[Buildroot] [PATCH/next 0/7] Preparation for libopenssl version bump

[Buildroot] [PATCH/next 0/7] Preparation for libopenssl version bump

[Bernd Kuhls]

Hi,

this is the next bunch of patches to prepare the version bump of
libopenssl to version 1.1.x. These patches should keep compatability
with version 1.0.2o., tested with this defconfig:

BR2_x86_64=y
BR2_x86_core2=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_DOWNLOAD=y
BR2_TOOLCHAIN_EXTERNAL_URL="http://autobuild.buildroot.org/toolchains/tarballs/br-x86-64-core2-full-2018.05.tar.bz2"
BR2_TOOLCHAIN_EXTERNAL_GCC_6=y
BR2_TOOLCHAIN_EXTERNAL_HEADERS_4_16=y
BR2_TOOLCHAIN_EXTERNAL_LOCALE=y
BR2_TOOLCHAIN_EXTERNAL_CXX=y
BR2_PACKAGE_ECRYPTFS_UTILS=y
BR2_PACKAGE_XORG7=y
BR2_PACKAGE_RDESKTOP=y
BR2_PACKAGE_IBRCOMMON=y
BR2_PACKAGE_LIBOAUTH=y
BR2_PACKAGE_LIBTORRENT=y
BR2_PACKAGE_IPSEC_TOOLS=y
BR2_PACKAGE_IPSEC_TOOLS_NATT=y
BR2_PACKAGE_IPSEC_TOOLS_FRAG=y
BR2_PACKAGE_IPSEC_TOOLS_DPD=y
BR2_PACKAGE_IPSEC_TOOLS_READLINE=y
BR2_PACKAGE_IPSEC_TOOLS_HYBRID=y
BR2_PACKAGE_POUND=y

$ grep OPENSSL .config
  BR2_PACKAGE_OPENSSL=y
  BR2_PACKAGE_LIBOPENSSL=y
  # BR2_PACKAGE_LIBOPENSSL_BIN is not set
  # BR2_PACKAGE_LIBOPENSSL_ENGINES is not set
  BR2_PACKAGE_HAS_OPENSSL=y
  BR2_PACKAGE_PROVIDES_OPENSSL="libopenssl"
  BR2_PACKAGE_PROVIDES_HOST_OPENSSL="host-libopenssl"

Bernd Kuhls (7):
  package/ecryptfs-utils: Fix build with OpenSSL 1.1.x
  package/ibrcommon: add openssl 1.1 compatibility
  package/ipsec-tools: Fix build with OpenSSL 1.1.x
  package/liboauth: Fix build with OpenSSL 1.1.x
  package/libtorrent: Fix build with OpenSSL 1.1.x
  package/pound: Fix build with OpenSSL 1.1.x
  package/rdesktop: Fix build with OpenSSL 1.1.x

 package/ecryptfs-utils/0002-openssl110.patch  |  173 +++
 ...-added-openssl-1.1-compatibility-264.patch |  357 ++++++
 package/ibrcommon/ibrcommon.hash              |    2 +
 package/ipsec-tools/0006-openssl-1.1.patch    | 1104 +++++++++++++++++
 package/liboauth/0001-openssl-1.1.0.patch     |  154 +++
 package/libtorrent/0002-openssl110.patch      |  109 ++
 package/pound/0002-fix-openssl-1.1.0.patch    |  331 +++++
 package/rdesktop/0002-openssl11.patch         |  130 ++
 8 files changed, 2360 insertions(+)
 create mode 100644 package/ecryptfs-utils/0002-openssl110.patch
 create mode 100644 package/ibrcommon/0002-ibrcommon-added-openssl-1.1-compatibility-264.patch
 create mode 100644 package/ipsec-tools/0006-openssl-1.1.patch
 create mode 100644 package/liboauth/0001-openssl-1.1.0.patch
 create mode 100644 package/libtorrent/0002-openssl110.patch
 create mode 100644 package/pound/0002-fix-openssl-1.1.0.patch
 create mode 100644 package/rdesktop/0002-openssl11.patch

-- 
2.18.0

[Buildroot] [PATCH/next 1/7] package/ecryptfs-utils: Fix build with OpenSSL 1.1.x

[Bernd Kuhls]

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
---
 package/ecryptfs-utils/0002-openssl110.patch | 173 +++++++++++++++++++
 1 file changed, 173 insertions(+)
 create mode 100644 package/ecryptfs-utils/0002-openssl110.patch

diff --git a/package/ecryptfs-utils/0002-openssl110.patch b/package/ecryptfs-utils/0002-openssl110.patch
new file mode 100644
index 0000000000..3ae29a607b
--- /dev/null
+++ b/package/ecryptfs-utils/0002-openssl110.patch
@@ -0,0 +1,173 @@
+Fix build with OpenSSL 1.1.x
+
+Downloaded from upstream commit
+https://code.launchpad.net/~jelle-vdwaa/ecryptfs/ecryptfs/+merge/319746
+
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+
+=== modified file 'src/key_mod/ecryptfs_key_mod_openssl.c'
+--- a/src/key_mod/ecryptfs_key_mod_openssl.c	2013-10-25 19:45:09 +0000
++++ b/src/key_mod/ecryptfs_key_mod_openssl.c	2017-06-02 18:27:28 +0000
+@@ -41,6 +41,7 @@
+ #include <stdlib.h>
+ #include <unistd.h>
+ #include <libgen.h>
++#include <openssl/bn.h>
+ #include <openssl/pem.h>
+ #include <openssl/rsa.h>
+ #include <openssl/err.h>
+@@ -55,6 +56,19 @@
+ 	char *passphrase;
+ };
+ 
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++static void RSA_get0_key(const RSA *r,
++                 const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
++{
++   if (n != NULL)
++       *n = r->n;
++   if (e != NULL)
++       *e = r->e;
++   if (d != NULL)
++       *d = r->d;
++}
++#endif
++
+ static void
+ ecryptfs_openssl_destroy_openssl_data(struct openssl_data *openssl_data)
+ {
+@@ -142,6 +156,7 @@
+ {
+ 	int len, nbits, ebits, i;
+ 	int nbytes, ebytes;
++	const BIGNUM *key_n, *key_e;
+ 	unsigned char *hash;
+ 	unsigned char *data = NULL;
+ 	int rc = 0;
+@@ -152,11 +167,13 @@
+ 		rc = -ENOMEM;
+ 		goto out;
+ 	}
+-	nbits = BN_num_bits(key->n);
++	RSA_get0_key(key, &key_n, NULL, NULL);
++	nbits = BN_num_bits(key_n);
+ 	nbytes = nbits / 8;
+ 	if (nbits % 8)
+ 		nbytes++;
+-	ebits = BN_num_bits(key->e);
++	RSA_get0_key(key, NULL, &key_e, NULL);
++	ebits = BN_num_bits(key_e);
+ 	ebytes = ebits / 8;
+ 	if (ebits % 8)
+ 		ebytes++;
+@@ -179,11 +196,13 @@
+ 	data[i++] = '\02';
+ 	data[i++] = (nbits >> 8);
+ 	data[i++] = nbits;
+-	BN_bn2bin(key->n, &(data[i]));
++	RSA_get0_key(key, &key_n, NULL, NULL);
++	BN_bn2bin(key_n, &(data[i]));
+ 	i += nbytes;
+ 	data[i++] = (ebits >> 8);
+ 	data[i++] = ebits;
+-	BN_bn2bin(key->e, &(data[i]));
++	RSA_get0_key(key, NULL, &key_e, NULL);
++	BN_bn2bin(key_e, &(data[i]));
+ 	i += ebytes;
+ 	SHA1(data, len + 3, hash);
+ 	to_hex(sig, (char *)hash, ECRYPTFS_SIG_SIZE);
+@@ -278,7 +297,9 @@
+ 	BIO *in = NULL;
+ 	int rc;
+ 
++	#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	CRYPTO_malloc_init();
++	#endif
+ 	ERR_load_crypto_strings();
+ 	OpenSSL_add_all_algorithms();
+ 	ENGINE_load_builtin_engines();
+
+=== modified file 'src/key_mod/ecryptfs_key_mod_pkcs11_helper.c'
+--- a/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c	2013-10-25 19:45:09 +0000
++++ b/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c	2017-06-02 18:27:28 +0000
+@@ -41,6 +41,7 @@
+ #include <errno.h>
+ #include <stdlib.h>
+ #include <unistd.h>
++#include <openssl/bn.h>
+ #include <openssl/err.h>
+ #include <openssl/pem.h>
+ #include <openssl/x509.h>
+@@ -77,6 +78,19 @@
+ typedef const unsigned char *__pkcs11_openssl_d2i_t;
+ #endif
+ 
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++static void RSA_get0_key(const RSA *r,
++                 const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
++{
++   if (n != NULL)
++       *n = r->n;
++   if (e != NULL)
++       *e = r->e;
++   if (d != NULL)
++       *d = r->d;
++}
++#endif
++
+ /**
+  * ecryptfs_pkcs11h_deserialize
+  * @pkcs11h_data: The deserialized version of the key module data;
+@@ -282,7 +296,11 @@
+ 		goto out;
+ 	}
+ 	
++	#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	if (pubkey->type != EVP_PKEY_RSA) {
++	#else
++	if (EVP_PKEY_base_id(pubkey) != EVP_PKEY_RSA) {
++	#endif
+ 		syslog(LOG_ERR, "PKCS#11: Invalid public key algorithm");
+ 		rc = -EIO;
+ 		goto out;
+@@ -318,6 +336,7 @@
+ 	int nbytes, ebytes;
+ 	char *hash = NULL;
+ 	char *data = NULL;
++	const BIGNUM *rsa_n, *rsa_e;
+ 	int rc;
+ 
+ 	if ((rc = ecryptfs_pkcs11h_get_public_key(&rsa, blob))) {
+@@ -331,11 +350,13 @@
+ 		rc = -ENOMEM;
+ 		goto out;
+ 	}
+-	nbits = BN_num_bits(rsa->n);
++	RSA_get0_key(rsa, &rsa_n, NULL, NULL);
++	nbits = BN_num_bits(rsa_n);
+ 	nbytes = nbits / 8;
+ 	if (nbits % 8)
+ 		nbytes++;
+-	ebits = BN_num_bits(rsa->e);
++	RSA_get0_key(rsa, NULL, &rsa_e, NULL);
++	ebits = BN_num_bits(rsa_e);
+ 	ebytes = ebits / 8;
+ 	if (ebits % 8)
+ 		ebytes++;
+@@ -358,11 +379,13 @@
+ 	data[i++] = '\02';
+ 	data[i++] = (char)(nbits >> 8);
+ 	data[i++] = (char)nbits;
+-	BN_bn2bin(rsa->n, &(data[i]));
++	RSA_get0_key(rsa, &rsa_n, NULL, NULL);
++	BN_bn2bin(rsa_n, &(data[i]));
+ 	i += nbytes;
+ 	data[i++] = (char)(ebits >> 8);
+ 	data[i++] = (char)ebits;
+-	BN_bn2bin(rsa->e, &(data[i]));
++	RSA_get0_key(rsa, NULL, &rsa_e, NULL);
++	BN_bn2bin(rsa_e, &(data[i]));
+ 	i += ebytes;
+ 	SHA1(data, len + 3, hash);
+ 	to_hex(sig, hash, ECRYPTFS_SIG_SIZE);
+
-- 
2.18.0

[Buildroot] [PATCH/next 2/7] package/ibrcommon: add openssl 1.1 compatibility

[Bernd Kuhls]

Added license hashes.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
---
 ...-added-openssl-1.1-compatibility-264.patch | 357 ++++++++++++++++++
 package/ibrcommon/ibrcommon.hash              |   2 +
 2 files changed, 359 insertions(+)
 create mode 100644 package/ibrcommon/0002-ibrcommon-added-openssl-1.1-compatibility-264.patch

