diff options
| author | V3n3RiX <venerix@redcorelinux.org> | 2019-11-03 16:06:58 +0000 |
|---|---|---|
| committer | V3n3RiX <venerix@redcorelinux.org> | 2019-11-03 16:06:58 +0000 |
| commit | bd4aeefe33e63f613512604e47bfca7b2187697d (patch) | |
| tree | adb35b5a9a00ee7ea591ab0c987f70167c23b597 /net-vpn | |
| parent | 48ece6662cbd443015f5a57ae6d8cbdbd69ef37c (diff) | |
gentoo resync : 03.11.2019
Diffstat (limited to 'net-vpn')
| -rw-r--r-- | net-vpn/Manifest.gz | bin | 6023 -> 6025 bytes | |||
| -rw-r--r-- | net-vpn/i2pd/Manifest | 1 | ||||
| -rw-r--r-- | net-vpn/i2pd/files/i2pd-2.25.0-link.patch | 13 | ||||
| -rw-r--r-- | net-vpn/ipsec-tools/Manifest | 3 | ||||
| -rw-r--r-- | net-vpn/ipsec-tools/files/ipsec-tools-add-openssl-1.1.x-support.patch | 1096 | ||||
| -rw-r--r-- | net-vpn/ipsec-tools/ipsec-tools-0.8.2-r5.ebuild | 4 | ||||
| -rw-r--r-- | net-vpn/openconnect/Manifest | 2 | ||||
| -rw-r--r-- | net-vpn/openconnect/openconnect-8.05.ebuild | 2 | ||||
| -rw-r--r-- | net-vpn/strongswan/Manifest | 2 | ||||
| -rw-r--r-- | net-vpn/strongswan/strongswan-5.8.1.ebuild | 308 | ||||
| -rw-r--r-- | net-vpn/tor/Manifest | 4 | ||||
| -rw-r--r-- | net-vpn/tor/tor-0.4.2.3_alpha.ebuild (renamed from net-vpn/tor/tor-0.4.2.2_alpha.ebuild) | 0 |
12 files changed, 1414 insertions, 21 deletions
diff --git a/net-vpn/Manifest.gz b/net-vpn/Manifest.gz Binary files differindex 5220b86b9efd..723ba2b068b7 100644 --- a/net-vpn/Manifest.gz +++ b/net-vpn/Manifest.gz diff --git a/net-vpn/i2pd/Manifest b/net-vpn/i2pd/Manifest index b6dcc42a16be..45819206afc2 100644 --- a/net-vpn/i2pd/Manifest +++ b/net-vpn/i2pd/Manifest @@ -1,7 +1,6 @@ AUX 99i2pd 44 BLAKE2B d7a2d45f79ecb34f50eaddc09f318339eedfb2444d0a96d97691c6f3950e63f8f827ec3697ec52f60e29c3e01f232d6c12cf776883672203f01645e5e2d5d994 SHA512 0bd08ff5b1b2ad8d91572efee848a760e2fb46d9c1a5ead3fbdde91d679d832d985905952b393eb523ec9d8f1815bf1512ae61fbc059d10f0773991ac097c23f AUX i2pd-2.14.0-fix_installed_components.patch 1033 BLAKE2B dc6a64bc143583184e7b6af1104d5c68dbd96e7a873c6ad335f3b7feba31fb70e155e1117a7f59c1571e8d368048a2a12d664fa170c5378ab553736e47c96d75 SHA512 b4d91487657d1d0b89b8a43eb962e7f87dfb56fdb40fd7e10f4818d1d87cd814833f72c823e808756545c580517b7ce8bf1e11e55d15addd84abc343587f9d66 AUX i2pd-2.25.0-lib-path.patch 725 BLAKE2B ad87fbfae2cb78945d0e0f62ea9d0ab45e1676908ebb11d6c4844a6160e0eb2714fa1221e886d158454a7ba3c19af7d1bb672035195993fb4633162a761e3bcb SHA512 1e1942c8c424ecefb0b62ee96973b2b238553a887a42cb5d9206cbea31e3136b7b3ad0b8ff1f290cbb507f1cc404e8a6e3c1a52551ac0aa719fbadbcf5ccc43b -AUX i2pd-2.25.0-link.patch 676 BLAKE2B c663a745b57399e4b1fb26e235c684c03ed61a1c448546ed9e6296ecf7c6cf82e02f896d35a03d8ba998b327344d663b7035ad11668644677a7a7eb049a39f33 SHA512 368662f0221edc193071464fcd0eb1235522956fdb5811f89e5246cb7f9a9796be227164b3e04a506638e0d7a3e9445f4dfba83d3da2ec0f0dc470c961f9551f AUX i2pd-2.6.0-r3.confd 322 BLAKE2B 1abce31d300785fe0f42eb0c15bc26f723e99bfe4f3d21ef4d83620c064838d0e27f89f287a97404276490b848bd1372a40b915d4830b7755d801c4bda551099 SHA512 083f4c860d7556bd14f2765b098743c25f996ef16de3982430ff27ac7711051738d48709654441099ea8c755b6d9a6e25b52286f7e8c928d3f39f1207a9517a9 AUX i2pd-2.6.0-r3.initd 1385 BLAKE2B 5c754a7e289f8d102b2690f78fb3e9b805c6eb46208fba8d8200886dcd30e5e7ba682bb9eb493d654bbec03b8fa7ec58cf885f91203db400280c9de4d9c1e377 SHA512 c09d9164fedac748162eeeafabf4776e16869e7ad06ba5f1b008fa57655fbe8f9633804575e44011b61130699e394bd0d8623b13e9614623b8a9b34e5ad6ecd5 AUX i2pd-2.6.0-r3.logrotate 215 BLAKE2B 07cd3e250996ae2d4632795174750779a199c31107ed82a561b3f1dca84c6a81b6bac178ea06256325a2946876b9e75f9f6c453e5836a23911d5ecd802dc8b59 SHA512 e6080b719cb1616a96b4e4e9ff7074881f88dc699147fd5a201861c5836cf4807a00767a2c370f36e847b0d4ddb2129d8c3c3fc8043325fb8f3d0bc27feca2a3 diff --git a/net-vpn/i2pd/files/i2pd-2.25.0-link.patch b/net-vpn/i2pd/files/i2pd-2.25.0-link.patch deleted file mode 100644 index 52c5dc745273..000000000000 --- a/net-vpn/i2pd/files/i2pd-2.25.0-link.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/build/CMakeLists.txt b/build/CMakeLists.txt -index e50bbc865..949f6a46e 100644 -https://github.com/PurpleI2P/i2pd/issues/1353 ---- a/build/CMakeLists.txt -+++ b/build/CMakeLists.txt -@@ -470,6 +470,7 @@ if (WITH_BINARY) - if (WITH_STATIC) - set(DL_LIB ${CMAKE_DL_LIBS}) - endif() -+ target_link_libraries(libi2pd ${Boost_LIBRARIES} ${ZLIB_LIBRARY}) - target_link_libraries( "${PROJECT_NAME}" libi2pd libi2pdclient ${DL_LIB} ${Boost_LIBRARIES} ${OPENSSL_LIBRARIES} ${ZLIB_LIBRARY} ${CMAKE_THREAD_LIBS_INIT} ${MINGW_EXTRA} ${DL_LIB} ${CMAKE_REQUIRED_LIBRARIES}) - - install(TARGETS "${PROJECT_NAME}" RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR} COMPONENT Runtime) diff --git a/net-vpn/ipsec-tools/Manifest b/net-vpn/ipsec-tools/Manifest index 02d314232016..61c593be7917 100644 --- a/net-vpn/ipsec-tools/Manifest +++ b/net-vpn/ipsec-tools/Manifest @@ -1,5 +1,6 @@ AUX ipsec-tools-0.8.0-sysctl.patch 485 BLAKE2B 95d0ef609a8a744bf8b3451a9b6b8ee4e79d79c99bd7919d45c6fc99d61904e16b3213afbfcde4743dc1be8de0b4455f1da2b3faf210c21833cbd482ab7d0c52 SHA512 a2a96cea5c2b451665d54572e471a6c2b4fb72382dcd90bda536aaabf78cdd36d630d5c1fa56372b95066dc7dffd56480d3402fdbe2d56825a017b2cc075ac66 AUX ipsec-tools-CVE-2015-4047.patch 517 BLAKE2B 2ef6ddd4b78d7602bc4b19d76a794a1e172049b515932f00d3fe0f63b8157f3652a86f39473dc2f85b017d141790c5bc13378e79d008239899849484c4d9d42a SHA512 1dfda43a9d5919fbf274a28addbf798083f48094c65b88426d471a56e5339b72c9438c36efc6d6a3d74b4a084103c2fd4d1f974cbe494ee1228b2dbcaa304b49 +AUX ipsec-tools-add-openssl-1.1.x-support.patch 32066 BLAKE2B b8380408c90bb93f0b95938de2efc61c80d727ae61a1417134583a8c74055fcfe1f7f75893f1f701b0f301a16d8b4d14f1b8a09d1e81d238821bcc122dfe183f SHA512 f2bd85f1c51226da6fc50d3473129e4c2e3c0e46107337f8d676029b7072b98bf164b6813a16de7dd4481f80038453b55a5ff56e7f5ec08ab07641034258e778 AUX ipsec-tools-def-psk.patch 907 BLAKE2B 511982e1e7902f10442ca7ec7cd2a732f8a523f5fdc4a3630833d4280518296a3b4c735648c2793a40ad7d2d914019dc19699a51f0cdaddc35b13e94ea0d6b49 SHA512 683f168fac390df602ece1608db7f65370749c291e837497fa68fe4f39ddab907d10d67d4c80d583d7f12a1ea0bf02ba98d228e7c6e9267b49a1a8a7e57e99c4 AUX ipsec-tools-include-vendoridh.patch 434 BLAKE2B ae27d4fc5630ee372314a855ec0c17b9f9efc5f87cbc6b86c1decd685212478a4a5592bd64c2a5ed19779243114eca4bff7f7e243bdc508454ef0bf4d998245f SHA512 fc39e09dd7b1a2d3b6cdfbfad9f4978ab5d070ae2435cf77fe2283b566bea1d58cd26dbf6cafb563587200724c9602a32ce737fd163b757872e8a6d2c8007d5c AUX ipsec-tools.conf 1209 BLAKE2B 6d84eede1d77f09f1dac1db6866c7a877494cfbce69f01fb09f5961ae213547f2e5aca9ab068e375d2fdba8e326444e2b3f3d3cd6249f641e30127b8c5c52efb SHA512 727297a06b75b883a7bd730d84f7a7cec04f81b51df71a6d2419602d835abe3c958d27aac176e29e2463421792843517bda802b3437b306ab43e94d178593bfa @@ -11,5 +12,5 @@ AUX racoon.init.d-r3 1295 BLAKE2B 730b7c7069ea94f0e27fe3c0ed344d6f9631e0445d2368 AUX racoon.pam.d 156 BLAKE2B 91ebefbb1264fe3fe98df0a72ac22a4cd8a787b3b391af5769798e0b0185f0a588bc089d229c76138fd2db39fbe6bd33924f0d53e0513074d9c2d7abf88dcb78 SHA512 d3f7e6ca8c9f2b5060ebccb259316bb59c9a7e158e8ef9466765a20db263a4043a590811f1a3ab072b718dbd70898bc69b77e0b19603d7f394b5ac1bd0a4a56c AUX racoon.service 244 BLAKE2B f7e268518787a67e9363c936b8a9e69763c41db1926f99f3f001fdf738b0b3a92cd62770ab6cc0189cea20ca22d3abe675c832363ad77974e3f531ffbf525e7b SHA512 