update patch to second version

- fix runtime with openssl 1.0
- fix build with openssl 1.1

1 files changed, 155 insertions, 63 deletions

diff --git a/debian/patches/05_port-openssl-1.1.0.patch b/debian/patches/05_port-openssl-1.1.0.patch
index 471511e78..c1e64b46d 100644
--- a/debian/patches/05_port-openssl-1.1.0.patch
+++ b/debian/patches/05_port-openssl-1.1.0.patch
@@ -111,9 +111,37 @@ index cb02c663ca0b..20bac6be57dc 100644
  	this->issuer = openssl_x509_name2id(X509_CRL_get_issuer(this->crl));
  	if (!this->issuer)
 diff --git a/src/libstrongswan/plugins/openssl/openssl_crypter.c b/src/libstrongswan/plugins/openssl/openssl_crypter.c
-index 26f4700b81e8..a690adbcd2c0 100644
+index 26f4700b81e8..b9085f9aaa4c 100644
 --- a/src/libstrongswan/plugins/openssl/openssl_crypter.c
 +++ b/src/libstrongswan/plugins/openssl/openssl_crypter.c
+@@ -43,7 +43,7 @@ struct private_openssl_crypter_t {
+ /**
+  * Look up an OpenSSL algorithm name and validate its key size
+  */
+-static char* lookup_algorithm(u_int16_t ikev2_algo, size_t *key_size)
++static char* lookup_algorithm(uint16_t ikev2_algo, size_t *key_size)
+ {
+ 	struct {
+ 		/* identifier specified in IKEv2 */
+@@ -57,12 +57,12 @@ static char* lookup_algorithm(u_int16_t ikev2_algo, size_t *key_size)
+ 		/* maximum key size */
+ 		size_t key_max;
+ 	} mappings[] = {
+-		{ENCR_DES, 			"des",			 8,		 8,		  8},
+-		{ENCR_3DES, 		"des3",			24,		24,		 24},
+-		{ENCR_RC5, 			"rc5", 			16,		 5,		255},
+-		{ENCR_IDEA, 		"idea",			16,		16,		 16},
+-		{ENCR_CAST, 		"cast",			16,		 5,		 16},
+-		{ENCR_BLOWFISH, 	"blowfish",		16,		 5,		 56},
++		{ENCR_DES, 			"des-cbc",		 8,		 8,		  8},
++		{ENCR_3DES, 		"des-ede3-cbc",	24,		24,		 24},
++		{ENCR_RC5, 			"rc5-cbc",		16,		 5,		255},
++		{ENCR_IDEA, 		"idea-cbc",		16,		16,		 16},
++		{ENCR_CAST, 		"cast5-cbc",	16,		 5,		 16},
++		{ENCR_BLOWFISH, 	"bf-cbc",		16,		 5,		 56},
+ 	};
+ 	int i;
+ 
 @@ -93,8 +93,10 @@ static char* lookup_algorithm(u_int16_t ikev2_algo, size_t *key_size)
  static bool crypt(private_openssl_crypter_t *this, chunk_t data, chunk_t iv,
  				  chunk_t *dst, int enc)
@@ -171,6 +199,40 @@ index 26f4700b81e8..a690adbcd2c0 100644
  }
  
  METHOD(crypter_t, get_key_size, size_t,
+@@ -193,13 +198,13 @@ openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo,
+ 					key_size = 16;
+ 					/* FALL */
+ 				case 16:        /* AES 128 */
+-					this->cipher = EVP_get_cipherbyname("aes128");
++					this->cipher = EVP_get_cipherbyname("aes-128-cbc");
+ 					break;
+ 				case 24:        /* AES-192 */
+-					this->cipher = EVP_get_cipherbyname("aes192");
++					this->cipher = EVP_get_cipherbyname("aes-192-cbc");
+ 					break;
+ 				case 32:        /* AES-256 */
+-					this->cipher = EVP_get_cipherbyname("aes256");
++					this->cipher = EVP_get_cipherbyname("aes-256-cbc");
+ 					break;
+ 				default:
+ 					free(this);
+@@ -213,13 +218,13 @@ openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo,
+ 					key_size = 16;
+ 					/* FALL */
+ 				case 16:        /* CAMELLIA 128 */
+-					this->cipher = EVP_get_cipherbyname("camellia128");
++					this->cipher = EVP_get_cipherbyname("camellia-128-cbc");
+ 					break;
+ 				case 24:        /* CAMELLIA 192 */
+-					this->cipher = EVP_get_cipherbyname("camellia192");
++					this->cipher = EVP_get_cipherbyname("camellia-192-cbc");
+ 					break;
+ 				case 32:        /* CAMELLIA 256 */
+-					this->cipher = EVP_get_cipherbyname("camellia256");
++					this->cipher = EVP_get_cipherbyname("camellia-256-cbc");
+ 					break;
+ 				default:
+ 					free(this);
 diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
 index 49ec4880480f..f08dfff7e8f1 100644
 --- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
@@ -441,8 +503,30 @@ index 147e4afb449e..6bbe4af9560c 100644
  }
  