diff --git a/package/ibrcommon/0002-ibrcommon-added-openssl-1.1-compatibility-264.patch b/package/ibrcommon/0002-ibrcommon-added-openssl-1.1-compatibility-264.patch
new file mode 100644
index 0000000000..90e5147f54
--- /dev/null
+++ b/package/ibrcommon/0002-ibrcommon-added-openssl-1.1-compatibility-264.patch
@@ -0,0 +1,357 @@
+From a801d10a081e3130e24042256a43190c9eb6c112 Mon Sep 17 00:00:00 2001
+From: Eneas Queiroz <35331380+cotequeiroz@users.noreply.github.com>
+Date: Wed, 23 May 2018 03:09:02 -0300
+Subject: [PATCH] ibrcommon: added openssl 1.1 compatibility (#264)
+
+This patch adds compatibility to openssl 1.1.0.
+
+Backported from master branch:
+https://github.com/ibrdtn/ibrdtn/commit/a801d10a081e3130e24042256a43190c9eb6c112
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+---
+ ibrcommon/ibrcommon/ssl/HMacStream.cpp      | 11 +++---
+ ibrcommon/ibrcommon/ssl/HMacStream.h        |  2 +-
+ ibrcommon/ibrcommon/ssl/RSASHA256Stream.cpp | 28 +++++++------
+ ibrcommon/ibrcommon/ssl/RSASHA256Stream.h   |  2 +-
+ ibrcommon/ibrcommon/ssl/iostreamBIO.cpp     | 44 ++++++++++++++++-----
+ ibrcommon/ibrcommon/ssl/openssl_compat.h    | 38 ++++++++++++++++++
+ 6 files changed, 95 insertions(+), 30 deletions(-)
+ create mode 100644 ibrcommon/ibrcommon/ssl/openssl_compat.h
+
+diff --git a/ibrcommon/ssl/HMacStream.cpp b/ibrcommon/ssl/HMacStream.cpp
+index e5d317e3..66d8ce42 100644
+--- a/ibrcommon/ssl/HMacStream.cpp
++++ b/ibrcommon/ssl/HMacStream.cpp
+@@ -20,29 +20,30 @@
+  */
+ 
+ #include "ibrcommon/ssl/HMacStream.h"
++#include "openssl_compat.h"
+ 
+ namespace ibrcommon
+ {
+ 	HMacStream::HMacStream(const unsigned char * const key, const int key_size)
+ 	 : HashStream(EVP_MAX_MD_SIZE, BUFF_SIZE), key_(key), key_size_(key_size)
+ 	{
+-		HMAC_CTX_init(&ctx_);
+-		HMAC_Init_ex(&ctx_, key_, key_size_, EVP_sha1(), NULL);
++		ctx_ = HMAC_CTX_new();
++		HMAC_Init_ex(ctx_, key_, key_size_, EVP_sha1(), NULL);
+ 	}
+ 
+ 	HMacStream::~HMacStream()
+ 	{
+-		HMAC_CTX_cleanup(&ctx_);
++		HMAC_CTX_free(ctx_);
+ 	}
+ 
+ 	void HMacStream::update(char *buf, const size_t size)
+ 	{
+ 		// hashing
+-		HMAC_Update(&ctx_, (unsigned char*)buf, size);
++		HMAC_Update(ctx_, (unsigned char*)buf, size);
+ 	}
+ 
+ 	void HMacStream::finalize(char * hash, unsigned int &size)
+ 	{
+-		HMAC_Final(&ctx_, (unsigned char*)hash, &size);
++		HMAC_Final(ctx_, (unsigned char*)hash, &size);
+ 	}
+ }
+diff --git a/ibrcommon/ssl/HMacStream.h b/ibrcommon/ssl/HMacStream.h
+index 7dcea168..d04bceb8 100644
+--- a/ibrcommon/ssl/HMacStream.h
++++ b/ibrcommon/ssl/HMacStream.h
+@@ -44,7 +44,7 @@ namespace ibrcommon
+ 		const unsigned char * const key_;
+ 		const int key_size_;
+ 
+-		HMAC_CTX ctx_;
++		HMAC_CTX* ctx_;
+ 	};
+ }
+ 
+diff --git a/ibrcommon/ssl/RSASHA256Stream.cpp b/ibrcommon/ssl/RSASHA256Stream.cpp
+index d94430ed..d25c5d2f 100644
+--- a/ibrcommon/ssl/RSASHA256Stream.cpp
++++ b/ibrcommon/ssl/RSASHA256Stream.cpp
+@@ -21,6 +21,7 @@
+ 
+ #include "ibrcommon/ssl/RSASHA256Stream.h"
+ #include "ibrcommon/Logger.h"
++#include "openssl_compat.h"
+ #include <openssl/err.h>
+ 
+ namespace ibrcommon
+@@ -30,11 +31,11 @@ namespace ibrcommon
+ 	{
+ 		// Initialize get pointer.  This should be zero so that underflow is called upon first read.
+ 		setp(&out_buf_[0], &out_buf_[BUFF_SIZE - 1]);
+-		EVP_MD_CTX_init(&_ctx);
++		_ctx = EVP_MD_CTX_new();
+ 
+ 		if (!_verify)
+ 		{
+-			if (!EVP_SignInit_ex(&_ctx, EVP_sha256(), NULL))
++			if (!EVP_SignInit_ex(_ctx, EVP_sha256(), NULL))
+ 			{
+ 				IBRCOMMON_LOGGER_TAG("RSASHA256Stream", critical) << "failed to initialize the signature function" << IBRCOMMON_LOGGER_ENDL;
+ 				ERR_print_errors_fp(stderr);
+@@ -42,7 +43,7 @@ namespace ibrcommon
+ 		}
+ 		else
+ 		{
+-			if (!EVP_VerifyInit_ex(&_ctx, EVP_sha256(), NULL))
++			if (!EVP_VerifyInit_ex(_ctx, EVP_sha256(), NULL))
+ 			{
+ 				IBRCOMMON_LOGGER_TAG("RSASHA256Stream", critical) << "failed to initialize the verification function" << IBRCOMMON_LOGGER_ENDL;
+ 				ERR_print_errors_fp(stderr);
+@@ -52,18 +53,19 @@ namespace ibrcommon
+ 
+ 	RSASHA256Stream::~RSASHA256Stream()
+ 	{
+-		EVP_MD_CTX_cleanup(&_ctx);
++		EVP_MD_CTX_free(_ctx);
+ 	}
+ 
+ 	void RSASHA256Stream::reset()
+ 	{
+-		EVP_MD_CTX_cleanup(&_ctx);
+-
+-		EVP_MD_CTX_init(&_ctx);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++		EVP_MD_CTX_cleanup(_ctx);
++#endif
++		EVP_MD_CTX_init(_ctx);
+ 
+ 		if (!_verify)
+ 		{
+-			if (!EVP_SignInit_ex(&_ctx, EVP_sha256(), NULL))
++			if (!EVP_SignInit_ex(_ctx, EVP_sha256(), NULL))
+ 			{
+ 				IBRCOMMON_LOGGER_TAG("RSASHA256Stream", critical) << "failed to initialize the signature function" << IBRCOMMON_LOGGER_ENDL;
+ 				ERR_print_errors_fp(stderr);
+@@ -71,7 +73,7 @@ namespace ibrcommon
+ 		}
+ 		else
+ 		{
+-			if (!EVP_VerifyInit_ex(&_ctx, EVP_sha256(), NULL))
++			if (!EVP_VerifyInit_ex(_ctx, EVP_sha256(), NULL))
+ 			{
+ 				IBRCOMMON_LOGGER_TAG("RSASHA256Stream", critical) << "failed to initialize the verfication function" << IBRCOMMON_LOGGER_ENDL;
+ 				ERR_print_errors_fp(stderr);
+@@ -91,7 +93,7 @@ namespace ibrcommon
+ 			std::vector<unsigned char> sign(EVP_PKEY_size(_pkey));
+ 			unsigned int size = EVP_PKEY_size(_pkey);
+ 
+-			_return_code = EVP_SignFinal(&_ctx, &sign[0], &size, _pkey);
++			_return_code = EVP_SignFinal(_ctx, &sign[0], &size, _pkey);
+ 
+ 			_sign = std::string((const char*)&sign[0], size);
+ 
+@@ -107,7 +109,7 @@ namespace ibrcommon
+ 		if (!_sign_valid)
+ 		{
+ 			sync();
+-			_return_code = EVP_VerifyFinal(&_ctx, reinterpret_cast<const unsigned char *>(their_sign.c_str()), static_cast<unsigned int>(their_sign.size()), _pkey);
++			_return_code = EVP_VerifyFinal(_ctx, reinterpret_cast<const unsigned char *>(their_sign.c_str()), static_cast<unsigned int>(their_sign.size()), _pkey);
+ 			_sign_valid = true;
+ 		}
+ 		return _return_code;
+@@ -145,7 +147,7 @@ namespace ibrcommon
+ 		if (!_verify)
+ 			// hashing
+ 		{
+-			if (!EVP_SignUpdate(&_ctx, &out_buf_[0], iend - ibegin))
++			if (!EVP_SignUpdate(_ctx, &out_buf_[0], iend - ibegin))
+ 			{
+ 				IBRCOMMON_LOGGER_TAG("RSASHA256Stream", critical) << "failed to feed data into the signature function" << IBRCOMMON_LOGGER_ENDL;
+ 				ERR_print_errors_fp(stderr);
+@@ -153,7 +155,7 @@ namespace ibrcommon
+ 		}
+ 		else
+ 		{
+-			if (!EVP_VerifyUpdate(&_ctx, &out_buf_[0], iend - ibegin))
++			if (!EVP_VerifyUpdate(_ctx, &out_buf_[0], iend - ibegin))
+ 			{
+ 				IBRCOMMON_LOGGER_TAG("RSASHA256Stream", critical) << "failed to feed data into the verification function" << IBRCOMMON_LOGGER_ENDL;
+ 				ERR_print_errors_fp(stderr);
+diff --git a/ibrcommon/ssl/RSASHA256Stream.h b/ibrcommon/ssl/RSASHA256Stream.h
+index 344f8e10..6f3a1168 100644
+--- a/ibrcommon/ssl/RSASHA256Stream.h
++++ b/ibrcommon/ssl/RSASHA256Stream.h
+@@ -106,7 +106,7 @@ namespace ibrcommon
+ 
+ 		/** the context in which the streamed data will be feed into for
+ 		calculation of the hash/signature */
+-		EVP_MD_CTX _ctx;
++		EVP_MD_CTX * _ctx;
+ 
+ 		/** tells if the context needs to be finalized to get a valid signature or
+ 		verification */
+diff --git a/ibrcommon/ssl/iostreamBIO.cpp b/ibrcommon/ssl/iostreamBIO.cpp
+index 18c1b55c..ea6c63eb 100644
+--- a/ibrcommon/ssl/iostreamBIO.cpp
++++ b/ibrcommon/ssl/iostreamBIO.cpp
+@@ -23,6 +23,7 @@
+ 
+ #include "ibrcommon/Logger.h"
+ 
++#include "openssl_compat.h"
+ #include <openssl/err.h>
+ 
+ namespace ibrcommon
+@@ -42,7 +43,20 @@ static int create(BIO *bio);
+ //static int destroy(BIO *bio);
+ //static long (*callback_ctrl)(BIO *, int, bio_info_cb *);
+ 
+-
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++BIO_METHOD * BIO_iostream_method()
++{
++	static BIO_METHOD *iostream_method = NULL;
++	if (iostream_method) {
++		iostream_method = BIO_meth_new(iostreamBIO::type, iostreamBIO::name);
++		BIO_meth_set_write(iostream_method, bwrite);
++		BIO_meth_set_read(iostream_method, bread);
++		BIO_meth_set_ctrl(iostream_method, ctrl);
++		BIO_meth_set_create(iostream_method, create);
++	}
++	return iostream_method;
++}
++#else
+ static BIO_METHOD iostream_method =
+ {
+ 		iostreamBIO::type,
+@@ -56,12 +70,17 @@ static BIO_METHOD iostream_method =
+ 		NULL,//destroy,
+ 		NULL//callback_ctrl
+ };
++BIO_METHOD * BIO_iostream_method()
++{
++	return &iostream_method;
++}
++#endif
+ 
+ iostreamBIO::iostreamBIO(iostream *stream)
+ 	:	_stream(stream)
+ {
+ 	/* create BIO */
+-	_bio = BIO_new(&iostream_method);
++	_bio = BIO_new(BIO_iostream_method());
+ 	if(!_bio){
+ 		/* creation failed, throw exception */
+ 		char err_buf[ERR_BUF_SIZE];
+@@ -72,7 +91,7 @@ iostreamBIO::iostreamBIO(iostream *stream)
+ 	}
+ 
+ 	/* save the iostream in the bio object */
+-	_bio->ptr = stream;
++	BIO_set_data(_bio, (void *) stream);
+ }
+ 
+ BIO * iostreamBIO::getBIO(){
+@@ -81,10 +100,10 @@ BIO * iostreamBIO::getBIO(){
+ 
+ static int create(BIO *bio)
+ {
+-	bio->ptr = NULL;
+-	/* (from openssl memory bio) */
+-	bio->shutdown=1;
+-	bio->init=1;
++	BIO_set_data(bio, NULL);
++	BIO_set_shutdown(bio, 1);
++	BIO_set_init(bio, 1);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	/* from bss_mem.c (openssl):
+ 	 * bio->num is used to hold the value to return on 'empty', if it is
+ 	 * 0, should_retry is not set
+@@ -93,6 +112,7 @@ static int create(BIO *bio)
+ 	 * it is set to 0 since the underlying stream is blocking
+ 	 */
+ 	bio->num= 0;
++#endif
+ 
+ 	return 1;
+ }
+@@ -102,7 +122,7 @@ static int create(BIO *bio)
+ static long ctrl(BIO *bio, int cmd, long  num, void *)
+ {
+ 	long ret;
+-	iostream *stream = reinterpret_cast<iostream*>(bio->ptr);
++	iostream *stream = reinterpret_cast<iostream*>(BIO_get_data(bio));
+ 
+ 	IBRCOMMON_LOGGER_DEBUG_TAG("iostreamBIO", 90) << "ctrl called, cmd: " << cmd << ", num: " << num << "." << IBRCOMMON_LOGGER_ENDL;
+ 
+@@ -147,8 +167,12 @@ static long ctrl(BIO *bio, int cmd, long  num, void *)
+ 
+ static int bread(BIO *bio, char *buf, int len)
+ {
+-	iostream *stream = reinterpret_cast<iostream*>(bio->ptr);
++	iostream *stream = reinterpret_cast<iostream*>(BIO_get_data(bio));
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++	int num_bytes = 0;
++#else
+ 	int num_bytes = bio->num;
++#endif
+ 
+ 	try{
+ 		/* make sure to read at least 1 byte and then read as much as we can */
+@@ -170,7 +194,7 @@ static int bwrite(BIO *bio, const char *buf, int len)
+ 	if(len == 0){
+ 		return 0;
+ 	}
+-	iostream *stream = reinterpret_cast<iostream*>(bio->ptr);
++	iostream *stream = reinterpret_cast<iostream*>(BIO_get_data(bio));
+ 
+ 	/* write the data */
+ 	try{
+diff --git a/ibrcommon/ssl/openssl_compat.h b/ibrcommon/ssl/openssl_compat.h
+new file mode 100644
+index 00000000..e491677f
+--- /dev/null
++++ b/ibrcommon/ssl/openssl_compat.h
+@@ -0,0 +1,38 @@
++#ifndef OPENSSL_COMPAT_H
++#define OPENSSL_COMPAT_H
++
++#include <openssl/crypto.h>
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++
++#include <openssl/evp.h>
++#include <openssl/hmac.h>
++
++static inline EVP_MD_CTX * EVP_MD_CTX_new()
++{
++	EVP_MD_CTX *ctx;
++
++	ctx = (EVP_MD_CTX *) OPENSSL_malloc(sizeof(EVP_MD_CTX));
++	EVP_MD_CTX_init(ctx);
++        return ctx;
++}
++#define EVP_MD_CTX_free(c) if (c != NULL) OPENSSL_free(c)
++
++static inline HMAC_CTX * HMAC_CTX_new()
++{
++        HMAC_CTX *ctx;
++
++        ctx = (HMAC_CTX *) OPENSSL_malloc(sizeof(HMAC_CTX));
++        HMAC_CTX_init(ctx);
++        return ctx;
++}
++#define HMAC_CTX_free(c) if (c != NULL) OPENSSL_free(c)
++
++#define BIO_get_data(b) b->ptr
++#define BIO_set_data(b, v) b->ptr=v
++#define BIO_set_shutdown(b, v) b->shutdown=v
++#define BIO_set_init(b, v) b->init=v
++
++#endif /* OPENSSL_VERSION_NUMBER */
++
++#endif /* OPENSSL_COMPAT_H */
++
+-- 
+2.18.0
+
diff --git a/package/ibrcommon/ibrcommon.hash b/package/ibrcommon/ibrcommon.hash
index 21a0ec6f19..9d13f06d38 100644
--- a/package/ibrcommon/ibrcommon.hash
+++ b/package/ibrcommon/ibrcommon.hash
@@ -1,2 +1,4 @@
 # Locally calculated
 sha256	  9c457c1ebc01e6216524636628c647bef34ab11bd96f0e0788be8749374fdc20	ibrcommon-1.0.1.tar.gz
+sha256	  1a0b57773a46d9d4cc2f0d1780a17acc38af506bb1e0234aaa85f8ccd6dc0b92	COPYING
+sha256	  9b8a430c2136ebcf76bd37f50da7d7a80ede413ec6604cc4694ea536e779854c	README
-- 
2.18.0

