summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorchristos <christos@pkgsrc.org>2018-07-01 15:47:17 +0000
committerchristos <christos@pkgsrc.org>2018-07-01 15:47:17 +0000
commit592d5fcc76f3c12bb6560944f1ecd42e9a538dc0 (patch)
tree8a4e0ed48ac6b026219ab6229627efc34c865e97
parent97ea959557d9bc6f964d39c045e5da6ffb488052 (diff)
downloadpkgsrc-592d5fcc76f3c12bb6560944f1ecd42e9a538dc0.tar.gz
switch to using github as upstream, and enable nat-t
(all patches have been included in the github version)
-rw-r--r--security/racoon2/Makefile18
-rw-r--r--security/racoon2/distinfo40
-rw-r--r--security/racoon2/patches/patch-aa16
-rw-r--r--security/racoon2/patches/patch-ab22
-rw-r--r--security/racoon2/patches/patch-ac21
-rw-r--r--security/racoon2/patches/patch-ad25
-rw-r--r--security/racoon2/patches/patch-ae23
-rw-r--r--security/racoon2/patches/patch-iked_crypto__impl.h15
-rw-r--r--security/racoon2/patches/patch-iked_crypto__openssl.c714
-rw-r--r--security/racoon2/patches/patch-iked_ike__conf.c36
-rw-r--r--security/racoon2/patches/patch-iked_ikev1_ikev1.c24
-rw-r--r--security/racoon2/patches/patch-iked_ikev1_ipsec__doi.c48
-rw-r--r--security/racoon2/patches/patch-iked_ikev1_oakley.c91
-rw-r--r--security/racoon2/patches/patch-iked_ikev1_pfkey.c71
-rw-r--r--security/racoon2/patches/patch-iked_ikev2.c78
-rw-r--r--security/racoon2/patches/patch-iked_ikev2__child.c26
-rw-r--r--security/racoon2/patches/patch-iked_ikev2__notify.c24
-rw-r--r--security/racoon2/patches/patch-kinkd-crypto__openssl.c117
-rw-r--r--security/racoon2/patches/patch-kinkd-ipsec__doi.c34
-rw-r--r--security/racoon2/patches/patch-kinkd_bbkk__heimdal.c310
-rw-r--r--security/racoon2/patches/patch-kinkd_isakmp__quick.c61
-rw-r--r--security/racoon2/patches/patch-kinkd_session.c15
-rw-r--r--security/racoon2/patches/patch-lib_cfparse.y15
-rw-r--r--security/racoon2/patches/patch-lib_cfsetup.c23
-rw-r--r--security/racoon2/patches/patch-lib_cftoken.l24
-rw-r--r--security/racoon2/patches/patch-lib_if__pfkeyv2.c26
-rw-r--r--security/racoon2/patches/patch-lib_if__spmd.c68
-rw-r--r--security/racoon2/patches/patch-spmd_fqdn__query.c29
-rw-r--r--security/racoon2/patches/patch-spmd_main.c21
-rw-r--r--security/racoon2/patches/patch-spmd_shell.c61
-rw-r--r--security/racoon2/patches/patch-spmd_spmd__pfkey.c22
-rw-r--r--security/racoon2/patches/patch-spmd_spmdctl.c366
32 files changed, 17 insertions, 2467 deletions
diff --git a/security/racoon2/Makefile b/security/racoon2/Makefile
index d486ada4cc1..31601118aed 100644
--- a/security/racoon2/Makefile
+++ b/security/racoon2/Makefile
@@ -1,11 +1,17 @@
-# $NetBSD: Makefile,v 1.12 2018/05/29 01:22:50 christos Exp $
+# $NetBSD: Makefile,v 1.13 2018/07/01 15:47:17 christos Exp $
#
-DISTNAME= racoon2-20100526a
-PKGREVISION= 10
CATEGORIES= security net
-MASTER_SITES= ftp://ftp.racoon2.wide.ad.jp/pub/racoon2/
-EXTRACT_SUFX= .tgz
+#DISTNAME= racoon2-20100526a
+#PKGREVISION= 10
+#MASTER_SITES= ftp://ftp.racoon2.wide.ad.jp/pub/racoon2/
+#EXTRACT_SUFX= .tgz
+
+DISTNAME= racoon2
+PKGNAME= racoon2-20180701
+MASTER_SITES= ${MASTER_SITE_GITHUB:=zoulasc/}
+GITHUB_PROJECT= racoon2
+GITHUB_TAG= b2a193fc9875d1fb89c0a51690745379bc135fcf
MAINTAINER= kamada@nanohz.org
HOMEPAGE= http://www.racoon2.wide.ad.jp/
@@ -55,7 +61,7 @@ CONF_FILES_PERMS+= ${EGDIR}/racoon2.conf ${PKG_SYSCONFDIR}/racoon2.conf \
${REAL_ROOT_USER} ${REAL_ROOT_GROUP} 600
CONF_FILES_PERMS+= ${EGDIR}/vals.conf ${PKG_SYSCONFDIR}/vals.conf \
${REAL_ROOT_USER} ${REAL_ROOT_GROUP} 600
-CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR}
+CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR} --enable-natt
MAKE_DIRS_PERMS+= ${VARBASE}/run/racoon2 ${REAL_ROOT_USER} ${REAL_ROOT_GROUP} 0700
diff --git a/security/racoon2/distinfo b/security/racoon2/distinfo
index 7afb5d6501f..76e19026ac3 100644
--- a/security/racoon2/distinfo
+++ b/security/racoon2/distinfo
@@ -1,36 +1,6 @@
-$NetBSD: distinfo,v 1.6 2018/05/29 01:22:50 christos Exp $
+$NetBSD: distinfo,v 1.7 2018/07/01 15:47:17 christos Exp $
-SHA1 (racoon2-20100526a.tgz) = 268429af8a031dbbc279580cf98ea18331f0e2d9
-RMD160 (racoon2-20100526a.tgz) = 014cdcf78cc82ab21235a21491850cdcd1f883bf
-SHA512 (racoon2-20100526a.tgz) = 0a75fe0338c5747e3ecd7d68e28adc6d4a66ad2d33210d3d027de72bad6712068a92506caaaf8f6c6f81b204db9be2a1779cb3b1bb8bd75445210cfa746eb88a
-Size (racoon2-20100526a.tgz) = 1017077 bytes
-SHA1 (patch-aa) = e3bc810f72dac266bec992f0430572b00768cc22
-SHA1 (patch-ab) = eb6d901108ebcca90571851817137b4b3f3c594b
-SHA1 (patch-ac) = 081a2d3d694d4c20cf1fa2d9718577577280288e
-SHA1 (patch-ad) = 0d04dc7027c100de6bc04db00eddb30a12fd8715
-SHA1 (patch-ae) = 937cf84a2b6f1e8f8d288703a0556faf500bab95
-SHA1 (patch-iked_crypto__impl.h) = e6b274258eb7428cbd01cefc33ae85e001260542
-SHA1 (patch-iked_crypto__openssl.c) = 0a013e5aa5ce9747da61b8095440a16ee78de4e9
-SHA1 (patch-iked_ike__conf.c) = 82e09465e69b082abb12b3fead16eae8a7bc103b
-SHA1 (patch-iked_ikev1_ikev1.c) = ce9b22b2be12bc4cd5fa0e171cbd39c0d88d5406
-SHA1 (patch-iked_ikev1_ipsec__doi.c) = 3673d0643359eb8a68bbd867e941e1a1aae02b01
-SHA1 (patch-iked_ikev1_oakley.c) = 8823a898ec8190d177d3eda8d6c474040b08d2a1
-SHA1 (patch-iked_ikev1_pfkey.c) = 064df06b876504b611008a8a20b44266a83c5789
-SHA1 (patch-iked_ikev2.c) = 857805c92e3c78ec5f05a9068acbba03e91030b3
-SHA1 (patch-iked_ikev2__child.c) = f7f268f3e7666a3e23efd3b71c4474eeb9f8a046
-SHA1 (patch-iked_ikev2__notify.c) = 688d5b46451912b00dbf1500e7ff66f4290d7d8a
-SHA1 (patch-kinkd-crypto__openssl.c) = 4acd36a5462d3296a53966f85fb39e8888650d5a
-SHA1 (patch-kinkd-ipsec__doi.c) = f72d62de7dce9e02d4de77162926491fef3761d1
-SHA1 (patch-kinkd_bbkk__heimdal.c) = 55a4e8121df28272d2838376823bc85ec108d93f
-SHA1 (patch-kinkd_isakmp__quick.c) = 1b177838621336bfabf0416d9fc09d6e581b8c05
-SHA1 (patch-kinkd_session.c) = 6b2ec8329d0fda0b850116c21bda2a4d06634f0d
-SHA1 (patch-lib_cfparse.y) = 9e0b8ec9c09c315edde171103b97a8c403ba748e
-SHA1 (patch-lib_cfsetup.c) = 70c2409bc69ff85cef6d2e2b4e222e12537c323e
-SHA1 (patch-lib_cftoken.l) = cbda1153f7fd34713248d3d7d188a50b27d9ddcd
-SHA1 (patch-lib_if__pfkeyv2.c) = 9eb969ff0f289bc7c4aa1fa234c221b4d70d1da7
-SHA1 (patch-lib_if__spmd.c) = 0b5e5412afb826f502c040153ca5b0e50ad3d682
-SHA1 (patch-spmd_fqdn__query.c) = d44af49981bfc503fe097a40a0448215ff2367d8
-SHA1 (patch-spmd_main.c) = 7ee34b1a5b18d938806f490abe2d8cdf25caa426
-SHA1 (patch-spmd_shell.c) = 37a52cb9062fd44e0d358c7ae1605481a3604f71
-SHA1 (patch-spmd_spmd__pfkey.c) = 2bf3e70f41a779989d63d7099b2e7031a7441a27
-SHA1 (patch-spmd_spmdctl.c) = 26cd17a8b9932bbc5af8aa5d476eb0a5fad8e323
+SHA1 (racoon2-b2a193fc9875d1fb89c0a51690745379bc135fcf.tar.gz) = 5f36bf656682f794d933584485296c2556500536
+RMD160 (racoon2-b2a193fc9875d1fb89c0a51690745379bc135fcf.tar.gz) = ad6c26b5a2f818bc38989bf687f4a623b995c0df
+SHA512 (racoon2-b2a193fc9875d1fb89c0a51690745379bc135fcf.tar.gz) = b3dcbe43f7f2454f0befd4434a9335df6063e4468924d8c6ab22c960dc45802c7733f0e8720b2674666fbe953309668221352ee25c6bb1ffaafc7eab4666ce49
+Size (racoon2-b2a193fc9875d1fb89c0a51690745379bc135fcf.tar.gz) = 1144364 bytes
diff --git a/security/racoon2/patches/patch-aa b/security/racoon2/patches/patch-aa
deleted file mode 100644
index b3cff2be348..00000000000
--- a/security/racoon2/patches/patch-aa
+++ /dev/null
@@ -1,16 +0,0 @@
-$NetBSD: patch-aa,v 1.1.1.1 2012/01/11 20:08:39 drochner Exp $
-
-Don't mess up user's configuration files.
-
---- samples/Makefile.in.orig 2007-12-27 10:08:52.000000000 +0900
-+++ samples/Makefile.in 2007-12-27 10:08:52.000000000 +0900
-@@ -11,8 +11,7 @@
- # empty
- all:
-
--install: all install-startup-@startup_scripts@ install-samples install-hook
-- $(INSTALL) -d -o 0 -g 0 -m 700 /var/run/racoon2
-+install: all install-startup-@startup_scripts@
-
- install-samples:
- $(INSTALL) -d $(sysconfdir)
diff --git a/security/racoon2/patches/patch-ab b/security/racoon2/patches/patch-ab
deleted file mode 100644
index f52304519e7..00000000000
--- a/security/racoon2/patches/patch-ab
+++ /dev/null
@@ -1,22 +0,0 @@
-$NetBSD: patch-ab,v 1.1.1.1 2012/01/11 20:08:39 drochner Exp $
-
-This should be done when installing the package (Makefile when
-"make install" or PLIST when "pkg_add").
-
---- pskgen/Makefile.in.orig 2007-12-12 07:12:22.000000000 +0000
-+++ pskgen/Makefile.in
-@@ -17,11 +17,9 @@ PROG=pskgen
- all:
-
- install: all
-- $(INSTALL) -d $(sbindir)
-- $(INSTALL_SCRIPT) $(PROG) $(sbindir)
-- $(INSTALL_DATA) $(PROG).8 $(mandir)/man8
-- $(INSTALL) -d $(prefix)/etc/racoon2
-- sh ./autogen.spmd.pwd
-+ $(INSTALL) -d $(DESTDIR)$(sbindir)
-+ $(INSTALL_SCRIPT) $(PROG) $(DESTDIR)$(sbindir)
-+ $(INSTALL_DATA) $(PROG).8 $(DESTDIR)$(mandir)/man8
-
- depend:
-
diff --git a/security/racoon2/patches/patch-ac b/security/racoon2/patches/patch-ac
deleted file mode 100644
index 9fb253ac671..00000000000
--- a/security/racoon2/patches/patch-ac
+++ /dev/null
@@ -1,21 +0,0 @@
-$NetBSD: patch-ac,v 1.1.1.1 2012/01/11 20:08:39 drochner Exp $
-
---- spmd/Makefile.in.orig 2006-06-23 10:21:59.000000000 +0000
-+++ spmd/Makefile.in
-@@ -38,11 +38,11 @@ spmdctl: spmdctl.o ../lib/libracoon.a
- spmdctl.o: spmd_internal.h
-
- install: all
-- $(INSTALL_DIR) $(sbindir)
-- $(INSTALL_PROGRAM) $(DAEMON) $(sbindir)
-- $(INSTALL_PROGRAM) $(COMMAND) $(sbindir)
-- $(INSTALL_DIR) $(man8dir)
-- $(INSTALL_DATA) $(MANFILES) $(man8dir)
-+ $(INSTALL_DIR) $(DESTDIR)$(sbindir)
-+ $(INSTALL_PROGRAM) $(DAEMON) $(DESTDIR)$(sbindir)
-+ $(INSTALL_PROGRAM) $(COMMAND) $(DESTDIR)$(sbindir)
-+ $(INSTALL_DIR) $(DESTDIR)$(man8dir)
-+ $(INSTALL_DATA) $(MANFILES) $(DESTDIR)$(man8dir)
-
- clean:
- -rm -f $(TARGET) *.o $(COMMAND)
diff --git a/security/racoon2/patches/patch-ad b/security/racoon2/patches/patch-ad
deleted file mode 100644
index 802f575d2ce..00000000000
--- a/security/racoon2/patches/patch-ad
+++ /dev/null
@@ -1,25 +0,0 @@
-$NetBSD: patch-ad,v 1.1.1.1 2012/01/11 20:08:39 drochner Exp $
-
---- iked/Makefile.in.orig 2009-03-27 07:24:26.000000000 +0000
-+++ iked/Makefile.in
-@@ -66,16 +66,16 @@ all: $(PROG) $(TESTPROG)
- install: install-prog install-doc
-
- install-prog: $(PROG)
-- $(INSTALL) -d $(sbindir)
-- $(INSTALL_PROGRAM) $(PROG) $(sbindir)
-+ $(INSTALL) -d $(DESTDIR)$(sbindir)
-+ $(INSTALL_PROGRAM) $(PROG) $(DESTDIR)$(sbindir)
-
- install-doc:
-- $(INSTALL) -d $(mandir)/man8
-+ $(INSTALL) -d $(DESTDIR)$(mandir)/man8
- # not friendly with -n :-(
- sysconfdir="$$(echo '$(sysconfdir)' | sed 's/%/\\\%/g')"; \
- for f in $(MAN); do \
- sed -e s%\@sysconfdir\@%"$$sysconfdir"%g < $$f > $${f}.tmp; \
-- $(INSTALL_DATA) $${f}.tmp $(mandir)/man$${f##*.}/$$f; \
-+ $(INSTALL_DATA) $${f}.tmp $(DESTDIR)$(mandir)/man$${f##*.}/$$f; \
- rm $${f}.tmp; \
- done
-
diff --git a/security/racoon2/patches/patch-ae b/security/racoon2/patches/patch-ae
deleted file mode 100644
index 4b9568d79c4..00000000000
--- a/security/racoon2/patches/patch-ae
+++ /dev/null
@@ -1,23 +0,0 @@
-$NetBSD: patch-ae,v 1.1.1.1 2012/01/11 20:08:39 drochner Exp $
-
---- kinkd/Makefile.in.orig 2010-05-07 18:42:30.000000000 +0000
-+++ kinkd/Makefile.in
-@@ -49,14 +49,14 @@ $(PROG): ../lib/libracoon.a
- ../lib/libracoon.a: # check its timestamp only when there is.