  METHOD(aead_t, get_icv_size, size_t,
+diff --git a/src/libstrongswan/plugins/openssl/openssl_hasher.c b/src/libstrongswan/plugins/openssl/openssl_hasher.c
+index 50b14698be93..96ee230c9b25 100644
+--- a/src/libstrongswan/plugins/openssl/openssl_hasher.c
++++ b/src/libstrongswan/plugins/openssl/openssl_hasher.c
+@@ -43,7 +43,7 @@ struct private_openssl_hasher_t {
+ METHOD(hasher_t, get_hash_size, size_t,
+ 	private_openssl_hasher_t *this)
+ {
+-	return this->hasher->md_size;
++	return EVP_MD_size(this->hasher);
+ }
+ 
+ METHOD(hasher_t, reset, bool,
+@@ -53,7 +53,7 @@ METHOD(hasher_t, reset, bool,
+ }
+ 
+ METHOD(hasher_t, get_hash, bool,
+-	private_openssl_hasher_t *this, chunk_t chunk, u_int8_t *hash)
++	private_openssl_hasher_t *this, chunk_t chunk, uint8_t *hash)
+ {
+ 	if (EVP_DigestUpdate(this->ctx, chunk.ptr, chunk.len) != 1)
+ 	{
 diff --git a/src/libstrongswan/plugins/openssl/openssl_hmac.c b/src/libstrongswan/plugins/openssl/openssl_hmac.c
-index 065187a8c301..6498cb4d6f98 100644
+index 065187a8c301..16e7071166e5 100644
 --- a/src/libstrongswan/plugins/openssl/openssl_hmac.c
 +++ b/src/libstrongswan/plugins/openssl/openssl_hmac.c
 @@ -68,7 +68,14 @@ struct private_mac_t {
@@ -461,7 +545,7 @@ index 065187a8c301..6498cb4d6f98 100644
  
