CVS commit: pkgsrc/security/racoon2
Module Name: pkgsrc
Committed By: christos
Date: Tue May 29 01:22:50 UTC 2018
Modified Files:
pkgsrc/security/racoon2: Makefile distinfo
pkgsrc/security/racoon2/patches: patch-lib_cftoken.l
Added Files:
pkgsrc/security/racoon2/patches: patch-iked_crypto__impl.h
patch-iked_crypto__openssl.c patch-iked_ike__conf.c
patch-iked_ikev1_ikev1.c patch-iked_ikev1_ipsec__doi.c
patch-iked_ikev1_oakley.c patch-iked_ikev1_pfkey.c
patch-iked_ikev2.c patch-iked_ikev2__child.c
patch-iked_ikev2__notify.c patch-kinkd-crypto__openssl.c
patch-kinkd-ipsec__doi.c patch-kinkd_bbkk__heimdal.c
patch-kinkd_isakmp__quick.c patch-kinkd_session.c
patch-lib_if__spmd.c patch-spmd_fqdn__query.c patch-spmd_main.c
patch-spmd_shell.c patch-spmd_spmd__pfkey.c patch-spmd_spmdctl.c
Log Message:
Buck Rogers in the 25th century: make this compile again.
To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 pkgsrc/security/racoon2/Makefile
cvs rdiff -u -r1.5 -r1.6 pkgsrc/security/racoon2/distinfo
cvs rdiff -u -r0 -r1.1 \
pkgsrc/security/racoon2/patches/patch-iked_crypto__impl.h \
pkgsrc/security/racoon2/patches/patch-iked_crypto__openssl.c \
pkgsrc/security/racoon2/patches/patch-iked_ike__conf.c \
pkgsrc/security/racoon2/patches/patch-iked_ikev1_ikev1.c \
pkgsrc/security/racoon2/patches/patch-iked_ikev1_ipsec__doi.c \
pkgsrc/security/racoon2/patches/patch-iked_ikev1_oakley.c \
pkgsrc/security/racoon2/patches/patch-iked_ikev1_pfkey.c \
pkgsrc/security/racoon2/patches/patch-iked_ikev2.c \
pkgsrc/security/racoon2/patches/patch-iked_ikev2__child.c \
pkgsrc/security/racoon2/patches/patch-iked_ikev2__notify.c \
pkgsrc/security/racoon2/patches/patch-kinkd-crypto__openssl.c \
pkgsrc/security/racoon2/patches/patch-kinkd-ipsec__doi.c \
pkgsrc/security/racoon2/patches/patch-kinkd_bbkk__heimdal.c \
pkgsrc/security/racoon2/patches/patch-kinkd_isakmp__quick.c \
pkgsrc/security/racoon2/patches/patch-kinkd_session.c \
pkgsrc/security/racoon2/patches/patch-lib_if__spmd.c \
pkgsrc/security/racoon2/patches/patch-spmd_fqdn__query.c \
pkgsrc/security/racoon2/patches/patch-spmd_main.c \
pkgsrc/security/racoon2/patches/patch-spmd_shell.c \
pkgsrc/security/racoon2/patches/patch-spmd_spmd__pfkey.c \
pkgsrc/security/racoon2/patches/patch-spmd_spmdctl.c
cvs rdiff -u -r1.1 -r1.2 pkgsrc/security/racoon2/patches/patch-lib_cftoken.l
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/security/racoon2/Makefile
diff -u pkgsrc/security/racoon2/Makefile:1.11 pkgsrc/security/racoon2/Makefile:1.12
--- pkgsrc/security/racoon2/Makefile:1.11 Sat Jul 9 02:38:56 2016
+++ pkgsrc/security/racoon2/Makefile Mon May 28 21:22:50 2018
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.11 2016/07/09 06:38:56 wiz Exp $
+# $NetBSD: Makefile,v 1.12 2018/05/29 01:22:50 christos Exp $
#
DISTNAME= racoon2-20100526a
-PKGREVISION= 9
+PKGREVISION= 10
CATEGORIES= security net
MASTER_SITES= ftp://ftp.racoon2.wide.ad.jp/pub/racoon2/
EXTRACT_SUFX= .tgz
Index: pkgsrc/security/racoon2/distinfo
diff -u pkgsrc/security/racoon2/distinfo:1.5 pkgsrc/security/racoon2/distinfo:1.6
--- pkgsrc/security/racoon2/distinfo:1.5 Tue Nov 3 20:18:07 2015
+++ pkgsrc/security/racoon2/distinfo Mon May 28 21:22:50 2018
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.5 2015/11/04 01:18:07 agc Exp $
+$NetBSD: distinfo,v 1.6 2018/05/29 01:22:50 christos Exp $
SHA1 (racoon2-20100526a.tgz) = 268429af8a031dbbc279580cf98ea18331f0e2d9
RMD160 (racoon2-20100526a.tgz) = 014cdcf78cc82ab21235a21491850cdcd1f883bf
@@ -9,7 +9,28 @@ SHA1 (patch-ab) = eb6d901108ebcca9057185
SHA1 (patch-ac) = 081a2d3d694d4c20cf1fa2d9718577577280288e
SHA1 (patch-ad) = 0d04dc7027c100de6bc04db00eddb30a12fd8715
SHA1 (patch-ae) = 937cf84a2b6f1e8f8d288703a0556faf500bab95
+SHA1 (patch-iked_crypto__impl.h) = e6b274258eb7428cbd01cefc33ae85e001260542
+SHA1 (patch-iked_crypto__openssl.c) = 0a013e5aa5ce9747da61b8095440a16ee78de4e9
+SHA1 (patch-iked_ike__conf.c) = 82e09465e69b082abb12b3fead16eae8a7bc103b
+SHA1 (patch-iked_ikev1_ikev1.c) = ce9b22b2be12bc4cd5fa0e171cbd39c0d88d5406
+SHA1 (patch-iked_ikev1_ipsec__doi.c) = 3673d0643359eb8a68bbd867e941e1a1aae02b01
+SHA1 (patch-iked_ikev1_oakley.c) = 8823a898ec8190d177d3eda8d6c474040b08d2a1
+SHA1 (patch-iked_ikev1_pfkey.c) = 064df06b876504b611008a8a20b44266a83c5789
+SHA1 (patch-iked_ikev2.c) = 857805c92e3c78ec5f05a9068acbba03e91030b3
+SHA1 (patch-iked_ikev2__child.c) = f7f268f3e7666a3e23efd3b71c4474eeb9f8a046
+SHA1 (patch-iked_ikev2__notify.c) = 688d5b46451912b00dbf1500e7ff66f4290d7d8a
+SHA1 (patch-kinkd-crypto__openssl.c) = 4acd36a5462d3296a53966f85fb39e8888650d5a
+SHA1 (patch-kinkd-ipsec__doi.c) = f72d62de7dce9e02d4de77162926491fef3761d1
+SHA1 (patch-kinkd_bbkk__heimdal.c) = 55a4e8121df28272d2838376823bc85ec108d93f
+SHA1 (patch-kinkd_isakmp__quick.c) = 1b177838621336bfabf0416d9fc09d6e581b8c05
+SHA1 (patch-kinkd_session.c) = 6b2ec8329d0fda0b850116c21bda2a4d06634f0d
SHA1 (patch-lib_cfparse.y) = 9e0b8ec9c09c315edde171103b97a8c403ba748e
SHA1 (patch-lib_cfsetup.c) = 70c2409bc69ff85cef6d2e2b4e222e12537c323e
-SHA1 (patch-lib_cftoken.l) = 1cbae5bd9199e204d12d5a5216521a21e55a84dc
+SHA1 (patch-lib_cftoken.l) = cbda1153f7fd34713248d3d7d188a50b27d9ddcd
SHA1 (patch-lib_if__pfkeyv2.c) = 9eb969ff0f289bc7c4aa1fa234c221b4d70d1da7
+SHA1 (patch-lib_if__spmd.c) = 0b5e5412afb826f502c040153ca5b0e50ad3d682
+SHA1 (patch-spmd_fqdn__query.c) = d44af49981bfc503fe097a40a0448215ff2367d8
+SHA1 (patch-spmd_main.c) = 7ee34b1a5b18d938806f490abe2d8cdf25caa426
+SHA1 (patch-spmd_shell.c) = 37a52cb9062fd44e0d358c7ae1605481a3604f71
+SHA1 (patch-spmd_spmd__pfkey.c) = 2bf3e70f41a779989d63d7099b2e7031a7441a27
+SHA1 (patch-spmd_spmdctl.c) = 26cd17a8b9932bbc5af8aa5d476eb0a5fad8e323
Index: pkgsrc/security/racoon2/patches/patch-lib_cftoken.l
diff -u pkgsrc/security/racoon2/patches/patch-lib_cftoken.l:1.1 pkgsrc/security/racoon2/patches/patch-lib_cftoken.l:1.2
--- pkgsrc/security/racoon2/patches/patch-lib_cftoken.l:1.1 Wed Oct 9 20:09:38 2013
+++ pkgsrc/security/racoon2/patches/patch-lib_cftoken.l Mon May 28 21:22:50 2018
@@ -1,24 +1,24 @@
-$NetBSD: patch-lib_cftoken.l,v 1.1 2013/10/10 00:09:38 joerg Exp $
+$NetBSD: patch-lib_cftoken.l,v 1.2 2018/05/29 01:22:50 christos Exp $
---- lib/cftoken.l.orig 2013-10-09 23:00:24.000000000 +0000
-+++ lib/cftoken.l
-@@ -53,7 +53,6 @@
+Fixes for modern flex
+
+--- lib/cftoken.l.orig 2018-05-28 17:21:27.733726555 -0400
++++ lib/cftoken.l 2018-05-28 17:21:57.559009640 -0400
+@@ -53,7 +53,7 @@
extern int yyget_lineno (void);
extern FILE *yyget_in (void);
extern FILE *yyget_out (void);
-extern int yyget_leng (void);
++extern yy_size_t yyget_leng (void);
extern char *yyget_text (void);
extern void yyset_lineno (int);
extern void yyset_in (FILE *);
-@@ -76,9 +75,9 @@ static char rcf_linebuf[CF_LINEBUFSIZE];
+@@ -76,7 +76,7 @@
#define YYDEBUG 1
#define DP \
if (cf_debug) { \
- fprintf(CF_ERRDEV, "%s:%d:%d[%s] len=%d\n", \
+ fprintf(CF_ERRDEV, "%s:%d:%d[%s] len=%zu\n", \
rcf_istk[rcf_istkp].path, rcf_istk[rcf_istkp].lineno, \
-- yy_start, yytext, yyleng); \
-+ yy_start, yytext, (size_t)yyleng); \
+ yy_start, yytext, yyleng); \
}
- #else
- #define DP
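Review bot: The `%zu` conversion in the `DP` macro now receives `yyleng` with no cast, where revision 1.1 of this patch passed `(size_t)yyleng`. That is only correct when the generated scanner declares `yyleng` with a `size_t`-sized type; a flex release that declares it as `int` would hand an `int` to `%zu`, which is undefined behaviour in the debug print. Keeping the cast, `yy_start, yytext, (size_t)yyleng); \`, works with either flex. The hard-coded `extern yy_size_t yyget_leng (void);` prototype carries the same version dependence.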
Added files:
Index: pkgsrc/security/racoon2/patches/patch-iked_crypto__impl.h
diff -u /dev/null pkgsrc/security/racoon2/patches/patch-iked_crypto__impl.h:1.1
--- /dev/null Mon May 28 21:22:51 2018
+++ pkgsrc/security/racoon2/patches/patch-iked_crypto__impl.h Mon May 28 21:22:50 2018
@@ -0,0 +1,15 @@
+$NetBSD: patch-iked_crypto__impl.h,v 1.1 2018/05/29 01:22:50 christos Exp $
+
+Make unmodified argument const
+
+--- iked/crypto_impl.h 2010-02-01 05:30:51.000000000 -0500
++++ iked/crypto_impl.h 2018-05-28 16:44:16.016528535 -0400
+@@ -246,7 +246,7 @@
+ extern int eay_revbnl (rc_vchar_t *);
+ #include <openssl/bn.h>
+ extern int eay_v2bn (BIGNUM **, rc_vchar_t *);
+-extern int eay_bn2v (rc_vchar_t **, BIGNUM *);
++extern int eay_bn2v (rc_vchar_t **, const BIGNUM *);
+
+ extern const char *eay_version (void);
+
Index: pkgsrc/security/racoon2/patches/patch-iked_crypto__openssl.c
diff -u /dev/null pkgsrc/security/racoon2/patches/patch-iked_crypto__openssl.c:1.1
--- /dev/null Mon May 28 21:22:51 2018
+++ pkgsrc/security/racoon2/patches/patch-iked_crypto__openssl.c Mon May 28 21:22:50 2018
@@ -0,0 +1,714 @@
+$NetBSD: patch-iked_crypto__openssl.c,v 1.1 2018/05/29 01:22:50 christos Exp $
+
+Adjust for openssl-1.1
+
+--- iked/crypto_openssl.c 2010-02-01 05:30:51.000000000 -0500
++++ iked/crypto_openssl.c 2018-05-28 17:08:27.806906241 -0400
+@@ -324,16 +324,17 @@
+ {
+ char buf[256];
+ int log_tag;
++ int ctx_error, ctx_error_depth;
+
+ if (!ok) {
+- X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),
+- buf, 256);
++ X509_NAME_oneline(X509_get_subject_name(
++ X509_STORE_CTX_get0_cert(ctx)), buf, 256);
+ /*
+ * since we are just checking the certificates, it is
+ * ok if they are self signed. But we should still warn
+ * the user.
+ */
+- switch (ctx->error) {
++ switch (ctx_error = X509_STORE_CTX_get_error(ctx)) {
+ case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+ #if OPENSSL_VERSION_NUMBER >= 0x00905100L
+ case X509_V_ERR_INVALID_CA:
+@@ -347,16 +348,17 @@
+ default:
+ log_tag = PLOG_PROTOERR;
+ }
++ ctx_error_depth = X509_STORE_CTX_get_error_depth(ctx);
+ #ifndef EAYDEBUG
+ plog(log_tag, PLOGLOC, NULL,
+ "%s(%d) at depth:%d SubjectName:%s\n",
+- X509_verify_cert_error_string(ctx->error),
+- ctx->error, ctx->error_depth, buf);
++ X509_verify_cert_error_string(ctx_error),
++ ctx_error, ctx_error_depth, buf);
+ #else
+ printf("%d: %s(%d) at depth:%d SubjectName:%s\n",
+ log_tag,
+- X509_verify_cert_error_string(ctx->error),
+- ctx->error, ctx->error_depth, buf);
++ X509_verify_cert_error_string(ctx_error),
++ ctx_error, ctx_error_depth, buf);
+ #endif
+ }
+ ERR_clear_error();
+@@ -991,6 +993,7 @@
+ BPP_const unsigned char *bp;
+ rc_vchar_t *sig = NULL;
+ int len;
++ RSA *rsa;
+ int pad = RSA_PKCS1_PADDING;
+
+ bp = (unsigned char *)privkey->v;
+@@ -1002,14 +1005,15 @@
+ /* XXX: to be handled EVP_dss() */
+ /* XXX: Where can I get such parameters ? From my cert ? */
+
+- len = RSA_size(evp->pkey.rsa);
++ rsa = EVP_PKEY_get0_RSA(evp);
++ len = RSA_size(rsa);
+
+ sig = rc_vmalloc(len);
+ if (sig == NULL)
+ return NULL;
+
+ len = RSA_private_encrypt(src->l, (unsigned char *)src->v,
+- (unsigned char *)sig->v, evp->pkey.rsa, pad);
++ (unsigned char *)sig->v, rsa, pad);
+ EVP_PKEY_free(evp);
+ if (len == 0 || (size_t)len != sig->l) {
+ rc_vfree(sig);
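Review bot: `rsa = EVP_PKEY_get0_RSA(evp);` is used without a NULL check, and the accessor returns NULL when the parsed key is not an RSA key, so `RSA_size(rsa)` on the next line would dereference NULL. No key-type check is visible in this hunk (the function starts above it), so a guard such as `if (rsa == NULL) { EVP_PKEY_free(evp); return NULL; }` before `RSA_size` is worth adding. The same applies to the `EVP_PKEY_get0_RSA` calls in the hunks at -1040 and -1100 and to `EVP_PKEY_get0_DSA` in the hunk at -1217, each with that function's own error return.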
+@@ -1028,6 +1032,7 @@
+ BPP_const unsigned char *bp;
+ rc_vchar_t *xbuf = NULL;
+ int pad = RSA_PKCS1_PADDING;
++ RSA *rsa;
+ int len = 0;
+ int error;
+
+@@ -1040,7 +1045,8 @@
+ return -1;
+ }
+
+- len = RSA_size(evp->pkey.rsa);
++ rsa = EVP_PKEY_get0_RSA(evp);
++ len = RSA_size(rsa);
+
+ xbuf = rc_vmalloc(len);
+ if (xbuf == NULL) {
+@@ -1053,7 +1059,7 @@
+ }
+
+ len = RSA_public_decrypt(sig->l, (unsigned char *)sig->v,
+- (unsigned char *)xbuf->v, evp->pkey.rsa, pad);
++ (unsigned char *)xbuf->v, rsa, pad);
+ #ifndef EAYDEBUG
+ if (len == 0 || (size_t)len != src->l)
+ plog(PLOG_PROTOERR, PLOGLOC, NULL, "%s\n", eay_strerror());
+@@ -1089,7 +1095,8 @@
+ rc_vchar_t *sig = 0;
+ unsigned int siglen;
+ const EVP_MD *md;
+- EVP_MD_CTX ctx;
++ EVP_MD_CTX *ctx = NULL;
++ RSA *rsa;
+
+ bp = (unsigned char *)privkey->v;
+ /* convert private key from vmbuf to internal data */
+@@ -1100,7 +1107,8 @@
+ goto fail;
+ }
+
+- len = RSA_size(pkey->pkey.rsa);
++ rsa = EVP_PKEY_get0_RSA(pkey);
++ len = RSA_size(rsa);
+ sig = rc_vmalloc(len);
+ if (sig == NULL) {
+ plog(PLOG_INTERR, PLOGLOC, NULL, "failed allocating memory\n");
+@@ -1114,27 +1122,33 @@
+ "failed to find digest algorithm %s\n", hash_type);
+ goto fail;
+ }
+- EVP_MD_CTX_init(&ctx);
+- EVP_SignInit(&ctx, md);
+- EVP_SignUpdate(&ctx, octets->v, octets->l);
+- if (EVP_SignFinal(&ctx, (unsigned char *)sig->v, &siglen, pkey) <= 0) {
++ ctx = EVP_MD_CTX_new();
++ if (!ctx) {
++ plog(PLOG_INTERR, PLOGLOC, NULL,
++ "failed to allocate context\n");
++ goto fail;
++ }
++ EVP_SignInit(ctx, md);
++ EVP_SignUpdate(ctx, octets->v, octets->l);
++ if (EVP_SignFinal(ctx, (unsigned char *)sig->v, &siglen, pkey) <= 0) {
+ plog(PLOG_INTERR, PLOGLOC, NULL,
+ "RSA_sign failed: %s\n", eay_strerror());
+- EVP_MD_CTX_cleanup(&ctx);
+ goto fail;
+ }
+- EVP_MD_CTX_cleanup(&ctx);
+ if (sig->l != siglen) {
+ plog(PLOG_INTERR, PLOGLOC, NULL,
+ "unexpected signature length %d\n", siglen);
+ goto fail;
+ }
++ EVP_MD_CTX_free(ctx);
+ EVP_PKEY_free(pkey);
+ return sig;
+
+ fail:
+ if (sig)
+ rc_vfree(sig);
++ if (ctx)
++ EVP_MD_CTX_free(ctx);
+ if (pkey)
+ EVP_PKEY_free(pkey);
+ return 0;
+@@ -1154,7 +1168,7 @@
+ EVP_PKEY *pkey;
+ BPP_const unsigned char *bp;
+ const EVP_MD *md;
+- EVP_MD_CTX ctx;
++ EVP_MD_CTX *ctx = NULL;
+
+ bp = (unsigned char *)pubkey->v;
+ pkey = d2i_PUBKEY(NULL, &bp, pubkey->l);
+@@ -1163,7 +1177,7 @@
+ "failed obtaining public key: %s\n", eay_strerror());
+ goto fail;
+ }
+- if (pkey->type != EVP_PKEY_RSA) {
++ if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA) {
+ plog(PLOG_PROTOERR, PLOGLOC, NULL,
+ "public key is not for RSA\n");
+ goto fail;
+@@ -1175,23 +1189,29 @@
+ "failed to find the algorithm engine for %s\n", hash_type);
+ goto fail;
+ }
+- EVP_MD_CTX_init(&ctx);
+- EVP_VerifyInit(&ctx, md);
+- EVP_VerifyUpdate(&ctx, octets->v, octets->l);
+- if (EVP_VerifyFinal(&ctx, (unsigned char *)sig->v, sig->l, pkey) <= 0) {
++ ctx = EVP_MD_CTX_new();
++ if (!ctx) {
++ plog(PLOG_INTERR, PLOGLOC, NULL,
++ "failed to allocate context\n");
++ goto fail;
++ }
++ EVP_VerifyInit(ctx, md);
++ EVP_VerifyUpdate(ctx, octets->v, octets->l);
++ if (EVP_VerifyFinal(ctx, (unsigned char *)sig->v, sig->l, pkey) <= 0) {
+ plog(PLOG_PROTOERR, PLOGLOC, NULL,
+ "RSA_verify failed: %s\n", eay_strerror());
+- EVP_MD_CTX_cleanup(&ctx);
+ goto fail;
+ }
+- EVP_MD_CTX_cleanup(&ctx);
+
++ EVP_MD_CTX_free(ctx);
+ EVP_PKEY_free(pkey);
+ return 0;
+
+ fail:
+ if (pkey)
+ EVP_PKEY_free(pkey);
++ if (ctx)
++ EVP_MD_CTX_free(ctx);
+ return -1;
+ }
+
+@@ -1204,7 +1224,8 @@
+ EVP_PKEY *pkey;
+ BPP_const unsigned char *bp;
+ const EVP_MD *md;
+- EVP_MD_CTX ctx;
++ EVP_MD_CTX *ctx = NULL;
++ DSA *dsa;
+ int len;
+ rc_vchar_t *sig = 0;
+ unsigned int siglen;
+@@ -1217,24 +1238,33 @@
+ goto fail;
+ }
+
+- len = DSA_size(pkey->pkey.dsa);
++ dsa = EVP_PKEY_get0_DSA(pkey);
++ len = DSA_size(dsa);
+ sig = rc_vmalloc(len);
+ if (sig == NULL) {
+ plog(PLOG_INTERR, PLOGLOC, NULL, "failed allocating memory\n");
+ goto fail;
+ }
+
++#if 0
+ md = EVP_dss1();
+- EVP_MD_CTX_init(&ctx);
+- EVP_SignInit(&ctx, md);
+- EVP_SignUpdate(&ctx, octets->v, octets->l);
+- if (EVP_SignFinal(&ctx, (unsigned char *)sig->v, &siglen, pkey) <= 0) {
++#else
++ md = NULL;
++ goto fail;
++#endif
++ ctx = EVP_MD_CTX_new();
++ if (!ctx) {
++ plog(PLOG_INTERR, PLOGLOC, NULL,
++ "failed to allocate context\n");
++ goto fail;
++ }
++ EVP_SignInit(ctx, md);
++ EVP_SignUpdate(ctx, octets->v, octets->l);
++ if (EVP_SignFinal(ctx, (unsigned char *)sig->v, &siglen, pkey) <= 0) {
+ plog(PLOG_INTERR, PLOGLOC, NULL,
+ "DSS sign failed: %s\n", eay_strerror());
+- EVP_MD_CTX_cleanup(&ctx);
+ goto fail;
+ }
+- EVP_MD_CTX_cleanup(&ctx);
+
+ if (siglen > sig->l) {
+ plog(PLOG_INTERR, PLOGLOC, NULL,
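Review bot: The `#else` branch `md = NULL; goto fail;` makes DSS signing fail unconditionally without logging anything, and everything from `EVP_MD_CTX_new()` to `EVP_SignFinal` below it becomes unreachable. At minimum log the reason before the jump, e.g. `plog(PLOG_INTERR, PLOGLOC, NULL, "DSS signatures not supported with this OpenSSL\n");`, so an operator with DSS credentials configured can see why authentication stopped working. OpenSSL 1.1 removed `EVP_dss1()` because `EVP_sha1()` can be used with DSA keys directly, so `md = EVP_sha1();` would likely keep the feature instead of disabling it; that needs an interop test before it is relied on. The DSS verify hunk at -1274 has the same construct, and this function continues past the end of the hunk.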
+@@ -1245,6 +1275,7 @@
+ if (siglen < sig->l)
+ sig = rc_vrealloc(sig, siglen);
+ EVP_PKEY_free(pkey);
++ EVP_MD_CTX_free(ctx);
+ return sig;
+
+ fail:
+@@ -1252,6 +1283,8 @@
+ rc_vfree(sig);
+ if (pkey)
+ EVP_PKEY_free(pkey);
++ if (ctx)
++ EVP_MD_CTX_free(ctx);
+ return 0;
+ }
+
+@@ -1265,7 +1298,7 @@
+ EVP_PKEY *pkey;
+ BPP_const unsigned char *bp;
+ const EVP_MD *md;
+- EVP_MD_CTX ctx;
++ EVP_MD_CTX *ctx = NULL;
+
+ bp = (unsigned char *)pubkey->v;
+ pkey = d2i_PUBKEY(NULL, &bp, pubkey->l);
+@@ -1274,30 +1307,40 @@
+ "failed obtaining public key: %s\n", eay_strerror());
+ goto fail;
+ }
+- if (pkey->type != EVP_PKEY_DSA) {
++ if (EVP_PKEY_id(pkey) != EVP_PKEY_DSA) {
+ plog(PLOG_PROTOERR, PLOGLOC, NULL,
+ "public key is not for DSS\n");
+ goto fail;
+ }
+
++#if 0
+ md = EVP_dss1();
+- EVP_MD_CTX_init(&ctx);
+- EVP_VerifyInit(&ctx, md);
+- EVP_VerifyUpdate(&ctx, octets->v, octets->l);
+- if (EVP_VerifyFinal(&ctx, (unsigned char *)sig->v, sig->l, pkey) <= 0) {
++#else
++ md = NULL;
++ goto fail;
++#endif
++ ctx = EVP_MD_CTX_new();
++ if (!ctx) {
++ plog(PLOG_INTERR, PLOGLOC, NULL,
++ "failed to allocate context\n");
++ goto fail;
++ }
++ EVP_VerifyInit(ctx, md);
++ EVP_VerifyUpdate(ctx, octets->v, octets->l);
++ if (EVP_VerifyFinal(ctx, (unsigned char *)sig->v, sig->l, pkey) <= 0) {
+ plog(PLOG_PROTOERR, PLOGLOC, NULL,
+ "DSS verify failed: %s\n", eay_strerror());
+- EVP_MD_CTX_cleanup(&ctx);
+ goto fail;
+ }
+- EVP_MD_CTX_cleanup(&ctx);
+-
++ EVP_MD_CTX_free(ctx);
+ EVP_PKEY_free(pkey);
+ return 0;
+
+ fail:
+ if (pkey)
+ EVP_PKEY_free(pkey);
++ if (ctx)
++ EVP_MD_CTX_free(ctx);
+ return -1;
+ }
+
+@@ -1345,7 +1388,7 @@
+ evp_encrypt(const EVP_CIPHER *ciph, rc_vchar_t *data, rc_vchar_t *key, rc_vchar_t *iv)
+ {
+ rc_vchar_t *res;
+- EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX *ctx = NULL;
+ int outl;
+
+ if (!iv || iv->l < (size_t)EVP_CIPHER_block_size(ciph))
+@@ -1355,12 +1398,17 @@
+ if ((res = rc_vmalloc(data->l)) == NULL)
+ return NULL;
+
+- EVP_CIPHER_CTX_init(&ctx);
+- if (!EVP_EncryptInit(&ctx, ciph, (unsigned char *)key->v, (unsigned char *)iv->v))
++ ctx = EVP_CIPHER_CTX_new();
++ if (!ctx) {
++ plog(PLOG_INTERR, PLOGLOC, NULL,
++ "failed to allocate context\n");
++ goto fail;
++ }
++ if (!EVP_EncryptInit(ctx, ciph, (unsigned char *)key->v, (unsigned char *)iv->v))
+ goto fail;
+- if (!EVP_CIPHER_CTX_set_padding(&ctx, 0))
++ if (!EVP_CIPHER_CTX_set_padding(ctx, 0))
+ goto fail;
+- if (!EVP_EncryptUpdate(&ctx, (unsigned char *)res->v, &outl, (unsigned char *)data->v,
++ if (!EVP_EncryptUpdate(ctx, (unsigned char *)res->v, &outl, (unsigned char *)data->v,
+ data->l))
+ goto fail;
+ if ((size_t)outl != data->l) {
+@@ -1369,16 +1417,17 @@
+ outl, (unsigned long)data->l);
+ goto fail;
+ }
+- if (!EVP_EncryptFinal(&ctx, NULL, &outl))
++ if (!EVP_EncryptFinal(ctx, NULL, &outl))
+ goto fail;
+
+- EVP_CIPHER_CTX_cleanup(&ctx);
++ EVP_CIPHER_CTX_free(ctx);
+ return res;
+
+ fail:
+ if (res)
+ rc_vfree(res);
+- EVP_CIPHER_CTX_cleanup(&ctx);
++ if (ctx)
++ EVP_CIPHER_CTX_free(ctx);
+ return NULL;
+ }
+
+@@ -1386,7 +1435,7 @@
+ evp_decrypt(const EVP_CIPHER *ciph, rc_vchar_t *data, rc_vchar_t *key, rc_vchar_t *iv)
+ {
+ rc_vchar_t *res;
+- EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX *ctx = NULL;
+ int outl;
+
+ if (!iv || iv->l < (size_t)EVP_CIPHER_block_size(ciph))
+@@ -1396,12 +1445,17 @@
+ if ((res = rc_vmalloc(data->l)) == NULL)
+ return NULL;
+
+- EVP_CIPHER_CTX_init(&ctx);
+- if (!EVP_DecryptInit(&ctx, ciph, (unsigned char *)key->v, (unsigned char *)iv->v))
++ ctx = EVP_CIPHER_CTX_new();
++ if (!ctx) {
++ plog(PLOG_INTERR, PLOGLOC, NULL,
++ "failed to allocate context\n");
++ goto fail;
++ }
++ if (!EVP_DecryptInit(ctx, ciph, (unsigned char *)key->v, (unsigned char *)iv->v))
+ goto fail;
+- if (!EVP_CIPHER_CTX_set_padding(&ctx, 0))
++ if (!EVP_CIPHER_CTX_set_padding(ctx, 0))
+ goto fail;
+- if (!EVP_DecryptUpdate(&ctx, (unsigned char *)res->v, &outl, (unsigned char *)data->v,
++ if (!EVP_DecryptUpdate(ctx, (unsigned char *)res->v, &outl, (unsigned char *)data->v,
+ data->l))
+ goto fail;
+ if ((size_t)outl != data->l) {
+@@ -1410,15 +1464,16 @@
+ outl, (unsigned long)data->l);
+ goto fail;
+ }
+- if (!EVP_DecryptFinal(&ctx, NULL, &outl))
++ if (!EVP_DecryptFinal(ctx, NULL, &outl))
+ goto fail;
+- EVP_CIPHER_CTX_cleanup(&ctx);
++ EVP_CIPHER_CTX_free(ctx);
+ return res;
+
+ fail:
+ if (res)
+ rc_vfree(res);
+- EVP_CIPHER_CTX_cleanup(&ctx);
++ if (ctx)
++ EVP_CIPHER_CTX_cleanup(ctx);
+ return NULL;
+ }
+
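Review bot: The `fail:` path of `evp_decrypt` calls `EVP_CIPHER_CTX_cleanup(ctx)` on the heap-allocated context, while the success path here and both paths of `evp_encrypt` call `EVP_CIPHER_CTX_free(ctx)`. Under OpenSSL 1.1 the cleanup name only resets the context where the compatibility macro is available (and fails to compile where it is not), so every failed decrypt leaks the `EVP_CIPHER_CTX`. Change the line to `EVP_CIPHER_CTX_free(ctx);`. The function starts in the preceding hunks.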
+@@ -1963,45 +2018,55 @@
+ * are used as the nonce value in the counter block.
+ */
+
+- uint8_t *nonce;
+- union {
+- uint8_t bytes[AES_BLOCK_SIZE];
+- struct aes_ctrblk {
+- uint32_t nonce;
+- uint8_t iv[AES_CTR_IV_SIZE];
+- uint32_t block_counter;
+- } fields;
+- } ctrblk;
+- uint8_t ecount_buf[AES_BLOCK_SIZE];
+- AES_KEY k;
+- unsigned int num;
+- rc_vchar_t *resultbuf;
++ int len;
++ rc_vchar_t *resultbuf = NULL;
++ EVP_CIPHER_CTX *ctx = NULL;
+
+ /*
+ * if (data->l > AES_BLOCK_SIZE * UINT32_MAX) return 0;
+ */
+
+- if (iv->l != AES_CTR_IV_SIZE)
+- return 0;
+- nonce = (unsigned char *)key->v + key->l - AES_CTR_NONCE_SIZE;
+- if (AES_set_encrypt_key((unsigned char *)key->v,
+- (key->l - AES_CTR_NONCE_SIZE) << 3, &k) < 0)
++ if (iv->l != AES_CTR_IV_SIZE) {
++ plog(PLOG_INTERR, PLOGLOC, 0, "bad iv size");
+ return 0;
++ }
++
++ ctx = EVP_CIPHER_CTX_new();
++ if (ctx == NULL) {
++ plog(PLOG_INTERR, PLOGLOC, 0, "EVP_CIPHER_CTX_new failed");
++ goto fail;
++ }
++
++ if (!EVP_EncryptInit_ex(ctx, EVP_aes_128_ctr(), NULL, (unsigned char *)key->v, (unsigned char *)iv->v)) {
++ plog(PLOG_INTERR, PLOGLOC, 0, "EVP_EncryptInit_ex failed");
++ goto fail;
++ }
+
+ resultbuf = rc_vmalloc(data->l);
+- if (!resultbuf)
+- return 0;
++ if (!resultbuf) {
++ plog(PLOG_INTERR, PLOGLOC, 0, "allocate resultbuf failed");
++ goto fail;
++ }
+
+- memcpy(&ctrblk.fields.nonce, nonce, AES_CTR_NONCE_SIZE);
+- memcpy(&ctrblk.fields.iv[0], iv->v, AES_CTR_IV_SIZE);
+- ctrblk.fields.block_counter = htonl(1);
+-
+- num = 0;
+- AES_ctr128_encrypt((unsigned char *)data->v,
+- (unsigned char *)resultbuf->v, data->l, &k,
+- &ctrblk.bytes[0], ecount_buf, &num);
++ if (!EVP_EncryptUpdate(ctx, (unsigned char *)resultbuf->v, &len, (unsigned char *)data->v, data->l)) {
++ plog(PLOG_INTERR, PLOGLOC, 0, "EVP_EncryptUpdate failed");
++ goto fail;
++ }
+
++ if (!EVP_EncryptFinal_ex(ctx, (unsigned char *)resultbuf->v + len, &len)) {
++ plog(PLOG_INTERR, PLOGLOC, 0, "EVP_EncryptFinal_ex failed");
++ goto fail;
++ }
++
++ EVP_CIPHER_CTX_free(ctx);
+ return resultbuf;
++
++fail:
++ EVP_CIPHER_CTX_free(ctx);
++ if (resultbuf)
++ rc_free(resultbuf);
++
++ return NULL;
+ }
+
+ /* for ipsec part */
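Review bot: The EVP rewrite passes `iv->v` straight to `EVP_EncryptInit_ex` with `EVP_aes_128_ctr()`, but the check above it guarantees `iv->l == AES_CTR_IV_SIZE`, which by the removed `aes_ctrblk` layout is shorter than the 16-byte IV that cipher reads, so the call reads past the end of the IV buffer. It also drops the nonce the old code took from the tail of `key`, never sets the block counter to 1, and fixes the key size at 128 bits where the old code used `(key->l - AES_CTR_NONCE_SIZE) << 3`, so the keystream will differ from the previous implementation and from peers. The fence below rebuilds the counter block the removed code used and selects the cipher from the key length; its failure path also uses `rc_vfree`, as the rest of the file does for `rc_vchar_t` buffers, in place of `rc_free`. The function starts above the hunk, so the declarations shown are additions to its locals, and the result needs an interop test against a known-good peer.

```c
	uint8_t ctrblk[AES_BLOCK_SIZE];
	const EVP_CIPHER *ciph;
	size_t keylen;

	/* ... unchanged: iv->l check ... */

	if (key->l <= AES_CTR_NONCE_SIZE) {
		plog(PLOG_INTERR, PLOGLOC, 0, "bad key size\n");
		return 0;
	}
	/* the last AES_CTR_NONCE_SIZE bytes of the key material are the nonce */
	keylen = key->l - AES_CTR_NONCE_SIZE;
	switch (keylen) {
	case 16:
		ciph = EVP_aes_128_ctr();
		break;
	case 24:
		ciph = EVP_aes_192_ctr();
		break;
	case 32:
		ciph = EVP_aes_256_ctr();
		break;
	default:
		plog(PLOG_INTERR, PLOGLOC, 0, "bad key size\n");
		return 0;
	}

	/* counter block as in the removed code: nonce || IV || counter = 1 */
	memset(ctrblk, 0, sizeof(ctrblk));
	memcpy(ctrblk, (unsigned char *)key->v + keylen, AES_CTR_NONCE_SIZE);
	memcpy(ctrblk + AES_CTR_NONCE_SIZE, iv->v, AES_CTR_IV_SIZE);
	ctrblk[sizeof(ctrblk) - 1] = 1;

	/* ... unchanged: EVP_CIPHER_CTX_new() and its check ... */

	if (!EVP_EncryptInit_ex(ctx, ciph, NULL, (unsigned char *)key->v, ctrblk)) {
		plog(PLOG_INTERR, PLOGLOC, 0, "EVP_EncryptInit_ex failed\n");
		goto fail;
	}

	/* ... unchanged: rc_vmalloc, EVP_EncryptUpdate, EVP_EncryptFinal_ex, success return ... */

fail:
	EVP_CIPHER_CTX_free(ctx);
	if (resultbuf)
		rc_vfree(resultbuf);
	return NULL;
```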
+@@ -2038,14 +2103,9 @@
+ static caddr_t
+ eay_hmac_init(rc_vchar_t *key, const EVP_MD *md)
+ {
+- HMAC_CTX *c = racoon_malloc(sizeof(*c));
++ HMAC_CTX *c = HMAC_CTX_new();
+
+-#if OPENSSL_VERSION_NUMBER < 0x0090700fL
+- HMAC_Init(c, key->v, key->l, md);
+-#else
+- HMAC_CTX_init(c);
+ HMAC_Init_ex(c, key->v, key->l, md, NULL);
+-#endif
+
+ return (caddr_t)c;
+ }
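Review bot: `HMAC_CTX_new()` can return NULL, and the result is passed to `HMAC_Init_ex` unchecked; the return value of `HMAC_Init_ex` is ignored as well. Add `if (c == NULL) return NULL;` after the allocation, and on a zero return from `HMAC_Init_ex` call `HMAC_CTX_free(c)` and return NULL. Whether the callers of `eay_hmac_init` cope with a NULL return is not visible in this hunk and should be confirmed alongside the change.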
+@@ -2053,12 +2113,7 @@
+ void
+ eay_hmac_dispose(HMAC_CTX *c)
+ {
+-#if OPENSSL_VERSION_NUMBER < 0x0090700fL
+- HMAC_cleanup(c);
+-#else
+- HMAC_CTX_cleanup(c);
+-#endif
+- (void)racoon_free(c);
++ HMAC_CTX_free(c);
+ }
+
+ #ifdef WITH_SHA2
+@@ -2972,15 +3027,16 @@
+ eay_random_uint32(void)
+ {
+ uint32_t value;
+- (void)RAND_pseudo_bytes((uint8_t *)&value, sizeof(value));
++ (void)RAND_bytes((uint8_t *)&value, sizeof(value));
+ return value;
+ }
+
+ /* DH */
+ int
+-eay_dh_generate(rc_vchar_t *prime, uint32_t g, unsigned int publen, rc_vchar_t **pub, rc_vchar_t **priv)
++eay_dh_generate(rc_vchar_t *prime, uint32_t gg, unsigned int publen, rc_vchar_t **pub, rc_vchar_t **priv)
+ {
+- BIGNUM *p = NULL;
++ BIGNUM *p = NULL, *g = NULL;
++ const BIGNUM *pub_key, *priv_key;
+ DH *dh = NULL;
+ int error = -1;
+
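Review bot: `(void)RAND_bytes(...)` in `eay_random_uint32` discards the only failure signal, and when the generator fails `value` is returned uninitialised. The function has no error return, so at least test the result, `if (RAND_bytes((uint8_t *)&value, sizeof(value)) != 1)`, and log through `plog(PLOG_INTERR, ...)`; whether the daemon should stop at that point is a policy decision for the maintainers. The body of `eay_dh_generate`, whose signature closes this hunk, continues in the next one.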
+@@ -2991,25 +3047,27 @@
+
+ if ((dh = DH_new()) == NULL)
+ goto end;
+- dh->p = p;
+- p = NULL; /* p is now part of dh structure */
+- dh->g = NULL;
+- if ((dh->g = BN_new()) == NULL)
++ if ((g = BN_new()) == NULL)
+ goto end;
+- if (!BN_set_word(dh->g, g))
++ if (!BN_set_word(g, gg))
+ goto end;
+
++ if (!DH_set0_pqg(dh, p, NULL, g))
++ goto end;
++ g = p = NULL;
++
+ if (publen != 0)
+- dh->length = publen;
++ DH_set_length(dh, publen);
+
+ /* generate public and private number */
+ if (!DH_generate_key(dh))
+ goto end;
+
++ DH_get0_key(dh, &pub_key, &priv_key);
+ /* copy results to buffers */
+- if (eay_bn2v(pub, dh->pub_key) < 0)
++ if (eay_bn2v(pub, pub_key) < 0)
+ goto end;
+- if (eay_bn2v(priv, dh->priv_key) < 0) {
++ if (eay_bn2v(priv, priv_key) < 0) {
+ rc_vfree(*pub);
+ goto end;
+ }
+@@ -3019,44 +3077,57 @@
+ end:
+ if (dh != NULL)
+ DH_free(dh);
+- if (p != 0)
++ if (p != NULL)
+ BN_free(p);
++ if (g != NULL)
++ BN_free(g);
+ return (error);
+ }
+
+ int
+-eay_dh_compute (rc_vchar_t *prime, uint32_t g, rc_vchar_t *pub,
++eay_dh_compute (rc_vchar_t *prime, uint32_t gg, rc_vchar_t *pub,
+ rc_vchar_t *priv, rc_vchar_t *pub2, rc_vchar_t **key)
+ {
+- BIGNUM *dh_pub = NULL;
++ BIGNUM *dh_pub = NULL, *p = NULL, *g = NULL,
++ *pub_key = NULL, *priv_key = NULL;
+ DH *dh = NULL;
+ int l;
+ unsigned char *v = NULL;
+ int error = -1;
+
+- /* make public number to compute */
+- if (eay_v2bn(&dh_pub, pub2) < 0)
+- goto end;
+-
+ /* make DH structure */
+ if ((dh = DH_new()) == NULL)
+ goto end;
+- if (eay_v2bn(&dh->p, prime) < 0)
++
++ if (eay_v2bn(&p, prime) < 0)
++ goto end;
++ if ((g = BN_new()) == NULL)
+ goto end;
+- if (eay_v2bn(&dh->pub_key, pub) < 0)
++ if (!BN_set_word(g, gg))
+ goto end;
+- if (eay_v2bn(&dh->priv_key, priv) < 0)
++ if (!DH_set0_pqg(dh, p, NULL, g))
+ goto end;
+- dh->length = pub2->l * 8;
++ p = NULL;
++ g = NULL;
+
+- dh->g = NULL;
+- if ((dh->g = BN_new()) == NULL)
++ if (eay_v2bn(&pub_key, pub) < 0)
+ goto end;
+- if (!BN_set_word(dh->g, g))
++ if (eay_v2bn(&priv_key, priv) < 0)
+ goto end;
++ if (!DH_set0_key(dh, pub_key, priv_key))
++ goto end;
++ pub_key = NULL;
++ priv_key = NULL;
++
++ DH_set_length(dh, pub2->l * 8);
+
+ if ((v = racoon_calloc(prime->l, sizeof(unsigned char))) == NULL)
+ goto end;
++
++ /* make public number to compute */
++ if (eay_v2bn(&dh_pub, pub2) < 0)
++ goto end;
++
+ if ((l = DH_compute_key(v, dh_pub, dh)) == -1)
+ goto end;
+ memcpy((*key)->v + (prime->l - l), v, l);
+@@ -3066,6 +3137,14 @@
+ end:
+ if (dh_pub != NULL)
+ BN_free(dh_pub);
++ if (pub_key != NULL)
++ BN_free(pub_key);
++ if (priv_key != NULL)
++ BN_free(priv_key);
++ if (p != NULL)
++ BN_free(p);
++ if (g != NULL)
++ BN_free(g);
+ if (dh != NULL)
+ DH_free(dh);
+ if (v != NULL)
+@@ -3083,9 +3162,9 @@
+ }
+
+ int
+-eay_bn2v(rc_vchar_t **var, BIGNUM *bn)
++eay_bn2v(rc_vchar_t **var, const BIGNUM *bn)
+ {
+- *var = rc_vmalloc(bn->top * BN_BYTES);
++ *var = rc_vmalloc(BN_num_bytes(bn));
+ if (*var == NULL)
+ return (-1);
+
Index: pkgsrc/security/racoon2/patches/patch-iked_ike__conf.c
diff -u /dev/null pkgsrc/security/racoon2/patches/patch-iked_ike__conf.c:1.1
--- /dev/null Mon May 28 21:22:51 2018
+++ pkgsrc/security/racoon2/patches/patch-iked_ike__conf.c Mon May 28 21:22:50 2018
@@ -0,0 +1,36 @@
+$NetBSD: patch-iked_ike__conf.c,v 1.1 2018/05/29 01:22:50 christos Exp $
+
+Comment out impossible case (switch is enum)
+
+--- iked/ike_conf.c.orig 2009-07-28 01:32:40.000000000 -0400
++++ iked/ike_conf.c 2018-05-28 19:48:04.934126933 -0400
+@@ -4025,12 +4025,14 @@
+ SA_CONF(comp_alg, sa, comp_alg, 0);
+
+ switch (sa_protocol) {
++#if 0
+ case 0:
+ ++*err;
+ plog(PLOG_INTERR, PLOGLOC, 0,
+ "sa %s does not have sa_protocol field\n",
+ sa_index);
+ break;
++#endif
+ case RCT_SATYPE_ESP:
+ if (!enc_alg) {
+ ++*err;
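Review bot: The `case 0:` disabled here is described as impossible, but the second hunk of this patch keeps `if (!action)` directly above its own disabled `case 0:`, so a zero value is evidently reachable for at least that variable. With both cases under `#if 0`, an unset `sa_protocol` or `action` now lands in `default:`, whose handling lies outside both hunks, and the specific "does not have sa_protocol field" and "lacks action field" diagnostics are lost. If `default:` does not increment the error counter, a misconfigured SA or policy would pass this validation. If the aim is only to quiet the enum-switch warning, `switch ((int)sa_protocol)` and `switch ((int)action)` would keep the checks in place.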
+@@ -4226,12 +4228,14 @@
+ if (!action)
+ POLICY_DEFAULT(action, action, 0);
+ switch (action) {
++#if 0
+ case 0:
+ ++error;
+ plog(PLOG_INTERR, PLOGLOC, 0,
+ "policy %s lacks action field\n",
+ rc_vmem2str(policy->pl_index));
+ continue;
++#endif
+ case RCT_ACT_AUTO_IPSEC:
+ break;
+ default:
Index: pkgsrc/security/racoon2/patches/patch-iked_ikev1_ikev1.c
diff -u /dev/null pkgsrc/security/racoon2/patches/patch-iked_ikev1_ikev1.c:1.1
--- /dev/null Mon May 28 21:22:51 2018
+++ pkgsrc/security/racoon2/patches/patch-iked_ikev1_ikev1.c Mon May 28 21:22:50 2018
@@ -0,0 +1,24 @@
+$NetBSD: patch-iked_ikev1_ikev1.c,v 1.1 2018/05/29 01:22:50 christos Exp $
+
+Remove unused
+
+--- iked/ikev1/ikev1.c.orig 2008-07-07 05:36:08.000000000 -0400
++++ iked/ikev1/ikev1.c 2018-05-28 19:50:20.088751812 -0400
+@@ -1457,8 +1457,6 @@
+ #define IKEV1_DEFAULT_RETRY_CHECKPH1 30
+
+ if (!iph1) {
+- struct sched *sc;
+-
+ if (isakmp_ph1begin_i(rm_info, iph2->dst, iph2->src) < 0) {
+ plog(PLOG_INTERR, PLOGLOC, 0,
+ "failed to initiate phase 1 negotiation for %s\n",
+@@ -1467,7 +1465,7 @@
+ goto fail;
+ }
+ iph2->retry_checkph1 = IKEV1_DEFAULT_RETRY_CHECKPH1;
+- sc = sched_new(1, isakmp_chkph1there_stub, iph2);
++ sched_new(1, isakmp_chkph1there_stub, iph2);
+ plog(PLOG_INFO, PLOGLOC, 0,
+ "IPsec-SA request for %s queued "
+ "since no phase1 found\n",
Index: pkgsrc/security/racoon2/patches/patch-iked_ikev1_ipsec__doi.c
diff -u /dev/null pkgsrc/security/racoon2/patches/patch-iked_ikev1_ipsec__doi.c:1.1
--- /dev/null Mon May 28 21:22:51 2018
+++ pkgsrc/security/racoon2/patches/patch-iked_ikev1_ipsec__doi.c Mon May 28 21:22:50 2018
@@ -0,0 +1,48 @@
+$NetBSD: patch-iked_ikev1_ipsec__doi.c,v 1.1 2018/05/29 01:22:50 christos Exp $
+
+Fix memset argument
+Fix unused
+
+--- iked/ikev1/ipsec_doi.c.orig 2008-07-07 05:36:08.000000000 -0400
++++ iked/ikev1/ipsec_doi.c 2018-05-28 21:19:12.197533568 -0400
+@@ -220,7 +220,9 @@
+ rc_vchar_t *newsa;
+ struct isakmpsa *sa, tsa;
+ struct prop_pair *s, *p;
++#if 0
+ int prophlen;
++#endif
+ int i;
+
+ if (iph1->approval) {
+@@ -232,8 +234,10 @@
+ if (pair[i] == NULL)
+ continue;
+ for (s = pair[i]; s; s = s->next) {
++#if 0
+ prophlen = sizeof(struct isakmp_pl_p)
+ + s->prop->spi_size;
++#endif
+ /* compare proposal and select one */
+ for (p = s; p; p = p->tnext) {
+ sa = get_ph1approvalx(p, iph1->proposal,
+@@ -254,8 +258,10 @@
+ if (pair[i] == NULL)
+ continue;
+ for (s = pair[i]; s; s = s->next) {
++#if 0
+ prophlen = sizeof(struct isakmp_pl_p)
+ + s->prop->spi_size;
++#endif
+ for (p = s; p; p = p->tnext) {
+ print_ph1mismatched(p,
+ iph1->proposal);
+@@ -1238,7 +1244,7 @@
+ "failed to get buffer.\n");
+ return NULL;
+ }
+- memset(pair, 0, sizeof(pair));
++ memset(pair, 0, sizeof(*pair));
+
+ bp = (caddr_t)(sab + 1);
+ tlen = sa->l - sizeof(*sab);
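Review bot: `memset(pair, 0, sizeof(*pair))` still clears a single element if `pair` is a pointer to an array of `struct prop_pair *` slots, as the `pair[i]` loops elsewhere in this file suggest. In that case `sizeof(pair)` and `sizeof(*pair)` are both the size of one pointer and the change only silences the compiler warning. The allocation sits above the hunk; the byte count passed to it is the right third argument here, or the `memset` can be dropped if that allocator already zeroes the buffer. Leaving most slots uncleared matters because later code tests `pair[i] == NULL` to decide which entries to walk.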
Index: pkgsrc/security/racoon2/patches/patch-iked_ikev1_oakley.c
diff -u /dev/null pkgsrc/security/racoon2/patches/patch-iked_ikev1_oakley.c:1.1
--- /dev/null Mon May 28 21:22:51 2018
+++ pkgsrc/security/racoon2/patches/patch-iked_ikev1_oakley.c Mon May 28 21:22:50 2018
@@ -0,0 +1,91 @@
+$NetBSD: patch-iked_ikev1_oakley.c,v 1.1 2018/05/29 01:22:50 christos Exp $
+
+Remove unused variables
+
+--- iked/ikev1/oakley.c.orig 2008-07-07 05:36:08.000000000 -0400
++++ iked/ikev1/oakley.c 2018-05-28 19:39:44.411098687 -0400
+@@ -585,7 +585,6 @@
+ {
+ rc_vchar_t *buf = 0, *res = 0;
+ int len;
+- int error = -1;
+
+ /* create buffer */
+ len = 1 + sizeof(uint32_t) + body->l;
+@@ -610,8 +609,6 @@
+ if (res == NULL)
+ goto end;
+
+- error = 0;
+-
+ plog(PLOG_DEBUG, PLOGLOC, NULL, "HASH computed:\n");
+ plogdump(PLOG_DEBUG, PLOGLOC, 0, res->v, res->l);
+
+@@ -637,7 +634,6 @@
+ rc_vchar_t *buf = NULL, *res = NULL;
+ char *p;
+ int len;
+- int error = -1;
+
+ /* create buffer */
+ len = sizeof(uint32_t) + body->l;
+@@ -663,8 +659,6 @@
+ if (res == NULL)
+ goto end;
+
+- error = 0;
+-
+ plog(PLOG_DEBUG, PLOGLOC, NULL, "HASH computed:\n");
+ plogdump(PLOG_DEBUG, PLOGLOC, 0, res->v, res->l);
+
+@@ -687,7 +681,6 @@
+ rc_vchar_t *buf = NULL, *res = NULL, *bp;
+ char *p, *bp2;
+ int len, bl;
+- int error = -1;
+ #ifdef HAVE_GSSAPI
+ rc_vchar_t *gsstokens = NULL;
+ #endif
+@@ -780,8 +773,6 @@
+ if (res == NULL)
+ goto end;
+
+- error = 0;
+-
+ plog(PLOG_DEBUG, PLOGLOC, NULL, "HASH (%s) computed:\n",
+ iph1->side == INITIATOR ? "init" : "resp");
+ plogdump(PLOG_DEBUG, PLOGLOC, 0, res->v, res->l);
+@@ -811,7 +802,6 @@
+ rc_vchar_t *hash = NULL; /* for signature mode */
+ char *p;
+ int len;
+- int error = -1;
+
+ /* sanity check */
+ if (iph1->etype != ISAKMP_ETYPE_BASE) {
+@@ -925,8 +915,6 @@
+ if (res == NULL)
+ goto end;
+
+- error = 0;
+-
+ plog(PLOG_DEBUG, PLOGLOC, NULL, "HASH_I computed:\n");
+ plogdump(PLOG_DEBUG, PLOGLOC, 0, res->v, res->l);
+
+@@ -950,7 +938,6 @@
+ rc_vchar_t *hash = NULL;
+ char *p;
+ int len;
+- int error = -1;
+
+ /* sanity check */
+ if (iph1->etype != ISAKMP_ETYPE_BASE) {
+@@ -1049,8 +1036,6 @@
+ if (res == NULL)
+ goto end;
+
+- error = 0;
+-
+ plog(PLOG_DEBUG, PLOGLOC, NULL, "HASH computed:\n");
+ plogdump(PLOG_DEBUG, PLOGLOC, 0, res->v, res->l);
+
Index: pkgsrc/security/racoon2/patches/patch-iked_ikev1_pfkey.c
diff -u /dev/null pkgsrc/security/racoon2/patches/patch-iked_ikev1_pfkey.c:1.1
--- /dev/null Mon May 28 21:22:51 2018
+++ pkgsrc/security/racoon2/patches/patch-iked_ikev1_pfkey.c Mon May 28 21:22:50 2018
@@ -0,0 +1,71 @@
+$NetBSD: patch-iked_ikev1_pfkey.c,v 1.1 2018/05/29 01:22:50 christos Exp $
+
+Fix unused
+
+--- iked/ikev1/pfkey.c.orig 2008-04-01 06:39:13.000000000 -0400
++++ iked/ikev1/pfkey.c 2018-05-28 19:55:26.598592949 -0400
+@@ -562,7 +562,9 @@
+ unsigned int satype, mode;
+ struct saprop *pp;
+ struct saproto *pr;
++#ifdef notyet
+ uint32_t minspi, maxspi;
++#endif
+ #if 0
+ int proxy = 0;
+ #endif
+@@ -613,13 +615,15 @@
+ }
+ /* this works around a bug in Linux kernel where it
+ * allocates 4 byte spi's for IPCOMP */
+- else if (satype == SADB_X_SATYPE_IPCOMP) {
++#ifdef notyet
++ if (satype == SADB_X_SATYPE_IPCOMP) {
+ minspi = 0x100;
+ maxspi = 0xffff;
+ } else {
+ minspi = 0;
+ maxspi = 0;
+ }
++#endif
+ mode = ipsecdoi2rc_mode(pr->encmode);
+ if (mode == 0) {
+ plog(PLOG_INTERR, PLOGLOC, NULL,
+@@ -635,8 +639,10 @@
+ param.pref_dst = 0;
+ param.satype = satype;
+ param.samode = mode;
+- /* param.minspi = minspi; */
+- /* param.maxspi = maxspi; */
++#ifdef notyet
++ param.minspi = minspi;
++ param.maxspi = maxspi;
++#endif
+ param.reqid = pr->reqid_in;
+ param.seq = iph2->seq;
+ if (iph2->sadb_request.method->getspi(¶m)) {
+@@ -747,7 +753,9 @@
+ unsigned int e_keylen, a_keylen, flags;
+ int satype, mode;
+ struct rcpfk_msg param;
++#if 0
+ unsigned int wsize = 4; /* XXX static size of window */
++#endif
+
+ /* sanity check */
+ if (iph2->approval == NULL) {
+@@ -773,10 +781,13 @@
+ plog(PLOG_PROTOERR, PLOGLOC, 0,
+ "invalid proto_id %d\n", pr->proto_id);
+ return -1;
+- } else if (satype == RCT_SATYPE_IPCOMP) {
++ }
++#if 0
++ if (satype == RCT_SATYPE_IPCOMP) {
+ /* IPCOMP has no replay window */
+ wsize = 0;
+ }
++#endif
+ mode = ipsecdoi2rc_mode(pr->encmode);
+ if (mode == 0) {
+ plog(PLOG_PROTOERR, PLOGLOC, 0,
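Review bot: In the `@@ -613` hunk the comment "this works around a bug in Linux kernel where it allocates 4 byte spi's for IPCOMP" now sits outside the `#ifdef notyet` guard and describes code that is no longer compiled. As far as these lines show, `minspi`/`maxspi` never reach `getspi()`, so the IPCOMP range is not applied at all. I would move the `#ifdef notyet` above that comment and say so explicitly, e.g. `/* notyet: SPI range is not passed to getspi(); IPCOMP range is not enforced here */`. The file also mixes `#ifdef notyet` (SPI range) with `#if 0` (`wsize`) for the same kind of disabled code; one convention would be easier to grep for. The enclosing functions start and end outside the hunks.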
Index: pkgsrc/security/racoon2/patches/patch-iked_ikev2.c
diff -u /dev/null pkgsrc/security/racoon2/patches/patch-iked_ikev2.c:1.1
--- /dev/null Mon May 28 21:22:51 2018
+++ pkgsrc/security/racoon2/patches/patch-iked_ikev2.c Mon May 28 21:22:50 2018
@@ -0,0 +1,78 @@
+$NetBSD: patch-iked_ikev2.c,v 1.1 2018/05/29 01:22:50 christos Exp $
+
+Remove unused
+
+--- iked/ikev2.c.orig 2010-02-01 05:30:51.000000000 -0500
++++ iked/ikev2.c 2018-05-28 19:59:33.332024762 -0400
+@@ -1945,8 +1945,6 @@
+ struct ikev2_payload_header *p;
+ int type;
+ struct ikev2_payload_header *id_i = 0;
+- struct ikev2_payload_header *cert = 0;
+- struct ikev2_payload_header *certreq = 0;
+ struct ikev2_payload_header *id_r = 0;
+ struct ikev2payl_auth *auth = 0;
+ struct ikev2_payload_header *sa_i2 = 0;
+@@ -2010,10 +2008,8 @@
+ * accept up to four X.509 certificates in support of authentication,
+ */
+ #endif
+- cert = p;
+ break;
+ case IKEV2_PAYLOAD_CERTREQ:
+- certreq = p;
+ break;
+ case IKEV2_PAYLOAD_ID_R:
+ if (id_r)
+@@ -2639,7 +2635,6 @@
+ int type;
+ struct ikev2_payload_header *p;
+ struct ikev2_payload_header *id_r = 0;
+- struct ikev2_payload_header *cert = 0;
+ struct ikev2payl_auth *auth = 0;
+ struct ikev2_payload_header *sa_r2 = 0;
+ struct ikev2_payload_header *ts_i = 0;
+@@ -2669,7 +2664,6 @@
+ * accept up to four X.509 certificates in support of authentication,
+ */
+ #endif
+- cert = p;
+ break;
+ case IKEV2_PAYLOAD_AUTH:
+ if (auth)
+@@ -2791,7 +2785,6 @@
+ int type;
+ struct ikev2_payload_header *p;
+ struct ikev2_payload_header *cfg = 0;
+- struct ikev2_payload_header *id_r = 0;
+ struct ikev2_payload_header *sa_r2 = 0;
+ struct ikev2_payload_header *ts_i = 0;
+ struct ikev2_payload_header *ts_r = 0;
+@@ -2834,7 +2827,6 @@
+ case IKEV2_PAYLOAD_ENCRYPTED:
+ break;
+ case IKEV2_PAYLOAD_ID_R:
+- id_r = p;
+ break;
+ case IKEV2_PAYLOAD_SA:
+ sa_r2 = p;
+@@ -4541,7 +4533,9 @@
+ int i;
+ uint32_t spi;
+ struct ikev2_child_sa *child_sa;
++#if 0
+ struct rcf_policy *policy;
++#endif
+
+ d = (struct ikev2payl_delete *)p;
+ protocol_id = d->dh.protocol_id;
+@@ -4641,7 +4635,9 @@
+ break;
+ }
+
++#if 0
+ policy = child_sa->selector->pl;
++#endif
+
+ /* (draft-17)
+ * If by chance both ends of a set
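Review bot: After the `cert`, `certreq` and `id_r` assignments are removed (hunks `@@ -2010`, `@@ -2669`, `@@ -2834`), the `IKEV2_PAYLOAD_CERT`, `IKEV2_PAYLOAD_CERTREQ` and `IKEV2_PAYLOAD_ID_R` arms are bare `break;` statements with no indication that skipping the payload is intended. In an authentication exchange parser that reads like forgotten handling, and unlike the `if (id_r)` / `if (auth)` arms nearby there is no duplicate check either. A one-line comment in each arm would record the intent, for example `/* payload accepted but not consumed in this function */`; whether the payload is processed elsewhere is not visible from these hunks, so the wording should be confirmed against the rest of the function.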
Index: pkgsrc/security/racoon2/patches/patch-iked_ikev2__child.c
diff -u /dev/null pkgsrc/security/racoon2/patches/patch-iked_ikev2__child.c:1.1
--- /dev/null Mon May 28 21:22:51 2018
+++ pkgsrc/security/racoon2/patches/patch-iked_ikev2__child.c Mon May 28 21:22:50 2018
@@ -0,0 +1,26 @@
+$NetBSD: patch-iked_ikev2__child.c,v 1.1 2018/05/29 01:22:50 christos Exp $
+
+Comment out unused
+
+--- iked/ikev2_child.c.orig 2008-09-10 04:30:58.000000000 -0400
++++ iked/ikev2_child.c 2018-05-28 20:02:17.518182437 -0400
+@@ -1373,7 +1373,9 @@
+ struct prop_pair *matching_proposal = 0;
+ struct prop_pair *matching_my_proposal = 0;
+ struct prop_pair **new_my_proposal_list = 0;
++#ifdef notyet
+ rc_vchar_t *g_ir;
++#endif
+ int err = 0;
+
+ /* update IPsec SA with received parameter */
+@@ -1451,8 +1453,8 @@
+ use_transport_mode ? "transport" : "tunnel"));
+ }
+
+- g_ir = 0;
+ #ifdef notyet
++ g_ir = 0;
+ /* if (ke_i && ke_r) g_ir = g^i^r */
+ #endif
+
Index: pkgsrc/security/racoon2/patches/patch-iked_ikev2__notify.c
diff -u /dev/null pkgsrc/security/racoon2/patches/patch-iked_ikev2__notify.c:1.1
--- /dev/null Mon May 28 21:22:51 2018
+++ pkgsrc/security/racoon2/patches/patch-iked_ikev2__notify.c Mon May 28 21:22:50 2018
@@ -0,0 +1,24 @@
+$NetBSD: patch-iked_ikev2__notify.c,v 1.1 2018/05/29 01:22:50 christos Exp $
+
+Fix unused
+
+--- iked/ikev2_notify.c.orig 2008-02-06 03:09:00.000000000 -0500
++++ iked/ikev2_notify.c 2018-05-28 20:05:41.431368140 -0400
+@@ -281,12 +281,16 @@
+ struct ikev2_child_param *child_param,
+ int *http_cert_lookup_supported)
+ {
+- struct ikev2_header *ikehdr;
+ struct ikev2payl_notify *notify;
++#ifdef notyet
++ struct ikev2_header *ikehdr;
+ uint32_t message_id;
++#endif
+
++#ifdef notyet
+ ikehdr = (struct ikev2_header *)msg->v;
+ message_id = get_uint32(&ikehdr->message_id);
++#endif
+ notify = (struct ikev2payl_notify *)payload;
+
+ switch (get_notify_type(notify)) {
Index: pkgsrc/security/racoon2/patches/patch-kinkd-crypto__openssl.c
diff -u /dev/null pkgsrc/security/racoon2/patches/patch-kinkd-crypto__openssl.c:1.1
--- /dev/null Mon May 28 21:22:51 2018
+++ pkgsrc/security/racoon2/patches/patch-kinkd-crypto__openssl.c Mon May 28 21:22:50 2018
@@ -0,0 +1,117 @@
+$NetBSD: patch-kinkd-crypto__openssl.c,v 1.1 2018/05/29 01:22:50 christos Exp $
+
+Fix signness issues
+
+--- kinkd/crypto_openssl.c.orig 2008-02-07 05:12:28.000000000 -0500
++++ kinkd/crypto_openssl.c 2018-05-28 19:32:47.287261308 -0400
+@@ -239,7 +239,7 @@
+ rc_vchar_t *res;
+ AES_KEY k;
+
+- if (AES_set_encrypt_key(key->v, key->l << 3, &k) < 0)
++ if (AES_set_encrypt_key((unsigned char *)key->v, key->l << 3, &k) < 0)
+ return NULL;
+ /* allocate buffer for result */
+ if ((res = rc_vmalloc(data->l)) == NULL) {
+@@ -247,7 +247,7 @@
+ EXITREQ_NOMEM();
+ return NULL;
+ }
+- AES_cbc_encrypt(data->v, res->v, data->l, &k, iv->v, AES_ENCRYPT);
++ AES_cbc_encrypt((unsigned char *)data->v, (unsigned char *)res->v, data->l, &k, (unsigned char *)iv->v, AES_ENCRYPT);
+
+ return res;
+ }
+@@ -258,7 +258,7 @@
+ rc_vchar_t *res;
+ AES_KEY k;
+
+- if (AES_set_decrypt_key(key->v, key->l << 3, &k) < 0)
++ if (AES_set_decrypt_key((unsigned char *)key->v, key->l << 3, &k) < 0)
+ return NULL;
+ /* allocate buffer for result */
+ if ((res = rc_vmalloc(data->l)) == NULL) {
+@@ -266,7 +266,7 @@
+ EXITREQ_NOMEM();
+ return NULL;
+ }
+- AES_cbc_encrypt(data->v, res->v, data->l, &k, iv->v, AES_DECRYPT);
++ AES_cbc_encrypt((unsigned char *)data->v, (unsigned char *)res->v, data->l, &k, (unsigned char *)iv->v, AES_DECRYPT);
+
+ return res;
+ }
+@@ -291,7 +291,7 @@
+ rc_vchar_t *res;
+ AES_KEY k;
+
+- if (AES_set_encrypt_key(key->v, key->l << 3, &k) < 0)
++ if (AES_set_encrypt_key((unsigned char *)key->v, key->l << 3, &k) < 0)
+ return NULL;
+ /* allocate buffer for result */
+ if ((res = rc_vmalloc(data->l)) == NULL) {
+@@ -299,7 +299,7 @@
+ EXITREQ_NOMEM();
+ return NULL;
+ }
+- AES_cts_encrypt(data->v, res->v, data->l, &k, iv->v, AES_ENCRYPT);
++ AES_cts_encrypt((unsigned char *)data->v, (unsigned char *)res->v, data->l, &k, (unsigned char *)iv->v, AES_ENCRYPT);
+
+ return res;
+ }
+@@ -310,7 +310,7 @@
+ rc_vchar_t *res;
+ AES_KEY k;
+
+- if (AES_set_decrypt_key(key->v, key->l << 3, &k) < 0)
++ if (AES_set_decrypt_key((unsigned char *)key->v, key->l << 3, &k) < 0)
+ return NULL;
+ /* allocate buffer for result */
+ if ((res = rc_vmalloc(data->l)) == NULL) {
+@@ -318,7 +318,7 @@
+ EXITREQ_NOMEM();
+ return NULL;
+ }
+- AES_cts_encrypt(data->v, res->v, data->l, &k, iv->v, AES_DECRYPT);
++ AES_cts_encrypt((unsigned char *)data->v, (unsigned char *)res->v, data->l, &k, (unsigned char *)iv->v, AES_DECRYPT);
+
+ return res;
+ }
+@@ -348,17 +348,17 @@
+ memcpy(lastblk, ivec, AES_BLOCK_SIZE);
+ for (i = 0; i < fraglen; i++)
+ lastblk[i] ^= (in + cbclen + AES_BLOCK_SIZE)[i];
+- AES_encrypt(lastblk, out + cbclen, key);
++ AES_encrypt((unsigned char *)lastblk, out + cbclen, key);
+ } else {
+ /* Decrypt the last plainblock. */
+- AES_decrypt(in + cbclen, lastblk, key);
++ AES_decrypt(in + cbclen, (unsigned char *)lastblk, key);
+ for (i = 0; i < fraglen; i++)
+ (out + cbclen + AES_BLOCK_SIZE)[i] =
+ lastblk[i] ^ (in + cbclen + AES_BLOCK_SIZE)[i];
+
+ /* Decrypt the second last block. */
+ memcpy(lastblk, in + cbclen + AES_BLOCK_SIZE, fraglen);
+- AES_decrypt(lastblk, out + cbclen, key);
++ AES_decrypt((unsigned char *)lastblk, out + cbclen, key);
+ if (cbclen == 0)
+ for (i = 0; i < AES_BLOCK_SIZE; i++)
+ (out + cbclen)[i] ^= ivec[i];
+@@ -738,7 +738,7 @@
+ if ((res = rc_vmalloc(SHA_DIGEST_LENGTH)) == 0)
+ return(0);
+
+- SHA1_Final(res->v, (SHA_CTX *)c);
++ SHA1_Final((unsigned char *)res->v, (SHA_CTX *)c);
+ (void)free(c);
+
+ return(res);
+@@ -792,7 +792,7 @@
+ if ((res = rc_vmalloc(MD5_DIGEST_LENGTH)) == 0)
+ return(0);
+
+- MD5_Final(res->v, (MD5_CTX *)c);
++ MD5_Final((unsigned char *)res->v, (MD5_CTX *)c);
+ (void)free(c);
+
+ return(res);
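Review bot: The four AES wrappers touched in the `@@ -239`, `@@ -258`, `@@ -291` and `@@ -310` hunks leave the expanded key schedule in the local `AES_KEY k` on the stack when they return. Since these lines are being edited anyway, adding `OPENSSL_cleanse(&k, sizeof(k));` before each `return res;` (and on the `rc_vmalloc` failure path) would close that. On style, the repeated `(unsigned char *)` casts push the `AES_cbc_encrypt`/`AES_cts_encrypt` calls well past the line width; local `unsigned char *` variables for `data->v`, `res->v` and `iv->v` would keep the calls readable. The function bodies begin outside the hunks, so the declaration of `rc_vchar_t` and the bounds on `key->l` are not visible here.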
Index: pkgsrc/security/racoon2/patches/patch-kinkd-ipsec__doi.c
diff -u /dev/null pkgsrc/security/racoon2/patches/patch-kinkd-ipsec__doi.c:1.1
--- /dev/null Mon May 28 21:22:51 2018
+++ pkgsrc/security/racoon2/patches/patch-kinkd-ipsec__doi.c Mon May 28 21:22:50 2018
@@ -0,0 +1,34 @@
+$NetBSD: patch-kinkd-ipsec__doi.c,v 1.1 2018/05/29 01:22:50 christos Exp $
+
+Fix wrong memset
+Fix pointer signness
+
+--- kinkd/ipsec_doi.c.orig 2018-05-28 19:34:49.793231430 -0400
++++ kinkd/ipsec_doi.c 2018-05-28 19:35:27.322259892 -0400
+@@ -654,7 +654,7 @@
+ "failed to get buffer.\n");
+ return NULL;
+ }
+- memset(pair, 0, sizeof(pair));
++ memset(pair, 0, sizeof(*pair));
+
+ bp = (caddr_t)(sab + 1);
+ tlen = sa->l - sizeof(*sab);
+@@ -2034,7 +2034,7 @@
+
+ /* set prefix */
+ if (len2) {
+- unsigned char *p = new->v + sizeof(struct ipsecdoi_id_b) + len1;
++ unsigned char *p = (unsigned char *)new->v + sizeof(struct ipsecdoi_id_b) + len1;
+ unsigned int bits = prefixlen;
+
+ while (bits >= 8) {
+@@ -2141,7 +2141,7 @@
+ plen = 0;
+ max = alen <<3;
+
+- p = buf->v
++ p = (unsigned char *)buf->v
+ + sizeof(struct ipsecdoi_id_b)
+ + alen;
+
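Review bot: The `memset(pair, 0, sizeof(*pair))` in the `@@ -654` hunk clears exactly one element, which is only right if `pair` points to a single object. The allocation is outside the hunk; if `pair` is an array of pointers (the "failed to get buffer" message suggests a multi-entry buffer), `sizeof(*pair)` is again just one pointer and the rest of the buffer stays uninitialised unless the allocator already zeroes it. The length should be the same expression used for the allocation, e.g. `memset(pair, 0, COUNT * sizeof(*pair));` with `COUNT` standing for whatever element count the allocation uses, or the `memset` dropped if the buffer comes from a zeroing allocator.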
Index: pkgsrc/security/racoon2/patches/patch-kinkd_bbkk__heimdal.c
diff -u /dev/null pkgsrc/security/racoon2/patches/patch-kinkd_bbkk__heimdal.c:1.1
--- /dev/null Mon May 28 21:22:51 2018
+++ pkgsrc/security/racoon2/patches/patch-kinkd_bbkk__heimdal.c Mon May 28 21:22:50 2018
@@ -0,0 +1,310 @@
+$NetBSD: patch-kinkd_bbkk__heimdal.c,v 1.1 2018/05/29 01:22:50 christos Exp $
+
+Avoid deprecated API's
+Include private header since we are using private functions
+Fix function calls with missing args
+
+--- kinkd/bbkk_heimdal.c.orig 2007-08-03 01:42:24.000000000 -0400
++++ kinkd/bbkk_heimdal.c 2018-05-28 21:07:22.720866945 -0400
+@@ -40,6 +40,10 @@
+ #include <string.h>
+ #if defined(HAVE_KRB5_KRB5_H)
+ # include <krb5/krb5.h>
++# include <openssl/evp.h>
++typedef void *krb5_pk_init_ctx;
++# include <krb5/pkinit_asn1.h>
++# include <krb5/krb5-private.h>
+ #else
+ # include <krb5.h>
+ #endif
+@@ -147,7 +151,7 @@
+ if (DEBUG_KRB5() && cause != NULL)
+ kinkd_log(KLLV_DEBUG,
+ "bbkk: %s: %s\n",
+- cause, krb5_get_err_text(con->context, ret));
++ cause, krb5_get_error_message(con->context, ret));
+ if (con->rcache != NULL)
+ krb5_rc_close(con->context, con->rcache);
+ if (con->ccache != NULL)
+@@ -185,7 +189,7 @@
+ {
+ krb5_error_code ret;
+ krb5_principal principal;
+- krb5_get_init_creds_opt opt;
++ krb5_get_init_creds_opt *opt;
+ krb5_creds cred;
+ krb5_keytab kt;
+ krb5_deltat start_time = 0;
+@@ -198,7 +202,7 @@
+ if (DEBUG_KRB5())
+ kinkd_log(KLLV_DEBUG,
+ "bbkk: krb5_parse_name: %s\n",
+- krb5_get_err_text(con->context, ret));
++ krb5_get_error_message(con->context, ret));
+ return ret;
+ }
+ ret = krb5_kt_default(con->context, &kt);
+@@ -206,25 +210,26 @@
+ if (DEBUG_KRB5())
+ kinkd_log(KLLV_DEBUG,
+ "bbkk: krb5_kt_default: %s\n",
+- krb5_get_err_text(con->context, ret));
++ krb5_get_error_message(con->context, ret));
+ krb5_free_principal(con->context, principal);
+ return ret;
+ }
+
+ memset(&cred, 0, sizeof(cred));
+- krb5_get_init_creds_opt_init(&opt);
++ krb5_get_init_creds_opt_alloc(con->context, &opt);
+ krb5_get_init_creds_opt_set_default_flags(con->context, "kinit",
+- principal->realm, &opt); /* XXX may not be kinit... */
++ principal->realm, opt); /* XXX may not be kinit... */
+
+ ret = krb5_get_init_creds_keytab(con->context, &cred, principal, kt,
+- start_time, NULL /* server */, &opt);
++ start_time, NULL /* server */, opt);
+ krb5_kt_close(con->context, kt);
+ krb5_free_principal(con->context, principal);
++ krb5_get_init_creds_opt_free(con->context, opt);
+ if (ret != 0) {
+ if (DEBUG_KRB5())
+ kinkd_log(KLLV_DEBUG,
+ "bbkk: krb5_get_init_creds_keytab: %s\n",
+- krb5_get_err_text(con->context, ret));
++ krb5_get_error_message(con->context, ret));
+ return ret;
+ }
+
+@@ -236,10 +241,10 @@
+ if (DEBUG_KRB5())
+ kinkd_log(KLLV_DEBUG,
+ "bbkk: krb5_cc_store_cred: %s\n",
+- krb5_get_err_text(con->context, ret));
++ krb5_get_error_message(con->context, ret));
+ return ret;
+ }
+- krb5_free_creds_contents(con->context, &cred);
++ krb5_free_cred_contents(con->context, &cred);
+
+ return 0;
+ }
+@@ -261,7 +266,7 @@
+ if (DEBUG_KRB5())
+ kinkd_log(KLLV_DEBUG,
+ "bbkk: krb5_parse_name: %s\n",
+- krb5_get_err_text(con->context, ret));
++ krb5_get_error_message(con->context, ret));
+ return ret;
+ }
+ ret = krb5_parse_name(con->context, cprinc_str, &client);
+@@ -269,7 +274,7 @@
+ if (DEBUG_KRB5())
+ kinkd_log(KLLV_DEBUG,
+ "bbkk: krb5_parse_name: %s\n",
+- krb5_get_err_text(con->context, ret));
++ krb5_get_error_message(con->context, ret));
+ krb5_free_principal(con->context, server);
+ return ret;
+ }
+@@ -292,7 +297,7 @@
+ if (DEBUG_KRB5())
+ kinkd_log(KLLV_DEBUG,
+ "bbkk: krb5_cc_remove_cred: %s\n",
+- krb5_get_err_text(con->context, ret));
++ krb5_get_error_message(con->context, ret));
+ krb5_free_principal(con->context, client);
+ krb5_free_principal(con->context, server);
+ return ret;
+@@ -311,7 +316,7 @@
+ if (DEBUG_KRB5())
+ kinkd_log(KLLV_DEBUG,
+ "bbkk: krb5_get_credentials: %s\n",
+- krb5_get_err_text(con->context, ret));
++ krb5_get_error_message(con->context, ret));
+ return ret;
+ }
+ *cred = (void *)out_cred;
+@@ -354,7 +359,7 @@
+ if (DEBUG_KRB5())
+ kinkd_log(KLLV_DEBUG,
+ "bbkk: krb5_copy_creds_contents: %s\n",
+- krb5_get_err_text(con->context, ret));
++ krb5_get_error_message(con->context, ret));
+ goto cleanup;
+ }
+ int_auth_con = NULL;
+@@ -364,12 +369,12 @@
+ */
+ ret = krb5_mk_req_extended(con->context, &int_auth_con,
+ AP_OPTS_MUTUAL_REQUIRED, NULL /* in_data */, &cred_copy, &ap_req);
+- krb5_free_creds_contents(con->context, &cred_copy);
++ krb5_free_cred_contents(con->context, &cred_copy);
+ if (ret != 0) {
+ if (DEBUG_KRB5())
+ kinkd_log(KLLV_DEBUG,
+ "bbkk: krb5_mk_req_extended: %s\n",
+- krb5_get_err_text(con->context, ret));
++ krb5_get_error_message(con->context, ret));
+ goto cleanup;
+ }
+
+@@ -414,7 +419,7 @@
+ if (DEBUG_KRB5())
+ kinkd_log(KLLV_DEBUG,
+ "bbkk: krb5_rd_rep: %s\n",
+- krb5_get_err_text(con->context, ret));
++ krb5_get_error_message(con->context, ret));
+ return ret;
+ }
+
+@@ -462,7 +467,7 @@
+ if (ret != 0) {
+ kinkd_log(KLLV_SYSERR,
+ "krb5e_force_get_key: (%d) %s\n",
+- ret, krb5_get_err_text(con->context, ret));
++ ret, krb5_get_error_message(con->context, ret));
+ krb5_auth_con_free(con->context, auth_context);
+ return ret;
+ }
+@@ -470,7 +475,7 @@
+ if (DEBUG_KRB5())
+ kinkd_log(KLLV_DEBUG,
+ "bbkk: krb5_rd_req: (%d)%s\n",
+- saveret, krb5_get_err_text(con->context, saveret));
++ saveret, krb5_get_error_message(con->context, saveret));
+ krb5_auth_con_free(con->context, auth_context);
+ return saveret;
+ }
+@@ -492,7 +497,7 @@
+ if (DEBUG_KRB5())
+ kinkd_log(KLLV_DEBUG,
+ "bbkk: krb5_rc_store: %s\n",
+- krb5_get_err_text(con->context, ret));
++ krb5_get_error_message(con->context, ret));
+ if (ticket != NULL)
+ krb5_free_ticket(con->context, ticket);
+ krb5_auth_con_free(con->context, auth_context);
+@@ -507,7 +512,7 @@
+ if (DEBUG_KRB5())
+ kinkd_log(KLLV_DEBUG,
+ "bbkk: krb5_mk_rep: %s\n",
+- krb5_get_err_text(con->context, ret));
++ krb5_get_error_message(con->context, ret));
+ /*
+ * XXX Heimdal-0.6.x
+ * Heimdal-0.6.x frees only ticket contents, not containter;
+@@ -536,7 +541,7 @@
+ if (DEBUG_KRB5())
+ kinkd_log(KLLV_DEBUG,
+ "bbkk: krb5_rd_req: (%d)%s\n",
+- saveret, krb5_get_err_text(con->context, saveret));
++ saveret, krb5_get_error_message(con->context, saveret));
+ if (ticket != NULL)
+ krb5_free_ticket(con->context, ticket);
+ return saveret;
+@@ -584,7 +589,7 @@
+ time_t ctime, *ctimep;
+ int cusec, *cusecp;
+
+- e_text = krb5_get_err_text(con->context, ecode);
++ e_text = krb5_get_error_message(con->context, ecode);
+ if (ecode < KRB5KDC_ERR_NONE || KRB5_ERR_RCSID <= ecode) {
+ kinkd_log(KLLV_SYSWARN,
+ "non protocol errror (%d), use GENERIC\n", ecode);
+@@ -609,7 +614,7 @@
+ if (DEBUG_KRB5())
+ kinkd_log(KLLV_DEBUG,
+ "bbkk: krb5_mk_error: %s\n",
+- krb5_get_err_text(con->context, ret));
++ krb5_get_error_message(con->context, ret));
+ return ret;
+ }
+
+@@ -635,7 +640,7 @@
+ if (DEBUG_KRB5())
+ kinkd_log(KLLV_DEBUG,
+ "bbkk: krb5_rd_error: %s\n",
+- krb5_get_err_text(con->context, ret));
++ krb5_get_error_message(con->context, ret));
+ return ret;
+ }
+
+@@ -926,7 +931,7 @@
+ if (con == NULL)
+ return "Failed in initialization, so no message is available";
+ else
+- return krb5_get_err_text(con->context, ecode);
++ return krb5_get_error_message(con->context, ecode);
+ }
+
+
+@@ -951,7 +956,7 @@
+ keyblock = NULL;
+
+ if ((t = (krb5_ticket *)malloc(sizeof(*t))) == NULL) {
+- krb5_clear_error_string(context);
++ krb5_clear_error_message(context);
+ return ENOMEM;
+ }
+ *t = t0;
+@@ -966,14 +971,14 @@
+ principalname2krb5_principal(&server,
+ ap_req.ticket.sname, ap_req.ticket.realm);
+ #else
+- _krb5_principalname2krb5_principal(&server,
++ _krb5_principalname2krb5_principal(context, &server,
+ ap_req.ticket.sname, ap_req.ticket.realm);
+ #endif
+
+ if (ap_req.ap_options.use_session_key && ac->keyblock == NULL) {
+- krb5_set_error_string(context, "krb5_rd_req: user to user "
+- "auth without session key given");
+ ret = KRB5KRB_AP_ERR_NOKEY;
++ krb5_set_error_message(context, ret,
++ "krb5_rd_req: user to user auth without session key given");
+ goto fail;
+ }
+
+@@ -1009,6 +1014,13 @@
+ }
+
+ /* decrypt ticket */
++#if 1
++ ret = krb5_decrypt_ticket(context, &ap_req.ticket,
++ ac->keyblock != NULL ? ac->keyblock : keyblock,
++ &t->ticket, 0);
++ if (ret != 0)
++ goto fail;
++#else
+ {
+ krb5_data plain;
+ size_t len;
+@@ -1030,6 +1042,7 @@
+ if (ret != 0)
+ goto fail;
+ }
++#endif
+
+ /* get keyblock from ticket */
+ if (ac->keyblock != NULL) {
+@@ -1039,6 +1052,11 @@
+ krb5_copy_keyblock(context, &t->ticket.key, &ac->keyblock);
+
+ /* handle authenticator */
++#if 1
++ ret = krb5_auth_con_getauthenticator(context, ac, &ac->authenticator);
++ if (ret != 0)
++ goto fail;
++#else
+ {
+ krb5_data plain;
+ size_t len;
+@@ -1059,6 +1077,7 @@
+ if (ret != 0)
+ goto fail;
+ }
++#endif
+ if (ac->authenticator->seq_number)
+ krb5_auth_con_setremoteseqnumber(context, ac,
+ *ac->authenticator->seq_number);
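Review bot: In the `@@ -1039` hunk the block under "handle authenticator" is compiled out and replaced by `krb5_auth_con_getauthenticator(context, ac, &ac->authenticator)`, which to my knowledge returns a copy of the authenticator already held in the auth context rather than decrypting the one carried in `ap_req`. If nothing earlier in this function fills `ac->authenticator` (the rest of the function is outside the hunk), the AP-REQ authenticator is no longer decrypted or checked on this path, and the following `ac->authenticator->seq_number` access depends on it. Please confirm, and either keep the `#else` path or record the reliance with a comment such as `/* ac->authenticator must already be set; ap_req.authenticator is not decrypted here */`. Separately, `krb5_get_error_message()` returns a string the caller must release with `krb5_free_error_message()`, unlike `krb5_get_err_text()`, so each converted call leaks, including the ones outside `DEBUG_KRB5()` in the `@@ -462` and `@@ -584` hunks. The return value of `krb5_get_init_creds_opt_alloc()` in the `@@ -206` hunk is also not checked before `opt` is used.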
Index: pkgsrc/security/racoon2/patches/patch-kinkd_isakmp__quick.c
diff -u /dev/null pkgsrc/security/racoon2/patches/patch-kinkd_isakmp__quick.c:1.1
--- /dev/null Mon May 28 21:22:51 2018
+++ pkgsrc/security/racoon2/patches/patch-kinkd_isakmp__quick.c Mon May 28 21:22:50 2018
@@ -0,0 +1,61 @@
+$NetBSD: patch-kinkd_isakmp__quick.c,v 1.1 2018/05/29 01:22:50 christos Exp $
+
+Fix unused
+
+--- kinkd/isakmp_quick.c.orig 2009-09-04 15:59:33.000000000 -0400
++++ kinkd/isakmp_quick.c 2018-05-28 21:12:13.401432933 -0400
+@@ -191,9 +191,11 @@
+ }
+
+ if (iph2->id_p) {
++#if 0
+ uint8_t dummy_plen;
+ uint16_t dummy_ulproto;
+ int ret;
++#endif
+
+ plog(LLV_DEBUG, LOCATION, NULL, "received IDci2:");
+ plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l);
+@@ -212,9 +214,11 @@
+ #endif
+ }
+ if (iph2->id) {
++#if 0
+ uint8_t dummy_plen;
+ uint16_t dummy_ulproto;
+ int ret;
++#endif
+
+ plog(LLV_DEBUG, LOCATION, NULL, "received IDcr2:");
+ plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l);
+@@ -258,7 +262,9 @@
+ {
+ rc_vchar_t *pbuf = NULL; /* for payload parsing */
+ struct isakmp_parse_t *pa;
++#if 0
+ int f_id;
++#endif
+ int error = ISAKMP_INTERNAL_ERROR;
+
+ /*
+@@ -290,7 +296,9 @@
+ * parse the payloads.
+ */
+ iph2->sa_ret = NULL;
++#if 0
+ f_id = 0; /* flag to use checking ID */
++#endif
+ for (; pa->type; pa++) {
+
+ switch (pa->type) {
+@@ -319,9 +327,9 @@
+
+ case ISAKMP_NPTYPE_ID:
+ {
++#if 0 /* ID payloads are not supported yet. */
+ rc_vchar_t *vp;
+
+-#if 0 /* ID payloads are not supported yet. */
+ /* check ID value */
+ if (f_id == 0) {
+ /* for IDci */
Index: pkgsrc/security/racoon2/patches/patch-kinkd_session.c
diff -u /dev/null pkgsrc/security/racoon2/patches/patch-kinkd_session.c:1.1
--- /dev/null Mon May 28 21:22:51 2018
+++ pkgsrc/security/racoon2/patches/patch-kinkd_session.c Mon May 28 21:22:50 2018
@@ -0,0 +1,15 @@
+$NetBSD: patch-kinkd_session.c,v 1.1 2018/05/29 01:22:50 christos Exp $
+
+Fix pointer to integer cast
+
+--- kinkd/session.c.orig 2006-08-11 16:44:34.000000000 -0400
++++ kinkd/session.c 2018-05-28 21:09:41.263580997 -0400
+@@ -290,7 +290,7 @@
+ {
+ int signo;
+
+- signo = (int)arg;
++ signo = (int)(intptr_t)arg;
+
+ switch (signo) {
+ case SIGHUP:
Index: pkgsrc/security/racoon2/patches/patch-lib_if__spmd.c
diff -u /dev/null pkgsrc/security/racoon2/patches/patch-lib_if__spmd.c:1.1
--- /dev/null Mon May 28 21:22:51 2018
+++ pkgsrc/security/racoon2/patches/patch-lib_if__spmd.c Mon May 28 21:22:50 2018
@@ -0,0 +1,68 @@
+$NetBSD: patch-lib_if__spmd.c,v 1.1 2018/05/29 01:22:50 christos Exp $
+
+Adjust for OpenSSL v1.1
+
+--- lib/if_spmd.c.orig 2008-03-27 06:05:42.000000000 -0400
++++ lib/if_spmd.c 2018-05-28 13:31:19.367838157 -0400
+@@ -1100,7 +1100,7 @@
+ spmd_if_login_response(struct spmd_cid *pci)
+ {
+ unsigned char md[EVP_MAX_MD_SIZE];
+- EVP_MD_CTX ctx;
++ EVP_MD_CTX *ctx;
+ size_t hash_len;
+ unsigned int md_len;
+ int error, used, i;
+@@ -1108,28 +1108,33 @@
+
+ error = -1;
+
+- EVP_MD_CTX_init(&ctx);
+- if (!EVP_DigestInit_ex(&ctx, SPMD_DIGEST_ALG, SPMD_EVP_ENGINE)) {
++ ctx = EVP_MD_CTX_new();
++ if (ctx == NULL) {
++ plog(PLOG_INTERR, PLOGLOC, NULL,
++ "failed to allocate Message Digest context\n");
++ goto fail_early;
++ }
++ if (!EVP_DigestInit_ex(ctx, SPMD_DIGEST_ALG, SPMD_EVP_ENGINE)) {
+ plog(PLOG_INTERR, PLOGLOC, NULL,
+ "failed to initilize Message Digest function\n");
+ goto fail_early;
+ }
+- if (!EVP_DigestUpdate(&ctx, pci->challenge, strlen(pci->challenge))) {
++ if (!EVP_DigestUpdate(ctx, pci->challenge, strlen(pci->challenge))) {
+ plog(PLOG_INTERR, PLOGLOC, NULL,
+ "failed to hash Challenge\n");
+ goto fail;
+ }
+- if (!EVP_DigestUpdate(&ctx, pci->password, strlen(pci->password))) {
++ if (!EVP_DigestUpdate(ctx, pci->password, strlen(pci->password))) {
+ plog(PLOG_INTERR, PLOGLOC, NULL,
+ "failed to hash Password\n");
+ goto fail;
+ }
+- if (sizeof(md) < EVP_MD_CTX_size(&ctx)) {
++ if (sizeof(md) < EVP_MD_CTX_size(ctx)) {
+ plog(PLOG_INTERR, PLOGLOC, NULL,
+ "Message Digest buffer is not enough\n");
+ goto fail;
+ }
+- if (!EVP_DigestFinal_ex(&ctx, md, &md_len)) {
++ if (!EVP_DigestFinal_ex(ctx, md, &md_len)) {
+ plog(PLOG_INTERR, PLOGLOC, NULL,
+ "failed to get Message Digest value\n");
+ goto fail;
+@@ -1154,11 +1159,7 @@
+
+ error = 0;
+ fail:
+- if (!EVP_MD_CTX_cleanup(&ctx)) {
+- plog(PLOG_INTERR, PLOGLOC, NULL,
+- "failed to cleanup Message Digest context\n");
+- error = -1; /* error again */
+- }
++ EVP_MD_CTX_free(ctx);
+ fail_early:
+ return error;
+ }
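Review bot: The `EVP_DigestInit_ex()` failure branch in the `@@ -1108` hunk still jumps to `fail_early`, which now skips `EVP_MD_CTX_free(ctx)` and leaks the context that `EVP_MD_CTX_new()` just allocated. With the old stack `EVP_MD_CTX` that jump was harmless; with the heap context it should be `goto fail;`, leaving `fail_early` only for the `ctx == NULL` case. Since this routine hashes `pci->password`, it would also be worth clearing `md` before returning, though whether `md` is copied elsewhere first is outside the hunk.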
Index: pkgsrc/security/racoon2/patches/patch-spmd_fqdn__query.c
diff -u /dev/null pkgsrc/security/racoon2/patches/patch-spmd_fqdn__query.c:1.1
--- /dev/null Mon May 28 21:22:51 2018
+++ pkgsrc/security/racoon2/patches/patch-spmd_fqdn__query.c Mon May 28 21:22:50 2018
@@ -0,0 +1,29 @@
+$NetBSD: patch-spmd_fqdn__query.c,v 1.1 2018/05/29 01:22:50 christos Exp $
+
+Fix unused
+
+--- spmd/fqdn_query.c.orig 2007-07-25 08:22:18.000000000 -0400
++++ spmd/fqdn_query.c 2018-05-28 19:43:35.179657737 -0400
+@@ -163,10 +163,9 @@
+ fqdn_query_response(struct task *t)
+ {
+ char data[MAX_UDP_DNS_SIZE];
+- int ret;
+
+ /* just discard */
+- ret = recvfrom(t->fd, data, sizeof(data), t->flags, t->sa, &(t->salen));
++ (void)recvfrom(t->fd, data, sizeof(data), t->flags, t->sa, &(t->salen));
+
+ spmd_free(t->sa);
+ close(t->fd);
+@@ -178,9 +177,8 @@
+ fqdn_query_send(struct task *t)
+ {
+ struct task *newt = NULL;
+- int ret=0;
+
+- ret = sendto(t->fd, t->msg, t->len, t->flags, t->sa, t->salen);
++ (void)sendto(t->fd, t->msg, t->len, t->flags, t->sa, t->salen);
+
+ newt = task_alloc(0);
+ newt->fd = t->fd;
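Review bot: Casting `sendto()` to `(void)` in `fqdn_query_send()` silences the warning but keeps the underlying problem: a failed send is ignored and the function goes on to allocate a task that waits for a reply on `t->fd`. I would test the result instead, `if (sendto(t->fd, t->msg, t->len, t->flags, t->sa, t->salen) < 0)`, log it with the file's logger and skip queuing the receive task. The `(void)recvfrom()` in `fqdn_query_response()` matches its "just discard" comment and is fine as written. Both function bodies continue outside the hunks.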
Index: pkgsrc/security/racoon2/patches/patch-spmd_main.c
diff -u /dev/null pkgsrc/security/racoon2/patches/patch-spmd_main.c:1.1
--- /dev/null Mon May 28 21:22:51 2018
+++ pkgsrc/security/racoon2/patches/patch-spmd_main.c Mon May 28 21:22:50 2018
@@ -0,0 +1,21 @@
+$NetBSD: patch-spmd_main.c,v 1.1 2018/05/29 01:22:50 christos Exp $
+
+Fix unused variable
+
+--- spmd/main.c.orig 2008-07-11 18:35:46.000000000 -0400
++++ spmd/main.c 2018-05-28 19:26:45.583066490 -0400
+@@ -378,11 +378,12 @@
+ do_daemon(void)
+ {
+ pid_t pid;
+- int en;
+
+ openlog("spmd", LOG_PID, LOG_DAEMON);
+ if (daemon(0, 0) < 0) {
+- en = errno;
++#ifdef __linux__ /* glibc specific ? */
++ int en = errno;
++#endif
+ perror("daemon()");
+ #ifdef __linux__ /* glibc specific ? */
+ if (en == 0) {
Index: pkgsrc/security/racoon2/patches/patch-spmd_shell.c
diff -u /dev/null pkgsrc/security/racoon2/patches/patch-spmd_shell.c:1.1
--- /dev/null Mon May 28 21:22:51 2018
+++ pkgsrc/security/racoon2/patches/patch-spmd_shell.c Mon May 28 21:22:50 2018
@@ -0,0 +1,61 @@
+$NetBSD: patch-spmd_shell.c,v 1.1 2018/05/29 01:22:50 christos Exp $
+
+Fix for OpenSSL 1.1
+
+--- spmd/shell.c 2008-01-25 01:13:01.000000000 -0500
++++ spmd/shell.c 2018-05-28 13:54:05.166565802 -0400
+@@ -655,7 +655,7 @@
+ char *p;
+ int i;
+ const EVP_MD *m;
+- EVP_MD_CTX ctx;
++ EVP_MD_CTX *ctx;
+ unsigned char digest[EVP_MAX_MD_SIZE];
+ unsigned int digest_len;
+
+@@ -693,27 +693,27 @@
+ }
+ }
+ #endif
+- EVP_MD_CTX_init(&ctx);
+- if (!EVP_DigestInit_ex(&ctx, m, SPMD_EVP_ENGINE)) {
+- SPMD_PLOG(SPMD_L_INTERR, "Failed to initilize Message Digest function");
++ ctx = EVP_MD_CTX_new();
++ if (ctx == NULL) {
++ SPMD_PLOG(SPMD_L_INTERR, "Failed to allocate Message Digest context");
+ goto fin;
+ }
+- if (!EVP_DigestUpdate(&ctx, seed, seed_len)) {
++ if (!EVP_DigestInit_ex(ctx, m, SPMD_EVP_ENGINE)) {
++ SPMD_PLOG(SPMD_L_INTERR, "Failed to initialize Message Digest function");
++ goto fin;
++ }
++ if (!EVP_DigestUpdate(ctx, seed, seed_len)) {
+ SPMD_PLOG(SPMD_L_INTERR, "Failed to hash Seed");
+ goto fin;
+ }
+- if (!EVP_DigestFinal_ex(&ctx, digest, &digest_len)) {
++ if (!EVP_DigestFinal_ex(ctx, digest, &digest_len)) {
+ SPMD_PLOG(SPMD_L_INTERR, "Failed to get Message Digest value");
+ goto fin;
+ }
+- if (digest_len != EVP_MD_CTX_size(&ctx)) {
++ if (digest_len != EVP_MD_CTX_size(ctx)) {
+ SPMD_PLOG(SPMD_L_INTERR, "Message Digest length is not enough");
+ goto fin;
+ }
+- if (!EVP_MD_CTX_cleanup(&ctx)) {
+- SPMD_PLOG(SPMD_L_INTERR, "Failed to cleanup Message Digest context");
+- goto fin;
+- }
+
+ challenge_len = digest_len*2+1;
+ challenge = spmd_calloc(challenge_len);
+@@ -729,6 +729,7 @@
+ }
+
+ fin:
++ EVP_MD_CTX_free(ctx);
+ spmd_free(seed);
+ just_fin:
+ return challenge;
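Review bot: `EVP_MD_CTX *ctx;` in the `@@ -655` hunk is declared without an initialiser, while the `fin:` label in the `@@ -729` hunk now calls `EVP_MD_CTX_free(ctx)` unconditionally. The code between the declaration and `EVP_MD_CTX_new()` is outside the hunks, but if any earlier error path jumps to `fin` (the label that also frees `seed`), the free runs on an indeterminate pointer. Declaring it as `EVP_MD_CTX *ctx = NULL;` makes every path safe, since `EVP_MD_CTX_free(NULL)` is a no-op.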
Index: pkgsrc/security/racoon2/patches/patch-spmd_spmd__pfkey.c
diff -u /dev/null pkgsrc/security/racoon2/patches/patch-spmd_spmd__pfkey.c:1.1
--- /dev/null Mon May 28 21:22:51 2018
+++ pkgsrc/security/racoon2/patches/patch-spmd_spmd__pfkey.c Mon May 28 21:22:50 2018
@@ -0,0 +1,22 @@
+$NetBSD: patch-spmd_spmd__pfkey.c,v 1.1 2018/05/29 01:22:50 christos Exp $
+
+Remove unused.
+
+--- spmd/spmd_pfkey.c.orig 2008-07-11 18:35:46.000000000 -0400
++++ spmd/spmd_pfkey.c 2018-05-28 19:45:26.942125292 -0400
+@@ -326,7 +326,6 @@
+ spmd_nonfqdn_sp_add(struct rcf_selector *sl)
+ {
+ struct rcf_policy *pl = NULL;
+- struct rcf_ipsec *ips = NULL;
+ struct rc_addrlist *al = NULL;
+ struct rc_addrlist *ipal = NULL;
+ struct rc_addrlist *ipal_tmp = NULL;
+@@ -373,7 +372,6 @@
+ if (!sl->pl->ips) {
+ return -1;
+ }
+- ips = sl->pl->ips;
+
+ /* check rcf_ipsec{} sa_* set or NULL */
+ if (set_satype(sl, rc)<0) {
Index: pkgsrc/security/racoon2/patches/patch-spmd_spmdctl.c
diff -u /dev/null pkgsrc/security/racoon2/patches/patch-spmd_spmdctl.c:1.1
--- /dev/null Mon May 28 21:22:51 2018
+++ pkgsrc/security/racoon2/patches/patch-spmd_spmdctl.c Mon May 28 21:22:50 2018
@@ -0,0 +1,366 @@
+$NetBSD: patch-spmd_spmdctl.c,v 1.1 2018/05/29 01:22:50 christos Exp $
+
+- Fix inefficient snprintfs, and detect errors.
+- Fix wrong memset length
+
+*** spmd/spmdctl.c.orig Sun Mar 28 21:52:00 2010
+--- spmd/spmdctl.c Mon May 28 14:17:08 2018
+***************
+*** 38,43 ****
+--- 38,44 ----
+ #include <netdb.h>
+ #include <netinet/tcp.h>
+ #include <signal.h>
++ #include <stdarg.h>
+ #include <errno.h>
+ #include "spmd_includes.h"
+ #include "spmd_internal.h"
+***************
+*** 154,159 ****
+--- 155,176 ----
+ return len;
+ }
+
++ static ssize_t __attribute__((__format__(__printf__, 2, 3)))
++ sc_writestr(int fd, const char *fmt, ...)
++ {
++ char buf[2048];
++ va_list ap;
++ va_start(ap, fmt);
++ int len = vsnprintf(buf, sizeof(buf), fmt, ap);
++ va_end(ap);
++ if (len == -1) {
++ perror("sc_writestr");
++ return -1;
++ }
++
++ return sc_writemsg(fd, buf, (size_t)len);
++ }
++
+ static int
+ sc_getline(int fd, char *buf, int len)
+ {
+***************
+*** 247,253 ****
+ sc_parse_alloc_sp_entry(const char *str, struct sp_entry *pre)
+ {
+ char *ap, *cp;
+! size_t slid_len=0, len=0;
+ struct sp_entry *sd=NULL;
+
+ sd = malloc(sizeof(*sd));
+--- 264,270 ----
+ sc_parse_alloc_sp_entry(const char *str, struct sp_entry *pre)
+ {
+ char *ap, *cp;
+! size_t slid_len=0;
+ struct sp_entry *sd=NULL;
+
+ sd = malloc(sizeof(*sd));
+***************
+*** 261,267 ****
+ sd->sa_dst = (struct sockaddr *)&sd->ss_sa_dst;
+
+ if (str) {
+- len = strlen(str);
+ ap = (char *)str;
+ cp = strpbrk(ap, " ");
+ if (!cp) {
+--- 278,283 ----
+***************
+*** 575,581 ****
+ sc_setup_pfkey(struct rcpfk_msg *rc)
+ {
+
+! memset(rc, 0, sizeof(rc));
+ memset(&pfkey_cbs, 0, sizeof(pfkey_cbs));
+ pfkey_cbs.cb_spddump = &sc_spddump_cb;
+
+--- 591,597 ----
+ sc_setup_pfkey(struct rcpfk_msg *rc)
+ {
+
+! memset(rc, 0, sizeof(*rc));
+ memset(&pfkey_cbs, 0, sizeof(pfkey_cbs));
+ pfkey_cbs.cb_spddump = &sc_spddump_cb;
+
+***************
+*** 657,665 ****
+ sc_policy(int s, char *selector_index, uint64_t lifetime, sa_mode_t samode,
+ const char *sp_src, const char *sp_dst, const char *sa_src, const char *sa_dst, int flag)
+ {
+- char wbuf[BUFSIZ];
+ char rbuf[BUFSIZ];
+- int w;
+ char sl[512]; /* XXX */
+ char lt[32];
+ int ps;
+--- 673,679 ----
+***************
+*** 669,697 ****
+
+ if (flag == TYPE_POLICY_ADD) {
+ if (samode == SA_MODE_TRANSPORT) {
+ snprintf(sl, sizeof(sl), "%s", selector_index);
+ snprintf(lt, sizeof(lt), "%" PRIu64, lifetime);
+! snprintf(wbuf, sizeof(wbuf), "POLICY ADD %s %s TRANSPORT %s %s\r\n",
+! sl, lt, sp_src, sp_dst);
+! w= sc_writemsg(s, wbuf, strlen(wbuf));
+! }
+! else if (samode == SA_MODE_TUNNEL) {
+! return -1;
+! snprintf(sl, sizeof(sl), "%s", selector_index);
+! snprintf(lt, sizeof(lt), "%" PRIu64, lifetime);
+! snprintf(wbuf, sizeof(wbuf), "POLICY ADD %s %s TUNNEL %s %s %s %s\r\n",
+! sl, lt, sp_src, sp_dst, sa_src, sa_dst);
+! w= sc_writemsg(s, wbuf, strlen(wbuf));
+ } else {
+ return -1;
+ }
+ } else if (flag == TYPE_POLICY_DEL) {
+! snprintf(sl, sizeof(sl), "%s", selector_index);
+! snprintf(wbuf, sizeof(wbuf), "POLICY DELETE %s\r\n", sl);
+! w= sc_writemsg(s, wbuf, strlen(wbuf));
+ } else if (flag == TYPE_POLICY_DUMP) {
+! snprintf(wbuf, sizeof(wbuf), "POLICY DUMP\r\n");
+! w= sc_writemsg(s, wbuf, strlen(wbuf));
+ goto dump;
+ } else {
+ return -1;
+--- 683,710 ----
+
+ if (flag == TYPE_POLICY_ADD) {
+ if (samode == SA_MODE_TRANSPORT) {
++ if (sc_writestr(s,
++ "POLICY ADD %s %" PRIu64 " TRANSPORT %s %s\r\n",
++ selector_index, lifetime, sp_src, sp_dst) < 0)
++ return -1;
++ } else if (samode == SA_MODE_TUNNEL) {
+ snprintf(sl, sizeof(sl), "%s", selector_index);
+ snprintf(lt, sizeof(lt), "%" PRIu64, lifetime);
+! if (sc_writestr(s,
+! "POLICY ADD %s %" PRIu64 " TUNNEL %s %s %s %s\r\n",
+! selector_index, lifetime, sp_src, sp_dst, sa_src,
+! sa_dst) < 0)
+! return -1;
+!
+ } else {
+ return -1;
+ }
+ } else if (flag == TYPE_POLICY_DEL) {
+! if (sc_writestr(s, "POLICY DELETE %s\r\n", selector_index) < 0)
+! return -1;
+ } else if (flag == TYPE_POLICY_DUMP) {
+! if (sc_writestr(s, "POLICY DUMP\r\n") < 0)
+! return -1;
+ goto dump;
+ } else {
+ return -1;
+***************
+*** 752,768 ****
+ sc_migrate(int s, char *selector_index, const char *src0, const char *dst0,
+ const char *src, const char *dst)
+ {
+- char wbuf[BUFSIZ];
+ char rbuf[BUFSIZ];
+- int w;
+- char sl[512]; /* XXX */
+-
+- snprintf(sl, sizeof(sl), "%s", selector_index);
+- snprintf(wbuf, sizeof(wbuf),
+- "MIGRATE %s %s %s %s %s\r\n",
+- sl, src0, dst0, src, dst);
+- w = sc_writemsg(s, wbuf, strlen(wbuf));
+
+ if (sc_getline(s, rbuf, sizeof(rbuf)) < 0) {
+ fprintf(stderr, "can't get response from spmd\n");
+ return -1;
+--- 765,775 ----
+ sc_migrate(int s, char *selector_index, const char *src0, const char *dst0,
+ const char *src, const char *dst)
+ {
+ char rbuf[BUFSIZ];
+
++ if (sc_writestr(s, "MIGRATE %s %s %s %s %s\r\n",
++ selector_index, src0, dst0, src, dst) < 0)
++ return -1;
+ if (sc_getline(s, rbuf, sizeof(rbuf)) < 0) {
+ fprintf(stderr, "can't get response from spmd\n");
+ return -1;
+***************
+*** 777,786 ****
+ static int
+ sc_status(int s)
+ {
+- int w;
+ char rbuf[512];
+
+! w = sc_writemsg(s, "STAT\r\n", strlen("STAT\r\n"));
+ while ( sc_getline(s, rbuf, sizeof(rbuf)) > 0) {
+ if (rbuf[0] != '2')
+ return -1;
+--- 784,793 ----
+ static int
+ sc_status(int s)
+ {
+ char rbuf[512];
+
+! if (sc_writestr(s, "STAT\r\n") < 0)
+! return -1;
+ while ( sc_getline(s, rbuf, sizeof(rbuf)) > 0) {
+ if (rbuf[0] != '2')
+ return -1;
+***************
+*** 795,803 ****
+ static int
+ sc_ns(int s, char *addr, int flag)
+ {
+- int w;
+ char rbuf[512];
+- char wbuf[512];
+ char naddr[NI_MAXHOST];
+ int match=0;
+
+--- 802,808 ----
+***************
+*** 811,817 ****
+
+
+ if (flag == TYPE_NS_ADD) {
+! w = sc_writemsg(s, "NS LIST\r\n", strlen("NS LIST\r\n"));
+ while ( sc_getline(s, rbuf, sizeof(rbuf)) > 0) {
+ if (rbuf[0] != '2')
+ return -1;
+--- 816,823 ----
+
+
+ if (flag == TYPE_NS_ADD) {
+! if (sc_writestr(s, "NS LIST\r\n") < 0)
+! return -1;
+ while ( sc_getline(s, rbuf, sizeof(rbuf)) > 0) {
+ if (rbuf[0] != '2')
+ return -1;
+***************
+*** 823,838 ****
+ }
+
+ if (match) {
+! snprintf(wbuf, sizeof(wbuf), "NS CHANGE %s\r\n", naddr);
+! w= sc_writemsg(s, wbuf, strlen(wbuf));
+ } else {
+! snprintf(wbuf, sizeof(wbuf), "NS ADD %s\r\n", naddr);
+! w= sc_writemsg(s, wbuf, strlen(wbuf));
+ }
+ return 0;
+ } else if (flag == TYPE_NS_DEL) {
+ int lines=0;
+! w = sc_writemsg(s, "NS LIST\r\n", strlen("NS LIST\r\n"));
+ while ( sc_getline(s, rbuf, sizeof(rbuf)) > 0) {
+ if (rbuf[0] != '2')
+ return -1;
+--- 829,845 ----
+ }
+
+ if (match) {
+! if (sc_writestr(s, "NS CHANGE %s\r\n", naddr) < 0)
+! return -1;
+ } else {
+! if (sc_writestr(s, "NS ADD %s\r\n", naddr) < 0)
+! return -1;
+ }
+ return 0;
+ } else if (flag == TYPE_NS_DEL) {
+ int lines=0;
+! if (sc_writestr(s, "NS LIST\r\n") < 0)
+! return -1;
+ while ( sc_getline(s, rbuf, sizeof(rbuf)) > 0) {
+ if (rbuf[0] != '2')
+ return -1;
+***************
+*** 845,856 ****
+ }
+
+ if (match && lines >1) {
+! snprintf(wbuf, sizeof(wbuf), "NS DELETE %s\r\n", naddr);
+! w= sc_writemsg(s, wbuf, strlen(wbuf));
+ }
+ return 0;
+ } else if (flag == TYPE_NS_LST) {
+! sc_writemsg(s, "NS LIST\r\n", strlen("NS LIST\r\n"));
+ while ( sc_getline(s, rbuf, sizeof(rbuf)) > 0) {
+ if (rbuf[0] != '2')
+ return -1;
+--- 852,864 ----
+ }
+
+ if (match && lines >1) {
+! if (sc_writestr(s, "NS DELETE %s\r\n", naddr) < 0)
+! return -1;
+ }
+ return 0;
+ } else if (flag == TYPE_NS_LST) {
+! if (sc_writestr(s, "NS LIST\r\n") < 0)
+! return -1;
+ while ( sc_getline(s, rbuf, sizeof(rbuf)) > 0) {
+ if (rbuf[0] != '2')
+ return -1;
+***************
+*** 977,983 ****
+ {
+ char rbuf[512];
+ char wbuf[512];
+! int r,w;
+ int s = -1;
+ struct rc_addrlist *rcl_top = NULL, *rcl;
+ struct sockaddr *sa;
+--- 985,991 ----
+ {
+ char rbuf[512];
+ char wbuf[512];
+! int r;
+ int s = -1;
+ struct rc_addrlist *rcl_top = NULL, *rcl;
+ struct sockaddr *sa;
+***************
+*** 1111,1118 ****
+ fprintf(stdout, "hash=%s\n", cid.hash);
+ }
+
+! snprintf(wbuf, sizeof(wbuf), "LOGIN %s\r\n", cid.hash);
+! w = sc_writemsg(s, wbuf, strlen(wbuf));
+ r = sc_getline(s, rbuf, sizeof(rbuf));
+ if (r<0) {
+ perror("LOGIN:read");
+--- 1119,1126 ----
+ fprintf(stdout, "hash=%s\n", cid.hash);
+ }
+
+! if (sc_writestr(s, "LOGIN %s\r\n", cid.hash) < 0)
+! exit(EXIT_FAILURE);
+ r = sc_getline(s, rbuf, sizeof(rbuf));
+ if (r<0) {
+ perror("LOGIN:read");
+***************
+*** 1134,1142 ****
+ sc_quit(int s)
+ {
+ char rbuf[512];
+! int r,w;
+
+! w = sc_writemsg(s, "QUIT\r\n", strlen("QUIT\r\n"));
+ r = sc_getline(s, rbuf, sizeof(rbuf));
+ if (r<0) {
+ perror("QUIT:read");
+--- 1142,1153 ----
+ sc_quit(int s)
+ {
+ char rbuf[512];
+! int r;
+
+! if (sc_writestr(s, "QUIT\r\n")) {
+! close(s);
+! return -1;
+! }
+ r = sc_getline(s, rbuf, sizeof(rbuf));
+ if (r<0) {
+ perror("QUIT:read");
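Review bot: In `sc_writestr` the only failure check is `len == -1`, so a formatted command longer than the 2048-byte `buf` is not caught: `vsnprintf` returns the length it would have written, and `sc_writemsg(fd, buf, (size_t)len)` is then asked to send more bytes than `buf` holds. Assuming `sc_writemsg` writes `len` bytes (its body is outside the hunk), that reads past the stack buffer and puts adjacent stack contents on the spmd socket. The removed code sent `strlen(wbuf)`, which stays inside the buffer on truncation, so the over-read is new with this helper; the guard should be `if (len < 0 || (size_t)len >= sizeof(buf)) return -1;`. Separately, `sc_quit` tests `if (sc_writestr(s, "QUIT\r\n"))` without the `< 0` used at every other call site. If `sc_writemsg` returns the byte count on success, as the `return len;` just above the helper suggests, a successful QUIT closes the socket and returns -1.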