56d84f36b307e1ea93f3cdc9fbb7b459f4b3b65ea2bb765f61def10d06a3ff09d61b8d53b21796a55022279e791d751f3bc1ccf0d0f85799a743371390930567 DIST ipsec-tools-0.8.2.tar.bz2 866465 BLAKE2B cf8c9175d96326fc5c74e6b1921bc66911256e289e6fe9cef77f26c197546902be3ebd5696af39c749a2abaac3f42010c9e2a281fd208122cd59222044b9dd4c SHA512 2b7d0efa908d3a699be7ef8b2b126a3809956cb7add50e8efb1cfdfc2d9b70c39ef517379cb9a4fad9e5f0c25937e98535b06c32bd3e729f5129da4ab133e30f -EBUILD ipsec-tools-0.8.2-r5.ebuild 7851 BLAKE2B 9f1567e8a33088595b1c4ab8ab279b597710a128916b1b7862048bf8eb41677aeb609f7e7bda69a19de261a367abbcabc4a8ee921bbdd7407af961e1ff753f6b SHA512 0362d6dfe3da7263836369cd8d49e64f3a1e9cfc99d81b8a97b5744d857daff71f28108bad53022893966957ea2026b918592b0af13b41309363411be30d3b4b +EBUILD ipsec-tools-0.8.2-r5.ebuild 7907 BLAKE2B 4f0dee8d6a083952e1db6f89b5cdacf701eb476943915d3efdc08a369ab9f03eddc9798f7f2931021555429a69aea1fa00bee99fc24d2e8303212c4b9fc8656d SHA512 3390b428d29df81755b2d419b049ee776ff60b38d8156ed7852e54fb47fa0441f3608ee23a8a254781fb4078d8cd12bfa624035924355464e891c7a344c2bb9a MISC metadata.xml 632 BLAKE2B 705ccbcd150c7180f882207dd5e7a8b0765b58f8296be9bb299e982207d88031b770186b665ee936ca834b2b8601a78f7d2ade63b88d6aa09808b2fe3a89be87 SHA512 7636e9dd2ed9069933b2215829660c3d7c1b43d9c4ad3303cf8889618bd659f68a27994ae520ec7e327060337a196e8b720140e5b32fc6830158be0f0fff1eb8 diff --git a/net-vpn/ipsec-tools/files/ipsec-tools-add-openssl-1.1.x-support.patch b/net-vpn/ipsec-tools/files/ipsec-tools-add-openssl-1.1.x-support.patch new file mode 100644 index 000000000000..5d55c59cbd81 --- /dev/null +++ b/net-vpn/ipsec-tools/files/ipsec-tools-add-openssl-1.1.x-support.patch @@ -0,0 +1,1096 @@ +From 071fec7181255b9234add44865a435dfdefee520 Mon Sep 17 00:00:00 2001 +In-Reply-To: <20180528120513.560-1-cote2004-github@yahoo.com> +References: <20180528120513.560-1-cote2004-github@yahoo.com> +From: Eneas U de Queiroz <cote2004-github@yahoo.com> +Date: Wed, 30 May 2018 15:42:20 -0300 +Subject: [PATCH v2 1/1] ipsec-tools: add openssl 1.1 support +To: equeiroz@troianet.com.br + +This patch updates the calls to openssl 1.1 API, and adds a +compatibility layer so it compiles with (at least) openssl 1.0.2, I +haven't tested it with lower versions, but all that's needed is to edit +the openssl_compat.* files and add the missing functions there--they're +usually trivial. + +Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> +--- + src/racoon/Makefile.am | 10 +-- + src/racoon/algorithm.c | 6 +- + src/racoon/cfparse.y | 2 +- + src/racoon/crypto_openssl.c | 197 +++++++++++++++++++++------------------- + src/racoon/crypto_openssl.h | 2 +- + src/racoon/eaytest.c | 7 +- + src/racoon/ipsec_doi.c | 2 +- + src/racoon/openssl_compat.c | 213 ++++++++++++++++++++++++++++++++++++++++++++ + src/racoon/openssl_compat.h | 45 ++++++++++ + src/racoon/plainrsa-gen.c | 41 +++++---- + src/racoon/prsa_par.y | 28 ++++-- + src/racoon/rsalist.c | 5 +- + 12 files changed, 431 insertions(+), 127 deletions(-) + create mode 100644 src/racoon/openssl_compat.c + create mode 100644 src/racoon/openssl_compat.h + +diff --git a/src/racoon/Makefile.am b/src/racoon/Makefile.am +index dbaded9..4c585f3 100644 +--- a/src/racoon/Makefile.am ++++ b/src/racoon/Makefile.am +@@ -4,7 +4,7 @@ sbin_PROGRAMS = racoon racoonctl plainrsa-gen + noinst_PROGRAMS = eaytest + include_racoon_HEADERS = racoonctl.h var.h vmbuf.h misc.h gcmalloc.h admin.h \ + schedule.h sockmisc.h isakmp_var.h isakmp.h isakmp_xauth.h \ +- isakmp_cfg.h isakmp_unity.h ipsec_doi.h evt.h ++ isakmp_cfg.h isakmp_unity.h ipsec_doi.h evt.h openssl_compat.h + lib_LTLIBRARIES = libracoon.la + + adminsockdir=${localstatedir}/racoon +@@ -32,7 +32,7 @@ racoon_SOURCES = \ + gssapi.c dnssec.c getcertsbyname.c privsep.c \ + pfkey.c admin.c evt.c ipsec_doi.c oakley.c grabmyaddr.c vendorid.c \ + policy.c localconf.c remoteconf.c crypto_openssl.c algorithm.c \ +- proposal.c sainfo.c strnames.c \ ++ openssl_compat.c proposal.c sainfo.c strnames.c \ + plog.c logger.c schedule.c str2val.c \ + safefile.c backupsa.c genlist.c rsalist.c \ + cftoken.l cfparse.y prsa_tok.l prsa_par.y +@@ -51,12 +51,12 @@ libracoon_la_SOURCES = kmpstat.c vmbuf.c sockmisc.c misc.c + libracoon_la_CFLAGS = -DNOUSE_PRIVSEP $(AM_CFLAGS) + + plainrsa_gen_SOURCES = plainrsa-gen.c plog.c \ +- crypto_openssl.c logger.c ++ crypto_openssl.c logger.c openssl_compat.c + EXTRA_plainrsa_gen_SOURCES = $(MISSING_ALGOS) + plainrsa_gen_LDADD = $(CRYPTOBJS) vmbuf.o misc.o + plainrsa_gen_DEPENDENCIES = $(CRYPTOBJS) vmbuf.o misc.o + +-eaytest_SOURCES = eaytest.c plog.c logger.c ++eaytest_SOURCES = eaytest.c plog.c logger.c openssl_compat.c + EXTRA_eaytest_SOURCES = missing/crypto/sha2/sha2.c + eaytest_LDADD = crypto_openssl_test.o vmbuf.o str2val.o misc_noplog.o \ + $(CRYPTOBJS) +@@ -75,7 +75,7 @@ noinst_HEADERS = \ + debugrm.h isakmp.h misc.h sainfo.h \ + dhgroup.h isakmp_agg.h netdb_dnssec.h schedule.h \ + isakmp_cfg.h isakmp_xauth.h isakmp_unity.h isakmp_frag.h \ +- throttle.h privsep.h \ ++ throttle.h privsep.h openssl_compat.h \ + cfparse_proto.h cftoken_proto.h genlist.h rsalist.h \ + missing/crypto/sha2/sha2.h missing/crypto/rijndael/rijndael_local.h \ + missing/crypto/rijndael/rijndael-api-fst.h \ +diff --git a/src/racoon/algorithm.c b/src/racoon/algorithm.c +index 3fd50f6..66c874b 100644 +--- a/src/racoon/algorithm.c ++++ b/src/racoon/algorithm.c +@@ -128,7 +128,7 @@ static struct enc_algorithm oakley_encdef[] = { + { "aes", algtype_aes, OAKLEY_ATTR_ENC_ALG_AES, 16, + eay_aes_encrypt, eay_aes_decrypt, + eay_aes_weakkey, eay_aes_keylen, }, +-#ifdef HAVE_OPENSSL_CAMELLIA_H ++#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA) + { "camellia", algtype_camellia, OAKLEY_ATTR_ENC_ALG_CAMELLIA, 16, + eay_camellia_encrypt, eay_camellia_decrypt, + eay_camellia_weakkey, eay_camellia_keylen, }, +@@ -168,7 +168,7 @@ static struct enc_algorithm ipsec_encdef[] = { + { "twofish", algtype_twofish, IPSECDOI_ESP_TWOFISH, 16, + NULL, NULL, + NULL, eay_twofish_keylen, }, +-#ifdef HAVE_OPENSSL_IDEA_H ++#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA) + { "3idea", algtype_3idea, IPSECDOI_ESP_3IDEA, 8, + NULL, NULL, + NULL, NULL, }, +@@ -179,7 +179,7 @@ static struct enc_algorithm ipsec_encdef[] = { + { "rc4", algtype_rc4, IPSECDOI_ESP_RC4, 8, + NULL, NULL, + NULL, NULL, }, +-#ifdef HAVE_OPENSSL_CAMELLIA_H ++#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA) + { "camellia", algtype_camellia, IPSECDOI_ESP_CAMELLIA, 16, + NULL, NULL, + NULL, eay_camellia_keylen, }, +diff --git a/src/racoon/cfparse.y b/src/racoon/cfparse.y +index 0d9bd67..8415752 100644 +--- a/src/racoon/cfparse.y ++++ b/src/racoon/cfparse.y +@@ -2564,7 +2564,7 @@ set_isakmp_proposal(rmconf) + plog(LLV_DEBUG2, LOCATION, NULL, + "encklen=%d\n", s->encklen); + +- memset(types, 0, ARRAYLEN(types)); ++ memset(types, 0, sizeof types); + types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc]; + types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash]; + types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh]; +diff --git a/src/racoon/crypto_openssl.c b/src/racoon/crypto_openssl.c +index 55b076a..8fb358f 100644 +--- a/src/racoon/crypto_openssl.c ++++ b/src/racoon/crypto_openssl.c +@@ -90,6 +90,7 @@ + #endif + #endif + #include "plog.h" ++#include "openssl_compat.h" + + #define USE_NEW_DES_API + +@@ -316,9 +317,12 @@ eay_cmp_asn1dn(n1, n2) + i = idx+1; + goto end; + } +- if ((ea->value->length == 