-
- install: all
-- $(INSTALL) -d $(sbindir)
-- $(INSTALL_PROGRAM) $(PROG) $(sbindir)
-- $(INSTALL) -d $(mandir)/man8
-+ $(INSTALL) -d $(DESTDIR)$(sbindir)
-+ $(INSTALL_PROGRAM) $(PROG) $(DESTDIR)$(sbindir)
-+ $(INSTALL) -d $(DESTDIR)$(mandir)/man8
- # not friendly with -n :-(
- sysconfdir="$$(echo '$(sysconfdir)' | sed 's/%/\\\%/g')"; \
- for f in $(MAN); do \
- sed -e s%\@sysconfdir\@%"$$sysconfdir"%g < $$f > $${f}.tmp; \
-- $(INSTALL_DATA) $${f}.tmp $(mandir)/man$${f##*.}/$$f; \
-+ $(INSTALL_DATA) $${f}.tmp $(DESTDIR)$(mandir)/man$${f##*.}/$$f; \
- rm $${f}.tmp; \
- done
-
diff --git a/security/racoon2/patches/patch-iked_crypto__impl.h b/security/racoon2/patches/patch-iked_crypto__impl.h
deleted file mode 100644
index 906828c5da7..00000000000
--- a/security/racoon2/patches/patch-iked_crypto__impl.h
+++ /dev/null
@@ -1,15 +0,0 @@
-$NetBSD: patch-iked_crypto__impl.h,v 1.1 2018/05/29 01:22:50 christos Exp $
-
-Make unmodified argument const
-
---- iked/crypto_impl.h 2010-02-01 05:30:51.000000000 -0500
-+++ iked/crypto_impl.h 2018-05-28 16:44:16.016528535 -0400
-@@ -246,7 +246,7 @@
- extern int eay_revbnl (rc_vchar_t *);
- #include <openssl/bn.h>
- extern int eay_v2bn (BIGNUM **, rc_vchar_t *);
--extern int eay_bn2v (rc_vchar_t **, BIGNUM *);
-+extern int eay_bn2v (rc_vchar_t **, const BIGNUM *);
-
- extern const char *eay_version (void);
-
diff --git a/security/racoon2/patches/patch-iked_crypto__openssl.c b/security/racoon2/patches/patch-iked_crypto__openssl.c
deleted file mode 100644
index 13fa5acad37..00000000000
--- a/security/racoon2/patches/patch-iked_crypto__openssl.c
+++ /dev/null
@@ -1,714 +0,0 @@
-$NetBSD: patch-iked_crypto__openssl.c,v 1.1 2018/05/29 01:22:50 christos Exp $
-
-Adjust for openssl-1.1
-
---- iked/crypto_openssl.c 2010-02-01 05:30:51.000000000 -0500
-+++ iked/crypto_openssl.c 2018-05-28 17:08:27.806906241 -0400
-@@ -324,16 +324,17 @@
- {
- char buf[256];
- int log_tag;
-+ int ctx_error, ctx_error_depth;
-
- if (!ok) {
-- X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),
-- buf, 256);
-+ X509_NAME_oneline(X509_get_subject_name(
-+ X509_STORE_CTX_get0_cert(ctx)), buf, 256);
- /*
- * since we are just checking the certificates, it is
- * ok if they are self signed. But we should still warn
- * the user.
- */
-- switch (ctx->error) {
-+ switch (ctx_error = X509_STORE_CTX_get_error(ctx)) {
- case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
- #if OPENSSL_VERSION_NUMBER >= 0x00905100L
- case X509_V_ERR_INVALID_CA:
-@@ -347,16 +348,17 @@
- default:
- log_tag = PLOG_PROTOERR;
- }
-+ ctx_error_depth = X509_STORE_CTX_get_error_depth(ctx);
- #ifndef EAYDEBUG
- plog(log_tag, PLOGLOC, NULL,
- "%s(%d) at depth:%d SubjectName:%s\n",
-- X509_verify_cert_error_string(ctx->error),
-- ctx->error, ctx->error_depth, buf);
-+ X509_verify_cert_error_string(ctx_error),
-+ ctx_error, ctx_error_depth, buf);
- #else
- printf("%d: %s(%d) at depth:%d SubjectName:%s\n",
- log_tag,
-- X509_verify_cert_error_string(ctx->error),
-- ctx->error, ctx->error_depth, buf);
-+ X509_verify_cert_error_string(ctx_error),
-+ ctx_error, ctx_error_depth, buf);
- #endif
- }
- ERR_clear_error();
-@@ -991,6 +993,7 @@
- BPP_const unsigned char *bp;
- rc_vchar_t *sig = NULL;
- int len;
-+ RSA *rsa;
- int pad = RSA_PKCS1_PADDING;
-
- bp = (unsigned char *)privkey->v;
-@@ -1002,14 +1005,15 @@
- /* XXX: to be handled EVP_dss() */
- /* XXX: Where can I get such parameters ? From my cert ? */
-
-- len = RSA_size(evp->pkey.rsa);
-+ rsa = EVP_PKEY_get0_RSA(evp);
-+ len = RSA_size(rsa);
-
- sig = rc_vmalloc(len);
- if (sig == NULL)
- return NULL;
-
- len = RSA_private_encrypt(src->l, (unsigned char *)src->v,
-- (unsigned char *)sig->v, evp->pkey.rsa, pad);
-+ (unsigned char *)sig->v, rsa, pad);
- EVP_PKEY_free(evp);
- if (len == 0 || (size_t)len != sig->l) {
- rc_vfree(sig);
-@@ -1028,6 +1032,7 @@
- BPP_const unsigned char *bp;
- rc_vchar_t *xbuf = NULL;
- int pad = RSA_PKCS1_PADDING;
-+ RSA *rsa;
- int len = 0;
- int error;
-
-@@ -1040,7 +1045,8 @@
- return -1;
- }
-
-- len = RSA_size(evp->pkey.rsa);
-+ rsa = EVP_PKEY_get0_RSA(evp);
-+ len = RSA_size(rsa);
-
- xbuf = rc_vmalloc(len);
- if (xbuf == NULL) {
-@@ -1053,7 +1059,7 @@
- }
-
- len = RSA_public_decrypt(sig->l, (unsigned char *)sig->v,
-- (unsigned char *)xbuf->v, evp->pkey.rsa, pad);
-+ (unsigned char *)xbuf->v, rsa, pad);
- #ifndef EAYDEBUG
- if (len == 0 || (size_t)len != src->l)
- plog(PLOG_PROTOERR, PLOGLOC, NULL, "%s\n", eay_strerror());
-@@ -1089,7 +1095,8 @@
- rc_vchar_t *sig = 0;
- unsigned int siglen;
- const EVP_MD *md;
-- EVP_MD_CTX ctx;
-+ EVP_MD_CTX *ctx = NULL;
-+ RSA *rsa;
-
- bp = (unsigned char *)privkey->v;
- /* convert private key from vmbuf to internal data */
-@@ -1100,7 +1107,8 @@
- goto fail;
- }
-
-- len = RSA_size(pkey->pkey.rsa);
-+ rsa = EVP_PKEY_get0_RSA(pkey);
-+ len = RSA_size(rsa);
- sig = rc_vmalloc(len);
- if (sig == NULL) {
- plog(PLOG_INTERR, PLOGLOC, NULL, "failed allocating memory\n");
-@@ -1114,27 +1122,33 @@
- "failed to find digest algorithm %s\n", hash_type);
- goto fail;
- }
-- EVP_MD_CTX_init(&ctx);
-- EVP_SignInit(&ctx, md);
-- EVP_SignUpdate(&ctx, octets->v, octets->l);
-- if (EVP_SignFinal(&ctx, (unsigned char *)sig->v, &siglen, pkey) <= 0) {
-+ ctx = EVP_MD_CTX_new();
-+ if (!ctx) {
-+ plog(PLOG_INTERR, PLOGLOC, NULL,
-+ "failed to allocate context\n");
-+ goto fail;
-+ }
-+ EVP_SignInit(ctx, md);
-+ EVP_SignUpdate(ctx, octets->v, octets->l);
-+ if (EVP_SignFinal(ctx, (unsigned char *)sig->v, &siglen, pkey) <= 0) {
- plog(PLOG_INTERR, PLOGLOC, NULL,
- "RSA_sign failed: %s\n", eay_strerror());
-- EVP_MD_CTX_cleanup(&ctx);
- goto fail;
- }
-- EVP_MD_CTX_cleanup(&ctx);
- if (sig->l != siglen) {
- plog(PLOG_INTERR, PLOGLOC, NULL,
- "unexpected signature length %d\n", siglen);
- goto fail;
- }
-+ EVP_MD_CTX_free(ctx);
- EVP_PKEY_free(pkey);
- return sig;
-
- fail:
- if (sig)
- rc_vfree(sig);
-+ if (ctx)
-+ EVP_MD_CTX_free(ctx);
- if (pkey)
- EVP_PKEY_free(pkey);
- return 0;
-@@ -1154,7 +1168,7 @@
- EVP_PKEY *pkey;
- BPP_const unsigned char *bp;
- const EVP_MD *md;
-- EVP_MD_CTX ctx;
-+ EVP_MD_CTX *ctx = NULL;
-
- bp = (unsigned char *)pubkey->v;
- pkey = d2i_PUBKEY(NULL, &bp, pubkey->l);
-@@ -1163,7 +1177,7 @@
- "failed obtaining public key: %s\n", eay_strerror());
- goto fail;
- }
-- if (pkey->type != EVP_PKEY_RSA) {
-+ if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA) {
- plog(PLOG_PROTOERR, PLOGLOC, NULL,
- "public key is not for RSA\n");
- goto fail;
-@@ -1175,23 +1189,29 @@
- "failed to find the algorithm engine for %s\n", hash_type);
- goto fail;
- }
-- EVP_MD_CTX_init(&ctx);
-- EVP_VerifyInit(&ctx, md);
-- EVP_VerifyUpdate(&ctx, octets->v, octets->l);
-- if (EVP_VerifyFinal(&ctx, (unsigned char *)sig->v, sig->l, pkey) <= 0) {
-+ ctx = EVP_MD_CTX_new();
-+ if (!ctx) {
-+ plog(PLOG_INTERR, PLOGLOC, NULL,
-+ "failed to allocate context\n");
-+ goto fail;
-+ }
-+ EVP_VerifyInit(ctx, md);
-+ EVP_VerifyUpdate(ctx, octets->v, octets->l);
-+ if (EVP_VerifyFinal(ctx, (unsigned char *)sig->v, sig->l, pkey) <= 0) {
- plog(PLOG_PROTOERR, PLOGLOC, NULL,
- "RSA_verify failed: %s\n", eay_strerror());
-- EVP_MD_CTX_cleanup(&ctx);
- goto fail;
- }
-- EVP_MD_CTX_cleanup(&ctx);
-
-+ EVP_MD_CTX_free(ctx);
- EVP_PKEY_free(pkey);
- return 0;
-
- fail:
- if (pkey)
- EVP_PKEY_free(pkey);
-+ if (ctx)
-+ EVP_MD_CTX_free(ctx);
- return -1;
- }
-
-@@ -1204,7 +1224,8 @@
- EVP_PKEY *pkey;
- BPP_const unsigned char *bp;
- const EVP_MD *md;
-- EVP_MD_CTX ctx;
-+ EVP_MD_CTX *ctx = NULL;
-+ DSA *dsa;
- int len;
- rc_vchar_t *sig = 0;
- unsigned int siglen;
-@@ -1217,24 +1238,33 @@
- goto fail;
- }
-
-- len = DSA_size(pkey->pkey.dsa);
-+ dsa = EVP_PKEY_get0_DSA(pkey);
-+ len = DSA_size(dsa);
- sig = rc_vmalloc(len);
- if (sig == NULL) {
- plog(PLOG_INTERR, PLOGLOC, NULL, "failed allocating memory\n");
- goto fail;
- }
-
-+#if 0
- md = EVP_dss1();
-- EVP_MD_CTX_init(&ctx);
-- EVP_SignInit(&ctx, md);
-- EVP_SignUpdate(&ctx, octets->v, octets->l);
-- if (EVP_SignFinal(&ctx, (unsigned char *)sig->v, &siglen, pkey) <= 0) {
-+#else
-+ md = NULL;
-+ goto fail;
-+#endif
-+ ctx = EVP_MD_CTX_new();
-+ if (!ctx) {
-+ plog(PLOG_INTERR, PLOGLOC, NULL,
-+ "failed to allocate context\n");
-+ goto fail;
-+ }
-+ EVP_SignInit(ctx, md);
-+ EVP_SignUpdate(ctx, octets->v, octets->l);
-+ if (EVP_SignFinal(ctx, (unsigned char *)sig->v, &siglen, pkey) <= 0) {
- plog(PLOG_INTERR, PLOGLOC, NULL,
- "DSS sign failed: %s\n", eay_strerror());
-- EVP_MD_CTX_cleanup(&ctx);
- goto fail;
- }
-- EVP_MD_CTX_cleanup(&ctx);
-
- if (siglen > sig->l) {
- plog(PLOG_INTERR, PLOGLOC, NULL,
-@@ -1245,6 +1275,7 @@
- if (siglen < sig->l)
- sig = rc_vrealloc(sig, siglen);
- EVP_PKEY_free(pkey);
-+ EVP_MD_CTX_free(ctx);
- return sig;
-
- fail:
-@@ -1252,6 +1283,8 @@
- rc_vfree(sig);
- if (pkey)
- EVP_PKEY_free(pkey);
-+ if (ctx)
-+ EVP_MD_CTX_free(ctx);
- return 0;
- }
-
-@@ -1265,7 +1298,7 @@
- EVP_PKEY *pkey;
- BPP_const unsigned char *bp;
- const EVP_MD *md;
-- EVP_MD_CTX ctx;
-+ EVP_MD_CTX *ctx = NULL;
-
- bp = (unsigned char *)pubkey->v;
- pkey = d2i_PUBKEY(NULL, &bp, pubkey->l);
-@@ -1274,30 +1307,40 @@
- "failed obtaining public key: %s\n", eay_strerror());
- goto fail;
- }
-- if (pkey->type != EVP_PKEY_DSA) {
-+ if (EVP_PKEY_id(pkey) != EVP_PKEY_DSA) {
- plog(PLOG_PROTOERR, PLOGLOC, NULL,
- "public key is not for DSS\n");
- goto fail;
- }
-
-+#if 0
- md = EVP_dss1();
-- EVP_MD_CTX_init(&ctx);
-- EVP_VerifyInit(&ctx, md);
-- EVP_VerifyUpdate(&ctx, octets->v, octets->l);
-- if (EVP_VerifyFinal(&ctx, (unsigned char *)sig->v, sig->l, pkey) <= 0) {
-+#else
-+ md = NULL;
-+ goto fail;
