From patchwork Fri Nov 13 22:44:08 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Fabrice Fontaine X-Patchwork-Id: 1400171 Return-Path: X-Original-To: incoming-buildroot@patchwork.ozlabs.org Delivered-To: patchwork-incoming-buildroot@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=busybox.net (client-ip=140.211.166.133; helo=hemlock.osuosl.org; envelope-from=buildroot-bounces@busybox.net; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20161025 header.b=TyEsr9B5; dkim-atps=neutral Received: from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4CXtnd5t3Lz9sPB for ; Sat, 14 Nov 2020 09:44:37 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by hemlock.osuosl.org (Postfix) with ESMTP id 237BB879B9; Fri, 13 Nov 2020 22:44:36 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from hemlock.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A0M3owBH4W-T; Fri, 13 Nov 2020 22:44:32 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by hemlock.osuosl.org (Postfix) with ESMTP id 35016879BF; Fri, 13 Nov 2020 22:44:32 +0000 (UTC) X-Original-To: buildroot@lists.busybox.net Delivered-To: buildroot@osuosl.org Received: from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133]) by ash.osuosl.org (Postfix) with ESMTP id 99EC11BF38B for ; Fri, 13 Nov 2020 22:44:30 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by hemlock.osuosl.org (Postfix) with ESMTP id 8B60A879BF for ; Fri, 13 Nov 2020 22:44:30 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from hemlock.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x0a4A1M-WLMK for ; Fri, 13 Nov 2020 22:44:27 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mail-wm1-f44.google.com (mail-wm1-f44.google.com [209.85.128.44]) by hemlock.osuosl.org (Postfix) with ESMTPS id 6BE75879B9 for ; Fri, 13 Nov 2020 22:44:26 +0000 (UTC) Received: by mail-wm1-f44.google.com with SMTP id c16so12372687wmd.2 for ; Fri, 13 Nov 2020 14:44:26 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=LVV2sBZF+/nYxG6d4p8qGxjlhKzuLfZHF7L/yfx0Rmg=; b=TyEsr9B59F6lvOzskmqBiMbtA8lS6GCmz1Yip8rwRB9vsjvIdWTAdSN3wQjXzDrv13 cRwFJFCy2CM9+fVrnBSgB3zC10iZvuAzxmgk/z92tx5MzM05WBlBz9di826JXN3FFPOn hyrkaUQRKv0Eo7XNjBpRcslpeiDZHAwOpkrV5Q86GV2T/SQVtHWK9sMC0nygJyRRt3Zv 2QloyBjjfjLRXnVAAyIDKPck+LmJ8indk1GJm3zuKZOTO9AnK1K7LWuhfKCWtq/NFTwk xjUQpqAdcQY4fCoL3KumrVAfzaIsFm5bTsl3J31io3nDV6Z6zX+zIL+y3pnZOKYatoHw 2weQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=LVV2sBZF+/nYxG6d4p8qGxjlhKzuLfZHF7L/yfx0Rmg=; b=BowHkPsnT3OzNM4izC15bb8Ugz6NSJXzVzLeF5zf//ClpwwUsut8ND+uXwC9S/bbAB hLjLatXeNaKQVYQ2WkvEB3nO78W0hyvGj576ikliB7OAhodnsbza/NtL6yAgz0etR7z+ dFzJ3KdW/a+Lk+k3qEre8bwsie3a1yuN1yDEoR+1Jwh2l9+jksNsfTk20nOi/GRIVHC5 nl9aFp3wvZMoFQg0D87P2ZYJiQHJ90jelxwD3KR81tPaP48xhdwiZ1UpnEjoQEn4ayzp SquwmRcZPL9WSAcF8JkTaaDfDkdF016ZjNa4WNsCazL4pKT1w0BvtyZlcBfHwUImnNfV JnwQ== X-Gm-Message-State: AOAM533PN0EmjpvYXlHbJumOHjocWDZCkCSN7EGxp4RTRP9lsIr1tcd3 oD/jqQGJfQ+XBUshaxYGEXMTYlHy/DqhuA== X-Google-Smtp-Source: ABdhPJyv5eokMMNvJGylx8RG9hDDPAPRuhRn085XdnHyXhnG4z/TTDj+jK1tNMx1WORS1R48tc8WkA== X-Received: by 2002:a1c:a752:: with SMTP id q79mr4499885wme.24.1605307463351; Fri, 13 Nov 2020 14:44:23 -0800 (PST) Received: from kali.home (2a01cb0881b76d00c2afd0dfa851d2b9.ipv6.abo.wanadoo.fr. [2a01:cb08:81b7:6d00:c2af:d0df:a851:d2b9]) by smtp.gmail.com with ESMTPSA id 89sm12794445wrp.58.2020.11.13.14.44.22 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 13 Nov 2020 14:44:22 -0800 (PST) From: Fabrice Fontaine To: buildroot@buildroot.org Date: Fri, 13 Nov 2020 23:44:08 +0100 Message-Id: <20201113224408.1246899-1-fontaine.fabrice@gmail.com> X-Mailer: git-send-email 2.28.0 MIME-Version: 1.0 Subject: [Buildroot] [PATCH 1/1] package/ipsec-tools: drop package X-BeenThere: buildroot@busybox.net X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Fabrice Fontaine Errors-To: buildroot-bounces@busybox.net Sender: "buildroot" Extract from http://ipsec-tools.sourceforge.net: "The development of ipsec-tools has been ABANDONED. ipsec-tools has security issues, and you should not use it. Please switch to a secure alternative!" Signed-off-by: Fabrice Fontaine --- Config.in.legacy | 7 + package/Config.in | 1 - package/ipsec-tools/0001-susv3-legacy.patch | 35 - .../ipsec-tools/0002-configure-automake.patch | 21 - .../0003-Don-t-link-against-libfl.patch | 92 -- package/ipsec-tools/0004-CVE-2015-4047.patch | 26 - package/ipsec-tools/0005-CVE-2016-10396.patch | 208 ---- package/ipsec-tools/0006-openssl-1.1.patch | 1104 ----------------- package/ipsec-tools/Config.in | 75 -- package/ipsec-tools/ipsec-tools.hash | 6 - package/ipsec-tools/ipsec-tools.mk | 85 -- 11 files changed, 7 insertions(+), 1653 deletions(-) delete mode 100644 package/ipsec-tools/0001-susv3-legacy.patch delete mode 100644 package/ipsec-tools/0002-configure-automake.patch delete mode 100644 package/ipsec-tools/0003-Don-t-link-against-libfl.patch delete mode 100644 package/ipsec-tools/0004-CVE-2015-4047.patch delete mode 100644 package/ipsec-tools/0005-CVE-2016-10396.patch delete mode 100644 package/ipsec-tools/0006-openssl-1.1.patch delete mode 100644 package/ipsec-tools/Config.in delete mode 100644 package/ipsec-tools/ipsec-tools.hash delete mode 100644 package/ipsec-tools/ipsec-tools.mk diff --git a/Config.in.legacy b/Config.in.legacy index 9eb18907dd..4ab766b751 100644 --- a/Config.in.legacy +++ b/Config.in.legacy @@ -146,6 +146,13 @@ endif comment "Legacy options removed in 2020.11" +config BR2_PACKAGE_IPSEC_TOOLS + bool "ipsec-tools package was removed" + select BR2_LEGACY + help + This package has been removed as it has security issues and + has been abandoned since 2014. + config BR2_PACKAGE_OPENCV bool "opencv package was removed" select BR2_LEGACY diff --git a/package/Config.in b/package/Config.in index 016a99ed1a..c7cfa44ffd 100644 --- a/package/Config.in +++ b/package/Config.in @@ -2111,7 +2111,6 @@ menu "Networking applications" source "package/iperf/Config.in" source "package/iperf3/Config.in" source "package/iproute2/Config.in" - source "package/ipsec-tools/Config.in" source "package/ipset/Config.in" source "package/iptables/Config.in" source "package/iptraf-ng/Config.in" diff --git a/package/ipsec-tools/0001-susv3-legacy.patch b/package/ipsec-tools/0001-susv3-legacy.patch deleted file mode 100644 index ea98505622..0000000000 --- a/package/ipsec-tools/0001-susv3-legacy.patch +++ /dev/null @@ -1,35 +0,0 @@ -Replaces sysv3 legacy functions with modern equivalents. - -Signed-off-by: Julien Boibessot -Index: ipsec-tools-0.7.3/src/racoon/pfkey.c -=================================================================== ---- ipsec-tools-0.7.3.orig/src/racoon/pfkey.c 2010-07-12 14:46:52.000000000 +0200 -+++ ipsec-tools-0.7.3/src/racoon/pfkey.c 2010-07-12 15:01:39.000000000 +0200 -@@ -3008,12 +3008,12 @@ - struct sockaddr *paddr; - - paddr = (struct sockaddr *)(xisr + 1); -- bcopy(paddr, &(*p_isr)->saidx.src, -+ memmove(&(*p_isr)->saidx.src, paddr, - sysdep_sa_len(paddr)); - - paddr = (struct sockaddr *)((caddr_t)paddr - + sysdep_sa_len(paddr)); -- bcopy(paddr, &(*p_isr)->saidx.dst, -+ memmove(&(*p_isr)->saidx.dst, paddr, - sysdep_sa_len(paddr)); - } - -Index: ipsec-tools-0.7.3/src/racoon/racoonctl.c -=================================================================== ---- ipsec-tools-0.7.3.orig/src/racoon/racoonctl.c 2010-07-12 14:49:51.000000000 +0200 -+++ ipsec-tools-0.7.3/src/racoon/racoonctl.c 2010-07-12 15:00:52.000000000 +0200 -@@ -785,7 +785,7 @@ - errx(1, "cannot read source address"); - - /* We get "ip[port]" strip the port */ -- if ((idx = index(srcaddr, '[')) == NULL) -+ if ((idx = strchr(srcaddr, '[')) == NULL) - errx(1, "unexpected source address format"); - *idx = '\0'; - diff --git a/package/ipsec-tools/0002-configure-automake.patch b/package/ipsec-tools/0002-configure-automake.patch deleted file mode 100644 index a006516f20..0000000000 --- a/package/ipsec-tools/0002-configure-automake.patch +++ /dev/null @@ -1,21 +0,0 @@ -Needed to fix broken autoreconf - -Downloaded from -https://sources.debian.net/src/ipsec-tools/1:0.8.2%2B20140711-8/debian/patches/automake-options/ - -Signed-off-by: Bernd Kuhls - -Index: pkg-ipsec-tools/configure.ac -=================================================================== ---- pkg-ipsec-tools.orig/configure.ac 2014-06-28 17:25:22.000000000 +0200 -+++ pkg-ipsec-tools/configure.ac 2014-06-28 17:28:13.818373322 +0200 -@@ -6,7 +6,8 @@ AC_INIT(ipsec-tools, 0.8.2) - AC_CONFIG_SRCDIR([configure.ac]) - AC_CONFIG_HEADERS(config.h) - --AM_INIT_AUTOMAKE(dist-bzip2) -+AC_CONFIG_MACRO_DIR([.]) -+AM_INIT_AUTOMAKE([dist-bzip2 foreign serial-tests]) - - AC_ENABLE_SHARED(no) - diff --git a/package/ipsec-tools/0003-Don-t-link-against-libfl.patch b/package/ipsec-tools/0003-Don-t-link-against-libfl.patch deleted file mode 100644 index 4fa0a02d52..0000000000 --- a/package/ipsec-tools/0003-Don-t-link-against-libfl.patch +++ /dev/null @@ -1,92 +0,0 @@ -From e48b9097dce7bc2bfbb9e9c542124d3b5cebab39 Mon Sep 17 00:00:00 2001 -From: Paul Barker -Date: Wed, 5 Mar 2014 13:39:14 +0000 -Subject: [PATCH] Don't link against libfl - -We can remove all references to yywrap by adding "%option noyywrap" statements -to each flex source file that doesn't override yywrap. After this, we no longer -need to link against libfl and so no longer get errors about undefined -references to yylex. - -Signed-off-by: Paul Barker -Upstream-status: Submitted 2014-03-11 - see http://sourceforge.net/p/ipsec-tools/mailman/ipsec-tools-devel/thread/CANyK_8ewmxGA3vBVJW6s1APXPmxPR%2BDFWZ61EL8pCt288aKQ6w%40mail.gmail.com/#msg32088797 - -Downloaded from -http://cgit.openembedded.org/meta-openembedded/tree/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-Don-t-link-against-libfl.patch - -Signed-off-by: Bernd Kuhls ---- - src/libipsec/Makefile.am | 1 - - src/racoon/Makefile.am | 2 +- - src/racoon/cftoken.l | 2 ++ - src/setkey/Makefile.am | 1 - - src/setkey/token.l | 2 ++ - 5 files changed, 5 insertions(+), 3 deletions(-) - -diff --git a/src/libipsec/Makefile.am b/src/libipsec/Makefile.am -index 6a4e3b3..df1e106 100644 ---- a/src/libipsec/Makefile.am -+++ b/src/libipsec/Makefile.am -@@ -26,7 +26,6 @@ libipsec_la_SOURCES = \ - # version is current:revision:age. - # See: http://www.gnu.org/manual/libtool-1.4.2/html_chapter/libtool_6.html#SEC32 - libipsec_la_LDFLAGS = -version-info 0:1:0 --libipsec_la_LIBADD = $(LEXLIB) - - noinst_HEADERS = ipsec_strerror.h - -diff --git a/src/racoon/Makefile.am b/src/racoon/Makefile.am -index dbaded9..0662957 100644 ---- a/src/racoon/Makefile.am -+++ b/src/racoon/Makefile.am -@@ -38,7 +38,7 @@ racoon_SOURCES = \ - cftoken.l cfparse.y prsa_tok.l prsa_par.y - EXTRA_racoon_SOURCES = isakmp_xauth.c isakmp_cfg.c isakmp_unity.c throttle.c \ - isakmp_frag.c nattraversal.c security.c $(MISSING_ALGOS) --racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(LEXLIB) \ -+racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) \ - $(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la - racoon_DEPENDENCIES = \ - $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(SECCTX_OBJS) \ -diff --git a/src/racoon/cftoken.l b/src/racoon/cftoken.l -index 490242c..1701922 100644 ---- a/src/racoon/cftoken.l -+++ b/src/racoon/cftoken.l -@@ -106,6 +106,8 @@ static int incstackp = 0; - static int yy_first_time = 1; - %} - -+%option noyywrap -+ - /* common seciton */ - nl \n - ws [ \t]+ -diff --git a/src/setkey/Makefile.am b/src/setkey/Makefile.am -index 746c1f1..389e6cf 100644 ---- a/src/setkey/Makefile.am -+++ b/src/setkey/Makefile.am -@@ -13,7 +13,6 @@ setkey_SOURCES = \ - - setkey_LDFLAGS = ../libipsec/libipsec.la - setkey_DEPENDENCIES = ../libipsec/libipsec.la --setkey_LDADD = $(LEXLIB) - - noinst_HEADERS = vchar.h extern.h - man8_MANS = setkey.8 -diff --git a/src/setkey/token.l b/src/setkey/token.l -index ad3d843..eb23b76 100644 ---- a/src/setkey/token.l -+++ b/src/setkey/token.l -@@ -88,6 +88,8 @@ - #endif - %} - -+%option noyywrap -+ - /* common section */ - nl \n - ws [ \t]+ --- -1.9.0 - diff --git a/package/ipsec-tools/0004-CVE-2015-4047.patch b/package/ipsec-tools/0004-CVE-2015-4047.patch deleted file mode 100644 index f53fe5cc11..0000000000 --- a/package/ipsec-tools/0004-CVE-2015-4047.patch +++ /dev/null @@ -1,26 +0,0 @@ -ipsec-tools: CVE-2015-4047: null pointer dereference crash in racoon - -See: https://bugs.gentoo.org/show_bug.cgi?id=550118 - -Downloaded from -https://gitweb.gentoo.org/repo/gentoo.git/tree/net-vpn/ipsec-tools/files/ipsec-tools-CVE-2015-4047.patch - -See also -https://sources.debian.net/src/ipsec-tools/1:0.8.2%2B20140711-8/debian/patches/bug785778-null-pointer-deref.patch/ - -Signed-off-by: Bernd Kuhls - ---- ./src/racoon/gssapi.c 9 Sep 2006 16:22:09 -0000 1.4 -+++ ./src/racoon/gssapi.c 19 May 2015 15:16:00 -0000 1.6 -@@ -192,6 +192,11 @@ - gss_name_t princ, canon_princ; - OM_uint32 maj_stat, min_stat; - -+ if (iph1->rmconf == NULL) { -+ plog(LLV_ERROR, LOCATION, NULL, "no remote config\n"); -+ return -1; -+ } -+ - gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state)); - if (gps == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n"); diff --git a/package/ipsec-tools/0005-CVE-2016-10396.patch b/package/ipsec-tools/0005-CVE-2016-10396.patch deleted file mode 100644 index 8ef3b03753..0000000000 --- a/package/ipsec-tools/0005-CVE-2016-10396.patch +++ /dev/null @@ -1,208 +0,0 @@ -Fix CVE-2016-10396 - -Description: Fix remotely exploitable DoS. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396 -Source: vendor; https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682 -Bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986 - -Downloaded from -https://github.com/openwrt/packages/blob/master/net/ipsec-tools/patches/010-CVE-2016-10396.patch - -Signed-off-by: Bernd Kuhls - -Index: ipsec-tools-0.8.2/src/racoon/isakmp_frag.c -=================================================================== ---- ipsec-tools-0.8.2.orig/src/racoon/isakmp_frag.c -+++ ipsec-tools-0.8.2/src/racoon/isakmp_frag.c -@@ -1,4 +1,4 @@ --/* $NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $ */ -+/* $NetBSD: isakmp_frag.c,v 1.5.36.1 2017/04/21 16:50:42 bouyer Exp $ */ - - /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */ - -@@ -173,6 +173,43 @@ vendorid_frag_cap(gen) - return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]); - } - -+static int -+isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item) -+{ -+ struct isakmp_frag_item *pitem = NULL; -+ struct isakmp_frag_item *citem = iph1->frag_chain; -+ -+ /* no frag yet, just insert at beginning of list */ -+ if (iph1->frag_chain == NULL) { -+ iph1->frag_chain = item; -+ return 0; -+ } -+ -+ do { -+ /* duplicate fragment number, abort (CVE-2016-10396) */ -+ if (citem->frag_num == item->frag_num) -+ return -1; -+ -+ /* need to insert before current item */ -+ if (citem->frag_num > item->frag_num) { -+ if (pitem != NULL) -+ pitem->frag_next = item; -+ else -+ /* insert at the beginning of the list */ -+ iph1->frag_chain = item; -+ item->frag_next = citem; -+ return 0; -+ } -+ -+ pitem = citem; -+ citem = citem->frag_next; -+ } while (citem != NULL); -+ -+ /* we reached the end of the list, insert */ -+ pitem->frag_next = item; -+ return 0; -+} -+ - int - isakmp_frag_extract(iph1, msg) - struct ph1handle *iph1; -@@ -224,39 +261,43 @@ isakmp_frag_extract(iph1, msg) - item->frag_next = NULL; - item->frag_packet = buf; - -- /* Look for the last frag while inserting the new item in the chain */ -- if (item->frag_last) -- last_frag = item->frag_num; -+ /* Check for the last frag before inserting the new item in the chain */ -+ if (item->frag_last) { -+ /* if we have the last fragment, indices must match */ -+ if (iph1->frag_last_index != 0 && -+ item->frag_last != iph1->frag_last_index) { -+ plog(LLV_ERROR, LOCATION, NULL, -+ "Repeated last fragment index mismatch\n"); -+ racoon_free(item); -+ vfree(buf); -+ return -1; -+ } - -- if (iph1->frag_chain == NULL) { -- iph1->frag_chain = item; -- } else { -- struct isakmp_frag_item *current; -+ last_frag = iph1->frag_last_index = item->frag_num; -+ } - -- current = iph1->frag_chain; -- while (current->frag_next) { -- if (current->frag_last) -- last_frag = item->frag_num; -- current = current->frag_next; -- } -- current->frag_next = item; -+ /* insert fragment into chain */ -+ if (isakmp_frag_insert(iph1, item) == -1) { -+ plog(LLV_ERROR, LOCATION, NULL, -+ "Repeated fragment index mismatch\n"); -+ racoon_free(item); -+ vfree(buf); -+ return -1; - } - -- /* If we saw the last frag, check if the chain is complete */ -+ /* If we saw the last frag, check if the chain is complete -+ * we have a sorted list now, so just walk through */ - if (last_frag != 0) { -+ item = iph1->frag_chain; - for (i = 1; i <= last_frag; i++) { -- item = iph1->frag_chain; -- do { -- if (item->frag_num == i) -- break; -- item = item->frag_next; -- } while (item != NULL); -- -+ if (item->frag_num != i) -+ break; -+ item = item->frag_next; - if (item == NULL) /* Not found */ - break; - } - -- if (item != NULL) /* It is complete */ -+ if (i > last_frag) /* It is complete */ - return 1; - } - -@@ -291,15 +332,9 @@ isakmp_frag_reassembly(iph1) - } - data = buf->v; - -+ item = iph1->frag_chain; - for (i = 1; i <= frag_count; i++) { -- item = iph1->frag_chain; -- do { -- if (item->frag_num == i) -- break; -- item = item->frag_next; -- } while (item != NULL); -- -- if (item == NULL) { -+ if (item->frag_num != i) { - plog(LLV_ERROR, LOCATION, NULL, - "Missing fragment #%d\n", i); - vfree(buf); -@@ -308,6 +343,7 @@ isakmp_frag_reassembly(iph1) - } - memcpy(data, item->frag_packet->v, item->frag_packet->l); - data += item->frag_packet->l; -+ item = item->frag_next; - } - - out: -Index: ipsec-tools-0.8.2/src/racoon/isakmp_inf.c -=================================================================== ---- ipsec-tools-0.8.2.orig/src/racoon/isakmp_inf.c -+++ ipsec-tools-0.8.2/src/racoon/isakmp_inf.c -@@ -720,6 +720,7 @@ isakmp_info_send_nx(isakmp, remote, loca - #endif - #ifdef ENABLE_FRAG - iph1->frag = 0; -+ iph1->frag_last_index = 0; - iph1->frag_chain = NULL; - #endif - -Index: ipsec-tools-0.8.2/src/racoon/isakmp.c -=================================================================== ---- ipsec-tools-0.8.2.orig/src/racoon/isakmp.c -+++ ipsec-tools-0.8.2/src/racoon/isakmp.c -@@ -1071,6 +1071,7 @@ isakmp_ph1begin_i(rmconf, remote, local) - iph1->frag = 1; - else - iph1->frag = 0; -+ iph1->frag_last_index = 0; - iph1->frag_chain = NULL; - #endif - iph1->approval = NULL; -@@ -1175,6 +1176,7 @@ isakmp_ph1begin_r(msg, remote, local, et - #endif - #ifdef ENABLE_FRAG - iph1->frag = 0; -+ iph1->frag_last_index = 0; - iph1->frag_chain = NULL; - #endif - iph1->approval = NULL; -Index: ipsec-tools-0.8.2/src/racoon/handler.h -=================================================================== ---- ipsec-tools-0.8.2.orig/src/racoon/handler.h -+++ ipsec-tools-0.8.2/src/racoon/handler.h -@@ -1,4 +1,4 @@ --/* $NetBSD: handler.h,v 1.25 2010/11/17 10:40:41 tteras Exp $ */ -+/* $NetBSD: handler.h,v 1.26 2017/01/24 19:23:56 christos Exp $ */ - - /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */ - -@@ -141,6 +141,7 @@ struct ph1handle { - #endif - #ifdef ENABLE_FRAG - int frag; /* IKE phase 1 fragmentation */ -+ int frag_last_index; - struct isakmp_frag_item *frag_chain; /* Received fragments */ - #endif - diff --git a/package/ipsec-tools/0006-openssl-1.1.patch b/package/ipsec-tools/0006-openssl-1.1.patch deleted file mode 100644 index 39a7da988d..0000000000 --- a/package/ipsec-tools/0006-openssl-1.1.patch +++ /dev/null @@ -1,1104 +0,0 @@ -From 071fec7181255b9234add44865a435dfdefee520 Mon Sep 17 00:00:00 2001 -In-Reply-To: <20180528120513.560-1-cote2004-github@yahoo.com> -References: <20180528120513.560-1-cote2004-github@yahoo.com> -From: Eneas U de Queiroz -Date: Wed, 30 May 2018 15:42:20 -0300 -Subject: [PATCH] ipsec-tools: add openssl 1.1 support -To: equeiroz@troianet.com.br - -This patch updates the calls to openssl 1.1 API, and adds a -compatibility layer so it compiles with (at least) openssl 1.0.2, I -haven't tested it with lower versions, but all that's needed is to edit -the openssl_compat.* files and add the missing functions there--they're -usually trivial. - -Signed-off-by: Eneas U de Queiroz - -Downloaded from -https://github.com/openwrt/packages/blob/master/net/ipsec-tools/patches/015-openssl-1.1.patch - -Patch was sent upstream: -https://sourceforge.net/p/ipsec-tools/mailman/ipsec-tools-devel/thread/20180528120513.560-1-cote2004-github%40yahoo.com/#msg36327963 - -Signed-off-by: Bernd Kuhls ---- - src/racoon/Makefile.am | 10 +-- - src/racoon/algorithm.c | 6 +- - src/racoon/cfparse.y | 2 +- - src/racoon/crypto_openssl.c | 197 +++++++++++++++++++++------------------- - src/racoon/crypto_openssl.h | 2 +- - src/racoon/eaytest.c | 7 +- - src/racoon/ipsec_doi.c | 2 +- - src/racoon/openssl_compat.c | 213 ++++++++++++++++++++++++++++++++++++++++++++ - src/racoon/openssl_compat.h | 45 ++++++++++ - src/racoon/plainrsa-gen.c | 41 +++++---- - src/racoon/prsa_par.y | 28 ++++-- - src/racoon/rsalist.c | 5 +- - 12 files changed, 431 insertions(+), 127 deletions(-) - create mode 100644 src/racoon/openssl_compat.c - create mode 100644 src/racoon/openssl_compat.h - -diff --git