) < 0)
-+
-+ if (eay_v2bn(&p, prime) < 0)
- goto end;
-- if (eay_v2bn(&dh->priv_key, priv) < 0)
-+ if (eay_v2bn(&pub_key, pub) < 0)
- goto end;
-- dh->length = pub2->l * 8;
--
-- dh->g = NULL;
-- if ((dh->g = BN_new()) == NULL)
-+ if (eay_v2bn(&priv_key, priv) < 0)
- goto end;
-- if (!BN_set_word(dh->g, g))
-+ if (!BN_set_word(BNg, g))
- goto end;
-+ DH_set0_key(dh, pub_key, priv_key);
-+ DH_set_length(dh, pub2->l * 8);
-+ DH_set0_pqg(dh, p, NULL, BNg);
-+ pub_key = priv_key = p = BNg = NULL;
-
- if ((v = racoon_calloc(prime->l, sizeof(u_char))) == NULL)
- goto end;
-@@ -2350,6 +2356,14 @@ eay_dh_compute(prime, g, pub, priv, pub2, key)
- error = 0;
-
- end:
-+ if (p != NULL)
-+ BN_free(p);
-+ if (BNg != NULL)
-+ BN_free(BNg);
-+ if (pub_key != NULL)
-+ BN_free(pub_key);
-+ if (priv_key != NULL)
-+ BN_free(priv_key);
- if (dh_pub != NULL)
- BN_free(dh_pub);
- if (dh != NULL)
-@@ -2400,12 +2414,14 @@ eay_bn2v(var, bn)
- void
- eay_init()
- {
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- OpenSSL_add_all_algorithms();
- ERR_load_crypto_strings();
- #ifdef HAVE_OPENSSL_ENGINE_H
- ENGINE_load_builtin_engines();
- ENGINE_register_all_complete();
- #endif
-+#endif
- }
-
- vchar_t *
-@@ -2504,8 +2520,7 @@ binbuf_pubkey2rsa(vchar_t *binbuf)
- goto out;
- }
-
-- rsa_pub->n = mod;
-- rsa_pub->e = exp;
-+ RSA_set0_key(rsa_pub, mod, exp, NULL);
-
- out:
- return rsa_pub;
-@@ -2582,5 +2597,5 @@ eay_random()
- const char *
- eay_version()
- {
-- return SSLeay_version(SSLEAY_VERSION);
-+ return OpenSSL_version(OPENSSL_VERSION);
- }
-diff --git a/src/racoon/crypto_openssl.h b/src/racoon/crypto_openssl.h
-index 66fac73..ee5b765 100644
---- a/src/racoon/crypto_openssl.h
-+++ b/src/racoon/crypto_openssl.h
-@@ -124,7 +124,7 @@ extern vchar_t *eay_aes_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
- extern int eay_aes_weakkey __P((vchar_t *));
- extern int eay_aes_keylen __P((int));
-
--#if defined(HAVE_OPENSSL_CAMELLIA_H)
-+#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA)
- /* Camellia */
- extern vchar_t *eay_camellia_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
- extern vchar_t *eay_camellia_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
-diff --git a/src/racoon/eaytest.c b/src/racoon/eaytest.c
-index 1474bdc..ae09db3 100644
---- a/src/racoon/eaytest.c
-+++ b/src/racoon/eaytest.c
-@@ -62,6 +62,7 @@
- #include "dhgroup.h"
- #include "crypto_openssl.h"
- #include "gnuc.h"
-+#include "openssl_compat.h"
-
- #include "package_version.h"
-
-@@ -103,7 +104,7 @@ rsa_verify_with_pubkey(src, sig, pubkey_txt)
- printf ("PEM_read_PUBKEY(): %s\n", eay_strerror());
- return -1;
- }
-- error = eay_check_rsasign(src, sig, evp->pkey.rsa);
-+ error = eay_check_rsasign(src, sig, EVP_PKEY_get0_RSA(evp));
-
- return error;
- }
-@@ -698,7 +699,7 @@ ciphertest(ac, av)
- eay_cast_encrypt, eay_cast_decrypt) < 0)
- return -1;
-
--#ifdef HAVE_OPENSSL_IDEA_H
-+#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA)
- if (ciphertest_1 ("IDEA",
- &data, 8,
- &key, key.l,
-@@ -715,7 +716,7 @@ ciphertest(ac, av)
- eay_rc5_encrypt, eay_rc5_decrypt) < 0)
- return -1;
- #endif
--#if defined(HAVE_OPENSSL_CAMELLIA_H)
-+#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA)
- if (ciphertest_1 ("CAMELLIA",
- &data, 16,
- &key, key.l,
-diff --git a/src/racoon/ipsec_doi.c b/src/racoon/ipsec_doi.c
-index 84a4c71..b52469f 100644
---- a/src/racoon/ipsec_doi.c