-+#endif
-+ ctx = EVP_MD_CTX_new();
-+ if (!ctx) {
-+ plog(PLOG_INTERR, PLOGLOC, NULL,
-+ "failed to allocate context\n");
-+ goto fail;
-+ }
-+ EVP_VerifyInit(ctx, md);
-+ EVP_VerifyUpdate(ctx, octets->v, octets->l);
-+ if (EVP_VerifyFinal(ctx, (unsigned char *)sig->v, sig->l, pkey) <= 0) {
- plog(PLOG_PROTOERR, PLOGLOC, NULL,
- "DSS verify failed: %s\n", eay_strerror());
-- EVP_MD_CTX_cleanup(&ctx);
- goto fail;
- }
-- EVP_MD_CTX_cleanup(&ctx);
--
-+ EVP_MD_CTX_free(ctx);
- EVP_PKEY_free(pkey);
- return 0;
-
- fail:
- if (pkey)
- EVP_PKEY_free(pkey);
-+ if (ctx)
-+ EVP_MD_CTX_free(ctx);
- return -1;
- }
-
-@@ -1345,7 +1388,7 @@
- evp_encrypt(const EVP_CIPHER *ciph, rc_vchar_t *data, rc_vchar_t *key, rc_vchar_t *iv)
- {
- rc_vchar_t *res;
-- EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX *ctx = NULL;
- int outl;
-
- if (!iv || iv->l < (size_t)EVP_CIPHER_block_size(ciph))
-@@ -1355,12 +1398,17 @@
- if ((res = rc_vmalloc(data->l)) == NULL)
- return NULL;
-
-- EVP_CIPHER_CTX_init(&ctx);
-- if (!EVP_EncryptInit(&ctx, ciph, (unsigned char *)key->v, (unsigned char *)iv->v))
-+ ctx = EVP_CIPHER_CTX_new();
-+ if (!ctx) {
-+ plog(PLOG_INTERR, PLOGLOC, NULL,
-+ "failed to allocate context\n");
-+ goto fail;
-+ }
-+ if (!EVP_EncryptInit(ctx, ciph, (unsigned char *)key->v, (unsigned char *)iv->v))
- goto fail;
-- if (!EVP_CIPHER_CTX_set_padding(&ctx, 0))
-+ if (!EVP_CIPHER_CTX_set_padding(ctx, 0))
- goto fail;
-- if (!EVP_EncryptUpdate(&ctx, (unsigned char *)res->v, &outl, (unsigned char *)data->v,
-+ if (!EVP_EncryptUpdate(ctx, (unsigned char *)res->v, &outl, (unsigned char *)data->v,
- data->l))
- goto fail;
- if ((size_t)outl != data->l) {
-@@ -1369,16 +1417,17 @@
- outl, (unsigned long)data->l);
- goto fail;
- }
-- if (!EVP_EncryptFinal(&ctx, NULL, &outl))
-+ if (!EVP_EncryptFinal(ctx, NULL, &outl))
- goto fail;
-
-- EVP_CIPHER_CTX_cleanup(&ctx);
-+ EVP_CIPHER_CTX_free(ctx);
- return res;
-
- fail:
- if (res)
- rc_vfree(res);
-- EVP_CIPHER_CTX_cleanup(&ctx);
-+ if (ctx)
-+ EVP_CIPHER_CTX_free(ctx);
- return NULL;
- }
-
-@@ -1386,7 +1435,7 @@
- evp_decrypt(const EVP_CIPHER *ciph, rc_vchar_t *data, rc_vchar_t *key, rc_vchar_t *iv)
- {
- rc_vchar_t *res;
-- EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX *ctx = NULL;
- int outl;
-
- if (!iv || iv->l < (size_t)EVP_CIPHER_block_size(ciph))
-@@ -1396,12 +1445,17 @@
- if ((res = rc_vmalloc(data->l)) == NULL)
- return NULL;
-
-- EVP_CIPHER_CTX_init(&ctx);
-- if (!EVP_DecryptInit(&ctx, ciph, (unsigned char *)key->v, (unsigned char *)iv->v))
-+ ctx = EVP_CIPHER_CTX_new();
-+ if (!ctx) {
-+ plog(PLOG_INTERR, PLOGLOC, NULL,
-+ "failed to allocate context\n");
-+ goto fail;
-+ }
-+ if (!EVP_DecryptInit(ctx, ciph, (unsigned char *)key->v, (unsigned char *)iv->v))
- goto fail;
-- if (!EVP_CIPHER_CTX_set_padding(&ctx, 0))
-+ if (!EVP_CIPHER_CTX_set_padding(ctx, 0))
- goto fail;
-- if (!EVP_DecryptUpdate(&ctx, (unsigned char *)res->v, &outl, (unsigned char *)data->v,
-+ if (!EVP_DecryptUpdate(ctx, (unsigned char *)res->v, &outl, (unsigned char *)data->v,
- data->l))
- goto fail;
- if ((size_t)outl != data->l) {
-@@ -1410,15 +1464,16 @@
- outl, (unsigned long)data->l);
- goto fail;
- }
-- if (!EVP_DecryptFinal(&ctx, NULL, &outl))
-+ if (!EVP_DecryptFinal(ctx, NULL, &outl))
- goto fail;
-- EVP_CIPHER_CTX_cleanup(&ctx);
-+ EVP_CIPHER_CTX_free(ctx);
- return res;
-
- fail:
- if (res)
- rc_vfree(res);
-- EVP_CIPHER_CTX_cleanup(&ctx);
-+ if (ctx)
-+ EVP_CIPHER_CTX_cleanup(ctx);
- return NULL;
- }
-
-@@ -1963,45 +2018,55 @@
- * are used as the nonce value in the counter block.
- */
-
-- uint8_t *nonce;
-- union {
-- uint8_t bytes[AES_BLOCK_SIZE];
-- struct aes_ctrblk {
-- uint32_t nonce;
-- uint8_t iv[AES_CTR_IV_SIZE];
-- uint32_t block_counter;
-- } fields;
-- } ctrblk;
-- uint8_t ecount_buf[AES_BLOCK_SIZE];
-- AES_KEY k;
-- unsigned int num;
-- rc_vchar_t *resultbuf;
-+ int len;
-+ rc_vchar_t *resultbuf = NULL;
-+ EVP_CIPHER_CTX *ctx = NULL;
-
- /*
- * if (data->l > AES_BLOCK_SIZE * UINT32_MAX) return 0;
- */
-
-- if (iv->l != AES_CTR_IV_SIZE)
-- return 0;
-- nonce = (unsigned char *)key->v + key->l - AES_CTR_NONCE_SIZE;
-- if (AES_set_encrypt_key((unsigned char *)key->v,
-- (key->l - AES_CTR_NONCE_SIZE) << 3, &k) < 0)
-+ if (iv->l != AES_CTR_IV_SIZE) {
-+ plog(PLOG_INTERR, PLOGLOC, 0, "bad iv size");
- return 0;
-+ }
-+
-+ ctx = EVP_CIPHER_CTX_new();
-+ if (ctx == NULL) {
-+ plog(PLOG_INTERR, PLOGLOC, 0, "EVP_CIPHER_CTX_new failed");
-+ goto fail;
-+ }
-+
-+ if (!EVP_EncryptInit_ex(ctx, EVP_aes_128_ctr(), NULL, (unsigned char *)key->v, (unsigned char *)iv->v)) {
-+ plog(PLOG_INTERR, PLOGLOC, 0, "EVP_EncryptInit_ex failed");
-+ goto fail;
-+ }
-
- resultbuf = rc_vmalloc(data->l);
-- if (!resultbuf)
-- return 0;
-+ if (!resultbuf) {
-+ plog(PLOG_INTERR, PLOGLOC, 0, "allocate resultbuf failed");
-+ goto fail;
-+ }
-
-- memcpy(&ctrblk.fields.nonce, nonce, AES_CTR_NONCE_SIZE);
-- memcpy(&ctrblk.fields.iv[0], iv->v, AES_CTR_IV_SIZE);
-- ctrblk.fields.block_counter = htonl(1);
--
-- num = 0;
-- AES_ctr128_encrypt((unsigned char *)data->v,
-- (unsigned char *)resultbuf->v, data->l, &k,
-- &ctrblk.bytes[0], ecount_buf, &num);
-+ if (!EVP_EncryptUpdate(ctx, (unsigned char *)resultbuf->v, &len, (unsigned char *)data->v, data->l)) {
-+ plog(PLOG_INTERR, PLOGLOC, 0, "EVP_EncryptUpdate failed");
-+ goto fail;
-+ }
-
-+ if (!EVP_EncryptFinal_ex(ctx, (unsigned char *)resultbuf->v + len, &len)) {
-+ plog(PLOG_INTERR, PLOGLOC, 0, "EVP_EncryptFinal_ex failed");
-+ goto fail;
-+ }
-+
-+ EVP_CIPHER_CTX_free(ctx);
- return resultbuf;
-+
-+fail:
-+ EVP_CIPHER_CTX_free(ctx);
-+ if (resultbuf)
-+ rc_free(resultbuf);
-+
-+ return NULL;
- }
-
- /* for ipsec part */
-@@ -2038,14 +2103,9 @@
- static caddr_t
- eay_hmac_init(rc_vchar_t *key, const EVP_MD *md)
- {
-- HMAC_CTX *c = racoon_malloc(sizeof(*c));
-+ HMAC_CTX *c = HMAC_CTX_new();
-
--#if OPENSSL_VERSION_NUMBER < 0x0090700fL
-- HMAC_Init(c, key->v, key->l, md);
--#else
-- HMAC_CTX_init(c);
- HMAC_Init_ex(c, key->v, key->l, md, NULL);
--#endif
-
- return (caddr_t)c;
- }
-@@ -2053,12 +2113,7 @@
- void
- eay_hmac_dispose(HMAC_CTX *c)
- {
--#if OPENSSL_VERSION_NUMBER < 0x0090700fL
-- HMAC_cleanup(c);
--#else
-- HMAC_CTX_cleanup(c);
--#endif
-- (void)racoon_free(c);
-+ HMAC_CTX_free(c);
- }
-
- #ifdef WITH_SHA2
-@@ -2972,15 +3027,16 @@
- eay_random_uint32(void)
- {
- uint32_t value;
-- (void)RAND_pseudo_bytes((uint8_t *)&value, sizeof(value));
-+ (void)RAND_bytes((uint8_t *)&value, sizeof(value));
- return value;
- }
-
- /* DH */
- int
--eay_dh_generate(rc_vchar_t *prime, uint32_t g, unsigned int publen, rc_vchar_t **pub, rc_vchar_t **priv)
-+eay_dh_generate(rc_vchar_t *prime, uint32_t gg, unsigned int publen, rc_vchar_t **pub, rc_vchar_t **priv)
- {
-- BIGNUM *p = NULL;
-+ BIGNUM *p = NULL, *g = NULL;
-+ const BIGNUM *pub_key, *priv_key;
- DH *dh = NULL;
- int error = -1;
-
-@@ -2991,25 +3047,27 @@
-
- if ((dh = DH_new()) == NULL)
- goto end;
-- dh->p = p;
-- p = NULL; /* p is now part of dh structure */
-- dh->g = NULL;
-- if ((dh->g = BN_new()) == NULL)
-+ if ((g = BN_new()) == NULL)
- goto end;
-- if (!BN_set_word(dh->g, g))
-+ if (!BN_set_word(g, gg))
- goto end;
-
-+ if (!DH_set0_pqg(dh, p, NULL, g))
-+ goto end;
-+ g = p = NULL;
-+
- if (publen != 0)
-- dh->length = publen;
-+ DH_set_length(dh, publen);
-
- /* generate public and private number */
- if (!DH_generate_key(dh))
- goto end;
-
-+ DH_get0_key(dh, &pub_key, &priv_key);
- /* copy results to buffers */
-- if (eay_bn2v(pub, dh->pub_key) < 0)
-+ if (eay_bn2v(pub, pub_key) < 0)
- goto end;
-- if (eay_bn2v(priv, dh->priv_key) < 0) {
-+ if (eay_bn2v(priv, priv_key) < 0) {
- rc_vfree(*pub);
- goto end;
- }
-@@ -3019,44 +3077,57 @@
- end:
- if (dh != NULL)
- DH_free(dh);
-- if (p != 0)
-+ if (p != NULL)
- BN_free(p);
-+ if (g != NULL)
-+ BN_free(g);
- return (error);
- }
-
- int
--eay_dh_compute (rc_vchar_t *prime, uint32_t g, rc_vchar_t *pub,
-+eay_dh_compute (rc_vchar_t *prime, uint32_t gg, rc_vchar_t *pub,
- rc_vchar_t *priv, rc_vchar_t *pub2, rc_vchar_t **key)
- {
-- BIGNUM *dh_pub = NULL;
-+ BIGNUM *dh_pub = NULL, *p = NULL, *g = NULL,
-+ *pub_key = NULL, *priv_key = NULL;
- DH *dh = NULL;
- int l;
- unsigned char *v = NULL;
- int error = -1;
-
-- /* make public number to compute */
-- if (eay_v2bn(&dh_pub, pub2) < 0)
-- goto end;
--
- /* make DH structure */
- if ((dh = DH_new()) == NULL)
- goto end;
-- if (eay_v2bn(&dh->p, prime) < 0)
-+
-+ if (eay_v2bn(&p, prime) < 0)
-+ goto end;
-+ if ((g = BN_new()) == NULL)
- goto end;
-- if (eay_v2bn(&dh->pub_key, pub) < 0)
-+ if (!BN_set_word(g, gg))
- goto end;
-- if (eay_v2bn(&dh->priv_key, priv) < 0)
-+ if (!DH_set0_pqg(dh, p, NULL, g))
- goto end;
-- dh->length = pub2->l * 8;
-+ p = NULL;
-+ g = NULL;
-
-- dh->g = NULL;
-- if ((dh->g = BN_new()) == NULL)
-+ if (eay_v2bn(&pub_key, pub) < 0)
- goto end;
-- if (!BN_set_word(dh->g, g))
-+ if (eay_v2bn(&priv_key, priv) < 0)
- goto end;
-+ if (!DH_set0_key(dh, pub_key, priv_key))
-+ goto end;
-+ pub_key = NULL;
-+ priv_key = NULL;
-+
-+ DH_set_length(dh, pub2->l * 8);
-
- if ((v = racoon_calloc(prime->l, sizeof(unsigned char))) == NULL)
- goto end;
-+
-+ /* make public number to compute */
-+ if (eay_v2bn(&dh_pub, pub2) < 0)
-+ goto end;
-+
- if ((l = DH_compute_key(v, dh_pub, dh)) == -1)
- goto end;
- memcpy((*key)->v + (prime->l - l), v, l);
-@@ -3066,6 +3137,14 @@
- end:
- if (dh_pub != NULL)
- BN_free(dh_pub);
-+ if (pub_key != NULL)
-+ BN_free(pub_key);
-+ if (priv_key != NULL)
-+ BN_free(priv_key);
-+ if (p != NULL)
-+ BN_free(p);
-+ if (g != NULL)
-+ BN_free(g);
- if (dh != NULL)
