As discussed on GitHub[0] the package should be removed.
[0]: https://github.com/openwrt/packages/issues/7832
> The package is effectively orphaned upstream and has been for some
time. Given the security-sensitive nature of the package, an active
maintainer community is essential for safe usage. Racoon's lack of
support for IKEv2, despite it being stable for a long time, and the
availability of next-generation tunneling systems such as wireguard,
also would seem to limit its future value. Setkey's functionality
has been subsumed by 'ip xfrm'.
> If you disagree that ipsec-tools should be removed from OpenWRT,
please say so now. If there are still use cases for it that are
not met by other IKE implmenentations that would be good to
know. But more importantly, I think you'll need to convince us
that ipsec-tools is actually safe to operate on today's Internet
given its current state of development.
Signed-off-by: Paul Spooren <mail@aparcar.org>
+++ /dev/null
-#
-# Copyright (C) 2006-2015 OpenWrt.org
-# 2014 Noah Meyerhans <frodo@morgul.net>
-#
-# This is free software, licensed under the GNU General Public License v2.
-# See /LICENSE for more information.
-#
-
-include $(TOPDIR)/rules.mk
-include $(INCLUDE_DIR)/kernel.mk
-
-PKG_NAME:=ipsec-tools
-PKG_VERSION:=0.8.2
-PKG_RELEASE:=9
-PKG_MAINTAINER:=Noah Meyerhans <frodo@morgul.net>, \
- Vitaly Protsko <villy@sft.ru>
-PKG_LICENSE := BSD-3-Clause
-
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
-PKG_SOURCE_URL:=@SF/ipsec-tools
-PKG_HASH:=8eb6b38716e2f3a8a72f1f549c9444c2bc28d52c9536792690564c74fe722f2d
-
-PKG_BUILD_PARALLEL:=1
-PKG_INSTALL:=1
-
-PKG_FIXUP:=autoreconf
-
-include $(INCLUDE_DIR)/package.mk
-
-define Package/ipsec-tools
- SECTION:=net
- CATEGORY:=Network
- SUBMENU:=VPN
- DEPENDS:=+libopenssl +kmod-ipsec
- TITLE:=IPsec management tools
- URL:=http://ipsec-tools.sourceforge.net/
- MAINTAINER:=Noah Meyerhans <frodo@morgul.net>
-endef
-
-CONFIGURE_ARGS += \
- --enable-shared \
- --enable-static \
- --with-kernel-headers="$(LINUX_DIR)/include" \
- --without-readline \
- --with-openssl="$(STAGING_DIR)/usr" \
- --without-libradius \
- --without-libpam \
- --enable-dpd \
- --enable-hybrid \
- --enable-security-context=no \
- --enable-natt \
- --enable-adminport \
- --enable-frag \
- $(call autoconf_bool,CONFIG_IPV6,ipv6)
-
-# override CFLAGS holding "-Werror" that break builds on compile warnings
-MAKE_FLAGS+=\
- CFLAGS="$(TARGET_CFLAGS) $(EXTRA_CFLAGS) $(TARGET_CPPFLAGS) $(EXTRA_CPPFLAGS)"
-
-define Build/Prepare
- $(call Build/Prepare/Default)
- chmod -R u+w $(PKG_BUILD_DIR)
-endef
-
-define Build/Configure
- (cd $(PKG_BUILD_DIR); touch \
- configure.ac \
- aclocal.m4 \
- Makefile.in \
- config.h.in \
- configure \
- );
- $(call Build/Configure/Default)
-ifndef CONFIG_SHADOW_PASSWORDS
- echo "#undef HAVE_SHADOW_H" >> $(PKG_BUILD_DIR)/config.h
-endif
-endef
-
-define Package/ipsec-tools/install
- $(INSTALL_DIR) $(1)/etc/racoon
- $(INSTALL_CONF) ./files/functions.sh $(1)/etc/racoon/
- $(INSTALL_BIN) ./files/p1client-up $(1)/etc/racoon/
- $(INSTALL_BIN) ./files/p1client-down $(1)/etc/racoon/
- $(INSTALL_BIN) ./files/vpnctl $(1)/etc/racoon/
- $(INSTALL_DIR) $(1)/etc/init.d
- $(INSTALL_BIN) ./files/racoon.init $(1)/etc/init.d/racoon
- $(INSTALL_DIR) $(1)/etc/config
- $(INSTALL_CONF) ./files/racoon $(1)/etc/config/
- $(INSTALL_DIR) $(1)/usr/lib
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/libipsec.so.* $(1)/usr/lib/
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/libracoon.so.* $(1)/usr/lib/
- $(INSTALL_DIR) $(1)/usr/sbin
- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/plainrsa-gen $(1)/usr/sbin/
- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/racoon $(1)/usr/sbin/
- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/racoonctl $(1)/usr/sbin/
- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/setkey $(1)/usr/sbin/
-endef
-
-define Package/ipsec-tools/conffiles
-/etc/config/racoon
-endef
-
-$(eval $(call BuildPackage,ipsec-tools))
+++ /dev/null
-#!/bin/sh
-#
-# Copyright (C) 2015 Vitaly Protsko <villy@sft.ru>
-
-errno=0
-
-get_fieldval() {
- local __data="$3"
- local __rest
-
- test -z "$1" && return
-
- while true ; do
- __rest=${__data#* }
- test "$__rest" = "$__data" && break
-
- if [ "${__data/ *}" = "$2" ]; then
- eval "$1=${__rest/ *}"
- break
- fi
-
- __data="$__rest"
- done
-}
-
-manage_fw() {
- local cmd=/usr/sbin/iptables
- local mode
- local item
-
- if [ -z "$4" ]; then
- $log "Bad usage of manage_fw"
- errno=3; return 3
- fi
-
- case "$1" in
- add|up|1) mode=A ;;
- del|down|0) mode=D ;;
- *) return 3 ;;
- esac
-
- for item in $4 ; do
- $cmd -$mode forwarding_$2_rule -s $item -j ACCEPT
- $cmd -$mode output_$3_rule -d $item -j ACCEPT
- $cmd -$mode forwarding_$3_rule -d $item -j ACCEPT
- $cmd -t nat -$mode postrouting_$3_rule -d $item -j ACCEPT
- done
-}
-
-manage_sa() {
- local spdcmd
- local rtcmd
- local gate
- local litem
- local ritem
-
- if [ -z "$4" ]; then
- $log "Bad usage of manage_sa"
- errno=3; return 3
- fi
-
- case "$1" in
- add|up|1) spdcmd=add; rtcmd=add ;;
- del|down|0) spdcmd=delete; rtcmd=del ;;
- *) errno=3; return 3 ;;
- esac
-
- get_fieldval gate src "$(/usr/sbin/ip route get $4)"
- if [ -z "$gate" ]; then
- $log "Can not find outbound IP for $4"
- errno=3; return 3
- fi
-
-
- for litem in $2 ; do
- for ritem in $3 ; do
- echo "
-spd$spdcmd $litem $ritem any -P out ipsec esp/tunnel/$gate-$4/require;
-spd$spdcmd $ritem $litem any -P in ipsec esp/tunnel/$4-$gate/require;
-" | /usr/sbin/setkey -c 1>&2
- done
- done
-
- test -n "$5" && gate=$5
-
- for ritem in $3 ; do
- (sleep 3; /usr/sbin/ip route $rtcmd $ritem via $gate) &
- done
-}
-
-manage_nonesa() {
- local spdcmd
- local item
- local cout cin
-
- if [ -z "$4" ]; then
- $log "Bad usage of manage_nonesa"
- errno=3; return 3
- fi
-
- case "$1" in
- add|up|1) spdcmd=add ;;
- del|down|0) spdcmd=delete ;;
- *) errno=3; return 3 ;;
- esac
-
- case "$2" in
- local|remote) ;;
- *) errno=3; return 3 ;;
- esac
-
- for item in $3 ; do
- if [ "$2" = "local" ]; then
- cout="$4 $item"
- cin="$item $4"
- else
- cout="$item $4"
- cin="$4 $item"
- fi
- echo "
-spd$spdcmd $cout any -P out none;
-spd$spdcmd $cin any -P in none;
-" | /usr/sbin/setkey -c 1>&2
- done
-}
-
-. /lib/functions/network.sh
-
-get_zoneiflist() {
- local item
- local data
- local addr
-
- item=0
- data=$(uci get firewall.@zone[0].name)
- while [ -n "$data" ]; do
- test "$data" = "$1" && break
- let "item=$item+1"
- data=$(uci get firewall.@zone[$item].name)
- done
-
- if [ -z "$data" ]; then
- errno=1
- return $errno
- fi
- data=$(uci get firewall.@zone[$item].network)
-
- echo "$data"
-}
-
-get_zoneiplist() {
- local item
- local addr
- local data
- local result
-
- data=$(get_zoneiflist $1)
- test $? -gt 0 -o $errno -gt 0 -o -z "$data" && return $errno
-
- for item in $data ; do
- if network_is_up $item ; then
- network_get_ipaddrs addr $item
- test $? -eq 0 && result="$result $addr"
- fi
- done
-
- result=$(echo $result)
- echo "$result"
-}
-
-
-# EOF /etc/racoon/functions.sh
+++ /dev/null
-#!/bin/sh
-#
-
-log="logger -t p1client-down[$$]"
-
-. /lib/functions.sh
-. /etc/racoon/functions.sh
-
-if [ -z "$SPLIT_INCLUDE_CIDR" ]; then
- $log "Connection without server-pushed routing is not supported"
- exit 1
-fi
-
-$log "Shutting down tunnel to server $REMOTE_ADDR"
-$log "Closing tunnel(-s) to $SPLIT_INCLUDE_CIDR through $INTERNAL_ADDR4"
-
-config_load racoon
-config_get confIntZone racoon int_zone lan
-config_get confExtZone racoon ext_zone wan
-
-manage_fw del $confIntZone $confExtZone "$INTERNAL_ADDR4 $SPLIT_INCLUDE_CIDR"
-
-data=$(get_zoneiflist $confIntZone)
-if [ -n "$data" ]; then
- for item in $data ; do
- network_get_subnet locnet $item
- if [ -n "$locnet" ]; then
- manage_sa del "$locnet" "$SPLIT_INCLUDE_CIDR" $REMOTE_ADDR $INTERNAL_ADDR4
- else
- $log "Can not find subnet on interface $item"
- fi
- done
-else
- $log "Can not find subnets in zone $confIntZone"
-fi
-
-get_fieldval data dev "$(/usr/sbin/ip route get $REMOTE_ADDR)"
-ip address del $INTERNAL_ADDR4/32 dev $data
-
-
-# EOF /etc/racoon/p1client-down
+++ /dev/null
-#!/bin/sh
-#
-
-log="logger -t p1client-up[$$]"
-
-. /lib/functions.sh
-. /etc/racoon/functions.sh
-
-if [ -z "$SPLIT_INCLUDE_CIDR" ]; then
- $log "Connection without server-pushed routing is not supported"
- exit 1
-fi
-
-$log "Setting up tunnel to server $REMOTE_ADDR"
-$log "Making tunnel(-s) to $SPLIT_INCLUDE_CIDR through $INTERNAL_ADDR4"
-
-get_fieldval data dev "$(/usr/sbin/ip route get $REMOTE_ADDR)"
-ip address add $INTERNAL_ADDR4/32 dev $data
-
-config_load racoon
-config_get confIntZone racoon int_zone lan
-config_get confExtZone racoon ext_zone wan
-
-data=$(get_zoneiflist $confIntZone)
-if [ -n "$data" ]; then
- for item in $data ; do
- network_get_subnet locnet $item
- if [ -n "$locnet" ]; then
- manage_sa add "$locnet" "$SPLIT_INCLUDE_CIDR" $REMOTE_ADDR $INTERNAL_ADDR4
- else
- $log "Can not find subnet on interface $item"
- fi
- done
-else
- $log "Can not find interfaces in zone $confIntZone"
-fi
-
-manage_fw add $confIntZone $confExtZone "$INTERNAL_ADDR4 $SPLIT_INCLUDE_CIDR"
-
-
-# EOF /etc/racoon/p1client-up
+++ /dev/null
-#/etc/config/racoon
-#
-# Copyright 2015 Vitaly Protsko <villy@sft.ru>
-
-# * WARNING: this is "not working" example
-# * Defaults are commented out