-+++ b/src/racoon/ipsec_doi.c
-@@ -715,7 +715,7 @@ out:
- /* key length must not be specified on some algorithms */
- if (keylen) {
- if (sa->enctype == OAKLEY_ATTR_ENC_ALG_DES
--#ifdef HAVE_OPENSSL_IDEA_H
-+#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA)
- || sa->enctype == OAKLEY_ATTR_ENC_ALG_IDEA
- #endif
- || sa->enctype == OAKLEY_ATTR_ENC_ALG_3DES) {
-diff --git a/src/racoon/openssl_compat.c b/src/racoon/openssl_compat.c
-new file mode 100644
-index 0000000..864b5fb
---- /dev/null
-+++ b/src/racoon/openssl_compat.c
-@@ -0,0 +1,213 @@
-+/*
-+ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
-+ *
-+ * Licensed under the OpenSSL license (the "License"). You may not use
-+ * this file except in compliance with the License. You can obtain a copy
-+ * in the file LICENSE in the source distribution or at
-+ * https://www.openssl.org/source/license.html
-+ */
-+
-+#include "openssl_compat.h"
-+
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+
-+#include <string.h>
-+
-+static void *OPENSSL_zalloc(size_t num)
-+{
-+ void *ret = OPENSSL_malloc(num);
-+
-+ if (ret != NULL)
-+ memset(ret, 0, num);
-+ return ret;
-+}
-+
-+int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
-+{
-+ /* If the fields n and e in r are NULL, the corresponding input
-+ * parameters MUST be non-NULL for n and e. d may be
-+ * left NULL (in case only the public key is used).
-+ */
-+ if ((r->n == NULL && n == NULL)
-+ || (r->e == NULL && e == NULL))
-+ return 0;
-+
-+ if (n != NULL) {
-+ BN_free(r->n);
-+ r->n = n;
-+ }
-+ if (e != NULL) {
-+ BN_free(r->e);
-+ r->e = e;
-+ }
-+ if (d != NULL) {
-+ BN_free(r->d);
-+ r->d = d;
-+ }
-+
-+ return 1;
-+}
-+
-+int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
-+{
-+ /* If the fields p and q in r are NULL, the corresponding input
-+ * parameters MUST be non-NULL.
-+ */
-+ if ((r->p == NULL && p == NULL)
-+ || (r->q == NULL && q == NULL))
-+ return 0;
-+
-+ if (p != NULL) {
-+ BN_free(r->p);
-+ r->p = p;
-+ }
-+ if (q != NULL) {
-+ BN_free(r->q);
-+ r->q = q;
-+ }
-+
-+ return 1;
-+}
-+
-+int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
-+{
-+ /* If the fields dmp1, dmq1 and iqmp in r are NULL, the corresponding input
-+ * parameters MUST be non-NULL.
-+ */
-+ if ((r->dmp1 == NULL && dmp1 == NULL)
-+ || (r->dmq1 == NULL && dmq1 == NULL)
-+ || (r->iqmp == NULL && iqmp == NULL))
-+ return 0;
-+
-+ if (dmp1 != NULL) {
-+ BN_free(r->dmp1);
-+ r->dmp1 = dmp1;
-+ }
-+ if (dmq1 != NULL) {
-+ BN_free(r->dmq1);
-+ r->dmq1 = dmq1;
-+ }
-+ if (iqmp != NULL) {
-+ BN_free(r->iqmp);
-+ r->iqmp = iqmp;
-+ }
-+
-+ return 1;
-+}
-+
-+void RSA_get0_key(const RSA *r,
-+ const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
-+{
-+ if (n != NULL)
-+ *n = r->n;
-+ if (e != NULL)
-+ *e = r->e;
-+ if (d != NULL)
-+ *d = r->d;
-+}
-+
-+void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q)
-+{
-+ if (p != NULL)
-+ *p = r->p;
-+ if (q != NULL)
-+ *q = r->q;
-+}
-+
-+void RSA_get0_crt_params(const RSA *r,
-+ const BIGNUM **dmp1, const BIGNUM **dmq1,
-+ const BIGNUM **iqmp)
-+{
-+ if (dmp1 != NULL)
-+ *dmp1 = r->dmp1;
-+ if (dmq1 != NULL)
-+ *dmq1 = r->dmq1;
-+ if (iqmp != NULL)
-+ *iqmp = r->iqmp;
-+}
-+
-+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
-+{
-+ /* If the fields p and g in d are NULL, the corresponding input
-+ * parameters MUST be non-NULL. q may remain NULL.