a/src/racoon/Makefile.am b/src/racoon/Makefile.am -index dbaded9..4c585f3 100644 ---- a/src/racoon/Makefile.am -+++ b/src/racoon/Makefile.am -@@ -4,7 +4,7 @@ sbin_PROGRAMS = racoon racoonctl plainrsa-gen - noinst_PROGRAMS = eaytest - include_racoon_HEADERS = racoonctl.h var.h vmbuf.h misc.h gcmalloc.h admin.h \ - schedule.h sockmisc.h isakmp_var.h isakmp.h isakmp_xauth.h \ -- isakmp_cfg.h isakmp_unity.h ipsec_doi.h evt.h -+ isakmp_cfg.h isakmp_unity.h ipsec_doi.h evt.h openssl_compat.h - lib_LTLIBRARIES = libracoon.la - - adminsockdir=${localstatedir}/racoon -@@ -32,7 +32,7 @@ racoon_SOURCES = \ - gssapi.c dnssec.c getcertsbyname.c privsep.c \ - pfkey.c admin.c evt.c ipsec_doi.c oakley.c grabmyaddr.c vendorid.c \ - policy.c localconf.c remoteconf.c crypto_openssl.c algorithm.c \ -- proposal.c sainfo.c strnames.c \ -+ openssl_compat.c proposal.c sainfo.c strnames.c \ - plog.c logger.c schedule.c str2val.c \ - safefile.c backupsa.c genlist.c rsalist.c \ - cftoken.l cfparse.y prsa_tok.l prsa_par.y -@@ -51,12 +51,12 @@ libracoon_la_SOURCES = kmpstat.c vmbuf.c sockmisc.c misc.c - libracoon_la_CFLAGS = -DNOUSE_PRIVSEP $(AM_CFLAGS) - - plainrsa_gen_SOURCES = plainrsa-gen.c plog.c \ -- crypto_openssl.c logger.c -+ crypto_openssl.c logger.c openssl_compat.c - EXTRA_plainrsa_gen_SOURCES = $(MISSING_ALGOS) - plainrsa_gen_LDADD = $(CRYPTOBJS) vmbuf.o misc.o - plainrsa_gen_DEPENDENCIES = $(CRYPTOBJS) vmbuf.o misc.o - --eaytest_SOURCES = eaytest.c plog.c logger.c -+eaytest_SOURCES = eaytest.c plog.c logger.c openssl_compat.c - EXTRA_eaytest_SOURCES = missing/crypto/sha2/sha2.c - eaytest_LDADD = crypto_openssl_test.o vmbuf.o str2val.o misc_noplog.o \ - $(CRYPTOBJS) -@@ -75,7 +75,7 @@ noinst_HEADERS = \ - debugrm.h isakmp.h misc.h sainfo.h \ - dhgroup.h isakmp_agg.h netdb_dnssec.h schedule.h \ - isakmp_cfg.h isakmp_xauth.h isakmp_unity.h isakmp_frag.h \ -- throttle.h privsep.h \ -+ throttle.h privsep.h openssl_compat.h \ - cfparse_proto.h cftoken_proto.h genlist.h rsalist.h \ - missing/crypto/sha2/sha2.h missing/crypto/rijndael/rijndael_local.h \ - missing/crypto/rijndael/rijndael-api-fst.h \ -diff --git a/src/racoon/algorithm.c b/src/racoon/algorithm.c -index 3fd50f6..66c874b 100644 ---- a/src/racoon/algorithm.c -+++ b/src/racoon/algorithm.c -@@ -128,7 +128,7 @@ static struct enc_algorithm oakley_encdef[] = { - { "aes", algtype_aes, OAKLEY_ATTR_ENC_ALG_AES, 16, - eay_aes_encrypt, eay_aes_decrypt, - eay_aes_weakkey, eay_aes_keylen, }, --#ifdef HAVE_OPENSSL_CAMELLIA_H -+#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA) - { "camellia", algtype_camellia, OAKLEY_ATTR_ENC_ALG_CAMELLIA, 16, - eay_camellia_encrypt, eay_camellia_decrypt, - eay_camellia_weakkey, eay_camellia_keylen, }, -@@ -168,7 +168,7 @@ static struct enc_algorithm ipsec_encdef[] = { - { "twofish", algtype_twofish, IPSECDOI_ESP_TWOFISH, 16, - NULL, NULL, - NULL, eay_twofish_keylen, }, --#ifdef HAVE_OPENSSL_IDEA_H -+#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA) - { "3idea", algtype_3idea, IPSECDOI_ESP_3IDEA, 8, - NULL, NULL, - NULL, NULL, }, -@@ -179,7 +179,7 @@ static struct enc_algorithm ipsec_encdef[] = { - { "rc4", algtype_rc4, IPSECDOI_ESP_RC4, 8, - NULL, NULL, - NULL, NULL, }, --#ifdef HAVE_OPENSSL_CAMELLIA_H -+#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA) - { "camellia", algtype_camellia, IPSECDOI_ESP_CAMELLIA, 16, - NULL, NULL, - NULL, eay_camellia_keylen, }, -diff --git a/src/racoon/cfparse.y b/src/racoon/cfparse.y -index 0d9bd67..8415752 100644 ---- a/src/racoon/cfparse.y -+++ b/src/racoon/cfparse.y -@@ -2564,7 +2564,7 @@ set_isakmp_proposal(rmconf) - plog(LLV_DEBUG2, LOCATION, NULL, - "encklen=%d\n", s->encklen); - -- memset(types, 0, ARRAYLEN(types)); -+ memset(types, 0, sizeof types); - types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc]; - types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash]; - types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh]; -diff --git a/src/racoon/crypto_openssl.c b/src/racoon/crypto_openssl.c -index 55b076a..8fb358f 100644 ---- a/src/racoon/crypto_openssl.c -+++ b/src/racoon/crypto_openssl.c -@@ -90,6 +90,7 @@ - #endif - #endif - #include "plog.h" -+#include "openssl_compat.h" - - #define USE_NEW_DES_API - -@@ -316,9 +317,12 @@ eay_cmp_asn1dn(n1, n2) - i = idx+1; - goto end; - } -- if ((ea->value->length == 1 && ea->value->data[0] == '*') || -- (eb->value->length == 1 && eb->value->data[0] == '*')) { -- if (OBJ_cmp(ea->object,eb->object)) { -+ ASN1_STRING *sa = X509_NAME_ENTRY_get_data(ea); -+ ASN1_STRING *sb = X509_NAME_ENTRY_get_data(eb); -+ if ((ASN1_STRING_length(sa) == 1 && ASN1_STRING_get0_data(sa)[0] == '*') || -+ (ASN1_STRING_length(sb) == 1 && ASN1_STRING_get0_data(sb)[0] == '*')) { -+ if (OBJ_cmp(X509_NAME_ENTRY_get_object(ea), -+ X509_NAME_ENTRY_get_object(eb))) { - i = idx+1; - goto end; - } -@@ -430,7 +434,7 @@ cb_check_cert_local(ok, ctx) - - if (!ok) { - X509_NAME_oneline( -- X509_get_subject_name(ctx->current_cert), -+ X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)), - buf, - 256); - /* -@@ -438,7 +442,8 @@ cb_check_cert_local(ok, ctx) - * ok if they are self signed. But we should still warn - * the user. - */ -- switch (ctx->error) { -+ int ctx_error = X509_STORE_CTX_get_error(ctx); -+ switch (ctx_error) { - case X509_V_ERR_CERT_HAS_EXPIRED: - case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: - case X509_V_ERR_INVALID_CA: -@@ -453,9 +458,9 @@ cb_check_cert_local(ok, ctx) - } - plog(log_tag, LOCATION, NULL, - "%s(%d) at depth:%d SubjectName:%s\n", -- X509_verify_cert_error_string(ctx->error), -- ctx->error, -- ctx->error_depth, -+ X509_verify_cert_error_string(ctx_error), -+ ctx_error, -+ X509_STORE_CTX_get_error_depth(ctx), - buf); - } - ERR_clear_error(); -@@ -477,10 +482,11 @@ cb_check_cert_remote(ok, ctx) - - if (!ok) { - X509_NAME_oneline( -- X509_get_subject_name(ctx->current_cert), -+ X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)), - buf, - 256); -- switch (ctx->error) { -+ int ctx_error=X509_STORE_CTX_get_error(ctx); -+ switch (ctx_error) { - case X509_V_ERR_UNABLE_TO_GET_CRL: - ok = 1; - log_tag = LLV_WARNING; -@@ -490,9 +496,9 @@ cb_check_cert_remote(ok, ctx) - } - plog(log_tag, LOCATION, NULL, - "%s(%d) at depth:%d SubjectName:%s\n", -- X509_verify_cert_error_string(ctx->error), -- ctx->error, -- ctx->error_depth, -+ X509_verify_cert_error_string(ctx_error), -+ ctx_error, -+ X509_STORE_CTX_get_error_depth(ctx), - buf); - } - ERR_clear_error(); -@@ -516,14 +522,15 @@ eay_get_x509asn1subjectname(cert) - if (x509 == NULL) - goto error; - -+ X509_NAME *subject_name = X509_get_subject_name(x509); - /* get the length of the name */ -- len = i2d_X509_NAME(x509->cert_info->subject, NULL); -+ len = i2d_X509_NAME(subject_name, NULL); - name = vmalloc(len); - if (!name) - goto error; - /* get the name */ - bp = (unsigned char *) name->v; -- len = i2d_X509_NAME(x509->cert_info->subject, &bp); -+ len = i2d_X509_NAME(subject_name, &bp); - - X509_free(x509); - -@@ -661,15 +668,16 @@ eay_get_x509asn1issuername(cert) - if (x509 == NULL) - goto error; - -+ X509_NAME *issuer_name = X509_get_issuer_name(x509); - /* get the length of the name */ -- len = i2d_X509_NAME(x509->cert_info->issuer, NULL); -+ len = i2d_X509_NAME(issuer_name, NULL); - name = vmalloc(len); - if (name == NULL) - goto error; - - /* get the name */ - bp = (unsigned char *) name->v; -- len = i2d_X509_NAME(x509->cert_info->issuer, &bp); -+ len = i2d_X509_NAME(issuer_name, &bp); - - X509_free(x509); - -@@ -850,7 +858,7 @@ eay_check_x509sign(source, sig, cert) - return -1; - } - -- res = eay_rsa_verify(source, sig, evp->pkey.rsa); -+ res = eay_rsa_verify(source, sig, EVP_PKEY_get0_RSA(evp)); - - EVP_PKEY_free(evp); - X509_free(x509); -@@ -992,7 +1000,7 @@ eay_get_x509sign(src, privkey) - if (evp == NULL) - return NULL; - -- sig = eay_rsa_sign(src, evp->pkey.rsa); -+ sig = eay_rsa_sign(src, EVP_PKEY_get0_RSA(evp)); - - EVP_PKEY_free(evp); - -@@ -1079,7 +1087,11 @@ eay_strerror() - int line, flags; - unsigned long es; - -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+ es = 0; /* even when allowed by OPENSSL_API_COMPAT, it is defined as 0 */ -+#else - es = CRYPTO_thread_id(); -+#endif - - while ((l = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0){ - n = snprintf(ebuf + len, sizeof(ebuf) - len, -@@ -1100,7 +1112,7 @@ vchar_t * - evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc) - { - vchar_t *res; -- EVP_CIPHER_CTX ctx; -+ EVP_CIPHER_CTX *ctx; - - if (!e) - return NULL; -@@ -1111,7 +1123,7 @@ evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc - if ((res = vmalloc(data->l)) == NULL) - return NULL; - -- EVP_CIPHER_CTX_init(&ctx); -+ ctx = EVP_CIPHER_CTX_new(); - - switch(EVP_CIPHER_nid(e)){ - case NID_bf_cbc: -@@ -1125,54 +1137,41 @@ evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc - /* XXX: can we do that also for algos with a fixed key size ? - */ - /* init context without key/iv -- */ -- if (!EVP_CipherInit(&ctx, e, NULL, NULL, enc)) -- { -- OpenSSL_BUG(); -- vfree(res); -- return NULL; -- } -+ */ -+ if (!EVP_CipherInit(ctx, e, NULL, NULL, enc)) -+ goto out; - -- /* update key size -- */ -- if (!EVP_CIPHER_CTX_set_key_length(&ctx, key->l)) -- { -- OpenSSL_BUG(); -- vfree(res); -- return NULL; -- } -- -- /* finalize context init with desired key size -- */ -- if (!EVP_CipherInit(&ctx, NULL, (u_char *) key->v, -+ /* update key size -+ */ -+ if (!EVP_CIPHER_CTX_set_key_length(ctx, key->l)) -+ goto out; -+ -+ /* finalize context init with desired key size -+ */ -+ if (!EVP_CipherInit(ctx, NULL, (u_char *) key->v, - (u_char *) iv->v, enc)) -- { -- OpenSSL_BUG(); -- vfree(res); -- return NULL; -- } -+ goto out; - break; - default: -- if (!EVP_CipherInit(&ctx, e, (u_char *) key->v, -- (u_char *) iv->v, enc)) { -- OpenSSL_BUG(); -- vfree(res); -- return NULL; -- } -+ if (!EVP_CipherInit(ctx, e, (u_char *) key->v, -+ (u_char *) iv->v, enc)) -+ goto out; - } - - /* disable openssl padding */ -- EVP_CIPHER_CTX_set_padding(&ctx, 0); -+ EVP_CIPHER_CTX_set_padding(ctx, 0); - -- if (!EVP_Cipher(&ctx, (u_char *) res->v, (u_char *) data->v, data->l)) { -- OpenSSL_BUG(); -- vfree(res); -- return NULL; -- } -+ if (!EVP_Cipher(ctx, (u_char *) res->v, (u_char *) data->v, data->l)) -+ goto out; - -- EVP_CIPHER_CTX_cleanup(&ctx); -+ EVP_CIPHER_CTX_free(ctx); - - return res; -+out: -+ EVP_CIPHER_CTX_free(ctx); -+ OpenSSL_BUG(); -+ vfree(res); -+ return NULL; - } - - int -@@ -1230,7 +1229,7 @@ eay_des_keylen(len) - return evp_keylen(len, EVP_des_cbc()); - } - --#ifdef HAVE_OPENSSL_IDEA_H -+#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA) - /* - * IDEA-CBC - */ -@@ -1587,7 +1586,7 @@ eay_aes_keylen(len) - return len; - } - --#if defined(HAVE_OPENSSL_CAMELLIA_H) -+#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA) - /* - * CAMELLIA-CBC - */ -@@ -1680,9 +1679,9 @@ eay_hmac_init(key, md) - vchar_t *key; - const EVP_MD *md; - { -- HMAC_CTX *c = racoon_malloc(sizeof(*c)); -+ HMAC_CTX *c = HMAC_CTX_new(); - -- HMAC_Init(c, key->v, key->l, md); -+ HMAC_Init_ex(c, key->v, key->l, md, NULL); - - return (caddr_t)c; - } -@@ -1761,8 +1760,7 @@ eay_hmacsha2_512_final(c) - - HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l); - res->l = l; -- HMAC_cleanup((HMAC_CTX *)c); -- (void)racoon_free(c); -+ HMAC_CTX_free((HMAC_CTX *)c); - - if (SHA512_DIGEST_LENGTH != res->l) { - plog(LLV_ERROR, LOCATION, NULL, -@@ -1811,8 +1809,7 @@ eay_hmacsha2_384_final(c) - - HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l); - res->l = l; -- HMAC_cleanup((HMAC_CTX *)c); -- (void)racoon_free(c); -+ HMAC_CTX_free((HMAC_CTX *)c); - - if (SHA384_DIGEST_LENGTH != res->l) { - plog(LLV_ERROR, LOCATION, NULL, -@@ -1861,8 +1858,7 @@ eay_hmacsha2_256_final(c) - - HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l); - res->l = l; -- HMAC_cleanup((HMAC_CTX *)c); -- (void)racoon_free(c); -+ HMAC_CTX_free((HMAC_CTX *)c); - - if (SHA256_DIGEST_LENGTH != res->l) { - plog(LLV_ERROR, LOCATION, NULL, -@@ -1912,8 +1908,7 @@ eay_hmacsha1_final(c) - - HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l); - res->l = l; -- HMAC_cleanup((HMAC_CTX *)c); -- (void)racoon_free(c); -+ HMAC_CTX_free((HMAC_CTX *)c); - - if (SHA_DIGEST_LENGTH != res->l) { - plog(LLV_ERROR, LOCATION, NULL, -@@ -1962,8 +1957,7 @@ eay_hmacmd5_final(c) - - HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l); - res->l = l; -- HMAC_cleanup((HMAC_CTX *)c); -- (void)racoon_free(c); -+ HMAC_CTX_free((HMAC_CTX *)c); - - if (MD5_DIGEST_LENGTH != res->l) { - plog(LLV_ERROR, LOCATION, NULL, -@@ -2266,6 +2260,7 @@ eay_dh_generate(prime, g, publen, pub, priv) - u_int32_t g; - { - BIGNUM *p = NULL; -+ BIGNUM *BNg = NULL; - DH *dh = NULL; - int error = -1; - -@@ -2276,25 +2271,28 @@ eay_dh_generate(prime, g, publen, pub, priv) - - if ((dh = DH_new()) == NULL) - goto end; -- dh->p = p; -- p = NULL; /* p is now part of dh structure */ -- dh->g = NULL; -- if ((dh->g = BN_new()) == NULL) -+ if ((BNg = BN_new()) == NULL) - goto end; -- if (!BN_set_word(dh->g, g)) -+ if (!BN_set_word(BNg, g)) - goto end; -+ if (! DH_set0_pqg(dh, p, NULL, BNg)) -+ goto end; -+ BNg = NULL; -+ p = NULL; /* p is now part of dh structure */ - - if (publen != 0) -- dh->length = publen; -+ DH_set_length(dh, publen); - - /* generate public and private number */ - if (!DH_generate_key(dh)) - goto end; - - /* copy results to buffers */ -- if (eay_bn2v(pub, dh->pub_key) < 0) -+ BIGNUM *pub_key, *priv_key; -+ DH_get0_key(dh, (const BIGNUM**) &pub_key, (const BIGNUM**) &priv_key); -+ if (eay_bn2v(pub, pub_key) < 0) - goto end; -- if (eay_bn2v(priv, dh->priv_key) < 0) { -+ if (eay_bn2v(priv, priv_key) < 0) { - vfree(*pub); - goto end; - } -@@ -2306,6 +2304,8 @@ end: - DH_free(dh); - if (p != 0) - BN_free(p); -+ if (BNg != 0) -+ BN_free(BNg); - return(error); - } - -@@ -2319,6 +2319,10 @@ eay_dh_compute(prime, g, pub, priv, pub2, key) - int l; - unsigned char *v = NULL; - int error = -1; -+ BIGNUM *p = BN_new(); -+ BIGNUM *BNg = BN_new(); -+ BIGNUM *pub_key = BN_new(); -+ BIGNUM *priv_key = BN_new(); - - /* make public number to compute */ - if (eay_v2bn(&dh_pub, pub2) < 0) -@@ -2327,19 +2331,21 @@ eay_dh_compute(prime, g, pub, priv, pub2, key) - /* make DH structure */ - if ((dh = DH_new()) == NULL) - goto end; -- if (eay_v2bn(&dh->p, prime) < 0) -+ if (p == NULL || BNg == NULL || pub_key == NULL || priv_key == NULL) - goto end; -- if (eay_v2bn(&dh->pub_key, pub) < 0) -+ -+ if (eay_v2bn(&p, prime) < 0) - goto end; -- if (eay_v2bn(&dh->priv_key, priv) < 0) -+ if (eay_v2bn(&pub_key, pub) < 0) - goto end; -- dh->length = pub2->l * 8; -- -- dh->g = NULL; -- if ((dh->g = BN_new()) == NULL) -+ if (eay_v2bn(&priv_key, priv) < 0) - goto end; -- if (!BN_set_word(dh->g, g)) -+ if (!BN_set_word(BNg, g)) - goto end; -+ DH_set0_key(dh, pub_key, priv_key); -+ DH_set_length(dh, pub2->l * 8); -+ DH_set0_pqg(dh, p, NULL, BNg); -+ pub_key = priv_key = p = BNg = NULL; - - if ((v = racoon_calloc(prime->l, sizeof(u_char))) == NULL) - goto end; -@@ -2350,6 +2356,14 @@ eay_dh_compute(prime, g, pub, priv, pub2, key) - error = 0; - - end: -+ if (p != NULL) -+ BN_free(p); -+ if (BNg != NULL) -+ BN_free(BNg); -+ if (pub_key != NULL) -+ BN_free(pub_key); -+ if (priv_key != NULL) -+ BN_free(priv_key); - if (dh_pub != NULL) - BN_free(dh_pub); - if (dh != NULL) -@@ -2400,12 +2414,14 @@ eay_bn2v(var, bn) - void - eay_init() - { -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - OpenSSL_add_all_algorithms(); - ERR_load_crypto_strings(); - #ifdef HAVE_OPENSSL_ENGINE_H - ENGINE_load_builtin_engines(); - ENGINE_register_all_complete(); - #endif -+#endif - } - - vchar_t * -@@ -2504,8 +2520,7 @@ binbuf_pubkey2rsa(vchar_t *binbuf) - goto out; - } - -- rsa_pub->n = mod; -- rsa_pub->e = exp; -+ RSA_set0_key(rsa_pub, mod, exp, NULL); - - out: - return rsa_pub; -@@ -2582,5 +2597,5 @@ eay_random() - const char * - eay_version() - { -- return SSLeay_version(SSLEAY_VERSION); -+ return OpenSSL_version(OPENSSL_VERSION); - } -diff --git a/src/racoon/crypto_openssl.h b/src/racoon/crypto_openssl.h -index 66fac73..ee5b765 100644 ---- a/src/racoon/crypto_openssl.h -+++ b/src/racoon/crypto_openssl.h -@@ -124,7 +124,7 @@ extern vchar_t *eay_aes_decrypt __P((vchar_t *, vchar_t *, vchar_t *)); - extern int eay_aes_weakkey __P((vchar_t *)); - extern int eay_aes_keylen __P((int)); - --#if defined(HAVE_OPENSSL_CAMELLIA_H) -+#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA) - /* Camellia */ - extern vchar_t *eay_camellia_encrypt __P((vchar_t *, vchar_t *, vchar_t *)); - extern vchar_t *eay_camellia_decrypt __P((vchar_t *, vchar_t *, vchar_t *)); -diff --git a/src/racoon/eaytest.c b/src/racoon/eaytest.c -index 1474bdc..ae09db3 100644 ---- a/src/racoon/eaytest.c -+++ b/src/racoon/eaytest.c -@@ -62,6 +62,7 @@ - #include "dhgroup.h" - #include "crypto_openssl.h" - #include "gnuc.h" -+#include "openssl_compat.h" - - #include "package_version.h" - -@@ -103,7 +104,7 @@ rsa_verify_with_pubkey(src, sig, pubkey_txt) - printf ("PEM_read_PUBKEY(): %s\n", eay_strerror()); - return -1; - } -- error = eay_check_rsasign(src, sig, evp->pkey.rsa); -+ error = eay_check_rsasign(src, sig, EVP_PKEY_get0_RSA(evp)); - - return error; - } -@@ -698,7 +699,7 @@ ciphertest(ac, av) - eay_cast_encrypt, eay_cast_decrypt) < 0) - return -1; - --#ifdef HAVE_OPENSSL_IDEA_H -+#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA) - if (ciphertest_1 ("IDEA", - &data, 8, - &key, key.l, -@@ -715,7 +716,7 @@ ciphertest(ac, av) - eay_rc5_encrypt, eay_rc5_decrypt) < 0) - return -1; - #endif --#if defined(HAVE_OPENSSL_CAMELLIA_H) -+#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA) - if (ciphertest_1 ("CAMELLIA", - &data, 16, - &key, key.l, -diff --git a/src/racoon/ipsec_doi.c b/src/racoon/ipsec_doi.c -index 84a4c71..b52469f 100644 ---- a/src/racoon/ipsec_doi.c -+++ b/src/racoon/ipsec_doi.c -@@ -715,7 +715,7 @@ out: - /* key length must not be specified on some algorithms */ - if (keylen) { - if (sa->enctype == OAKLEY_ATTR_ENC_ALG_DES --#ifdef HAVE_OPENSSL_IDEA_H -+#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA) - || sa->enctype == OAKLEY_ATTR_ENC_ALG_IDEA - #endif - || sa->enctype == OAKLEY_ATTR_ENC_ALG_3DES) { -diff --git a/src/racoon/openssl_compat.c b/src/racoon/openssl_compat.c -new file mode 100644 -index 0000000..864b5fb ---- /dev/null -+++ b/src/racoon/openssl_compat.c -@@ -0,0 +1,213 @@ -+/* -+ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the OpenSSL license (the "License"). You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+#include "openssl_compat.h" -+ -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ -+#include -+ -+static void *OPENSSL_zalloc(size_t num) -+{ -+ void *ret = OPENSSL_malloc(num); -+ -+ if (ret != NULL) -+ memset(ret, 0, num); -+ return ret; -+} -+ -+int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) -+{ -+ /* If the fields n and e in r are NULL, the corresponding input -+ * parameters MUST be non-NULL for n and e. d may be -+ * left NULL (in case only the public key is used). -+ */ -+ if ((r->n == NULL && n == NULL) -+ || (r->e == NULL && e == NULL)) -+ return 0; -+ -+ if (n != NULL) { -+ BN_free(r->n); -+ r->n = n; -+ } -+ if (e != NULL) { -+ BN_free(r->e); -+ r->e = e; -+ } -+ if (d != NULL) { -+ BN_free(r->d); -+ r->d = d; -+ } -+ -+ return 1; -+} -+ -+int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) -+{ -+ /* If the fields p and q in r are NULL, the corresponding input -+ * parameters MUST be non-NULL. -+ */ -+ if ((r->p == NULL && p == NULL) -+ || (r->q == NULL && q == NULL)) -+ return 0; -+ -+ if (p != NULL) { -+ BN_free(r->p); -+ r->p = p; -+ } -+ if (q != NULL) { -+ BN_free(r->q); -+ r->q = q; -+ } -+ -+ return 1; -+} -+ -+int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) -+{ -+ /* If the fields dmp1, dmq1 and iqmp in r are NULL, the corresponding input -+ * parameters MUST be non-NULL. -+ */ -+ if ((r->dmp1 == NULL && dmp1 == NULL) -+ || (r->dmq1 == NULL && dmq1 == NULL) -+ || (r->iqmp == NULL && iqmp == NULL)) -+ return 0; -+ -+ if (dmp1 != NULL) { -+ BN_free(r->dmp1); -+ r->dmp1 = dmp1; -+ } -+ if (dmq1 != NULL) { -+ BN_free(r->dmq1); -+ r->dmq1 = dmq1; -+ } -+ if (iqmp != NULL) { -+ BN_free(r->iqmp); -+ r->iqmp = iqmp; -+ } -+ -+ return 1; -+} -+ -+void RSA_get0_key(const RSA *r, -+ const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) -+{ -+ if (n != NULL) -+ *n = r->n; -+ if (e != NULL) -+ *e = r->e; -+ if (d != NULL) -+ *d = r->d; -+} -+ -+void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) -+{ -+ if (p != NULL) -+ *p = r->p; -+ if (q != NULL) -+ *q = r->q; -+} -+ -+void RSA_get0_crt_params(const RSA *r, -+ const BIGNUM **dmp1, const BIGNUM **dmq1, -+ const BIGNUM **iqmp) -+{ -+ if (dmp1 != NULL) -+ *dmp1 = r->dmp1; -+ if (dmq1 != NULL) -+ *dmq1 = r->dmq1; -+ if (iqmp != NULL) -+ *iqmp = r->iqmp; -+} -+ -+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) -+{ -+ /* If the fields p and g in d are NULL, the corresponding input -+ * parameters MUST be non-NULL. q may remain NULL. -+ */ -+ if ((dh->p == NULL && p == NULL) -+ || (dh->g == NULL && g == NULL)) -+ return 0; -+ -+ if (p != NULL) { -+ BN_free(dh->p); -+ dh->p = p; -+ } -+ if (q != NULL) { -+ BN_free(dh->q); -+ dh->q = q; -+ } -+ if (g != NULL) { -+ BN_free(dh->g); -+ dh->g = g; -+ } -+ -+ if (q != NULL) { -+ dh->length = BN_num_bits(q); -+ } -+ -+ return 1; -+} -+ -+void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key) -+{ -+ if (pub_key != NULL) -+ *pub_key = dh->pub_key; -+ if (priv_key != NULL) -+ *priv_key = dh->priv_key; -+} -+ -+int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) -+{ -+ /* If the field pub_key in dh is NULL, the corresponding input -+ * parameters MUST be non-NULL. The priv_key field may -+ * be left NULL. -+ */ -+ if (dh->pub_key == NULL && pub_key == NULL) -+ return 0; -+ -+ if (pub_key != NULL) { -+ BN_free(dh->pub_key); -+ dh->pub_key = pub_key; -+ } -+ if (priv_key != NULL) { -+ BN_free(dh->priv_key); -+ dh->priv_key = priv_key; -+ } -+ -+ return 1; -+} -+ -+int DH_set_length(DH *dh, long length) -+{ -+ dh->length = length; -+ return 1; -+} -+ -+HMAC_CTX *HMAC_CTX_new(void) -+{ -+ return OPENSSL_zalloc(sizeof(HMAC_CTX)); -+} -+ -+void HMAC_CTX_free(HMAC_CTX *ctx) -+{ -+ HMAC_CTX_cleanup(ctx); -+ OPENSSL_free(ctx); -+} -+ -+RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey) -+{ -+ if (pkey->type != EVP_PKEY_RSA) { -+ return NULL; -+ } -+ return pkey->pkey.rsa; -+} -+ -+ -+#endif /* OPENSSL_VERSION_NUMBER */ -diff --git a/src/racoon/openssl_compat.h b/src/racoon/openssl_compat.h -new file mode 100644 -index 0000000..9e152c2 ---- /dev/null -+++ b/src/racoon/openssl_compat.h -@@ -0,0 +1,45 @@ -+#ifndef OPENSSL_COMPAT_H -+#define OPENSSL_COMPAT_H -+ -+#include -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ -+#include -+#include -+#include -+#include -+ -+int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d); -+int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q); -+int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp); -+void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d); -+void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q); -+void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, const BIGNUM **iqmp); -+ -+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g); -+void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key); -+int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key); -+int DH_set_length(DH *dh, long length); -+ -+HMAC_CTX *HMAC_CTX_new(void); -+void HMAC_CTX_free(HMAC_CTX* ctx); -+ -+RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey); -+ -+#define ASN1_STRING_length(s) s->length -+#define ASN1_STRING_get0_data(s) s->data -+ -+#define X509_get_subject_name(x) x->cert_info->subject -+#define X509_get_issuer_name(x) x->cert_info->issuer -+#define X509_NAME_ENTRY_get_data(n) n->value -+#define X509_NAME_ENTRY_get_object(n) n->object -+#define X509_STORE_CTX_get_current_cert(ctx) ctx->current_cert -+#define X509_STORE_CTX_get_error(ctx) ctx->error -+#define X509_STORE_CTX_get_error_depth(ctx) ctx->error_depth -+ -+#define OPENSSL_VERSION SSLEAY_VERSION -+#define OpenSSL_version SSLeay_version -+ -+#endif /* OPENSSL_VERSION_NUMBER */ -+ -+#endif /* OPENSSL_COMPAT_H */ -diff --git a/src/racoon/plainrsa-gen.c b/src/racoon/plainrsa-gen.c -index cad1861..b949b08 100644 ---- a/src/racoon/plainrsa-gen.c -+++ b/src/racoon/plainrsa-gen.c -@@ -60,6 +60,7 @@ - #include "vmbuf.h" - #include "plog.h" - #include "crypto_openssl.h" -+#include "openssl_compat.h" - - #include "package_version.h" - -@@ -90,12 +91,14 @@ mix_b64_pubkey(const RSA *key) - char *binbuf; - long binlen, ret; - vchar_t *res; -- -- binlen = 1 + BN_num_bytes(key->e) + BN_num_bytes(key->n); -+ const BIGNUM *e, *n; -+ -+ RSA_get0_key(key, &n, &e, NULL); -+ binlen = 1 + BN_num_bytes(e) + BN_num_bytes(n); - binbuf = malloc(binlen); - memset(binbuf, 0, binlen); -- binbuf[0] = BN_bn2bin(key->e, (unsigned char *) &binbuf[1]); -- ret = BN_bn2bin(key->n, (unsigned char *) (&binbuf[binbuf[0] + 1])); -+ binbuf[0] = BN_bn2bin(e, (unsigned char *) &binbuf[1]); -+ ret = BN_bn2bin(n, (unsigned char *) (&binbuf[binbuf[0] + 1])); - if (1 + binbuf[0] + ret != binlen) { - plog(LLV_ERROR, LOCATION, NULL, - "Pubkey generation failed. This is really strange...\n"); -@@ -131,16 +134,20 @@ print_rsa_key(FILE *fp, const RSA *key) - - fprintf(fp, "# : PUB 0s%s\n", pubkey64->v); - fprintf(fp, ": RSA\t{\n"); -- fprintf(fp, "\t# RSA %d bits\n", BN_num_bits(key->n)); -+ const BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp; -+ RSA_get0_key(key, &n, &e, &d); -+ RSA_get0_factors(key, &p, &q); -+ RSA_get0_crt_params(key, &dmp1, &dmq1, &iqmp); -+ fprintf(fp, "\t# RSA %d bits\n", BN_num_bits(n)); - fprintf(fp, "\t# pubkey=0s%s\n", pubkey64->v); -- fprintf(fp, "\tModulus: 0x%s\n", lowercase(BN_bn2hex(key->n))); -- fprintf(fp, "\tPublicExponent: 0x%s\n", lowercase(BN_bn2hex(key->e))); -- fprintf(fp, "\tPrivateExponent: 0x%s\n", lowercase(BN_bn2hex(key->d))); -- fprintf(fp, "\tPrime1: 0x%s\n", lowercase(BN_bn2hex(key->p))); -- fprintf(fp, "\tPrime2: 0x%s\n", lowercase(BN_bn2hex(key->q))); -- fprintf(fp, "\tExponent1: 0x%s\n", lowercase(BN_bn2hex(key->dmp1))); -- fprintf(fp, "\tExponent2: 0x%s\n", lowercase(BN_bn2hex(key->dmq1))); -- fprintf(fp, "\tCoefficient: 0x%s\n", lowercase(BN_bn2hex(key->iqmp))); -+ fprintf(fp, "\tModulus: 0x%s\n", lowercase(BN_bn2hex(n))); -+ fprintf(fp, "\tPublicExponent: 0x%s\n", lowercase(BN_bn2hex(e))); -+ fprintf(fp, "\tPrivateExponent: 0x%s\n", lowercase(BN_bn2hex(d))); -+ fprintf(fp, "\tPrime1: 0x%s\n", lowercase(BN_bn2hex(p))); -+ fprintf(fp, "\tPrime2: 0x%s\n", lowercase(BN_bn2hex(q))); -+ fprintf(fp, "\tExponent1: 0x%s\n", lowercase(BN_bn2hex(dmp1))); -+ fprintf(fp, "\tExponent2: 0x%s\n", lowercase(BN_bn2hex(dmq1))); -+ fprintf(fp, "\tCoefficient: 0x%s\n", lowercase(BN_bn2hex(iqmp))); - fprintf(fp, " }\n"); - - vfree(pubkey64); -@@ -203,11 +210,13 @@ int - gen_rsa_key(FILE *fp, size_t bits, unsigned long exp) - { - int ret; -- RSA *key; -+ RSA *key = RSA_new(); -+ BIGNUM *e = BN_new(); - -- key = RSA_generate_key(bits, exp, NULL, NULL); -- if (!key) { -+ BN_set_word(e, exp); -+ if (! RSA_generate_key_ex(key, bits, e, NULL)) { - fprintf(stderr, "RSA_generate_key(): %s\n", eay_strerror()); -+ RSA_free(key); - return -1; - } - -diff --git a/src/racoon/prsa_par.y b/src/racoon/prsa_par.y -index 1987e4d..27ce4c6 100644 ---- a/src/racoon/prsa_par.y -+++ b/src/racoon/prsa_par.y -@@ -68,6 +68,7 @@ - #include "isakmp_var.h" - #include "handler.h" - #include "crypto_openssl.h" -+#include "openssl_compat.h" - #include "sockmisc.h" - #include "rsalist.h" - -@@ -85,7 +86,18 @@ char *prsa_cur_fname = NULL; - struct genlist *prsa_cur_list = NULL; - enum rsa_key_type prsa_cur_type = RSA_TYPE_ANY; - --static RSA *rsa_cur; -+struct my_rsa_st { -+ BIGNUM *n; -+ BIGNUM *e; -+ BIGNUM *d; -+ BIGNUM *p; -+ BIGNUM *q; -+ BIGNUM *dmp1; -+ BIGNUM *dmq1; -+ BIGNUM *iqmp; -+}; -+ -+static struct my_rsa_st *rsa_cur; - - void - prsaerror(const char *s, ...) -@@ -201,8 +213,12 @@ rsa_statement: - rsa_cur->iqmp = NULL; - } - } -- $$ = rsa_cur; -- rsa_cur = RSA_new(); -+ RSA * rsa_tmp = RSA_new(); -+ RSA_set0_key(rsa_tmp, rsa_cur->n, rsa_cur->e, rsa_cur->d); -+ RSA_set0_factors(rsa_tmp, rsa_cur->p, rsa_cur->q); -+ RSA_set0_crt_params(rsa_tmp, rsa_cur->dmp1, rsa_cur->dmq1, rsa_cur->iqmp); -+ $$ = rsa_tmp; -+ memset(rsa_cur, 0, sizeof(struct my_rsa_st)); - } - | TAG_PUB BASE64 - { -@@ -351,10 +367,12 @@ prsa_parse_file(struct genlist *list, char *fname, enum rsa_key_type type) - prsa_cur_fname = fname; - prsa_cur_list = list; - prsa_cur_type = type; -- rsa_cur = RSA_new(); -+ rsa_cur = malloc(sizeof(struct my_rsa_st)); -+ memset(rsa_cur, 0, sizeof(struct my_rsa_st)); - ret = prsaparse(); - if (rsa_cur) { -- RSA_free(rsa_cur); -+ memset(rsa_cur, 0, sizeof(struct my_rsa_st)); -+ free(rsa_cur); - rsa_cur = NULL; - } - fclose (fp); -diff --git a/src/racoon/rsalist.c b/src/racoon/rsalist.c -index f152c82..96e8363 100644 ---- a/src/racoon/rsalist.c -+++ b/src/racoon/rsalist.c -@@ -52,6 +52,7 @@ - #include "genlist.h" - #include "remoteconf.h" - #include "crypto_openssl.h" -+#include "openssl_compat.h" - - #ifndef LIST_FIRST - #define LIST_FIRST(head) ((head)->lh_first) -@@ -98,7 +99,9 @@ rsa_key_dup(struct rsa_key *key) - return NULL; - - if (key->rsa) { -- new->rsa = key->rsa->d != NULL ? RSAPrivateKey_dup(key->rsa) : RSAPublicKey_dup(key->rsa); -+ const BIGNUM *d; -+ RSA_get0_key(key->rsa, NULL, NULL, &d); -+ new->rsa = (d != NULL ? RSAPrivateKey_dup(key->rsa) : RSAPublicKey_dup(key->rsa)); - if (new->rsa == NULL) - goto dup_error; - } --- -2.16.1 - diff --git a/package/ipsec-tools/Config.in b/package/ipsec-tools/Config.in deleted file mode 100644 index 59154123e6..0000000000 --- a/package/ipsec-tools/Config.in +++ /dev/null @@ -1,75 +0,0 @@ -config BR2_PACKAGE_IPSEC_TOOLS - bool "ipsec-tools" - depends on BR2_USE_MMU # fork() - depends on !BR2_TOOLCHAIN_USES_MUSL # Use __P() macro all over the tree - select BR2_PACKAGE_OPENSSL - select BR2_PACKAGE_FLEX - help - This package is required to support IPSec for Linux 2.6+ - - http://ipsec-tools.sourceforge.net/ - -if BR2_PACKAGE_IPSEC_TOOLS - -config BR2_PACKAGE_IPSEC_TOOLS_ADMINPORT - bool "Enable racoonctl(8)" - default y - help - Lets racoon to listen to racoon admin port, which is to - be contacted by racoonctl(8). - -config BR2_PACKAGE_IPSEC_TOOLS_NATT - bool "Enable NAT-Traversal" - help - This needs kernel support, which is available on Linux. On - NetBSD, NAT-Traversal kernel support has not been integrated - yet, you can get it from here: - - http://ipsec-tools.sourceforge.net/netbsd_nat-t.diff If you - - live in a country where software patents are legal, using - NAT-Traversal might infringe a patent. - -config BR2_PACKAGE_IPSEC_TOOLS_FRAG - bool "Enable IKE fragmentation" - help - Enable IKE fragmentation, which is a workaround for - broken routers that drop fragmented packets - -config BR2_PACKAGE_IPSEC_TOOLS_DPD - bool "Enable DPD (Dead Peer Detection)" - help - Enable dead peer detection support - -config BR2_PACKAGE_IPSEC_TOOLS_STATS - bool "Enable statistics logging function" - default y - -config BR2_PACKAGE_IPSEC_TOOLS_READLINE - bool "Enable readline input support" - select BR2_PACKAGE_READLINE - -config BR2_PACKAGE_IPSEC_TOOLS_HYBRID - bool "Enable hybrid, both mode-cfg and xauth support" - help - Hybrid mode is required for successful interoperability - (e.g. Cisco VPN Client). - -choice - prompt "Security context" - default BR2_PACKAGE_IPSEC_TOOLS_SECCTX_DISABLE - help - Selects whether or not to enable security context support. - -config BR2_PACKAGE_IPSEC_TOOLS_SECCTX_DISABLE - bool "Disable security context support" - -config BR2_PACKAGE_IPSEC_TOOLS_SECCTX_ENABLE - bool "Enable SELinux security context support" - -config BR2_PACKAGE_IPSEC_TOOLS_SECCTX_KERNEL - bool "Enable kernel security context" - -endchoice - -endif diff --git a/package/ipsec-tools/ipsec-tools.hash b/package/ipsec-tools/ipsec-tools.hash deleted file mode 100644 index 7a944eb8ee..0000000000 --- a/package/ipsec-tools/ipsec-tools.hash +++ /dev/null @@ -1,6 +0,0 @@ -# From http://sourceforge.net/projects/ipsec-tools/files/ipsec-tools/0.8.2/ -md5 d53ec14a0a3ece64e09e5e34b3350b41 ipsec-tools-0.8.2.tar.bz2 -sha1 7d92cae9fde59fb4f125636698c43b0a3df3d0f0 ipsec-tools-0.8.2.tar.bz2 - -# Locally calculated -sha256 3f4af4aef0b2599928bee9875935b8fad8449ddbb98ea7da74c20c3dff5cdef7 src/setkey/setkey.c diff --git a/package/ipsec-tools/ipsec-tools.mk b/package/ipsec-tools/ipsec-tools.mk deleted file mode 100644 index 72bd8c196c..0000000000 --- a/package/ipsec-tools/ipsec-tools.mk +++ /dev/null @@ -1,85 +0,0 @@ -################################################################################ -# -# ipsec-tools -# -################################################################################ - -IPSEC_TOOLS_VERSION = 0.8.2 -IPSEC_TOOLS_SOURCE = ipsec-tools-$(IPSEC_TOOLS_VERSION).tar.bz2 -IPSEC_TOOLS_SITE = http://sourceforge.net/projects/ipsec-tools/files/ipsec-tools/$(IPSEC_TOOLS_VERSION) -IPSEC_TOOLS_LICENSE = BSD-3-Clause -IPSEC_TOOLS_LICENSE_FILES = src/setkey/setkey.c -IPSEC_TOOLS_INSTALL_STAGING = YES -IPSEC_TOOLS_MAKE = $(MAKE1) -IPSEC_TOOLS_DEPENDENCIES = openssl flex host-pkgconf host-flex host-bison -# we patch configure.ac -IPSEC_TOOLS_AUTORECONF = YES - -# 0004-CVE-2015-4047.patch -IPSEC_TOOLS_IGNORE_CVES += CVE-2015-4047 -# 0005-CVE-2016-10396.patch -IPSEC_TOOLS_IGNORE_CVES += CVE-2016-10396 - -# configure hardcodes -Werror, so override CFLAGS on make invocation -IPSEC_TOOLS_MAKE_OPTS = CFLAGS='$(TARGET_CFLAGS)' - -IPSEC_TOOLS_CONF_ENV = LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl` - -IPSEC_TOOLS_CONF_OPTS = \ - --without-libpam \ - --disable-gssapi \ - --with-kernel-headers=$(STAGING_DIR)/usr/include - -ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_ADMINPORT),y) -IPSEC_TOOLS_CONF_OPTS += --enable-adminport -else -IPSEC_TOOLS_CONF_OPTS += --disable-adminport -endif - -ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_NATT),y) -IPSEC_TOOLS_CONF_OPTS += --enable-natt -else -IPSEC_TOOLS_CONF_OPTS += --disable-natt -endif - -ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_FRAG),y) -IPSEC_TOOLS_CONF_OPTS += --enable-frag -else -IPSEC_TOOLS_CONF_OPTS += --disable-frag -endif - -ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_DPD),y) -IPSEC_TOOLS_CONF_OPTS += --enable-dpd -else -IPSEC_TOOLS_CONF_OPTS += --disable-dpd -endif - -ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_STATS),y) -IPSEC_TOOLS_CONF_OPTS += --enable-stats -else -IPSEC_TOOLS_CONF_OPTS += --disable-stats -endif - -ifneq ($(BR2_PACKAGE_IPSEC_TOOLS_READLINE),y) -IPSEC_TOOLS_CONF_OPTS += --without-readline -else -IPSEC_TOOLS_DEPENDENCIES += readline -endif - -ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_HYBRID),y) -IPSEC_TOOLS_CONF_OPTS += --enable-hybrid -else -IPSEC_TOOLS_CONF_OPTS += --disable-hybrid -endif - -ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_SECCTX_DISABLE),y) -IPSEC_TOOLS_CONF_OPTS += --enable-security-context=no -endif -ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_SECCTX_ENABLE),y) -IPSEC_TOOLS_CONF_OPTS += --enable-security-context=yes -endif -ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_SECCTX_KERNEL),y) -IPSEC_TOOLS_CONF_OPTS += --enable-security-context=kernel -endif - -$(eval $(autotools-package))