-# * Resuting config will appear in /var/racoon/
-
-config racoon
-# option debug 0
-# option ext_zone 'wan'
-# option int_zone 'lan'
-# option port 500
-# option natt_port 4500
-# following 4 or 6, no default
-# option ipversion 4
-
-config p1_proposal 'example_prop1'
-# option lifetime 28800
- option enc_alg 'aes'
- option hash_alg 'sha1'
- option auth_method 'rsasig'
- option dh_group 2
-
-config p1_proposal 'example_anon'
-# option lifetime 28800
- option enc_alg 'aes'
- option hash_alg 'sha1'
- option auth_method 'xauth_rsa_server'
- option dh_group 2
-
-config p1_proposal 'example_xauth'
-# option lifetime 28800
- option enc_alg 'aes'
- option hash_alg 'sha1'
- option auth_method 'xauth_rsa_client'
- option dh_group 2
-
-config p2_proposal 'example_prop2'
- option pfs_group 2
- option enc_alg 'aes'
- option auth_alg 'hmac_sha1'
-
-config p2_proposal 'example_in2'
- option pfs_group 2
-# option lifetime 14400
- option enc_alg 'aes'
- option auth_alg 'hmac_sha1'
-
-config sainfo 'office'
- option p2_proposal 'example_prop2'
- option local_net '192.168.8.0/24'
- option remote_net '192.168.1.0/24'
-# you can exclude some local or remote
-# addresses from SA rules
- list local_exclude '192.168.8.0/30'
- list remote_exclude '192.168.1.128/29'
-
-config sainfo 'welcome'
- option p2_proposal 'example_in2'
- option local_net '192.168.8.0/24'
- option remote_net '192.168.10.0/24'
- option dns4 '192.168.8.1'
- option defdomain 'myhome.local'
-
-config sainfo 'client'
- option p2_proposal 'std_p2'
-
-config tunnel 'Office'
- option enabled 1
-# initial_contact
-# option init 1
- option remote 'vpn.example.tld'
- option exchange_mode 'main'
- option certificate 'example_cert'
-# option peer_id_type 'asn1dn'
-# option prop_check 'obey'
-# option verify_id 1
-# option weak_p1check 1
-# option dpd_delay ''
- list p1_proposal 'example_prop1'
- list sainfo 'office'
-
-# WARNING: Only ONE tunnel with remote anonymous
-# can be configured and it can have only
-# ONE sainfo. Otherwise resulting racoon
-# configuration will be unusable
-config tunnel 'Incoming'
- option enabled 1
- option remote 'anonymous'
- option pre_shared_key 'testitnow'
- option exchange_mode 'aggressive,main'
- option my_id_type 'fqdn'
- option my_id 'myserver.homeip.net'
- list p1_proposal 'example_anon'
- list sainfo 'welcome'
-
-config tunnel 'Client'
- option enabled 1
- option remote 'vpn.example.tld'
- option username 'testuser'
- option password 'testW0rD'
-# option mode_cfg 1
- list p1_proposal 'example_xauth'
- list sainfo 'client'
-
-# Insert corresponding data in PEM format as one line
-config 'certificate' 'example_cert'
- option 'key' '-----BEGIN PRIVATE KEY----- ~ -----END PRIVATE KEY-----'
- option 'crt' '-----BEGIN CERTIFICATE----- ~ -----END CERTIFICATE-----'
-
-config 'certificate' 'example_ca_cert'
- option 'crt' '-----BEGIN CERTIFICATE----- ~ -----END CERTIFICATE-----'
+++ /dev/null
-#!/bin/sh /etc/rc.common
-#
-# Copyright (C) 2015 Vitaly Protsko <villy@sft.ru>
-
-#set -vx
-
-USE_PROCD=1
-
-START=60
-STOP=40
-
-let connWait=2/2
-confDir=/var/racoon
-confExtZone=
-confIntZone=
-confPort=
-confNATPort=
-confIPMode=
-
-confPh1ID=0
-
-log="logger -t init.d/racoon[$$] "
-
-. /etc/racoon/functions.sh
-
-setup_load() {
- config_get confExtZone "$1" ext_zone wan
- config_get confIntZone "$1" int_zone lan
- config_get confPort "$1" port 500
- config_get confNATPort "$1" natt_port 4500
- config_get confIPMode "$1" ipversion ""
-
- case X$confIPMode in
- X4|X6) ;;
- *) unset confIPMode ;;
- esac
-}
-
-write_header() {
- echo "
-# autogenerated, don't edit, look at /etc/config/racoon
-#
-path certificate \"$confDir/cert\";
-path script \"/etc/racoon\";
-path pre_shared_key \"$confDir/psk.txt\";
-path pidfile \"$confDir/racoon.pid\";
-padding { maximum_length 20; randomize off; strict_check off; exclusive_tail off; }
-timer { counter 5; interval 20 sec; persend 1; phase1 30 sec; phase2 15 sec; }
-"
-}
-
-setup_conf() {
- local conf=$confDir/racoon.conf
- local peerconf=$confDir/peers.txt
- local pskconf=$confDir/psk.txt
- local item
- local data
-
- data="$(get_zoneiplist $confExtZone)"
- if [ "X$data" = X ]; then
- $log "No IP addresses found for zone $confExtZone, exitng"
- errno=2; return 2
- fi
-
- write_header > $conf
- echo -n > $peerconf
- echo -n > $pskconf
- chmod 0600 $conf $peerconf $pskconf
-
- echo "listen {" >> $conf
- for item in $data ; do
- echo " isakmp $item [$confPort]; isakmp_natt $item [$confNATPort];" >> $conf
- done
- echo "}" >> $conf
-
- config_get_bool item "$1" debug 0
- data=warning
- test $item -ne 0 && data=debug
- echo "log $data;" >> $conf
-
- setup_fw add
-}
-
-setup_p1() {
- local conf=$confDir/racoon.conf
- local data
-
- echo " proposal {" >> $conf
- config_get data "$1" lifetime 28800
- echo " lifetime time $data sec;" >> $conf
-
- config_get data "$1" enc_alg
- test -n "$data" && echo " encryption_algorithm $data;" >> $conf
-
- config_get data "$1" hash_alg
- test -n "$data" && echo " hash_algorithm $data;" >> $conf
-
- config_get data "$1" auth_method
- test -n "$data" && echo " authentication_method $data;" >> $conf
-
- config_get data "$1" dh_group 2
- echo -e " dh_group $data;\n }" >> $conf
-}
-
-setup_fw() {
- local cmd=/usr/sbin/iptables
- local mode
-
- case "$1" in
- add|up|1) mode=A ;;
- del|down|0) mode=D ;;
- *) return 3 ;;
- esac
-
- $cmd -$mode input_${confExtZone}_rule -p AH -j ACCEPT
- $cmd -$mode input_${confExtZone}_rule -p ESP -j ACCEPT
- $cmd -$mode input_${confExtZone}_rule -p UDP --dport $confPort -j ACCEPT
- $cmd -$mode input_${confExtZone}_rule -p UDP --dport $confNATPort -j ACCEPT
-}
-
-setup_sa() {
- local conf=$confDir/racoon.conf
- local remote="${2/ *}"
- local client="${2#* }"
- local locnet
- local remnet
- local p2
- local data
-
- test "$2" = "$client" && unset client
-
- if [ -z "$client" ]; then
- config_get locnet "$1" local_net
- config_get remnet "$1" remote_net
- if [ -z "$locnet" ] || [ -z "$remnet" ]; then
- $log "Remote and local networks for $1 must be configured ($2)"
- errno=4; return 4
- fi
-
- if [ "$remote" = "anonymous" ]; then
- echo "sainfo anonymous {" >> $conf
- else
- echo "sainfo address $locnet any address $remnet any {" >> $conf
- fi
- else
- echo "sainfo anonymous {" >> $conf
- fi
-
- config_get p2 "$1" p2_proposal
- if [ -z "$p2" ]; then
- $log "Phase2 proposal must be configured in $1 sainfo"
- errno=5; return 5
- fi
-
- echo " remoteid $confPh1ID;" >> $conf
-
- config_get data "$p2" pfs_group
- test -n "$data" && echo " pfs_group $data;" >> $conf
- config_get data "$p2" lifetime 14400
- test -n "$data" && echo " lifetime time $data sec;" >> $conf
- config_get data "$p2" enc_alg
- test -n "$data" && echo " encryption_algorithm $data;" >> $conf
- config_get data "$p2" auth_alg
- test -n "$data" && echo " authentication_algorithm $data;" >> $conf
-
- echo -e " compression_algorithm deflate;\n}" >> $conf
-
- if [ "$remote" = "anonymous" ]; then
- echo -e "mode_cfg {\n auth_source system;\n conf_source local;" >> $conf
-
- config_get data "$1" dns4
- test -n "$data" && echo " dns4 $data;" >> $conf
- config_get data "$1" defdomain
- test -n "$data" && echo " default_domain \"$data\";" >> $conf
-
- data=${remnet%/*}
- let "data=${data##*.}+1"
- echo " network4 ${remnet%.*}.$data;" >> $conf
-
- let "data=255<<(24-${remnet#*/}+8)&255"
- echo " netmask4 255.255.255.$data;" >> $conf
-
- echo -e " split_network include $locnet;\n}" >> $conf
-
- elif [ -z "$client" ]; then
- config_list_foreach "$1" remote_exclude manage_nonesa add remote "$locnet"
- config_list_foreach "$1" local_exclude manage_nonesa add local "$remnet"
- manage_sa add "$locnet" "$remnet" $remote
- test $? -gt 0 -o $errno -gt 0 && return $errno
-
- manage_fw add $confIntZone $confExtZone "$remnet"
- fi
-}
-
-setup_tunnel() {
- local conf=$confDir/racoon.conf
- local peerconf=$confDir/peers.txt
- local data
- local remote
- local xauth
-
- config_get_bool data "$1" enabled 0
- test "$data" = "0" && return 0
-
- config_get remote "$1" remote
- if [ "$remote" = "anonymous" ]; then
- echo -e "remote anonymous {\n generate_policy on;" >> $conf
- else
- data=$(nslookup "$remote" | awk 'NR == 5 {print $3}')
- test -n "$data" && remote="$data"
- echo -e "remote \"$1\" {\n remote_address $remote;" >> $conf
- echo "$data" >> $peerconf
- fi
-
- config_get data "$1" pre_shared_key ""
- if [ -n "$data" ]; then
- if [ "$remote" != "anonymous" ]; then
- echo "$remote $data" >> $confDir/psk.txt
- else
- echo "* $data" >> $confDir/psk.txt
- fi
- fi
-
- let confPh1ID=$confPh1ID+1
- echo " ph1id $confPh1ID;" >> $conf
-
- config_get xauth "$1" username ""
-
- config_get data "$1" certificate ""
- if [ -n "$data" ]; then
- echo -en " verify_cert on;\n my_identifier asn1dn;\n certificate_type x509 " >> $conf
- echo -en "\"$data.crt\" \"$data.key\";\n send_cr off;\n peers_identifier " >> $conf
- else
- config_get data "$1" my_id_type ""
- if [ -n "$data" ]; then
- echo -n " my_identifier $data" >> $conf
- config_get data "$1" my_id ""
- if [ -n "$data" ]; then
- echo " \"$data\";" >> $conf
- elif [ -n "$xauth" ]; then
- echo " \"$xauth\";" >> $conf
- else
- echo ";" >> $conf
- fi
- elif [ -n "$xauth" ]; then
- echo " my_identifier user_fqdn \"$xauth\";" >> $conf
- fi
- echo -n " peers_identifier " >> $conf
- fi
-
