authorAdrian Bunk <bunk@stusta.de>2019-05-22 15:15:45 +0300
committerKhem Raj <raj.khem@gmail.com>2019-05-23 08:26:14 -0700
commitbb4aa80bfbd67ddfafeaf7700aff993592387a21 (patch)
tree101d431e3555c37992c4823e9992367cd3e750fa
parentdb45f2c886253533df079a161bfd6a75c4070db4 (diff)
downloadmeta-openembedded-bb4aa80bfbd67ddfafeaf7700aff993592387a21.tar.gz
Remove ipsec-tools and umip
ipsec-tools is dead upstream and upstream recommends against using it: http://ipsec-tools.sourceforge.net/ A more detailed explanation from the Debian maintainer: https://bugs.debian.org/917847 umip was the only package depending on ipsec-tools. umip has been dormant upstream since 2013. Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Khem Raj <raj.khem@gmail.com>
-rw-r--r--meta-networking/recipes-connectivity/umip/umip/0001-Add-format-string-to-fprintf-call.patch26
-rw-r--r--meta-networking/recipes-connectivity/umip/umip/0001-replace-SIGCLD-with-SIGCHLD-and-include-sys-types.h.patch38
-rw-r--r--meta-networking/recipes-connectivity/umip/umip/0001-support-openssl-1.1.x.patch88
-rw-r--r--meta-networking/recipes-connectivity/umip/umip/0002-replace-PTHREAD_MUTEX_FAST_NP-with-PTHREAD_MUTEX_NOR.patch143
-rw-r--r--meta-networking/recipes-connectivity/umip/umip/add-dependency-to-support-parallel-compilation.patch23
-rwxr-xr-xmeta-networking/recipes-connectivity/umip/umip/mip6d112
-rw-r--r--meta-networking/recipes-connectivity/umip/umip/mip6d.service10
-rw-r--r--meta-networking/recipes-connectivity/umip/umip_1.0.bb46
-rw-r--r--meta-networking/recipes-core/packagegroups/packagegroup-meta-networking.bb4
-rw-r--r--meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-Disable-gcc8-specific-warnings.patch86
-rw-r--r--meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-Fix-build-with-clang.patch115
-rw-r--r--meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-Fix-header-issues-found-with-musl-libc.patch249
-rw-r--r--meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-ipsec-tools-add-openssl-1.1-support.patch1086
-rw-r--r--meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-racoon-pfkey-avoid-potential-null-pointer-dereferenc.patch33
-rw-r--r--meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-Don-t-link-against-libfl.patch87
-rw-r--r--meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-cfparse-clear-memory-equal-to-size-of-array.patch30
-rw-r--r--meta-networking/recipes-support/ipsec-tools/ipsec-tools/configure.patch13
-rw-r--r--meta-networking/recipes-support/ipsec-tools/ipsec-tools/fix-CVE-2015-4047.patch38
-rw-r--r--meta-networking/recipes-support/ipsec-tools/ipsec-tools/fix-CVE-2016-10396.patch207
-rw-r--r--meta-networking/recipes-support/ipsec-tools/ipsec-tools/glibc-2.20.patch23
-rw-r--r--meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-Resend-UPDATE-message-when-received-EINTR-message.patch220
-rw-r--r--meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-ivm.patch26
-rw-r--r--meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-pointers.patch61
-rw-r--r--meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.conf8
-rw-r--r--meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.conf.sample40
-rw-r--r--meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.service11
-rw-r--r--meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb98
27 files changed, 2 insertions, 2919 deletions
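diff --git a/meta-networking/recipes-connectivity/umip/umip/0001-Add-format-string-to-fprintf-call.patch b/meta-networking/recipes-connectivity/umip/umip/0001-Add-format-string-to-fprintf-call.patch
deleted file mode 100644
index 8e5f4da362..0000000000
--- a/meta-networking/recipes-connectivity/umip/umip/0001-Add-format-string-to-fprintf-call.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From a0ad5128d14b022239445e251cf4a9826e86aa96 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Tue, 27 Jun 2017 07:48:31 -0700
-Subject: [PATCH] Add format string to fprintf() call
-
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- src/vt.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/vt.c b/src/vt.c
-index 795d393..a533d3d 100644
---- a/src/vt.c
-+++ b/src/vt.c
-@@ -499,7 +499,7 @@ static int vt_cmd_dump_candidates(const struct vt_handle *vh,
- }
- llen += cmdlen;
-
-- ret = fprintf(vh->vh_stream, e->cmd);
-+ ret = fprintf(vh->vh_stream, "%s", e->cmd);
- if (ret < 0)
- return ret;
-
---
-2.13.2
-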
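diff --git a/meta-networking/recipes-connectivity/umip/umip/0001-replace-SIGCLD-with-SIGCHLD-and-include-sys-types.h.patch b/meta-networking/recipes-connectivity/umip/umip/0001-replace-SIGCLD-with-SIGCHLD-and-include-sys-types.h.patch
deleted file mode 100644
index 153bced396..0000000000
--- a/meta-networking/recipes-connectivity/umip/umip/0001-replace-SIGCLD-with-SIGCHLD-and-include-sys-types.h.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From f567740cf64978ac9db014c786b6d0267b244f33 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Sun, 4 Mar 2018 22:30:30 -0800
-Subject: [PATCH 1/2] replace SIGCLD with SIGCHLD and include sys/types.h
-
-Fixes
-main.c:129:10: error: 'SIGCLD' undeclared (first use in this function); did you mean 'SIGCHLD'?
- signal(SIGCLD, sig_child);
- ^~~~~~
- SIGCHLD
-
-main.c:125:2: warning: implicit declaration of function 'umask' [-Wimplicit-function-declaration]
- umask(0);
- ^~~~~
-
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
-Upstream-Status: Pending
-
- src/main.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-Index: git/src/main.c
-===================================================================
---- git.orig/src/main.c
-+++ git/src/main.c
-@@ -133,9 +133,9 @@ static void daemon_start(int ignsigcld)
-
- if (ignsigcld) {
- #ifdef SIGTSTP
-- signal(SIGCLD, sig_child);
-+ signal(SIGCHLD, sig_child);
- #else
-- signal(SIGCLD, SIG_IGN);
-+ signal(SIGCHLD, SIG_IGN);
- #endif
- }
- }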
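diff --git a/meta-networking/recipes-connectivity/umip/umip/0001-support-openssl-1.1.x.patch b/meta-networking/recipes-connectivity/umip/umip/0001-support-openssl-1.1.x.patch
deleted file mode 100644
index d8355e25f2..0000000000
--- a/meta-networking/recipes-connectivity/umip/umip/0001-support-openssl-1.1.x.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From 62784e8b6df8ff3a907c1f816154808bea9d7064 Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Tue, 25 Sep 2018 14:38:14 +0800
-Subject: [PATCH] support openssl 1.1.x
-
-Long time no maintain from upstream since 2013
-(git://git.umip.org/umip/umip.git), backport a
-fix from openSUSE
-
-Upstream-Status: Backport [openSUSE]
-http://ftp.gwdg.de/pub/opensuse/source/distribution/leap/15.0/repo/oss/src/mipv6d-2.0.2.umip.0.4-lp150.1.2.src.rpm
-
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- src/keygen.c | 12 ++++++++++++
- src/mh.c | 17 ++++++++++++++++-
- 2 files changed, 28 insertions(+), 1 deletion(-)
-
-diff --git a/src/keygen.c b/src/keygen.c
-index e434a38..b902644 100644
---- a/src/keygen.c
-+++ b/src/keygen.c
-@@ -172,6 +172,7 @@ static void build_kgen_token(struct in6_addr *addr, uint8_t *nonce,
- uint8_t tmp[20];
- #ifdef HAVE_LIBCRYPTO
- unsigned int len = 20;
-+#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x1010006fL
- HMAC_CTX ctx;
-
- HMAC_CTX_init(&ctx);
-@@ -182,6 +183,17 @@ static void build_kgen_token(struct in6_addr *addr, uint8_t *nonce,
- HMAC_Final(&ctx, tmp, &len);
- HMAC_CTX_cleanup(&ctx);
- #else
-+ HMAC_CTX *ctx;
-+ ctx = HMAC_CTX_new();
-+ HMAC_Init_ex(ctx, key_cn, sizeof(key_cn), EVP_sha1(), NULL);
-+ HMAC_Update(ctx, (unsigned char *)addr, sizeof(*addr));
-+ HMAC_Update(ctx, nonce, NONCE_LENGTH);
-+ HMAC_Update(ctx, &id, sizeof(id));
-+ HMAC_Final(ctx, tmp, &len);
-+ HMAC_CTX_free(ctx);
-+#endif // End of defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x1010006fL
-+
-+#else
- HMAC_SHA1_CTX ctx;
-
- HMAC_SHA1_init(&ctx, key_cn, sizeof(key_cn));
-diff --git a/src/mh.c b/src/mh.c
-index cba9a33..212eb5a 100644
---- a/src/mh.c
-+++ b/src/mh.c
-@@ -518,9 +518,10 @@ static int calculate_auth_data(const struct iovec *iov, int iovlen,
-
- #ifdef HAVE_LIBCRYPTO
- unsigned int len = HMAC_SHA1_HASH_LEN;
-- HMAC_CTX ctx;
- const EVP_MD *evp_md = EVP_sha1();
-
-+#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x1010006fL
-+ HMAC_CTX ctx;
- HMAC_CTX_init(&ctx);
- HMAC_Init_ex(&ctx, key, HMAC_SHA1_KEY_SIZE, evp_md, NULL);
-
-@@ -532,6 +533,20 @@ static int calculate_auth_data(const struct iovec *iov, int iovlen,
- HMAC_Final(&ctx, buf, &len);
- HMAC_CTX_cleanup(&ctx);
- #else
-+ HMAC_CTX *ctx;
-+ ctx = HMAC_CTX_new();
-+ HMAC_Init_ex(ctx, key, HMAC_SHA1_KEY_SIZE, evp_md, NULL);
-+
-+ HMAC_Update(ctx, (uint8_t *)coa, sizeof(*coa));
-+ HMAC_Update(ctx, (uint8_t *)cn, sizeof(*coa));
-+ for (i = 0; i < iovlen; i++) {
-+ HMAC_Update(ctx, (uint8_t *)iov[i].iov_base, iov[i].iov_len);
-+ }
-+ HMAC_Final(ctx, buf, &len);
-+ HMAC_CTX_free(ctx);
-+#endif
-+
-+#else
- HMAC_SHA1_CTX ctx;
-
- HMAC_SHA1_init(&ctx, key, HMAC_SHA1_KEY_SIZE);
---
-2.7.4
-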
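diff --git a/meta-networking/recipes-connectivity/umip/umip/0002-replace-PTHREAD_MUTEX_FAST_NP-with-PTHREAD_MUTEX_NOR.patch b/meta-networking/recipes-connectivity/umip/umip/0002-replace-PTHREAD_MUTEX_FAST_NP-with-PTHREAD_MUTEX_NOR.patch
deleted file mode 100644
index 90d12da149..0000000000
--- a/meta-networking/recipes-connectivity/umip/umip/0002-replace-PTHREAD_MUTEX_FAST_NP-with-PTHREAD_MUTEX_NOR.patch
+++ /dev/null
@@ -1,143 +0,0 @@
-From 19b6cf8099e1974b5fc39086fc54103b0cbc2658 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Sun, 4 Mar 2018 23:01:25 -0800
-Subject: [PATCH 2/2] replace PTHREAD_MUTEX_FAST_NP with PTHREAD_MUTEX_NORMAL
-
-PTHREAD_MUTEX_FAST_NP is not available on non-posix systems
-e.g. musl
-
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
-Upstream-Status: Pending
-
- src/ha.c | 2 +-
- src/icmp6.c | 2 +-
- src/mh.c | 2 +-
- src/mn.c | 2 +-
- src/movement.c | 2 +-
- src/mpdisc_ha.c | 2 +-
- src/mpdisc_mn.c | 2 +-
- src/tqueue.c | 2 +-
- src/tunnelctl.c | 2 +-
- 9 files changed, 9 insertions(+), 9 deletions(-)
-
-diff --git a/src/ha.c b/src/ha.c
-index fbdcff0..b2f811e 100644
---- a/src/ha.c
-+++ b/src/ha.c
-@@ -1246,7 +1246,7 @@ int ha_init(void)
- {
- pthread_mutexattr_t mattrs;
- pthread_mutexattr_init(&mattrs);
-- pthread_mutexattr_settype(&mattrs, PTHREAD_MUTEX_FAST_NP);
-+ pthread_mutexattr_settype(&mattrs, PTHREAD_MUTEX_NORMAL);
- if (pthread_mutex_init(&bu_worker_mutex, &mattrs) ||
- pthread_cond_init(&cond, NULL))
- return -1;
-diff --git a/src/icmp6.c b/src/icmp6.c
-index 3695135..6460634 100644
---- a/src/icmp6.c
-+++ b/src/icmp6.c
-@@ -243,7 +243,7 @@ int icmp6_init(void)
- return -1;
- /* create ICMP listener thread */
- pthread_mutexattr_init(&mattrs);
-- pthread_mutexattr_settype(&mattrs, PTHREAD_MUTEX_FAST_NP);
-+ pthread_mutexattr_settype(&mattrs, PTHREAD_MUTEX_NORMAL);
- if (pthread_mutex_init(&icmp6_sock.send_mutex, &mattrs) ||
- pthread_rwlock_init(&handler_lock, NULL) ||
- pthread_create(&icmp6_listener, NULL, icmp6_listen, NULL))
-diff --git a/src/mh.c b/src/mh.c
-index 60e345e..7928f4c 100644
---- a/src/mh.c
-+++ b/src/mh.c
-@@ -204,7 +204,7 @@ int mh_init(void)
- return -1;
-
- pthread_mutexattr_init(&mattrs);
-- pthread_mutexattr_settype(&mattrs, PTHREAD_MUTEX_FAST_NP);
-+ pthread_mutexattr_settype(&mattrs, PTHREAD_MUTEX_NORMAL);
- if (pthread_mutex_init(&mh_sock.send_mutex, &mattrs) ||
- pthread_rwlock_init(&handler_lock, NULL) ||
- pthread_create(&mh_listener, NULL, mh_listen, NULL))
-diff --git a/src/mn.c b/src/mn.c
-index 092cfcb..8f7f448 100644
---- a/src/mn.c
-+++ b/src/mn.c
-@@ -1478,7 +1478,7 @@ static struct home_addr_info *hai_copy(struct home_addr_info *conf_hai)
- if (hai != NULL) {
- pthread_mutexattr_t mattrs;
- pthread_mutexattr_init(&mattrs);
-- pthread_mutexattr_settype(&mattrs, PTHREAD_MUTEX_FAST_NP);
-+ pthread_mutexattr_settype(&mattrs, PTHREAD_MUTEX_NORMAL);
-
- memcpy(hai, conf_hai, sizeof(struct home_addr_info));
-
-diff --git a/src/movement.c b/src/movement.c
-index d985937..6400448 100644
---- a/src/movement.c
-+++ b/src/movement.c
-@@ -2013,7 +2013,7 @@ int md_init(void)
- int val;
-
- pthread_mutexattr_init(&mattrs);
-- pthread_mutexattr_settype(&mattrs, PTHREAD_MUTEX_FAST_NP);
-+ pthread_mutexattr_settype(&mattrs, PTHREAD_MUTEX_NORMAL);
- if (pthread_mutex_init(&iface_lock, &mattrs))
- return -1;
-
-diff --git a/src/mpdisc_ha.c b/src/mpdisc_ha.c
-index 40ba05f..fd7a90d 100644
---- a/src/mpdisc_ha.c
-+++ b/src/mpdisc_ha.c
-@@ -559,7 +559,7 @@ int mpd_ha_init(void)
- {
- pthread_mutexattr_t mattrs;
- pthread_mutexattr_init(&mattrs);
-- pthread_mutexattr_settype(&mattrs, PTHREAD_MUTEX_FAST_NP);
-+ pthread_mutexattr_settype(&mattrs, PTHREAD_MUTEX_NORMAL);
- if (pthread_mutex_init(&mpa_lock, &mattrs) ||
- pthread_rwlock_init(&prefix_lock, NULL) ||
- hash_init(&mpa_hash, DOUBLE_ADDR, MPA_BUCKETS) < 0)
-diff --git a/src/mpdisc_mn.c b/src/mpdisc_mn.c
-index 4873bd6..ada02bd 100644
---- a/src/mpdisc_mn.c
-+++ b/src/mpdisc_mn.c
-@@ -267,7 +267,7 @@ int mpd_mn_init(void)
- {
- pthread_mutexattr_t mattrs;
- pthread_mutexattr_init(&mattrs);
-- pthread_mutexattr_settype(&mattrs, PTHREAD_MUTEX_FAST_NP);
-+ pthread_mutexattr_settype(&mattrs, PTHREAD_MUTEX_NORMAL);
- if (pthread_mutex_init(&mps_lock, &mattrs))
- return -1;
- if (hash_init(&mps_hash, DOUBLE_ADDR, MPS_BUCKETS) < 0)
-diff --git a/src/tqueue.c b/src/tqueue.c
-index 2f7aa0b..9c185b8 100644
---- a/src/tqueue.c
-+++ b/src/tqueue.c
-@@ -65,7 +65,7 @@ int taskqueue_init(void)
- {
- pthread_mutexattr_t mattrs;
- pthread_mutexattr_init(&mattrs);
-- pthread_mutexattr_settype(&mattrs, PTHREAD_MUTEX_FAST_NP);
-+ pthread_mutexattr_settype(&mattrs, PTHREAD_MUTEX_NORMAL);
- if (pthread_mutex_init(&mutex, &mattrs) ||
- pthread_cond_init(&cond, NULL) ||
- pthread_create(&tq_runner, NULL, runner, NULL))
-diff --git a/src/tunnelctl.c b/src/tunnelctl.c
-index 23fc20b..813b8ec 100644
---- a/src/tunnelctl.c
-+++ b/src/tunnelctl.c
-@@ -433,7 +433,7 @@ int tunnelctl_init(void)
- return -1;
-
- pthread_mutexattr_init(&mattrs);
-- pthread_mutexattr_settype(&mattrs, PTHREAD_MUTEX_FAST_NP);
-+ pthread_mutexattr_settype(&mattrs, PTHREAD_MUTEX_NORMAL);
- if (pthread_mutex_init(&tnl_lock, &mattrs))
- return -1;
-
---
-2.16.2
-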
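diff --git a/meta-networking/recipes-connectivity/umip/umip/add-dependency-to-support-parallel-compilation.patch b/meta-networking/recipes-connectivity/umip/umip/add-dependency-to-support-parallel-compilation.patch
deleted file mode 100644
index dbf0082640..0000000000
--- a/meta-networking/recipes-connectivity/umip/umip/add-dependency-to-support-parallel-compilation.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-When "make -j10", the compilation will fail,
-because scan.c has included gram.h, but gram.h was produced
-after scan.c was compiled
-
-So add this dependency to ensure that gram.h is produced
-before scan.c is produced.
-
-Upstream-Status: Inappropriate [upstream is not active]
-
-Signed-off-by: Roy.Li <RongQing.Li@windriver.com>
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
----
- src/Makefile.am | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -81,3 +81,5 @@ CLEANFILES = gram.c gram.h \
-
- DISTCLEANFILES = $(BUILT_SOURCES)
- MAINTAINERCLEANFILES = Makefile.in
-+
-+scan.c: gram.h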
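diff --git a/meta-networking/recipes-connectivity/umip/umip/mip6d b/meta-networking/recipes-connectivity/umip/umip/mip6d
deleted file mode 100755
index ebd70a6cca..0000000000
--- a/meta-networking/recipes-connectivity/umip/umip/mip6d
+++ /dev/null
@@ -1,112 +0,0 @@
-#!/bin/sh
-#
-# mip6d Start script for the Mobile IPv6 daemon
-#
-# chkconfig: - 55 25
-# description: The mobile IPv6 daemon allows nodes to remain \
-# reachable while moving around in the IPv6 Internet.
-# processname: mip6d
-# config: /etc/mip6d.conf
-# config: /etc/sysconfig/mip6d
-#
-### BEGIN INIT INFO
-# Provides: mipv6-daemon
-# Required-Start: $local_fs $remote_fs $network $named
-# Required-Stop: $local_fs $remote_fs $network
-# Should-Start: $syslog
-# Should-Stop: $network $syslog
-# Default-Start:
-# Default-Stop: 0 1 6
-# Short-Description: Start and stop Mobile IPV6 daemon
-# Description: The mobile IPv6 daemon allows nodes to remain
-# reachable while moving around in the IPv6 Internet.
-### END INIT INFO
-
-# Source function library.
-. /etc/init.d/functions
-
-if [ -f /etc/sysconfig/mip6d ]; then
- . /etc/sysconfig/mip6d
-fi
-
-mip6d=/usr/sbin/mip6d
-prog="mip6d"
-lockfile=/var/lock/subsys/$prog
-
-start() {
- [ -x $mip6d ] || exit 5
- echo -n $"Starting $prog: "
- start-stop-daemon -S -x ${mip6d} && success || failure
- retval=$?
- echo
- [ $retval -eq 0 ] && touch ${lockfile}
- return $retval
-}
-
-stop() {
- echo -n $"Stopping $prog: "
- start-stop-daemon -K -x $mip6d
- retval=$?
- echo
- [ $retval -eq 0 ] && rm -f ${lockfile}
- return $retval
-}
-
-restart() {
- stop
- start
-}
-
-reload()
-{
- echo -n $"Reloading $prog configuration: "
- killproc $mip6d -HUP
- retval=$?
- echo
- return $retval
-}
-
-force_reload() {
- restart
-}
-
-rh_status() {
- status $prog
-}
-
-rh_status_q() {
- rh_status > /dev/null 2>&1
-}
-
-case "$1" in
- start)
- rh_status_q && exit 0
- $1
- ;;
- stop)
- rh_status_q || exit 0
- $1
- ;;
- restart)
- $1
- ;;
- reload)
- rh_status_q || exit 7
- $1
- ;;
- force-reload)
- force_reload
- ;;
- status)
- rh_status
- ;;
- condrestart|try-restart)
- rh_status_q || exit 0
- restart
- ;;
- *)
- echo $"Usage: $prog {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
- exit 2
-esac
-
-exit $?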
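diff --git a/meta-networking/recipes-connectivity/umip/umip/mip6d.service b/meta-networking/recipes-connectivity/umip/umip/mip6d.service
deleted file mode 100644
index 2b5a5b9f1d..0000000000
--- a/meta-networking/recipes-connectivity/umip/umip/mip6d.service
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-Description=MIPL Mobile IPv6
-After=network.target
-
-[Service]
-EnvironmentFile=-@SYSCONFDIR@/sysconfig/mip6d
-ExecStart=@SBINDIR@/mip6d $ARGS
-
-[Install]
-WantedBy=multi-user.target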
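diff --git a/meta-networking/recipes-connectivity/umip/umip_1.0.bb b/meta-networking/recipes-connectivity/umip/umip_1.0.bb
deleted file mode 100644
index 43367b5503..0000000000
--- a/meta-networking/recipes-connectivity/umip/umip_1.0.bb
+++ /dev/null
@@ -1,46 +0,0 @@
-SUMMARY = "Mobile IPv6 and NEMO for Linux"
-DESCRIPTION = "UMIP is an open source implementation of Mobile IPv6 and NEMO \
-Basic Support for Linux. It is released under the GPLv2 license. It supports \
-the following IETF RFC: RFC6275 (Mobile IPv6), RFC3963 (NEMO), RFC3776 and \
-RFC4877 (IPsec and IKEv2)."
-HOMEPAGE = "http://umip.org/"
-SECTION = "System Environment/Base"
-LICENSE = "GPLv2"
-LIC_FILES_CHKSUM = "file://COPYING;md5=073dc31ccb2ebed70db54f1e8aeb4c33"
-DEPENDS = "openssl ipsec-tools radvd indent-native bison-native"
-
-SRC_URI = "git://git.umip.org/umip/umip.git \
- file://add-dependency-to-support-parallel-compilation.patch \
- file://mip6d \
- file://mip6d.service \
- file://0001-Add-format-string-to-fprintf-call.patch \
- file://0001-replace-SIGCLD-with-SIGCHLD-and-include-sys-types.h.patch \
- file://0002-replace-PTHREAD_MUTEX_FAST_NP-with-PTHREAD_MUTEX_NOR.patch \
- file://0001-support-openssl-1.1.x.patch \
- "
-SRCREV = "cbd441c5db719db554ff2b4fcb02fef88ae2f791"
-
-# Depends on ipsec-tools which is already MACHINE_ARCH (and also RRECOMMENDS kernel modules)
-PACKAGE_ARCH = "${MACHINE_ARCH}"
-
-S = "${WORKDIR}/git"
-
-EXTRA_OECONF = "--enable-vt"
-
-inherit autotools-brokensep systemd update-rc.d
-
-INITSCRIPT_NAME = "mip6d"
-INITSCRIPT_PARAMS = "start 64 . stop 36 0 1 2 3 4 5 6 ."
-
-SYSTEMD_SERVICE_${PN} = "mip6d.service"
-SYSTEMD_AUTO_ENABLE = "disable"
-
-do_install_append() {
- install -D -m 0755 ${WORKDIR}/mip6d ${D}${sysconfdir}/init.d/mip6d
- install -D -m 0644 ${WORKDIR}/mip6d.service ${D}${systemd_system_unitdir}/mip6d.service
- sed -i -e 's,@SYSCONFDIR@,${sysconfdir},g' \
- -e 's,@SBINDIR@,${sbindir},g' \
- ${D}${systemd_system_unitdir}/mip6d.service
-}
-
-RRECOMMENDS_${PN} = "kernel-module-mip6 kernel-module-ipv6"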
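diff --git a/meta-networking/recipes-core/packagegroups/packagegroup-meta-networking.bb b/meta-networking/recipes-core/packagegroups/packagegroup-meta-networking.bb
index 64eabe4629..3770601a4b 100644
--- a/meta-networking/recipes-core/packagegroups/packagegroup-meta-networking.bb
+++ b/meta-networking/recipes-core/packagegroups/packagegroup-meta-networking.bb
@@ -34,7 +34,7 @@ RDEPENDS_packagegroup-meta-networking-connectivity = "\
 openconnect ez-ipupdate mosquitto sethdlc crda \
 dibbler-server dibbler-client dibbler-requestor dibbler-relay \
 libdnet ufw civetweb freeradius kea daq \
-mbedtls relayd snort dhcpcd rdate vlan umip vpnc \
+mbedtls relayd snort dhcpcd rdate vlan vpnc \
 inetutils wolfssl lftp miniupnpd networkmanager \
 networkmanager-openvpn rdist nanomsg python-networkmanager \
 wireless-regdb \
@@ -93,7 +93,7 @@ RDEPENDS_packagegroup-meta-networking-support = "\
 ncp ndisc6 mtr tinyproxy ssmping ntp \
 wpan-tools bridge-utils ifenslave celt051 pimd \
 nbd-client nbd-server nbd-trdump \
-phytool fwknop htpdate tcpreplay ipsec-tools \
+phytool fwknop htpdate tcpreplay \
 traceroute geoip-perl geoip geoipupdate esmtp \
 libtdb netcf dnsmasq curlpp openipmi drbd-utils \
 drbd tunctl dovecot ipvsadm stunnel chrony spice-protocol \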
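diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-Disable-gcc8-specific-warnings.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-Disable-gcc8-specific-warnings.patch
deleted file mode 100644
index 11a9103935..0000000000
--- a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-Disable-gcc8-specific-warnings.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From 282d492e4cab7b4d9c7321f4c0c55b615948e280 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Fri, 11 May 2018 14:09:17 -0700
-Subject: [PATCH] Disable gcc8 specific warnings
-
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- src/libipsec/ipsec_dump_policy.c | 5 +++++
- src/libipsec/pfkey_dump.c | 5 +++++
- src/racoon/isakmp.c | 11 ++++++++++-
- 3 files changed, 20 insertions(+), 1 deletion(-)
-
-diff --git a/src/libipsec/ipsec_dump_policy.c b/src/libipsec/ipsec_dump_policy.c
-index 4d0eb77..c3fc842 100644
---- a/src/libipsec/ipsec_dump_policy.c
-+++ b/src/libipsec/ipsec_dump_policy.c
-@@ -275,6 +275,10 @@ ipsec_dump_policy1(policy, delimiter, withports)
- return buf;
- }
-
-+#pragma GCC diagnostic push
-+#if defined(__GNUC__) && (__GNUC__ >= 8)
-+#pragma GCC diagnostic ignored "-Wformat-truncation"
-+#endif
- static char *
- ipsec_dump_ipsecrequest(buf, len, xisr, bound, withports)
- char *buf;
-@@ -419,3 +423,4 @@ set_address(buf, len, sa, withports)
-
- return buf;
- }
-+#pragma GCC diagnostic pop
-diff --git a/src/libipsec/pfkey_dump.c b/src/libipsec/pfkey_dump.c
-index 4627ebc..451e535 100644
---- a/src/libipsec/pfkey_dump.c
-+++ b/src/libipsec/pfkey_dump.c
-@@ -691,6 +691,10 @@ str_ipport(sa)
- /*
- * set "/prefix[port number]" to buffer.
- */
-+#pragma GCC diagnostic push
-+#if defined(__GNUC__) && (__GNUC__ >= 8)
-+#pragma GCC diagnostic ignored "-Wformat-truncation"
-+#endif
- static char *
- str_prefport(family, pref, port, ulp)
- u_int family, pref, port, ulp;
-@@ -735,6 +739,7 @@ str_prefport(family, pref, port, ulp)
-
- return buf;
- }
-+#pragma GCC diagnostic pop
-
- static void
- str_upperspec(ulp, p1, p2)
-diff --git a/src/racoon/isakmp.c b/src/racoon/isakmp.c
-index 7ff53a3..4addf24 100644
---- a/src/racoon/isakmp.c
-+++ b/src/racoon/isakmp.c
-@@ -3124,7 +3124,12 @@ script_hook(iph1, script)
- #endif
-
- /* local address */
-+#pragma GCC diagnostic push
-+#if defined(__GNUC__) && (__GNUC__ >= 8)
-+#pragma GCC diagnostic ignored "-Wstringop-truncation"
-+#endif
- GETNAMEINFO(iph1->local, addrstr, portstr);
-+#pragma GCC diagnostic pop
-
- if (script_env_append(&envp, &envc, "LOCAL_ADDR", addrstr) != 0) {
- plog(LLV_ERROR, LOCATION, NULL, "Cannot set LOCAL_ADDR\n");
-@@ -3138,8 +3143,12 @@ script_hook(iph1, script)
-
- /* Peer address */
- if (iph1->remote != NULL) {
-+#pragma GCC diagnostic push
-+#if defined(__GNUC__) && (__GNUC__ >= 8)
-+#pragma GCC diagnostic ignored "-Wstringop-truncation"
-+#endif
- GETNAMEINFO(iph1->remote, addrstr, portstr);
--
-+#pragma GCC diagnostic pop
- if (script_env_append(&envp, &envc,
- "REMOTE_ADDR", addrstr) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,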
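diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-Fix-build-with-clang.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-Fix-build-with-clang.patch
deleted file mode 100644
index 5c09147450..0000000000
--- a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-Fix-build-with-clang.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From 9135ca401186fb14e5e5110bbb04d1ccc480360a Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Tue, 15 Nov 2016 04:15:44 +0000
-Subject: [PATCH] Fix build with clang
-
-Fixes for following errors found by clang
-
-src/racoon/eaytest.c:316:6: error: comparison of array 'dnstr_w1' not equal to a null pointer is always true
- [-Werror,-Wtautological-pointer-compare]
- if (dnstr_w1 != NULL) {
- ^~~~~~~~ ~~~~
-src/racoon/eaytest.c:326:6: error: comparison of array 'dnstr_w1' not equal to a null pointer is always true
- [-Werror,-Wtautological-pointer-compare]
- if (dnstr_w1 != NULL) {
- ^~~~~~~~ ~~~~
-
-src/racoon/isakmp.c:1134:11: error: promoted type 'int' of K&R function parameter is not compatible with the
- parameter type 'u_int8_t' (aka 'unsigned char') declared in a previous prototype [-Werror,-Wknr-promoted-parameter]
- u_int8_t etype;
- ^
-src/racoon/isakmp.c:184:48: note: previous declaration is here
- struct sockaddr *, struct sockaddr *, u_int8_t));
- ^
- 1 error generated.
-
-src/racoon/racoonctl.c:1457:15: error: incompatible pointer types passing 'struct evt_async *' to parameter of type
- 'caddr_t' (aka 'char *') [-Werror,-Wincompatible-pointer-types]
- print_cfg(ec, len);
- ^~
-
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- src/racoon/eaytest.c | 4 ++--
- src/racoon/isakmp.c | 10 +++++-----
- src/racoon/racoonctl.c | 7 +++----
- 3 files changed, 10 insertions(+), 11 deletions(-)
-
-diff --git a/src/racoon/eaytest.c b/src/racoon/eaytest.c
-index 1474bdc..d609e4f 100644
---- a/src/racoon/eaytest.c
-+++ b/src/racoon/eaytest.c
-@@ -313,7 +313,7 @@ certtest(ac, av)
-
- printf("exact match: succeed.\n");
-
-- if (dnstr_w1 != NULL) {
-+ if (dnstr_w1[0] != '\0') {
- asn1dn = eay_str2asn1dn(dnstr_w1, strlen(dnstr_w1));
- if (asn1dn == NULL || asn1dn->l == asn1dn0.l)
- errx(1, "asn1dn length wrong for wildcard 1\n");
-@@ -323,7 +323,7 @@ certtest(ac, av)
- printf("wildcard 1 match: succeed.\n");
- }
-
-- if (dnstr_w1 != NULL) {
-+ if (dnstr_w1[0] != '\0') {
- asn1dn = eay_str2asn1dn(dnstr_w2, strlen(dnstr_w2));
- if (asn1dn == NULL || asn1dn->l == asn1dn0.l)
- errx(1, "asn1dn length wrong for wildcard 2\n");
-diff --git a/src/racoon/isakmp.c b/src/racoon/isakmp.c
-index 2672f7a..da7ebe8 100644
---- a/src/racoon/isakmp.c
-+++ b/src/racoon/isakmp.c
-@@ -567,7 +567,7 @@ isakmp_main(msg, remote, local)
-
- /* it must be responder's 1st exchange. */
- if (isakmp_ph1begin_r(msg, remote, local,
-- isakmp->etype) < 0)
-+ (u_int8_t)isakmp->etype) < 0)
- return -1;
- break;
-
-@@ -1128,10 +1128,10 @@ isakmp_ph1begin_i(rmconf, remote, local)
-
- /* new negotiation of phase 1 for responder */
- static int
--isakmp_ph1begin_r(msg, remote, local, etype)
-- vchar_t *msg;
-- struct sockaddr *remote, *local;
-- u_int8_t etype;
-+isakmp_ph1begin_r(vchar_t *msg,
-+ struct sockaddr *remote,
-+ struct sockaddr *local,
-+ u_int8_t etype)
- {
- struct isakmp *isakmp = (struct isakmp *)msg->v;
- struct ph1handle *iph1;
-diff --git a/src/racoon/racoonctl.c b/src/racoon/racoonctl.c
-index da28ecd..bbf068e 100644
---- a/src/racoon/racoonctl.c
-+++ b/src/racoon/racoonctl.c
-@@ -1299,9 +1299,8 @@ print_evt(evtdump)
- * Print ISAKMP mode config info (IP and banner)
- */
- void
--print_cfg(buf, len)
-- caddr_t buf;
-- int len;
-+print_cfg(caddr_t buf,
-+ int len)
- {
- struct evt_async *evtdump = (struct evt_async *)buf;
- struct isakmp_data *attr;
-@@ -1454,7 +1453,7 @@ handle_recv(combuf)
- else if (evt_quit_event == ec->ec_type) {
- switch (ec->ec_type) {
- case EVT_PHASE1_MODE_CFG:
-- print_cfg(ec, len);
-+ print_cfg((caddr_t)ec, len);
- break;
- default:
- print_evt(ec);
---
-1.9.1
-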
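diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-Fix-header-issues-found-with-musl-libc.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-Fix-header-issues-found-with-musl-libc.patch
deleted file mode 100644
index 630ecdb5f4..0000000000
--- a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-Fix-header-issues-found-with-musl-libc.patch
+++ /dev/null
@@ -1,249 +0,0 @@
-From 7d9585be093c9cb2428b373c0b0088bb778942d0 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Mon, 20 Mar 2017 21:37:47 -0700
-Subject: [PATCH] Fix header issues found with musl libc
-
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- src/libipsec/ipsec_strerror.h | 3 +++
- src/libipsec/libpfkey.h | 4 +++-
- src/racoon/admin.c | 2 +-
- src/racoon/backupsa.c | 6 +++---
- src/racoon/cftoken.l | 4 ++++
- src/racoon/logger.h | 3 +++
- src/racoon/misc.h | 3 +++
- src/racoon/missing/crypto/sha2/sha2.h | 3 +++
- src/racoon/netdb_dnssec.h | 3 +++
- src/racoon/pfkey.c | 1 -
- src/racoon/plog.h | 2 ++
- src/racoon/str2val.h | 3 +++
- src/racoon/vmbuf.h | 3 +++
- src/setkey/extern.h | 3 ++-
- src/setkey/setkey.c | 1 -
- 15 files changed, 36 insertions(+), 8 deletions(-)
-
-diff --git a/src/libipsec/ipsec_strerror.h b/src/libipsec/ipsec_strerror.h
-index 2b4264f..dac66a1 100644
---- a/src/libipsec/ipsec_strerror.h
-+++ b/src/libipsec/ipsec_strerror.h
-@@ -34,6 +34,9 @@
- #ifndef _IPSEC_STRERROR_H
- #define _IPSEC_STRERROR_H
-
-+#undef __P
-+#define __P(protos) protos /* ANSI C prototypes */
-+
- extern int __ipsec_errcode;
- extern void __ipsec_set_strerror __P((const char *));
-
-diff --git a/src/libipsec/libpfkey.h b/src/libipsec/libpfkey.h
-index 61d2f2a..f7991b7 100644
---- a/src/libipsec/libpfkey.h
-+++ b/src/libipsec/libpfkey.h
-@@ -34,6 +34,9 @@
- #ifndef _LIBPFKEY_H
- #define _LIBPFKEY_H
-
-+#undef __P
-+#define __P(protos) protos /* ANSI C prototypes */
-+
- #ifndef KAME_LIBPFKEY_H
- #define KAME_LIBPFKEY_H
-
-@@ -43,7 +46,6 @@
-
- #define PRIORITY_OFFSET_POSITIVE_MAX 0x3fffffff
- #define PRIORITY_OFFSET_NEGATIVE_MAX 0x40000000
--
- struct sadb_msg;
- extern void pfkey_sadump __P((struct sadb_msg *));
- extern void pfkey_sadump_withports __P((struct sadb_msg *));
-diff --git a/src/racoon/admin.c b/src/racoon/admin.c
-index 4b1875b..03ea3f8 100644
---- a/src/racoon/admin.c
-+++ b/src/racoon/admin.c
-@@ -36,7 +36,6 @@
- #include <sys/types.h>
- #include <sys/param.h>
- #include <sys/socket.h>
--#include <sys/signal.h>
- #include <sys/stat.h>
- #include <sys/un.h>
-
-@@ -46,6 +45,7 @@
- #include PATH_IPSEC_H
-
-
-+#include <signal.h>
- #include <stdlib.h>
- #include <stdio.h>
- #include <string.h>
-diff --git a/src/racoon/backupsa.c b/src/racoon/backupsa.c
-index 82d74ca..95307ca 100644
---- a/src/racoon/backupsa.c
-+++ b/src/racoon/backupsa.c
-@@ -276,9 +276,9 @@ do { \
- GETNEXTNUM(sa_args.a_keylen, strtoul);
- GETNEXTNUM(sa_args.flags, strtoul);
- GETNEXTNUM(sa_args.l_alloc, strtoul);
-- GETNEXTNUM(sa_args.l_bytes, strtouq);
-- GETNEXTNUM(sa_args.l_addtime, strtouq);
-- GETNEXTNUM(sa_args.l_usetime, strtouq);
-+ GETNEXTNUM(sa_args.l_bytes, strtoull);
-+ GETNEXTNUM(sa_args.l_addtime, strtoull);
-+ GETNEXTNUM(sa_args.l_usetime, strtoull);
- GETNEXTNUM(sa_args.seq, strtoul);
-
- #undef GETNEXTNUM
-diff --git a/src/racoon/cftoken.l b/src/racoon/cftoken.l
-index 1701922..787f4a9 100644
---- a/src/racoon/cftoken.l
-+++ b/src/racoon/cftoken.l
-@@ -77,6 +77,10 @@
-
- #include "cfparse.h"
-
-+#ifndef GLOB_TILDE
-+#define GLOB_TILDE 0
-+#endif
-+
- int yyerrorcount = 0;
-
- #if defined(YIPS_DEBUG)
-diff --git a/src/racoon/logger.h b/src/racoon/logger.h
-index 3fd3e94..67af5f0 100644
---- a/src/racoon/logger.h
-+++ b/src/racoon/logger.h
-@@ -34,6 +34,9 @@
- #ifndef _LOGGER_H
- #define _LOGGER_H
-
-+#undef __P
-+#define __P(protos) protos /* ANSI C prototypes */
-+
- struct log {
- int head;
- int siz;
-diff --git a/src/racoon/misc.h b/src/racoon/misc.h
-index 3e758d9..30d9825 100644
---- a/src/racoon/misc.h
-+++ b/src/racoon/misc.h
-@@ -34,6 +34,9 @@
- #ifndef _MISC_H
- #define _MISC_H
-
-+#undef __P
-+#define __P(protos) protos /* ANSI C prototypes */
-+
- #define BIT2STR(b) bit2str(b, sizeof(b)<<3)
-
- #ifdef HAVE_FUNC_MACRO
-diff --git a/src/racoon/missing/crypto/sha2/sha2.h b/src/racoon/missing/crypto/sha2/sha2.h
-index 42bcc2a..c043dfe 100644
---- a/src/racoon/missing/crypto/sha2/sha2.h
-+++ b/src/racoon/missing/crypto/sha2/sha2.h
-@@ -40,6 +40,9 @@
- #ifndef __SHA2_H__
- #define __SHA2_H__
-
-+#undef __P
-+#define __P(protos) protos /* ANSI C prototypes */
-+
- #ifdef __cplusplus
- extern "C" {
- #endif
-diff --git a/src/racoon/netdb_dnssec.h b/src/racoon/netdb_dnssec.h
-index a11209d..98fd813 100644
---- a/src/racoon/netdb_dnssec.h
-+++ b/src/racoon/netdb_dnssec.h
-@@ -34,6 +34,9 @@
- #ifndef _NETDB_DNSSEC_H
- #define _NETDB_DNSSEC_H
-
-+#undef __P
-+#define __P(protos) protos /* ANSI C prototypes */
-+
- #ifndef T_CERT
- #define T_CERT 37 /* defined by RFC2538 section 2 */
- #endif
-diff --git a/src/racoon/pfkey.c b/src/racoon/pfkey.c
-index 8f26c19..a06c30e 100644
---- a/src/racoon/pfkey.c
-+++ b/src/racoon/pfkey.c
-@@ -59,7 +59,6 @@
- #include <sys/param.h>
- #include <sys/socket.h>
- #include <sys/queue.h>
--#include <sys/sysctl.h>
-
- #include <net/route.h>
- #include <net/pfkeyv2.h>
-diff --git a/src/racoon/plog.h b/src/racoon/plog.h
-index ed43c8b..920c850 100644
---- a/src/racoon/plog.h
-+++ b/src/racoon/plog.h
-@@ -34,6 +34,8 @@
- #ifndef _PLOG_H
- #define _PLOG_H
-
-+#undef __P
-+#define __P(protos) protos /* ANSI C prototypes */
- #ifdef HAVE_STDARG_H
- #include <stdarg.h>
- #else
-diff --git a/src/racoon/str2val.h b/src/racoon/str2val.h
-index 4a7cec1..d3d698e 100644
---- a/src/racoon/str2val.h
-+++ b/src/racoon/str2val.h
-@@ -34,6 +34,9 @@
- #ifndef _STR2VAL_H
- #define _STR2VAL_H
-
-+#undef __P
-+#define __P(protos) protos /* ANSI C prototypes */
-+
- extern caddr_t val2str __P((const char *, size_t));
- extern char *str2val __P((const char *, int, size_t *));
-
-diff --git a/src/racoon/vmbuf.h b/src/racoon/vmbuf.h
-index 3f2f4ea..8287a00 100644
---- a/src/racoon/vmbuf.h
-+++ b/src/racoon/vmbuf.h
-@@ -34,6 +34,9 @@
- #ifndef _VMBUF_H
- #define _VMBUF_H
-
-+#undef __P
-+#define __P(protos) protos /* ANSI C prototypes */
-+
- /*
- * bp v
- * v v
-diff --git a/src/setkey/extern.h b/src/setkey/extern.h
-index 6f439fa..a1d9d14 100644
---- a/src/setkey/extern.h
-+++ b/src/setkey/extern.h
-@@ -1,6 +1,7 @@
- /* $NetBSD: extern.h,v 1.5 2009/03/06 11:45:03 tteras Exp $ */
-
--
-+#undef __P
-+#define __P(protos) protos /* ANSI C prototypes */
-
- void parse_init __P((void));
- int parse __P((FILE **));
-diff --git a/src/setkey/setkey.c b/src/setkey/setkey.c
-index c400faa..51f8b75 100644
---- a/src/setkey/setkey.c
-+++ b/src/setkey/setkey.c
-@@ -40,7 +40,6 @@
- #include <sys/socket.h>
- #include <sys/time.h>
- #include <sys/stat.h>
--#include <sys/sysctl.h>
- #include <err.h>
- #include <netinet/in.h>
- #include <net/pfkeyv2.h>
---
-2.12.0
-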
diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-ipsec-tools-add-openssl-1.1-support.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-ipsec-tools-add-openssl-1.1-support.patch
deleted file mode 100644
index 228274436a..0000000000
--- a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-ipsec-tools-add-openssl-1.1-support.patch
+++ /dev/null
@@ -1,1086 +0,0 @@
1From b572350a922187d43dd4629c3b43e19979fae3ef Mon Sep 17 00:00:00 2001
2From: Eneas U de Queiroz <cote2004-github@yahoo.com>
3Date: Tue, 25 Sep 2018 15:30:04 +0800
4Subject: [PATCH] ipsec-tools: add openssl 1.1 support
5
6To: equeiroz@troianet.com.br
7
8This patch updates the calls to openssl 1.1 API, and adds a
9compatibility layer so it compiles with (at least) openssl 1.0.2, I
10haven't tested it with lower versions, but all that's needed is to edit
11the openssl_compat.* files and add the missing functions there--they're
12usually trivial.
13
14Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
15
16Upstream-Status: Submitted [https://sourceforge.net/p/ipsec-tools/mailman/message/36327963/]
17https://github.com/openwrt/packages/blob/master/net/ipsec-tools/patches/015-openssl-1.1.patch
18
19Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
20---
21 src/racoon/Makefile.am | 10 +--
22 src/racoon/algorithm.c | 6 +-
23 src/racoon/crypto_openssl.c | 197 +++++++++++++++++++++-------------------
24 src/racoon/crypto_openssl.h | 2 +-
25 src/racoon/eaytest.c | 7 +-
26 src/racoon/ipsec_doi.c | 2 +-
27 src/racoon/openssl_compat.c | 213 ++++++++++++++++++++++++++++++++++++++++++++
28 src/racoon/openssl_compat.h | 45 ++++++++++
29 src/racoon/plainrsa-gen.c | 41 +++++----
30 src/racoon/prsa_par.y | 28 ++++--
31 src/racoon/rsalist.c | 5 +-
32 11 files changed, 430 insertions(+), 126 deletions(-)
33 create mode 100644 src/racoon/openssl_compat.c
34 create mode 100644 src/racoon/openssl_compat.h
35
36diff --git a/src/racoon/Makefile.am b/src/racoon/Makefile.am
37index 0662957..272b009 100644
38--- a/src/racoon/Makefile.am
39+++ b/src/racoon/Makefile.am
40@@ -4,7 +4,7 @@ sbin_PROGRAMS = racoon racoonctl plainrsa-gen
41 noinst_PROGRAMS = eaytest
42 include_racoon_HEADERS = racoonctl.h var.h vmbuf.h misc.h gcmalloc.h admin.h \
43 schedule.h sockmisc.h isakmp_var.h isakmp.h isakmp_xauth.h \
44- isakmp_cfg.h isakmp_unity.h ipsec_doi.h evt.h
45+ isakmp_cfg.h isakmp_unity.h ipsec_doi.h evt.h openssl_compat.h
46 lib_LTLIBRARIES = libracoon.la
47
48 adminsockdir=${localstatedir}/racoon
49@@ -32,7 +32,7 @@ racoon_SOURCES = \
50 gssapi.c dnssec.c getcertsbyname.c privsep.c \
51 pfkey.c admin.c evt.c ipsec_doi.c oakley.c grabmyaddr.c vendorid.c \
52 policy.c localconf.c remoteconf.c crypto_openssl.c algorithm.c \
53- proposal.c sainfo.c strnames.c \
54+ openssl_compat.c proposal.c sainfo.c strnames.c \
55 plog.c logger.c schedule.c str2val.c \
56 safefile.c backupsa.c genlist.c rsalist.c \
57 cftoken.l cfparse.y prsa_tok.l prsa_par.y
58@@ -51,12 +51,12 @@ libracoon_la_SOURCES = kmpstat.c vmbuf.c sockmisc.c misc.c
59 libracoon_la_CFLAGS = -DNOUSE_PRIVSEP $(AM_CFLAGS)
60
61 plainrsa_gen_SOURCES = plainrsa-gen.c plog.c \
62- crypto_openssl.c logger.c
63+ crypto_openssl.c logger.c openssl_compat.c
64 EXTRA_plainrsa_gen_SOURCES = $(MISSING_ALGOS)
65 plainrsa_gen_LDADD = $(CRYPTOBJS) vmbuf.o misc.o
66 plainrsa_gen_DEPENDENCIES = $(CRYPTOBJS) vmbuf.o misc.o
67
68-eaytest_SOURCES = eaytest.c plog.c logger.c
69+eaytest_SOURCES = eaytest.c plog.c logger.c openssl_compat.c
70 EXTRA_eaytest_SOURCES = missing/crypto/sha2/sha2.c
71 eaytest_LDADD = crypto_openssl_test.o vmbuf.o str2val.o misc_noplog.o \
72 $(CRYPTOBJS)
73@@ -75,7 +75,7 @@ noinst_HEADERS = \
74 debugrm.h isakmp.h misc.h sainfo.h \
75 dhgroup.h isakmp_agg.h netdb_dnssec.h schedule.h \
76 isakmp_cfg.h isakmp_xauth.h isakmp_unity.h isakmp_frag.h \
77- throttle.h privsep.h \
78+ throttle.h privsep.h openssl_compat.h \
79 cfparse_proto.h cftoken_proto.h genlist.h rsalist.h \
80 missing/crypto/sha2/sha2.h missing/crypto/rijndael/rijndael_local.h \
81 missing/crypto/rijndael/rijndael-api-fst.h \
82diff --git a/src/racoon/algorithm.c b/src/racoon/algorithm.c
83index 3fd50f6..66c874b 100644
84--- a/src/racoon/algorithm.c
85+++ b/src/racoon/algorithm.c
86@@ -128,7 +128,7 @@ static struct enc_algorithm oakley_encdef[] = {
87 { "aes", algtype_aes, OAKLEY_ATTR_ENC_ALG_AES, 16,
88 eay_aes_encrypt, eay_aes_decrypt,
89 eay_aes_weakkey, eay_aes_keylen, },
90-#ifdef HAVE_OPENSSL_CAMELLIA_H
91+#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA)
92 { "camellia", algtype_camellia, OAKLEY_ATTR_ENC_ALG_CAMELLIA, 16,
93 eay_camellia_encrypt, eay_camellia_decrypt,
94 eay_camellia_weakkey, eay_camellia_keylen, },
95@@ -168,7 +168,7 @@ static struct enc_algorithm ipsec_encdef[] = {
96 { "twofish", algtype_twofish, IPSECDOI_ESP_TWOFISH, 16,
97 NULL, NULL,
98 NULL, eay_twofish_keylen, },
99-#ifdef HAVE_OPENSSL_IDEA_H
100+#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA)
101 { "3idea", algtype_3idea, IPSECDOI_ESP_3IDEA, 8,
102 NULL, NULL,
103 NULL, NULL, },
104@@ -179,7 +179,7 @@ static struct enc_algorithm ipsec_encdef[] = {
105 { "rc4", algtype_rc4, IPSECDOI_ESP_RC4, 8,
106 NULL, NULL,
107 NULL, NULL, },
108-#ifdef HAVE_OPENSSL_CAMELLIA_H
109+#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA)
110 { "camellia", algtype_camellia, IPSECDOI_ESP_CAMELLIA, 16,
111 NULL, NULL,
112 NULL, eay_camellia_keylen, },
113diff --git a/src/racoon/crypto_openssl.c b/src/racoon/crypto_openssl.c
114index 55b076a..8fb358f 100644
115--- a/src/racoon/crypto_openssl.c
116+++ b/src/racoon/crypto_openssl.c
117@@ -90,6 +90,7 @@
118 #endif
119 #endif
120 #include "plog.h"
121+#include "openssl_compat.h"
122
123 #define USE_NEW_DES_API
124
125@@ -316,9 +317,12 @@ eay_cmp_asn1dn(n1, n2)
126 i = idx+1;
127 goto end;
128 }
129- if ((ea->value->length == 1 && ea->value->data[0] == '*') ||
130- (eb->value->length == 1 && eb->value->data[0] == '*')) {
131- if (OBJ_cmp(ea->object,eb->object)) {
132+ ASN1_STRING *sa = X509_NAME_ENTRY_get_data(ea);
133+ ASN1_STRING *sb = X509_NAME_ENTRY_get_data(eb);
134+ if ((ASN1_STRING_length(sa) == 1 && ASN1_STRING_get0_data(sa)[0] == '*') ||
135+ (ASN1_STRING_length(sb) == 1 && ASN1_STRING_get0_data(sb)[0] == '*')) {
136+ if (OBJ_cmp(X509_NAME_ENTRY_get_object(ea),
137+ X509_NAME_ENTRY_get_object(eb))) {
138 i = idx+1;
139 goto end;
140 }
141@@ -430,7 +434,7 @@ cb_check_cert_local(ok, ctx)
142
143 if (!ok) {
144 X509_NAME_oneline(
145- X509_get_subject_name(ctx->current_cert),
146+ X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)),
147 buf,
148 256);
149 /*
150@@ -438,7 +442,8 @@ cb_check_cert_local(ok, ctx)
151 * ok if they are self signed. But we should still warn
152 * the user.
153 */
154- switch (ctx->error) {
155+ int ctx_error = X509_STORE_CTX_get_error(ctx);
156+ switch (ctx_error) {
157 case X509_V_ERR_CERT_HAS_EXPIRED:
158 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
159 case X509_V_ERR_INVALID_CA:
160@@ -453,9 +458,9 @@ cb_check_cert_local(ok, ctx)
161 }
162 plog(log_tag, LOCATION, NULL,
163 "%s(%d) at depth:%d SubjectName:%s\n",
164- X509_verify_cert_error_string(ctx->error),
165- ctx->error,
166- ctx->error_depth,
167+ X509_verify_cert_error_string(ctx_error),
168+ ctx_error,
169+ X509_STORE_CTX_get_error_depth(ctx),
170 buf);
171 }
172 ERR_clear_error();
173@@ -477,10 +482,11 @@ cb_check_cert_remote(ok, ctx)
174
175 if (!ok) {
176 X509_NAME_oneline(
177- X509_get_subject_name(ctx->current_cert),
178+ X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)),
179 buf,
180 256);
181- switch (ctx->error) {
182+ int ctx_error=X509_STORE_CTX_get_error(ctx);
183+ switch (ctx_error) {
184 case X509_V_ERR_UNABLE_TO_GET_CRL:
185 ok = 1;
186 log_tag = LLV_WARNING;
187@@ -490,9 +496,9 @@ cb_check_cert_remote(ok, ctx)
188 }
189 plog(log_tag, LOCATION, NULL,
190 "%s(%d) at depth:%d SubjectName:%s\n",
191- X509_verify_cert_error_string(ctx->error),
192- ctx->error,
193- ctx->error_depth,
194+ X509_verify_cert_error_string(ctx_error),
195+ ctx_error,
196+ X509_STORE_CTX_get_error_depth(ctx),
197 buf);
198 }
199 ERR_clear_error();
200@@ -516,14 +522,15 @@ eay_get_x509asn1subjectname(cert)
201 if (x509 == NULL)
202 goto error;
203
204+ X509_NAME *subject_name = X509_get_subject_name(x509);
205 /* get the length of the name */
206- len = i2d_X509_NAME(x509->cert_info->subject, NULL);
207+ len = i2d_X509_NAME(subject_name, NULL);
208 name = vmalloc(len);
209 if (!name)
210 goto error;
211 /* get the name */
212 bp = (unsigned char *) name->v;
213- len = i2d_X509_NAME(x509->cert_info->subject, &bp);
214+ len = i2d_X509_NAME(subject_name, &bp);
215
216 X509_free(x509);
217
218@@ -661,15 +668,16 @@ eay_get_x509asn1issuername(cert)
219 if (x509 == NULL)
220 goto error;
221
222+ X509_NAME *issuer_name = X509_get_issuer_name(x509);
223 /* get the length of the name */
224- len = i2d_X509_NAME(x509->cert_info->issuer, NULL);
225+ len = i2d_X509_NAME(issuer_name, NULL);
226 name = vmalloc(len);
227 if (name == NULL)
228 goto error;
229
230 /* get the name */
231 bp = (unsigned char *) name->v;
232- len = i2d_X509_NAME(x509->cert_info->issuer, &bp);
233+ len = i2d_X509_NAME(issuer_name, &bp);
234
235 X509_free(x509);
236
237@@ -850,7 +858,7 @@ eay_check_x509sign(source, sig, cert)
238 return -1;
239 }
240
241- res = eay_rsa_verify(source, sig, evp->pkey.rsa);
242+ res = eay_rsa_verify(source, sig, EVP_PKEY_get0_RSA(evp));
243
244 EVP_PKEY_free(evp);
245 X509_free(x509);
246@@ -992,7 +1000,7 @@ eay_get_x509sign(src, privkey)
247 if (evp == NULL)
248 return NULL;
249
250- sig = eay_rsa_sign(src, evp->pkey.rsa);
251+ sig = eay_rsa_sign(src, EVP_PKEY_get0_RSA(evp));
252
253 EVP_PKEY_free(evp);
254
255@@ -1079,7 +1087,11 @@ eay_strerror()
256 int line, flags;
257 unsigned long es;
258
259+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
260+ es = 0; /* even when allowed by OPENSSL_API_COMPAT, it is defined as 0 */
261+#else
262 es = CRYPTO_thread_id();
263+#endif
264
265 while ((l = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0){
266 n = snprintf(ebuf + len, sizeof(ebuf) - len,
267@@ -1100,7 +1112,7 @@ vchar_t *
268 evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc)
269 {
270 vchar_t *res;
271- EVP_CIPHER_CTX ctx;
272+ EVP_CIPHER_CTX *ctx;
273
274 if (!e)
275 return NULL;
276@@ -1111,7 +1123,7 @@ evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc
277 if ((res = vmalloc(data->l)) == NULL)
278 return NULL;
279
280- EVP_CIPHER_CTX_init(&ctx);
281+ ctx = EVP_CIPHER_CTX_new();
282
283 switch(EVP_CIPHER_nid(e)){
284 case NID_bf_cbc:
285@@ -1125,54 +1137,41 @@ evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc
286 /* XXX: can we do that also for algos with a fixed key size ?
287 */
288 /* init context without key/iv
289- */
290- if (!EVP_CipherInit(&ctx, e, NULL, NULL, enc))
291- {
292- OpenSSL_BUG();
293- vfree(res);
294- return NULL;
295- }
296+ */
297+ if (!EVP_CipherInit(ctx, e, NULL, NULL, enc))
298+ goto out;
299
300- /* update key size
301- */
302- if (!EVP_CIPHER_CTX_set_key_length(&ctx, key->l))
303- {
304- OpenSSL_BUG();
305- vfree(res);
306- return NULL;
307- }
308-
309- /* finalize context init with desired key size
310- */
311- if (!EVP_CipherInit(&ctx, NULL, (u_char *) key->v,
312+ /* update key size
313+ */
314+ if (!EVP_CIPHER_CTX_set_key_length(ctx, key->l))
315+ goto out;
316+
317+ /* finalize context init with desired key size
318+ */
319+ if (!EVP_CipherInit(ctx, NULL, (u_char *) key->v,
320 (u_char *) iv->v, enc))
321- {
322- OpenSSL_BUG();
323- vfree(res);
324- return NULL;
325- }
326+ goto out;
327 break;
328 default:
329- if (!EVP_CipherInit(&ctx, e, (u_char *) key->v,
330- (u_char *) iv->v, enc)) {
331- OpenSSL_BUG();
332- vfree(res);
333- return NULL;
334- }
335+ if (!EVP_CipherInit(ctx, e, (u_char *) key->v,
336+ (u_char *) iv->v, enc))
337+ goto out;
338 }
339
340 /* disable openssl padding */
341- EVP_CIPHER_CTX_set_padding(&ctx, 0);
342+ EVP_CIPHER_CTX_set_padding(ctx, 0);
343
344- if (!EVP_Cipher(&ctx, (u_char *) res->v, (u_char *) data->v, data->l)) {
345- OpenSSL_BUG();
346- vfree(res);
347- return NULL;
348- }
349+ if (!EVP_Cipher(ctx, (u_char *) res->v, (u_char *) data->v, data->l))
350+ goto out;
351
352- EVP_CIPHER_CTX_cleanup(&ctx);
353+ EVP_CIPHER_CTX_free(ctx);
354
355 return res;
356+out:
357+ EVP_CIPHER_CTX_free(ctx);
358+ OpenSSL_BUG();
359+ vfree(res);
360+ return NULL;
361 }
362
363 int
364@@ -1230,7 +1229,7 @@ eay_des_keylen(len)
365 return evp_keylen(len, EVP_des_cbc());
366 }
367
368-#ifdef HAVE_OPENSSL_IDEA_H
369+#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA)
370 /*
371 * IDEA-CBC
372 */
373@@ -1587,7 +1586,7 @@ eay_aes_keylen(len)
374 return len;
375 }
376
377-#if defined(HAVE_OPENSSL_CAMELLIA_H)
378+#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA)
379 /*
380 * CAMELLIA-CBC
381 */
382@@ -1680,9 +1679,9 @@ eay_hmac_init(key, md)
383 vchar_t *key;
384 const EVP_MD *md;
385 {
386- HMAC_CTX *c = racoon_malloc(sizeof(*c));
387+ HMAC_CTX *c = HMAC_CTX_new();
388
389- HMAC_Init(c, key->v, key->l, md);
390+ HMAC_Init_ex(c, key->v, key->l, md, NULL);
391
392 return (caddr_t)c;
393 }
394@@ -1761,8 +1760,7 @@ eay_hmacsha2_512_final(c)
395
396 HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
397 res->l = l;
398- HMAC_cleanup((HMAC_CTX *)c);
399- (void)racoon_free(c);
400+ HMAC_CTX_free((HMAC_CTX *)c);
401
402 if (SHA512_DIGEST_LENGTH != res->l) {
403 plog(LLV_ERROR, LOCATION, NULL,
404@@ -1811,8 +1809,7 @@ eay_hmacsha2_384_final(c)
405
406 HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
407 res->l = l;
408- HMAC_cleanup((HMAC_CTX *)c);
409- (void)racoon_free(c);
410+ HMAC_CTX_free((HMAC_CTX *)c);
411
412 if (SHA384_DIGEST_LENGTH != res->l) {
413 plog(LLV_ERROR, LOCATION, NULL,
414@@ -1861,8 +1858,7 @@ eay_hmacsha2_256_final(c)
415
416 HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
417 res->l = l;
418- HMAC_cleanup((HMAC_CTX *)c);
419- (void)racoon_free(c);
420+ HMAC_CTX_free((HMAC_CTX *)c);
421
422 if (SHA256_DIGEST_LENGTH != res->l) {
423 plog(LLV_ERROR, LOCATION, NULL,
424@@ -1912,8 +1908,7 @@ eay_hmacsha1_final(c)
425
426 HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
427 res->l = l;
428- HMAC_cleanup((HMAC_CTX *)c);
429- (void)racoon_free(c);
430+ HMAC_CTX_free((HMAC_CTX *)c);
431
432 if (SHA_DIGEST_LENGTH != res->l) {
433 plog(LLV_ERROR, LOCATION, NULL,
434@@ -1962,8 +1957,7 @@ eay_hmacmd5_final(c)
435
436 HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
437 res->l = l;
438- HMAC_cleanup((HMAC_CTX *)c);
439- (void)racoon_free(c);
440+ HMAC_CTX_free((HMAC_CTX *)c);
441
442 if (MD5_DIGEST_LENGTH != res->l) {
443 plog(LLV_ERROR, LOCATION, NULL,
444@@ -2266,6 +2260,7 @@ eay_dh_generate(prime, g, publen, pub, priv)
445 u_int32_t g;
446 {
447 BIGNUM *p = NULL;
448+ BIGNUM *BNg = NULL;
449 DH *dh = NULL;
450 int error = -1;
451
452@@ -2276,25 +2271,28 @@ eay_dh_generate(prime, g, publen, pub, priv)
453
454 if ((dh = DH_new()) == NULL)
455 goto end;
456- dh->p = p;
457- p = NULL; /* p is now part of dh structure */
458- dh->g = NULL;
459- if ((dh->g = BN_new()) == NULL)
460+ if ((BNg = BN_new()) == NULL)
461 goto end;
462- if (!BN_set_word(dh->g, g))
463+ if (!BN_set_word(BNg, g))
464 goto end;
465+ if (! DH_set0_pqg(dh, p, NULL, BNg))
466+ goto end;
467+ BNg = NULL;
468+ p = NULL; /* p is now part of dh structure */
469
470 if (publen != 0)
471- dh->length = publen;
472+ DH_set_length(dh, publen);
473
474 /* generate public and private number */
475 if (!DH_generate_key(dh))
476 goto end;
477
478 /* copy results to buffers */
479- if (eay_bn2v(pub, dh->pub_key) < 0)
480+ BIGNUM *pub_key, *priv_key;
481+ DH_get0_key(dh, (const BIGNUM**) &pub_key, (const BIGNUM**) &priv_key);
482+ if (eay_bn2v(pub, pub_key) < 0)
483 goto end;
484- if (eay_bn2v(priv, dh->priv_key) < 0) {
485+ if (eay_bn2v(priv, priv_key) < 0) {
486 vfree(*pub);
487 goto end;
488 }
489@@ -2306,6 +2304,8 @@ end:
490 DH_free(dh);
491 if (p != 0)
492 BN_free(p);
493+ if (BNg != 0)
494+ BN_free(BNg);
495 return(error);
496 }
497
498@@ -2319,6 +2319,10 @@ eay_dh_compute(prime, g, pub, priv, pub2, key)
499 int l;
500 unsigned char *v = NULL;
501 int error = -1;
502+ BIGNUM *p = BN_new();
503+ BIGNUM *BNg = BN_new();
504+ BIGNUM *pub_key = BN_new();
505+ BIGNUM *priv_key = BN_new();
506
507 /* make public number to compute */
508 if (eay_v2bn(&dh_pub, pub2) < 0)
509@@ -2327,19 +2331,21 @@ eay_dh_compute(prime, g, pub, priv, pub2, key)
510 /* make DH structure */
511 if ((dh = DH_new()) == NULL)
512 goto end;
513- if (eay_v2bn(&dh->p, prime) < 0)
514+ if (p == NULL || BNg == NULL || pub_key == NULL || priv_key == NULL)
515 goto end;
516- if (eay_v2bn(&dh->pub_key, pub) < 0)
517+
518+ if (eay_v2bn(&p, prime) < 0)
519 goto end;
520- if (eay_v2bn(&dh->priv_key, priv) < 0)
521+ if (eay_v2bn(&pub_key, pub) < 0)
522 goto end;
523- dh->length = pub2->l * 8;
524-
525- dh->g = NULL;
526- if ((dh->g = BN_new()) == NULL)
527+ if (eay_v2bn(&priv_key, priv) < 0)
528 goto end;
529- if (!BN_set_word(dh->g, g))
530+ if (!BN_set_word(BNg, g))
531 goto end;
532+ DH_set0_key(dh, pub_key, priv_key);
533+ DH_set_length(dh, pub2->l * 8);
534+ DH_set0_pqg(dh, p, NULL, BNg);
535+ pub_key = priv_key = p = BNg = NULL;
536
537 if ((v = racoon_calloc(prime->l, sizeof(u_char))) == NULL)
538 goto end;
539@@ -2350,6 +2356,14 @@ eay_dh_compute(prime, g, pub, priv, pub2, key)
540 error = 0;
541
542 end:
543+ if (p != NULL)
544+ BN_free(p);
545+ if (BNg != NULL)
546+ BN_free(BNg);
547+ if (pub_key != NULL)
548+ BN_free(pub_key);
549+ if (priv_key != NULL)
550+ BN_free(priv_key);
551 if (dh_pub != NULL)
552 BN_free(dh_pub);
553 if (dh != NULL)
554@@ -2400,12 +2414,14 @@ eay_bn2v(var, bn)
555 void
556 eay_init()
557 {
558+#if OPENSSL_VERSION_NUMBER < 0x10100000L
559 OpenSSL_add_all_algorithms();
560 ERR_load_crypto_strings();
561 #ifdef HAVE_OPENSSL_ENGINE_H
562 ENGINE_load_builtin_engines();
563 ENGINE_register_all_complete();
564 #endif
565+#endif
566 }
567
568 vchar_t *
569@@ -2504,8 +2520,7 @@ binbuf_pubkey2rsa(vchar_t *binbuf)
570 goto out;
571 }
572
573- rsa_pub->n = mod;
574- rsa_pub->e = exp;
575+ RSA_set0_key(rsa_pub, mod, exp, NULL);
576
577 out:
578 return rsa_pub;
579@@ -2582,5 +2597,5 @@ eay_random()
580 const char *
581 eay_version()
582 {
583- return SSLeay_version(SSLEAY_VERSION);
584+ return OpenSSL_version(OPENSSL_VERSION);
585 }
586diff --git a/src/racoon/crypto_openssl.h b/src/racoon/crypto_openssl.h
587index 66fac73..ee5b765 100644
588--- a/src/racoon/crypto_openssl.h
589+++ b/src/racoon/crypto_openssl.h
590@@ -124,7 +124,7 @@ extern vchar_t *eay_aes_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
591 extern int eay_aes_weakkey __P((vchar_t *));
592 extern int eay_aes_keylen __P((int));
593
594-#if defined(HAVE_OPENSSL_CAMELLIA_H)
595+#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA)
596 /* Camellia */
597 extern vchar_t *eay_camellia_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
598 extern vchar_t *eay_camellia_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
599diff --git a/src/racoon/eaytest.c b/src/racoon/eaytest.c
600index d609e4f..d2d20da 100644
601--- a/src/racoon/eaytest.c
602+++ b/src/racoon/eaytest.c
603@@ -62,6 +62,7 @@
604 #include "dhgroup.h"
605 #include "crypto_openssl.h"
606 #include "gnuc.h"
607+#include "openssl_compat.h"
608
609 #include "package_version.h"
610
611@@ -103,7 +104,7 @@ rsa_verify_with_pubkey(src, sig, pubkey_txt)
612 printf ("PEM_read_PUBKEY(): %s\n", eay_strerror());
613 return -1;
614 }
615- error = eay_check_rsasign(src, sig, evp->pkey.rsa);
616+ error = eay_check_rsasign(src, sig, EVP_PKEY_get0_RSA(evp));
617
618 return error;
619 }
620@@ -698,7 +699,7 @@ ciphertest(ac, av)
621 eay_cast_encrypt, eay_cast_decrypt) < 0)
622 return -1;
623
624-#ifdef HAVE_OPENSSL_IDEA_H
625+#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA)
626 if (ciphertest_1 ("IDEA",
627 &data, 8,
628 &key, key.l,
629@@ -715,7 +716,7 @@ ciphertest(ac, av)
630 eay_rc5_encrypt, eay_rc5_decrypt) < 0)
631 return -1;
632 #endif
633-#if defined(HAVE_OPENSSL_CAMELLIA_H)
634+#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA)
635 if (ciphertest_1 ("CAMELLIA",
636 &data, 16,
637 &key, key.l,
638diff --git a/src/racoon/ipsec_doi.c b/src/racoon/ipsec_doi.c
639index 08e4325..7b1604d 100644
640--- a/src/racoon/ipsec_doi.c
641+++ b/src/racoon/ipsec_doi.c
642@@ -715,7 +715,7 @@ out:
643 /* key length must not be specified on some algorithms */
644 if (keylen) {
645 if (sa->enctype == OAKLEY_ATTR_ENC_ALG_DES
646-#ifdef HAVE_OPENSSL_IDEA_H
647+#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA)
648 || sa->enctype == OAKLEY_ATTR_ENC_ALG_IDEA
649 #endif
650 || sa->enctype == OAKLEY_ATTR_ENC_ALG_3DES) {
651diff --git a/src/racoon/openssl_compat.c b/src/racoon/openssl_compat.c
652new file mode 100644
653index 0000000..864b5fb
654--- /dev/null
655+++ b/src/racoon/openssl_compat.c
656@@ -0,0 +1,213 @@
657+/*
658+ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
659+ *
660+ * Licensed under the OpenSSL license (the "License"). You may not use
661+ * this file except in compliance with the License. You can obtain a copy
662+ * in the file LICENSE in the source distribution or at
663+ * https://www.openssl.org/source/license.html
664+ */
665+
666+#include "openssl_compat.h"
667+
668+#if OPENSSL_VERSION_NUMBER < 0x10100000L
669+
670+#include <string.h>
671+
672+static void *OPENSSL_zalloc(size_t num)
673+{
674+ void *ret = OPENSSL_malloc(num);
675+
676+ if (ret != NULL)
677+ memset(ret, 0, num);
678+ return ret;
679+}
680+
681+int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
682+{
683+ /* If the fields n and e in r are NULL, the corresponding input
684+ * parameters MUST be non-NULL for n and e. d may be
685+ * left NULL (in case only the public key is used).
686+ */
687+ if ((r->n == NULL && n == NULL)
688+ || (r->e == NULL && e == NULL))
689+ return 0;
690+
691+ if (n != NULL) {
692+ BN_free(r->n);
693+ r->n = n;
694+ }
695+ if (e != NULL) {
696+ BN_free(r->e);
697+ r->e = e;
698+ }
699+ if (d != NULL) {
700+ BN_free(r->d);
701+ r->d = d;
702+ }
703+
704+ return 1;
705+}
706+
707+int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
708+{
709+ /* If the fields p and q in r are NULL, the corresponding input
710+ * parameters MUST be non-NULL.
711+ */
712+ if ((r->p == NULL && p == NULL)
713+ || (r->q == NULL && q == NULL))
714+ return 0;
715+
716+ if (p != NULL) {
717+ BN_free(r->p);
718+ r->p = p;
719+ }
720+ if (q != NULL) {
721+ BN_free(r->q);
722+ r->q = q;
723+ }
724+
725+ return 1;
726+}
727+
728+int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
729+{
730+ /* If the fields dmp1, dmq1 and iqmp in r are NULL, the corresponding input
731+ * parameters MUST be non-NULL.
732+ */
733+ if ((r->dmp1 == NULL && dmp1 == NULL)
734+ || (r->dmq1 == NULL && dmq1 == NULL)
735+ || (r->iqmp == NULL && iqmp == NULL))
736+ return 0;
737+
738+ if (dmp1 != NULL) {
739+ BN_free(r->dmp1);
740+ r->dmp1 = dmp1;
741+ }
742+ if (dmq1 != NULL) {
743+ BN_free(r->dmq1);
744+ r->dmq1 = dmq1;
745+ }
746+ if (iqmp != NULL) {
747+ BN_free(r->iqmp);
748+ r->iqmp = iqmp;
749+ }
750+
751+ return 1;
752+}
753+
754+void RSA_get0_key(const RSA *r,
755+ const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
756+{
757+ if (n != NULL)
758+ *n = r->n;
759+ if (e != NULL)
760+ *e = r->e;
761+ if (d != NULL)
762+ *d = r->d;
763+}
764+
765+void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q)
766+{
767+ if (p != NULL)
768+ *p = r->p;
769+ if (q != NULL)
770+ *q = r->q;
771+}
772+
773+void RSA_get0_crt_params(const RSA *r,
774+ const BIGNUM **dmp1, const BIGNUM **dmq1,
775+ const BIGNUM **iqmp)
776+{
777+ if (dmp1 != NULL)
778+ *dmp1 = r->dmp1;
779+ if (dmq1 != NULL)
780+ *dmq1 = r->dmq1;
781+ if (iqmp != NULL)
782+ *iqmp = r->iqmp;
783+}
784+
785+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
786+{
787+ /* If the fields p and g in d are NULL, the corresponding input
788+ * parameters MUST be non-NULL. q may remain NULL.
789+ */
790+ if ((dh->p == NULL && p == NULL)
791+ || (dh->g == NULL && g == NULL))
792+ return 0;
793+
794+ if (p != NULL) {
795+ BN_free(dh->p);
796+ dh->p = p;
797+ }
798+ if (q != NULL) {
799+ BN_free(dh->q);
800+ dh->q = q;
801+ }
802+ if (g != NULL) {
803+ BN_free(dh->g);
804+ dh->g = g;
805+ }
806+
807+ if (q != NULL) {
808+ dh->length = BN_num_bits(q);
809+ }
810+
811+ return 1;
812+}
813+
814+void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key)
815+{
816+ if (pub_key != NULL)
817+ *pub_key = dh->pub_key;
818+ if (priv_key != NULL)
819+ *priv_key = dh->priv_key;
820+}
821+
822+int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)
823+{
824+ /* If the field pub_key in dh is NULL, the corresponding input
825+ * parameters MUST be non-NULL. The priv_key field may
826+ * be left NULL.
827+ */
828+ if (dh->pub_key == NULL && pub_key == NULL)
829+ return 0;
830+
831+ if (pub_key != NULL) {
832+ BN_free(dh->pub_key);
833+ dh->pub_key = pub_key;
834+ }
835+ if (priv_key != NULL) {
836+ BN_free(dh->priv_key);
837+ dh->priv_key = priv_key;
838+ }
839+
840+ return 1;
841+}
842+
843+int DH_set_length(DH *dh, long length)
844+{
845+ dh->length = length;
846+ return 1;
847+}
848+
849+HMAC_CTX *HMAC_CTX_new(void)
850+{
851+ return OPENSSL_zalloc(sizeof(HMAC_CTX));
852+}
853+
854+void HMAC_CTX_free(HMAC_CTX *ctx)
855+{
856+ HMAC_CTX_cleanup(ctx);
857+ OPENSSL_free(ctx);
858+}
859+
860+RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
861+{
862+ if (pkey->type != EVP_PKEY_RSA) {
863+ return NULL;
864+ }
865+ return pkey->pkey.rsa;
866+}
867+
868+
869+#endif /* OPENSSL_VERSION_NUMBER */
870diff --git a/src/racoon/openssl_compat.h b/src/racoon/openssl_compat.h
871new file mode 100644
872index 0000000..9e152c2
873--- /dev/null
874+++ b/src/racoon/openssl_compat.h
875@@ -0,0 +1,45 @@
876+#ifndef OPENSSL_COMPAT_H
877+#define OPENSSL_COMPAT_H
878+
879+#include <openssl/opensslv.h>
880+#if OPENSSL_VERSION_NUMBER < 0x10100000L
881+
882+#include <openssl/rsa.h>
883+#include <openssl/dh.h>
884+#include <openssl/evp.h>
885+#include <openssl/hmac.h>
886+
887+int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
888+int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q);
889+int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp);
890+void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d);
891+void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q);
892+void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, const BIGNUM **iqmp);
893+
894+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
895+void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key);
896+int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key);
897+int DH_set_length(DH *dh, long length);
898+
899+HMAC_CTX *HMAC_CTX_new(void);
900+void HMAC_CTX_free(HMAC_CTX* ctx);
901+
902+RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey);
903+
904+#define ASN1_STRING_length(s) s->length
905+#define ASN1_STRING_get0_data(s) s->data
906+
907+#define X509_get_subject_name(x) x->cert_info->subject
908+#define X509_get_issuer_name(x) x->cert_info->issuer
909+#define X509_NAME_ENTRY_get_data(n) n->value
910+#define X509_NAME_ENTRY_get_object(n) n->object
911+#define X509_STORE_CTX_get_current_cert(ctx) ctx->current_cert
912+#define X509_STORE_CTX_get_error(ctx) ctx->error
913+#define X509_STORE_CTX_get_error_depth(ctx) ctx->error_depth
914+
915+#define OPENSSL_VERSION SSLEAY_VERSION
916+#define OpenSSL_version SSLeay_version
917+
918+#endif /* OPENSSL_VERSION_NUMBER */
919+
920+#endif /* OPENSSL_COMPAT_H */
921diff --git a/src/racoon/plainrsa-gen.c b/src/racoon/plainrsa-gen.c
922index cad1861..b949b08 100644
923--- a/src/racoon/plainrsa-gen.c
924+++ b/src/racoon/plainrsa-gen.c
925@@ -60,6 +60,7 @@
926 #include "vmbuf.h"
927 #include "plog.h"
928 #include "crypto_openssl.h"
929+#include "openssl_compat.h"
930
931 #include "package_version.h"
932
933@@ -90,12 +91,14 @@ mix_b64_pubkey(const RSA *key)
934 char *binbuf;
935 long binlen, ret;
936 vchar_t *res;
937-
938- binlen = 1 + BN_num_bytes(key->e) + BN_num_bytes(key->n);
939+ const BIGNUM *e, *n;
940+
941+ RSA_get0_key(key, &n, &e, NULL);
942+ binlen = 1 + BN_num_bytes(e) + BN_num_bytes(n);
943 binbuf = malloc(binlen);
944 memset(binbuf, 0, binlen);
945- binbuf[0] = BN_bn2bin(key->e, (unsigned char *) &binbuf[1]);
946- ret = BN_bn2bin(key->n, (unsigned char *) (&binbuf[binbuf[0] + 1]));
947+ binbuf[0] = BN_bn2bin(e, (unsigned char *) &binbuf[1]);
948+ ret = BN_bn2bin(n, (unsigned char *) (&binbuf[binbuf[0] + 1]));
949 if (1 + binbuf[0] + ret != binlen) {
950 plog(LLV_ERROR, LOCATION, NULL,
951 "Pubkey generation failed. This is really strange...\n");
952@@ -131,16 +134,20 @@ print_rsa_key(FILE *fp, const RSA *key)
953
954 fprintf(fp, "# : PUB 0s%s\n", pubkey64->v);
955 fprintf(fp, ": RSA\t{\n");
956- fprintf(fp, "\t# RSA %d bits\n", BN_num_bits(key->n));
957+ const BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp;
958+ RSA_get0_key(key, &n, &e, &d);
959+ RSA_get0_factors(key, &p, &q);
960+ RSA_get0_crt_params(key, &dmp1, &dmq1, &iqmp);
961+ fprintf(fp, "\t# RSA %d bits\n", BN_num_bits(n));
962 fprintf(fp, "\t# pubkey=0s%s\n", pubkey64->v);
963- fprintf(fp, "\tModulus: 0x%s\n", lowercase(BN_bn2hex(key->n)));
964- fprintf(fp, "\tPublicExponent: 0x%s\n", lowercase(BN_bn2hex(key->e)));
965- fprintf(fp, "\tPrivateExponent: 0x%s\n", lowercase(BN_bn2hex(key->d)));
966- fprintf(fp, "\tPrime1: 0x%s\n", lowercase(BN_bn2hex(key->p)));
967- fprintf(fp, "\tPrime2: 0x%s\n", lowercase(BN_bn2hex(key->q)));
968- fprintf(fp, "\tExponent1: 0x%s\n", lowercase(BN_bn2hex(key->dmp1)));
969- fprintf(fp, "\tExponent2: 0x%s\n", lowercase(BN_bn2hex(key->dmq1)));
970- fprintf(fp, "\tCoefficient: 0x%s\n", lowercase(BN_bn2hex(key->iqmp)));
971+ fprintf(fp, "\tModulus: 0x%s\n", lowercase(BN_bn2hex(n)));
972+ fprintf(fp, "\tPublicExponent: 0x%s\n", lowercase(BN_bn2hex(e)));
973+ fprintf(fp, "\tPrivateExponent: 0x%s\n", lowercase(BN_bn2hex(d)));
974+ fprintf(fp, "\tPrime1: 0x%s\n", lowercase(BN_bn2hex(p)));
975+ fprintf(fp, "\tPrime2: 0x%s\n", lowercase(BN_bn2hex(q)));
976+ fprintf(fp, "\tExponent1: 0x%s\n", lowercase(BN_bn2hex(dmp1)));
977+ fprintf(fp, "\tExponent2: 0x%s\n", lowercase(BN_bn2hex(dmq1)));
978+ fprintf(fp, "\tCoefficient: 0x%s\n", lowercase(BN_bn2hex(iqmp)));
979 fprintf(fp, " }\n");
980
981 vfree(pubkey64);
982@@ -203,11 +210,13 @@ int
983 gen_rsa_key(FILE *fp, size_t bits, unsigned long exp)
984 {
985 int ret;
986- RSA *key;
987+ RSA *key = RSA_new();
988+ BIGNUM *e = BN_new();
989
990- key = RSA_generate_key(bits, exp, NULL, NULL);
991- if (!key) {
992+ BN_set_word(e, exp);
993+ if (! RSA_generate_key_ex(key, bits, e, NULL)) {
994 fprintf(stderr, "RSA_generate_key(): %s\n", eay_strerror());
995+ RSA_free(key);
996 return -1;
997 }
998
999diff --git a/src/racoon/prsa_par.y b/src/racoon/prsa_par.y
1000index 1987e4d..27ce4c6 100644
1001--- a/src/racoon/prsa_par.y
1002+++ b/src/racoon/prsa_par.y
1003@@ -68,6 +68,7 @@
1004 #include "isakmp_var.h"
1005 #include "handler.h"
1006 #include "crypto_openssl.h"
1007+#include "openssl_compat.h"
1008 #include "sockmisc.h"
1009 #include "rsalist.h"
1010
1011@@ -85,7 +86,18 @@ char *prsa_cur_fname = NULL;
1012 struct genlist *prsa_cur_list = NULL;
1013 enum rsa_key_type prsa_cur_type = RSA_TYPE_ANY;
1014
1015-static RSA *rsa_cur;
1016+struct my_rsa_st {
1017+ BIGNUM *n;
1018+ BIGNUM *e;
1019+ BIGNUM *d;
1020+ BIGNUM *p;
1021+ BIGNUM *q;
1022+ BIGNUM *dmp1;
1023+ BIGNUM *dmq1;
1024+ BIGNUM *iqmp;
1025+};
1026+
1027+static struct my_rsa_st *rsa_cur;
1028
1029 void
1030 prsaerror(const char *s, ...)
1031@@ -201,8 +213,12 @@ rsa_statement:
1032 rsa_cur->iqmp = NULL;
1033 }
1034 }
1035- $$ = rsa_cur;
1036- rsa_cur = RSA_new();
1037+ RSA * rsa_tmp = RSA_new();
1038+ RSA_set0_key(rsa_tmp, rsa_cur->n, rsa_cur->e, rsa_cur->d);
1039+ RSA_set0_factors(rsa_tmp, rsa_cur->p, rsa_cur->q);
1040+ RSA_set0_crt_params(rsa_tmp, rsa_cur->dmp1, rsa_cur->dmq1, rsa_cur->iqmp);
1041+ $$ = rsa_tmp;
1042+ memset(rsa_cur, 0, sizeof(struct my_rsa_st));
1043 }
1044 | TAG_PUB BASE64
1045 {
1046@@ -351,10 +367,12 @@ prsa_parse_file(struct genlist *list, char *fname, enum rsa_key_type type)
1047 prsa_cur_fname = fname;
1048 prsa_cur_list = list;
1049 prsa_cur_type = type;
1050- rsa_cur = RSA_new();
1051+ rsa_cur = malloc(sizeof(struct my_rsa_st));
1052+ memset(rsa_cur, 0, sizeof(struct my_rsa_st));
1053 ret = prsaparse();
1054 if (rsa_cur) {
1055- RSA_free(rsa_cur);
1056+ memset(rsa_cur, 0, sizeof(struct my_rsa_st));
1057+ free(rsa_cur);
1058 rsa_cur = NULL;
1059 }
1060 fclose (fp);
1061diff --git a/src/racoon/rsalist.c b/src/racoon/rsalist.c
1062index f152c82..96e8363 100644
1063--- a/src/racoon/rsalist.c
1064+++ b/src/racoon/rsalist.c
1065@@ -52,6 +52,7 @@
1066 #include "genlist.h"
1067 #include "remoteconf.h"
1068 #include "crypto_openssl.h"
1069+#include "openssl_compat.h"
1070
1071 #ifndef LIST_FIRST
1072 #define LIST_FIRST(head) ((head)->lh_first)
1073@@ -98,7 +99,9 @@ rsa_key_dup(struct rsa_key *key)
1074 return NULL;
1075
1076 if (key->rsa) {
1077- new->rsa = key->rsa->d != NULL ? RSAPrivateKey_dup(key->rsa) : RSAPublicKey_dup(key->rsa);
1078+ const BIGNUM *d;
1079+ RSA_get0_key(key->rsa, NULL, NULL, &d);
1080+ new->rsa = (d != NULL ? RSAPrivateKey_dup(key->rsa) : RSAPublicKey_dup(key->rsa));
1081 if (new->rsa == NULL)
1082 goto dup_error;
1083 }
1084--
10852.7.4
1086
diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-racoon-pfkey-avoid-potential-null-pointer-dereferenc.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-racoon-pfkey-avoid-potential-null-pointer-dereferenc.patch
deleted file mode 100644
index d5602c03db..0000000000
--- a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-racoon-pfkey-avoid-potential-null-pointer-dereferenc.patch
+++ /dev/null
@@ -1,33 +0,0 @@
1From 738a9857be9c92ad2f70be88ccee238e3154a936 Mon Sep 17 00:00:00 2001
2From: Joe MacDonald <joe.macdonald@windriver.com>
3Date: Wed, 2 Oct 2013 14:20:37 -0400
4Subject: [PATCH] racoon/pfkey: avoid potential null-pointer dereference
5
6Building with -Werror=maybe-uninitialized revealed that 'remote' from
7pk_recvmigrate() could be used with uninitialized data in
8migrate_sp_ike_addresses(). Ensure it is always at a minimum assigned
9NULL.
10
11Upstream-Status: Pending
12
13Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
14---
15 src/racoon/pfkey.c | 2 +-
16 1 file changed, 1 insertion(+), 1 deletion(-)
17
18diff --git a/src/racoon/pfkey.c b/src/racoon/pfkey.c
19index d00b166..e0dc1db 100644
20--- a/src/racoon/pfkey.c
21+++ b/src/racoon/pfkey.c
22@@ -3352,7 +3352,7 @@ pk_recvmigrate(mhp)
23 struct sockaddr *old_saddr, *new_saddr;
24 struct sockaddr *old_daddr, *new_daddr;
25 struct sockaddr *old_local, *old_remote;
26- struct sockaddr *local, *remote;
27+ struct sockaddr *local, *remote = NULL;
28 struct sadb_x_kmaddress *kmaddr;
29 struct sadb_x_policy *xpl;
30 struct sadb_x_ipsecrequest *xisr_list;
31--
321.7.9.5
33
diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-Don-t-link-against-libfl.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-Don-t-link-against-libfl.patch
deleted file mode 100644
index 13e9d73fc4..0000000000
--- a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-Don-t-link-against-libfl.patch
+++ /dev/null
@@ -1,87 +0,0 @@
1From e48b9097dce7bc2bfbb9e9c542124d3b5cebab39 Mon Sep 17 00:00:00 2001
2From: Paul Barker <paul@paulbarker.me.uk>
3Date: Wed, 5 Mar 2014 13:39:14 +0000
4Subject: [PATCH] Don't link against libfl
5
6We can remove all references to yywrap by adding "%option noyywrap" statements
7to each flex source file that doesn't override yywrap. After this, we no longer
8need to link against libfl and so no longer get errors about undefined
9references to yylex.
10
11Signed-off-by: Paul Barker <paul@paulbarker.me.uk>
12Upstream-status: Submitted 2014-03-11
13 see http://sourceforge.net/p/ipsec-tools/mailman/ipsec-tools-devel/thread/CANyK_8ewmxGA3vBVJW6s1APXPmxPR%2BDFWZ61EL8pCt288aKQ6w%40mail.gmail.com/#msg32088797
14---
15 src/libipsec/Makefile.am | 1 -
16 src/racoon/Makefile.am | 2 +-
17 src/racoon/cftoken.l | 2 ++
18 src/setkey/Makefile.am | 1 -
19 src/setkey/token.l | 2 ++
20 5 files changed, 5 insertions(+), 3 deletions(-)
21
22diff --git a/src/libipsec/Makefile.am b/src/libipsec/Makefile.am
23index 6a4e3b3..df1e106 100644
24--- a/src/libipsec/Makefile.am
25+++ b/src/libipsec/Makefile.am
26@@ -26,7 +26,6 @@ libipsec_la_SOURCES = \
27 # version is current:revision:age.
28 # See: http://www.gnu.org/manual/libtool-1.4.2/html_chapter/libtool_6.html#SEC32
29 libipsec_la_LDFLAGS = -version-info 0:1:0
30-libipsec_la_LIBADD = $(LEXLIB)
31
32 noinst_HEADERS = ipsec_strerror.h
33
34diff --git a/src/racoon/Makefile.am b/src/racoon/Makefile.am
35index dbaded9..0662957 100644
36--- a/src/racoon/Makefile.am
37+++ b/src/racoon/Makefile.am
38@@ -38,7 +38,7 @@ racoon_SOURCES = \
39 cftoken.l cfparse.y prsa_tok.l prsa_par.y
40 EXTRA_racoon_SOURCES = isakmp_xauth.c isakmp_cfg.c isakmp_unity.c throttle.c \
41 isakmp_frag.c nattraversal.c security.c $(MISSING_ALGOS)
42-racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(LEXLIB) \
43+racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) \
44 $(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la
45 racoon_DEPENDENCIES = \
46 $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(SECCTX_OBJS) \
47diff --git a/src/racoon/cftoken.l b/src/racoon/cftoken.l
48index 490242c..1701922 100644
49--- a/src/racoon/cftoken.l
50+++ b/src/racoon/cftoken.l
51@@ -106,6 +106,8 @@ static int incstackp = 0;
52 static int yy_first_time = 1;
53 %}
54
55+%option noyywrap
56+
57 /* common seciton */
58 nl \n
59 ws [ \t]+
60diff --git a/src/setkey/Makefile.am b/src/setkey/Makefile.am
61index 746c1f1..389e6cf 100644
62--- a/src/setkey/Makefile.am
63+++ b/src/setkey/Makefile.am
64@@ -13,7 +13,6 @@ setkey_SOURCES = \
65
66 setkey_LDFLAGS = ../libipsec/libipsec.la
67 setkey_DEPENDENCIES = ../libipsec/libipsec.la
68-setkey_LDADD = $(LEXLIB)
69
70 noinst_HEADERS = vchar.h extern.h
71 man8_MANS = setkey.8
72diff --git a/src/setkey/token.l b/src/setkey/token.l
73index ad3d843..eb23b76 100644
74--- a/src/setkey/token.l
75+++ b/src/setkey/token.l
76@@ -88,6 +88,8 @@
77 #endif
78 %}
79
80+%option noyywrap
81+
82 /* common section */
83 nl \n
84 ws [ \t]+
85--
861.9.0
87
diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-cfparse-clear-memory-equal-to-size-of-array.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-cfparse-clear-memory-equal-to-size-of-array.patch
deleted file mode 100644
index e9dd84aaa9..0000000000
--- a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-cfparse-clear-memory-equal-to-size-of-array.patch
+++ /dev/null
@@ -1,30 +0,0 @@
1From a5c59f6a1479947d33dba5191724cc5fc88a614b Mon Sep 17 00:00:00 2001
2From: Khem Raj <raj.khem@gmail.com>
3Date: Sat, 22 Apr 2017 10:39:57 -0700
4Subject: [PATCH 2/2] cfparse: clear memory equal to size of array
5
6Fixes compiler error
7cfparse.y: In function 'set_isakmp_proposal':
8cfparse.y:2567:3: error: 'memset' used with length equal to number of elements without multiplication by element size [-Werror=memset-elt-size]
9
10Signed-off-by: Khem Raj <raj.khem@gmail.com>
11---
12 src/racoon/cfparse.y | 2 +-
13 1 file changed, 1 insertion(+), 1 deletion(-)
14
15diff --git a/src/racoon/cfparse.y b/src/racoon/cfparse.y
16index 0d9bd67..5d9c67b 100644
17--- a/src/racoon/cfparse.y
18+++ b/src/racoon/cfparse.y
19@@ -2564,7 +2564,7 @@ set_isakmp_proposal(rmconf)
20 plog(LLV_DEBUG2, LOCATION, NULL,
21 "encklen=%d\n", s->encklen);
22
23- memset(types, 0, ARRAYLEN(types));
24+ memset(types, 0, sizeof(types));
25 types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc];
26 types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash];
27 types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh];
28--
292.12.2
30
diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/configure.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/configure.patch
deleted file mode 100644
index 8d270a62b9..0000000000
--- a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/configure.patch
+++ /dev/null
@@ -1,13 +0,0 @@
1Index: ipsec-tools-0.8.1/configure.ac
2===================================================================
3--- ipsec-tools-0.8.1.orig/configure.ac 2013-01-08 12:43:29.000000000 +0000
4+++ ipsec-tools-0.8.1/configure.ac 2014-07-18 07:51:30.045555880 +0000
5@@ -6,7 +6,7 @@
6 AC_CONFIG_SRCDIR([configure.ac])
7 AC_CONFIG_HEADERS(config.h)
8
9-AM_INIT_AUTOMAKE(dist-bzip2)
10+AM_INIT_AUTOMAKE([foreign dist-bzip2])
11
12 AC_ENABLE_SHARED(no)
13
diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/fix-CVE-2015-4047.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/fix-CVE-2015-4047.patch
deleted file mode 100644
index 7e033af5ee..0000000000
--- a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/fix-CVE-2015-4047.patch
+++ /dev/null
@@ -1,38 +0,0 @@
1[PATCH] fix CVE-2015-4047
2
3Upstream-Status: Backport
4
5CVE: CVE-2015-4047
6
7http://www.openwall.com/lists/oss-security/2015/05/20/1
8
9racoon/gssapi.c in IPsec-Tools 0.8.2 allows remote attackers to cause
10a denial of service (NULL pointer dereference and IKE daemon crash) via
11a series of crafted UDP requests.
12
13https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4047
14
15Signed-off-by: Roy Li <rongqing.li@windriver.com>
16---
17 src/racoon/gssapi.c | 5 +++++
18 1 file changed, 5 insertions(+)
19
20diff --git a/src/racoon/gssapi.c b/src/racoon/gssapi.c
21index e64b201..1ad3b42 100644
22--- a/src/racoon/gssapi.c
23+++ b/src/racoon/gssapi.c
24@@ -192,6 +192,11 @@ gssapi_init(struct ph1handle *iph1)
25 gss_name_t princ, canon_princ;
26 OM_uint32 maj_stat, min_stat;
27
28+ if (iph1->rmconf == NULL) {
29+ plog(LLV_ERROR, LOCATION, NULL, "no remote config\n");
30+ return -1;
31+ }
32+
33 gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
34 if (gps == NULL) {
35 plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n");
36--
371.9.1
38
diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/fix-CVE-2016-10396.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/fix-CVE-2016-10396.patch
deleted file mode 100644
index fec4804c02..0000000000
--- a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/fix-CVE-2016-10396.patch
+++ /dev/null
@@ -1,207 +0,0 @@
1Upstream-Status: Backport [https://anonscm.debian.org/cgit/pkg-ipsec-tools/pkg-ipsec-tools.git/plain/debian/patches/CVE-2016-10396.patch?id=62ac12648a4eb7c5ba5dba0f81998d1acf310d8b]
2
3CVE: CVE-2016-10396
4
5Signed-off-by: Kai Kang <kai.kang@windriver.com>
6---
7Description: Fix remotely exploitable DoS. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396
8Source: vendor; https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682
9Bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986
10
11Index: pkg-ipsec-tools/src/racoon/isakmp_frag.c
12===================================================================
13--- pkg-ipsec-tools.orig/src/racoon/isakmp_frag.c
14+++ pkg-ipsec-tools/src/racoon/isakmp_frag.c
15@@ -1,4 +1,4 @@
16-/* $NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $ */
17+/* $NetBSD: isakmp_frag.c,v 1.5.36.1 2017/04/21 16:50:42 bouyer Exp $ */
18
19 /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
20
21@@ -173,6 +173,43 @@ vendorid_frag_cap(gen)
22 return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]);
23 }
24
25+static int
26+isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item)
27+{
28+ struct isakmp_frag_item *pitem = NULL;
29+ struct isakmp_frag_item *citem = iph1->frag_chain;
30+
31+ /* no frag yet, just insert at beginning of list */
32+ if (iph1->frag_chain == NULL) {
33+ iph1->frag_chain = item;
34+ return 0;
35+ }
36+
37+ do {
38+ /* duplicate fragment number, abort (CVE-2016-10396) */
39+ if (citem->frag_num == item->frag_num)
40+ return -1;
41+
42+ /* need to insert before current item */
43+ if (citem->frag_num > item->frag_num) {
44+ if (pitem != NULL)
45+ pitem->frag_next = item;
46+ else
47+ /* insert at the beginning of the list */
48+ iph1->frag_chain = item;
49+ item->frag_next = citem;
50+ return 0;
51+ }
52+
53+ pitem = citem;
54+ citem = citem->frag_next;
55+ } while (citem != NULL);
56+
57+ /* we reached the end of the list, insert */
58+ pitem->frag_next = item;
59+ return 0;
60+}
61+
62 int
63 isakmp_frag_extract(iph1, msg)
64 struct ph1handle *iph1;
65@@ -224,39 +261,43 @@ isakmp_frag_extract(iph1, msg)
66 item->frag_next = NULL;
67 item->frag_packet = buf;
68
69- /* Look for the last frag while inserting the new item in the chain */
70- if (item->frag_last)
71- last_frag = item->frag_num;
72+ /* Check for the last frag before inserting the new item in the chain */
73+ if (item->frag_last) {
74+ /* if we have the last fragment, indices must match */
75+ if (iph1->frag_last_index != 0 &&
76+ item->frag_last != iph1->frag_last_index) {
77+ plog(LLV_ERROR, LOCATION, NULL,
78+ "Repeated last fragment index mismatch\n");
79+ racoon_free(item);
80+ vfree(buf);
81+ return -1;
82+ }
83
84- if (iph1->frag_chain == NULL) {
85- iph1->frag_chain = item;
86- } else {
87- struct isakmp_frag_item *current;
88+ last_frag = iph1->frag_last_index = item->frag_num;
89+ }
90
91- current = iph1->frag_chain;
92- while (current->frag_next) {
93- if (current->frag_last)
94- last_frag = item->frag_num;
95- current = current->frag_next;
96- }
97- current->frag_next = item;
98+ /* insert fragment into chain */
99+ if (isakmp_frag_insert(iph1, item) == -1) {
100+ plog(LLV_ERROR, LOCATION, NULL,
101+ "Repeated fragment index mismatch\n");
102+ racoon_free(item);
103+ vfree(buf);
104+ return -1;
105 }
106
107- /* If we saw the last frag, check if the chain is complete */
108+ /* If we saw the last frag, check if the chain is complete
109+ * we have a sorted list now, so just walk through */
110 if (last_frag != 0) {
111+ item = iph1->frag_chain;
112 for (i = 1; i <= last_frag; i++) {
113- item = iph1->frag_chain;
114- do {
115- if (item->frag_num == i)
116- break;
117- item = item->frag_next;
118- } while (item != NULL);
119-
120+ if (item->frag_num != i)
121+ break;
122+ item = item->frag_next;
123 if (item == NULL) /* Not found */
124 break;
125 }
126
127- if (item != NULL) /* It is complete */
128+ if (i > last_frag) /* It is complete */
129 return 1;
130 }
131
132@@ -291,15 +332,9 @@ isakmp_frag_reassembly(iph1)
133 }
134 data = buf->v;
135
136+ item = iph1->frag_chain;
137 for (i = 1; i <= frag_count; i++) {
138- item = iph1->frag_chain;
139- do {
140- if (item->frag_num == i)
141- break;
142- item = item->frag_next;
143- } while (item != NULL);
144-
145- if (item == NULL) {
146+ if (item->frag_num != i) {
147 plog(LLV_ERROR, LOCATION, NULL,
148 "Missing fragment #%d\n", i);
149 vfree(buf);
150@@ -308,6 +343,7 @@ isakmp_frag_reassembly(iph1)
151 }
152 memcpy(data, item->frag_packet->v, item->frag_packet->l);
153 data += item->frag_packet->l;
154+ item = item->frag_next;
155 }
156
157 out:
158Index: pkg-ipsec-tools/src/racoon/isakmp_inf.c
159===================================================================
160--- pkg-ipsec-tools.orig/src/racoon/isakmp_inf.c
161+++ pkg-ipsec-tools/src/racoon/isakmp_inf.c
162@@ -720,6 +720,7 @@ isakmp_info_send_nx(isakmp, remote, loca
163 #endif
164 #ifdef ENABLE_FRAG
165 iph1->frag = 0;
166+ iph1->frag_last_index = 0;
167 iph1->frag_chain = NULL;
168 #endif
169
170Index: pkg-ipsec-tools/src/racoon/isakmp.c
171===================================================================
172--- pkg-ipsec-tools.orig/src/racoon/isakmp.c
173+++ pkg-ipsec-tools/src/racoon/isakmp.c
174@@ -1072,6 +1072,7 @@ isakmp_ph1begin_i(rmconf, remote, local)
175 iph1->frag = 1;
176 else
177 iph1->frag = 0;
178+ iph1->frag_last_index = 0;
179 iph1->frag_chain = NULL;
180 #endif
181 iph1->approval = NULL;
182@@ -1176,6 +1177,7 @@ isakmp_ph1begin_r(msg, remote, local, et
183 #endif
184 #ifdef ENABLE_FRAG
185 iph1->frag = 0;
186+ iph1->frag_last_index = 0;
187 iph1->frag_chain = NULL;
188 #endif
189 iph1->approval = NULL;
190Index: pkg-ipsec-tools/src/racoon/handler.h
191===================================================================
192--- pkg-ipsec-tools.orig/src/racoon/handler.h
193+++ pkg-ipsec-tools/src/racoon/handler.h
194@@ -1,4 +1,4 @@
195-/* $NetBSD: handler.h,v 1.25 2010/11/17 10:40:41 tteras Exp $ */
196+/* $NetBSD: handler.h,v 1.26 2017/01/24 19:23:56 christos Exp $ */
197
198 /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
199
200@@ -141,6 +141,7 @@ struct ph1handle {
201 #endif
202 #ifdef ENABLE_FRAG
203 int frag; /* IKE phase 1 fragmentation */
204+ int frag_last_index;
205 struct isakmp_frag_item *frag_chain; /* Received fragments */
206 #endif
207
diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/glibc-2.20.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/glibc-2.20.patch
deleted file mode 100644
index 36efc49179..0000000000
--- a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/glibc-2.20.patch
+++ /dev/null
@@ -1,23 +0,0 @@
1squahes below warning
2 warning: #warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use _DEFAULT_SOURCE"
3
4Seen with glibc 2.20
5
6Signed-off-by: Khem Raj <raj.khem@gmail.com>
7Upstream-Status: Pending
8Index: ipsec-tools-0.8.2/src/include-glibc/glibc-bugs.h
9===================================================================
10--- ipsec-tools-0.8.2.orig/src/include-glibc/glibc-bugs.h 2006-09-09 09:22:08.000000000 -0700
11+++ ipsec-tools-0.8.2/src/include-glibc/glibc-bugs.h 2014-09-03 22:27:22.551563888 -0700
12@@ -4,7 +4,11 @@
13 #define __GLIBC_BUGS_H__ 1
14
15 #define _XOPEN_SOURCE 500
16+/* Legacy feature macro.*/
17 #define _BSD_SOURCE
18+/* New feature macro that provides everything _BSD_SOURCE and
19+ * _SVID_SOURCE provided and possibly more. */
20+#define _DEFAULT_SOURCE
21
22 #include <features.h>
23 #include <sys/types.h>
diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-Resend-UPDATE-message-when-received-EINTR-message.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-Resend-UPDATE-message-when-received-EINTR-message.patch
deleted file mode 100644
index e82db087c5..0000000000
--- a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-Resend-UPDATE-message-when-received-EINTR-message.patch
+++ /dev/null
@@ -1,220 +0,0 @@
1racoon: Resend UPDATE message when received EINTR message
2
3Upstream-Status: Pending
4
5While kernel is processing the UPDATE message which is sent from racoon,
6it maybe interrupted by system signal and if this case happens,
7kernel responds with an EINTR message to racoon and kernel fails to
8establish the corresponding SA.
9Fix this problem by resend the UPDATE message when EINTR(Interrupted
10system call) error happens.
11
12Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com>
13---
14--- a/src/libipsec/libpfkey.h
15+++ b/src/libipsec/libpfkey.h
16@@ -92,6 +92,12 @@
17 u_int16_t ctxstrlen; /* length of security context string */
18 };
19
20+struct update_msg_info {
21+ struct sadb_msg *update_msg;
22+ int so;
23+ int len;
24+};
25+
26 /* The options built into libipsec */
27 extern int libipsec_opt;
28 #define LIBIPSEC_OPT_NATT 0x01
29--- a/src/libipsec/pfkey.c
30+++ b/src/libipsec/pfkey.c
31@@ -1219,7 +1219,8 @@
32 }
33 #endif
34
35-
36+struct update_msg_info update_msg_send = {NULL, 0, 0};
37+
38 /* sending SADB_ADD or SADB_UPDATE message to the kernel */
39 static int
40 pfkey_send_x1(struct pfkey_send_sa_args *sa_parms)
41@@ -1483,10 +1484,24 @@
42
43 /* send message */
44 len = pfkey_send(sa_parms->so, newmsg, len);
45- free(newmsg);
46
47- if (len < 0)
48- return -1;
49+ if (newmsg->sadb_msg_type == SADB_UPDATE) {
50+ if (update_msg_send.update_msg)
51+ free(update_msg_send.update_msg);
52+ update_msg_send.update_msg = newmsg;
53+ update_msg_send.so = sa_parms->so;
54+ update_msg_send.len = len;
55+
56+ if (len < 0) {
57+ free(update_msg_send.update_msg);
58+ update_msg_send.update_msg = NULL;
59+ return -1;
60+ }
61+ } else {
62+ free(newmsg);
63+ if (len < 0)
64+ return -1;
65+ }
66
67 __ipsec_errcode = EIPSEC_NO_ERROR;
68 return len;
69--- a/src/racoon/session.c
70+++ b/src/racoon/session.c
71@@ -100,6 +100,8 @@
72
73 #include "sainfo.h"
74
75+extern struct update_msg_info update_msg_send;
76+
77 struct fd_monitor {
78 int (*callback)(void *ctx, int fd);
79 void *ctx;
80@@ -348,6 +350,11 @@
81 close_sockets();
82 backupsa_clean();
83
84+ if (update_msg_send.update_msg) {
85+ free(update_msg_send.update_msg);
86+ update_msg_send.update_msg = NULL;
87+ }
88+
89 plog(LLV_INFO, LOCATION, NULL, "racoon process %d shutdown\n", getpid());
90
91 exit(0);
92--- a/src/racoon/pfkey.c
93+++ b/src/racoon/pfkey.c
94@@ -103,10 +103,12 @@
95 #include "crypto_openssl.h"
96 #include "grabmyaddr.h"
97+#include "../libipsec/libpfkey.h"
98
99 #if defined(SADB_X_EALG_RIJNDAELCBC) && !defined(SADB_X_EALG_AESCBC)
100 #define SADB_X_EALG_AESCBC SADB_X_EALG_RIJNDAELCBC
101 #endif
102
103+extern struct update_msg_info update_msg_send;
104 /* prototype */
105 static u_int ipsecdoi2pfkey_aalg __P((u_int));
106 static u_int ipsecdoi2pfkey_ealg __P((u_int));
107@@ -253,6 +255,13 @@
108 s_pfkey_type(msg->sadb_msg_type),
109 strerror(msg->sadb_msg_errno));
110
111+ if (msg->sadb_msg_errno == EINTR &&
112+ update_msg_send.update_msg) {
113+ plog(LLV_DEBUG, LOCATION, NULL,
114+ "pfkey update resend\n");
115+ send(update_msg_send.so, (void *)update_msg_send.update_msg, (socklen_t)update_msg_send.len, 0);
116+ }
117+
118 goto end;
119 }
120
121@@ -498,6 +507,11 @@
122 {
123 flushsp();
124
125+ if (update_msg_send.update_msg) {
126+ free(update_msg_send.update_msg);
127+ update_msg_send.update_msg = NULL;
128+ }
129+
130 if (pfkey_send_spddump(lcconf->sock_pfkey) < 0) {
131 plog(LLV_ERROR, LOCATION, NULL,
132 "libipsec sending spddump failed: %s\n",
133@@ -1295,6 +1309,8 @@
134 return 0;
135 }
136
137+int update_received = 0;
138+
139 static int
140 pk_recvupdate(mhp)
141 caddr_t *mhp;
142@@ -1307,6 +1323,13 @@
143 int incomplete = 0;
144 struct saproto *pr;
145
146+ update_received = 1;
147+
148+ if (update_msg_send.update_msg) {
149+ free(update_msg_send.update_msg);
150+ update_msg_send.update_msg = NULL;
151+ }
152+
153 /* ignore this message because of local test mode. */
154 if (f_local)
155 return 0;
156@@ -4163,3 +4186,8 @@
157
158 return buf;
159 }
160+
161+int receive_from_isakmp()
162+{
163+ return pfkey_handler(NULL, lcconf->sock_pfkey);
164+}
165--- a/src/racoon/pfkey.h
166+++ b/src/racoon/pfkey.h
167@@ -71,5 +71,6 @@
168 extern u_int32_t pk_getseq __P((void));
169 extern const char *sadbsecas2str
170 __P((struct sockaddr *, struct sockaddr *, int, u_int32_t, int));
171+extern int receive_from_isakmp __P((void));
172
173 #endif /* _PFKEY_H */
174--- a/src/racoon/isakmp_quick.c
175+++ b/src/racoon/isakmp_quick.c
176@@ -774,6 +774,8 @@
177 return error;
178 }
179
180+extern int update_received;
181+
182 /*
183 * send to responder
184 * HDR*, HASH(3)
185@@ -892,6 +894,11 @@
186 }
187 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
188
189+ while (!update_received)
190+ receive_from_isakmp();
191+
192+ update_received = 0;
193+
194 /* Do ADD for responder */
195 if (pk_sendadd(iph2) < 0) {
196 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
197@@ -1035,6 +1042,11 @@
198 }
199 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
200
201+ while (!update_received)
202+ receive_from_isakmp();
203+
204+ update_received = 0;
205+
206 /* Do ADD for responder */
207 if (pk_sendadd(iph2) < 0) {
208 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
209@@ -1989,6 +2001,11 @@
210 }
211 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
212
213+ while (!update_received)
214+ receive_from_isakmp();
215+
216+ update_received = 0;
217+
218 /* Do ADD for responder */
219 if (pk_sendadd(iph2) < 0) {
220 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-ivm.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-ivm.patch
deleted file mode 100644
index e272bc20fa..0000000000
--- a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-ivm.patch
+++ /dev/null
@@ -1,26 +0,0 @@
1Subject: [PATCH] ipsec-tools: racoon: check several invalid ivm
2
3Upstream-Status: Pending
4
5Add checking for invalid ivm, or it will crash racoon.
6
7Signed-off-by: Ming Liu <ming.liu@windriver.com>
8---
9 isakmp_cfg.c | 5 +++++
10 1 file changed, 5 insertions(+)
11
12diff -urpN a/src/racoon/isakmp_cfg.c b/src/racoon/isakmp_cfg.c
13--- a/src/racoon/isakmp_cfg.c
14+++ b/src/racoon/isakmp_cfg.c
15@@ -171,6 +171,11 @@ isakmp_cfg_r(iph1, msg)
16 iph1->mode_cfg->last_msgid != packet->msgid )
17 iph1->mode_cfg->ivm =
18 isakmp_cfg_newiv(iph1, packet->msgid);
19+ if(iph1->mode_cfg->ivm == NULL) {
20+ plog(LLV_ERROR, LOCATION, NULL,
21+ "failed to create new IV\n");
22+ return;
23+ }
24 ivm = iph1->mode_cfg->ivm;
25
26 dmsg = oakley_do_decrypt(iph1, msg, ivm->iv, ivm->ive);
diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-pointers.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-pointers.patch
deleted file mode 100644
index de1bdb4077..0000000000
--- a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-pointers.patch
+++ /dev/null
@@ -1,61 +0,0 @@
1Subject: [PATCH] ipsec-tools: racoon: check several invalid pointers
2
3Upstream-Status: Pending
4
5Add checking for invalid pointers, or it will crash racoon.
6
7Signed-off-by: Ming Liu <ming.liu@windriver.com>
8---
9 ipsec_doi.c | 5 +++--
10 isakmp_cfg.c | 7 +++++++
11 isakmp_quick.c | 6 ++++--
12 3 files changed, 14 insertions(+), 4 deletions(-)
13
14diff -urpN a/src/racoon/ipsec_doi.c b/src/racoon/ipsec_doi.c
15--- a/src/racoon/ipsec_doi.c
16+++ b/src/racoon/ipsec_doi.c
17@@ -3374,8 +3374,9 @@ ipsecdoi_chkcmpids( idt, ids, exact )
18
19 /* handle wildcard IDs */
20
21- if (idt == NULL || ids == NULL)
22- {
23+ if (idt == NULL || ids == NULL ||
24+ idt->v == NULL || idt->l == 0 ||
25+ ids->v == NULL || ids->l == 0) {
26 if( !exact )
27 {
28 plog(LLV_DEBUG, LOCATION, NULL,
29diff -urpN a/src/racoon/isakmp_cfg.c b/src/racoon/isakmp_cfg.c
30--- a/src/racoon/isakmp_cfg.c
31+++ b/src/racoon/isakmp_cfg.c
32@@ -1138,6 +1138,13 @@ isakmp_cfg_newiv(iph1, msgid)
33 return NULL;
34 }
35
36+ if (iph1->ivm == NULL || iph1->ivm->iv == NULL ||
37+ iph1->ivm->iv->v == NULL || iph1->ivm->iv->l == 0) {
38+ plog(LLV_ERROR, LOCATION, NULL,
39+ "isakmp_cfg_newiv called with invalid IV management\n");
40+ return NULL;
41+ }
42+
43 if (ics->ivm != NULL)
44 oakley_delivm(ics->ivm);
45
46diff -urpN a/src/racoon/isakmp_quick.c b/src/racoon/isakmp_quick.c
47--- a/src/racoon/isakmp_quick.c
48+++ b/src/racoon/isakmp_quick.c
49@@ -2243,8 +2243,10 @@ get_proposal_r(iph2)
50 int error = ISAKMP_INTERNAL_ERROR;
51
52 /* check the existence of ID payload */
53- if ((iph2->id_p != NULL && iph2->id == NULL)
54- || (iph2->id_p == NULL && iph2->id != NULL)) {
55+ if ((iph2->id_p != NULL &&
56+ (iph2->id == NULL || iph2->id->v == NULL || iph2->id->l == 0)) ||
57+ (iph2->id != NULL &&
58+ (iph2->id_p == NULL || iph2->id_p->v == NULL || iph2->id_p->l == 0))) {
59 plog(LLV_ERROR, LOCATION, NULL,
60 "Both IDs wasn't found in payload.\n");
61 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.conf b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.conf
deleted file mode 100644
index 6b507508b1..0000000000
--- a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.conf
+++ /dev/null
@@ -1,8 +0,0 @@
1# Defaults for racoon service
2# sourced by racoon.service
3# installed at /etc/default/racoon by the maintainer scripts
4#
5# This is a POSIX shell fragment
6#
7# Arguments to pass to racoon
8RACOON_ARGS=""
diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.conf.sample b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.conf.sample
deleted file mode 100644
index 2948a4a35b..0000000000
--- a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.conf.sample
+++ /dev/null
@@ -1,40 +0,0 @@
1#
2# NOTE: This file will not be used if you use racoon-tool(8) to manage your
3# IPsec connections. racoon-tool will process racoon-tool.conf(5) and
4# generate a configuration (/var/lib/racoon/racoon.conf) and use it, instead
5# of this file.
6#
7# Simple racoon.conf
8#
9#
10# Please look in /usr/share/doc/racoon/examples for
11# examples that come with the source.
12#
13# Please read racoon.conf(5) for details, and alsoread setkey(8).
14#
15#
16# Also read the Linux IPSEC Howto up at
17# http://www.ipsec-howto.org/t1.html
18#
19log notify;
20path pre_shared_key "/etc/racoon/psk.txt";
21path certificate "/etc/racoon/certs";
22
23#remote 172.31.1.1 {
24# exchange_mode main,aggressive;
25# proposal {
26# encryption_algorithm 3des;
27# hash_algorithm sha1;
28# authentication_method pre_shared_key;
29# dh_group modp1024;
30# }
31# generate_policy off;
32#}
33#
34#sainfo address 192.168.203.10[any] any address 192.168.22.0/24[any] any {
35# pfs_group modp768;
36# encryption_algorithm 3des;
37# authentication_algorithm hmac_md5;
38# compression_algorithm deflate;
39#}
40
diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.service b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.service
deleted file mode 100644
index a10e770279..0000000000
--- a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.service
+++ /dev/null
@@ -1,11 +0,0 @@
1[Unit]
2Description=Racoon IKEv1 key management daemon for IPSEC
3After=syslog.target network.target
4
5[Service]
6Type=forking
7EnvironmentFile=-@SYSCONFDIR@/default/racoon
8ExecStart=@SBINDIR@/racoon $RACOON_ARGS
9
10[Install]
11WantedBy=multi-user.target
diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb b/meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb
deleted file mode 100644
index a6d473b594..0000000000
--- a/meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb
+++ /dev/null
@@ -1,98 +0,0 @@
1DESCRIPTION = "IPsec-Tools is a port of KAME's IPsec utilities to the \
2Linux-2.6 IPsec implementation."
3HOMEPAGE = "http://ipsec-tools.sourceforge.net/"
4SECTION = "net"
5LICENSE = "BSD"
6LIC_FILES_CHKSUM = "file://src/libipsec/pfkey.c;beginline=6;endline=31;md5=bc9b7ff40beff19fe6bc6aef26bd2b24"
7
8DEPENDS = "virtual/kernel openssl readline flex-native bison-native"
9
10PACKAGE_ARCH = "${MACHINE_ARCH}"
11
12SRC_URI = "http://ftp.netbsd.org/pub/NetBSD/misc/ipsec-tools/0.8/ipsec-tools-${PV}.tar.bz2 \
13 file://0002-Don-t-link-against-libfl.patch \
14 file://configure.patch \
15 file://0001-racoon-pfkey-avoid-potential-null-pointer-dereferenc.patch \
16 file://racoon-check-invalid-pointers.patch \
17 file://racoon-check-invalid-ivm.patch \
18 file://glibc-2.20.patch \
19 file://racoon-Resend-UPDATE-message-when-received-EINTR-message.patch \
20 file://racoon.conf.sample \
21 file://racoon.conf \
22 file://racoon.service \
23 file://fix-CVE-2015-4047.patch \
24 file://0001-Fix-build-with-clang.patch \
25 file://0001-Fix-header-issues-found-with-musl-libc.patch \
26 file://0002-cfparse-clear-memory-equal-to-size-of-array.patch \
27 file://fix-CVE-2016-10396.patch \
28 file://0001-Disable-gcc8-specific-warnings.patch \
29 file://0001-ipsec-tools-add-openssl-1.1-support.patch \
30 "
31SRC_URI[md5sum] = "d53ec14a0a3ece64e09e5e34b3350b41"
32SRC_URI[sha256sum] = "8eb6b38716e2f3a8a72f1f549c9444c2bc28d52c9536792690564c74fe722f2d"
33
34inherit autotools systemd
35
36# Options:
37# --enable-adminport enable admin port
38# --enable-rc5 enable RC5 encryption (patented)
39# --enable-idea enable IDEA encryption (patented)
40# --enable-gssapi enable GSS-API authentication
41# --enable-hybrid enable hybrid, both mode-cfg and xauth support
42# --enable-frag enable IKE fragmentation payload support
43# --enable-stats enable statistics logging function
44# --enable-dpd enable dead peer detection
45# --enable-samode-unspec enable to use unspecified a mode of SA
46# --disable-ipv6 disable ipv6 support
47# --enable-natt enable NAT-Traversal (yes/no/kernel)
48# --enable-natt-versions=list list of supported NAT-T versions delimited by coma.
49# --with-kernel-headers=/lib/modules/<uname>/build/include
50# where your Linux Kernel headers are installed
51# --with-readline support readline input (yes by default)
52# --with-flex use directiory (default: no)
53# --with-flexlib=<LIB> specify flex library.
54# --with-openssl=DIR specify OpenSSL directory
55# --with-libradius=DIR specify libradius path (like/usr/pkg)
56# --with-libpam=DIR specify libpam path (like/usr/pkg)
57#
58# Note: if you give it the actual kernel headers it won't build, it actually
59# needs to point at the linux-libc-headers version of the kernel headers.
60#
61EXTRA_OECONF = "--with-kernel-headers=${STAGING_INCDIR} \
62 --with-readline \
63 --with-openssl=${STAGING_LIBDIR}/.. \
64 --without-libradius \
65 --disable-security-context \
66 --enable-shared \
67 --enable-dpd \
68 --enable-natt=yes \
69 --sysconfdir=${sysconfdir}/racoon \
70 ${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', '--enable-ipv6=yes', '', d)}"
71
72# See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530527
73CFLAGS += "-fno-strict-aliasing"
74
75PACKAGECONFIG ??= ""
76PACKAGECONFIG[pam] = "--with-libpam,--without-libpam,libpam,"
77PACKAGECONFIG[selinux] = "--enable-security-context,--disable-security-context,libselinux,"
78
79SYSTEMD_SERVICE_${PN} = "racoon.service"
80
81do_install_append() {
82 install -d ${D}${sysconfdir}/racoon
83 install -m 0644 ${WORKDIR}/racoon.conf.sample ${D}${sysconfdir}/racoon/racoon.conf
84
85 if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
86 install -d ${D}${systemd_unitdir}/system
87 install -m 0644 ${WORKDIR}/racoon.service ${D}${systemd_unitdir}/system
88
89 sed -i -e 's#@SYSCONFDIR@#${sysconfdir}#g' ${D}${systemd_unitdir}/system/racoon.service
90 sed -i -e 's#@SBINDIR@#${sbindir}#g' ${D}${systemd_unitdir}/system/racoon.service
91
92 install -d ${D}${sysconfdir}/default/
93 install -m 0644 ${WORKDIR}/racoon.conf ${D}${sysconfdir}/default/racoon
94 fi
95}
96
97FILES_${PN} += "${sysconfdir}/racoon/racoon.conf \
98 ${sysconfdir}/default/racoon"