- DH_free(dh);
- if (v != NULL)
-@@ -3083,9 +3162,9 @@
- }
-
- int
--eay_bn2v(rc_vchar_t **var, BIGNUM *bn)
-+eay_bn2v(rc_vchar_t **var, const BIGNUM *bn)
- {
-- *var = rc_vmalloc(bn->top * BN_BYTES);
-+ *var = rc_vmalloc(BN_num_bytes(bn));
- if (*var == NULL)
- return (-1);
-
diff --git a/security/racoon2/patches/patch-iked_ike__conf.c b/security/racoon2/patches/patch-iked_ike__conf.c
deleted file mode 100644
index 9930dcf1156..00000000000
--- a/security/racoon2/patches/patch-iked_ike__conf.c
+++ /dev/null
@@ -1,36 +0,0 @@
-$NetBSD: patch-iked_ike__conf.c,v 1.1 2018/05/29 01:22:50 christos Exp $
-
-Comment out impossible case (switch is enum)
-
---- iked/ike_conf.c.orig 2009-07-28 01:32:40.000000000 -0400
-+++ iked/ike_conf.c 2018-05-28 19:48:04.934126933 -0400
-@@ -4025,12 +4025,14 @@
- SA_CONF(comp_alg, sa, comp_alg, 0);
-
- switch (sa_protocol) {
-+#if 0
- case 0:
- ++*err;
- plog(PLOG_INTERR, PLOGLOC, 0,
- "sa %s does not have sa_protocol field\n",
- sa_index);
- break;
-+#endif
- case RCT_SATYPE_ESP:
- if (!enc_alg) {
- ++*err;
-@@ -4226,12 +4228,14 @@
- if (!action)
- POLICY_DEFAULT(action, action, 0);
- switch (action) {
-+#if 0
- case 0:
- ++error;
- plog(PLOG_INTERR, PLOGLOC, 0,
- "policy %s lacks action field\n",
- rc_vmem2str(policy->pl_index));
- continue;
-+#endif
- case RCT_ACT_AUTO_IPSEC:
- break;
- default:
diff --git a/security/racoon2/patches/patch-iked_ikev1_ikev1.c b/security/racoon2/patches/patch-iked_ikev1_ikev1.c
deleted file mode 100644
index b4be22d2be5..00000000000
--- a/security/racoon2/patches/patch-iked_ikev1_ikev1.c
+++ /dev/null
@@ -1,24 +0,0 @@
-$NetBSD: patch-iked_ikev1_ikev1.c,v 1.1 2018/05/29 01:22:50 christos Exp $
-
-Remove unused
-
---- iked/ikev1/ikev1.c.orig 2008-07-07 05:36:08.000000000 -0400
-+++ iked/ikev1/ikev1.c 2018-05-28 19:50:20.088751812 -0400
-@@ -1457,8 +1457,6 @@
- #define IKEV1_DEFAULT_RETRY_CHECKPH1 30
-
- if (!iph1) {
-- struct sched *sc;
--
- if (isakmp_ph1begin_i(rm_info, iph2->dst, iph2->src) < 0) {
- plog(PLOG_INTERR, PLOGLOC, 0,
- "failed to initiate phase 1 negotiation for %s\n",
-@@ -1467,7 +1465,7 @@
- goto fail;
- }
- iph2->retry_checkph1 = IKEV1_DEFAULT_RETRY_CHECKPH1;
-- sc = sched_new(1, isakmp_chkph1there_stub, iph2);
-+ sched_new(1, isakmp_chkph1there_stub, iph2);
- plog(PLOG_INFO, PLOGLOC, 0,
- "IPsec-SA request for %s queued "
- "since no phase1 found\n",
diff --git a/security/racoon2/patches/patch-iked_ikev1_ipsec__doi.c b/security/racoon2/patches/patch-iked_ikev1_ipsec__doi.c
deleted file mode 100644
index 5a8c4aa493b..00000000000
--- a/security/racoon2/patches/patch-iked_ikev1_ipsec__doi.c
+++ /dev/null
@@ -1,48 +0,0 @@
-$NetBSD: patch-iked_ikev1_ipsec__doi.c,v 1.1 2018/05/29 01:22:50 christos Exp $
-
-Fix memset argument
-Fix unused
-
---- iked/ikev1/ipsec_doi.c.orig 2008-07-07 05:36:08.000000000 -0400
-+++ iked/ikev1/ipsec_doi.c 2018-05-28 21:19:12.197533568 -0400
-@@ -220,7 +220,9 @@
- rc_vchar_t *newsa;
- struct isakmpsa *sa, tsa;
- struct prop_pair *s, *p;
-+#if 0
- int prophlen;
-+#endif
- int i;
-
- if (iph1->approval) {
-@@ -232,8 +234,10 @@
- if (pair[i] == NULL)
- continue;
- for (s = pair[i]; s; s = s->next) {
-+#if 0
- prophlen = sizeof(struct isakmp_pl_p)
- + s->prop->spi_size;
-+#endif
- /* compare proposal and select one */
- for (p = s; p; p = p->tnext) {
- sa = get_ph1approvalx(p, iph1->proposal,
-@@ -254,8 +258,10 @@
- if (pair[i] == NULL)
- continue;
- for (s = pair[i]; s; s = s->next) {
-+#if 0
- prophlen = sizeof(struct isakmp_pl_p)
- + s->prop->spi_size;
-+#endif
- for (p = s; p; p = p->tnext) {
- print_ph1mismatched(p,
- iph1->proposal);
-@@ -1238,7 +1244,7 @@
- "failed to get buffer.\n");
- return NULL;
- }
-- memset(pair, 0, sizeof(pair));
-+ memset(pair, 0, sizeof(*pair));
-
- bp = (caddr_t)(sab + 1);
- tlen = sa->l - sizeof(*sab);
diff --git a/security/racoon2/patches/patch-iked_ikev1_oakley.c b/security/racoon2/patches/patch-iked_ikev1_oakley.c
deleted file mode 100644
index 1c2b417e330..00000000000
--- a/security/racoon2/patches/patch-iked_ikev1_oakley.c
+++ /dev/null
@@ -1,91 +0,0 @@
-$NetBSD: patch-iked_ikev1_oakley.c,v 1.1 2018/05/29 01:22:50 christos Exp $
-
-Remove unused variables
-
---- iked/ikev1/oakley.c.orig 2008-07-07 05:36:08.000000000 -0400
-+++ iked/ikev1/oakley.c 2018-05-28 19:39:44.411098687 -0400
-@@ -585,7 +585,6 @@
- {
- rc_vchar_t *buf = 0, *res = 0;
- int len;
-- int error = -1;
-
- /* create buffer */
- len = 1 + sizeof(uint32_t) + body->l;
-@@ -610,8 +609,6 @@
- if (res == NULL)
- goto end;
-
-- error = 0;
--
- plog(PLOG_DEBUG, PLOGLOC, NULL, "HASH computed:\n");
- plogdump(PLOG_DEBUG, PLOGLOC, 0, res->v, res->l);
-
-@@ -637,7 +634,6 @@
- rc_vchar_t *buf = NULL, *res = NULL;
- char *p;
- int len;
-- int error = -1;
-
- /* create buffer */
- len = sizeof(uint32_t) + body->l;
-@@ -663,8 +659,6 @@
- if (res == NULL)
- goto end;
-
-- error = 0;
--
- plog(PLOG_DEBUG, PLOGLOC, NULL, "HASH computed:\n");
- plogdump(PLOG_DEBUG, PLOGLOC, 0, res->v, res->l);
-
-@@ -687,7 +681,6 @@
- rc_vchar_t *buf = NULL, *res = NULL, *bp;
- char *p, *bp2;
- int len, bl;
-- int error = -1;
- #ifdef HAVE_GSSAPI
- rc_vchar_t *gsstokens = NULL;
- #endif
-@@ -780,8 +773,6 @@
- if (res == NULL)
- goto end;
-
-- error = 0;
--
- plog(PLOG_DEBUG, PLOGLOC, NULL, "HASH (%s) computed:\n",
- iph1->side == INITIATOR ? "init" : "resp");
- plogdump(PLOG_DEBUG, PLOGLOC, 0, res->v, res->l);
-@@ -811,7 +802,6 @@
- rc_vchar_t *hash = NULL; /* for signature mode */
- char *p;
- int len;
-- int error = -1;
-
- /* sanity check */
- if (iph1->etype != ISAKMP_ETYPE_BASE) {
-@@ -925,8 +915,6 @@
- if (res == NULL)
- goto end;
-
-- error = 0;
--
- plog(PLOG_DEBUG, PLOGLOC, NULL, "HASH_I computed:\n");
- plogdump(PLOG_DEBUG, PLOGLOC, 0, res->v, res->l);
-
-@@ -950,7 +938,6 @@
- rc_vchar_t *hash = NULL;
- char *p;
- int len;
-- int error = -1;
-
- /* sanity check */
- if (iph1->etype != ISAKMP_ETYPE_BASE) {
-@@ -1049,8 +1036,6 @@
- if (res == NULL)
- goto end;
-
-- error = 0;
--
- plog(PLOG_DEBUG, PLOGLOC, NULL, "HASH computed:\n");
- plogdump(PLOG_DEBUG, PLOGLOC, 0, res->v, res->l);
-
diff --git a/security/racoon2/patches/patch-iked_ikev1_pfkey.c b/security/racoon2/patches/patch-iked_ikev1_pfkey.c
deleted file mode 100644
index 3b51f009b90..00000000000
--- a/security/racoon2/patches/patch-iked_ikev1_pfkey.c
+++ /dev/null
@@ -1,71 +0,0 @@
-$NetBSD: patch-iked_ikev1_pfkey.c,v 1.1 2018/05/29 01:22:50 christos Exp $
-
-Fix unused
-
---- iked/ikev1/pfkey.c.orig 2008-04-01 06:39:13.000000000 -0400
-+++ iked/ikev1/pfkey.c 2018-05-28 19:55:26.598592949 -0400
-@@ -562,7 +562,9 @@
- unsigned int satype, mode;
- struct saprop *pp;
- struct saproto *pr;
-+#ifdef notyet
- uint32_t minspi, maxspi;
-+#endif
- #if 0
- int proxy = 0;
- #endif
-@@ -613,13 +615,15 @@
- }
- /* this works around a bug in Linux kernel where it
- * allocates 4 byte spi's for IPCOMP */
-- else if (satype == SADB_X_SATYPE_IPCOMP) {
-+#ifdef notyet
-+ if (satype == SADB_X_SATYPE_IPCOMP) {
- minspi = 0x100;
- maxspi = 0xffff;
- } else {
- minspi = 0;
- maxspi = 0;
- }
-+#endif
- mode = ipsecdoi2rc_mode(pr->encmode);
- if (mode == 0) {
- plog(PLOG_INTERR, PLOGLOC, NULL,
-@@ -635,8 +639,10 @@
- param.pref_dst = 0;
- param.satype = satype;
- param.samode = mode;
-- /* param.minspi = minspi; */
-- /* param.maxspi = maxspi; */
-+#ifdef notyet
-+ param.minspi = minspi;
-+ param.maxspi = maxspi;
-+#endif
- param.reqid = pr->reqid_in;
- param.seq = iph2->seq;
- if (iph2->sadb_request.method->getspi(&param)) {
-@@ -747,7 +753,9 @@
- unsigned int e_keylen, a_keylen, flags;
- int satype, mode;
- struct rcpfk_msg param;
-+#if 0
- unsigned int wsize = 4; /* XXX static size of window */
-+#endif
-
- /* sanity check */
- if (iph2->approval == NULL) {
-@@ -773,10 +781,13 @@
- plog(PLOG_PROTOERR, PLOGLOC, 0,
- "invalid proto_id %d\n", pr->proto_id);
- return -1;
-- } else if (satype == RCT_SATYPE_IPCOMP) {
-+ }
-+#if 0
-+ if (satype == RCT_SATYPE_IPCOMP) {
- /* IPCOMP has no replay window */
- wsize = 0;
- }
-+#endif
- mode = ipsecdoi2rc_mode(pr->encmode);
- if (mode == 0) {
- plog(PLOG_PROTOERR, PLOGLOC, 0,
diff --git a/security/racoon2/patches/patch-iked_ikev2.c b/security/racoon2/patches/patch-iked_ikev2.c
deleted file mode 100644
index 031bda1ea81..00000000000
--- a/security/racoon2/patches/patch-iked_ikev2.c
+++ /dev/null
@@ -1,78 +0,0 @@
-$NetBSD: patch-iked_ikev2.c,v 1.1 2018/05/29 01:22:50 christos Exp $
-
-Remove unused
-
---- iked/ikev2.c.orig 2010-02-01 05:30:51.000000000 -0500
-+++ iked/ikev2.c 2018-05-28 19:59:33.332024762 -0400
-@@ -1945,8 +1945,6 @@
- struct ikev2_payload_header *p;
- int type;
- struct ikev2_payload_header *id_i = 0;
-- struct ikev2_payload_header *cert = 0;
-- struct ikev2_payload_header *certreq = 0;
- struct ikev2_payload_header *id_r = 0;
- struct ikev2payl_auth *auth = 0;
- struct ikev2_payload_header *sa_i2 = 0;
-@@ -2010,10 +2008,8 @@
- * accept up to four X.509 certificates in support of authentication,
- */
- #endif
-- cert = p;
- break;
- case IKEV2_PAYLOAD_CERTREQ:
-- certreq = p;
- break;
- case IKEV2_PAYLOAD_ID_R:
- if (id_r)
-@@ -2639,7 +2635,6 @@
- int type;
- struct ikev2_payload_header *p;
- struct ikev2_payload_header *id_r = 0;
-- struct ikev2_payload_header *cert = 0;
- struct ikev2payl_auth *auth = 0;
- struct ikev2_payload_header *sa_r2 = 0;
- struct ikev2_payload_header *ts_i = 0;
-@@ -2669,7 +2664,6 @@
- * accept up to four X.509 certificates in support of authentication,
- */
- #endif
-- cert = p;
- break;
- case IKEV2_PAYLOAD_AUTH:
- if (auth)
-@@ -2791,7 +2785,6 @@
- int type;
- struct ikev2_payload_header *p;