[Buildroot] [PATCH/next 3/7] package/ipsec-tools: Fix build with OpenSSL 1.1.x

[Bernd Kuhls]

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
---
 package/ipsec-tools/0006-openssl-1.1.patch | 1104 ++++++++++++++++++++
 1 file changed, 1104 insertions(+)
 create mode 100644 package/ipsec-tools/0006-openssl-1.1.patch

diff --git a/package/ipsec-tools/0006-openssl-1.1.patch b/package/ipsec-tools/0006-openssl-1.1.patch
new file mode 100644
index 0000000000..39a7da988d
--- /dev/null
+++ b/package/ipsec-tools/0006-openssl-1.1.patch
@@ -0,0 +1,1104 @@
+From 071fec7181255b9234add44865a435dfdefee520 Mon Sep 17 00:00:00 2001
+In-Reply-To: <20180528120513.560-1-cote2004-github@yahoo.com>
+References: <20180528120513.560-1-cote2004-github@yahoo.com>
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Wed, 30 May 2018 15:42:20 -0300
+Subject: [PATCH] ipsec-tools: add openssl 1.1 support
+To: equeiroz at troianet.com.br
+
+This patch updates the calls to openssl 1.1 API, and adds a
+compatibility layer so it compiles with (at least) openssl 1.0.2, I
+haven't tested it with lower versions, but all that's needed is to edit
+the openssl_compat.* files and add the missing functions there--they're
+usually trivial.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+Downloaded from
+https://github.com/openwrt/packages/blob/master/net/ipsec-tools/patches/015-openssl-1.1.patch
+
+Patch was sent upstream:
+https://sourceforge.net/p/ipsec-tools/mailman/ipsec-tools-devel/thread/20180528120513.560-1-cote2004-github%40yahoo.com/#msg36327963
+
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+---
+ src/racoon/Makefile.am      |  10 +--
+ src/racoon/algorithm.c      |   6 +-
+ src/racoon/cfparse.y        |   2 +-
+ src/racoon/crypto_openssl.c | 197 +++++++++++++++++++++-------------------
+ src/racoon/crypto_openssl.h |   2 +-
+ src/racoon/eaytest.c        |   7 +-
+ src/racoon/ipsec_doi.c      |   2 +-
+ src/racoon/openssl_compat.c | 213 ++++++++++++++++++++++++++++++++++++++++++++
+ src/racoon/openssl_compat.h |  45 ++++++++++
+ src/racoon/plainrsa-gen.c   |  41 +++++----
+ src/racoon/prsa_par.y       |  28 ++++--
+ src/racoon/rsalist.c        |   5 +-
+ 12 files changed, 431 insertions(+), 127 deletions(-)
+ create mode 100644 src/racoon/openssl_compat.c
+ create mode 100644 src/racoon/openssl_compat.h
+
+diff --git a/src/racoon/Makefile.am b/src/racoon/Makefile.am
+index dbaded9..4c585f3 100644
+--- a/src/racoon/Makefile.am
++++ b/src/racoon/Makefile.am
+@@ -4,7 +4,7 @@ sbin_PROGRAMS = racoon racoonctl plainrsa-gen
+ noinst_PROGRAMS = eaytest
+ include_racoon_HEADERS = racoonctl.h var.h vmbuf.h misc.h gcmalloc.h admin.h \
+ 	schedule.h sockmisc.h isakmp_var.h isakmp.h isakmp_xauth.h \
+-	isakmp_cfg.h isakmp_unity.h ipsec_doi.h evt.h
++	isakmp_cfg.h isakmp_unity.h ipsec_doi.h evt.h openssl_compat.h
+ lib_LTLIBRARIES = libracoon.la
+ 
+ adminsockdir=${localstatedir}/racoon
+@@ -32,7 +32,7 @@ racoon_SOURCES = \
+ 	gssapi.c dnssec.c getcertsbyname.c privsep.c \
+ 	pfkey.c admin.c evt.c ipsec_doi.c oakley.c grabmyaddr.c vendorid.c \
+ 	policy.c localconf.c remoteconf.c crypto_openssl.c algorithm.c \
+-	proposal.c sainfo.c strnames.c \
++	openssl_compat.c proposal.c sainfo.c strnames.c \
+ 	plog.c logger.c schedule.c str2val.c \
+ 	safefile.c backupsa.c genlist.c rsalist.c \
+ 	cftoken.l cfparse.y prsa_tok.l prsa_par.y 
+@@ -51,12 +51,12 @@ libracoon_la_SOURCES = kmpstat.c vmbuf.c sockmisc.c misc.c
+ libracoon_la_CFLAGS = -DNOUSE_PRIVSEP $(AM_CFLAGS)
+ 
+ plainrsa_gen_SOURCES = plainrsa-gen.c plog.c \
+-	crypto_openssl.c logger.c 
++	crypto_openssl.c logger.c openssl_compat.c
+ EXTRA_plainrsa_gen_SOURCES = $(MISSING_ALGOS)
+ plainrsa_gen_LDADD = $(CRYPTOBJS) vmbuf.o misc.o
+ plainrsa_gen_DEPENDENCIES = $(CRYPTOBJS) vmbuf.o misc.o
+ 
+-eaytest_SOURCES = eaytest.c plog.c logger.c
++eaytest_SOURCES = eaytest.c plog.c logger.c openssl_compat.c
+ EXTRA_eaytest_SOURCES = missing/crypto/sha2/sha2.c
+ eaytest_LDADD =	crypto_openssl_test.o vmbuf.o str2val.o misc_noplog.o \
+ 	$(CRYPTOBJS)
+@@ -75,7 +75,7 @@ noinst_HEADERS = \
+ 	debugrm.h         isakmp.h      misc.h          sainfo.h \
+ 	dhgroup.h         isakmp_agg.h  netdb_dnssec.h  schedule.h \
+ 	isakmp_cfg.h      isakmp_xauth.h isakmp_unity.h isakmp_frag.h \
+-	throttle.h	  privsep.h \
++	throttle.h	  privsep.h     openssl_compat.h \
+ 	cfparse_proto.h	  cftoken_proto.h genlist.h     rsalist.h \
+ 	missing/crypto/sha2/sha2.h missing/crypto/rijndael/rijndael_local.h \
+ 	missing/crypto/rijndael/rijndael-api-fst.h \
+diff --git a/src/racoon/algorithm.c b/src/racoon/algorithm.c
+index 3fd50f6..66c874b 100644
+--- a/src/racoon/algorithm.c
++++ b/src/racoon/algorithm.c
+@@ -128,7 +128,7 @@ static struct enc_algorithm oakley_encdef[] = {
+ { "aes",	algtype_aes,	OAKLEY_ATTR_ENC_ALG_AES,	16,
+ 		eay_aes_encrypt,	eay_aes_decrypt,
+ 		eay_aes_weakkey,	eay_aes_keylen, },
+-#ifdef HAVE_OPENSSL_CAMELLIA_H
++#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA)
+ { "camellia",	algtype_camellia,	OAKLEY_ATTR_ENC_ALG_CAMELLIA,	16,
+ 		eay_camellia_encrypt,	eay_camellia_decrypt,
+ 		eay_camellia_weakkey,	eay_camellia_keylen, },
+@@ -168,7 +168,7 @@ static struct enc_algorithm ipsec_encdef[] = {
+ { "twofish",	algtype_twofish,	IPSECDOI_ESP_TWOFISH,		16,
+ 		NULL,			NULL,
+ 		NULL,			eay_twofish_keylen, },
+-#ifdef HAVE_OPENSSL_IDEA_H
++#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA)
+ { "3idea",	algtype_3idea,		IPSECDOI_ESP_3IDEA,		8,
+ 		NULL,			NULL,
+ 		NULL,			NULL, },
+@@ -179,7 +179,7 @@ static struct enc_algorithm ipsec_encdef[] = {
+ { "rc4",	algtype_rc4,		IPSECDOI_ESP_RC4,		8,
+ 		NULL,			NULL,
+ 		NULL,			NULL, },
+-#ifdef HAVE_OPENSSL_CAMELLIA_H
++#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA)
+ { "camellia",	algtype_camellia,	IPSECDOI_ESP_CAMELLIA,		16,
+ 		NULL,			NULL,
+ 		NULL,			eay_camellia_keylen, },
+diff --git a/src/racoon/cfparse.y b/src/racoon/cfparse.y
+index 0d9bd67..8415752 100644
+--- a/src/racoon/cfparse.y
++++ b/src/racoon/cfparse.y
+@@ -2564,7 +2564,7 @@ set_isakmp_proposal(rmconf)
+ 		plog(LLV_DEBUG2, LOCATION, NULL,
+ 			"encklen=%d\n", s->encklen);
+ 
+-		memset(types, 0, ARRAYLEN(types));
++		memset(types, 0, sizeof types);
+ 		types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc];
+ 		types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash];
+ 		types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh];
+diff --git a/src/racoon/crypto_openssl.c b/src/racoon/crypto_openssl.c
+index 55b076a..8fb358f 100644
+--- a/src/racoon/crypto_openssl.c
++++ b/src/racoon/crypto_openssl.c
+@@ -90,6 +90,7 @@
+ #endif
+ #endif
+ #include "plog.h"
++#include "openssl_compat.h"
+ 
+ #define USE_NEW_DES_API
+ 
+@@ -316,9 +317,12 @@ eay_cmp_asn1dn(n1, n2)
+ 			i = idx+1;
+ 			goto end;
+ 		}
+-		if ((ea->value->length == 1 && ea->value->data[0] == '*') ||
+-		    (eb->value->length == 1 && eb->value->data[0] == '*')) {
+-	    		if (OBJ_cmp(ea->object,eb->object)) {
++		ASN1_STRING *sa = X509_NAME_ENTRY_get_data(ea);
++		ASN1_STRING *sb = X509_NAME_ENTRY_get_data(eb);
++		if ((ASN1_STRING_length(sa) == 1 && ASN1_STRING_get0_data(sa)[0] == '*') ||
++		    (ASN1_STRING_length(sb) == 1 && ASN1_STRING_get0_data(sb)[0] == '*')) {
++	    		if (OBJ_cmp(X509_NAME_ENTRY_get_object(ea),
++				    X509_NAME_ENTRY_get_object(eb))) {
+ 				i = idx+1;
+ 				goto end;
+ 	    		}
+@@ -430,7 +434,7 @@ cb_check_cert_local(ok, ctx)
+ 
+ 	if (!ok) {
+ 		X509_NAME_oneline(
+-				X509_get_subject_name(ctx->current_cert),
++				X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)),
+ 				buf,
+ 				256);
+ 		/*
+@@ -438,7 +442,8 @@ cb_check_cert_local(ok, ctx)
+ 		 * ok if they are self signed. But we should still warn
+ 		 * the user.
+  		 */
+-		switch (ctx->error) {
++		int ctx_error = X509_STORE_CTX_get_error(ctx);
++		switch (ctx_error) {
+ 		case X509_V_ERR_CERT_HAS_EXPIRED:
+ 		case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+ 		case X509_V_ERR_INVALID_CA:
+@@ -453,9 +458,9 @@ cb_check_cert_local(ok, ctx)
+ 		}
+ 		plog(log_tag, LOCATION, NULL,
+ 			"%s(%d) at depth:%d SubjectName:%s\n",
+-			X509_verify_cert_error_string(ctx->error),
+-			ctx->error,
+-			ctx->error_depth,
++			X509_verify_cert_error_string(ctx_error),
++			ctx_error,
++			X509_STORE_CTX_get_error_depth(ctx),
+ 			buf);
+ 	}
+ 	ERR_clear_error();
+@@ -477,10 +482,11 @@ cb_check_cert_remote(ok, ctx)
+ 
+ 	if (!ok) {
+ 		X509_NAME_oneline(
+-				X509_get_subject_name(ctx->current_cert),
++				X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)),
+ 				buf,
+ 				256);
+-		switch (ctx->error) {
++		int ctx_error=X509_STORE_CTX_get_error(ctx);
++		switch (ctx_error) {
+ 		case X509_V_ERR_UNABLE_TO_GET_CRL:
+ 			ok = 1;
+ 			log_tag = LLV_WARNING;
+@@ -490,9 +496,9 @@ cb_check_cert_remote(ok, ctx)
+ 		}
+ 		plog(log_tag, LOCATION, NULL,
+ 			"%s(%d) at depth:%d SubjectName:%s\n",
+-			X509_verify_cert_error_string(ctx->error),
+-			ctx->error,
+-			ctx->error_depth,
++			X509_verify_cert_error_string(ctx_error),
++			ctx_error,
++			X509_STORE_CTX_get_error_depth(ctx),
+ 			buf);
+ 	}
+ 	ERR_clear_error();
+@@ -516,14 +522,15 @@ eay_get_x509asn1subjectname(cert)
+ 	if (x509 == NULL)
+ 		goto error;
+ 
++	X509_NAME *subject_name = X509_get_subject_name(x509);
+ 	/* get the length of the name */
+-	len = i2d_X509_NAME(x509->cert_info->subject, NULL);
++	len = i2d_X509_NAME(subject_name, NULL);
+ 	name = vmalloc(len);
+ 	if (!name)
+ 		goto error;
+ 	/* get the name */
+ 	bp = (unsigned char *) name->v;
+-	len = i2d_X509_NAME(x509->cert_info->subject, &bp);
++	len = i2d_X509_NAME(subject_name, &bp);
+ 
+ 	X509_free(x509);
+ 
+@@ -661,15 +668,16 @@ eay_get_x509asn1issuername(cert)
+ 	if (x509 == NULL)
+ 		goto error;
+ 
++	X509_NAME *issuer_name = X509_get_issuer_name(x509);
+ 	/* get the length of the name */
+-	len = i2d_X509_NAME(x509->cert_info->issuer, NULL);
++	len = i2d_X509_NAME(issuer_name, NULL);
+ 	name = vmalloc(len);
+ 	if (name == NULL)
+ 		goto error;
+ 
+ 	/* get the name */
+ 	bp = (unsigned char *) name->v;
+-	len = i2d_X509_NAME(x509->cert_info->issuer, &bp);
++	len = i2d_X509_NAME(issuer_name, &bp);
+ 
+ 	X509_free(x509);
+ 
+@@ -850,7 +858,7 @@ eay_check_x509sign(source, sig, cert)
+ 		return -1;
+ 	}
+ 
+-	res = eay_rsa_verify(source, sig, evp->pkey.rsa);
++	res = eay_rsa_verify(source, sig, EVP_PKEY_get0_RSA(evp));
+ 
+ 	EVP_PKEY_free(evp);
+ 	X509_free(x509);
+@@ -992,7 +1000,7 @@ eay_get_x509sign(src, privkey)
+ 	if (evp == NULL)
+ 		return NULL;
+ 
+-	sig = eay_rsa_sign(src, evp->pkey.rsa);
++	sig = eay_rsa_sign(src, EVP_PKEY_get0_RSA(evp));
+ 
+ 	EVP_PKEY_free(evp);
+ 
+@@ -1079,7 +1087,11 @@ eay_strerror()
+ 	int line, flags;
+ 	unsigned long es;
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++	es = 0; /* even when allowed by OPENSSL_API_COMPAT, it is defined as 0 */
++#else
+ 	es = CRYPTO_thread_id();
++#endif
+ 
+ 	while ((l = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0){
+ 		n = snprintf(ebuf + len, sizeof(ebuf) - len,
+@@ -1100,7 +1112,7 @@ vchar_t *
+ evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc)
+ {
+ 	vchar_t *res;
+-	EVP_CIPHER_CTX ctx;
++	EVP_CIPHER_CTX *ctx;
+ 
+ 	if (!e)
+ 		return NULL;