  	/**
  	 * Key set on HMAC_CTX?
-@@ -80,14 +87,14 @@ METHOD(mac_t, set_key, bool,
+@@ -80,28 +87,28 @@ METHOD(mac_t, set_key, bool,
  	private_mac_t *this, chunk_t key)
  {
  #if OPENSSL_VERSION_NUMBER >= 0x10000000L
@@ -478,7 +562,14 @@ index 065187a8c301..6498cb4d6f98 100644
  	this->key_set = TRUE;
  	return TRUE;
  #endif
-@@ -101,7 +108,7 @@ METHOD(mac_t, get_mac, bool,
+ }
+ 
+ METHOD(mac_t, get_mac, bool,
+-	private_mac_t *this, chunk_t data, u_int8_t *out)
++	private_mac_t *this, chunk_t data, uint8_t *out)
+ {
+ 	if (!this->key_set)
+ 	{
  		return FALSE;
  	}
  #if OPENSSL_VERSION_NUMBER >= 0x10000000L
@@ -682,12 +773,15 @@ index aeb9be409b77..3e3b986dffc0 100644
  	{
  		DBG1(DBG_CFG, "no RNG found to seed OpenSSL");
 diff --git a/src/libstrongswan/plugins/openssl/openssl_rng.c b/src/libstrongswan/plugins/openssl/openssl_rng.c
-index c807bb607262..884594620aeb 100644
+index c807bb607262..a25b6b4b6656 100644
 --- a/src/libstrongswan/plugins/openssl/openssl_rng.c
 +++ b/src/libstrongswan/plugins/openssl/openssl_rng.c
-@@ -49,13 +49,6 @@ struct private_openssl_rng_t {
+@@ -47,15 +47,8 @@ struct private_openssl_rng_t {
+ };
+ 
  METHOD(rng_t, get_bytes, bool,
- 	private_openssl_rng_t *this, size_t bytes, u_int8_t *buffer)
+-	private_openssl_rng_t *this, size_t bytes, u_int8_t *buffer)
++	private_openssl_rng_t *this, size_t bytes, uint8_t *buffer)
  {
 -	if (this->quality == RNG_WEAK)
 -	{
@@ -837,8 +931,30 @@ index db928569f31f..d66d5016e81c 100644
  	}
  	destroy(this);
  	return NULL;
+diff --git a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
+index 446c93e2b7c7..f6df03f12d99 100644
+--- a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
++++ b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
+@@ -40,7 +40,7 @@ struct private_openssl_sha1_prf_t {
+ };
+ 
+ METHOD(prf_t, get_bytes, bool,
+-	private_openssl_sha1_prf_t *this, chunk_t seed, u_int8_t *bytes)
++	private_openssl_sha1_prf_t *this, chunk_t seed, uint8_t *bytes)
+ {
+ #if OPENSSL_VERSION_NUMBER >= 0x10000000L
+ 	if (!SHA1_Update(&this->ctx, seed.ptr, seed.len))
+@@ -53,7 +53,7 @@ METHOD(prf_t, get_bytes, bool,
+ 
+ 	if (bytes)
+ 	{
+-		u_int32_t *hash = (u_int32_t*)bytes;
++		uint32_t *hash = (uint32_t*)bytes;
+ 
+ 		hash[0] = htonl(this->ctx.h0);
+ 		hash[1] = htonl(this->ctx.h1);
 diff --git a/src/libstrongswan/plugins/openssl/openssl_util.c b/src/libstrongswan/plugins/openssl/openssl_util.c
-index 2f981370174b..84749616a353 100644
+index 2f981370174b..6580e1c7df3a 100644
 --- a/src/libstrongswan/plugins/openssl/openssl_util.c
 +++ b/src/libstrongswan/plugins/openssl/openssl_util.c
 @@ -22,6 +22,12 @@
@@ -854,6 +970,15 @@ index 2f981370174b..84749616a353 100644
  /**
   * Described in header.
   */
+@@ -51,7 +57,7 @@ bool openssl_hash_chunk(int hash_type, chunk_t data, chunk_t *hash)
+ 		goto error;
+ 	}
+ 
+-	*hash = chunk_alloc(hasher->md_size);
++	*hash = chunk_alloc(EVP_MD_size(hasher));
+ 	if (!EVP_DigestFinal_ex(ctx, hash->ptr, NULL))
+ 	{
+ 		chunk_free(hash);
 @@ -70,7 +76,8 @@ error:
  /**
   * Described in header.
@@ -883,7 +1008,7 @@ index 2f981370174b..84749616a353 100644
  	return chunk_empty;
  }
 diff --git a/src/libstrongswan/plugins/openssl/openssl_util.h b/src/libstrongswan/plugins/openssl/openssl_util.h
-index 2db073139214..9621d5c138b3 100644
+index 2db073139214..f4186e8c4690 100644
 --- a/src/libstrongswan/plugins/openssl/openssl_util.h
 +++ b/src/libstrongswan/plugins/openssl/openssl_util.h
 @@ -60,7 +60,8 @@ bool openssl_hash_chunk(int hash_type, chunk_t data, chunk_t *hash);
@@ -905,7 +1030,7 @@ index 2db073139214..9621d5c138b3 100644
  
  /**
   * Allocate a chunk using the i2d function of a given object
-@@ -134,4 +135,36 @@ int openssl_asn1_known_oid(ASN1_OBJECT *obj);
+@@ -134,4 +135,42 @@ int openssl_asn1_known_oid(ASN1_OBJECT *obj);
   */
  time_t openssl_asn1_to_time(ASN1_TIME *time);
  