- if [ "$remote" = "anonymous" ]; then
- echo "user_fqdn;" >> $conf
- else
- config_get data "$1" peer_id_type "asn1dn"
- echo -n "$data" >> $conf
-
- config_get data "$1" peer_id ""
- test -n "$data" && echo -n " \"$data\"" >> $conf
-
- echo ";" >> $conf
- fi
-
- if [ -n "$xauth" ]; then
- config_get data "$1" password
- if [ -z "$data" ]; then
- $log "Password must be given in $1 tunnel"
- errno=7; return 7
- fi
- echo "$xauth $data" >> $confDir/psk.txt
-
- echo " xauth_login \"$xauth\";" >> $conf
- echo -e " script \"p1client-up\" phase1_up;\n script \"p1client-down\" phase1_down;" >> $conf
- fi
-
- config_get data "$1" exchange_mode
- if [ -z "$data" ]; then
- data=main
- test -n "$xauth" && data="${data},aggressive"
- fi
- echo -e " exchange_mode $data;\n nat_traversal on;\n support_proxy on;" >> $conf
-
- config_get data "$1" prop_check "obey"
- test -n "$data" && echo " proposal_check $data;" >> $conf
-
- config_get_bool data "$1" weak_p1check 1
- if [ $data -eq 0 ]; then data=off; else data=on; fi
- echo " weak_phase1_check $data;" >> $conf
-
- config_get_bool data "$1" verify_id 1
- if [ $data -eq 0 ]; then data=off; else data=on; fi
- echo " verify_identifier $data;" >> $conf
-
- config_get data "$1" dpd_delay ""
- test -n "$data" && echo " dpd_delay $data;" >> $conf
-
- unset data
- test -n "$xauth" && data="on"
- config_get data "$1" mode_cfg "$data"
- test -n "$data" && echo " mode_cfg $data;" >> $conf
-
- config_get_bool data "$1" init 0
- if [ $data -eq 0 ]; then data=off; else data=on; fi
- echo " initial_contact $data;" >> $conf
-
-
- config_list_foreach "$1" p1_proposal setup_p1
- echo "}" >> $conf
-
- config_list_foreach "$1" sainfo setup_sa "$remote $xauth"
-}
-
-setup_cert() {
- local item
- local data
-
- for item in key crt ; do
- config_get data "$1" $item ""
- test -z "$data" && continue
-
- echo "$data" |\
- sed 's/-\+[A-Z ]\+-\+/\n&\n/g' | sed 's/.\{50,50\}/&\n/g' | sed '/^$/d'\
- > $confDir/cert/$1.$item
-
- chmod 600 $confDir/cert/$1.$item
- done
-
- if [ -s $confDir/cert/$1.crt ]; then
- data=$(openssl x509 -noout -hash -in $confDir/cert/$1.crt)
- ln -sf $confDir/cert/$1.crt $confDir/cert/$data.0
- fi
-}
-
-destroy_sa() {
- local locnet
- local remnet
-
- config_get locnet "$1" local_net
- config_get remnet "$1" remote_net
- if [ -z "$locnet" ] || [ -z "$remnet" ]; then
- $log "Remote and local networks for $1 must be configured"
- errno=4; return 4
- fi
-
- config_list_foreach "$1" remote_exclude manage_nonesa del remote "$locnet"
- config_list_foreach "$1" local_exclude manage_nonesa del local "$remnet"
- manage_sa del "$locnet" "$remnet" $2
- manage_fw del $confIntZone $confExtZone "$remnet"
-}
-
-destroy_tunnel() {
- local data
-
- config_get_bool data "$1" enabled 0
- test "$data" = "0" && return 0
-
- config_get remote "$1" remote
- data=$(nslookup "$remote" | awk 'NR == 5 {print $3}')
- test -n "$data" && remote="$data"
-
- config_get data "$1" username ""
- if [ -z "$data" ]; then
- config_list_foreach "$1" sainfo destroy_sa $remote
- fi
-}
-
-destroy_conf() {
- setup_fw del
-}
-
-check_software() {
- local item
-
- for item in /usr/sbin/setkey /usr/bin/openssl /usr/sbin/ip ; do
- if [ ! -x $item ]; then
- $log "Needed program $item not found, exiting"
- errno=9; return 9
- fi
- done
-}
-
-cleanup_conf() {
- config_load racoon
- config_foreach setup_load racoon
- config_foreach destroy_conf racoon
- config_foreach destroy_tunnel tunnel
-
- /usr/sbin/setkey -P -F
- /usr/sbin/setkey -F
-}
-
-check_dir() {
- local item
-
- for item in $confDir $confDir/cert ; do
- if [ ! -d $item ]; then
- mkdir -m 0700 -p $item
- fi
- done
-}
-
-wait4wanzone() {
- local item=$connWait
- local data
-
- data="$(get_zoneiplist $confExtZone)"
- while [ $item -gt 0 ]; do
- test -n "$data" && break
- sleep 2
- let "item=$item-1"
- data="$(get_zoneiplist $confExtZone)"
- done
-
- test -z "$data" && return 10
-}
-
-start_service() {
- check_software
- test $? -gt 0 -o $errno -gt 0 && exit $errno
-
- check_dir
-
- config_load racoon
- config_foreach setup_load racoon
-
- config_foreach wait4wanzone racoon
- if [ $? -gt 0 ] || [ $errno -gt 0 ]; then
- $log "No active interfaces in $confExtZone zone found, exiting"
- exit $errno
- fi
-
- config_foreach setup_conf racoon
- test $? -gt 0 -o $errno -gt 0 && exit $errno
-
- config_foreach setup_tunnel tunnel
- test $? -gt 0 -o $errno -gt 0 && exit $errno
-
- config_foreach setup_cert certificate
-
- procd_open_instance
- procd_set_param command /usr/sbin/racoon
- test -n "$confIPMode" && procd_append_param command -$confIPMode
- procd_append_param command -F -f $confDir/racoon.conf
- procd_set_param file $confDir/racoon.conf
- procd_close_instance
-
- if [ -x /etc/racoon/vpnctl ]; then
- let connWait=$connWait*2+2
- ( sleep $connWait; /etc/racoon/vpnctl up ) &
- fi
-}
-
-service_triggers() {
- local item
- local data
-
- procd_add_reload_trigger "racoon" "network"
-
- config_load racoon
- config_foreach setup_load racoon
-
- data=$(get_zoneiflist $confExtZone)
- if [ $? -gt 0 ] || [ $errno -gt 0 ] || [ -z "$data" ]; then
- $log "Can not find interfaces for $confExtZone zone"
- else
- for item in $data ; do
- procd_add_reload_interface_trigger $item
- done
- fi
-}
-
-stop_service() {
- cleanup_conf
- procd_kill racoon
-}
-
-trap "cleanup_conf" 1 2 3 4 5 6 7 8 9 10
-
-
-# EOF /etc/init.d/racoon
+++ /dev/null
-#!/bin/sh
-#
-
-case X$1 in
- Xup|X1|Xstart) connMode=vpn-connect ;;
- Xdown|X0|Xstop) connMode=vpn-disconnect ;;
- *)
- echo "Usage: $0: up|1|start || down|0|stop"
- exit 1 ;;
-esac
-
-if [ -s /var/racoon/peers.txt ]; then
- (while read ipa ; do
- racoonctl $connMode $ipa
- done) < /var/racoon/peers.txt
-fi
-
-
-# EOF /usr/bin/vpnctl
+++ /dev/null
---- a/src/racoon/oakley.c
-+++ b/src/racoon/oakley.c
-@@ -2424,8 +2424,21 @@ oakley_skeyid(iph1)
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "couldn't find the pskey for %s.\n",
- saddrwop2str(iph1->remote));
-+ }
-+ }
-+ if (iph1->authstr == NULL) {
-+ /*
-+ * If we could not locate a psk above try and locate
-+ * the default psk, ie, "*".
-+ */
-+ iph1->authstr = privsep_getpsk("*", 1);
-+ if (iph1->authstr == NULL) {
-+ plog(LLV_ERROR, LOCATION, iph1->remote,
-+ "couldn't find the the default pskey either.\n");
- goto end;
- }
-+ plog(LLV_NOTIFY, LOCATION, iph1->remote,
-+ "Using default PSK.\n");
- }
- plog(LLV_DEBUG, LOCATION, NULL, "the psk found.\n");
- /* should be secret PSK */
+++ /dev/null
---- a/src/racoon/cftoken.l
-+++ b/src/racoon/cftoken.l
-@@ -104,6 +104,8 @@ static struct include_stack {
- static int incstackp = 0;
-
- static int yy_first_time = 1;
-+
-+int yywrap(void) { return 1; }
- %}
-
- /* common seciton */
---- a/src/setkey/token.l
-+++ b/src/setkey/token.l
-@@ -86,6 +86,8 @@
- #if defined(SADB_X_EALG_AES) && ! defined(SADB_X_EALG_AESCBC)
- #define SADB_X_EALG_AESCBC SADB_X_EALG_AES
- #endif
-+
-+int yywrap(void) { return 1; }
- %}
-
- /* common section */
+++ /dev/null
---- a/src/racoon/isakmp_cfg.c
-+++ b/src/racoon/isakmp_cfg.c
-@@ -38,7 +38,7 @@
- #include <sys/socket.h>
- #include <sys/queue.h>
-
--#include <utmpx.h>
-+#include <utmp.h>
- #if defined(__APPLE__) && defined(__MACH__)
- #include <util.h>
- #endif
-@@ -1664,7 +1664,8 @@ isakmp_cfg_accounting_system(port, raddr
- int inout;
- {
- int error = 0;
-- struct utmpx ut;
-+ struct utmp ut;
-+ char term[UT_LINESIZE];
- char addr[NI_MAXHOST];
-
- if (usr == NULL || usr[0]=='\0') {
-@@ -1673,34 +1674,37 @@ isakmp_cfg_accounting_system(port, raddr
- return -1;
- }
-
-- memset(&ut, 0, sizeof ut);
-- gettimeofday((struct timeval *)&ut.ut_tv, NULL);
-- snprintf(ut.ut_id, sizeof ut.ut_id, TERMSPEC, port);
-+ sprintf(term, TERMSPEC, port);
-
- switch (inout) {
- case ISAKMP_CFG_LOGIN:
-- ut.ut_type = USER_PROCESS;
-- strncpy(ut.ut_user, usr, sizeof ut.ut_user);
-+ strncpy(ut.ut_name, usr, UT_NAMESIZE);
-+ ut.ut_name[UT_NAMESIZE - 1] = '\0';
-+
-+ strncpy(ut.ut_line, term, UT_LINESIZE);
-+ ut.ut_line[UT_LINESIZE - 1] = '\0';
-
- GETNAMEINFO_NULL(raddr, addr);
-- strncpy(ut.ut_host, addr, sizeof ut.ut_host);
-+ strncpy(ut.ut_host, addr, UT_HOSTSIZE);
-+ ut.ut_host[UT_HOSTSIZE - 1] = '\0';
-+
-+ ut.ut_time = time(NULL);
-
- plog(LLV_INFO, LOCATION, NULL,
- "Accounting : '%s' logging on '%s' from %s.\n",
-- ut.ut_user, ut.ut_id, addr);
--
-- pututxline(&ut);
-+ ut.ut_name, ut.ut_line, ut.ut_host);
-
-+ login(&ut);
-+
- break;
- case ISAKMP_CFG_LOGOUT:
-- ut.ut_type = DEAD_PROCESS;
-
- plog(LLV_INFO, LOCATION, NULL,
- "Accounting : '%s' unlogging from '%s'.\n",
-- usr, ut.ut_id);
--
-- pututxline(&ut);
-+ usr, term);
-
-+ logout(term);
-+
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n");
+++ /dev/null
---- a/src/racoon/ipsec_doi.c
-+++ b/src/racoon/ipsec_doi.c
-@@ -3581,8 +3581,8 @@ ipsecdoi_checkid1(iph1)
- iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_PSKEY) {
- if (id_b->type != IPSECDOI_ID_IPV4_ADDR
- && id_b->type != IPSECDOI_ID_IPV6_ADDR) {
-- plog(LLV_ERROR, LOCATION, NULL,
-- "Expecting IP address type in main mode, "
-+ plog(LLV_WARNING, LOCATION, NULL,
-+ "Expecting IP address type in main mode (RFC2409) , "
- "but %s.\n", s_ipsecdoi_ident(id_b->type));
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
- }
+++ /dev/null
---- a/src/racoon/isakmp.c
-+++ b/src/racoon/isakmp.c
-@@ -31,6 +31,8 @@
- * SUCH DAMAGE.