- struct ikev2_payload_header *cfg = 0;
-- struct ikev2_payload_header *id_r = 0;
- struct ikev2_payload_header *sa_r2 = 0;
- struct ikev2_payload_header *ts_i = 0;
- struct ikev2_payload_header *ts_r = 0;
-@@ -2834,7 +2827,6 @@
- case IKEV2_PAYLOAD_ENCRYPTED:
- break;
- case IKEV2_PAYLOAD_ID_R:
-- id_r = p;
- break;
- case IKEV2_PAYLOAD_SA:
- sa_r2 = p;
-@@ -4541,7 +4533,9 @@
- int i;
- uint32_t spi;
- struct ikev2_child_sa *child_sa;
-+#if 0
- struct rcf_policy *policy;
-+#endif
-
- d = (struct ikev2payl_delete *)p;
- protocol_id = d->dh.protocol_id;
-@@ -4641,7 +4635,9 @@
- break;
- }
-
-+#if 0
- policy = child_sa->selector->pl;
-+#endif
-
- /* (draft-17)
- * If by chance both ends of a set
diff --git a/security/racoon2/patches/patch-iked_ikev2__child.c b/security/racoon2/patches/patch-iked_ikev2__child.c
deleted file mode 100644
index a85fd9e375c..00000000000
--- a/security/racoon2/patches/patch-iked_ikev2__child.c
+++ /dev/null
@@ -1,26 +0,0 @@
-$NetBSD: patch-iked_ikev2__child.c,v 1.1 2018/05/29 01:22:50 christos Exp $
-
-Comment out unused
-
---- iked/ikev2_child.c.orig 2008-09-10 04:30:58.000000000 -0400
-+++ iked/ikev2_child.c 2018-05-28 20:02:17.518182437 -0400
-@@ -1373,7 +1373,9 @@
- struct prop_pair *matching_proposal = 0;
- struct prop_pair *matching_my_proposal = 0;
- struct prop_pair **new_my_proposal_list = 0;
-+#ifdef notyet
- rc_vchar_t *g_ir;
-+#endif
- int err = 0;
-
- /* update IPsec SA with received parameter */
-@@ -1451,8 +1453,8 @@
- use_transport_mode ? "transport" : "tunnel"));
- }
-
-- g_ir = 0;
- #ifdef notyet
-+ g_ir = 0;
- /* if (ke_i && ke_r) g_ir = g^i^r */
- #endif
-
diff --git a/security/racoon2/patches/patch-iked_ikev2__notify.c b/security/racoon2/patches/patch-iked_ikev2__notify.c
deleted file mode 100644
index 21669cbe4f1..00000000000
--- a/security/racoon2/patches/patch-iked_ikev2__notify.c
+++ /dev/null
@@ -1,24 +0,0 @@
-$NetBSD: patch-iked_ikev2__notify.c,v 1.1 2018/05/29 01:22:50 christos Exp $
-
-Fix unused
-
---- iked/ikev2_notify.c.orig 2008-02-06 03:09:00.000000000 -0500
-+++ iked/ikev2_notify.c 2018-05-28 20:05:41.431368140 -0400
-@@ -281,12 +281,16 @@
- struct ikev2_child_param *child_param,
- int *http_cert_lookup_supported)
- {
-- struct ikev2_header *ikehdr;
- struct ikev2payl_notify *notify;
-+#ifdef notyet
-+ struct ikev2_header *ikehdr;
- uint32_t message_id;
-+#endif
-
-+#ifdef notyet
- ikehdr = (struct ikev2_header *)msg->v;
- message_id = get_uint32(&ikehdr->message_id);
-+#endif
- notify = (struct ikev2payl_notify *)payload;
-
- switch (get_notify_type(notify)) {
diff --git a/security/racoon2/patches/patch-kinkd-crypto__openssl.c b/security/racoon2/patches/patch-kinkd-crypto__openssl.c
deleted file mode 100644
index ee029c2bc47..00000000000
--- a/security/racoon2/patches/patch-kinkd-crypto__openssl.c
+++ /dev/null
@@ -1,117 +0,0 @@
-$NetBSD: patch-kinkd-crypto__openssl.c,v 1.1 2018/05/29 01:22:50 christos Exp $
-
-Fix signness issues
-
---- kinkd/crypto_openssl.c.orig 2008-02-07 05:12:28.000000000 -0500
-+++ kinkd/crypto_openssl.c 2018-05-28 19:32:47.287261308 -0400
-@@ -239,7 +239,7 @@
- rc_vchar_t *res;
- AES_KEY k;
-
-- if (AES_set_encrypt_key(key->v, key->l << 3, &k) < 0)
-+ if (AES_set_encrypt_key((unsigned char *)key->v, key->l << 3, &k) < 0)
- return NULL;
- /* allocate buffer for result */
- if ((res = rc_vmalloc(data->l)) == NULL) {
-@@ -247,7 +247,7 @@
- EXITREQ_NOMEM();
- return NULL;
- }
-- AES_cbc_encrypt(data->v, res->v, data->l, &k, iv->v, AES_ENCRYPT);
-+ AES_cbc_encrypt((unsigned char *)data->v, (unsigned char *)res->v, data->l, &k, (unsigned char *)iv->v, AES_ENCRYPT);
-
- return res;
- }
-@@ -258,7 +258,7 @@
- rc_vchar_t *res;
- AES_KEY k;
-
-- if (AES_set_decrypt_key(key->v, key->l << 3, &k) < 0)
-+ if (AES_set_decrypt_key((unsigned char *)key->v, key->l << 3, &k) < 0)
- return NULL;
- /* allocate buffer for result */
- if ((res = rc_vmalloc(data->l)) == NULL) {
-@@ -266,7 +266,7 @@
- EXITREQ_NOMEM();
- return NULL;
- }
-- AES_cbc_encrypt(data->v, res->v, data->l, &k, iv->v, AES_DECRYPT);
-+ AES_cbc_encrypt((unsigned char *)data->v, (unsigned char *)res->v, data->l, &k, (unsigned char *)iv->v, AES_DECRYPT);
-
- return res;
- }
-@@ -291,7 +291,7 @@
- rc_vchar_t *res;
- AES_KEY k;
-
-- if (AES_set_encrypt_key(key->v, key->l << 3, &k) < 0)
-+ if (AES_set_encrypt_key((unsigned char *)key->v, key->l << 3, &k) < 0)
- return NULL;
- /* allocate buffer for result */
- if ((res = rc_vmalloc(data->l)) == NULL) {
-@@ -299,7 +299,7 @@
- EXITREQ_NOMEM();
- return NULL;
- }
-- AES_cts_encrypt(data->v, res->v, data->l, &k, iv->v, AES_ENCRYPT);
-+ AES_cts_encrypt((unsigned char *)data->v, (unsigned char *)res->v, data->l, &k, (unsigned char *)iv->v, AES_ENCRYPT);
-
- return res;
- }
-@@ -310,7 +310,7 @@
- rc_vchar_t *res;
- AES_KEY k;
-
-- if (AES_set_decrypt_key(key->v, key->l << 3, &k) < 0)
-+ if (AES_set_decrypt_key((unsigned char *)key->v, key->l << 3, &k) < 0)
- return NULL;
- /* allocate buffer for result */
- if ((res = rc_vmalloc(data->l)) == NULL) {
-@@ -318,7 +318,7 @@
- EXITREQ_NOMEM();
- return NULL;
- }
-- AES_cts_encrypt(data->v, res->v, data->l, &k, iv->v, AES_DECRYPT);
-+ AES_cts_encrypt((unsigned char *)data->v, (unsigned char *)res->v, data->l, &k, (unsigned char *)iv->v, AES_DECRYPT);
-
- return res;
- }
-@@ -348,17 +348,17 @@
- memcpy(lastblk, ivec, AES_BLOCK_SIZE);
- for (i = 0; i < fraglen; i++)
- lastblk[i] ^= (in + cbclen + AES_BLOCK_SIZE)[i];
-- AES_encrypt(lastblk, out + cbclen, key);
-+ AES_encrypt((unsigned char *)lastblk, out + cbclen, key);
- } else {
- /* Decrypt the last plainblock. */
-- AES_decrypt(in + cbclen, lastblk, key);
-+ AES_decrypt(in + cbclen, (unsigned char *)lastblk, key);
- for (i = 0; i < fraglen; i++)
- (out + cbclen + AES_BLOCK_SIZE)[i] =
- lastblk[i] ^ (in + cbclen + AES_BLOCK_SIZE)[i];
-
- /* Decrypt the second last block. */
- memcpy(lastblk, in + cbclen + AES_BLOCK_SIZE, fraglen);
-- AES_decrypt(lastblk, out + cbclen, key);
-+ AES_decrypt((unsigned char *)lastblk, out + cbclen, key);
- if (cbclen == 0)
- for (i = 0; i < AES_BLOCK_SIZE; i++)
- (out + cbclen)[i] ^= ivec[i];
-@@ -738,7 +738,7 @@
- if ((res = rc_vmalloc(SHA_DIGEST_LENGTH)) == 0)
- return(0);
-
-- SHA1_Final(res->v, (SHA_CTX *)c);
-+ SHA1_Final((unsigned char *)res->v, (SHA_CTX *)c);
- (void)free(c);
-
- return(res);
-@@ -792,7 +792,7 @@
- if ((res = rc_vmalloc(MD5_DIGEST_LENGTH)) == 0)
- return(0);
-
-- MD5_Final(res->v, (MD5_CTX *)c);
-+ MD5_Final((unsigned char *)res->v, (MD5_CTX *)c);
- (void)free(c);
-
- return(res);
diff --git a/security/racoon2/patches/patch-kinkd-ipsec__doi.c b/security/racoon2/patches/patch-kinkd-ipsec__doi.c
deleted file mode 100644
index d42a45529da..00000000000
--- a/security/racoon2/patches/patch-kinkd-ipsec__doi.c
+++ /dev/null
@@ -1,34 +0,0 @@
-$NetBSD: patch-kinkd-ipsec__doi.c,v 1.1 2018/05/29 01:22:50 christos Exp $
-
-Fix wrong memset
-Fix pointer signness
-
---- kinkd/ipsec_doi.c.orig 2018-05-28 19:34:49.793231430 -0400
-+++ kinkd/ipsec_doi.c 2018-05-28 19:35:27.322259892 -0400
-@@ -654,7 +654,7 @@
- "failed to get buffer.\n");
- return NULL;
- }
-- memset(pair, 0, sizeof(pair));
-+ memset(pair, 0, sizeof(*pair));
-
- bp = (caddr_t)(sab + 1);
- tlen = sa->l - sizeof(*sab);
-@@ -2034,7 +2034,7 @@
-
- /* set prefix */
- if (len2) {
-- unsigned char *p = new->v + sizeof(struct ipsecdoi_id_b) + len1;
-+ unsigned char *p = (unsigned char *)new->v + sizeof(struct ipsecdoi_id_b) + len1;
- unsigned int bits = prefixlen;
-
- while (bits >= 8) {
-@@ -2141,7 +2141,7 @@
- plen = 0;
- max = alen <<3;
-
-- p = buf->v
-+ p = (unsigned char *)buf->v
- + sizeof(struct ipsecdoi_id_b)
- + alen;
-
diff --git a/security/racoon2/patches/patch-kinkd_bbkk__heimdal.c b/security/racoon2/patches/patch-kinkd_bbkk__heimdal.c
deleted file mode 100644
index 954b0776c3b..00000000000
--- a/security/racoon2/patches/patch-kinkd_bbkk__heimdal.c
+++ /dev/null
@@ -1,310 +0,0 @@
-$NetBSD: patch-kinkd_bbkk__heimdal.c,v 1.1 2018/05/29 01:22:50 christos Exp $
-
-Avoid deprecated API's
-Include private header since we are using private functions
-Fix function calls with missing args
-
---- kinkd/bbkk_heimdal.c.orig 2007-08-03 01:42:24.000000000 -0400
-+++ kinkd/bbkk_heimdal.c 2018-05-28 21:07:22.720866945 -0400
-@@ -40,6 +40,10 @@
- #include <string.h>
- #if defined(HAVE_KRB5_KRB5_H)
- # include <krb5/krb5.h>
-+# include <openssl/evp.h>
-+typedef void *krb5_pk_init_ctx;
-+# include <krb5/pkinit_asn1.h>
-+# include <krb5/krb5-private.h>
- #else
- # include <krb5.h>
- #endif
-@@ -147,7 +151,7 @@
- if (DEBUG_KRB5() && cause != NULL)
- kinkd_log(KLLV_DEBUG,
- "bbkk: %s: %s\n",
-- cause, krb5_get_err_text(con->context, ret));
-+ cause, krb5_get_error_message(con->context, ret));
- if (con->rcache != NULL)
- krb5_rc_close(con->context, con->rcache);
- if (con->ccache != NULL)
-@@ -185,7 +189,7 @@
- {
- krb5_error_code ret;
- krb5_principal principal;
-- krb5_get_init_creds_opt opt;
-+ krb5_get_init_creds_opt *opt;
- krb5_creds cred;
- krb5_keytab kt;
- krb5_deltat start_time = 0;
-@@ -198,7 +202,7 @@
- if (DEBUG_KRB5())
- kinkd_log(KLLV_DEBUG,
- "bbkk: krb5_parse_name: %s\n",
-- krb5_get_err_text(con->context, ret));
-+ krb5_get_error_message(con->context, ret));
- return ret;
- }
- ret = krb5_kt_default(con->context, &kt);
-@@ -206,25 +210,26 @@
- if (DEBUG_KRB5())
- kinkd_log(KLLV_DEBUG,
- "bbkk: krb5_kt_default: %s\n",
-- krb5_get_err_text(con->context, ret));
-+ krb5_get_error_message(con->context, ret));
- krb5_free_principal(con->context, principal);
- return ret;
- }
-
- memset(&cred, 0, sizeof(cred));
-- krb5_get_init_creds_opt_init(&opt);