@@ -915,26 +1040,32 @@ index 2db073139214..9621d5c138b3 100644
 + */
 +#define OPENSSL_KEY_FALLBACK(...) VA_ARGS_DISPATCH(OPENSSL_KEY_FALLBACK, __VA_ARGS__)(__VA_ARGS__)
 +#define OPENSSL_KEY_FALLBACK3(type, k1, k2) \
++__attribute__((unused)) \
 +static inline void type##_get0(const type *o, const BIGNUM **k1, const BIGNUM **k2) { \
 +	if (k1) *k1 = o->k1; \
 +	if (k2) *k2 = o->k2; } \
++__attribute__((unused)) \
 +static inline int type##_set0(type *o, BIGNUM *k1, BIGNUM *k2) { \
 +	if (k1) { BN_clear_free(o->k1); o->k1 = k1; } \
 +	if (k2) { BN_clear_free(o->k2); o->k2 = k2; } \
 +	return 1; }
 +#define OPENSSL_KEY_FALLBACK4(type, name, k1, k2) \
++__attribute__((unused)) \
 +static inline void type##_get0_##name(const type *o, const BIGNUM **k1, const BIGNUM **k2) { \
 +	if (k1) *k1 = o->k1; \
 +	if (k2) *k2 = o->k2; } \
++__attribute__((unused)) \
 +static inline int type##_set0_##name(type *o, BIGNUM *k1, BIGNUM *k2) { \
 +	if (k1) { BN_clear_free(o->k1); o->k1 = k1; } \
 +	if (k2) { BN_clear_free(o->k2); o->k2 = k2; } \
 +	return 1; }
 +#define OPENSSL_KEY_FALLBACK5(type, name, k1, k2, k3) \
++__attribute__((unused)) \
 +static inline void type##_get0_##name(const type *o, const BIGNUM **k1, const BIGNUM **k2, const BIGNUM **k3) { \
 +	if (k1) *k1 = o->k1; \
 +	if (k2) *k2 = o->k2; \
 +	if (k3) *k3 = o->k3; } \
++__attribute__((unused)) \
 +static inline int type##_set0_##name(type *o, BIGNUM *k1, BIGNUM *k2, BIGNUM *k3) { \
 +	if (k1) { BN_clear_free(o->k1); o->k1 = k1; } \
 +	if (k2) { BN_clear_free(o->k2); o->k2 = k2; } \
@@ -943,10 +1074,10 @@ index 2db073139214..9621d5c138b3 100644
 +
  #endif /** OPENSSL_UTIL_H_ @}*/
 diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
-index 7a5b206dddfb..f82080730aa3 100644
+index 7a5b206dddfb..e95eb729bb72 100644
 --- a/src/libstrongswan/plugins/openssl/openssl_x509.c
 +++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
-@@ -60,6 +60,22 @@
+@@ -60,6 +60,25 @@
  #define OPENSSL_NO_RFC3779
  #endif
  
@@ -964,12 +1095,15 @@ index 7a5b206dddfb..f82080730aa3 100644
 +#define X509_get0_tbs_sigalg(x509) ({ (x509)->cert_info->signature; })
 +#define X509_ALGOR_get0(oid, ppt, ppv, alg) ({ *(oid) = (alg)->algorithm; })
 +#define X509_PUBKEY_get0_param(oid, pk, len, pa, pub) X509_ALGOR_get0(oid, NULL, NULL, (pub)->algor)
++#define X509v3_addr_get_afi v3_addr_get_afi
++#define X509v3_addr_get_range v3_addr_get_range
++#define X509v3_addr_is_canonical v3_addr_is_canonical
 +#endif
 +
  typedef struct private_openssl_x509_t private_openssl_x509_t;
  
  /**
-@@ -380,6 +396,7 @@ METHOD(certificate_t, issued_by, bool,
+@@ -380,6 +399,7 @@ METHOD(certificate_t, issued_by, bool,
  	public_key_t *key;
  	bool valid;
  	x509_t *x509 = (x509_t*)issuer;
@@ -977,7 +1111,7 @@ index 7a5b206dddfb..f82080730aa3 100644
  	chunk_t tbs;
  
  	if (&this->public.x509.interface == issuer)
-@@ -413,9 +430,14 @@ METHOD(certificate_t, issued_by, bool,
+@@ -413,9 +433,14 @@ METHOD(certificate_t, issued_by, bool,
  	{
  		return FALSE;
  	}
@@ -994,7 +1128,7 @@ index 7a5b206dddfb..f82080730aa3 100644
  	free(tbs.ptr);
  	key->destroy(key);
  	if (valid && scheme)
-@@ -850,7 +872,7 @@ static void parse_ipAddrBlock_ext_fam(private_openssl_x509_t *this,
+@@ -850,7 +875,7 @@ static void parse_ipAddrBlock_ext_fam(private_openssl_x509_t *this,
  		return;
  	}
  
@@ -1003,7 +1137,7 @@ index 7a5b206dddfb..f82080730aa3 100644
  	switch (afi)
  	{
  		case IANA_AFI_IPV4:
-@@ -871,7 +893,7 @@ static void parse_ipAddrBlock_ext_fam(private_openssl_x509_t *this,
+@@ -871,7 +896,7 @@ static void parse_ipAddrBlock_ext_fam(private_openssl_x509_t *this,
  	for (i = 0; i < sk_IPAddressOrRange_num(list); i++)
  	{
  		aor = sk_IPAddressOrRange_value(list, i);
@@ -1012,7 +1146,7 @@ index 7a5b206dddfb..f82080730aa3 100644
  		{
  			ts = traffic_selector_create_from_bytes(0, type, from, 0, to, 65535);
  			if (ts)
-@@ -897,7 +919,7 @@ static bool parse_ipAddrBlock_ext(private_openssl_x509_t *this,
+@@ -897,7 +922,7 @@ static bool parse_ipAddrBlock_ext(private_openssl_x509_t *this,
  		return FALSE;
  	}
  