-+ */
-+ if ((dh->p == NULL && p == NULL)
-+ || (dh->g == NULL && g == NULL))
-+ return 0;
-+
-+ if (p != NULL) {
-+ BN_free(dh->p);
-+ dh->p = p;
-+ }
-+ if (q != NULL) {
-+ BN_free(dh->q);
-+ dh->q = q;
-+ }
-+ if (g != NULL) {
-+ BN_free(dh->g);
-+ dh->g = g;
-+ }
-+
-+ if (q != NULL) {
-+ dh->length = BN_num_bits(q);
-+ }
-+
-+ return 1;
-+}
-+
-+void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key)
-+{
-+ if (pub_key != NULL)
-+ *pub_key = dh->pub_key;
-+ if (priv_key != NULL)
-+ *priv_key = dh->priv_key;
-+}
-+
-+int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)
-+{
-+ /* If the field pub_key in dh is NULL, the corresponding input
-+ * parameters MUST be non-NULL. The priv_key field may
-+ * be left NULL.
-+ */
-+ if (dh->pub_key == NULL && pub_key == NULL)
-+ return 0;
-+
-+ if (pub_key != NULL) {
-+ BN_free(dh->pub_key);
-+ dh->pub_key = pub_key;
-+ }
-+ if (priv_key != NULL) {
-+ BN_free(dh->priv_key);
-+ dh->priv_key = priv_key;
-+ }
-+
-+ return 1;
-+}
-+
-+int DH_set_length(DH *dh, long length)
-+{
-+ dh->length = length;
-+ return 1;
-+}
-+
-+HMAC_CTX *HMAC_CTX_new(void)
-+{
-+ return OPENSSL_zalloc(sizeof(HMAC_CTX));
-+}
-+
-+void HMAC_CTX_free(HMAC_CTX *ctx)
-+{
-+ HMAC_CTX_cleanup(ctx);
-+ OPENSSL_free(ctx);
-+}
-+
-+RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
-+{
-+ if (pkey->type != EVP_PKEY_RSA) {
-+ return NULL;
-+ }
-+ return pkey->pkey.rsa;
-+}
-+
-+
-+#endif /* OPENSSL_VERSION_NUMBER */
-diff --git a/src/racoon/openssl_compat.h b/src/racoon/openssl_compat.h
-new file mode 100644
-index 0000000..9e152c2
---- /dev/null
-+++ b/src/racoon/openssl_compat.h
-@@ -0,0 +1,45 @@
-+#ifndef OPENSSL_COMPAT_H
-+#define OPENSSL_COMPAT_H
-+
-+#include <openssl/opensslv.h>
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+
-+#include <openssl/rsa.h>
-+#include <openssl/dh.h>
-+#include <openssl/evp.h>
-+#include <openssl/hmac.h>
-+
-+int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
-+int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q);
-+int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp);
-+void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d);
-+void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q);
-+void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, const BIGNUM **iqmp);
-+
-+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
-+void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key);
-+int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key);
-+int DH_set_length(DH *dh, long length);
-+
-+HMAC_CTX *HMAC_CTX_new(void);
-+void HMAC_CTX_free(HMAC_CTX* ctx);
-+
-+RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey);
-+
-+#define ASN1_STRING_length(s) s->length
-+#define ASN1_STRING_get0_data(s) s->data
-+
-+#define X509_get_subject_name(x) x->cert_info->subject
-+#define X509_get_issuer_name(x) x->cert_info->issuer
-+#define X509_NAME_ENTRY_get_data(n) n->value
-+#define X509_NAME_ENTRY_get_object(n) n->object
-+#define X509_STORE_CTX_get_current_cert(ctx) ctx->current_cert
-+#define X509_STORE_CTX_get_error(ctx) ctx->error
-+#define X509_STORE_CTX_get_error_depth(ctx) ctx->error_depth
-+
-+#define OPENSSL_VERSION SSLEAY_VERSION
-+#define OpenSSL_version SSLeay_version
-+
-+#endif /* OPENSSL_VERSION_NUMBER */
-+
-+#endif /* OPENSSL_COMPAT_H */
-diff --git a/src/racoon/plainrsa-gen.c b/src/racoon/plainrsa-gen.c
-index cad1861..b949b08 100644
---- a/src/racoon/plainrsa-gen.c
-+++ b/src/racoon/plainrsa-gen.c
-@@ -60,6 +60,7 @@
- #include "vmbuf.h"
- #include "plog.h"
- #include "crypto_openssl.h"