-+ krb5_get_init_creds_opt_alloc(con->context, &opt);
- krb5_get_init_creds_opt_set_default_flags(con->context, "kinit",
-- principal->realm, &opt); /* XXX may not be kinit... */
-+ principal->realm, opt); /* XXX may not be kinit... */
-
- ret = krb5_get_init_creds_keytab(con->context, &cred, principal, kt,
-- start_time, NULL /* server */, &opt);
-+ start_time, NULL /* server */, opt);
- krb5_kt_close(con->context, kt);
- krb5_free_principal(con->context, principal);
-+ krb5_get_init_creds_opt_free(con->context, opt);
- if (ret != 0) {
- if (DEBUG_KRB5())
- kinkd_log(KLLV_DEBUG,
- "bbkk: krb5_get_init_creds_keytab: %s\n",
-- krb5_get_err_text(con->context, ret));
-+ krb5_get_error_message(con->context, ret));
- return ret;
- }
-
-@@ -236,10 +241,10 @@
- if (DEBUG_KRB5())
- kinkd_log(KLLV_DEBUG,
- "bbkk: krb5_cc_store_cred: %s\n",
-- krb5_get_err_text(con->context, ret));
-+ krb5_get_error_message(con->context, ret));
- return ret;
- }
-- krb5_free_creds_contents(con->context, &cred);
-+ krb5_free_cred_contents(con->context, &cred);
-
- return 0;
- }
-@@ -261,7 +266,7 @@
- if (DEBUG_KRB5())
- kinkd_log(KLLV_DEBUG,
- "bbkk: krb5_parse_name: %s\n",
-- krb5_get_err_text(con->context, ret));
-+ krb5_get_error_message(con->context, ret));
- return ret;
- }
- ret = krb5_parse_name(con->context, cprinc_str, &client);
-@@ -269,7 +274,7 @@
- if (DEBUG_KRB5())
- kinkd_log(KLLV_DEBUG,
- "bbkk: krb5_parse_name: %s\n",
-- krb5_get_err_text(con->context, ret));
-+ krb5_get_error_message(con->context, ret));
- krb5_free_principal(con->context, server);
- return ret;
- }
-@@ -292,7 +297,7 @@
- if (DEBUG_KRB5())
- kinkd_log(KLLV_DEBUG,
- "bbkk: krb5_cc_remove_cred: %s\n",
-- krb5_get_err_text(con->context, ret));
-+ krb5_get_error_message(con->context, ret));
- krb5_free_principal(con->context, client);
- krb5_free_principal(con->context, server);
- return ret;
-@@ -311,7 +316,7 @@
- if (DEBUG_KRB5())
- kinkd_log(KLLV_DEBUG,
- "bbkk: krb5_get_credentials: %s\n",
-- krb5_get_err_text(con->context, ret));
-+ krb5_get_error_message(con->context, ret));
- return ret;
- }
- *cred = (void *)out_cred;
-@@ -354,7 +359,7 @@
- if (DEBUG_KRB5())
- kinkd_log(KLLV_DEBUG,
- "bbkk: krb5_copy_creds_contents: %s\n",
-- krb5_get_err_text(con->context, ret));
-+ krb5_get_error_message(con->context, ret));
- goto cleanup;
- }
- int_auth_con = NULL;
-@@ -364,12 +369,12 @@
- */
- ret = krb5_mk_req_extended(con->context, &int_auth_con,
- AP_OPTS_MUTUAL_REQUIRED, NULL /* in_data */, &cred_copy, &ap_req);
-- krb5_free_creds_contents(con->context, &cred_copy);
-+ krb5_free_cred_contents(con->context, &cred_copy);
- if (ret != 0) {
- if (DEBUG_KRB5())
- kinkd_log(KLLV_DEBUG,
- "bbkk: krb5_mk_req_extended: %s\n",
-- krb5_get_err_text(con->context, ret));
-+ krb5_get_error_message(con->context, ret));
- goto cleanup;
- }
-
-@@ -414,7 +419,7 @@
- if (DEBUG_KRB5())
- kinkd_log(KLLV_DEBUG,
- "bbkk: krb5_rd_rep: %s\n",
-- krb5_get_err_text(con->context, ret));
-+ krb5_get_error_message(con->context, ret));
- return ret;
- }
-
-@@ -462,7 +467,7 @@
- if (ret != 0) {
- kinkd_log(KLLV_SYSERR,
- "krb5e_force_get_key: (%d) %s\n",
-- ret, krb5_get_err_text(con->context, ret));
-+ ret, krb5_get_error_message(con->context, ret));
- krb5_auth_con_free(con->context, auth_context);
- return ret;
- }
-@@ -470,7 +475,7 @@
- if (DEBUG_KRB5())
- kinkd_log(KLLV_DEBUG,
- "bbkk: krb5_rd_req: (%d)%s\n",
-- saveret, krb5_get_err_text(con->context, saveret));
-+ saveret, krb5_get_error_message(con->context, saveret));
- krb5_auth_con_free(con->context, auth_context);
- return saveret;
- }
-@@ -492,7 +497,7 @@
- if (DEBUG_KRB5())
- kinkd_log(KLLV_DEBUG,
- "bbkk: krb5_rc_store: %s\n",
-- krb5_get_err_text(con->context, ret));
-+ krb5_get_error_message(con->context, ret));
- if (ticket != NULL)
- krb5_free_ticket(con->context, ticket);
- krb5_auth_con_free(con->context, auth_context);
-@@ -507,7 +512,7 @@
- if (DEBUG_KRB5())
- kinkd_log(KLLV_DEBUG,
- "bbkk: krb5_mk_rep: %s\n",
-- krb5_get_err_text(con->context, ret));
-+ krb5_get_error_message(con->context, ret));
- /*
- * XXX Heimdal-0.6.x
- * Heimdal-0.6.x frees only ticket contents, not containter;
-@@ -536,7 +541,7 @@
- if (DEBUG_KRB5())
- kinkd_log(KLLV_DEBUG,
- "bbkk: krb5_rd_req: (%d)%s\n",
-- saveret, krb5_get_err_text(con->context, saveret));
-+ saveret, krb5_get_error_message(con->context, saveret));
- if (ticket != NULL)
- krb5_free_ticket(con->context, ticket);
- return saveret;
-@@ -584,7 +589,7 @@
- time_t ctime, *ctimep;
- int cusec, *cusecp;
-
-- e_text = krb5_get_err_text(con->context, ecode);
-+ e_text = krb5_get_error_message(con->context, ecode);
- if (ecode < KRB5KDC_ERR_NONE || KRB5_ERR_RCSID <= ecode) {
- kinkd_log(KLLV_SYSWARN,
- "non protocol errror (%d), use GENERIC\n", ecode);
-@@ -609,7 +614,7 @@
- if (DEBUG_KRB5())
- kinkd_log(KLLV_DEBUG,
- "bbkk: krb5_mk_error: %s\n",
-- krb5_get_err_text(con->context, ret));
-+ krb5_get_error_message(con->context, ret));
- return ret;
- }
-
-@@ -635,7 +640,7 @@
- if (DEBUG_KRB5())
- kinkd_log(KLLV_DEBUG,
- "bbkk: krb5_rd_error: %s\n",
-- krb5_get_err_text(con->context, ret));
-+ krb5_get_error_message(con->context, ret));
- return ret;
- }
-
-@@ -926,7 +931,7 @@
- if (con == NULL)
- return "Failed in initialization, so no message is available";
- else
-- return krb5_get_err_text(con->context, ecode);
-+ return krb5_get_error_message(con->context, ecode);
- }
-
-
-@@ -951,7 +956,7 @@
- keyblock = NULL;
-
- if ((t = (krb5_ticket *)malloc(sizeof(*t))) == NULL) {
-- krb5_clear_error_string(context);
-+ krb5_clear_error_message(context);
- return ENOMEM;
- }
- *t = t0;
-@@ -966,14 +971,14 @@
- principalname2krb5_principal(&server,
- ap_req.ticket.sname, ap_req.ticket.realm);
- #else
-- _krb5_principalname2krb5_principal(&server,
-+ _krb5_principalname2krb5_principal(context, &server,
- ap_req.ticket.sname, ap_req.ticket.realm);
- #endif
-
- if (ap_req.ap_options.use_session_key && ac->keyblock == NULL) {
-- krb5_set_error_string(context, "krb5_rd_req: user to user "
-- "auth without session key given");
- ret = KRB5KRB_AP_ERR_NOKEY;
-+ krb5_set_error_message(context, ret,
-+ "krb5_rd_req: user to user auth without session key given");
- goto fail;
- }
-
-@@ -1009,6 +1014,13 @@
- }
-
- /* decrypt ticket */
-+#if 1
-+ ret = krb5_decrypt_ticket(context, &ap_req.ticket,
-+ ac->keyblock != NULL ? ac->keyblock : keyblock,
-+ &t->ticket, 0);
-+ if (ret != 0)
-+ goto fail;
-+#else
- {
- krb5_data plain;
- size_t len;
-@@ -1030,6 +1042,7 @@
- if (ret != 0)
- goto fail;
- }
-+#endif
-
- /* get keyblock from ticket */
- if (ac->keyblock != NULL) {
-@@ -1039,6 +1052,11 @@
- krb5_copy_keyblock(context, &t->ticket.key, &ac->keyblock);
-
- /* handle authenticator */
-+#if 1
-+ ret = krb5_auth_con_getauthenticator(context, ac, &ac->authenticator);
-+ if (ret != 0)
-+ goto fail;
-+#else
- {
- krb5_data plain;
- size_t len;
-@@ -1059,6 +1077,7 @@
- if (ret != 0)
- goto fail;
- }
-+#endif
- if (ac->authenticator->seq_number)
- krb5_auth_con_setremoteseqnumber(context, ac,
- *ac->authenticator->seq_number);
diff --git a/security/racoon2/patches/patch-kinkd_isakmp__quick.c b/security/racoon2/patches/patch-kinkd_isakmp__quick.c
deleted file mode 100644
index b920fa08579..00000000000
--- a/security/racoon2/patches/patch-kinkd_isakmp__quick.c
+++ /dev/null
@@ -1,61 +0,0 @@
-$NetBSD: patch-kinkd_isakmp__quick.c,v 1.1 2018/05/29 01:22:50 christos Exp $
-
-Fix unused
-
---- kinkd/isakmp_quick.c.orig 2009-09-04 15:59:33.000000000 -0400
-+++ kinkd/isakmp_quick.c 2018-05-28 21:12:13.401432933 -0400
-@@ -191,9 +191,11 @@
- }
-
- if (iph2->id_p) {
-+#if 0
- uint8_t dummy_plen;
- uint16_t dummy_ulproto;
- int ret;
-+#endif
-
- plog(LLV_DEBUG, LOCATION, NULL, "received IDci2:");
- plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l);
-@@ -212,9 +214,11 @@
- #endif
- }
- if (iph2->id) {
-+#if 0
- uint8_t dummy_plen;
- uint16_t dummy_ulproto;
- int ret;
-+#endif
-
- plog(LLV_DEBUG, LOCATION, NULL, "received IDcr2:");
- plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l);
-@@ -258,7 +262,9 @@
- {
- rc_vchar_t *pbuf = NULL; /* for payload parsing */
- struct isakmp_parse_t *pa;
-+#if 0
- int f_id;
-+#endif
- int error = ISAKMP_INTERNAL_ERROR;
-
- /*
-@@ -290,7 +296,9 @@
- * parse the payloads.
- */
- iph2->sa_ret = NULL;
-+#if 0
- f_id = 0; /* flag to use checking ID */
-+#endif
- for (; pa->type; pa++) {
-
- switch (pa->type) {
-@@ -319,9 +327,9 @@
-
- case ISAKMP_NPTYPE_ID:
- {
-+#if 0 /* ID payloads are not supported yet. */
- rc_vchar_t *vp;
-
--#if 0 /* ID payloads are not supported yet. */
- /* check ID value */
- if (f_id == 0) {
- /* for IDci */
diff --git a/security/racoon2/patches/patch-kinkd_session.c b/security/racoon2/patches/patch-kinkd_session.c
deleted file mode 100644
index b80cf99c307..00000000000
--- a/security/racoon2/patches/patch-kinkd_session.c
+++ /dev/null
@@ -1,15 +0,0 @@
-$NetBSD: patch-kinkd_session.c,v 1.1 2018/05/29 01:22:50 christos Exp $
-
-Fix pointer to integer cast
-
---- kinkd/session.c.orig 2006-08-11 16:44:34.000000000 -0400
-+++ kinkd/session.c 2018-05-28 21:09:41.263580997 -0400
-@@ -290,7 +290,7 @@
- {
- int signo;
-
-- signo = (int)arg;
-+ signo = (int)(intptr_t)arg;
-
- switch (signo) {
- case SIGHUP:
diff --git a/security/racoon2/patches/patch-lib_cfparse.y b/security/racoon2/patches/patch-lib_cfparse.y
deleted file mode 100644
index 6e9de377878..00000000000
--- a/security/racoon2/patches/patch-lib_cfparse.y
+++ /dev/null
@@ -1,15 +0,0 @@
-$NetBSD: patch-lib_cfparse.y,v 1.1 2013/03/29 13:52:45 joerg Exp $
-
-Fix type mismatch to avoid compilation error.
