Date: Wed, 5 Feb 2025 03:38:22 GMT From: Eugene Grosbein <eugen@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 63e90eb697a6 - main - security/ipsec-tools: re-add the port Message-ID: <202502050338.5153cMJk052814@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by eugen: URL: https://cgit.FreeBSD.org/ports/commit/?id=63e90eb697a6bc3eadb784e40e2060223a9a3d83 commit 63e90eb697a6bc3eadb784e40e2060223a9a3d83 Author: Eugene Grosbein <eugen@FreeBSD.org> AuthorDate: 2025-02-05 03:37:16 +0000 Commit: Eugene Grosbein <eugen@FreeBSD.org> CommitDate: 2025-02-05 03:37:16 +0000 security/ipsec-tools: re-add the port I use the software and will maintain the port. Our port has no known security issues, it has patches obtained from NetBSD CVS Repository. Change WWW to point to that repo. Still, download same distfile from the SourceForge. Add TIMESTAMP to distinfo. --- MOVED | 1 - security/Makefile | 1 + security/ipsec-tools/Makefile | 104 ++ security/ipsec-tools/distinfo | 3 + security/ipsec-tools/files/extra-patch-ipsec-tools | 1035 ++++++++++++++++++++ security/ipsec-tools/files/natt.diff | 155 +++ security/ipsec-tools/files/patch-handler.c | 22 + security/ipsec-tools/files/patch-isakmp.c | 30 + security/ipsec-tools/files/patch-isakmp_frag.c | 151 +++ security/ipsec-tools/files/patch-isakmp_inf.c | 22 + security/ipsec-tools/files/patch-isakmpinit | 64 ++ security/ipsec-tools/files/patch-reqid.diff | 176 ++++ .../files/patch-src-racoon-isakmp_cfg.c | 28 + .../ipsec-tools/files/patch-src_racoon_gssapi.c | 14 + security/ipsec-tools/files/racoon.in | 51 + .../ipsec-tools/files/wildcard-psk-oakley.c.diff | 22 + security/ipsec-tools/files/wildcard-psk.diff | 12 + security/ipsec-tools/pkg-descr | 22 + security/ipsec-tools/pkg-plist | 37 + 19 files changed, 1949 insertions(+), 1 deletion(-) diff --git a/MOVED b/MOVED index 28c102afcb93..7ff0d6f7fde2 100644 --- a/MOVED +++ b/MOVED @@ -4135,4 +4135,3 @@ devel/p5-Test-HTML-Tidy||2025-02-04|Has expired: Depends on expired textproc/p5- www/p5-CGI-Application-Plugin-HtmlTidy||2025-02-04|Has expired: Depends on expired textproc/p5-HTML-Tidy textproc/p5-HTML-Tidy||2025-02-04|Has expired: Depends on expired textproc/tidyp textproc/tidyp||2025-02-04|Has expired: The repository has been archived by upstream on Apr 14, 2019 -security/ipsec-tools||2025-02-04|Has expired: Deprecated by upstream in 2014, contains security issues diff --git a/security/Makefile b/security/Makefile index 9ac224036c64..5cfd261889ea 100644 --- a/security/Makefile +++ b/security/Makefile @@ -240,6 +240,7 @@ SUBDIR += intel-ipsec-mb SUBDIR += ipfmeta SUBDIR += ipguard + SUBDIR += ipsec-tools SUBDIR += ipv6toolkit SUBDIR += isal-kmod SUBDIR += ismtp diff --git a/security/ipsec-tools/Makefile b/security/ipsec-tools/Makefile new file mode 100644 index 000000000000..8ba6e0d49df7 --- /dev/null +++ b/security/ipsec-tools/Makefile @@ -0,0 +1,104 @@ +PORTNAME= ipsec-tools +PORTVERSION= 0.8.2 +PORTREVISION= 13 +CATEGORIES= security +MASTER_SITES= SF + +MAINTAINER= eugen@FreeBSD.org +COMMENT= KAME racoon IKE daemon, ipsec-tools version +WWW= http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/ + +LICENSE= BSD3CLAUSE + +USES= cpe libtool tar:bzip2 ssl + +CONFLICTS= racoon +INSTALL_TARGET= install-strip +USE_RC_SUBR= racoon +GNU_CONFIGURE= yes +GNU_CONFIGURE_MANPREFIX=${PREFIX}/share +USE_LDCONFIG= yes +CONFIGURE_ARGS= --enable-shared --sysconfdir=${PREFIX}/etc/racoon \ + --localstatedir=${STATEDIR:S/\/racoon//} + +STATEDIR= /var/db/racoon +SUB_LIST+= STATEDIR=${STATEDIR} REQUIREMOD=${REQUIREMOD} +PLIST_SUB+= STATEDIR=${STATEDIR} + +OPTIONS_DEFINE= IPV6 ADMINPORT STATS DPD NATT FRAG HYBRID PAM \ + RADIUS LDAP GSSAPI SAUNSPEC RC5 IDEA DOCS EXAMPLES WCPSKEY +OPTIONS_DEFAULT= ADMINPORT DPD NATT FRAG HYBRID WCPSKEY + +ADMINPORT_DESC= Enable Admin port +STATS_DESC= Statistics logging function +DPD_DESC= Dead Peer Detection +NATT_DESC= NAT-Traversal +FRAG_DESC= IKE fragmentation payload support +HYBRID_DESC= Hybrid, Xauth and Mode-cfg support +SAUNSPEC_DESC= Unspecified SA mode +RC5_DESC= RC5 encryption (patented) +IDEA_DESC= IDEA encryption (patented) +PAM_DESC= PAM authentication (Xauth server) +RADIUS_DESC= Radius authentication (Xauth server) +LDAP_DESC= LDAP authentication (Xauth server) +WCPSKEY_DESC= Allow wildcard matching for pre-shared keys + +PORTDOCS= * +PORTEXAMPLES= * + +IPV6_CONFIGURE_ENABLE= ipv6 +ADMINPORT_CONFIGURE_ENABLE=adminport +STATS_CONFIGURE_ENABLE= stats +DPD_CONFIGURE_ENABLE= dpd +NATT_CONFIGURE_ON= --enable-natt=yes --enable-natt-versions=rfc +NATT_CONFIGURE_OFF= --disable-natt +FRAG_CONFIGURE_ENABLE= frag +HYBRID_CONFIGURE_ENABLE=hybrid +PAM_CONFIGURE_WITH= libpam +GSSAPI_USES= iconv +GSSAPI_CFLAGS= -I${LOCALBASE}/include +GSSAPI_LDFLAGS= -L${LOCALBASE}/lib +GSSAPI_CONFIGURE_ENABLE=gssapi +RADIUS_CONFIGURE_WITH= libradius +LDAP_USES= ldap +LDAP_CONFIGURE_ON= --with-libldap=${LOCALBASE} +LDAP_CONFIGURE_OFF= --without-libldap +SAUNSPEC_CONFIGURE_ENABLE= samode-unspec +RC5_CONFIGURE_ENABLE= rc5 +IDEA_CONFIGURE_ENABLE= idea +NATT_EXTRA_PATCHES= ${FILESDIR}/natt.diff +WCPSKEY_EXTRA_PATCHES= ${FILESDIR}/wildcard-psk.diff ${FILESDIR}/wildcard-psk-oakley.c.diff + +.include <bsd.port.pre.mk> + +.if ${OPSYS} == FreeBSD +REQUIREMOD?= ipsec +.endif + +post-patch: + @${REINPLACE_CMD} -e "s/-Werror//g ; s/-R$$libdir/-Wl,-rpath=$$libdir/g" ${WRKSRC}/configure + +post-install: + @${MKDIR} ${STAGEDIR}/${PREFIX}/etc/racoon + @if [ -z `/sbin/sysctl -a | ${GREP} -q ipsec && ${ECHO_CMD} ipsec` ]; then \ + ${ECHO_MSG} "WARNING: IPsec feature is disabled on this host"; \ + ${ECHO_MSG} " You must build the kernel if you want to run racoon on the host"; \ + fi ; + +post-install-EXAMPLES-on: + @${MKDIR} ${STAGEDIR}/${EXAMPLESDIR} + @${RM} ${WRKSRC}/src/racoon/samples/*.in + @${CP} -r ${WRKSRC}/src/racoon/samples/* ${STAGEDIR}/${EXAMPLESDIR} + +post-install-DOCS-on: + @${MKDIR} ${STAGEDIR}/${DOCSDIR} + ${INSTALL_DATA} ${WRKSRC}/src/racoon/doc/* ${STAGEDIR}/${DOCSDIR} + +.if ${OPSYS} == FreeBSD +. if ${SSL_DEFAULT} != openssl111 +EXTRA_PATCHES+= ${FILESDIR}/extra-patch-ipsec-tools +PLIST_FILES+= include/racoon/openssl_compat.h +. endif +.endif + +.include <bsd.port.post.mk> diff --git a/security/ipsec-tools/distinfo b/security/ipsec-tools/distinfo new file mode 100644 index 000000000000..8f367a222f84 --- /dev/null +++ b/security/ipsec-tools/distinfo @@ -0,0 +1,3 @@ +TIMESTAMP = 1738726293 +SHA256 (ipsec-tools-0.8.2.tar.bz2) = 8eb6b38716e2f3a8a72f1f549c9444c2bc28d52c9536792690564c74fe722f2d +SIZE (ipsec-tools-0.8.2.tar.bz2) = 866465 diff --git a/security/ipsec-tools/files/extra-patch-ipsec-tools b/security/ipsec-tools/files/extra-patch-ipsec-tools new file mode 100644 index 000000000000..718ad0e807ba --- /dev/null +++ b/security/ipsec-tools/files/extra-patch-ipsec-tools @@ -0,0 +1,1035 @@ +--- src/racoon/Makefile.in ++++ src/racoon/Makefile.in +@@ -571,7 +571,7 @@ top_builddir = @top_builddir@ + top_srcdir = @top_srcdir@ + include_racoon_HEADERS = racoonctl.h var.h vmbuf.h misc.h gcmalloc.h admin.h \ + schedule.h sockmisc.h isakmp_var.h isakmp.h isakmp_xauth.h \ +- isakmp_cfg.h isakmp_unity.h ipsec_doi.h evt.h ++ isakmp_cfg.h isakmp_unity.h ipsec_doi.h evt.h openssl_compat.h + + lib_LTLIBRARIES = libracoon.la + adminsockdir = ${localstatedir}/racoon +@@ -597,7 +597,7 @@ racoon_SOURCES = \ + gssapi.c dnssec.c getcertsbyname.c privsep.c \ + pfkey.c admin.c evt.c ipsec_doi.c oakley.c grabmyaddr.c vendorid.c \ + policy.c localconf.c remoteconf.c crypto_openssl.c algorithm.c \ +- proposal.c sainfo.c strnames.c \ ++ openssl_compat.c proposal.c sainfo.c strnames.c \ + plog.c logger.c schedule.c str2val.c \ + safefile.c backupsa.c genlist.c rsalist.c \ + cftoken.l cfparse.y prsa_tok.l prsa_par.y +@@ -617,12 +617,12 @@ racoonctl_LDADD = libracoon.la ../libipsec/libipsec.la + libracoon_la_SOURCES = kmpstat.c vmbuf.c sockmisc.c misc.c + libracoon_la_CFLAGS = -DNOUSE_PRIVSEP $(AM_CFLAGS) + plainrsa_gen_SOURCES = plainrsa-gen.c plog.c \ +- crypto_openssl.c logger.c ++ crypto_openssl.c logger.c openssl_compat.c + + EXTRA_plainrsa_gen_SOURCES = $(MISSING_ALGOS) + plainrsa_gen_LDADD = $(CRYPTOBJS) vmbuf.o misc.o + plainrsa_gen_DEPENDENCIES = $(CRYPTOBJS) vmbuf.o misc.o +-eaytest_SOURCES = eaytest.c plog.c logger.c ++eaytest_SOURCES = eaytest.c plog.c logger.c openssl_compat.c + EXTRA_eaytest_SOURCES = missing/crypto/sha2/sha2.c + eaytest_LDADD = crypto_openssl_test.o vmbuf.o str2val.o misc_noplog.o \ + $(CRYPTOBJS) +@@ -642,7 +642,7 @@ noinst_HEADERS = \ + debugrm.h isakmp.h misc.h sainfo.h \ + dhgroup.h isakmp_agg.h netdb_dnssec.h schedule.h \ + isakmp_cfg.h isakmp_xauth.h isakmp_unity.h isakmp_frag.h \ +- throttle.h privsep.h \ ++ throttle.h privsep.h openssl_compat.h \ + cfparse_proto.h cftoken_proto.h genlist.h rsalist.h \ + missing/crypto/sha2/sha2.h missing/crypto/rijndael/rijndael_local.h \ + missing/crypto/rijndael/rijndael-api-fst.h \ +--- src/racoon/algorithm.c ++++ src/racoon/algorithm.c +@@ -128,7 +128,7 @@ static struct enc_algorithm oakley_encdef[] = { + { "aes", algtype_aes, OAKLEY_ATTR_ENC_ALG_AES, 16, + eay_aes_encrypt, eay_aes_decrypt, + eay_aes_weakkey, eay_aes_keylen, }, +-#ifdef HAVE_OPENSSL_CAMELLIA_H ++#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA) + { "camellia", algtype_camellia, OAKLEY_ATTR_ENC_ALG_CAMELLIA, 16, + eay_camellia_encrypt, eay_camellia_decrypt, + eay_camellia_weakkey, eay_camellia_keylen, }, +@@ -168,7 +168,7 @@ static struct enc_algorithm ipsec_encdef[] = { + { "twofish", algtype_twofish, IPSECDOI_ESP_TWOFISH, 16, + NULL, NULL, + NULL, eay_twofish_keylen, }, +-#ifdef HAVE_OPENSSL_IDEA_H ++#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA) + { "3idea", algtype_3idea, IPSECDOI_ESP_3IDEA, 8, + NULL, NULL, + NULL, NULL, }, +@@ -179,7 +179,7 @@ static struct enc_algorithm ipsec_encdef[] = { + { "rc4", algtype_rc4, IPSECDOI_ESP_RC4, 8, + NULL, NULL, + NULL, NULL, }, +-#ifdef HAVE_OPENSSL_CAMELLIA_H ++#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA) + { "camellia", algtype_camellia, IPSECDOI_ESP_CAMELLIA, 16, + NULL, NULL, + NULL, eay_camellia_keylen, }, +--- src/racoon/cfparse.y ++++ src/racoon/cfparse.y +@@ -2564,7 +2564,7 @@ set_isakmp_proposal(rmconf) + plog(LLV_DEBUG2, LOCATION, NULL, + "encklen=%d\n", s->encklen); + +- memset(types, 0, ARRAYLEN(types)); ++ memset(types, 0, sizeof types); + types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc]; + types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash]; + types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh]; +--- src/racoon/crypto_openssl.c ++++ src/racoon/crypto_openssl.c +@@ -90,6 +90,7 @@ + #endif + #endif + #include "plog.h" ++#include "openssl_compat.h" + + #define USE_NEW_DES_API + +@@ -316,9 +317,12 @@ eay_cmp_asn1dn(n1, n2) + i = idx+1; + goto end; + } +- if ((ea->value->length == 1 && ea->value->data[0] == '*') || +- (eb->value->length == 1 && eb->value->data[0] == '*')) { +- if (OBJ_cmp(ea->object,eb->object)) { ++ ASN1_STRING *sa = X509_NAME_ENTRY_get_data(ea); ++ ASN1_STRING *sb = X509_NAME_ENTRY_get_data(eb); ++ if ((ASN1_STRING_length(sa) == 1 && ASN1_STRING_get0_data(sa)[0] == '*') || ++ (ASN1_STRING_length(sb) == 1 && ASN1_STRING_get0_data(sb)[0] == '*')) { ++ if (OBJ_cmp(X509_NAME_ENTRY_get_object(ea), ++ X509_NAME_ENTRY_get_object(eb))) { + i = idx+1; + goto end; + } +@@ -430,7 +434,7 @@ cb_check_cert_local(ok, ctx) + + if (!ok) { + X509_NAME_oneline( +- X509_get_subject_name(ctx->current_cert), ++ X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)), + buf, + 256); + /* +@@ -438,7 +442,8 @@ cb_check_cert_local(ok, ctx) + * ok if they are self signed. But we should still warn + * the user. + */ +- switch (ctx->error) { ++ int ctx_error = X509_STORE_CTX_get_error(ctx); ++ switch (ctx_error) { + case X509_V_ERR_CERT_HAS_EXPIRED: + case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: + case X509_V_ERR_INVALID_CA: +@@ -453,9 +458,9 @@ cb_check_cert_local(ok, ctx) + } + plog(log_tag, LOCATION, NULL, + "%s(%d) at depth:%d SubjectName:%s\n", +- X509_verify_cert_error_string(ctx->error), +- ctx->error, +- ctx->error_depth, ++ X509_verify_cert_error_string(ctx_error), ++ ctx_error, ++ X509_STORE_CTX_get_error_depth(ctx), + buf); + } + ERR_clear_error(); +@@ -477,10 +482,11 @@ cb_check_cert_remote(ok, ctx) + + if (!ok) { + X509_NAME_oneline( +- X509_get_subject_name(ctx->current_cert), ++ X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)), + buf, + 256); +- switch (ctx->error) { ++ int ctx_error=X509_STORE_CTX_get_error(ctx); ++ switch (ctx_error) { + case X509_V_ERR_UNABLE_TO_GET_CRL: + ok = 1; + log_tag = LLV_WARNING; +@@ -490,9 +496,9 @@ cb_check_cert_remote(ok, ctx) + } + plog(log_tag, LOCATION, NULL, + "%s(%d) at depth:%d SubjectName:%s\n", +- X509_verify_cert_error_string(ctx->error), +- ctx->error, +- ctx->error_depth, ++ X509_verify_cert_error_string(ctx_error), ++ ctx_error, ++ X509_STORE_CTX_get_error_depth(ctx), + buf); + } + ERR_clear_error(); +@@ -516,14 +522,15 @@ eay_get_x509asn1subjectname(cert) + if (x509 == NULL) + goto error; + ++ X509_NAME *subject_name = X509_get_subject_name(x509); + /* get the length of the name */ +- len = i2d_X509_NAME(x509->cert_info->subject, NULL); ++ len = i2d_X509_NAME(subject_name, NULL); + name = vmalloc(len); + if (!name) + goto error; + /* get the name */ + bp = (unsigned char *) name->v; +- len = i2d_X509_NAME(x509->cert_info->subject, &bp); ++ len = i2d_X509_NAME(subject_name, &bp); + + X509_free(x509); + +@@ -661,15 +668,16 @@ eay_get_x509asn1issuername(cert) + if (x509 == NULL) + goto error; + ++ X509_NAME *issuer_name = X509_get_issuer_name(x509); + /* get the length of the name */ +- len = i2d_X509_NAME(x509->cert_info->issuer, NULL); ++ len = i2d_X509_NAME(issuer_name, NULL); + name = vmalloc(len); + if (name == NULL) + goto error; + + /* get the name */ + bp = (unsigned char *) name->v; +- len = i2d_X509_NAME(x509->cert_info->issuer, &bp); ++ len = i2d_X509_NAME(issuer_name, &bp); + + X509_free(x509); + +@@ -850,7 +858,7 @@ eay_check_x509sign(source, sig, cert) + return -1; + } + +- res = eay_rsa_verify(source, sig, evp->pkey.rsa); ++ res = eay_rsa_verify(source, sig, EVP_PKEY_get0_RSA(evp)); + + EVP_PKEY_free(evp); + X509_free(x509); +@@ -992,7 +1000,7 @@ eay_get_x509sign(src, privkey) + if (evp == NULL) + return NULL; + +- sig = eay_rsa_sign(src, evp->pkey.rsa); ++ sig = eay_rsa_sign(src, EVP_PKEY_get0_RSA(evp)); + + EVP_PKEY_free(evp); + +@@ -1079,7 +1087,11 @@ eay_strerror() + int line, flags; + unsigned long es; + ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ es = 0; /* even when allowed by OPENSSL_API_COMPAT, it is defined as 0 */ ++#else + es = CRYPTO_thread_id(); ++#endif + + while ((l = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0){ + n = snprintf(ebuf + len, sizeof(ebuf) - len, +@@ -1100,7 +1112,7 @@ vchar_t * + evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc) + { + vchar_t *res; +- EVP_CIPHER_CTX ctx; ++ EVP_CIPHER_CTX *ctx; + + if (!e) + return NULL; +@@ -1111,7 +1123,7 @@ evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc + if ((res = vmalloc(data->l)) == NULL) + return NULL; + +- EVP_CIPHER_CTX_init(&ctx); ++ ctx = EVP_CIPHER_CTX_new(); + + switch(EVP_CIPHER_nid(e)){ + case NID_bf_cbc: +@@ -1125,54 +1137,41 @@ evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc + /* XXX: can we do that also for algos with a fixed key size ? + */ + /* init context without key/iv +- */ +- if (!EVP_CipherInit(&ctx, e, NULL, NULL, enc)) +- { +- OpenSSL_BUG(); +- vfree(res); +- return NULL; +- } ++ */ ++ if (!EVP_CipherInit(ctx, e, NULL, NULL, enc)) ++ goto out; + +- /* update key size +- */ +- if (!EVP_CIPHER_CTX_set_key_length(&ctx, key->l)) +- { +- OpenSSL_BUG(); +- vfree(res); +- return NULL; +- } +- +- /* finalize context init with desired key size +- */ +- if (!EVP_CipherInit(&ctx, NULL, (u_char *) key->v, ++ /* update key size ++ */ ++ if (!EVP_CIPHER_CTX_set_key_length(ctx, key->l)) ++ goto out; ++ ++ /* finalize context init with desired key size ++ */ ++ if (!EVP_CipherInit(ctx, NULL, (u_char *) key->v, + (u_char *) iv->v, enc)) +- { +- OpenSSL_BUG(); +- vfree(res); +- return NULL; +- } ++ goto out; + break; + default: +- if (!EVP_CipherInit(&ctx, e, (u_char *) key->v, +- (u_char *) iv->v, enc)) { +- OpenSSL_BUG(); +- vfree(res); +- return NULL; +- } ++ if (!EVP_CipherInit(ctx, e, (u_char *) key->v, ++ (u_char *) iv->v, enc)) ++ goto out; + } + + /* disable openssl padding */ +- EVP_CIPHER_CTX_set_padding(&ctx, 0); ++ EVP_CIPHER_CTX_set_padding(ctx, 0); + +- if (!EVP_Cipher(&ctx, (u_char *) res->v, (u_char *) data->v, data->l)) { +- OpenSSL_BUG(); +- vfree(res); +- return NULL; +- } ++ if (!EVP_Cipher(ctx, (u_char *) res->v, (u_char *) data->v, data->l)) ++ goto out; + +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_free(ctx); + + return res; ++out: ++ EVP_CIPHER_CTX_free(ctx); ++ OpenSSL_BUG(); ++ vfree(res); ++ return NULL; + } + + int +@@ -1230,7 +1229,7 @@ eay_des_keylen(len) + return evp_keylen(len, EVP_des_cbc()); + } + +-#ifdef HAVE_OPENSSL_IDEA_H ++#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA) + /* + * IDEA-CBC + */ +@@ -1587,7 +1586,7 @@ eay_aes_keylen(len) + return len; + } + +-#if defined(HAVE_OPENSSL_CAMELLIA_H) ++#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA) + /* + * CAMELLIA-CBC + */ +@@ -1680,9 +1679,9 @@ eay_hmac_init(key, md) + vchar_t *key; + const EVP_MD *md; + { +- HMAC_CTX *c = racoon_malloc(sizeof(*c)); ++ HMAC_CTX *c = HMAC_CTX_new(); + +- HMAC_Init(c, key->v, key->l, md); ++ HMAC_Init_ex(c, key->v, key->l, md, NULL); + + return (caddr_t)c; + } +@@ -1761,8 +1760,7 @@ eay_hmacsha2_512_final(c) + + HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l); + res->l = l; +- HMAC_cleanup((HMAC_CTX *)c); +- (void)racoon_free(c); ++ HMAC_CTX_free((HMAC_CTX *)c); + + if (SHA512_DIGEST_LENGTH != res->l) { + plog(LLV_ERROR, LOCATION, NULL, +@@ -1811,8 +1809,7 @@ eay_hmacsha2_384_final(c) + + HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l); + res->l = l; +- HMAC_cleanup((HMAC_CTX *)c); +- (void)racoon_free(c); ++ HMAC_CTX_free((HMAC_CTX *)c); + + if (SHA384_DIGEST_LENGTH != res->l) { + plog(LLV_ERROR, LOCATION, NULL, +@@ -1861,8 +1858,7 @@ eay_hmacsha2_256_final(c) + + HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l); + res->l = l; +- HMAC_cleanup((HMAC_CTX *)c); +- (void)racoon_free(c); ++ HMAC_CTX_free((HMAC_CTX *)c); + + if (SHA256_DIGEST_LENGTH != res->l) { + plog(LLV_ERROR, LOCATION, NULL, +@@ -1912,8 +1908,7 @@ eay_hmacsha1_final(c) + + HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l); + res->l = l; +- HMAC_cleanup((HMAC_CTX *)c); +- (void)racoon_free(c); ++ HMAC_CTX_free((HMAC_CTX *)c); + + if (SHA_DIGEST_LENGTH != res->l) { + plog(LLV_ERROR, LOCATION, NULL, +@@ -1962,8 +1957,7 @@ eay_hmacmd5_final(c) + + HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l); + res->l = l; +- HMAC_cleanup((HMAC_CTX *)c); +- (void)racoon_free(c); ++ HMAC_CTX_free((HMAC_CTX *)c); + + if (MD5_DIGEST_LENGTH != res->l) { + plog(LLV_ERROR, LOCATION, NULL, +@@ -2266,6 +2260,7 @@ eay_dh_generate(prime, g, publen, pub, priv) + u_int32_t g; + { + BIGNUM *p = NULL; ++ BIGNUM *BNg = NULL; + DH *dh = NULL; + int error = -1; + +@@ -2276,25 +2271,28 @@ eay_dh_generate(prime, g, publen, pub, priv) + + if ((dh = DH_new()) == NULL) + goto end; +- dh->p = p; +- p = NULL; /* p is now part of dh structure */ +- dh->g = NULL; +- if ((dh->g = BN_new()) == NULL) ++ if ((BNg = BN_new()) == NULL) + goto end; +- if (!BN_set_word(dh->g, g)) ++ if (!BN_set_word(BNg, g)) + goto end; ++ if (! DH_set0_pqg(dh, p, NULL, BNg)) ++ goto end; ++ BNg = NULL; ++ p = NULL; /* p is now part of dh structure */ + + if (publen != 0) +- dh->length = publen; ++ DH_set_length(dh, publen); + + /* generate public and private number */ + if (!DH_generate_key(dh)) + goto end; + + /* copy results to buffers */ +- if (eay_bn2v(pub, dh->pub_key) < 0) ++ BIGNUM *pub_key, *priv_key; ++ DH_get0_key(dh, (const BIGNUM**) &pub_key, (const BIGNUM**) &priv_key); ++ if (eay_bn2v(pub, pub_key) < 0) + goto end; +- if (eay_bn2v(priv, dh->priv_key) < 0) { ++ if (eay_bn2v(priv, priv_key) < 0) { + vfree(*pub); + goto end; + } +@@ -2306,6 +2304,8 @@ end: + DH_free(dh); + if (p != 0) + BN_free(p); ++ if (BNg != 0) ++ BN_free(BNg); + return(error); + } + +@@ -2319,6 +2319,10 @@ eay_dh_compute(prime, g, pub, priv, pub2, key) + int l; + unsigned char *v = NULL; + int error = -1; ++ BIGNUM *p = BN_new(); ++ BIGNUM *BNg = BN_new(); ++ BIGNUM *pub_key = BN_new(); ++ BIGNUM *priv_key = BN_new(); + + /* make public number to compute */ + if (eay_v2bn(&dh_pub, pub2) < 0) +@@ -2327,19 +2331,21 @@ eay_dh_compute(prime, g, pub, priv, pub2, key) + /* make DH structure */ + if ((dh = DH_new()) == NULL) + goto end; +- if (eay_v2bn(&dh->p, prime) < 0) ++ if (p == NULL || BNg == NULL || pub_key == NULL || priv_key == NULL) + goto end; +- if (eay_v2bn(&dh->pub_key, pub) < 0) ++ ++ if (eay_v2bn(&p, prime) < 0) + goto end; +- if (eay_v2bn(&dh->priv_key, priv) < 0) ++ if (eay_v2bn(&pub_key, pub) < 0) + goto end; +- dh->length = pub2->l * 8; +- +- dh->g = NULL; +- if ((dh->g = BN_new()) == NULL) ++ if (eay_v2bn(&priv_key, priv) < 0) + goto end; +- if (!BN_set_word(dh->g, g)) ++ if (!BN_set_word(BNg, g)) + goto end; ++ DH_set0_key(dh, pub_key, priv_key); ++ DH_set_length(dh, pub2->l * 8); ++ DH_set0_pqg(dh, p, NULL, BNg); ++ pub_key = priv_key = p = BNg = NULL; + + if ((v = racoon_calloc(prime->l, sizeof(u_char))) == NULL) + goto end; +@@ -2350,6 +2356,14 @@ eay_dh_compute(prime, g, pub, priv, pub2, key) + error = 0; + + end: ++ if (p != NULL) ++ BN_free(p); ++ if (BNg != NULL) ++ BN_free(BNg); ++ if (pub_key != NULL) ++ BN_free(pub_key); ++ if (priv_key != NULL) ++ BN_free(priv_key); + if (dh_pub != NULL) + BN_free(dh_pub); + if (dh != NULL) +@@ -2400,12 +2414,14 @@ eay_bn2v(var, bn) + void + eay_init() + { ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + OpenSSL_add_all_algorithms(); + ERR_load_crypto_strings(); + #ifdef HAVE_OPENSSL_ENGINE_H + ENGINE_load_builtin_engines(); + ENGINE_register_all_complete(); + #endif ++#endif + } + + vchar_t * +@@ -2504,8 +2520,7 @@ binbuf_pubkey2rsa(vchar_t *binbuf) + goto out; + } + +- rsa_pub->n = mod; +- rsa_pub->e = exp; ++ RSA_set0_key(rsa_pub, mod, exp, NULL); + + out: + return rsa_pub; +@@ -2582,5 +2597,5 @@ eay_random() + const char * + eay_version() + { +- return SSLeay_version(SSLEAY_VERSION); ++ return OpenSSL_version(OPENSSL_VERSION); + } +--- src/racoon/crypto_openssl.h ++++ src/racoon/crypto_openssl.h +@@ -124,7 +124,7 @@ extern vchar_t *eay_aes_decrypt __P((vchar_t *, vchar_t *, vchar_t *)); + extern int eay_aes_weakkey __P((vchar_t *)); + extern int eay_aes_keylen __P((int)); + +-#if defined(HAVE_OPENSSL_CAMELLIA_H) ++#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA) + /* Camellia */ + extern vchar_t *eay_camellia_encrypt __P((vchar_t *, vchar_t *, vchar_t *)); + extern vchar_t *eay_camellia_decrypt __P((vchar_t *, vchar_t *, vchar_t *)); +--- src/racoon/eaytest.c ++++ src/racoon/eaytest.c +@@ -62,6 +62,7 @@ + #include "dhgroup.h" + #include "crypto_openssl.h" + #include "gnuc.h" ++#include "openssl_compat.h" + + #include "package_version.h" + +@@ -103,7 +104,7 @@ rsa_verify_with_pubkey(src, sig, pubkey_txt) + printf ("PEM_read_PUBKEY(): %s\n", eay_strerror()); + return -1; + } +- error = eay_check_rsasign(src, sig, evp->pkey.rsa); ++ error = eay_check_rsasign(src, sig, EVP_PKEY_get0_RSA(evp)); + + return error; + } +@@ -698,7 +699,7 @@ ciphertest(ac, av) + eay_cast_encrypt, eay_cast_decrypt) < 0) + return -1; + +-#ifdef HAVE_OPENSSL_IDEA_H ++#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA) + if (ciphertest_1 ("IDEA", + &data, 8, + &key, key.l, +@@ -715,7 +716,7 @@ ciphertest(ac, av) + eay_rc5_encrypt, eay_rc5_decrypt) < 0) + return -1; + #endif +-#if defined(HAVE_OPENSSL_CAMELLIA_H) ++#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA) + if (ciphertest_1 ("CAMELLIA", + &data, 16, + &key, key.l, +--- src/racoon/ipsec_doi.c ++++ src/racoon/ipsec_doi.c +@@ -715,7 +715,7 @@ out: + /* key length must not be specified on some algorithms */ + if (keylen) { + if (sa->enctype == OAKLEY_ATTR_ENC_ALG_DES +-#ifdef HAVE_OPENSSL_IDEA_H ++#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA) + || sa->enctype == OAKLEY_ATTR_ENC_ALG_IDEA + #endif + || sa->enctype == OAKLEY_ATTR_ENC_ALG_3DES) { +--- /dev/null ++++ src/racoon/openssl_compat.c +@@ -0,0 +1,213 @@ ++/* ++ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the OpenSSL license (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include "openssl_compat.h" ++ ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ ++#include <string.h> ++ ++static void *OPENSSL_zalloc(size_t num) ++{ ++ void *ret = OPENSSL_malloc(num); ++ ++ if (ret != NULL) ++ memset(ret, 0, num); ++ return ret; ++} ++ ++int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) ++{ ++ /* If the fields n and e in r are NULL, the corresponding input ++ * parameters MUST be non-NULL for n and e. d may be ++ * left NULL (in case only the public key is used). ++ */ ++ if ((r->n == NULL && n == NULL) ++ || (r->e == NULL && e == NULL)) ++ return 0; ++ ++ if (n != NULL) { ++ BN_free(r->n); ++ r->n = n; ++ } ++ if (e != NULL) { ++ BN_free(r->e); ++ r->e = e; ++ } ++ if (d != NULL) { ++ BN_free(r->d); ++ r->d = d; ++ } ++ ++ return 1; ++} ++ ++int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) ++{ ++ /* If the fields p and q in r are NULL, the corresponding input ++ * parameters MUST be non-NULL. ++ */ ++ if ((r->p == NULL && p == NULL) ++ || (r->q == NULL && q == NULL)) ++ return 0; ++ ++ if (p != NULL) { ++ BN_free(r->p); ++ r->p = p; ++ } ++ if (q != NULL) { ++ BN_free(r->q); ++ r->q = q; ++ } ++ ++ return 1; ++} ++ ++int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) ++{ ++ /* If the fields dmp1, dmq1 and iqmp in r are NULL, the corresponding input ++ * parameters MUST be non-NULL. ++ */ ++ if ((r->dmp1 == NULL && dmp1 == NULL) ++ || (r->dmq1 == NULL && dmq1 == NULL) ++ || (r->iqmp == NULL && iqmp == NULL)) ++ return 0; ++ ++ if (dmp1 != NULL) { ++ BN_free(r->dmp1); ++ r->dmp1 = dmp1; ++ } ++ if (dmq1 != NULL) { ++ BN_free(r->dmq1); ++ r->dmq1 = dmq1; ++ } ++ if (iqmp != NULL) { ++ BN_free(r->iqmp); ++ r->iqmp = iqmp; ++ } ++ ++ return 1; ++} ++ ++void RSA_get0_key(const RSA *r, ++ const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) ++{ ++ if (n != NULL) ++ *n = r->n; ++ if (e != NULL) ++ *e = r->e; ++ if (d != NULL) ++ *d = r->d; ++} ++ ++void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) ++{ ++ if (p != NULL) ++ *p = r->p; ++ if (q != NULL) ++ *q = r->q; ++} ++ ++void RSA_get0_crt_params(const RSA *r, ++ const BIGNUM **dmp1, const BIGNUM **dmq1, ++ const BIGNUM **iqmp) ++{ ++ if (dmp1 != NULL) ++ *dmp1 = r->dmp1; ++ if (dmq1 != NULL) ++ *dmq1 = r->dmq1; ++ if (iqmp != NULL) ++ *iqmp = r->iqmp; ++} ++ ++int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) ++{ ++ /* If the fields p and g in d are NULL, the corresponding input ++ * parameters MUST be non-NULL. q may remain NULL. ++ */ ++ if ((dh->p == NULL && p == NULL) ++ || (dh->g == NULL && g == NULL)) ++ return 0; ++ ++ if (p != NULL) { ++ BN_free(dh->p); ++ dh->p = p; ++ } ++ if (q != NULL) { ++ BN_free(dh->q); ++ dh->q = q; ++ } ++ if (g != NULL) { ++ BN_free(dh->g); ++ dh->g = g; ++ } ++ ++ if (q != NULL) { ++ dh->length = BN_num_bits(q); ++ } ++ ++ return 1; ++} ++ ++void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key) ++{ ++ if (pub_key != NULL) ++ *pub_key = dh->pub_key; ++ if (priv_key != NULL) ++ *priv_key = dh->priv_key; ++} ++ ++int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) ++{ ++ /* If the field pub_key in dh is NULL, the corresponding input ++ * parameters MUST be non-NULL. The priv_key field may ++ * be left NULL. ++ */ ++ if (dh->pub_key == NULL && pub_key == NULL) ++ return 0; ++ ++ if (pub_key != NULL) { ++ BN_free(dh->pub_key); ++ dh->pub_key = pub_key; ++ } ++ if (priv_key != NULL) { ++ BN_free(dh->priv_key); ++ dh->priv_key = priv_key; ++ } ++ *** 1125 LINES SKIPPED ***
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202502050338.5153cMJk052814>