1 && ea->value->data[0] == '*') || +- (eb->value->length == 1 && eb->value->data[0] == '*')) { +- if (OBJ_cmp(ea->object,eb->object)) { ++ ASN1_STRING *sa = X509_NAME_ENTRY_get_data(ea); ++ ASN1_STRING *sb = X509_NAME_ENTRY_get_data(eb); ++ if ((ASN1_STRING_length(sa) == 1 && ASN1_STRING_get0_data(sa)[0] == '*') || ++ (ASN1_STRING_length(sb) == 1 && ASN1_STRING_get0_data(sb)[0] == '*')) { ++ if (OBJ_cmp(X509_NAME_ENTRY_get_object(ea), ++ X509_NAME_ENTRY_get_object(eb))) { + i = idx+1; + goto end; + } +@@ -430,7 +434,7 @@ cb_check_cert_local(ok, ctx) + + if (!ok) { + X509_NAME_oneline( +- X509_get_subject_name(ctx->current_cert), ++ X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)), + buf, + 256); + /* +@@ -438,7 +442,8 @@ cb_check_cert_local(ok, ctx) + * ok if they are self signed. But we should still warn + * the user. + */ +- switch (ctx->error) { ++ int ctx_error = X509_STORE_CTX_get_error(ctx); ++ switch (ctx_error) { + case X509_V_ERR_CERT_HAS_EXPIRED: + case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: + case X509_V_ERR_INVALID_CA: +@@ -453,9 +458,9 @@ cb_check_cert_local(ok, ctx) + } + plog(log_tag, LOCATION, NULL, + "%s(%d) at depth:%d SubjectName:%s\n", +- X509_verify_cert_error_string(ctx->error), +- ctx->error, +- ctx->error_depth, ++ X509_verify_cert_error_string(ctx_error), ++ ctx_error, ++ X509_STORE_CTX_get_error_depth(ctx), + buf); + } + ERR_clear_error(); +@@ -477,10 +482,11 @@ cb_check_cert_remote(ok, ctx) + + if (!ok) { + X509_NAME_oneline( +- X509_get_subject_name(ctx->current_cert), ++ X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)), + buf, + 256); +- switch (ctx->error) { ++ int ctx_error=X509_STORE_CTX_get_error(ctx); ++ switch (ctx_error) { + case X509_V_ERR_UNABLE_TO_GET_CRL: + ok = 1; + log_tag = LLV_WARNING; +@@ -490,9 +496,9 @@ cb_check_cert_remote(ok, ctx) + } + plog(log_tag, LOCATION, NULL, + "%s(%d) at depth:%d SubjectName:%s\n", +- X509_verify_cert_error_string(ctx->error), +- ctx->error, +- ctx->error_depth, ++ X509_verify_cert_error_string(ctx_error), ++ ctx_error, ++ X509_STORE_CTX_get_error_depth(ctx), + buf); + } + ERR_clear_error(); +@@ -516,14 +522,15 @@ eay_get_x509asn1subjectname(cert) + if (x509 == NULL) + goto error; + ++ X509_NAME *subject_name = X509_get_subject_name(x509); + /* get the length of the name */ +- len = i2d_X509_NAME(x509->cert_info->subject, NULL); ++ len = i2d_X509_NAME(subject_name, NULL); + name = vmalloc(len); + if (!name) + goto error; + /* get the name */ + bp = (unsigned char *) name->v; +- len = i2d_X509_NAME(x509->cert_info->subject, &bp); ++ len = i2d_X509_NAME(subject_name, &bp); + + X509_free(x509); + +@@ -661,15 +668,16 @@ eay_get_x509asn1issuername(cert) + if (x509 == NULL) + goto error; + ++ X509_NAME *issuer_name = X509_get_issuer_name(x509); + /* get the length of the name */ +- len = i2d_X509_NAME(x509->cert_info->issuer, NULL); ++ len = i2d_X509_NAME(issuer_name, NULL); + name = vmalloc(len); + if (name == NULL) + goto error; + + /* get the name */ + bp = (unsigned char *) name->v; +- len = i2d_X509_NAME(x509->cert_info->issuer, &bp); ++ len = i2d_X509_NAME(issuer_name, &bp); + + X509_free(x509); + +@@ -850,7 +858,7 @@ eay_check_x509sign(source, sig, cert) + return -1; + } + +- res = eay_rsa_verify(source, sig, evp->pkey.rsa); ++ res = eay_rsa_verify(source, sig, EVP_PKEY_get0_RSA(evp)); + + EVP_PKEY_free(evp); + X509_free(x509); +@@ -992,7 +1000,7 @@ eay_get_x509sign(src, privkey) + if (evp == NULL) + return NULL; + +- sig = eay_rsa_sign(src, evp->pkey.rsa); ++ sig = eay_rsa_sign(src, EVP_PKEY_get0_RSA(evp)); + + EVP_PKEY_free(evp); + +@@ -1079,7 +1087,11 @@ eay_strerror() + int line, flags; + unsigned long es; + ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ es = 0; /* even when allowed by OPENSSL_API_COMPAT, it is defined as 0 */ ++#else + es = CRYPTO_thread_id(); ++#endif + + while ((l = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0){ + n = snprintf(ebuf + len, sizeof(ebuf) - len, +@@ -1100,7 +1112,7 @@ vchar_t * + evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc) + { + vchar_t *res; +- EVP_CIPHER_CTX ctx; ++ EVP_CIPHER_CTX *ctx; + + if (!e) + return NULL; +@@ -1111,7 +1123,7 @@ evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc + if ((res = vmalloc(data->l)) == NULL) + return NULL; + +- EVP_CIPHER_CTX_init(&ctx); ++ ctx = EVP_CIPHER_CTX_new(); + + switch(EVP_CIPHER_nid(e)){ + case NID_bf_cbc: +@@ -1125,54 +1137,41 @@ evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc + /* XXX: can we do that also for algos with a fixed key size ? + */ + /* init context without key/iv +- */ +- if (!EVP_CipherInit(&ctx, e, NULL, NULL, enc)) +- { +- OpenSSL_BUG(); +- vfree(res); +- return NULL; +- } ++ */ ++ if (!EVP_CipherInit(ctx, e, NULL, NULL, enc)) ++ goto out; + +- /* update key size +- */ +- if (!EVP_CIPHER_CTX_set_key_length(&ctx, key->l)) +- { +- OpenSSL_BUG(); +- vfree(res); +- return NULL; +- } +- +- /* finalize context init with desired key size +- */ +- if (!EVP_CipherInit(&ctx, NULL, (u_char *) key->v, ++ /* update key size ++ */ ++ if (!EVP_CIPHER_CTX_set_key_length(ctx, key->l)) ++ goto out; ++ ++ /* finalize context init with desired key size ++ */ ++ if (!EVP_CipherInit(ctx, NULL, (u_char *) key->v, + (u_char *) iv->v, enc)) +- { +- OpenSSL_BUG(); +- vfree(res); +- return NULL; +- } ++ goto out; + break; + default: +- if (!EVP_CipherInit(&ctx, e, (u_char *) key->v, +- (u_char *) iv->v, enc)) { +- OpenSSL_BUG(); +- vfree(res); +- return NULL; +- } ++ if (!EVP_CipherInit(ctx, e, (u_char *) key->v, ++ (u_char *) iv->v, enc)) ++ goto out; + } + + /* disable openssl padding */ +- EVP_CIPHER_CTX_set_padding(&ctx, 0); ++ EVP_CIPHER_CTX_set_padding(ctx, 0); + +- if (!EVP_Cipher(&ctx, (u_char *) res->v, (u_char *) data->v, data->l)) { +- OpenSSL_BUG(); +- vfree(res); +- return NULL; +- } ++ if (!EVP_Cipher(ctx, (u_char *) res->v, (u_char *) data->v, data->l)) ++ goto out; + +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_free(ctx); + + return res; ++out: ++ EVP_CIPHER_CTX_free(ctx); ++ OpenSSL_BUG(); ++ vfree(res); ++ return NULL; + } + + int +@@ -1230,7 +1229,7 @@ eay_des_keylen(len) + return evp_keylen(len, EVP_des_cbc()); + } + +-#ifdef HAVE_OPENSSL_IDEA_H ++#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA) + /* + * IDEA-CBC + */ +@@ -1587,7 +1586,7 @@ eay_aes_keylen(len) + return len; + } + +-#if defined(HAVE_OPENSSL_CAMELLIA_H) ++#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA) + /* + * CAMELLIA-CBC + */ +@@ -1680,9 +1679,9 @@ eay_hmac_init(key, md) + vchar_t *key; + const EVP_MD *md; + { +- HMAC_CTX *c = racoon_malloc(sizeof(*c)); ++ HMAC_CTX *c = HMAC_CTX_new(); + +- HMAC_Init(c, key->v, key->l, md); ++ HMAC_Init_ex(c, key->v, key->l, md, NULL); + + return (caddr_t)c; + } +@@ -1761,8 +1760,7 @@ eay_hmacsha2_512_final(c) + + HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l); + res->l = l; +- HMAC_cleanup((HMAC_CTX *)c); +- (void)racoon_free(c); ++ HMAC_CTX_free((HMAC_CTX *)c); + + if (SHA512_DIGEST_LENGTH != res->l) { + plog(LLV_ERROR, LOCATION, NULL, +@@ -1811,8 +1809,7 @@ eay_hmacsha2_384_final(c) + + HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l); + res->l = l; +- HMAC_cleanup((HMAC_CTX *)c); +- (void)racoon_free(c); ++ HMAC_CTX_free((HMAC_CTX *)c); + + if (SHA384_DIGEST_LENGTH != res->l) { + plog(LLV_ERROR, LOCATION, NULL, +@@ -1861,8 +1858,7 @@ eay_hmacsha2_256_final(c) + + HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l); + res->l = l; +- HMAC_cleanup((HMAC_CTX *)c); +- (void)racoon_free(c); ++ HMAC_CTX_free((HMAC_CTX *)c); + + if (SHA256_DIGEST_LENGTH != res->l) { + plog(LLV_ERROR, LOCATION, NULL, +@@ -1912,8 +1908,7 @@ eay_hmacsha1_final(c) + + HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l); + res->l = l; +- HMAC_cleanup((HMAC_CTX *)c); +- (void)racoon_free(c); ++ HMAC_CTX_free((HMAC_CTX *)c); + + if (SHA_DIGEST_LENGTH != res->l) { + plog(LLV_ERROR, LOCATION, NULL, +@@ -1962,8 +1957,7 @@ eay_hmacmd5_final(c) + + HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l); + res->l = l; +- HMAC_cleanup((HMAC_CTX *)c); +- (void)racoon_free(c); ++ HMAC_CTX_free((HMAC_CTX *)c); + + if (MD5_DIGEST_LENGTH != res->l) { + plog(LLV_ERROR, LOCATION, NULL, +@@ -2266,6 +2260,7 @@ eay_dh_generate(prime, g, publen, pub, priv) + u_int32_t g; + { + BIGNUM *p = NULL; ++ BIGNUM *BNg = NULL; + DH *dh = NULL; + int error = -1; + +@@ -2276,25 +2271,28 @@ eay_dh_generate(prime, g, publen, pub, priv) + + if ((dh = DH_new()) == NULL) + goto end; +- dh->p = p; +- p = NULL; /* p is now part of dh structure */ +- dh->g = NULL; +- if ((dh->g = BN_new()) == NULL) ++ if ((BNg = BN_new()) == NULL) + goto end; +- if (!BN_set_word(dh->g, g)) ++ if (!BN_set_word(BNg, g)) + goto end; ++ if (! DH_set0_pqg(dh, p, NULL, BNg)) ++ goto end; ++ BNg = NULL; ++ p = NULL; /* p is now part of dh structure */ + + if (publen != 0) +- dh->length = publen; ++ DH_set_length(dh, publen); + + /* generate public and private number */ + if (!DH_generate_key(dh)) + goto end; + + /* copy results to buffers */ +- if (eay_bn2v(pub, dh->pub_key) < 0) ++ BIGNUM *pub_key, *priv_key; ++ DH_get0_key(dh, (const BIGNUM**) &pub_key, (const BIGNUM**) &priv_key); ++ if (eay_bn2v(pub, pub_key) < 0) + goto end; +- if (eay_bn2v(priv, dh->priv_key) < 0) { ++ if (eay_bn2v(priv, priv_key) < 0) { + vfree(*pub); + goto end; + } +@@ -2306,6 +2304,8 @@ end: + DH_free(dh); + if (p != 0) + BN_free(p); ++ if (BNg != 0) ++ BN_free(BNg); + return(error); + } + +@@ -2319,6 +2319,10 @@ eay_dh_compute(prime, g, pub, priv, pub2, key) + int l; + unsigned char *v = NULL; + int error = -1; ++ BIGNUM *p = BN_new(); ++ BIGNUM *BNg = BN_new(); ++ BIGNUM *pub_key = BN_new(); ++ BIGNUM *priv_key = BN_new(); + + /* make public number to compute */ + if (eay_v2bn(&dh_pub, pub2) < 0) +@@ -2327,19 +2331,21 @@ eay_dh_compute(prime, g, pub, priv, pub2, key) + /* make DH structure */ + if ((dh = DH_new()) == NULL) + goto end; +- if (eay_v2bn(&dh->p, prime) < 0) ++ if (p == NULL || BNg == NULL || pub_key == NULL || priv_key == NULL) + goto end; +- if (eay_v2bn(&dh->pub_key, pub) < 0) ++ ++ if (eay_v2bn(&p, prime) < 0) + goto end; +- if (eay_v2bn(&dh->priv_key, priv) < 0) ++ if (eay_v2bn(&pub_key, pub) < 0) + goto end; +- dh->length = pub2->l * 8; +- +- dh->g = NULL; +- if ((dh->g = BN_new()) == NULL) ++ if (eay_v2bn(&priv_key, priv) < 0) + goto end; +- if (!BN_set_word(dh->g, g)) ++ if (!BN_set_word(BNg, g)) + goto end; ++ DH_set0_key(dh, pub_key, priv_key); ++ DH_set_length(dh, pub2->l * 8); ++ DH_set0_pqg(dh, p, NULL, BNg); ++ pub_key = priv_key = p = BNg = NULL; + + if ((v = racoon_calloc(prime->l, sizeof(u_char))) == NULL) + goto end; +@@ -2350,6 +2356,14 @@ eay_dh_compute(prime, g, pub, priv, pub2, key) + error = 0; + + end: ++ if (p != NULL) ++ BN_free(p); ++ if (BNg != NULL) ++ BN_free(BNg); ++ if (pub_key != NULL) ++ BN_free(pub_key); ++ if (priv_key != NULL) ++ BN_free(priv_key); + if (dh_pub != NULL) + BN_free(dh_pub); + if (dh != NULL) +@@ -2400,12 +2414,14 @@ eay_bn2v(var, bn) + void + eay_init() + { ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + OpenSSL_add_all_algorithms(); + ERR_load_crypto_strings(); + #ifdef HAVE_OPENSSL_ENGINE_H + ENGINE_load_builtin_engines(); + ENGINE_register_all_complete(); + #endif ++#endif + } + + vchar_t * +@@ -2504,8 +2520,7 @@ binbuf_pubkey2rsa(vchar_t *binbuf) + goto out; + } + +- rsa_pub->n = mod; +- rsa_pub->e = exp; ++ RSA_set0_key(rsa_pub, mod, exp, NULL); + + out: + return rsa_pub; +@@ -2582,5 +2597,5 @@ eay_random() + const char * + eay_version() + { +- return SSLeay_version(SSLEAY_VERSION); ++ return OpenSSL_version(OPENSSL_VERSION); + } +diff --git a/src/racoon/crypto_openssl.h b/src/racoon/crypto_openssl.h +index 66fac73..ee5b765 100644 +--- a/src/racoon/crypto_openssl.h ++++ b/src/racoon/crypto_openssl.h +@@ -124,7 +124,7 @@ extern vchar_t *eay_aes_decrypt __P((vchar_t *, vchar_t *, vchar_t *)); + extern int eay_aes_weakkey __P((vchar_t *)); + extern int eay_aes_keylen __P((int)); + +-#if defined(HAVE_OPENSSL_CAMELLIA_H) ++#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA) + /* Camellia */ + extern vchar_t *eay_camellia_encrypt __P((vchar_t *, vchar_t *, vchar_t *)); + extern vchar_t *eay_camellia_decrypt __P((vchar_t *, vchar_t *, vchar_t *)); +diff --git a/src/racoon/eaytest.c b/src/racoon/eaytest.c +index 1474bdc..ae09db3 100644 +--- a/src/racoon/eaytest.c ++++ b/src/racoon/eaytest.c +@@ -62,6 +62,7 @@ + #include "dhgroup.h" + #include "crypto_openssl.h" + #include "gnuc.h" ++#include "openssl_compat.h" + + #include "package_version.h" + +@@ -103,7 +104,7 @@ rsa_verify_with_pubkey(src, sig, pubkey_txt) + printf ("PEM_read_PUBKEY(): %s\n", eay_strerror()); + return -1; + } +- error = eay_check_rsasign(src, sig, evp->pkey.rsa); ++ error = eay_check_rsasign(src, sig, EVP_PKEY_get0_RSA(evp)); + + return error; + } +@@ -698,7 +699,7 @@ ciphertest(ac, av) + eay_cast_encrypt, eay_cast_decrypt) < 0) + return -1; + +-#ifdef HAVE_OPENSSL_IDEA_H ++#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA) + if (ciphertest_1 ("IDEA", + &data, 8, + &key, key.l, +@@ -715,7 +716,7 @@ ciphertest(ac, av) + eay_rc5_encrypt, eay_rc5_decrypt) < 0) + return -1; + #endif +-#if defined(HAVE_OPENSSL_CAMELLIA_H) ++#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA) + if (ciphertest_1 ("CAMELLIA", + &data, 16, + &key, key.l, +diff --git a/src/racoon/ipsec_doi.c b/src/racoon/ipsec_doi.c +index 84a4c71..b52469f 100644 +--- a/src/racoon/ipsec_doi.c ++++ b/src/racoon/ipsec_doi.c +@@ -715,7 +715,7 @@ out: + /* key length must not be specified on some algorithms */ + if (keylen) { + if (sa->enctype == OAKLEY_ATTR_ENC_ALG_DES +-#ifdef HAVE_OPENSSL_IDEA_H ++#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA) + || sa->enctype == OAKLEY_ATTR_ENC_ALG_IDEA + #endif + || sa->enctype == OAKLEY_ATTR_ENC_ALG_3DES) { +diff --git a/src/racoon/openssl_compat.c b/src/racoon/openssl_compat.c +new file mode 100644 +index 0000000..864b5fb +--- /dev/null ++++ b/src/racoon/openssl_compat.c +@@ -0,0 +1,213 @@ ++/* ++ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the OpenSSL license (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include "openssl_compat.h" ++ ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ ++#include <string.h> ++ ++static void *OPENSSL_zalloc(size_t num) ++{ ++ void *ret = OPENSSL_malloc(num); ++ ++ if (ret != NULL) ++ memset(ret, 0, num); ++ return ret; ++} ++ ++int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) ++{ ++ /* If the fields n and e in r are NULL, the corresponding input ++ * parameters MUST be non-NULL for n and e. d may be ++ * left NULL (in case only the public key is used). ++ */ ++ if ((r->n == NULL && n == NULL) ++ || (r->e == NULL && e == NULL)) ++ return 0; ++ ++ if (n != NULL) { ++ BN_free(r->n); ++ r->n = n; ++ } ++ if (e != NULL) { ++ BN_free(r->e); ++ r->e = e; ++ } ++ if (d != NULL) { ++ BN_free(r->d); ++ r->d = d; ++ } ++ ++ return 1; ++} ++ ++int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) ++{ ++ /* If the fields p and q in r are NULL, the corresponding input ++ * parameters MUST be non-NULL. ++ */ ++ if ((r->p == NULL && p == NULL) ++ || (r->q == NULL && q == NULL)) ++ return 0; ++ ++ if (p != NULL) { ++ BN_free(r->p); ++ r->p = p; ++ } ++ if (q != NULL) { ++ BN_free(r->q); ++ r->q = q; ++ } ++ ++ return 1; ++} ++ ++int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) ++{ ++ /* If the fields dmp1, dmq1 and iqmp in r are NULL, the corresponding input ++ * parameters MUST be non-NULL. ++ */ ++ if ((r->dmp1 == NULL && dmp1 == NULL) ++ || (r->dmq1 == NULL && dmq1 == NULL) ++ || (r->iqmp == NULL && iqmp == NULL)) ++ return 0; ++ ++ if (dmp1 != NULL) { ++ BN_free(r->dmp1); ++ r->dmp1 = dmp1; ++ } ++ if (dmq1 != NULL) { ++ BN_free(r->dmq1); ++ r->dmq1 = dmq1; ++ } ++ if (iqmp != NULL) { ++ BN_free(r->iqmp); ++ r->iqmp = iqmp; ++ } ++ ++ return 1; ++} ++ ++void RSA_get0_key(const RSA *r, ++ const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) ++{ ++ if (n != NULL) ++ *n = r->n; ++ if (e != NULL) ++ *e = r->e; ++ if (d != NULL) ++ *d = r->d; ++} ++ ++void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) ++{ ++ if (p != NULL) ++ *p = r->p; ++ if (q != NULL) ++ *q = r->q; ++} ++ ++void RSA_get0_crt_params(const RSA *r, ++ const BIGNUM **dmp1, const BIGNUM **dmq1, ++ const BIGNUM **iqmp) ++{ ++ if (dmp1 != NULL) ++ *dmp1 = r->dmp1; ++ if (dmq1 != NULL) ++ *dmq1 = r->dmq1; ++ if (iqmp != NULL) ++ *iqmp = r->iqmp; ++} ++ ++int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) ++{ ++ /* If the fields p and g in d are NULL, the corresponding input ++ * parameters MUST be non-NULL. q may remain NULL. ++ */ ++ if ((dh->p == NULL && p == NULL) ++ || (dh->g == NULL && g == NULL)) ++ return 0; ++ ++ if (p != NULL) { ++ BN_free(dh->p); ++ dh->p = p; ++ } ++ if (q != NULL) { ++ BN_free(dh->q); ++ dh->q = q; ++ } ++ if (g != NULL) { ++ BN_free(dh->g); ++ dh->g = g; ++ } ++ ++ if (q != NULL) { ++ dh->length = BN_num_bits(q); ++ } ++ ++ return 1; ++} ++ ++void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key) ++{ ++ if (pub_key != NULL) ++ *pub_key = dh->pub_key; ++ if (priv_key != NULL) ++ *priv_key = dh->priv_key; ++} ++ ++int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) ++{ ++ /* If the field pub_key in dh is NULL, the corresponding input ++ * parameters MUST be non-NULL. The priv_key field may ++ * be left NULL. ++ */ ++ if (dh->pub_key == NULL && pub_key == NULL) ++ return 0; ++ ++ if (pub_key != NULL) { ++ BN_free(dh->pub_key); ++ dh->pub_key = pub_key; ++ } ++ if (priv_key != NULL) { ++ BN_free(dh->priv_key); ++ dh->priv_key = priv_key; ++ } ++ ++ return 1; ++} ++ ++int DH_set_length(DH *dh, long length) ++{ ++ dh->length = length; ++ return 1; ++} ++ ++HMAC_CTX *HMAC_CTX_new(void) ++{ ++ return OPENSSL_zalloc(sizeof(HMAC_CTX)); ++} ++ ++void HMAC_CTX_free(HMAC_CTX *ctx) ++{ ++ HMAC_CTX_cleanup(ctx); ++ OPENSSL_free(ctx); ++} ++ ++RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey) ++{ ++ if (pkey->type != EVP_PKEY_RSA) { ++ return NULL; ++ } ++ return pkey->pkey.rsa; ++} ++ ++ ++#endif /* OPENSSL_VERSION_NUMBER */ +diff --git a/src/racoon/openssl_compat.h b/src/racoon/openssl_compat.h +new file mode 100644 +index 0000000..9e152c2 +--- /dev/null ++++ b/src/racoon/openssl_compat.h +@@ -0,0 +1,45 @@ ++#ifndef OPENSSL_COMPAT_H ++#define OPENSSL_COMPAT_H ++ ++#include <openssl/opensslv.h> ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ ++#include <openssl/rsa.h> ++#include <openssl/dh.h> ++#include <openssl/evp.h> ++#include <openssl/hmac.h> ++ ++int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d); ++int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q); ++int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp); ++void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d); ++void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q); ++void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, const BIGNUM **iqmp); ++ ++int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g); ++void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key); ++int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key); ++int DH_set_length(DH *dh, long length); ++ ++HMAC_CTX *HMAC_CTX_new(void); ++void HMAC_CTX_free(HMAC_CTX* ctx); ++ ++RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey); ++ ++#define ASN1_STRING_length(s) s->length ++#define ASN1_STRING_get0_data(s) s->data ++ ++#define X509_get_subject_name(x) x->cert_info->subject ++#define X509_get_issuer_name(x) x->cert_info->issuer ++#define X509_NAME_ENTRY_get_data(n) n->value ++#define X509_NAME_ENTRY_get_object(n) n->object ++#define X509_STORE_CTX_get_current_cert(ctx) ctx->current_cert ++#define X509_STORE_CTX_get_error(ctx) ctx->error ++#define X509_STORE_CTX_get_error_depth(ctx) ctx->error_depth ++ ++#define OPENSSL_VERSION SSLEAY_VERSION ++#define OpenSSL_version SSLeay_version ++ ++#endif /* OPENSSL_VERSION_NUMBER */ ++ ++#endif /* OPENSSL_COMPAT_H */ +diff --git a/src/racoon/plainrsa-gen.c b/src/racoon/plainrsa-gen.c +index cad1861..b949b08 100644 +--- a/src/racoon/plainrsa-gen.c ++++ b/src/racoon/plainrsa-gen.c +@@ -60,6 +60,7 @@ + #include "vmbuf.h" + #include "plog.h" + #include "crypto_openssl.h" ++#include "openssl_compat.h" + + #include "package_version.h" + +@@ -90,12 +91,14 @@ mix_b64_pubkey(const RSA *key) + char *binbuf; + long binlen, ret; + vchar_t *res; +- +- binlen = 1 + BN_num_bytes(key->e) + BN_num_bytes(key->n); ++ const BIGNUM *e, *n; ++ ++ RSA_get0_key(key, &n, &e, NULL); ++ binlen = 1 + BN_num_bytes(e) + BN_num_bytes(n); + binbuf = malloc(binlen); + memset(binbuf, 0, binlen); +- binbuf[0] = BN_bn2bin(key->e, (unsigned char *) &binbuf[1]); +- ret = BN_bn2bin(key->n, (unsigned char *) (&binbuf[binbuf[0] + 1])); ++ binbuf[0] = BN_bn2bin(e, (unsigned char *) &binbuf[1]); ++ ret = BN_bn2bin(n, (unsigned char *) (&binbuf[binbuf[0] + 1])); + if (1 + binbuf[0] + ret != binlen) { + plog(LLV_ERROR, LOCATION, NULL, + "Pubkey generation failed. This is really strange...\n"); +@@ -131,16 +134,20 @@ print_rsa_key(FILE *fp, const RSA *key) + + fprintf(fp, "# : PUB 0s%s\n", pubkey64->v); + fprintf(fp, ": RSA\t{\n"); +- fprintf(fp, "\t# RSA %d bits\n", BN_num_bits(key->n)); ++ const BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp; ++ RSA_get0_key(key, &n, &e, &d); ++ RSA_get0_factors(key, &p, &q); ++ RSA_get0_crt_params(key, &dmp1, &dmq1, &iqmp); ++ fprintf(fp, "\t# RSA %d bits\n", BN_num_bits(n)); + fprintf(fp, "\t# pubkey=0s%s\n", pubkey64->v); +- fprintf(fp, "\tModulus: 0x%s\n", lowercase(BN_bn2hex(key->n))); +- fprintf(fp, "\tPublicExponent: 0x%s\n", lowercase(BN_bn2hex(key->e))); +- fprintf(fp, "\tPrivateExponent: 0x%s\n", lowercase(BN_bn2hex(key->d))); +- fprintf(fp, "\tPrime1: 0x%s\n", lowercase(BN_bn2hex(key->p))); +- fprintf(fp, "\tPrime2: 0x%s\n", lowercase(BN_bn2hex(key->q))); +- fprintf(fp, "\tExponent1: 0x%s\n", lowercase(BN_bn2hex(key->dmp1))); +- fprintf(fp, "\tExponent2: 0x%s\n", lowercase(BN_bn2hex(key->dmq1))); +- fprintf(fp, "\tCoefficient: 0x%s\n", lowercase(BN_bn2hex(key->iqmp))); ++ fprintf(fp, "\tModulus: 0x%s\n", lowercase(BN_bn2hex(n))); ++ fprintf(fp, "\tPublicExponent: 