-
---- lib/cfparse.y.orig 2009-02-02 17:49:18.000000000 +0900
-+++ lib/cfparse.y 2013-03-29 21:31:04.000000000 +0900
-@@ -1712,7 +1712,7 @@
- int n;
- char *bp;
- struct cf_list *new;
-- rcf_t type;
-+ rc_type type;
-
- n = strtoll(str, &bp, 10);
-
diff --git a/security/racoon2/patches/patch-lib_cfsetup.c b/security/racoon2/patches/patch-lib_cfsetup.c
deleted file mode 100644
index d63a8a35f08..00000000000
--- a/security/racoon2/patches/patch-lib_cfsetup.c
+++ /dev/null
@@ -1,23 +0,0 @@
-$NetBSD: patch-lib_cfsetup.c,v 1.1 2012/12/15 08:10:59 marino Exp $
-
-Fix "error: variable 'va' set but not used" errors on gcc4.6+
-
---- lib/cfsetup.c.orig 2008-11-13 05:59:53.000000000 +0000
-+++ lib/cfsetup.c
-@@ -3026,7 +3026,6 @@ rcf_fix_addrlist(struct cf_list *head, s
- {
- struct rc_addrlist *new_head = 0, *new = 0, **lastap;
- struct cf_list *n, *m;
-- rc_vchar_t va;
- struct rc_addrlist *al = 0;
- char port[10];
- int nport;
-@@ -3060,8 +3059,6 @@ rcf_fix_addrlist(struct cf_list *head, s
- "at %d in %s\n", m->lineno, m->file);
- goto err;
- }
-- va.l = strlen(n->d.str);
-- va.v = n->d.str;
- error = rcs_getaddrlist(n->d.str, port, RCT_ADDR_FQDN, &al);
- if (error) {
- plog(PLOG_INTERR, PLOGLOC, NULL,
diff --git a/security/racoon2/patches/patch-lib_cftoken.l b/security/racoon2/patches/patch-lib_cftoken.l
deleted file mode 100644
index fb85e105dc3..00000000000
--- a/security/racoon2/patches/patch-lib_cftoken.l
+++ /dev/null
@@ -1,24 +0,0 @@
-$NetBSD: patch-lib_cftoken.l,v 1.2 2018/05/29 01:22:50 christos Exp $
-
-Fixes for modern flex
-
---- lib/cftoken.l.orig 2018-05-28 17:21:27.733726555 -0400
-+++ lib/cftoken.l 2018-05-28 17:21:57.559009640 -0400
-@@ -53,7 +53,7 @@
- extern int yyget_lineno (void);
- extern FILE *yyget_in (void);
- extern FILE *yyget_out (void);
--extern int yyget_leng (void);
-+extern yy_size_t yyget_leng (void);
- extern char *yyget_text (void);
- extern void yyset_lineno (int);
- extern void yyset_in (FILE *);
-@@ -76,7 +76,7 @@
- #define YYDEBUG 1
- #define DP \
- if (cf_debug) { \
-- fprintf(CF_ERRDEV, "%s:%d:%d[%s] len=%d\n", \
-+ fprintf(CF_ERRDEV, "%s:%d:%d[%s] len=%zu\n", \
- rcf_istk[rcf_istkp].path, rcf_istk[rcf_istkp].lineno, \
- yy_start, yytext, yyleng); \
- }
diff --git a/security/racoon2/patches/patch-lib_if__pfkeyv2.c b/security/racoon2/patches/patch-lib_if__pfkeyv2.c
deleted file mode 100644
index 234b42b2152..00000000000
--- a/security/racoon2/patches/patch-lib_if__pfkeyv2.c
+++ /dev/null
@@ -1,26 +0,0 @@
-$NetBSD: patch-lib_if__pfkeyv2.c,v 1.1 2012/12/15 08:10:59 marino Exp $
-
-Fix "error: variable 'keytype' set but not used" errors on gcc4.6+
-
---- lib/if_pfkeyv2.c.orig 2008-04-25 06:02:56.000000000 +0000
-+++ lib/if_pfkeyv2.c
-@@ -1139,19 +1139,16 @@ rcpfk_set_sadbkey(rc_vchar_t **msg, stru
- {
- rc_vchar_t *buf;
- struct sadb_key *p;
-- int keytype;
- size_t keylen;
- caddr_t key;
- int len, prevlen, extlen;
-
- switch (type) {
- case SADB_EXT_KEY_AUTH:
-- keytype = rct2pfk_authtype(rc->authtype);
- key = rc->authkey;
- keylen = rc->authkeylen;
- break;
- case SADB_EXT_KEY_ENCRYPT:
-- keytype = rct2pfk_enctype(rc->enctype);
- key = rc->enckey;
- keylen = rc->enckeylen;
- break;
diff --git a/security/racoon2/patches/patch-lib_if__spmd.c b/security/racoon2/patches/patch-lib_if__spmd.c
deleted file mode 100644
index f5bf3d57304..00000000000
--- a/security/racoon2/patches/patch-lib_if__spmd.c
+++ /dev/null
@@ -1,68 +0,0 @@
-$NetBSD: patch-lib_if__spmd.c,v 1.1 2018/05/29 01:22:50 christos Exp $
-
-Adjust for OpenSSL v1.1
-
---- lib/if_spmd.c.orig 2008-03-27 06:05:42.000000000 -0400
-+++ lib/if_spmd.c 2018-05-28 13:31:19.367838157 -0400
-@@ -1100,7 +1100,7 @@
- spmd_if_login_response(struct spmd_cid *pci)
- {
- unsigned char md[EVP_MAX_MD_SIZE];
-- EVP_MD_CTX ctx;
-+ EVP_MD_CTX *ctx;
- size_t hash_len;
- unsigned int md_len;
- int error, used, i;
-@@ -1108,28 +1108,33 @@
-
- error = -1;
-
-- EVP_MD_CTX_init(&ctx);
-- if (!EVP_DigestInit_ex(&ctx, SPMD_DIGEST_ALG, SPMD_EVP_ENGINE)) {
-+ ctx = EVP_MD_CTX_new();
-+ if (ctx == NULL) {
-+ plog(PLOG_INTERR, PLOGLOC, NULL,
-+ "failed to allocate Message Digest context\n");
-+ goto fail_early;
-+ }
-+ if (!EVP_DigestInit_ex(ctx, SPMD_DIGEST_ALG, SPMD_EVP_ENGINE)) {
- plog(PLOG_INTERR, PLOGLOC, NULL,
- "failed to initilize Message Digest function\n");
- goto fail_early;
- }
-- if (!EVP_DigestUpdate(&ctx, pci->challenge, strlen(pci->challenge))) {
-+ if (!EVP_DigestUpdate(ctx, pci->challenge, strlen(pci->challenge))) {
- plog(PLOG_INTERR, PLOGLOC, NULL,
- "failed to hash Challenge\n");
- goto fail;
- }
-- if (!EVP_DigestUpdate(&ctx, pci->password, strlen(pci->password))) {
-+ if (!EVP_DigestUpdate(ctx, pci->password, strlen(pci->password))) {
- plog(PLOG_INTERR, PLOGLOC, NULL,
- "failed to hash Password\n");
- goto fail;
- }
-- if (sizeof(md) < EVP_MD_CTX_size(&ctx)) {
-+ if (sizeof(md) < EVP_MD_CTX_size(ctx)) {
- plog(PLOG_INTERR, PLOGLOC, NULL,
- "Message Digest buffer is not enough\n");
- goto fail;
- }
-- if (!EVP_DigestFinal_ex(&ctx, md, &md_len)) {
-+ if (!EVP_DigestFinal_ex(ctx, md, &md_len)) {
- plog(PLOG_INTERR, PLOGLOC, NULL,
- "failed to get Message Digest value\n");
- goto fail;
-@@ -1154,11 +1159,7 @@
-
- error = 0;
- fail:
-- if (!EVP_MD_CTX_cleanup(&ctx)) {
-- plog(PLOG_INTERR, PLOGLOC, NULL,
-- "failed to cleanup Message Digest context\n");
-- error = -1; /* error again */
-- }
-+ EVP_MD_CTX_free(ctx);
- fail_early:
- return error;
- }
diff --git a/security/racoon2/patches/patch-spmd_fqdn__query.c b/security/racoon2/patches/patch-spmd_fqdn__query.c
deleted file mode 100644
index e5e3d184b34..00000000000
--- a/security/racoon2/patches/patch-spmd_fqdn__query.c
+++ /dev/null
@@ -1,29 +0,0 @@
-$NetBSD: patch-spmd_fqdn__query.c,v 1.1 2018/05/29 01:22:50 christos Exp $
-
-Fix unused
-
---- spmd/fqdn_query.c.orig 2007-07-25 08:22:18.000000000 -0400
-+++ spmd/fqdn_query.c 2018-05-28 19:43:35.179657737 -0400
-@@ -163,10 +163,9 @@
- fqdn_query_response(struct task *t)
- {
- char data[MAX_UDP_DNS_SIZE];
-- int ret;
-
- /* just discard */
-- ret = recvfrom(t->fd, data, sizeof(data), t->flags, t->sa, &(t->salen));
-+ (void)recvfrom(t->fd, data, sizeof(data), t->flags, t->sa, &(t->salen));
-
- spmd_free(t->sa);
- close(t->fd);
-@@ -178,9 +177,8 @@
- fqdn_query_send(struct task *t)
- {
- struct task *newt = NULL;
-- int ret=0;
-
-- ret = sendto(t->fd, t->msg, t->len, t->flags, t->sa, t->salen);
-+ (void)sendto(t->fd, t->msg, t->len, t->flags, t->sa, t->salen);
-
- newt = task_alloc(0);
- newt->fd = t->fd;
diff --git a/security/racoon2/patches/patch-spmd_main.c b/security/racoon2/patches/patch-spmd_main.c
deleted file mode 100644
index 97227fcc148..00000000000
--- a/security/racoon2/patches/patch-spmd_main.c
+++ /dev/null
@@ -1,21 +0,0 @@
-$NetBSD: patch-spmd_main.c,v 1.1 2018/05/29 01:22:50 christos Exp $
-
-Fix unused variable
-
---- spmd/main.c.orig 2008-07-11 18:35:46.000000000 -0400
-+++ spmd/main.c 2018-05-28 19:26:45.583066490 -0400
-@@ -378,11 +378,12 @@
- do_daemon(void)
- {
- pid_t pid;
-- int en;
-
- openlog("spmd", LOG_PID, LOG_DAEMON);
- if (daemon(0, 0) < 0) {
-- en = errno;
-+#ifdef __linux__ /* glibc specific ? */
-+ int en = errno;
-+#endif
- perror("daemon()");
- #ifdef __linux__ /* glibc specific ? */
- if (en == 0) {
diff --git a/security/racoon2/patches/patch-spmd_shell.c b/security/racoon2/patches/patch-spmd_shell.c
deleted file mode 100644
index 36eb04becd3..00000000000
--- a/security/racoon2/patches/patch-spmd_shell.c
+++ /dev/null
@@ -1,61 +0,0 @@
-$NetBSD: patch-spmd_shell.c,v 1.1 2018/05/29 01:22:50 christos Exp $
-
-Fix for OpenSSL 1.1
-
---- spmd/shell.c 2008-01-25 01:13:01.000000000 -0500
-+++ spmd/shell.c 2018-05-28 13:54:05.166565802 -0400
-@@ -655,7 +655,7 @@
- char *p;
- int i;
- const EVP_MD *m;
-- EVP_MD_CTX ctx;
-+ EVP_MD_CTX *ctx;
- unsigned char digest[EVP_MAX_MD_SIZE];
- unsigned int digest_len;
-
-@@ -693,27 +693,27 @@
- }
- }
- #endif
-- EVP_MD_CTX_init(&ctx);
-- if (!EVP_DigestInit_ex(&ctx, m, SPMD_EVP_ENGINE)) {
-- SPMD_PLOG(SPMD_L_INTERR, "Failed to initilize Message Digest function");
-+ ctx = EVP_MD_CTX_new();
-+ if (ctx == NULL) {
-+ SPMD_PLOG(SPMD_L_INTERR, "Failed to allocate Message Digest context");
- goto fin;
- }
-- if (!EVP_DigestUpdate(&ctx, seed, seed_len)) {
-+ if (!EVP_DigestInit_ex(ctx, m, SPMD_EVP_ENGINE)) {
-+ SPMD_PLOG(SPMD_L_INTERR, "Failed to initialize Message Digest function");
-+ goto fin;
-+ }
-+ if (!EVP_DigestUpdate(ctx, seed, seed_len)) {
- SPMD_PLOG(SPMD_L_INTERR, "Failed to hash Seed");
- goto fin;
- }
-- if (!EVP_DigestFinal_ex(&ctx, digest, &digest_len)) {
-+ if (!EVP_DigestFinal_ex(ctx, digest, &digest_len)) {
- SPMD_PLOG(SPMD_L_INTERR, "Failed to get Message Digest value");
- goto fin;
- }
-- if (digest_len != EVP_MD_CTX_size(&ctx)) {
-+ if (digest_len != EVP_MD_CTX_size(ctx)) {
- SPMD_PLOG(SPMD_L_INTERR, "Message Digest length is not enough");
- goto fin;
- }
-- if (!EVP_MD_CTX_cleanup(&ctx)) {
-- SPMD_PLOG(SPMD_L_INTERR, "Failed to cleanup Message Digest context");
-- goto fin;
-- }
-
- challenge_len = digest_len*2+1;
- challenge = spmd_calloc(challenge_len);
-@@ -729,6 +729,7 @@
- }
-
- fin:
-+ EVP_MD_CTX_free(ctx);
- spmd_free(seed);
- just_fin:
- return challenge;
diff --git a/security/racoon2/patches/patch-spmd_spmd__pfkey.c b/security/racoon2/patches/patch-spmd_spmd__pfkey.c
deleted file mode 100644
index 117a729cae2..00000000000
--- a/security/racoon2/patches/patch-spmd_spmd__pfkey.c
+++ /dev/null
@@ -1,22 +0,0 @@
-$NetBSD: patch-spmd_spmd__pfkey.c,v 1.1 2018/05/29 01:22:50 christos Exp $
-
-Remove unused.
