From owner-svn-ports-all@freebsd.org Thu Mar 18 08:49:44 2021 Return-Path: Delivered-To: svn-ports-all@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 8B3B75B3013; Thu, 18 Mar 2021 08:49:44 +0000 (UTC) (envelope-from danfe@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4F1LLc3QFcz4qX4; Thu, 18 Mar 2021 08:49:44 +0000 (UTC) (envelope-from danfe@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 67F3C1EC30; Thu, 18 Mar 2021 08:49:44 +0000 (UTC) (envelope-from danfe@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 12I8niHX067895; Thu, 18 Mar 2021 08:49:44 GMT (envelope-from danfe@FreeBSD.org) Received: (from danfe@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 12I8nfKW067882; Thu, 18 Mar 2021 08:49:41 GMT (envelope-from danfe@FreeBSD.org) Message-Id: <202103180849.12I8nfKW067882@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: danfe set sender to danfe@FreeBSD.org using -f From: Alexey Dokuchaev Date: Thu, 18 Mar 2021 08:49:41 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r568724 - in head/security/ike: . files X-SVN-Group: ports-head X-SVN-Commit-Author: danfe X-SVN-Commit-Paths: in head/security/ike: . files X-SVN-Commit-Revision: 568724 X-SVN-Commit-Repository: ports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Mar 2021 08:49:44 -0000 Author: danfe Date: Thu Mar 18 08:49:41 2021 New Revision: 568724 URL: https://svnweb.freebsd.org/changeset/ports/568724 Log: - Unbreak the build against modern OpenSSL versions - Remove useless line from the port description Added: head/security/ike/files/patch-source_iked_crypto.cpp (contents, props changed) head/security/ike/files/patch-source_iked_ike.cpp (contents, props changed) head/security/ike/files/patch-source_iked_ike.exch.config.cpp (contents, props changed) head/security/ike/files/patch-source_iked_ike.exch.inform.cpp (contents, props changed) head/security/ike/files/patch-source_iked_ike.exch.phase1.cpp (contents, props changed) head/security/ike/files/patch-source_iked_ike.exch.phase2.cpp (contents, props changed) head/security/ike/files/patch-source_iked_ike.idb.exch.cpp (contents, props changed) head/security/ike/files/patch-source_iked_ike.idb.phase1.cpp (contents, props changed) head/security/ike/files/patch-source_iked_ike.idb.phase2.cpp (contents, props changed) head/security/ike/files/patch-source_iked_ike.keyfile.cpp (contents, props changed) head/security/ike/files/patch-source_libike_manager.file.cpp (contents, props changed) Modified: head/security/ike/Makefile head/security/ike/pkg-descr Modified: head/security/ike/Makefile ============================================================================== --- head/security/ike/Makefile Thu Mar 18 08:28:55 2021 (r568723) +++ head/security/ike/Makefile Thu Mar 18 08:49:41 2021 (r568724) @@ -36,13 +36,6 @@ LDAP_USE= OPENLDAP=yes LDAP_CMAKE_ON= -DLDAP=YES NATT_CMAKE_ON= -DNATT=YES -.include - -.if ${SSL_DEFAULT} == base -BROKEN_FreeBSD_12= variable has incomplete type 'EVP_CIPHER_CTX' (aka 'evp_cipher_ctx_st') -BROKEN_FreeBSD_13= variable has incomplete type 'EVP_CIPHER_CTX' (aka 'evp_cipher_ctx_st') -.endif - post-install: @if ! ${SYSCTL} -a | ${GREP} -q ipsec; then \ ${ECHO_MSG} "===> -------------------------------------------------------------------------"; \ @@ -58,4 +51,6 @@ post-install-NATT-on: @${ECHO_MSG} "===> options IPSEC_NAT_T" @${ECHO_MSG} "===> -------------------------------------------------------------------------" -.include +.include + +PATCH_ARGS+= -l Added: head/security/ike/files/patch-source_iked_crypto.cpp ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/ike/files/patch-source_iked_crypto.cpp Thu Mar 18 08:49:41 2021 (r568724) @@ -0,0 +1,100 @@ +--- source/iked/crypto.cpp.orig 2012-12-11 06:56:33 UTC ++++ source/iked/crypto.cpp +@@ -376,10 +376,6 @@ bool dh_init( long group, DH ** dh_data, long * dh_siz + if( dh == NULL ) + return false; + +- dh->p = NULL; +- dh->g = NULL; +- dh->length = 0; +- + // + // set p ( prime ) value + // +@@ -387,49 +383,50 @@ bool dh_init( long group, DH ** dh_data, long * dh_siz + unsigned char * p_data = NULL; + size_t p_size = 0; + +- dh->p = BN_new(); +- if( dh->p == NULL ) ++ BIGNUM *p = BN_new(); ++ BIGNUM *g = BN_new(); ++ if( p == NULL || g == NULL ) + goto dh_failed; + + switch( group ) + { + case 1: +- if( !BN_bin2bn( group1, sizeof( group1 ), dh->p ) ) ++ if( !BN_bin2bn( group1, sizeof( group1 ), p ) ) + goto dh_failed; + break; + + case 2: +- if( !BN_bin2bn( group2, sizeof( group2 ), dh->p ) ) ++ if( !BN_bin2bn( group2, sizeof( group2 ), p ) ) + goto dh_failed; + break; + + case 5: +- if( !BN_bin2bn( group5, sizeof( group5 ), dh->p ) ) ++ if( !BN_bin2bn( group5, sizeof( group5 ), p ) ) + goto dh_failed; + break; + + case 14: +- if( !BN_bin2bn( group14, sizeof( group14 ), dh->p ) ) ++ if( !BN_bin2bn( group14, sizeof( group14 ), p ) ) + goto