+@@ -1111,7 +1123,7 @@ evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc
+ 	if ((res = vmalloc(data->l)) == NULL)
+ 		return NULL;
+ 
+-	EVP_CIPHER_CTX_init(&ctx);
++	ctx = EVP_CIPHER_CTX_new();
+ 
+ 	switch(EVP_CIPHER_nid(e)){
+ 	case NID_bf_cbc:
+@@ -1125,54 +1137,41 @@ evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc
+ 		/* XXX: can we do that also for algos with a fixed key size ?
+ 		 */
+ 		/* init context without key/iv
+-         */
+-        if (!EVP_CipherInit(&ctx, e, NULL, NULL, enc))
+-        {
+-            OpenSSL_BUG();
+-            vfree(res);
+-            return NULL;
+-        }
++                 */
++		if (!EVP_CipherInit(ctx, e, NULL, NULL, enc))
++			goto out;
+ 		
+-        /* update key size
+-         */
+-        if (!EVP_CIPHER_CTX_set_key_length(&ctx, key->l))
+-        {
+-            OpenSSL_BUG();
+-            vfree(res);
+-            return NULL;
+-        }
+-
+-        /* finalize context init with desired key size
+-         */
+-        if (!EVP_CipherInit(&ctx, NULL, (u_char *) key->v,
++		/* update key size
++		 */
++		if (!EVP_CIPHER_CTX_set_key_length(ctx, key->l))
++			goto out;
++
++		/* finalize context init with desired key size
++		 */
++		if (!EVP_CipherInit(ctx, NULL, (u_char *) key->v,
+ 							(u_char *) iv->v, enc))
+-        {
+-            OpenSSL_BUG();
+-            vfree(res);
+-            return NULL;
+-		}
++			goto out;
+ 		break;
+ 	default:
+-		if (!EVP_CipherInit(&ctx, e, (u_char *) key->v, 
+-							(u_char *) iv->v, enc)) {
+-			OpenSSL_BUG();
+-			vfree(res);
+-			return NULL;
+-		}
++		if (!EVP_CipherInit(ctx, e, (u_char *) key->v,
++							(u_char *) iv->v, enc))
++            		goto out;
+ 	}
+ 
+ 	/* disable openssl padding */
+-	EVP_CIPHER_CTX_set_padding(&ctx, 0); 
++	EVP_CIPHER_CTX_set_padding(ctx, 0);
+ 	
+-	if (!EVP_Cipher(&ctx, (u_char *) res->v, (u_char *) data->v, data->l)) {
+-		OpenSSL_BUG();
+-		vfree(res);
+-		return NULL;
+-	}
++	if (!EVP_Cipher(ctx, (u_char *) res->v, (u_char *) data->v, data->l))
++		goto out;
+ 
+-	EVP_CIPHER_CTX_cleanup(&ctx);
++	EVP_CIPHER_CTX_free(ctx);
+ 
+ 	return res;
++out:
++	EVP_CIPHER_CTX_free(ctx);
++	OpenSSL_BUG();
++	vfree(res);
++	return NULL;
+ }
+ 
+ int
+@@ -1230,7 +1229,7 @@ eay_des_keylen(len)
+ 	return evp_keylen(len, EVP_des_cbc());
+ }
+ 
+-#ifdef HAVE_OPENSSL_IDEA_H
++#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA)
+ /*
+  * IDEA-CBC
+  */
+@@ -1587,7 +1586,7 @@ eay_aes_keylen(len)
+ 	return len;
+ }
+ 
+-#if defined(HAVE_OPENSSL_CAMELLIA_H)
++#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA)
+ /*
+  * CAMELLIA-CBC
+  */
+@@ -1680,9 +1679,9 @@ eay_hmac_init(key, md)
+ 	vchar_t *key;
+ 	const EVP_MD *md;
+ {
+-	HMAC_CTX *c = racoon_malloc(sizeof(*c));
++	HMAC_CTX *c = HMAC_CTX_new();
+ 
+-	HMAC_Init(c, key->v, key->l, md);
++	HMAC_Init_ex(c, key->v, key->l, md, NULL);
+ 
+ 	return (caddr_t)c;
+ }
+@@ -1761,8 +1760,7 @@ eay_hmacsha2_512_final(c)
+ 
+ 	HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
+ 	res->l = l;
+-	HMAC_cleanup((HMAC_CTX *)c);
+-	(void)racoon_free(c);
++	HMAC_CTX_free((HMAC_CTX *)c);
+ 
+ 	if (SHA512_DIGEST_LENGTH != res->l) {
+ 		plog(LLV_ERROR, LOCATION, NULL,
+@@ -1811,8 +1809,7 @@ eay_hmacsha2_384_final(c)
+ 
+ 	HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
+ 	res->l = l;
+-	HMAC_cleanup((HMAC_CTX *)c);
+-	(void)racoon_free(c);
++	HMAC_CTX_free((HMAC_CTX *)c);
+ 
+ 	if (SHA384_DIGEST_LENGTH != res->l) {
+ 		plog(LLV_ERROR, LOCATION, NULL,
+@@ -1861,8 +1858,7 @@ eay_hmacsha2_256_final(c)
+ 
+ 	HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
+ 	res->l = l;
+-	HMAC_cleanup((HMAC_CTX *)c);
+-	(void)racoon_free(c);
++	HMAC_CTX_free((HMAC_CTX *)c);
+ 
+ 	if (SHA256_DIGEST_LENGTH != res->l) {
+ 		plog(LLV_ERROR, LOCATION, NULL,
+@@ -1912,8 +1908,7 @@ eay_hmacsha1_final(c)
+ 
+ 	HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
+ 	res->l = l;
+-	HMAC_cleanup((HMAC_CTX *)c);
+-	(void)racoon_free(c);
++	HMAC_CTX_free((HMAC_CTX *)c);
+ 
+ 	if (SHA_DIGEST_LENGTH != res->l) {
+ 		plog(LLV_ERROR, LOCATION, NULL,
+@@ -1962,8 +1957,7 @@ eay_hmacmd5_final(c)
+ 
+ 	HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
+ 	res->l = l;
+-	HMAC_cleanup((HMAC_CTX *)c);
+-	(void)racoon_free(c);
++	HMAC_CTX_free((HMAC_CTX *)c);
+ 
+ 	if (MD5_DIGEST_LENGTH != res->l) {
+ 		plog(LLV_ERROR, LOCATION, NULL,
+@@ -2266,6 +2260,7 @@ eay_dh_generate(prime, g, publen, pub, priv)
+ 	u_int32_t g;
+ {
+ 	BIGNUM *p = NULL;
++	BIGNUM *BNg = NULL;
+ 	DH *dh = NULL;
+ 	int error = -1;
+ 
+@@ -2276,25 +2271,28 @@ eay_dh_generate(prime, g, publen, pub, priv)
+ 
+ 	if ((dh = DH_new()) == NULL)
+ 		goto end;
+-	dh->p = p;
+-	p = NULL;	/* p is now part of dh structure */
+-	dh->g = NULL;
+-	if ((dh->g = BN_new()) == NULL)
++	if ((BNg = BN_new()) == NULL)
+ 		goto end;
+-	if (!BN_set_word(dh->g, g))
++	if (!BN_set_word(BNg, g))
+ 		goto end;
++	if (! DH_set0_pqg(dh, p, NULL, BNg))
++		goto end;
++	BNg = NULL;
++	p = NULL;	/* p is now part of dh structure */
+ 
+ 	if (publen != 0)
+-		dh->length = publen;
++		DH_set_length(dh, publen);
+ 
+ 	/* generate public and private number */
+ 	if (!DH_generate_key(dh))
+ 		goto end;
+ 
+ 	/* copy results to buffers */
+-	if (eay_bn2v(pub, dh->pub_key) < 0)
++	BIGNUM *pub_key, *priv_key;
++	DH_get0_key(dh, (const BIGNUM**) &pub_key, (const BIGNUM**) &priv_key);
++	if (eay_bn2v(pub, pub_key) < 0)
+ 		goto end;
+-	if (eay_bn2v(priv, dh->priv_key) < 0) {
++	if (eay_bn2v(priv, priv_key) < 0) {
+ 		vfree(*pub);
+ 		goto end;
+ 	}
+@@ -2306,6 +2304,8 @@ end:
+ 		DH_free(dh);
+ 	if (p != 0)
+ 		BN_free(p);
++	if (BNg != 0)
++		BN_free(BNg);
+ 	return(error);
+ }
+ 
+@@ -2319,6 +2319,10 @@ eay_dh_compute(prime, g, pub, priv, pub2, key)
+ 	int l;
+ 	unsigned char *v = NULL;
+ 	int error = -1;
++	BIGNUM *p = BN_new();
++	BIGNUM *BNg = BN_new();
++	BIGNUM *pub_key = BN_new();
++	BIGNUM *priv_key = BN_new();
+ 
+ 	/* make public number to compute */
+ 	if (eay_v2bn(&dh_pub, pub2) < 0)
+@@ -2327,19 +2331,21 @@ eay_dh_compute(prime, g, pub, priv, pub2, key)
+ 	/* make DH structure */
+ 	if ((dh = DH_new()) == NULL)
+ 		goto end;
+-	if (eay_v2bn(&dh->p, prime) < 0)
++	if (p == NULL || BNg == NULL || pub_key == NULL || priv_key == NULL)
+ 		goto end;
+-	if (eay_v2bn(&dh->pub_key, pub) < 0)
++
++	if (eay_v2bn(&p, prime) < 0)
+ 		goto end;
+-	if (eay_v2bn(&dh->priv_key, priv) < 0)
++	if (eay_v2bn(&pub_key, pub) < 0)
+ 		goto end;
+-	dh->length = pub2->l * 8;
+-
+-	dh->g = NULL;
+-	if ((dh->g = BN_new()) == NULL)
++	if (eay_v2bn(&priv_key, priv) < 0)
+ 		goto end;
+-	if (!BN_set_word(dh->g, g))
++	if (!BN_set_word(BNg, g))
+ 		goto end;
++	DH_set0_key(dh, pub_key, priv_key);
++	DH_set_length(dh, pub2->l * 8);
++	DH_set0_pqg(dh, p, NULL, BNg);
++	pub_key = priv_key = p = BNg = NULL;
+ 
+ 	if ((v = racoon_calloc(prime->l, sizeof(u_char))) == NULL)
+ 		goto end;
+@@ -2350,6 +2356,14 @@ eay_dh_compute(prime, g, pub, priv, pub2, key)
+ 	error = 0;
+ 
+ end:
++	if (p != NULL)
++		BN_free(p);
++	if (BNg != NULL)
++		BN_free(BNg);
++	if (pub_key != NULL)
++		BN_free(pub_key);
++	if (priv_key != NULL)
++		BN_free(priv_key);
+ 	if (dh_pub != NULL)
+ 		BN_free(dh_pub);
+ 	if (dh != NULL)
+@@ -2400,12 +2414,14 @@ eay_bn2v(var, bn)
+ void
+ eay_init()
+ {
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	OpenSSL_add_all_algorithms();
+ 	ERR_load_crypto_strings();
+ #ifdef HAVE_OPENSSL_ENGINE_H
+ 	ENGINE_load_builtin_engines();
+ 	ENGINE_register_all_complete();
+ #endif
++#endif
+ }
+ 
+ vchar_t *
+@@ -2504,8 +2520,7 @@ binbuf_pubkey2rsa(vchar_t *binbuf)
+ 		goto out;
+ 	}
+ 	
+-	rsa_pub->n = mod;
+-	rsa_pub->e = exp;
++	RSA_set0_key(rsa_pub, mod, exp, NULL);
+ 
+ out:
+ 	return rsa_pub;
+@@ -2582,5 +2597,5 @@ eay_random()
+ const char *
+ eay_version()
+ {
+-	return SSLeay_version(SSLEAY_VERSION);
++	return OpenSSL_version(OPENSSL_VERSION);
+ }
+diff --git a/src/racoon/crypto_openssl.h b/src/racoon/crypto_openssl.h
+index 66fac73..ee5b765 100644
+--- a/src/racoon/crypto_openssl.h
++++ b/src/racoon/crypto_openssl.h
+@@ -124,7 +124,7 @@ extern vchar_t *eay_aes_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
+ extern int eay_aes_weakkey __P((vchar_t *));
+ extern int eay_aes_keylen __P((int));
+ 
+-#if defined(HAVE_OPENSSL_CAMELLIA_H)
++#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA)
+ /* Camellia */
+ extern vchar_t *eay_camellia_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
+ extern vchar_t *eay_camellia_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
+diff --git a/src/racoon/eaytest.c b/src/racoon/eaytest.c
+index 1474bdc..ae09db3 100644
+--- a/src/racoon/eaytest.c
++++ b/src/racoon/eaytest.c
+@@ -62,6 +62,7 @@
+ #include "dhgroup.h"
+ #include "crypto_openssl.h"
+ #include "gnuc.h"
++#include "openssl_compat.h"
+ 
+ #include "package_version.h"
+ 
+@@ -103,7 +104,7 @@ rsa_verify_with_pubkey(src, sig, pubkey_txt)
+ 		printf ("PEM_read_PUBKEY(): %s\n", eay_strerror());
+ 		return -1;
+ 	}
+-	error = eay_check_rsasign(src, sig, evp->pkey.rsa);
++	error = eay_check_rsasign(src, sig, EVP_PKEY_get0_RSA(evp));
+ 
+ 	return error;
+ }
+@@ -698,7 +699,7 @@ ciphertest(ac, av)
+ 			  eay_cast_encrypt, eay_cast_decrypt) < 0)
+ 	  return -1;
+ 	
+-#ifdef HAVE_OPENSSL_IDEA_H
++#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA)
+ 	if (ciphertest_1 ("IDEA",
+ 			  &data, 8,
+ 			  &key, key.l,
+@@ -715,7 +716,7 @@ ciphertest(ac, av)
+ 			  eay_rc5_encrypt, eay_rc5_decrypt) < 0)
+ 	  return -1;
+ #endif
+-#if defined(HAVE_OPENSSL_CAMELLIA_H)
++#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA)
+ 	if (ciphertest_1 ("CAMELLIA",
+ 			  &data, 16,
+ 			  &key, key.l,
+diff --git a/src/racoon/ipsec_doi.c b/src/racoon/ipsec_doi.c
+index 84a4c71..b52469f 100644
+--- a/src/racoon/ipsec_doi.c
++++ b/src/racoon/ipsec_doi.c
+@@ -715,7 +715,7 @@ out:
+ 	/* key length must not be specified on some algorithms */
+ 	if (keylen) {
+ 		if (sa->enctype == OAKLEY_ATTR_ENC_ALG_DES
+-#ifdef HAVE_OPENSSL_IDEA_H
++#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA)
+ 		 || sa->enctype == OAKLEY_ATTR_ENC_ALG_IDEA
+ #endif
+ 		 || sa->enctype == OAKLEY_ATTR_ENC_ALG_3DES) {
+diff --git a/src/racoon/openssl_compat.c b/src/racoon/openssl_compat.c
+new file mode 100644
+index 0000000..864b5fb
+--- /dev/null
++++ b/src/racoon/openssl_compat.c
+@@ -0,0 +1,213 @@
++/*
++ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
++ *
++ * Licensed under the OpenSSL license (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#include "openssl_compat.h"
++
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++
++#include <string.h>
++
++static void *OPENSSL_zalloc(size_t num)
++{
++    void *ret = OPENSSL_malloc(num);
++
++    if (ret != NULL)
++        memset(ret, 0, num);
++    return ret;
++}
++
++int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
++{
++    /* If the fields n and e in r are NULL, the corresponding input
++     * parameters MUST be non-NULL for n and e.  d may be
++     * left NULL (in case only the public key is used).
++     */
++    if ((r->n == NULL && n == NULL)
++        || (r->e == NULL && e == NULL))
++        return 0;
++
++    if (n != NULL) {
++        BN_free(r->n);
++        r->n = n;
++    }
++    if (e != NULL) {