- */
-
-+#define __packed __attribute__((__packed__))
-+
- #include "config.h"
-
- #include <sys/types.h>
+++ /dev/null
---- a/configure.ac
-+++ b/configure.ac
-@@ -74,9 +74,10 @@ case "$host_os" in
- [ KERNEL_INCLUDE="/lib/modules/`uname -r`/build/include" ])
-
- AC_CHECK_HEADER($KERNEL_INCLUDE/linux/pfkeyv2.h, ,
-- [ AC_CHECK_HEADER(/usr/src/linux/include/linux/pfkeyv2.h,
-- KERNEL_INCLUDE=/usr/src/linux/include ,
-- [ AC_MSG_ERROR([Unable to find linux-2.6 kernel headers. Aborting.]) ] ) ] )
-+ [ AC_CHECK_HEADER($KERNEL_INCLUDE/uapi/linux/pfkeyv2.h, ,
-+ [ AC_CHECK_HEADER(/usr/src/linux/include/linux/pfkeyv2.h,
-+ KERNEL_INCLUDE=/usr/src/linux/include ,
-+ [ AC_MSG_ERROR([Unable to find linux-2.6 kernel headers. Aborting.]) ] ) ] ) ] )
- AC_SUBST(KERNEL_INCLUDE)
- # We need the configure script to run with correct kernel headers.
- # However we don't want to point to kernel source tree in compile time,
-@@ -643,7 +644,14 @@ AC_EGREP_CPP(yes,
- #ifdef SADB_X_EXT_NAT_T_TYPE
- yes
- #endif
--], [kernel_natt="yes"])
-+], [kernel_natt="yes"], [
-+ AC_EGREP_CPP(yes,
-+ [#include <uapi/linux/pfkeyv2.h>
-+ #ifdef SADB_X_EXT_NAT_T_TYPE
-+ yes
-+ #endif
-+ ], [kernel_natt="yes"])
-+])
- ;;
- freebsd*|netbsd*)
- # NetBSD case
---- a/src/include-glibc/Makefile.am
-+++ b/src/include-glibc/Makefile.am
-@@ -1,14 +1,7 @@
--
--.includes: ${top_builddir}/config.status
-- ln -snf $(KERNEL_INCLUDE)/linux
-- touch .includes
--
--all: .includes
--
- EXTRA_DIST = \
- glibc-bugs.h \
- net/pfkeyv2.h \
- netinet/ipsec.h \
- sys/queue.h
-
--DISTCLEANFILES = .includes linux
-+DISTCLEANFILES = linux
+++ /dev/null
---- a/configure.ac
-+++ b/configure.ac
-@@ -732,7 +732,8 @@ case $host in
- ],
- [AC_MSG_RESULT(yes)
- AC_DEFINE([HAVE_POLICY_FWD], [], [Have forward policy])],
-- [AC_MSG_RESULT(no)])
-+ [AC_MSG_RESULT(forced)
-+ AC_DEFINE([HAVE_POLICY_FWD], [], [Have forward policy])])
- ;;
- *)
- AC_MSG_RESULT(no)
+++ /dev/null
-Fix null dereference in racoon/gssapi.c (CVE-2015-4047)
-
---- a/src/racoon/gssapi.c
-+++ b/src/racoon/gssapi.c
-@@ -192,6 +192,11 @@ gssapi_init(struct ph1handle *iph1)
- gss_name_t princ, canon_princ;
- OM_uint32 maj_stat, min_stat;
-
-+ if (iph1->rmconf == NULL) {
-+ plog(LLV_ERROR, LOCATION, NULL, "no remote config\n");
-+ return -1;
-+ }
-+
- gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
- if (gps == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n");
+++ /dev/null
---- a/src/racoon/grabmyaddr.c
-+++ b/src/racoon/grabmyaddr.c
-@@ -47,7 +47,6 @@
- #include <net/route.h>
- #include <net/if.h>
- #include <net/if_dl.h>
--#include <sys/sysctl.h>
- #define USE_ROUTE
- #endif
-
---- a/src/racoon/pfkey.c
-+++ b/src/racoon/pfkey.c
-@@ -59,7 +59,6 @@
- #include <sys/param.h>
- #include <sys/socket.h>
- #include <sys/queue.h>
--#include <sys/sysctl.h>
-
- #include <net/route.h>
- #include <net/pfkeyv2.h>
---- a/src/setkey/setkey.c
-+++ b/src/setkey/setkey.c
-@@ -40,7 +40,6 @@
- #include <sys/socket.h>
- #include <sys/time.h>
- #include <sys/stat.h>
--#include <sys/sysctl.h>
- #include <err.h>
- #include <netinet/in.h>
- #include <net/pfkeyv2.h>
---- a/src/libipsec/ipsec_strerror.h
-+++ b/src/libipsec/ipsec_strerror.h
-@@ -34,6 +34,8 @@
- #ifndef _IPSEC_STRERROR_H
- #define _IPSEC_STRERROR_H
-
-+#include <sys/cdefs.h>
-+
- extern int __ipsec_errcode;
- extern void __ipsec_set_strerror __P((const char *));
-
---- a/src/libipsec/libpfkey.h
-+++ b/src/libipsec/libpfkey.h
-@@ -34,6 +34,8 @@
- #ifndef _LIBPFKEY_H
- #define _LIBPFKEY_H
-
-+#include <sys/cdefs.h>
-+
- #ifndef KAME_LIBPFKEY_H
- #define KAME_LIBPFKEY_H
-
---- a/src/racoon/backupsa.c
-+++ b/src/racoon/backupsa.c
-@@ -276,9 +276,9 @@ do { \
- GETNEXTNUM(sa_args.a_keylen, strtoul);
- GETNEXTNUM(sa_args.flags, strtoul);
- GETNEXTNUM(sa_args.l_alloc, strtoul);
-- GETNEXTNUM(sa_args.l_bytes, strtouq);
-- GETNEXTNUM(sa_args.l_addtime, strtouq);
-- GETNEXTNUM(sa_args.l_usetime, strtouq);
-+ GETNEXTNUM(sa_args.l_bytes, strtoull);
-+ GETNEXTNUM(sa_args.l_addtime, strtoull);
-+ GETNEXTNUM(sa_args.l_usetime, strtoull);
- GETNEXTNUM(sa_args.seq, strtoul);
-
- #undef GETNEXTNUM
---- a/src/racoon/cftoken.l
-+++ b/src/racoon/cftoken.l
-@@ -77,6 +77,10 @@
-
- #include "cfparse.h"
-
-+#ifndef GLOB_TILDE
-+#define GLOB_TILDE 0
-+#endif
-+
- int yyerrorcount = 0;
-
- #if defined(YIPS_DEBUG)
---- a/src/racoon/logger.h
-+++ b/src/racoon/logger.h
-@@ -34,6 +34,8 @@
- #ifndef _LOGGER_H
- #define _LOGGER_H
-
-+#include <sys/cdefs.h>
-+
- struct log {
- int head;
- int siz;
---- a/src/racoon/misc.h
-+++ b/src/racoon/misc.h
-@@ -34,6 +34,8 @@
- #ifndef _MISC_H
- #define _MISC_H
-
-+#include <sys/cdefs.h>
-+
- #define BIT2STR(b) bit2str(b, sizeof(b)<<3)
-
- #ifdef HAVE_FUNC_MACRO
---- a/src/racoon/missing/crypto/sha2/sha2.h
-+++ b/src/racoon/missing/crypto/sha2/sha2.h
-@@ -40,6 +40,8 @@
- #ifndef __SHA2_H__
- #define __SHA2_H__
-
-+#include <sys/cdefs.h>
-+
- #ifdef __cplusplus
- extern "C" {
- #endif
---- a/src/racoon/netdb_dnssec.h
-+++ b/src/racoon/netdb_dnssec.h
-@@ -34,6 +34,8 @@
- #ifndef _NETDB_DNSSEC_H
- #define _NETDB_DNSSEC_H
-
-+#include <sys/cdefs.h>
-+
- #ifndef T_CERT
- #define T_CERT 37 /* defined by RFC2538 section 2 */
- #endif
---- a/src/racoon/plog.h
-+++ b/src/racoon/plog.h
-@@ -34,6 +34,8 @@
- #ifndef _PLOG_H
- #define _PLOG_H
-
-+#include <sys/cdefs.h>
-+
- #ifdef HAVE_STDARG_H
- #include <stdarg.h>
- #else
---- a/src/racoon/str2val.h
-+++ b/src/racoon/str2val.h
-@@ -34,6 +34,8 @@
- #ifndef _STR2VAL_H
- #define _STR2VAL_H
-
-+#include <sys/cdefs.h>
-+
- extern caddr_t val2str __P((const char *, size_t));
- extern char *str2val __P((const char *, int, size_t *));
-
---- a/src/racoon/vmbuf.h
-+++ b/src/racoon/vmbuf.h
-@@ -34,6 +34,8 @@
- #ifndef _VMBUF_H
- #define _VMBUF_H
-
-+#include <sys/cdefs.h>
-+
- /*
- * bp v
- * v v
---- a/src/setkey/extern.h
-+++ b/src/setkey/extern.h
-@@ -1,6 +1,6 @@
- /* $NetBSD: extern.h,v 1.5 2009/03/06 11:45:03 tteras Exp $ */
-
--
-+#include <sys/cdefs.h>
-
- void parse_init __P((void));
- int parse __P((FILE **));
---- a/src/racoon/isakmp_cfg.c
-+++ b/src/racoon/isakmp_cfg.c
-@@ -1694,8 +1694,6 @@ isakmp_cfg_accounting_system(port, raddr
- "Accounting : '%s' logging on '%s' from %s.\n",
- ut.ut_name, ut.ut_line, ut.ut_host);
-
-- login(&ut);
--
- break;
- case ISAKMP_CFG_LOGOUT:
-
-@@ -1703,8 +1701,6 @@ isakmp_cfg_accounting_system(port, raddr
- "Accounting : '%s' unlogging from '%s'.\n",
- usr, term);
-
-- logout(term);
--
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n");
+++ /dev/null
-Description: Fix remotely exploitable DoS. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396
-Source: vendor; https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682
-Bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986
-
-Index: ipsec-tools-0.8.2/src/racoon/isakmp_frag.c
-===================================================================
---- ipsec-tools-0.8.2.orig/src/racoon/isakmp_frag.c
-+++ ipsec-tools-0.8.2/src/racoon/isakmp_frag.c
-@@ -1,4 +1,4 @@
--/* $NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $ */
-+/* $NetBSD: isakmp_frag.c,v 1.5.36.1 2017/04/21 16:50:42 bouyer Exp $ */
-
- /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
-
-@@ -173,6 +173,43 @@ vendorid_frag_cap(gen)
- return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]);
- }
-
-+static int
-+isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item)
-+{
-+ struct isakmp_frag_item *pitem = NULL;
-+ struct isakmp_frag_item *citem = iph1->frag_chain;
-+
-+ /* no frag yet, just insert at beginning of list */
-+ if (iph1->frag_chain == NULL) {
-+ iph1->frag_chain = item;
-+ return 0;
-+ }
-+
-+ do {
-+ /* duplicate fragment number, abort (CVE-2016-10396) */
-+ if (citem->frag_num == item->frag_num)
-+ return -1;
-+
-+ /* need to insert before current item */
-+ if (citem->frag_num > item->frag_num) {
-+ if (pitem != NULL)
-+ pitem->frag_next = item;
-+ else
-+ /* insert at the beginning of the list */
-+ iph1->frag_chain = item;
-+ item->frag_next = citem;
-+ return 0;
-+ }
-+
-+ pitem = citem;
-+ citem = citem->frag_next;
-+ } while (citem != NULL);
-+
-+ /* we reached the end of the list, insert */
-+ pitem->frag_next = item;
-+ return 0;
-+}
-+
- int
- isakmp_frag_extract(iph1, msg)
- struct ph1handle *iph1;
-@@ -224,39 +261,43 @@ isakmp_frag_extract(iph1, msg)
- item->frag_next = NULL;
- item->frag_packet = buf;
-
-- /* Look for the last frag while inserting the new item in the chain */
-- if (item->frag_last)
-- last_frag = item->frag_num;
-+ /* Check for the last frag before inserting the new item in the chain */
-+ if (item->frag_last) {
-+ /* if we have the last fragment, indices must match */
-+ if (iph1->frag_last_index != 0 &&
-+ item->frag_last != iph1->frag_last_index) {
-+ plog(LLV_ERROR, LOCATION, NULL,
-+ "Repeated last fragment index mismatch\n");
-+ racoon_free(item);
-+ vfree(buf);
-+ return -1;
-+ }
-
-- if (iph1->frag_chain == NULL) {
-- iph1->frag_chain = item;
-- } else {
-- struct isakmp_frag_item *current;
-+ last_frag = iph1->frag_last_index = item->frag_num;
-+ }
-
-- current = iph1->frag_chain;
-- while (current->frag_next) {
-- if (current->frag_last)
-- last_frag = item->frag_num;
-- current = current->frag_next;
-- }
-- current->frag_next = item;
-+ /* insert fragment into chain */
-+ if (isakmp_frag_insert(iph1, item) == -1) {
-+ plog(LLV_ERROR, LOCATION, NULL,
-+ "Repeated fragment index mismatch\n");
-+ racoon_free(item);
-+ vfree(buf);
-+ return -1;
- }
-
-- /* If we saw the last frag, check if the chain is complete */
-+ /* If we saw the last frag, check if the chain is complete