dh_failed; + break; + + case 15: +- if( !BN_bin2bn( group15, sizeof( group15 ), dh->p ) ) ++ if( !BN_bin2bn( group15, sizeof( group15 ), p ) ) + goto dh_failed; + break; + + case 16: +- if( !BN_bin2bn( group16, sizeof( group16 ), dh->p ) ) ++ if( !BN_bin2bn( group16, sizeof( group16 ), p ) ) + goto dh_failed; + break; + + case 17: +- if( !BN_bin2bn( group17, sizeof( group17 ), dh->p ) ) ++ if( !BN_bin2bn( group17, sizeof( group17 ), p ) ) + goto dh_failed; + break; + + case 18: +- if( !BN_bin2bn( group18, sizeof( group18 ), dh->p ) ) ++ if( !BN_bin2bn( group18, sizeof( group18 ), p ) ) + goto dh_failed; + break; + +@@ -441,13 +438,11 @@ bool dh_init( long group, DH ** dh_data, long * dh_siz + // set g ( generator ) value + // + +- dh->g = BN_new(); +- if( dh->g == NULL ) ++ if( !BN_set_word( g, 2 ) ) + goto dh_failed; + +- if( !BN_set_word( dh->g, 2 ) ) +- goto dh_failed; +- ++ DH_set0_pqg(dh, p, NULL, g); ++ + // + // generate private and public DH values + // +@@ -456,7 +451,7 @@ bool dh_init( long group, DH ** dh_data, long * dh_siz + goto dh_failed; + + *dh_data = dh; +- *dh_size = BN_num_bytes( dh->p ); ++ *dh_size = BN_num_bytes( DH_get0_p( dh ) ); + + return true; + Added: head/security/ike/files/patch-source_iked_ike.cpp ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/ike/files/patch-source_iked_ike.cpp Thu Mar 18 08:49:41 2021 (r568724) @@ -0,0 +1,90 @@ +--- source/iked/ike.cpp.orig 2009-02-12 02:35:43 UTC ++++ source/iked/ike.cpp +@@ -391,11 +391,11 @@ long _IKED::packet_ike_decrypt( IDB_PH1 * sa, PACKET_I + // init cipher key and iv + // + +- EVP_CIPHER_CTX ctx_cipher; +- EVP_CIPHER_CTX_init( &ctx_cipher ); ++ EVP_CIPHER_CTX *ctx_cipher; ++ ctx_cipher = EVP_CIPHER_CTX_new(); + + EVP_CipherInit_ex( +- &ctx_cipher, ++ ctx_cipher, + sa->evp_cipher, + NULL, + NULL, +@@ -403,11 +403,11 @@ long _IKED::packet_ike_decrypt( IDB_PH1 * sa, PACKET_I + 0 ); + + EVP_CIPHER_CTX_set_key_length( +- &ctx_cipher, ++ ctx_cipher, + ( int ) sa->key.size() ); + + EVP_CipherInit_ex( +- &ctx_cipher, ++ ctx_cipher, + NULL, + NULL, + sa->key.buff(), +@@ -419,12 +419,12 @@ long _IKED::packet_ike_decrypt( IDB_PH1 * sa, PACKET_I + // + + EVP_Cipher( +- &ctx_cipher, ++ ctx_cipher, + data + sizeof( IKE_HEADER ), + data + sizeof( IKE_HEADER ), + ( int ) size - sizeof( IKE_HEADER ) ); + +- EVP_CIPHER_CTX_cleanup( &ctx_cipher ); ++ EVP_CIPHER_CTX_free( ctx_cipher ); + + log.bin( + LLOG_DEBUG, +@@ -595,11 +595,11 @@ long _IKED::packet_ike_encrypt( IDB_PH1 * sa, PACKET_I + // encrypt all but header + // + +- EVP_CIPHER_CTX ctx_cipher; +- EVP_CIPHER_CTX_init( &ctx_cipher ); ++ EVP_CIPHER_CTX *ctx_cipher; ++ ctx_cipher = EVP_CIPHER_CTX_new(); + + EVP_CipherInit_ex( +- &ctx_cipher, ++ ctx_cipher, + sa->evp_cipher, + NULL, + NULL, +@@ -607,11 +607,11 @@ long _IKED::packet_ike_encrypt( IDB_PH1 * sa, PACKET_I + 1 ); + + EVP_CIPHER_CTX_set_key_length( +- &ctx_cipher, ++ ctx_cipher, + ( int ) sa->key.size() ); + + EVP_CipherInit_ex( +- &ctx_cipher, ++ ctx_cipher, + NULL, + NULL, + sa->key.buff(), +@@ -619,12 +619,12 @@ long _IKED::packet_ike_encrypt( IDB_PH1 * sa, PACKET_I + 1 ); + + EVP_Cipher( +- &ctx_cipher, ++ ctx_cipher, + data + sizeof( IKE_HEADER ), + data + sizeof( IKE_HEADER ), + ( int ) size - sizeof( IKE_HEADER ) ); + +- EVP_CIPHER_CTX_cleanup( &ctx_cipher ); ++ EVP_CIPHER_CTX_free( ctx_cipher ); + + // + // store cipher iv data Added: head/security/ike/files/patch-source_iked_ike.exch.config.cpp ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/ike/files/patch-source_iked_ike.exch.config.cpp Thu Mar 18 08:49:41 2021 (r568724) @@ -0,0 +1,48 @@ +--- source/iked/ike.exch.config.cpp.orig 2013-04-07 16:28:06 UTC ++++ source/iked/ike.exch.config.cpp +@@ -2481,15 +2481,15 @@ long _IKED::config_chk_hash( IDB_PH1 * ph1, IDB_CFG * + BDATA hash_c; + hash_c.size( ph1->hash_size ); + +- HMAC_CTX ctx_prf; +- HMAC_CTX_init( &ctx_prf ); ++ HMAC_CTX *ctx_prf; ++ ctx_prf = HMAC_CTX_new(); + +- HMAC_Init_ex( &ctx_prf, ph1->skeyid_a.buff(), ( int ) ph1->skeyid_a.size(), ph1->evp_hash, NULL ); +- HMAC_Update( &ctx_prf, ( unsigned char * ) &msgid, 4 ); +- HMAC_Update( &ctx_prf, cfg->hda.buff(), cfg->hda.size() ); +- HMAC_Final( &ctx_prf, hash_c.buff(), NULL ); ++ HMAC_Init_ex( ctx_prf, ph1->skeyid_a.buff(), ( int ) ph1->skeyid_a.size(), ph1->evp_hash, NULL ); ++ HMAC_Update( ctx_prf, ( unsigned char * ) &msgid, 4 ); ++ HMAC_Update( ctx_prf, cfg->hda.buff(), cfg->hda.size() ); ++ HMAC_Final( ctx_prf, hash_c.buff(), NULL ); + +- HMAC_CTX_cleanup( &ctx_prf ); ++ HMAC_CTX_free( ctx_prf ); + + log.bin( + LLOG_DEBUG, +@@ -2543,15 +2543,15 @@ long _IKED::config_message_send( IDB_PH1 * ph1, IDB_CF + // create message authentication hash + // + +- HMAC_CTX ctx_prf; +- HMAC_CTX_init( &ctx_prf ); ++ HMAC_CTX *ctx_prf; ++ ctx_prf = HMAC_CTX_new(); + +- HMAC_Init_ex( &ctx_prf, ph1->skeyid_a.buff(), ( int ) ph1->skeyid_a.size(), ph1->evp_hash, NULL ); +- HMAC_Update( &ctx_prf, ( unsigned char * ) &cfg->msgid, sizeof( cfg->msgid ) ); +- HMAC_Update( &ctx_prf, packet.buff() + beg, end - beg ); +- HMAC_Final( &ctx_prf, hash.buff(), 0 ); ++ HMAC_Init_ex( ctx_prf, ph1->skeyid_a.buff(), ( int ) ph1->skeyid_a.size(), ph1->evp_hash, NULL ); ++ HMAC_Update( ctx_prf, ( unsigned char * ) &cfg->msgid, sizeof( cfg->msgid ) ); ++ HMAC_Update( ctx_prf, packet.buff() + beg, end - beg ); ++ HMAC_Final( ctx_prf, hash.buff(), 0 ); + +- HMAC_CTX_cleanup( &ctx_prf ); ++ HMAC_CTX_free( ctx_prf ); + + memcpy( packet.buff() + off + 4, hash.buff(), hash.size() ); + Added: head/security/ike/files/patch-source_iked_ike.exch.inform.cpp ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/ike/files/patch-source_iked_ike.exch.inform.cpp Thu Mar 18 08:49:41 2021 (r568724) @@ -0,0 +1,48 @@ +--- source/iked/ike.exch.inform.cpp.orig 2010-12-02 16:06:10 UTC ++++ source/iked/ike.exch.inform.cpp +@@ -399,15 +399,15 @@ long _IKED::inform_chk_hash( IDB_PH1 * ph1, IDB_XCH * + BDATA hash_c; + hash_c.size( ph1->hash_size ); + +- HMAC_CTX ctx_prf; +- HMAC_CTX_init( &ctx_prf ); ++ HMAC_CTX *ctx_prf; ++ ctx_prf = HMAC_CTX_new(); + +- HMAC_Init_ex( &ctx_prf, ph1->skeyid_a.buff(), ( int ) ph1->skeyid_a.size(), ph1->evp_hash, NULL ); +- HMAC_Update( &ctx_prf, ( unsigned char * ) &inform->msgid, 4 ); +- HMAC_Update( &ctx_prf, inform->hda.buff(), inform->hda.size() ); +- HMAC_Final( &ctx_prf, hash_c.buff(), NULL ); ++ HMAC_Init_ex( ctx_prf, ph1->skeyid_a.buff(), ( int ) ph1->skeyid_a.size(), ph1->evp_hash, NULL ); ++ HMAC_Update( ctx_prf, ( unsigned char * ) &inform->msgid, 4 ); ++ HMAC_Update( ctx_prf, inform->hda.buff(), inform->hda.size() ); ++ HMAC_Final( ctx_prf, hash_c.buff(), NULL ); + +- HMAC_CTX_cleanup( &ctx_prf ); ++ HMAC_CTX_free( ctx_prf ); + + log.bin( + LLOG_DEBUG, +@@ -439,15 +439,15 @@ long _IKED::inform_gen_hash( IDB_PH1 * ph1, IDB_XCH * + { + inform->hash_l.size( ph1->hash_size ); + +- HMAC_CTX ctx_prf; +- HMAC_CTX_init( &ctx_prf ); ++ HMAC_CTX *ctx_prf; ++ ctx_prf = HMAC_CTX_new(); + +- HMAC_Init_ex( &ctx_prf, ph1->skeyid_a.buff(), ( int ) ph1->skeyid_a.size(), ph1->evp_hash, NULL ); +- HMAC_Update( &ctx_prf, ( unsigned char * ) &inform->msgid, sizeof( inform->msgid ) ); +- HMAC_Update( &ctx_prf, inform->hda.buff(), inform->hda.size() ); +- HMAC_Final( &ctx_prf, inform->hash_l.buff(), 0 ); ++ HMAC_Init_ex( ctx_prf, ph1->skeyid_a.buff(), ( int ) ph1->skeyid_a.size(), ph1->evp_hash, NULL ); ++ HMAC_Update( ctx_prf, ( unsigned char * ) &inform->msgid, sizeof( inform->msgid ) ); ++ HMAC_Update( ctx_prf, inform->hda.buff(), inform->hda.size() ); ++ HMAC_Final( ctx_prf, inform->hash_l.buff(), 0 ); + +- HMAC_CTX_cleanup( &ctx_prf ); ++ HMAC_CTX_free( ctx_prf ); + + log.bin( + LLOG_DEBUG, Added: head/security/ike/files/patch-source_iked_ike.exch.phase1.cpp ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/ike/files/patch-source_iked_ike.exch.phase1.cpp Thu Mar 18 08:49:41 2021 (r568724) @@ -0,0 +1,347 @@ +--- source/iked/ike.exch.phase1.cpp.orig 2012-02-08 05:09:35 UTC ++++ source/iked/ike.exch.phase1.cpp +@@ -1044,14 +1044,14 @@ long _IKED::process_phase1_send( IDB_PH1 * ph1 ) + BDATA psk_hash; + psk_hash.size( ph1->hash_size ); + +- HMAC_CTX ctx_prf; +- HMAC_CTX_init( &ctx_prf ); ++ HMAC_CTX *ctx_prf; ++ ctx_prf = HMAC_CTX_new(); + +- HMAC_Init_ex( &ctx_prf, ph1->skeyid.buff(), ( int ) ph1->skeyid.size(), ph1->evp_hash, NULL ); +- HMAC_Update( &ctx_prf, ph1->tunnel->peer->psk.buff(), ph1->tunnel->peer->psk.size() ); +- HMAC_Final( &ctx_prf, psk_hash.buff(), NULL ); ++ HMAC_Init_ex( ctx_prf, ph1->skeyid.buff(), ( int ) ph1->skeyid.size(), ph1->evp_hash, NULL ); ++ HMAC_Update( ctx_prf, ph1->tunnel->peer->psk.buff(), ph1->tunnel->peer->psk.size() ); ++ HMAC_Final( ctx_prf, psk_hash.buff(), NULL ); + +- HMAC_CTX_cleanup( &ctx_prf ); ++ HMAC_CTX_free( ctx_prf ); + + // + // add the notification payload +@@ -1557,7 +1557,7 @@ long _IKED::phase1_gen_keys( IDB_PH1 * ph1 ) + { + BDATA prv; + prv.size( ph1->dh_size ); +- BN_bn2bin( ph1->dh->priv_key, prv.buff() ); ++ BN_bn2bin( DH_get0_priv_key( ph1->dh ), prv.buff() ); + + log.bin( + LLOG_DECODE, +@@ -1656,25 +1656,25 @@ long _IKED::phase1_gen_keys( IDB_PH1 * ph1 ) + case XAUTH_AUTH_INIT_PSK: + case XAUTH_AUTH_RESP_PSK: + { +- HMAC_CTX ctx_prf; +- HMAC_CTX_init( &ctx_prf ); ++ HMAC_CTX *ctx_prf; ++ ctx_prf = HMAC_CTX_new(); + +- HMAC_Init_ex( &ctx_prf, ph1->tunnel->peer->psk.buff(), ( int ) ph1->tunnel->peer->psk.size(), ph1->evp_hash, NULL ); ++ HMAC_Init_ex( ctx_prf, ph1->tunnel->peer->psk.buff(), ( int ) ph1->tunnel->peer->psk.size(), ph1->evp_hash, NULL ); + + if( ph1->initiator ) + { +- HMAC_Update( &ctx_prf, ph1->nonce_l.buff(), ph1->nonce_l.size() ); +- HMAC_Update( &ctx_prf, ph1->nonce_r.buff(), ph1->nonce_r.size() ); ++ HMAC_Update( ctx_prf, ph1->nonce_l.buff(), ph1->nonce_l.size() ); ++ HMAC_Update( ctx_prf, ph1->nonce_r.buff(), ph1->nonce_r.size() ); + } + else + { +- HMAC_Update( &ctx_prf, ph1->nonce_r.buff(), ph1->nonce_r.size() ); +- HMAC_Update( &ctx_prf, ph1->nonce_l.buff(), ph1->nonce_l.size() ); ++ HMAC_Update( ctx_prf, ph1->nonce_r.buff(), ph1->nonce_r.size() ); ++ HMAC_Update( ctx_prf, ph1->nonce_l.buff(), ph1->nonce_l.size() ); + } + +- HMAC_Final( &ctx_prf, skeyid_data, NULL ); ++ HMAC_Final( ctx_prf, skeyid_data, NULL ); + +- HMAC_CTX_cleanup( &ctx_prf ); ++ HMAC_CTX_free( ctx_prf ); + + break; + } +@@ -1704,14 +1704,14 @@ long _IKED::phase1_gen_keys( IDB_PH1 * ph1 ) + nonce.add( ph1->nonce_l ); + } + +- HMAC_CTX ctx_prf; +- HMAC_CTX_init( &ctx_prf ); ++ HMAC_CTX *ctx_prf; ++ ctx_prf = HMAC_CTX_new(); + +- HMAC_Init_ex( &ctx_prf, nonce.buff(), ( int ) nonce.size(), ph1->evp_hash, NULL ); +- HMAC_Update( &ctx_prf, shared.buff(), shared.size() ); +- HMAC_Final( &ctx_prf, skeyid_data, NULL ); ++ HMAC_Init_ex( ctx_prf, nonce.buff(), ( int ) nonce.size(), ph1->evp_hash, NULL ); ++ HMAC_Update( ctx_prf, shared.buff(), shared.size() ); ++ HMAC_Final( ctx_prf, skeyid_data, NULL ); + +- HMAC_CTX_cleanup( &ctx_prf ); ++ HMAC_CTX_free( ctx_prf ); + + break; + } +@@ -1730,15 +1730,15 @@ long _IKED::phase1_gen_keys( IDB_PH1 * ph1 ) + // compute SKEYID_d + // + +- HMAC_CTX ctx_prf; +- HMAC_CTX_init( &ctx_prf ); ++ HMAC_CTX *ctx_prf; ++ ctx_prf = HMAC_CTX_new(); + +- HMAC_Init_ex( &ctx_prf, ph1->skeyid.buff(), ( int ) ph1->skeyid.size(), ph1->evp_hash, NULL ); +- HMAC_Update( &ctx_prf, shared.buff(), shared.size() ); +- HMAC_Update( &ctx_prf, ph1->cookies.i, ISAKMP_COOKIE_SIZE ); +- HMAC_Update( &ctx_prf, ph1->cookies.r, ISAKMP_COOKIE_SIZE ); +- HMAC_Update( &ctx_prf, ( unsigned char * ) "\0", 1 ); +- HMAC_Final( &ctx_prf, skeyid_data, NULL ); ++ HMAC_Init_ex( ctx_prf, ph1->skeyid.buff(), ( int ) ph1->skeyid.size(), ph1->evp_hash, NULL ); ++ HMAC_Update( ctx_prf, shared.buff(), shared.size() ); ++ HMAC_Update( ctx_prf, ph1->cookies.i, ISAKMP_COOKIE_SIZE ); ++ HMAC_Update( ctx_prf, ph1->cookies.r, ISAKMP_COOKIE_SIZE ); ++ HMAC_Update( ctx_prf, ( unsigned char * ) "\0", 1 ); ++ HMAC_Final( ctx_prf, skeyid_data, NULL ); + + ph1->skeyid_d.set( skeyid_data, skeyid_size ); + +@@ -1753,13 +1753,13 @@ long _IKED::phase1_gen_keys( IDB_PH1 * ph1 ) + // compute SKEYID_a + // + +- HMAC_Init_ex( &ctx_prf, ph1->skeyid.buff(), ( int ) ph1->skeyid.size(), ph1->evp_hash, NULL ); +- HMAC_Update( &ctx_prf, skeyid_data, skeyid_size ); +- HMAC_Update( &ctx_prf, shared.buff(), shared.size() ); +- HMAC_Update( &ctx_prf, ph1->cookies.i, ISAKMP_COOKIE_SIZE ); +- HMAC_Update( &ctx_prf, ph1->cookies.r, ISAKMP_COOKIE_SIZE ); +- HMAC_Update( &ctx_prf, ( unsigned char * ) "\1", 1 ); +- HMAC_Final( &ctx_prf, skeyid_data, NULL ); ++ HMAC_Init_ex( ctx_prf, ph1->skeyid.buff(), ( int ) ph1->skeyid.size(), ph1->evp_hash, NULL ); ++ HMAC_Update( ctx_prf, skeyid_data, skeyid_size ); ++ HMAC_Update( ctx_prf, shared.buff(), shared.size() ); ++ HMAC_Update( ctx_prf, ph1->cookies.i, ISAKMP_COOKIE_SIZE ); ++ HMAC_Update( ctx_prf, ph1->cookies.r, ISAKMP_COOKIE_SIZE ); ++ HMAC_Update( ctx_prf, ( unsigned char * ) "\1", 1 ); ++ HMAC_Final( ctx_prf, skeyid_data, NULL ); + + ph1->skeyid_a.set( skeyid_data, skeyid_size ); + +@@ -1774,13 +1774,13 @@ long _IKED::phase1_gen_keys( IDB_PH1 * ph1 ) + // compute SKEYID_e + // + +- HMAC_Init_ex( &ctx_prf, ph1->skeyid.buff(), ( int ) ph1->skeyid.size(), ph1->evp_hash, NULL ); +- HMAC_Update( &ctx_prf, skeyid_data, skeyid_size ); +- HMAC_Update( &ctx_prf, shared.buff(), shared.size() ); +- HMAC_Update( &ctx_prf, ph1->cookies.i, ISAKMP_COOKIE_SIZE ); +- HMAC_Update( &ctx_prf, ph1->cookies.r, ISAKMP_COOKIE_SIZE ); +- HMAC_Update( &ctx_prf, ( unsigned char * ) "\2", 1 ); +- HMAC_Final( &ctx_prf, skeyid_data, NULL ); ++ HMAC_Init_ex( ctx_prf, ph1->skeyid.buff(), ( int ) ph1->skeyid.size(), ph1->evp_hash, NULL ); ++ HMAC_Update( ctx_prf, skeyid_data, skeyid_size ); ++ HMAC_Update( ctx_prf, shared.buff(), shared.size() ); ++ HMAC_Update( ctx_prf, ph1->cookies.i, ISAKMP_COOKIE_SIZE ); ++ HMAC_Update( ctx_prf, ph1->cookies.r, ISAKMP_COOKIE_SIZE ); ++ HMAC_Update( ctx_prf, ( unsigned char * ) "\2", 1 ); ++ HMAC_Final( ctx_prf, skeyid_data, NULL ); + + ph1->skeyid_e.set( skeyid_data, skeyid_size ); + +@@ -1821,15 +1821,15 @@ long _IKED::phase1_gen_keys( IDB_PH1 * ph1 ) + + // create extended key data + +- HMAC_Init_ex( &ctx_prf, skeyid_data, skeyid_size, ph1->evp_hash, NULL ); +- HMAC_Update( &ctx_prf, ( unsigned char * ) "\0", 1 ); +- HMAC_Final( &ctx_prf, key_data, NULL ); ++ HMAC_Init_ex( ctx_prf, skeyid_data, skeyid_size, ph1->evp_hash, NULL ); ++ HMAC_Update( ctx_prf, ( unsigned char * ) "\0", 1 ); ++ HMAC_Final( ctx_prf, key_data, NULL ); + + for( long size = skeyid_size; size < key_size; size += skeyid_size ) + { +- HMAC_Init_ex( &ctx_prf, skeyid_data, skeyid_size, ph1->evp_hash, NULL ); +- HMAC_Update( &ctx_prf, key_data + size - skeyid_size, skeyid_size ); +- HMAC_Final( &ctx_prf, key_data + size, NULL ); ++ HMAC_Init_ex( ctx_prf, skeyid_data, skeyid_size, ph1->evp_hash, NULL ); ++ HMAC_Update( ctx_prf, key_data + size - skeyid_size, skeyid_size ); ++ HMAC_Final( ctx_prf, key_data + size, NULL ); + } + } + else +@@ -1839,7 +1839,7 @@ long _IKED::phase1_gen_keys( IDB_PH1 * ph1 ) + memcpy( key_data, skeyid_data, key_size ); + } + +- HMAC_CTX_cleanup( &ctx_prf ); ++ HMAC_CTX_free( ctx_prf ); + + if( proposal->ciph_kl ) + key_size = ( proposal->ciph_kl + 7 ) / 8; +@@ -1860,22 +1860,23 @@ long _IKED::phase1_gen_keys( IDB_PH1 * ph1 ) + unsigned char iv_data[ HMAC_MAX_MD_CBLOCK ]; + unsigned long iv_size = EVP_CIPHER_iv_length( ph1->evp_cipher ); + +- EVP_MD_CTX ctx_hash; +- EVP_DigestInit( &ctx_hash, ph1->evp_hash ); ++ EVP_MD_CTX *ctx_hash; ++ ctx_hash = EVP_MD_CTX_new(); ++ EVP_DigestInit( ctx_hash, ph1->evp_hash ); + + if( ph1->initiator ) + { +- EVP_DigestUpdate( &ctx_hash, ph1->xl.buff(), ph1->xl.size() ); +- EVP_DigestUpdate( &ctx_hash, ph1->xr.buff(), ph1->xr.size() ); ++ EVP_DigestUpdate( ctx_hash, ph1->xl.buff(), ph1->xl.size() ); ++ EVP_DigestUpdate( ctx_hash, ph1->xr.buff(), ph1->xr.size() ); + } + else + { +- EVP_DigestUpdate( &ctx_hash, ph1->xr.buff(), ph1->xr.size() ); +- EVP_DigestUpdate( &ctx_hash, ph1->xl.buff(), ph1->xl.size() ); ++ EVP_DigestUpdate( ctx_hash, ph1->xr.buff(), ph1->xr.size() ); ++ EVP_DigestUpdate( ctx_hash, ph1->xl.buff(), ph1->xl.size() ); + } + +- EVP_DigestFinal( &ctx_hash, iv_data, NULL ); +- EVP_MD_CTX_cleanup( &ctx_hash ); ++ EVP_DigestFinal( ctx_hash, iv_data, NULL ); ++ EVP_MD_CTX_free( ctx_hash ); + + ph1->iv.set( iv_data, iv_size ); + +@@ -1903,29 +1904,29 @@ long _IKED::phase1_gen_hash_i( IDB_PH1 * sa, BDATA & h + + hash.size( sa->hash_size ); + +- HMAC_CTX ctx_prf; +- HMAC_CTX_init( &ctx_prf ); ++ HMAC_CTX *ctx_prf; ++ ctx_prf = HMAC_CTX_new(); + +- HMAC_Init_ex( &ctx_prf, sa->skeyid.buff(), ( int ) sa->skeyid.size(), sa->evp_hash, NULL ); ++ HMAC_Init_ex( ctx_prf, sa->skeyid.buff(), ( int ) sa->skeyid.size(), sa->evp_hash, NULL ); + + if( sa->initiator ) + { +- HMAC_Update( &ctx_prf, sa->xl.buff(), sa->xl.size() ); +- HMAC_Update( &ctx_prf, sa->xr.buff(), sa->xr.size() ); ++ HMAC_Update( ctx_prf, sa->xl.buff(), sa->xl.size() ); ++ HMAC_Update( ctx_prf, sa->xr.buff(), sa->xr.size() ); + } + else + { +- HMAC_Update( &ctx_prf, sa->xr.buff(), sa->xr.size() ); +- HMAC_Update( &ctx_prf, sa->xl.buff(), sa->xl.size() ); ++ HMAC_Update( ctx_prf, sa->xr.buff(), sa->xr.size() ); ++ HMAC_Update( ctx_prf, sa->xl.buff(), sa->xl.size() ); + } + +- HMAC_Update( &ctx_prf, sa->cookies.i, ISAKMP_COOKIE_SIZE ); +- HMAC_Update( &ctx_prf, sa->cookies.r, ISAKMP_COOKIE_SIZE ); +- HMAC_Update( &ctx_prf, sa->hda.buff(), sa->hda.size() ); +- HMAC_Update( &ctx_prf, sa->idi.buff(), sa->idi.size() ); +- HMAC_Final( &ctx_prf, hash.buff(), NULL ); ++ HMAC_Update( ctx_prf, sa->cookies.i, ISAKMP_COOKIE_SIZE ); ++ HMAC_Update( ctx_prf, sa->cookies.r, ISAKMP_COOKIE_SIZE ); ++ HMAC_Update( ctx_prf, sa->hda.buff(), sa->hda.size() ); ++ HMAC_Update( ctx_prf, sa->idi.buff(), sa->idi.size() ); ++ HMAC_Final( ctx_prf, hash.buff(), NULL ); + +- HMAC_CTX_cleanup( &ctx_prf ); ++ HMAC_CTX_free( ctx_prf ); + + log.bin( + LLOG_DEBUG, +@@ -1945,29 +1946,29 @@ long _IKED::phase1_gen_hash_r( IDB_PH1 * sa, BDATA & h + + hash.size( sa->hash_size ); + +- HMAC_CTX ctx_prf; +- HMAC_CTX_init( &ctx_prf ); ++ HMAC_CTX *ctx_prf; ++ ctx_prf = HMAC_CTX_new(); + +- HMAC_Init_ex( &ctx_prf, sa->skeyid.buff(), ( int ) sa->skeyid.size(), sa->evp_hash, NULL ); ++ HMAC_Init_ex( ctx_prf, sa->skeyid.buff(), ( int ) sa->skeyid.size(), sa->evp_hash, NULL ); + + if( sa->initiator ) + { +- HMAC_Update( &ctx_prf, sa->xr.buff(), sa->xr.size() ); +- HMAC_Update( &ctx_prf, sa->xl.buff(), sa->xl.size() ); ++ HMAC_Update( ctx_prf, sa->xr.buff(), sa->xr.size() ); ++ HMAC_Update( ctx_prf, sa->xl.buff(), sa->xl.size() ); + } + else + { +- HMAC_Update( &ctx_prf, sa->xl.buff(), sa->xl.size() ); +- HMAC_Update( &ctx_prf, sa->xr.buff(), sa->xr.size() ); ++ HMAC_Update( ctx_prf, sa->xl.buff(), sa->xl.size() ); ++ HMAC_Update( ctx_prf, sa->xr.buff(), sa->xr.size() ); + } + +- HMAC_Update( &ctx_prf, sa->cookies.r, ISAKMP_COOKIE_SIZE ); +- HMAC_Update( &ctx_prf, sa->cookies.i, ISAKMP_COOKIE_SIZE ); +- HMAC_Update( &ctx_prf, sa->hda.buff(), sa->hda.size() ); +- HMAC_Update( &ctx_prf, sa->idr.buff(), sa->idr.size() ); +- HMAC_Final( &ctx_prf, hash.buff(), NULL ); ++ HMAC_Update( ctx_prf, sa->cookies.r, ISAKMP_COOKIE_SIZE ); ++ HMAC_Update( ctx_prf, sa->cookies.i, ISAKMP_COOKIE_SIZE ); ++ HMAC_Update( ctx_prf, sa->hda.buff(), sa->hda.size() ); ++ HMAC_Update( ctx_prf, sa->idr.buff(), sa->idr.size() ); ++ HMAC_Final( ctx_prf, hash.buff(), NULL ); + +- HMAC_CTX_cleanup( &ctx_prf ); ++ HMAC_CTX_free( ctx_prf ); + + log.bin( + LLOG_DEBUG, +@@ -2569,14 +2570,14 @@ long _IKED::phase1_gen_natd( IDB_PH1 * ph1 ) + // hash for remote address + // + +- EVP_MD_CTX ctx_hash; +- EVP_DigestInit( &ctx_hash, ph1->evp_hash ); +- EVP_DigestUpdate( &ctx_hash, ph1->cookies.i, ISAKMP_COOKIE_SIZE ); +- EVP_DigestUpdate( &ctx_hash, ph1->cookies.r, ISAKMP_COOKIE_SIZE ); +- EVP_DigestUpdate( &ctx_hash, &ph1->tunnel->saddr_r.saddr4.sin_addr.s_addr, 4 ); +- EVP_DigestUpdate( &ctx_hash, &ph1->tunnel->saddr_r.saddr4.sin_port, 2 ); +- EVP_DigestFinal( &ctx_hash, natd.buff(), NULL ); +- EVP_MD_CTX_cleanup( &ctx_hash ); ++ EVP_MD_CTX *ctx_hash; ++ ctx_hash = EVP_MD_CTX_new(); ++ EVP_DigestInit( ctx_hash, ph1->evp_hash ); ++ EVP_DigestUpdate( ctx_hash, ph1->cookies.i, ISAKMP_COOKIE_SIZE ); ++ EVP_DigestUpdate( ctx_hash, ph1->cookies.r, ISAKMP_COOKIE_SIZE ); ++ EVP_DigestUpdate( ctx_hash, &ph1->tunnel->saddr_r.saddr4.sin_addr.s_addr, 4 ); ++ EVP_DigestUpdate( ctx_hash, &ph1->tunnel->saddr_r.saddr4.sin_port, 2 ); ++ EVP_DigestFinal( ctx_hash, natd.buff(), NULL ); + + ph1->natd_hash_l.add( natd ); + +@@ -2585,13 +2586,13 @@ long _IKED::phase1_gen_natd( IDB_PH1 * ph1 ) + // hash for local address + // + +- EVP_DigestInit( &ctx_hash, ph1->evp_hash ); +- EVP_DigestUpdate( &ctx_hash, ph1->cookies.i, ISAKMP_COOKIE_SIZE ); +- EVP_DigestUpdate( &ctx_hash, ph1->cookies.r, ISAKMP_COOKIE_SIZE ); +- EVP_DigestUpdate( &ctx_hash, &ph1->tunnel->saddr_l.saddr4.sin_addr.s_addr, 4 ); +- EVP_DigestUpdate( &ctx_hash, &ph1->tunnel->saddr_l.saddr4.sin_port, 2 ); +- EVP_DigestFinal( &ctx_hash, natd.buff(), NULL ); +- EVP_MD_CTX_cleanup( &ctx_hash ); ++ EVP_DigestInit( ctx_hash, ph1->evp_hash ); ++ EVP_DigestUpdate( ctx_hash, ph1->cookies.i, ISAKMP_COOKIE_SIZE ); ++ EVP_DigestUpdate( ctx_hash, ph1->cookies.r, ISAKMP_COOKIE_SIZE ); ++ EVP_DigestUpdate( ctx_hash, &ph1->tunnel->saddr_l.saddr4.sin_addr.s_addr, 4 ); ++ EVP_DigestUpdate( ctx_hash, &ph1->tunnel->saddr_l.saddr4.sin_port, 2 ); ++ EVP_DigestFinal( ctx_hash, natd.buff(), NULL ); ++ EVP_MD_CTX_free( ctx_hash ); + + ph1->natd_hash_l.add( natd ); + Added: head/security/ike/files/patch-source_iked_ike.exch.phase2.cpp ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/ike/files/patch-source_iked_ike.exch.phase2.cpp Thu Mar 18 08:49:41 2021 (r568724) @@ -0,0 +1,153 @@ +--- source/iked/ike.exch.phase2.cpp.orig 2010-12-22 21:35:36 UTC ++++ source/iked/ike.exch.phase2.cpp +@@ -1008,14 +1008,14 @@ long _IKED::phase2_gen_hash_i( IDB_PH1 * ph1, IDB_PH2 + + hash.size( ph1->hash_size ); + +- HMAC_CTX ctx_prf; +- HMAC_CTX_init( &ctx_prf ); ++ HMAC_CTX *ctx_prf; ++ ctx_prf = HMAC_CTX_new(); + +- HMAC_Init_ex( &ctx_prf, ph1->skeyid_a.buff(), ( int ) ph1->skeyid_a.size(), ph1->evp_hash, NULL ); +- HMAC_Update( &ctx_prf, input.buff(), input.size() ); +- HMAC_Final( &ctx_prf, hash.buff(), NULL ); ++ HMAC_Init_ex( ctx_prf, ph1->skeyid_a.buff(), ( int ) ph1->skeyid_a.size(), ph1->evp_hash, NULL ); ++ HMAC_Update( ctx_prf, input.buff(), input.size() ); ++ HMAC_Final( ctx_prf, hash.buff(), NULL ); + +- HMAC_CTX_cleanup( &ctx_prf ); ++ HMAC_CTX_free( ctx_prf ); + + log.bin( + LLOG_DEBUG, +@@ -1048,14 +1048,14 @@ long _IKED::phase2_gen_hash_r( IDB_PH1 * ph1, IDB_PH2 + + hash.size( ph1->hash_size ); + +- HMAC_CTX ctx_prf; +- HMAC_CTX_init( &ctx_prf ); ++ HMAC_CTX *ctx_prf; ++ ctx_prf = HMAC_CTX_new(); + +- HMAC_Init_ex( &ctx_prf, ph1->skeyid_a.buff(), ( int ) ph1->skeyid_a.size(), ph1->evp_hash, NULL ); +- HMAC_Update( &ctx_prf, input.buff(), input.size() ); +- HMAC_Final( &ctx_prf, hash.buff(), NULL ); ++ HMAC_Init_ex( ctx_prf, ph1->skeyid_a.buff(), ( int ) ph1->skeyid_a.size(), ph1->evp_hash, NULL ); ++ HMAC_Update( ctx_prf, input.buff(), input.size() ); ++ HMAC_Final( ctx_prf, hash.buff(), NULL ); + +- HMAC_CTX_cleanup( &ctx_prf ); ++ HMAC_CTX_free( ctx_prf ); + + log.bin( + LLOG_DEBUG, +@@ -1093,14 +1093,14 @@ long _IKED::phase2_gen_hash_p( IDB_PH1 * ph1, IDB_PH2 + + hash.size( ph1->hash_size ); + +- HMAC_CTX ctx_prf; +- HMAC_CTX_init( &ctx_prf ); ++ HMAC_CTX *ctx_prf; ++ ctx_prf = HMAC_CTX_new(); + +- HMAC_Init_ex( &ctx_prf, ph1->skeyid_a.buff(), ( int ) ph1->skeyid_a.size(), ph1->evp_hash, NULL ); +- HMAC_Update( &ctx_prf, input.buff(), input.size() ); +- HMAC_Final( &ctx_prf, hash.buff(), 0 ); ++ HMAC_Init_ex( ctx_prf, ph1->skeyid_a.buff(), ( int ) ph1->skeyid_a.size(), ph1->evp_hash, NULL ); ++ HMAC_Update( ctx_prf, input.buff(), input.size() ); ++ HMAC_Final( ctx_prf, hash.buff(), 0 ); + +- HMAC_CTX_cleanup( &ctx_prf ); ++ HMAC_CTX_free( ctx_prf ); + + log.bin( + LLOG_DEBUG, +@@ -1555,7 +1555,7 @@ long _IKED::phase2_gen_keys( IDB_PH1 * ph1, IDB_PH2 * + { + BDATA prv; + prv.size( ph2->dh_size ); +- BN_bn2bin( ph2->dh->priv_key, prv.buff() ); ++ BN_bn2bin( DH_get0_priv_key( ph2->dh ), prv.buff() ); + + log.bin( + LLOG_DECODE, +@@ -1817,56 +1817,56 @@ long _IKED::phase2_gen_keys( IDB_PH1 * ph1, IDB_PH2 * + // K3 = prf( SKEYID_d, K2 | [ g(qm)^xy | ] protocol | SPI | Ni_b | Nr_b ) + // + +- HMAC_CTX ctx_prf; +- HMAC_CTX_init( &ctx_prf ); ++ HMAC_CTX *ctx_prf; ++ ctx_prf = HMAC_CTX_new(); + +- HMAC_Init_ex( &ctx_prf, ph1->skeyid_d.buff(), ( int ) ph1->skeyid_d.size(), ph1->evp_hash, NULL ); ++ HMAC_Init_ex( ctx_prf, ph1->skeyid_d.buff(), ( int ) ph1->skeyid_d.size(), ph1->evp_hash, NULL ); + + if( ph2->dhgr_id ) +- HMAC_Update( &ctx_prf, shared.buff(), shared.size() ); ++ HMAC_Update( ctx_prf, shared.buff(), shared.size() ); + +- HMAC_Update( &ctx_prf, ( unsigned char * ) &proposal->proto, 1 ); +- HMAC_Update( &ctx_prf, ( unsigned char * ) &proposal->spi, 4 ); ++ HMAC_Update( ctx_prf, ( unsigned char * ) &proposal->proto, 1 ); ++ HMAC_Update( ctx_prf, ( unsigned char * ) &proposal->spi, 4 ); + + if( ph2->initiator ) + { +- HMAC_Update( &ctx_prf, ph2->nonce_l.buff(), ph2->nonce_l.size() ); +- HMAC_Update( &ctx_prf, ph2->nonce_r.buff(), ph2->nonce_r.size() ); ++ HMAC_Update( ctx_prf, ph2->nonce_l.buff(), ph2->nonce_l.size() ); ++ HMAC_Update( ctx_prf, ph2->nonce_r.buff(), ph2->nonce_r.size() ); + } + else + { +- HMAC_Update( &ctx_prf, ph2->nonce_r.buff(), ph2->nonce_r.size() ); +- HMAC_Update( &ctx_prf, ph2->nonce_l.buff(), ph2->nonce_l.size() ); ++ HMAC_Update( ctx_prf, ph2->nonce_r.buff(), ph2->nonce_r.size() ); ++ HMAC_Update( ctx_prf, ph2->nonce_l.buff(), ph2->nonce_l.size() ); + } + +- HMAC_Final( &ctx_prf, key_data, NULL ); ++ HMAC_Final( ctx_prf, key_data, NULL ); + + for( long size = skeyid_size; size < key_size; size += skeyid_size ) + { +- HMAC_Init_ex( &ctx_prf, ph1->skeyid_d.buff(), ( int ) ph1->skeyid_d.size(), ph1->evp_hash, NULL ); +- HMAC_Update( &ctx_prf, key_data + size - skeyid_size, skeyid_size ); ++ HMAC_Init_ex( ctx_prf, ph1->skeyid_d.buff(), ( int ) ph1->skeyid_d.size(), ph1->evp_hash, NULL ); ++ HMAC_Update( ctx_prf, key_data + size - skeyid_size, skeyid_size ); + + if( ph2->dhgr_id ) +- HMAC_Update( &ctx_prf, shared.buff(), shared.size() ); ++ HMAC_Update( ctx_prf, shared.buff(), shared.size() ); + +- HMAC_Update( &ctx_prf, ( unsigned char * ) &proposal->proto, 1 ); +- HMAC_Update( &ctx_prf, ( unsigned char * ) &proposal->spi, 4 ); ++ HMAC_Update( ctx_prf, ( unsigned char * ) &proposal->proto, 1 ); ++ HMAC_Update( ctx_prf, ( unsigned char * ) &proposal->spi, 4 ); + + if( ph2->initiator ) + { +- HMAC_Update( &ctx_prf, ph2->nonce_l.buff(), ph2->nonce_l.size() ); +- HMAC_Update( &ctx_prf, ph2->nonce_r.buff(), ph2->nonce_r.size() ); ++ HMAC_Update( ctx_prf, ph2->nonce_l.buff(), ph2->nonce_l.size() ); ++ HMAC_Update( ctx_prf, ph2->nonce_r.buff(), ph2->nonce_r.size() ); + } + else + { +- HMAC_Update( &ctx_prf, ph2->nonce_r.buff(), ph2->nonce_r.size() ); +- HMAC_Update( &ctx_prf, ph2->nonce_l.buff(), ph2->nonce_l.size() ); ++ HMAC_Update( ctx_prf, ph2->nonce_r.buff(), ph2->nonce_r.size() ); ++ HMAC_Update( ctx_prf, ph2->nonce_l.buff(), ph2->nonce_l.size() ); + } + +- HMAC_Final( &ctx_prf, key_data + size, 0 ); ++ HMAC_Final( ctx_prf, key_data + size, 0 ); + } + +- HMAC_CTX_cleanup( &ctx_prf ); ++ HMAC_CTX_free( ctx_prf ); + + // + // separate encrypt and auth key data Added: head/security/ike/files/patch-source_iked_ike.idb.exch.cpp ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/ike/files/patch-source_iked_ike.idb.exch.cpp Thu Mar 18 08:49:41 2021 (r568724) @@ -0,0 +1,22 @@ +--- source/iked/ike.idb.exch.cpp.orig 2011-01-15 22:09:32 UTC ++++ source/iked/ike.idb.exch.cpp +@@ -134,12 +134,13 @@ bool _IDB_XCH::new_msgiv( IDB_PH1 * ph1 ) + unsigned char iv_data[ EVP_MAX_MD_SIZE ]; + unsigned long iv_size = EVP_CIPHER_iv_length( ph1->evp_cipher ); + +- EVP_MD_CTX ctx_hash; +- EVP_DigestInit( &ctx_hash, ph1->evp_hash ); +- EVP_DigestUpdate( &ctx_hash, ph1->iv.buff(), ph1->iv.size() ); +- EVP_DigestUpdate( &ctx_hash, &msgid, 4 ); +- EVP_DigestFinal( &ctx_hash, iv_data, NULL ); +- EVP_MD_CTX_cleanup( &ctx_hash ); ++ EVP_MD_CTX *ctx_hash; ++ ctx_hash = EVP_MD_CTX_new(); ++ EVP_DigestInit( ctx_hash, ph1->evp_hash ); ++ EVP_DigestUpdate( ctx_hash, ph1->iv.buff(), ph1->iv.size() ); ++ EVP_DigestUpdate( ctx_hash, &msgid, 4 ); ++ EVP_DigestFinal( ctx_hash, iv_data, NULL ); ++ EVP_MD_CTX_free( ctx_hash ); + + iv.set( iv_data, iv_size ); + Added: head/security/ike/files/patch-source_iked_ike.idb.phase1.cpp ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/ike/files/patch-source_iked_ike.idb.phase1.cpp Thu Mar 18 08:49:41 2021 (r568724) @@ -0,0 +1,11 @@ +--- source/iked/ike.idb.phase1.cpp.orig 2011-02-01 07:21:32 UTC ++++ source/iked/ike.idb.phase1.cpp +@@ -676,7 +676,7 @@ bool _IDB_PH1::setup_dhgrp( IKE_PROPOSAL * proposal ) + } + + xl.size( dh_size ); +- long result = BN_bn2bin( dh->pub_key, xl.buff() ); ++ long result = BN_bn2bin( DH_get0_pub_key( dh ), xl.buff() ); + + // + // fixup public buffer alignment Added: head/security/ike/files/patch-source_iked_ike.idb.phase2.cpp ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/ike/files/patch-source_iked_ike.idb.phase2.cpp Thu Mar 18 08:49:41 2021 (r568724) @@ -0,0 +1,11 @@ +--- source/iked/ike.idb.phase2.cpp.orig 2012-11-19 23:28:52 UTC ++++ source/iked/ike.idb.phase2.cpp +@@ -438,7 +438,7 @@ bool _IDB_PH2::setup_dhgrp() + } + + xl.size( dh_size ); +- long result = BN_bn2bin( dh->pub_key, xl.buff() ); ++ long result = BN_bn2bin( DH_get0_pub_key( dh ), xl.buff() ); + + // + // fixup public buffer alignment Added: head/security/ike/files/patch-source_iked_ike.keyfile.cpp ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/ike/files/patch-source_iked_ike.keyfile.cpp Thu Mar 18 08:49:41 2021 (r568724) @@ -0,0 +1,82 @@ +--- source/iked/ike.keyfile.cpp.orig 2012-12-15 22:14:32 UTC ++++ source/iked/ike.keyfile.cpp +@@ -663,15 +663,19 @@ static int verify_cb( int ok, X509_STORE_CTX * store_c + { + long ll = LLOG_ERROR; + char name[ 512 ]; ++ int error, error_depth; + +- X509_NAME * x509_name = X509_get_subject_name( store_ctx->current_cert ); ++ X509_NAME * x509_name = X509_get_subject_name( X509_STORE_CTX_get_current_cert(store_ctx) ); + + X509_NAME_oneline( + x509_name, + name, + 512 ); ++ ++ error = X509_STORE_CTX_get_error(store_ctx); ++ error_depth = X509_STORE_CTX_get_error_depth(store_ctx); + +- switch( store_ctx->error ) ++ switch( error ) + { + case X509_V_ERR_UNABLE_TO_GET_CRL: + ok = 1; +@@ -683,9 +687,9 @@ static int verify_cb( int ok, X509_STORE_CTX * store_c + ll, + "ii : %s(%d) at depth:%d\n" + "ii : subject :%s\n", +- X509_verify_cert_error_string( store_ctx->error ), +- store_ctx->error, +- store_ctx->error_depth, ++ X509_verify_cert_error_string( error ), ++ error, ++ error_depth, + name ); + } + +@@ -857,7 +861,7 @@ bool prvkey_rsa_load_pem( BDATA & prvkey, FILE * fp, B + if( evp_pkey == NULL ) + return false; + +- bool converted = prvkey_rsa_2_bdata( prvkey, evp_pkey->pkey.rsa ); ++ bool converted = prvkey_rsa_2_bdata( prvkey, EVP_PKEY_get0_RSA(evp_pkey) ); + EVP_PKEY_free( evp_pkey ); + + return converted; +@@ -883,7 +887,7 @@ bool prvkey_rsa_load_p12( BDATA & prvkey, FILE * fp, B + if( evp_pkey == NULL ) + return false; + +- bool converted = prvkey_rsa_2_bdata( prvkey, evp_pkey->pkey.rsa ); ++ bool converted = prvkey_rsa_2_bdata( prvkey, EVP_PKEY_get0_RSA(evp_pkey) ); + EVP_PKEY_free( evp_pkey ); + + return converted; +@@ -939,7 +943,7 @@ bool prvkey_rsa_load_pem( BDATA & prvkey, BDATA & inpu + if( evp_pkey == NULL ) + return false; + +- bool converted = prvkey_rsa_2_bdata( prvkey, evp_pkey->pkey.rsa ); ++ bool converted = prvkey_rsa_2_bdata( prvkey, EVP_PKEY_get0_RSA(evp_pkey) ); + EVP_PKEY_free( evp_pkey ); + + return converted; +@@ -976,7 +980,7 @@ bool prvkey_rsa_load_p12( BDATA & prvkey, BDATA & inpu + if( evp_pkey == NULL ) + return false; + +- bool converted = prvkey_rsa_2_bdata( prvkey, evp_pkey->pkey.rsa ); ++ bool converted = prvkey_rsa_2_bdata( prvkey, EVP_PKEY_get0_RSA(evp_pkey) ); + EVP_PKEY_free( evp_pkey ); + + return converted; +@@ -1010,7 +1014,7 @@ bool _IKED::pubkey_rsa_read( BDATA & cert, BDATA & pub + if( evp_pkey == NULL ) + return false; + +- bool result = pubkey_rsa_2_bdata( pubkey, evp_pkey->pkey.rsa ); ++ bool result = pubkey_rsa_2_bdata( pubkey, EVP_PKEY_get0_RSA(evp_pkey) ); + + EVP_PKEY_free( evp_pkey ); + Added: head/security/ike/files/patch-source_libike_manager.file.cpp ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/ike/files/patch-source_libike_manager.file.cpp Thu Mar 18 08:49:41 2021 (r568724) @@ -0,0 +1,26 @@ +--- source/libike/manager.file.cpp.orig 2011-02-06 16:40:00 UTC ++++ source/libike/manager.file.cpp +@@ -679,11 +679,11 @@ bool _CONFIG_MANAGER::file_pcf_load( CONFIG & config, + BDATA pwd; + data.get( pwd ); + +- EVP_CIPHER_CTX ctx_cipher; +- EVP_CIPHER_CTX_init( &ctx_cipher ); ++ EVP_CIPHER_CTX *ctx_cipher; ++ ctx_cipher = EVP_CIPHER_CTX_new(); + + EVP_CipherInit_ex( +- &ctx_cipher, ++ ctx_cipher, + EVP_des_ede3_cbc(), + NULL, + key, +@@ -691,7 +691,7 @@ bool _CONFIG_MANAGER::file_pcf_load( CONFIG & config, + 0 ); + + EVP_Cipher( +- &ctx_cipher, ++ ctx_cipher, + pwd.buff(), + pwd.buff(), + ( unsigned int ) pwd.size() ); Modified: head/security/ike/pkg-descr ============================================================================== --- head/security/ike/pkg-descr Thu Mar 18 08:28:55 2021 (r568723) +++ head/security/ike/pkg-descr Thu Mar 18 08:49:41 2021 (r568724) @@ -5,6 +5,4 @@ running the ipsec-tools racoon daemon. The latest vers high level of compatibility with Cisco, Juniper, Zywall, Fortigate and many other commercial IPsec VPN gateways. *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***