++        BN_free(r->e);
++        r->e = e;
++    }
++    if (d != NULL) {
++        BN_free(r->d);
++        r->d = d;
++    }
++
++    return 1;
++}
++
++int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
++{
++    /* If the fields p and q in r are NULL, the corresponding input
++     * parameters MUST be non-NULL.
++     */
++    if ((r->p == NULL && p == NULL)
++        || (r->q == NULL && q == NULL))
++        return 0;
++
++    if (p != NULL) {
++        BN_free(r->p);
++        r->p = p;
++    }
++    if (q != NULL) {
++        BN_free(r->q);
++        r->q = q;
++    }
++
++    return 1;
++}
++
++int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
++{
++    /* If the fields dmp1, dmq1 and iqmp in r are NULL, the corresponding input
++     * parameters MUST be non-NULL.
++     */
++    if ((r->dmp1 == NULL && dmp1 == NULL)
++        || (r->dmq1 == NULL && dmq1 == NULL)
++        || (r->iqmp == NULL && iqmp == NULL))
++        return 0;
++
++    if (dmp1 != NULL) {
++        BN_free(r->dmp1);
++        r->dmp1 = dmp1;
++    }
++    if (dmq1 != NULL) {
++        BN_free(r->dmq1);
++        r->dmq1 = dmq1;
++    }
++    if (iqmp != NULL) {
++        BN_free(r->iqmp);
++        r->iqmp = iqmp;
++    }
++
++    return 1;
++}
++
++void RSA_get0_key(const RSA *r,
++                  const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
++{
++    if (n != NULL)
++        *n = r->n;
++    if (e != NULL)
++        *e = r->e;
++    if (d != NULL)
++        *d = r->d;
++}
++
++void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q)
++{
++    if (p != NULL)
++        *p = r->p;
++    if (q != NULL)
++        *q = r->q;
++}
++
++void RSA_get0_crt_params(const RSA *r,
++                         const BIGNUM **dmp1, const BIGNUM **dmq1,
++                         const BIGNUM **iqmp)
++{
++    if (dmp1 != NULL)
++        *dmp1 = r->dmp1;
++    if (dmq1 != NULL)
++        *dmq1 = r->dmq1;
++    if (iqmp != NULL)
++        *iqmp = r->iqmp;
++}
++
++int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
++{
++    /* If the fields p and g in d are NULL, the corresponding input
++     * parameters MUST be non-NULL.  q may remain NULL.
++     */
++    if ((dh->p == NULL && p == NULL)
++        || (dh->g == NULL && g == NULL))
++        return 0;
++
++    if (p != NULL) {
++        BN_free(dh->p);
++        dh->p = p;
++    }
++    if (q != NULL) {
++        BN_free(dh->q);
++        dh->q = q;
++    }
++    if (g != NULL) {
++        BN_free(dh->g);
++        dh->g = g;
++    }
++
++    if (q != NULL) {
++        dh->length = BN_num_bits(q);
++    }
++
++    return 1;
++}
++
++void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key)
++{
++    if (pub_key != NULL)
++        *pub_key = dh->pub_key;
++    if (priv_key != NULL)
++        *priv_key = dh->priv_key;
++}
++
++int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)
++{
++    /* If the field pub_key in dh is NULL, the corresponding input
++     * parameters MUST be non-NULL.  The priv_key field may
++     * be left NULL.
++     */
++    if (dh->pub_key == NULL && pub_key == NULL)
++        return 0;
++
++    if (pub_key != NULL) {
++        BN_free(dh->pub_key);
++        dh->pub_key = pub_key;
++    }
++    if (priv_key != NULL) {
++        BN_free(dh->priv_key);
++        dh->priv_key = priv_key;
++    }
++
++    return 1;
++}
++
++int DH_set_length(DH *dh, long length)
++{
++    dh->length = length;
++    return 1;
++}
++
++HMAC_CTX *HMAC_CTX_new(void)
++{
++    return OPENSSL_zalloc(sizeof(HMAC_CTX));
++}
++
++void HMAC_CTX_free(HMAC_CTX *ctx)
++{
++    HMAC_CTX_cleanup(ctx);
++    OPENSSL_free(ctx);
++}
++
++RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
++{
++    if (pkey->type != EVP_PKEY_RSA) {
++        return NULL;
++    }
++    return pkey->pkey.rsa;
++}
++
++
++#endif /* OPENSSL_VERSION_NUMBER */
+diff --git a/src/racoon/openssl_compat.h b/src/racoon/openssl_compat.h
+new file mode 100644
+index 0000000..9e152c2
+--- /dev/null
++++ b/src/racoon/openssl_compat.h
+@@ -0,0 +1,45 @@
++#ifndef OPENSSL_COMPAT_H
++#define OPENSSL_COMPAT_H
++
++#include <openssl/opensslv.h>
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++
++#include <openssl/rsa.h>
++#include <openssl/dh.h>
++#include <openssl/evp.h>
++#include <openssl/hmac.h>
++
++int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
++int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q);
++int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp);
++void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d);
++void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q);
++void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, const BIGNUM **iqmp);
++
++int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
++void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key);
++int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key);
++int DH_set_length(DH *dh, long length);
++
++HMAC_CTX *HMAC_CTX_new(void);
++void HMAC_CTX_free(HMAC_CTX* ctx);
++
++RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey);
++
++#define ASN1_STRING_length(s) s->length
++#define ASN1_STRING_get0_data(s) s->data
++
++#define X509_get_subject_name(x) x->cert_info->subject
++#define X509_get_issuer_name(x) x->cert_info->issuer
++#define X509_NAME_ENTRY_get_data(n) n->value
++#define X509_NAME_ENTRY_get_object(n) n->object
++#define X509_STORE_CTX_get_current_cert(ctx) ctx->current_cert
++#define X509_STORE_CTX_get_error(ctx) ctx->error
++#define X509_STORE_CTX_get_error_depth(ctx) ctx->error_depth
++
++#define OPENSSL_VERSION SSLEAY_VERSION
++#define OpenSSL_version SSLeay_version
++
++#endif /* OPENSSL_VERSION_NUMBER */
++
++#endif /* OPENSSL_COMPAT_H */
+diff --git a/src/racoon/plainrsa-gen.c b/src/racoon/plainrsa-gen.c
+index cad1861..b949b08 100644
+--- a/src/racoon/plainrsa-gen.c
++++ b/src/racoon/plainrsa-gen.c
+@@ -60,6 +60,7 @@
+ #include "vmbuf.h"
+ #include "plog.h"
+ #include "crypto_openssl.h"
++#include "openssl_compat.h"
+ 
+ #include "package_version.h"
+ 
+@@ -90,12 +91,14 @@ mix_b64_pubkey(const RSA *key)
+ 	char *binbuf;
+ 	long binlen, ret;
+ 	vchar_t *res;
+-	
+-	binlen = 1 + BN_num_bytes(key->e) + BN_num_bytes(key->n);
++	const BIGNUM *e, *n;
++
++	RSA_get0_key(key, &n, &e, NULL);
++	binlen = 1 + BN_num_bytes(e) + BN_num_bytes(n);
+ 	binbuf = malloc(binlen);
+ 	memset(binbuf, 0, binlen);
+-	binbuf[0] = BN_bn2bin(key->e, (unsigned char *) &binbuf[1]);
+-	ret = BN_bn2bin(key->n, (unsigned char *) (&binbuf[binbuf[0] + 1]));
++	binbuf[0] = BN_bn2bin(e, (unsigned char *) &binbuf[1]);
++	ret = BN_bn2bin(n, (unsigned char *) (&binbuf[binbuf[0] + 1]));
+ 	if (1 + binbuf[0] + ret != binlen) {
+ 		plog(LLV_ERROR, LOCATION, NULL,
+ 		     "Pubkey generation failed. This is really strange...\n");
+@@ -131,16 +134,20 @@ print_rsa_key(FILE *fp, const RSA *key)
+ 	
+ 	fprintf(fp, "# : PUB 0s%s\n", pubkey64->v);
+ 	fprintf(fp, ": RSA\t{\n");
+-	fprintf(fp, "\t# RSA %d bits\n", BN_num_bits(key->n));
++	const BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp;
++	RSA_get0_key(key, &n, &e, &d);
++	RSA_get0_factors(key, &p, &q);
++	RSA_get0_crt_params(key, &dmp1, &dmq1, &iqmp);
++	fprintf(fp, "\t# RSA %d bits\n", BN_num_bits(n));
+ 	fprintf(fp, "\t# pubkey=0s%s\n", pubkey64->v);
+-	fprintf(fp, "\tModulus: 0x%s\n", lowercase(BN_bn2hex(key->n)));
+-	fprintf(fp, "\tPublicExponent: 0x%s\n", lowercase(BN_bn2hex(key->e)));
+-	fprintf(fp, "\tPrivateExponent: 0x%s\n", lowercase(BN_bn2hex(key->d)));
+-	fprintf(fp, "\tPrime1: 0x%s\n", lowercase(BN_bn2hex(key->p)));
+-	fprintf(fp, "\tPrime2: 0x%s\n", lowercase(BN_bn2hex(key->q)));
+-	fprintf(fp, "\tExponent1: 0x%s\n", lowercase(BN_bn2hex(key->dmp1)));
+-	fprintf(fp, "\tExponent2: 0x%s\n", lowercase(BN_bn2hex(key->dmq1)));
+-	fprintf(fp, "\tCoefficient: 0x%s\n", lowercase(BN_bn2hex(key->iqmp)));
++	fprintf(fp, "\tModulus: 0x%s\n", lowercase(BN_bn2hex(n)));
++	fprintf(fp, "\tPublicExponent: 0x%s\n", lowercase(BN_bn2hex(e)));
++	fprintf(fp, "\tPrivateExponent: 0x%s\n", lowercase(BN_bn2hex(d)));
++	fprintf(fp, "\tPrime1: 0x%s\n", lowercase(BN_bn2hex(p)));
++	fprintf(fp, "\tPrime2: 0x%s\n", lowercase(BN_bn2hex(q)));
++	fprintf(fp, "\tExponent1: 0x%s\n", lowercase(BN_bn2hex(dmp1)));
++	fprintf(fp, "\tExponent2: 0x%s\n", lowercase(BN_bn2hex(dmq1)));
++	fprintf(fp, "\tCoefficient: 0x%s\n", lowercase(BN_bn2hex(iqmp)));
+ 	fprintf(fp, "  }\n");
+ 
+ 	vfree(pubkey64);
+@@ -203,11 +210,13 @@ int
+ gen_rsa_key(FILE *fp, size_t bits, unsigned long exp)
+ {
+ 	int ret;
+-	RSA *key;
++	RSA *key = RSA_new();
++	BIGNUM *e = BN_new();
+ 
+-	key = RSA_generate_key(bits, exp, NULL, NULL);
+-	if (!key) {
++	BN_set_word(e, exp);
++	if (! RSA_generate_key_ex(key, bits, e, NULL)) {
+ 		fprintf(stderr, "RSA_generate_key(): %s\n", eay_strerror());
++		RSA_free(key);
+ 		return -1;
+ 	}
+ 	
+diff --git a/src/racoon/prsa_par.y b/src/racoon/prsa_par.y
+index 1987e4d..27ce4c6 100644
+--- a/src/racoon/prsa_par.y
++++ b/src/racoon/prsa_par.y
+@@ -68,6 +68,7 @@
+ #include "isakmp_var.h"
+ #include "handler.h"
+ #include "crypto_openssl.h"
++#include "openssl_compat.h"
+ #include "sockmisc.h"
+ #include "rsalist.h"
+ 
+@@ -85,7 +86,18 @@ char *prsa_cur_fname = NULL;
+ struct genlist *prsa_cur_list = NULL;
+ enum rsa_key_type prsa_cur_type = RSA_TYPE_ANY;
+ 
+-static RSA *rsa_cur;
++struct my_rsa_st {
++	BIGNUM *n;
++	BIGNUM *e;
++	BIGNUM *d;
++	BIGNUM *p;
++	BIGNUM *q;
++	BIGNUM *dmp1;
++	BIGNUM *dmq1;
++	BIGNUM *iqmp;
++};
++
++static struct my_rsa_st *rsa_cur;
+ 
+ void
+ prsaerror(const char *s, ...)
+@@ -201,8 +213,12 @@ rsa_statement:
+ 				rsa_cur->iqmp = NULL;
+ 			}
+ 		}
+-		$$ = rsa_cur;
+-		rsa_cur = RSA_new();
++		RSA * rsa_tmp = RSA_new();
++		RSA_set0_key(rsa_tmp, rsa_cur->n, rsa_cur->e, rsa_cur->d);
++		RSA_set0_factors(rsa_tmp, rsa_cur->p, rsa_cur->q);
++		RSA_set0_crt_params(rsa_tmp, rsa_cur->dmp1, rsa_cur->dmq1, rsa_cur->iqmp);
++		$$ = rsa_tmp;
++		memset(rsa_cur, 0, sizeof(struct my_rsa_st));
+ 	}
+ 	| TAG_PUB BASE64
+ 	{
+@@ -351,10 +367,12 @@ prsa_parse_file(struct genlist *list, char *fname, enum rsa_key_type type)
+ 	prsa_cur_fname = fname;
+ 	prsa_cur_list = list;
+ 	prsa_cur_type = type;
+-	rsa_cur = RSA_new();
++	rsa_cur = malloc(sizeof(struct my_rsa_st));
++	memset(rsa_cur, 0, sizeof(struct my_rsa_st));
+ 	ret = prsaparse();
+ 	if (rsa_cur) {
+-		RSA_free(rsa_cur);
++		memset(rsa_cur, 0, sizeof(struct my_rsa_st));
++		free(rsa_cur);
+ 		rsa_cur = NULL;
+ 	}
+ 	fclose (fp);
+diff --git a/src/racoon/rsalist.c b/src/racoon/rsalist.c
+index f152c82..96e8363 100644
+--- a/src/racoon/rsalist.c
++++ b/src/racoon/rsalist.c
+@@ -52,6 +52,7 @@
+ #include "genlist.h"
+ #include "remoteconf.h"
+ #include "crypto_openssl.h"
++#include "openssl_compat.h"
+ 
+ #ifndef LIST_FIRST
+ #define LIST_FIRST(head)        ((head)->lh_first)
+@@ -98,7 +99,9 @@ rsa_key_dup(struct rsa_key *key)
+ 		return NULL;
+ 
+ 	if (key->rsa) {
+-		new->rsa = key->rsa->d != NULL ? RSAPrivateKey_dup(key->rsa) : RSAPublicKey_dup(key->rsa);
++		const BIGNUM *d;
++		RSA_get0_key(key->rsa, NULL, NULL, &d);
++		new->rsa = (d != NULL ? RSAPrivateKey_dup(key->rsa) : RSAPublicKey_dup(key->rsa));
+ 		if (new->rsa == NULL)
+ 			goto dup_error;
+ 	}
+-- 
+2.16.1
+
-- 
2.18.0

