
Fix freeing uninitialized pointer in binbuf_pubkey2rsa() on error path
If we take the first error path (the one where the decoded string doesn't
make sense) in binbuf_pubkey2rsa() we call BN_free() on "exp" so we have to
make sure that we NULL-initialize it.
---
crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c b/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
index 96a1e18200f9..4094a0714205 100644
--- a/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
+++ b/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
@@ -2544,7 +2544,7 @@ out:
static RSA *
binbuf_pubkey2rsa(vchar_t *binbuf)
{
- BIGNUM *exp, *mod;
+ BIGNUM *exp = NULL, *mod;
RSA *rsa_pub = NULL;
if (binbuf->v[0] > binbuf->l - 1) {
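Review bot: `mod` is still declared without an initializer on the changed line, so if any cleanup path in binbuf_pubkey2rsa() also releases `mod` before it is assigned, the same free of an indeterminate pointer remains; `BIGNUM *exp = NULL, *mod = NULL;` closes both at no cost. The function body continues outside the hunk, so whether `mod` is freed on that path cannot be confirmed from here. The guard on the following line computes `binbuf->l - 1`, which wraps if `l` is an unsigned size and the decoded buffer is empty, so an explicit `binbuf->l < 1` rejection ahead of the `binbuf->v[0]` read would be worth adding.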
Fix ipsec-tools Linux build
This fixes building ipsec-tools on Linux (with OpenSSL 1.1.x),
a configuration that some recent code changes have broken.
---
crypto/dist/ipsec-tools/configure.ac | 3 +-
.../src/include-glibc/glibc-bugs.h | 5 +++
crypto/dist/ipsec-tools/src/racoon/eaytest.c | 2 +-
.../ipsec-tools/src/racoon/plainrsa-gen.c | 32 +++++++++++--------
crypto/dist/ipsec-tools/src/setkey/parse.y | 4 +++
crypto/dist/ipsec-tools/src/setkey/setkey.c | 5 ++-
6 files changed, 35 insertions(+), 16 deletions(-)
diff --git a/crypto/dist/ipsec-tools/configure.ac b/crypto/dist/ipsec-tools/configure.ac
index 4173746ce100..4c9a70b68839 100644
--- a/crypto/dist/ipsec-tools/configure.ac
+++ b/crypto/dist/ipsec-tools/configure.ac
@@ -18,10 +18,11 @@ AM_PROG_LEX
AC_SUBST(LEXLIB)
AC_PROG_EGREP
-CFLAGS_ADD="$CFLAGS_ADD -Wall -Werror -Wno-unused"
+CFLAGS_ADD="$CFLAGS_ADD -Wall -Wno-unused"
case $host in
*netbsd*)
+ CFLAGS_ADD="$CFLAGS_ADD -Werror"
LDFLAGS="-Wl,-R/usr/pkg/lib $LDFLAGS"
;;
*linux*)
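Review bot: With `-Werror` now added only in the `*netbsd*)` branch, Linux builds of this IKE daemon will compile straight through warnings that often mark real bugs, such as implicit function declarations or non-literal format strings. If the blanket flag has to go because of warning noise on Linux, consider keeping a targeted set for every host, e.g. `CFLAGS_ADD="$CFLAGS_ADD -Wall -Wno-unused -Werror=implicit-function-declaration -Werror=format-security"`. The `case $host` block continues outside the hunk.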
diff --git a/crypto/dist/ipsec-tools/src/include-glibc/glibc-bugs.h b/crypto/dist/ipsec-tools/src/include-glibc/glibc-bugs.h
index a992d2fb028d..4f8372ded882 100644
--- a/crypto/dist/ipsec-tools/src/include-glibc/glibc-bugs.h
+++ b/crypto/dist/ipsec-tools/src/include-glibc/glibc-bugs.h
@@ -5,8 +5,13 @@
#define _XOPEN_SOURCE 500
#define _BSD_SOURCE
+#define _DEFAULT_SOURCE
#include <features.h>
#include <sys/types.h>
+#ifndef __UNCONST
+#define __UNCONST(a) ((void *)(unsigned long)(const void *)(a))
+#endif
+
#endif
diff --git a/crypto/dist/ipsec-tools/src/racoon/eaytest.c b/crypto/dist/ipsec-tools/src/racoon/eaytest.c
index 1474bdcb4fdd..b2a22f583dec 100644
--- a/crypto/dist/ipsec-tools/src/racoon/eaytest.c
+++ b/crypto/dist/ipsec-tools/src/racoon/eaytest.c
@@ -103,7 +103,7 @@ rsa_verify_with_pubkey(src, sig, pubkey_txt)
printf ("PEM_read_PUBKEY(): %s\n", eay_strerror());
return -1;
}
- error = eay_check_rsasign(src, sig, evp->pkey.rsa);
+ error = eay_check_rsasign(src, sig, EVP_PKEY_get0_RSA(evp));
return error;
}
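Review bot: `EVP_PKEY_get0_RSA(evp)` returns NULL when the loaded key is not an RSA key, and the new line hands that result straight to `eay_check_rsasign()`. Check it first, e.g. `RSA *rsa = EVP_PKEY_get0_RSA(evp); if (rsa == NULL) return -1;`, and pass `rsa` on. No `EVP_PKEY_free(evp)` is visible before `return error;`; the start of the function is outside the hunk, so confirm whether the key is released elsewhere.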
diff --git a/crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c b/crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c
index cad1861b7d47..eae7f1d6e682 100644
--- a/crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c
+++ b/crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c
@@ -90,12 +90,14 @@ mix_b64_pubkey(const RSA *key)
char *binbuf;
long binlen, ret;
vchar_t *res;
-
- binlen = 1 + BN_num_bytes(key->e) + BN_num_bytes(key->n);
+ const BIGNUM *e, *n;
+
+ RSA_get0_key(key, &n, &e, NULL);
+ binlen = 1 + BN_num_bytes(e) + BN_num_bytes(n);
binbuf = malloc(binlen);
memset(binbuf, 0, binlen);
- binbuf[0] = BN_bn2bin(key->e, (unsigned char *) &binbuf[1]);
- ret = BN_bn2bin(key->n, (unsigned char *) (&binbuf[binbuf[0] + 1]));
+ binbuf[0] = BN_bn2bin(e, (unsigned char *) &binbuf[1]);
+ ret = BN_bn2bin(n, (unsigned char *) (&binbuf[binbuf[0] + 1]));
if (1 + binbuf[0] + ret != binlen) {
plog(LLV_ERROR, LOCATION, NULL,
"Pubkey generation failed. This is really strange...\n");
@@ -131,16 +133,20 @@ print_rsa_key(FILE *fp, const RSA *key)
fprintf(fp, "# : PUB 0s%s\n", pubkey64->v);
fprintf(fp, ": RSA\t{\n");
- fprintf(fp, "\t# RSA %d bits\n", BN_num_bits(key->n));
+ const BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp;
+ RSA_get0_key(key, &n, &e, &d);
+ RSA_get0_factors(key, &p, &q);
+ RSA_get0_crt_params(key, &dmp1, &dmq1, &iqmp);
+ fprintf(fp, "\t# RSA %d bits\n", BN_num_bits(n));
fprintf(fp, "\t# pubkey=0s%s\n", pubkey64->v);
- fprintf(fp, "\tModulus: 0x%s\n", lowercase(BN_bn2hex(key->n)));
- fprintf(fp, "\tPublicExponent: 0x%s\n", lowercase(BN_bn2hex(key->e)));
- fprintf(fp, "\tPrivateExponent: 0x%s\n", lowercase(BN_bn2hex(key->d)));
- fprintf(fp, "\tPrime1: 0x%s\n", lowercase(BN_bn2hex(key->p)));
- fprintf(fp, "\tPrime2: 0x%s\n", lowercase(BN_bn2hex(key->q)));
- fprintf(fp, "\tExponent1: 0x%s\n", lowercase(BN_bn2hex(key->dmp1)));
- fprintf(fp, "\tExponent2: 0x%s\n", lowercase(BN_bn2hex(key->dmq1)));
- fprintf(fp, "\tCoefficient: 0x%s\n", lowercase(BN_bn2hex(key->iqmp)));
+ fprintf(fp, "\tModulus: 0x%s\n", lowercase(BN_bn2hex(n)));
+ fprintf(fp, "\tPublicExponent: 0x%s\n", lowercase(BN_bn2hex(e)));
+ fprintf(fp, "\tPrivateExponent: 0x%s\n", lowercase(BN_bn2hex(d)));
+ fprintf(fp, "\tPrime1: 0x%s\n", lowercase(BN_bn2hex(p)));
+ fprintf(fp, "\tPrime2: 0x%s\n", lowercase(BN_bn2hex(q)));
+ fprintf(fp, "\tExponent1: 0x%s\n", lowercase(BN_bn2hex(dmp1)));
+ fprintf(fp, "\tExponent2: 0x%s\n", lowercase(BN_bn2hex(dmq1)));
+ fprintf(fp, "\tCoefficient: 0x%s\n", lowercase(BN_bn2hex(iqmp)));
fprintf(fp, " }\n");
vfree(pubkey64);
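Review bot: Each `BN_bn2hex()` call in the rewritten `fprintf` lines returns a heap string that is neither checked for NULL nor released, and for `d`, `p`, `q`, `dmp1`, `dmq1` and `iqmp` that string is a copy of private-key material left behind on the heap. Unless `lowercase()` (not visible here) takes ownership, hold each result in a local, print it, then wipe and free it, e.g. `char *hex = BN_bn2hex(d);` followed by `OPENSSL_clear_free(hex, strlen(hex));` after the `fprintf`. The new `const BIGNUM *n, *e, ...` declaration also sits after statements, unlike the top-of-block declaration in the `mix_b64_pubkey` hunk above, where `malloc(binlen)` is likewise passed to `memset` without a NULL check.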
diff --git a/crypto/dist/ipsec-tools/src/setkey/parse.y b/crypto/dist/ipsec-tools/src/setkey/parse.y
index dfcfbe28c3a7..0cf1e2af299f 100644
--- a/crypto/dist/ipsec-tools/src/setkey/parse.y
+++ b/crypto/dist/ipsec-tools/src/setkey/parse.y
@@ -968,6 +968,7 @@ setkeymsg_spdaddr(unsigned int type, unsigned int upper, vchar_t *policy,
struct sockaddr *sa;
int salen;
#ifdef HAVE_POLICY_FWD
+ struct sadb_x_policy *sp;
struct sadb_x_ipsecrequest *ps = NULL;
int saved_level, saved_id = 0;
#endif
@@ -981,6 +982,9 @@ setkeymsg_spdaddr(unsigned int type, unsigned int upper, vchar_t *policy,
setkeymsg0(msg, type, SADB_SATYPE_UNSPEC, 0);
l = sizeof(struct sadb_msg);
+#ifdef HAVE_POLICY_FWD
+ sp = (struct sadb_x_policy*) (buf + l);
+#endif
memcpy(buf + l, policy->buf, policy->len);
l += policy->len;
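Review bot: `sp` is pointed at `buf + l` just before the `memcpy`, but nothing visible in this hunk checks that `policy->len` is at least `sizeof(struct sadb_x_policy)` or that `l + policy->len` fits in `buf`. Any later `sp->` access under `HAVE_POLICY_FWD` (outside the hunk) therefore relies on the parser having produced a complete policy header. A guard such as `if (policy->len < sizeof(*sp))` that leaves through the function's existing error return, or a comment naming where that invariant is enforced, would make this safe to read. The cast also assumes `buf + l` is suitably aligned for the struct, which depends on how `buf` is declared outside this hunk.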
diff --git a/crypto/dist/ipsec-tools/src/setkey/setkey.c b/crypto/dist/ipsec-tools/src/setkey/setkey.c
index 6d2574112d30..5779cb0f494f 100644
--- a/crypto/dist/ipsec-tools/src/setkey/setkey.c
+++ b/crypto/dist/ipsec-tools/src/setkey/setkey.c
@@ -396,7 +396,10 @@ sendkeyshort(u_int type)
sendkeymsg((char *)&msg, sizeof(msg));
}
-static void __dead
+static void
+#ifdef __dead
+__dead
+#endif
promisc(void)
{
struct sadb_msg msg;
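Review bot: Wrapping the attribute in `#ifdef __dead` compiles, but it silently drops the no-return annotation on glibc and puts preprocessor lines in the middle of a declaration. Since this commit already adds a fallback `__UNCONST` to glibc-bugs.h, a matching fallback there, `#ifndef __dead` / `#define __dead __attribute__((__noreturn__))` / `#endif`, would let `static void __dead` stay as it was. That assumes setkey.c pulls in that header, which is not visible in this hunk.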
Use CLOCK_BOOTTIME for measuring time intervals in racoon, if available
The difference between CLOCK_BOOTTIME and CLOCK_MONOTONIC is that
CLOCK_MONOTONIC stops when the machine is sleeping.
Linux kernel uses CLOCK_BOOTTIME for measuring things like SA expiry times.
We should do likewise, so we don't get a different view than the kernel and
our peers of when exactly our SAs expire when the machine gets suspended and
then resumed.
---
crypto/dist/ipsec-tools/src/racoon/schedule.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/crypto/dist/ipsec-tools/src/racoon/schedule.c b/crypto/dist/ipsec-tools/src/racoon/schedule.c
index 018f920bace8..d4a09846677f 100644
--- a/crypto/dist/ipsec-tools/src/racoon/schedule.c
+++ b/crypto/dist/ipsec-tools/src/racoon/schedule.c
@@ -67,7 +67,12 @@ sched_get_monotonic_time(tv)
#ifdef HAVE_CLOCK_MONOTONIC
struct timespec ts;
+#ifdef CLOCK_BOOTTIME
+ if (clock_gettime(CLOCK_BOOTTIME, &ts) != 0)
+ clock_gettime(CLOCK_MONOTONIC, &ts);
+#else
clock_gettime(CLOCK_MONOTONIC, &ts);
+#endif
tv->tv_sec = ts.tv_sec;
tv->tv_usec = ts.tv_nsec / 1000;
#else
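Review bot: The fallback `clock_gettime(CLOCK_MONOTONIC, &ts)` is still unchecked, so if both calls fail `ts` is read uninitialized and the scheduler's notion of time, which drives SA lifetime timers, becomes arbitrary. Initialise it with `struct timespec ts = {0};` or check the second return value and handle the failure. Where the headers define `CLOCK_BOOTTIME` but the running kernel rejects it, every call pays a failing syscall first; selecting the clock id once and keeping it in a `static clockid_t` would avoid that and guarantee the two clocks are never mixed between calls. The function body continues outside the hunk.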