-+ * we have a sorted list now, so just walk through */
- if (last_frag != 0) {
-+ item = iph1->frag_chain;
- for (i = 1; i <= last_frag; i++) {
-- item = iph1->frag_chain;
-- do {
-- if (item->frag_num == i)
-- break;
-- item = item->frag_next;
-- } while (item != NULL);
--
-+ if (item->frag_num != i)
-+ break;
-+ item = item->frag_next;
- if (item == NULL) /* Not found */
- break;
- }
-
-- if (item != NULL) /* It is complete */
-+ if (i > last_frag) /* It is complete */
- return 1;
- }
-
-@@ -291,15 +332,9 @@ isakmp_frag_reassembly(iph1)
- }
- data = buf->v;
-
-+ item = iph1->frag_chain;
- for (i = 1; i <= frag_count; i++) {
-- item = iph1->frag_chain;
-- do {
-- if (item->frag_num == i)
-- break;
-- item = item->frag_next;
-- } while (item != NULL);
--
-- if (item == NULL) {
-+ if (item->frag_num != i) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Missing fragment #%d\n", i);
- vfree(buf);
-@@ -308,6 +343,7 @@ isakmp_frag_reassembly(iph1)
- }
- memcpy(data, item->frag_packet->v, item->frag_packet->l);
- data += item->frag_packet->l;
-+ item = item->frag_next;
- }
-
- out:
-Index: ipsec-tools-0.8.2/src/racoon/isakmp_inf.c
-===================================================================
---- ipsec-tools-0.8.2.orig/src/racoon/isakmp_inf.c
-+++ ipsec-tools-0.8.2/src/racoon/isakmp_inf.c
-@@ -720,6 +720,7 @@ isakmp_info_send_nx(isakmp, remote, loca
- #endif
- #ifdef ENABLE_FRAG
- iph1->frag = 0;
-+ iph1->frag_last_index = 0;
- iph1->frag_chain = NULL;
- #endif
-
-Index: ipsec-tools-0.8.2/src/racoon/isakmp.c
-===================================================================
---- ipsec-tools-0.8.2.orig/src/racoon/isakmp.c
-+++ ipsec-tools-0.8.2/src/racoon/isakmp.c
-@@ -1071,6 +1071,7 @@ isakmp_ph1begin_i(rmconf, remote, local)
- iph1->frag = 1;
- else
- iph1->frag = 0;
-+ iph1->frag_last_index = 0;
- iph1->frag_chain = NULL;
- #endif
- iph1->approval = NULL;
-@@ -1175,6 +1176,7 @@ isakmp_ph1begin_r(msg, remote, local, et
- #endif
- #ifdef ENABLE_FRAG
- iph1->frag = 0;
-+ iph1->frag_last_index = 0;
- iph1->frag_chain = NULL;
- #endif
- iph1->approval = NULL;
-Index: ipsec-tools-0.8.2/src/racoon/handler.h
-===================================================================
---- ipsec-tools-0.8.2.orig/src/racoon/handler.h
-+++ ipsec-tools-0.8.2/src/racoon/handler.h
-@@ -1,4 +1,4 @@
--/* $NetBSD: handler.h,v 1.25 2010/11/17 10:40:41 tteras Exp $ */
-+/* $NetBSD: handler.h,v 1.26 2017/01/24 19:23:56 christos Exp $ */
-
- /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
-
-@@ -141,6 +141,7 @@ struct ph1handle {
- #endif
- #ifdef ENABLE_FRAG
- int frag; /* IKE phase 1 fragmentation */
-+ int frag_last_index;
- struct isakmp_frag_item *frag_chain; /* Received fragments */
- #endif
-
+++ /dev/null
---- a/src/racoon/isakmp_xauth.c
-+++ b/src/racoon/isakmp_xauth.c
-@@ -376,6 +376,7 @@ xauth_reply(iph1, port, id, res)
- struct ph1handle *iph1;
- int port;
- int id;
-+ int res;
- {
- struct xauth_state *xst = &iph1->mode_cfg->xauth;
- char *usr = xst->authdata.generic.usr;
-
+++ /dev/null
-From 071fec7181255b9234add44865a435dfdefee520 Mon Sep 17 00:00:00 2001
-In-Reply-To: <20180528120513.560-1-cote2004-github@yahoo.com>
-References: <20180528120513.560-1-cote2004-github@yahoo.com>
-From: Eneas U de Queiroz <cote2004-github@yahoo.com>
-Date: Wed, 30 May 2018 15:42:20 -0300
-Subject: [PATCH v2 1/1] ipsec-tools: add openssl 1.1 support
-To: equeiroz@troianet.com.br
-
-This patch updates the calls to openssl 1.1 API, and adds a
-compatibility layer so it compiles with (at least) openssl 1.0.2, I
-haven't tested it with lower versions, but all that's needed is to edit
-the openssl_compat.* files and add the missing functions there--they're
-usually trivial.
-
-Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
----
- src/racoon/Makefile.am | 10 +--
- src/racoon/algorithm.c | 6 +-
- src/racoon/cfparse.y | 2 +-
- src/racoon/crypto_openssl.c | 197 +++++++++++++++++++++-------------------
- src/racoon/crypto_openssl.h | 2 +-
- src/racoon/eaytest.c | 7 +-
- src/racoon/ipsec_doi.c | 2 +-
- src/racoon/openssl_compat.c | 213 ++++++++++++++++++++++++++++++++++++++++++++
- src/racoon/openssl_compat.h | 45 ++++++++++
- src/racoon/plainrsa-gen.c | 41 +++++----
- src/racoon/prsa_par.y | 28 ++++--
- src/racoon/rsalist.c | 5 +-
- 12 files changed, 431 insertions(+), 127 deletions(-)
- create mode 100644 src/racoon/openssl_compat.c
- create mode 100644 src/racoon/openssl_compat.h
-
-diff --git a/src/racoon/Makefile.am b/src/racoon/Makefile.am
-index dbaded9..4c585f3 100644
---- a/src/racoon/Makefile.am
-+++ b/src/racoon/Makefile.am
-@@ -4,7 +4,7 @@ sbin_PROGRAMS = racoon racoonctl plainrsa-gen
- noinst_PROGRAMS = eaytest
- include_racoon_HEADERS = racoonctl.h var.h vmbuf.h misc.h gcmalloc.h admin.h \
- schedule.h sockmisc.h isakmp_var.h isakmp.h isakmp_xauth.h \
-- isakmp_cfg.h isakmp_unity.h ipsec_doi.h evt.h
-+ isakmp_cfg.h isakmp_unity.h ipsec_doi.h evt.h openssl_compat.h
- lib_LTLIBRARIES = libracoon.la
-
- adminsockdir=${localstatedir}/racoon
-@@ -32,7 +32,7 @@ racoon_SOURCES = \
- gssapi.c dnssec.c getcertsbyname.c privsep.c \
- pfkey.c admin.c evt.c ipsec_doi.c oakley.c grabmyaddr.c vendorid.c \
- policy.c localconf.c remoteconf.c crypto_openssl.c algorithm.c \
-- proposal.c sainfo.c strnames.c \
-+ openssl_compat.c proposal.c sainfo.c strnames.c \
- plog.c logger.c schedule.c str2val.c \
- safefile.c backupsa.c genlist.c rsalist.c \
- cftoken.l cfparse.y prsa_tok.l prsa_par.y
-@@ -51,12 +51,12 @@ libracoon_la_SOURCES = kmpstat.c vmbuf.c sockmisc.c misc.c
- libracoon_la_CFLAGS = -DNOUSE_PRIVSEP $(AM_CFLAGS)
-
- plainrsa_gen_SOURCES = plainrsa-gen.c plog.c \
-- crypto_openssl.c logger.c
-+ crypto_openssl.c logger.c openssl_compat.c
- EXTRA_plainrsa_gen_SOURCES = $(MISSING_ALGOS)
- plainrsa_gen_LDADD = $(CRYPTOBJS) vmbuf.o misc.o
- plainrsa_gen_DEPENDENCIES = $(CRYPTOBJS) vmbuf.o misc.o
-
--eaytest_SOURCES = eaytest.c plog.c logger.c
-+eaytest_SOURCES = eaytest.c plog.c logger.c openssl_compat.c
- EXTRA_eaytest_SOURCES = missing/crypto/sha2/sha2.c
- eaytest_LDADD = crypto_openssl_test.o vmbuf.o str2val.o misc_noplog.o \
- $(CRYPTOBJS)
-@@ -75,7 +75,7 @@ noinst_HEADERS = \
- debugrm.h isakmp.h misc.h sainfo.h \
- dhgroup.h isakmp_agg.h netdb_dnssec.h schedule.h \
- isakmp_cfg.h isakmp_xauth.h isakmp_unity.h isakmp_frag.h \
-- throttle.h privsep.h \
-+ throttle.h privsep.h openssl_compat.h \
- cfparse_proto.h cftoken_proto.h genlist.h rsalist.h \
- missing/crypto/sha2/sha2.h missing/crypto/rijndael/rijndael_local.h \
- missing/crypto/rijndael/rijndael-api-fst.h \
-diff --git a/src/racoon/algorithm.c b/src/racoon/algorithm.c
-index 3fd50f6..66c874b 100644
---- a/src/racoon/algorithm.c
-+++ b/src/racoon/algorithm.c
-@@ -128,7 +128,7 @@ static struct enc_algorithm oakley_encdef[] = {
- { "aes", algtype_aes, OAKLEY_ATTR_ENC_ALG_AES, 16,
- eay_aes_encrypt, eay_aes_decrypt,
- eay_aes_weakkey, eay_aes_keylen, },
--#ifdef HAVE_OPENSSL_CAMELLIA_H
-+#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA)
- { "camellia", algtype_camellia, OAKLEY_ATTR_ENC_ALG_CAMELLIA, 16,
- eay_camellia_encrypt, eay_camellia_decrypt,
- eay_camellia_weakkey, eay_camellia_keylen, },
-@@ -168,7 +168,7 @@ static struct enc_algorithm ipsec_encdef[] = {
- { "twofish", algtype_twofish, IPSECDOI_ESP_TWOFISH, 16,
- NULL, NULL,
- NULL, eay_twofish_keylen, },
--#ifdef HAVE_OPENSSL_IDEA_H
-+#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA)
- { "3idea", algtype_3idea, IPSECDOI_ESP_3IDEA, 8,
- NULL, NULL,
- NULL, NULL, },
-@@ -179,7 +179,7 @@ static struct enc_algorithm ipsec_encdef[] = {
- { "rc4", algtype_rc4, IPSECDOI_ESP_RC4, 8,
- NULL, NULL,
- NULL, NULL, },
--#ifdef HAVE_OPENSSL_CAMELLIA_H
-+#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA)
- { "camellia", algtype_camellia, IPSECDOI_ESP_CAMELLIA, 16,
- NULL, NULL,
- NULL, eay_camellia_keylen, },
-diff --git a/src/racoon/cfparse.y b/src/racoon/cfparse.y
-index 0d9bd67..8415752 100644
---- a/src/racoon/cfparse.y
-+++ b/src/racoon/cfparse.y
-@@ -2564,7 +2564,7 @@ set_isakmp_proposal(rmconf)
- plog(LLV_DEBUG2, LOCATION, NULL,
- "encklen=%d\n", s->encklen);
-
-- memset(types, 0, ARRAYLEN(types));
-+ memset(types, 0, sizeof types);
- types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc];
- types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash];
- types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh];
-diff --git a/src/racoon/crypto_openssl.c b/src/racoon/crypto_openssl.c
-index 55b076a..8fb358f 100644
---- a/src/racoon/crypto_openssl.c
-+++ b/src/racoon/crypto_openssl.c
-@@ -90,6 +90,7 @@
- #endif
- #endif
- #include "plog.h"
-+#include "openssl_compat.h"
-
- #define USE_NEW_DES_API
-
-@@ -316,9 +317,12 @@ eay_cmp_asn1dn(n1, n2)
- i = idx+1;
- goto end;
- }
-- if ((ea->value->length == 1 && ea->value->data[0] == '*') ||
-- (eb->value->length == 1 && eb->value->data[0] == '*')) {
-- if (OBJ_cmp(ea->object,eb->object)) {
-+ ASN1_STRING *sa = X509_NAME_ENTRY_get_data(ea);
-+ ASN1_STRING *sb = X509_NAME_ENTRY_get_data(eb);
-+ if ((ASN1_STRING_length(sa) == 1 && ASN1_STRING_get0_data(sa)[0] == '*') ||
-+ (ASN1_STRING_length(sb) == 1 && ASN1_STRING_get0_data(sb)[0] == '*')) {
-+ if (OBJ_cmp(X509_NAME_ENTRY_get_object(ea),
-+ X509_NAME_ENTRY_get_object(eb))) {
- i = idx+1;
- goto end;
- }
-@@ -430,7 +434,7 @@ cb_check_cert_local(ok, ctx)
-
- if (!ok) {
- X509_NAME_oneline(
-- X509_get_subject_name(ctx->current_cert),
-+ X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)),
- buf,
- 256);
- /*
-@@ -438,7 +442,8 @@ cb_check_cert_local(ok, ctx)
- * ok if they are self signed. But we should still warn
- * the user.