[Buildroot] [PATCH/next 4/7] package/liboauth: Fix build with OpenSSL 1.1.x

[Bernd Kuhls]

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
---
 package/liboauth/0001-openssl-1.1.0.patch | 154 ++++++++++++++++++++++
 1 file changed, 154 insertions(+)
 create mode 100644 package/liboauth/0001-openssl-1.1.0.patch

diff --git a/package/liboauth/0001-openssl-1.1.0.patch b/package/liboauth/0001-openssl-1.1.0.patch
new file mode 100644
index 0000000000..a33ac0a20b
--- /dev/null
+++ b/package/liboauth/0001-openssl-1.1.0.patch
@@ -0,0 +1,154 @@
+Submitted by:            DJ Lucas (dj_AT_linuxfromscratch_DOT_org)
+Date:                    2017-05-27
+Initial Package Version: 1.0.3
+Update by:               Bruce Dubbs
+Date:                    2017-06-14
+Upstream Status:         Submitted
+Origin:                  https://github.com/x42/liboauth/issues/9
+Description:             Fixes build issue with OpenSSL-1.1.0.
+Update:                  Additional fix from upstream.  Three lines changed.
+
+Downloaded from
+http://www.linuxfromscratch.org/patches/blfs/svn/liboauth-1.0.3-openssl-1.1.0-2.patch
+
+Patch was sent upstream: https://github.com/x42/liboauth/issues/9
+
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+
+diff -Naurp liboauth-1.0.3-orig/src/hash.c liboauth-1.0.3/src/hash.c
+--- liboauth-1.0.3-orig/src/hash.c	2013-10-04 08:02:50.000000000 -0500
++++ liboauth-1.0.3/src/hash.c	2017-05-27 00:51:04.708633351 -0500
+@@ -362,6 +362,11 @@ looser:
+ #include "oauth.h" // base64 encode fn's.
+ #include <openssl/hmac.h>
+ 
++#if OPENSSL_VERSION_NUMBER < 0x10100000
++#define EVP_MD_CTX_new EVP_MD_CTX_create
++#define EVP_MD_CTX_free EVP_MD_CTX_destroy
++#endif
++
+ char *oauth_sign_hmac_sha1 (const char *m, const char *k) {
+   return(oauth_sign_hmac_sha1_raw (m, strlen(m), k, strlen(k)));
+ }
+@@ -386,7 +391,7 @@ char *oauth_sign_rsa_sha1 (const char *m
+   unsigned char *sig = NULL;
+   unsigned char *passphrase = NULL;
+   unsigned int len=0;
+-  EVP_MD_CTX md_ctx;
++  EVP_MD_CTX *md_ctx;
+ 
+   EVP_PKEY *pkey;
+   BIO *in;
+@@ -399,24 +404,31 @@ char *oauth_sign_rsa_sha1 (const char *m
+     return xstrdup("liboauth/OpenSSL: can not read private key");
+   }
+ 
++  md_ctx = EVP_MD_CTX_new();
++  if (md_ctx == NULL) {
++          return xstrdup("liboauth/OpenSSL: failed to allocate EVP_MD_CTX");
++  }
++
+   len = EVP_PKEY_size(pkey);
+   sig = (unsigned char*)xmalloc((len+1)*sizeof(char));
+ 
+-  EVP_SignInit(&md_ctx, EVP_sha1());
+-  EVP_SignUpdate(&md_ctx, m, strlen(m));
+-  if (EVP_SignFinal (&md_ctx, sig, &len, pkey)) {
++  EVP_SignInit(md_ctx, EVP_sha1());
++  EVP_SignUpdate(md_ctx, m, strlen(m));
++  if (EVP_SignFinal (md_ctx, sig, &len, pkey)) {
+     char *tmp;
+     sig[len] = '\0';
+     tmp = oauth_encode_base64(len,sig);
+     OPENSSL_free(sig);
+     EVP_PKEY_free(pkey);
++    EVP_MD_CTX_free(md_ctx);
+     return tmp;
+   }
++  EVP_MD_CTX_free(md_ctx);
+   return xstrdup("liboauth/OpenSSL: rsa-sha1 signing failed");
+ }
+ 
+ int oauth_verify_rsa_sha1 (const char *m, const char *c, const char *s) {
+-  EVP_MD_CTX md_ctx;
++  EVP_MD_CTX *md_ctx;
+   EVP_PKEY *pkey;
+   BIO *in;
+   X509 *cert = NULL;
+@@ -437,13 +449,18 @@ int oauth_verify_rsa_sha1 (const char *m
+     return -2;
+   }
+ 
++	md_ctx = EVP_MD_CTX_new();
++	if (md_ctx == NULL) {
++		return -2;
++	}
++
+   b64d= (unsigned char*) xmalloc(sizeof(char)*strlen(s));
+   slen = oauth_decode_base64(b64d, s);
+ 
+-  EVP_VerifyInit(&md_ctx, EVP_sha1());
+-  EVP_VerifyUpdate(&md_ctx, m, strlen(m));
+-  err = EVP_VerifyFinal(&md_ctx, b64d, slen, pkey);
+-  EVP_MD_CTX_cleanup(&md_ctx);
++  EVP_VerifyInit(md_ctx, EVP_sha1());
++  EVP_VerifyUpdate(md_ctx, m, strlen(m));
++  err = EVP_VerifyFinal(md_ctx, b64d, slen, pkey);
++  EVP_MD_CTX_free(pkey);
+   EVP_PKEY_free(pkey);
+   xfree(b64d);
+   return (err);
+@@ -455,35 +472,41 @@ int oauth_verify_rsa_sha1 (const char *m
+  */
+ char *oauth_body_hash_file(char *filename) {
+   unsigned char fb[BUFSIZ];
+-  EVP_MD_CTX ctx;
++  EVP_MD_CTX *ctx;
+   size_t len=0;
+   unsigned char *md;
+   FILE *F= fopen(filename, "r");
+   if (!F) return NULL;
+ 
+-  EVP_MD_CTX_init(&ctx);
+-  EVP_DigestInit(&ctx,EVP_sha1());
++  ctx = EVP_MD_CTX_new();
++  if (ctx == NULL) {
++          return xstrdup("liboauth/OpenSSL: failed to allocate EVP_MD_CTX");
++  }
++  EVP_DigestInit(ctx,EVP_sha1());
+   while (!feof(F) && (len=fread(fb,sizeof(char),BUFSIZ, F))>0) {
+-    EVP_DigestUpdate(&ctx, fb, len);
++    EVP_DigestUpdate(ctx, fb, len);
+   }
+   fclose(F);
+   len=0;
+   md=(unsigned char*) xcalloc(EVP_MD_size(EVP_sha1()),sizeof(unsigned char));
+-  EVP_DigestFinal(&ctx, md,(unsigned int*) &len);
+-  EVP_MD_CTX_cleanup(&ctx);
++  EVP_DigestFinal(ctx, md,(unsigned int*) &len);
++  EVP_MD_CTX_free(ctx);
+   return oauth_body_hash_encode(len, md);
+ }
+ 
+ char *oauth_body_hash_data(size_t length, const char *data) {
+-  EVP_MD_CTX ctx;
++  EVP_MD_CTX *ctx;
+   size_t len=0;
+   unsigned char *md;
+   md=(unsigned char*) xcalloc(EVP_MD_size(EVP_sha1()),sizeof(unsigned char));
+-  EVP_MD_CTX_init(&ctx);
+-  EVP_DigestInit(&ctx,EVP_sha1());
+-  EVP_DigestUpdate(&ctx, data, length);
+-  EVP_DigestFinal(&ctx, md,(unsigned int*) &len);
+-  EVP_MD_CTX_cleanup(&ctx);
++  ctx = EVP_MD_CTX_new();
++  if (ctx == NULL) {
++          return xstrdup("liboauth/OpenSSL: failed to allocate EVP_MD_CTX");
++  }
++  EVP_DigestInit(ctx,EVP_sha1());
++  EVP_DigestUpdate(ctx, data, length);
++  EVP_DigestFinal(ctx, md,(unsigned int*) &len);
++  EVP_MD_CTX_free(ctx);
+   return oauth_body_hash_encode(len, md);
+ }
+ 
-- 
2.18.0

[Buildroot] [PATCH/next 5/7] package/libtorrent: Fix build with OpenSSL 1.1.x

[Bernd Kuhls]