@@ -1021,7 +1155,7 @@ index 7a5b206dddfb..f82080730aa3 100644
  	{
  		sk_IPAddressFamily_free(blocks);
  		return FALSE;
-@@ -964,7 +986,7 @@ static bool parse_extensions(private_openssl_x509_t *this)
+@@ -964,7 +989,7 @@ static bool parse_extensions(private_openssl_x509_t *this)
  	STACK_OF(X509_EXTENSION) *extensions;
  	int i, num;
  
@@ -1030,7 +1164,7 @@ index 7a5b206dddfb..f82080730aa3 100644
  	if (extensions)
  	{
  		num = sk_X509_EXTENSION_num(extensions);
-@@ -1041,6 +1063,8 @@ static bool parse_certificate(private_openssl_x509_t *this)
+@@ -1041,6 +1066,8 @@ static bool parse_certificate(private_openssl_x509_t *this)
  	const unsigned char *ptr = this->encoding.ptr;
  	hasher_t *hasher;
  	chunk_t chunk;
@@ -1039,7 +1173,7 @@ index 7a5b206dddfb..f82080730aa3 100644
  
  	this->x509 = d2i_X509(NULL, &ptr, this->encoding.len);
  	if (!this->x509)
-@@ -1057,7 +1081,12 @@ static bool parse_certificate(private_openssl_x509_t *this)
+@@ -1057,7 +1084,12 @@ static bool parse_certificate(private_openssl_x509_t *this)
  	this->subject = openssl_x509_name2id(X509_get_subject_name(this->x509));
  	this->issuer = openssl_x509_name2id(X509_get_issuer_name(this->x509));
  
@@ -1053,7 +1187,7 @@ index 7a5b206dddfb..f82080730aa3 100644
  	{
  		case OID_RSA_ENCRYPTION:
  			this->pubkey = lib->creds->create(lib->creds,
-@@ -1086,14 +1115,18 @@ static bool parse_certificate(private_openssl_x509_t *this)
+@@ -1086,14 +1118,18 @@ static bool parse_certificate(private_openssl_x509_t *this)
  	this->notBefore = openssl_asn1_to_time(X509_get_notBefore(this->x509));
  	this->notAfter = openssl_asn1_to_time(X509_get_notAfter(this->x509));
  
@@ -1077,45 +1211,3 @@ index 7a5b206dddfb..f82080730aa3 100644
  
  	if (!parse_extensions(this))
  	{
-diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
-index 99f4843ad6c6..f9bbd8ae4f77 100644
---- a/src/libstrongswan/utils/leak_detective.c
-+++ b/src/libstrongswan/utils/leak_detective.c
-@@ -562,6 +562,10 @@ char *whitelist[] = {
- 	"ECDSA_do_sign_ex",
- 	"ECDSA_verify",
- 	"RSA_new_method",
-+	/* OpenSSL 1.1.0 does not cleanup anymore until the library is unloaded */
-+	"OPENSSL_init_crypto",
-+	"CRYPTO_THREAD_lock_new",
-+	"ERR_add_error_data",
- 	/* OpenSSL libssl */
- 	"SSL_COMP_get_compression_methods",
- 	/* NSPR */
-@@ -837,6 +841,18 @@ HOOK(void, free, void *ptr)
- 
- 	if (!enabled || thread_disabled->get(thread_disabled))
- 	{
-+		/* after deinitialization we might have to free stuff we allocated
-+		 * while we were enabled */
-+		if (!first_header.magic && ptr)
-+		{
-+			hdr = ptr - sizeof(memory_header_t);
-+			tail = ptr + hdr->bytes;
-+			if (hdr->magic == MEMORY_HEADER_MAGIC &&
-+				tail->magic == MEMORY_TAIL_MAGIC)
-+			{
-+				ptr = hdr;
-+			}
-+		}
- 		real_free(ptr);
- 		return;
- 	}
-@@ -953,6 +969,7 @@ METHOD(leak_detective_t, destroy, void,
- 	lock->destroy(lock);
- 	thread_disabled->destroy(thread_disabled);
- 	free(this);
-+	first_header.magic = 0;
- 	first_header.next = NULL;
- }
-