0x%s\n", lowercase(BN_bn2hex(e))); ++ fprintf(fp, "\tPrivateExponent: 0x%s\n", lowercase(BN_bn2hex(d))); ++ fprintf(fp, "\tPrime1: 0x%s\n", lowercase(BN_bn2hex(p))); ++ fprintf(fp, "\tPrime2: 0x%s\n", lowercase(BN_bn2hex(q))); ++ fprintf(fp, "\tExponent1: 0x%s\n", lowercase(BN_bn2hex(dmp1))); ++ fprintf(fp, "\tExponent2: 0x%s\n", lowercase(BN_bn2hex(dmq1))); ++ fprintf(fp, "\tCoefficient: 0x%s\n", lowercase(BN_bn2hex(iqmp))); + fprintf(fp, " }\n"); + + vfree(pubkey64); +@@ -203,11 +210,13 @@ int + gen_rsa_key(FILE *fp, size_t bits, unsigned long exp) + { + int ret; +- RSA *key; ++ RSA *key = RSA_new(); ++ BIGNUM *e = BN_new(); + +- key = RSA_generate_key(bits, exp, NULL, NULL); +- if (!key) { ++ BN_set_word(e, exp); ++ if (! RSA_generate_key_ex(key, bits, e, NULL)) { + fprintf(stderr, "RSA_generate_key(): %s\n", eay_strerror()); ++ RSA_free(key); + return -1; + } + +diff --git a/src/racoon/prsa_par.y b/src/racoon/prsa_par.y +index 1987e4d..27ce4c6 100644 +--- a/src/racoon/prsa_par.y ++++ b/src/racoon/prsa_par.y +@@ -68,6 +68,7 @@ + #include "isakmp_var.h" + #include "handler.h" + #include "crypto_openssl.h" ++#include "openssl_compat.h" + #include "sockmisc.h" + #include "rsalist.h" + +@@ -85,7 +86,18 @@ char *prsa_cur_fname = NULL; + struct genlist *prsa_cur_list = NULL; + enum rsa_key_type prsa_cur_type = RSA_TYPE_ANY; + +-static RSA *rsa_cur; ++struct my_rsa_st { ++ BIGNUM *n; ++ BIGNUM *e; ++ BIGNUM *d; ++ BIGNUM *p; ++ BIGNUM *q; ++ BIGNUM *dmp1; ++ BIGNUM *dmq1; ++ BIGNUM *iqmp; ++}; ++ ++static struct my_rsa_st *rsa_cur; + + void + prsaerror(const char *s, ...) +@@ -201,8 +213,12 @@ rsa_statement: + rsa_cur->iqmp = NULL; + } + } +- $$ = rsa_cur; +- rsa_cur = RSA_new(); ++ RSA * rsa_tmp = RSA_new(); ++ RSA_set0_key(rsa_tmp, rsa_cur->n, rsa_cur->e, rsa_cur->d); ++ RSA_set0_factors(rsa_tmp, rsa_cur->p, rsa_cur->q); ++ RSA_set0_crt_params(rsa_tmp, rsa_cur->dmp1, rsa_cur->dmq1, rsa_cur->iqmp); ++ $$ = rsa_tmp; ++ memset(rsa_cur, 0, sizeof(struct my_rsa_st)); + } + | TAG_PUB BASE64 + { +@@ -351,10 +367,12 @@ prsa_parse_file(struct genlist *list, char *fname, enum rsa_key_type type) + prsa_cur_fname = fname; + prsa_cur_list = list; + prsa_cur_type = type; +- rsa_cur = RSA_new(); ++ rsa_cur = malloc(sizeof(struct my_rsa_st)); ++ memset(rsa_cur, 0, sizeof(struct my_rsa_st)); + ret = prsaparse(); + if (rsa_cur) { +- RSA_free(rsa_cur); ++ memset(rsa_cur, 0, sizeof(struct my_rsa_st)); ++ free(rsa_cur); + rsa_cur = NULL; + } + fclose (fp); +diff --git a/src/racoon/rsalist.c b/src/racoon/rsalist.c +index f152c82..96e8363 100644 +--- a/src/racoon/rsalist.c ++++ b/src/racoon/rsalist.c +@@ -52,6 +52,7 @@ + #include "genlist.h" + #include "remoteconf.h" + #include "crypto_openssl.h" ++#include "openssl_compat.h" + + #ifndef LIST_FIRST + #define LIST_FIRST(head) ((head)->lh_first) +@@ -98,7 +99,9 @@ rsa_key_dup(struct rsa_key *key) + return NULL; + + if (key->rsa) { +- new->rsa = key->rsa->d != NULL ? RSAPrivateKey_dup(key->rsa) : RSAPublicKey_dup(key->rsa); ++ const BIGNUM *d; ++ RSA_get0_key(key->rsa, NULL, NULL, &d); ++ new->rsa = (d != NULL ? RSAPrivateKey_dup(key->rsa) : RSAPublicKey_dup(key->rsa)); + if (new->rsa == NULL) + goto dup_error; + } +-- +2.16.1 + diff --git a/net-vpn/ipsec-tools/ipsec-tools-0.8.2-r5.ebuild b/net-vpn/ipsec-tools/ipsec-tools-0.8.2-r5.ebuild index 1fd2ccbcc73f..1355050b3636 100644 --- a/net-vpn/ipsec-tools/ipsec-tools-0.8.2-r5.ebuild +++ b/net-vpn/ipsec-tools/ipsec-tools-0.8.2-r5.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2016 Gentoo Foundation +# Copyright 1999-2019 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI="6" @@ -188,7 +188,7 @@ src_prepare() { eapply "${FILESDIR}/${PN}-include-vendoridh.patch" eapply "${FILESDIR}"/${PN}-0.8.0-sysctl.patch #425770 eapply "${FILESDIR}"/${PN}-CVE-2015-4047.patch - + eapply "${FILESDIR}"/${PN}-add-openssl-1.1.x-support.patch AT_M4DIR="${S}" eautoreconf eapply_user diff --git a/net-vpn/openconnect/Manifest b/net-vpn/openconnect/Manifest index 44b031fbd538..241c650cfa6b 100644 --- a/net-vpn/openconnect/Manifest +++ b/net-vpn/openconnect/Manifest @@ -12,6 +12,6 @@ DIST vpnc-scripts-20190611.tar.gz 21439 BLAKE2B 8388cc3f4b795588bed146cf5e6be33f EBUILD openconnect-7.08-r1.ebuild 3720 BLAKE2B 8fff58b2aa115deab2eb95cc397ec5cfb97fa196320a48439484ffda5aa63fe5a057f26ed56e4ee27506f446432ed4c8c738e0834f7ac4f77395427e18bc0456 SHA512 0b6c4e0590b5de04fad4be0b08306bca4359812f6521cdbd5ced8c83567591b5ed32761d9d9562c1b784203eda0f323046b79c40f91bbd2adfa835cf4e3ee672 EBUILD openconnect-8.02.ebuild 3637 BLAKE2B 9ed3a5704bf71fb5267b130b81474cbedecdbbd4f8d581d13e0c34de89669045412b3a902d1c6612af0f2f88b57457453aaa31e252b2e3ff63f4cf4aabe9f503 SHA512 8d6aea2fd2d98bc8c2efdf1ebb3c5762c1b702a9c9c197cc0d9e54788c29e13d7bf5cd684aa7f731b6dc0908544e6c5a3ef9a32981ea4177022feacc20a982df EBUILD openconnect-8.03.ebuild 3652 BLAKE2B 68b4751d07f76012a0d9d8bc82b95964ea7a07ea22cab13cb1341b0b135bef7d2130996b595bafe169d1fd2c762a72f19fb2a5691b84d0921ea2d96f39b65da7 SHA512 97fa1d1e602f167e38d2975feb8e360edc73971867056beb2460c953de3384d5f907c0bb3e98e64ef51a85d1c96f28316bc474d34e1ead3fbf512c35140c868a -EBUILD openconnect-8.05.ebuild 3648 BLAKE2B 78bee0588b9c732c8981109f23cb0857e3f7a340fa0637bf8ab6c0ef7ad4e27a385f15703007dd06741dc9594fdaf34f4153b89b5c4b49863c4bd3b342207d59 SHA512 6f1228f2a90d84ebaab8594704bd923e7bbda6db30c7053ca3fe655be5346ba97a93f70fbfec844b529daafb2e11e0f5cc230f3030ed43d10f987aefc6636042 +EBUILD openconnect-8.05.ebuild 3647 BLAKE2B e0b20122e71045793dbfcb66c56c47037169e9fe9a07daf37ed006c3ca545790c884d35dd26c52599ea50aeb234cc0738534a054da2c887151b9aae0dee9c09f SHA512 d7e59bf715b70d393f13074acff9293f31c1ec29553a08cec3de309acc9bcac00c3381051fe4376ef34c0ffd9fb28c4ceaf72cee346ecc86b7965e871f7a7854 EBUILD openconnect-9999.ebuild 3652 BLAKE2B ac70d76584cd14439234b062d36cf5ddb845b1afacebc918c5a192b34e323870c42784817513a396349389156a4c06cf6879f0fc4013150bf104bc3446c8cd8f SHA512 dd769d358266f197be0edacba22863db42fb4f47752955e984579fbfee403fb12f26529e8c29a36ff96542eaeacaa920593824bfed630568b389ec7775224b92 MISC metadata.xml 581 BLAKE2B 488e0e33a9dd9a0fd7565b64928544f1aaa2c7f75967727a6f92d6757ebe180346ddd50e0359c53d408165fafa69e2443fbfc554dfbc2f3681773eb38d812127 SHA512 f59ce889438b4d5398c30a0f733abd17706b98acb583be80cbc1dce235f851671d6d2486c53d211176c97ca326233d3175d061a3862f416397fa7b75463d2de5 diff --git a/net-vpn/openconnect/openconnect-8.05.ebuild b/net-vpn/openconnect/openconnect-8.05.ebuild index 61a28e66bad7..1288c9d12a72 100644 --- a/net-vpn/openconnect/openconnect-8.05.ebuild +++ b/net-vpn/openconnect/openconnect-8.05.ebuild @@ -13,7 +13,7 @@ if [[ ${PV} == 9999 ]]; then inherit git-r3 autotools else ARCHIVE_URI="ftp://ftp.infradead.org/pub/${PN}/${P}.tar.gz" - KEYWORDS="amd64 ~arm arm64 ppc64 x86" + KEYWORDS="amd64 arm arm64 ppc64 x86" fi VPNC_VER=20190611 SRC_URI="${ARCHIVE_URI} diff --git a/net-vpn/strongswan/Manifest b/net-vpn/strongswan/Manifest index 314384bb04b3..76372becd788 100644 --- a/net-vpn/strongswan/Manifest +++ b/net-vpn/strongswan/Manifest @@ -1,4 +1,6 @@ AUX ipsec 451 BLAKE2B deb3fff7043e04c1630119bb0cbbd6fa9b6f15666131ac9744a32d35cf3bc0629fe99cf9936b9cdb464627c1a8c121b8485f164166efda428825a55aab557d18 SHA512 d11ccc36ee89df5974547441fdb6c539dd3a7a5e235e318c1beddca7d4f5cace857f2dc75752e6fa913177eec9c3afcbed52de5bc08e8c314096d439cbc3bc6c DIST strongswan-5.7.2.tar.bz2 4997818 