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
---
 package/libtorrent/0002-openssl110.patch | 109 +++++++++++++++++++++++
 1 file changed, 109 insertions(+)
 create mode 100644 package/libtorrent/0002-openssl110.patch

diff --git a/package/libtorrent/0002-openssl110.patch b/package/libtorrent/0002-openssl110.patch
new file mode 100644
index 0000000000..b0cfc2deef
--- /dev/null
+++ b/package/libtorrent/0002-openssl110.patch
@@ -0,0 +1,109 @@
+From 7b29b6bd2547e72e22b9b7981df27092842d2a10 Mon Sep 17 00:00:00 2001
+From: rakshasa <sundell.software@gmail.com>
+Date: Tue, 20 Dec 2016 19:51:02 +0900
+Subject: [PATCH] Added support for openssl 1.1.
+
+Downloaded from upstream commit
+https://github.com/rakshasa/libtorrent/commit/7b29b6bd2547e72e22b9b7981df27092842d2a10
+
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+---
+ configure.ac                |  4 ++++
+ src/utils/diffie_hellman.cc | 36 ++++++++++++++++++++++++++++++++++--
+ 2 files changed, 38 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 5b1ea237..b885714d 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -71,12 +71,15 @@ AC_ARG_ENABLE(openssl,
+   [  --disable-openssl       Don't use OpenSSL's SHA1 implementation.],
+   [
+     if test "$enableval" = "yes"; then
++dnl move to scripts.
+       PKG_CHECK_MODULES(OPENSSL, libcrypto,
+         CXXFLAGS="$CXXFLAGS $OPENSSL_CFLAGS";
+         LIBS="$LIBS $OPENSSL_LIBS")
+ 
+       AC_DEFINE(USE_OPENSSL, 1, Using OpenSSL.)
+       AC_DEFINE(USE_OPENSSL_SHA, 1, Using OpenSSL's SHA1 implementation.)
++      AC_CHECK_LIB([crypto], [DH_set0_pqg], [AC_DEFINE(USE_OPENSSL_1_1, 1, Using OpenSSL 1.1.)])
++
+     else
+       AC_DEFINE(USE_NSS_SHA, 1, Using Mozilla's SHA1 implementation.)
+     fi
+@@ -87,6 +90,7 @@ AC_ARG_ENABLE(openssl,
+ 
+     AC_DEFINE(USE_OPENSSL, 1, Using OpenSSL.)
+     AC_DEFINE(USE_OPENSSL_SHA, 1, Using OpenSSL's SHA1 implementation.)
++    AC_CHECK_LIB([crypto], [DH_set0_pqg], [AC_DEFINE(USE_OPENSSL_1_1, 1, Using OpenSSL 1.1.)])
+   ]
+ )
+ 
+diff --git a/src/utils/diffie_hellman.cc b/src/utils/diffie_hellman.cc
+index aa653d45..7ec13165 100644
+--- a/src/utils/diffie_hellman.cc
++++ b/src/utils/diffie_hellman.cc
+@@ -54,11 +54,23 @@ DiffieHellman::DiffieHellman(const unsigned char *prime, int primeLength,
+   m_secret(NULL), m_size(0) {
+ 
+ #ifdef USE_OPENSSL
++
+   m_dh = DH_new();
++
++#ifdef USE_OPENSSL_1_1
++  BIGNUM * const dh_p = BN_bin2bn(prime, primeLength, NULL);
++  BIGNUM * const dh_g = BN_bin2bn(generator, generatorLength, NULL);
++
++  if (dh_p == NULL || dh_g == NULL ||
++      !DH_set0_pqg(m_dh, dh_p, NULL, dh_g))
++	  throw internal_error("Could not generate Diffie-Hellman parameters");
++#else
+   m_dh->p = BN_bin2bn(prime, primeLength, NULL);
+   m_dh->g = BN_bin2bn(generator, generatorLength, NULL);
++#endif
+ 
+   DH_generate_key(m_dh);
++
+ #else
+   throw internal_error("Compiled without encryption support.");
+ #endif
+@@ -74,7 +86,19 @@ DiffieHellman::~DiffieHellman() {
+ bool
+ DiffieHellman::is_valid() const {
+ #ifdef USE_OPENSSL
++  if (m_dh == NULL)
++    return false;
++
++#ifdef USE_OPENSSL_1_1
++  const BIGNUM *pub_key;
++
++  DH_get0_key(m_dh, &pub_key, NULL);
++
++  return pub_key != NULL;
++#else
+   return m_dh != NULL && m_dh->pub_key != NULL;
++#endif
++
+ #else
+   return false;
+ #endif
+@@ -103,8 +127,16 @@ DiffieHellman::store_pub_key(unsigned char* dest, unsigned int length) {
+ #ifdef USE_OPENSSL
+   std::memset(dest, 0, length);
+ 
+-  if ((int)length >= BN_num_bytes(m_dh->pub_key))
+-    BN_bn2bin(m_dh->pub_key, dest + length - BN_num_bytes(m_dh->pub_key));
++  const BIGNUM *pub_key;
++
++#ifdef USE_OPENSSL_1_1
++  DH_get0_key(m_dh, &pub_key, NULL);
++#else
++  pub_key = m_dh->pub_key;
++#endif
++
++  if ((int)length >= BN_num_bytes(pub_key))
++    BN_bn2bin(pub_key, dest + length - BN_num_bytes(pub_key));
+ #endif
+ }
+ 
-- 
2.18.0

[Buildroot] [PATCH/next 6/7] package/pound: Fix build with OpenSSL 1.1.x

[Bernd Kuhls]

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
---
 package/pound/0002-fix-openssl-1.1.0.patch | 331 +++++++++++++++++++++
 1 file changed, 331 insertions(+)
 create mode 100644 package/pound/0002-fix-openssl-1.1.0.patch

diff --git a/package/pound/0002-fix-openssl-1.1.0.patch b/package/pound/0002-fix-openssl-1.1.0.patch
new file mode 100644
index 0000000000..a94a6386b7
--- /dev/null
+++ b/package/pound/0002-fix-openssl-1.1.0.patch
@@ -0,0 +1,331 @@
+From a2c9dde4d055ea8942afb150b7fc3a807d4e5d60 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Wed, 28 Feb 2018 13:44:01 +0000
+Subject: [PATCH] Support for Openssl 1.1
+
+Downloaded from github fork:
+https://github.com/graygnuorg/pound/commit/a2c9dde4d055ea8942afb150b7fc3a807d4e5d60
+
+This patch was announced on the upstream mailinglist:
+http://www.apsis.ch/pound/pound_list/archive/2018/2018-03/1519920322000
+
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+---
+ .gitignore |  15 ++++++++
+ config.c   |  17 +++++++--
+ http.c     |  12 ++++++-
+ pound.h    |   4 ++-
+ svc.c      | 101 +++++++++++++++++++++++++++++++++++++++++++----------
+ 5 files changed, 125 insertions(+), 24 deletions(-)
+ create mode 100644 .gitignore
+
+diff --git a/config.c b/config.c
+index d41a3ee..e8fec0f 100644
+--- a/config.c
++++ b/config.c
+@@ -174,6 +174,16 @@ conf_fgets(char *buf, const int max)
+     }
+ }
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++# define general_name_string(n) \
++	strndup(ASN1_STRING_get0_data(n->d.dNSName),	\
++	        ASN1_STRING_length(n->d.dNSName) + 1)
++#else
++# define general_name_string(n) \
++	strndup(ASN1_STRING_data(n->d.dNSName),	\
++	       ASN1_STRING_length(n->d.dNSName) + 1)
++#endif
++
+ unsigned char **
+ get_subjectaltnames(X509 *x509, unsigned int *count)
+ {
+@@ -194,8 +204,7 @@ get_subjectaltnames(X509 *x509, unsigned int *count)
+         name = sk_GENERAL_NAME_pop(san_stack);
+         switch(name->type) {
+             case GEN_DNS:
+-                temp[local_count] = strndup(ASN1_STRING_data(name->d.dNSName), ASN1_STRING_length(name->d.dNSName)
+-                                    + 1);
++ 	        temp[local_count] = general_name_string(name);
+                 if(temp[local_count] == NULL)
+                     conf_err("out of memory");
+                 local_count++;
+@@ -565,7 +574,9 @@ parse_service(const char *svc_name)
+     pthread_mutex_init(&res->mut, NULL);
+     if(svc_name)
+         strncpy(res->name, svc_name, KEY_SIZE);
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++    if((res->sessions = lh_TABNODE_new(t_hash, t_cmp)) == NULL)    
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+     if((res->sessions = LHM_lh_new(TABNODE, t)) == NULL)
+ #else
+     if((res->sessions = lh_new(LHASH_HASH_FN(t_hash), LHASH_COMP_FN(t_cmp))) == NULL)
+diff --git a/http.c b/http.c
+index dd211e4..c8e756a 100644
+--- a/http.c
++++ b/http.c
+@@ -527,12 +527,22 @@ log_bytes(char *res, const LONG cnt)
+ 
+ /* Cleanup code. This should really be in the pthread_cleanup_push, except for bugs in some implementations */
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++# define clear_error()
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
++# define clear_error() \
++	if(ssl != NULL) { ERR_clear_error(); ERR_remove_thread_state(NULL); }
++#else
++# define clear_error() \
++	if(ssl != NULL) { ERR_clear_error(); ERR_remove_state(0); }
++#endif
++
+ #define clean_all() {   \
+     if(ssl != NULL) { BIO_ssl_shutdown(cl); } \
+     if(be != NULL) { BIO_flush(be); BIO_reset(be); BIO_free_all(be); be = NULL; } \
+     if(cl != NULL) { BIO_flush(cl); BIO_reset(cl); BIO_free_all(cl); cl = NULL; } \
+     if(x509 != NULL) { X509_free(x509); x509 = NULL; } \
+-    if(ssl != NULL) { ERR_clear_error(); ERR_remove_state(0); } \
++    clear_error(); \
+ }
+ 
+ /*
+diff --git a/pound.h b/pound.h
+index fa22c36..9603b91 100644
+--- a/pound.h
++++ b/pound.h
+@@ -344,7 +344,9 @@ typedef struct _tn {
+ /* maximal session key size */
+ #define KEY_SIZE    127
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++  DEFINE_LHASH_OF(TABNODE);
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+ DECLARE_LHASH_OF(TABNODE);
+ #endif
+ 
+diff --git a/svc.c b/svc.c
+index 60ba488..063b92c 100644
+--- a/svc.c
++++ b/svc.c
+@@ -27,10 +27,17 @@
+ 
+ #include    "pound.h"
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++# define TABNODE_GET_DOWN_LOAD(t) lh_TABNODE_get_down_load(t)
++# define TABNODE_SET_DOWN_LOAD(t,n) lh_TABNODE_set_down_load(t,n)
++#else
+ #ifndef LHASH_OF
+ #define LHASH_OF(x) LHASH
+ #define CHECKED_LHASH_OF(type, h) h
+ #endif
++# define TABNODE_GET_DOWN_LOAD(t) (CHECKED_LHASH_OF(TABNODE, t)->down_load)
++# define TABNODE_SET_DOWN_LOAD(t,n) (CHECKED_LHASH_OF(TABNODE, t)->down_load = n)
++#endif
+ 
+ /*
+  * Add a new key/content pair to a hash table
+@@ -58,7 +65,9 @@ t_add(LHASH_OF(TABNODE) *const tab, const char *key, const void *content, const
+     }
+     memcpy(t->content, content, cont_len);
+     t->last_acc = time(NULL);
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++    if((old = lh_TABNODE_insert(tab, t)) != NULL) {
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+     if((old = LHM_lh_insert(TABNODE, tab, t)) != NULL) {
+ #else
+     if((old = (TABNODE *)lh_insert(tab, t)) != NULL) {
+@@ -82,7 +91,9 @@ t_find(LHASH_OF(TABNODE) *const tab, char *const key)
+     TABNODE t, *res;
+ 
+     t.key = key;
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++    if((res = lh_TABNODE_retrieve(tab, &t)) != NULL) {
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+     if((res = (TABNODE *)LHM_lh_retrieve(TABNODE, tab, &t)) != NULL) {
+ #else
+     if((res = (TABNODE *)lh_retrieve(tab, &t)) != NULL) {
+@@ -102,7 +113,9 @@ t_remove(LHASH_OF(TABNODE) *const tab, char *const key)
+     TABNODE t, *res;
+ 
+     t.key = key;
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++    if((res = lh_TABNODE_delete(tab, &t)) != NULL) {    
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+     if((res = LHM_lh_delete(TABNODE, tab, &t)) != NULL) {
+ #else
+     if((res = (TABNODE *)lh_delete(tab, &t)) != NULL) {
+@@ -127,7 +140,9 @@ t_old_doall_arg(TABNODE *t, ALL_ARG *a)
+     TABNODE *res;
+ 
+     if(t->last_acc < a->lim)
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++        if((res = lh_TABNODE_delete(a->tab, t)) != NULL) {	    
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+         if((res = LHM_lh_delete(TABNODE, a->tab, t)) != NULL) {
+ #else
+         if((res = lh_delete(a->tab, t)) != NULL) {
+@@ -145,6 +160,10 @@ IMPLEMENT_LHASH_DOALL_ARG_FN(t_old, TABNODE, ALL_ARG)
+ IMPLEMENT_LHASH_DOALL_ARG_FN(t_old, TABNODE *, ALL_ARG *)
+ #endif
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++IMPLEMENT_LHASH_DOALL_ARG(TABNODE,ALL_ARG);
++#endif
++
+ /*
+  * Expire all old nodes
+  */
+@@ -156,14 +175,16 @@ t_expire(LHASH_OF(TABNODE) *const tab, const time_t lim)
+ 
+     a.tab = tab;
+     a.lim = lim;
+-    down_load = CHECKED_LHASH_OF(TABNODE, tab)->down_load;
+-    CHECKED_LHASH_OF(TABNODE, tab)->down_load = 0;
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++    down_load = TABNODE_GET_DOWN_LOAD(tab);
++    TABNODE_SET_DOWN_LOAD(tab, 0);
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++    lh_TABNODE_doall_ALL_ARG(tab, t_old_doall_arg, &a);
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+     LHM_lh_doall_arg(TABNODE, tab, LHASH_DOALL_ARG_FN(t_old), ALL_ARG, &a);
+ #else
+     lh_doall_arg(tab, LHASH_DOALL_ARG_FN(t_old), &a);
+ #endif
+-    CHECKED_LHASH_OF(TABNODE, tab)->down_load = down_load;
++    TABNODE_SET_DOWN_LOAD(tab, down_load);
+     return;
+ }
+ 
+@@ -173,7 +194,9 @@ t_cont_doall_arg(TABNODE *t, ALL_ARG *arg)
+     TABNODE *res;
+ 
+     if(memcmp(t->content, arg->content, arg->cont_len) == 0)
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++        if((res = lh_TABNODE_delete(arg->tab, t)) != NULL) {
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+         if((res = LHM_lh_delete(TABNODE, arg->tab, t)) != NULL) {
+ #else
+         if((res = lh_delete(arg->tab, t)) != NULL) {
+@@ -203,15 +226,16 @@ t_clean(LHASH_OF(TABNODE) *const tab, void *const content, const size_t cont_len
+     a.tab = tab;
+     a.content = content;
+     a.cont_len = cont_len;
+-    down_load = CHECKED_LHASH_OF(TABNODE, tab)->down_load;
+-    CHECKED_LHASH_OF(TABNODE, tab)->down_load = 0;
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++    down_load = TABNODE_GET_DOWN_LOAD(tab);
++    TABNODE_SET_DOWN_LOAD(tab, 0);
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++    lh_TABNODE_doall_ALL_ARG(tab, t_cont_doall_arg, &a);
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+     LHM_lh_doall_arg(TABNODE, tab, LHASH_DOALL_ARG_FN(t_cont), ALL_ARG, &a);
+ #else
+     lh_doall_arg(tab, LHASH_DOALL_ARG_FN(t_cont), &a);
+ #endif
+-    CHECKED_LHASH_OF(TABNODE, tab)->down_load = down_load;
+-    return;
++    TABNODE_SET_DOWN_LOAD(tab, down_load);
+ }
+ 
+ /*
+@@ -1262,6 +1286,31 @@ RSA_tmp_callback(/* not used */SSL *ssl, /* not used */int is_export, int keylen
+     return res;
+ }
+ 
++static int
++generate_key(RSA **ret_rsa, unsigned long bits)
++{
++#if OPENSSL_VERSION_NUMBER > 0x00908000L
++    int rc = 0;
++    RSA *rsa;
++
++    rsa = RSA_new();
++    if (rsa) {
++	BIGNUM *bne = BN_new();
++	if (BN_set_word(bne, RSA_F4))
++	    rc = RSA_generate_key_ex(rsa, bits, bne, NULL);
++	BN_free(bne);
++	if (rc)
++	    *ret_rsa = rsa;
++	else
++	    RSA_free(rsa);
++    }
++    return rc;
++#else
++    *ret_rsa = RSA_generate_key(bits, RSA_F4, NULL, NULL);
++    return *ret_rsa != NULL;
++#endif
++}
++
+ /*
+  * Periodically regenerate ephemeral RSA keys
+  * runs every T_RSA_KEYS seconds
+@@ -1274,8 +1323,9 @@ do_RSAgen(void)
+     RSA *t_RSA1024_keys[N_RSA_KEYS];
+ 
+     for(n = 0; n < N_RSA_KEYS; n++) {
+-        t_RSA512_keys[n] = RSA_generate_key(512, RSA_F4, NULL, NULL);
+-        t_RSA1024_keys[n] = RSA_generate_key(1024, RSA_F4, NULL, NULL);
++        /* FIXME: Error handling */
++        generate_key(&t_RSA512_keys[n], 512);
++	generate_key(&t_RSA1024_keys[n], 1024);
+     }
+     if(ret_val = pthread_mutex_lock(&RSA_mut))
+         logmsg(LOG_WARNING, "thr_RSAgen() lock: %s", strerror(ret_val));
+@@ -1329,11 +1379,11 @@ init_timer(void)
+      * Pre-generate ephemeral RSA keys
+      */
+     for(n = 0; n < N_RSA_KEYS; n++) {
+-        if((RSA512_keys[n] = RSA_generate_key(512, RSA_F4, NULL, NULL)) == NULL) {
++        if(!generate_key(&RSA512_keys[n], 512)) {
+             logmsg(LOG_WARNING,"RSA_generate(%d, 512) failed", n);
+             return;
+         }
+-        if((RSA1024_keys[n] = RSA_generate_key(1024, RSA_F4, NULL, NULL)) == NULL) {
++        if(!generate_key(&RSA1024_keys[n], 1024)) {
+             logmsg(LOG_WARNING,"RSA_generate(%d, 1024) failed", n);
+             return;
+         }
+@@ -1420,6 +1470,10 @@ IMPLEMENT_LHASH_DOALL_ARG_FN(t_dump, TABNODE, DUMP_ARG)
+ IMPLEMENT_LHASH_DOALL_ARG_FN(t_dump, TABNODE *, DUMP_ARG *)
+ #endif
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++IMPLEMENT_LHASH_DOALL_ARG(TABNODE,DUMP_ARG);
++#endif
++	
+ /*
+  * write sessions to the control socket
+  */
+@@ -1430,7 +1484,9 @@ dump_sess(const int control_sock, LHASH_OF(TABNODE) *const sess, BACKEND *const
+ 
+     a.control_sock = control_sock;
+     a.backends = backends;
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++    lh_TABNODE_doall_DUMP_ARG(sess, t_dump_doall_arg, &a);
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+     LHM_lh_doall_arg(TABNODE, sess, LHASH_DOALL_ARG_FN(t_dump), DUMP_ARG, &a);
+ #else
+     lh_doall_arg(sess, LHASH_DOALL_ARG_FN(t_dump), &a);
+@@ -1664,6 +1720,13 @@ thr_control(void *arg)
+     }
+ }
+ 
++#ifndef SSL3_ST_SR_CLNT_HELLO_A
++# define SSL3_ST_SR_CLNT_HELLO_A (0x110|SSL_ST_ACCEPT)
++#endif
++#ifndef SSL23_ST_SR_CLNT_HELLO_A
++# define SSL23_ST_SR_CLNT_HELLO_A (0x210|SSL_ST_ACCEPT)
++#endif
++		
+ void
+ SSLINFO_callback(const SSL *ssl, int where, int rc)
+ {
-- 
2.18.0