-
---- spmd/spmd_pfkey.c.orig 2008-07-11 18:35:46.000000000 -0400
-+++ spmd/spmd_pfkey.c 2018-05-28 19:45:26.942125292 -0400
-@@ -326,7 +326,6 @@
- spmd_nonfqdn_sp_add(struct rcf_selector *sl)
- {
- struct rcf_policy *pl = NULL;
-- struct rcf_ipsec *ips = NULL;
- struct rc_addrlist *al = NULL;
- struct rc_addrlist *ipal = NULL;
- struct rc_addrlist *ipal_tmp = NULL;
-@@ -373,7 +372,6 @@
- if (!sl->pl->ips) {
- return -1;
- }
-- ips = sl->pl->ips;
-
- /* check rcf_ipsec{} sa_* set or NULL */
- if (set_satype(sl, rc)<0) {
diff --git a/security/racoon2/patches/patch-spmd_spmdctl.c b/security/racoon2/patches/patch-spmd_spmdctl.c
deleted file mode 100644
index 5708867c1c6..00000000000
--- a/security/racoon2/patches/patch-spmd_spmdctl.c
+++ /dev/null
@@ -1,366 +0,0 @@
-$NetBSD: patch-spmd_spmdctl.c,v 1.1 2018/05/29 01:22:50 christos Exp $
-
-- Fix inefficient snprintfs, and detect errors.
-- Fix wrong memset length
-
-*** spmd/spmdctl.c.orig Sun Mar 28 21:52:00 2010
---- spmd/spmdctl.c Mon May 28 14:17:08 2018
-***************
-*** 38,43 ****
---- 38,44 ----
- #include <netdb.h>
- #include <netinet/tcp.h>
- #include <signal.h>
-+ #include <stdarg.h>
- #include <errno.h>
- #include "spmd_includes.h"
- #include "spmd_internal.h"
-***************
-*** 154,159 ****
---- 155,176 ----
- return len;
- }
-
-+ static ssize_t __attribute__((__format__(__printf__, 2, 3)))
-+ sc_writestr(int fd, const char *fmt, ...)
-+ {
-+ char buf[2048];
-+ va_list ap;
-+ va_start(ap, fmt);
-+ int len = vsnprintf(buf, sizeof(buf), fmt, ap);
-+ va_end(ap);
-+ if (len == -1) {
-+ perror("sc_writestr");
-+ return -1;
-+ }
-+
-+ return sc_writemsg(fd, buf, (size_t)len);
-+ }
-+
- static int
- sc_getline(int fd, char *buf, int len)
- {
-***************
-*** 247,253 ****
- sc_parse_alloc_sp_entry(const char *str, struct sp_entry *pre)
- {
- char *ap, *cp;
-! size_t slid_len=0, len=0;
- struct sp_entry *sd=NULL;
-
- sd = malloc(sizeof(*sd));
---- 264,270 ----
- sc_parse_alloc_sp_entry(const char *str, struct sp_entry *pre)
- {
- char *ap, *cp;
-! size_t slid_len=0;
- struct sp_entry *sd=NULL;
-
- sd = malloc(sizeof(*sd));
-***************
-*** 261,267 ****
- sd->sa_dst = (struct sockaddr *)&sd->ss_sa_dst;
-
- if (str) {
-- len = strlen(str);
- ap = (char *)str;
- cp = strpbrk(ap, " ");
- if (!cp) {
---- 278,283 ----
-***************
-*** 575,581 ****
- sc_setup_pfkey(struct rcpfk_msg *rc)
- {
-
-! memset(rc, 0, sizeof(rc));
- memset(&pfkey_cbs, 0, sizeof(pfkey_cbs));
- pfkey_cbs.cb_spddump = &sc_spddump_cb;
-
---- 591,597 ----
- sc_setup_pfkey(struct rcpfk_msg *rc)
- {
-
-! memset(rc, 0, sizeof(*rc));
- memset(&pfkey_cbs, 0, sizeof(pfkey_cbs));
- pfkey_cbs.cb_spddump = &sc_spddump_cb;
-
-***************
-*** 657,665 ****
- sc_policy(int s, char *selector_index, uint64_t lifetime, sa_mode_t samode,
- const char *sp_src, const char *sp_dst, const char *sa_src, const char *sa_dst, int flag)
- {
-- char wbuf[BUFSIZ];
- char rbuf[BUFSIZ];
-- int w;
- char sl[512]; /* XXX */
- char lt[32];
- int ps;
---- 673,679 ----
-***************
-*** 669,697 ****
-
- if (flag == TYPE_POLICY_ADD) {
- if (samode == SA_MODE_TRANSPORT) {
- snprintf(sl, sizeof(sl), "%s", selector_index);
- snprintf(lt, sizeof(lt), "%" PRIu64, lifetime);
-! snprintf(wbuf, sizeof(wbuf), "POLICY ADD %s %s TRANSPORT %s %s\r\n",
-! sl, lt, sp_src, sp_dst);
-! w= sc_writemsg(s, wbuf, strlen(wbuf));
-! }
-! else if (samode == SA_MODE_TUNNEL) {
-! return -1;
-! snprintf(sl, sizeof(sl), "%s", selector_index);
-! snprintf(lt, sizeof(lt), "%" PRIu64, lifetime);
-! snprintf(wbuf, sizeof(wbuf), "POLICY ADD %s %s TUNNEL %s %s %s %s\r\n",
-! sl, lt, sp_src, sp_dst, sa_src, sa_dst);
-! w= sc_writemsg(s, wbuf, strlen(wbuf));
- } else {
- return -1;
- }
- } else if (flag == TYPE_POLICY_DEL) {
-! snprintf(sl, sizeof(sl), "%s", selector_index);
-! snprintf(wbuf, sizeof(wbuf), "POLICY DELETE %s\r\n", sl);
-! w= sc_writemsg(s, wbuf, strlen(wbuf));
- } else if (flag == TYPE_POLICY_DUMP) {
-! snprintf(wbuf, sizeof(wbuf), "POLICY DUMP\r\n");
-! w= sc_writemsg(s, wbuf, strlen(wbuf));
- goto dump;
- } else {
- return -1;
---- 683,710 ----
-
- if (flag == TYPE_POLICY_ADD) {
- if (samode == SA_MODE_TRANSPORT) {
-+ if (sc_writestr(s,
-+ "POLICY ADD %s %" PRIu64 " TRANSPORT %s %s\r\n",
-+ selector_index, lifetime, sp_src, sp_dst) < 0)
-+ return -1;
-+ } else if (samode == SA_MODE_TUNNEL) {
- snprintf(sl, sizeof(sl), "%s", selector_index);
- snprintf(lt, sizeof(lt), "%" PRIu64, lifetime);
-! if (sc_writestr(s,
-! "POLICY ADD %s %" PRIu64 " TUNNEL %s %s %s %s\r\n",
-! selector_index, lifetime, sp_src, sp_dst, sa_src,
-! sa_dst) < 0)
-! return -1;
-!
- } else {
- return -1;
- }
- } else if (flag == TYPE_POLICY_DEL) {
-! if (sc_writestr(s, "POLICY DELETE %s\r\n", selector_index) < 0)
-! return -1;
- } else if (flag == TYPE_POLICY_DUMP) {
-! if (sc_writestr(s, "POLICY DUMP\r\n") < 0)
-! return -1;
- goto dump;
- } else {
- return -1;
-***************
-*** 752,768 ****
- sc_migrate(int s, char *selector_index, const char *src0, const char *dst0,
- const char *src, const char *dst)
- {
-- char wbuf[BUFSIZ];
- char rbuf[BUFSIZ];
-- int w;
-- char sl[512]; /* XXX */
--
-- snprintf(sl, sizeof(sl), "%s", selector_index);
-- snprintf(wbuf, sizeof(wbuf),
-- "MIGRATE %s %s %s %s %s\r\n",
-- sl, src0, dst0, src, dst);
-- w = sc_writemsg(s, wbuf, strlen(wbuf));
-
- if (sc_getline(s, rbuf, sizeof(rbuf)) < 0) {
- fprintf(stderr, "can't get response from spmd\n");
- return -1;
---- 765,775 ----
- sc_migrate(int s, char *selector_index, const char *src0, const char *dst0,
- const char *src, const char *dst)
- {
- char rbuf[BUFSIZ];
-
-+ if (sc_writestr(s, "MIGRATE %s %s %s %s %s\r\n",
-+ selector_index, src0, dst0, src, dst) < 0)
-+ return -1;
- if (sc_getline(s, rbuf, sizeof(rbuf)) < 0) {
- fprintf(stderr, "can't get response from spmd\n");
- return -1;
-***************
-*** 777,786 ****
- static int
- sc_status(int s)
- {
-- int w;
- char rbuf[512];
-
-! w = sc_writemsg(s, "STAT\r\n", strlen("STAT\r\n"));
- while ( sc_getline(s, rbuf, sizeof(rbuf)) > 0) {
- if (rbuf[0] != '2')
- return -1;
---- 784,793 ----
- static int
- sc_status(int s)
- {
- char rbuf[512];
-
-! if (sc_writestr(s, "STAT\r\n") < 0)
-! return -1;
- while ( sc_getline(s, rbuf, sizeof(rbuf)) > 0) {
- if (rbuf[0] != '2')
- return -1;
-***************
-*** 795,803 ****
- static int
- sc_ns(int s, char *addr, int flag)
- {
-- int w;
- char rbuf[512];
-- char wbuf[512];
- char naddr[NI_MAXHOST];
- int match=0;
-
---- 802,808 ----
-***************
-*** 811,817 ****
-
-
- if (flag == TYPE_NS_ADD) {
-! w = sc_writemsg(s, "NS LIST\r\n", strlen("NS LIST\r\n"));
- while ( sc_getline(s, rbuf, sizeof(rbuf)) > 0) {
- if (rbuf[0] != '2')
- return -1;
---- 816,823 ----
-
-
- if (flag == TYPE_NS_ADD) {
-! if (sc_writestr(s, "NS LIST\r\n") < 0)
-! return -1;
- while ( sc_getline(s, rbuf, sizeof(rbuf)) > 0) {
- if (rbuf[0] != '2')
- return -1;
-***************
-*** 823,838 ****
- }
-
- if (match) {
-! snprintf(wbuf, sizeof(wbuf), "NS CHANGE %s\r\n", naddr);
-! w= sc_writemsg(s, wbuf, strlen(wbuf));
- } else {
-! snprintf(wbuf, sizeof(wbuf), "NS ADD %s\r\n", naddr);
-! w= sc_writemsg(s, wbuf, strlen(wbuf));
- }
- return 0;
- } else if (flag == TYPE_NS_DEL) {
- int lines=0;
-! w = sc_writemsg(s, "NS LIST\r\n", strlen("NS LIST\r\n"));
- while ( sc_getline(s, rbuf, sizeof(rbuf)) > 0) {
- if (rbuf[0] != '2')
- return -1;
---- 829,845 ----
- }
-
- if (match) {
-! if (sc_writestr(s, "NS CHANGE %s\r\n", naddr) < 0)
-! return -1;
- } else {
-! if (sc_writestr(s, "NS ADD %s\r\n", naddr) < 0)
-! return -1;
- }
- return 0;
- } else if (flag == TYPE_NS_DEL) {
- int lines=0;
-! if (sc_writestr(s, "NS LIST\r\n") < 0)
-! return -1;
- while ( sc_getline(s, rbuf, sizeof(rbuf)) > 0) {
- if (rbuf[0] != '2')
- return -1;
-***************
-*** 845,856 ****
- }
-
- if (match && lines >1) {
-! snprintf(wbuf, sizeof(wbuf), "NS DELETE %s\r\n", naddr);
-! w= sc_writemsg(s, wbuf, strlen(wbuf));
- }
- return 0;
- } else if (flag == TYPE_NS_LST) {
-! sc_writemsg(s, "NS LIST\r\n", strlen("NS LIST\r\n"));
- while ( sc_getline(s, rbuf, sizeof(rbuf)) > 0) {
- if (rbuf[0] != '2')
- return -1;
---- 852,864 ----
- }
-
- if (match && lines >1) {
-! if (sc_writestr(s, "NS DELETE %s\r\n", naddr) < 0)
-! return -1;
- }
- return 0;
- } else if (flag == TYPE_NS_LST) {
-! if (sc_writestr(s, "NS LIST\r\n") < 0)
-! return -1;
- while ( sc_getline(s, rbuf, sizeof(rbuf)) > 0) {
- if (rbuf[0] != '2')
- return -1;
-***************
-*** 977,983 ****
- {
- char rbuf[512];
- char wbuf[512];
-! int r,w;
- int s = -1;
- struct rc_addrlist *rcl_top = NULL, *rcl;
- struct sockaddr *sa;
---- 985,991 ----
- {
- char rbuf[512];
- char wbuf[512];
-! int r;
- int s = -1;
- struct rc_addrlist *rcl_top = NULL, *rcl;
- struct sockaddr *sa;
-***************
-*** 1111,1118 ****
- fprintf(stdout, "hash=%s\n", cid.hash);
- }
-
-! snprintf(wbuf, sizeof(wbuf), "LOGIN %s\r\n", cid.hash);
-! w = sc_writemsg(s, wbuf, strlen(wbuf));
- r = sc_getline(s, rbuf, sizeof(rbuf));
- if (r<0) {
- perror("LOGIN:read");
---- 1119,1126 ----
- fprintf(stdout, "hash=%s\n", cid.hash);
- }
-
-! if (sc_writestr(s, "LOGIN %s\r\n", cid.hash) < 0)
-! exit(EXIT_FAILURE);
- r = sc_getline(s, rbuf, sizeof(rbuf));
- if (r<0) {
- perror("LOGIN:read");
-***************
-*** 1134,1142 ****
- sc_quit(int s)
- {
- char rbuf[512];
-! int r,w;
-
-! w = sc_writemsg(s, "QUIT\r\n", strlen("QUIT\r\n"));
- r = sc_getline(s, rbuf, sizeof(rbuf));
- if (r<0) {
- perror("QUIT:read");
---- 1142,1153 ----
- sc_quit(int s)
- {
- char rbuf[512];
-! int r;
-
-! if (sc_writestr(s, "QUIT\r\n")) {
-! close(s);
-! return -1;
-! }
- r = sc_getline(s, rbuf, sizeof(rbuf));
- if (r<0) {
- perror("QUIT:read");