BLAKE2B e5a160ea8d31ae14c9731e414e42653ecb12f259fbe76ec7289f44afe5687f4123d89750a8f57c9ea006aec7f0be28e0f0c56d6c0a4bc96f0e1ba69c29da904f SHA512 e2169dbbc0c03737e34af90d7bc07e444408c5e2ac1f81764eeccbac8b142b984ce9ed512a89071075a930e0997632267f6912aa5b352eee2edbd551b5a64e7e +DIST strongswan-5.8.1.tar.bz2 4517921 BLAKE2B 07a82309515a054b267a063fc0e2f49fd03d16b221b1ee26a33c8d367df140797320e1ef7007a39074e40c472022d941656b3ae93d2eb860152cdc5a5d3dbc8a SHA512 630d24643b3d61e931bb25cdd083ad3c55f92fe41f3fcd3198012eee486fb3b1a16dc3f80936162afb7da9e471d45d92b7d183a00153a558babb2a79e5f6813f EBUILD strongswan-5.7.2.ebuild 9449 BLAKE2B 41d9e5addd32f8fdc21cf241b0d5b6203b1d7d30d15e018a7f3aa432c9a177426316d6d67da50e6bcb4c06f0d2fef7f03a6868803524e44e5e327e53d45b6594 SHA512 dc7c9ef870d7d9945fea138d31b861ffc9eba28503734a70e8105fe0e50a970ac71d5ce6d8096268bb331c60d386f9cdba40832c81373b00e92d2f5533a10783 +EBUILD strongswan-5.8.1.ebuild 9518 BLAKE2B db4991eb7b6e43922688321d117f04e8490e54a0bbd0940e95d1e64c9d67f7afbf5d4b4dc0e91dcb14038aca24dbb5d56105f12d9eed1720db1a557e5b547860 SHA512 211ce40c3d861e4019812989efeebacb11ff1aee0710999a3c00a0988676b8bc893d35318c5fd9b2fdf5dd8d79321c1fd5db7a47e2f1e2b19adb2dd10238a72b MISC metadata.xml 4135 BLAKE2B 13739675c455765d7ce73df9744779636d36d3f93eee4567c931fb40e528e56d34912e26a82bd35e377fbd34613c0b7044841ff6c2dc26694187d0de355f8b86 SHA512 e09ef1afdf5002dab542312753cbce56e830b906aa5c5ac8fd5c7b57cbaf021eb0c466241cf810f446693b8dedd90f185f3e2c7a53a0b9a43e14913dcdd83b23 diff --git a/net-vpn/strongswan/strongswan-5.8.1.ebuild b/net-vpn/strongswan/strongswan-5.8.1.ebuild new file mode 100644 index 000000000000..58ef88965e76 --- /dev/null +++ b/net-vpn/strongswan/strongswan-5.8.1.ebuild @@ -0,0 +1,308 @@ +# Copyright 1999-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI="7" +inherit linux-info systemd user + +DESCRIPTION="IPsec-based VPN solution, supporting IKEv1/IKEv2 and MOBIKE" +HOMEPAGE="https://www.strongswan.org/" +SRC_URI="https://download.strongswan.org/${P}.tar.bz2" + +LICENSE="GPL-2 RSA DES" +SLOT="0" +KEYWORDS="~amd64 ~arm ~ppc ~ppc64 ~x86" +IUSE="+caps curl +constraints debug dhcp eap farp gcrypt +gmp ldap mysql networkmanager +non-root +openssl selinux sqlite systemd pam pkcs11" + +STRONGSWAN_PLUGINS_STD="led lookip systime-fix unity vici" +STRONGSWAN_PLUGINS_OPT="aesni blowfish ccm chapoly ctr forecast gcm ha ipseckey newhope ntru padlock rdrand save-keys unbound whitelist" +for mod in $STRONGSWAN_PLUGINS_STD; do + IUSE="${IUSE} +strongswan_plugins_${mod}" +done + +for mod in $STRONGSWAN_PLUGINS_OPT; do + IUSE="${IUSE} strongswan_plugins_${mod}" +done + +COMMON_DEPEND="!net-misc/openswan + gmp? ( >=dev-libs/gmp-4.1.5:= ) + gcrypt? ( dev-libs/libgcrypt:0 ) + caps? ( sys-libs/libcap ) + curl? ( net-misc/curl ) + ldap? ( net-nds/openldap ) + openssl? ( >=dev-libs/openssl-0.9.8:=[-bindist] ) + mysql? ( dev-db/mysql-connector-c:= ) + sqlite? ( >=dev-db/sqlite-3.3.1 ) + systemd? ( sys-apps/systemd ) + networkmanager? ( net-misc/networkmanager ) + pam? ( sys-libs/pam ) + strongswan_plugins_unbound? ( net-dns/unbound:= net-libs/ldns )" +DEPEND="${COMMON_DEPEND} + virtual/linux-sources + sys-kernel/linux-headers" +RDEPEND="${COMMON_DEPEND} + virtual/logger + sys-apps/iproute2 + !net-vpn/libreswan + selinux? ( sec-policy/selinux-ipsec )" + +UGID="ipsec" + +pkg_setup() { + linux-info_pkg_setup + + elog "Linux kernel version: ${KV_FULL}" + + if ! kernel_is -ge 2 6 16; then + eerror + eerror "This ebuild currently only supports ${PN} with the" + eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16." + eerror + fi + + if kernel_is -lt 2 6 34; then + ewarn + ewarn "IMPORTANT KERNEL NOTES: Please read carefully..." + ewarn + + if kernel_is -lt 2 6 29; then + ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to" + ewarn "include all required IPv6 modules even if you just intend" + ewarn "to run on IPv4 only." + ewarn + ewarn "This has been fixed with kernels >= 2.6.29." + ewarn + fi + + if kernel_is -lt 2 6 33; then + ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards" + ewarn "compliant implementation for SHA-2 HMAC support in ESP and" + ewarn "miss SHA384 and SHA512 HMAC support altogether." + ewarn + ewarn "If you need any of those features, please use kernel >= 2.6.33." + ewarn + fi + + if kernel_is -lt 2 6 34; then + ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only" + ewarn "ESP cipher is only included in kernels >= 2.6.34." + ewarn + ewarn "If you need it, please use kernel >= 2.6.34." + ewarn + fi + fi + + if use non-root; then + enewgroup ${UGID} + enewuser ${UGID} -1 -1 -1 ${UGID} + fi +} + +src_configure() { + local myconf="" + + if use non-root; then + myconf="${myconf} --with-user=${UGID} --with-group=${UGID}" + fi + + # If a user has already enabled db support, those plugins will + # most likely be desired as well. Besides they don't impose new + # dependencies and come at no cost (except for space). + if use mysql || use sqlite; then + myconf="${myconf} --enable-attr-sql --enable-sql" + fi + + # strongSwan builds and installs static libs by default which are + # useless to the user (and to strongSwan for that matter) because no + # header files or alike get installed... so disabling them is safe. + if use pam && use eap; then + myconf="${myconf} --enable-eap-gtc" + else + myconf="${myconf} --disable-eap-gtc" + fi + + for mod in $STRONGSWAN_PLUGINS_STD; do + if use strongswan_plugins_${mod}; then + myconf+=" --enable-${mod}" + fi + done + + for mod in $STRONGSWAN_PLUGINS_OPT; do + if use strongswan_plugins_${mod}; then + myconf+=" --enable-${mod}" + fi + done + + econf \ + --disable-static \ + --enable-ikev1 \ + --enable-ikev2 \ + --enable-swanctl \ + --enable-socket-dynamic \ + $(use_enable curl) \ + $(use_enable constraints) \ + $(use_enable ldap) \ + $(use_enable debug leak-detective) \ + $(use_enable dhcp) \ + $(use_enable eap eap-sim) \ + $(use_enable eap eap-sim-file) \ + $(use_enable eap eap-simaka-sql) \ + $(use_enable eap eap-simaka-pseudonym) \ + $(use_enable eap eap-simaka-reauth) \ + $(use_enable eap eap-identity) \ + $(use_enable eap eap-md5) \ + $(use_enable eap eap-aka) \ + $(use_enable eap eap-aka-3gpp2) \ + $(use_enable eap md4) \ + $(use_enable eap eap-mschapv2) \ + $(use_enable eap eap-radius) \ + $(use_enable eap eap-tls) \ + $(use_enable eap eap-ttls) \ + $(use_enable eap xauth-eap) \ + $(use_enable eap eap-dynamic) \ + $(use_enable farp) \ + $(use_enable gmp) \ + $(use_enable gcrypt) \ + $(use_enable mysql) \ + $(use_enable networkmanager nm) \ + $(use_enable openssl) \ + $(use_enable pam xauth-pam) \ + $(use_enable pkcs11) \ + $(use_enable sqlite) \ + $(use_enable systemd) \ + $(use_with caps capabilities libcap) \ + --with-piddir=/run \ + --with-systemdsystemunitdir="$(systemd_get_systemunitdir)" \ + ${myconf} +} + +src_install() { + emake DESTDIR="${D}" install + + if ! use systemd; then + rm -rf "${ED}"/lib/systemd || die + fi + + doinitd "${FILESDIR}"/ipsec + + local dir_ugid + if use non-root; then + fowners ${UGID}:${UGID} \ + /etc/ipsec.conf \ + /etc/strongswan.conf + + dir_ugid="${UGID}" + else + dir_ugid="root" + fi + + diropts -m 0750 -o ${dir_ugid} -g ${dir_ugid} + dodir /etc/ipsec.d \ + /etc/ipsec.d/aacerts \ + /etc/ipsec.d/acerts \ + /etc/ipsec.d/cacerts \ + /etc/ipsec.d/certs \ + /etc/ipsec.d/crls \ + /etc/ipsec.d/ocspcerts \ + /etc/ipsec.d/private \ + /etc/ipsec.d/reqs + + dodoc NEWS README TODO || die + + # shared libs are used only internally and there are no static libs, + # so it's safe to get rid of the .la files + find "${D}" -name '*.la' -delete || die "Failed to remove .la files." +} + +pkg_preinst() { + has_version "<net-vpn/strongswan-4.3.6-r1" + upgrade_from_leq_4_3_6=$(( !