[Buildroot] [PATCH/next 7/7] package/rdesktop: Fix build with OpenSSL 1.1.x

[Bernd Kuhls]

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
---
 package/rdesktop/0002-openssl11.patch | 130 ++++++++++++++++++++++++++
 1 file changed, 130 insertions(+)
 create mode 100644 package/rdesktop/0002-openssl11.patch

diff --git a/package/rdesktop/0002-openssl11.patch b/package/rdesktop/0002-openssl11.patch
new file mode 100644
index 0000000000..050d6f6903
--- /dev/null
+++ b/package/rdesktop/0002-openssl11.patch
@@ -0,0 +1,130 @@
+From bd6aa6acddf0ba640a49834807872f4cc0d0a773 Mon Sep 17 00:00:00 2001
+From: Jani Hakala <jjhakala@gmail.com>
+Date: Thu, 16 Jun 2016 14:28:15 +0300
+Subject: [PATCH] Fix OpenSSL 1.1 compability issues
+
+Some data types have been made opaque in OpenSSL version 1.1 so
+stack allocation and accessing struct fields directly does not work.
+
+Downloaded from upstream commit
+https://github.com/rdesktop/rdesktop/commit/bd6aa6acddf0ba640a49834807872f4cc0d0a773
+
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+---
+ ssl.c | 65 ++++++++++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 40 insertions(+), 25 deletions(-)
+
+diff --git a/ssl.c b/ssl.c
+index 48751255..032e9b9e 100644
+--- a/ssl.c
++++ b/ssl.c
+@@ -88,7 +88,7 @@ rdssl_rsa_encrypt(uint8 * out, uint8 * in, int len, uint32 modulus_size, uint8 *
+ 		  uint8 * exponent)
+ {
+ 	BN_CTX *ctx;
+-	BIGNUM mod, exp, x, y;
++	BIGNUM *mod, *exp, *x, *y;
+ 	uint8 inr[SEC_MAX_MODULUS_SIZE];
+ 	int outlen;
+ 
+@@ -98,24 +98,24 @@ rdssl_rsa_encrypt(uint8 * out, uint8 * in, int len, uint32 modulus_size, uint8 *
+ 	reverse(inr, len);
+ 
+ 	ctx = BN_CTX_new();
+-	BN_init(&mod);
+-	BN_init(&exp);
+-	BN_init(&x);
+-	BN_init(&y);
+-
+-	BN_bin2bn(modulus, modulus_size, &mod);
+-	BN_bin2bn(exponent, SEC_EXPONENT_SIZE, &exp);
+-	BN_bin2bn(inr, len, &x);
+-	BN_mod_exp(&y, &x, &exp, &mod, ctx);
+-	outlen = BN_bn2bin(&y, out);
++	mod = BN_new();
++	exp = BN_new();
++	x = BN_new();
++	y = BN_new();
++
++	BN_bin2bn(modulus, modulus_size, mod);
++	BN_bin2bn(exponent, SEC_EXPONENT_SIZE, exp);
++	BN_bin2bn(inr, len, x);
++	BN_mod_exp(y, x, exp, mod, ctx);
++	outlen = BN_bn2bin(y, out);
+ 	reverse(out, outlen);
+ 	if (outlen < (int) modulus_size)
+ 		memset(out + outlen, 0, modulus_size - outlen);
+ 
+-	BN_free(&y);
+-	BN_clear_free(&x);
+-	BN_free(&exp);
+-	BN_free(&mod);
++	BN_free(y);
++	BN_clear_free(x);
++	BN_free(exp);
++	BN_free(mod);
+ 	BN_CTX_free(ctx);
+ }
+ 
+@@ -146,12 +146,20 @@ rdssl_cert_to_rkey(RDSSL_CERT * cert, uint32 * key_len)
+ 
+ 	   Kudos to Richard Levitte for the following (. intiutive .) 
+ 	   lines of code that resets the OID and let's us extract the key. */
+-	nid = OBJ_obj2nid(cert->cert_info->key->algor->algorithm);
++
++	X509_PUBKEY *key = NULL;
++	X509_ALGOR *algor = NULL;
++
++	key = X509_get_X509_PUBKEY(cert);
++	algor = X509_PUBKEY_get0_param(NULL, NULL, 0, &algor, key);
++
++	nid = OBJ_obj2nid(algor->algorithm);
++
+ 	if ((nid == NID_md5WithRSAEncryption) || (nid == NID_shaWithRSAEncryption))
+ 	{
+ 		DEBUG_RDP5(("Re-setting algorithm type to RSA in server certificate\n"));
+-		ASN1_OBJECT_free(cert->cert_info->key->algor->algorithm);
+-		cert->cert_info->key->algor->algorithm = OBJ_nid2obj(NID_rsaEncryption);
++		X509_PUBKEY_set0_param(key, OBJ_nid2obj(NID_rsaEncryption),
++				       0, NULL, NULL, 0);
+ 	}
+ 	epk = X509_get_pubkey(cert);
+ 	if (NULL == epk)
+@@ -201,14 +209,24 @@ rdssl_rkey_get_exp_mod(RDSSL_RKEY * rkey, uint8 * exponent, uint32 max_exp_len,
+ {
+ 	int len;
+ 
+-	if ((BN_num_bytes(rkey->e) > (int) max_exp_len) ||
+-	    (BN_num_bytes(rkey->n) > (int) max_mod_len))
++	BIGNUM *e = NULL;
++	BIGNUM *n = NULL;
++
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++	e = rkey->e;
++	n = rkey->n;
++#else
++	RSA_get0_key(rkey, &e, &n, NULL);
++#endif
++
++	if ((BN_num_bytes(e) > (int) max_exp_len) ||
++	    (BN_num_bytes(n) > (int) max_mod_len))
+ 	{
+ 		return 1;
+ 	}
+-	len = BN_bn2bin(rkey->e, exponent);
++	len = BN_bn2bin(e, exponent);
+ 	reverse(exponent, len);
+-	len = BN_bn2bin(rkey->n, modulus);
++	len = BN_bn2bin(n, modulus);
+ 	reverse(modulus, len);
+ 	return 0;
+ }
+@@ -229,8 +247,5 @@ void
+ rdssl_hmac_md5(const void *key, int key_len, const unsigned char *msg, int msg_len,
+ 	       unsigned char *md)
+ {
+-	HMAC_CTX ctx;
+-	HMAC_CTX_init(&ctx);
+ 	HMAC(EVP_md5(), key, key_len, msg, msg_len, md, NULL);
+-	HMAC_CTX_cleanup(&ctx);
+ }
-- 
2.18.0

[Buildroot] [PATCH/next 1/7] package/ecryptfs-utils: Fix build with OpenSSL 1.1.x

[Thomas Petazzoni]

Hello,

On Sat, 25 Aug 2018 11:16:56 +0200, Bernd Kuhls wrote:
> Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
> ---
>  package/ecryptfs-utils/0002-openssl110.patch | 173 +++++++++++++++++++
>  1 file changed, 173 insertions(+)
>  create mode 100644 package/ecryptfs-utils/0002-openssl110.patch

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH/next 2/7] package/ibrcommon: add openssl 1.1 compatibility

[Thomas Petazzoni]

Hello,

On Sat, 25 Aug 2018 11:16:57 +0200, Bernd Kuhls wrote:
> Added license hashes.
> 
> Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
> ---
>  ...-added-openssl-1.1-compatibility-264.patch | 357 ++++++++++++++++++
>  package/ibrcommon/ibrcommon.hash              |   2 +
>  2 files changed, 359 insertions(+)
>  create mode 100644 package/ibrcommon/0002-ibrcommon-added-openssl-1.1-compatibility-264.patch

Applied after dropping the change on the license file hashes, it should
be done separately. Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH/next 4/7] package/liboauth: Fix build with OpenSSL 1.1.x

[Thomas Petazzoni]

Hello,

On Sat, 25 Aug 2018 11:16:59 +0200, Bernd Kuhls wrote:
> Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
> ---
>  package/liboauth/0001-openssl-1.1.0.patch | 154 ++++++++++++++++++++++
>  1 file changed, 154 insertions(+)
>  create mode 100644 package/liboauth/0001-openssl-1.1.0.patch

Applied to master after reformatting the patch to be Git-formatted.
Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH/next 5/7] package/libtorrent: Fix build with OpenSSL 1.1.x

[Thomas Petazzoni]

Hello,

On Sat, 25 Aug 2018 11:17:00 +0200, Bernd Kuhls wrote:
> Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
> ---
>  package/libtorrent/0002-openssl110.patch | 109 +++++++++++++++++++++++
>  1 file changed, 109 insertions(+)
>  create mode 100644 package/libtorrent/0002-openssl110.patch

Applied to master, thanks. Please use "git format-patch" to generate
patches, and keep the file name proposed by git format-patch.

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH/next 3/7] package/ipsec-tools: Fix build with OpenSSL 1.1.x

[Thomas Petazzoni]

Hello,

On Sat, 25 Aug 2018 11:16:58 +0200, Bernd Kuhls wrote:
> Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
> ---
>  package/ipsec-tools/0006-openssl-1.1.patch | 1104 ++++++++++++++++++++
>  1 file changed, 1104 insertions(+)
>  create mode 100644 package/ipsec-tools/0006-openssl-1.1.patch

So, I was a bit uneasy with applying such a large patch that isn't
accepted upstream. But upstream seems to be dead/unresponsive, and
Debian has added the same patch (with very minor differences).

So, I've applied to master. Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH/next 7/7] package/rdesktop: Fix build with OpenSSL 1.1.x

[Thomas Petazzoni]

Hello,

On Sat, 25 Aug 2018 11:17:02 +0200, Bernd Kuhls wrote:
> Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
> ---
>  package/rdesktop/0002-openssl11.patch | 130 ++++++++++++++++++++++++++
>  1 file changed, 130 insertions(+)
>  create mode 100644 package/rdesktop/0002-openssl11.patch

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com