- */
-- switch (ctx->error) {
-+ int ctx_error = X509_STORE_CTX_get_error(ctx);
-+ switch (ctx_error) {
- case X509_V_ERR_CERT_HAS_EXPIRED:
- case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
- case X509_V_ERR_INVALID_CA:
-@@ -453,9 +458,9 @@ cb_check_cert_local(ok, ctx)
- }
- plog(log_tag, LOCATION, NULL,
- "%s(%d) at depth:%d SubjectName:%s\n",
-- X509_verify_cert_error_string(ctx->error),
-- ctx->error,
-- ctx->error_depth,
-+ X509_verify_cert_error_string(ctx_error),
-+ ctx_error,
-+ X509_STORE_CTX_get_error_depth(ctx),
- buf);
- }
- ERR_clear_error();
-@@ -477,10 +482,11 @@ cb_check_cert_remote(ok, ctx)
-
- if (!ok) {
- X509_NAME_oneline(
-- X509_get_subject_name(ctx->current_cert),
-+ X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)),
- buf,
- 256);
-- switch (ctx->error) {
-+ int ctx_error=X509_STORE_CTX_get_error(ctx);
-+ switch (ctx_error) {
- case X509_V_ERR_UNABLE_TO_GET_CRL:
- ok = 1;
- log_tag = LLV_WARNING;
-@@ -490,9 +496,9 @@ cb_check_cert_remote(ok, ctx)
- }
- plog(log_tag, LOCATION, NULL,
- "%s(%d) at depth:%d SubjectName:%s\n",
-- X509_verify_cert_error_string(ctx->error),
-- ctx->error,
-- ctx->error_depth,
-+ X509_verify_cert_error_string(ctx_error),
-+ ctx_error,
-+ X509_STORE_CTX_get_error_depth(ctx),
- buf);
- }
- ERR_clear_error();
-@@ -516,14 +522,15 @@ eay_get_x509asn1subjectname(cert)
- if (x509 == NULL)
- goto error;
-
-+ X509_NAME *subject_name = X509_get_subject_name(x509);
- /* get the length of the name */
-- len = i2d_X509_NAME(x509->cert_info->subject, NULL);
-+ len = i2d_X509_NAME(subject_name, NULL);
- name = vmalloc(len);
- if (!name)
- goto error;
- /* get the name */
- bp = (unsigned char *) name->v;
-- len = i2d_X509_NAME(x509->cert_info->subject, &bp);
-+ len = i2d_X509_NAME(subject_name, &bp);
-
- X509_free(x509);
-
-@@ -661,15 +668,16 @@ eay_get_x509asn1issuername(cert)
- if (x509 == NULL)
- goto error;
-
-+ X509_NAME *issuer_name = X509_get_issuer_name(x509);
- /* get the length of the name */
-- len = i2d_X509_NAME(x509->cert_info->issuer, NULL);
-+ len = i2d_X509_NAME(issuer_name, NULL);
- name = vmalloc(len);
- if (name == NULL)
- goto error;
-
- /* get the name */
- bp = (unsigned char *) name->v;
-- len = i2d_X509_NAME(x509->cert_info->issuer, &bp);
-+ len = i2d_X509_NAME(issuer_name, &bp);
-
- X509_free(x509);
-
-@@ -850,7 +858,7 @@ eay_check_x509sign(source, sig, cert)
- return -1;
- }
-
-- res = eay_rsa_verify(source, sig, evp->pkey.rsa);
-+ res = eay_rsa_verify(source, sig, EVP_PKEY_get0_RSA(evp));
-
- EVP_PKEY_free(evp);
- X509_free(x509);
-@@ -992,7 +1000,7 @@ eay_get_x509sign(src, privkey)
- if (evp == NULL)
- return NULL;
-
-- sig = eay_rsa_sign(src, evp->pkey.rsa);
-+ sig = eay_rsa_sign(src, EVP_PKEY_get0_RSA(evp));
-
- EVP_PKEY_free(evp);
-
-@@ -1079,7 +1087,11 @@ eay_strerror()
- int line, flags;
- unsigned long es;
-
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+ es = 0; /* even when allowed by OPENSSL_API_COMPAT, it is defined as 0 */
-+#else
- es = CRYPTO_thread_id();
-+#endif
-
- while ((l = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0){
- n = snprintf(ebuf + len, sizeof(ebuf) - len,
-@@ -1100,7 +1112,7 @@ vchar_t *
- evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc)
- {
- vchar_t *res;
-- EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX *ctx;
-
- if (!e)
- return NULL;
-@@ -1111,7 +1123,7 @@ evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc
- if ((res = vmalloc(data->l)) == NULL)
- return NULL;
-
-- EVP_CIPHER_CTX_init(&ctx);
-+ ctx = EVP_CIPHER_CTX_new();
-
- switch(EVP_CIPHER_nid(e)){
- case NID_bf_cbc:
-@@ -1125,54 +1137,41 @@ evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc
- /* XXX: can we do that also for algos with a fixed key size ?
- */
- /* init context without key/iv
-- */
-- if (!EVP_CipherInit(&ctx, e, NULL, NULL, enc))
-- {
-- OpenSSL_BUG();
-- vfree(res);
-- return NULL;
-- }
-+ */
-+ if (!EVP_CipherInit(ctx, e, NULL, NULL, enc))
-+ goto out;
-
-- /* update key size
-- */
-- if (!EVP_CIPHER_CTX_set_key_length(&ctx, key->l))
-- {
-- OpenSSL_BUG();
-- vfree(res);
-- return NULL;
-- }
--
-- /* finalize context init with desired key size
-- */
-- if (!EVP_CipherInit(&ctx, NULL, (u_char *) key->v,
-+ /* update key size
-+ */
-+ if (!EVP_CIPHER_CTX_set_key_length(ctx, key->l))
-+ goto out;
-+
-+ /* finalize context init with desired key size
-+ */
-+ if (!EVP_CipherInit(ctx, NULL, (u_char *) key->v,
- (u_char *) iv->v, enc))
-- {
-- OpenSSL_BUG();
-- vfree(res);
-- return NULL;
-- }
-+ goto out;
- break;
- default:
-- if (!EVP_CipherInit(&ctx, e, (u_char *) key->v,
-- (u_char *) iv->v, enc)) {
-- OpenSSL_BUG();
-- vfree(res);
-- return NULL;
-- }
-+ if (!EVP_CipherInit(ctx, e, (u_char *) key->v,
-+ (u_char *) iv->v, enc))
-+ goto out;
- }
-
- /* disable openssl padding */
-- EVP_CIPHER_CTX_set_padding(&ctx, 0);
-+ EVP_CIPHER_CTX_set_padding(ctx, 0);
-
-- if (!EVP_Cipher(&ctx, (u_char *) res->v, (u_char *) data->v, data->l)) {
-- OpenSSL_BUG();
-- vfree(res);
-- return NULL;
-- }
-+ if (!EVP_Cipher(ctx, (u_char *) res->v, (u_char *) data->v, data->l))
-+ goto out;
-
-- EVP_CIPHER_CTX_cleanup(&ctx);
-+ EVP_CIPHER_CTX_free(ctx);
-
- return res;
-+out:
-+ EVP_CIPHER_CTX_free(ctx);
-+ OpenSSL_BUG();
-+ vfree(res);
-+ return NULL;
- }
-
- int
-@@ -1230,7 +1229,7 @@ eay_des_keylen(len)
- return evp_keylen(len, EVP_des_cbc());
- }
-
--#ifdef HAVE_OPENSSL_IDEA_H
-+#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA)
- /*
- * IDEA-CBC
- */
-@@ -1587,7 +1586,7 @@ eay_aes_keylen(len)
- return len;
- }
-
--#if defined(HAVE_OPENSSL_CAMELLIA_H)
-+#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA)
- /*
- * CAMELLIA-CBC
- */
-@@ -1680,9 +1679,9 @@ eay_hmac_init(key, md)
- vchar_t *key;
- const EVP_MD *md;
- {
-- HMAC_CTX *c = racoon_malloc(sizeof(*c));
-+ HMAC_CTX *c = HMAC_CTX_new();
-
-- HMAC_Init(c, key->v, key->l, md);
-+ HMAC_Init_ex(c, key->v, key->l, md, NULL);
-
- return (caddr_t)c;
- }
-@@ -1761,8 +1760,7 @@ eay_hmacsha2_512_final(c)
-
- HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
- res->l = l;
-- HMAC_cleanup((HMAC_CTX *)c);
-- (void)racoon_free(c);
-+ HMAC_CTX_free((HMAC_CTX *)c);
-
- if (SHA512_DIGEST_LENGTH != res->l) {
- plog(LLV_ERROR, LOCATION, NULL,
-@@ -1811,8 +1809,7 @@ eay_hmacsha2_384_final(c)
-
- HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
- res->l = l;
-- HMAC_cleanup((HMAC_CTX *)c);
-- (void)racoon_free(c);
-+ HMAC_CTX_free((HMAC_CTX *)c);
-
- if (SHA384_DIGEST_LENGTH != res->l) {
- plog(LLV_ERROR, LOCATION, NULL,
-@@ -1861,8 +1858,7 @@ eay_hmacsha2_256_final(c)
-
- HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
- res->l = l;
-- HMAC_cleanup((HMAC_CTX *)c);
-- (void)racoon_free(c);
-+ HMAC_CTX_free((HMAC_CTX *)c);
-
- if (SHA256_DIGEST_LENGTH != res->l) {
- plog(LLV_ERROR, LOCATION, NULL,
-@@ -1912,8 +1908,7 @@ eay_hmacsha1_final(c)
-
- HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
- res->l = l;
-- HMAC_cleanup((HMAC_CTX *)c);
-- (void)racoon_free(c);
-+ HMAC_CTX_free((HMAC_CTX *)c);
-
- if (SHA_DIGEST_LENGTH != res->l) {
- plog(LLV_ERROR, LOCATION, NULL,
-@@ -1962,8 +1957,7 @@ eay_hmacmd5_final(c)
-
- HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
- res->l = l;
-- HMAC_cleanup((HMAC_CTX *)c);
-- (void)racoon_free(c);
-+ HMAC_CTX_free((HMAC_CTX *)c);
-
- if (MD5_DIGEST_LENGTH != res->l) {
- plog(LLV_ERROR, LOCATION, NULL,
-@@ -2266,6 +2260,7 @@ eay_dh_generate(prime, g, publen, pub, priv)
- u_int32_t g;
- {
- BIGNUM *p = NULL;
-+ BIGNUM *BNg = NULL;
- DH *dh = NULL;
- int error = -1;
-
-@@ -2276,25 +2271,28 @@ eay_dh_generate(prime, g, publen, pub, priv)
-
- if ((dh = DH_new()) == NULL)
- goto end;
-- dh->p = p;
-- p = NULL; /* p is now part of dh structure */
-- dh->g = NULL;
-- if ((dh->g = BN_new()) == NULL)
-+ if ((BNg = BN_new()) == NULL)
- goto end;
-- if (!BN_set_word(dh->g, g))
-+ if (!BN_set_word(BNg, g))
- goto end;
-+ if (! DH_set0_pqg(dh, p, NULL, BNg))
-+ goto end;
-+ BNg = NULL;
-+ p = NULL; /* p is now part of dh structure */
-
- if (publen != 0)
-- dh->length = publen;
-+ DH_set_length(dh, publen);
-
- /* generate public and private number */
- if (!DH_generate_key(dh))
- goto end;
-
- /* copy results to buffers */
-- if (eay_bn2v(pub, dh->pub_key) < 0)
-+ BIGNUM *pub_key, *priv_key;
-+ DH_get0_key(dh, (const BIGNUM**) &pub_key, (const BIGNUM**) &priv_key);
-+ if (eay_bn2v(pub, pub_key) < 0)