$? )) + + has_version "<net-vpn/strongswan-4.3.6-r1[-caps]" + previous_4_3_6_with_caps=$(( !$? )) +} + +pkg_postinst() { + if ! use openssl && ! use gcrypt; then + elog + elog "${PN} has been compiled without both OpenSSL and libgcrypt support." + elog "Please note that this might effect availability and speed of some" + elog "cryptographic features. You are advised to enable the OpenSSL plugin." + elif ! use openssl; then + elog + elog "${PN} has been compiled without the OpenSSL plugin. This might effect" + elog "availability and speed of some cryptographic features. There will be" + elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21," + elog "25, 26) and ECDSA." + fi + + if [[ $upgrade_from_leq_4_3_6 == 1 ]]; then + chmod 0750 "${ROOT}"/etc/ipsec.d \ + "${ROOT}"/etc/ipsec.d/aacerts \ + "${ROOT}"/etc/ipsec.d/acerts \ + "${ROOT}"/etc/ipsec.d/cacerts \ + "${ROOT}"/etc/ipsec.d/certs \ + "${ROOT}"/etc/ipsec.d/crls \ + "${ROOT}"/etc/ipsec.d/ocspcerts \ + "${ROOT}"/etc/ipsec.d/private \ + "${ROOT}"/etc/ipsec.d/reqs + + ewarn + ewarn "The default permissions for /etc/ipsec.d/* have been tightened for" + ewarn "security reasons. Your system installed directories have been" + ewarn "updated accordingly. Please check if necessary." + ewarn + + if [[ $previous_4_3_6_with_caps == 1 ]]; then + if ! use non-root; then + ewarn + ewarn "IMPORTANT: You previously had ${PN} installed without root" + ewarn "privileges because it was implied by the 'caps' USE flag." + ewarn "This has been changed. If you want ${PN} with user privileges," + ewarn "you have to re-emerge it with the 'non-root' USE flag enabled." + ewarn + fi + fi + fi + if ! use caps && ! use non-root; then + ewarn + ewarn "You have decided to run ${PN} with root privileges and built it" + ewarn "without support for POSIX capability dropping. It is generally" + ewarn "strongly suggested that you reconsider- especially if you intend" + ewarn "to run ${PN} as server with a public ip address." + ewarn + ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled." + ewarn + fi + if use non-root; then + elog + elog "${PN} has been installed without superuser privileges (USE=non-root)." + elog "This imposes several limitations mainly to the IKEv1 daemon 'pluto'" + elog "but also a few to the IKEv2 daemon 'charon'." + elog + elog "Please carefully read: http://wiki.strongswan.org/wiki/nonRoot" + elog + elog "pluto uses a helper script by default to insert/remove routing and" + elog "policy rules upon connection start/stop which requires superuser" + elog "privileges. charon in contrast does this internally and can do so" + elog "even with reduced (user) privileges." + elog + elog "Thus if you require IKEv1 (pluto) or need to specify a custom updown" + elog "script to pluto or charon which requires superuser privileges, you" + elog "can work around this limitation by using sudo to grant the" + elog "user \"ipsec\" the appropriate rights." + elog "For example (the default case):" + elog "/etc/sudoers:" + elog " ipsec ALL=(ALL) NOPASSWD: SETENV: /usr/sbin/ipsec" + elog "Under the specific connection block in /etc/ipsec.conf:" + elog " leftupdown=\"sudo -E ipsec _updown iptables\"" + elog + fi + elog + elog "Make sure you have _all_ required kernel modules available including" + elog "the appropriate cryptographic algorithms. A list is available at:" + elog " http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules" + elog + elog "The up-to-date manual is available online at:" + elog " http://wiki.strongswan.org/" + elog +} diff --git a/net-vpn/tor/Manifest b/net-vpn/tor/Manifest index 393e3d56b95e..ac2680c2f26a 100644 --- a/net-vpn/tor/Manifest +++ b/net-vpn/tor/Manifest @@ -6,8 +6,8 @@ AUX tor.initd-r8 953 BLAKE2B 7af04f23c95b7edd90bfb6989741973cb63a846ad8a34be9a07 AUX torrc-r1 140 BLAKE2B 4b7e0795c09e737c5dda014c2b87811757bb8d68d581ece49f5002a2c42ee29c64899c635daf27b3465194a73ca5fd21a3a7ca655682fa5f5ffc7f4b2360b125 SHA512 6e3c481b34f2cb6f48bf87fe10565daded00415cc233332d43e18206d46eb7b32f92c55035584b5992e7a056e79e862124a573a9724f7762f76d4c4f0824de82 DIST tor-0.4.0.5.tar.gz 7203877 BLAKE2B e03710038615a5b9baf327933917c369bb3fabd4df6dd9f16053a0b72bcf20219e956e74258d0e39ae297d406035a89fab017d2e28c795f5d713c3933ad7cd29 SHA512 f6bccc52aaa436a501077b0891ecd3a9779f288b3b15fd76fa2c612e60aba04763b5951f55b2357e6271797b2f924bee9a6d2c1ee20419daa02d9d38ec68510b DIST tor-0.4.1.6.tar.gz 7390096 BLAKE2B b98f06b771953de781f446528096ff3c688599bae4c141f14a6be06373deebf11f6c15faf2168aee672bf75fcd25f42e2142e469046cd0a442b558c7cf41b28b SHA512 9e4625216e25b9498d6054a9920e5a8932ca7b28c5131062eac637b69c80cdf05bc3fd008b833e5359d8849e256f1f405abd56b07f50fd91077b153ba60503da -DIST tor-0.4.2.2-alpha.tar.gz 7532174 BLAKE2B 330726ed996f6778f6a3277b84e7a3c17e265cd69279d3b937feda5cb95bcf6393a07b8ba79671611b6ec9983cb578e777fc5b99e2585b24f75bd281c13a37d3 SHA512 b4dc18855decc82539a124be3456724b79f23858e5c62f6a4d0b85cf9f5198ef5c979f75db561019c6946951202924213aaae4da710dfeb551aefd47f822eb11 +DIST tor-0.4.2.3-alpha.tar.gz 7534968 BLAKE2B 64b85aee7e630bedc4942ecb27e717593d703282798d9e0286c5d96095bc6406ba79f522bd0c13becd262443b7a41782647d87bb61d088aebcaa561198e30e6f SHA512 e7f350bafa76d329ff6f1a5776243e975154a50d8d347eda7fdfb1009f6b5ceb17024c5aa6d254476a89009ec968cc06929c50f5fa85957fc18a8536bfc88317 EBUILD tor-0.4.0.5.ebuild 2232 BLAKE2B fed112e92aa7b11f4646ea94db9fea5ef81a80dd57a4b95990d906142991ee8f4b900601a011246ff6e707069c255555195041929c97e753d16a16bc8d820719 SHA512 44a4958239f006307178121e4cb49f79ca2063561dc593af840456895eaa4f7d272592a1a3658645b29fe9e82a71e73a731eccbc7cab0ebbbfe37b41068f1c1b EBUILD tor-0.4.1.6.ebuild 2239 BLAKE2B 39c3e2a21e9f906c345dee3ae273ee1e852048e143fe7abe7435492eff04eca387adf27a3675c5e280aaed6152a47250120d308a8befd1b724ae80861ed529c4 SHA512 e01822b58b6d3338b16b8a733225f806e6d2158535cfac1f34b7aca20709f955dee41effa3b5522d2a6fe40869d1b2a725bae0be251ddd4dbca266f356d7e631 -EBUILD tor-0.4.2.2_alpha.ebuild 2295 BLAKE2B 92e7ecc2f02306ca006556ba43c7dd965a571a08e0b58494e31c12fb74fdfbf6b669c33c6bb958b978a6cacad78e51aba77508e970a21d1932d7ff188cf575b3 SHA512 e19e6925c717bbff7fb175895178e1aeb091f155d5affa452675e8b220d8779f8433df58d74b5e49b2c2a34898ca8cd53f2215ba4049f7c02da9a0a2c857071a +EBUILD tor-0.4.2.3_alpha.ebuild 2295 BLAKE2B 92e7ecc2f02306ca006556ba43c7dd965a571a08e0b58494e31c12fb74fdfbf6b669c33c6bb958b978a6cacad78e51aba77508e970a21d1932d7ff188cf575b3 SHA512 e19e6925c717bbff7fb175895178e1aeb091f155d5affa452675e8b220d8779f8433df58d74b5e49b2c2a34898ca8cd53f2215ba4049f7c02da9a0a2c857071a MISC metadata.xml 502 BLAKE2B 62cfa9bebca4f57461228105fc7433ba9d56494197768549f6dc62ec048654918bfc04958c321239b5f223c5d263415b346168ab30c6ea3cc78a5b0bef93f08f SHA512 70b258fd1bab0a13d24e20ccff51ba8b0b1f3a526986a0140c5d2344c781f257ff0f7b60cb6a193b6727faf21d7a4ce96071b9b09373fd9636ed2f01ee1f2000 diff --git a/net-vpn/tor/tor-0.4.2.2_alpha.ebuild b/net-vpn/tor/tor-0.4.2.3_alpha.ebuild index 6d81ed7168e8..6d81ed7168e8 100644 --- a/net-vpn/tor/tor-0.4.2.2_alpha.ebuild +++ b/net-vpn/tor/tor-0.4.2.3_alpha.ebuild |