* [Buildroot] [git commit] package/ipsec-tools: drop package
@ 2020-12-03  9:37 Peter Korsgaard
From: Peter Korsgaard @ 2020-12-03  9:37 UTC (permalink / raw)
  To: buildroot

commit: https://git.buildroot.net/buildroot/commit/?id=a3f58a74e0094bbf960ca9f4161c492b00a849ef
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master

Extract from http://ipsec-tools.sourceforge.net:

"The development of ipsec-tools has been ABANDONED.

ipsec-tools has security issues, and you should not use it. Please
switch to a secure alternative!"

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 Config.in.legacy                                   |    9 +
 package/Config.in                                  |    1 -
 package/ipsec-tools/0001-susv3-legacy.patch        |   35 -
 package/ipsec-tools/0002-configure-automake.patch  |   21 -
 .../0003-Don-t-link-against-libfl.patch            |   92 --
 package/ipsec-tools/0004-CVE-2015-4047.patch       |   26 -
 package/ipsec-tools/0005-CVE-2016-10396.patch      |  208 ----
 package/ipsec-tools/0006-openssl-1.1.patch         | 1104 --------------------
 package/ipsec-tools/Config.in                      |   75 --
 package/ipsec-tools/ipsec-tools.hash               |    6 -
 package/ipsec-tools/ipsec-tools.mk                 |   85 --
 11 files changed, 9 insertions(+), 1653 deletions(-)

diff --git a/Config.in.legacy b/Config.in.legacy
index 9eb18907dd..91689291c9 100644
--- a/Config.in.legacy
+++ b/Config.in.legacy
@@ -144,6 +144,15 @@ endif
 
 ###############################################################################
 
+comment "Legacy options removed in 2021.02"
+
+config BR2_PACKAGE_IPSEC_TOOLS
+	bool "ipsec-tools package was removed"
+	select BR2_LEGACY
+	help
+	  This package has been removed as it has security issues and
+	  has been abandoned since 2014.
+
 comment "Legacy options removed in 2020.11"
 
 config BR2_PACKAGE_OPENCV
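Review bot: The help text of the new `BR2_PACKAGE_IPSEC_TOOLS` legacy entry explains why the package was removed but gives no migration pointer, although the upstream notice quoted in the commit message tells users to switch to a secure alternative. A user whose saved configuration still selects ipsec-tools hits `BR2_LEGACY` and learns only that racoon/setkey are gone, not what to select instead. I would extend the help with one sentence naming a maintained IPsec implementation that is packaged in the tree, for example `Use an actively maintained IPsec/IKE implementation such as strongswan instead.`, after confirming that it covers the configurations ipsec-tools users relied on.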
diff --git a/package/Config.in b/package/Config.in
index 8fcea06433..d32a271113 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2112,7 +2112,6 @@ menu "Networking applications"
 	source "package/iperf/Config.in"
 	source "package/iperf3/Config.in"
 	source "package/iproute2/Config.in"
-	source "package/ipsec-tools/Config.in"
 	source "package/ipset/Config.in"
 	source "package/iptables/Config.in"
 	source "package/iptraf-ng/Config.in"
diff --git a/package/ipsec-tools/0001-susv3-legacy.patch b/package/ipsec-tools/0001-susv3-legacy.patch
deleted file mode 100644
index ea98505622..0000000000
--- a/package/ipsec-tools/0001-susv3-legacy.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-Replaces sysv3 legacy functions with modern equivalents.
-
-Signed-off-by: Julien Boibessot <julien.boibessot@armadeus.com>
-Index: ipsec-tools-0.7.3/src/racoon/pfkey.c
-===================================================================
---- ipsec-tools-0.7.3.orig/src/racoon/pfkey.c	2010-07-12 14:46:52.000000000 +0200
-+++ ipsec-tools-0.7.3/src/racoon/pfkey.c	2010-07-12 15:01:39.000000000 +0200
-@@ -3008,12 +3008,12 @@
- 				struct sockaddr *paddr;
- 
- 				paddr = (struct sockaddr *)(xisr + 1);
--				bcopy(paddr, &(*p_isr)->saidx.src,
-+				memmove(&(*p_isr)->saidx.src, paddr,
- 					sysdep_sa_len(paddr));
- 
- 				paddr = (struct sockaddr *)((caddr_t)paddr
- 							+ sysdep_sa_len(paddr));
--				bcopy(paddr, &(*p_isr)->saidx.dst,
-+				memmove(&(*p_isr)->saidx.dst, paddr,
- 					sysdep_sa_len(paddr));
- 			}
- 
-Index: ipsec-tools-0.7.3/src/racoon/racoonctl.c
-===================================================================
---- ipsec-tools-0.7.3.orig/src/racoon/racoonctl.c	2010-07-12 14:49:51.000000000 +0200
-+++ ipsec-tools-0.7.3/src/racoon/racoonctl.c	2010-07-12 15:00:52.000000000 +0200
-@@ -785,7 +785,7 @@
- 		errx(1, "cannot read source address");
- 
- 	/* We get "ip[port]" strip the port */
--	if ((idx = index(srcaddr, '[')) == NULL) 
-+	if ((idx = strchr(srcaddr, '[')) == NULL)
- 		errx(1, "unexpected source address format");
- 	*idx = '\0';
- 
diff --git a/package/ipsec-tools/0002-configure-automake.patch b/package/ipsec-tools/0002-configure-automake.patch
deleted file mode 100644
index a006516f20..0000000000
--- a/package/ipsec-tools/0002-configure-automake.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-Needed to fix broken autoreconf
-
-Downloaded from
-https://sources.debian.net/src/ipsec-tools/1:0.8.2%2B20140711-8/debian/patches/automake-options/
-
-Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
-
-Index: pkg-ipsec-tools/configure.ac
-===================================================================
---- pkg-ipsec-tools.orig/configure.ac	2014-06-28 17:25:22.000000000 +0200
-+++ pkg-ipsec-tools/configure.ac	2014-06-28 17:28:13.818373322 +0200
-@@ -6,7 +6,8 @@ AC_INIT(ipsec-tools, 0.8.2)
- AC_CONFIG_SRCDIR([configure.ac])
- AC_CONFIG_HEADERS(config.h)
- 
--AM_INIT_AUTOMAKE(dist-bzip2)
-+AC_CONFIG_MACRO_DIR([.])
-+AM_INIT_AUTOMAKE([dist-bzip2 foreign serial-tests])
- 
- AC_ENABLE_SHARED(no)
- 
diff --git a/package/ipsec-tools/0003-Don-t-link-against-libfl.patch b/package/ipsec-tools/0003-Don-t-link-against-libfl.patch
deleted file mode 100644
index 4fa0a02d52..0000000000
--- a/package/ipsec-tools/0003-Don-t-link-against-libfl.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From e48b9097dce7bc2bfbb9e9c542124d3b5cebab39 Mon Sep 17 00:00:00 2001
-From: Paul Barker <paul@paulbarker.me.uk>
-Date: Wed, 5 Mar 2014 13:39:14 +0000
-Subject: [PATCH] Don't link against libfl
-
-We can remove all references to yywrap by adding "%option noyywrap" statements
-to each flex source file that doesn't override yywrap. After this, we no longer
-need to link against libfl and so no longer get errors about undefined
-references to yylex.
-
-Signed-off-by: Paul Barker <paul@paulbarker.me.uk>
-Upstream-status: Submitted 2014-03-11
-    see http://sourceforge.net/p/ipsec-tools/mailman/ipsec-tools-devel/thread/CANyK_8ewmxGA3vBVJW6s1APXPmxPR%2BDFWZ61EL8pCt288aKQ6w%40mail.gmail.com/#msg32088797
-
-Downloaded from
-http://cgit.openembedded.org/meta-openembedded/tree/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-Don-t-link-against-libfl.patch
-
-Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
----
- src/libipsec/Makefile.am | 1 -
- src/racoon/Makefile.am   | 2 +-
- src/racoon/cftoken.l     | 2 ++
- src/setkey/Makefile.am   | 1 -
- src/setkey/token.l       | 2 ++
- 5 files changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/src/libipsec/Makefile.am b/src/libipsec/Makefile.am
-index 6a4e3b3..df1e106 100644
---- a/src/libipsec/Makefile.am
-+++ b/src/libipsec/Makefile.am
-@@ -26,7 +26,6 @@ libipsec_la_SOURCES = \
- # version is current:revision:age.
- # See: http://www.gnu.org/manual/libtool-1.4.2/html_chapter/libtool_6.html#SEC32
- libipsec_la_LDFLAGS = -version-info 0:1:0
--libipsec_la_LIBADD = $(LEXLIB)
- 
- noinst_HEADERS = ipsec_strerror.h
- 
-diff --git a/src/racoon/Makefile.am b/src/racoon/Makefile.am
-index dbaded9..0662957 100644
---- a/src/racoon/Makefile.am
-+++ b/src/racoon/Makefile.am
-@@ -38,7 +38,7 @@ racoon_SOURCES = \
- 	cftoken.l cfparse.y prsa_tok.l prsa_par.y 
- EXTRA_racoon_SOURCES = isakmp_xauth.c isakmp_cfg.c isakmp_unity.c throttle.c \
- 	isakmp_frag.c nattraversal.c security.c $(MISSING_ALGOS)
--racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(LEXLIB) \
-+racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) \
- 	 $(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la
- racoon_DEPENDENCIES = \
- 	$(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(SECCTX_OBJS) \
-diff --git a/src/racoon/cftoken.l b/src/racoon/cftoken.l
-index 490242c..1701922 100644
---- a/src/racoon/cftoken.l
-+++ b/src/racoon/cftoken.l
-@@ -106,6 +106,8 @@ static int incstackp = 0;
- static int yy_first_time = 1;
- %}
- 
-+%option noyywrap
-+
- /* common seciton */
- nl		\n
- ws		[ \t]+
-diff --git a/src/setkey/Makefile.am b/src/setkey/Makefile.am
-index 746c1f1..389e6cf 100644
---- a/src/setkey/Makefile.am
-+++ b/src/setkey/Makefile.am
-@@ -13,7 +13,6 @@ setkey_SOURCES = \
- 
- setkey_LDFLAGS = ../libipsec/libipsec.la
- setkey_DEPENDENCIES = ../libipsec/libipsec.la
--setkey_LDADD = $(LEXLIB)
- 
- noinst_HEADERS = vchar.h extern.h
- man8_MANS = setkey.8
-diff --git a/src/setkey/token.l b/src/setkey/token.l
-index ad3d843..eb23b76 100644
---- a/src/setkey/token.l
-+++ b/src/setkey/token.l
-@@ -88,6 +88,8 @@
- #endif
- %}
- 
-+%option noyywrap
-+
- /* common section */
- nl		\n
- ws		[ \t]+
--- 
-1.9.0
-
diff --git a/package/ipsec-tools/0004-CVE-2015-4047.patch b/package/ipsec-tools/0004-CVE-2015-4047.patch
deleted file mode 100644
index f53fe5cc11..0000000000
--- a/package/ipsec-tools/0004-CVE-2015-4047.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-ipsec-tools: CVE-2015-4047: null pointer dereference crash in racoon
-
-See: https://bugs.gentoo.org/show_bug.cgi?id=550118
-
-Downloaded from
-https://gitweb.gentoo.org/repo/gentoo.git/tree/net-vpn/ipsec-tools/files/ipsec-tools-CVE-2015-4047.patch
-
-See also
-https://sources.debian.net/src/ipsec-tools/1:0.8.2%2B20140711-8/debian/patches/bug785778-null-pointer-deref.patch/
-
-Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
-
---- ./src/racoon/gssapi.c    9 Sep 2006 16:22:09 -0000       1.4
-+++ ./src/racoon/gssapi.c    19 May 2015 15:16:00 -0000      1.6
-@@ -192,6 +192,11 @@
-	gss_name_t princ, canon_princ;
-	OM_uint32 maj_stat, min_stat;
- 
-+	if (iph1->rmconf == NULL) {
-+		plog(LLV_ERROR, LOCATION, NULL, "no remote config\n");
-+		return -1;
-+	}
-+
-	gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
-	if (gps == NULL) {
-		plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n");
diff --git a/package/ipsec-tools/0005-CVE-2016-10396.patch b/package/ipsec-tools/0005-CVE-2016-10396.patch
deleted file mode 100644
index 8ef3b03753..0000000000
--- a/package/ipsec-tools/0005-CVE-2016-10396.patch
+++ /dev/null
@@ -1,208 +0,0 @@
-Fix CVE-2016-10396
-
-Description: Fix remotely exploitable DoS. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396
-Source: vendor; https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682
-Bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986
-
-Downloaded from
-https://github.com/openwrt/packages/blob/master/net/ipsec-tools/patches/010-CVE-2016-10396.patch
-
-Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
-
-Index: ipsec-tools-0.8.2/src/racoon/isakmp_frag.c
-===================================================================
---- ipsec-tools-0.8.2.orig/src/racoon/isakmp_frag.c
-+++ ipsec-tools-0.8.2/src/racoon/isakmp_frag.c
-@@ -1,4 +1,4 @@
--/*	$NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $	*/
-+/*	$NetBSD: isakmp_frag.c,v 1.5.36.1 2017/04/21 16:50:42 bouyer Exp $	*/
- 
- /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
- 
-@@ -173,6 +173,43 @@ vendorid_frag_cap(gen)
- 	return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]);
- }
- 
-+static int 
-+isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item)
-+{
-+	struct isakmp_frag_item *pitem = NULL;
-+	struct isakmp_frag_item *citem = iph1->frag_chain;
-+
-+	/* no frag yet, just insert at beginning of list */
-+	if (iph1->frag_chain == NULL) {
-+		iph1->frag_chain = item;
-+		return 0;
-+	}
-+
-+	do {
-+		/* duplicate fragment number, abort (CVE-2016-10396) */
-+		if (citem->frag_num == item->frag_num)
-+			return -1;
-+
-+		/* need to insert before current item */
-+		if (citem->frag_num > item->frag_num) {
-+			if (pitem != NULL)
-+				pitem->frag_next = item;
-+			else
-+				/* insert at the beginning of the list  */
-+				iph1->frag_chain = item;
-+			item->frag_next = citem;
-+			return 0;
-+		}
-+
-+		pitem = citem;
-+		citem = citem->frag_next;
-+	} while (citem != NULL);
-+
-+	/* we reached the end of the list, insert */
-+	pitem->frag_next = item;
-+	return 0;
-+}
-+
- int 
- isakmp_frag_extract(iph1, msg)
- 	struct ph1handle *iph1;
-@@ -224,39 +261,43 @@ isakmp_frag_extract(iph1, msg)
- 	item->frag_next = NULL;
- 	item->frag_packet = buf;
- 
--	/* Look for the last frag while inserting the new item in the chain */
--	if (item->frag_last)
--		last_frag = item->frag_num;
-+	/* Check for the last frag before inserting the new item in the chain */
-+	if (item->frag_last) {
-+		/* if we have the last fragment, indices must match */
-+		if (iph1->frag_last_index != 0 &&
-+		    item->frag_last != iph1->frag_last_index) {
-+			plog(LLV_ERROR, LOCATION, NULL,
-+			     "Repeated last fragment index mismatch\n");
-+			racoon_free(item);
-+			vfree(buf);
-+			return -1;
-+		}
- 
--	if (iph1->frag_chain == NULL) {
--		iph1->frag_chain = item;
--	} else {
--		struct isakmp_frag_item *current;
-+		last_frag = iph1->frag_last_index = item->frag_num;
-+	}
- 
--		current = iph1->frag_chain;
--		while (current->frag_next) {
--			if (current->frag_last)
--				last_frag = item->frag_num;
--			current = current->frag_next;
--		}
--		current->frag_next = item;
-+	/* insert fragment into chain */
-+	if (isakmp_frag_insert(iph1, item) == -1) {
-+		plog(LLV_ERROR, LOCATION, NULL,
-+		    "Repeated fragment index mismatch\n");
-+		racoon_free(item);
-+		vfree(buf);
-+		return -1;
- 	}
- 
--	/* If we saw the last frag, check if the chain is complete */
-+	/* If we saw the last frag, check if the chain is complete
-+	 * we have a sorted list now, so just walk through */
- 	if (last_frag != 0) {
-+		item = iph1->frag_chain;
- 		for (i = 1; i <= last_frag; i++) {
--			item = iph1->frag_chain;
--			do {
--				if (item->frag_num == i)
--					break;
--				item = item->frag_next;
--			} while (item != NULL);
--
-+			if (item->frag_num != i)
-+				break;
-+			item = item->frag_next;
- 			if (item == NULL) /* Not found */
- 				break;
- 		}
- 
--		if (item != NULL) /* It is complete */
-+		if (i > last_frag) /* It is complete */
- 			return 1;
- 	}
- 		
-@@ -291,15 +332,9 @@ isakmp_frag_reassembly(iph1)
- 	}
- 	data = buf->v;
- 
-+	item = iph1->frag_chain;
- 	for (i = 1; i <= frag_count; i++) {
--		item = iph1->frag_chain;
--		do {
--			if (item->frag_num == i)
--				break;
--			item = item->frag_next;
--		} while (item != NULL);
--
--		if (item == NULL) {
-+		if (item->frag_num != i) {
- 			plog(LLV_ERROR, LOCATION, NULL, 
- 			    "Missing fragment #%d\n", i);
- 			vfree(buf);
-@@ -308,6 +343,7 @@ isakmp_frag_reassembly(iph1)
- 		}
- 		memcpy(data, item->frag_packet->v, item->frag_packet->l);
- 		data += item->frag_packet->l;
-+		item = item->frag_next;
- 	}
- 
- out:
-Index: ipsec-tools-0.8.2/src/racoon/isakmp_inf.c
-===================================================================
---- ipsec-tools-0.8.2.orig/src/racoon/isakmp_inf.c
-+++ ipsec-tools-0.8.2/src/racoon/isakmp_inf.c
-@@ -720,6 +720,7 @@ isakmp_info_send_nx(isakmp, remote, loca
- #endif
- #ifdef ENABLE_FRAG
- 	iph1->frag = 0;
-+	iph1->frag_last_index = 0;
- 	iph1->frag_chain = NULL;
- #endif
- 
-Index: ipsec-tools-0.8.2/src/racoon/isakmp.c
-===================================================================
---- ipsec-tools-0.8.2.orig/src/racoon/isakmp.c
-+++ ipsec-tools-0.8.2/src/racoon/isakmp.c
-@@ -1071,6 +1071,7 @@ isakmp_ph1begin_i(rmconf, remote, local)
- 		iph1->frag = 1;
- 	else
- 		iph1->frag = 0;
-+	iph1->frag_last_index = 0;
- 	iph1->frag_chain = NULL;
- #endif
- 	iph1->approval = NULL;
-@@ -1175,6 +1176,7 @@ isakmp_ph1begin_r(msg, remote, local, et
- #endif
- #ifdef ENABLE_FRAG
- 	iph1->frag = 0;
-+	iph1->frag_last_index = 0;
- 	iph1->frag_chain = NULL;
- #endif
- 	iph1->approval = NULL;
-Index: ipsec-tools-0.8.2/src/racoon/handler.h
-===================================================================
---- ipsec-tools-0.8.2.orig/src/racoon/handler.h
-+++ ipsec-tools-0.8.2/src/racoon/handler.h
-@@ -1,4 +1,4 @@
--/*	$NetBSD: handler.h,v 1.25 2010/11/17 10:40:41 tteras Exp $	*/
-+/*	$NetBSD: handler.h,v 1.26 2017/01/24 19:23:56 christos Exp $	*/
- 
- /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
- 
-@@ -141,6 +141,7 @@ struct ph1handle {
- #endif
- #ifdef ENABLE_FRAG
- 	int frag;			/* IKE phase 1 fragmentation */
-+	int frag_last_index;
- 	struct isakmp_frag_item *frag_chain;	/* Received fragments */
- #endif
- 
diff --git a/package/ipsec-tools/0006-openssl-1.1.patch b/package/ipsec-tools/0006-openssl-1.1.patch
deleted file mode 100644
index 39a7da988d..0000000000
--- a/package/ipsec-tools/0006-openssl-1.1.patch
+++ /dev/null
@@ -1,1104 +0,0 @@
-From 071fec7181255b9234add44865a435dfdefee520 Mon Sep 17 00:00:00 2001
-In-Reply-To: <20180528120513.560-1-cote2004-github@yahoo.com>
-References: <20180528120513.560-1-cote2004-github@yahoo.com>
-From: Eneas U de Queiroz <cote2004-github@yahoo.com>
-Date: Wed, 30 May 2018 15:42:20 -0300
-Subject: [PATCH] ipsec-tools: add openssl 1.1 support
-To: equeiroz at troianet.com.br
-
-This patch updates the calls to openssl 1.1 API, and adds a
-compatibility layer so it compiles with (at least) openssl 1.0.2, I
-haven't tested it with lower versions, but all that's needed is to edit
-the openssl_compat.* files and add the missing functions there--they're
-usually trivial.
-
-Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
-
-Downloaded from
-https://github.com/openwrt/packages/blob/master/net/ipsec-tools/patches/015-openssl-1.1.patch
-
-Patch was sent upstream:
-https://sourceforge.net/p/ipsec-tools/mailman/ipsec-tools-devel/thread/20180528120513.560-1-cote2004-github%40yahoo.com/#msg36327963
-
-Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
----
- src/racoon/Makefile.am      |  10 +--
- src/racoon/algorithm.c      |   6 +-
- src/racoon/cfparse.y        |   2 +-
- src/racoon/crypto_openssl.c | 197 +++++++++++++++++++++-------------------
- src/racoon/crypto_openssl.h |   2 +-
- src/racoon/eaytest.c        |   7 +-
- src/racoon/ipsec_doi.c      |   2 +-
- src/racoon/openssl_compat.c | 213 ++++++++++++++++++++++++++++++++++++++++++++
- src/racoon/openssl_compat.h |  45 ++++++++++
- src/racoon/plainrsa-gen.c   |  41 +++++----
- src/racoon/prsa_par.y       |  28 ++++--
- src/racoon/rsalist.c        |   5 +-
- 12 files changed, 431 insertions(+), 127 deletions(-)
- create mode 100644 src/racoon/openssl_compat.c
- create mode 100644 src/racoon/openssl_compat.h
-
-diff --git a/src/racoon/Makefile.am b/src/racoon/Makefile.am
-index dbaded9..4c585f3 100644
---- a/src/racoon/Makefile.am
-+++ b/src/racoon/Makefile.am
-@@ -4,7 +4,7 @@ sbin_PROGRAMS = racoon racoonctl plainrsa-gen
- noinst_PROGRAMS = eaytest
- include_racoon_HEADERS = racoonctl.h var.h vmbuf.h misc.h gcmalloc.h admin.h \
- 	schedule.h sockmisc.h isakmp_var.h isakmp.h isakmp_xauth.h \
--	isakmp_cfg.h isakmp_unity.h ipsec_doi.h evt.h
-+	isakmp_cfg.h isakmp_unity.h ipsec_doi.h evt.h openssl_compat.h
- lib_LTLIBRARIES = libracoon.la
- 
- adminsockdir=${localstatedir}/racoon
-@@ -32,7 +32,7 @@ racoon_SOURCES = \
- 	gssapi.c dnssec.c getcertsbyname.c privsep.c \
- 	pfkey.c admin.c evt.c ipsec_doi.c oakley.c grabmyaddr.c vendorid.c \
- 	policy.c localconf.c remoteconf.c crypto_openssl.c algorithm.c \
--	proposal.c sainfo.c strnames.c \
-+	openssl_compat.c proposal.c sainfo.c strnames.c \
- 	plog.c logger.c schedule.c str2val.c \
- 	safefile.c backupsa.c genlist.c rsalist.c \
- 	cftoken.l cfparse.y prsa_tok.l prsa_par.y 
-@@ -51,12 +51,12 @@ libracoon_la_SOURCES = kmpstat.c vmbuf.c sockmisc.c misc.c
- libracoon_la_CFLAGS = -DNOUSE_PRIVSEP $(AM_CFLAGS)
- 
- plainrsa_gen_SOURCES = plainrsa-gen.c plog.c \
--	crypto_openssl.c logger.c 
-+	crypto_openssl.c logger.c openssl_compat.c
- EXTRA_plainrsa_gen_SOURCES = $(MISSING_ALGOS)
- plainrsa_gen_LDADD = $(CRYPTOBJS) vmbuf.o misc.o
- plainrsa_gen_DEPENDENCIES = $(CRYPTOBJS) vmbuf.o misc.o
- 
--eaytest_SOURCES = eaytest.c plog.c logger.c
-+eaytest_SOURCES = eaytest.c plog.c logger.c openssl_compat.c
- EXTRA_eaytest_SOURCES = missing/crypto/sha2/sha2.c
- eaytest_LDADD =	crypto_openssl_test.o vmbuf.o str2val.o misc_noplog.o \
- 	$(CRYPTOBJS)
-@@ -75,7 +75,7 @@ noinst_HEADERS = \
- 	debugrm.h         isakmp.h      misc.h          sainfo.h \
- 	dhgroup.h         isakmp_agg.h  netdb_dnssec.h  schedule.h \
- 	isakmp_cfg.h      isakmp_xauth.h isakmp_unity.h isakmp_frag.h \
--	throttle.h	  privsep.h \
-+	throttle.h	  privsep.h     openssl_compat.h \
- 	cfparse_proto.h	  cftoken_proto.h genlist.h     rsalist.h \
- 	missing/crypto/sha2/sha2.h missing/crypto/rijndael/rijndael_local.h \
- 	missing/crypto/rijndael/rijndael-api-fst.h \
-diff --git a/src/racoon/algorithm.c b/src/racoon/algorithm.c
-index 3fd50f6..66c874b 100644
---- a/src/racoon/algorithm.c
-+++ b/src/racoon/algorithm.c
-@@ -128,7 +128,7 @@ static struct enc_algorithm oakley_encdef[] = {
- { "aes",	algtype_aes,	OAKLEY_ATTR_ENC_ALG_AES,	16,
- 		eay_aes_encrypt,	eay_aes_decrypt,
- 		eay_aes_weakkey,	eay_aes_keylen, },
--#ifdef HAVE_OPENSSL_CAMELLIA_H
-+#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA)
- { "camellia",	algtype_camellia,	OAKLEY_ATTR_ENC_ALG_CAMELLIA,	16,
- 		eay_camellia_encrypt,	eay_camellia_decrypt,
- 		eay_camellia_weakkey,	eay_camellia_keylen, },
-@@ -168,7 +168,7 @@ static struct enc_algorithm ipsec_encdef[] = {
- { "twofish",	algtype_twofish,	IPSECDOI_ESP_TWOFISH,		16,
- 		NULL,			NULL,
- 		NULL,			eay_twofish_keylen, },
--#ifdef HAVE_OPENSSL_IDEA_H
-+#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA)
- { "3idea",	algtype_3idea,		IPSECDOI_ESP_3IDEA,		8,
- 		NULL,			NULL,
- 		NULL,			NULL, },
-@@ -179,7 +179,7 @@ static struct enc_algorithm ipsec_encdef[] = {
- { "rc4",	algtype_rc4,		IPSECDOI_ESP_RC4,		8,
- 		NULL,			NULL,
- 		NULL,			NULL, },
--#ifdef HAVE_OPENSSL_CAMELLIA_H
-+#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA)
- { "camellia",	algtype_camellia,	IPSECDOI_ESP_CAMELLIA,		16,
- 		NULL,			NULL,
- 		NULL,			eay_camellia_keylen, },
-diff --git a/src/racoon/cfparse.y b/src/racoon/cfparse.y
-index 0d9bd67..8415752 100644
---- a/src/racoon/cfparse.y
-+++ b/src/racoon/cfparse.y
-@@ -2564,7 +2564,7 @@ set_isakmp_proposal(rmconf)
- 		plog(LLV_DEBUG2, LOCATION, NULL,
- 			"encklen=%d\n", s->encklen);
- 
--		memset(types, 0, ARRAYLEN(types));
-+		memset(types, 0, sizeof types);
- 		types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc];
- 		types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash];
- 		types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh];
-diff --git a/src/racoon/crypto_openssl.c b/src/racoon/crypto_openssl.c
-index 55b076a..8fb358f 100644
---- a/src/racoon/crypto_openssl.c
-+++ b/src/racoon/crypto_openssl.c
-@@ -90,6 +90,7 @@
- #endif
- #endif
- #include "plog.h"
-+#include "openssl_compat.h"
- 
- #define USE_NEW_DES_API
- 
-@@ -316,9 +317,12 @@ eay_cmp_asn1dn(n1, n2)
- 			i = idx+1;
- 			goto end;
- 		}
--		if ((ea->value->length == 1 && ea->value->data[0] == '*') ||
--		    (eb->value->length == 1 && eb->value->data[0] == '*')) {
--	    		if (OBJ_cmp(ea->object,eb->object)) {
-+		ASN1_STRING *sa = X509_NAME_ENTRY_get_data(ea);
-+		ASN1_STRING *sb = X509_NAME_ENTRY_get_data(eb);
-+		if ((ASN1_STRING_length(sa) == 1 && ASN1_STRING_get0_data(sa)[0] == '*') ||
-+		    (ASN1_STRING_length(sb) == 1 && ASN1_STRING_get0_data(sb)[0] == '*')) {
-+	    		if (OBJ_cmp(X509_NAME_ENTRY_get_object(ea),
-+				    X509_NAME_ENTRY_get_object(eb))) {
- 				i = idx+1;
- 				goto end;
- 	    		}
-@@ -430,7 +434,7 @@ cb_check_cert_local(ok, ctx)
- 
- 	if (!ok) {
- 		X509_NAME_oneline(
--				X509_get_subject_name(ctx->current_cert),
-+				X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)),
- 				buf,
- 				256);
- 		/*
-@@ -438,7 +442,8 @@ cb_check_cert_local(ok, ctx)
- 		 * ok if they are self signed. But we should still warn
- 		 * the user.
-  		 */
--		switch (ctx->error) {
-+		int ctx_error = X509_STORE_CTX_get_error(ctx);
-+		switch (ctx_error) {
- 		case X509_V_ERR_CERT_HAS_EXPIRED:
- 		case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
- 		case X509_V_ERR_INVALID_CA:
-@@ -453,9 +458,9 @@ cb_check_cert_local(ok, ctx)
- 		}
- 		plog(log_tag, LOCATION, NULL,
- 			"%s(%d) at depth:%d SubjectName:%s\n",
--			X509_verify_cert_error_string(ctx->error),
--			ctx->error,
--			ctx->error_depth,
-+			X509_verify_cert_error_string(ctx_error),
-+			ctx_error,
-+			X509_STORE_CTX_get_error_depth(ctx),
- 			buf);
- 	}
- 	ERR_clear_error();
-@@ -477,10 +482,11 @@ cb_check_cert_remote(ok, ctx)
- 
- 	if (!ok) {
- 		X509_NAME_oneline(
--				X509_get_subject_name(ctx->current_cert),
-+				X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)),
- 				buf,
- 				256);
--		switch (ctx->error) {
-+		int ctx_error=X509_STORE_CTX_get_error(ctx);
-+		switch (ctx_error) {
- 		case X509_V_ERR_UNABLE_TO_GET_CRL:
- 			ok = 1;
- 			log_tag = LLV_WARNING;
-@@ -490,9 +496,9 @@ cb_check_cert_remote(ok, ctx)
- 		}
- 		plog(log_tag, LOCATION, NULL,
- 			"%s(%d) at depth:%d SubjectName:%s\n",
--			X509_verify_cert_error_string(ctx->error),
--			ctx->error,
--			ctx->error_depth,
-+			X509_verify_cert_error_string(ctx_error),
-+			ctx_error,
-+			X509_STORE_CTX_get_error_depth(ctx),
- 			buf);
- 	}
- 	ERR_clear_error();
-@@ -516,14 +522,15 @@ eay_get_x509asn1subjectname(cert)
- 	if (x509 == NULL)
- 		goto error;
- 
-+	X509_NAME *subject_name = X509_get_subject_name(x509);
- 	/* get the length of the name */
--	len = i2d_X509_NAME(x509->cert_info->subject, NULL);
-+	len = i2d_X509_NAME(subject_name, NULL);
- 	name = vmalloc(len);
- 	if (!name)
- 		goto error;
- 	/* get the name */
- 	bp = (unsigned char *) name->v;
--	len = i2d_X509_NAME(x509->cert_info->subject, &bp);
-+	len = i2d_X509_NAME(subject_name, &bp);
- 
- 	X509_free(x509);
- 
-@@ -661,15 +668,16 @@ eay_get_x509asn1issuername(cert)
- 	if (x509 == NULL)
- 		goto error;
- 
-+	X509_NAME *issuer_name = X509_get_issuer_name(x509);
- 	/* get the length of the name */
--	len = i2d_X509_NAME(x509->cert_info->issuer, NULL);
-+	len = i2d_X509_NAME(issuer_name, NULL);
- 	name = vmalloc(len);
- 	if (name == NULL)
- 		goto error;
- 
- 	/* get the name */
- 	bp = (unsigned char *) name->v;
--	len = i2d_X509_NAME(x509->cert_info->issuer, &bp);
-+	len = i2d_X509_NAME(issuer_name, &bp);
- 
- 	X509_free(x509);
- 
-@@ -850,7 +858,7 @@ eay_check_x509sign(source, sig, cert)
- 		return -1;
- 	}
- 
--	res = eay_rsa_verify(source, sig, evp->pkey.rsa);
-+	res = eay_rsa_verify(source, sig, EVP_PKEY_get0_RSA(evp));
- 
- 	EVP_PKEY_free(evp);
- 	X509_free(x509);
-@@ -992,7 +1000,7 @@ eay_get_x509sign(src, privkey)
- 	if (evp == NULL)
- 		return NULL;
- 
--	sig = eay_rsa_sign(src, evp->pkey.rsa);
-+	sig = eay_rsa_sign(src, EVP_PKEY_get0_RSA(evp));
- 
- 	EVP_PKEY_free(evp);
- 
-@@ -1079,7 +1087,11 @@ eay_strerror()
- 	int line, flags;
- 	unsigned long es;
- 
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+	es = 0; /* even when allowed by OPENSSL_API_COMPAT, it is defined as 0 */
-+#else
- 	es = CRYPTO_thread_id();
-+#endif
- 
- 	while ((l = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0){
- 		n = snprintf(ebuf + len, sizeof(ebuf) - len,
-@@ -1100,7 +1112,7 @@ vchar_t *
- evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc)
- {
- 	vchar_t *res;
--	EVP_CIPHER_CTX ctx;
-+	EVP_CIPHER_CTX *ctx;
- 
- 	if (!e)
- 		return NULL;
-@@ -1111,7 +1123,7 @@ evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc
- 	if ((res = vmalloc(data->l)) == NULL)
- 		return NULL;
- 
--	EVP_CIPHER_CTX_init(&ctx);
-+	ctx = EVP_CIPHER_CTX_new();
- 
- 	switch(EVP_CIPHER_nid(e)){
- 	case NID_bf_cbc:
-@@ -1125,54 +1137,41 @@ evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc
- 		/* XXX: can we do that also for algos with a fixed key size ?
- 		 */
- 		/* init context without key/iv
--         */
--        if (!EVP_CipherInit(&ctx, e, NULL, NULL, enc))
--        {
--            OpenSSL_BUG();
--            vfree(res);
--            return NULL;
--        }
-+                 */
-+		if (!EVP_CipherInit(ctx, e, NULL, NULL, enc))
-+			goto out;
- 		
--        /* update key size
--         */
--        if (!EVP_CIPHER_CTX_set_key_length(&ctx, key->l))
--        {
--            OpenSSL_BUG();
--            vfree(res);
--            return NULL;
--        }
--
--        /* finalize context init with desired key size
--         */
--        if (!EVP_CipherInit(&ctx, NULL, (u_char *) key->v,
-+		/* update key size
-+		 */
-+		if (!EVP_CIPHER_CTX_set_key_length(ctx, key->l))
-+			goto out;
-+
-+		/* finalize context init with desired key size
-+		 */
-+		if (!EVP_CipherInit(ctx, NULL, (u_char *) key->v,
- 							(u_char *) iv->v, enc))
--        {
--            OpenSSL_BUG();
--            vfree(res);
--            return NULL;
--		}
-+			goto out;
- 		break;
- 	default:
--		if (!EVP_CipherInit(&ctx, e, (u_char *) key->v, 
--							(u_char *) iv->v, enc)) {
--			OpenSSL_BUG();
--			vfree(res);
--			return NULL;
--		}
-+		if (!EVP_CipherInit(ctx, e, (u_char *) key->v,
-+							(u_char *) iv->v, enc))
-+            		goto out;
- 	}
- 
- 	/* disable openssl padding */
--	EVP_CIPHER_CTX_set_padding(&ctx, 0); 
-+	EVP_CIPHER_CTX_set_padding(ctx, 0);
- 	
--	if (!EVP_Cipher(&ctx, (u_char *) res->v, (u_char *) data->v, data->l)) {
--		OpenSSL_BUG();
--		vfree(res);
--		return NULL;
--	}
-+	if (!EVP_Cipher(ctx, (u_char *) res->v, (u_char *) data->v, data->l))
-+		goto out;
- 
--	EVP_CIPHER_CTX_cleanup(&ctx);
-+	EVP_CIPHER_CTX_free(ctx);
- 
- 	return res;
-+out:
-+	EVP_CIPHER_CTX_free(ctx);
-+	OpenSSL_BUG();
-+	vfree(res);
-+	return NULL;
- }
- 
- int
-@@ -1230,7 +1229,7 @@ eay_des_keylen(len)
- 	return evp_keylen(len, EVP_des_cbc());
- }
- 
--#ifdef HAVE_OPENSSL_IDEA_H
-+#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA)
- /*
-  * IDEA-CBC
-  */
-@@ -1587,7 +1586,7 @@ eay_aes_keylen(len)
- 	return len;
- }
- 
--#if defined(HAVE_OPENSSL_CAMELLIA_H)
-+#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA)
- /*
-  * CAMELLIA-CBC
-  */
-@@ -1680,9 +1679,9 @@ eay_hmac_init(key, md)
- 	vchar_t *key;
- 	const EVP_MD *md;
- {
--	HMAC_CTX *c = racoon_malloc(sizeof(*c));
-+	HMAC_CTX *c = HMAC_CTX_new();
- 
--	HMAC_Init(c, key->v, key->l, md);
-+	HMAC_Init_ex(c, key->v, key->l, md, NULL);
- 
- 	return (caddr_t)c;
- }
-@@ -1761,8 +1760,7 @@ eay_hmacsha2_512_final(c)
- 
- 	HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
- 	res->l = l;
--	HMAC_cleanup((HMAC_CTX *)c);
--	(void)racoon_free(c);
-+	HMAC_CTX_free((HMAC_CTX *)c);
- 
- 	if (SHA512_DIGEST_LENGTH != res->l) {
- 		plog(LLV_ERROR, LOCATION, NULL,
-@@ -1811,8 +1809,7 @@ eay_hmacsha2_384_final(c)
- 
- 	HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
- 	res->l = l;
--	HMAC_cleanup((HMAC_CTX *)c);
--	(void)racoon_free(c);
-+	HMAC_CTX_free((HMAC_CTX *)c);
- 
- 	if (SHA384_DIGEST_LENGTH != res->l) {
- 		plog(LLV_ERROR, LOCATION, NULL,
-@@ -1861,8 +1858,7 @@ eay_hmacsha2_256_final(c)
- 
- 	HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
- 	res->l = l;
--	HMAC_cleanup((HMAC_CTX *)c);
--	(void)racoon_free(c);
-+	HMAC_CTX_free((HMAC_CTX *)c);
- 
- 	if (SHA256_DIGEST_LENGTH != res->l) {
- 		plog(LLV_ERROR, LOCATION, NULL,
-@@ -1912,8 +1908,7 @@ eay_hmacsha1_final(c)
- 
- 	HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
- 	res->l = l;
--	HMAC_cleanup((HMAC_CTX *)c);
--	(void)racoon_free(c);
-+	HMAC_CTX_free((HMAC_CTX *)c);
- 
- 	if (SHA_DIGEST_LENGTH != res->l) {
- 		plog(LLV_ERROR, LOCATION, NULL,
-@@ -1962,8 +1957,7 @@ eay_hmacmd5_final(c)
- 
- 	HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
- 	res->l = l;
--	HMAC_cleanup((HMAC_CTX *)c);
--	(void)racoon_free(c);
-+	HMAC_CTX_free((HMAC_CTX *)c);
- 
- 	if (MD5_DIGEST_LENGTH != res->l) {
- 		plog(LLV_ERROR, LOCATION, NULL,
-@@ -2266,6 +2260,7 @@ eay_dh_generate(prime, g, publen, pub, priv)
- 	u_int32_t g;
- {
- 	BIGNUM *p = NULL;
-+	BIGNUM *BNg = NULL;
- 	DH *dh = NULL;
- 	int error = -1;
- 
-@@ -2276,25 +2271,28 @@ eay_dh_generate(prime, g, publen, pub, priv)
- 
- 	if ((dh = DH_new()) == NULL)
- 		goto end;
--	dh->p = p;
--	p = NULL;	/* p is now part of dh structure */
--	dh->g = NULL;
--	if ((dh->g = BN_new()) == NULL)
-+	if ((BNg = BN_new()) == NULL)
- 		goto end;
--	if (!BN_set_word(dh->g, g))
-+	if (!BN_set_word(BNg, g))
- 		goto end;
-+	if (! DH_set0_pqg(dh, p, NULL, BNg))
-+		goto end;
-+	BNg = NULL;
-+	p = NULL;	/* p is now part of dh structure */
- 
- 	if (publen != 0)
--		dh->length = publen;
-+		DH_set_length(dh, publen);
- 
- 	/* generate public and private number */
- 	if (!DH_generate_key(dh))
- 		goto end;
- 
- 	/* copy results to buffers */
--	if (eay_bn2v(pub, dh->pub_key) < 0)
-+	BIGNUM *pub_key, *priv_key;
-+	DH_get0_key(dh, (const BIGNUM**) &pub_key, (const BIGNUM**) &priv_key);
-+	if (eay_bn2v(pub, pub_key) < 0)
- 		goto end;
--	if (eay_bn2v(priv, dh->priv_key) < 0) {
-+	if (eay_bn2v(priv, priv_key) < 0) {
- 		vfree(*pub);
- 		goto end;
- 	}
-@@ -2306,6 +2304,8 @@ end:
- 		DH_free(dh);
- 	if (p != 0)
- 		BN_free(p);
-+	if (BNg != 0)
-+		BN_free(BNg);
- 	return(error);
- }
- 
-@@ -2319,6 +2319,10 @@ eay_dh_compute(prime, g, pub, priv, pub2, key)
- 	int l;
- 	unsigned char *v = NULL;
- 	int error = -1;
-+	BIGNUM *p = BN_new();
-+	BIGNUM *BNg = BN_new();
-+	BIGNUM *pub_key = BN_new();
-+	BIGNUM *priv_key = BN_new();
- 
- 	/* make public number to compute */
- 	if (eay_v2bn(&dh_pub, pub2) < 0)
-@@ -2327,19 +2331,21 @@ eay_dh_compute(prime, g, pub, priv, pub2, key)
- 	/* make DH structure */
- 	if ((dh = DH_new()) == NULL)
- 		goto end;
--	if (eay_v2bn(&dh->p, prime) < 0)
-+	if (p == NULL || BNg == NULL || pub_key == NULL || priv_key == NULL)
- 		goto end;
--	if (eay_v2bn(&dh->pub_key, pub) < 0)
-+
-+	if (eay_v2bn(&p, prime) < 0)
- 		goto end;
--	if (eay_v2bn(&dh->priv_key, priv) < 0)
-+	if (eay_v2bn(&pub_key, pub) < 0)
- 		goto end;
--	dh->length = pub2->l * 8;
--
--	dh->g = NULL;
--	if ((dh->g = BN_new()) == NULL)
-+	if (eay_v2bn(&priv_key, priv) < 0)
- 		goto end;
--	if (!BN_set_word(dh->g, g))
-+	if (!BN_set_word(BNg, g))
- 		goto end;
-+	DH_set0_key(dh, pub_key, priv_key);
-+	DH_set_length(dh, pub2->l * 8);
-+	DH_set0_pqg(dh, p, NULL, BNg);
-+	pub_key = priv_key = p = BNg = NULL;
- 
- 	if ((v = racoon_calloc(prime->l, sizeof(u_char))) == NULL)
- 		goto end;
-@@ -2350,6 +2356,14 @@ eay_dh_compute(prime, g, pub, priv, pub2, key)
- 	error = 0;
- 
- end:
-+	if (p != NULL)
-+		BN_free(p);
-+	if (BNg != NULL)
-+		BN_free(BNg);
-+	if (pub_key != NULL)
-+		BN_free(pub_key);
-+	if (priv_key != NULL)
-+		BN_free(priv_key);
- 	if (dh_pub != NULL)
- 		BN_free(dh_pub);
- 	if (dh != NULL)
-@@ -2400,12 +2414,14 @@ eay_bn2v(var, bn)
- void
- eay_init()
- {
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 	OpenSSL_add_all_algorithms();
- 	ERR_load_crypto_strings();
- #ifdef HAVE_OPENSSL_ENGINE_H
- 	ENGINE_load_builtin_engines();
- 	ENGINE_register_all_complete();
- #endif
-+#endif
- }
- 
- vchar_t *
-@@ -2504,8 +2520,7 @@ binbuf_pubkey2rsa(vchar_t *binbuf)
- 		goto out;
- 	}
- 	
--	rsa_pub->n = mod;
--	rsa_pub->e = exp;
-+	RSA_set0_key(rsa_pub, mod, exp, NULL);
- 
- out:
- 	return rsa_pub;
-@@ -2582,5 +2597,5 @@ eay_random()
- const char *
- eay_version()
- {
--	return SSLeay_version(SSLEAY_VERSION);
-+	return OpenSSL_version(OPENSSL_VERSION);
- }
-diff --git a/src/racoon/crypto_openssl.h b/src/racoon/crypto_openssl.h
-index 66fac73..ee5b765 100644
---- a/src/racoon/crypto_openssl.h
-+++ b/src/racoon/crypto_openssl.h
-@@ -124,7 +124,7 @@ extern vchar_t *eay_aes_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
- extern int eay_aes_weakkey __P((vchar_t *));
- extern int eay_aes_keylen __P((int));
- 
--#if defined(HAVE_OPENSSL_CAMELLIA_H)
-+#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA)
- /* Camellia */
- extern vchar_t *eay_camellia_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
- extern vchar_t *eay_camellia_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
-diff --git a/src/racoon/eaytest.c b/src/racoon/eaytest.c
-index 1474bdc..ae09db3 100644
---- a/src/racoon/eaytest.c
-+++ b/src/racoon/eaytest.c
-@@ -62,6 +62,7 @@
- #include "dhgroup.h"
- #include "crypto_openssl.h"
- #include "gnuc.h"
-+#include "openssl_compat.h"
- 
- #include "package_version.h"
- 
-@@ -103,7 +104,7 @@ rsa_verify_with_pubkey(src, sig, pubkey_txt)
- 		printf ("PEM_read_PUBKEY(): %s\n", eay_strerror());
- 		return -1;
- 	}
--	error = eay_check_rsasign(src, sig, evp->pkey.rsa);
-+	error = eay_check_rsasign(src, sig, EVP_PKEY_get0_RSA(evp));
- 
- 	return error;
- }
-@@ -698,7 +699,7 @@ ciphertest(ac, av)
- 			  eay_cast_encrypt, eay_cast_decrypt) < 0)
- 	  return -1;
- 	
--#ifdef HAVE_OPENSSL_IDEA_H
-+#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA)
- 	if (ciphertest_1 ("IDEA",
- 			  &data, 8,
- 			  &key, key.l,
-@@ -715,7 +716,7 @@ ciphertest(ac, av)
- 			  eay_rc5_encrypt, eay_rc5_decrypt) < 0)
- 	  return -1;
- #endif
--#if defined(HAVE_OPENSSL_CAMELLIA_H)
-+#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA)
- 	if (ciphertest_1 ("CAMELLIA",
- 			  &data, 16,
- 			  &key, key.l,
-diff --git a/src/racoon/ipsec_doi.c b/src/racoon/ipsec_doi.c
-index 84a4c71..b52469f 100644
---- a/src/racoon/ipsec_doi.c
-+++ b/src/racoon/ipsec_doi.c
-@@ -715,7 +715,7 @@ out:
- 	/* key length must not be specified on some algorithms */
- 	if (keylen) {
- 		if (sa->enctype == OAKLEY_ATTR_ENC_ALG_DES
--#ifdef HAVE_OPENSSL_IDEA_H
-+#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA)
- 		 || sa->enctype == OAKLEY_ATTR_ENC_ALG_IDEA
- #endif
- 		 || sa->enctype == OAKLEY_ATTR_ENC_ALG_3DES) {
-diff --git a/src/racoon/openssl_compat.c b/src/racoon/openssl_compat.c
-new file mode 100644
-index 0000000..864b5fb
---- /dev/null
-+++ b/src/racoon/openssl_compat.c
-@@ -0,0 +1,213 @@
-+/*
-+ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
-+ *
-+ * Licensed under the OpenSSL license (the "License").  You may not use
-+ * this file except in compliance with the License.  You can obtain a copy
-+ * in the file LICENSE in the source distribution or at
-+ * https://www.openssl.org/source/license.html
-+ */
-+
-+#include "openssl_compat.h"
-+
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+
-+#include <string.h>
-+
-+static void *OPENSSL_zalloc(size_t num)
-+{
-+    void *ret = OPENSSL_malloc(num);
-+
-+    if (ret != NULL)
-+        memset(ret, 0, num);
-+    return ret;
-+}
-+
-+int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
-+{
-+    /* If the fields n and e in r are NULL, the corresponding input
-+     * parameters MUST be non-NULL for n and e.  d may be
-+     * left NULL (in case only the public key is used).
-+     */
-+    if ((r->n == NULL && n == NULL)
-+        || (r->e == NULL && e == NULL))
-+        return 0;
-+
-+    if (n != NULL) {
-+        BN_free(r->n);
-+        r->n = n;
-+    }
-+    if (e != NULL) {
-+        BN_free(r->e);
-+        r->e = e;
-+    }
-+    if (d != NULL) {
-+        BN_free(r->d);
-+        r->d = d;
-+    }
-+
-+    return 1;
-+}
-+
-+int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
-+{
-+    /* If the fields p and q in r are NULL, the corresponding input
-+     * parameters MUST be non-NULL.
-+     */
-+    if ((r->p == NULL && p == NULL)
-+        || (r->q == NULL && q == NULL))
-+        return 0;
-+
-+    if (p != NULL) {
-+        BN_free(r->p);
-+        r->p = p;
-+    }
-+    if (q != NULL) {
-+        BN_free(r->q);
-+        r->q = q;
-+    }
-+
-+    return 1;
-+}
-+
-+int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
-+{
-+    /* If the fields dmp1, dmq1 and iqmp in r are NULL, the corresponding input
-+     * parameters MUST be non-NULL.
-+     */
-+    if ((r->dmp1 == NULL && dmp1 == NULL)
-+        || (r->dmq1 == NULL && dmq1 == NULL)
-+        || (r->iqmp == NULL && iqmp == NULL))
-+        return 0;
-+
-+    if (dmp1 != NULL) {
-+        BN_free(r->dmp1);
-+        r->dmp1 = dmp1;
-+    }
-+    if (dmq1 != NULL) {
-+        BN_free(r->dmq1);
-+        r->dmq1 = dmq1;
-+    }
-+    if (iqmp != NULL) {
-+        BN_free(r->iqmp);
-+        r->iqmp = iqmp;
-+    }
-+
-+    return 1;
-+}
-+
-+void RSA_get0_key(const RSA *r,
-+                  const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
-+{
-+    if (n != NULL)
-+        *n = r->n;
-+    if (e != NULL)
-+        *e = r->e;
-+    if (d != NULL)
-+        *d = r->d;
-+}
-+
-+void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q)
-+{
-+    if (p != NULL)
-+        *p = r->p;
-+    if (q != NULL)
-+        *q = r->q;
-+}
-+
-+void RSA_get0_crt_params(const RSA *r,
-+                         const BIGNUM **dmp1, const BIGNUM **dmq1,
-+                         const BIGNUM **iqmp)
-+{
-+    if (dmp1 != NULL)
-+        *dmp1 = r->dmp1;
-+    if (dmq1 != NULL)
-+        *dmq1 = r->dmq1;
-+    if (iqmp != NULL)
-+        *iqmp = r->iqmp;
-+}
-+
-+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
-+{
-+    /* If the fields p and g in d are NULL, the corresponding input
-+     * parameters MUST be non-NULL.  q may remain NULL.
-+     */
-+    if ((dh->p == NULL && p == NULL)
-+        || (dh->g == NULL && g == NULL))
-+        return 0;
-+
-+    if (p != NULL) {
-+        BN_free(dh->p);
-+        dh->p = p;
-+    }
-+    if (q != NULL) {
-+        BN_free(dh->q);
-+        dh->q = q;
-+    }
-+    if (g != NULL) {
-+        BN_free(dh->g);
-+        dh->g = g;
-+    }
-+
-+    if (q != NULL) {
-+        dh->length = BN_num_bits(q);
-+    }
-+
-+    return 1;
-+}
-+
-+void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key)
-+{
-+    if (pub_key != NULL)
-+        *pub_key = dh->pub_key;
-+    if (priv_key != NULL)
-+        *priv_key = dh->priv_key;
-+}
-+
-+int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)
-+{
-+    /* If the field pub_key in dh is NULL, the corresponding input
-+     * parameters MUST be non-NULL.  The priv_key field may
-+     * be left NULL.
-+     */
-+    if (dh->pub_key == NULL && pub_key == NULL)
-+        return 0;
-+
-+    if (pub_key != NULL) {
-+        BN_free(dh->pub_key);
-+        dh->pub_key = pub_key;
-+    }
-+    if (priv_key != NULL) {
-+        BN_free(dh->priv_key);
-+        dh->priv_key = priv_key;
-+    }
-+
-+    return 1;
-+}
-+
-+int DH_set_length(DH *dh, long length)
-+{
-+    dh->length = length;
-+    return 1;
-+}
-+
-+HMAC_CTX *HMAC_CTX_new(void)
-+{
-+    return OPENSSL_zalloc(sizeof(HMAC_CTX));
-+}
-+
-+void HMAC_CTX_free(HMAC_CTX *ctx)
-+{
-+    HMAC_CTX_cleanup(ctx);
-+    OPENSSL_free(ctx);
-+}
-+
-+RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
-+{
-+    if (pkey->type != EVP_PKEY_RSA) {
-+        return NULL;
-+    }
-+    return pkey->pkey.rsa;
-+}
-+
-+
-+#endif /* OPENSSL_VERSION_NUMBER */
-diff --git a/src/racoon/openssl_compat.h b/src/racoon/openssl_compat.h
-new file mode 100644
-index 0000000..9e152c2
---- /dev/null
-+++ b/src/racoon/openssl_compat.h
-@@ -0,0 +1,45 @@
-+#ifndef OPENSSL_COMPAT_H
-+#define OPENSSL_COMPAT_H
-+
-+#include <openssl/opensslv.h>
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+
-+#include <openssl/rsa.h>
-+#include <openssl/dh.h>
-+#include <openssl/evp.h>
-+#include <openssl/hmac.h>
-+
-+int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
-+int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q);
-+int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp);
-+void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d);
-+void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q);
-+void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, const BIGNUM **iqmp);
-+
-+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
-+void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key);
-+int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key);
-+int DH_set_length(DH *dh, long length);
-+
-+HMAC_CTX *HMAC_CTX_new(void);
-+void HMAC_CTX_free(HMAC_CTX* ctx);
-+
-+RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey);
-+
-+#define ASN1_STRING_length(s) s->length
-+#define ASN1_STRING_get0_data(s) s->data
-+
-+#define X509_get_subject_name(x) x->cert_info->subject
-+#define X509_get_issuer_name(x) x->cert_info->issuer
-+#define X509_NAME_ENTRY_get_data(n) n->value
-+#define X509_NAME_ENTRY_get_object(n) n->object
-+#define X509_STORE_CTX_get_current_cert(ctx) ctx->current_cert
-+#define X509_STORE_CTX_get_error(ctx) ctx->error
-+#define X509_STORE_CTX_get_error_depth(ctx) ctx->error_depth
-+
-+#define OPENSSL_VERSION SSLEAY_VERSION
-+#define OpenSSL_version SSLeay_version
-+
-+#endif /* OPENSSL_VERSION_NUMBER */
-+
-+#endif /* OPENSSL_COMPAT_H */
-diff --git a/src/racoon/plainrsa-gen.c b/src/racoon/plainrsa-gen.c
-index cad1861..b949b08 100644
---- a/src/racoon/plainrsa-gen.c
-+++ b/src/racoon/plainrsa-gen.c
-@@ -60,6 +60,7 @@
- #include "vmbuf.h"
- #include "plog.h"
- #include "crypto_openssl.h"
-+#include "openssl_compat.h"
- 
- #include "package_version.h"
- 
-@@ -90,12 +91,14 @@ mix_b64_pubkey(const RSA *key)
- 	char *binbuf;
- 	long binlen, ret;
- 	vchar_t *res;
--	
--	binlen = 1 + BN_num_bytes(key->e) + BN_num_bytes(key->n);
-+	const BIGNUM *e, *n;
-+
-+	RSA_get0_key(key, &n, &e, NULL);
-+	binlen = 1 + BN_num_bytes(e) + BN_num_bytes(n);
- 	binbuf = malloc(binlen);
- 	memset(binbuf, 0, binlen);
--	binbuf[0] = BN_bn2bin(key->e, (unsigned char *) &binbuf[1]);
--	ret = BN_bn2bin(key->n, (unsigned char *) (&binbuf[binbuf[0] + 1]));
-+	binbuf[0] = BN_bn2bin(e, (unsigned char *) &binbuf[1]);
-+	ret = BN_bn2bin(n, (unsigned char *) (&binbuf[binbuf[0] + 1]));
- 	if (1 + binbuf[0] + ret != binlen) {
- 		plog(LLV_ERROR, LOCATION, NULL,
- 		     "Pubkey generation failed. This is really strange...\n");
-@@ -131,16 +134,20 @@ print_rsa_key(FILE *fp, const RSA *key)
- 	
- 	fprintf(fp, "# : PUB 0s%s\n", pubkey64->v);
- 	fprintf(fp, ": RSA\t{\n");
--	fprintf(fp, "\t# RSA %d bits\n", BN_num_bits(key->n));
-+	const BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp;
-+	RSA_get0_key(key, &n, &e, &d);
-+	RSA_get0_factors(key, &p, &q);
-+	RSA_get0_crt_params(key, &dmp1, &dmq1, &iqmp);
-+	fprintf(fp, "\t# RSA %d bits\n", BN_num_bits(n));
- 	fprintf(fp, "\t# pubkey=0s%s\n", pubkey64->v);
--	fprintf(fp, "\tModulus: 0x%s\n", lowercase(BN_bn2hex(key->n)));
--	fprintf(fp, "\tPublicExponent: 0x%s\n", lowercase(BN_bn2hex(key->e)));
--	fprintf(fp, "\tPrivateExponent: 0x%s\n", lowercase(BN_bn2hex(key->d)));
--	fprintf(fp, "\tPrime1: 0x%s\n", lowercase(BN_bn2hex(key->p)));
--	fprintf(fp, "\tPrime2: 0x%s\n", lowercase(BN_bn2hex(key->q)));
--	fprintf(fp, "\tExponent1: 0x%s\n", lowercase(BN_bn2hex(key->dmp1)));
--	fprintf(fp, "\tExponent2: 0x%s\n", lowercase(BN_bn2hex(key->dmq1)));
--	fprintf(fp, "\tCoefficient: 0x%s\n", lowercase(BN_bn2hex(key->iqmp)));
-+	fprintf(fp, "\tModulus: 0x%s\n", lowercase(BN_bn2hex(n)));
-+	fprintf(fp, "\tPublicExponent: 0x%s\n", lowercase(BN_bn2hex(e)));
-+	fprintf(fp, "\tPrivateExponent: 0x%s\n", lowercase(BN_bn2hex(d)));
-+	fprintf(fp, "\tPrime1: 0x%s\n", lowercase(BN_bn2hex(p)));
-+	fprintf(fp, "\tPrime2: 0x%s\n", lowercase(BN_bn2hex(q)));
-+	fprintf(fp, "\tExponent1: 0x%s\n", lowercase(BN_bn2hex(dmp1)));
-+	fprintf(fp, "\tExponent2: 0x%s\n", lowercase(BN_bn2hex(dmq1)));
-+	fprintf(fp, "\tCoefficient: 0x%s\n", lowercase(BN_bn2hex(iqmp)));
- 	fprintf(fp, "  }\n");
- 
- 	vfree(pubkey64);
-@@ -203,11 +210,13 @@ int
- gen_rsa_key(FILE *fp, size_t bits, unsigned long exp)
- {
- 	int ret;
--	RSA *key;
-+	RSA *key = RSA_new();
-+	BIGNUM *e = BN_new();
- 
--	key = RSA_generate_key(bits, exp, NULL, NULL);
--	if (!key) {
-+	BN_set_word(e, exp);
-+	if (! RSA_generate_key_ex(key, bits, e, NULL)) {
- 		fprintf(stderr, "RSA_generate_key(): %s\n", eay_strerror());
-+		RSA_free(key);
- 		return -1;
- 	}
- 	
-diff --git a/src/racoon/prsa_par.y b/src/racoon/prsa_par.y
-index 1987e4d..27ce4c6 100644
---- a/src/racoon/prsa_par.y
-+++ b/src/racoon/prsa_par.y
-@@ -68,6 +68,7 @@
- #include "isakmp_var.h"
- #include "handler.h"
- #include "crypto_openssl.h"
-+#include "openssl_compat.h"
- #include "sockmisc.h"
- #include "rsalist.h"
- 
-@@ -85,7 +86,18 @@ char *prsa_cur_fname = NULL;
- struct genlist *prsa_cur_list = NULL;
- enum rsa_key_type prsa_cur_type = RSA_TYPE_ANY;
- 
--static RSA *rsa_cur;
-+struct my_rsa_st {
-+	BIGNUM *n;
-+	BIGNUM *e;
-+	BIGNUM *d;
-+	BIGNUM *p;
-+	BIGNUM *q;
-+	BIGNUM *dmp1;
-+	BIGNUM *dmq1;
-+	BIGNUM *iqmp;
-+};
-+
-+static struct my_rsa_st *rsa_cur;
- 
- void
- prsaerror(const char *s, ...)
-@@ -201,8 +213,12 @@ rsa_statement:
- 				rsa_cur->iqmp = NULL;
- 			}
- 		}
--		$$ = rsa_cur;
--		rsa_cur = RSA_new();
-+		RSA * rsa_tmp = RSA_new();
-+		RSA_set0_key(rsa_tmp, rsa_cur->n, rsa_cur->e, rsa_cur->d);
-+		RSA_set0_factors(rsa_tmp, rsa_cur->p, rsa_cur->q);
-+		RSA_set0_crt_params(rsa_tmp, rsa_cur->dmp1, rsa_cur->dmq1, rsa_cur->iqmp);
-+		$$ = rsa_tmp;
-+		memset(rsa_cur, 0, sizeof(struct my_rsa_st));
- 	}
- 	| TAG_PUB BASE64
- 	{
-@@ -351,10 +367,12 @@ prsa_parse_file(struct genlist *list, char *fname, enum rsa_key_type type)
- 	prsa_cur_fname = fname;
- 	prsa_cur_list = list;
- 	prsa_cur_type = type;
--	rsa_cur = RSA_new();
-+	rsa_cur = malloc(sizeof(struct my_rsa_st));
-+	memset(rsa_cur, 0, sizeof(struct my_rsa_st));
- 	ret = prsaparse();
- 	if (rsa_cur) {
--		RSA_free(rsa_cur);
-+		memset(rsa_cur, 0, sizeof(struct my_rsa_st));
-+		free(rsa_cur);
- 		rsa_cur = NULL;
- 	}
- 	fclose (fp);
-diff --git a/src/racoon/rsalist.c b/src/racoon/rsalist.c
-index f152c82..96e8363 100644
---- a/src/racoon/rsalist.c
-+++ b/src/racoon/rsalist.c
-@@ -52,6 +52,7 @@
- #include "genlist.h"
- #include "remoteconf.h"
- #include "crypto_openssl.h"
-+#include "openssl_compat.h"
- 
- #ifndef LIST_FIRST
- #define LIST_FIRST(head)        ((head)->lh_first)
-@@ -98,7 +99,9 @@ rsa_key_dup(struct rsa_key *key)
- 		return NULL;
- 
- 	if (key->rsa) {
--		new->rsa = key->rsa->d != NULL ? RSAPrivateKey_dup(key->rsa) : RSAPublicKey_dup(key->rsa);
-+		const BIGNUM *d;
-+		RSA_get0_key(key->rsa, NULL, NULL, &d);
-+		new->rsa = (d != NULL ? RSAPrivateKey_dup(key->rsa) : RSAPublicKey_dup(key->rsa));
- 		if (new->rsa == NULL)
- 			goto dup_error;
- 	}
--- 
-2.16.1
-
diff --git a/package/ipsec-tools/Config.in b/package/ipsec-tools/Config.in
deleted file mode 100644
index 59154123e6..0000000000
--- a/package/ipsec-tools/Config.in
+++ /dev/null
@@ -1,75 +0,0 @@
-config BR2_PACKAGE_IPSEC_TOOLS
-	bool "ipsec-tools"
-	depends on BR2_USE_MMU # fork()
-	depends on !BR2_TOOLCHAIN_USES_MUSL # Use __P() macro all over the tree
-	select BR2_PACKAGE_OPENSSL
-	select BR2_PACKAGE_FLEX
-	help
-	  This package is required to support IPSec for Linux 2.6+
-
-	  http://ipsec-tools.sourceforge.net/
-
-if BR2_PACKAGE_IPSEC_TOOLS
-
-config BR2_PACKAGE_IPSEC_TOOLS_ADMINPORT
-	bool "Enable racoonctl(8)"
-	default y
-	help
-	  Lets racoon to listen to racoon admin port, which is to
-	  be contacted by racoonctl(8).
-
-config BR2_PACKAGE_IPSEC_TOOLS_NATT
-	bool "Enable NAT-Traversal"
-	help
-	  This needs kernel support, which is available on Linux. On
-	  NetBSD, NAT-Traversal kernel support has not been integrated
-	  yet, you can get it from here:
-
-	  http://ipsec-tools.sourceforge.net/netbsd_nat-t.diff If you
-
-	  live in a country where software patents are legal, using
-	  NAT-Traversal might infringe a patent.
-
-config BR2_PACKAGE_IPSEC_TOOLS_FRAG
-	bool "Enable IKE fragmentation"
-	help
-	  Enable IKE fragmentation, which is a workaround for
-	  broken routers that drop fragmented packets
-
-config BR2_PACKAGE_IPSEC_TOOLS_DPD
-	bool "Enable DPD (Dead Peer Detection)"
-	help
-	  Enable dead peer detection support
-
-config BR2_PACKAGE_IPSEC_TOOLS_STATS
-	bool "Enable statistics logging function"
-	default y
-
-config BR2_PACKAGE_IPSEC_TOOLS_READLINE
-	bool "Enable readline input support"
-	select BR2_PACKAGE_READLINE
-
-config BR2_PACKAGE_IPSEC_TOOLS_HYBRID
-	bool "Enable hybrid, both mode-cfg and xauth support"
-	help
-	  Hybrid mode is required for successful interoperability
-	  (e.g. Cisco VPN Client).
-
-choice
-	prompt "Security context"
-	default BR2_PACKAGE_IPSEC_TOOLS_SECCTX_DISABLE
-	help
-	  Selects whether or not to enable security context support.
-
-config BR2_PACKAGE_IPSEC_TOOLS_SECCTX_DISABLE
-	bool "Disable security context support"
-
-config BR2_PACKAGE_IPSEC_TOOLS_SECCTX_ENABLE
-	bool "Enable SELinux security context support"
-
-config BR2_PACKAGE_IPSEC_TOOLS_SECCTX_KERNEL
-	bool "Enable kernel security context"
-
-endchoice
-
-endif
diff --git a/package/ipsec-tools/ipsec-tools.hash b/package/ipsec-tools/ipsec-tools.hash
deleted file mode 100644
index 7a944eb8ee..0000000000
--- a/package/ipsec-tools/ipsec-tools.hash
+++ /dev/null
@@ -1,6 +0,0 @@
-# From http://sourceforge.net/projects/ipsec-tools/files/ipsec-tools/0.8.2/
-md5	d53ec14a0a3ece64e09e5e34b3350b41	ipsec-tools-0.8.2.tar.bz2
-sha1	7d92cae9fde59fb4f125636698c43b0a3df3d0f0	ipsec-tools-0.8.2.tar.bz2
-
-# Locally calculated
-sha256	3f4af4aef0b2599928bee9875935b8fad8449ddbb98ea7da74c20c3dff5cdef7  src/setkey/setkey.c
diff --git a/package/ipsec-tools/ipsec-tools.mk b/package/ipsec-tools/ipsec-tools.mk
deleted file mode 100644
index 72bd8c196c..0000000000
--- a/package/ipsec-tools/ipsec-tools.mk
+++ /dev/null
@@ -1,85 +0,0 @@
-################################################################################
-#
-# ipsec-tools
-#
-################################################################################
-
-IPSEC_TOOLS_VERSION = 0.8.2
-IPSEC_TOOLS_SOURCE = ipsec-tools-$(IPSEC_TOOLS_VERSION).tar.bz2
-IPSEC_TOOLS_SITE = http://sourceforge.net/projects/ipsec-tools/files/ipsec-tools/$(IPSEC_TOOLS_VERSION)
-IPSEC_TOOLS_LICENSE = BSD-3-Clause
-IPSEC_TOOLS_LICENSE_FILES = src/setkey/setkey.c
-IPSEC_TOOLS_INSTALL_STAGING = YES
-IPSEC_TOOLS_MAKE = $(MAKE1)
-IPSEC_TOOLS_DEPENDENCIES = openssl flex host-pkgconf host-flex host-bison
-# we patch configure.ac
-IPSEC_TOOLS_AUTORECONF = YES
-
-# 0004-CVE-2015-4047.patch
-IPSEC_TOOLS_IGNORE_CVES += CVE-2015-4047
-# 0005-CVE-2016-10396.patch
-IPSEC_TOOLS_IGNORE_CVES += CVE-2016-10396
-
-# configure hardcodes -Werror, so override CFLAGS on make invocation
-IPSEC_TOOLS_MAKE_OPTS = CFLAGS='$(TARGET_CFLAGS)'
-
-IPSEC_TOOLS_CONF_ENV = LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl`
-
-IPSEC_TOOLS_CONF_OPTS = \
-	  --without-libpam \
-	  --disable-gssapi \
-	  --with-kernel-headers=$(STAGING_DIR)/usr/include
-
-ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_ADMINPORT),y)
-IPSEC_TOOLS_CONF_OPTS += --enable-adminport
-else
-IPSEC_TOOLS_CONF_OPTS += --disable-adminport
-endif
-
-ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_NATT),y)
-IPSEC_TOOLS_CONF_OPTS += --enable-natt
-else
-IPSEC_TOOLS_CONF_OPTS += --disable-natt
-endif
-
-ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_FRAG),y)
-IPSEC_TOOLS_CONF_OPTS += --enable-frag
-else
-IPSEC_TOOLS_CONF_OPTS += --disable-frag
-endif
-
-ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_DPD),y)
-IPSEC_TOOLS_CONF_OPTS += --enable-dpd
-else
-IPSEC_TOOLS_CONF_OPTS += --disable-dpd
-endif
-
-ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_STATS),y)
-IPSEC_TOOLS_CONF_OPTS += --enable-stats
-else
-IPSEC_TOOLS_CONF_OPTS += --disable-stats
-endif
-
-ifneq ($(BR2_PACKAGE_IPSEC_TOOLS_READLINE),y)
-IPSEC_TOOLS_CONF_OPTS += --without-readline
-else
-IPSEC_TOOLS_DEPENDENCIES += readline
-endif
-
-ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_HYBRID),y)
-IPSEC_TOOLS_CONF_OPTS += --enable-hybrid
-else
-IPSEC_TOOLS_CONF_OPTS += --disable-hybrid
-endif
-
-ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_SECCTX_DISABLE),y)
-IPSEC_TOOLS_CONF_OPTS += --enable-security-context=no
-endif
-ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_SECCTX_ENABLE),y)
-IPSEC_TOOLS_CONF_OPTS += --enable-security-context=yes
-endif
-ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_SECCTX_KERNEL),y)
-IPSEC_TOOLS_CONF_OPTS += --enable-security-context=kernel
-endif
-
-$(eval $(autotools-package))
