Buck Rogers in the 25th century: make this compile again.

christos 2018-05-29 01:22:50 +00:00
parent 3913cbb593
commit aa7ee0c9ec
24 changed files with 2265 additions and 13 deletions


@ -1,8 +1,8 @@
# $NetBSD: Makefile,v 1.11 2016/07/09 06:38:56 wiz Exp $
# $NetBSD: Makefile,v 1.12 2018/05/29 01:22:50 christos Exp $
#
DISTNAME= racoon2-20100526a
PKGREVISION= 9
PKGREVISION= 10
CATEGORIES= security net
MASTER_SITES= ftp://ftp.racoon2.wide.ad.jp/pub/racoon2/
EXTRACT_SUFX= .tgz


@ -1,4 +1,4 @@
$NetBSD: distinfo,v 1.5 2015/11/04 01:18:07 agc Exp $
$NetBSD: distinfo,v 1.6 2018/05/29 01:22:50 christos Exp $
SHA1 (racoon2-20100526a.tgz) = 268429af8a031dbbc279580cf98ea18331f0e2d9
RMD160 (racoon2-20100526a.tgz) = 014cdcf78cc82ab21235a21491850cdcd1f883bf
@ -9,7 +9,28 @@ SHA1 (patch-ab) = eb6d901108ebcca90571851817137b4b3f3c594b
SHA1 (patch-ac) = 081a2d3d694d4c20cf1fa2d9718577577280288e
SHA1 (patch-ad) = 0d04dc7027c100de6bc04db00eddb30a12fd8715
SHA1 (patch-ae) = 937cf84a2b6f1e8f8d288703a0556faf500bab95
SHA1 (patch-iked_crypto__impl.h) = e6b274258eb7428cbd01cefc33ae85e001260542
SHA1 (patch-iked_crypto__openssl.c) = 0a013e5aa5ce9747da61b8095440a16ee78de4e9
SHA1 (patch-iked_ike__conf.c) = 82e09465e69b082abb12b3fead16eae8a7bc103b
SHA1 (patch-iked_ikev1_ikev1.c) = ce9b22b2be12bc4cd5fa0e171cbd39c0d88d5406
SHA1 (patch-iked_ikev1_ipsec__doi.c) = 3673d0643359eb8a68bbd867e941e1a1aae02b01
SHA1 (patch-iked_ikev1_oakley.c) = 8823a898ec8190d177d3eda8d6c474040b08d2a1
SHA1 (patch-iked_ikev1_pfkey.c) = 064df06b876504b611008a8a20b44266a83c5789
SHA1 (patch-iked_ikev2.c) = 857805c92e3c78ec5f05a9068acbba03e91030b3
SHA1 (patch-iked_ikev2__child.c) = f7f268f3e7666a3e23efd3b71c4474eeb9f8a046
SHA1 (patch-iked_ikev2__notify.c) = 688d5b46451912b00dbf1500e7ff66f4290d7d8a
SHA1 (patch-kinkd-crypto__openssl.c) = 4acd36a5462d3296a53966f85fb39e8888650d5a
SHA1 (patch-kinkd-ipsec__doi.c) = f72d62de7dce9e02d4de77162926491fef3761d1
SHA1 (patch-kinkd_bbkk__heimdal.c) = 55a4e8121df28272d2838376823bc85ec108d93f
SHA1 (patch-kinkd_isakmp__quick.c) = 1b177838621336bfabf0416d9fc09d6e581b8c05
SHA1 (patch-kinkd_session.c) = 6b2ec8329d0fda0b850116c21bda2a4d06634f0d
SHA1 (patch-lib_cfparse.y) = 9e0b8ec9c09c315edde171103b97a8c403ba748e
SHA1 (patch-lib_cfsetup.c) = 70c2409bc69ff85cef6d2e2b4e222e12537c323e
SHA1 (patch-lib_cftoken.l) = 1cbae5bd9199e204d12d5a5216521a21e55a84dc
SHA1 (patch-lib_cftoken.l) = cbda1153f7fd34713248d3d7d188a50b27d9ddcd
SHA1 (patch-lib_if__pfkeyv2.c) = 9eb969ff0f289bc7c4aa1fa234c221b4d70d1da7
SHA1 (patch-lib_if__spmd.c) = 0b5e5412afb826f502c040153ca5b0e50ad3d682
SHA1 (patch-spmd_fqdn__query.c) = d44af49981bfc503fe097a40a0448215ff2367d8
SHA1 (patch-spmd_main.c) = 7ee34b1a5b18d938806f490abe2d8cdf25caa426
SHA1 (patch-spmd_shell.c) = 37a52cb9062fd44e0d358c7ae1605481a3604f71
SHA1 (patch-spmd_spmd__pfkey.c) = 2bf3e70f41a779989d63d7099b2e7031a7441a27
SHA1 (patch-spmd_spmdctl.c) = 26cd17a8b9932bbc5af8aa5d476eb0a5fad8e323


@ -0,0 +1,15 @@
$NetBSD: patch-iked_crypto__impl.h,v 1.1 2018/05/29 01:22:50 christos Exp $
Make unmodified argument const
--- iked/crypto_impl.h 2010-02-01 05:30:51.000000000 -0500
+++ iked/crypto_impl.h 2018-05-28 16:44:16.016528535 -0400
@@ -246,7 +246,7 @@
extern int eay_revbnl (rc_vchar_t *);
#include <openssl/bn.h>
extern int eay_v2bn (BIGNUM **, rc_vchar_t *);
-extern int eay_bn2v (rc_vchar_t **, BIGNUM *);
+extern int eay_bn2v (rc_vchar_t **, const BIGNUM *);
extern const char *eay_version (void);


@ -0,0 +1,714 @@
$NetBSD: patch-iked_crypto__openssl.c,v 1.1 2018/05/29 01:22:50 christos Exp $
Adjust for openssl-1.1
--- iked/crypto_openssl.c 2010-02-01 05:30:51.000000000 -0500
+++ iked/crypto_openssl.c 2018-05-28 17:08:27.806906241 -0400
@@ -324,16 +324,17 @@
{
char buf[256];
int log_tag;
+ int ctx_error, ctx_error_depth;
if (!ok) {
- X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),
- buf, 256);
+ X509_NAME_oneline(X509_get_subject_name(
+ X509_STORE_CTX_get0_cert(ctx)), buf, 256);
/*
* since we are just checking the certificates, it is
* ok if they are self signed. But we should still warn
* the user.
*/
- switch (ctx->error) {
+ switch (ctx_error = X509_STORE_CTX_get_error(ctx)) {
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
#if OPENSSL_VERSION_NUMBER >= 0x00905100L
case X509_V_ERR_INVALID_CA:
@@ -347,16 +348,17 @@
default:
log_tag = PLOG_PROTOERR;
}
+ ctx_error_depth = X509_STORE_CTX_get_error_depth(ctx);
#ifndef EAYDEBUG
plog(log_tag, PLOGLOC, NULL,
"%s(%d) at depth:%d SubjectName:%s\n",
- X509_verify_cert_error_string(ctx->error),
- ctx->error, ctx->error_depth, buf);
+ X509_verify_cert_error_string(ctx_error),
+ ctx_error, ctx_error_depth, buf);
#else
printf("%d: %s(%d) at depth:%d SubjectName:%s\n",
log_tag,
- X509_verify_cert_error_string(ctx->error),
- ctx->error, ctx->error_depth, buf);
+ X509_verify_cert_error_string(ctx_error),
+ ctx_error, ctx_error_depth, buf);
#endif
}
ERR_clear_error();
@@ -991,6 +993,7 @@
BPP_const unsigned char *bp;
rc_vchar_t *sig = NULL;
int len;
+ RSA *rsa;
int pad = RSA_PKCS1_PADDING;
bp = (unsigned char *)privkey->v;
@@ -1002,14 +1005,15 @@
/* XXX: to be handled EVP_dss() */
/* XXX: Where can I get such parameters ? From my cert ? */
- len = RSA_size(evp->pkey.rsa);
+ rsa = EVP_PKEY_get0_RSA(evp);
+ len = RSA_size(rsa);
sig = rc_vmalloc(len);
if (sig == NULL)
return NULL;
len = RSA_private_encrypt(src->l, (unsigned char *)src->v,
- (unsigned char *)sig->v, evp->pkey.rsa, pad);
+ (unsigned char *)sig->v, rsa, pad);
EVP_PKEY_free(evp);
if (len == 0 || (size_t)len != sig->l) {
rc_vfree(sig);
@@ -1028,6 +1032,7 @@
BPP_const unsigned char *bp;
rc_vchar_t *xbuf = NULL;
int pad = RSA_PKCS1_PADDING;
+ RSA *rsa;
int len = 0;
int error;
@@ -1040,7 +1045,8 @@
return -1;
}
- len = RSA_size(evp->pkey.rsa);
+ rsa = EVP_PKEY_get0_RSA(evp);
+ len = RSA_size(rsa);
xbuf = rc_vmalloc(len);
if (xbuf == NULL) {
@@ -1053,7 +1059,7 @@
}
len = RSA_public_decrypt(sig->l, (unsigned char *)sig->v,
- (unsigned char *)xbuf->v, evp->pkey.rsa, pad);
+ (unsigned char *)xbuf->v, rsa, pad);
#ifndef EAYDEBUG
if (len == 0 || (size_t)len != src->l)
plog(PLOG_PROTOERR, PLOGLOC, NULL, "%s\n", eay_strerror());
@@ -1089,7 +1095,8 @@
rc_vchar_t *sig = 0;
unsigned int siglen;
const EVP_MD *md;
- EVP_MD_CTX ctx;
+ EVP_MD_CTX *ctx = NULL;
+ RSA *rsa;
bp = (unsigned char *)privkey->v;
/* convert private key from vmbuf to internal data */
@@ -1100,7 +1107,8 @@
goto fail;
}
- len = RSA_size(pkey->pkey.rsa);
+ rsa = EVP_PKEY_get0_RSA(pkey);
+ len = RSA_size(rsa);
sig = rc_vmalloc(len);
if (sig == NULL) {
plog(PLOG_INTERR, PLOGLOC, NULL, "failed allocating memory\n");
@@ -1114,27 +1122,33 @@
"failed to find digest algorithm %s\n", hash_type);
goto fail;
}
- EVP_MD_CTX_init(&ctx);
- EVP_SignInit(&ctx, md);
- EVP_SignUpdate(&ctx, octets->v, octets->l);
- if (EVP_SignFinal(&ctx, (unsigned char *)sig->v, &siglen, pkey) <= 0) {
+ ctx = EVP_MD_CTX_new();
+ if (!ctx) {
+ plog(PLOG_INTERR, PLOGLOC, NULL,
+ "failed to allocate context\n");
+ goto fail;
+ }
+ EVP_SignInit(ctx, md);
+ EVP_SignUpdate(ctx, octets->v, octets->l);
+ if (EVP_SignFinal(ctx, (unsigned char *)sig->v, &siglen, pkey) <= 0) {
plog(PLOG_INTERR, PLOGLOC, NULL,
"RSA_sign failed: %s\n", eay_strerror());
- EVP_MD_CTX_cleanup(&ctx);
goto fail;
}
- EVP_MD_CTX_cleanup(&ctx);
if (sig->l != siglen) {
plog(PLOG_INTERR, PLOGLOC, NULL,
"unexpected signature length %d\n", siglen);
goto fail;
}
+ EVP_MD_CTX_free(ctx);
EVP_PKEY_free(pkey);
return sig;
fail:
if (sig)
rc_vfree(sig);
+ if (ctx)
+ EVP_MD_CTX_free(ctx);
if (pkey)
EVP_PKEY_free(pkey);
return 0;
@@ -1154,7 +1168,7 @@
EVP_PKEY *pkey;
BPP_const unsigned char *bp;
const EVP_MD *md;
- EVP_MD_CTX ctx;
+ EVP_MD_CTX *ctx = NULL;
bp = (unsigned char *)pubkey->v;
pkey = d2i_PUBKEY(NULL, &bp, pubkey->l);
@@ -1163,7 +1177,7 @@
"failed obtaining public key: %s\n", eay_strerror());
goto fail;
}
- if (pkey->type != EVP_PKEY_RSA) {
+ if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA) {
plog(PLOG_PROTOERR, PLOGLOC, NULL,
"public key is not for RSA\n");
goto fail;
@@ -1175,23 +1189,29 @@
"failed to find the algorithm engine for %s\n", hash_type);
goto fail;
}
- EVP_MD_CTX_init(&ctx);
- EVP_VerifyInit(&ctx, md);
- EVP_VerifyUpdate(&ctx, octets->v, octets->l);
- if (EVP_VerifyFinal(&ctx, (unsigned char *)sig->v, sig->l, pkey) <= 0) {
+ ctx = EVP_MD_CTX_new();
+ if (!ctx) {
+ plog(PLOG_INTERR, PLOGLOC, NULL,
+ "failed to allocate context\n");
+ goto fail;
+ }
+ EVP_VerifyInit(ctx, md);
+ EVP_VerifyUpdate(ctx, octets->v, octets->l);
+ if (EVP_VerifyFinal(ctx, (unsigned char *)sig->v, sig->l, pkey) <= 0) {
plog(PLOG_PROTOERR, PLOGLOC, NULL,
"RSA_verify failed: %s\n", eay_strerror());
- EVP_MD_CTX_cleanup(&ctx);
goto fail;
}
- EVP_MD_CTX_cleanup(&ctx);
+ EVP_MD_CTX_free(ctx);
EVP_PKEY_free(pkey);
return 0;
fail:
if (pkey)
EVP_PKEY_free(pkey);
+ if (ctx)
+ EVP_MD_CTX_free(ctx);
return -1;
}
@@ -1204,7 +1224,8 @@
EVP_PKEY *pkey;
BPP_const unsigned char *bp;
const EVP_MD *md;
- EVP_MD_CTX ctx;
+ EVP_MD_CTX *ctx = NULL;
+ DSA *dsa;
int len;
rc_vchar_t *sig = 0;
unsigned int siglen;
@@ -1217,24 +1238,33 @@
goto fail;
}
- len = DSA_size(pkey->pkey.dsa);
+ dsa = EVP_PKEY_get0_DSA(pkey);
+ len = DSA_size(dsa);
sig = rc_vmalloc(len);
if (sig == NULL) {
plog(PLOG_INTERR, PLOGLOC, NULL, "failed allocating memory\n");
goto fail;
}
+#if 0
md = EVP_dss1();
- EVP_MD_CTX_init(&ctx);
- EVP_SignInit(&ctx, md);
- EVP_SignUpdate(&ctx, octets->v, octets->l);
- if (EVP_SignFinal(&ctx, (unsigned char *)sig->v, &siglen, pkey) <= 0) {
+#else
+ md = NULL;
+ goto fail;
+#endif
+ ctx = EVP_MD_CTX_new();
+ if (!ctx) {
+ plog(PLOG_INTERR, PLOGLOC, NULL,
+ "failed to allocate context\n");
+ goto fail;
+ }
+ EVP_SignInit(ctx, md);
+ EVP_SignUpdate(ctx, octets->v, octets->l);
+ if (EVP_SignFinal(ctx, (unsigned char *)sig->v, &siglen, pkey) <= 0) {
plog(PLOG_INTERR, PLOGLOC, NULL,
"DSS sign failed: %s\n", eay_strerror());
- EVP_MD_CTX_cleanup(&ctx);
goto fail;
}
- EVP_MD_CTX_cleanup(&ctx);
if (siglen > sig->l) {
plog(PLOG_INTERR, PLOGLOC, NULL,
@@ -1245,6 +1275,7 @@
if (siglen < sig->l)
sig = rc_vrealloc(sig, siglen);
EVP_PKEY_free(pkey);
+ EVP_MD_CTX_free(ctx);
return sig;
fail:
@@ -1252,6 +1283,8 @@
rc_vfree(sig);
if (pkey)
EVP_PKEY_free(pkey);
+ if (ctx)
+ EVP_MD_CTX_free(ctx);
return 0;
}
@@ -1265,7 +1298,7 @@
EVP_PKEY *pkey;
BPP_const unsigned char *bp;
const EVP_MD *md;
- EVP_MD_CTX ctx;
+ EVP_MD_CTX *ctx = NULL;
bp = (unsigned char *)pubkey->v;
pkey = d2i_PUBKEY(NULL, &bp, pubkey->l);
@@ -1274,30 +1307,40 @@
"failed obtaining public key: %s\n", eay_strerror());
goto fail;
}
- if (pkey->type != EVP_PKEY_DSA) {
+ if (EVP_PKEY_id(pkey) != EVP_PKEY_DSA) {
plog(PLOG_PROTOERR, PLOGLOC, NULL,
"public key is not for DSS\n");
goto fail;
}
+#if 0
md = EVP_dss1();
- EVP_MD_CTX_init(&ctx);
- EVP_VerifyInit(&ctx, md);
- EVP_VerifyUpdate(&ctx, octets->v, octets->l);
- if (EVP_VerifyFinal(&ctx, (unsigned char *)sig->v, sig->l, pkey) <= 0) {
+#else
+ md = NULL;
+ goto fail;
+#endif
+ ctx = EVP_MD_CTX_new();
+ if (!ctx) {
+ plog(PLOG_INTERR, PLOGLOC, NULL,
+ "failed to allocate context\n");
+ goto fail;
+ }
+ EVP_VerifyInit(ctx, md);
+ EVP_VerifyUpdate(ctx, octets->v, octets->l);
+ if (EVP_VerifyFinal(ctx, (unsigned char *)sig->v, sig->l, pkey) <= 0) {
plog(PLOG_PROTOERR, PLOGLOC, NULL,
"DSS verify failed: %s\n", eay_strerror());
- EVP_MD_CTX_cleanup(&ctx);
goto fail;
}
- EVP_MD_CTX_cleanup(&ctx);
-
+ EVP_MD_CTX_free(ctx);
EVP_PKEY_free(pkey);
return 0;
fail:
if (pkey)
EVP_PKEY_free(pkey);
+ if (ctx)
+ EVP_MD_CTX_free(ctx);
return -1;
}
@@ -1345,7 +1388,7 @@
evp_encrypt(const EVP_CIPHER *ciph, rc_vchar_t *data, rc_vchar_t *key, rc_vchar_t *iv)
{
rc_vchar_t *res;
- EVP_CIPHER_CTX ctx;
+ EVP_CIPHER_CTX *ctx = NULL;
int outl;
if (!iv || iv->l < (size_t)EVP_CIPHER_block_size(ciph))
@@ -1355,12 +1398,17 @@
if ((res = rc_vmalloc(data->l)) == NULL)
return NULL;
- EVP_CIPHER_CTX_init(&ctx);
- if (!EVP_EncryptInit(&ctx, ciph, (unsigned char *)key->v, (unsigned char *)iv->v))
+ ctx = EVP_CIPHER_CTX_new();
+ if (!ctx) {
+ plog(PLOG_INTERR, PLOGLOC, NULL,
+ "failed to allocate context\n");
+ goto fail;
+ }
+ if (!EVP_EncryptInit(ctx, ciph, (unsigned char *)key->v, (unsigned char *)iv->v))
goto fail;
- if (!EVP_CIPHER_CTX_set_padding(&ctx, 0))
+ if (!EVP_CIPHER_CTX_set_padding(ctx, 0))
goto fail;
- if (!EVP_EncryptUpdate(&ctx, (unsigned char *)res->v, &outl, (unsigned char *)data->v,
+ if (!EVP_EncryptUpdate(ctx, (unsigned char *)res->v, &outl, (unsigned char *)data->v,
data->l))
goto fail;
if ((size_t)outl != data->l) {
@@ -1369,16 +1417,17 @@
outl, (unsigned long)data->l);
goto fail;
}
- if (!EVP_EncryptFinal(&ctx, NULL, &outl))
+ if (!EVP_EncryptFinal(ctx, NULL, &outl))
goto fail;
- EVP_CIPHER_CTX_cleanup(&ctx);
+ EVP_CIPHER_CTX_free(ctx);
return res;
fail:
if (res)
rc_vfree(res);
- EVP_CIPHER_CTX_cleanup(&ctx);
+ if (ctx)
+ EVP_CIPHER_CTX_free(ctx);
return NULL;
}
@@ -1386,7 +1435,7 @@
evp_decrypt(const EVP_CIPHER *ciph, rc_vchar_t *data, rc_vchar_t *key, rc_vchar_t *iv)
{
rc_vchar_t *res;
- EVP_CIPHER_CTX ctx;
+ EVP_CIPHER_CTX *ctx = NULL;
int outl;
if (!iv || iv->l < (size_t)EVP_CIPHER_block_size(ciph))
@@ -1396,12 +1445,17 @@
if ((res = rc_vmalloc(data->l)) == NULL)
return NULL;
- EVP_CIPHER_CTX_init(&ctx);
- if (!EVP_DecryptInit(&ctx, ciph, (unsigned char *)key->v, (unsigned char *)iv->v))
+ ctx = EVP_CIPHER_CTX_new();
+ if (!ctx) {
+ plog(PLOG_INTERR, PLOGLOC, NULL,
+ "failed to allocate context\n");
+ goto fail;
+ }
+ if (!EVP_DecryptInit(ctx, ciph, (unsigned char *)key->v, (unsigned char *)iv->v))
goto fail;
- if (!EVP_CIPHER_CTX_set_padding(&ctx, 0))
+ if (!EVP_CIPHER_CTX_set_padding(ctx, 0))
goto fail;
- if (!EVP_DecryptUpdate(&ctx, (unsigned char *)res->v, &outl, (unsigned char *)data->v,
+ if (!EVP_DecryptUpdate(ctx, (unsigned char *)res->v, &outl, (unsigned char *)data->v,
data->l))
goto fail;
if ((size_t)outl != data->l) {
@@ -1410,15 +1464,16 @@
outl, (unsigned long)data->l);
goto fail;
}
- if (!EVP_DecryptFinal(&ctx, NULL, &outl))
+ if (!EVP_DecryptFinal(ctx, NULL, &outl))
goto fail;
- EVP_CIPHER_CTX_cleanup(&ctx);
+ EVP_CIPHER_CTX_free(ctx);
return res;
fail:
if (res)
rc_vfree(res);
- EVP_CIPHER_CTX_cleanup(&ctx);
+ if (ctx)
+ EVP_CIPHER_CTX_cleanup(ctx);
return NULL;
}
@@ -1963,45 +2018,55 @@
* are used as the nonce value in the counter block.
*/
- uint8_t *nonce;
- union {
- uint8_t bytes[AES_BLOCK_SIZE];
- struct aes_ctrblk {
- uint32_t nonce;
- uint8_t iv[AES_CTR_IV_SIZE];
- uint32_t block_counter;
- } fields;
- } ctrblk;
- uint8_t ecount_buf[AES_BLOCK_SIZE];
- AES_KEY k;
- unsigned int num;
- rc_vchar_t *resultbuf;
+ int len;
+ rc_vchar_t *resultbuf = NULL;
+ EVP_CIPHER_CTX *ctx = NULL;
/*
* if (data->l > AES_BLOCK_SIZE * UINT32_MAX) return 0;
*/
- if (iv->l != AES_CTR_IV_SIZE)
- return 0;
- nonce = (unsigned char *)key->v + key->l - AES_CTR_NONCE_SIZE;
- if (AES_set_encrypt_key((unsigned char *)key->v,
- (key->l - AES_CTR_NONCE_SIZE) << 3, &k) < 0)
+ if (iv->l != AES_CTR_IV_SIZE) {
+ plog(PLOG_INTERR, PLOGLOC, 0, "bad iv size");
return 0;
+ }
+
+ ctx = EVP_CIPHER_CTX_new();
+ if (ctx == NULL) {
+ plog(PLOG_INTERR, PLOGLOC, 0, "EVP_CIPHER_CTX_new failed");
+ goto fail;
+ }
+
+ if (!EVP_EncryptInit_ex(ctx, EVP_aes_128_ctr(), NULL, (unsigned char *)key->v, (unsigned char *)iv->v)) {
+ plog(PLOG_INTERR, PLOGLOC, 0, "EVP_EncryptInit_ex failed");
+ goto fail;
+ }
resultbuf = rc_vmalloc(data->l);
- if (!resultbuf)
- return 0;
+ if (!resultbuf) {
+ plog(PLOG_INTERR, PLOGLOC, 0, "allocate resultbuf failed");
+ goto fail;
+ }
- memcpy(&ctrblk.fields.nonce, nonce, AES_CTR_NONCE_SIZE);
- memcpy(&ctrblk.fields.iv[0], iv->v, AES_CTR_IV_SIZE);
- ctrblk.fields.block_counter = htonl(1);
-
- num = 0;
- AES_ctr128_encrypt((unsigned char *)data->v,
- (unsigned char *)resultbuf->v, data->l, &k,
- &ctrblk.bytes[0], ecount_buf, &num);
+ if (!EVP_EncryptUpdate(ctx, (unsigned char *)resultbuf->v, &len, (unsigned char *)data->v, data->l)) {
+ plog(PLOG_INTERR, PLOGLOC, 0, "EVP_EncryptUpdate failed");
+ goto fail;
+ }
+ if (!EVP_EncryptFinal_ex(ctx, (unsigned char *)resultbuf->v + len, &len)) {
+ plog(PLOG_INTERR, PLOGLOC, 0, "EVP_EncryptFinal_ex failed");
+ goto fail;
+ }
+
+ EVP_CIPHER_CTX_free(ctx);
return resultbuf;
+
+fail:
+ EVP_CIPHER_CTX_free(ctx);
+ if (resultbuf)
+ rc_free(resultbuf);
+
+ return NULL;
}
/* for ipsec part */
@@ -2038,14 +2103,9 @@
static caddr_t
eay_hmac_init(rc_vchar_t *key, const EVP_MD *md)
{
- HMAC_CTX *c = racoon_malloc(sizeof(*c));
+ HMAC_CTX *c = HMAC_CTX_new();
-#if OPENSSL_VERSION_NUMBER < 0x0090700fL
- HMAC_Init(c, key->v, key->l, md);
-#else
- HMAC_CTX_init(c);
HMAC_Init_ex(c, key->v, key->l, md, NULL);
-#endif
return (caddr_t)c;
}
@@ -2053,12 +2113,7 @@
void
eay_hmac_dispose(HMAC_CTX *c)
{
-#if OPENSSL_VERSION_NUMBER < 0x0090700fL
- HMAC_cleanup(c);
-#else
- HMAC_CTX_cleanup(c);
-#endif
- (void)racoon_free(c);
+ HMAC_CTX_free(c);
}
#ifdef WITH_SHA2
@@ -2972,15 +3027,16 @@
eay_random_uint32(void)
{
uint32_t value;
- (void)RAND_pseudo_bytes((uint8_t *)&value, sizeof(value));
+ (void)RAND_bytes((uint8_t *)&value, sizeof(value));
return value;
}
/* DH */
int
-eay_dh_generate(rc_vchar_t *prime, uint32_t g, unsigned int publen, rc_vchar_t **pub, rc_vchar_t **priv)
+eay_dh_generate(rc_vchar_t *prime, uint32_t gg, unsigned int publen, rc_vchar_t **pub, rc_vchar_t **priv)
{
- BIGNUM *p = NULL;
+ BIGNUM *p = NULL, *g = NULL;
+ const BIGNUM *pub_key, *priv_key;
DH *dh = NULL;
int error = -1;
@@ -2991,25 +3047,27 @@
if ((dh = DH_new()) == NULL)
goto end;
- dh->p = p;
- p = NULL; /* p is now part of dh structure */
- dh->g = NULL;
- if ((dh->g = BN_new()) == NULL)
+ if ((g = BN_new()) == NULL)
goto end;
- if (!BN_set_word(dh->g, g))
+ if (!BN_set_word(g, gg))
goto end;
+ if (!DH_set0_pqg(dh, p, NULL, g))
+ goto end;
+ g = p = NULL;
+
if (publen != 0)
- dh->length = publen;
+ DH_set_length(dh, publen);
/* generate public and private number */
if (!DH_generate_key(dh))
goto end;
+ DH_get0_key(dh, &pub_key, &priv_key);
/* copy results to buffers */
- if (eay_bn2v(pub, dh->pub_key) < 0)
+ if (eay_bn2v(pub, pub_key) < 0)
goto end;
- if (eay_bn2v(priv, dh->priv_key) < 0) {
+ if (eay_bn2v(priv, priv_key) < 0) {
rc_vfree(*pub);
goto end;
}
@@ -3019,44 +3077,57 @@
end:
if (dh != NULL)
DH_free(dh);
- if (p != 0)
+ if (p != NULL)
BN_free(p);
+ if (g != NULL)
+ BN_free(g);
return (error);
}
int
-eay_dh_compute (rc_vchar_t *prime, uint32_t g, rc_vchar_t *pub,
+eay_dh_compute (rc_vchar_t *prime, uint32_t gg, rc_vchar_t *pub,
rc_vchar_t *priv, rc_vchar_t *pub2, rc_vchar_t **key)
{
- BIGNUM *dh_pub = NULL;
+ BIGNUM *dh_pub = NULL, *p = NULL, *g = NULL,
+ *pub_key = NULL, *priv_key = NULL;
DH *dh = NULL;
int l;
unsigned char *v = NULL;
int error = -1;
- /* make public number to compute */
- if (eay_v2bn(&dh_pub, pub2) < 0)
- goto end;
-
/* make DH structure */
if ((dh = DH_new()) == NULL)
goto end;
- if (eay_v2bn(&dh->p, prime) < 0)
+
+ if (eay_v2bn(&p, prime) < 0)
+ goto end;
+ if ((g = BN_new()) == NULL)
goto end;
- if (eay_v2bn(&dh->pub_key, pub) < 0)
+ if (!BN_set_word(g, gg))
goto end;
- if (eay_v2bn(&dh->priv_key, priv) < 0)
+ if (!DH_set0_pqg(dh, p, NULL, g))
goto end;
- dh->length = pub2->l * 8;
+ p = NULL;
+ g = NULL;
- dh->g = NULL;
- if ((dh->g = BN_new()) == NULL)
+ if (eay_v2bn(&pub_key, pub) < 0)
goto end;
- if (!BN_set_word(dh->g, g))
+ if (eay_v2bn(&priv_key, priv) < 0)
goto end;
+ if (!DH_set0_key(dh, pub_key, priv_key))
+ goto end;
+ pub_key = NULL;
+ priv_key = NULL;
+
+ DH_set_length(dh, pub2->l * 8);
if ((v = racoon_calloc(prime->l, sizeof(unsigned char))) == NULL)
goto end;
+
+ /* make public number to compute */
+ if (eay_v2bn(&dh_pub, pub2) < 0)
+ goto end;
+
if ((l = DH_compute_key(v, dh_pub, dh)) == -1)
goto end;
memcpy((*key)->v + (prime->l - l), v, l);
@@ -3066,6 +3137,14 @@
end:
if (dh_pub != NULL)
BN_free(dh_pub);
+ if (pub_key != NULL)
+ BN_free(pub_key);
+ if (priv_key != NULL)
+ BN_free(priv_key);
+ if (p != NULL)
+ BN_free(p);
+ if (g != NULL)
+ BN_free(g);
if (dh != NULL)
DH_free(dh);
if (v != NULL)
@@ -3083,9 +3162,9 @@
}
int
-eay_bn2v(rc_vchar_t **var, BIGNUM *bn)
+eay_bn2v(rc_vchar_t **var, const BIGNUM *bn)
{
- *var = rc_vmalloc(bn->top * BN_BYTES);
+ *var = rc_vmalloc(BN_num_bytes(bn));
if (*var == NULL)
return (-1);


@ -0,0 +1,36 @@
$NetBSD: patch-iked_ike__conf.c,v 1.1 2018/05/29 01:22:50 christos Exp $
Comment out impossible case (switch is enum)
--- iked/ike_conf.c.orig 2009-07-28 01:32:40.000000000 -0400
+++ iked/ike_conf.c 2018-05-28 19:48:04.934126933 -0400
@@ -4025,12 +4025,14 @@
SA_CONF(comp_alg, sa, comp_alg, 0);
switch (sa_protocol) {
+#if 0
case 0:
++*err;
plog(PLOG_INTERR, PLOGLOC, 0,
"sa %s does not have sa_protocol field\n",
sa_index);
break;
+#endif
case RCT_SATYPE_ESP:
if (!enc_alg) {
++*err;
@@ -4226,12 +4228,14 @@
if (!action)
POLICY_DEFAULT(action, action, 0);
switch (action) {
+#if 0
case 0:
++error;
plog(PLOG_INTERR, PLOGLOC, 0,
"policy %s lacks action field\n",
rc_vmem2str(policy->pl_index));
continue;
+#endif
case RCT_ACT_AUTO_IPSEC:
break;
default:
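Review bot: Wrapping the two `case 0:` arms in `#if 0` drops the configuration diagnostics (`does not have sa_protocol field`, `lacks action field`) rather than silencing the warning; the `SA_CONF(..., 0)` and `POLICY_DEFAULT(..., 0)` calls visible just above appear to supply 0 as the fallback, so a missing field now lands in the `default:` arm, and whether that arm still counts it as an error is outside the hunk. The enum-case warning goes away just as well by switching on the integer value, `switch ((int)sa_protocol) {` and `switch ((int)action) {`, which keeps both checks live. If the `default:` arms do already reject unknown values, the `#if 0` blocks are dead code and should be deleted rather than kept.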


@ -0,0 +1,24 @@
$NetBSD: patch-iked_ikev1_ikev1.c,v 1.1 2018/05/29 01:22:50 christos Exp $
Remove unused
--- iked/ikev1/ikev1.c.orig 2008-07-07 05:36:08.000000000 -0400
+++ iked/ikev1/ikev1.c 2018-05-28 19:50:20.088751812 -0400
@@ -1457,8 +1457,6 @@
#define IKEV1_DEFAULT_RETRY_CHECKPH1 30
if (!iph1) {
- struct sched *sc;
-
if (isakmp_ph1begin_i(rm_info, iph2->dst, iph2->src) < 0) {
plog(PLOG_INTERR, PLOGLOC, 0,
"failed to initiate phase 1 negotiation for %s\n",
@@ -1467,7 +1465,7 @@
goto fail;
}
iph2->retry_checkph1 = IKEV1_DEFAULT_RETRY_CHECKPH1;
- sc = sched_new(1, isakmp_chkph1there_stub, iph2);
+ sched_new(1, isakmp_chkph1there_stub, iph2);
plog(PLOG_INFO, PLOGLOC, 0,
"IPsec-SA request for %s queued "
"since no phase1 found\n",


@ -0,0 +1,48 @@
$NetBSD: patch-iked_ikev1_ipsec__doi.c,v 1.1 2018/05/29 01:22:50 christos Exp $
Fix memset argument
Fix unused
--- iked/ikev1/ipsec_doi.c.orig 2008-07-07 05:36:08.000000000 -0400
+++ iked/ikev1/ipsec_doi.c 2018-05-28 21:19:12.197533568 -0400
@@ -220,7 +220,9 @@
rc_vchar_t *newsa;
struct isakmpsa *sa, tsa;
struct prop_pair *s, *p;
+#if 0
int prophlen;
+#endif
int i;
if (iph1->approval) {
@@ -232,8 +234,10 @@
if (pair[i] == NULL)
continue;
for (s = pair[i]; s; s = s->next) {
+#if 0
prophlen = sizeof(struct isakmp_pl_p)
+ s->prop->spi_size;
+#endif
/* compare proposal and select one */
for (p = s; p; p = p->tnext) {
sa = get_ph1approvalx(p, iph1->proposal,
@@ -254,8 +258,10 @@
if (pair[i] == NULL)
continue;
for (s = pair[i]; s; s = s->next) {
+#if 0
prophlen = sizeof(struct isakmp_pl_p)
+ s->prop->spi_size;
+#endif
for (p = s; p; p = p->tnext) {
print_ph1mismatched(p,
iph1->proposal);
@@ -1238,7 +1244,7 @@
"failed to get buffer.\n");
return NULL;
}
- memset(pair, 0, sizeof(pair));
+ memset(pair, 0, sizeof(*pair));
bp = (caddr_t)(sab + 1);
tlen = sa->l - sizeof(*sab);
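Review bot: `memset(pair, 0, sizeof(*pair))` in the last hunk clears exactly one element of whatever `pair` points to, and elsewhere in this file `pair` is indexed as an array (`pair[i]`), so if this `pair` is likewise an array of proposal-pair pointers the memset still zeroes only the first entry, much as the old `sizeof(pair)` did on 64-bit. The allocation that precedes the `failed to get buffer` check is outside the hunk: if it is a calloc the memset is redundant and can be dropped, otherwise it should cover the whole array, e.g. `memset(pair, 0, MAXPROPPAIRLEN * sizeof(*pair));` using whatever count the allocation uses. The identical one-line change in kinkd/ipsec_doi.c raises the same question.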

View file

@ -0,0 +1,91 @@
$NetBSD: patch-iked_ikev1_oakley.c,v 1.1 2018/05/29 01:22:50 christos Exp $
Remove unused variables
--- iked/ikev1/oakley.c.orig 2008-07-07 05:36:08.000000000 -0400
+++ iked/ikev1/oakley.c 2018-05-28 19:39:44.411098687 -0400
@@ -585,7 +585,6 @@
{
rc_vchar_t *buf = 0, *res = 0;
int len;
- int error = -1;
/* create buffer */
len = 1 + sizeof(uint32_t) + body->l;
@@ -610,8 +609,6 @@
if (res == NULL)
goto end;
- error = 0;
-
plog(PLOG_DEBUG, PLOGLOC, NULL, "HASH computed:\n");
plogdump(PLOG_DEBUG, PLOGLOC, 0, res->v, res->l);
@@ -637,7 +634,6 @@
rc_vchar_t *buf = NULL, *res = NULL;
char *p;
int len;
- int error = -1;
/* create buffer */
len = sizeof(uint32_t) + body->l;
@@ -663,8 +659,6 @@
if (res == NULL)
goto end;
- error = 0;
-
plog(PLOG_DEBUG, PLOGLOC, NULL, "HASH computed:\n");
plogdump(PLOG_DEBUG, PLOGLOC, 0, res->v, res->l);
@@ -687,7 +681,6 @@
rc_vchar_t *buf = NULL, *res = NULL, *bp;
char *p, *bp2;
int len, bl;
- int error = -1;
#ifdef HAVE_GSSAPI
rc_vchar_t *gsstokens = NULL;
#endif
@@ -780,8 +773,6 @@
if (res == NULL)
goto end;
- error = 0;
-
plog(PLOG_DEBUG, PLOGLOC, NULL, "HASH (%s) computed:\n",
iph1->side == INITIATOR ? "init" : "resp");
plogdump(PLOG_DEBUG, PLOGLOC, 0, res->v, res->l);
@@ -811,7 +802,6 @@
rc_vchar_t *hash = NULL; /* for signature mode */
char *p;
int len;
- int error = -1;
/* sanity check */
if (iph1->etype != ISAKMP_ETYPE_BASE) {
@@ -925,8 +915,6 @@
if (res == NULL)
goto end;
- error = 0;
-
plog(PLOG_DEBUG, PLOGLOC, NULL, "HASH_I computed:\n");
plogdump(PLOG_DEBUG, PLOGLOC, 0, res->v, res->l);
@@ -950,7 +938,6 @@
rc_vchar_t *hash = NULL;
char *p;
int len;
- int error = -1;
/* sanity check */
if (iph1->etype != ISAKMP_ETYPE_BASE) {
@@ -1049,8 +1036,6 @@
if (res == NULL)
goto end;
- error = 0;
-
plog(PLOG_DEBUG, PLOGLOC, NULL, "HASH computed:\n");
plogdump(PLOG_DEBUG, PLOGLOC, 0, res->v, res->l);


@ -0,0 +1,71 @@
$NetBSD: patch-iked_ikev1_pfkey.c,v 1.1 2018/05/29 01:22:50 christos Exp $
Fix unused
--- iked/ikev1/pfkey.c.orig 2008-04-01 06:39:13.000000000 -0400
+++ iked/ikev1/pfkey.c 2018-05-28 19:55:26.598592949 -0400
@@ -562,7 +562,9 @@
unsigned int satype, mode;
struct saprop *pp;
struct saproto *pr;
+#ifdef notyet
uint32_t minspi, maxspi;
+#endif
#if 0
int proxy = 0;
#endif
@@ -613,13 +615,15 @@
}
/* this works around a bug in Linux kernel where it
* allocates 4 byte spi's for IPCOMP */
- else if (satype == SADB_X_SATYPE_IPCOMP) {
+#ifdef notyet
+ if (satype == SADB_X_SATYPE_IPCOMP) {
minspi = 0x100;
maxspi = 0xffff;
} else {
minspi = 0;
maxspi = 0;
}
+#endif
mode = ipsecdoi2rc_mode(pr->encmode);
if (mode == 0) {
plog(PLOG_INTERR, PLOGLOC, NULL,
@@ -635,8 +639,10 @@
param.pref_dst = 0;
param.satype = satype;
param.samode = mode;
- /* param.minspi = minspi; */
- /* param.maxspi = maxspi; */
+#ifdef notyet
+ param.minspi = minspi;
+ param.maxspi = maxspi;
+#endif
param.reqid = pr->reqid_in;
param.seq = iph2->seq;
if (iph2->sadb_request.method->getspi(&param)) {
@@ -747,7 +753,9 @@
unsigned int e_keylen, a_keylen, flags;
int satype, mode;
struct rcpfk_msg param;
+#if 0
unsigned int wsize = 4; /* XXX static size of window */
+#endif
/* sanity check */
if (iph2->approval == NULL) {
@@ -773,10 +781,13 @@
plog(PLOG_PROTOERR, PLOGLOC, 0,
"invalid proto_id %d\n", pr->proto_id);
return -1;
- } else if (satype == RCT_SATYPE_IPCOMP) {
+ }
+#if 0
+ if (satype == RCT_SATYPE_IPCOMP) {
/* IPCOMP has no replay window */
wsize = 0;
}
+#endif
mode = ipsecdoi2rc_mode(pr->encmode);
if (mode == 0) {
plog(PLOG_PROTOERR, PLOGLOC, 0,


@ -0,0 +1,78 @@
$NetBSD: patch-iked_ikev2.c,v 1.1 2018/05/29 01:22:50 christos Exp $
Remove unused
--- iked/ikev2.c.orig 2010-02-01 05:30:51.000000000 -0500
+++ iked/ikev2.c 2018-05-28 19:59:33.332024762 -0400
@@ -1945,8 +1945,6 @@
struct ikev2_payload_header *p;
int type;
struct ikev2_payload_header *id_i = 0;
- struct ikev2_payload_header *cert = 0;
- struct ikev2_payload_header *certreq = 0;
struct ikev2_payload_header *id_r = 0;
struct ikev2payl_auth *auth = 0;
struct ikev2_payload_header *sa_i2 = 0;
@@ -2010,10 +2008,8 @@
* accept up to four X.509 certificates in support of authentication,
*/
#endif
- cert = p;
break;
case IKEV2_PAYLOAD_CERTREQ:
- certreq = p;
break;
case IKEV2_PAYLOAD_ID_R:
if (id_r)
@@ -2639,7 +2635,6 @@
int type;
struct ikev2_payload_header *p;
struct ikev2_payload_header *id_r = 0;
- struct ikev2_payload_header *cert = 0;
struct ikev2payl_auth *auth = 0;
struct ikev2_payload_header *sa_r2 = 0;
struct ikev2_payload_header *ts_i = 0;
@@ -2669,7 +2664,6 @@
* accept up to four X.509 certificates in support of authentication,
*/
#endif
- cert = p;
break;
case IKEV2_PAYLOAD_AUTH:
if (auth)
@@ -2791,7 +2785,6 @@
int type;
struct ikev2_payload_header *p;
struct ikev2_payload_header *cfg = 0;
- struct ikev2_payload_header *id_r = 0;
struct ikev2_payload_header *sa_r2 = 0;
struct ikev2_payload_header *ts_i = 0;
struct ikev2_payload_header *ts_r = 0;
@@ -2834,7 +2827,6 @@
case IKEV2_PAYLOAD_ENCRYPTED:
break;
case IKEV2_PAYLOAD_ID_R:
- id_r = p;
break;
case IKEV2_PAYLOAD_SA:
sa_r2 = p;
@@ -4541,7 +4533,9 @@
int i;
uint32_t spi;
struct ikev2_child_sa *child_sa;
+#if 0
struct rcf_policy *policy;
+#endif
d = (struct ikev2payl_delete *)p;
protocol_id = d->dh.protocol_id;
@@ -4641,7 +4635,9 @@
break;
}
+#if 0
policy = child_sa->selector->pl;
+#endif
/* (draft-17)
* If by chance both ends of a set


@ -0,0 +1,26 @@
$NetBSD: patch-iked_ikev2__child.c,v 1.1 2018/05/29 01:22:50 christos Exp $
Comment out unused
--- iked/ikev2_child.c.orig 2008-09-10 04:30:58.000000000 -0400
+++ iked/ikev2_child.c 2018-05-28 20:02:17.518182437 -0400
@@ -1373,7 +1373,9 @@
struct prop_pair *matching_proposal = 0;
struct prop_pair *matching_my_proposal = 0;
struct prop_pair **new_my_proposal_list = 0;
+#ifdef notyet
rc_vchar_t *g_ir;
+#endif
int err = 0;
/* update IPsec SA with received parameter */
@@ -1451,8 +1453,8 @@
use_transport_mode ? "transport" : "tunnel"));
}
- g_ir = 0;
#ifdef notyet
+ g_ir = 0;
/* if (ke_i && ke_r) g_ir = g^i^r */
#endif


@ -0,0 +1,24 @@
$NetBSD: patch-iked_ikev2__notify.c,v 1.1 2018/05/29 01:22:50 christos Exp $
Fix unused
--- iked/ikev2_notify.c.orig 2008-02-06 03:09:00.000000000 -0500
+++ iked/ikev2_notify.c 2018-05-28 20:05:41.431368140 -0400
@@ -281,12 +281,16 @@
struct ikev2_child_param *child_param,
int *http_cert_lookup_supported)
{
- struct ikev2_header *ikehdr;
struct ikev2payl_notify *notify;
+#ifdef notyet
+ struct ikev2_header *ikehdr;
uint32_t message_id;
+#endif
+#ifdef notyet
ikehdr = (struct ikev2_header *)msg->v;
message_id = get_uint32(&ikehdr->message_id);
+#endif
notify = (struct ikev2payl_notify *)payload;
switch (get_notify_type(notify)) {


@ -0,0 +1,117 @@
$NetBSD: patch-kinkd-crypto__openssl.c,v 1.1 2018/05/29 01:22:50 christos Exp $
Fix signness issues
--- kinkd/crypto_openssl.c.orig 2008-02-07 05:12:28.000000000 -0500
+++ kinkd/crypto_openssl.c 2018-05-28 19:32:47.287261308 -0400
@@ -239,7 +239,7 @@
rc_vchar_t *res;
AES_KEY k;
- if (AES_set_encrypt_key(key->v, key->l << 3, &k) < 0)
+ if (AES_set_encrypt_key((unsigned char *)key->v, key->l << 3, &k) < 0)
return NULL;
/* allocate buffer for result */
if ((res = rc_vmalloc(data->l)) == NULL) {
@@ -247,7 +247,7 @@
EXITREQ_NOMEM();
return NULL;
}
- AES_cbc_encrypt(data->v, res->v, data->l, &k, iv->v, AES_ENCRYPT);
+ AES_cbc_encrypt((unsigned char *)data->v, (unsigned char *)res->v, data->l, &k, (unsigned char *)iv->v, AES_ENCRYPT);
return res;
}
@@ -258,7 +258,7 @@
rc_vchar_t *res;
AES_KEY k;
- if (AES_set_decrypt_key(key->v, key->l << 3, &k) < 0)
+ if (AES_set_decrypt_key((unsigned char *)key->v, key->l << 3, &k) < 0)
return NULL;
/* allocate buffer for result */
if ((res = rc_vmalloc(data->l)) == NULL) {
@@ -266,7 +266,7 @@
EXITREQ_NOMEM();
return NULL;
}
- AES_cbc_encrypt(data->v, res->v, data->l, &k, iv->v, AES_DECRYPT);
+ AES_cbc_encrypt((unsigned char *)data->v, (unsigned char *)res->v, data->l, &k, (unsigned char *)iv->v, AES_DECRYPT);
return res;
}
@@ -291,7 +291,7 @@
rc_vchar_t *res;
AES_KEY k;
- if (AES_set_encrypt_key(key->v, key->l << 3, &k) < 0)
+ if (AES_set_encrypt_key((unsigned char *)key->v, key->l << 3, &k) < 0)
return NULL;
/* allocate buffer for result */
if ((res = rc_vmalloc(data->l)) == NULL) {
@@ -299,7 +299,7 @@
EXITREQ_NOMEM();
return NULL;
}
- AES_cts_encrypt(data->v, res->v, data->l, &k, iv->v, AES_ENCRYPT);
+ AES_cts_encrypt((unsigned char *)data->v, (unsigned char *)res->v, data->l, &k, (unsigned char *)iv->v, AES_ENCRYPT);
return res;
}
@@ -310,7 +310,7 @@
rc_vchar_t *res;
AES_KEY k;
- if (AES_set_decrypt_key(key->v, key->l << 3, &k) < 0)
+ if (AES_set_decrypt_key((unsigned char *)key->v, key->l << 3, &k) < 0)
return NULL;
/* allocate buffer for result */
if ((res = rc_vmalloc(data->l)) == NULL) {
@@ -318,7 +318,7 @@
EXITREQ_NOMEM();
return NULL;
}
- AES_cts_encrypt(data->v, res->v, data->l, &k, iv->v, AES_DECRYPT);
+ AES_cts_encrypt((unsigned char *)data->v, (unsigned char *)res->v, data->l, &k, (unsigned char *)iv->v, AES_DECRYPT);
return res;
}
@@ -348,17 +348,17 @@
memcpy(lastblk, ivec, AES_BLOCK_SIZE);
for (i = 0; i < fraglen; i++)
lastblk[i] ^= (in + cbclen + AES_BLOCK_SIZE)[i];
- AES_encrypt(lastblk, out + cbclen, key);
+ AES_encrypt((unsigned char *)lastblk, out + cbclen, key);
} else {
/* Decrypt the last plainblock. */
- AES_decrypt(in + cbclen, lastblk, key);
+ AES_decrypt(in + cbclen, (unsigned char *)lastblk, key);
for (i = 0; i < fraglen; i++)
(out + cbclen + AES_BLOCK_SIZE)[i] =
lastblk[i] ^ (in + cbclen + AES_BLOCK_SIZE)[i];
/* Decrypt the second last block. */
memcpy(lastblk, in + cbclen + AES_BLOCK_SIZE, fraglen);
- AES_decrypt(lastblk, out + cbclen, key);
+ AES_decrypt((unsigned char *)lastblk, out + cbclen, key);
if (cbclen == 0)
for (i = 0; i < AES_BLOCK_SIZE; i++)
(out + cbclen)[i] ^= ivec[i];
@@ -738,7 +738,7 @@
if ((res = rc_vmalloc(SHA_DIGEST_LENGTH)) == 0)
return(0);
- SHA1_Final(res->v, (SHA_CTX *)c);
+ SHA1_Final((unsigned char *)res->v, (SHA_CTX *)c);
(void)free(c);
return(res);
@@ -792,7 +792,7 @@
if ((res = rc_vmalloc(MD5_DIGEST_LENGTH)) == 0)
return(0);
- MD5_Final(res->v, (MD5_CTX *)c);
+ MD5_Final((unsigned char *)res->v, (MD5_CTX *)c);
(void)free(c);
return(res);


@ -0,0 +1,34 @@
$NetBSD: patch-kinkd-ipsec__doi.c,v 1.1 2018/05/29 01:22:50 christos Exp $
Fix wrong memset
Fix pointer signness
--- kinkd/ipsec_doi.c.orig 2018-05-28 19:34:49.793231430 -0400
+++ kinkd/ipsec_doi.c 2018-05-28 19:35:27.322259892 -0400
@@ -654,7 +654,7 @@
"failed to get buffer.\n");
return NULL;
}
- memset(pair, 0, sizeof(pair));
+ memset(pair, 0, sizeof(*pair));
bp = (caddr_t)(sab + 1);
tlen = sa->l - sizeof(*sab);
@@ -2034,7 +2034,7 @@
/* set prefix */
if (len2) {
- unsigned char *p = new->v + sizeof(struct ipsecdoi_id_b) + len1;
+ unsigned char *p = (unsigned char *)new->v + sizeof(struct ipsecdoi_id_b) + len1;
unsigned int bits = prefixlen;
while (bits >= 8) {
@@ -2141,7 +2141,7 @@
plen = 0;
max = alen <<3;
- p = buf->v
+ p = (unsigned char *)buf->v
+ sizeof(struct ipsecdoi_id_b)
+ alen;


@ -0,0 +1,310 @@
$NetBSD: patch-kinkd_bbkk__heimdal.c,v 1.1 2018/05/29 01:22:50 christos Exp $
Avoid deprecated API's
Include private header since we are using private functions
Fix function calls with missing args
--- kinkd/bbkk_heimdal.c.orig 2007-08-03 01:42:24.000000000 -0400
+++ kinkd/bbkk_heimdal.c 2018-05-28 21:07:22.720866945 -0400
@@ -40,6 +40,10 @@
#include <string.h>
#if defined(HAVE_KRB5_KRB5_H)
# include <krb5/krb5.h>
+# include <openssl/evp.h>
+typedef void *krb5_pk_init_ctx;
+# include <krb5/pkinit_asn1.h>
+# include <krb5/krb5-private.h>
#else
# include <krb5.h>
#endif
@@ -147,7 +151,7 @@
if (DEBUG_KRB5() && cause != NULL)
kinkd_log(KLLV_DEBUG,
"bbkk: %s: %s\n",
- cause, krb5_get_err_text(con->context, ret));
+ cause, krb5_get_error_message(con->context, ret));
if (con->rcache != NULL)
krb5_rc_close(con->context, con->rcache);
if (con->ccache != NULL)
@@ -185,7 +189,7 @@
{
krb5_error_code ret;
krb5_principal principal;
- krb5_get_init_creds_opt opt;
+ krb5_get_init_creds_opt *opt;
krb5_creds cred;
krb5_keytab kt;
krb5_deltat start_time = 0;
@@ -198,7 +202,7 @@
if (DEBUG_KRB5())
kinkd_log(KLLV_DEBUG,
"bbkk: krb5_parse_name: %s\n",
- krb5_get_err_text(con->context, ret));
+ krb5_get_error_message(con->context, ret));
return ret;
}
ret = krb5_kt_default(con->context, &kt);
@@ -206,25 +210,26 @@
if (DEBUG_KRB5())
kinkd_log(KLLV_DEBUG,
"bbkk: krb5_kt_default: %s\n",
- krb5_get_err_text(con->context, ret));
+ krb5_get_error_message(con->context, ret));
krb5_free_principal(con->context, principal);
return ret;
}
memset(&cred, 0, sizeof(cred));
- krb5_get_init_creds_opt_init(&opt);
+ krb5_get_init_creds_opt_alloc(con->context, &opt);
krb5_get_init_creds_opt_set_default_flags(con->context, "kinit",
- principal->realm, &opt); /* XXX may not be kinit... */
+ principal->realm, opt); /* XXX may not be kinit... */
ret = krb5_get_init_creds_keytab(con->context, &cred, principal, kt,
- start_time, NULL /* server */, &opt);
+ start_time, NULL /* server */, opt);
krb5_kt_close(con->context, kt);
krb5_free_principal(con->context, principal);
+ krb5_get_init_creds_opt_free(con->context, opt);
if (ret != 0) {
if (DEBUG_KRB5())
kinkd_log(KLLV_DEBUG,
"bbkk: krb5_get_init_creds_keytab: %s\n",
- krb5_get_err_text(con->context, ret));
+ krb5_get_error_message(con->context, ret));
return ret;
}
@@ -236,10 +241,10 @@
if (DEBUG_KRB5())
kinkd_log(KLLV_DEBUG,
"bbkk: krb5_cc_store_cred: %s\n",
- krb5_get_err_text(con->context, ret));
+ krb5_get_error_message(con->context, ret));
return ret;
}
- krb5_free_creds_contents(con->context, &cred);
+ krb5_free_cred_contents(con->context, &cred);
return 0;
}
@@ -261,7 +266,7 @@
if (DEBUG_KRB5())
kinkd_log(KLLV_DEBUG,
"bbkk: krb5_parse_name: %s\n",
- krb5_get_err_text(con->context, ret));
+ krb5_get_error_message(con->context, ret));
return ret;
}
ret = krb5_parse_name(con->context, cprinc_str, &client);
@@ -269,7 +274,7 @@
if (DEBUG_KRB5())
kinkd_log(KLLV_DEBUG,
"bbkk: krb5_parse_name: %s\n",
- krb5_get_err_text(con->context, ret));
+ krb5_get_error_message(con->context, ret));
krb5_free_principal(con->context, server);
return ret;
}
@@ -292,7 +297,7 @@
if (DEBUG_KRB5())
kinkd_log(KLLV_DEBUG,
"bbkk: krb5_cc_remove_cred: %s\n",
- krb5_get_err_text(con->context, ret));
+ krb5_get_error_message(con->context, ret));
krb5_free_principal(con->context, client);
krb5_free_principal(con->context, server);
return ret;
@@ -311,7 +316,7 @@
if (DEBUG_KRB5())
kinkd_log(KLLV_DEBUG,
"bbkk: krb5_get_credentials: %s\n",
- krb5_get_err_text(con->context, ret));
+ krb5_get_error_message(con->context, ret));
return ret;
}
*cred = (void *)out_cred;
@@ -354,7 +359,7 @@
if (DEBUG_KRB5())
kinkd_log(KLLV_DEBUG,
"bbkk: krb5_copy_creds_contents: %s\n",
- krb5_get_err_text(con->context, ret));
+ krb5_get_error_message(con->context, ret));
goto cleanup;
}
int_auth_con = NULL;
@@ -364,12 +369,12 @@
*/
ret = krb5_mk_req_extended(con->context, &int_auth_con,
AP_OPTS_MUTUAL_REQUIRED, NULL /* in_data */, &cred_copy, &ap_req);
- krb5_free_creds_contents(con->context, &cred_copy);
+ krb5_free_cred_contents(con->context, &cred_copy);
if (ret != 0) {
if (DEBUG_KRB5())
kinkd_log(KLLV_DEBUG,
"bbkk: krb5_mk_req_extended: %s\n",
- krb5_get_err_text(con->context, ret));
+ krb5_get_error_message(con->context, ret));
goto cleanup;
}
@@ -414,7 +419,7 @@
if (DEBUG_KRB5())
kinkd_log(KLLV_DEBUG,
"bbkk: krb5_rd_rep: %s\n",
- krb5_get_err_text(con->context, ret));
+ krb5_get_error_message(con->context, ret));
return ret;
}
@@ -462,7 +467,7 @@
if (ret != 0) {
kinkd_log(KLLV_SYSERR,
"krb5e_force_get_key: (%d) %s\n",
- ret, krb5_get_err_text(con->context, ret));
+ ret, krb5_get_error_message(con->context, ret));
krb5_auth_con_free(con->context, auth_context);
return ret;
}
@@ -470,7 +475,7 @@
if (DEBUG_KRB5())
kinkd_log(KLLV_DEBUG,
"bbkk: krb5_rd_req: (%d)%s\n",
- saveret, krb5_get_err_text(con->context, saveret));
+ saveret, krb5_get_error_message(con->context, saveret));
krb5_auth_con_free(con->context, auth_context);
return saveret;
}
@@ -492,7 +497,7 @@
if (DEBUG_KRB5())
kinkd_log(KLLV_DEBUG,
"bbkk: krb5_rc_store: %s\n",
- krb5_get_err_text(con->context, ret));
+ krb5_get_error_message(con->context, ret));
if (ticket != NULL)
krb5_free_ticket(con->context, ticket);
krb5_auth_con_free(con->context, auth_context);
@@ -507,7 +512,7 @@
if (DEBUG_KRB5())
kinkd_log(KLLV_DEBUG,
"bbkk: krb5_mk_rep: %s\n",
- krb5_get_err_text(con->context, ret));
+ krb5_get_error_message(con->context, ret));
/*
* XXX Heimdal-0.6.x
* Heimdal-0.6.x frees only ticket contents, not containter;
@@ -536,7 +541,7 @@
if (DEBUG_KRB5())
kinkd_log(KLLV_DEBUG,
"bbkk: krb5_rd_req: (%d)%s\n",
- saveret, krb5_get_err_text(con->context, saveret));
+ saveret, krb5_get_error_message(con->context, saveret));
if (ticket != NULL)
krb5_free_ticket(con->context, ticket);
return saveret;
@@ -584,7 +589,7 @@
time_t ctime, *ctimep;
int cusec, *cusecp;
- e_text = krb5_get_err_text(con->context, ecode);
+ e_text = krb5_get_error_message(con->context, ecode);
if (ecode < KRB5KDC_ERR_NONE || KRB5_ERR_RCSID <= ecode) {
kinkd_log(KLLV_SYSWARN,
"non protocol errror (%d), use GENERIC\n", ecode);
@@ -609,7 +614,7 @@
if (DEBUG_KRB5())
kinkd_log(KLLV_DEBUG,
"bbkk: krb5_mk_error: %s\n",
- krb5_get_err_text(con->context, ret));
+ krb5_get_error_message(con->context, ret));
return ret;
}
@@ -635,7 +640,7 @@
if (DEBUG_KRB5())
kinkd_log(KLLV_DEBUG,
"bbkk: krb5_rd_error: %s\n",
- krb5_get_err_text(con->context, ret));
+ krb5_get_error_message(con->context, ret));
return ret;
}
@@ -926,7 +931,7 @@
if (con == NULL)
return "Failed in initialization, so no message is available";
else
- return krb5_get_err_text(con->context, ecode);
+ return krb5_get_error_message(con->context, ecode);
}
@@ -951,7 +956,7 @@
keyblock = NULL;
if ((t = (krb5_ticket *)malloc(sizeof(*t))) == NULL) {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return ENOMEM;
}
*t = t0;
@@ -966,14 +971,14 @@
principalname2krb5_principal(&server,
ap_req.ticket.sname, ap_req.ticket.realm);
#else
- _krb5_principalname2krb5_principal(&server,
+ _krb5_principalname2krb5_principal(context, &server,
ap_req.ticket.sname, ap_req.ticket.realm);
#endif
if (ap_req.ap_options.use_session_key && ac->keyblock == NULL) {
- krb5_set_error_string(context, "krb5_rd_req: user to user "
- "auth without session key given");
ret = KRB5KRB_AP_ERR_NOKEY;
+ krb5_set_error_message(context, ret,
+ "krb5_rd_req: user to user auth without session key given");
goto fail;
}
@@ -1009,6 +1014,13 @@
}
/* decrypt ticket */
+#if 1
+ ret = krb5_decrypt_ticket(context, &ap_req.ticket,
+ ac->keyblock != NULL ? ac->keyblock : keyblock,
+ &t->ticket, 0);
+ if (ret != 0)
+ goto fail;
+#else
{
krb5_data plain;
size_t len;
@@ -1030,6 +1042,7 @@
if (ret != 0)
goto fail;
}
+#endif
/* get keyblock from ticket */
if (ac->keyblock != NULL) {
@@ -1039,6 +1052,11 @@
krb5_copy_keyblock(context, &t->ticket.key, &ac->keyblock);
/* handle authenticator */
+#if 1
+ ret = krb5_auth_con_getauthenticator(context, ac, &ac->authenticator);
+ if (ret != 0)
+ goto fail;
+#else
{
krb5_data plain;
size_t len;
@@ -1059,6 +1077,7 @@
if (ret != 0)
goto fail;
}
+#endif
if (ac->authenticator->seq_number)
krb5_auth_con_setremoteseqnumber(context, ac,
*ac->authenticator->seq_number);
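Review bot: The return value of `krb5_get_init_creds_opt_alloc(con->context, &opt)` in the hunk at 206 is ignored, so on allocation failure `opt` is left unset (or NULL) and is then handed to `krb5_get_init_creds_opt_set_default_flags` and `krb5_get_init_creds_keytab`; the result should be checked and the keytab and principal already acquired released, as the neighbouring error paths do. Separately, `krb5_get_error_message` differs from the removed `krb5_get_err_text` in ownership: it returns a string the caller must release with `krb5_free_error_message`, so each converted `kinkd_log` call site now leaks one string per logged error, the `e_text = krb5_get_error_message(...)` assignment in the hunk at 584 does too, and the `return krb5_get_error_message(con->context, ecode);` in the hunk at 926 hands an owned string to a caller that, judging by the string-literal branch beside it, will not free it. The `#if 1` / `#else` / `#endif` blocks in the hunks at 1009 and 1039 keep the old hand-rolled ticket and authenticator decryption as dead code; if the `krb5_decrypt_ticket` and `krb5_auth_con_getauthenticator` calls are the intended path, dropping the `#else` halves would leave less to maintain. The enclosing functions of all these hunks start and end outside the shown context.
```c
	ret = krb5_get_init_creds_opt_alloc(con->context, &opt);
	if (ret != 0) {
		krb5_kt_close(con->context, kt);
		krb5_free_principal(con->context, principal);
		return ret;
	}
	/* … unchanged: set_default_flags / get_init_creds_keytab / opt_free … */
```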


@ -0,0 +1,61 @@
$NetBSD: patch-kinkd_isakmp__quick.c,v 1.1 2018/05/29 01:22:50 christos Exp $
Fix unused
--- kinkd/isakmp_quick.c.orig 2009-09-04 15:59:33.000000000 -0400
+++ kinkd/isakmp_quick.c 2018-05-28 21:12:13.401432933 -0400
@@ -191,9 +191,11 @@
}
if (iph2->id_p) {
+#if 0
uint8_t dummy_plen;
uint16_t dummy_ulproto;
int ret;
+#endif
plog(LLV_DEBUG, LOCATION, NULL, "received IDci2:");
plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l);
@@ -212,9 +214,11 @@
#endif
}
if (iph2->id) {
+#if 0
uint8_t dummy_plen;
uint16_t dummy_ulproto;
int ret;
+#endif
plog(LLV_DEBUG, LOCATION, NULL, "received IDcr2:");
plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l);
@@ -258,7 +262,9 @@
{
rc_vchar_t *pbuf = NULL; /* for payload parsing */
struct isakmp_parse_t *pa;
+#if 0
int f_id;
+#endif
int error = ISAKMP_INTERNAL_ERROR;
/*
@@ -290,7 +296,9 @@
* parse the payloads.
*/
iph2->sa_ret = NULL;
+#if 0
f_id = 0; /* flag to use checking ID */
+#endif
for (; pa->type; pa++) {
switch (pa->type) {
@@ -319,9 +327,9 @@
case ISAKMP_NPTYPE_ID:
{
+#if 0 /* ID payloads are not supported yet. */
rc_vchar_t *vp;
-#if 0 /* ID payloads are not supported yet. */
/* check ID value */
if (f_id == 0) {
/* for IDci */
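Review bot: Wrapping the unused locals in `#if 0` at the hunks for 191, 212 and 258 keeps dead declarations (`dummy_plen`, `dummy_ulproto`, `ret`, `f_id`) in the tree rather than removing them; their only user appears to be the ID-payload block that the last hunk already places under `#if 0 /* ID payloads are not supported yet. */`, so deleting the declarations outright, or moving them inside that existing region the way the hunk at 319 does for `vp`, would leave less to audit when that block is revived. The enclosing functions start and end outside the shown hunks, so a use of `ret` elsewhere in them cannot be ruled out from here.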


@ -0,0 +1,15 @@
$NetBSD: patch-kinkd_session.c,v 1.1 2018/05/29 01:22:50 christos Exp $
Fix pointer to integer cast
--- kinkd/session.c.orig 2006-08-11 16:44:34.000000000 -0400
+++ kinkd/session.c 2018-05-28 21:09:41.263580997 -0400
@@ -290,7 +290,7 @@
{
int signo;
- signo = (int)arg;
+ signo = (int)(intptr_t)arg;
switch (signo) {
case SIGHUP:
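Review bot: `(int)(intptr_t)arg` needs `intptr_t` in scope, which requires `<stdint.h>` (or `<inttypes.h>`) and the hunk does not show session.c's includes; confirm one of them is already included, otherwise the build fails with an undeclared identifier on the very line the patch is meant to fix, and add `#include <stdint.h>` to the patch if not. The enclosing signal-handler function starts and ends outside the hunk.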


@ -1,24 +1,24 @@
$NetBSD: patch-lib_cftoken.l,v 1.1 2013/10/10 00:09:38 joerg Exp $
$NetBSD: patch-lib_cftoken.l,v 1.2 2018/05/29 01:22:50 christos Exp $
--- lib/cftoken.l.orig 2013-10-09 23:00:24.000000000 +0000
+++ lib/cftoken.l
@@ -53,7 +53,6 @@
Fixes for modern flex
--- lib/cftoken.l.orig 2018-05-28 17:21:27.733726555 -0400
+++ lib/cftoken.l 2018-05-28 17:21:57.559009640 -0400
@@ -53,7 +53,7 @@
extern int yyget_lineno (void);
extern FILE *yyget_in (void);
extern FILE *yyget_out (void);
-extern int yyget_leng (void);
+extern yy_size_t yyget_leng (void);
extern char *yyget_text (void);
extern void yyset_lineno (int);
extern void yyset_in (FILE *);
@@ -76,9 +75,9 @@ static char rcf_linebuf[CF_LINEBUFSIZE];
@@ -76,7 +76,7 @@
#define YYDEBUG 1
#define DP \
if (cf_debug) { \
- fprintf(CF_ERRDEV, "%s:%d:%d[%s] len=%d\n", \
+ fprintf(CF_ERRDEV, "%s:%d:%d[%s] len=%zu\n", \
rcf_istk[rcf_istkp].path, rcf_istk[rcf_istkp].lineno, \
- yy_start, yytext, yyleng); \
+ yy_start, yytext, (size_t)yyleng); \
yy_start, yytext, yyleng); \
}
#else
#define DP
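Review bot: The new prototype `extern yy_size_t yyget_leng (void);` hard-codes one flex generation: the 2.5.35–2.5.39 scanners declare `yyleng`/`yyget_leng` as `yy_size_t`, while 2.6.x reportedly returned to `int`, so this extern will conflict with the generated scanner on whichever generation the build host does not match. Since the `DP` macro already casts with `(size_t)yyleng` and prints with `%zu`, the format fix is version-neutral on its own; the prototype could be dropped (the generated scanner declares `yyget_leng` itself) or guarded on `YY_FLEX_MINOR_VERSION`/`YY_FLEX_SUBMINOR_VERSION`. This section prints old and new text of the patch interleaved without markers, so which `@@ -53,7` header line survives should be confirmed against the actual file.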


@ -0,0 +1,68 @@
$NetBSD: patch-lib_if__spmd.c,v 1.1 2018/05/29 01:22:50 christos Exp $
Adjust for OpenSSL v1.1
--- lib/if_spmd.c.orig 2008-03-27 06:05:42.000000000 -0400
+++ lib/if_spmd.c 2018-05-28 13:31:19.367838157 -0400
@@ -1100,7 +1100,7 @@
spmd_if_login_response(struct spmd_cid *pci)
{
unsigned char md[EVP_MAX_MD_SIZE];
- EVP_MD_CTX ctx;
+ EVP_MD_CTX *ctx;
size_t hash_len;
unsigned int md_len;
int error, used, i;
@@ -1108,28 +1108,33 @@
error = -1;
- EVP_MD_CTX_init(&ctx);
- if (!EVP_DigestInit_ex(&ctx, SPMD_DIGEST_ALG, SPMD_EVP_ENGINE)) {
+ ctx = EVP_MD_CTX_new();
+ if (ctx == NULL) {
+ plog(PLOG_INTERR, PLOGLOC, NULL,
+ "failed to allocate Message Digest context\n");
+ goto fail_early;
+ }
+ if (!EVP_DigestInit_ex(ctx, SPMD_DIGEST_ALG, SPMD_EVP_ENGINE)) {
plog(PLOG_INTERR, PLOGLOC, NULL,
"failed to initilize Message Digest function\n");
goto fail_early;
}
- if (!EVP_DigestUpdate(&ctx, pci->challenge, strlen(pci->challenge))) {
+ if (!EVP_DigestUpdate(ctx, pci->challenge, strlen(pci->challenge))) {
plog(PLOG_INTERR, PLOGLOC, NULL,
"failed to hash Challenge\n");
goto fail;
}
- if (!EVP_DigestUpdate(&ctx, pci->password, strlen(pci->password))) {
+ if (!EVP_DigestUpdate(ctx, pci->password, strlen(pci->password))) {
plog(PLOG_INTERR, PLOGLOC, NULL,
"failed to hash Password\n");
goto fail;
}
- if (sizeof(md) < EVP_MD_CTX_size(&ctx)) {
+ if (sizeof(md) < EVP_MD_CTX_size(ctx)) {
plog(PLOG_INTERR, PLOGLOC, NULL,
"Message Digest buffer is not enough\n");
goto fail;
}
- if (!EVP_DigestFinal_ex(&ctx, md, &md_len)) {
+ if (!EVP_DigestFinal_ex(ctx, md, &md_len)) {
plog(PLOG_INTERR, PLOGLOC, NULL,
"failed to get Message Digest value\n");
goto fail;
@@ -1154,11 +1159,7 @@
error = 0;
fail:
- if (!EVP_MD_CTX_cleanup(&ctx)) {
- plog(PLOG_INTERR, PLOGLOC, NULL,
- "failed to cleanup Message Digest context\n");
- error = -1; /* error again */
- }
+ EVP_MD_CTX_free(ctx);
fail_early:
return error;
}
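Review bot: The `goto fail_early;` after a failed `EVP_DigestInit_ex(ctx, ...)` in the hunk at 1108 now leaks the context, because `ctx` has already been allocated by `EVP_MD_CTX_new()` and only the `fail:` label calls `EVP_MD_CTX_free(ctx)`; in the original that branch was safe since the context lived on the stack, but with the heap context it should read `goto fail;`. `EVP_MD_CTX_free(NULL)` is a no-op, so the allocation-failure branch could also jump to `fail:` and the separate `fail_early` label would only be needed for whatever precedes the allocation. The body of spmd_if_login_response between the two hunks (where `md` is compared against the peer's hash) is not shown.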


@ -0,0 +1,29 @@
$NetBSD: patch-spmd_fqdn__query.c,v 1.1 2018/05/29 01:22:50 christos Exp $
Fix unused
--- spmd/fqdn_query.c.orig 2007-07-25 08:22:18.000000000 -0400
+++ spmd/fqdn_query.c 2018-05-28 19:43:35.179657737 -0400
@@ -163,10 +163,9 @@
fqdn_query_response(struct task *t)
{
char data[MAX_UDP_DNS_SIZE];
- int ret;
/* just discard */
- ret = recvfrom(t->fd, data, sizeof(data), t->flags, t->sa, &(t->salen));
+ (void)recvfrom(t->fd, data, sizeof(data), t->flags, t->sa, &(t->salen));
spmd_free(t->sa);
close(t->fd);
@@ -178,9 +177,8 @@
fqdn_query_send(struct task *t)
{
struct task *newt = NULL;
- int ret=0;
- ret = sendto(t->fd, t->msg, t->len, t->flags, t->sa, t->salen);
+ (void)sendto(t->fd, t->msg, t->len, t->flags, t->sa, t->salen);
newt = task_alloc(0);
newt->fd = t->fd;
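Review bot: Casting `sendto` to `(void)` in fqdn_query_send silences the warning but also discards a real failure: the function then goes on to `task_alloc` a response task on a socket whose query was never sent, with no record of why. A minimal `if (sendto(t->fd, t->msg, t->len, t->flags, t->sa, t->salen) < 0)` that logs `errno` through the file's usual logging macro keeps the compiler quiet while preserving the diagnostic; the `(void)recvfrom` in fqdn_query_response is fine given the "just discard" comment. Both functions continue past the hunks shown.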


@ -0,0 +1,21 @@
$NetBSD: patch-spmd_main.c,v 1.1 2018/05/29 01:22:50 christos Exp $
Fix unused variable
--- spmd/main.c.orig 2008-07-11 18:35:46.000000000 -0400
+++ spmd/main.c 2018-05-28 19:26:45.583066490 -0400
@@ -378,11 +378,12 @@
do_daemon(void)
{
pid_t pid;
- int en;
openlog("spmd", LOG_PID, LOG_DAEMON);
if (daemon(0, 0) < 0) {
- en = errno;
+#ifdef __linux__ /* glibc specific ? */
+ int en = errno;
+#endif
perror("daemon()");
#ifdef __linux__ /* glibc specific ? */
if (en == 0) {


@ -0,0 +1,61 @@
$NetBSD: patch-spmd_shell.c,v 1.1 2018/05/29 01:22:50 christos Exp $
Fix for OpenSSL 1.1
--- spmd/shell.c 2008-01-25 01:13:01.000000000 -0500
+++ spmd/shell.c 2018-05-28 13:54:05.166565802 -0400
@@ -655,7 +655,7 @@
char *p;
int i;
const EVP_MD *m;
- EVP_MD_CTX ctx;
+ EVP_MD_CTX *ctx;
unsigned char digest[EVP_MAX_MD_SIZE];
unsigned int digest_len;
@@ -693,27 +693,27 @@
}
}
#endif
- EVP_MD_CTX_init(&ctx);
- if (!EVP_DigestInit_ex(&ctx, m, SPMD_EVP_ENGINE)) {
- SPMD_PLOG(SPMD_L_INTERR, "Failed to initilize Message Digest function");
+ ctx = EVP_MD_CTX_new();
+ if (ctx == NULL) {
+ SPMD_PLOG(SPMD_L_INTERR, "Failed to allocate Message Digest context");
goto fin;
}
- if (!EVP_DigestUpdate(&ctx, seed, seed_len)) {
+ if (!EVP_DigestInit_ex(ctx, m, SPMD_EVP_ENGINE)) {
+ SPMD_PLOG(SPMD_L_INTERR, "Failed to initialize Message Digest function");
+ goto fin;
+ }
+ if (!EVP_DigestUpdate(ctx, seed, seed_len)) {
SPMD_PLOG(SPMD_L_INTERR, "Failed to hash Seed");
goto fin;
}
- if (!EVP_DigestFinal_ex(&ctx, digest, &digest_len)) {
+ if (!EVP_DigestFinal_ex(ctx, digest, &digest_len)) {
SPMD_PLOG(SPMD_L_INTERR, "Failed to get Message Digest value");
goto fin;
}
- if (digest_len != EVP_MD_CTX_size(&ctx)) {
+ if (digest_len != EVP_MD_CTX_size(ctx)) {
SPMD_PLOG(SPMD_L_INTERR, "Message Digest length is not enough");
goto fin;
}
- if (!EVP_MD_CTX_cleanup(&ctx)) {
- SPMD_PLOG(SPMD_L_INTERR, "Failed to cleanup Message Digest context");
- goto fin;
- }
challenge_len = digest_len*2+1;
challenge = spmd_calloc(challenge_len);
@@ -729,6 +729,7 @@
}
fin:
+ EVP_MD_CTX_free(ctx);
spmd_free(seed);
just_fin:
return challenge;
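Review bot: `EVP_MD_CTX_free(ctx)` at `fin:` can now run on an uninitialized pointer: `ctx` is declared without an initializer in the hunk at 655, and any `goto fin` in the region between the two hunks (not shown; it ends in an `#endif` and precedes `ctx = EVP_MD_CTX_new()`) would free garbage, where the old stack context made such jumps harmless. Initialize it at the declaration, `EVP_MD_CTX *ctx = NULL;` — `EVP_MD_CTX_free(NULL)` is a no-op, so the cleanup is then safe on every path. The enclosing function starts before the first hunk shown.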


@ -0,0 +1,22 @@
$NetBSD: patch-spmd_spmd__pfkey.c,v 1.1 2018/05/29 01:22:50 christos Exp $
Remove unused.
--- spmd/spmd_pfkey.c.orig 2008-07-11 18:35:46.000000000 -0400
+++ spmd/spmd_pfkey.c 2018-05-28 19:45:26.942125292 -0400
@@ -326,7 +326,6 @@
spmd_nonfqdn_sp_add(struct rcf_selector *sl)
{
struct rcf_policy *pl = NULL;
- struct rcf_ipsec *ips = NULL;
struct rc_addrlist *al = NULL;
struct rc_addrlist *ipal = NULL;
struct rc_addrlist *ipal_tmp = NULL;
@@ -373,7 +372,6 @@
if (!sl->pl->ips) {
return -1;
}
- ips = sl->pl->ips;
/* check rcf_ipsec{} sa_* set or NULL */
if (set_satype(sl, rc)<0) {


@ -0,0 +1,366 @@
$NetBSD: patch-spmd_spmdctl.c,v 1.1 2018/05/29 01:22:50 christos Exp $
- Fix inefficient snprintfs, and detect errors.
- Fix wrong memset length
*** spmd/spmdctl.c.orig Sun Mar 28 21:52:00 2010
--- spmd/spmdctl.c Mon May 28 14:17:08 2018
***************
*** 38,43 ****
--- 38,44 ----
#include <netdb.h>
#include <netinet/tcp.h>
#include <signal.h>
+ #include <stdarg.h>
#include <errno.h>
#include "spmd_includes.h"
#include "spmd_internal.h"
***************
*** 154,159 ****
--- 155,176 ----
return len;
}
+ static ssize_t __attribute__((__format__(__printf__, 2, 3)))
+ sc_writestr(int fd, const char *fmt, ...)
+ {
+ char buf[2048];
+ va_list ap;
+ va_start(ap, fmt);
+ int len = vsnprintf(buf, sizeof(buf), fmt, ap);
+ va_end(ap);
+ if (len == -1) {
+ perror("sc_writestr");
+ return -1;
+ }
+
+ return sc_writemsg(fd, buf, (size_t)len);
+ }
+
static int
sc_getline(int fd, char *buf, int len)
{
***************
*** 247,253 ****
sc_parse_alloc_sp_entry(const char *str, struct sp_entry *pre)
{
char *ap, *cp;
! size_t slid_len=0, len=0;
struct sp_entry *sd=NULL;
sd = malloc(sizeof(*sd));
--- 264,270 ----
sc_parse_alloc_sp_entry(const char *str, struct sp_entry *pre)
{
char *ap, *cp;
! size_t slid_len=0;
struct sp_entry *sd=NULL;
sd = malloc(sizeof(*sd));
***************
*** 261,267 ****
sd->sa_dst = (struct sockaddr *)&sd->ss_sa_dst;
if (str) {
- len = strlen(str);
ap = (char *)str;
cp = strpbrk(ap, " ");
if (!cp) {
--- 278,283 ----
***************
*** 575,581 ****
sc_setup_pfkey(struct rcpfk_msg *rc)
{
! memset(rc, 0, sizeof(rc));
memset(&pfkey_cbs, 0, sizeof(pfkey_cbs));
pfkey_cbs.cb_spddump = &sc_spddump_cb;
--- 591,597 ----
sc_setup_pfkey(struct rcpfk_msg *rc)
{
! memset(rc, 0, sizeof(*rc));
memset(&pfkey_cbs, 0, sizeof(pfkey_cbs));
pfkey_cbs.cb_spddump = &sc_spddump_cb;
***************
*** 657,665 ****
sc_policy(int s, char *selector_index, uint64_t lifetime, sa_mode_t samode,
const char *sp_src, const char *sp_dst, const char *sa_src, const char *sa_dst, int flag)
{
- char wbuf[BUFSIZ];
char rbuf[BUFSIZ];
- int w;
char sl[512]; /* XXX */
char lt[32];
int ps;
--- 673,679 ----
***************
*** 669,697 ****
if (flag == TYPE_POLICY_ADD) {
if (samode == SA_MODE_TRANSPORT) {
snprintf(sl, sizeof(sl), "%s", selector_index);
snprintf(lt, sizeof(lt), "%" PRIu64, lifetime);
! snprintf(wbuf, sizeof(wbuf), "POLICY ADD %s %s TRANSPORT %s %s\r\n",
! sl, lt, sp_src, sp_dst);
! w= sc_writemsg(s, wbuf, strlen(wbuf));
! }
! else if (samode == SA_MODE_TUNNEL) {
! return -1;
! snprintf(sl, sizeof(sl), "%s", selector_index);
! snprintf(lt, sizeof(lt), "%" PRIu64, lifetime);
! snprintf(wbuf, sizeof(wbuf), "POLICY ADD %s %s TUNNEL %s %s %s %s\r\n",
! sl, lt, sp_src, sp_dst, sa_src, sa_dst);
! w= sc_writemsg(s, wbuf, strlen(wbuf));
} else {
return -1;
}
} else if (flag == TYPE_POLICY_DEL) {
! snprintf(sl, sizeof(sl), "%s", selector_index);
! snprintf(wbuf, sizeof(wbuf), "POLICY DELETE %s\r\n", sl);
! w= sc_writemsg(s, wbuf, strlen(wbuf));
} else if (flag == TYPE_POLICY_DUMP) {
! snprintf(wbuf, sizeof(wbuf), "POLICY DUMP\r\n");
! w= sc_writemsg(s, wbuf, strlen(wbuf));
goto dump;
} else {
return -1;
--- 683,710 ----
if (flag == TYPE_POLICY_ADD) {
if (samode == SA_MODE_TRANSPORT) {
+ if (sc_writestr(s,
+ "POLICY ADD %s %" PRIu64 " TRANSPORT %s %s\r\n",
+ selector_index, lifetime, sp_src, sp_dst) < 0)
+ return -1;
+ } else if (samode == SA_MODE_TUNNEL) {
snprintf(sl, sizeof(sl), "%s", selector_index);
snprintf(lt, sizeof(lt), "%" PRIu64, lifetime);
! if (sc_writestr(s,
! "POLICY ADD %s %" PRIu64 " TUNNEL %s %s %s %s\r\n",
! selector_index, lifetime, sp_src, sp_dst, sa_src,
! sa_dst) < 0)
! return -1;
!
} else {
return -1;
}
} else if (flag == TYPE_POLICY_DEL) {
! if (sc_writestr(s, "POLICY DELETE %s\r\n", selector_index) < 0)
! return -1;
} else if (flag == TYPE_POLICY_DUMP) {
! if (sc_writestr(s, "POLICY DUMP\r\n") < 0)
! return -1;
goto dump;
} else {
return -1;
***************
*** 752,768 ****
sc_migrate(int s, char *selector_index, const char *src0, const char *dst0,
const char *src, const char *dst)
{
- char wbuf[BUFSIZ];
char rbuf[BUFSIZ];
- int w;
- char sl[512]; /* XXX */
-
- snprintf(sl, sizeof(sl), "%s", selector_index);
- snprintf(wbuf, sizeof(wbuf),
- "MIGRATE %s %s %s %s %s\r\n",
- sl, src0, dst0, src, dst);
- w = sc_writemsg(s, wbuf, strlen(wbuf));
if (sc_getline(s, rbuf, sizeof(rbuf)) < 0) {
fprintf(stderr, "can't get response from spmd\n");
return -1;
--- 765,775 ----
sc_migrate(int s, char *selector_index, const char *src0, const char *dst0,
const char *src, const char *dst)
{
char rbuf[BUFSIZ];
+ if (sc_writestr(s, "MIGRATE %s %s %s %s %s\r\n",
+ selector_index, src0, dst0, src, dst) < 0)
+ return -1;
if (sc_getline(s, rbuf, sizeof(rbuf)) < 0) {
fprintf(stderr, "can't get response from spmd\n");
return -1;
***************
*** 777,786 ****
static int
sc_status(int s)
{
- int w;
char rbuf[512];
! w = sc_writemsg(s, "STAT\r\n", strlen("STAT\r\n"));
while ( sc_getline(s, rbuf, sizeof(rbuf)) > 0) {
if (rbuf[0] != '2')
return -1;
--- 784,793 ----
static int
sc_status(int s)
{
char rbuf[512];
! if (sc_writestr(s, "STAT\r\n") < 0)
! return -1;
while ( sc_getline(s, rbuf, sizeof(rbuf)) > 0) {
if (rbuf[0] != '2')
return -1;
***************
*** 795,803 ****
static int
sc_ns(int s, char *addr, int flag)
{
- int w;
char rbuf[512];
- char wbuf[512];
char naddr[NI_MAXHOST];
int match=0;
--- 802,808 ----
***************
*** 811,817 ****
if (flag == TYPE_NS_ADD) {
! w = sc_writemsg(s, "NS LIST\r\n", strlen("NS LIST\r\n"));
while ( sc_getline(s, rbuf, sizeof(rbuf)) > 0) {
if (rbuf[0] != '2')
return -1;
--- 816,823 ----
if (flag == TYPE_NS_ADD) {
! if (sc_writestr(s, "NS LIST\r\n") < 0)
! return -1;
while ( sc_getline(s, rbuf, sizeof(rbuf)) > 0) {
if (rbuf[0] != '2')
return -1;
***************
*** 823,838 ****
}
if (match) {
! snprintf(wbuf, sizeof(wbuf), "NS CHANGE %s\r\n", naddr);
! w= sc_writemsg(s, wbuf, strlen(wbuf));
} else {
! snprintf(wbuf, sizeof(wbuf), "NS ADD %s\r\n", naddr);
! w= sc_writemsg(s, wbuf, strlen(wbuf));
}
return 0;
} else if (flag == TYPE_NS_DEL) {
int lines=0;
! w = sc_writemsg(s, "NS LIST\r\n", strlen("NS LIST\r\n"));
while ( sc_getline(s, rbuf, sizeof(rbuf)) > 0) {
if (rbuf[0] != '2')
return -1;
--- 829,845 ----
}
if (match) {
! if (sc_writestr(s, "NS CHANGE %s\r\n", naddr) < 0)
! return -1;
} else {
! if (sc_writestr(s, "NS ADD %s\r\n", naddr) < 0)
! return -1;
}
return 0;
} else if (flag == TYPE_NS_DEL) {
int lines=0;
! if (sc_writestr(s, "NS LIST\r\n") < 0)
! return -1;
while ( sc_getline(s, rbuf, sizeof(rbuf)) > 0) {
if (rbuf[0] != '2')
return -1;
***************
*** 845,856 ****
}
if (match && lines >1) {
! snprintf(wbuf, sizeof(wbuf), "NS DELETE %s\r\n", naddr);
! w= sc_writemsg(s, wbuf, strlen(wbuf));
}
return 0;
} else if (flag == TYPE_NS_LST) {
! sc_writemsg(s, "NS LIST\r\n", strlen("NS LIST\r\n"));
while ( sc_getline(s, rbuf, sizeof(rbuf)) > 0) {
if (rbuf[0] != '2')
return -1;
--- 852,864 ----
}
if (match && lines >1) {
! if (sc_writestr(s, "NS DELETE %s\r\n", naddr) < 0)
! return -1;
}
return 0;
} else if (flag == TYPE_NS_LST) {
! if (sc_writestr(s, "NS LIST\r\n") < 0)
! return -1;
while ( sc_getline(s, rbuf, sizeof(rbuf)) > 0) {
if (rbuf[0] != '2')
return -1;
***************
*** 977,983 ****
{
char rbuf[512];
char wbuf[512];
! int r,w;
int s = -1;
struct rc_addrlist *rcl_top = NULL, *rcl;
struct sockaddr *sa;
--- 985,991 ----
{
char rbuf[512];
char wbuf[512];
! int r;
int s = -1;
struct rc_addrlist *rcl_top = NULL, *rcl;
struct sockaddr *sa;
***************
*** 1111,1118 ****
fprintf(stdout, "hash=%s\n", cid.hash);
}
! snprintf(wbuf, sizeof(wbuf), "LOGIN %s\r\n", cid.hash);
! w = sc_writemsg(s, wbuf, strlen(wbuf));
r = sc_getline(s, rbuf, sizeof(rbuf));
if (r<0) {
perror("LOGIN:read");
--- 1119,1126 ----
fprintf(stdout, "hash=%s\n", cid.hash);
}
! if (sc_writestr(s, "LOGIN %s\r\n", cid.hash) < 0)
! exit(EXIT_FAILURE);
r = sc_getline(s, rbuf, sizeof(rbuf));
if (r<0) {
perror("LOGIN:read");
***************
*** 1134,1142 ****
sc_quit(int s)
{
char rbuf[512];
! int r,w;
! w = sc_writemsg(s, "QUIT\r\n", strlen("QUIT\r\n"));
r = sc_getline(s, rbuf, sizeof(rbuf));
if (r<0) {
perror("QUIT:read");
--- 1142,1153 ----
sc_quit(int s)
{
char rbuf[512];
! int r;
! if (sc_writestr(s, "QUIT\r\n")) {
! close(s);
! return -1;
! }
r = sc_getline(s, rbuf, sizeof(rbuf));
if (r<0) {
perror("QUIT:read");
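Review bot: `if (sc_writestr(s, "QUIT\r\n")) {` in sc_quit (hunk at 1134) drops the `< 0` every other converted call site uses; since sc_writestr returns the byte count from sc_writemsg on success, a successful QUIT now closes the socket and returns -1, so it should read `if (sc_writestr(s, "QUIT\r\n") < 0) {`. In sc_writestr itself (hunk at 154) only `len == -1` is rejected, but vsnprintf returns the would-be length on truncation, so a message longer than the 2048-byte `buf` makes `sc_writemsg(fd, buf, (size_t)len)` read past the buffer; the guard should be `if (len < 0 || (size_t)len >= sizeof(buf)) { perror("sc_writestr"); return -1; }` (with errno set only in the first case). The TUNNEL branch of sc_policy (hunk at 669) also loses the leading `return -1;` that kept tunnel-mode POLICY ADD disabled, so the patch quietly enables a path the original author had stubbed out, while the `sl`/`lt` snprintfs kept in that branch now fill buffers nothing reads.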