- goto end;
-- if (eay_bn2v(priv, dh->priv_key) < 0) {
-+ if (eay_bn2v(priv, priv_key) < 0) {
- vfree(*pub);
- goto end;
- }
-@@ -2306,6 +2304,8 @@ end:
- DH_free(dh);
- if (p != 0)
- BN_free(p);
-+ if (BNg != 0)
-+ BN_free(BNg);
- return(error);
- }
-
-@@ -2319,6 +2319,10 @@ eay_dh_compute(prime, g, pub, priv, pub2, key)
- int l;
- unsigned char *v = NULL;
- int error = -1;
-+ BIGNUM *p = BN_new();
-+ BIGNUM *BNg = BN_new();
-+ BIGNUM *pub_key = BN_new();
-+ BIGNUM *priv_key = BN_new();
-
- /* make public number to compute */
- if (eay_v2bn(&dh_pub, pub2) < 0)
-@@ -2327,19 +2331,21 @@ eay_dh_compute(prime, g, pub, priv, pub2, key)
- /* make DH structure */
- if ((dh = DH_new()) == NULL)
- goto end;
-- if (eay_v2bn(&dh->p, prime) < 0)
-+ if (p == NULL || BNg == NULL || pub_key == NULL || priv_key == NULL)
- goto end;
-- if (eay_v2bn(&dh->pub_key, pub) < 0)
-+
-+ if (eay_v2bn(&p, prime) < 0)
- goto end;
-- if (eay_v2bn(&dh->priv_key, priv) < 0)
-+ if (eay_v2bn(&pub_key, pub) < 0)
- goto end;
-- dh->length = pub2->l * 8;
--
-- dh->g = NULL;
-- if ((dh->g = BN_new()) == NULL)
-+ if (eay_v2bn(&priv_key, priv) < 0)
- goto end;
-- if (!BN_set_word(dh->g, g))
-+ if (!BN_set_word(BNg, g))
- goto end;
-+ DH_set0_key(dh, pub_key, priv_key);
-+ DH_set_length(dh, pub2->l * 8);
-+ DH_set0_pqg(dh, p, NULL, BNg);
-+ pub_key = priv_key = p = BNg = NULL;
-
- if ((v = racoon_calloc(prime->l, sizeof(u_char))) == NULL)
- goto end;
-@@ -2350,6 +2356,14 @@ eay_dh_compute(prime, g, pub, priv, pub2, key)
- error = 0;
-
- end:
-+ if (p != NULL)
-+ BN_free(p);
-+ if (BNg != NULL)
-+ BN_free(BNg);
-+ if (pub_key != NULL)
-+ BN_free(pub_key);
-+ if (priv_key != NULL)
-+ BN_free(priv_key);
- if (dh_pub != NULL)
- BN_free(dh_pub);
- if (dh != NULL)
-@@ -2400,12 +2414,14 @@ eay_bn2v(var, bn)
- void
- eay_init()
- {
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- OpenSSL_add_all_algorithms();
- ERR_load_crypto_strings();
- #ifdef HAVE_OPENSSL_ENGINE_H
- ENGINE_load_builtin_engines();
- ENGINE_register_all_complete();
- #endif
-+#endif
- }
-
- vchar_t *
-@@ -2504,8 +2520,7 @@ binbuf_pubkey2rsa(vchar_t *binbuf)
- goto out;
- }
-
-- rsa_pub->n = mod;
-- rsa_pub->e = exp;
-+ RSA_set0_key(rsa_pub, mod, exp, NULL);
-
- out:
- return rsa_pub;
-@@ -2582,5 +2597,5 @@ eay_random()
- const char *
- eay_version()
- {
-- return SSLeay_version(SSLEAY_VERSION);
-+ return OpenSSL_version(OPENSSL_VERSION);
- }
-diff --git a/src/racoon/crypto_openssl.h b/src/racoon/crypto_openssl.h
-index 66fac73..ee5b765 100644
---- a/src/racoon/crypto_openssl.h
-+++ b/src/racoon/crypto_openssl.h
-@@ -124,7 +124,7 @@ extern vchar_t *eay_aes_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
- extern int eay_aes_weakkey __P((vchar_t *));
- extern int eay_aes_keylen __P((int));
-
--#if defined(HAVE_OPENSSL_CAMELLIA_H)
-+#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA)
- /* Camellia */
- extern vchar_t *eay_camellia_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
- extern vchar_t *eay_camellia_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
-diff --git a/src/racoon/eaytest.c b/src/racoon/eaytest.c
-index 1474bdc..ae09db3 100644
---- a/src/racoon/eaytest.c
-+++ b/src/racoon/eaytest.c
-@@ -62,6 +62,7 @@
- #include "dhgroup.h"
- #include "crypto_openssl.h"
- #include "gnuc.h"
-+#include "openssl_compat.h"
-
- #include "package_version.h"
-
-@@ -103,7 +104,7 @@ rsa_verify_with_pubkey(src, sig, pubkey_txt)
- printf ("PEM_read_PUBKEY(): %s\n", eay_strerror());
- return -1;
- }
-- error = eay_check_rsasign(src, sig, evp->pkey.rsa);
-+ error = eay_check_rsasign(src, sig, EVP_PKEY_get0_RSA(evp));
-
- return error;
- }
-@@ -698,7 +699,7 @@ ciphertest(ac, av)
- eay_cast_encrypt, eay_cast_decrypt) < 0)
- return -1;
-
--#ifdef HAVE_OPENSSL_IDEA_H
-+#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA)
- if (ciphertest_1 ("IDEA",
- &data, 8,
- &key, key.l,
-@@ -715,7 +716,7 @@ ciphertest(ac, av)
- eay_rc5_encrypt, eay_rc5_decrypt) < 0)
- return -1;
- #endif
--#if defined(HAVE_OPENSSL_CAMELLIA_H)
-+#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA)
- if (ciphertest_1 ("CAMELLIA",
- &data, 16,
- &key, key.l,
-diff --git a/src/racoon/ipsec_doi.c b/src/racoon/ipsec_doi.c
-index 84a4c71..b52469f 100644
---- a/src/racoon/ipsec_doi.c
-+++ b/src/racoon/ipsec_doi.c
-@@ -715,7 +715,7 @@ out:
- /* key length must not be specified on some algorithms */
- if (keylen) {
- if (sa->enctype == OAKLEY_ATTR_ENC_ALG_DES
--#ifdef HAVE_OPENSSL_IDEA_H
-+#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA)
- || sa->enctype == OAKLEY_ATTR_ENC_ALG_IDEA
- #endif
- || sa->enctype == OAKLEY_ATTR_ENC_ALG_3DES) {
-diff --git a/src/racoon/openssl_compat.c b/src/racoon/openssl_compat.c
-new file mode 100644
-index 0000000..864b5fb
---- /dev/null
-+++ b/src/racoon/openssl_compat.c
-@@ -0,0 +1,213 @@
-+/*
-+ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
-+ *
-+ * Licensed under the OpenSSL license (the "License"). You may not use
-+ * this file except in compliance with the License. You can obtain a copy
-+ * in the file LICENSE in the source distribution or at
-+ * https://www.openssl.org/source/license.html
-+ */
-+
-+#include "openssl_compat.h"
-+
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+
-+#include <string.h>
-+
-+static void *OPENSSL_zalloc(size_t num)
-+{
-+ void *ret = OPENSSL_malloc(num);
-+
-+ if (ret != NULL)
-+ memset(ret, 0, num);
-+ return ret;
-+}
-+
-+int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
-+{
-+ /* If the fields n and e in r are NULL, the corresponding input
-+ * parameters MUST be non-NULL for n and e. d may be
-+ * left NULL (in case only the public key is used).
-+ */
-+ if ((r->n == NULL && n == NULL)
-+ || (r->e == NULL && e == NULL))
-+ return 0;
-+
-+ if (n != NULL) {
-+ BN_free(r->n);
-+ r->n = n;
-+ }
-+ if (e != NULL) {
-+ BN_free(r->e);
-+ r->e = e;
-+ }
-+ if (d != NULL) {
-+ BN_free(r->d);
-+ r->d = d;
-+ }
-+
-+ return 1;
-+}
-+
-+int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
-+{
-+ /* If the fields p and q in r are NULL, the corresponding input
-+ * parameters MUST be non-NULL.
-+ */
-+ if ((r->p == NULL && p == NULL)
-+ || (r->q == NULL && q == NULL))
-+ return 0;
-+
-+ if (p != NULL) {
-+ BN_free(r->p);
-+ r->p = p;
-+ }
-+ if (q != NULL) {
-+ BN_free(r->q);
-+ r->q = q;
-+ }
-+
-+ return 1;
-+}
-+
-+int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
-+{
-+ /* If the fields dmp1, dmq1 and iqmp in r are NULL, the corresponding input
-+ * parameters MUST be non-NULL.
-+ */
-+ if ((r->dmp1 == NULL && dmp1 == NULL)
-+ || (r->dmq1 == NULL && dmq1 == NULL)
-+ || (r->iqmp == NULL && iqmp == NULL))
-+ return 0;
-+
-+ if (dmp1 != NULL) {
-+ BN_free(r->dmp1);
-+ r->dmp1 = dmp1;
-+ }
-+ if (dmq1 != NULL) {
-+ BN_free(r->dmq1);
-+ r->dmq1 = dmq1;
-+ }
-+ if (iqmp != NULL) {
-+ BN_free(r->iqmp);
-+ r->iqmp = iqmp;
-+ }
-+
-+ return 1;
-+}
-+
-+void RSA_get0_key(const RSA *r,
-+ const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
-+{
-+ if (n != NULL)
-+ *n = r->n;
-+ if (e != NULL)
-+ *e = r->e;
-+ if (d != NULL)
-+ *d = r->d;
-+}
-+
-+void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q)
-+{
-+ if (p != NULL)
-+ *p = r->p;
-+ if (q != NULL)
-+ *q = r->q;
-+}
-+
-+void RSA_get0_crt_params(const RSA *r,
-+ const BIGNUM **dmp1, const BIGNUM **dmq1,
-+ const BIGNUM **iqmp)
-+{
-+ if (dmp1 != NULL)
-+ *dmp1 = r->dmp1;
-+ if (dmq1 != NULL)
-+ *dmq1 = r->dmq1;
-+ if (iqmp != NULL)
-+ *iqmp = r->iqmp;
-+}
-+
-+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
-+{
-+ /* If the fields p and g in d are NULL, the corresponding input
-+ * parameters MUST be non-NULL. q may remain NULL.
-+ */
-+ if ((dh->p == NULL && p == NULL)
-+ || (dh->g == NULL && g == NULL))
-+ return 0;
-+
-+ if (p != NULL) {
-+ BN_free(dh->p);
-+ dh->p = p;
-+ }
-+ if (q != NULL) {
-+ BN_free(dh->q);
-+ dh->q = q;
-+ }
-+ if (g != NULL) {
-+ BN_free(dh->g);
-+ dh->g = g;
-+ }
-+
-+ if (q != NULL) {
-+ dh->length = BN_num_bits(q);
-+ }
-+
-+ return 1;
-+}
-+
-+void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key)
-+{
-+ if (pub_key != NULL)
-+ *pub_key = dh->pub_key;
-+ if (priv_key != NULL)
-+ *priv_key = dh->priv_key;
-+}
-+
-+int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)
-+{
-+ /* If the field pub_key in dh is NULL, the corresponding input
-+ * parameters MUST be non-NULL. The priv_key field may
-+ * be left NULL.