-+#include "openssl_compat.h"
-
- #include "package_version.h"
-
-@@ -90,12 +91,14 @@ mix_b64_pubkey(const RSA *key)
- char *binbuf;
- long binlen, ret;
- vchar_t *res;
--
-- binlen = 1 + BN_num_bytes(key->e) + BN_num_bytes(key->n);
-+ const BIGNUM *e, *n;
-+
-+ RSA_get0_key(key, &n, &e, NULL);
-+ binlen = 1 + BN_num_bytes(e) + BN_num_bytes(n);
- binbuf = malloc(binlen);
- memset(binbuf, 0, binlen);
-- binbuf[0] = BN_bn2bin(key->e, (unsigned char *) &binbuf[1]);
-- ret = BN_bn2bin(key->n, (unsigned char *) (&binbuf[binbuf[0] + 1]));
-+ binbuf[0] = BN_bn2bin(e, (unsigned char *) &binbuf[1]);
-+ ret = BN_bn2bin(n, (unsigned char *) (&binbuf[binbuf[0] + 1]));
- if (1 + binbuf[0] + ret != binlen) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Pubkey generation failed. This is really strange...\n");
-@@ -131,16 +134,20 @@ print_rsa_key(FILE *fp, const RSA *key)
-
- fprintf(fp, "# : PUB 0s%s\n", pubkey64->v);
- fprintf(fp, ": RSA\t{\n");
-- fprintf(fp, "\t# RSA %d bits\n", BN_num_bits(key->n));
-+ const BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp;
-+ RSA_get0_key(key, &n, &e, &d);
-+ RSA_get0_factors(key, &p, &q);
-+ RSA_get0_crt_params(key, &dmp1, &dmq1, &iqmp);
-+ fprintf(fp, "\t# RSA %d bits\n", BN_num_bits(n));
- fprintf(fp, "\t# pubkey=0s%s\n", pubkey64->v);
-- fprintf(fp, "\tModulus: 0x%s\n", lowercase(BN_bn2hex(key->n)));
-- fprintf(fp, "\tPublicExponent: 0x%s\n", lowercase(BN_bn2hex(key->e)));
-- fprintf(fp, "\tPrivateExponent: 0x%s\n", lowercase(BN_bn2hex(key->d)));
-- fprintf(fp, "\tPrime1: 0x%s\n", lowercase(BN_bn2hex(key->p)));
-- fprintf(fp, "\tPrime2: 0x%s\n", lowercase(BN_bn2hex(key->q)));
-- fprintf(fp, "\tExponent1: 0x%s\n", lowercase(BN_bn2hex(key->dmp1)));
-- fprintf(fp, "\tExponent2: 0x%s\n", lowercase(BN_bn2hex(key->dmq1)));
-- fprintf(fp, "\tCoefficient: 0x%s\n", lowercase(BN_bn2hex(key->iqmp)));
-+ fprintf(fp, "\tModulus: 0x%s\n", lowercase(BN_bn2hex(n)));
-+ fprintf(fp, "\tPublicExponent: 0x%s\n", lowercase(BN_bn2hex(e)));
-+ fprintf(fp, "\tPrivateExponent: 0x%s\n", lowercase(BN_bn2hex(d)));
-+ fprintf(fp, "\tPrime1: 0x%s\n", lowercase(BN_bn2hex(p)));
-+ fprintf(fp, "\tPrime2: 0x%s\n", lowercase(BN_bn2hex(q)));
-+ fprintf(fp, "\tExponent1: 0x%s\n", lowercase(BN_bn2hex(dmp1)));
-+ fprintf(fp, "\tExponent2: 0x%s\n", lowercase(BN_bn2hex(dmq1)));
-+ fprintf(fp, "\tCoefficient: 0x%s\n", lowercase(BN_bn2hex(iqmp)));
- fprintf(fp, " }\n");
-
- vfree(pubkey64);
-@@ -203,11 +210,13 @@ int
- gen_rsa_key(FILE *fp, size_t bits, unsigned long exp)
- {
- int ret;
-- RSA *key;
-+ RSA *key = RSA_new();
-+ BIGNUM *e = BN_new();
-
-- key = RSA_generate_key(bits, exp, NULL, NULL);
-- if (!key) {
-+ BN_set_word(e, exp);
-+ if (! RSA_generate_key_ex(key, bits, e, NULL)) {
- fprintf(stderr, "RSA_generate_key(): %s\n", eay_strerror());
-+ RSA_free(key);
- return -1;
- }
-
-diff --git a/src/racoon/prsa_par.y b/src/racoon/prsa_par.y
-index 1987e4d..27ce4c6 100644
---- a/src/racoon/prsa_par.y
-+++ b/src/racoon/prsa_par.y
-@@ -68,6 +68,7 @@
- #include "isakmp_var.h"
- #include "handler.h"
- #include "crypto_openssl.h"
-+#include "openssl_compat.h"
- #include "sockmisc.h"
- #include "rsalist.h"
-
-@@ -85,7 +86,18 @@ char *prsa_cur_fname = NULL;
- struct genlist *prsa_cur_list = NULL;
- enum rsa_key_type prsa_cur_type = RSA_TYPE_ANY;
-
--static RSA *rsa_cur;
-+struct my_rsa_st {
-+ BIGNUM *n;
-+ BIGNUM *e;
-+ BIGNUM *d;
-+ BIGNUM *p;
-+ BIGNUM *q;
-+ BIGNUM *dmp1;
-+ BIGNUM *dmq1;
-+ BIGNUM *iqmp;
-+};
-+
-+static struct my_rsa_st *rsa_cur;
-
- void
- prsaerror(const char *s, ...)