-+ */
-+ if (dh->pub_key == NULL && pub_key == NULL)
-+ return 0;
-+
-+ if (pub_key != NULL) {
-+ BN_free(dh->pub_key);
-+ dh->pub_key = pub_key;
-+ }
-+ if (priv_key != NULL) {
-+ BN_free(dh->priv_key);
-+ dh->priv_key = priv_key;
-+ }
-+
-+ return 1;
-+}
-+
-+int DH_set_length(DH *dh, long length)
-+{
-+ dh->length = length;
-+ return 1;
-+}
-+
-+HMAC_CTX *HMAC_CTX_new(void)
-+{
-+ return OPENSSL_zalloc(sizeof(HMAC_CTX));
-+}
-+
-+void HMAC_CTX_free(HMAC_CTX *ctx)
-+{
-+ HMAC_CTX_cleanup(ctx);
-+ OPENSSL_free(ctx);
-+}
-+
-+RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
-+{
-+ if (pkey->type != EVP_PKEY_RSA) {
-+ return NULL;
-+ }
-+ return pkey->pkey.rsa;
-+}
-+
-+
-+#endif /* OPENSSL_VERSION_NUMBER */
-diff --git a/src/racoon/openssl_compat.h b/src/racoon/openssl_compat.h
-new file mode 100644
-index 0000000..9e152c2
---- /dev/null
-+++ b/src/racoon/openssl_compat.h
-@@ -0,0 +1,45 @@
-+#ifndef OPENSSL_COMPAT_H
-+#define OPENSSL_COMPAT_H
-+
-+#include <openssl/opensslv.h>
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+
-+#include <openssl/rsa.h>
-+#include <openssl/dh.h>
-+#include <openssl/evp.h>
-+#include <openssl/hmac.h>
-+
-+int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
-+int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q);
-+int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp);
-+void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d);
-+void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q);
-+void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, const BIGNUM **iqmp);
-+
-+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
-+void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key);
-+int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key);
-+int DH_set_length(DH *dh, long length);
-+
-+HMAC_CTX *HMAC_CTX_new(void);
-+void HMAC_CTX_free(HMAC_CTX* ctx);
-+
-+RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey);
-+
-+#define ASN1_STRING_length(s) s->length
-+#define ASN1_STRING_get0_data(s) s->data
-+
-+#define X509_get_subject_name(x) x->cert_info->subject
-+#define X509_get_issuer_name(x) x->cert_info->issuer
-+#define X509_NAME_ENTRY_get_data(n) n->value
-+#define X509_NAME_ENTRY_get_object(n) n->object
-+#define X509_STORE_CTX_get_current_cert(ctx) ctx->current_cert
-+#define X509_STORE_CTX_get_error(ctx) ctx->error
-+#define X509_STORE_CTX_get_error_depth(ctx) ctx->error_depth
-+
-+#define OPENSSL_VERSION SSLEAY_VERSION
-+#define OpenSSL_version SSLeay_version
-+
-+#endif /* OPENSSL_VERSION_NUMBER */
-+
-+#endif /* OPENSSL_COMPAT_H */
-diff --git a/src/racoon/plainrsa-gen.c b/src/racoon/plainrsa-gen.c
-index cad1861..b949b08 100644
---- a/src/racoon/plainrsa-gen.c
-+++ b/src/racoon/plainrsa-gen.c
-@@ -60,6 +60,7 @@
- #include "vmbuf.h"
- #include "plog.h"
- #include "crypto_openssl.h"
-+#include "openssl_compat.h"
-
- #include "package_version.h"
-
-@@ -90,12 +91,14 @@ mix_b64_pubkey(const RSA *key)
- char *binbuf;
- long binlen, ret;
- vchar_t *res;
--
-- binlen = 1 + BN_num_bytes(key->e) + BN_num_bytes(key->n);
-+ const BIGNUM *e, *n;
-+
-+ RSA_get0_key(key, &n, &e, NULL);
-+ binlen = 1 + BN_num_bytes(e) + BN_num_bytes(n);
- binbuf = malloc(binlen);
- memset(binbuf, 0, binlen);
-- binbuf[0] = BN_bn2bin(key->e, (unsigned char *) &binbuf[1]);
-- ret = BN_bn2bin(key->n, (unsigned char *) (&binbuf[binbuf[0] + 1]));
-+ binbuf[0] = BN_bn2bin(e, (unsigned char *) &binbuf[1]);
-+ ret = BN_bn2bin(n, (unsigned char *) (&binbuf[binbuf[0] + 1]));
- if (1 + binbuf[0] + ret != binlen) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Pubkey generation failed. This is really strange...\n");
-@@ -131,16 +134,20 @@ print_rsa_key(FILE *fp, const RSA *key)
-
- fprintf(fp, "# : PUB 0s%s\n", pubkey64->v);
- fprintf(fp, ": RSA\t{\n");
-- fprintf(fp, "\t# RSA %d bits\n", BN_num_bits(key->n));
-+ const BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp;
-+ RSA_get0_key(key, &n, &e, &d);
-+ RSA_get0_factors(key, &p, &q);
-+ RSA_get0_crt_params(key, &dmp1, &dmq1, &iqmp);
-+ fprintf(fp, "\t# RSA %d bits\n", BN_num_bits(n));
- fprintf(fp, "\t# pubkey=0s%s\n", pubkey64->v);
-- fprintf(fp, "\tModulus: 0x%s\n", lowercase(BN_bn2hex(key->n)));
-- fprintf(fp, "\tPublicExponent: 0x%s\n", lowercase(BN_bn2hex(key->e)));
-- fprintf(fp, "\tPrivateExponent: 0x%s\n", lowercase(BN_bn2hex(key->d)));
-- fprintf(fp, "\tPrime1: 0x%s\n", lowercase(BN_bn2hex(key->p)));
-- fprintf(fp, "\tPrime2: 0x%s\n", lowercase(BN_bn2hex(key->q)));
-- fprintf(fp, "\tExponent1: 0x%s\n", lowercase(BN_bn2hex(key->dmp1)));
-- fprintf(fp, "\tExponent2: 0x%s\n", lowercase(BN_bn2hex(key->dmq1)));
-- fprintf(fp, "\tCoefficient: 0x%s\n", lowercase(BN_bn2hex(key->iqmp)));
-+ fprintf(fp, "\tModulus: 0x%s\n", lowercase(BN_bn2hex(n)));
-+ fprintf(fp, "\tPublicExponent: 0x%s\n", lowercase(BN_bn2hex(e)));
-+ fprintf(fp, "\tPrivateExponent: 0x%s\n", lowercase(BN_bn2hex(d)));
-+ fprintf(fp, "\tPrime1: 0x%s\n", lowercase(BN_bn2hex(p)));
-+ fprintf(fp, "\tPrime2: 0x%s\n", lowercase(BN_bn2hex(q)));
-+ fprintf(fp, "\tExponent1: 0x%s\n", lowercase(BN_bn2hex(dmp1)));
-+ fprintf(fp, "\tExponent2: 0x%s\n", lowercase(BN_bn2hex(dmq1)));
-+ fprintf(fp, "\tCoefficient: 0x%s\n", lowercase(BN_bn2hex(iqmp)));
- fprintf(fp, " }\n");
-
- vfree(pubkey64);
-@@ -203,11 +210,13 @@ int
- gen_rsa_key(FILE *fp, size_t bits, unsigned long exp)
- {
- int ret;
-- RSA *key;
-+ RSA *key = RSA_new();
-+ BIGNUM *e = BN_new();
-
-- key = RSA_generate_key(bits, exp, NULL, NULL);
-- if (!key) {
-+ BN_set_word(e, exp);
-+ if (! RSA_generate_key_ex(key, bits, e, NULL)) {
- fprintf(stderr, "RSA_generate_key(): %s\n", eay_strerror());
-+ RSA_free(key);
- return -1;
- }
-
-diff --git a/src/racoon/prsa_par.y b/src/racoon/prsa_par.y
-index 1987e4d..27ce4c6 100644
---- a/src/racoon/prsa_par.y
-+++ b/src/racoon/prsa_par.y
-@@ -68,6 +68,7 @@
- #include "isakmp_var.h"
- #include "handler.h"
- #include "crypto_openssl.h"
-+#include "openssl_compat.h"
- #include "sockmisc.h"
- #include "rsalist.h"
-
-@@ -85,7 +86,18 @@ char *prsa_cur_fname = NULL;
- struct genlist *prsa_cur_list = NULL;
- enum rsa_key_type prsa_cur_type = RSA_TYPE_ANY;
-
--static RSA *rsa_cur;
-+struct my_rsa_st {
-+ BIGNUM *n;
-+ BIGNUM *e;
-+ BIGNUM *d;
-+ BIGNUM *p;
-+ BIGNUM *q;
-+ BIGNUM *dmp1;
-+ BIGNUM *dmq1;
-+ BIGNUM *iqmp;
-+};
-+
-+static struct my_rsa_st *rsa_cur;
-
- void
- prsaerror(const char *s, ...)
-@@ -201,8 +213,12 @@ rsa_statement:
- rsa_cur->iqmp = NULL;
- }
- }
-- $$ = rsa_cur;
-- rsa_cur = RSA_new();
-+ RSA * rsa_tmp = RSA_new();
-+ RSA_set0_key(rsa_tmp, rsa_cur->n, rsa_cur->e, rsa_cur->d);
-+ RSA_set0_factors(rsa_tmp, rsa_cur->p, rsa_cur->q);
-+ RSA_set0_crt_params(rsa_tmp, rsa_cur->dmp1, rsa_cur->dmq1, rsa_cur->iqmp);
-+ $$ = rsa_tmp;
-+ memset(rsa_cur, 0, sizeof(struct my_rsa_st));
- }
- | TAG_PUB BASE64
- {
-@@ -351,10 +367,12 @@ prsa_parse_file(struct genlist *list, char *fname, enum rsa_key_type type)
- prsa_cur_fname = fname;
- prsa_cur_list = list;
- prsa_cur_type = type;
-- rsa_cur = RSA_new();
-+ rsa_cur = malloc(sizeof(struct my_rsa_st));
-+ memset(rsa_cur, 0, sizeof(struct my_rsa_st));
- ret = prsaparse();
- if (rsa_cur) {
-- RSA_free(rsa_cur);
-+ memset(rsa_cur, 0, sizeof(struct my_rsa_st));
-+ free(rsa_cur);
- rsa_cur = NULL;
- }
- fclose (fp);
-diff --git a/src/racoon/rsalist.c b/src/racoon/rsalist.c
-index f152c82..96e8363 100644
---- a/src/racoon/rsalist.c
-+++ b/src/racoon/rsalist.c
-@@ -52,6 +52,7 @@
- #include "genlist.h"
- #include "remoteconf.h"
- #include "crypto_openssl.h"
-+#include "openssl_compat.h"
-
- #ifndef LIST_FIRST
- #define LIST_FIRST(head) ((head)->lh_first)
-@@ -98,7 +99,9 @@ rsa_key_dup(struct rsa_key *key)
- return NULL;
-
- if (key->rsa) {
-- new->rsa = key->rsa->d != NULL ? RSAPrivateKey_dup(key->rsa) : RSAPublicKey_dup(key->rsa);
-+ const BIGNUM *d;
-+ RSA_get0_key(key->rsa, NULL, NULL, &d);
-+ new->rsa = (d != NULL ? RSAPrivateKey_dup(key->rsa) : RSAPublicKey_dup(key->rsa));
- if (new->rsa == NULL)
- goto dup_error;
- }
---
-2.16.1
-
+++ /dev/null
---- a/src/racoon/crypto_openssl.c
-+++ b/src/racoon/crypto_openssl.c
-@@ -1087,7 +1087,7 @@ eay_strerror()
- int line, flags;
- unsigned long es;
-
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
- es = 0; /* even when allowed by OPENSSL_API_COMPAT, it is defined as 0 */
- #else
- es = CRYPTO_thread_id();
---- a/src/racoon/openssl_compat.h
-+++ b/src/racoon/openssl_compat.h
-@@ -5,6 +5,7 @@
- #if OPENSSL_VERSION_NUMBER < 0x10100000L
-
- #include <openssl/rsa.h>
-+#include <openssl/bn.h>
- #include <openssl/dh.h>
- #include <openssl/evp.h>
- #include <openssl/hmac.h>