-@@ -201,8 +213,12 @@ rsa_statement:
- rsa_cur->iqmp = NULL;
- }
- }
-- $$ = rsa_cur;
-- rsa_cur = RSA_new();
-+ RSA * rsa_tmp = RSA_new();
-+ RSA_set0_key(rsa_tmp, rsa_cur->n, rsa_cur->e, rsa_cur->d);
-+ RSA_set0_factors(rsa_tmp, rsa_cur->p, rsa_cur->q);
-+ RSA_set0_crt_params(rsa_tmp, rsa_cur->dmp1, rsa_cur->dmq1, rsa_cur->iqmp);
-+ $$ = rsa_tmp;
-+ memset(rsa_cur, 0, sizeof(struct my_rsa_st));
- }
- | TAG_PUB BASE64
- {
-@@ -351,10 +367,12 @@ prsa_parse_file(struct genlist *list, char *fname, enum rsa_key_type type)
- prsa_cur_fname = fname;
- prsa_cur_list = list;
- prsa_cur_type = type;
-- rsa_cur = RSA_new();
-+ rsa_cur = malloc(sizeof(struct my_rsa_st));
-+ memset(rsa_cur, 0, sizeof(struct my_rsa_st));
- ret = prsaparse();
- if (rsa_cur) {
-- RSA_free(rsa_cur);
-+ memset(rsa_cur, 0, sizeof(struct my_rsa_st));
-+ free(rsa_cur);
- rsa_cur = NULL;
- }
- fclose (fp);
-diff --git a/src/racoon/rsalist.c b/src/racoon/rsalist.c
-index f152c82..96e8363 100644
---- a/src/racoon/rsalist.c
-+++ b/src/racoon/rsalist.c
-@@ -52,6 +52,7 @@
- #include "genlist.h"
- #include "remoteconf.h"
- #include "crypto_openssl.h"
-+#include "openssl_compat.h"
-
- #ifndef LIST_FIRST
- #define LIST_FIRST(head) ((head)->lh_first)
-@@ -98,7 +99,9 @@ rsa_key_dup(struct rsa_key *key)
- return NULL;
-
- if (key->rsa) {
-- new->rsa = key->rsa->d != NULL ? RSAPrivateKey_dup(key->rsa) : RSAPublicKey_dup(key->rsa);
-+ const BIGNUM *d;
-+ RSA_get0_key(key->rsa, NULL, NULL, &d);
-+ new->rsa = (d != NULL ? RSAPrivateKey_dup(key->rsa) : RSAPublicKey_dup(key->rsa));
- if (new->rsa == NULL)
- goto dup_error;
- }
---
-2.16.1
-
+++ /dev/null
---- a/src/racoon/crypto_openssl.c
-+++ b/src/racoon/crypto_openssl.c
-@@ -1087,7 +1087,7 @@ eay_strerror()
- int line, flags;
- unsigned long es;
-
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
- es = 0; /* even when allowed by OPENSSL_API_COMPAT, it is defined as 0 */
- #else
- es = CRYPTO_thread_id();
---- a/src/racoon/openssl_compat.h
-+++ b/src/racoon/openssl_compat.h
-@@ -5,6 +5,7 @@
- #if OPENSSL_VERSION_NUMBER < 0x10100000L
-
- #include <openssl/rsa.h>
-+#include <openssl/bn.h>
- #include <openssl/dh.h>
- #include <openssl/evp.h>
- #include <openssl/hmac.h>
git.99rst.org / openwrt-packages.git / commitdiff