Merge pull request #7213 from gladiac1337/feature-haproxy-v1.8.14-updates
authorThomas Heil <heil@terminal-consulting.de>
Sun, 28 Oct 2018 19:12:45 +0000 (20:12 +0100)
committerGitHub <noreply@github.com>
Sun, 28 Oct 2018 19:12:45 +0000 (20:12 +0100)
haproxy: Update all patches for HAProxy v1.8.14

133 files changed:
.circleci/Dockerfile [new file with mode: 0644]
.circleci/README [new file with mode: 0644]
.circleci/config.yml [new file with mode: 0644]
admin/sudo/Makefile
admin/syslog-ng/Makefile
admin/zabbix/Makefile
admin/zabbix/files/network
admin/zabbix/files/wifi
admin/zabbix/files/zabbix-network-ubus-acl.json [new file with mode: 0644]
admin/zabbix/files/zabbix-wifi-ubus-acl.json [new file with mode: 0644]
devel/patch/Makefile
devel/patch/patches/010-CVE-2018-1000156.patch [deleted file]
devel/patch/patches/010-CVE-2018-6951.patch [new file with mode: 0644]
devel/patch/patches/020-CVE-2018-1000156.patch [new file with mode: 0644]
devel/patch/patches/020-CVE-2018-6952.patch [deleted file]
devel/patch/patches/030-CVE-2018-6952.patch [new file with mode: 0644]
lang/node-mozilla-iot-gateway/Config.in [new file with mode: 0644]
lang/node-mozilla-iot-gateway/Makefile
lang/node-mozilla-iot-gateway/files/mozilla-iot-gateway.init
lang/perl/patches/010-musl-compat.patch
lang/python/django-constance/Makefile
lang/python/django-restframework/Makefile
lang/python/openpyxl/Makefile
lang/python/pyodbc/Makefile
lang/python/pyodbc/patches/100-connection-assume-SQL_C_WCHAR-is-native-endian.patch [deleted file]
lang/python/python-crypto/patches/100-CVE-2013-74459.patch [deleted file]
lang/python/python-crypto/patches/100-CVE-2013-7459.patch [new file with mode: 0644]
lang/python/python-crypto/patches/101-CVE-2018-6594.patch
lang/python/python-egenix-mx-base/Makefile
lang/python/python-mysql/Makefile
lang/python/python-psycopg2/Makefile
lang/python/python-requests/Makefile
lang/python/python-urllib3/Makefile
lang/python/rcssmin/Makefile
lang/ruby/Makefile
lang/tcl/Makefile
lang/tcl/patches/100-disable_tzdata_and_msgs_install.patch [deleted file]
lang/tcl/patches/200-fix_mips_build.patch [deleted file]
lang/vala/Makefile
libs/alsa-lib/Makefile
libs/c-ares/Makefile
libs/cyrus-sasl/Makefile
libs/hiredis/Makefile
libs/hiredis/patches/001-lvalue_fix.patch [deleted file]
libs/icu/Makefile
libs/icu/patches/000-dont-cpy-files-from-topdirs.patch
libs/libartnet/Makefile
libs/libartnet/patches/002-gcc7.patch [new file with mode: 0644]
libs/libevdev/Makefile
libs/libglog/Makefile
libs/libp11/Makefile
libs/libp11/patches/001-fix-install.patch
libs/libsearpc/Makefile
libs/libsoup/Makefile
libs/libssh/Makefile
libs/opus/Makefile
libs/pcre2/Makefile
libs/sbc/Makefile
libs/unixodbc/Makefile
net/aria2/files/aria2.init
net/clamav/Makefile
net/gnunet/Makefile
net/gnunet/files/gnunet-gns-flat.defaults
net/jool/Makefile
net/jool/patches/010-Add-support-for-kernel-4.17.patch [new file with mode: 0644]
net/jool/patches/020-packet-rename-offset_to_ptr-to-skb_offset_to_ptr-to-.patch [new file with mode: 0644]
net/mdnsresponder/Makefile
net/mdnsresponder/patches/001-cross_compile.patch
net/mdnsresponder/patches/100-linux_fixes.patch
net/mdnsresponder/patches/114-fix_posix_build.patch [deleted file]
net/mdnsresponder/patches/120-reproducible-builds.patch
net/mosquitto/Makefile
net/mwan3/Makefile
net/mwan3/files/etc/hotplug.d/iface/13-mwan3 [new file with mode: 0644]
net/mwan3/files/etc/hotplug.d/iface/15-mwan3
net/mwan3/files/lib/mwan3/mwan3.sh
net/mwan3/files/usr/libexec/rpcd/mwan3
net/mwan3/files/usr/sbin/mwan3
net/net-snmp/Makefile
net/net-snmp/patches/000-cross-compile.patch
net/net-snmp/patches/100-debian-statistics.patch
net/net-snmp/patches/110-debian-makefiles.patch
net/net-snmp/patches/160-no_ldconfig.patch
net/net-snmp/patches/170-ldflags.patch
net/openssh/Makefile
net/openssh/patches/0001-fix-compilation-with-openssl-built-without-ECC.patch [new file with mode: 0644]
net/openssh/patches/0001-upstream-hold-our-collective-noses-and-use-the-opens.patch [deleted file]
net/openssh/patches/0002-Fix-OPENSSL_init_crypto-call-for-openssl-1.1.patch [new file with mode: 0644]
net/openssh/patches/0002-adapt-portable-to-OpenSSL-1.1x-API.patch [deleted file]
net/openssh/patches/0003-upstream-use-only-openssl-1.1.x-API-here-too.patch [deleted file]
net/openssh/patches/0004-upstream-missed-a-bit-of-openssl-1.0.x-API-in-this-u.patch [deleted file]
net/openssh/patches/0005-add-compat-header.patch [deleted file]
net/safe-search/Makefile [new file with mode: 0644]
net/safe-search/Readme.md [new file with mode: 0644]
net/safe-search/files/hosts/bing.default [new file with mode: 0644]
net/safe-search/files/hosts/google.default [new file with mode: 0644]
net/safe-search/files/hosts/youtube.restrict [new file with mode: 0644]
net/safe-search/files/hosts/youtube.restrictmoderate [new file with mode: 0644]
net/safe-search/files/safe-search-update [new file with mode: 0644]
net/safe-search/files/safe-search.conf [new file with mode: 0644]
net/safe-search/files/safe-search.defaults [new file with mode: 0644]
net/seafile-ccnet/Makefile
net/spoofer/Makefile
net/strongswan/Makefile
net/strongswan/patches/011-gmp-cve-2018-17540.patch [deleted file]
net/strongswan/patches/305-minimal_dh_plugin.patch
net/unbound/Makefile
net/unbound/files/odhcpd.awk
net/unbound/files/odhcpd.sh
net/unbound/files/unbound.sh
utils/ccid/Makefile
utils/cmdpad/Makefile
utils/collectd/Makefile
utils/collectd/patches/050-backport-modbus-little-endian.patch
utils/collectd/patches/100-rrdtool-add-rrasingle-option.patch
utils/collectd/patches/900-add-iwinfo-plugin.patch
utils/collectd/patches/920-fix-ping-droprate.patch
utils/hdparm/Makefile
utils/oath-toolkit/Makefile
utils/oath-toolkit/patches/oath-toolkit-2.6.2-build-fix.patch [new file with mode: 0644]
utils/openobex/Makefile
utils/openobex/patches/001-cxx.patch
utils/picocom/Makefile
utils/picocom/patches/020-fix-compile-x86.patch [new file with mode: 0644]
utils/prometheus/Makefile [new file with mode: 0644]
utils/prometheus/files/etc/init.d/prometheus [new file with mode: 0755]
utils/prometheus/files/etc/prometheus.yml [new file with mode: 0644]
utils/prometheus/files/etc/uci-defaults/prometheus-defaults [new file with mode: 0755]
utils/prometheus/files/prometheus.yml [new file with mode: 0644]
utils/rtty/Makefile
utils/unrar/Makefile
utils/yara/Makefile
utils/zoneinfo/Makefile

diff --git a/.circleci/Dockerfile b/.circleci/Dockerfile
new file mode 100644 (file)
index 0000000..8862642
--- /dev/null
@@ -0,0 +1,25 @@
+FROM debian:9
+
+RUN apt update && apt install -y \
+build-essential \
+jq \
+gawk \
+gettext \
+git \
+libncurses5-dev \
+libssl-dev \
+subversion \
+zlib1g-dev \
+&& rm -rf /var/lib/apt/lists/*
+
+# LEDE Build System (LEDE GnuPG key for unattended build jobs)
+RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/626471F1.asc' | gpg --import \
+ && echo '54CC74307A2C6DC9CE618269CD84BCED626471F1:6:' | gpg --import-ownertrust
+
+# LEDE Release Builder (17.01 "Reboot" Signing Key)
+RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/D52BBB6B.asc' | gpg --import \
+ && echo 'B09BE781AE8A0CD4702FDCD3833C6010D52BBB6B:6:' | gpg --import-ownertrust
+
+# OpenWrt Release Builder (18.06 Signing Key)
+RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/17E1CE16.asc' | gpg --import \
+ && echo '6768C55E79B032D77A28DA5F0F20257417E1CE16:6:' | gpg --import-ownertrust
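Review bot: The three `curl … | gpg --import` steps accept whatever key the URL returns. The `--import-ownertrust` line that follows assigns trust to the expected fingerprint but does not fail if a different key was imported, and a later `gpg --verify` reports a good signature for any key in the keyring. Adding a check after each import, for example `gpg --list-keys 54CC74307A2C6DC9CE618269CD84BCED626471F1 >/dev/null` with the matching fingerprint, makes the image build stop on a swapped key. Separately, `curl` and `gnupg` are not in the `apt install` list above, so these steps depend on them arriving as dependencies or recommendations; listing them explicitly would make that reliable.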
diff --git a/.circleci/README b/.circleci/README
new file mode 100644 (file)
index 0000000..3bd1011
--- /dev/null
@@ -0,0 +1,6 @@
+# Build/update the docker image
+
+docker pull debian:9
+docker build --rm .
+docker tag <IMAGE ID> docker.io/champtar/openwrtpackagesci:latest
+docker push docker.io/champtar/openwrtpackagesci:latest
diff --git a/.circleci/config.yml b/.circleci/config.yml
new file mode 100644 (file)
index 0000000..853a8c7
--- /dev/null
@@ -0,0 +1,61 @@
+version: 2.0
+jobs:
+  build:
+    docker:
+      - image: champtar/openwrtpackagesci@sha256:ba41678f7bd9dea5f1caef9594167588c306caf08bc2f90e779a91e57a9fc7bd
+    environment:
+      - SDK_BASE_URL: "https://downloads.lede-project.org/snapshots/targets/ar71xx/generic"
+      - SDK_FILE: "openwrt-sdk-ar71xx-generic_gcc-7.3.0_musl.Linux-x86_64.tar.xz"
+    branches:
+      only: /pull.*/
+    steps:
+      - run:
+          name: Download the SDK
+          working_directory: ~/sdk
+          command: |
+             curl "$SDK_BASE_URL/sha256sums" -sS -o sha256sums
+             curl "$SDK_BASE_URL/sha256sums.asc" -sS -o sha256sums.asc
+             gpg --with-fingerprint --verify sha256sums.asc sha256sums
+             curl "$SDK_BASE_URL/$SDK_FILE" -sS -o "$SDK_FILE"
+             sha256sum -c --ignore-missing sha256sums
+
+      - checkout:
+          path: ~/openwrt_packages
+
+      - run:
+          name: Prepare build_dir
+          working_directory: ~/build_dir
+          command: |
+             tar Jxf ~/sdk/$SDK_FILE --strip=1
+             cat > feeds.conf <<EOF
+             src-git base https://github.com/lede-project/source.git
+             src-link packages $HOME/openwrt_packages
+             src-git luci https://github.com/openwrt/luci.git
+             EOF
+             cat feeds.conf
+             # enable BUILD_LOG
+             sed -i '1s/^/config BUILD_LOG\n\tbool\n\tdefault y\n\n/' Config-build.in
+             ./scripts/feeds update -a > /dev/null
+             ./scripts/feeds install -a > /dev/null
+             make defconfig > /dev/null
+
+      - run:
+          name: Download & check & compile
+          working_directory: ~/build_dir
+          command: |
+             PKGS=$(cd ~/openwrt_packages; git diff --diff-filter=d --name-only "origin/master" | grep 'Makefile$' | grep -v '/files/' | awk -F/ '{ print $(NF-1) }')
+             echo "Packages: $PKGS"
+             for PKG in $PKGS ; do
+                 make "package/$PKG/download" V=s
+                 make "package/$PKG/check" V=s
+             done
+             for PKG in $PKGS ; do
+                 make "package/$PKG/compile" -j3 V=s
+             done
+
+      - store_artifacts:
+          path: ~/build_dir/logs
+
+      - store_artifacts:
+          path: ~/build_dir/bin
+
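Review bot: The package list in the "Download & check & compile" step is built only from changed paths ending in `Makefile`, so a pull request that touches only `patches/` or `files/` (a security patch refresh, for instance) compiles nothing. If the job runs under a `pipefail` shell, the empty `grep` result would presumably fail the step instead. Deriving the package directory from every changed path, not just the Makefile, would cover those changes. The comparison `git diff … "origin/master"` is also against the tip of master rather than the merge base, so a branch that is behind master picks up unrelated packages; `git diff --diff-filter=d --name-only origin/master...HEAD` limits it to the pull request's own changes.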
index 466d699a684582ea84faa1529e52998d6b74a8a2..55652f81e79b7f09c800676942f3cda9a687c18d 100644 (file)
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=sudo
-PKG_VERSION:=1.8.24
+PKG_VERSION:=1.8.25p1
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://www.sudo.ws/dist
-PKG_HASH:=b488557a198ecef30b7ad4011b59a66232dec2364ad956e11d8e17906c225be8
+PKG_HASH:=9dc99c7a7d37a0ab938410995c133e15d6afb970c2c66f9264fe36d20c89195b
 
 PKG_LICENSE:=ISC
 PKG_LICENSE_FILES:=doc/LICENSE
index 948983416ad678dcd0b161841730fab8381a987b..c1990ba3ac09c671fbced929dacbe0cdb4f0df00 100644 (file)
@@ -2,7 +2,7 @@ include  $(TOPDIR)/rules.mk
 
 PKG_NAME:=syslog-ng
 PKG_VERSION:=3.17.2
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_MAINTAINER:=W. Michael Petullo <mike@flyn.org>
 
@@ -74,4 +74,19 @@ define Package/syslog-ng/install
        $(call libtool_remove_files,$(1))
 endef
 
+define Package/syslog-ng/prerm
+       #!/bin/sh
+       # check if we are on real system
+       if [ -z "$${IPKG_INSTROOT}" ]; then
+               # wish we had pidof unconditionally
+               pid=$(ps | grep syslog | grep -v grep | awk '{ print $$1; }')
+               [ -n "$$pid" ] && /etc/init.d/syslog-ng stop
+               [ "$${PKG_UPGRADE}" != "1" ] && {
+                       echo "Removing rc.d symlink for syslog-ng"
+                       /etc/init.d/syslog-ng disable
+               }
+       fi
+       exit 0
+endef
+
 $(eval $(call BuildPackage,syslog-ng))
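Review bot: In the added prerm script, `pid=$(ps | grep syslog | …)` uses a single `$`, so make treats `$(ps …)` as a reference to an undefined variable when the define is expanded and the generated script gets an empty `pid=`; the `stop` on the following line would then never run. The other shell expansions in the block are escaped with `$$`, and this one needs the same: `pid=$$(ps | grep syslog | grep -v grep | awk '{ print $$1; }')`. The `grep syslog` match is also loose enough to hit any process whose command line contains "syslog"; calling `/etc/init.d/syslog-ng stop` unconditionally would avoid the lookup altogether.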
index 5469af0376756db010fd4b57d2cabd55d5aa7da7..7345003e552dfbcfa3ea73369d9999cc7e666a77 100644 (file)
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=zabbix
 PKG_VERSION:=3.4.14
-PKG_RELEASE:=2
+PKG_RELEASE:=5
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_HASH:=7443873cc970672d3c884230d3aeb082f2d8afcc2b757506c2d684ffdd12d77e
@@ -25,7 +25,9 @@ PKG_FIXUP:=autoreconf
 
 PKG_CONFIG_DEPENDS:= \
   CONFIG_ZABBIX_GNUTLS \
-  CONFIG_ZABBIX_OPENSSL
+  CONFIG_ZABBIX_OPENSSL \
+  CONFIG_ZABBIX_MYSQL \
+  CONFIG_ZABBIX_POSTGRESQL
 
 include $(INCLUDE_DIR)/package.mk
 include $(INCLUDE_DIR)/nls.mk
@@ -49,6 +51,22 @@ choice
 endchoice
 endef
 
+define Package/zabbix-server/config
+comment "Database Software"
+
+choice
+        prompt "Selected Database Software"
+        default ZABBIX_POSTGRESQL
+
+        config ZABBIX_MYSQL
+                bool "MySQL/MariaDB"
+
+        config ZABBIX_POSTGRESQL
+                bool "PostgreSQL"
+
+endchoice
+endef
+
 define Package/zabbix/Default
   SECTION:=admin
   CATEGORY:=Administration
@@ -74,13 +92,13 @@ endef
 define Package/zabbix-extra-network
   $(call Package/zabbix/Default)
   TITLE+= discovery/userparameters for network
-  DEPENDS = +zabbix-agentd +libuci-lua +lua
+  DEPENDS = +zabbix-agentd +libubus-lua +lua
 endef
 
 define Package/zabbix-extra-wifi
   $(call Package/zabbix/Default)
   TITLE+= discovery/userparameters for wifi
-  DEPENDS = +zabbix-agentd +libiwinfo-lua +libuci-lua +lua
+  DEPENDS = +zabbix-agentd +libiwinfo-lua +libubus-lua +lua
 endef
 
 define Package/zabbix-sender
@@ -96,13 +114,13 @@ endef
 define Package/zabbix-server
   $(call Package/zabbix/Default)
   TITLE+= server
-  DEPENDS += +pgsql-cli +libevent2
+  DEPENDS += +ZABBIX_POSTGRESQL:libpq +ZABBIX_MYSQL:libmariadbclient +libevent2
 endef
 
 define Package/zabbix-proxy
   $(call Package/zabbix/Default)
   TITLE+= proxy
-  DEPENDS += +pgsql-cli
+  DEPENDS += +ZABBIX_POSTGRESQL:libpq +ZABBIX_MYSQL:libmariadbclient
 endef
 
 define Package/zabbix-extra-mac80211/description
@@ -129,7 +147,8 @@ CONFIGURE_ARGS+= \
        --enable-proxy \
        $(call autoconf_bool,CONFIG_IPV6,ipv6) \
        --disable-java \
-       --with-postgresql \
+       $(if $(CONFIG_ZABBIX_MYSQL),--with-mysql) \
+       $(if $(CONFIG_ZABBIX_POSTGRESQL),--with-postgresql) \
        --with-libevent=$(STAGING_DIR)/usr/include/libevent \
        --with-libpcre=$(STAGING_DIR)/usr/include \
        $(if $(CONFIG_ZABBIX_GNUTLS),--with-gnutls="$(STAGING_DIR)/usr") \
@@ -229,10 +248,28 @@ endef
 
 define Package/zabbix-extra-network/install
        $(call Package/zabbix/install/zabbix.conf.d,$(1),network)
+       $(INSTALL_DIR) $(1)/usr/share/acl.d
+       $(INSTALL_DATA) ./files/zabbix-network-ubus-acl.json $(1)/usr/share/acl.d/zabbix-network.json
+endef
+
+define Package/zabbix-extra-network/postinst
+#!/bin/sh
+if [ -z "$${IPKG_INSTROOT}" ]; then
+       killall -HUP ubusd
+fi
 endef
 
 define Package/zabbix-extra-wifi/install
        $(call Package/zabbix/install/zabbix.conf.d,$(1),wifi)
+       $(INSTALL_DIR) $(1)/usr/share/acl.d
+       $(INSTALL_DATA) ./files/zabbix-wifi-ubus-acl.json $(1)/usr/share/acl.d/zabbix-wifi.json
+endef
+
+define Package/zabbix-extra-wifi/postinst
+#!/bin/sh
+if [ -z "$${IPKG_INSTROOT}" ]; then
+       killall -HUP ubusd
+fi
 endef
 
 define Package/zabbix-sender/install
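Review bot: The new postinst scripts send HUP to ubusd so the installed ACL files take effect, but nothing visible in this hunk does the same when the package is removed. The `zabbix` user's grant therefore presumably stays loaded in the running ubusd until the next reload or reboot. A `Package/zabbix-extra-network/postrm` and `Package/zabbix-extra-wifi/postrm` that repeat the guarded `killall -HUP ubusd` would withdraw the access together with the file. A short comment above each postinst, such as `# reload ubusd so the new ACL in /usr/share/acl.d is picked up`, would also explain why the signal is sent.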
index b68e2a50549ee0dab5fcada47732ddb528aa44e9..cc01059214a58362dbe2a292a2cb4f13aa438197 100644 (file)
@@ -3,7 +3,4 @@
 # network interface discovery
 # example: {"data":[{"{#IF}":"lo", "{#NET}":"loopback"},{"{#IF}":"br-lan", "{#NET}":"lan"},{"{#IF}":"eth0.1", "{#NET}":"wan"}]}
 #
-UserParameter=netowrt.discovery,lua -l uci -e 'x = uci.cursor(nil, "/var/state");list = "{\"data\":[";x:foreach("network", "interface", function(s) list=list.."{\"{#IF}\":\""..s.ifname.."\", \"{#NET}\":\""..s[".name"].."\"}," end); list=string.gsub(list,",$",""); print(list.."]}")'
-
-
-
+UserParameter=netowrt.discovery,lua -l ubus -e 'u=ubus.connect();list="{\"data\":[";dump=u:call("network.interface", "dump", {});for _, intf in ipairs(dump.interface) do list=list.."{\"{#IF}\":\""..intf.device.."\", \"{#NET}\":\""..intf.interface.."\"},";end;list=string.gsub(list,",$","");print(list.."]}")'
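Review bot: The new one-liner indexes `dump.interface` and concatenates `intf.device` without a nil check. If `ubus.connect()` or the `dump` call is refused (for example before ubusd has loaded the ACL) or an interface has no device, Lua raises an error and the agent returns that text instead of JSON. Guarding the values, e.g. `for _, intf in ipairs(dump and dump.interface or {}) do` and `(intf.device or "")`, keeps the discovery output well-formed. Interface names are also inserted into the JSON string unescaped, which is worth a comment if names are assumed to be plain identifiers.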
index f03d9b41ebe06be2e9f14fa22a20b1fdb18673e0..e63b18e98caff75181012eabd6b80b7125edc84b 100644 (file)
@@ -2,7 +2,6 @@
 
 # wifi interface discovery
 # example: {"data":[{"{#IF}":"wlan0", "{#MODE}":"ap", "{#SSID}":"Openwrt", "{#NET}":"lan", "{#DEV}":"radio0", "{#ENC}":"psk2+ccmp", "{#TYPE}":"mac80211", "{#HWMODE}":"11ng", "{#CHANNEL}":"11", "{#BSSID}":"xx:xx:xx:xx:xx:xx"}]}
-# ubus call only work as root so you need to run zabbix as root to use wifi.ifdiscovery
 UserParameter=wifi.ifdiscovery, lua -l ubus -l iwinfo -e 'u=ubus.connect();list="{\"data\":[";stat=u:call("network.wireless", "status", {});for dev, dev_table in pairs(stat) do for i, iface in pairs(dev_table["interfaces"]) do c=iface["config"];i=iface["ifname"];t=iwinfo.type(i);iw=iwinfo[t];e = iw.encryption(i);e = e and e.description or "None";n = table.concat(c["network"]," ");list=list.."{\"{#IF}\":\""..i.."\", \"{#MODE}\":\""..iw.mode(i).."\", \"{#SSID}\":\""..c["ssid"].."\", \"{#NET}\":\""..n.."\", \"{#DEV}\":\""..dev.."\", \"{#ENC}\":\""..e.."\", \"{#TYPE}\":\""..t.."\", \"{#HWMODE}\":\"".."?".."\", \"{#CHANNEL}\":\""..iw.channel(i).."\", \"{#BSSID}\":\""..iw.bssid(i).."\"},";end;end;list=string.gsub(list,",$","");print(list.."]}")'
 
 
diff --git a/admin/zabbix/files/zabbix-network-ubus-acl.json b/admin/zabbix/files/zabbix-network-ubus-acl.json
new file mode 100644 (file)
index 0000000..f19f51b
--- /dev/null
@@ -0,0 +1,8 @@
+{
+       "user": "zabbix",
+       "access": {
+               "network.interface": {
+                       "methods": [ "dump" ]
+               }
+       }
+}
diff --git a/admin/zabbix/files/zabbix-wifi-ubus-acl.json b/admin/zabbix/files/zabbix-wifi-ubus-acl.json
new file mode 100644 (file)
index 0000000..9d9b093
--- /dev/null
@@ -0,0 +1,8 @@
+{
+       "user": "zabbix",
+       "access": {
+               "network.wireless": {
+                       "methods": [ "status" ]
+               }
+       }
+}
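Review bot: Granting the `zabbix` user `network.wireless` `status` is narrower than running the agent as root, but ubus ACLs are per method and the reply carries each interface's whole `config` table. The `wifi.ifdiscovery` UserParameter reads `ssid` and `network` from that table, which on typical setups presumably also holds the wireless key. Anything able to run as `zabbix` could then read that secret over ubus. That trade-off should be stated in the package description, or the discovery fields obtained through a call that does not return the key.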
index 6a6624abfb041bdfab862820be1e9b225ec2e64c..43049def1b519195773cb980aa0a2d477b516063 100644 (file)
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=patch
 PKG_VERSION:=2.7.6
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=@GNU/patch
diff --git a/devel/patch/patches/010-CVE-2018-1000156.patch b/devel/patch/patches/010-CVE-2018-1000156.patch
deleted file mode 100644 (file)
index c83e240..0000000
+++ /dev/null
@@ -1,209 +0,0 @@
-From ee2904728eb4364a36d62d66f723d0b68749e5df Mon Sep 17 00:00:00 2001
-From: Andreas Gruenbacher <agruen@gnu.org>
-Date: Fri, 6 Apr 2018 12:14:49 +0200
-Subject: [PATCH] Fix arbitrary command execution in ed-style patches
- (CVE-2018-1000156)
-
-* src/pch.c (do_ed_script): Write ed script to a temporary file instead
-of piping it to ed: this will cause ed to abort on invalid commands
-instead of rejecting them and carrying on.
-* tests/ed-style: New test case.
-* tests/Makefile.am (TESTS): Add test case.
----
- src/pch.c         | 89 +++++++++++++++++++++++++++++++++++------------
- tests/Makefile.am |  1 +
- tests/ed-style    | 41 ++++++++++++++++++++++
- 3 files changed, 108 insertions(+), 23 deletions(-)
- create mode 100644 tests/ed-style
-
-diff --git a/src/pch.c b/src/pch.c
-index ff9ed2c..8150493 100644
---- a/src/pch.c
-+++ b/src/pch.c
-@@ -33,6 +33,7 @@
- # include <io.h>
- #endif
- #include <safe.h>
-+#include <sys/wait.h>
- #define INITHUNKMAX 125                       /* initial dynamic allocation size */
-@@ -2388,22 +2389,28 @@ do_ed_script (char const *inname, char const *outname,
-     static char const editor_program[] = EDITOR_PROGRAM;
-     file_offset beginning_of_this_line;
--    FILE *pipefp = 0;
-     size_t chars_read;
-+    FILE *tmpfp = 0;
-+    char const *tmpname;
-+    int tmpfd;
-+    pid_t pid;
-+
-+    if (! dry_run && ! skip_rest_of_patch)
-+      {
-+      /* Write ed script to a temporary file.  This causes ed to abort on
-+         invalid commands such as when line numbers or ranges exceed the
-+         number of available lines.  When ed reads from a pipe, it rejects
-+         invalid commands and treats the next line as a new command, which
-+         can lead to arbitrary command execution.  */
-+
-+      tmpfd = make_tempfile (&tmpname, 'e', NULL, O_RDWR | O_BINARY, 0);
-+      if (tmpfd == -1)
-+        pfatal ("Can't create temporary file %s", quotearg (tmpname));
-+      tmpfp = fdopen (tmpfd, "w+b");
-+      if (! tmpfp)
-+        pfatal ("Can't open stream for file %s", quotearg (tmpname));
-+      }
--    if (! dry_run && ! skip_rest_of_patch) {
--      int exclusive = *outname_needs_removal ? 0 : O_EXCL;
--      assert (! inerrno);
--      *outname_needs_removal = true;
--      copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
--      sprintf (buf, "%s %s%s", editor_program,
--               verbosity == VERBOSE ? "" : "- ",
--               outname);
--      fflush (stdout);
--      pipefp = popen(buf, binary_transput ? "wb" : "w");
--      if (!pipefp)
--        pfatal ("Can't open pipe to %s", quotearg (buf));
--    }
-     for (;;) {
-       char ed_command_letter;
-       beginning_of_this_line = file_tell (pfp);
-@@ -2414,14 +2421,14 @@ do_ed_script (char const *inname, char const *outname,
-       }
-       ed_command_letter = get_ed_command_letter (buf);
-       if (ed_command_letter) {
--          if (pipefp)
--              if (! fwrite (buf, sizeof *buf, chars_read, pipefp))
-+          if (tmpfp)
-+              if (! fwrite (buf, sizeof *buf, chars_read, tmpfp))
-                   write_fatal ();
-           if (ed_command_letter != 'd' && ed_command_letter != 's') {
-               p_pass_comments_through = true;
-               while ((chars_read = get_line ()) != 0) {
--                  if (pipefp)
--                      if (! fwrite (buf, sizeof *buf, chars_read, pipefp))
-+                  if (tmpfp)
-+                      if (! fwrite (buf, sizeof *buf, chars_read, tmpfp))
-                           write_fatal ();
-                   if (chars_read == 2  &&  strEQ (buf, ".\n"))
-                       break;
-@@ -2434,13 +2441,49 @@ do_ed_script (char const *inname, char const *outname,
-           break;
-       }
-     }
--    if (!pipefp)
-+    if (!tmpfp)
-       return;
--    if (fwrite ("w\nq\n", sizeof (char), (size_t) 4, pipefp) == 0
--      || fflush (pipefp) != 0)
-+    if (fwrite ("w\nq\n", sizeof (char), (size_t) 4, tmpfp) == 0
-+      || fflush (tmpfp) != 0)
-       write_fatal ();
--    if (pclose (pipefp) != 0)
--      fatal ("%s FAILED", editor_program);
-+
-+    if (lseek (tmpfd, 0, SEEK_SET) == -1)
-+      pfatal ("Can't rewind to the beginning of file %s", quotearg (tmpname));
-+
-+    if (! dry_run && ! skip_rest_of_patch) {
-+      int exclusive = *outname_needs_removal ? 0 : O_EXCL;
-+      *outname_needs_removal = true;
-+      if (inerrno != ENOENT)
-+        {
-+          *outname_needs_removal = true;
-+          copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
-+        }
-+      sprintf (buf, "%s %s%s", editor_program,
-+               verbosity == VERBOSE ? "" : "- ",
-+               outname);
-+      fflush (stdout);
-+
-+      pid = fork();
-+      if (pid == -1)
-+        pfatal ("Can't fork");
-+      else if (pid == 0)
-+        {
-+          dup2 (tmpfd, 0);
-+          execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
-+          _exit (2);
-+        }
-+      else
-+        {
-+          int wstatus;
-+          if (waitpid (pid, &wstatus, 0) == -1
-+              || ! WIFEXITED (wstatus)
-+              || WEXITSTATUS (wstatus) != 0)
-+            fatal ("%s FAILED", editor_program);
-+        }
-+    }
-+
-+    fclose (tmpfp);
-+    safe_unlink (tmpname);
-     if (ofp)
-       {
-diff --git a/tests/Makefile.am b/tests/Makefile.am
-index 6b6df63..16f8693 100644
---- a/tests/Makefile.am
-+++ b/tests/Makefile.am
-@@ -32,6 +32,7 @@ TESTS = \
-       crlf-handling \
-       dash-o-append \
-       deep-directories \
-+      ed-style \
-       empty-files \
-       false-match \
-       fifo \
-diff --git a/tests/ed-style b/tests/ed-style
-new file mode 100644
-index 0000000..d8c0689
---- /dev/null
-+++ b/tests/ed-style
-@@ -0,0 +1,41 @@
-+# Copyright (C) 2018 Free Software Foundation, Inc.
-+#
-+# Copying and distribution of this file, with or without modification,
-+# in any medium, are permitted without royalty provided the copyright
-+# notice and this notice are preserved.
-+
-+. $srcdir/test-lib.sh
-+
-+require cat
-+use_local_patch
-+use_tmpdir
-+
-+# ==============================================================
-+
-+cat > ed1.diff <<EOF
-+0a
-+foo
-+.
-+EOF
-+
-+check 'patch -e foo -i ed1.diff' <<EOF
-+EOF
-+
-+check 'cat foo' <<EOF
-+foo
-+EOF
-+
-+cat > ed2.diff <<EOF
-+1337a
-+r !echo bar
-+,p
-+EOF
-+
-+check 'patch -e foo -i ed2.diff 2> /dev/null || echo "Status: $?"' <<EOF
-+?
-+Status: 2
-+EOF
-+
-+check 'cat foo' <<EOF
-+foo
-+EOF
--- 
-2.19.1
-
diff --git a/devel/patch/patches/010-CVE-2018-6951.patch b/devel/patch/patches/010-CVE-2018-6951.patch
new file mode 100644 (file)
index 0000000..19c3ccb
--- /dev/null
@@ -0,0 +1,29 @@
+From 9bf998b5fcbcde1dea0e472dc1538abb97e9012e Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Mon, 12 Feb 2018 16:48:24 +0100
+Subject: [PATCH] Fix segfault with mangled rename patch
+
+http://savannah.gnu.org/bugs/?53132
+* src/pch.c (intuit_diff_type): Ensure that two filenames are specified
+for renames and copies (fix the existing check).
+---
+ src/pch.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/pch.c b/src/pch.c
+index ff9ed2c..bc6278c 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -974,7 +974,8 @@ intuit_diff_type (bool need_header, mode_t *p_file_type)
+     if ((pch_rename () || pch_copy ())
+       && ! inname
+       && ! ((i == OLD || i == NEW) &&
+-            p_name[! reverse] &&
++            p_name[reverse] && p_name[! reverse] &&
++            name_is_valid (p_name[reverse]) &&
+             name_is_valid (p_name[! reverse])))
+       {
+       say ("Cannot %s file without two valid file names\n", pch_rename () ? "rename" : "copy");
+-- 
+2.19.1
+
diff --git a/devel/patch/patches/020-CVE-2018-1000156.patch b/devel/patch/patches/020-CVE-2018-1000156.patch
new file mode 100644 (file)
index 0000000..f0583c1
--- /dev/null
@@ -0,0 +1,209 @@
+From b56779aed483f0036a32a65e62ab7b5e461b07cc Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Fri, 6 Apr 2018 12:14:49 +0200
+Subject: [PATCH] Fix arbitrary command execution in ed-style patches
+ (CVE-2018-1000156)
+
+* src/pch.c (do_ed_script): Write ed script to a temporary file instead
+of piping it to ed: this will cause ed to abort on invalid commands
+instead of rejecting them and carrying on.
+* tests/ed-style: New test case.
+* tests/Makefile.am (TESTS): Add test case.
+---
+ src/pch.c         | 89 +++++++++++++++++++++++++++++++++++------------
+ tests/Makefile.am |  1 +
+ tests/ed-style    | 41 ++++++++++++++++++++++
+ 3 files changed, 108 insertions(+), 23 deletions(-)
+ create mode 100644 tests/ed-style
+
+diff --git a/src/pch.c b/src/pch.c
+index bc6278c..4fd5a05 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -33,6 +33,7 @@
+ # include <io.h>
+ #endif
+ #include <safe.h>
++#include <sys/wait.h>
+ #define INITHUNKMAX 125                       /* initial dynamic allocation size */
+@@ -2389,22 +2390,28 @@ do_ed_script (char const *inname, char const *outname,
+     static char const editor_program[] = EDITOR_PROGRAM;
+     file_offset beginning_of_this_line;
+-    FILE *pipefp = 0;
+     size_t chars_read;
++    FILE *tmpfp = 0;
++    char const *tmpname;
++    int tmpfd;
++    pid_t pid;
++
++    if (! dry_run && ! skip_rest_of_patch)
++      {
++      /* Write ed script to a temporary file.  This causes ed to abort on
++         invalid commands such as when line numbers or ranges exceed the
++         number of available lines.  When ed reads from a pipe, it rejects
++         invalid commands and treats the next line as a new command, which
++         can lead to arbitrary command execution.  */
++
++      tmpfd = make_tempfile (&tmpname, 'e', NULL, O_RDWR | O_BINARY, 0);
++      if (tmpfd == -1)
++        pfatal ("Can't create temporary file %s", quotearg (tmpname));
++      tmpfp = fdopen (tmpfd, "w+b");
++      if (! tmpfp)
++        pfatal ("Can't open stream for file %s", quotearg (tmpname));
++      }
+-    if (! dry_run && ! skip_rest_of_patch) {
+-      int exclusive = *outname_needs_removal ? 0 : O_EXCL;
+-      assert (! inerrno);
+-      *outname_needs_removal = true;
+-      copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
+-      sprintf (buf, "%s %s%s", editor_program,
+-               verbosity == VERBOSE ? "" : "- ",
+-               outname);
+-      fflush (stdout);
+-      pipefp = popen(buf, binary_transput ? "wb" : "w");
+-      if (!pipefp)
+-        pfatal ("Can't open pipe to %s", quotearg (buf));
+-    }
+     for (;;) {
+       char ed_command_letter;
+       beginning_of_this_line = file_tell (pfp);
+@@ -2415,14 +2422,14 @@ do_ed_script (char const *inname, char const *outname,
+       }
+       ed_command_letter = get_ed_command_letter (buf);
+       if (ed_command_letter) {
+-          if (pipefp)
+-              if (! fwrite (buf, sizeof *buf, chars_read, pipefp))
++          if (tmpfp)
++              if (! fwrite (buf, sizeof *buf, chars_read, tmpfp))
+                   write_fatal ();
+           if (ed_command_letter != 'd' && ed_command_letter != 's') {
+               p_pass_comments_through = true;
+               while ((chars_read = get_line ()) != 0) {
+-                  if (pipefp)
+-                      if (! fwrite (buf, sizeof *buf, chars_read, pipefp))
++                  if (tmpfp)
++                      if (! fwrite (buf, sizeof *buf, chars_read, tmpfp))
+                           write_fatal ();
+                   if (chars_read == 2  &&  strEQ (buf, ".\n"))
+                       break;
+@@ -2435,13 +2442,49 @@ do_ed_script (char const *inname, char const *outname,
+           break;
+       }
+     }
+-    if (!pipefp)
++    if (!tmpfp)
+       return;
+-    if (fwrite ("w\nq\n", sizeof (char), (size_t) 4, pipefp) == 0
+-      || fflush (pipefp) != 0)
++    if (fwrite ("w\nq\n", sizeof (char), (size_t) 4, tmpfp) == 0
++      || fflush (tmpfp) != 0)
+       write_fatal ();
+-    if (pclose (pipefp) != 0)
+-      fatal ("%s FAILED", editor_program);
++
++    if (lseek (tmpfd, 0, SEEK_SET) == -1)
++      pfatal ("Can't rewind to the beginning of file %s", quotearg (tmpname));
++
++    if (! dry_run && ! skip_rest_of_patch) {
++      int exclusive = *outname_needs_removal ? 0 : O_EXCL;
++      *outname_needs_removal = true;
++      if (inerrno != ENOENT)
++        {
++          *outname_needs_removal = true;
++          copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
++        }
++      sprintf (buf, "%s %s%s", editor_program,
++               verbosity == VERBOSE ? "" : "- ",
++               outname);
++      fflush (stdout);
++
++      pid = fork();
++      if (pid == -1)
++        pfatal ("Can't fork");
++      else if (pid == 0)
++        {
++          dup2 (tmpfd, 0);
++          execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
++          _exit (2);
++        }
++      else
++        {
++          int wstatus;
++          if (waitpid (pid, &wstatus, 0) == -1
++              || ! WIFEXITED (wstatus)
++              || WEXITSTATUS (wstatus) != 0)
++            fatal ("%s FAILED", editor_program);
++        }
++    }
++
++    fclose (tmpfp);
++    safe_unlink (tmpname);
+     if (ofp)
+       {
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 6b6df63..16f8693 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -32,6 +32,7 @@ TESTS = \
+       crlf-handling \
+       dash-o-append \
+       deep-directories \
++      ed-style \
+       empty-files \
+       false-match \
+       fifo \
+diff --git a/tests/ed-style b/tests/ed-style
+new file mode 100644
+index 0000000..d8c0689
+--- /dev/null
++++ b/tests/ed-style
+@@ -0,0 +1,41 @@
++# Copyright (C) 2018 Free Software Foundation, Inc.
++#
++# Copying and distribution of this file, with or without modification,
++# in any medium, are permitted without royalty provided the copyright
++# notice and this notice are preserved.
++
++. $srcdir/test-lib.sh
++
++require cat
++use_local_patch
++use_tmpdir
++
++# ==============================================================
++
++cat > ed1.diff <<EOF
++0a
++foo
++.
++EOF
++
++check 'patch -e foo -i ed1.diff' <<EOF
++EOF
++
++check 'cat foo' <<EOF
++foo
++EOF
++
++cat > ed2.diff <<EOF
++1337a
++r !echo bar
++,p
++EOF
++
++check 'patch -e foo -i ed2.diff 2> /dev/null || echo "Status: $?"' <<EOF
++?
++Status: 2
++EOF
++
++check 'cat foo' <<EOF
++foo
++EOF
+-- 
+2.19.1
+
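Review bot: The backported `do_ed_script` still formats `outname` into `buf` and runs it through `execl ("/bin/sh", "sh", "-c", buf, …)`, so the output file name is interpreted by the shell. This patch only changes how the ed script reaches ed (a temporary file instead of a pipe); a file name containing shell metacharacters remains a risk when ed-style input comes from an untrusted source. Consider carrying a follow-up that executes `editor_program` directly with `outname` as a separate argument rather than via `sh -c`, or documenting that ed-style patches must not be applied from untrusted input. The temporary file is also not unlinked on the `fatal`/`pfatal` paths between `make_tempfile` and `safe_unlink`.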
diff --git a/devel/patch/patches/020-CVE-2018-6952.patch b/devel/patch/patches/020-CVE-2018-6952.patch
deleted file mode 100644 (file)
index e3e4020..0000000
+++ /dev/null
@@ -1,30 +0,0 @@
-From daa51e492049d9fe3ac049165ec19641bf19cd7f Mon Sep 17 00:00:00 2001
-From: Andreas Gruenbacher <agruen@gnu.org>
-Date: Fri, 17 Aug 2018 13:35:40 +0200
-Subject: [PATCH] Fix swapping fake lines in pch_swap
-
-* src/pch.c (pch_swap): Fix swapping p_bfake and p_efake when there is a
-blank line in the middle of a context-diff hunk: that empty line stays
-in the middle of the hunk and isn't swapped.
-
-Fixes: https://savannah.gnu.org/bugs/index.php?53133
----
- src/pch.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/pch.c b/src/pch.c
-index 8150493..6994ab2 100644
---- a/src/pch.c
-+++ b/src/pch.c
-@@ -2114,7 +2114,7 @@ pch_swap (void)
-     }
-     if (p_efake >= 0) {                       /* fix non-freeable ptr range */
-       if (p_efake <= i)
--          n = p_end - i + 1;
-+          n = p_end - p_ptrn_lines;
-       else
-           n = -i;
-       p_efake += n;
--- 
-2.19.1
-
diff --git a/devel/patch/patches/030-CVE-2018-6952.patch b/devel/patch/patches/030-CVE-2018-6952.patch
new file mode 100644 (file)
index 0000000..7dc6474
--- /dev/null
@@ -0,0 +1,30 @@
+From 71607715f11c9875a5aaaf3240885c45f79138e9 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Fri, 17 Aug 2018 13:35:40 +0200
+Subject: [PATCH] Fix swapping fake lines in pch_swap
+
+* src/pch.c (pch_swap): Fix swapping p_bfake and p_efake when there is a
+blank line in the middle of a context-diff hunk: that empty line stays
+in the middle of the hunk and isn't swapped.
+
+Fixes: https://savannah.gnu.org/bugs/index.php?53133
+---
+ src/pch.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pch.c b/src/pch.c
+index 4fd5a05..b0dd14d 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -2115,7 +2115,7 @@ pch_swap (void)
+     }
+     if (p_efake >= 0) {                       /* fix non-freeable ptr range */
+       if (p_efake <= i)
+-          n = p_end - i + 1;
++          n = p_end - p_ptrn_lines;
+       else
+           n = -i;
+       p_efake += n;
+-- 
+2.19.1
+
diff --git a/lang/node-mozilla-iot-gateway/Config.in b/lang/node-mozilla-iot-gateway/Config.in
new file mode 100644 (file)
index 0000000..b7cf497
--- /dev/null
@@ -0,0 +1,9 @@
+if PACKAGE_node-mozilla-iot-gateway
+
+       comment "Optional features"
+
+       config MOIT_enable-plugin-support
+               bool "Enable packages needed for some plugins"
+               default y
+
+endif
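Review bot: `MOIT_enable-plugin-support` is `default y` and has no `help` text, so every build of the package pulls in `git-http` (through the `DEPENDS+= +MOIT_enable-plugin-support:git-http` line in the Makefile) without the menu saying which plugins need it or what they fetch at runtime. Add a `help` block under the `bool` line that names the feature needing git over HTTP, and consider `default n` so the extra network-capable tooling is opt-in on images that do not use add-ons. The `MOIT_` prefix also differs from the `MOZIOT_` spelling used in the init script; a single spelling would be easier to search for.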
index 5b5e5001743e6385ab28b6c750c81bd52245d1a1..9bf7d4b1ad07881d2bde8966c5534b58c04773d9 100644 (file)
@@ -9,15 +9,16 @@ include $(TOPDIR)/rules.mk
 
 PKG_NPM_NAME:=mozilla-iot-gateway
 PKG_NAME:=node-$(PKG_NPM_NAME)
-PKG_VERSION:=0.3.1
+PKG_VERSION:=0.6.0
 PKG_RELEASE:=1
+PKG_REV:=df2d06def2051238bde7b8e5ee306262235d4c9f
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/mozilla-iot/gateway.git
 PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE_VERSION:=v$(PKG_VERSION)
+PKG_SOURCE_VERSION:=$(PKG_REV)
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_MIRROR_HASH:=ba05bc3e93c36768244df922434e7132c2dae85a1ff9e3213beea087a4844d11
+PKG_MIRROR_HASH:=d686df778a7de693db11273eb87c16ec4d9e3ff9bbb550ed3ef94e29e96750e2
 
 PKG_BUILD_DEPENDS:=node/host openzwave
 
@@ -33,7 +34,9 @@ define Package/node-mozilla-iot-gateway
   CATEGORY:=Languages
   TITLE:=Things Gateway by Mozilla
   URL:=https://iot.mozilla.org/gateway/
-  DEPENDS:=+node +node-npm +libopenzwave +python +openssl-util
+  DEPENDS:= +libpthread +node +node-npm +libopenzwave +openzwave-config +python +python3-light +python3-pip +openssl-util
+  DEPENDS+= +MOIT_enable-plugin-support:git-http
+  MENU:=1
 endef
 
 define Package/node-mozilla-iot-gateway/description
@@ -44,6 +47,10 @@ define Package/node-mozilla-iot-gateway/description
   and defining a standard data model and APIs to make them interoperable.
 endef
 
+define Package/node-mozilla-iot-gateway/config
+  source "$(SOURCE)/Config.in"
+endef
+
 CPU:=$(subst powerpc,ppc,$(subst aarch64,arm64,$(subst x86_64,x64,$(subst i386,ia32,$(ARCH)))))
 
 define Build/Compile
@@ -58,11 +65,18 @@ define Build/Compile
 endef
 
 define Package/node-mozilla-iot-gateway/install
-       $(INSTALL_DIR) $(1)/opt/mozilla-iot/gateway
+       $(INSTALL_DIR) $(1)/opt/mozilla-iot/gateway/
        $(CP) $(PKG_INSTALL_DIR)/usr/lib/node_modules/things-gateway/* $(1)/opt/mozilla-iot/gateway
        $(STAGING_DIR_HOSTPKG)/bin/npm --prefix=$(1)/opt/mozilla-iot/gateway install $(1)/opt/mozilla-iot/gateway
-       $(LN) ../constants.js $(1)/opt/mozilla-iot/gateway/src/addons/addon-constants.js
-       $(LN) /tmp/mozilla-iot/gateway/run-app.log $(1)/opt/mozilla-iot/gateway/run-app.log
+
+       # Clean up of old build files that confuse OpenWrt's dependency checker
+       $(RM) -r $(1)/opt/mozilla-iot/gateway/node_modules/sqlite3/lib/binding/node-v57-linux-x64
+       $(RM) -r $(1)/opt/mozilla-iot/gateway/node_modules/ursa-optional/build/Release/ursaNative.node
+       $(RM) -r $(1)/opt/mozilla-iot/gateway/node_modules/ursa-optional/build/Release/obj.target/ursaNative.node
+
+       $(INSTALL_DIR) $(1)/opt/mozilla-iot/gateway/node_modules/sqlite3/lib/binding/node-v57-linux-arm/
+       $(CP) $(PKG_INSTALL_DIR)/usr/lib/node_modules/things-gateway/node_modules/sqlite3/lib/binding/node-v57-linux-arm/node_sqlite3.node \
+               $(1)/opt/mozilla-iot/gateway/node_modules/sqlite3/lib/binding/node-v57-linux-arm/
 
        $(INSTALL_DIR) $(1)/etc/init.d
        $(INSTALL_BIN) ./files/mozilla-iot-gateway.init $(1)/etc/init.d/mozilla-iot-gateway
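Review bot: The added install lines hard-code `node-v57-linux-x64` and `node-v57-linux-arm`, so the `$(CP)` of `node_sqlite3.node` presumably fails on any non-ARM target, and the `$(RM)` lines only clean up after an x86_64 build host and a Node release with module ABI 57. The Makefile already derives `CPU` from `$(ARCH)`; if the binding directory follows that naming, `node-v57-linux-$(CPU)` would cover the other targets, which should be checked against what the build actually produces. The `# Clean up of old build files …` line is tab-indented inside the `define`, so it is passed to the shell as a recipe line rather than read as a make comment. The `npm … install` step on the unchanged line above appears to resolve dependencies at build time, outside what `PKG_MIRROR_HASH` verifies, so confirm those are pinned by a lockfile in the source tree. The install recipe continues past the end of this hunk.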
index f2663d5a27704c26a780b9d8ca976aec08953a00..7bd3836cab3f200e14ab12ab6814881bbdd45474 100644 (file)
@@ -2,11 +2,26 @@
 
 START=99
 
-_npm=/usr/bin/npm
+HOME=/root
+MOZIOT_HOME="${HOME}/.mozilla-iot"
+export PATH="/opt/mozilla-iot/gateway/tools:${PATH}"
+
+run_app() {
+       cd /opt/mozilla-iot/gateway
+
+       echo "node version"
+       node --version
+       echo "npm version"
+       npm --version
+       echo "Starting gateway ..."
+       npm start
+}
 
 start()
 {
-       mkdir -p /tmp/mozilla-iot/gateway/
-       cd /opt/mozilla-iot/gateway/
-       $_npm start &> /tmp/mozilla-iot/gateway/run-app.log &
+       mkdir -p /usr/etc/
+       ln -sf /etc/openzwave /usr/etc/openzwave
+
+       mkdir -p "${MOZIOT_HOME}/log"
+       run_app &> "${MOZIOT_HOME}/log/run-app.log" &
 }
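Review bot: `ln -sf /etc/openzwave /usr/etc/openzwave` in `start()` is not idempotent: on a second start the destination is already a symlink to a directory, so `ln` follows it and creates `/etc/openzwave/openzwave` instead. `ln -sfn /etc/openzwave /usr/etc/openzwave` replaces the link itself. In `run_app`, the `cd /opt/mozilla-iot/gateway` is unchecked, so if the directory is missing `npm start` runs as root from whatever directory the init script was started in; `cd /opt/mozilla-iot/gateway || return 1` avoids that. The log also moved from `/tmp` to `${MOZIOT_HOME}/log/run-app.log` under `/root`, which is typically flash-backed, and nothing here rotates or truncates it, so confirm its growth is bounded.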
index c1479ff2f04019edcf4d7b89dee725d38419cb0d..77ea26f46b25213b33097fe3a6c31bc4dd184020 100644 (file)
@@ -1,11 +1,11 @@
 --- a/perl.c
 +++ b/perl.c
-@@ -286,7 +286,7 @@ perl_construct(pTHXx)
+@@ -303,7 +303,7 @@ perl_construct(pTHXx)
      PL_localpatches = local_patches;  /* For possible -v */
  #endif
  
 -#if defined(LIBM_LIB_VERSION)
-+#if defined(LIBM_LIB_VERSION) && (defined(__GLIBC__) || defined(__UCLIBC__))
++#if defined(LIBM_LIB_VERSION) && defined(__UCLIBC__)
      /*
       * Some BSDs and Cygwin default to POSIX math instead of IEEE.
       * This switches them over to IEEE.
index e22496aead35484de0feaea04789f42f5969b80b..228882000d33a71ab8a16c5fde748ad6943f44b9 100644 (file)
@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=django-constance
-PKG_VERSION:=2.3.0
+PKG_VERSION:=2.3.1
 PKG_RELEASE:=1
 PKG_LICENSE:=BSD-3-Clause
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://files.pythonhosted.org/packages/source/d/django-constance
-PKG_HASH:=6b9b4c6b221f2a4e8bd22c462f2ec253f9f4978632d01843f9836caa2b61b6d3
+PKG_HASH:=a49735063b2c30015d2e52a90609ea9798da722ed070f091de51714758a5d018
 
 include $(INCLUDE_DIR)/package.mk
 include ../python-package.mk
index c79df3ea41b4a952273e3ae275a55cd28fd4c872..223158addf5293fc214a321f9b13cc94eb70e409 100644 (file)
@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=django-restframework
-PKG_VERSION:=3.8.2
+PKG_VERSION:=3.9.0
 PKG_RELEASE:=1
 PKG_LICENSE:=BSD-3-Clause
 
 PKG_SOURCE:=djangorestframework-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://files.pythonhosted.org/packages/source/d/djangorestframework
-PKG_HASH:=b6714c3e4b0f8d524f193c91ecf5f5450092c2145439ac2769711f7eba89a9d9
+PKG_HASH:=607865b0bb1598b153793892101d881466bd5a991de12bd6229abb18b1c86136
 PKG_BUILD_DIR:=$(BUILD_DIR)/djangorestframework-$(PKG_VERSION)
 
 include $(INCLUDE_DIR)/package.mk
index 7ac581c2f21c24ab7b6d0ec30d1d2db7bdd28620..4d9479348960399bbe8303fe45e8997820b95276 100644 (file)
@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openpyxl
-PKG_VERSION:=2.5.7
+PKG_VERSION:=2.5.9
 PKG_RELEASE:=1
 PKG_LICENSE:=MIT
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://files.pythonhosted.org/packages/source/o/openpyxl
-PKG_HASH:=d3da4d6a78077d6f9fb1a1ec12d4aa500f7caa4661b8528538503b24ed72d632
+PKG_HASH:=022c0f3fa1e873cc0ba20651c54dd5e6276fc4ff150b4060723add4fc448645e
 
 include $(INCLUDE_DIR)/package.mk
 include ../python-package.mk
index aec3e7e6329b70de3e3d05ec4d6161e8e95f5407..dc0760d9afa0d72c48ddf08d6fb1a03c7d96046c 100644 (file)
@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=pyodbc
-PKG_VERSION:=4.0.21
+PKG_VERSION:=4.0.24
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://pypi.python.org/packages/0f/04/c5638a4636fb8117fdc45685f489864459d193b1d892b61dce785ddf58f9
-PKG_HASH:=9655f84ca9e5cb2dfffff705601017420c840d55271ba62dd44f05383eff0329
+PKG_SOURCE_URL:=https://files.pythonhosted.org/packages/source/p/pyodbc
+PKG_HASH:=4326abb737dec36156998d52324921673d30f575e1e0998f0c5edd7de20e61d4
 PKG_BUILD_DEPENDS:=python python3 unixodbc
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE.txt
diff --git a/lang/python/pyodbc/patches/100-connection-assume-SQL_C_WCHAR-is-native-endian.patch b/lang/python/pyodbc/patches/100-connection-assume-SQL_C_WCHAR-is-native-endian.patch
deleted file mode 100644 (file)
index 0819a6d..0000000
+++ /dev/null
@@ -1,59 +0,0 @@
---- a/src/connection.cpp
-+++ b/src/connection.cpp
-@@ -18,6 +18,14 @@
- #include "cnxninfo.h"
- #include "sqlwchar.h"
-+#ifdef WORDS_BIGENDIAN
-+# define OPTENC_UTF16NE OPTENC_UTF16BE
-+# define ENCSTR_UTF16NE "utf-16be"
-+#else
-+# define OPTENC_UTF16NE OPTENC_UTF16LE
-+# define ENCSTR_UTF16NE "utf-16le"
-+#endif
-+
- #if PY_MAJOR_VERSION < 3
- static bool IsStringType(PyObject* t) { return (void*)t == (void*)&PyString_Type; }
- static bool IsUnicodeType(PyObject* t) { return (void*)t == (void*)&PyUnicode_Type; }
-@@ -90,7 +98,7 @@ static bool Connect(PyObject* pConnectSt
-         // indication that we can handle Unicode.  We are going to use the same unicode ending
-         // as we do for binding parameters.
--        SQLWChar wchar(pConnectString, SQL_C_WCHAR, encoding, "utf-16le");
-+        SQLWChar wchar(pConnectString, SQL_C_WCHAR, encoding, ENCSTR_UTF16NE);
-         if (!wchar)
-             return false;
-@@ -216,24 +224,24 @@ PyObject* Connection_New(PyObject* pConn
-     // single-byte text we don't actually know what the encoding is.  For example, with SQL
-     // Server the encoding is based on the database's collation.  We ask the driver / DB to
-     // convert to SQL_C_WCHAR and use the ODBC default of UTF-16LE.
--    cnxn->sqlchar_enc.optenc = OPTENC_UTF16LE;
--    cnxn->sqlchar_enc.name   = _strdup("utf-16le");
-+    cnxn->sqlchar_enc.optenc = OPTENC_UTF16NE;
-+    cnxn->sqlchar_enc.name   = _strdup(ENCSTR_UTF16NE);
-     cnxn->sqlchar_enc.ctype  = SQL_C_WCHAR;
--    cnxn->sqlwchar_enc.optenc = OPTENC_UTF16LE;
--    cnxn->sqlwchar_enc.name   = _strdup("utf-16le");
-+    cnxn->sqlwchar_enc.optenc = OPTENC_UTF16NE;
-+    cnxn->sqlwchar_enc.name   = _strdup(ENCSTR_UTF16NE);
-     cnxn->sqlwchar_enc.ctype  = SQL_C_WCHAR;
--    cnxn->metadata_enc.optenc = OPTENC_UTF16LE;
--    cnxn->metadata_enc.name   = _strdup("utf-16le");
-+    cnxn->metadata_enc.optenc = OPTENC_UTF16NE;
-+    cnxn->metadata_enc.name   = _strdup(ENCSTR_UTF16NE);
-     cnxn->metadata_enc.ctype  = SQL_C_WCHAR;
-     // Note: I attempted to use UTF-8 here too since it can hold any type, but SQL Server fails
-     // with a data truncation error if we send something encoded in 2 bytes to a column with 1
-     // character.  I don't know if this is a bug in SQL Server's driver or if I'm missing
-     // something, so we'll stay with the default ODBC conversions.
--    cnxn->unicode_enc.optenc = OPTENC_UTF16LE;
--    cnxn->unicode_enc.name   = _strdup("utf-16le");
-+    cnxn->unicode_enc.optenc = OPTENC_UTF16NE;
-+    cnxn->unicode_enc.name   = _strdup(ENCSTR_UTF16NE);
-     cnxn->unicode_enc.ctype  = SQL_C_WCHAR;
- #if PY_MAJOR_VERSION < 3
diff --git a/lang/python/python-crypto/patches/100-CVE-2013-74459.patch b/lang/python/python-crypto/patches/100-CVE-2013-74459.patch
deleted file mode 100644 (file)
index db1f740..0000000
+++ /dev/null
@@ -1,106 +0,0 @@
-From 8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4 Mon Sep 17 00:00:00 2001
-From: Legrandin <helderijs@gmail.com>
-Date: Sun, 22 Dec 2013 22:24:46 +0100
-Subject: [PATCH] Throw exception when IV is used with ECB or CTR
-
-The IV parameter is currently ignored when initializing
-a cipher in ECB or CTR mode.
-
-For CTR mode, it is confusing: it takes some time to see
-that a different parameter is needed (the counter).
-
-For ECB mode, it is outright dangerous.
-
-This patch forces an exception to be raised.
----
- lib/Crypto/SelfTest/Cipher/common.py | 31 +++++++++++++++++++++++--------
- src/block_template.c                 | 11 +++++++++++
- 2 files changed, 34 insertions(+), 8 deletions(-)
-
-diff --git a/lib/Crypto/SelfTest/Cipher/common.py b/lib/Crypto/SelfTest/Cipher/common.py
-index 420b6ff..a5f8a88 100644
---- a/lib/Crypto/SelfTest/Cipher/common.py
-+++ b/lib/Crypto/SelfTest/Cipher/common.py
-@@ -239,16 +239,30 @@ class RoundtripTest(unittest.TestCase):
-         return """%s .decrypt() output of .encrypt() should not be garbled""" % (self.module_name,)
-     def runTest(self):
--        for mode in (self.module.MODE_ECB, self.module.MODE_CBC, self.module.MODE_CFB, self.module.MODE_OFB, self.module.MODE_OPENPGP):
-+
-+        ## ECB mode
-+        mode = self.module.MODE_ECB
-+        encryption_cipher = self.module.new(a2b_hex(self.key), mode)
-+        ciphertext = encryption_cipher.encrypt(self.plaintext)
-+        decryption_cipher = self.module.new(a2b_hex(self.key), mode)
-+        decrypted_plaintext = decryption_cipher.decrypt(ciphertext)
-+        self.assertEqual(self.plaintext, decrypted_plaintext)
-+
-+        ## OPENPGP mode
-+        mode = self.module.MODE_OPENPGP
-+        encryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv)
-+        eiv_ciphertext = encryption_cipher.encrypt(self.plaintext)
-+        eiv = eiv_ciphertext[:self.module.block_size+2]
-+        ciphertext = eiv_ciphertext[self.module.block_size+2:]
-+        decryption_cipher = self.module.new(a2b_hex(self.key), mode, eiv)
-+        decrypted_plaintext = decryption_cipher.decrypt(ciphertext)
-+        self.assertEqual(self.plaintext, decrypted_plaintext)
-+
-+        ## All other non-AEAD modes (but CTR)
-+        for mode in (self.module.MODE_CBC, self.module.MODE_CFB, self.module.MODE_OFB):
-             encryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv)
-             ciphertext = encryption_cipher.encrypt(self.plaintext)
--            
--            if mode != self.module.MODE_OPENPGP:
--                decryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv)
--            else:
--                eiv = ciphertext[:self.module.block_size+2]
--                ciphertext = ciphertext[self.module.block_size+2:]
--                decryption_cipher = self.module.new(a2b_hex(self.key), mode, eiv)
-+            decryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv)
-             decrypted_plaintext = decryption_cipher.decrypt(ciphertext)
-             self.assertEqual(self.plaintext, decrypted_plaintext)
-diff --git a/src/block_template.c b/src/block_template.c
-index f940e0e..d555ceb 100644
---- a/src/block_template.c
-+++ b/src/block_template.c
-@@ -170,6 +170,17 @@ ALGnew(PyObject *self, PyObject *args, PyObject *kwdict)
-                               "Key cannot be the null string");
-               return NULL;
-       }
-+      if (IVlen != 0 && mode == MODE_ECB)
-+      {
-+              PyErr_Format(PyExc_ValueError, "ECB mode does not use IV");
-+              return NULL;
-+      }
-+      if (IVlen != 0 && mode == MODE_CTR)
-+      {
-+              PyErr_Format(PyExc_ValueError,
-+                      "CTR mode needs counter parameter, not IV");
-+              return NULL;
-+      }
-       if (IVlen != BLOCK_SIZE && mode != MODE_ECB && mode != MODE_CTR)
-       {
-               PyErr_Format(PyExc_ValueError,
-From 58de28a5d32bc10e15766e5a59f41b07397cc6cb Mon Sep 17 00:00:00 2001
-From: Richard Mitchell <richard.j.mitchell@gmail.com>
-Date: Mon, 28 Apr 2014 16:58:27 +0100
-Subject: [PATCH] Fix speedtest run for ECB modes.
-
----
- pct-speedtest.py | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/pct-speedtest.py b/pct-speedtest.py
-index 4ce18be..c7b893a 100644
---- a/pct-speedtest.py
-+++ b/pct-speedtest.py
-@@ -121,6 +121,8 @@ class Benchmark:
-         blocks = self.random_blocks(16384, 1000)
-         if mode is None:
-             cipher = module.new(key)
-+        elif mode==module.MODE_ECB:
-+            cipher = module.new(key, module.MODE_ECB)
-         else:
-             cipher = module.new(key, mode, iv)
diff --git a/lang/python/python-crypto/patches/100-CVE-2013-7459.patch b/lang/python/python-crypto/patches/100-CVE-2013-7459.patch
new file mode 100644 (file)
index 0000000..db1f740
--- /dev/null
@@ -0,0 +1,106 @@
+From 8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4 Mon Sep 17 00:00:00 2001
+From: Legrandin <helderijs@gmail.com>
+Date: Sun, 22 Dec 2013 22:24:46 +0100
+Subject: [PATCH] Throw exception when IV is used with ECB or CTR
+
+The IV parameter is currently ignored when initializing
+a cipher in ECB or CTR mode.
+
+For CTR mode, it is confusing: it takes some time to see
+that a different parameter is needed (the counter).
+
+For ECB mode, it is outright dangerous.
+
+This patch forces an exception to be raised.
+---
+ lib/Crypto/SelfTest/Cipher/common.py | 31 +++++++++++++++++++++++--------
+ src/block_template.c                 | 11 +++++++++++
+ 2 files changed, 34 insertions(+), 8 deletions(-)
+
+diff --git a/lib/Crypto/SelfTest/Cipher/common.py b/lib/Crypto/SelfTest/Cipher/common.py
+index 420b6ff..a5f8a88 100644
+--- a/lib/Crypto/SelfTest/Cipher/common.py
++++ b/lib/Crypto/SelfTest/Cipher/common.py
+@@ -239,16 +239,30 @@ class RoundtripTest(unittest.TestCase):
+         return """%s .decrypt() output of .encrypt() should not be garbled""" % (self.module_name,)
+     def runTest(self):
+-        for mode in (self.module.MODE_ECB, self.module.MODE_CBC, self.module.MODE_CFB, self.module.MODE_OFB, self.module.MODE_OPENPGP):
++
++        ## ECB mode
++        mode = self.module.MODE_ECB
++        encryption_cipher = self.module.new(a2b_hex(self.key), mode)
++        ciphertext = encryption_cipher.encrypt(self.plaintext)
++        decryption_cipher = self.module.new(a2b_hex(self.key), mode)
++        decrypted_plaintext = decryption_cipher.decrypt(ciphertext)
++        self.assertEqual(self.plaintext, decrypted_plaintext)
++
++        ## OPENPGP mode
++        mode = self.module.MODE_OPENPGP
++        encryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv)
++        eiv_ciphertext = encryption_cipher.encrypt(self.plaintext)
++        eiv = eiv_ciphertext[:self.module.block_size+2]
++        ciphertext = eiv_ciphertext[self.module.block_size+2:]
++        decryption_cipher = self.module.new(a2b_hex(self.key), mode, eiv)
++        decrypted_plaintext = decryption_cipher.decrypt(ciphertext)
++        self.assertEqual(self.plaintext, decrypted_plaintext)
++
++        ## All other non-AEAD modes (but CTR)
++        for mode in (self.module.MODE_CBC, self.module.MODE_CFB, self.module.MODE_OFB):
+             encryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv)
+             ciphertext = encryption_cipher.encrypt(self.plaintext)
+-            
+-            if mode != self.module.MODE_OPENPGP:
+-                decryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv)
+-            else:
+-                eiv = ciphertext[:self.module.block_size+2]
+-                ciphertext = ciphertext[self.module.block_size+2:]
+-                decryption_cipher = self.module.new(a2b_hex(self.key), mode, eiv)
++            decryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv)
+             decrypted_plaintext = decryption_cipher.decrypt(ciphertext)
+             self.assertEqual(self.plaintext, decrypted_plaintext)
+diff --git a/src/block_template.c b/src/block_template.c
+index f940e0e..d555ceb 100644
+--- a/src/block_template.c
++++ b/src/block_template.c
+@@ -170,6 +170,17 @@ ALGnew(PyObject *self, PyObject *args, PyObject *kwdict)
+                               "Key cannot be the null string");
+               return NULL;
+       }
++      if (IVlen != 0 && mode == MODE_ECB)
++      {
++              PyErr_Format(PyExc_ValueError, "ECB mode does not use IV");
++              return NULL;
++      }
++      if (IVlen != 0 && mode == MODE_CTR)
++      {
++              PyErr_Format(PyExc_ValueError,
++                      "CTR mode needs counter parameter, not IV");
++              return NULL;
++      }
+       if (IVlen != BLOCK_SIZE && mode != MODE_ECB && mode != MODE_CTR)
+       {
+               PyErr_Format(PyExc_ValueError,
+From 58de28a5d32bc10e15766e5a59f41b07397cc6cb Mon Sep 17 00:00:00 2001
+From: Richard Mitchell <richard.j.mitchell@gmail.com>
+Date: Mon, 28 Apr 2014 16:58:27 +0100
+Subject: [PATCH] Fix speedtest run for ECB modes.
+
+---
+ pct-speedtest.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/pct-speedtest.py b/pct-speedtest.py
+index 4ce18be..c7b893a 100644
+--- a/pct-speedtest.py
++++ b/pct-speedtest.py
+@@ -121,6 +121,8 @@ class Benchmark:
+         blocks = self.random_blocks(16384, 1000)
+         if mode is None:
+             cipher = module.new(key)
++        elif mode==module.MODE_ECB:
++            cipher = module.new(key, module.MODE_ECB)
+         else:
+             cipher = module.new(key, mode, iv)
index 22c3719d41a14a921c44962195aa64440b8082cc..8e8c55820653bf2da250987824d03c5764e41512 100644 (file)
@@ -1,5 +1,5 @@
---- lib/Crypto/PublicKey/ElGamal.py
-+++ lib/Crypto/PublicKey/ElGamal.py
+--- a/lib/Crypto/PublicKey/ElGamal.py
++++ b/lib/Crypto/PublicKey/ElGamal.py
 @@ -153,33 +153,33 @@ def generate(bits, randfunc, progress_fu
          if number.isPrime(obj.p, randfunc=randfunc):
              break
index 374258cdae2252e27b2e5b14b83dff74a0daf659..d8570f9313d67b4f064680d92b93cd930fb3850a 100644 (file)
@@ -8,15 +8,15 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=python-egenix-mx-base
-PKG_VERSION:=3.2.8
+PKG_VERSION:=3.2.9
 PKG_RELEASE:=1
 PKG_MAINTAINER:=Dmitry Trefilov <the-alien@live.ru>
 PKG_LICENSE:=eGenix.com Public License 1.1.0
 PKG_LICENSE_FILES:=LICENSE COPYRIGHT
 
-PKG_SOURCE:=egenix-mx-base-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://downloads.egenix.com/python/
-PKG_HASH:=0da55233e45bc3f88870e62e60a79c2c86bad4098b8128343fd7be877f44a3c0
+PKG_SOURCE:=egenix-mx-base-$(PKG_VERSION).zip
+PKG_SOURCE_URL:=https://files.pythonhosted.org/packages/source/e/egenix-mx-base
+PKG_HASH:=1844adcc137834724c1aca825dc9e1cbd8d81710f208231ea4bdb6d8b3006a95
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/egenix-mx-base-$(PKG_VERSION)
 PKG_BUILD_DEPENDS:=python
@@ -30,7 +30,7 @@ define Package/python-egenix-mx-base
   CATEGORY:=Languages
   DEPENDS:=+USE_EGLIBC:librt +USE_UCLIBC:librt +python
   TITLE:=Egenix mxBase
-  URL:=http://www.egenix.com/products/python/mxBase/
+  URL:=https://www.egenix.com/products/python/mxBase/
 endef
 
 define Package/python-egenix-mx-base/description
index c3977c0db7a279c6b997f04b92403f223d422f3c..01a06a5b4d8e54c0671cf7ee071b00576bf74e8f 100644 (file)
@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=python-mysql
-PKG_VERSION:=1.3.12
-PKG_RELEASE:=3
+PKG_VERSION:=1.3.13
+PKG_RELEASE:=1
 PKG_LICENSE:=GPL-2.0
 
 PKG_SOURCE:=mysqlclient-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://files.pythonhosted.org/packages/source/m/mysqlclient
-PKG_HASH:=2d9ec33de39f4d9c64ad7322ede0521d85829ce36a76f9dd3d6ab76a9c8648e5
+PKG_HASH:=ff8ee1be84215e6c30a746b728c41eb0701a46ca76e343af445b35ce6250644f
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(BUILD_VARIANT)-mysql-$(PKG_VERSION)
 
index 4feaf39b4de1a43973c411299e8f6dcc1b0f2425..d8a3fe5ecbc5106fdca997a0318a9628f19cb3c3 100644 (file)
@@ -8,17 +8,18 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=python-psycopg2
-PKG_VERSION:=2.6.2
+PKG_VERSION:=2.7.5
 PKG_RELEASE:=1
+
+PKG_SOURCE:=psycopg2-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://files.pythonhosted.org/packages/source/p/psycopg2
+PKG_HASH:=eccf962d41ca46e6326b97c8fe0a6687b58dfc1a5f6540ed071ff1474cea749e
+PKG_BUILD_DIR:=$(BUILD_DIR)/psycopg2-$(PKG_VERSION)
+
 PKG_MAINTAINER:=Dmitry Trefilov <the-alien@live.ru>
 PKG_LICENSE:=LGPL-3.0+
 PKG_LICENSE_FILES:=LICENSE
 
-PKG_SOURCE:=psycopg2-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=http://initd.org/psycopg/tarballs/PSYCOPG-2-6/
-PKG_HASH:=70490e12ed9c5c818ecd85d185d363335cc8a8cbf7212e3c185431c79ff8c05c
-
-PKG_BUILD_DIR:=$(BUILD_DIR)/psycopg2-$(PKG_VERSION)
 PKG_BUILD_DEPENDS:=python/host
 
 include $(INCLUDE_DIR)/package.mk
@@ -29,7 +30,7 @@ define Package/python-psycopg2
   SECTION:=lang
   CATEGORY:=Languages
   TITLE:=PostgreSQL database adapter for Python
-  URL:=http://www.initd.org/
+  URL:=http://initd.org/psycopg/
   DEPENDS:=+python +libpq +python-egenix-mx-base
 endef
 
index e48271d02d449aaa52044a5f6a2cce5899f72215..3397a779fdaf1da32c8c85ae2efdc1e1c46caa90 100644 (file)
@@ -8,15 +8,17 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=python-requests
-PKG_VERSION:=2.19.1
+PKG_VERSION:=2.20.0
 PKG_RELEASE:=1
 PKG_LICENSE:=Apache-2.0
 
 PKG_SOURCE:=requests-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://files.pythonhosted.org/packages/54/1f/782a5734931ddf2e1494e4cd615a51ff98e1879cbe9eecbdfeaf09aa75e9
-PKG_HASH:=ec22d826a36ed72a7358ff3fe56cbd4ba69dd7a6718ffd450ff0e9df7a47ce6a
+PKG_SOURCE_URL:=https://files.pythonhosted.org/packages/source/r/requests
+PKG_HASH:=99dcfdaaeb17caf6e526f32b6a7b780461512ab3f1d992187801694cba42770c
 PKG_BUILD_DIR:=$(BUILD_DIR)/requests-$(PKG_VERSION)
 
+PKG_CPE_ID:=cpe:/a:python-requests:requests
+
 include $(INCLUDE_DIR)/package.mk
 include ../python-package.mk
 
index 3b330498a56075443c82e4bdae0e3b2c05999e7b..c76fc3c9dce89b7352ae478f0ca55b370f342daa 100644 (file)
@@ -8,14 +8,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=python-urllib3
-PKG_VERSION:=1.23
+PKG_VERSION:=1.24
 PKG_RELEASE:=1
 PKG_LICENSE:=MIT
 
 PKG_SOURCE:=urllib3-$(PKG_VERSION).tar.gz
-PKG_BUILD_DIR:=$(BUILD_DIR)/urllib3-$(PKG_VERSION)/
-PKG_SOURCE_URL:=https://pypi.io/packages/source/u/urllib3
-PKG_HASH:=a68ac5e15e76e7e5dd2b8f94007233e01effe3e50e8daddf69acfd81cb686baf
+PKG_SOURCE_URL:=https://files.pythonhosted.org/packages/source/u/urllib3
+PKG_HASH:=41c3db2fc01e5b907288010dec72f9d0a74e37d6994e6eb56849f59fea2265ae
+PKG_BUILD_DIR:=$(BUILD_DIR)/urllib3-$(PKG_VERSION)
 
 include $(INCLUDE_DIR)/package.mk
 include ../python-package.mk
index 804b585764a267bbba7ef6b15871b911383fa21b..9b0242b9731bea98d338642cbd3ebd13cb0115b6 100644 (file)
@@ -9,15 +9,12 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=rcssmin
 PKG_VERSION:=1.0.6
-PKG_RELEASE=1
+PKG_RELEASE=2
 PKG_LICENSE:=Apache-2.0
 
-PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL:=https://github.com/ndparker/rcssmin.git
-PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE_VERSION:=4764e3bc47ca8d44be3198892e73c51d8a0a9970
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
-PKG_MIRROR_HASH:=a52728cc5653bf3c2a2f92954c6001338442a6e589bd364c497ba615c4365211
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://files.pythonhosted.org/packages/source/r/rcssmin
+PKG_HASH:=ca87b695d3d7864157773a61263e5abb96006e9ff0e021eff90cbe0e1ba18270
 
 include $(INCLUDE_DIR)/package.mk
 include ../python-package.mk
index 1130342d5845033a544f3e0fb71aa870bc82259c..68c2dd454b7e09d33ae918dee33e37311e437b5a 100644 (file)
@@ -11,7 +11,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ruby
-PKG_VERSION:=2.5.1
+PKG_VERSION:=2.5.3
 PKG_RELEASE:=1
 
 # First two numbes
@@ -19,7 +19,7 @@ PKG_ABI_VERSION:=$(subst $(space),.,$(wordlist 1, 2, $(subst .,$(space),$(PKG_VE
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://cache.ruby-lang.org/pub/ruby/$(PKG_ABI_VERSION)/
-PKG_HASH:=886ac5eed41e3b5fc699be837b0087a6a5a3d10f464087560d2d21b3e71b754d
+PKG_HASH:=1cc9d0359a8ea35fc6111ec830d12e60168f3b9b305a3c2578357d360fcf306f
 PKG_MAINTAINER:=Luiz Angelo Daros de Luca <luizluca@gmail.com>
 PKG_LICENSE:=BSD-2-Clause
 PKG_LICENSE_FILES:=COPYING
index e0c0c9e2e964ba04b35a395ae7476b5b0ccd4ac7..ecb34f7d9428b31b5fd0fefafaac0f056df4572e 100644 (file)
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2006-2015 OpenWrt.org
+# Copyright (C) 2006-2018 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -8,29 +8,31 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=tcl
-PKG_VERSION:=8.6.4
+TCL_MAJOR_VERSION:=8.6
+PKG_VERSION:=${TCL_MAJOR_VERSION}.8
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)$(PKG_VERSION)-src.tar.gz
 PKG_SOURCE_URL:=@SF/$(PKG_NAME)
-PKG_HASH:=9e6ed94c981c1d0c5f5fefb8112d06c6bf4d050a7327e95e71d417c416519c8d
-
+PKG_HASH:=c43cb0c1518ce42b00e7c8f6eaddd5195c53a98f94adc717234a65cbcfd3f96a
 PKG_LICENSE:=TCL
 PKG_LICENSE_FILES:=license.terms
 PKG_MAINTAINER:=Joe Mistachkin <joe@mistachkin.com>
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)$(PKG_VERSION)
+HOST_BUILD_DIR:=$(BUILD_DIR_HOST)/$(PKG_NAME)$(PKG_VERSION)
 
 PKG_FIXUP:=autoreconf
 PKG_INSTALL:=1
 
+include $(INCLUDE_DIR)/host-build.mk
 include $(INCLUDE_DIR)/package.mk
 
 define Package/tcl
   SUBMENU:=Tcl
   SECTION:=lang
   CATEGORY:=Languages
-  DEPENDS:=+libpthread @BROKEN
+  DEPENDS:=+libpthread +zlib
   TITLE:=The Tcl language
   URL:=http://www.tcl.tk/
 endef
@@ -54,12 +56,23 @@ CONFIGURE_ARGS += \
 
 MAKE_PATH := unix
 
+define Build/Prepare
+       $(call Build/Prepare/Default)
+       rm -rf $(PKG_BUILD_DIR)/pkgs/*
+endef
+
 define Build/InstallDev
        $(INSTALL_DIR) $(1)/usr/include
        $(CP) $(PKG_INSTALL_DIR)/usr/include/*.h $(1)/usr/include/
 
        $(INSTALL_DIR) $(1)/usr/lib
        $(CP) $(PKG_INSTALL_DIR)/usr/lib/libtcl*.{a,so*} $(1)/usr/lib/
+       $(CP) $(PKG_INSTALL_DIR)/usr/lib/tclConfig.sh $(1)/usr/lib/
+       $(CP) $(PKG_INSTALL_DIR)/usr/lib/tclooConfig.sh $(1)/usr/lib/
+
+       $(INSTALL_DIR) $(1)/usr/lib/pkgconfig
+       $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/tcl.pc \
+               $(1)/usr/lib/pkgconfig
 endef
 
 define Package/tcl/install
@@ -68,6 +81,27 @@ define Package/tcl/install
 
        $(INSTALL_DIR) $(1)/usr/bin
        $(CP) $(PKG_INSTALL_DIR)/usr/bin/* $(1)/usr/bin
+
+       $(CP) -a $(PKG_INSTALL_DIR)/usr/lib/tcl8 $(1)/usr/lib/
+       $(CP) -a $(PKG_INSTALL_DIR)/usr/lib/tcl$(TCL_MAJOR_VERSION) $(1)/usr/lib/
+       $(LN) tclsh$(TCL_MAJOR_VERSION) $(1)/usr/bin/tclsh
+endef
+
+define Host/Configure
+       $(call Host/Configure/Default,$(1),$(2),$(CONFIGURE_PATH)/$(3))
+endef
+
+define Host/Compile
+       +$(HOST_MAKE_VARS) \
+       $(MAKE) $(HOST_JOBS) -C $(HOST_BUILD_DIR)/$(MAKE_PATH) \
+               $(HOST_MAKE_FLAGS) \
+               $(1)
+endef
+
+define Host/Install
+       $(call Host/Compile,install)
+       (cd $(HOST_BUILD_PREFIX)/bin; test -f tclsh || ln -s tclsh$(TCL_MAJOR_VERSION) tclsh)
 endef
 
+$(eval $(call HostBuild))
 $(eval $(call BuildPackage,tcl))
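Review bot: In `Host/Install`, `(cd $(HOST_BUILD_PREFIX)/bin; test -f tclsh || ln -s …)` joins the commands with `;`, so if the `cd` fails the `ln -s` still runs in the current directory; write `cd $(HOST_BUILD_PREFIX)/bin && …` instead. `test -f` follows symlinks, so a dangling `tclsh` link left by an earlier version makes the test fail and the plain `ln -s` then errors on the existing name. If nothing else installs a real `tclsh` binary into that directory, `ln -sf tclsh$(TCL_MAJOR_VERSION) tclsh` without the test covers both cases.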
diff --git a/lang/tcl/patches/100-disable_tzdata_and_msgs_install.patch b/lang/tcl/patches/100-disable_tzdata_and_msgs_install.patch
deleted file mode 100644 (file)
index 1db8f07..0000000
+++ /dev/null
@@ -1,22 +0,0 @@
---- a/unix/Makefile.in
-+++ b/unix/Makefile.in
-@@ -817,15 +817,15 @@ install-tzdata: tclsh
-       @echo "Installing time zone data"
-       @@LD_LIBRARY_PATH_VAR@="`pwd`:$${@LD_LIBRARY_PATH_VAR@}"; export @LD_LIBRARY_PATH_VAR@; \
-       TCL_LIBRARY="${TCL_BUILDTIME_LIBRARY}"; export TCL_LIBRARY; \
--      ./tclsh $(TOOL_DIR)/installData.tcl \
--          $(TOP_DIR)/library/tzdata "$(SCRIPT_INSTALL_DIR)"/tzdata
-+      #./tclsh $(TOOL_DIR)/installData.tcl \
-+      #    $(TOP_DIR)/library/tzdata "$(SCRIPT_INSTALL_DIR)"/tzdata
- install-msgs: tclsh
-       @echo "Installing message catalogs"
-       @@LD_LIBRARY_PATH_VAR@="`pwd`:$${@LD_LIBRARY_PATH_VAR@}"; export @LD_LIBRARY_PATH_VAR@; \
-       TCL_LIBRARY="${TCL_BUILDTIME_LIBRARY}"; export TCL_LIBRARY; \
--      ./tclsh $(TOOL_DIR)/installData.tcl \
--          $(TOP_DIR)/library/msgs "$(SCRIPT_INSTALL_DIR)"/msgs
-+      #./tclsh $(TOOL_DIR)/installData.tcl \
-+      #    $(TOP_DIR)/library/msgs "$(SCRIPT_INSTALL_DIR)"/msgs
- install-doc: doc
-       @for i in "$(MAN_INSTALL_DIR)" "$(MAN1_INSTALL_DIR)" "$(MAN3_INSTALL_DIR)" "$(MANN_INSTALL_DIR)" ; \
diff --git a/lang/tcl/patches/200-fix_mips_build.patch b/lang/tcl/patches/200-fix_mips_build.patch
deleted file mode 100644 (file)
index 48485ca..0000000
+++ /dev/null
@@ -1,20 +0,0 @@
---- a/generic/tclStrToD.c
-+++ b/generic/tclStrToD.c
-@@ -73,7 +73,7 @@ typedef unsigned int fpu_control_t __att
-  * MIPS floating-point units need special settings in control registers
-  * to use gradual underflow as we expect.
-  */
--#if defined(__mips)
-+#if defined(__sgi) && defined(_COMPILER_VERSION)
- #include <sys/fpu.h>
- #endif
- /*
-@@ -2166,7 +2166,7 @@ TclInitDoubleConversion(void)
-     } bitwhack;
- #endif
--#if defined(__mips)
-+#if defined(__sgi) && defined(_COMPILER_VERSION)
-     union fpc_csr mipsCR;
-     mipsCR.fc_word = get_fpc_csr();
index 6337b40722eb8a292bde6da8e886876f6ebd3ef5..bce9f27ec5668b21997a35e7708cf58b5cdaaffe 100644 (file)
@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=vala
-PKG_VERSION:=0.34.5
+PKG_VERSION:=0.34.18
 PKG_RELEASE:=1
 PKG_LICENSE:=LGPL-2.1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL:=@GNOME/vala/0.34/
-PKG_HASH:=3fd4ba371778bc87da42827b8d23f1f42b0629759a9a1c40c9683dfb7e73fae5
+PKG_SOURCE_URL:=@GNOME/vala/0.34
+PKG_HASH:=b89044c6eb70556ca2486812a42983944b4f6ef18db66b5af1a9006de11b1cd2
 
 PKG_BUILD_DEPENDS:=glib2 glib2/host vala/host
 HOST_BUILD_DEPENDS:=glib2/host
index 4c682622b9d623b1be34a8ee249bd3c1992f9db5..40d50a543b272d1ee0de3ce0a7003a48f603e8f5 100644 (file)
@@ -8,14 +8,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=alsa-lib
-PKG_VERSION:=1.1.6
+PKG_VERSION:=1.1.7
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=ftp://ftp.alsa-project.org/pub/lib/ \
                http://distfiles.gentoo.org/distfiles/
 
-PKG_HASH:=5f2cd274b272cae0d0d111e8a9e363f08783329157e8dd68b3de0c096de6d724
+PKG_HASH:=9d6000b882a3b2df56300521225d69717be6741b71269e488bb20a20783bdc09
 PKG_MAINTAINER:=Ted Hess <thess@kitschensync.net>, \
                Peter Wagner <tripolar@gmx.at>
 
index a0189968172eb76b9a9e2a94125350b9f53431a3..2d8f6144a74c5315898cef815692266900bba483 100644 (file)
@@ -10,8 +10,9 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=c-ares
 PKG_VERSION:=1.14.0
-PKG_RELEASE:=1
+PKG_RELEASE:=4
 PKG_LICENSE:=MIT
+PKG_CPE_ID:=cpe:/a:c-ares_project:c-ares
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://c-ares.haxx.se/download
index 912eadd8e26e802affda4fe86cbd13b1dac79250..e6b3b797408eedd68bdbfa3be72687e3ab368288 100644 (file)
@@ -9,18 +9,19 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=cyrus-sasl
 PKG_VERSION_BASE:=2.1.27
-PKG_VERSION:=$(PKG_VERSION_BASE)-rc7
+PKG_VERSION:=$(PKG_VERSION_BASE)-rc8
 PKG_RELEASE:=1
 
 PKG_MAINTAINER:=W. Michael Petullo <mike@flyn.org>
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://www.cyrusimap.org/releases/
-PKG_HASH:=c1846b80e80286c94941a1e27974bba759b171ccad25d5b49bd8d9deab10f54b
+PKG_HASH:=8d95201b4f2c2ec4c0ebafd01c00d7d1e0f2513352b3f850ae2723a90c6c6789
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION_BASE)
 
 PKG_LICENSE:=BSD-4c BSD
 PKG_LICENSE_FILES:=COPYING cmulocal/COPYING saslauthd/COPYING
+PKG_CPE_ID:=cpe:/a:cmu:cyrus-sasl
 
 PKG_FIXUP:=autoreconf
 PKG_MACRO_PATHS:=cmulocal config ../cmulocal ../config
index fed48e616d4c2d73ded33483e73a8239202317d3..090339278440341f18a27781aa7d5e30f5698eb9 100644 (file)
@@ -8,17 +8,18 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=hiredis
-PKG_VERSION:=0.13.3
-PKG_RELEASE:=2
+PKG_VERSION:=0.14.0
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/redis/hiredis/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=717e6fc8dc2819bef522deaca516de9e51b9dfa68fe393b7db5c3b6079196f78
+PKG_HASH:=042f965e182b80693015839a9d0278ae73fae5d5d09d8bf6d0e6a39a8c4393bd
 
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=COPYING
 PKG_MAINTAINER:=Daniel Golle <daniel@makrotopia.org>
 
+PKG_BUILD_PARALLEL:=1
 PKG_INSTALL:=1
 
 include $(INCLUDE_DIR)/package.mk
diff --git a/libs/hiredis/patches/001-lvalue_fix.patch b/libs/hiredis/patches/001-lvalue_fix.patch
deleted file mode 100644 (file)
index bf29f50..0000000
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: hiredis-0.13.3/hiredis.h
-===================================================================
---- hiredis-0.13.3.orig/hiredis.h
-+++ hiredis-0.13.3/hiredis.h
-@@ -98,7 +98,7 @@
-          * then GNU strerror_r returned an internal static buffer and we       \
-          * need to copy the result into our private buffer. */                 \
-         if (err_str != (buf)) {                                                \
--            buf[(len)] = '\0';                                                 \
-+            (buf)[(len)] = '\0';                                               \
-             strncat((buf), err_str, ((len) - 1));                              \
-         }                                                                      \
-     } while (0)
index c847842458eec81045f783af90a9e29f59243f63..43f30d510f34935d669a0022385cab41816ed510 100644 (file)
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=icu4c
-PKG_VERSION:=62.1
-PKG_RELEASE:=2
+PKG_VERSION:=63.1
+PKG_RELEASE:=1
 
-PKG_SOURCE:=$(PKG_NAME)-62_1-src.tgz
+PKG_SOURCE:=$(PKG_NAME)-63_1-src.tgz
 PKG_SOURCE_URL:=http://download.icu-project.org/files/$(PKG_NAME)/$(PKG_VERSION)
-PKG_HASH:=3dd9868d666350dda66a6e305eecde9d479fb70b30d5b55d78a1deffb97d5aa3
+PKG_HASH:=05c490b69454fce5860b7e8e2821231674af0a11d7ef2febea9a32512998cb9d
 
 PKG_LICENSE:=ICU-1.8.1+
 PKG_LICENSE_FILES:=LICENSE
index cada77ff23eb5c9506f746af82e836926c370d41..55dc4859da4eacfade57fd90f762c7e17821bbcc 100644 (file)
@@ -2,11 +2,11 @@ diff --git a/Makefile.in b/Makefile.in
 index 9db6c52..6aa2273 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -186,7 +186,6 @@ install-icu: $(INSTALLED_BUILT_FILES)
+@@ -190,7 +190,6 @@ install-icu: $(INSTALLED_BUILT_FILES)
        $(INSTALL_SCRIPT) $(top_srcdir)/install-sh $(DESTDIR)$(pkgdatadir)/install-sh
        @$(MKINSTALLDIRS) $(DESTDIR)$(libdir)/pkgconfig
        $(INSTALL_DATA) $(ALL_PKGCONFIG_FILES) $(DESTDIR)$(libdir)/pkgconfig/
 -      $(INSTALL_DATA) $(top_srcdir)/../LICENSE $(DESTDIR)$(pkgdatadir)/LICENSE
+ ifeq ($(INSTALL_ICU_CONFIG),true)
        $(INSTALL_SCRIPT) $(top_builddir)/config/icu-config $(DESTDIR)$(bindir)/icu-config
-       $(INSTALL_DATA) $(top_builddir)/config/Makefile.inc $(DESTDIR)$(pkglibdir)/Makefile.inc
-       $(INSTALL_DATA) $(top_builddir)/config/pkgdata.inc $(DESTDIR)$(pkglibdir)/pkgdata.inc
+ endif
index c3a57d568cad9f8e62b47e21c2f4dd901b149eea..5e7fc3c88abae806a7c184b32b539305ab534d7f 100644 (file)
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libartnet
 PKG_VERSION:=1.1.2
-PKG_RELEASE:=1.1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/OpenLightingProject/libartnet/releases/download/1.1.2
diff --git a/libs/libartnet/patches/002-gcc7.patch b/libs/libartnet/patches/002-gcc7.patch
new file mode 100644 (file)
index 0000000..44dde90
--- /dev/null
@@ -0,0 +1,13 @@
+diff --git a/artnet/transmit.c b/artnet/transmit.c
+index ce19b11..e882db9 100644
+--- a/artnet/transmit.c
++++ b/artnet/transmit.c
+@@ -163,7 +163,7 @@ int artnet_tx_tod_data(node n, int id) {
+   bloc = 0;
+   while (remaining > 0) {
+-    memset(&tod.data.toddata.tod,0x00, ARTNET_MAX_UID_COUNT);
++    memset(&tod.data.toddata.tod,0x00, ARTNET_MAX_UID_COUNT * sizeof(tod.data.toddata.tod));
+     lim = min(ARTNET_MAX_UID_COUNT, remaining);
+     tod.data.toddata.blockCount = bloc++;
+     tod.data.toddata.uidCount = lim;
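Review bot: The size passed to `memset` in the added line looks too large. If `tod.data.toddata.tod` is an array, `sizeof(tod.data.toddata.tod)` is already the byte size of the whole member, so multiplying it by `ARTNET_MAX_UID_COUNT` would clear far more than the member and overwrite adjacent memory on every loop iteration. The declaration is not visible in this hunk, so this should be confirmed against the header, but the form that is correct regardless of the element width is `memset(&tod.data.toddata.tod, 0x00, sizeof(tod.data.toddata.tod));`. The body of artnet_tx_tod_data continues outside the hunk.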
index c0847a6fbcd03f451af618862240cdc807086e3f..1b57b16d4c9c3834438044bdf4f8a3b09584961f 100644 (file)
@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libevdev
-PKG_VERSION:=1.5.6
+PKG_VERSION:=1.5.9
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL:=http://www.freedesktop.org/software/libevdev/
-PKG_HASH:=ecec7e9d66b1d3692f10b3b20aa97fb25e874a784c5552a7b1698091fef5a688
+PKG_SOURCE_URL:=https://www.freedesktop.org/software/libevdev/
+PKG_HASH:=e1663751443bed9d3e76a4fe2caf6fa866a79705d91cacad815c04e706198a75
 
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=COPYING
@@ -25,7 +25,7 @@ define Package/libevdev
   SECTION:=libs
   CATEGORY:=Libraries
   TITLE:=a wrapper library for evdev devices
-  URL:=http://www.freedesktop.org/wiki/Software/libevdev/
+  URL:=https://www.freedesktop.org/wiki/Software/libevdev/
 endef
 
 define Package/libevdev/description
index 2ab3263a2cce9f9f775931af8784c1eb2de5c831..0c5ee7c41f3100a5c8de0a5dfa8d4309b652194b 100644 (file)
@@ -1,17 +1,21 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=glog
-PKG_RELEASE:=1
-PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL:=https://github.com/google/glog.git
-PKG_SOURCE_VERSION:=v0.3.5
-PKG_MIRROR_HASH:=4677fba927e2d9cdcbc518c34c88465260d506d88072ea16217a8171310b9a1c
+PKG_VERSION:=0.3.5
+PKG_RELEASE:=2
 
-PKG_FIXUP:=autoreconf
-PKG_INSTALL:=1
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://codeload.github.com/google/glog/tar.gz/v$(PKG_VERSION)?
+PKG_HASH:=7580e408a2c0b5a89ca214739978ce6ff480b5e7d8d7698a2aa92fadc484d1e0
 
+PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILE:=COPYING
 
+PKG_FIXUP:=autoreconf
+
+PKG_BUILD_PARALLEL:=1
+PKG_INSTALL:=1
+
 include $(INCLUDE_DIR)/package.mk
 
 define Package/glog
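Review bot: The line directly under the new `PKG_LICENSE` still reads `PKG_LICENSE_FILE:=COPYING`, while every other Makefile touched in this commit uses the plural `PKG_LICENSE_FILES`. With the singular name the license file is most likely not picked up for this package's metadata. Since the license block is being reworked here anyway, it should become `PKG_LICENSE_FILES:=COPYING`.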
@@ -28,6 +32,8 @@ define Package/glog/description
   module.  Documentation for the implementation is in doc/.
 endef
 
+CONFIGURE_VARS+=ac_cv_have_libunwind_h=0
+
 TARGET_CXXFLAGS+=-std=c++11
 TARGET_LDFLAGS+=-lpthread
 
index 448521260a37a802175093873ab317063e335b4f..559a229c9d11f680c5eaec0d86aad82ed319bbb7 100644 (file)
@@ -8,17 +8,18 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libp11
-PKG_VERSION:=0.4.7
+PKG_VERSION:=0.4.9
 PKG_RELEASE:=1
-PKG_HASH:=32e486d4279e09174b63eb263bc840016ebfa80b0b154390c0539b211aec0452
+
+PKG_SOURCE_URL:=https://github.com/OpenSC/libp11/releases/download/$(PKG_NAME)-$(PKG_VERSION)/
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_HASH:=9d1c76d74c21ca224f96204982097ebc6b956f645b2b0b5f9c502a20e9ffcfd8
 
 PKG_MAINTAINER:=Daniel Golle <daniel@makrotopia.org>
 PKG_LICENSE:=LGPL-2.1+
 PKG_LICENSE_FILES:=COPYING
 
-PKG_SOURCE_URL:=https://github.com/OpenSC/libp11/releases/download/$(PKG_NAME)-$(PKG_VERSION)/
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-
+PKG_BUILD_PARALLEL:=1
 PKG_FIXUP:=libtool
 PKG_INSTALL:=1
 
index 9766b804555033b683cc99902eb5511424db2e09..a062c1b897793c8687d231c9ea7d2801c0008772 100644 (file)
@@ -1,6 +1,6 @@
 --- a/src/Makefile.am
 +++ b/src/Makefile.am
-@@ -47,13 +47,6 @@ pkcs11_la_LIBADD = $(libp11_la_OBJECTS)
+@@ -49,13 +49,6 @@ pkcs11_la_LIBADD = $(libp11_la_OBJECTS) $(OPENSSL_LIBS)
  pkcs11_la_LDFLAGS = $(AM_LDFLAGS) -module -shared -shrext $(SHARED_EXT) \
        -avoid-version -export-symbols "$(srcdir)/pkcs11.exports"
  
@@ -16,7 +16,7 @@
  mylibdir=$(libdir)
 --- a/src/Makefile.in
 +++ b/src/Makefile.in
-@@ -844,7 +844,7 @@ distdir: $(DISTFILES)
+@@ -872,7 +872,7 @@ distdir: $(DISTFILES)
          fi; \
        done
  check-am: all-am
@@ -25,7 +25,7 @@
  check: check-am
  all-am: Makefile $(LTLIBRARIES) $(DATA) $(HEADERS) config.h
  installdirs:
-@@ -915,7 +915,7 @@ install-dvi-am:
+@@ -944,7 +944,7 @@ install-dvi-am:
  
  install-exec-am: install-enginesexecLTLIBRARIES install-libLTLIBRARIES
        @$(NORMAL_INSTALL)
@@ -34,7 +34,7 @@
  install-html: install-html-am
  
  install-html-am:
-@@ -960,7 +960,7 @@ uninstall-am: uninstall-enginesexecLTLIB
+@@ -989,7 +989,7 @@ uninstall-am: uninstall-enginesexecLTLIBRARIES \
  
  .MAKE: all check-am install-am install-exec-am install-strip
  
@@ -43,7 +43,7 @@
        clean-enginesexecLTLIBRARIES clean-generic \
        clean-libLTLIBRARIES clean-libtool cscopelist-am ctags \
        ctags-am distclean distclean-compile distclean-generic \
-@@ -968,7 +968,7 @@ uninstall-am: uninstall-enginesexecLTLIB
+@@ -997,7 +997,7 @@ uninstall-am: uninstall-enginesexecLTLIBRARIES \
        dvi-am html html-am info info-am install install-am \
        install-data install-data-am install-dvi install-dvi-am \
        install-enginesexecLTLIBRARIES install-exec install-exec-am \
index e2ed5806afe5302068ffe9b7b20e8c0008d590a7..d29838b55f2d19b2444c74bf0b7ebfe51e3d3f40 100644 (file)
@@ -8,17 +8,18 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libsearpc
-PKG_VERSION:=3.0.8
-PKG_RELEASE=$(PKG_SOURCE_VERSION)-1
+PKG_VERSION:=3.1.0
+PKG_RELEASE=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://codeload.github.com/haiwen/libsearpc/tar.gz/v$(PKG_VERSION)?
+PKG_HASH:=cbd86d3c37b54ca2060ca537a07940fe3e98498abf345b2f3e1cec488230231a
+
 PKG_LICENSE:=GPL-3.0
+PKG_LICENSE_FILES:=LICENSE.txt
 
-PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL:=https://github.com/haiwen/libsearpc.git
-PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE_VERSION:=12a01268825e9c7e17794c58c367e3b4db912ad9
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
-PKG_MIRROR_HASH:=8ca4785c4d276afeac212a26a143b22e45b85cf196c1218e4630f6072a33f430
 PKG_FIXUP:=autoreconf
+PKG_BUILD_PARALLEL:=1
 PKG_INSTALL:=1
 
 include $(INCLUDE_DIR)/package.mk
@@ -30,7 +31,7 @@ define Package/libsearpc
     CATEGORY:=Libraries
     TITLE:=Seafile RPC Library
     MAINTAINER:=Gergely Kiss <mail.gery@gmail.com>
-    URL:=http://seafile.com/
+    URL:=https://seafile.com
     DEPENDS:=+glib2 +jansson +python $(ICONV_DEPENDS)
 endef
 
index 61695c7068bcad6dc0f893982fa67c25b9d9aede..45b200fd8be862c0e7a95f950b1daaa2699f3bb4 100644 (file)
@@ -1,4 +1,4 @@
-# 
+#
 # Copyright (C) 2014 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
@@ -8,16 +8,18 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libsoup
-PKG_VERSION:=2.63.2
+PKG_VERSION:=2.65.1
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL:=@GNOME/$(PKG_NAME)/2.63
-PKG_HASH:=3931f8ae282f010fa0d6c31841751d7c4bff72f116d13f34a5bf98a96550a4f9
+PKG_SOURCE_URL:=@GNOME/$(PKG_NAME)/2.65
+PKG_HASH:=3f3718623338f1bd7d7899dae2bdb613348212d59999a27432120afc1435ff04
 
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
+PKG_CPE_ID:=cpe:/a:gnome:libsoup
 
+PKG_BUILD_PARALLEL:=1
 PKG_FIXUP:=autoreconf
 PKG_INSTALL:=1
 
@@ -31,20 +33,20 @@ define Package/libsoup
   SECTION:=libs
   CATEGORY:=Libraries
   TITLE:=libsoup
-  URL:=http://live.gnome.org/LibSoup
+  URL:=https://wiki.gnome.org/Projects/libsoup
   MAINTAINER:=W. Michael Petullo <mike@flyn.org>
   DEPENDS:=+glib2 +libxml2 +libgnutls +libsqlite3 +libpsl $(ICONV_DEPENDS) $(INTL_DEPENDS)
 endef
 
 define Build/Configure
        $(call Build/Configure/Default, \
-               --enable-ssl \
                --disable-glibtest \
+               --disable-gtk-doc-html \
+               --disable-more-warnings \
+               --disable-vala \
                --without-apache-httpd \
                --without-gnome \
                --without-gssapi \
-               --enable-vala=no \
-               --disable-more-warnings \
        )
 endef
 
index cc410c058d39e43766a883dad9b7974d7824e9fd..e6a372ee4c22fd6b814e7117af9312795a668da1 100644 (file)
@@ -32,7 +32,7 @@ define Package/libssh
   CATEGORY:=Libraries
   URL:=$(PKG_SOURCE_URL)
   TITLE:=SSH library
-  DEPENDS:=+libpthread +librt +zlib +libopenssl
+  DEPENDS:=+libpthread +librt +zlib +libopenssl @BROKEN
 endef
 
 define Package/libssh/description
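Review bot: `@BROKEN` is added to `DEPENDS` with no comment explaining why the package is being disabled or what has to change before it can be re-enabled. Anyone who later finds libssh and its dependants unselectable has only the commit history to go on, and the marker is easy to remove by accident during a version bump. A comment above the line would help, for example `# marked broken: <reason or tracking issue>; remove once <condition>`, with the placeholders filled in by the author.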
index 89456916948a1855bafeb72c68bc7db42bd59d12..f336a878d07ef8c8955df4f0d29190caf290ebca 100644 (file)
@@ -8,17 +8,19 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=opus
-PKG_VERSION:=1.2.1
+PKG_VERSION:=1.3
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://archive.mozilla.org/pub/opus/
-PKG_HASH:=cfafd339ccd9c5ef8d6ab15d7e1a412c054bf4cb4ecbbbcc78c12ef2def70732
+PKG_SOURCE_URL:=https://archive.mozilla.org/pub/opus
+PKG_HASH:=4f3d69aefdf2dbaf9825408e452a8a414ffc60494c70633560700398820dc550
 
+PKG_MAINTAINER:=Ted Hess <thess@kitchensync.net>, Ian Leonard <antonlacon@gmail.com>
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=COPYING
-PKG_MAINTAINER:=Ted Hess <thess@kitchensync.net>, Ian Leonard <antonlacon@gmail.com>
+PKG_CPE_ID:=cpe:/a:opus-codec:opus
 
+PKG_BUILD_PARALLEL:=1
 PKG_INSTALL:=1
 
 include $(INCLUDE_DIR)/package.mk
@@ -27,7 +29,7 @@ define Package/libopus
   SECTION:=libs
   CATEGORY:=Libraries
   TITLE:=OPUS Audio Codec
-  URL:=http://opus-codec.org/
+  URL:=https://opus-codec.org
 endef
 
 define Package/libopus/description
@@ -51,7 +53,6 @@ ifneq ($(findstring neon,$(CONFIG_TARGET_OPTIMIZATION)),)
 endif
 
 CPU_ASM_BLACKLIST:=xscale arm926ej-s
-
 ifneq ($(findstring $(call qstrip,$(CONFIG_CPU_TYPE)),$(CPU_ASM_BLACKLIST)),)
        CONFIGURE_ARGS+= --disable-asm
 endif
index 23cc26df2e9cf427fda10ddea8316df6b663060a..fbc81c6ea842fd3bf46ea63584e6f934269be870 100644 (file)
@@ -8,20 +8,20 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=pcre2
-PKG_VERSION:=10.31
+PKG_VERSION:=10.32
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
-PKG_SOURCE_URL:=@SF/$(PKG_NAME) \
-               ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre
-PKG_HASH:=e07d538704aa65e477b6a392b32ff9fc5edf75ab9a40ddfc876186c4ff4d68ac
-PKG_MAINTAINER:=Shane Peelar <lookatyouhacker@gmail.com>
+PKG_SOURCE_URL:=@SF/pcre/$(PKG_NAME)/$(PKG_VERSION)
+PKG_HASH:=f29e89cc5de813f45786580101aaee3984a65818631d4ddbda7b32f699b87c2e
 
+PKG_MAINTAINER:=Shane Peelar <lookatyouhacker@gmail.com>
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENCE
 
 PKG_FIXUP:=autoreconf
 
+PKG_BUILD_PARALLEL:=1
 PKG_INSTALL:=1
 
 include $(INCLUDE_DIR)/package.mk
@@ -29,7 +29,7 @@ include $(INCLUDE_DIR)/package.mk
 define Package/libpcre2/default
   SECTION:=libs
   CATEGORY:=Libraries
-  URL:=http://www.pcre.org/
+  URL:=https://www.pcre.org/
 endef
 
 define Package/libpcre2
index 684fcc5ea1be92491722ba70ba323a2dc01b65ae..5cb9bf5c7b59e112f3834d6e3d5a50a0e5955578 100644 (file)
@@ -8,16 +8,16 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=sbc
-PKG_VERSION:=1.3
-PKG_RELEASE:=2
+PKG_VERSION:=1.4
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=@KERNEL/linux/bluetooth/
-PKG_HASH:=e61022cf576f14190241e7071753fdacdce5d1dea89ffd704110fc50be689309
+PKG_HASH:=518bf46e6bb3dc808a95e1eabad26fdebe8a099c1e781c27ed7fca6c2f4a54c9
 
 PKG_LICENSE:=LGPL-2.1+
 PKG_LICENSE_FILES:=COPYING.LIB
-PKG_MAINTAINER:=Dirk Neukirchen <dirkneukirchen@web.de>
+PKG_MAINTAINER:=
 
 PKG_FIXUP:=autoreconf
 PKG_INSTALL:=1
index fc23579615171a9a82635a178b7c0f3d441a58d3..966848ac3cb89ee462dc36c7d94030e24138a6a5 100644 (file)
@@ -23,6 +23,8 @@ PKG_BUILD_DIR:=$(BUILD_DIR)/unixODBC-$(PKG_VERSION)
 HOST_BUILD_DIR:=$(BUILD_DIR_HOST)/unixODBC-$(PKG_VERSION)
 HOST_BUILD_DEPENDS:=unixodbc
 
+PKG_FIXUP:=autoreconf
+
 # if your other package depends on unixodbc and needs
 # odbc_config, add to your other Makefile
 #  PKG_BUILD_DEPENDS:=unixodbc/host
index d63c030e6758f4714c9414fc071fc6624f15d868..99212548d6936a93a2bc85e4e24975f8c2ef99bd 100755 (executable)
@@ -224,7 +224,7 @@ aria2_start() {
                        append_setting "rpc-secret=${rpc_secret}"
                elif [ -n "$rpc_user" ]; then
                        append_setting "rpc-user=${rpc_user}"
-                       append_setting "rcp-passwd=${rcp-passwd}"
+                       append_setting "rpc-passwd=${rpc_passwd}"
                else
                        _info "It is recommand to set RPC secret."
                fi
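Review bot: Both user/password branches now write `rpc-passwd=${rpc_passwd}` but only test that `rpc_user` is set, so a configuration with a user name and no password starts the RPC interface with an empty password. Unless `rpc_passwd` is validated elsewhere in aria2_start (the function extends outside both hunks), the guards should require it as well: `elif [ -n "$rpc_user" ] && [ -n "$rpc_passwd" ]; then` here and `if [ -n "$rpc_user" ] && [ -n "$rpc_passwd" ]; then` in the second hunk. The existing `_info`/`unset_auth_method` fallbacks then cover the missing-password case too.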
@@ -235,9 +235,9 @@ aria2_start() {
                        unset_auth_method
                fi
        elif [ "$rpc_auth_method" = "user_pass" ]; then
-               if [ -n "$rcp_user" ]; then
+               if [ -n "$rpc_user" ]; then
                        append_setting "rpc-user=${rpc_user}"
-                       append_setting "rcp-passwd=${rcp-passwd}"
+                       append_setting "rpc-passwd=${rpc_passwd}"
                else
                        _info "Please set RPC user."
                        unset_auth_method
index daa84010189112261dd6f6c134c4269c85b03968..ea6ac0981dc930003f8d8e15afa6f44bd94124a3 100644 (file)
@@ -8,16 +8,17 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=clamav
-PKG_VERSION:=0.100.1
-PKG_RELEASE:=2
+PKG_VERSION:=0.100.2
+PKG_RELEASE:=1
 
 PKG_LICENSE:=GPL-2.0
 PKG_MAINTAINER:=Marko Ratkaj <marko.ratkaj@sartura.hr> \
                Lucian Cristian <lucian.cristian@gmail.com>
+PKG_CPE_ID:=cpe:/a:clamav:clamav
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://www.clamav.net/downloads/production/
-PKG_HASH:=84e026655152247de7237184ee13003701c40be030dd68e0316111049f58a59f
+PKG_HASH:=4a2e4f0cd41e62adb5a713b4a1857c49145cd09a69957e6d946ecad575206dd6
 
 PKG_BUILD_PARALLEL:=1
 PKG_INSTALL:=1
@@ -31,7 +32,7 @@ define Package/clamav/Default
   CATEGORY:=Network
   SUBMENU:=Web Servers/Proxies
   TITLE:=ClamAV
-  URL:=http://www.clamav.net/
+  URL:=https://www.clamav.net/
 endef
 
 define Package/clamav
index 987c770fbfe794c2b554ca5dfbcd40184e87495a..651891eaad4f9e9d1853d1d1295a6e2a89683fa5 100644 (file)
@@ -1,11 +1,11 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=gnunet
-PKG_SOURCE_VERSION:=13274f4bd2009dd928e91f0b6e056cee7f7975a5
-PKG_MIRROR_HASH:=fb80259245a496bc238117c7ac36f9338dc3612a99eef2bc5be2a042de8cdee1
+PKG_SOURCE_VERSION:=e0785bb1b2af91a38d161bda7a4075338579441a
+PKG_MIRROR_HASH:=4cbb9cf48f18fa87aa7c81bcff2372fc9c04c3688fb8dd4b2b57da258050179b
 
-PKG_VERSION:=0.10.2-git-20180929-$(PKG_SOURCE_VERSION)
-PKG_RELEASE:=1
+PKG_VERSION:=0.10.2-git-20181021-$(PKG_SOURCE_VERSION)
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
@@ -285,7 +285,7 @@ PLUGIN_dhtcache-heap:=datacache_heap
 CONFLICTS_dhtcache-heap:=gnunet-dhtcache-pgsql gnunet-dhtcache-sqlite
 
 DEPENDS_gns-flat:=+gnunet-gns
-PLUGIN_gns-flat:=namecache_flat namestore_flat
+PLUGIN_gns-flat:=namecache_flat namestore_heap
 
 DEPENDS_peerstore-flat:=+gnunet-peerstore
 PLUGIN_peerstore-flat:=peerstore_flat
index a861291b45ad1d9bcfff79db4062faeaf6de2a0c..f37228dd7c7bb7da4406ad6a17f2e539da5f2793 100644 (file)
@@ -4,10 +4,10 @@ uci -q get gnunet.namestore || uci set gnunet.namestore=gnunet-config
 uci -q get gnunet.namecache || uci set gnunet.namecache=gnunet-config
 
 uci -q batch <<EOF
-       del gnunet.namestore_flat
-       set gnunet.namestore_flat=gnunet-config
-       set gnunet.namestore_flat.FILENAME=/etc/gnunet/namestore.flat
-       set gnunet.namestore.DATABASE=flat
+       del gnunet.namestore_heap
+       set gnunet.namestore_heap=gnunet-config
+       set gnunet.namestore_heap.FILENAME=/etc/gnunet/namestore.flat
+       set gnunet.namestore.DATABASE=heap
        del gnunet.namecache_flat
        set gnunet.namecache_flat=gnunet-config
        set gnunet.namecache_flat.FILENAME=/var/run/gnunet/namecache.flat
index 9878391123faf16c69fd4196dca4db65fcb403ab..2b86918a912e441b01393b16e169ee46db7b5bdc 100644 (file)
@@ -9,7 +9,7 @@ include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=jool
 PKG_VERSION:=3.5.7
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/NICMx/Jool/tar.gz/v$(PKG_VERSION)?
diff --git a/net/jool/patches/010-Add-support-for-kernel-4.17.patch b/net/jool/patches/010-Add-support-for-kernel-4.17.patch
new file mode 100644 (file)
index 0000000..be860a4
--- /dev/null
@@ -0,0 +1,76 @@
+From 831486ea6c7d7adfbdc453587a65bcba247d698b Mon Sep 17 00:00:00 2001
+From: Alberto Leiva Popper <ydahhrk@gmail.com>
+Date: Fri, 6 Jul 2018 13:19:21 -0500
+Subject: [PATCH 1/2] Add support for kernel 4.17
+
+Fixes #266.
+---
+ mod/common/hash_table.c    | 14 +++-----------
+ mod/stateful/fragment_db.c |  4 +---
+ 2 files changed, 4 insertions(+), 14 deletions(-)
+
+diff --git a/mod/common/hash_table.c b/mod/common/hash_table.c
+index 25ddd7a6..4e9272f8 100644
+--- a/mod/common/hash_table.c
++++ b/mod/common/hash_table.c
+@@ -23,8 +23,7 @@
+  * @macro HTABLE_NAME name of the hash table structure to generate. Optional; Default: hash_table.
+  * @macro KEY_TYPE data type of the table's keys.
+  * @macro VALUE_TYPE data type of the table's values.
+- * @macro HASH_TABLE_SIZE The size of the internal array, in slots. Optional;
+- *            Default = Max = 64k - 1.
++ * @macro HASH_TABLE_SIZE The size of the internal array, in slots. MUST be a power of 2.
+  * @macro GENERATE_PRINT just define it if you want the print function; otherwise it will not be
+  *            generated.
+  * @macro GENERATE_FOR_EACH just define it if you want the for_each function; otherwise it will not
+@@ -44,13 +43,6 @@
+ #define HTABLE_NAME hash_table
+ #endif
+-#ifndef HASH_TABLE_SIZE
+-/**
+- * This number should not exceed unsigned int's maximum.
+- */
+-#define HASH_TABLE_SIZE (64 * 1024 - 1)
+-#endif
+-
+ /** Creates a token name by concatenating prefix and suffix. */
+ #define CONCAT_AUX(prefix, suffix) prefix ## suffix
+ /** Seems useless, but if not present, the compiler won't expand the HTABLE_NAME macro... */
+@@ -131,7 +123,7 @@ static struct KEY_VALUE_PAIR *GET_AUX(struct HTABLE_NAME *table, const KEY_TYPE
+       if (WARN(!table, "The table is NULL."))
+               return NULL;
+-      hash_code = table->hash_function(key) % HASH_TABLE_SIZE;
++      hash_code = table->hash_function(key) & (HASH_TABLE_SIZE - 1);
+       hlist_for_each(current_node, &table->table[hash_code]) {
+               current_pair = hlist_entry(current_node, struct KEY_VALUE_PAIR, hlist_hook);
+               if (table->equals_function(key, &current_pair->key))
+@@ -210,7 +202,7 @@ static int PUT(struct HTABLE_NAME *table, KEY_TYPE *key, VALUE_TYPE *value)
+       key_value->value = value;
+       /* Insert the key-value to the table. */
+-      hash_code = table->hash_function(key) % HASH_TABLE_SIZE;
++      hash_code = table->hash_function(key) & (HASH_TABLE_SIZE - 1);
+       hlist_add_head(&key_value->hlist_hook, &table->table[hash_code]);
+       list_add_tail(&key_value->list_hook, &table->list);
+diff --git a/mod/stateful/fragment_db.c b/mod/stateful/fragment_db.c
+index 44f966aa..ef0b1f5a 100644
+--- a/mod/stateful/fragment_db.c
++++ b/mod/stateful/fragment_db.c
+@@ -90,10 +90,8 @@ static bool equals_function(const struct packet *k1, const struct packet *k2)
+ static unsigned int inet6_hash_frag(__be32 id, const struct in6_addr *saddr,
+               const struct in6_addr *daddr, u32 rnd)
+ {
+-      u32 c;
+-      c = jhash_3words(ipv6_addr_hash(saddr), ipv6_addr_hash(daddr),
++      return jhash_3words(ipv6_addr_hash(saddr), ipv6_addr_hash(daddr),
+                       (__force u32)id, rnd);
+-      return c & (INETFRAGS_HASHSZ - 1);
+ }
+ #endif
+-- 
+2.19.1
+
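Review bot: The imported hash_table.c change replaces `% HASH_TABLE_SIZE` with `& (HASH_TABLE_SIZE - 1)` in GET_AUX and PUT and documents that the size "MUST be a power of 2", but nothing enforces it. A non-power-of-two size would still index in bounds, yet it would leave some buckets permanently unused and pile entries into the rest without any diagnostic. A compile-time guard next to the macro documentation makes the contract checkable: `#if (HASH_TABLE_SIZE) & ((HASH_TABLE_SIZE) - 1)` followed by `#error "HASH_TABLE_SIZE must be a power of 2"` and `#endif`. Since the default definition is removed in the same patch, it is also worth confirming that every includer defines `HASH_TABLE_SIZE`; those files are not visible here.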
diff --git a/net/jool/patches/020-packet-rename-offset_to_ptr-to-skb_offset_to_ptr-to-.patch b/net/jool/patches/020-packet-rename-offset_to_ptr-to-skb_offset_to_ptr-to-.patch
new file mode 100644 (file)
index 0000000..4023af7
--- /dev/null
@@ -0,0 +1,65 @@
+From f9e62248f252accb0609243958fb51f0f99a5bf3 Mon Sep 17 00:00:00 2001
+From: Ricardo Salveti <ricardo@foundries.io>
+Date: Mon, 1 Oct 2018 22:45:17 -0300
+Subject: [PATCH 2/2] packet: rename offset_to_ptr to skb_offset_to_ptr to
+ avoid conflicts with newer kernel
+
+Rename offset_to_ptr to skb_offset_to_ptr to avoid definition conflict
+when building jool against linux >= 4.19.
+
+Fixes:
+| mod/stateful/../common/packet.c:73:14: error: conflicting types for 'offset_to_ptr'
+|  static void *offset_to_ptr(struct sk_buff *skb, unsigned int offset)
+|               ^~~~~~~~~~~~~
+| In file included from kernel-source/include/linux/export.h:45,
+|                  from kernel-source/include/linux/linkage.h:7,
+|                  from kernel-source/include/linux/kernel.h:7,
+|                  from kernel-source/include/linux/skbuff.h:17,
+|                  from mod/stateful/../../include/nat64/mod/common/packet.h:81,
+|                  from mod/stateful/../common/packet.c:1:
+| kernel-source/include/linux/compiler.h:297:21: note: previous definition of 'offset_to_ptr' was here
+|  static inline void *offset_to_ptr(const int *off)
+|                      ^~~~~~~~~~~~~
+
+Signed-off-by: Ricardo Salveti <ricardo@foundries.io>
+---
+ mod/common/packet.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/mod/common/packet.c b/mod/common/packet.c
+index 9b4fbcd6..1b094fcc 100644
+--- a/mod/common/packet.c
++++ b/mod/common/packet.c
+@@ -70,7 +70,7 @@ static int inhdr4(struct sk_buff *skb, const char *msg)
+       return -EINVAL;
+ }
+-static void *offset_to_ptr(struct sk_buff *skb, unsigned int offset)
++static void *skb_offset_to_ptr(struct sk_buff *skb, unsigned int offset)
+ {
+       return ((void *) skb->data) + offset;
+ }
+@@ -368,9 +368,9 @@ int pkt_init_ipv6(struct packet *pkt, struct sk_buff *skb)
+       pkt->l4_proto = meta.l4_proto;
+       pkt->is_inner = 0;
+       pkt->is_hairpin = false;
+-      pkt->hdr_frag = meta.has_frag_hdr ? offset_to_ptr(skb, meta.frag_offset) : NULL;
++      pkt->hdr_frag = meta.has_frag_hdr ? skb_offset_to_ptr(skb, meta.frag_offset) : NULL;
+       skb_set_transport_header(skb, meta.l4_offset);
+-      pkt->payload = offset_to_ptr(skb, meta.payload_offset);
++      pkt->payload = skb_offset_to_ptr(skb, meta.payload_offset);
+       pkt->original_pkt = pkt;
+       return 0;
+@@ -530,7 +530,7 @@ int pkt_init_ipv4(struct packet *pkt, struct sk_buff *skb)
+       pkt->is_hairpin = false;
+       pkt->hdr_frag = NULL;
+       skb_set_transport_header(skb, meta.l4_offset);
+-      pkt->payload = offset_to_ptr(skb, meta.payload_offset);
++      pkt->payload = skb_offset_to_ptr(skb, meta.payload_offset);
+       pkt->original_pkt = pkt;
+       return 0;
+-- 
+2.19.1
+
index 72d01aa3f381c6d9db760e003d13d02202e34eeb..37845146ce692d4c45252e5c1188ff3221f3f018 100644 (file)
@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=mDNSResponder
-PKG_VERSION:=576.30.4
-PKG_RELEASE:=2
+PKG_VERSION:=878.70.2
+PKG_RELEASE:=1
 
 PKG_SOURCE:=mDNSResponder-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://opensource.apple.com/tarballs/mDNSResponder/
-PKG_HASH:=4737cb51378377e11d0edb7bcdd1bec79cbdaa7b27ea09c13e3006e58f8d92c0
-PKG_MAINTAINER:=Steven Barth <cyrus@openwrt.org>
+PKG_HASH:=cdd03171ca05f16ea987bba1f8b0c4847d3035283ea0f5fa0ade75f64ec83ed5
+PKG_MAINTAINER:=
 PKG_LICENSE:=Apache-2.0
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/mDNSResponder-$(PKG_VERSION)
index b1685fc45bb6201c15e4639287dff9671967d0c7..aa90eb98b3164b170f63815b53affa693fb4883a 100644 (file)
@@ -48,8 +48,8 @@
  LINKOPTS = -lsocket -lnsl -lresolv
  JAVACFLAGS_OS += -I$(JDK)/include/solaris
  ifneq ($(DEBUG),1)
-@@ -148,7 +149,8 @@ CFLAGS_OS = -DHAVE_IPV6 -no-cpp-precomp
-       -D__MAC_OS_X_VERSION_MIN_REQUIRED=__MAC_OS_X_VERSION_10_4 \
+@@ -149,7 +150,8 @@    -D__MAC_OS_X_VERSION_MIN_REQUIRED=__MAC_OS_X_VERSION_10_4 \
+       -DHAVE_STRLCPY=1 \
        -D__APPLE_USE_RFC_2292 #-Wunreachable-code
  CC = gcc
 -LD = $(CC) -dynamiclib
@@ -58,7 +58,7 @@
  LINKOPTS = -lSystem
  LDSUFFIX = dylib
  JDK = /System/Library/Frameworks/JavaVM.framework/Home
-@@ -170,8 +172,9 @@ NSSLIBFILE  := $(NSSLIBNAME)-$(NSSVERSIO
+@@ -172,8 +174,9 @@ NSSLIBFILE  := $(NSSLIBNAME)-$(NSSVERSIO
  NSSLINKNAME := $(NSSLIBNAME).so.2
  NSSINSTPATH := /lib
  
@@ -69,7 +69,7 @@
  INSTBASE?=/usr
  STARTUPSCRIPTNAME?=mdns
  
-@@ -257,7 +260,7 @@ libdns_sd: setup $(BUILDDIR)/libdns_sd.$
+@@ -259,7 +262,7 @@ libdns_sd: setup $(BUILDDIR)/libdns_sd.$
  CLIENTLIBOBJS = $(OBJDIR)/dnssd_clientlib.c.so.o $(OBJDIR)/dnssd_clientstub.c.so.o $(OBJDIR)/dnssd_ipc.c.so.o
  
  $(BUILDDIR)/libdns_sd.$(LDSUFFIX): $(CLIENTLIBOBJS)
@@ -78,7 +78,7 @@
        @$(STRIP) $@
  
  Clients: setup libdns_sd ../Clients/build/dns-sd
-@@ -292,7 +295,7 @@ InstalledManPages: $(MANPATH)/man8/mdnsd
+@@ -294,7 +297,7 @@ InstalledManPages: $(MANPATH)/man8/mdnsd
  InstalledClients: $(INSTBASE)/bin/dns-sd
        @echo $+ " installed"
  
 +      -[ -f $(ETCBASE)/nsswitch.conf ] && sed -e '/mdns/!s/^\(hosts:.*\)dns\(.*\)/\1mdns dns\2/' $(ETCBASE)/nsswitch.conf.pre-mdns > $(ETCBASE)/nsswitch.conf
  
  #############################################################################
index 974588d200a62efbff514e904a5767c8db579ee2..998c241c56c2d8f3e197a28907fcf8defcdab65e 100644 (file)
@@ -1,10 +1,5 @@
---- /dev/null
-+++ b/.gitignore
-@@ -0,0 +1,4 @@
-+Clients/build
-+mDNSPosix/build
-+mDNSPosix/objects
-+
+diff --git a/Clients/Makefile b/Clients/Makefile
+index 383af31..925c20e 100755
 --- a/Clients/Makefile
 +++ b/Clients/Makefile
 @@ -36,7 +36,7 @@ TARGETS = build/dns-sd build/dns-sd64
@@ -16,6 +11,8 @@
  endif
  
  all: $(TARGETS)
+diff --git a/mDNSPosix/PosixDaemon.c b/mDNSPosix/PosixDaemon.c
+index 88b3292..e86a6c7 100644
 --- a/mDNSPosix/PosixDaemon.c
 +++ b/mDNSPosix/PosixDaemon.c
 @@ -37,6 +37,11 @@
      if (mStatus_NoError == err)
          err = MainLoop(&mDNSStorage);
  
---- a/mDNSPosix/Responder.c
-+++ b/mDNSPosix/Responder.c
-@@ -603,7 +603,8 @@ static mStatus RegisterServicesInFile(co
-         status = mStatus_UnknownErr;
-     }
--    assert(0 == fclose(fp));
-+    int rv = fclose(fp);
-+    assert(0 == rv);
-     return status;
- }
+diff --git a/mDNSPosix/mDNSPosix.c b/mDNSPosix/mDNSPosix.c
+index 6effa12..7c1d6eb 100755
 --- a/mDNSPosix/mDNSPosix.c
 +++ b/mDNSPosix/mDNSPosix.c
-@@ -138,7 +138,7 @@ mDNSlocal void SockAddrTomDNSAddr(const
- // mDNS core calls this routine when it needs to send a packet.
- mDNSexport mStatus mDNSPlatformSendUDP(const mDNS *const m, const void *const msg, const mDNSu8 *const end,
--                                       mDNSInterfaceID InterfaceID, UDPSocket *src, const mDNSAddr *dst, 
-+                                       mDNSInterfaceID InterfaceID, UDPSocket *src, const mDNSAddr *dst,
-                                        mDNSIPPort dstPort, mDNSBool useBackgroundTrafficClass)
- {
-     int err = 0;
-@@ -583,9 +583,17 @@ mDNSlocal void FreePosixNetworkInterface
- {
-     assert(intf != NULL);
-     if (intf->intfName != NULL) free((void *)intf->intfName);
--    if (intf->multicastSocket4 != -1) assert(close(intf->multicastSocket4) == 0);
-+    if (intf->multicastSocket4 != -1)
-+      {
-+        int rv = close(intf->multicastSocket4);
-+        assert(rv == 0);
-+      }
- #if HAVE_IPV6
--    if (intf->multicastSocket6 != -1) assert(close(intf->multicastSocket6) == 0);
-+    if (intf->multicastSocket6 != -1)
-+      {
-+        int rv = close(intf->multicastSocket6);
-+        assert(rv == 0);
-+      }
- #endif
-     // Move interface to the RecentInterfaces list for a minute
-@@ -724,6 +732,29 @@ mDNSlocal int SetupSocket(struct sockadd
+@@ -733,6 +741,29 @@ mDNSlocal int SetupSocket(struct sockaddr *intfAddr, mDNSIPPort port, int interf
              if (err < 0) { err = errno; perror("setsockopt - IP_MULTICAST_TTL"); }
          }
  
          // And start listening for packets
          if (err == 0)
          {
-@@ -805,6 +836,29 @@ mDNSlocal int SetupSocket(struct sockadd
+@@ -814,6 +845,29 @@ mDNSlocal int SetupSocket(struct sockaddr *intfAddr, mDNSIPPort port, int interf
              if (err < 0) { err = errno; perror("setsockopt - IPV6_MULTICAST_HOPS"); }
          }
  
          // And start listening for packets
          if (err == 0)
          {
-@@ -836,7 +890,12 @@ mDNSlocal int SetupSocket(struct sockadd
-     }
-     // Clean up
--    if (err != 0 && *sktPtr != -1) { assert(close(*sktPtr) == 0); *sktPtr = -1; }
-+    if (err != 0 && *sktPtr != -1)
-+      {
-+        int rv = close(*sktPtr);
-+        assert(rv == 0);
-+        *sktPtr = -1;
-+      }
-     assert((err == 0) == (*sktPtr != -1));
-     return err;
- }
-@@ -942,19 +1001,14 @@ mDNSlocal int SetupInterfaceList(mDNS *c
+@@ -958,19 +1017,14 @@ mDNSlocal int SetupInterfaceList(mDNS *const m)
      int err            = 0;
      struct ifi_info *intfList      = get_ifi_info(AF_INET, mDNStrue);
      struct ifi_info *firstLoopback = NULL;
  #endif
  
      if (err == 0)
-@@ -1030,7 +1084,7 @@ mDNSlocal mStatus OpenIfNotifySocket(int
+@@ -1046,7 +1100,7 @@ mDNSlocal mStatus OpenIfNotifySocket(int *pFD)
      /* Subscribe the socket to Link & IP addr notifications. */
      mDNSPlatformMemZero(&snl, sizeof snl);
      snl.nl_family = AF_NETLINK;
      ret = bind(sock, (struct sockaddr *) &snl, sizeof snl);
      if (0 == ret)
          *pFD = sock;
-@@ -1108,11 +1162,18 @@ mDNSlocal mDNSu32       ProcessRoutingNo
+@@ -1124,11 +1178,18 @@ mDNSlocal mDNSu32       ProcessRoutingNotification(int sd)
          PrintNetLinkMsg(pNLMsg);
  #endif
  
  
          // Advance pNLMsg to the next message in the buffer
          if ((pNLMsg->nlmsg_flags & NLM_F_MULTI) != 0 && pNLMsg->nlmsg_type != NLMSG_DONE)
-@@ -1283,8 +1344,12 @@ mDNSexport mStatus mDNSPlatformInit(mDNS
+@@ -1299,8 +1360,12 @@ mDNSexport mStatus mDNSPlatformInit(mDNS *const m)
      if (err == mStatus_NoError) err = SetupSocket(&sa, zeroIPPort, 0, &m->p->unicastSocket6);
  #endif
  
  
      // Tell mDNS core about DNS Servers
      mDNS_Lock(m);
-@@ -1317,9 +1382,17 @@ mDNSexport void mDNSPlatformClose(mDNS *
- {
-     assert(m != NULL);
-     ClearInterfaceList(m);
--    if (m->p->unicastSocket4 != -1) assert(close(m->p->unicastSocket4) == 0);
-+    if (m->p->unicastSocket4 != -1)
-+      {
-+        int rv = close(m->p->unicastSocket4);
-+        assert(rv == 0);
-+      }
- #if HAVE_IPV6
--    if (m->p->unicastSocket6 != -1) assert(close(m->p->unicastSocket6) == 0);
-+    if (m->p->unicastSocket6 != -1)
-+      {
-+        int rv = close(m->p->unicastSocket6);
-+        assert(rv == 0);
-+      }
- #endif
- }
-@@ -1575,14 +1648,14 @@ mDNSexport mStatus    mDNSPlatformClearS
- mDNSexport mDNSu16 mDNSPlatformGetUDPPort(UDPSocket *sock)
- {
-     (void) sock; // unused
-- 
-+
-     return (mDNSu16)-1;
- }
- mDNSexport mDNSBool mDNSPlatformInterfaceIsD2D(mDNSInterfaceID InterfaceID)
- {
-     (void) InterfaceID; // unused
--    
-+
-     return mDNSfalse;
- }
+diff --git a/mDNSPosix/mDNSUNP.c b/mDNSPosix/mDNSUNP.c
+index b392fc7..f551ad5 100755
 --- a/mDNSPosix/mDNSUNP.c
 +++ b/mDNSPosix/mDNSUNP.c
 @@ -63,6 +63,7 @@
  
  /* Converts a prefix length to IPv6 network mask */
  void plen_to_mask(int plen, char *addr) {
-@@ -86,7 +87,7 @@ struct ifi_info *get_ifi_info_linuxv6(in
-     FILE *fp;
+@@ -86,7 +87,7 @@ struct ifi_info *get_ifi_info_linuxv6(int family, int doaliases)
+     FILE *fp = NULL;
      char addr[8][5];
      int flags, myflags, index, plen, scope;
 -    char ifname[9], lastname[IFNAMSIZ];
 +    char ifname[IFNAMSIZ], lastname[IFNAMSIZ];
      char addr6[32+7+1]; /* don't forget the seven ':' */
      struct addrinfo hints, *res0;
-     struct sockaddr_in6 *sin6;
-@@ -94,7 +95,8 @@ struct ifi_info *get_ifi_info_linuxv6(in
+     int err;
+@@ -92,7 +93,8 @@ struct ifi_info *get_ifi_info_linuxv6(int family, int doaliases)
      int err;
      int sockfd = -1;
      struct ifreq ifr;
      res0=NULL;
      ifihead = NULL;
      ifipnext = &ifihead;
-@@ -106,11 +108,12 @@ struct ifi_info *get_ifi_info_linuxv6(in
+@@ -104,11 +106,12 @@ struct ifi_info *get_ifi_info_linuxv6(int family, int doaliases)
              goto gotError;
          }
          while (fscanf(fp,
              myflags = 0;
              if (strncmp(lastname, ifname, IFNAMSIZ) == 0) {
                  if (doaliases == 0)
-@@ -204,8 +207,11 @@ gotError:
-         res0=NULL;
-     }
- done:
-+    if (fp)
-+      fclose(fp);
-     if (sockfd != -1) {
--        assert(close(sockfd) == 0);
-+      int rv = close(sockfd);
-+      assert(rv == 0);
-     }
-     return(ifihead);    /* pointer to first structure in linked list */
- }
+diff --git a/mDNSShared/dnsextd_parser.y b/mDNSShared/dnsextd_parser.y
+index 18c5990..d4b63ce 100644
 --- a/mDNSShared/dnsextd_parser.y
 +++ b/mDNSShared/dnsextd_parser.y
 @@ -15,6 +15,8 @@
  int  yylex(void);
  
  
-@@ -378,7 +380,7 @@ int yywrap(void);
+@@ -409,7 +419,7 @@ int yywrap(void);
  
  extern int yylineno;
  
diff --git a/net/mdnsresponder/patches/114-fix_posix_build.patch b/net/mdnsresponder/patches/114-fix_posix_build.patch
deleted file mode 100644 (file)
index d3fbae5..0000000
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/mDNSPosix/mDNSPosix.c
-+++ b/mDNSPosix/mDNSPosix.c
-@@ -1673,7 +1673,7 @@ mDNSexport mDNSs32 mDNSPlatformGetServic
-     return -1;
- }
--mDNSexport void mDNSPlatformSetDelegatePID(UDPSocket *src, const mDNSAddr *dst, DNSQuestion *q)
-+mDNSexport void mDNSPlatformSetuDNSSocktOpt(UDPSocket *src, const mDNSAddr *dst, DNSQuestion *q)
- {
-     (void) src;
-     (void) dst;
index b1e7caa4f2e48b9996282d8b4c8b26f43435e54f..611187676989ab74d85e41286d6fb48e095ba6ad 100644 (file)
@@ -1,6 +1,6 @@
 --- a/Clients/dns-sd.c
 +++ b/Clients/dns-sd.c
-@@ -1811,7 +1811,7 @@ Fail:
+@@ -2288,7 +2288,7 @@ Fail:
  
  // NOT static -- otherwise the compiler may optimize it out
  // The "@(#) " pattern is a special prefix the "what" command looks for
@@ -11,7 +11,7 @@
  // If the process crashes, then this string will be magically included in the automatically-generated crash log
 --- a/mDNSPosix/PosixDaemon.c
 +++ b/mDNSPosix/PosixDaemon.c
-@@ -289,9 +289,9 @@ asm (".desc ___crashreporter_info__, 0x1
+@@ -290,9 +290,9 @@ asm (".desc ___crashreporter_info__, 0x1
  
  // For convenience when using the "strings" command, this is the last thing in the file
  #if mDNSResponderVersion > 1
@@ -33,7 +33,7 @@
 +const char VersionString_SCCS[] = "@(#) libjdns_sd " STRINGIFY(mDNSResponderVersion);
 --- a/mDNSShared/dnsextd.c
 +++ b/mDNSShared/dnsextd.c
-@@ -3141,7 +3141,7 @@ mDNS mDNSStorage;
+@@ -3136,7 +3136,7 @@ mDNS mDNSStorage;
  
  // For convenience when using the "strings" command, this is the last thing in the file
  // The "@(#) " pattern is a special prefix the "what" command looks for
index dd6f372b66bc7fa3dd6909a90a8b65f408474ea9..69cbaf467a2ed78072649576c8f69a6cef90830e 100644 (file)
@@ -13,6 +13,7 @@ PKG_VERSION:=1.5.3
 PKG_RELEASE:=3
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE.txt
+PKG_CPE_ID:=cpe:/a:eclipse:mosquitto
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://mosquitto.org/files/source/
index d9a085a3713332d266fc73daf7287bbc4a2e7576..2e7d2ec992d817fde201c19bb598e43bc8f262dc 100644 (file)
@@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=mwan3
-PKG_VERSION:=2.7.4
+PKG_VERSION:=2.7.5
 PKG_RELEASE:=1
 PKG_MAINTAINER:=Florian Eckert <fe@dev.tdt.de>
 PKG_LICENSE:=GPLv2
diff --git a/net/mwan3/files/etc/hotplug.d/iface/13-mwan3 b/net/mwan3/files/etc/hotplug.d/iface/13-mwan3
new file mode 100644 (file)
index 0000000..c21e1db
--- /dev/null
@@ -0,0 +1,98 @@
+#!/bin/sh
+
+. /lib/functions.sh
+. /lib/functions/network.sh
+. /lib/mwan3/mwan3.sh
+
+LOG="logger -t mwan3[$$] -p"
+
+[ "$ACTION" = "connected" -o "$ACTION" = "disconnected" ] || exit 1
+[ -n "$INTERFACE" ] || exit 2
+
+if [ "$ACTION" = "connected" ]; then
+       [ -n "$DEVICE" ] || exit 3
+fi
+
+config_load mwan3
+config_get_bool enabled globals 'enabled' '0'
+config_get local_source globals 'local_source' 'none'
+[ ${enabled} = "1" ] || exit 0
+[ ${local_source} = "none" ] || exit 0
+
+config_get enabled $INTERFACE enabled 0
+config_get online_metric $INTERFACE online_metric 0
+[ "$enabled" == "1" ] || exit 0
+
+if [ "$online_metric" = 0 ]; then
+       $LOG notice "No online metric for interface "$INTERFACE" found"
+       exit 0
+fi
+
+mwan3_add_failover_metric() {
+       local iface="$1"
+       local device="$2"
+       local metric="$3"
+
+       local route_args
+
+       config_get family $iface family ipv4
+
+       if [ "$family" == "ipv4" ]; then
+               if ubus call network.interface.${iface}_4 status 1>/dev/null 2>&1; then
+                       network_get_gateway route_args ${iface}_4
+               else
+                       network_get_gateway route_args $iface
+               fi
+
+               if [ -n "$route_args" -a "$route_args" != "0.0.0.0" ]; then
+                       route_args="via $route_args"
+               else
+                       route_args=""
+               fi
+
+               $IP4 route add default $route_args dev $device proto static metric $metric 1>/dev/null 2>&1
+       fi
+
+       if [ "$family" == "ipv6" ]; then
+               if ubus call network.interface.${iface}_6 status 1>/dev/null 2>&1; then
+                       network_get_gateway6 route_args ${iface}_6
+               else
+                       network_get_gateway6 route_args $iface
+               fi
+
+               if [ -n "$route_args" -a "$route_args" != "::" ]; then
+                       route_args="via $route_args"
+               else
+                       route_args=""
+               fi
+
+               $IP6 route add default $route_args dev $device proto static metric $metric 1>/dev/null 2>&1
+       fi
+}
+
+mwan3_del_failover_metric() {
+       local iface="$1"
+       local device="$2"
+       local metric="$3"
+
+       config_get family $iface family ipv4
+
+       if [ "$family" == "ipv4" ]; then
+               $IP4 route del default dev $device proto static metric $metric 1>/dev/null 2>&1
+       fi
+
+       if [ "$family" == "ipv6" ]; then
+               $IP6 route del default dev $device proto static metric $metric 1>/dev/null 2>&1
+       fi
+}
+
+case "$ACTION" in
+       connected)
+               mwan3_add_failover_metric "$INTERFACE" "$DEVICE" "$online_metric"
+               ;;
+       disconnected)
+               mwan3_del_failover_metric "$INTERFACE" "$DEVICE" "$online_metric"
+               ;;
+esac
+
+exit 0
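Review bot: In `mwan3_add_failover_metric` and `mwan3_del_failover_metric` the `ip route` calls expand `$device` and `$metric` unquoted and discard all output, so a value containing whitespace (from the hotplug environment or the `online_metric` UCI option) is split into extra `ip` arguments and a failed route change goes unnoticed. `route_args` has to stay unquoted because it carries two words, but the others can be written `dev "$device" proto static metric "$metric"`. I would also reject a non-numeric metric before the final `case`, e.g. `case "$online_metric" in *[!0-9]*) $LOG notice "invalid online_metric for $INTERFACE"; exit 0;; esac`, and log a non-zero exit of the route command instead of sending stderr to `/dev/null`. The log line near the top has the same quoting slip: `"No online metric for interface "$INTERFACE" found"` leaves `$INTERFACE` outside the quotes.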
index a02f88baa70ed245880f531ae8245c1c088b9cf2..897872e68b4cd2206653184c8d6b043a5b72647e 100644 (file)
@@ -19,6 +19,7 @@ config_get_bool enabled globals 'enabled' '0'
 mwan3_lock
 mwan3_init
 mwan3_set_connected_iptables
+mwan3_set_custom_ipset
 mwan3_unlock
 
 config_get enabled $INTERFACE enabled 0
index d0a47a5238c241b89420f0e3d455c82631f4e4df..42e08beb9b9cba123089dd7d442a1b969b7f8517 100644 (file)
@@ -7,6 +7,18 @@ IPT4="iptables -t mangle -w"
 IPT6="ip6tables -t mangle -w"
 LOG="logger -t mwan3[$$] -p"
 CONNTRACK_FILE="/proc/net/nf_conntrack"
+IPv6_REGEX="([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|"
+IPv6_REGEX="${IPv6_REGEX}([0-9a-fA-F]{1,4}:){1,7}:|"
+IPv6_REGEX="${IPv6_REGEX}([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|"
+IPv6_REGEX="${IPv6_REGEX}([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|"
+IPv6_REGEX="${IPv6_REGEX}([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|"
+IPv6_REGEX="${IPv6_REGEX}([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|"
+IPv6_REGEX="${IPv6_REGEX}([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|"
+IPv6_REGEX="${IPv6_REGEX}[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|"
+IPv6_REGEX="${IPv6_REGEX}:((:[0-9a-fA-F]{1,4}){1,7}|:)|"
+IPv6_REGEX="${IPv6_REGEX}fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|"
+IPv6_REGEX="${IPv6_REGEX}::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|"
+IPv6_REGEX="${IPv6_REGEX}([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])"
 
 MWAN3_STATUS_DIR="/var/run/mwan3"
 MWAN3TRACK_STATUS_DIR="/var/run/mwan3track"
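Review bot: `IPv6_REGEX` has no comment saying how it is meant to be used, and both visible callers pass it to `egrep` unanchored, so any routing-table field that merely contains an address-like substring is accepted and added to an ipset. A one-line comment above the first assignment would make the contract explicit, for example `# ERE for egrep; left unanchored so that prefixes such as 2001:db8::/32 still match` (if that is the intent). The name also mixes case while the neighbouring globals (`IPT4`, `LOG`, `CONNTRACK_FILE`) are upper-case; `IPV6_REGEX` would be consistent.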
@@ -176,6 +188,46 @@ mwan3_get_iface_id()
        export "$1=$_tmp"
 }
 
+mwan3_set_custom_ipset_v4()
+{
+       local custom_network_v4
+
+       for custom_network_v4 in $($IP4 route list table "$1" | awk '{print $1}' | egrep '[0-9]{1,3}(\.[0-9]{1,3}){3}'); do
+               $LOG notice "Adding network $custom_network_v4 from table $1 to mwan3_custom_v4 ipset"
+               $IPS -! add mwan3_custom_v4_temp $custom_network_v4
+       done
+}
+
+mwan3_set_custom_ipset_v6()
+{
+       local custom_network_v6
+
+       for custom_network_v6 in $($IP6 route list table "$1" | awk '{print $1}' | egrep "$IPv6_REGEX"); do
+               $LOG notice "Adding network $custom_network_v6 from table $1 to mwan3_custom_v6 ipset"
+               $IPS -! add mwan3_custom_v6_temp $custom_network_v6
+       done
+}
+
+mwan3_set_custom_ipset()
+{
+       $IPS -! create mwan3_custom_v4 hash:net
+       $IPS create mwan3_custom_v4_temp hash:net
+       config_list_foreach "globals" "rt_table_lookup" mwan3_set_custom_ipset_v4
+       $IPS swap mwan3_custom_v4_temp mwan3_custom_v4
+       $IPS destroy mwan3_custom_v4_temp
+
+
+       $IPS -! create mwan3_custom_v6 hash:net family inet6
+       $IPS create mwan3_custom_v6_temp hash:net family inet6
+       config_list_foreach "globals" "rt_table_lookup" mwan3_set_custom_ipset_v6
+       $IPS swap mwan3_custom_v6_temp mwan3_custom_v6
+       $IPS destroy mwan3_custom_v6_temp
+
+       $IPS -! create mwan3_connected list:set
+       $IPS -! add mwan3_connected mwan3_custom_v4
+       $IPS -! add mwan3_connected mwan3_custom_v6
+}
+
 mwan3_set_connected_iptables()
 {
        local connected_network_v4 connected_network_v6
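Review bot: `mwan3_set_custom_ipset` creates `mwan3_custom_v4_temp` and `mwan3_custom_v6_temp` without `-!` and never flushes them, so if an earlier run was interrupted before `destroy`, the create fails, the loop adds to the stale set, and `swap` publishes leftover networks into `mwan3_custom_v4`/`_v6`. Members of `mwan3_connected` receive the default mark (see the `mwan3_connected` chain later in this file), so stale entries keep traffic out of the policy rules. I would write `$IPS -! create mwan3_custom_v4_temp hash:net` followed by `$IPS flush mwan3_custom_v4_temp`, and the same for v6. In the two helper functions, `$custom_network_v4` and `$custom_network_v6` should be quoted on the `$IPS -! add` lines, and the IPv4 `egrep` pattern is unanchored and accepts octets above 255.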
@@ -199,7 +251,7 @@ mwan3_set_connected_iptables()
        $IPS -! create mwan3_connected_v6 hash:net family inet6
        $IPS create mwan3_connected_v6_temp hash:net family inet6
 
-       for connected_network_v6 in $($IP6 route | awk '{print $1}' | egrep '([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])'); do
+       for connected_network_v6 in $($IP6 route | awk '{print $1}' | egrep "$IPv6_REGEX"); do
                $IPS -! add mwan3_connected_v6_temp $connected_network_v6
        done
 
@@ -209,6 +261,12 @@ mwan3_set_connected_iptables()
        $IPS -! create mwan3_connected list:set
        $IPS -! add mwan3_connected mwan3_connected_v4
        $IPS -! add mwan3_connected mwan3_connected_v6
+
+       $IPS -! create mwan3_dynamic_v4 hash:net
+       $IPS -! add mwan3_connected mwan3_dynamic_v4
+
+       $IPS -! create mwan3_dynamic_v6 hash:net family inet6
+       $IPS -! add mwan3_connected mwan3_dynamic_v6
 }
 
 mwan3_set_general_rules()
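Review bot: Nothing in this hunk says what fills `mwan3_dynamic_v4` and `mwan3_dynamic_v6`; they are created empty and attached to `mwan3_connected`, so whatever adds members later decides which destinations get the default mark instead of a policy. A comment above the block should name the intended writer and the trust assumption, e.g. `# filled at runtime by <component, not visible here>; members are treated like connected networks`. `mwan3_set_connected_iptables` begins outside this hunk, so I cannot tell whether these sets are flushed anywhere on reload.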
@@ -242,7 +300,9 @@ mwan3_set_general_iptables()
                if ! $IPT -S mwan3_connected &> /dev/null; then
                        $IPT -N mwan3_connected
                        $IPS -! create mwan3_connected list:set
-                       $IPT -A mwan3_connected -m set --match-set mwan3_connected dst -j MARK --set-xmark $MMX_DEFAULT/$MMX_MASK
+                       $IPT -A mwan3_connected \
+                               -m set --match-set mwan3_connected dst \
+                               -j MARK --set-xmark $MMX_DEFAULT/$MMX_MASK
                fi
 
                if ! $IPT -S mwan3_rules &> /dev/null; then
@@ -253,18 +313,43 @@ mwan3_set_general_iptables()
                        $IPT -N mwan3_hook
                        # do not mangle ipv6 ra service
                        if [ "$IPT" = "$IPT6" ]; then
-                               $IPT6 -A mwan3_hook -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j RETURN
-                               $IPT6 -A mwan3_hook -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j RETURN
-                               $IPT6 -A mwan3_hook -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN
-                               $IPT6 -A mwan3_hook -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN
-                               $IPT6 -A mwan3_hook -p ipv6-icmp -m icmp6 --icmpv6-type 137 -j RETURN
+                               $IPT6 -A mwan3_hook \
+                                       -p ipv6-icmp \
+                                       -m icmp6 --icmpv6-type 133 \
+                                       -j RETURN
+                               $IPT6 -A mwan3_hook \
+                                       -p ipv6-icmp \
+                                       -m icmp6 --icmpv6-type 134 \
+                                       -j RETURN
+                               $IPT6 -A mwan3_hook \
+                                       -p ipv6-icmp \
+                                       -m icmp6 --icmpv6-type 135 \
+                                       -j RETURN
+                               $IPT6 -A mwan3_hook \
+                                       -p ipv6-icmp \
+                                       -m icmp6 --icmpv6-type 136 \
+                                       -j RETURN
+                               $IPT6 -A mwan3_hook \
+                                       -p ipv6-icmp \
+                                       -m icmp6 --icmpv6-type 137 \
+                                       -j RETURN
                        fi
-                       $IPT -A mwan3_hook -j CONNMARK --restore-mark --nfmask $MMX_MASK --ctmask $MMX_MASK
-                       $IPT -A mwan3_hook -m mark --mark 0x0/$MMX_MASK -j mwan3_ifaces_in
-                       $IPT -A mwan3_hook -m mark --mark 0x0/$MMX_MASK -j mwan3_connected
-                       $IPT -A mwan3_hook -m mark --mark 0x0/$MMX_MASK -j mwan3_rules
-                       $IPT -A mwan3_hook -j CONNMARK --save-mark --nfmask $MMX_MASK --ctmask $MMX_MASK
-                       $IPT -A mwan3_hook -m mark ! --mark $MMX_DEFAULT/$MMX_MASK -j mwan3_connected
+                       $IPT -A mwan3_hook \
+                               -j CONNMARK --restore-mark --nfmask $MMX_MASK --ctmask $MMX_MASK
+                       $IPT -A mwan3_hook \
+                               -m mark --mark 0x0/$MMX_MASK \
+                               -j mwan3_ifaces_in
+                       $IPT -A mwan3_hook \
+                               -m mark --mark 0x0/$MMX_MASK \
+                               -j mwan3_connected
+                       $IPT -A mwan3_hook \
+                               -m mark --mark 0x0/$MMX_MASK \
+                               -j mwan3_rules
+                       $IPT -A mwan3_hook \
+                               -j CONNMARK --save-mark --nfmask $MMX_MASK --ctmask $MMX_MASK
+                       $IPT -A mwan3_hook \
+                               -m mark ! --mark $MMX_DEFAULT/$MMX_MASK \
+                               -j mwan3_connected
                fi
 
                if ! $IPT -S PREROUTING | grep mwan3_hook &> /dev/null; then
@@ -298,11 +383,24 @@ mwan3_create_iface_iptables()
                fi
 
                $IPT4 -F mwan3_iface_in_$1
-               $IPT4 -A mwan3_iface_in_$1 -i $2 -m set --match-set mwan3_connected src -m mark --mark 0x0/$MMX_MASK -m comment --comment "default" -j MARK --set-xmark $MMX_DEFAULT/$MMX_MASK
-               $IPT4 -A mwan3_iface_in_$1 -i $2 -m mark --mark 0x0/$MMX_MASK -m comment --comment "$1" -j MARK --set-xmark $(mwan3_id2mask id MMX_MASK)/$MMX_MASK
-
-               $IPT4 -D mwan3_ifaces_in -m mark --mark 0x0/$MMX_MASK -j mwan3_iface_in_$1 &> /dev/null
-               $IPT4 -A mwan3_ifaces_in -m mark --mark 0x0/$MMX_MASK -j mwan3_iface_in_$1
+               $IPT4 -A mwan3_iface_in_$1 \
+                       -i $2 \
+                       -m set --match-set mwan3_connected src \
+                       -m mark --mark 0x0/$MMX_MASK \
+                       -m comment --comment "default" \
+                       -j MARK --set-xmark $MMX_DEFAULT/$MMX_MASK
+               $IPT4 -A mwan3_iface_in_$1 \
+                       -i $2 \
+                       -m mark --mark 0x0/$MMX_MASK \
+                       -m comment --comment "$1" \
+                       -j MARK --set-xmark $(mwan3_id2mask id MMX_MASK)/$MMX_MASK
+
+               $IPT4 -D mwan3_ifaces_in \
+                       -m mark --mark 0x0/$MMX_MASK \
+                       -j mwan3_iface_in_$1 &> /dev/null
+               $IPT4 -A mwan3_ifaces_in \
+                       -m mark --mark 0x0/$MMX_MASK \
+                       -j mwan3_iface_in_$1
        fi
 
        if [ "$family" == "ipv6" ]; then
@@ -317,11 +415,21 @@ mwan3_create_iface_iptables()
                fi
 
                $IPT6 -F mwan3_iface_in_$1
-               $IPT6 -A mwan3_iface_in_$1 -i $2 -m set --match-set mwan3_connected_v6 src -m mark --mark 0x0/$MMX_MASK -m comment --comment "default" -j MARK --set-xmark $MMX_DEFAULT/$MMX_MASK
-               $IPT6 -A mwan3_iface_in_$1 -i $2 -m mark --mark 0x0/$MMX_MASK -m comment --comment "$1" -j MARK --set-xmark $(mwan3_id2mask id MMX_MASK)/$MMX_MASK
-
-               $IPT6 -D mwan3_ifaces_in -m mark --mark 0x0/$MMX_MASK -j mwan3_iface_in_$1 &> /dev/null
-               $IPT6 -A mwan3_ifaces_in -m mark --mark 0x0/$MMX_MASK -j mwan3_iface_in_$1
+               $IPT6 -A mwan3_iface_in_$1 -i $2 \
+                       -m set --match-set mwan3_connected_v6 src \
+                       -m mark --mark 0x0/$MMX_MASK \
+                       -m comment --comment "default" \
+                       -j MARK --set-xmark $MMX_DEFAULT/$MMX_MASK
+               $IPT6 -A mwan3_iface_in_$1 -i $2 -m mark --mark 0x0/$MMX_MASK \
+                       -m comment --comment "$1" \
+                       -j MARK --set-xmark $(mwan3_id2mask id MMX_MASK)/$MMX_MASK
+
+               $IPT6 -D mwan3_ifaces_in \
+                       -m mark --mark 0x0/$MMX_MASK \
+                       -j mwan3_iface_in_$1 &> /dev/null
+               $IPT6 -A mwan3_ifaces_in \
+                       -m mark --mark 0x0/$MMX_MASK \
+                       -j mwan3_iface_in_$1
        fi
 }
 
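Review bot: The rewrapped IPv6 rule still matches `mwan3_connected_v6` as source, while the IPv4 counterpart in the previous hunk matches the `mwan3_connected` list, so the `mwan3_custom_v6` and `mwan3_dynamic_v6` sets this commit attaches to `mwan3_connected` are not consulted for IPv6 ingress traffic. If that difference is not intended, the line should read `-m set --match-set mwan3_connected src \`. The wrapping also differs from the IPv4 block, which puts `-i $2` on its own continuation line. `mwan3_create_iface_iptables` starts outside this hunk.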
@@ -331,14 +439,18 @@ mwan3_delete_iface_iptables()
 
        if [ "$family" == "ipv4" ]; then
 
-               $IPT4 -D mwan3_ifaces_in -m mark --mark 0x0/$MMX_MASK -j mwan3_iface_in_$1 &> /dev/null
+               $IPT4 -D mwan3_ifaces_in \
+                       -m mark --mark 0x0/$MMX_MASK \
+                       -j mwan3_iface_in_$1 &> /dev/null
                $IPT4 -F mwan3_iface_in_$1 &> /dev/null
                $IPT4 -X mwan3_iface_in_$1 &> /dev/null
        fi
 
        if [ "$family" == "ipv6" ]; then
 
-               $IPT6 -D mwan3_ifaces_in -m mark --mark 0x0/$MMX_MASK -j mwan3_iface_in_$1 &> /dev/null
+               $IPT6 -D mwan3_ifaces_in \
+                       -m mark --mark 0x0/$MMX_MASK \
+                       -j mwan3_iface_in_$1 &> /dev/null
                $IPT6 -F mwan3_iface_in_$1 &> /dev/null
                $IPT6 -X mwan3_iface_in_$1 &> /dev/null
        fi
@@ -568,7 +680,10 @@ mwan3_set_policy()
 
                                total_weight_v4=$weight
                                $IPT4 -F mwan3_policy_$policy
-                               $IPT4 -A mwan3_policy_$policy -m mark --mark 0x0/$MMX_MASK -m comment --comment "$iface $weight $weight" -j MARK --set-xmark $(mwan3_id2mask id MMX_MASK)/$MMX_MASK
+                               $IPT4 -A mwan3_policy_$policy \
+                                       -m mark --mark 0x0/$MMX_MASK \
+                                       -m comment --comment "$iface $weight $weight" \
+                                       -j MARK --set-xmark $(mwan3_id2mask id MMX_MASK)/$MMX_MASK
 
                                lowest_metric_v4=$metric
 
@@ -589,12 +704,19 @@ mwan3_set_policy()
 
                                probability="-m statistic --mode random --probability $probability"
 
-                               $IPT4 -I mwan3_policy_$policy -m mark --mark 0x0/$MMX_MASK $probability -m comment --comment "$iface $weight $total_weight_v4" -j MARK --set-xmark $(mwan3_id2mask id MMX_MASK)/$MMX_MASK
+                               $IPT4 -I mwan3_policy_$policy \
+                                       -m mark --mark 0x0/$MMX_MASK $probability \
+                                       -m comment --comment "$iface $weight $total_weight_v4" \
+                                       -j MARK --set-xmark $(mwan3_id2mask id MMX_MASK)/$MMX_MASK
                        fi
                else
                        [ -n "$device" ] && {
                                $IPT4 -S mwan3_policy_$policy | grep -q '.*--comment ".* [0-9]* [0-9]*"' || \
-                                       $IPT4 -I mwan3_policy_$policy -o $device -m mark --mark 0x0/$MMX_MASK -m comment --comment "out $iface $device" -j MARK --set-xmark $MMX_DEFAULT/$MMX_MASK
+                                       $IPT4 -I mwan3_policy_$policy \
+                                       -o $device \
+                                       -m mark --mark 0x0/$MMX_MASK \
+                                       -m comment --comment "out $iface $device" \
+                                       -j MARK --set-xmark $MMX_DEFAULT/$MMX_MASK
                        }
                fi
        fi
@@ -606,7 +728,10 @@ mwan3_set_policy()
 
                                total_weight_v6=$weight
                                $IPT6 -F mwan3_policy_$policy
-                               $IPT6 -A mwan3_policy_$policy -m mark --mark 0x0/$MMX_MASK -m comment --comment "$iface $weight $weight" -j MARK --set-xmark $(mwan3_id2mask id MMX_MASK)/$MMX_MASK
+                               $IPT6 -A mwan3_policy_$policy \
+                                       -m mark --mark 0x0/$MMX_MASK \
+                                       -m comment --comment "$iface $weight $weight" \
+                                       -j MARK --set-xmark $(mwan3_id2mask id MMX_MASK)/$MMX_MASK
 
                                lowest_metric_v6=$metric
 
@@ -627,12 +752,20 @@ mwan3_set_policy()
 
                                probability="-m statistic --mode random --probability $probability"
 
-                               $IPT6 -I mwan3_policy_$policy -m mark --mark 0x0/$MMX_MASK $probability -m comment --comment "$iface $weight $total_weight_v6" -j MARK --set-xmark $(mwan3_id2mask id MMX_MASK)/$MMX_MASK
+                               $IPT6 -I mwan3_policy_$policy \
+                                       -m mark --mark 0x0/$MMX_MASK \
+                                       $probability \
+                                       -m comment --comment "$iface $weight $total_weight_v6" \
+                                       -j MARK --set-xmark $(mwan3_id2mask id MMX_MASK)/$MMX_MASK
                        fi
                else
                        [ -n "$device" ] && {
                                $IPT6 -S mwan3_policy_$policy | grep -q '.*--comment ".* [0-9]* [0-9]*"' || \
-                                       $IPT6 -I mwan3_policy_$policy -o $device -m mark --mark 0x0/$MMX_MASK -m comment --comment "out $iface $device" -j MARK --set-xmark $MMX_DEFAULT/$MMX_MASK
+                                       $IPT6 -I mwan3_policy_$policy \
+                                       -o $device \
+                                       -m mark --mark 0x0/$MMX_MASK \
+                                       -m comment --comment "out $iface $device" \
+                                       -j MARK --set-xmark $MMX_DEFAULT/$MMX_MASK
                        }
                fi
        fi
@@ -660,13 +793,22 @@ mwan3_create_policies_iptables()
 
                case "$last_resort" in
                        blackhole)
-                               $IPT -A mwan3_policy_$1 -m mark --mark 0x0/$MMX_MASK -m comment --comment "blackhole" -j MARK --set-xmark $MMX_BLACKHOLE/$MMX_MASK
+                               $IPT -A mwan3_policy_$1 \
+                                       -m mark --mark 0x0/$MMX_MASK \
+                                       -m comment --comment "blackhole" \
+                                       -j MARK --set-xmark $MMX_BLACKHOLE/$MMX_MASK
                        ;;
                        default)
-                               $IPT -A mwan3_policy_$1 -m mark --mark 0x0/$MMX_MASK -m comment --comment "default" -j MARK --set-xmark $MMX_DEFAULT/$MMX_MASK
+                               $IPT -A mwan3_policy_$1 \
+                                       -m mark --mark 0x0/$MMX_MASK \
+                                       -m comment --comment "default" \
+                                       -j MARK --set-xmark $MMX_DEFAULT/$MMX_MASK
                        ;;
                        *)
-                               $IPT -A mwan3_policy_$1 -m mark --mark 0x0/$MMX_MASK -m comment --comment "unreachable" -j MARK --set-xmark $MMX_UNREACHABLE/$MMX_MASK
+                               $IPT -A mwan3_policy_$1 \
+                                       -m mark --mark 0x0/$MMX_MASK \
+                                       -m comment --comment "unreachable" \
+                                       -j MARK --set-xmark $MMX_UNREACHABLE/$MMX_MASK
                        ;;
                esac
        done
@@ -699,8 +841,13 @@ mwan3_set_sticky_iptables()
 
                        for IPT in "$IPT4" "$IPT6"; do
                                if [ -n "$($IPT -S mwan3_iface_in_$1 2> /dev/null)" ]; then
-                                       $IPT -I mwan3_rule_$rule -m mark --mark $(mwan3_id2mask id MMX_MASK)/$MMX_MASK -m set ! --match-set mwan3_sticky_$rule src,src -j MARK --set-xmark 0x0/$MMX_MASK
-                                       $IPT -I mwan3_rule_$rule -m mark --mark 0/$MMX_MASK -j MARK --set-xmark $(mwan3_id2mask id MMX_MASK)/$MMX_MASK
+                                       $IPT -I mwan3_rule_$rule \
+                                               -m mark --mark $(mwan3_id2mask id MMX_MASK)/$MMX_MASK \
+                                               -m set ! --match-set mwan3_sticky_$rule src,src \
+                                               -j MARK --set-xmark 0x0/$MMX_MASK
+                                       $IPT -I mwan3_rule_$rule \
+                                               -m mark --mark 0/$MMX_MASK \
+                                               -j MARK --set-xmark $(mwan3_id2mask id MMX_MASK)/$MMX_MASK
                                fi
                        done
                fi
@@ -756,8 +903,12 @@ mwan3_set_user_iptables_rule()
                                        $IPT -F mwan3_rule_$1
                                done
 
-                               $IPS -! create mwan3_sticky_v4_$rule hash:ip,mark markmask $MMX_MASK timeout $timeout
-                               $IPS -! create mwan3_sticky_v6_$rule hash:ip,mark markmask $MMX_MASK timeout $timeout family inet6
+                               $IPS -! create mwan3_sticky_v4_$rule \
+                                       hash:ip,mark markmask $MMX_MASK \
+                                       timeout $timeout
+                               $IPS -! create mwan3_sticky_v6_$rule \
+                                       hash:ip,mark markmask $MMX_MASK \
+                                       timeout $timeout family inet6
                                $IPS -! create mwan3_sticky_$rule list:set
                                $IPS -! add mwan3_sticky_$rule mwan3_sticky_v4_$rule
                                $IPS -! add mwan3_sticky_$rule mwan3_sticky_v6_$rule
@@ -765,9 +916,15 @@ mwan3_set_user_iptables_rule()
                                config_foreach mwan3_set_sticky_iptables interface
 
                                for IPT in "$IPT4" "$IPT6"; do
-                                       $IPT -A mwan3_rule_$1 -m mark --mark 0/$MMX_MASK -j $policy
-                                       $IPT -A mwan3_rule_$1 -m mark ! --mark 0xfc00/0xfc00 -j SET --del-set mwan3_sticky_$rule src,src
-                                       $IPT -A mwan3_rule_$1 -m mark ! --mark 0xfc00/0xfc00 -j SET --add-set mwan3_sticky_$rule src,src
+                                       $IPT -A mwan3_rule_$1 \
+                                               -m mark --mark 0/$MMX_MASK \
+                                               -j $policy
+                                       $IPT -A mwan3_rule_$1 \
+                                               -m mark ! --mark 0xfc00/0xfc00 \
+                                               -j SET --del-set mwan3_sticky_$rule src,src
+                                       $IPT -A mwan3_rule_$1 \
+                                               -m mark ! --mark 0xfc00/0xfc00 \
+                                               -j SET --add-set mwan3_sticky_$rule src,src
                                done
 
                                policy="mwan3_rule_$1"
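Review bot: The two `-j SET` rules keep the literal `0xfc00/0xfc00` while every other rule touched by this change takes its mask from `$MMX_MASK`, so if the mask is configurable (its definition is not in this hunk) the sticky add/del rules would test the wrong bits. Since the lines are being re-wrapped anyway, `-m mark ! --mark $MMX_DEFAULT/$MMX_MASK \` would keep them in step, assuming `$MMX_DEFAULT` is the all-bits-set value these rules mean to exclude. mwan3_set_user_iptables_rule starts and ends outside the hunk.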
@@ -788,10 +945,24 @@ mwan3_set_user_iptables_rule()
                        for IPT in "$IPT4" "$IPT6"; do
                                case $proto in
                                        tcp|udp)
-                                       $IPT -A mwan3_rules -p $proto -s $src_ip -d $dest_ip $ipset -m multiport --sports $src_port -m multiport --dports $dest_port -m mark --mark 0/$MMX_MASK -m comment --comment "$1" -j $policy &> /dev/null
+                                       $IPT -A mwan3_rules \
+                                               -p $proto \
+                                               -s $src_ip \
+                                               -d $dest_ip $ipset \
+                                               -m multiport --sports $src_port \
+                                               -m multiport --dports $dest_port \
+                                               -m mark --mark 0/$MMX_MASK \
+                                               -m comment --comment "$1" \
+                                               -j $policy &> /dev/null
                                        ;;
                                        *)
-                                       $IPT -A mwan3_rules -p $proto -s $src_ip -d $dest_ip $ipset -m mark --mark 0/$MMX_MASK -m comment --comment "$1" -j $policy &> /dev/null
+                                       $IPT -A mwan3_rules \
+                                               -p $proto \
+                                               -s $src_ip \
+                                               -d $dest_ip $ipset \
+                                               -m mark --mark 0/$MMX_MASK \
+                                               -m comment --comment "$1" \
+                                               -j $policy &> /dev/null
                                        ;;
                                esac
                        done
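Review bot: Every `-A mwan3_rules` call still ends in `&> /dev/null` with no check of the exit status, so a rule that iptables rejects is dropped silently and matching traffic is handled by whichever later rule or default applies. In this loop a failure for the non-matching address family may be expected, but in the `$IPT4`-only and `$IPT6`-only branches of the next two hunks a failure is a real configuration error and should be surfaced, e.g. `-j $policy > /dev/null 2>&1 || logger -t mwan3 -p daemon.warn "rule $1: iptables rejected the rule"`. `$src_ip`, `$dest_ip` and the port lists are also expanded unquoted, so a value containing whitespace turns into extra iptables arguments; where they are validated is not visible here. The function body continues outside the hunk.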
@@ -800,10 +971,24 @@ mwan3_set_user_iptables_rule()
 
                        case $proto in
                                tcp|udp)
-                               $IPT4 -A mwan3_rules -p $proto -s $src_ip -d $dest_ip $ipset -m multiport --sports $src_port -m multiport --dports $dest_port -m mark --mark 0/$MMX_MASK -m comment --comment "$1" -j $policy &> /dev/null
+                               $IPT4 -A mwan3_rules \
+                                       -p $proto \
+                                       -s $src_ip \
+                                       -d $dest_ip $ipset \
+                                       -m multiport --sports $src_port \
+                                       -m multiport --dports $dest_port \
+                                       -m mark --mark 0/$MMX_MASK \
+                                       -m comment --comment "$1" \
+                                       -j $policy &> /dev/null
                                ;;
                                *)
-                               $IPT4 -A mwan3_rules -p $proto -s $src_ip -d $dest_ip $ipset -m mark --mark 0/$MMX_MASK -m comment --comment "$1" -j $policy &> /dev/null
+                               $IPT4 -A mwan3_rules \
+                                       -p $proto \
+                                       -s $src_ip \
+                                       -d $dest_ip $ipset \
+                                       -m mark --mark 0/$MMX_MASK \
+                                       -m comment --comment "$1" \
+                                       -j $policy &> /dev/null
                                ;;
                        esac
 
@@ -811,10 +996,24 @@ mwan3_set_user_iptables_rule()
 
                        case $proto in
                                tcp|udp)
-                               $IPT6 -A mwan3_rules -p $proto -s $src_ip -d $dest_ip $ipset -m multiport --sports $src_port -m multiport --dports $dest_port -m mark --mark 0/$MMX_MASK -m comment --comment "$1" -j $policy &> /dev/null
+                               $IPT6 -A mwan3_rules \
+                                       -p $proto \
+                                       -s $src_ip \
+                                       -d $dest_ip $ipset \
+                                       -m multiport --sports $src_port \
+                                       -m multiport --dports $dest_port \
+                                       -m mark --mark 0/$MMX_MASK \
+                                       -m comment --comment "$1" \
+                                       -j $policy &> /dev/null
                                ;;
                                *)
-                               $IPT6 -A mwan3_rules -p $proto -s $src_ip -d $dest_ip $ipset -m mark --mark 0/$MMX_MASK -m comment --comment "$1" -j $policy &> /dev/null
+                               $IPT6 -A mwan3_rules \
+                                       -p $proto \
+                                       -s $src_ip \
+                                       -d $dest_ip $ipset \
+                                       -m mark --mark 0/$MMX_MASK \
+                                       -m comment --comment "$1" \
+                                       -j $policy &> /dev/null
                                ;;
                        esac
                fi
@@ -871,9 +1070,15 @@ mwan3_report_iface_status()
 
        if [ -z "$id" -o -z "$device" ]; then
                result="unknown"
-       elif [ -n "$($IP rule | awk '$1 == "'$(($id+1000)):'"')" -a -n "$($IP rule | awk '$1 == "'$(($id+2000)):'"')" -a -n "$($IPT -S mwan3_iface_in_$1 2> /dev/null)" -a -n "$($IP route list table $id default dev $device 2> /dev/null)" ]; then
+       elif [ -n "$($IP rule | awk '$1 == "'$(($id+1000)):'"')" ] && \
+               [ -n "$($IP rule | awk '$1 == "'$(($id+2000)):'"')" ] && \
+               [ -n "$($IPT -S mwan3_iface_in_$1 2> /dev/null)" ] && \
+               [ -n "$($IP route list table $id default dev $device 2> /dev/null)" ]; then
                result="$(mwan3_get_iface_hotplug_state $1)"
-       elif [ -n "$($IP rule | awk '$1 == "'$(($id+1000)):'"')" -o -n "$($IP rule | awk '$1 == "'$(($id+2000)):'"')" -o -n "$($IPT -S mwan3_iface_in_$1 2> /dev/null)" -o -n "$($IP route list table $id default dev $device 2> /dev/null)" ]; then
+       elif [ -n "$($IP rule | awk '$1 == "'$(($id+1000)):'"')" ] || \
+               [ -n "$($IP rule | awk '$1 == "'$(($id+2000)):'"')" ] || \
+               [ -n "$($IPT -S mwan3_iface_in_$1 2> /dev/null)" ] || \
+               [ -n "$($IP route list table $id default dev $device 2> /dev/null)" ]; then
                result="error"
        elif [ "$enabled" == "1" ]; then
                result="offline"
@@ -900,53 +1105,43 @@ mwan3_report_iface_status()
        echo " interface $1 is $result and tracking is $tracking"
 }
 
-mwan3_report_policies_v4()
+mwan3_report_policies()
 {
-       local percent policy share total_weight weight iface
+       local ipt="$1"
+       local policy="$2"
 
-       for policy in $($IPT4 -S | awk '{print $2}' | grep mwan3_policy_ | sort -u); do
-               echo "$policy:" | sed 's/mwan3_policy_//'
+       local percent total_weight weight iface
 
-               [ -n "$total_weight" ] || total_weight=$($IPT4 -S $policy | grep -v '.*--comment "out .*" .*$' | cut -s -d'"' -f2 | head -1 | awk '{print $3}')
+       total_weight=$($ipt -S $policy | grep -v '.*--comment "out .*" .*$' | cut -s -d'"' -f2 | head -1 | awk '{print $3}')
 
-               if [ ! -z "${total_weight##*[!0-9]*}" ]; then
-                       for iface in $($IPT4 -S $policy | grep -v '.*--comment "out .*" .*$' | cut -s -d'"' -f2 | awk '{print $1}'); do
-                               weight=$($IPT4 -S $policy | grep -v '.*--comment "out .*" .*$' | cut -s -d'"' -f2 | awk '$1 == "'$iface'"' | awk '{print $2}')
-                               percent=$(($weight*100/$total_weight))
-                               echo " $iface ($percent%)"
-                       done
-               else
-                       echo " $($IPT4 -S $policy | grep -v '.*--comment "out .*" .*$' | sed '/.*--comment \([^ ]*\) .*$/!d;s//\1/;q')"
-               fi
+       if [ ! -z "${total_weight##*[!0-9]*}" ]; then
+               for iface in $($ipt -S $policy | grep -v '.*--comment "out .*" .*$' | cut -s -d'"' -f2 | awk '{print $1}'); do
+                       weight=$($ipt -S $policy | grep -v '.*--comment "out .*" .*$' | cut -s -d'"' -f2 | awk '$1 == "'$iface'"' | awk '{print $2}')
+                       percent=$(($weight*100/$total_weight))
+                       echo " $iface ($percent%)"
+               done
+       else
+               echo " $($ipt -S $policy | grep -v '.*--comment "out .*" .*$' | sed '/.*--comment \([^ ]*\) .*$/!d;s//\1/;q')"
+       fi
+}
 
-               unset total_weight
+mwan3_report_policies_v4()
+{
+       local policy
 
-               echo -e
+       for policy in $($IPT4 -S | awk '{print $2}' | grep mwan3_policy_ | sort -u); do
+               echo "$policy:" | sed 's/mwan3_policy_//'
+               mwan3_report_policies "$IPT4" "$policy"
        done
 }
 
 mwan3_report_policies_v6()
 {
-       local percent policy share total_weight weight iface
+       local policy
 
        for policy in $($IPT6 -S | awk '{print $2}' | grep mwan3_policy_ | sort -u); do
                echo "$policy:" | sed 's/mwan3_policy_//'
-
-               [ -n "$total_weight" ] || total_weight=$($IPT6 -S $policy | grep -v '.*--comment "out .*" .*$' | cut -s -d'"' -f2 | head -1 | awk '{print $3}')
-
-               if [ ! -z "${total_weight##*[!0-9]*}" ]; then
-                       for iface in $($IPT6 -S $policy | grep -v '.*--comment "out .*" .*$' | cut -s -d'"' -f2 | awk '{print $1}'); do
-                               weight=$($IPT6 -S $policy | grep -v '.*--comment "out .*" .*$' | cut -s -d'"' -f2 | awk '$1 == "'$iface'"' | awk '{print $2}')
-                               percent=$(($weight*100/$total_weight))
-                               echo " $iface ($percent%)"
-                       done
-               else
-                       echo " $($IPT6 -S $policy | grep -v '.*--comment "out .*" .*$' | sed '/.*--comment \([^ ]*\) .*$/!d;s//\1/;q')"
-               fi
-
-               unset total_weight
-
-               echo -e
+               mwan3_report_policies "$IPT6" "$policy"
        done
 }
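Review bot: In the new mwan3_report_policies the `weight=` line splices `$iface` into the awk program text (`awk '$1 == "'$iface'"'`), so a name containing a quote or awk syntax changes the program, and a name that appears in two rule comments leaves two lines in `$weight` and breaks `$(($weight*100/$total_weight))`. Passing the name as data avoids both: `awk -v i="$iface" '$1 == i {print $2; exit}'`. The digit test on `$total_weight` also lets `0` through to the division, which a `[ "$total_weight" -gt 0 ]` guard would cover. The refactor drops the `echo -e` blank line that used to separate policies, which changes the report output; please confirm that is intended.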
 
@@ -955,9 +1150,7 @@ mwan3_report_connected_v4()
        local address
 
        if [ -n "$($IPT4 -S mwan3_connected 2> /dev/null)" ]; then
-               for address in $($IPS list mwan3_connected_v4 | egrep '[0-9]{1,3}(\.[0-9]{1,3}){3}'); do
-                       echo " $address"
-               done
+               $IPS -o save list mwan3_connected_v4 | grep add | cut -d " " -f 3
        fi
 }
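Review bot: `grep add` matches the substring anywhere on a line, so it relies on no header line of the `-o save` output (set name, type, options) ever containing "add". Selecting on the first field is tighter and saves a process: `$IPS -o save list mwan3_connected_v4 | awk '$1 == "add" {print $3}'`. The same pipeline is used for mwan3_connected_v6 in the next hunk and in report_connected_v4/report_connected_v6 of the following file. `local address` is now unused in both functions here, and entries are no longer printed with the leading space the old loop added, in case a consumer of the report relied on it.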
 
@@ -966,9 +1159,7 @@ mwan3_report_connected_v6()
        local address
 
        if [ -n "$($IPT6 -S mwan3_connected 2> /dev/null)" ]; then
-               for address in $($IPS list mwan3_connected_v6 | egrep '([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])'); do
-                       echo " $address"
-               done
+               $IPS -o save list mwan3_connected_v6 | grep add | cut -d " " -f 3
        fi
 }
 
@@ -1028,3 +1219,25 @@ mwan3_track_clean()
                fi
        }
 }
+
+mwan3_online_metric_clean() {
+       local iface="$1"
+
+       local online_metric ifname
+
+       config_get family $iface family ipv4
+       config_get online_metric $iface online_metric ""
+       ifname=$(uci_get_state network $iface ifname)
+
+       if [ "$family" == "ipv4" ] \
+               && [ "$online_metric" != "" ] \
+               && [ "$ifname" != "" ]; then
+               $IP4 route del default dev $ifname proto static metric $online_metric 1>/dev/null 2>&1
+       fi
+
+       if [ "$family" == "ipv6" ] \
+               && [ "$online_metric" != "" ] \
+               && [ "$ifname" != "" ]; then
+               $IP6 route del default dev $ifname proto static metric $online_metric 1>/dev/null 2>&1
+       fi
+}
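Review bot: `config_get family $iface family ipv4` assigns `family` without declaring it, so the value leaks out of mwan3_online_metric_clean into the caller's scope (stop() runs it through config_foreach) and can overwrite a `family` variable there. Declaring it with the others fixes that: `local online_metric ifname family`. `$iface`, `$ifname` and `$online_metric` are also expanded unquoted in `config_get` and `route del`; quoting them costs nothing and keeps an unexpected value from splitting into extra arguments.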
index a9b31f222f4bed95cdad66e06a3d0f703f93b1a6..dc4eeb6df6b2a51e1b27a93a68f69f2b1cf82825 100755 (executable)
@@ -15,7 +15,7 @@ report_connected_v4() {
        local address
 
        if [ -n "$($IPT4 -S mwan3_connected 2> /dev/null)" ]; then
-               for address in $($IPS list mwan3_connected_v4 | tail -n +8); do
+               for address in $($IPS -o save list mwan3_connected_v4 | grep add | cut -d " " -f 3); do
                        json_add_string "" "${address}"
                done
        fi
@@ -25,7 +25,7 @@ report_connected_v6() {
        local address
 
        if [ -n "$($IPT6 -S mwan3_connected 2> /dev/null)" ]; then
-               for address in $($IPS list mwan3_connected_v6 | tail -n +8); do
+               for address in $($IPS -o save list mwan3_connected_v6 | grep add | cut -d " " -f 3); do
                        json_add_string "" "${address}"
                done
        fi
index 4ad3bc3910655e423ab706e11f59befc6d160776..139da3d259c2ebce51936db28de71ca9af100326 100755 (executable)
@@ -175,6 +175,7 @@ stop()
 
        config_load mwan3
        config_foreach mwan3_track_clean interface
+       config_foreach mwan3_online_metric_clean interface
 
        for IP in "$IP4" "$IP6"; do
 
index ecb4efa123934b38829d2afe6240964a8a86fd2a..8fa011523af05616bef194c78fd7f3668da9492d 100644 (file)
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=net-snmp
-PKG_VERSION:=5.7.3
-PKG_RELEASE:=10
+PKG_VERSION:=5.8
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=@SF/net-snmp
-PKG_HASH:=12ef89613c7707dc96d13335f153c1921efc9d61d3708ef09f3fc4a7014fb4f0
+PKG_HASH:=b2fc3500840ebe532734c4786b0da4ef0a5f67e51ef4c86b3345d697e4976adf
 PKG_MAINTAINER:=Stijn Tintel <stijn@linux-ipv6.be>
 PKG_LICENSE:=MIT BSD-3-Clause-Clear
 
@@ -209,6 +209,7 @@ CONFIGURE_ARGS += \
 
 CONFIGURE_VARS += \
        ac_cv_header_netlink_netlink_h=yes \
+       ac_cv_header_pcre_h=no \
        netsnmp_cv_func_nl_connect_LIBS=-lnl-tiny \
 
 ifeq ($(CONFIG_IPV6),y)
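Review bot: `ac_cv_header_pcre_h=no` is added with no explanation, and the reason a header check is forced off will not be obvious to whoever bumps the package next. A comment above the `CONFIGURE_VARS +=` block would help, e.g. `# force the pcre.h check off so configure does not pick up libpcre from the staging dir`. That is presumably the intent; please confirm and word it accordingly. The comment has to sit above the assignment, because a comment line between the backslash-continued lines would end the continuation.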
index 290622098e79519331039df433faeb1753e24f6a..730bdbcfc925ea2d92db703f52b912defc8f52d2 100644 (file)
@@ -15,14 +15,14 @@ link tests to fail due to a stray "no" word getting passed to the linker.
 Signed-off-by: Jo-Philipp Wich <jo@mein.io>
 --- a/configure.d/config_os_libs2
 +++ b/configure.d/config_os_libs2
-@@ -226,14 +226,22 @@ if test "x$with_nl" != "xno"; then
-     case $target_os in
-     linux*) # Check for libnl (linux)
+@@ -254,14 +254,22 @@ if test "x$with_nl" != "xno"; then
+         )
          netsnmp_save_CPPFLAGS="$CPPFLAGS"
--        CPPFLAGS="-I/usr/include/libnl3 $CPPFLAGS"
+-        CPPFLAGS="${LIBNL3_CFLAGS} $CPPFLAGS"
 -        NETSNMP_SEARCH_LIBS(nl_connect, nl-3,
 -            [AC_CHECK_HEADERS(netlink/netlink.h)
--            EXTERNAL_MIBGROUP_INCLUDES="$EXTERNAL_MIBGROUP_INCLUDES -I/usr/include/libnl3"],
+-            EXTERNAL_MIBGROUP_INCLUDES="$EXTERNAL_MIBGROUP_INCLUDES ${LIBNL3_CFLAGS}"],
 -            [CPPFLAGS="$netsnmp_save_CPPFLAGS"], [], [], [LMIBLIBS])
 +        netsnmp_netlink_include_flags=""
          if test "x$ac_cv_header_netlink_netlink_h" != xyes; then
index c6e1db44803186170f7cddc49c301cbe2eadcb82..2b24d94438569542c1fcfb4b3c129adbf2246403 100644 (file)
@@ -1,6 +1,6 @@
 --- a/agent/mibgroup/mibII/interfaces.c
 +++ b/agent/mibgroup/mibII/interfaces.c
-@@ -1590,6 +1590,10 @@ Interface_Scan_Init(void)
+@@ -1588,6 +1588,10 @@ Interface_Scan_Init(void)
          struct ifnet   *nnew;
          char           *stats, *ifstart = line;
  
@@ -11,7 +11,7 @@
          if (line[strlen(line) - 1] == '\n')
              line[strlen(line) - 1] = '\0';
  
-@@ -1622,7 +1622,7 @@ Interface_Scan_Init(void)
+@@ -1620,7 +1624,7 @@ Interface_Scan_Init(void)
                                                 &coll) != 5)) {
              if ((scan_line_to_use == scan_line_2_2)
                  && !strstr(line, "No statistics available"))
index 5ace743218d1350f82b86f095bd341200465c419..7b71ed0874e79198acf700050fceb1d091d2f84b 100644 (file)
@@ -1,7 +1,7 @@
 diff -uNr a/local/Makefile.in b/local/Makefile.in
 --- a/local/Makefile.in        2014-02-20 08:36:42.000000000 +0800
 +++ b/local/Makefile.in        2014-05-27 13:21:34.245223503 +0800
-@@ -103,7 +103,7 @@
+@@ -101,7 +101,7 @@
  
  mib2c.made: $(srcdir)/mib2c
        if test "x$(PERL)" != "x" ; then \
@@ -13,7 +13,7 @@ diff -uNr a/local/Makefile.in b/local/Makefile.in
 diff -uNr a/Makefile.top b/Makefile.top
 --- a/Makefile.top     2014-02-20 08:36:42.000000000 +0800
 +++ b/Makefile.top     2014-05-27 13:26:53.023737120 +0800
-@@ -27,6 +27,7 @@
+@@ -28,6 +28,7 @@
  snmplibdir    = $(datadir)/snmp
  mibdir                = $(snmplibdir)/mibs
  persistentdir = @PERSISTENT_DIRECTORY@
@@ -24,7 +24,7 @@ diff -uNr a/Makefile.top b/Makefile.top
 diff -uNr a/mibs/Makefile.in b/mibs/Makefile.in
 --- a/mibs/Makefile.in 2014-02-20 08:36:42.000000000 +0800
 +++ b/mibs/Makefile.in 2014-05-27 13:25:07.151988585 +0800
-@@ -49,11 +49,15 @@
+@@ -47,11 +47,15 @@
  UCDMIBS = UCD-SNMP-MIB.txt UCD-DEMO-MIB.txt UCD-IPFWACC-MIB.txt \
        UCD-DLMOD-MIB.txt UCD-DISKIO-MIB.txt
  
index 7b65c1867cc5f1f7f6f416fb965e6027f4ddc8f6..d9de73e0d14ae5f52760a89973f43824a136fd51 100644 (file)
@@ -1,6 +1,6 @@
 --- a/configure
 +++ b/configure
-@@ -14197,7 +14197,7 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu)
+@@ -15097,7 +15097,7 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu)
    need_version=no
    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
    soname_spec='${libname}${release}${shared_ext}$major'
index 2d572c06fee352410e77f29ee3b8b91fdc310c21..656fdede49cc5a063d80c1ba225e6ed75ce96dc5 100644 (file)
@@ -1,8 +1,8 @@
 --- a/Makefile.top
 +++ b/Makefile.top
-@@ -85,7 +85,7 @@ LIBCURRENT  = 30
+@@ -87,7 +87,7 @@ LIBCURRENT  = 30
  LIBAGE      = 0
- LIBREVISION = 3
+ LIBREVISION = 0
  
 -LIB_LD_CMD      = $(LIBTOOL) --mode=link $(LINKCC) $(CFLAGS) -rpath $(libdir) -version-info $(LIBCURRENT):$(LIBREVISION):$(LIBAGE) -o
 +LIB_LD_CMD      = $(LIBTOOL) --mode=link $(LINKCC) $(CFLAGS) -rpath $(libdir) $(LDFLAGS) -version-info $(LIBCURRENT):$(LIBREVISION):$(LIBAGE) -o
index d9b8a42e76ca25536d20c8304cce0ca5fbbaf9ad..09063abaaadfefe9f9d846021c7fb3e8e6383bde 100644 (file)
@@ -8,14 +8,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssh
-PKG_VERSION:=7.8p1
+PKG_VERSION:=7.9p1
 PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
                https://ftp.spline.de/pub/OpenBSD/OpenSSH/portable/ \
                https://anorien.csc.warwick.ac.uk/pub/OpenBSD/OpenSSH/portable/
-PKG_HASH:=1a484bb15152c183bb2514e112aa30dd34138c3cfb032eee5490a66c507144ca
+PKG_HASH:=6b4b3ba2253d84ed3771c8050728d597c91cfce898713beb7b64a305b6f11aad
 
 PKG_LICENSE:=BSD ISC
 PKG_LICENSE_FILES:=LICENCE
@@ -23,7 +23,6 @@ PKG_LICENSE_FILES:=LICENCE
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
 PKG_REMOVE_FILES:=
-PKG_FIXUP:=autoreconf
 
 include $(INCLUDE_DIR)/package.mk
 
diff --git a/net/openssh/patches/0001-fix-compilation-with-openssl-built-without-ECC.patch b/net/openssh/patches/0001-fix-compilation-with-openssl-built-without-ECC.patch
new file mode 100644 (file)
index 0000000..e430dfe
--- /dev/null
@@ -0,0 +1,70 @@
+From 91b777c7064d9d91a1433a42b0bb31592388d1b4 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Tue, 9 Oct 2018 16:17:42 -0300
+Subject: [PATCH] fix compilation with openssl built without ECC
+
+ECDSA code in openssh-compat.h and libressl-api-compat.c needs to be
+guarded by OPENSSL_HAS_ECC
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+diff --git a/openbsd-compat/libressl-api-compat.c b/openbsd-compat/libressl-api-compat.c
+index de3e64a6..ae00ff59 100644
+--- a/openbsd-compat/libressl-api-compat.c
++++ b/openbsd-compat/libressl-api-compat.c
+@@ -152,7 +152,9 @@
+ #include <openssl/dsa.h>
+ #include <openssl/rsa.h>
+ #include <openssl/evp.h>
++#ifdef OPENSSL_HAS_ECC
+ #include <openssl/ecdsa.h>
++#endif
+ #include <openssl/dh.h>
+ #ifndef HAVE_DSA_GET0_PQG
+@@ -417,6 +419,7 @@ DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s)
+ }
+ #endif /* HAVE_DSA_SIG_SET0 */
++#ifdef OPENSSL_HAS_ECC
+ #ifndef HAVE_ECDSA_SIG_GET0
+ void
+ ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)
+@@ -442,6 +445,7 @@ ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s)
+       return 1;
+ }
+ #endif /* HAVE_ECDSA_SIG_SET0 */
++#endif /* OPENSSL_HAS_ECC */
+ #ifndef HAVE_DH_GET0_PQG
+ void
+diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
+index 9e0264c0..6a525f28 100644
+--- a/openbsd-compat/openssl-compat.h
++++ b/openbsd-compat/openssl-compat.h
+@@ -24,7 +24,9 @@
+ #include <openssl/evp.h>
+ #include <openssl/rsa.h>
+ #include <openssl/dsa.h>
++#ifdef OPENSSL_HAS_ECC
+ #include <openssl/ecdsa.h>
++#endif
+ #include <openssl/dh.h>
+ int ssh_compatible_openssl(long, long);
+@@ -161,6 +163,7 @@ void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
+ int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s);
+ #endif /* DSA_SIG_SET0 */
++#ifdef OPENSSL_HAS_ECC
+ #ifndef HAVE_ECDSA_SIG_GET0
+ void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
+ #endif /* HAVE_ECDSA_SIG_GET0 */
+@@ -168,6 +171,7 @@ void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
+ #ifndef HAVE_ECDSA_SIG_SET0
+ int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
+ #endif /* HAVE_ECDSA_SIG_SET0 */
++#endif /* OPENSSL_HAS_ECC */
+ #ifndef HAVE_DH_GET0_PQG
+ void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q,
diff --git a/net/openssh/patches/0001-upstream-hold-our-collective-noses-and-use-the-opens.patch b/net/openssh/patches/0001-upstream-hold-our-collective-noses-and-use-the-opens.patch
deleted file mode 100644 (file)
index 8fa34e1..0000000
+++ /dev/null
@@ -1,2161 +0,0 @@
-From b67882dece4df10893307467f3782237fad72d25 Mon Sep 17 00:00:00 2001
-From: "djm@openbsd.org" <djm@openbsd.org>
-Date: Thu, 13 Sep 2018 02:08:33 +0000
-Subject: [PATCH 1/5] upstream: hold our collective noses and use the
- openssl-1.1.x API in
-
-OpenSSH; feedback and ok tb@ jsing@ markus@
-
-OpenBSD-Commit-ID: cacbcac87ce5da0d3ca7ef1b38a6f7fb349e4417
----
- auth2.c             |   4 +-
- cipher.c            |  16 +-
- cipher.h            |   4 +-
- dh.c                |  60 +++--
- dh.h                |   2 +-
- digest-openssl.c    |  26 ++-
- kexdhc.c            |  15 +-
- kexdhs.c            |  11 +-
- kexgexc.c           |  18 +-
- kexgexs.c           |  21 +-
- monitor.c           |   6 +-
- ssh-dss.c           |  26 ++-
- ssh-ecdsa.c         |  23 +-
- ssh-keygen.c        |  61 +++--
- ssh-pkcs11-client.c |  12 +-
- ssh-pkcs11.c        |  55 +++--
- ssh-rsa.c           |  47 ++--
- sshd.c              |   6 +-
- sshkey.c            | 637 ++++++++++++++++++++++++++++------------------------
- sshkey.h            |   7 +-
- 20 files changed, 619 insertions(+), 438 deletions(-)
-
-diff --git a/auth2.c b/auth2.c
-index ab879589..4d19957a 100644
---- a/auth2.c
-+++ b/auth2.c
-@@ -706,7 +706,7 @@ auth2_record_key(Authctxt *authctxt, int authenticated,
-       struct sshkey **tmp, *dup;
-       int r;
--      if ((r = sshkey_demote(key, &dup)) != 0)
-+      if ((r = sshkey_from_private(key, &dup)) != 0)
-               fatal("%s: copy key: %s", __func__, ssh_err(r));
-       sshkey_free(authctxt->auth_method_key);
-       authctxt->auth_method_key = dup;
-@@ -715,7 +715,7 @@ auth2_record_key(Authctxt *authctxt, int authenticated,
-               return;
-       /* If authenticated, make sure we don't accept this key again */
--      if ((r = sshkey_demote(key, &dup)) != 0)
-+      if ((r = sshkey_from_private(key, &dup)) != 0)
-               fatal("%s: copy key: %s", __func__, ssh_err(r));
-       if (authctxt->nprev_keys >= INT_MAX ||
-           (tmp = recallocarray(authctxt->prev_keys, authctxt->nprev_keys,
-diff --git a/cipher.c b/cipher.c
-index a72682a8..df43826e 100644
---- a/cipher.c
-+++ b/cipher.c
-@@ -446,7 +446,7 @@ cipher_get_keyiv_len(const struct sshcipher_ctx *cc)
- }
- int
--cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
-+cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, size_t len)
- {
- #ifdef WITH_OPENSSL
-       const struct sshcipher *c = cc->cipher;
-@@ -473,7 +473,7 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
-               return 0;
-       else if (evplen < 0)
-               return SSH_ERR_LIBCRYPTO_ERROR;
--      if ((u_int)evplen != len)
-+      if ((size_t)evplen != len)
-               return SSH_ERR_INVALID_ARGUMENT;
- #ifndef OPENSSL_HAVE_EVPCTR
-       if (c->evptype == evp_aes_128_ctr)
-@@ -484,14 +484,14 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
-               if (!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN,
-                  len, iv))
-                      return SSH_ERR_LIBCRYPTO_ERROR;
--      } else
--              memcpy(iv, cc->evp->iv, len);
-+      } else if (!EVP_CIPHER_CTX_get_iv(cc->evp, iv, len))
-+             return SSH_ERR_LIBCRYPTO_ERROR;
- #endif
-       return 0;
- }
- int
--cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
-+cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv, size_t len)
- {
- #ifdef WITH_OPENSSL
-       const struct sshcipher *c = cc->cipher;
-@@ -507,6 +507,8 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
-       evplen = EVP_CIPHER_CTX_iv_length(cc->evp);
-       if (evplen <= 0)
-               return SSH_ERR_LIBCRYPTO_ERROR;
-+      if ((size_t)evplen != len)
-+              return SSH_ERR_INVALID_ARGUMENT;
- #ifndef OPENSSL_HAVE_EVPCTR
-       /* XXX iv arg is const, but ssh_aes_ctr_iv isn't */
-       if (c->evptype == evp_aes_128_ctr)
-@@ -518,8 +520,8 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
-               if (!EVP_CIPHER_CTX_ctrl(cc->evp,
-                   EVP_CTRL_GCM_SET_IV_FIXED, -1, (void *)iv))
-                       return SSH_ERR_LIBCRYPTO_ERROR;
--      } else
--              memcpy(cc->evp->iv, iv, evplen);
-+      } else if (!EVP_CIPHER_CTX_set_iv(cc->evp, iv, evplen))
-+              return SSH_ERR_LIBCRYPTO_ERROR;
- #endif
-       return 0;
- }
-diff --git a/cipher.h b/cipher.h
-index dc7ecf11..dc1571d2 100644
---- a/cipher.h
-+++ b/cipher.h
-@@ -68,8 +68,8 @@ u_int         cipher_is_cbc(const struct sshcipher *);
- u_int  cipher_ctx_is_plaintext(struct sshcipher_ctx *);
--int    cipher_get_keyiv(struct sshcipher_ctx *, u_char *, u_int);
--int    cipher_set_keyiv(struct sshcipher_ctx *, const u_char *);
-+int    cipher_get_keyiv(struct sshcipher_ctx *, u_char *, size_t);
-+int    cipher_set_keyiv(struct sshcipher_ctx *, const u_char *, size_t);
- int    cipher_get_keyiv_len(const struct sshcipher_ctx *);
- #endif                                /* CIPHER_H */
-diff --git a/dh.c b/dh.c
-index ac8d5a0a..d0d4527b 100644
---- a/dh.c
-+++ b/dh.c
-@@ -216,14 +216,17 @@ choose_dh(int min, int wantbits, int max)
- /* diffie-hellman-groupN-sha1 */
- int
--dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
-+dh_pub_is_valid(const DH *dh, const BIGNUM *dh_pub)
- {
-       int i;
-       int n = BN_num_bits(dh_pub);
-       int bits_set = 0;
-       BIGNUM *tmp;
-+      const BIGNUM *dh_p;
--      if (dh_pub->neg) {
-+      DH_get0_pqg(dh, &dh_p, NULL, NULL);
-+
-+      if (BN_is_negative(dh_pub)) {
-               logit("invalid public DH value: negative");
-               return 0;
-       }
-@@ -236,7 +239,7 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
-               error("%s: BN_new failed", __func__);
-               return 0;
-       }
--      if (!BN_sub(tmp, dh->p, BN_value_one()) ||
-+      if (!BN_sub(tmp, dh_p, BN_value_one()) ||
-           BN_cmp(dh_pub, tmp) != -1) {                /* pub_exp > p-2 */
-               BN_clear_free(tmp);
-               logit("invalid public DH value: >= p-1");
-@@ -247,14 +250,14 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
-       for (i = 0; i <= n; i++)
-               if (BN_is_bit_set(dh_pub, i))
-                       bits_set++;
--      debug2("bits set: %d/%d", bits_set, BN_num_bits(dh->p));
-+      debug2("bits set: %d/%d", bits_set, BN_num_bits(dh_p));
-       /*
-        * if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial
-        */
-       if (bits_set < 4) {
-               logit("invalid public DH value (%d/%d)",
--                 bits_set, BN_num_bits(dh->p));
-+                 bits_set, BN_num_bits(dh_p));
-               return 0;
-       }
-       return 1;
-@@ -264,9 +267,12 @@ int
- dh_gen_key(DH *dh, int need)
- {
-       int pbits;
-+      const BIGNUM *dh_p, *pub_key;
-+
-+      DH_get0_pqg(dh, &dh_p, NULL, NULL);
--      if (need < 0 || dh->p == NULL ||
--          (pbits = BN_num_bits(dh->p)) <= 0 ||
-+      if (need < 0 || dh_p == NULL ||
-+          (pbits = BN_num_bits(dh_p)) <= 0 ||
-           need > INT_MAX / 2 || 2 * need > pbits)
-               return SSH_ERR_INVALID_ARGUMENT;
-       if (need < 256)
-@@ -275,13 +281,14 @@ dh_gen_key(DH *dh, int need)
-        * Pollard Rho, Big step/Little Step attacks are O(sqrt(n)),
-        * so double requested need here.
-        */
--      dh->length = MINIMUM(need * 2, pbits - 1);
--      if (DH_generate_key(dh) == 0 ||
--          !dh_pub_is_valid(dh, dh->pub_key)) {
--              BN_clear_free(dh->priv_key);
--              dh->priv_key = NULL;
-+      if (!DH_set_length(dh, MINIMUM(need * 2, pbits - 1)))
-               return SSH_ERR_LIBCRYPTO_ERROR;
--      }
-+
-+      if (DH_generate_key(dh) == 0)
-+              return SSH_ERR_LIBCRYPTO_ERROR;
-+      DH_get0_key(dh, &pub_key, NULL);
-+      if (!dh_pub_is_valid(dh, pub_key))
-+              return SSH_ERR_INVALID_FORMAT;
-       return 0;
- }
-@@ -289,22 +296,27 @@ DH *
- dh_new_group_asc(const char *gen, const char *modulus)
- {
-       DH *dh;
-+      BIGNUM *dh_p = NULL, *dh_g = NULL;
-       if ((dh = DH_new()) == NULL)
-               return NULL;
--      if (BN_hex2bn(&dh->p, modulus) == 0 ||
--          BN_hex2bn(&dh->g, gen) == 0) {
--              DH_free(dh);
--              return NULL;
--      }
--      return (dh);
-+      if (BN_hex2bn(&dh_p, modulus) == 0 ||
-+          BN_hex2bn(&dh_g, gen) == 0)
-+              goto fail;
-+      if (!DH_set0_pqg(dh, dh_p, NULL, dh_g))
-+              goto fail;
-+      return dh;
-+ fail:
-+      DH_free(dh);
-+      BN_clear_free(dh_p);
-+      BN_clear_free(dh_g);
-+      return NULL;
- }
- /*
-  * This just returns the group, we still need to generate the exchange
-  * value.
-  */
--
- DH *
- dh_new_group(BIGNUM *gen, BIGNUM *modulus)
- {
-@@ -312,10 +324,12 @@ dh_new_group(BIGNUM *gen, BIGNUM *modulus)
-       if ((dh = DH_new()) == NULL)
-               return NULL;
--      dh->p = modulus;
--      dh->g = gen;
-+      if (!DH_set0_pqg(dh, modulus, NULL, gen)) {
-+              DH_free(dh);
-+              return NULL;
-+      }
--      return (dh);
-+      return dh;
- }
- /* rfc2409 "Second Oakley Group" (1024 bits) */
-diff --git a/dh.h b/dh.h
-index bcd485cf..344b29e3 100644
---- a/dh.h
-+++ b/dh.h
-@@ -42,7 +42,7 @@ DH   *dh_new_group18(void);
- DH    *dh_new_group_fallback(int);
- int    dh_gen_key(DH *, int);
--int    dh_pub_is_valid(DH *, BIGNUM *);
-+int    dh_pub_is_valid(const DH *, const BIGNUM *);
- u_int  dh_estimate(int);
-diff --git a/digest-openssl.c b/digest-openssl.c
-index 27709992..da7ed72b 100644
---- a/digest-openssl.c
-+++ b/digest-openssl.c
-@@ -43,7 +43,7 @@
- struct ssh_digest_ctx {
-       int alg;
--      EVP_MD_CTX mdctx;
-+      EVP_MD_CTX *mdctx;
- };
- struct ssh_digest {
-@@ -106,7 +106,7 @@ ssh_digest_bytes(int alg)
- size_t
- ssh_digest_blocksize(struct ssh_digest_ctx *ctx)
- {
--      return EVP_MD_CTX_block_size(&ctx->mdctx);
-+      return EVP_MD_CTX_block_size(ctx->mdctx);
- }
- struct ssh_digest_ctx *
-@@ -118,11 +118,14 @@ ssh_digest_start(int alg)
-       if (digest == NULL || ((ret = calloc(1, sizeof(*ret))) == NULL))
-               return NULL;
-       ret->alg = alg;
--      EVP_MD_CTX_init(&ret->mdctx);
--      if (EVP_DigestInit_ex(&ret->mdctx, digest->mdfunc(), NULL) != 1) {
-+      if ((ret->mdctx = EVP_MD_CTX_new()) == NULL) {
-               free(ret);
-               return NULL;
-       }
-+      if (EVP_DigestInit_ex(ret->mdctx, digest->mdfunc(), NULL) != 1) {
-+              ssh_digest_free(ret);
-+              return NULL;
-+      }
-       return ret;
- }
-@@ -132,7 +135,7 @@ ssh_digest_copy_state(struct ssh_digest_ctx *from, struct ssh_digest_ctx *to)
-       if (from->alg != to->alg)
-               return SSH_ERR_INVALID_ARGUMENT;
-       /* we have bcopy-style order while openssl has memcpy-style */
--      if (!EVP_MD_CTX_copy_ex(&to->mdctx, &from->mdctx))
-+      if (!EVP_MD_CTX_copy_ex(to->mdctx, from->mdctx))
-               return SSH_ERR_LIBCRYPTO_ERROR;
-       return 0;
- }
-@@ -140,7 +143,7 @@ ssh_digest_copy_state(struct ssh_digest_ctx *from, struct ssh_digest_ctx *to)
- int
- ssh_digest_update(struct ssh_digest_ctx *ctx, const void *m, size_t mlen)
- {
--      if (EVP_DigestUpdate(&ctx->mdctx, m, mlen) != 1)
-+      if (EVP_DigestUpdate(ctx->mdctx, m, mlen) != 1)
-               return SSH_ERR_LIBCRYPTO_ERROR;
-       return 0;
- }
-@@ -161,7 +164,7 @@ ssh_digest_final(struct ssh_digest_ctx *ctx, u_char *d, size_t dlen)
-               return SSH_ERR_INVALID_ARGUMENT;
-       if (dlen < digest->digest_len) /* No truncation allowed */
-               return SSH_ERR_INVALID_ARGUMENT;
--      if (EVP_DigestFinal_ex(&ctx->mdctx, d, &l) != 1)
-+      if (EVP_DigestFinal_ex(ctx->mdctx, d, &l) != 1)
-               return SSH_ERR_LIBCRYPTO_ERROR;
-       if (l != digest->digest_len) /* sanity */
-               return SSH_ERR_INTERNAL_ERROR;
-@@ -171,11 +174,10 @@ ssh_digest_final(struct ssh_digest_ctx *ctx, u_char *d, size_t dlen)
- void
- ssh_digest_free(struct ssh_digest_ctx *ctx)
- {
--      if (ctx != NULL) {
--              EVP_MD_CTX_cleanup(&ctx->mdctx);
--              explicit_bzero(ctx, sizeof(*ctx));
--              free(ctx);
--      }
-+      if (ctx == NULL)
-+              return;
-+      EVP_MD_CTX_free(ctx->mdctx);
-+      freezero(ctx, sizeof(*ctx));
- }
- int
-diff --git a/kexdhc.c b/kexdhc.c
-index 9a9f1ea7..a8b74247 100644
---- a/kexdhc.c
-+++ b/kexdhc.c
-@@ -56,6 +56,7 @@ kexdh_client(struct ssh *ssh)
- {
-       struct kex *kex = ssh->kex;
-       int r;
-+      const BIGNUM *pub_key;
-       /* generate and send 'e', client DH public key */
-       switch (kex->kex_type) {
-@@ -81,15 +82,17 @@ kexdh_client(struct ssh *ssh)
-               goto out;
-       }
-       debug("sending SSH2_MSG_KEXDH_INIT");
--      if ((r = dh_gen_key(kex->dh, kex->we_need * 8)) != 0 ||
--          (r = sshpkt_start(ssh, SSH2_MSG_KEXDH_INIT)) != 0 ||
--          (r = sshpkt_put_bignum2(ssh, kex->dh->pub_key)) != 0 ||
-+      if ((r = dh_gen_key(kex->dh, kex->we_need * 8)) != 0)
-+              goto out;
-+      DH_get0_key(kex->dh, &pub_key, NULL);
-+      if ((r = sshpkt_start(ssh, SSH2_MSG_KEXDH_INIT)) != 0 ||
-+          (r = sshpkt_put_bignum2(ssh, pub_key)) != 0 ||
-           (r = sshpkt_send(ssh)) != 0)
-               goto out;
- #ifdef DEBUG_KEXDH
-       DHparams_print_fp(stderr, kex->dh);
-       fprintf(stderr, "pub= ");
--      BN_print_fp(stderr, kex->dh->pub_key);
-+      BN_print_fp(stderr, pub_key);
-       fprintf(stderr, "\n");
- #endif
-       debug("expecting SSH2_MSG_KEXDH_REPLY");
-@@ -104,6 +107,7 @@ input_kex_dh(int type, u_int32_t seq, struct ssh *ssh)
- {
-       struct kex *kex = ssh->kex;
-       BIGNUM *dh_server_pub = NULL, *shared_secret = NULL;
-+      const BIGNUM *pub_key;
-       struct sshkey *server_host_key = NULL;
-       u_char *kbuf = NULL, *server_host_key_blob = NULL, *signature = NULL;
-       u_char hash[SSH_DIGEST_MAX_LENGTH];
-@@ -168,6 +172,7 @@ input_kex_dh(int type, u_int32_t seq, struct ssh *ssh)
- #endif
-       /* calc and verify H */
-+      DH_get0_key(kex->dh, &pub_key, NULL);
-       hashlen = sizeof(hash);
-       if ((r = kex_dh_hash(
-           kex->hash_alg,
-@@ -176,7 +181,7 @@ input_kex_dh(int type, u_int32_t seq, struct ssh *ssh)
-           sshbuf_ptr(kex->my), sshbuf_len(kex->my),
-           sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
-           server_host_key_blob, sbloblen,
--          kex->dh->pub_key,
-+          pub_key,
-           dh_server_pub,
-           shared_secret,
-           hash, &hashlen)) != 0)
-diff --git a/kexdhs.c b/kexdhs.c
-index 5dfca0a2..8367c6c3 100644
---- a/kexdhs.c
-+++ b/kexdhs.c
-@@ -95,6 +95,7 @@ input_kex_dh_init(int type, u_int32_t seq, struct ssh *ssh)
- {
-       struct kex *kex = ssh->kex;
-       BIGNUM *shared_secret = NULL, *dh_client_pub = NULL;
-+      const BIGNUM *pub_key;
-       struct sshkey *server_host_public, *server_host_private;
-       u_char *kbuf = NULL, *signature = NULL, *server_host_key_blob = NULL;
-       u_char hash[SSH_DIGEST_MAX_LENGTH];
-@@ -121,6 +122,7 @@ input_kex_dh_init(int type, u_int32_t seq, struct ssh *ssh)
-               r = SSH_ERR_ALLOC_FAIL;
-               goto out;
-       }
-+      DH_get0_key(kex->dh, &pub_key, NULL);
-       if ((r = sshpkt_get_bignum2(ssh, dh_client_pub)) != 0 ||
-           (r = sshpkt_get_end(ssh)) != 0)
-               goto out;
-@@ -130,12 +132,9 @@ input_kex_dh_init(int type, u_int32_t seq, struct ssh *ssh)
-       BN_print_fp(stderr, dh_client_pub);
-       fprintf(stderr, "\n");
-       debug("bits %d", BN_num_bits(dh_client_pub));
--#endif
--
--#ifdef DEBUG_KEXDH
-       DHparams_print_fp(stderr, kex->dh);
-       fprintf(stderr, "pub= ");
--      BN_print_fp(stderr, kex->dh->pub_key);
-+      BN_print_fp(stderr, pub_key);
-       fprintf(stderr, "\n");
- #endif
-       if (!dh_pub_is_valid(kex->dh, dh_client_pub)) {
-@@ -171,7 +170,7 @@ input_kex_dh_init(int type, u_int32_t seq, struct ssh *ssh)
-           sshbuf_ptr(kex->my), sshbuf_len(kex->my),
-           server_host_key_blob, sbloblen,
-           dh_client_pub,
--          kex->dh->pub_key,
-+          pub_key,
-           shared_secret,
-           hash, &hashlen)) != 0)
-               goto out;
-@@ -197,7 +196,7 @@ input_kex_dh_init(int type, u_int32_t seq, struct ssh *ssh)
-       /* send server hostkey, DH pubkey 'f' and signed H */
-       if ((r = sshpkt_start(ssh, SSH2_MSG_KEXDH_REPLY)) != 0 ||
-           (r = sshpkt_put_string(ssh, server_host_key_blob, sbloblen)) != 0 ||
--          (r = sshpkt_put_bignum2(ssh, kex->dh->pub_key)) != 0 ||     /* f */
-+          (r = sshpkt_put_bignum2(ssh, pub_key)) != 0 ||      /* f */
-           (r = sshpkt_put_string(ssh, signature, slen)) != 0 ||
-           (r = sshpkt_send(ssh)) != 0)
-               goto out;
-diff --git a/kexgexc.c b/kexgexc.c
-index 762a9a32..955bc837 100644
---- a/kexgexc.c
-+++ b/kexgexc.c
-@@ -93,6 +93,7 @@ input_kex_dh_gex_group(int type, u_int32_t seq, struct ssh *ssh)
- {
-       struct kex *kex = ssh->kex;
-       BIGNUM *p = NULL, *g = NULL;
-+      const BIGNUM *pub_key;
-       int r, bits;
-       debug("got SSH2_MSG_KEX_DH_GEX_GROUP");
-@@ -118,16 +119,18 @@ input_kex_dh_gex_group(int type, u_int32_t seq, struct ssh *ssh)
-       p = g = NULL; /* belong to kex->dh now */
-       /* generate and send 'e', client DH public key */
--      if ((r = dh_gen_key(kex->dh, kex->we_need * 8)) != 0 ||
--          (r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_INIT)) != 0 ||
--          (r = sshpkt_put_bignum2(ssh, kex->dh->pub_key)) != 0 ||
-+      if ((r = dh_gen_key(kex->dh, kex->we_need * 8)) != 0)
-+              goto out;
-+      DH_get0_key(kex->dh, &pub_key, NULL);
-+      if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_INIT)) != 0 ||
-+          (r = sshpkt_put_bignum2(ssh, pub_key)) != 0 ||
-           (r = sshpkt_send(ssh)) != 0)
-               goto out;
-       debug("SSH2_MSG_KEX_DH_GEX_INIT sent");
- #ifdef DEBUG_KEXDH
-       DHparams_print_fp(stderr, kex->dh);
-       fprintf(stderr, "pub= ");
--      BN_print_fp(stderr, kex->dh->pub_key);
-+      BN_print_fp(stderr, pub_key);
-       fprintf(stderr, "\n");
- #endif
-       ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_GROUP, NULL);
-@@ -144,6 +147,7 @@ input_kex_dh_gex_reply(int type, u_int32_t seq, struct ssh *ssh)
- {
-       struct kex *kex = ssh->kex;
-       BIGNUM *dh_server_pub = NULL, *shared_secret = NULL;
-+      const BIGNUM *pub_key, *dh_p, *dh_g;
-       struct sshkey *server_host_key = NULL;
-       u_char *kbuf = NULL, *signature = NULL, *server_host_key_blob = NULL;
-       u_char hash[SSH_DIGEST_MAX_LENGTH];
-@@ -211,6 +215,8 @@ input_kex_dh_gex_reply(int type, u_int32_t seq, struct ssh *ssh)
-               kex->min = kex->max = -1;
-       /* calc and verify H */
-+      DH_get0_key(kex->dh, &pub_key, NULL);
-+      DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g);
-       hashlen = sizeof(hash);
-       if ((r = kexgex_hash(
-           kex->hash_alg,
-@@ -220,8 +226,8 @@ input_kex_dh_gex_reply(int type, u_int32_t seq, struct ssh *ssh)
-           sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
-           server_host_key_blob, sbloblen,
-           kex->min, kex->nbits, kex->max,
--          kex->dh->p, kex->dh->g,
--          kex->dh->pub_key,
-+          dh_p, dh_g,
-+          pub_key,
-           dh_server_pub,
-           shared_secret,
-           hash, &hashlen)) != 0)
-diff --git a/kexgexs.c b/kexgexs.c
-index f6983fd6..2a4aa7e8 100644
---- a/kexgexs.c
-+++ b/kexgexs.c
-@@ -72,6 +72,7 @@ input_kex_dh_gex_request(int type, u_int32_t seq, struct ssh *ssh)
-       struct kex *kex = ssh->kex;
-       int r;
-       u_int min = 0, max = 0, nbits = 0;
-+      const BIGNUM *dh_p, *dh_g;
-       debug("SSH2_MSG_KEX_DH_GEX_REQUEST received");
-       if ((r = sshpkt_get_u32(ssh, &min)) != 0 ||
-@@ -101,9 +102,10 @@ input_kex_dh_gex_request(int type, u_int32_t seq, struct ssh *ssh)
-               goto out;
-       }
-       debug("SSH2_MSG_KEX_DH_GEX_GROUP sent");
-+      DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g);
-       if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_GROUP)) != 0 ||
--          (r = sshpkt_put_bignum2(ssh, kex->dh->p)) != 0 ||
--          (r = sshpkt_put_bignum2(ssh, kex->dh->g)) != 0 ||
-+          (r = sshpkt_put_bignum2(ssh, dh_p)) != 0 ||
-+          (r = sshpkt_put_bignum2(ssh, dh_g)) != 0 ||
-           (r = sshpkt_send(ssh)) != 0)
-               goto out;
-@@ -123,6 +125,7 @@ input_kex_dh_gex_init(int type, u_int32_t seq, struct ssh *ssh)
- {
-       struct kex *kex = ssh->kex;
-       BIGNUM *shared_secret = NULL, *dh_client_pub = NULL;
-+      const BIGNUM *pub_key, *dh_p, *dh_g;
-       struct sshkey *server_host_public, *server_host_private;
-       u_char *kbuf = NULL, *signature = NULL, *server_host_key_blob = NULL;
-       u_char hash[SSH_DIGEST_MAX_LENGTH];
-@@ -153,17 +156,17 @@ input_kex_dh_gex_init(int type, u_int32_t seq, struct ssh *ssh)
-           (r = sshpkt_get_end(ssh)) != 0)
-               goto out;
-+      DH_get0_key(kex->dh, &pub_key, NULL);
-+      DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g);
-+
- #ifdef DEBUG_KEXDH
-       fprintf(stderr, "dh_client_pub= ");
-       BN_print_fp(stderr, dh_client_pub);
-       fprintf(stderr, "\n");
-       debug("bits %d", BN_num_bits(dh_client_pub));
--#endif
--
--#ifdef DEBUG_KEXDH
-       DHparams_print_fp(stderr, kex->dh);
-       fprintf(stderr, "pub= ");
--      BN_print_fp(stderr, kex->dh->pub_key);
-+      BN_print_fp(stderr, pub_key);
-       fprintf(stderr, "\n");
- #endif
-       if (!dh_pub_is_valid(kex->dh, dh_client_pub)) {
-@@ -199,9 +202,9 @@ input_kex_dh_gex_init(int type, u_int32_t seq, struct ssh *ssh)
-           sshbuf_ptr(kex->my), sshbuf_len(kex->my),
-           server_host_key_blob, sbloblen,
-           kex->min, kex->nbits, kex->max,
--          kex->dh->p, kex->dh->g,
-+          dh_p, dh_g,
-           dh_client_pub,
--          kex->dh->pub_key,
-+          pub_key,
-           shared_secret,
-           hash, &hashlen)) != 0)
-               goto out;
-@@ -227,7 +230,7 @@ input_kex_dh_gex_init(int type, u_int32_t seq, struct ssh *ssh)
-       /* send server hostkey, DH pubkey 'f' and signed H */
-       if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REPLY)) != 0 ||
-           (r = sshpkt_put_string(ssh, server_host_key_blob, sbloblen)) != 0 ||
--          (r = sshpkt_put_bignum2(ssh, kex->dh->pub_key)) != 0 ||     /* f */
-+          (r = sshpkt_put_bignum2(ssh, pub_key)) != 0 ||     /* f */
-           (r = sshpkt_put_string(ssh, signature, slen)) != 0 ||
-           (r = sshpkt_send(ssh)) != 0)
-               goto out;
-diff --git a/monitor.c b/monitor.c
-index d4b4b047..b30813b4 100644
---- a/monitor.c
-+++ b/monitor.c
-@@ -566,6 +566,7 @@ int
- mm_answer_moduli(int sock, struct sshbuf *m)
- {
-       DH *dh;
-+      const BIGNUM *dh_p, *dh_g;
-       int r;
-       u_int min, want, max;
-@@ -590,9 +591,10 @@ mm_answer_moduli(int sock, struct sshbuf *m)
-               return (0);
-       } else {
-               /* Send first bignum */
-+              DH_get0_pqg(dh, &dh_p, NULL, &dh_g);
-               if ((r = sshbuf_put_u8(m, 1)) != 0 ||
--                  (r = sshbuf_put_bignum2(m, dh->p)) != 0 ||
--                  (r = sshbuf_put_bignum2(m, dh->g)) != 0)
-+                  (r = sshbuf_put_bignum2(m, dh_p)) != 0 ||
-+                  (r = sshbuf_put_bignum2(m, dh_g)) != 0)
-                       fatal("%s: buffer error: %s", __func__, ssh_err(r));
-               DH_free(dh);
-diff --git a/ssh-dss.c b/ssh-dss.c
-index 9f832ee2..631b1571 100644
---- a/ssh-dss.c
-+++ b/ssh-dss.c
-@@ -51,6 +51,7 @@ ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
-     const u_char *data, size_t datalen, u_int compat)
- {
-       DSA_SIG *sig = NULL;
-+      const BIGNUM *sig_r, *sig_s;
-       u_char digest[SSH_DIGEST_MAX_LENGTH], sigblob[SIGBLOB_LEN];
-       size_t rlen, slen, len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
-       struct sshbuf *b = NULL;
-@@ -76,15 +77,16 @@ ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
-               goto out;
-       }
--      rlen = BN_num_bytes(sig->r);
--      slen = BN_num_bytes(sig->s);
-+      DSA_SIG_get0(sig, &sig_r, &sig_s);
-+      rlen = BN_num_bytes(sig_r);
-+      slen = BN_num_bytes(sig_s);
-       if (rlen > INTBLOB_LEN || slen > INTBLOB_LEN) {
-               ret = SSH_ERR_INTERNAL_ERROR;
-               goto out;
-       }
-       explicit_bzero(sigblob, SIGBLOB_LEN);
--      BN_bn2bin(sig->r, sigblob + SIGBLOB_LEN - INTBLOB_LEN - rlen);
--      BN_bn2bin(sig->s, sigblob + SIGBLOB_LEN - slen);
-+      BN_bn2bin(sig_r, sigblob + SIGBLOB_LEN - INTBLOB_LEN - rlen);
-+      BN_bn2bin(sig_s, sigblob + SIGBLOB_LEN - slen);
-       if ((b = sshbuf_new()) == NULL) {
-               ret = SSH_ERR_ALLOC_FAIL;
-@@ -118,6 +120,7 @@ ssh_dss_verify(const struct sshkey *key,
-     const u_char *data, size_t datalen, u_int compat)
- {
-       DSA_SIG *sig = NULL;
-+      BIGNUM *sig_r = NULL, *sig_s = NULL;
-       u_char digest[SSH_DIGEST_MAX_LENGTH], *sigblob = NULL;
-       size_t len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
-       int ret = SSH_ERR_INTERNAL_ERROR;
-@@ -155,16 +158,21 @@ ssh_dss_verify(const struct sshkey *key,
-       /* parse signature */
-       if ((sig = DSA_SIG_new()) == NULL ||
--          (sig->r = BN_new()) == NULL ||
--          (sig->s = BN_new()) == NULL) {
-+          (sig_r = BN_new()) == NULL ||
-+          (sig_s = BN_new()) == NULL) {
-               ret = SSH_ERR_ALLOC_FAIL;
-               goto out;
-       }
--      if ((BN_bin2bn(sigblob, INTBLOB_LEN, sig->r) == NULL) ||
--          (BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s) == NULL)) {
-+      if ((BN_bin2bn(sigblob, INTBLOB_LEN, sig_r) == NULL) ||
-+          (BN_bin2bn(sigblob + INTBLOB_LEN, INTBLOB_LEN, sig_s) == NULL)) {
-               ret = SSH_ERR_LIBCRYPTO_ERROR;
-               goto out;
-       }
-+      if (!DSA_SIG_set0(sig, sig_r, sig_s)) {
-+              ret = SSH_ERR_LIBCRYPTO_ERROR;
-+              goto out;
-+      }
-+      sig_r = sig_s = NULL; /* transferred */
-       /* sha1 the data */
-       if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen,
-@@ -186,6 +194,8 @@ ssh_dss_verify(const struct sshkey *key,
-  out:
-       explicit_bzero(digest, sizeof(digest));
-       DSA_SIG_free(sig);
-+      BN_clear_free(sig_r);
-+      BN_clear_free(sig_s);
-       sshbuf_free(b);
-       free(ktype);
-       if (sigblob != NULL) {
-diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c
-index 3d3b78d7..9e92af04 100644
---- a/ssh-ecdsa.c
-+++ b/ssh-ecdsa.c
-@@ -49,6 +49,7 @@ ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
-     const u_char *data, size_t datalen, u_int compat)
- {
-       ECDSA_SIG *sig = NULL;
-+      const BIGNUM *sig_r, *sig_s;
-       int hash_alg;
-       u_char digest[SSH_DIGEST_MAX_LENGTH];
-       size_t len, dlen;
-@@ -80,8 +81,9 @@ ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
-               ret = SSH_ERR_ALLOC_FAIL;
-               goto out;
-       }
--      if ((ret = sshbuf_put_bignum2(bb, sig->r)) != 0 ||
--          (ret = sshbuf_put_bignum2(bb, sig->s)) != 0)
-+      ECDSA_SIG_get0(sig, &sig_r, &sig_s);
-+      if ((ret = sshbuf_put_bignum2(bb, sig_r)) != 0 ||
-+          (ret = sshbuf_put_bignum2(bb, sig_s)) != 0)
-               goto out;
-       if ((ret = sshbuf_put_cstring(b, sshkey_ssh_name_plain(key))) != 0 ||
-           (ret = sshbuf_put_stringb(b, bb)) != 0)
-@@ -112,6 +114,7 @@ ssh_ecdsa_verify(const struct sshkey *key,
-     const u_char *data, size_t datalen, u_int compat)
- {
-       ECDSA_SIG *sig = NULL;
-+      BIGNUM *sig_r = NULL, *sig_s = NULL;
-       int hash_alg;
-       u_char digest[SSH_DIGEST_MAX_LENGTH];
-       size_t dlen;
-@@ -146,15 +149,23 @@ ssh_ecdsa_verify(const struct sshkey *key,
-       }
-       /* parse signature */
--      if ((sig = ECDSA_SIG_new()) == NULL) {
-+      if ((sig = ECDSA_SIG_new()) == NULL ||
-+          (sig_r = BN_new()) == NULL ||
-+          (sig_s = BN_new()) == NULL) {
-               ret = SSH_ERR_ALLOC_FAIL;
-               goto out;
-       }
--      if (sshbuf_get_bignum2(sigbuf, sig->r) != 0 ||
--          sshbuf_get_bignum2(sigbuf, sig->s) != 0) {
-+      if (sshbuf_get_bignum2(sigbuf, sig_r) != 0 ||
-+          sshbuf_get_bignum2(sigbuf, sig_s) != 0) {
-               ret = SSH_ERR_INVALID_FORMAT;
-               goto out;
-       }
-+      if (!ECDSA_SIG_set0(sig, sig_r, sig_s)) {
-+              ret = SSH_ERR_LIBCRYPTO_ERROR;
-+              goto out;
-+      }
-+      sig_r = sig_s = NULL; /* transferred */
-+
-       if (sshbuf_len(sigbuf) != 0) {
-               ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
-               goto out;
-@@ -180,6 +191,8 @@ ssh_ecdsa_verify(const struct sshkey *key,
-       sshbuf_free(sigbuf);
-       sshbuf_free(b);
-       ECDSA_SIG_free(sig);
-+      BN_clear_free(sig_r);
-+      BN_clear_free(sig_s);
-       free(ktype);
-       return ret;
- }
-diff --git a/ssh-keygen.c b/ssh-keygen.c
-index 22860ad9..f240af66 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
-@@ -450,7 +450,10 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen)
-       u_int magic, i1, i2, i3, i4;
-       size_t slen;
-       u_long e;
--
-+      BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL;
-+      BIGNUM *dsa_pub_key = NULL, *dsa_priv_key = NULL;
-+      BIGNUM *rsa_n = NULL, *rsa_e = NULL, *rsa_d = NULL;
-+      BIGNUM *rsa_p = NULL, *rsa_q = NULL, *rsa_iqmp = NULL;
-       if ((b = sshbuf_from(blob, blen)) == NULL)
-               fatal("%s: sshbuf_from failed", __func__);
-       if ((r = sshbuf_get_u32(b, &magic)) != 0)
-@@ -494,11 +497,23 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen)
-       switch (key->type) {
-       case KEY_DSA:
--              buffer_get_bignum_bits(b, key->dsa->p);
--              buffer_get_bignum_bits(b, key->dsa->g);
--              buffer_get_bignum_bits(b, key->dsa->q);
--              buffer_get_bignum_bits(b, key->dsa->pub_key);
--              buffer_get_bignum_bits(b, key->dsa->priv_key);
-+              if ((dsa_p = BN_new()) == NULL ||
-+                  (dsa_q = BN_new()) == NULL ||
-+                  (dsa_g = BN_new()) == NULL ||
-+                  (dsa_pub_key = BN_new()) == NULL ||
-+                  (dsa_priv_key = BN_new()) == NULL)
-+                      fatal("%s: BN_new", __func__);
-+              buffer_get_bignum_bits(b, dsa_p);
-+              buffer_get_bignum_bits(b, dsa_g);
-+              buffer_get_bignum_bits(b, dsa_q);
-+              buffer_get_bignum_bits(b, dsa_pub_key);
-+              buffer_get_bignum_bits(b, dsa_priv_key);
-+              if (!DSA_set0_pqg(key->dsa, dsa_p, dsa_q, dsa_g))
-+                      fatal("%s: DSA_set0_pqg failed", __func__);
-+              dsa_p = dsa_q = dsa_g = NULL; /* transferred */
-+              if (!DSA_set0_key(key->dsa, dsa_pub_key, dsa_priv_key))
-+                      fatal("%s: DSA_set0_key failed", __func__);
-+              dsa_pub_key = dsa_priv_key = NULL; /* transferred */
-               break;
-       case KEY_RSA:
-               if ((r = sshbuf_get_u8(b, &e1)) != 0 ||
-@@ -515,18 +530,34 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen)
-                       e += e3;
-                       debug("e %lx", e);
-               }
--              if (!BN_set_word(key->rsa->e, e)) {
-+              if ((rsa_e = BN_new()) == NULL)
-+                      fatal("%s: BN_new", __func__);
-+              if (!BN_set_word(rsa_e, e)) {
-+                      BN_clear_free(rsa_e);
-                       sshbuf_free(b);
-                       sshkey_free(key);
-                       return NULL;
-               }
--              buffer_get_bignum_bits(b, key->rsa->d);
--              buffer_get_bignum_bits(b, key->rsa->n);
--              buffer_get_bignum_bits(b, key->rsa->iqmp);
--              buffer_get_bignum_bits(b, key->rsa->q);
--              buffer_get_bignum_bits(b, key->rsa->p);
--              if ((r = ssh_rsa_generate_additional_parameters(key)) != 0)
-+              if ((rsa_n = BN_new()) == NULL ||
-+                  (rsa_d = BN_new()) == NULL ||
-+                  (rsa_p = BN_new()) == NULL ||
-+                  (rsa_q = BN_new()) == NULL ||
-+                  (rsa_iqmp = BN_new()) == NULL)
-+                      fatal("%s: BN_new", __func__);
-+              buffer_get_bignum_bits(b, rsa_d);
-+              buffer_get_bignum_bits(b, rsa_n);
-+              buffer_get_bignum_bits(b, rsa_iqmp);
-+              buffer_get_bignum_bits(b, rsa_q);
-+              buffer_get_bignum_bits(b, rsa_p);
-+              if (!RSA_set0_key(key->rsa, rsa_n, rsa_e, rsa_d))
-+                      fatal("%s: RSA_set0_key failed", __func__);
-+              rsa_n = rsa_e = rsa_d = NULL; /* transferred */
-+              if (!RSA_set0_factors(key->rsa, rsa_p, rsa_q))
-+                      fatal("%s: RSA_set0_factors failed", __func__);
-+              rsa_p = rsa_q = NULL; /* transferred */
-+              if ((r = ssh_rsa_complete_crt_parameters(key, rsa_iqmp)) != 0)
-                       fatal("generate RSA parameters failed: %s", ssh_err(r));
-+              BN_clear_free(rsa_iqmp);
-               break;
-       }
-       rlen = sshbuf_len(b);
-@@ -634,7 +665,7 @@ do_convert_from_pkcs8(struct sshkey **k, int *private)
-                   identity_file);
-       }
-       fclose(fp);
--      switch (EVP_PKEY_type(pubkey->type)) {
-+      switch (EVP_PKEY_base_id(pubkey)) {
-       case EVP_PKEY_RSA:
-               if ((*k = sshkey_new(KEY_UNSPEC)) == NULL)
-                       fatal("sshkey_new failed");
-@@ -658,7 +689,7 @@ do_convert_from_pkcs8(struct sshkey **k, int *private)
- #endif
-       default:
-               fatal("%s: unsupported pubkey type %d", __func__,
--                  EVP_PKEY_type(pubkey->type));
-+                  EVP_PKEY_base_id(pubkey));
-       }
-       EVP_PKEY_free(pubkey);
-       return;
-diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c
-index 028b272c..bcc18c6b 100644
---- a/ssh-pkcs11-client.c
-+++ b/ssh-pkcs11-client.c
-@@ -156,12 +156,14 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
- static int
- wrap_key(RSA *rsa)
- {
--      static RSA_METHOD helper_rsa;
-+      static RSA_METHOD *helper_rsa;
--      memcpy(&helper_rsa, RSA_get_default_method(), sizeof(helper_rsa));
--      helper_rsa.name = "ssh-pkcs11-helper";
--      helper_rsa.rsa_priv_enc = pkcs11_rsa_private_encrypt;
--      RSA_set_method(rsa, &helper_rsa);
-+      if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL)
-+              fatal("%s: RSA_meth_dup failed", __func__);
-+      if (!RSA_meth_set1_name(helper_rsa, "ssh-pkcs11-helper") ||
-+          !RSA_meth_set_priv_enc(helper_rsa, pkcs11_rsa_private_encrypt))
-+              fatal("%s: failed to prepare method", __func__);
-+      RSA_set_method(rsa, helper_rsa);
-       return (0);
- }
-diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
-index 65a7b589..c35f9415 100644
---- a/ssh-pkcs11.c
-+++ b/ssh-pkcs11.c
-@@ -67,7 +67,7 @@ struct pkcs11_key {
-       struct pkcs11_provider  *provider;
-       CK_ULONG                slotidx;
-       int                     (*orig_finish)(RSA *rsa);
--      RSA_METHOD              rsa_method;
-+      RSA_METHOD              *rsa_method;
-       char                    *keyid;
-       int                     keyid_len;
- };
-@@ -182,6 +182,7 @@ pkcs11_rsa_finish(RSA *rsa)
-                       rv = k11->orig_finish(rsa);
-               if (k11->provider)
-                       pkcs11_provider_unref(k11->provider);
-+              RSA_meth_free(k11->rsa_method);
-               free(k11->keyid);
-               free(k11);
-       }
-@@ -326,13 +327,18 @@ pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
-               k11->keyid = xmalloc(k11->keyid_len);
-               memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len);
-       }
--      k11->orig_finish = def->finish;
--      memcpy(&k11->rsa_method, def, sizeof(k11->rsa_method));
--      k11->rsa_method.name = "pkcs11";
--      k11->rsa_method.rsa_priv_enc = pkcs11_rsa_private_encrypt;
--      k11->rsa_method.rsa_priv_dec = pkcs11_rsa_private_decrypt;
--      k11->rsa_method.finish = pkcs11_rsa_finish;
--      RSA_set_method(rsa, &k11->rsa_method);
-+      k11->rsa_method = RSA_meth_dup(def);
-+      if (k11->rsa_method == NULL)
-+              fatal("%s: RSA_meth_dup failed", __func__);
-+      k11->orig_finish = RSA_meth_get_finish(def);
-+      if (!RSA_meth_set1_name(k11->rsa_method, "pkcs11") ||
-+          !RSA_meth_set_priv_enc(k11->rsa_method,
-+          pkcs11_rsa_private_encrypt) ||
-+          !RSA_meth_set_priv_dec(k11->rsa_method,
-+          pkcs11_rsa_private_decrypt) ||
-+          !RSA_meth_set_finish(k11->rsa_method, pkcs11_rsa_finish))
-+              fatal("%s: setup pkcs11 method failed", __func__);
-+      RSA_set_method(rsa, k11->rsa_method);
-       RSA_set_app_data(rsa, k11);
-       return (0);
- }
-@@ -444,6 +450,15 @@ pkcs11_key_included(struct sshkey ***keysp, int *nkeys, struct sshkey *key)
-       return (0);
- }
-+static int
-+have_rsa_key(const RSA *rsa)
-+{
-+      const BIGNUM *rsa_n, *rsa_e;
-+
-+      RSA_get0_key(rsa, &rsa_n, &rsa_e, NULL);
-+      return rsa_n != NULL && rsa_e != NULL;
-+}
-+
- static int
- pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx,
-     CK_ATTRIBUTE filter[], CK_ATTRIBUTE attribs[3],
-@@ -512,10 +527,20 @@ pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx,
-                       if ((rsa = RSA_new()) == NULL) {
-                               error("RSA_new failed");
-                       } else {
--                              rsa->n = BN_bin2bn(attribs[1].pValue,
-+                              BIGNUM *rsa_n, *rsa_e;
-+
-+                              rsa_n = BN_bin2bn(attribs[1].pValue,
-                                   attribs[1].ulValueLen, NULL);
--                              rsa->e = BN_bin2bn(attribs[2].pValue,
-+                              rsa_e = BN_bin2bn(attribs[2].pValue,
-                                   attribs[2].ulValueLen, NULL);
-+                              if (rsa_n != NULL && rsa_e != NULL) {
-+                                      if (!RSA_set0_key(rsa,
-+                                          rsa_n, rsa_e, NULL))
-+                                              fatal("%s: set key", __func__);
-+                                      rsa_n = rsa_e = NULL; /* transferred */
-+                              }
-+                              BN_free(rsa_n);
-+                              BN_free(rsa_e);
-                       }
-               } else {
-                       cp = attribs[2].pValue;
-@@ -525,16 +550,16 @@ pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx,
-                           == NULL) {
-                               error("d2i_X509 failed");
-                       } else if ((evp = X509_get_pubkey(x509)) == NULL ||
--                          evp->type != EVP_PKEY_RSA ||
--                          evp->pkey.rsa == NULL) {
-+                          EVP_PKEY_base_id(evp) != EVP_PKEY_RSA ||
-+                          EVP_PKEY_get0_RSA(evp) == NULL) {
-                               debug("X509_get_pubkey failed or no rsa");
--                      } else if ((rsa = RSAPublicKey_dup(evp->pkey.rsa))
--                          == NULL) {
-+                      } else if ((rsa = RSAPublicKey_dup(
-+                          EVP_PKEY_get0_RSA(evp))) == NULL) {
-                               error("RSAPublicKey_dup");
-                       }
-                       X509_free(x509);
-               }
--              if (rsa && rsa->n && rsa->e &&
-+              if (rsa && have_rsa_key(rsa) &&
-                   pkcs11_rsa_wrap(p, slotidx, &attribs[0], rsa) == 0) {
-                       if ((key = sshkey_new(KEY_UNSPEC)) == NULL)
-                               fatal("sshkey_new failed");
-diff --git a/ssh-rsa.c b/ssh-rsa.c
-index 1756315b..2788f334 100644
---- a/ssh-rsa.c
-+++ b/ssh-rsa.c
-@@ -104,38 +104,55 @@ rsa_hash_alg_nid(int type)
- }
- int
--ssh_rsa_generate_additional_parameters(struct sshkey *key)
-+ssh_rsa_complete_crt_parameters(struct sshkey *key, const BIGNUM *iqmp)
- {
--      BIGNUM *aux = NULL;
-+      const BIGNUM *rsa_p, *rsa_q, *rsa_d;
-+      BIGNUM *aux = NULL, *d_consttime = NULL;
-+      BIGNUM *rsa_dmq1 = NULL, *rsa_dmp1 = NULL, *rsa_iqmp = NULL;
-       BN_CTX *ctx = NULL;
--      BIGNUM d;
-       int r;
-       if (key == NULL || key->rsa == NULL ||
-           sshkey_type_plain(key->type) != KEY_RSA)
-               return SSH_ERR_INVALID_ARGUMENT;
-+      RSA_get0_key(key->rsa, NULL, NULL, &rsa_d);
-+      RSA_get0_factors(key->rsa, &rsa_p, &rsa_q);
-+
-       if ((ctx = BN_CTX_new()) == NULL)
-               return SSH_ERR_ALLOC_FAIL;
--      if ((aux = BN_new()) == NULL) {
-+      if ((aux = BN_new()) == NULL ||
-+          (rsa_dmq1 = BN_new()) == NULL ||
-+          (rsa_dmp1 = BN_new()) == NULL)
-+              return SSH_ERR_ALLOC_FAIL;
-+      if ((d_consttime = BN_dup(rsa_d)) == NULL ||
-+          (rsa_iqmp = BN_dup(iqmp)) == NULL) {
-               r = SSH_ERR_ALLOC_FAIL;
-               goto out;
-       }
-       BN_set_flags(aux, BN_FLG_CONSTTIME);
-+      BN_set_flags(d_consttime, BN_FLG_CONSTTIME);
--      BN_init(&d);
--      BN_with_flags(&d, key->rsa->d, BN_FLG_CONSTTIME);
--
--      if ((BN_sub(aux, key->rsa->q, BN_value_one()) == 0) ||
--          (BN_mod(key->rsa->dmq1, &d, aux, ctx) == 0) ||
--          (BN_sub(aux, key->rsa->p, BN_value_one()) == 0) ||
--          (BN_mod(key->rsa->dmp1, &d, aux, ctx) == 0)) {
-+      if ((BN_sub(aux, rsa_q, BN_value_one()) == 0) ||
-+          (BN_mod(rsa_dmq1, d_consttime, aux, ctx) == 0) ||
-+          (BN_sub(aux, rsa_p, BN_value_one()) == 0) ||
-+          (BN_mod(rsa_dmp1, d_consttime, aux, ctx) == 0)) {
-+              r = SSH_ERR_LIBCRYPTO_ERROR;
-+              goto out;
-+      }
-+      if (!RSA_set0_crt_params(key->rsa, rsa_dmp1, rsa_dmq1, rsa_iqmp)) {
-               r = SSH_ERR_LIBCRYPTO_ERROR;
-               goto out;
-       }
-+      rsa_dmp1 = rsa_dmq1 = rsa_iqmp = NULL; /* transferred */
-+      /* success */
-       r = 0;
-  out:
-       BN_clear_free(aux);
-+      BN_clear_free(d_consttime);
-+      BN_clear_free(rsa_dmp1);
-+      BN_clear_free(rsa_dmq1);
-+      BN_clear_free(rsa_iqmp);
-       BN_CTX_free(ctx);
-       return r;
- }
-@@ -145,6 +162,7 @@ int
- ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
-     const u_char *data, size_t datalen, const char *alg_ident)
- {
-+      const BIGNUM *rsa_n;
-       u_char digest[SSH_DIGEST_MAX_LENGTH], *sig = NULL;
-       size_t slen = 0;
-       u_int dlen, len;
-@@ -163,7 +181,8 @@ ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
-       if (key == NULL || key->rsa == NULL || hash_alg == -1 ||
-           sshkey_type_plain(key->type) != KEY_RSA)
-               return SSH_ERR_INVALID_ARGUMENT;
--      if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE)
-+      RSA_get0_key(key->rsa, &rsa_n, NULL, NULL);
-+      if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE)
-               return SSH_ERR_KEY_LENGTH;
-       slen = RSA_size(key->rsa);
-       if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM)
-@@ -225,6 +244,7 @@ ssh_rsa_verify(const struct sshkey *key,
-     const u_char *sig, size_t siglen, const u_char *data, size_t datalen,
-     const char *alg)
- {
-+      const BIGNUM *rsa_n;
-       char *sigtype = NULL;
-       int hash_alg, want_alg, ret = SSH_ERR_INTERNAL_ERROR;
-       size_t len = 0, diff, modlen, dlen;
-@@ -235,7 +255,8 @@ ssh_rsa_verify(const struct sshkey *key,
-           sshkey_type_plain(key->type) != KEY_RSA ||
-           sig == NULL || siglen == 0)
-               return SSH_ERR_INVALID_ARGUMENT;
--      if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE)
-+      RSA_get0_key(key->rsa, &rsa_n, NULL, NULL);
-+      if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE)
-               return SSH_ERR_KEY_LENGTH;
-       if ((b = sshbuf_from(sig, siglen)) == NULL)
-diff --git a/sshd.c b/sshd.c
-index a738c3ab..98beb1ed 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -493,8 +493,8 @@ demote_sensitive_data(void)
-       for (i = 0; i < options.num_host_key_files; i++) {
-               if (sensitive_data.host_keys[i]) {
--                      if ((r = sshkey_demote(sensitive_data.host_keys[i],
--                          &tmp)) != 0)
-+                      if ((r = sshkey_from_private(
-+                          sensitive_data.host_keys[i], &tmp)) != 0)
-                               fatal("could not demote host %s key: %s",
-                                   sshkey_type(sensitive_data.host_keys[i]),
-                                   ssh_err(r));
-@@ -1772,7 +1772,7 @@ main(int ac, char **av)
-                       error("Error loading host key \"%s\": %s",
-                           options.host_key_files[i], ssh_err(r));
-               if (pubkey == NULL && key != NULL)
--                      if ((r = sshkey_demote(key, &pubkey)) != 0)
-+                      if ((r = sshkey_from_private(key, &pubkey)) != 0)
-                               fatal("Could not demote key: \"%s\": %s",
-                                   options.host_key_files[i], ssh_err(r));
-               sensitive_data.host_keys[i] = key;
-diff --git a/sshkey.c b/sshkey.c
-index 72c08c7e..a5e6e60e 100644
---- a/sshkey.c
-+++ b/sshkey.c
-@@ -288,14 +288,24 @@ sshkey_names_valid2(const char *names, int allow_wildcard)
- u_int
- sshkey_size(const struct sshkey *k)
- {
-+#ifdef WITH_OPENSSL
-+      const BIGNUM *rsa_n, *dsa_p;
-+#endif /* WITH_OPENSSL */
-+
-       switch (k->type) {
- #ifdef WITH_OPENSSL
-       case KEY_RSA:
-       case KEY_RSA_CERT:
--              return BN_num_bits(k->rsa->n);
-+              if (k->rsa == NULL)
-+                      return 0;
-+              RSA_get0_key(k->rsa, &rsa_n, NULL, NULL);
-+              return BN_num_bits(rsa_n);
-       case KEY_DSA:
-       case KEY_DSA_CERT:
--              return BN_num_bits(k->dsa->p);
-+              if (k->dsa == NULL)
-+                      return 0;
-+              DSA_get0_pqg(k->dsa, &dsa_p, NULL, NULL);
-+              return BN_num_bits(dsa_p);
-       case KEY_ECDSA:
-       case KEY_ECDSA_CERT:
-               return sshkey_curve_nid_to_bits(k->ecdsa_nid);
-@@ -500,10 +510,7 @@ sshkey_new(int type)
- #ifdef WITH_OPENSSL
-       case KEY_RSA:
-       case KEY_RSA_CERT:
--              if ((rsa = RSA_new()) == NULL ||
--                  (rsa->n = BN_new()) == NULL ||
--                  (rsa->e = BN_new()) == NULL) {
--                      RSA_free(rsa);
-+              if ((rsa = RSA_new()) == NULL) {
-                       free(k);
-                       return NULL;
-               }
-@@ -511,12 +518,7 @@ sshkey_new(int type)
-               break;
-       case KEY_DSA:
-       case KEY_DSA_CERT:
--              if ((dsa = DSA_new()) == NULL ||
--                  (dsa->p = BN_new()) == NULL ||
--                  (dsa->q = BN_new()) == NULL ||
--                  (dsa->g = BN_new()) == NULL ||
--                  (dsa->pub_key = BN_new()) == NULL) {
--                      DSA_free(dsa);
-+              if ((dsa = DSA_new()) == NULL) {
-                       free(k);
-                       return NULL;
-               }
-@@ -550,47 +552,7 @@ sshkey_new(int type)
-       return k;
- }
--int
--sshkey_add_private(struct sshkey *k)
--{
--      switch (k->type) {
--#ifdef WITH_OPENSSL
--      case KEY_RSA:
--      case KEY_RSA_CERT:
--#define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL)
--              if (bn_maybe_alloc_failed(k->rsa->d) ||
--                  bn_maybe_alloc_failed(k->rsa->iqmp) ||
--                  bn_maybe_alloc_failed(k->rsa->q) ||
--                  bn_maybe_alloc_failed(k->rsa->p) ||
--                  bn_maybe_alloc_failed(k->rsa->dmq1) ||
--                  bn_maybe_alloc_failed(k->rsa->dmp1))
--                      return SSH_ERR_ALLOC_FAIL;
--              break;
--      case KEY_DSA:
--      case KEY_DSA_CERT:
--              if (bn_maybe_alloc_failed(k->dsa->priv_key))
--                      return SSH_ERR_ALLOC_FAIL;
--              break;
--#undef bn_maybe_alloc_failed
--      case KEY_ECDSA:
--      case KEY_ECDSA_CERT:
--              /* Cannot do anything until we know the group */
--              break;
--#endif /* WITH_OPENSSL */
--      case KEY_ED25519:
--      case KEY_ED25519_CERT:
--      case KEY_XMSS:
--      case KEY_XMSS_CERT:
--              /* no need to prealloc */
--              break;
--      case KEY_UNSPEC:
--              break;
--      default:
--              return SSH_ERR_INVALID_ARGUMENT;
--      }
--      return 0;
--}
--
-+/* XXX garbage-collect this API */
- struct sshkey *
- sshkey_new_private(int type)
- {
-@@ -598,10 +560,6 @@ sshkey_new_private(int type)
-       if (k == NULL)
-               return NULL;
--      if (sshkey_add_private(k) != 0) {
--              sshkey_free(k);
--              return NULL;
--      }
-       return k;
- }
-@@ -683,9 +641,15 @@ cert_compare(struct sshkey_cert *a, struct sshkey_cert *b)
- int
- sshkey_equal_public(const struct sshkey *a, const struct sshkey *b)
- {
--#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
-+#if defined(WITH_OPENSSL)
-+      const BIGNUM *rsa_e_a, *rsa_n_a;
-+      const BIGNUM *rsa_e_b, *rsa_n_b;
-+      const BIGNUM *dsa_p_a, *dsa_q_a, *dsa_g_a, *dsa_pub_key_a;
-+      const BIGNUM *dsa_p_b, *dsa_q_b, *dsa_g_b, *dsa_pub_key_b;
-+# if defined(OPENSSL_HAS_ECC)
-       BN_CTX *bnctx;
--#endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */
-+# endif /* OPENSSL_HAS_ECC */
-+#endif /* WITH_OPENSSL */
-       if (a == NULL || b == NULL ||
-           sshkey_type_plain(a->type) != sshkey_type_plain(b->type))
-@@ -695,16 +659,24 @@ sshkey_equal_public(const struct sshkey *a, const struct sshkey *b)
- #ifdef WITH_OPENSSL
-       case KEY_RSA_CERT:
-       case KEY_RSA:
--              return a->rsa != NULL && b->rsa != NULL &&
--                  BN_cmp(a->rsa->e, b->rsa->e) == 0 &&
--                  BN_cmp(a->rsa->n, b->rsa->n) == 0;
-+              if (a->rsa == NULL || b->rsa == NULL)
-+                      return 0;
-+              RSA_get0_key(a->rsa, &rsa_n_a, &rsa_e_a, NULL);
-+              RSA_get0_key(b->rsa, &rsa_n_b, &rsa_e_b, NULL);
-+              return BN_cmp(rsa_e_a, rsa_e_b) == 0 &&
-+                  BN_cmp(rsa_n_a, rsa_n_b) == 0;
-       case KEY_DSA_CERT:
-       case KEY_DSA:
--              return a->dsa != NULL && b->dsa != NULL &&
--                  BN_cmp(a->dsa->p, b->dsa->p) == 0 &&
--                  BN_cmp(a->dsa->q, b->dsa->q) == 0 &&
--                  BN_cmp(a->dsa->g, b->dsa->g) == 0 &&
--                  BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0;
-+              if (a->dsa == NULL || b->dsa == NULL)
-+                      return 0;
-+              DSA_get0_pqg(a->dsa, &dsa_p_a, &dsa_q_a, &dsa_g_a);
-+              DSA_get0_pqg(b->dsa, &dsa_p_b, &dsa_q_b, &dsa_g_b);
-+              DSA_get0_key(a->dsa, &dsa_pub_key_a, NULL);
-+              DSA_get0_key(b->dsa, &dsa_pub_key_b, NULL);
-+              return BN_cmp(dsa_p_a, dsa_p_b) == 0 &&
-+                  BN_cmp(dsa_q_a, dsa_q_b) == 0 &&
-+                  BN_cmp(dsa_g_a, dsa_g_b) == 0 &&
-+                  BN_cmp(dsa_pub_key_a, dsa_pub_key_b) == 0;
- # ifdef OPENSSL_HAS_ECC
-       case KEY_ECDSA_CERT:
-       case KEY_ECDSA:
-@@ -761,6 +733,9 @@ to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain,
- {
-       int type, ret = SSH_ERR_INTERNAL_ERROR;
-       const char *typename;
-+#ifdef WITH_OPENSSL
-+      const BIGNUM *rsa_n, *rsa_e, *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key;
-+#endif /* WITH_OPENSSL */
-       if (key == NULL)
-               return SSH_ERR_INVALID_ARGUMENT;
-@@ -793,11 +768,13 @@ to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain,
-       case KEY_DSA:
-               if (key->dsa == NULL)
-                       return SSH_ERR_INVALID_ARGUMENT;
-+              DSA_get0_pqg(key->dsa, &dsa_p, &dsa_q, &dsa_g);
-+              DSA_get0_key(key->dsa, &dsa_pub_key, NULL);
-               if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||
--                  (ret = sshbuf_put_bignum2(b, key->dsa->p)) != 0 ||
--                  (ret = sshbuf_put_bignum2(b, key->dsa->q)) != 0 ||
--                  (ret = sshbuf_put_bignum2(b, key->dsa->g)) != 0 ||
--                  (ret = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0)
-+                  (ret = sshbuf_put_bignum2(b, dsa_p)) != 0 ||
-+                  (ret = sshbuf_put_bignum2(b, dsa_q)) != 0 ||
-+                  (ret = sshbuf_put_bignum2(b, dsa_g)) != 0 ||
-+                  (ret = sshbuf_put_bignum2(b, dsa_pub_key)) != 0)
-                       return ret;
-               break;
- # ifdef OPENSSL_HAS_ECC
-@@ -814,9 +791,10 @@ to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain,
-       case KEY_RSA:
-               if (key->rsa == NULL)
-                       return SSH_ERR_INVALID_ARGUMENT;
-+              RSA_get0_key(key->rsa, &rsa_n, &rsa_e, NULL);
-               if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||
--                  (ret = sshbuf_put_bignum2(b, key->rsa->e)) != 0 ||
--                  (ret = sshbuf_put_bignum2(b, key->rsa->n)) != 0)
-+                  (ret = sshbuf_put_bignum2(b, rsa_e)) != 0 ||
-+                  (ret = sshbuf_put_bignum2(b, rsa_n)) != 0)
-                       return ret;
-               break;
- #endif /* WITH_OPENSSL */
-@@ -1750,59 +1728,95 @@ sshkey_from_private(const struct sshkey *k, struct sshkey **pkp)
- {
-       struct sshkey *n = NULL;
-       int ret = SSH_ERR_INTERNAL_ERROR;
-+      int r = SSH_ERR_INTERNAL_ERROR;
-+#ifdef WITH_OPENSSL
-+      const BIGNUM *rsa_n, *rsa_e;
-+      BIGNUM *rsa_n_dup = NULL, *rsa_e_dup = NULL;
-+      const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key;
-+      BIGNUM *dsa_p_dup = NULL, *dsa_q_dup = NULL, *dsa_g_dup = NULL;
-+      BIGNUM *dsa_pub_key_dup = NULL;
-+#endif /* WITH_OPENSSL */
-       *pkp = NULL;
-       switch (k->type) {
- #ifdef WITH_OPENSSL
-       case KEY_DSA:
-       case KEY_DSA_CERT:
--              if ((n = sshkey_new(k->type)) == NULL)
--                      return SSH_ERR_ALLOC_FAIL;
--              if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) ||
--                  (BN_copy(n->dsa->q, k->dsa->q) == NULL) ||
--                  (BN_copy(n->dsa->g, k->dsa->g) == NULL) ||
--                  (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL)) {
--                      sshkey_free(n);
--                      return SSH_ERR_ALLOC_FAIL;
-+              if ((n = sshkey_new(k->type)) == NULL) {
-+                      r = SSH_ERR_ALLOC_FAIL;
-+                      goto out;
-+              }
-+
-+              DSA_get0_pqg(k->dsa, &dsa_p, &dsa_q, &dsa_g);
-+              DSA_get0_key(k->dsa, &dsa_pub_key, NULL);
-+              if ((dsa_p_dup = BN_dup(dsa_p)) == NULL ||
-+                  (dsa_q_dup = BN_dup(dsa_q)) == NULL ||
-+                  (dsa_g_dup = BN_dup(dsa_g)) == NULL ||
-+                  (dsa_pub_key_dup = BN_dup(dsa_pub_key)) == NULL) {
-+                      r = SSH_ERR_ALLOC_FAIL;
-+                      goto out;
-+              }
-+              if (!DSA_set0_pqg(n->dsa, dsa_p_dup, dsa_q_dup, dsa_g_dup)) {
-+                      r = SSH_ERR_LIBCRYPTO_ERROR;
-+                      goto out;
-+              }
-+              dsa_p_dup = dsa_q_dup = dsa_g_dup = NULL; /* transferred */
-+              if (!DSA_set0_key(n->dsa, dsa_pub_key_dup, NULL)) {
-+                      r = SSH_ERR_LIBCRYPTO_ERROR;
-+                      goto out;
-               }
-+              dsa_pub_key_dup = NULL; /* transferred */
-+
-               break;
- # ifdef OPENSSL_HAS_ECC
-       case KEY_ECDSA:
-       case KEY_ECDSA_CERT:
--              if ((n = sshkey_new(k->type)) == NULL)
--                      return SSH_ERR_ALLOC_FAIL;
-+              if ((n = sshkey_new(k->type)) == NULL) {
-+                      r = SSH_ERR_ALLOC_FAIL;
-+                      goto out;
-+              }
-               n->ecdsa_nid = k->ecdsa_nid;
-               n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
-               if (n->ecdsa == NULL) {
--                      sshkey_free(n);
--                      return SSH_ERR_ALLOC_FAIL;
-+                      r = SSH_ERR_ALLOC_FAIL;
-+                      goto out;
-               }
-               if (EC_KEY_set_public_key(n->ecdsa,
-                   EC_KEY_get0_public_key(k->ecdsa)) != 1) {
--                      sshkey_free(n);
--                      return SSH_ERR_LIBCRYPTO_ERROR;
-+                      r = SSH_ERR_LIBCRYPTO_ERROR;
-+                      goto out;
-               }
-               break;
- # endif /* OPENSSL_HAS_ECC */
-       case KEY_RSA:
-       case KEY_RSA_CERT:
--              if ((n = sshkey_new(k->type)) == NULL)
--                      return SSH_ERR_ALLOC_FAIL;
--              if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) ||
--                  (BN_copy(n->rsa->e, k->rsa->e) == NULL)) {
--                      sshkey_free(n);
--                      return SSH_ERR_ALLOC_FAIL;
-+              if ((n = sshkey_new(k->type)) == NULL) {
-+                      r = SSH_ERR_ALLOC_FAIL;
-+                      goto out;
-               }
-+              RSA_get0_key(k->rsa, &rsa_n, &rsa_e, NULL);
-+              if ((rsa_n_dup = BN_dup(rsa_n)) == NULL ||
-+                  (rsa_e_dup = BN_dup(rsa_e)) == NULL) {
-+                      r = SSH_ERR_ALLOC_FAIL;
-+                      goto out;
-+              }
-+              if (!RSA_set0_key(n->rsa, rsa_n_dup, rsa_e_dup, NULL)) {
-+                      r = SSH_ERR_LIBCRYPTO_ERROR;
-+                      goto out;
-+              }
-+              rsa_n_dup = rsa_e_dup = NULL; /* transferred */
-               break;
- #endif /* WITH_OPENSSL */
-       case KEY_ED25519:
-       case KEY_ED25519_CERT:
--              if ((n = sshkey_new(k->type)) == NULL)
--                      return SSH_ERR_ALLOC_FAIL;
-+              if ((n = sshkey_new(k->type)) == NULL) {
-+                      r = SSH_ERR_ALLOC_FAIL;
-+                      goto out;
-+              }
-               if (k->ed25519_pk != NULL) {
-                       if ((n->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) {
--                              sshkey_free(n);
--                              return SSH_ERR_ALLOC_FAIL;
-+                              r = SSH_ERR_ALLOC_FAIL;
-+                              goto out;
-                       }
-                       memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
-               }
-@@ -1810,37 +1824,46 @@ sshkey_from_private(const struct sshkey *k, struct sshkey **pkp)
- #ifdef WITH_XMSS
-       case KEY_XMSS:
-       case KEY_XMSS_CERT:
--              if ((n = sshkey_new(k->type)) == NULL)
--                      return SSH_ERR_ALLOC_FAIL;
--              if ((ret = sshkey_xmss_init(n, k->xmss_name)) != 0) {
--                      sshkey_free(n);
--                      return ret;
-+              if ((n = sshkey_new(k->type)) == NULL) {
-+                      r = SSH_ERR_ALLOC_FAIL;
-+                      goto out;
-               }
-+              if ((r = sshkey_xmss_init(n, k->xmss_name)) != 0)
-+                      goto out;
-               if (k->xmss_pk != NULL) {
-                       size_t pklen = sshkey_xmss_pklen(k);
-                       if (pklen == 0 || sshkey_xmss_pklen(n) != pklen) {
--                              sshkey_free(n);
--                              return SSH_ERR_INTERNAL_ERROR;
-+                              r = SSH_ERR_INTERNAL_ERROR;
-+                              goto out;
-                       }
-                       if ((n->xmss_pk = malloc(pklen)) == NULL) {
--                              sshkey_free(n);
--                              return SSH_ERR_ALLOC_FAIL;
-+                              r = SSH_ERR_ALLOC_FAIL;
-+                              goto out;
-                       }
-                       memcpy(n->xmss_pk, k->xmss_pk, pklen);
-               }
-               break;
- #endif /* WITH_XMSS */
-       default:
--              return SSH_ERR_KEY_TYPE_UNKNOWN;
--      }
--      if (sshkey_is_cert(k)) {
--              if ((ret = sshkey_cert_copy(k, n)) != 0) {
--                      sshkey_free(n);
--                      return ret;
--              }
-+              r = SSH_ERR_KEY_TYPE_UNKNOWN;
-+              goto out;
-       }
-+      if (sshkey_is_cert(k) && (r = sshkey_cert_copy(k, n)) != 0)
-+              goto out;
-+      /* success */
-       *pkp = n;
--      return 0;
-+      n = NULL;
-+      r = 0;
-+ out:
-+      sshkey_free(n);
-+      BN_clear_free(rsa_n_dup);
-+      BN_clear_free(rsa_e_dup);
-+      BN_clear_free(dsa_p_dup);
-+      BN_clear_free(dsa_q_dup);
-+      BN_clear_free(dsa_g_dup);
-+      BN_clear_free(dsa_pub_key_dup);
-+
-+      return r;
- }
- static int
-@@ -1966,6 +1989,17 @@ cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf)
-       return ret;
- }
-+static int
-+check_rsa_length(const RSA *rsa)
-+{
-+      const BIGNUM *rsa_n;
-+
-+      RSA_get0_key(rsa, &rsa_n, NULL, NULL);
-+      if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE)
-+              return SSH_ERR_KEY_LENGTH;
-+      return 0;
-+}
-+
- static int
- sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp,
-     int allow_cert)
-@@ -1976,9 +2010,13 @@ sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp,
-       size_t len;
-       u_char *pk = NULL;
-       struct sshbuf *copy;
--#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
-+#if defined(WITH_OPENSSL)
-+      BIGNUM *rsa_n = NULL, *rsa_e = NULL;
-+      BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL, *dsa_pub_key = NULL;
-+# if defined(OPENSSL_HAS_ECC)
-       EC_POINT *q = NULL;
--#endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */
-+# endif /* OPENSSL_HAS_ECC */
-+#endif /* WITH_OPENSSL */
- #ifdef DEBUG_PK /* XXX */
-       sshbuf_dump(b, stderr);
-@@ -2013,15 +2051,23 @@ sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp,
-                       ret = SSH_ERR_ALLOC_FAIL;
-                       goto out;
-               }
--              if (sshbuf_get_bignum2(b, key->rsa->e) != 0 ||
--                  sshbuf_get_bignum2(b, key->rsa->n) != 0) {
-+              if ((rsa_e = BN_new()) == NULL ||
-+                  (rsa_n = BN_new()) == NULL) {
-+                      ret = SSH_ERR_ALLOC_FAIL;
-+                      goto out;
-+              }
-+              if (sshbuf_get_bignum2(b, rsa_e) != 0 ||
-+                  sshbuf_get_bignum2(b, rsa_n) != 0) {
-                       ret = SSH_ERR_INVALID_FORMAT;
-                       goto out;
-               }
--              if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
--                      ret = SSH_ERR_KEY_LENGTH;
-+              if (!RSA_set0_key(key->rsa, rsa_n, rsa_e, NULL)) {
-+                      ret = SSH_ERR_LIBCRYPTO_ERROR;
-                       goto out;
-               }
-+              rsa_n = rsa_e = NULL; /* transferred */
-+              if ((ret = check_rsa_length(key->rsa)) != 0)
-+                      goto out;
- #ifdef DEBUG_PK
-               RSA_print_fp(stderr, key->rsa, 8);
- #endif
-@@ -2038,13 +2084,30 @@ sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp,
-                       ret = SSH_ERR_ALLOC_FAIL;
-                       goto out;
-               }
--              if (sshbuf_get_bignum2(b, key->dsa->p) != 0 ||
--                  sshbuf_get_bignum2(b, key->dsa->q) != 0 ||
--                  sshbuf_get_bignum2(b, key->dsa->g) != 0 ||
--                  sshbuf_get_bignum2(b, key->dsa->pub_key) != 0) {
-+              if ((dsa_p = BN_new()) == NULL ||
-+                  (dsa_q = BN_new()) == NULL ||
-+                  (dsa_g = BN_new()) == NULL ||
-+                  (dsa_pub_key = BN_new()) == NULL) {
-+                      ret = SSH_ERR_ALLOC_FAIL;
-+                      goto out;
-+              }
-+              if (sshbuf_get_bignum2(b, dsa_p) != 0 ||
-+                  sshbuf_get_bignum2(b, dsa_q) != 0 ||
-+                  sshbuf_get_bignum2(b, dsa_g) != 0 ||
-+                  sshbuf_get_bignum2(b, dsa_pub_key) != 0) {
-                       ret = SSH_ERR_INVALID_FORMAT;
-                       goto out;
-               }
-+              if (!DSA_set0_pqg(key->dsa, dsa_p, dsa_q, dsa_g)) {
-+                      ret = SSH_ERR_LIBCRYPTO_ERROR;
-+                      goto out;
-+              }
-+              dsa_p = dsa_q = dsa_g = NULL; /* transferred */
-+              if (!DSA_set0_key(key->dsa, dsa_pub_key, NULL)) {
-+                      ret = SSH_ERR_LIBCRYPTO_ERROR;
-+                      goto out;
-+              }
-+              dsa_pub_key = NULL; /* transferred */
- #ifdef DEBUG_PK
-               DSA_print_fp(stderr, key->dsa, 8);
- #endif
-@@ -2178,9 +2241,17 @@ sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp,
-       free(ktype);
-       free(curve);
-       free(pk);
--#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
-+#if defined(WITH_OPENSSL)
-+      BN_clear_free(rsa_n);
-+      BN_clear_free(rsa_e);
-+      BN_clear_free(dsa_p);
-+      BN_clear_free(dsa_q);
-+      BN_clear_free(dsa_g);
-+      BN_clear_free(dsa_pub_key);
-+# if defined(OPENSSL_HAS_ECC)
-       EC_POINT_free(q);
--#endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */
-+# endif /* OPENSSL_HAS_ECC */
-+#endif /* WITH_OPENSSL */
-       return ret;
- }
-@@ -2361,120 +2432,6 @@ sshkey_verify(const struct sshkey *key,
-       }
- }
--/* Converts a private to a public key */
--int
--sshkey_demote(const struct sshkey *k, struct sshkey **dkp)
--{
--      struct sshkey *pk;
--      int ret = SSH_ERR_INTERNAL_ERROR;
--
--      *dkp = NULL;
--      if ((pk = calloc(1, sizeof(*pk))) == NULL)
--              return SSH_ERR_ALLOC_FAIL;
--      pk->type = k->type;
--      pk->flags = k->flags;
--      pk->ecdsa_nid = k->ecdsa_nid;
--      pk->dsa = NULL;
--      pk->ecdsa = NULL;
--      pk->rsa = NULL;
--      pk->ed25519_pk = NULL;
--      pk->ed25519_sk = NULL;
--      pk->xmss_pk = NULL;
--      pk->xmss_sk = NULL;
--
--      switch (k->type) {
--#ifdef WITH_OPENSSL
--      case KEY_RSA_CERT:
--              if ((ret = sshkey_cert_copy(k, pk)) != 0)
--                      goto fail;
--              /* FALLTHROUGH */
--      case KEY_RSA:
--              if ((pk->rsa = RSA_new()) == NULL ||
--                  (pk->rsa->e = BN_dup(k->rsa->e)) == NULL ||
--                  (pk->rsa->n = BN_dup(k->rsa->n)) == NULL) {
--                      ret = SSH_ERR_ALLOC_FAIL;
--                      goto fail;
--                      }
--              break;
--      case KEY_DSA_CERT:
--              if ((ret = sshkey_cert_copy(k, pk)) != 0)
--                      goto fail;
--              /* FALLTHROUGH */
--      case KEY_DSA:
--              if ((pk->dsa = DSA_new()) == NULL ||
--                  (pk->dsa->p = BN_dup(k->dsa->p)) == NULL ||
--                  (pk->dsa->q = BN_dup(k->dsa->q)) == NULL ||
--                  (pk->dsa->g = BN_dup(k->dsa->g)) == NULL ||
--                  (pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL) {
--                      ret = SSH_ERR_ALLOC_FAIL;
--                      goto fail;
--              }
--              break;
--      case KEY_ECDSA_CERT:
--              if ((ret = sshkey_cert_copy(k, pk)) != 0)
--                      goto fail;
--              /* FALLTHROUGH */
--# ifdef OPENSSL_HAS_ECC
--      case KEY_ECDSA:
--              pk->ecdsa = EC_KEY_new_by_curve_name(pk->ecdsa_nid);
--              if (pk->ecdsa == NULL) {
--                      ret = SSH_ERR_ALLOC_FAIL;
--                      goto fail;
--              }
--              if (EC_KEY_set_public_key(pk->ecdsa,
--                  EC_KEY_get0_public_key(k->ecdsa)) != 1) {
--                      ret = SSH_ERR_LIBCRYPTO_ERROR;
--                      goto fail;
--              }
--              break;
--# endif /* OPENSSL_HAS_ECC */
--#endif /* WITH_OPENSSL */
--      case KEY_ED25519_CERT:
--              if ((ret = sshkey_cert_copy(k, pk)) != 0)
--                      goto fail;
--              /* FALLTHROUGH */
--      case KEY_ED25519:
--              if (k->ed25519_pk != NULL) {
--                      if ((pk->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) {
--                              ret = SSH_ERR_ALLOC_FAIL;
--                              goto fail;
--                      }
--                      memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
--              }
--              break;
--#ifdef WITH_XMSS
--      case KEY_XMSS_CERT:
--              if ((ret = sshkey_cert_copy(k, pk)) != 0)
--                      goto fail;
--              /* FALLTHROUGH */
--      case KEY_XMSS:
--              if ((ret = sshkey_xmss_init(pk, k->xmss_name)) != 0)
--                      goto fail;
--              if (k->xmss_pk != NULL) {
--                      size_t pklen = sshkey_xmss_pklen(k);
--
--                      if (pklen == 0 || sshkey_xmss_pklen(pk) != pklen) {
--                              ret = SSH_ERR_INTERNAL_ERROR;
--                              goto fail;
--                      }
--                      if ((pk->xmss_pk = malloc(pklen)) == NULL) {
--                              ret = SSH_ERR_ALLOC_FAIL;
--                              goto fail;
--                      }
--                      memcpy(pk->xmss_pk, k->xmss_pk, pklen);
--              }
--              break;
--#endif /* WITH_XMSS */
--      default:
--              ret = SSH_ERR_KEY_TYPE_UNKNOWN;
-- fail:
--              sshkey_free(pk);
--              return ret;
--      }
--      *dkp = pk;
--      return 0;
--}
--
- /* Convert a plain key to their _CERT equivalent */
- int
- sshkey_to_certified(struct sshkey *k)
-@@ -2532,6 +2489,9 @@ sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg,
-       size_t i, ca_len, sig_len;
-       int ret = SSH_ERR_INTERNAL_ERROR;
-       struct sshbuf *cert;
-+#ifdef WITH_OPENSSL
-+      const BIGNUM *rsa_n, *rsa_e, *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key;
-+#endif /* WITH_OPENSSL */
-       if (k == NULL || k->cert == NULL ||
-           k->cert->certblob == NULL || ca == NULL)
-@@ -2558,10 +2518,12 @@ sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg,
-       switch (k->type) {
- #ifdef WITH_OPENSSL
-       case KEY_DSA_CERT:
--              if ((ret = sshbuf_put_bignum2(cert, k->dsa->p)) != 0 ||
--                  (ret = sshbuf_put_bignum2(cert, k->dsa->q)) != 0 ||
--                  (ret = sshbuf_put_bignum2(cert, k->dsa->g)) != 0 ||
--                  (ret = sshbuf_put_bignum2(cert, k->dsa->pub_key)) != 0)
-+              DSA_get0_pqg(k->dsa, &dsa_p, &dsa_q, &dsa_g);
-+              DSA_get0_key(k->dsa, &dsa_pub_key, NULL);
-+              if ((ret = sshbuf_put_bignum2(cert, dsa_p)) != 0 ||
-+                  (ret = sshbuf_put_bignum2(cert, dsa_q)) != 0 ||
-+                  (ret = sshbuf_put_bignum2(cert, dsa_g)) != 0 ||
-+                  (ret = sshbuf_put_bignum2(cert, dsa_pub_key)) != 0)
-                       goto out;
-               break;
- # ifdef OPENSSL_HAS_ECC
-@@ -2575,8 +2537,9 @@ sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg,
-               break;
- # endif /* OPENSSL_HAS_ECC */
-       case KEY_RSA_CERT:
--              if ((ret = sshbuf_put_bignum2(cert, k->rsa->e)) != 0 ||
--                  (ret = sshbuf_put_bignum2(cert, k->rsa->n)) != 0)
-+              RSA_get0_key(k->rsa, &rsa_n, &rsa_e, NULL);
-+              if ((ret = sshbuf_put_bignum2(cert, rsa_e)) != 0 ||
-+                  (ret = sshbuf_put_bignum2(cert, rsa_n)) != 0)
-                       goto out;
-               break;
- #endif /* WITH_OPENSSL */
-@@ -2758,18 +2721,25 @@ sshkey_private_serialize_opt(const struct sshkey *key, struct sshbuf *b,
-     enum sshkey_serialize_rep opts)
- {
-       int r = SSH_ERR_INTERNAL_ERROR;
-+#ifdef WITH_OPENSSL
-+      const BIGNUM *rsa_n, *rsa_e, *rsa_d, *rsa_iqmp, *rsa_p, *rsa_q;
-+      const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key, *dsa_priv_key;
-+#endif /* WITH_OPENSSL */
-       if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0)
-               goto out;
-       switch (key->type) {
- #ifdef WITH_OPENSSL
-       case KEY_RSA:
--              if ((r = sshbuf_put_bignum2(b, key->rsa->n)) != 0 ||
--                  (r = sshbuf_put_bignum2(b, key->rsa->e)) != 0 ||
--                  (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 ||
--                  (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 ||
--                  (r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 ||
--                  (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0)
-+              RSA_get0_key(key->rsa, &rsa_n, &rsa_e, &rsa_d);
-+              RSA_get0_factors(key->rsa, &rsa_p, &rsa_q);
-+              RSA_get0_crt_params(key->rsa, NULL, NULL, &rsa_iqmp);
-+              if ((r = sshbuf_put_bignum2(b, rsa_n)) != 0 ||
-+                  (r = sshbuf_put_bignum2(b, rsa_e)) != 0 ||
-+                  (r = sshbuf_put_bignum2(b, rsa_d)) != 0 ||
-+                  (r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 ||
-+                  (r = sshbuf_put_bignum2(b, rsa_p)) != 0 ||
-+                  (r = sshbuf_put_bignum2(b, rsa_q)) != 0)
-                       goto out;
-               break;
-       case KEY_RSA_CERT:
-@@ -2777,19 +2747,24 @@ sshkey_private_serialize_opt(const struct sshkey *key, struct sshbuf *b,
-                       r = SSH_ERR_INVALID_ARGUMENT;
-                       goto out;
-               }
-+              RSA_get0_key(key->rsa, NULL, NULL, &rsa_d);
-+              RSA_get0_factors(key->rsa, &rsa_p, &rsa_q);
-+              RSA_get0_crt_params(key->rsa, NULL, NULL, &rsa_iqmp);
-               if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
--                  (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 ||
--                  (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 ||
--                  (r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 ||
--                  (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0)
-+                  (r = sshbuf_put_bignum2(b, rsa_d)) != 0 ||
-+                  (r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 ||
-+                  (r = sshbuf_put_bignum2(b, rsa_p)) != 0 ||
-+                  (r = sshbuf_put_bignum2(b, rsa_q)) != 0)
-                       goto out;
-               break;
-       case KEY_DSA:
--              if ((r = sshbuf_put_bignum2(b, key->dsa->p)) != 0 ||
--                  (r = sshbuf_put_bignum2(b, key->dsa->q)) != 0 ||
--                  (r = sshbuf_put_bignum2(b, key->dsa->g)) != 0 ||
--                  (r = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0 ||
--                  (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0)
-+              DSA_get0_pqg(key->dsa, &dsa_p, &dsa_q, &dsa_g);
-+              DSA_get0_key(key->dsa, &dsa_pub_key, &dsa_priv_key);
-+              if ((r = sshbuf_put_bignum2(b, dsa_p)) != 0 ||
-+                  (r = sshbuf_put_bignum2(b, dsa_q)) != 0 ||
-+                  (r = sshbuf_put_bignum2(b, dsa_g)) != 0 ||
-+                  (r = sshbuf_put_bignum2(b, dsa_pub_key)) != 0 ||
-+                  (r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0)
-                       goto out;
-               break;
-       case KEY_DSA_CERT:
-@@ -2797,8 +2772,9 @@ sshkey_private_serialize_opt(const struct sshkey *key, struct sshbuf *b,
-                       r = SSH_ERR_INVALID_ARGUMENT;
-                       goto out;
-               }
-+              DSA_get0_key(key->dsa, NULL, &dsa_priv_key);
-               if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
--                  (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0)
-+                  (r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0)
-                       goto out;
-               break;
- # ifdef OPENSSL_HAS_ECC
-@@ -2899,6 +2875,10 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
-       u_char *xmss_pk = NULL, *xmss_sk = NULL;
- #ifdef WITH_OPENSSL
-       BIGNUM *exponent = NULL;
-+      BIGNUM *rsa_n = NULL, *rsa_e = NULL, *rsa_d = NULL;
-+      BIGNUM *rsa_iqmp = NULL, *rsa_p = NULL, *rsa_q = NULL;
-+      BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL;
-+      BIGNUM *dsa_pub_key = NULL, *dsa_priv_key = NULL;
- #endif /* WITH_OPENSSL */
-       if (kp != NULL)
-@@ -2913,18 +2893,44 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
-                       r = SSH_ERR_ALLOC_FAIL;
-                       goto out;
-               }
--              if ((r = sshbuf_get_bignum2(buf, k->dsa->p)) != 0 ||
--                  (r = sshbuf_get_bignum2(buf, k->dsa->q)) != 0 ||
--                  (r = sshbuf_get_bignum2(buf, k->dsa->g)) != 0 ||
--                  (r = sshbuf_get_bignum2(buf, k->dsa->pub_key)) != 0 ||
--                  (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0)
-+              if ((dsa_p = BN_new()) == NULL ||
-+                  (dsa_q = BN_new()) == NULL ||
-+                  (dsa_g = BN_new()) == NULL ||
-+                  (dsa_pub_key = BN_new()) == NULL ||
-+                  (dsa_priv_key = BN_new()) == NULL) {
-+                      r = SSH_ERR_ALLOC_FAIL;
-+                      goto out;
-+              }
-+              if ((r = sshbuf_get_bignum2(buf, dsa_p)) != 0 ||
-+                  (r = sshbuf_get_bignum2(buf, dsa_q)) != 0 ||
-+                  (r = sshbuf_get_bignum2(buf, dsa_g)) != 0 ||
-+                  (r = sshbuf_get_bignum2(buf, dsa_pub_key)) != 0 ||
-+                  (r = sshbuf_get_bignum2(buf, dsa_priv_key)) != 0)
-                       goto out;
-+              if (!DSA_set0_pqg(k->dsa, dsa_p, dsa_q, dsa_g)) {
-+                      r = SSH_ERR_LIBCRYPTO_ERROR;
-+                      goto out;
-+              }
-+              dsa_p = dsa_q = dsa_g = NULL; /* transferred */
-+              if (!DSA_set0_key(k->dsa, dsa_pub_key, dsa_priv_key)) {
-+                      r = SSH_ERR_LIBCRYPTO_ERROR;
-+                      goto out;
-+              }
-+              dsa_pub_key = dsa_priv_key = NULL; /* transferred */
-               break;
-       case KEY_DSA_CERT:
-+              if ((dsa_priv_key = BN_new()) == NULL) {
-+                      r = SSH_ERR_ALLOC_FAIL;
-+                      goto out;
-+              }
-               if ((r = sshkey_froms(buf, &k)) != 0 ||
--                  (r = sshkey_add_private(k)) != 0 ||
--                  (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0)
-+                  (r = sshbuf_get_bignum2(buf, dsa_priv_key)) != 0)
-+                      goto out;
-+              if (!DSA_set0_key(k->dsa, NULL, dsa_priv_key)) {
-+                      r = SSH_ERR_LIBCRYPTO_ERROR;
-                       goto out;
-+              }
-+              dsa_priv_key = NULL; /* transferred */
-               break;
- # ifdef OPENSSL_HAS_ECC
-       case KEY_ECDSA:
-@@ -2965,7 +2971,6 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
-                       goto out;
-               }
-               if ((r = sshkey_froms(buf, &k)) != 0 ||
--                  (r = sshkey_add_private(k)) != 0 ||
-                   (r = sshbuf_get_bignum2(buf, exponent)) != 0)
-                       goto out;
-               if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) {
-@@ -2983,32 +2988,65 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
-                       r = SSH_ERR_ALLOC_FAIL;
-                       goto out;
-               }
--              if ((r = sshbuf_get_bignum2(buf, k->rsa->n)) != 0 ||
--                  (r = sshbuf_get_bignum2(buf, k->rsa->e)) != 0 ||
--                  (r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 ||
--                  (r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 ||
--                  (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 ||
--                  (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 ||
--                  (r = ssh_rsa_generate_additional_parameters(k)) != 0)
-+              if ((rsa_n = BN_new()) == NULL ||
-+                  (rsa_e = BN_new()) == NULL ||
-+                  (rsa_d = BN_new()) == NULL ||
-+                  (rsa_iqmp = BN_new()) == NULL ||
-+                  (rsa_p = BN_new()) == NULL ||
-+                  (rsa_q = BN_new()) == NULL) {
-+                      r = SSH_ERR_ALLOC_FAIL;
-                       goto out;
--              if (BN_num_bits(k->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
--                      r = SSH_ERR_KEY_LENGTH;
-+              }
-+              if ((r = sshbuf_get_bignum2(buf, rsa_n)) != 0 ||
-+                  (r = sshbuf_get_bignum2(buf, rsa_e)) != 0 ||
-+                  (r = sshbuf_get_bignum2(buf, rsa_d)) != 0 ||
-+                  (r = sshbuf_get_bignum2(buf, rsa_iqmp)) != 0 ||
-+                  (r = sshbuf_get_bignum2(buf, rsa_p)) != 0 ||
-+                  (r = sshbuf_get_bignum2(buf, rsa_q)) != 0)
-+                      goto out;
-+              if (!RSA_set0_key(k->rsa, rsa_n, rsa_e, rsa_d)) {
-+                      r = SSH_ERR_LIBCRYPTO_ERROR;
-                       goto out;
-               }
-+              rsa_n = rsa_e = rsa_d = NULL; /* transferred */
-+              if (!RSA_set0_factors(k->rsa, rsa_p, rsa_q)) {
-+                      r = SSH_ERR_LIBCRYPTO_ERROR;
-+                      goto out;
-+              }
-+              rsa_p = rsa_q = NULL; /* transferred */
-+              if ((r = check_rsa_length(k->rsa)) != 0)
-+                      goto out;
-+              if ((r = ssh_rsa_complete_crt_parameters(k, rsa_iqmp)) != 0)
-+                      goto out;
-               break;
-       case KEY_RSA_CERT:
-+              if ((rsa_d = BN_new()) == NULL ||
-+                  (rsa_iqmp = BN_new()) == NULL ||
-+                  (rsa_p = BN_new()) == NULL ||
-+                  (rsa_q = BN_new()) == NULL) {
-+                      r = SSH_ERR_ALLOC_FAIL;
-+                      goto out;
-+              }
-               if ((r = sshkey_froms(buf, &k)) != 0 ||
--                  (r = sshkey_add_private(k)) != 0 ||
--                  (r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 ||
--                  (r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 ||
--                  (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 ||
--                  (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 ||
--                  (r = ssh_rsa_generate_additional_parameters(k)) != 0)
-+                  (r = sshbuf_get_bignum2(buf, rsa_d)) != 0 ||
-+                  (r = sshbuf_get_bignum2(buf, rsa_iqmp)) != 0 ||
-+                  (r = sshbuf_get_bignum2(buf, rsa_p)) != 0 ||
-+                  (r = sshbuf_get_bignum2(buf, rsa_q)) != 0)
-+                      goto out;
-+              if (!RSA_set0_key(k->rsa, NULL, NULL, rsa_d)) {
-+                      r = SSH_ERR_LIBCRYPTO_ERROR;
-                       goto out;
--              if (BN_num_bits(k->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
--                      r = SSH_ERR_KEY_LENGTH;
-+              }
-+              rsa_d = NULL; /* transferred */
-+              if (!RSA_set0_factors(k->rsa, rsa_p, rsa_q)) {
-+                      r = SSH_ERR_LIBCRYPTO_ERROR;
-                       goto out;
-               }
-+              rsa_p = rsa_q = NULL; /* transferred */
-+              if ((r = check_rsa_length(k->rsa)) != 0)
-+                      goto out;
-+              if ((r = ssh_rsa_complete_crt_parameters(k, rsa_iqmp)) != 0)
-+                      goto out;
-               break;
- #endif /* WITH_OPENSSL */
-       case KEY_ED25519:
-@@ -3029,7 +3067,6 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
-               break;
-       case KEY_ED25519_CERT:
-               if ((r = sshkey_froms(buf, &k)) != 0 ||
--                  (r = sshkey_add_private(k)) != 0 ||
-                   (r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 ||
-                   (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0)
-                       goto out;
-@@ -3066,7 +3103,6 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
-               break;
-       case KEY_XMSS_CERT:
-               if ((r = sshkey_froms(buf, &k)) != 0 ||
--                  (r = sshkey_add_private(k)) != 0 ||
-                   (r = sshbuf_get_cstring(buf, &xmss_name, NULL)) != 0 ||
-                   (r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 ||
-                   (r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0)
-@@ -3115,6 +3151,17 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
-       free(curve);
- #ifdef WITH_OPENSSL
-       BN_clear_free(exponent);
-+      BN_clear_free(dsa_p);
-+      BN_clear_free(dsa_q);
-+      BN_clear_free(dsa_g);
-+      BN_clear_free(dsa_pub_key);
-+      BN_clear_free(dsa_priv_key);
-+      BN_clear_free(rsa_n);
-+      BN_clear_free(rsa_e);
-+      BN_clear_free(rsa_d);
-+      BN_clear_free(rsa_p);
-+      BN_clear_free(rsa_q);
-+      BN_clear_free(rsa_iqmp);
- #endif /* WITH_OPENSSL */
-       sshkey_free(k);
-       freezero(ed25519_pk, pklen);
-@@ -3769,7 +3816,9 @@ translate_libcrypto_error(unsigned long pem_err)
-               switch (pem_reason) {
-               case EVP_R_BAD_DECRYPT:
-                       return SSH_ERR_KEY_WRONG_PASSPHRASE;
-+#ifdef EVP_R_BN_DECODE_ERROR
-               case EVP_R_BN_DECODE_ERROR:
-+#endif
-               case EVP_R_DECODE_ERROR:
- #ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR
-               case EVP_R_PRIVATE_KEY_DECODE_ERROR:
-@@ -3834,7 +3883,7 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
-               r = convert_libcrypto_error();
-               goto out;
-       }
--      if (pk->type == EVP_PKEY_RSA &&
-+      if (EVP_PKEY_base_id(pk) == EVP_PKEY_RSA &&
-           (type == KEY_UNSPEC || type == KEY_RSA)) {
-               if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
-                       r = SSH_ERR_ALLOC_FAIL;
-@@ -3849,11 +3898,9 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
-                       r = SSH_ERR_LIBCRYPTO_ERROR;
-                       goto out;
-               }
--              if (BN_num_bits(prv->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
--                      r = SSH_ERR_KEY_LENGTH;
-+              if ((r = check_rsa_length(prv->rsa)) != 0)
-                       goto out;
--              }
--      } else if (pk->type == EVP_PKEY_DSA &&
-+      } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_DSA &&
-           (type == KEY_UNSPEC || type == KEY_DSA)) {
-               if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
-                       r = SSH_ERR_ALLOC_FAIL;
-@@ -3865,7 +3912,7 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
-               DSA_print_fp(stderr, prv->dsa, 8);
- #endif
- #ifdef OPENSSL_HAS_ECC
--      } else if (pk->type == EVP_PKEY_EC &&
-+      } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_EC &&
-           (type == KEY_UNSPEC || type == KEY_ECDSA)) {
-               if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
-                       r = SSH_ERR_ALLOC_FAIL;
-diff --git a/sshkey.h b/sshkey.h
-index 9060b2ec..922db5bb 100644
---- a/sshkey.h
-+++ b/sshkey.h
-@@ -39,6 +39,7 @@
- #  define EC_POINT    void
- # endif /* OPENSSL_HAS_ECC */
- #else /* WITH_OPENSSL */
-+# define BIGNUM               void
- # define RSA          void
- # define DSA          void
- # define EC_KEY               void
-@@ -126,10 +127,8 @@ struct sshkey {
- #define       ED25519_PK_SZ   crypto_sign_ed25519_PUBLICKEYBYTES
- struct sshkey *sshkey_new(int);
--int            sshkey_add_private(struct sshkey *);
--struct sshkey *sshkey_new_private(int);
-+struct sshkey *sshkey_new_private(int); /* XXX garbage collect */
- void           sshkey_free(struct sshkey *);
--int            sshkey_demote(const struct sshkey *, struct sshkey **);
- int            sshkey_equal_public(const struct sshkey *,
-     const struct sshkey *);
- int            sshkey_equal(const struct sshkey *, const struct sshkey *);
-@@ -218,7 +217,7 @@ int        sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type,
-     const char *passphrase, struct sshkey **keyp, char **commentp);
- /* XXX should be internal, but used by ssh-keygen */
--int ssh_rsa_generate_additional_parameters(struct sshkey *);
-+int ssh_rsa_complete_crt_parameters(struct sshkey *, const BIGNUM *);
- /* stateful keys (e.g. XMSS) */
- #ifdef NO_ATTRIBUTE_ON_PROTOTYPE_ARGS
--- 
-2.16.4
-
diff --git a/net/openssh/patches/0002-Fix-OPENSSL_init_crypto-call-for-openssl-1.1.patch b/net/openssh/patches/0002-Fix-OPENSSL_init_crypto-call-for-openssl-1.1.patch
new file mode 100644 (file)
index 0000000..7c1e15d
--- /dev/null
@@ -0,0 +1,20 @@
+From edfc2e18ef069ba600c8f4632ce1e3dc94a0669a Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Fri, 19 Oct 2018 10:04:24 -0300
+Subject: [PATCH 2/2] Fix OPENSSL_init_crypto call for openssl < 1.1
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
+index 8b4a3627..590b66d1 100644
+--- a/openbsd-compat/openssl-compat.c
++++ b/openbsd-compat/openssl-compat.c
+@@ -76,7 +76,7 @@ ssh_OpenSSL_add_all_algorithms(void)
+       ENGINE_load_builtin_engines();
+       ENGINE_register_all_complete();
+-#if OPENSSL_VERSION_NUMBER < 0x10001000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+       OPENSSL_config(NULL);
+ #else
+       OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
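Review bot: The guard `#if OPENSSL_VERSION_NUMBER < 0x10100000L` in ssh_OpenSSL_add_all_algorithms() is a bare magic number that differs from the value it replaces by a single hex digit, and neither the patch header nor the code says which release it stands for. I would add a comment directly above it, `/* OPENSSL_init_crypto() was introduced in OpenSSL 1.1.0; older libcrypto only has OPENSSL_config() */`, so a later refresh of this patch does not reintroduce the slip. A version comparison also assumes the library is OpenSSL proper: a libcrypto that reports a higher number without providing the function would still take the `#else` branch, so a configure-time check for the function would be sturdier if the package is ever built against another library; this is worth confirming against the package's build options. The function body starts before the hunk and the OPENSSL_init_crypto() call continues past its end, so whether the return value is checked cannot be seen here.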
diff --git a/net/openssh/patches/0002-adapt-portable-to-OpenSSL-1.1x-API.patch b/net/openssh/patches/0002-adapt-portable-to-OpenSSL-1.1x-API.patch
deleted file mode 100644 (file)
index 0dd42bc..0000000
+++ /dev/null
@@ -1,1232 +0,0 @@
-From a294365f8524e6cc3bb82bdcb459e95d65226fce Mon Sep 17 00:00:00 2001
-From: Damien Miller <djm@mindrot.org>
-Date: Thu, 13 Sep 2018 12:13:50 +1000
-Subject: [PATCH 2/5] adapt -portable to OpenSSL 1.1x API
-
-Polyfill missing API with replacement functions extracted from LibreSSL
----
- auth-pam.c                           |   4 +
- cipher.c                             |  38 ---
- configure.ac                         | 112 +++++-
- dh.c                                 |   2 +
- kexdh.c                              |   2 +
- kexdhc.c                             |   2 +
- kexdhs.c                             |   2 +
- kexgex.c                             |   2 +
- kexgexc.c                            |   2 +
- kexgexs.c                            |   2 +
- monitor.c                            |   4 +-
- openbsd-compat/Makefile.in           |   1 +
- openbsd-compat/libressl-api-compat.c | 636 +++++++++++++++++++++++++++++++++++
- openbsd-compat/openssl-compat.h      | 136 ++++++++
- ssh-dss.c                            |   2 +
- ssh-ecdsa.c                          |   2 +
- ssh-pkcs11-client.c                  |   2 +
- ssh-pkcs11.c                         |   1 +
- ssh-rsa.c                            |   2 +
- sshkey.c                             |   3 +-
- 20 files changed, 916 insertions(+), 41 deletions(-)
- create mode 100644 openbsd-compat/libressl-api-compat.c
-
-diff --git a/auth-pam.c b/auth-pam.c
-index 8c013836..1dec53e9 100644
---- a/auth-pam.c
-+++ b/auth-pam.c
-@@ -128,6 +128,10 @@ extern u_int utmp_len;
- typedef pthread_t sp_pthread_t;
- #else
- typedef pid_t sp_pthread_t;
-+#define pthread_exit  fake_pthread_exit
-+#define pthread_create        fake_pthread_create
-+#define pthread_cancel        fake_pthread_cancel
-+#define pthread_join  fake_pthread_join
- #endif
- struct pam_ctxt {
-diff --git a/cipher.c b/cipher.c
-index df43826e..12c59888 100644
---- a/cipher.c
-+++ b/cipher.c
-@@ -525,41 +525,3 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv, size_t len)
- #endif
-       return 0;
- }
--
--#ifdef WITH_OPENSSL
--#define EVP_X_STATE(evp)      (evp)->cipher_data
--#define EVP_X_STATE_LEN(evp)  (evp)->cipher->ctx_size
--#endif
--
--int
--cipher_get_keycontext(const struct sshcipher_ctx *cc, u_char *dat)
--{
--#if defined(WITH_OPENSSL) && !defined(OPENSSL_NO_RC4)
--      const struct sshcipher *c = cc->cipher;
--      int plen = 0;
--
--      if (c->evptype == EVP_rc4) {
--              plen = EVP_X_STATE_LEN(cc->evp);
--              if (dat == NULL)
--                      return (plen);
--              memcpy(dat, EVP_X_STATE(cc->evp), plen);
--      }
--      return (plen);
--#else
--      return 0;
--#endif
--}
--
--void
--cipher_set_keycontext(struct sshcipher_ctx *cc, const u_char *dat)
--{
--#if defined(WITH_OPENSSL) && !defined(OPENSSL_NO_RC4)
--      const struct sshcipher *c = cc->cipher;
--      int plen;
--
--      if (c->evptype == EVP_rc4) {
--              plen = EVP_X_STATE_LEN(cc->evp);
--              memcpy(EVP_X_STATE(cc->evp), dat, plen);
--      }
--#endif
--}
-diff --git a/configure.ac b/configure.ac
-index 83e53075..c0e120fe 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -2602,9 +2602,10 @@ if test "x$openssl" = "xyes" ; then
-                                       AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
-                                       ;;
-                               100*)   ;; # 1.0.x
-+                              101*)   ;; # 1.1.x
-                               200*)   ;; # LibreSSL
-                               *)
--                                      AC_MSG_ERROR([OpenSSL >= 1.1.0 is not yet supported (have "$ssl_library_ver")])
-+                                      AC_MSG_ERROR([OpenSSL > 1.1.x is not yet supported (have "$ssl_library_ver")])
-                                       ;;
-                       esac
-                       AC_MSG_RESULT([$ssl_library_ver])
-@@ -2777,6 +2778,115 @@ if test "x$openssl" = "xyes" ; then
-               [AC_DEFINE([HAVE_EVP_CIPHER_CTX_CTRL], [1],
-                   [Define if libcrypto has EVP_CIPHER_CTX_ctrl])])
-+      # LibreSSL/OpenSSL 1.1x API
-+      AC_SEARCH_LIBS([DH_get0_key], [crypto],
-+              [AC_DEFINE([HAVE_DH_GET0_KEY], [1],
-+                  [Define if libcrypto has DH_get0_key])])
-+      AC_SEARCH_LIBS([DH_get0_pqg], [crypto],
-+              [AC_DEFINE([HAVE_DH_GET0_PQG], [1],
-+                  [Define if libcrypto has DH_get0_pqg])])
-+      AC_SEARCH_LIBS([DH_set0_key], [crypto],
-+              [AC_DEFINE([HAVE_DH_SET0_KEY], [1],
-+                  [Define if libcrypto has DH_set0_key])])
-+      AC_SEARCH_LIBS([DH_set_length], [crypto],
-+              [AC_DEFINE([HAVE_DH_SET_LENGTH], [1],
-+                  [Define if libcrypto has DH_set_length])])
-+      AC_SEARCH_LIBS([DH_set0_pqg], [crypto],
-+              [AC_DEFINE([HAVE_DH_SET0_PQG], [1],
-+                  [Define if libcrypto has DH_set0_pqg])])
-+
-+      AC_SEARCH_LIBS([DSA_get0_key], [crypto],
-+              [AC_DEFINE([HAVE_DSA_GET0_KEY], [1],
-+                  [Define if libcrypto has DSA_get0_key])])
-+      AC_SEARCH_LIBS([DSA_get0_pqg], [crypto],
-+              [AC_DEFINE([HAVE_DSA_GET0_PQG], [1],
-+                  [Define if libcrypto has DSA_get0_pqg])])
-+      AC_SEARCH_LIBS([DSA_set0_key], [crypto],
-+              [AC_DEFINE([HAVE_DSA_SET0_KEY], [1],
-+                  [Define if libcrypto has DSA_set0_key])])
-+      AC_SEARCH_LIBS([DSA_set0_pqg], [crypto],
-+              [AC_DEFINE([HAVE_DSA_SET0_PQG], [1],
-+                  [Define if libcrypto has DSA_set0_pqg])])
-+
-+      AC_SEARCH_LIBS([DSA_SIG_get0], [crypto],
-+              [AC_DEFINE([HAVE_DSA_SIG_GET0], [1],
-+                  [Define if libcrypto has DSA_SIG_get0])])
-+      AC_SEARCH_LIBS([DSA_SIG_set0], [crypto],
-+              [AC_DEFINE([HAVE_DSA_SIG_SET0], [1],
-+                  [Define if libcrypto has DSA_SIG_set0])])
-+
-+      AC_SEARCH_LIBS([ECDSA_SIG_get0], [crypto],
-+              [AC_DEFINE([HAVE_ECDSA_SIG_GET0], [1],
-+                  [Define if libcrypto has ECDSA_SIG_get0])])
-+      AC_SEARCH_LIBS([ECDSA_SIG_set0], [crypto],
-+              [AC_DEFINE([HAVE_ECDSA_SIG_SET0], [1],
-+                  [Define if libcrypto has ECDSA_SIG_set0])])
-+
-+      AC_SEARCH_LIBS([EVP_CIPHER_CTX_iv], [crypto],
-+              [AC_DEFINE([HAVE_EVP_CIPHER_CTX_IV], [1],
-+                  [Define if libcrypto has EVP_CIPHER_CTX_iv])])
-+      AC_SEARCH_LIBS([EVP_CIPHER_CTX_iv_noconst], [crypto],
-+              [AC_DEFINE([HAVE_EVP_CIPHER_CTX_IV_NOCONST], [1],
-+                  [Define if libcrypto has EVP_CIPHER_CTX_iv_noconst])])
-+      AC_SEARCH_LIBS([EVP_CIPHER_CTX_get_iv], [crypto],
-+              [AC_DEFINE([HAVE_EVP_CIPHER_CTX_GET_IV], [1],
-+                  [Define if libcrypto has EVP_CIPHER_CTX_get_iv])])
-+      AC_SEARCH_LIBS([EVP_CIPHER_CTX_set_iv], [crypto],
-+              [AC_DEFINE([HAVE_EVP_CIPHER_CTX_GET_IV], [1],
-+                  [Define if libcrypto has EVP_CIPHER_CTX_set_iv])])
-+
-+      AC_SEARCH_LIBS([RSA_get0_crt_params], [crypto],
-+              [AC_DEFINE([HAVE_RSA_GET0_CRT_PARAMS], [1],
-+                  [Define if libcrypto has RSA_get0_crt_params])])
-+      AC_SEARCH_LIBS([RSA_get0_factors], [crypto],
-+              [AC_DEFINE([HAVE_RSA_GET0_FACTORS], [1],
-+                  [Define if libcrypto has RSA_get0_factors])])
-+      AC_SEARCH_LIBS([RSA_get0_key], [crypto],
-+              [AC_DEFINE([HAVE_RSA_GET0_KEY], [1],
-+                  [Define if libcrypto has RSA_get0_key])])
-+      AC_SEARCH_LIBS([RSA_set0_crt_params], [crypto],
-+              [AC_DEFINE([HAVE_RSA_SET0_CRT_PARAMS], [1],
-+                  [Define if libcrypto has RSA_get0_srt_params])])
-+      AC_SEARCH_LIBS([RSA_set0_factors], [crypto],
-+              [AC_DEFINE([HAVE_RSA_SET0_FACTORS], [1],
-+                  [Define if libcrypto has RSA_set0_factors])])
-+      AC_SEARCH_LIBS([RSA_set0_key], [crypto],
-+              [AC_DEFINE([HAVE_RSA_SET0_KEY], [1],
-+                  [Define if libcrypto has RSA_set0_key])])
-+
-+      AC_SEARCH_LIBS([RSA_meth_free], [crypto],
-+              [AC_DEFINE([HAVE_RSA_METH_FREE], [1],
-+                  [Define if libcrypto has RSA_meth_free])])
-+      AC_SEARCH_LIBS([RSA_meth_dup], [crypto],
-+              [AC_DEFINE([HAVE_RSA_METH_DUP], [1],
-+                  [Define if libcrypto has RSA_meth_dup])])
-+      AC_SEARCH_LIBS([RSA_meth_set1_name], [crypto],
-+              [AC_DEFINE([HAVE_RSA_METH_SET1_NAME], [1],
-+                  [Define if libcrypto has RSA_meth_set1_name])])
-+      AC_SEARCH_LIBS([RSA_meth_get_finish], [crypto],
-+              [AC_DEFINE([HAVE_RSA_METH_GET_FINISH], [1],
-+                  [Define if libcrypto has RSA_meth_get_finish])])
-+      AC_SEARCH_LIBS([RSA_meth_set_priv_enc], [crypto],
-+              [AC_DEFINE([HAVE_RSA_METH_SET_PRIV_ENC], [1],
-+                  [Define if libcrypto has RSA_meth_set_priv_enc])])
-+      AC_SEARCH_LIBS([RSA_meth_set_priv_dec], [crypto],
-+              [AC_DEFINE([HAVE_RSA_METH_SET_PRIV_DEC], [1],
-+                  [Define if libcrypto has RSA_meth_set_priv_dec])])
-+      AC_SEARCH_LIBS([RSA_meth_set_finish], [crypto],
-+              [AC_DEFINE([HAVE_RSA_METH_SET_FINISH], [1],
-+                  [Define if libcrypto has RSA_meth_set_finish])])
-+
-+      AC_SEARCH_LIBS([EVP_PKEY_get0_RSA], [crypto],
-+              [AC_DEFINE([HAVE_EVP_PKEY_GET0_RSA], [1],
-+                  [Define if libcrypto has EVP_PKEY_get0_RSA])])
-+
-+      AC_SEARCH_LIBS([EVP_MD_CTX_new], [crypto],
-+              [AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1],
-+                  [Define if libcrypto has EVP_MD_CTX_new])])
-+      AC_SEARCH_LIBS([EVP_MD_CTX_free], [crypto],
-+              [AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1],
-+                  [Define if libcrypto has EVP_MD_CTX_free])])
-+
-       AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
-       AC_LINK_IFELSE(
-               [AC_LANG_PROGRAM([[
-diff --git a/dh.c b/dh.c
-index d0d4527b..f3ed3882 100644
---- a/dh.c
-+++ b/dh.c
-@@ -43,6 +43,8 @@
- #include "misc.h"
- #include "ssherr.h"
-+#include "openbsd-compat/openssl-compat.h"
-+
- static int
- parse_prime(int linenum, char *line, struct dhgroup *dhg)
- {
-diff --git a/kexdh.c b/kexdh.c
-index 0bf0dc13..e6925b18 100644
---- a/kexdh.c
-+++ b/kexdh.c
-@@ -33,6 +33,8 @@
- #include <openssl/evp.h>
-+#include "openbsd-compat/openssl-compat.h"
-+
- #include "ssh2.h"
- #include "sshkey.h"
- #include "cipher.h"
-diff --git a/kexdhc.c b/kexdhc.c
-index a8b74247..8b56377a 100644
---- a/kexdhc.c
-+++ b/kexdhc.c
-@@ -36,6 +36,8 @@
- #include <string.h>
- #include <signal.h>
-+#include "openbsd-compat/openssl-compat.h"
-+
- #include "sshkey.h"
- #include "cipher.h"
- #include "digest.h"
-diff --git a/kexdhs.c b/kexdhs.c
-index 8367c6c3..337aab5b 100644
---- a/kexdhs.c
-+++ b/kexdhs.c
-@@ -35,6 +35,8 @@
- #include <openssl/dh.h>
-+#include "openbsd-compat/openssl-compat.h"
-+
- #include "sshkey.h"
- #include "cipher.h"
- #include "digest.h"
-diff --git a/kexgex.c b/kexgex.c
-index 8b0d8333..3ca4bd37 100644
---- a/kexgex.c
-+++ b/kexgex.c
-@@ -33,6 +33,8 @@
- #include <openssl/evp.h>
- #include <signal.h>
-+#include "openbsd-compat/openssl-compat.h"
-+
- #include "sshkey.h"
- #include "cipher.h"
- #include "kex.h"
-diff --git a/kexgexc.c b/kexgexc.c
-index 955bc837..0d07f73c 100644
---- a/kexgexc.c
-+++ b/kexgexc.c
-@@ -37,6 +37,8 @@
- #include <string.h>
- #include <signal.h>
-+#include "openbsd-compat/openssl-compat.h"
-+
- #include "sshkey.h"
- #include "cipher.h"
- #include "digest.h"
-diff --git a/kexgexs.c b/kexgexs.c
-index 2a4aa7e8..ce934f88 100644
---- a/kexgexs.c
-+++ b/kexgexs.c
-@@ -36,6 +36,8 @@
- #include <openssl/dh.h>
-+#include "openbsd-compat/openssl-compat.h"
-+
- #include "sshkey.h"
- #include "cipher.h"
- #include "digest.h"
-diff --git a/monitor.c b/monitor.c
-index b30813b4..531b2993 100644
---- a/monitor.c
-+++ b/monitor.c
-@@ -29,7 +29,6 @@
- #include <sys/types.h>
- #include <sys/socket.h>
--#include "openbsd-compat/sys-tree.h"
- #include <sys/wait.h>
- #include <errno.h>
-@@ -60,7 +59,10 @@
- #include <openssl/dh.h>
- #endif
-+#include "openbsd-compat/sys-tree.h"
- #include "openbsd-compat/sys-queue.h"
-+#include "openbsd-compat/openssl-compat.h"
-+
- #include "atomicio.h"
- #include "xmalloc.h"
- #include "ssh.h"
-diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
-index 2fd9b952..c1e14cbd 100644
---- a/openbsd-compat/Makefile.in
-+++ b/openbsd-compat/Makefile.in
-@@ -85,6 +85,7 @@ COMPAT=      arc4random.o \
-       getrrsetbyname-ldns.o \
-       kludge-fd_set.o \
-       openssl-compat.o \
-+      libressl-api-compat.o \
-       xcrypt.o
- PORTS=        port-aix.o \
-diff --git a/openbsd-compat/libressl-api-compat.c b/openbsd-compat/libressl-api-compat.c
-new file mode 100644
-index 00000000..de3e64a6
---- /dev/null
-+++ b/openbsd-compat/libressl-api-compat.c
-@@ -0,0 +1,636 @@
-+/* $OpenBSD: dsa_lib.c,v 1.29 2018/04/14 07:09:21 tb Exp $ */
-+/* $OpenBSD: rsa_lib.c,v 1.37 2018/04/14 07:09:21 tb Exp $ */
-+/* $OpenBSD: evp_lib.c,v 1.17 2018/09/12 06:35:38 djm Exp $ */
-+/* $OpenBSD: dh_lib.c,v 1.32 2018/05/02 15:48:38 tb Exp $ */
-+/* $OpenBSD: p_lib.c,v 1.24 2018/05/30 15:40:50 tb Exp $ */
-+/* $OpenBSD: digest.c,v 1.30 2018/04/14 07:09:21 tb Exp $ */
-+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
-+ * All rights reserved.
-+ *
-+ * This package is an SSL implementation written
-+ * by Eric Young (eay@cryptsoft.com).
-+ * The implementation was written so as to conform with Netscapes SSL.
-+ * 
-+ * This library is free for commercial and non-commercial use as long as
-+ * the following conditions are aheared to.  The following conditions
-+ * apply to all code found in this distribution, be it the RC4, RSA,
-+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
-+ * included with this distribution is covered by the same copyright terms
-+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
-+ * 
-+ * Copyright remains Eric Young's, and as such any Copyright notices in
-+ * the code are not to be removed.
-+ * If this package is used in a product, Eric Young should be given attribution
-+ * as the author of the parts of the library used.
-+ * This can be in the form of a textual message at program startup or
-+ * in documentation (online or textual) provided with the package.
-+ * 
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the copyright
-+ *    notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in the
-+ *    documentation and/or other materials provided with the distribution.
-+ * 3. All advertising materials mentioning features or use of this software
-+ *    must display the following acknowledgement:
-+ *    "This product includes cryptographic software written by
-+ *     Eric Young (eay@cryptsoft.com)"
-+ *    The word 'cryptographic' can be left out if the rouines from the library
-+ *    being used are not cryptographic related :-).
-+ * 4. If you include any Windows specific code (or a derivative thereof) from 
-+ *    the apps directory (application code) you must include an acknowledgement:
-+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
-+ * 
-+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-+ * SUCH DAMAGE.
-+ * 
-+ * The licence and distribution terms for any publically available version or
-+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
-+ * copied and put under another distribution licence
-+ * [including the GNU Public Licence.]
-+ */
-+
-+/* $OpenBSD: dsa_asn1.c,v 1.22 2018/06/14 17:03:19 jsing Exp $ */
-+/* $OpenBSD: ecs_asn1.c,v 1.9 2018/03/17 15:24:44 tb Exp $ */
-+/* $OpenBSD: digest.c,v 1.30 2018/04/14 07:09:21 tb Exp $ */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project 2000.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2000-2005 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer. 
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com).  This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+/*    $OpenBSD: rsa_meth.c,v 1.2 2018/09/12 06:35:38 djm Exp $        */
-+/*
-+ * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
-+ *
-+ * Permission to use, copy, modify, and distribute this software for any
-+ * purpose with or without fee is hereby granted, provided that the above
-+ * copyright notice and this permission notice appear in all copies.
-+ *
-+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-+ */
-+
-+#include "includes.h"
-+
-+#ifdef WITH_OPENSSL
-+
-+#include <sys/types.h>
-+
-+#include <stdlib.h>
-+#include <string.h>
-+
-+#include <openssl/err.h>
-+#include <openssl/bn.h>
-+#include <openssl/dsa.h>
-+#include <openssl/rsa.h>
-+#include <openssl/evp.h>
-+#include <openssl/ecdsa.h>
-+#include <openssl/dh.h>
-+
-+#ifndef HAVE_DSA_GET0_PQG
-+void
-+DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
-+{
-+      if (p != NULL)
-+              *p = d->p;
-+      if (q != NULL)
-+              *q = d->q;
-+      if (g != NULL)
-+              *g = d->g;
-+}
-+#endif /* HAVE_DSA_GET0_PQG */
-+
-+#ifndef HAVE_DSA_SET0_PQG
-+int
-+DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g)
-+{
-+      if ((d->p == NULL && p == NULL) || (d->q == NULL && q == NULL) ||
-+          (d->g == NULL && g == NULL))
-+              return 0;
-+
-+      if (p != NULL) {
-+              BN_free(d->p);
-+              d->p = p;
-+      }
-+      if (q != NULL) {
-+              BN_free(d->q);
-+              d->q = q;
-+      }
-+      if (g != NULL) {
-+              BN_free(d->g);
-+              d->g = g;
-+      }
-+
-+      return 1;
-+}
-+#endif /* HAVE_DSA_SET0_PQG */
-+
-+#ifndef HAVE_DSA_GET0_KEY
-+void
-+DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM **priv_key)
-+{
-+      if (pub_key != NULL)
-+              *pub_key = d->pub_key;
-+      if (priv_key != NULL)
-+              *priv_key = d->priv_key;
-+}
-+#endif /* HAVE_DSA_GET0_KEY */
-+
-+#ifndef HAVE_DSA_SET0_KEY
-+int
-+DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key)
-+{
-+      if (d->pub_key == NULL && pub_key == NULL)
-+              return 0;
-+
-+      if (pub_key != NULL) {
-+              BN_free(d->pub_key);
-+              d->pub_key = pub_key;
-+      }
-+      if (priv_key != NULL) {
-+              BN_free(d->priv_key);
-+              d->priv_key = priv_key;
-+      }
-+
-+      return 1;
-+}
-+#endif /* HAVE_DSA_SET0_KEY */
-+
-+#ifndef HAVE_RSA_GET0_KEY
-+void
-+RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
-+{
-+      if (n != NULL)
-+              *n = r->n;
-+      if (e != NULL)
-+              *e = r->e;
-+      if (d != NULL)
-+              *d = r->d;
-+}
-+#endif /* HAVE_RSA_GET0_KEY */
-+
-+#ifndef HAVE_RSA_SET0_KEY
-+int
-+RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
-+{
-+      if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL))
-+              return 0;
-+
-+      if (n != NULL) {
-+              BN_free(r->n);
-+              r->n = n;
-+      }
-+      if (e != NULL) {
-+              BN_free(r->e);
-+              r->e = e;
-+      }
-+      if (d != NULL) {
-+              BN_free(r->d);
-+              r->d = d;
-+      }
-+
-+      return 1;
-+}
-+#endif /* HAVE_RSA_SET0_KEY */
-+
-+#ifndef HAVE_RSA_GET0_CRT_PARAMS
-+void
-+RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1,
-+    const BIGNUM **iqmp)
-+{
-+      if (dmp1 != NULL)
-+              *dmp1 = r->dmp1;
-+      if (dmq1 != NULL)
-+              *dmq1 = r->dmq1;
-+      if (iqmp != NULL)
-+              *iqmp = r->iqmp;
-+}
-+#endif /* HAVE_RSA_GET0_CRT_PARAMS */
-+
-+#ifndef HAVE_RSA_SET0_CRT_PARAMS
-+int
-+RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
-+{
-+      if ((r->dmp1 == NULL && dmp1 == NULL) ||
-+          (r->dmq1 == NULL && dmq1 == NULL) ||
-+          (r->iqmp == NULL && iqmp == NULL))
-+              return 0;
-+
-+      if (dmp1 != NULL) {
-+              BN_free(r->dmp1);
-+              r->dmp1 = dmp1;
-+      }
-+      if (dmq1 != NULL) {
-+              BN_free(r->dmq1);
-+              r->dmq1 = dmq1;
-+      }
-+      if (iqmp != NULL) {
-+              BN_free(r->iqmp);
-+              r->iqmp = iqmp;
-+      }
-+
-+      return 1;
-+}
-+#endif /* HAVE_RSA_SET0_CRT_PARAMS */
-+
-+#ifndef HAVE_RSA_GET0_FACTORS
-+void
-+RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q)
-+{
-+      if (p != NULL)
-+              *p = r->p;
-+      if (q != NULL)
-+              *q = r->q;
-+}
-+#endif /* HAVE_RSA_GET0_FACTORS */
-+
-+#ifndef HAVE_RSA_SET0_FACTORS
-+int
-+RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
-+{
-+      if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL))
-+              return 0;
-+
-+      if (p != NULL) {
-+              BN_free(r->p);
-+              r->p = p;
-+      }
-+      if (q != NULL) {
-+              BN_free(r->q);
-+              r->q = q;
-+      }
-+
-+      return 1;
-+}
-+#endif /* HAVE_RSA_SET0_FACTORS */
-+
-+#ifndef HAVE_EVP_CIPHER_CTX_GET_IV
-+int
-+EVP_CIPHER_CTX_get_iv(const EVP_CIPHER_CTX *ctx, unsigned char *iv, size_t len)
-+{
-+      if (ctx == NULL)
-+              return 0;
-+      if (EVP_CIPHER_CTX_iv_length(ctx) < 0)
-+              return 0;
-+      if (len != (size_t)EVP_CIPHER_CTX_iv_length(ctx))
-+              return 0;
-+      if (len > EVP_MAX_IV_LENGTH)
-+              return 0; /* sanity check; shouldn't happen */
-+      /*
-+       * Skip the memcpy entirely when the requested IV length is zero,
-+       * since the iv pointer may be NULL or invalid.
-+       */
-+      if (len != 0) {
-+              if (iv == NULL)
-+                      return 0;
-+# ifdef HAVE_EVP_CIPHER_CTX_IV
-+              memcpy(iv, EVP_CIPHER_CTX_iv(ctx), len);
-+# else
-+              memcpy(iv, ctx->iv, len);
-+# endif /* HAVE_EVP_CIPHER_CTX_IV */
-+      }
-+      return 1;
-+}
-+#endif /* HAVE_EVP_CIPHER_CTX_GET_IV */
-+
-+#ifndef HAVE_EVP_CIPHER_CTX_SET_IV
-+int
-+EVP_CIPHER_CTX_set_iv(EVP_CIPHER_CTX *ctx, const unsigned char *iv, size_t len)
-+{
-+      if (ctx == NULL)
-+              return 0;
-+      if (EVP_CIPHER_CTX_iv_length(ctx) < 0)
-+              return 0;
-+      if (len != (size_t)EVP_CIPHER_CTX_iv_length(ctx))
-+              return 0;
-+      if (len > EVP_MAX_IV_LENGTH)
-+              return 0; /* sanity check; shouldn't happen */
-+      /*
-+       * Skip the memcpy entirely when the requested IV length is zero,
-+       * since the iv pointer may be NULL or invalid.
-+       */
-+      if (len != 0) {
-+              if (iv == NULL)
-+                      return 0;
-+# ifdef HAVE_EVP_CIPHER_CTX_IV_NOCONST
-+              memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, len);
-+# else
-+              memcpy(ctx->iv, iv, len);
-+# endif /* HAVE_EVP_CIPHER_CTX_IV_NOCONST */
-+      }
-+      return 1;
-+}
-+#endif /* HAVE_EVP_CIPHER_CTX_SET_IV */
-+
-+#ifndef HAVE_DSA_SIG_GET0
-+void
-+DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)
-+{
-+      if (pr != NULL)
-+              *pr = sig->r;
-+      if (ps != NULL)
-+              *ps = sig->s;
-+}
-+#endif /* HAVE_DSA_SIG_GET0 */
-+
-+#ifndef HAVE_DSA_SIG_SET0
-+int
-+DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s)
-+{
-+      if (r == NULL || s == NULL)
-+              return 0;
-+
-+      BN_clear_free(sig->r);
-+      sig->r = r;
-+      BN_clear_free(sig->s);
-+      sig->s = s;
-+
-+      return 1;
-+}
-+#endif /* HAVE_DSA_SIG_SET0 */
-+
-+#ifndef HAVE_ECDSA_SIG_GET0
-+void
-+ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)
-+{
-+      if (pr != NULL)
-+              *pr = sig->r;
-+      if (ps != NULL)
-+              *ps = sig->s;
-+}
-+#endif /* HAVE_ECDSA_SIG_GET0 */
-+
-+#ifndef HAVE_ECDSA_SIG_SET0
-+int
-+ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s)
-+{
-+      if (r == NULL || s == NULL)
-+              return 0;
-+
-+      BN_clear_free(sig->r);
-+      BN_clear_free(sig->s);
-+      sig->r = r;
-+      sig->s = s;
-+      return 1;
-+}
-+#endif /* HAVE_ECDSA_SIG_SET0 */
-+
-+#ifndef HAVE_DH_GET0_PQG
-+void
-+DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
-+{
-+      if (p != NULL)
-+              *p = dh->p;
-+      if (q != NULL)
-+              *q = dh->q;
-+      if (g != NULL)
-+              *g = dh->g;
-+}
-+#endif /* HAVE_DH_GET0_PQG */
-+
-+#ifndef HAVE_DH_SET0_PQG
-+int
-+DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
-+{
-+      if ((dh->p == NULL && p == NULL) || (dh->g == NULL && g == NULL))
-+              return 0;
-+
-+      if (p != NULL) {
-+              BN_free(dh->p);
-+              dh->p = p;
-+      }
-+      if (q != NULL) {
-+              BN_free(dh->q);
-+              dh->q = q;
-+      }
-+      if (g != NULL) {
-+              BN_free(dh->g);
-+              dh->g = g;
-+      }
-+
-+      return 1;
-+}
-+#endif /* HAVE_DH_SET0_PQG */
-+
-+#ifndef HAVE_DH_GET0_KEY
-+void
-+DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key)
-+{
-+      if (pub_key != NULL)
-+              *pub_key = dh->pub_key;
-+      if (priv_key != NULL)
-+              *priv_key = dh->priv_key;
-+}
-+#endif /* HAVE_DH_GET0_KEY */
-+
-+#ifndef HAVE_DH_SET0_KEY
-+int
-+DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)
-+{
-+      if (pub_key != NULL) {
-+              BN_free(dh->pub_key);
-+              dh->pub_key = pub_key;
-+      }
-+      if (priv_key != NULL) {
-+              BN_free(dh->priv_key);
-+              dh->priv_key = priv_key;
-+      }
-+
-+      return 1;
-+}
-+#endif /* HAVE_DH_SET0_KEY */
-+
-+#ifndef HAVE_DH_SET_LENGTH
-+int
-+DH_set_length(DH *dh, long length)
-+{
-+      if (length < 0 || length > INT_MAX)
-+              return 0;
-+
-+      dh->length = length;
-+      return 1;
-+}
-+#endif /* HAVE_DH_SET_LENGTH */
-+
-+#ifndef HAVE_RSA_METH_FREE
-+void
-+RSA_meth_free(RSA_METHOD *meth)
-+{
-+      if (meth != NULL) {
-+              free((char *)meth->name);
-+              free(meth);
-+      }
-+}
-+#endif /* HAVE_RSA_METH_FREE */
-+
-+#ifndef HAVE_RSA_METH_DUP
-+RSA_METHOD *
-+RSA_meth_dup(const RSA_METHOD *meth)
-+{
-+      RSA_METHOD *copy;
-+
-+      if ((copy = calloc(1, sizeof(*copy))) == NULL)
-+              return NULL;
-+      memcpy(copy, meth, sizeof(*copy));
-+      if ((copy->name = strdup(meth->name)) == NULL) {
-+              free(copy);
-+              return NULL;
-+      }
-+
-+      return copy;
-+}
-+#endif /* HAVE_RSA_METH_DUP */
-+
-+#ifndef HAVE_RSA_METH_SET1_NAME
-+int
-+RSA_meth_set1_name(RSA_METHOD *meth, const char *name)
-+{
-+      char *copy;
-+
-+      if ((copy = strdup(name)) == NULL)
-+              return 0;
-+      free((char *)meth->name);
-+      meth->name = copy;
-+      return 1;
-+}
-+#endif /* HAVE_RSA_METH_SET1_NAME */
-+
-+#ifndef HAVE_RSA_METH_GET_FINISH
-+int
-+(*RSA_meth_get_finish(const RSA_METHOD *meth))(RSA *rsa)
-+{
-+      return meth->finish;
-+}
-+#endif /* HAVE_RSA_METH_GET_FINISH */
-+
-+#ifndef HAVE_RSA_METH_SET_PRIV_ENC
-+int
-+RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc)(int flen,
-+    const unsigned char *from, unsigned char *to, RSA *rsa, int padding))
-+{
-+      meth->rsa_priv_enc = priv_enc;
-+      return 1;
-+}
-+#endif /* HAVE_RSA_METH_SET_PRIV_ENC */
-+
-+#ifndef HAVE_RSA_METH_SET_PRIV_DEC
-+int
-+RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec)(int flen,
-+    const unsigned char *from, unsigned char *to, RSA *rsa, int padding))
-+{
-+      meth->rsa_priv_dec = priv_dec;
-+      return 1;
-+}
-+#endif /* HAVE_RSA_METH_SET_PRIV_DEC */
-+
-+#ifndef HAVE_RSA_METH_SET_FINISH
-+int
-+RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa))
-+{
-+      meth->finish = finish;
-+      return 1;
-+}
-+#endif /* HAVE_RSA_METH_SET_FINISH */
-+
-+#ifndef HAVE_EVP_PKEY_GET0_RSA
-+RSA *
-+EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
-+{
-+      if (pkey->type != EVP_PKEY_RSA) {
-+              /* EVPerror(EVP_R_EXPECTING_AN_RSA_KEY); */
-+              return NULL;
-+      }
-+      return pkey->pkey.rsa;
-+}
-+#endif /* HAVE_EVP_PKEY_GET0_RSA */
-+
-+#ifndef HAVE_EVP_MD_CTX_NEW
-+EVP_MD_CTX *
-+EVP_MD_CTX_new(void)
-+{
-+      return calloc(1, sizeof(EVP_MD_CTX));
-+}
-+#endif /* HAVE_EVP_MD_CTX_NEW */
-+
-+#ifndef HAVE_EVP_MD_CTX_FREE
-+void
-+EVP_MD_CTX_free(EVP_MD_CTX *ctx)
-+{
-+      if (ctx == NULL)
-+              return;
-+
-+      EVP_MD_CTX_cleanup(ctx);
-+
-+      free(ctx);
-+}
-+#endif /* HAVE_EVP_MD_CTX_FREE */
-+
-+#endif /* WITH_OPENSSL */
-diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
-index 2ae42bac..9e0264c0 100644
---- a/openbsd-compat/openssl-compat.h
-+++ b/openbsd-compat/openssl-compat.h
-@@ -24,6 +24,8 @@
- #include <openssl/evp.h>
- #include <openssl/rsa.h>
- #include <openssl/dsa.h>
-+#include <openssl/ecdsa.h>
-+#include <openssl/dh.h>
- int ssh_compatible_openssl(long, long);
-@@ -96,5 +98,139 @@ void ssh_OpenSSL_add_all_algorithms(void);
- #endif        /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */
-+/* LibreSSL/OpenSSL 1.1x API compat */
-+#ifndef HAVE_DSA_GET0_PQG
-+void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q,
-+    const BIGNUM **g);
-+#endif /* HAVE_DSA_GET0_PQG */
-+
-+#ifndef HAVE_DSA_SET0_PQG
-+int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g);
-+#endif /* HAVE_DSA_SET0_PQG */
-+
-+#ifndef HAVE_DSA_GET0_KEY
-+void DSA_get0_key(const DSA *d, const BIGNUM **pub_key,
-+    const BIGNUM **priv_key);
-+#endif /* HAVE_DSA_GET0_KEY */
-+
-+#ifndef HAVE_DSA_SET0_KEY
-+int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key);
-+#endif /* HAVE_DSA_SET0_KEY */
-+
-+#ifndef HAVE_EVP_CIPHER_CTX_GET_IV
-+int EVP_CIPHER_CTX_get_iv(const EVP_CIPHER_CTX *ctx,
-+    unsigned char *iv, size_t len);
-+#endif /* HAVE_EVP_CIPHER_CTX_GET_IV */
-+
-+#ifndef HAVE_EVP_CIPHER_CTX_SET_IV
-+int EVP_CIPHER_CTX_set_iv(EVP_CIPHER_CTX *ctx,
-+    const unsigned char *iv, size_t len);
-+#endif /* HAVE_EVP_CIPHER_CTX_SET_IV */
-+
-+#ifndef HAVE_RSA_GET0_KEY
-+void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e,
-+    const BIGNUM **d);
-+#endif /* HAVE_RSA_GET0_KEY */
-+
-+#ifndef HAVE_RSA_SET0_KEY
-+int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
-+#endif /* HAVE_RSA_SET0_KEY */
-+
-+#ifndef HAVE_RSA_GET0_CRT_PARAMS
-+void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1,
-+    const BIGNUM **iqmp);
-+#endif /* HAVE_RSA_GET0_CRT_PARAMS */
-+
-+#ifndef HAVE_RSA_SET0_CRT_PARAMS
-+int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp);
-+#endif /* HAVE_RSA_SET0_CRT_PARAMS */
-+
-+#ifndef HAVE_RSA_GET0_FACTORS
-+void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q);
-+#endif /* HAVE_RSA_GET0_FACTORS */
-+
-+#ifndef HAVE_RSA_SET0_FACTORS
-+int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q);
-+#endif /* HAVE_RSA_SET0_FACTORS */
-+
-+#ifndef DSA_SIG_GET0
-+void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
-+#endif /* DSA_SIG_GET0 */
-+
-+#ifndef DSA_SIG_SET0
-+int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s);
-+#endif /* DSA_SIG_SET0 */
-+
-+#ifndef HAVE_ECDSA_SIG_GET0
-+void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
-+#endif /* HAVE_ECDSA_SIG_GET0 */
-+
-+#ifndef HAVE_ECDSA_SIG_SET0
-+int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
-+#endif /* HAVE_ECDSA_SIG_SET0 */
-+
-+#ifndef HAVE_DH_GET0_PQG
-+void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q,
-+    const BIGNUM **g);
-+#endif /* HAVE_DH_GET0_PQG */
-+
-+#ifndef HAVE_DH_SET0_PQG
-+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
-+#endif /* HAVE_DH_SET0_PQG */
-+
-+#ifndef HAVE_DH_GET0_KEY
-+void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key);
-+#endif /* HAVE_DH_GET0_KEY */
-+
-+#ifndef HAVE_DH_SET0_KEY
-+int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key);
-+#endif /* HAVE_DH_SET0_KEY */
-+
-+#ifndef HAVE_DH_SET_LENGTH
-+int DH_set_length(DH *dh, long length);
-+#endif /* HAVE_DH_SET_LENGTH */
-+
-+#ifndef HAVE_RSA_METH_FREE
-+void RSA_meth_free(RSA_METHOD *meth);
-+#endif /* HAVE_RSA_METH_FREE */
-+
-+#ifndef HAVE_RSA_METH_DUP
-+RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth);
-+#endif /* HAVE_RSA_METH_DUP */
-+
-+#ifndef HAVE_RSA_METH_SET1_NAME
-+int RSA_meth_set1_name(RSA_METHOD *meth, const char *name);
-+#endif /* HAVE_RSA_METH_SET1_NAME */
-+
-+#ifndef HAVE_RSA_METH_GET_FINISH
-+int (*RSA_meth_get_finish(const RSA_METHOD *meth))(RSA *rsa);
-+#endif /* HAVE_RSA_METH_GET_FINISH */
-+
-+#ifndef HAVE_RSA_METH_SET_PRIV_ENC
-+int RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc)(int flen,
-+    const unsigned char *from, unsigned char *to, RSA *rsa, int padding));
-+#endif /* HAVE_RSA_METH_SET_PRIV_ENC */
-+
-+#ifndef HAVE_RSA_METH_SET_PRIV_DEC
-+int RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec)(int flen,
-+    const unsigned char *from, unsigned char *to, RSA *rsa, int padding));
-+#endif /* HAVE_RSA_METH_SET_PRIV_DEC */
-+
-+#ifndef HAVE_RSA_METH_SET_FINISH
-+int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa));
-+#endif /* HAVE_RSA_METH_SET_FINISH */
-+
-+#ifndef HAVE_EVP_PKEY_GET0_RSA
-+RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey);
-+#endif /* HAVE_EVP_PKEY_GET0_RSA */
-+
-+#ifndef HAVE_EVP_MD_CTX_new
-+EVP_MD_CTX *EVP_MD_CTX_new(void);
-+#endif /* HAVE_EVP_MD_CTX_new */
-+
-+#ifndef HAVE_EVP_MD_CTX_free
-+void EVP_MD_CTX_free(EVP_MD_CTX *ctx);
-+#endif /* HAVE_EVP_MD_CTX_free */
-+
- #endif /* WITH_OPENSSL */
- #endif /* _OPENSSL_COMPAT_H */
-diff --git a/ssh-dss.c b/ssh-dss.c
-index 631b1571..a23c383d 100644
---- a/ssh-dss.c
-+++ b/ssh-dss.c
-@@ -43,6 +43,8 @@
- #define SSHKEY_INTERNAL
- #include "sshkey.h"
-+#include "openbsd-compat/openssl-compat.h"
-+
- #define INTBLOB_LEN   20
- #define SIGBLOB_LEN   (2*INTBLOB_LEN)
-diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c
-index 9e92af04..2f553175 100644
---- a/ssh-ecdsa.c
-+++ b/ssh-ecdsa.c
-@@ -43,6 +43,8 @@
- #define SSHKEY_INTERNAL
- #include "sshkey.h"
-+#include "openbsd-compat/openssl-compat.h"
-+
- /* ARGSUSED */
- int
- ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
-diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c
-index bcc18c6b..d1241ce6 100644
---- a/ssh-pkcs11-client.c
-+++ b/ssh-pkcs11-client.c
-@@ -32,6 +32,8 @@
- #include <openssl/rsa.h>
-+#include "openbsd-compat/openssl-compat.h"
-+
- #include "pathnames.h"
- #include "xmalloc.h"
- #include "sshbuf.h"
-diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
-index c35f9415..775de964 100644
---- a/ssh-pkcs11.c
-+++ b/ssh-pkcs11.c
-@@ -30,6 +30,7 @@
- #include <dlfcn.h>
- #include "openbsd-compat/sys-queue.h"
-+#include "openbsd-compat/openssl-compat.h"
- #include <openssl/x509.h>
-diff --git a/ssh-rsa.c b/ssh-rsa.c
-index 2788f334..9b14f9a9 100644
---- a/ssh-rsa.c
-+++ b/ssh-rsa.c
-@@ -35,6 +35,8 @@
- #include "digest.h"
- #include "log.h"
-+#include "openbsd-compat/openssl-compat.h"
-+
- static int openssh_RSA_verify(int, u_char *, size_t, u_char *, size_t, RSA *);
- static const char *
-diff --git a/sshkey.c b/sshkey.c
-index a5e6e60e..18b253d9 100644
---- a/sshkey.c
-+++ b/sshkey.c
-@@ -60,6 +60,8 @@
- #include "xmss_fast.h"
-+#include "openbsd-compat/openssl-compat.h"
-+
- /* openssh private key file format */
- #define MARK_BEGIN            "-----BEGIN OPENSSH PRIVATE KEY-----\n"
- #define MARK_END              "-----END OPENSSH PRIVATE KEY-----\n"
-@@ -1727,7 +1729,6 @@ int
- sshkey_from_private(const struct sshkey *k, struct sshkey **pkp)
- {
-       struct sshkey *n = NULL;
--      int ret = SSH_ERR_INTERNAL_ERROR;
-       int r = SSH_ERR_INTERNAL_ERROR;
- #ifdef WITH_OPENSSL
-       const BIGNUM *rsa_n, *rsa_e;
--- 
-2.16.4
-
diff --git a/net/openssh/patches/0003-upstream-use-only-openssl-1.1.x-API-here-too.patch b/net/openssh/patches/0003-upstream-use-only-openssl-1.1.x-API-here-too.patch
deleted file mode 100644 (file)
index 1ba88db..0000000
+++ /dev/null
@@ -1,181 +0,0 @@
-From 14a6994ae89f54218c2c509c7e68323b7a9a2cbf Mon Sep 17 00:00:00 2001
-From: "djm@openbsd.org" <djm@openbsd.org>
-Date: Thu, 13 Sep 2018 05:06:51 +0000
-Subject: [PATCH 3/5] upstream: use only openssl-1.1.x API here too
-
-OpenBSD-Regress-ID: ae877064597c349954b1b443769723563cecbc8f
----
- regress/unittests/sshkey/test_sshkey.c | 104 +++++++++++++++++++++------------
- 1 file changed, 67 insertions(+), 37 deletions(-)
-
-diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c
-index 72367bde..a32d2884 100644
---- a/regress/unittests/sshkey/test_sshkey.c
-+++ b/regress/unittests/sshkey/test_sshkey.c
-@@ -1,4 +1,5 @@
- /*    $OpenBSD: test_sshkey.c,v 1.14 2018/07/13 02:13:19 djm Exp $ */
-+/* Incorporates changes from 1.16 */
- /*
-  * Regress test for sshkey.h key management API
-  *
-@@ -173,6 +174,61 @@ get_private(const char *n)
-       return ret;
- }
-+static const BIGNUM *
-+rsa_n(struct sshkey *k)
-+{
-+      const BIGNUM *n = NULL;
-+
-+      ASSERT_PTR_NE(k, NULL);
-+      ASSERT_PTR_NE(k->rsa, NULL);
-+      RSA_get0_key(k->rsa, &n, NULL, NULL);
-+      return n;
-+}
-+
-+static const BIGNUM *
-+rsa_e(struct sshkey *k)
-+{
-+      const BIGNUM *e = NULL;
-+
-+      ASSERT_PTR_NE(k, NULL);
-+      ASSERT_PTR_NE(k->rsa, NULL);
-+      RSA_get0_key(k->rsa, NULL, &e, NULL);
-+      return e;
-+}
-+
-+static const BIGNUM *
-+rsa_p(struct sshkey *k)
-+{
-+      const BIGNUM *p = NULL;
-+
-+      ASSERT_PTR_NE(k, NULL);
-+      ASSERT_PTR_NE(k->rsa, NULL);
-+      RSA_get0_factors(k->rsa, &p, NULL);
-+      return p;
-+}
-+
-+static const BIGNUM *
-+dsa_g(struct sshkey *k)
-+{
-+      const BIGNUM *g = NULL;
-+
-+      ASSERT_PTR_NE(k, NULL);
-+      ASSERT_PTR_NE(k->dsa, NULL);
-+      DSA_get0_pqg(k->dsa, NULL, NULL, &g);
-+      return g;
-+}
-+
-+static const BIGNUM *
-+dsa_priv_key(struct sshkey *k)
-+{
-+      const BIGNUM *priv_key = NULL;
-+
-+      ASSERT_PTR_NE(k, NULL);
-+      ASSERT_PTR_NE(k->dsa, NULL);
-+      DSA_get0_key(k->dsa, NULL, &priv_key);
-+      return priv_key;
-+}
-+
- void
- sshkey_tests(void)
- {
-@@ -197,9 +253,6 @@ sshkey_tests(void)
-       k1 = sshkey_new(KEY_RSA);
-       ASSERT_PTR_NE(k1, NULL);
-       ASSERT_PTR_NE(k1->rsa, NULL);
--      ASSERT_PTR_NE(k1->rsa->n, NULL);
--      ASSERT_PTR_NE(k1->rsa->e, NULL);
--      ASSERT_PTR_EQ(k1->rsa->p, NULL);
-       sshkey_free(k1);
-       TEST_DONE();
-@@ -207,8 +260,6 @@ sshkey_tests(void)
-       k1 = sshkey_new(KEY_DSA);
-       ASSERT_PTR_NE(k1, NULL);
-       ASSERT_PTR_NE(k1->dsa, NULL);
--      ASSERT_PTR_NE(k1->dsa->g, NULL);
--      ASSERT_PTR_EQ(k1->dsa->priv_key, NULL);
-       sshkey_free(k1);
-       TEST_DONE();
-@@ -230,27 +281,6 @@ sshkey_tests(void)
-       sshkey_free(k1);
-       TEST_DONE();
--      TEST_START("new_private KEY_RSA");
--      k1 = sshkey_new_private(KEY_RSA);
--      ASSERT_PTR_NE(k1, NULL);
--      ASSERT_PTR_NE(k1->rsa, NULL);
--      ASSERT_PTR_NE(k1->rsa->n, NULL);
--      ASSERT_PTR_NE(k1->rsa->e, NULL);
--      ASSERT_PTR_NE(k1->rsa->p, NULL);
--      ASSERT_INT_EQ(sshkey_add_private(k1), 0);
--      sshkey_free(k1);
--      TEST_DONE();
--
--      TEST_START("new_private KEY_DSA");
--      k1 = sshkey_new_private(KEY_DSA);
--      ASSERT_PTR_NE(k1, NULL);
--      ASSERT_PTR_NE(k1->dsa, NULL);
--      ASSERT_PTR_NE(k1->dsa->g, NULL);
--      ASSERT_PTR_NE(k1->dsa->priv_key, NULL);
--      ASSERT_INT_EQ(sshkey_add_private(k1), 0);
--      sshkey_free(k1);
--      TEST_DONE();
--
-       TEST_START("generate KEY_RSA too small modulus");
-       ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 128, &k1),
-           SSH_ERR_KEY_LENGTH);
-@@ -285,18 +315,18 @@ sshkey_tests(void)
-       ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 1024, &kr), 0);
-       ASSERT_PTR_NE(kr, NULL);
-       ASSERT_PTR_NE(kr->rsa, NULL);
--      ASSERT_PTR_NE(kr->rsa->n, NULL);
--      ASSERT_PTR_NE(kr->rsa->e, NULL);
--      ASSERT_PTR_NE(kr->rsa->p, NULL);
--      ASSERT_INT_EQ(BN_num_bits(kr->rsa->n), 1024);
-+      ASSERT_PTR_NE(rsa_n(kr), NULL);
-+      ASSERT_PTR_NE(rsa_e(kr), NULL);
-+      ASSERT_PTR_NE(rsa_p(kr), NULL);
-+      ASSERT_INT_EQ(BN_num_bits(rsa_n(kr)), 1024);
-       TEST_DONE();
-       TEST_START("generate KEY_DSA");
-       ASSERT_INT_EQ(sshkey_generate(KEY_DSA, 1024, &kd), 0);
-       ASSERT_PTR_NE(kd, NULL);
-       ASSERT_PTR_NE(kd->dsa, NULL);
--      ASSERT_PTR_NE(kd->dsa->g, NULL);
--      ASSERT_PTR_NE(kd->dsa->priv_key, NULL);
-+      ASSERT_PTR_NE(dsa_g(kd), NULL);
-+      ASSERT_PTR_NE(dsa_priv_key(kd), NULL);
-       TEST_DONE();
- #ifdef OPENSSL_HAS_ECC
-@@ -323,9 +353,9 @@ sshkey_tests(void)
-       ASSERT_PTR_NE(kr, k1);
-       ASSERT_INT_EQ(k1->type, KEY_RSA);
-       ASSERT_PTR_NE(k1->rsa, NULL);
--      ASSERT_PTR_NE(k1->rsa->n, NULL);
--      ASSERT_PTR_NE(k1->rsa->e, NULL);
--      ASSERT_PTR_EQ(k1->rsa->p, NULL);
-+      ASSERT_PTR_NE(rsa_n(k1), NULL);
-+      ASSERT_PTR_NE(rsa_e(k1), NULL);
-+      ASSERT_PTR_EQ(rsa_p(k1), NULL);
-       TEST_DONE();
-       TEST_START("equal KEY_RSA/demoted KEY_RSA");
-@@ -339,8 +369,8 @@ sshkey_tests(void)
-       ASSERT_PTR_NE(kd, k1);
-       ASSERT_INT_EQ(k1->type, KEY_DSA);
-       ASSERT_PTR_NE(k1->dsa, NULL);
--      ASSERT_PTR_NE(k1->dsa->g, NULL);
--      ASSERT_PTR_EQ(k1->dsa->priv_key, NULL);
-+      ASSERT_PTR_NE(dsa_g(k1), NULL);
-+      ASSERT_PTR_EQ(dsa_priv_key(k1), NULL);
-       TEST_DONE();
-       TEST_START("equal KEY_DSA/demoted KEY_DSA");
--- 
-2.16.4
-
diff --git a/net/openssh/patches/0004-upstream-missed-a-bit-of-openssl-1.0.x-API-in-this-u.patch b/net/openssh/patches/0004-upstream-missed-a-bit-of-openssl-1.0.x-API-in-this-u.patch
deleted file mode 100644 (file)
index 5c87589..0000000
+++ /dev/null
@@ -1,240 +0,0 @@
-From d100d85cc797d9871e0c34a09104b02b0452b4f4 Mon Sep 17 00:00:00 2001
-From: "djm@openbsd.org" <djm@openbsd.org>
-Date: Thu, 13 Sep 2018 09:03:20 +0000
-Subject: [PATCH 4/5] upstream: missed a bit of openssl-1.0.x API in this
- unittest
-
-OpenBSD-Regress-ID: a73a54d7f7381856a3f3a2d25947bee7a9a5dbc9
----
- regress/unittests/sshkey/common.c      | 79 +++++++++++++++++++++++++++++++++-
- regress/unittests/sshkey/common.h      | 11 ++++-
- regress/unittests/sshkey/test_file.c   | 13 +++---
- regress/unittests/sshkey/test_sshkey.c | 57 +-----------------------
- 4 files changed, 96 insertions(+), 64 deletions(-)
-
-diff --git a/regress/unittests/sshkey/common.c b/regress/unittests/sshkey/common.c
-index b598f05c..548da684 100644
---- a/regress/unittests/sshkey/common.c
-+++ b/regress/unittests/sshkey/common.c
-@@ -1,4 +1,4 @@
--/*    $OpenBSD: common.c,v 1.2 2015/01/08 13:10:58 djm Exp $ */
-+/*    $OpenBSD: common.c,v 1.3 2018/09/13 09:03:20 djm Exp $ */
- /*
-  * Helpers for key API tests
-  *
-@@ -82,3 +82,80 @@ load_bignum(const char *name)
-       return ret;
- }
-+const BIGNUM *
-+rsa_n(struct sshkey *k)
-+{
-+      const BIGNUM *n = NULL;
-+
-+      ASSERT_PTR_NE(k, NULL);
-+      ASSERT_PTR_NE(k->rsa, NULL);
-+      RSA_get0_key(k->rsa, &n, NULL, NULL);
-+      return n;
-+}
-+
-+const BIGNUM *
-+rsa_e(struct sshkey *k)
-+{
-+      const BIGNUM *e = NULL;
-+
-+      ASSERT_PTR_NE(k, NULL);
-+      ASSERT_PTR_NE(k->rsa, NULL);
-+      RSA_get0_key(k->rsa, NULL, &e, NULL);
-+      return e;
-+}
-+
-+const BIGNUM *
-+rsa_p(struct sshkey *k)
-+{
-+      const BIGNUM *p = NULL;
-+
-+      ASSERT_PTR_NE(k, NULL);
-+      ASSERT_PTR_NE(k->rsa, NULL);
-+      RSA_get0_factors(k->rsa, &p, NULL);
-+      return p;
-+}
-+
-+const BIGNUM *
-+rsa_q(struct sshkey *k)
-+{
-+      const BIGNUM *q = NULL;
-+
-+      ASSERT_PTR_NE(k, NULL);
-+      ASSERT_PTR_NE(k->rsa, NULL);
-+      RSA_get0_factors(k->rsa, NULL, &q);
-+      return q;
-+}
-+
-+const BIGNUM *
-+dsa_g(struct sshkey *k)
-+{
-+      const BIGNUM *g = NULL;
-+
-+      ASSERT_PTR_NE(k, NULL);
-+      ASSERT_PTR_NE(k->dsa, NULL);
-+      DSA_get0_pqg(k->dsa, NULL, NULL, &g);
-+      return g;
-+}
-+
-+const BIGNUM *
-+dsa_pub_key(struct sshkey *k)
-+{
-+      const BIGNUM *pub_key = NULL;
-+
-+      ASSERT_PTR_NE(k, NULL);
-+      ASSERT_PTR_NE(k->dsa, NULL);
-+      DSA_get0_key(k->dsa, &pub_key, NULL);
-+      return pub_key;
-+}
-+
-+const BIGNUM *
-+dsa_priv_key(struct sshkey *k)
-+{
-+      const BIGNUM *priv_key = NULL;
-+
-+      ASSERT_PTR_NE(k, NULL);
-+      ASSERT_PTR_NE(k->dsa, NULL);
-+      DSA_get0_key(k->dsa, NULL, &priv_key);
-+      return priv_key;
-+}
-+
-diff --git a/regress/unittests/sshkey/common.h b/regress/unittests/sshkey/common.h
-index bf7d19dc..7a514fdc 100644
---- a/regress/unittests/sshkey/common.h
-+++ b/regress/unittests/sshkey/common.h
-@@ -1,4 +1,4 @@
--/*    $OpenBSD: common.h,v 1.1 2014/06/24 01:14:18 djm Exp $ */
-+/*    $OpenBSD: common.h,v 1.2 2018/09/13 09:03:20 djm Exp $ */
- /*
-  * Helpers for key API tests
-  *
-@@ -14,3 +14,12 @@ struct sshbuf *load_text_file(const char *name);
- /* Load a bignum from a file */
- BIGNUM *load_bignum(const char *name);
-+/* Accessors for key components */
-+const BIGNUM *rsa_n(struct sshkey *k);
-+const BIGNUM *rsa_e(struct sshkey *k);
-+const BIGNUM *rsa_p(struct sshkey *k);
-+const BIGNUM *rsa_q(struct sshkey *k);
-+const BIGNUM *dsa_g(struct sshkey *k);
-+const BIGNUM *dsa_pub_key(struct sshkey *k);
-+const BIGNUM *dsa_priv_key(struct sshkey *k);
-+
-diff --git a/regress/unittests/sshkey/test_file.c b/regress/unittests/sshkey/test_file.c
-index 99b7e21c..596c166b 100644
---- a/regress/unittests/sshkey/test_file.c
-+++ b/regress/unittests/sshkey/test_file.c
-@@ -1,4 +1,5 @@
- /*    $OpenBSD: test_file.c,v 1.6 2017/04/30 23:33:48 djm Exp $ */
-+/* Incorporates changes from 1.8 */
- /*
-  * Regress test for sshkey.h key management API
-  *
-@@ -60,9 +61,9 @@ sshkey_file_tests(void)
-       a = load_bignum("rsa_1.param.n");
-       b = load_bignum("rsa_1.param.p");
-       c = load_bignum("rsa_1.param.q");
--      ASSERT_BIGNUM_EQ(k1->rsa->n, a);
--      ASSERT_BIGNUM_EQ(k1->rsa->p, b);
--      ASSERT_BIGNUM_EQ(k1->rsa->q, c);
-+      ASSERT_BIGNUM_EQ(rsa_n(k1), a);
-+      ASSERT_BIGNUM_EQ(rsa_p(k1), b);
-+      ASSERT_BIGNUM_EQ(rsa_q(k1), c);
-       BN_free(a);
-       BN_free(b);
-       BN_free(c);
-@@ -151,9 +152,9 @@ sshkey_file_tests(void)
-       a = load_bignum("dsa_1.param.g");
-       b = load_bignum("dsa_1.param.priv");
-       c = load_bignum("dsa_1.param.pub");
--      ASSERT_BIGNUM_EQ(k1->dsa->g, a);
--      ASSERT_BIGNUM_EQ(k1->dsa->priv_key, b);
--      ASSERT_BIGNUM_EQ(k1->dsa->pub_key, c);
-+      ASSERT_BIGNUM_EQ(dsa_g(k1), a);
-+      ASSERT_BIGNUM_EQ(dsa_priv_key(k1), b);
-+      ASSERT_BIGNUM_EQ(dsa_pub_key(k1), c);
-       BN_free(a);
-       BN_free(b);
-       BN_free(c);
-diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c
-index a32d2884..deeb23a0 100644
---- a/regress/unittests/sshkey/test_sshkey.c
-+++ b/regress/unittests/sshkey/test_sshkey.c
-@@ -1,5 +1,5 @@
- /*    $OpenBSD: test_sshkey.c,v 1.14 2018/07/13 02:13:19 djm Exp $ */
--/* Incorporates changes from 1.16 */
-+/* Incorporates changes from 1.16 and 1.17 */
- /*
-  * Regress test for sshkey.h key management API
-  *
-@@ -174,61 +174,6 @@ get_private(const char *n)
-       return ret;
- }
--static const BIGNUM *
--rsa_n(struct sshkey *k)
--{
--      const BIGNUM *n = NULL;
--
--      ASSERT_PTR_NE(k, NULL);
--      ASSERT_PTR_NE(k->rsa, NULL);
--      RSA_get0_key(k->rsa, &n, NULL, NULL);
--      return n;
--}
--
--static const BIGNUM *
--rsa_e(struct sshkey *k)
--{
--      const BIGNUM *e = NULL;
--
--      ASSERT_PTR_NE(k, NULL);
--      ASSERT_PTR_NE(k->rsa, NULL);
--      RSA_get0_key(k->rsa, NULL, &e, NULL);
--      return e;
--}
--
--static const BIGNUM *
--rsa_p(struct sshkey *k)
--{
--      const BIGNUM *p = NULL;
--
--      ASSERT_PTR_NE(k, NULL);
--      ASSERT_PTR_NE(k->rsa, NULL);
--      RSA_get0_factors(k->rsa, &p, NULL);
--      return p;
--}
--
--static const BIGNUM *
--dsa_g(struct sshkey *k)
--{
--      const BIGNUM *g = NULL;
--
--      ASSERT_PTR_NE(k, NULL);
--      ASSERT_PTR_NE(k->dsa, NULL);
--      DSA_get0_pqg(k->dsa, NULL, NULL, &g);
--      return g;
--}
--
--static const BIGNUM *
--dsa_priv_key(struct sshkey *k)
--{
--      const BIGNUM *priv_key = NULL;
--
--      ASSERT_PTR_NE(k, NULL);
--      ASSERT_PTR_NE(k->dsa, NULL);
--      DSA_get0_key(k->dsa, NULL, &priv_key);
--      return priv_key;
--}
--
- void
- sshkey_tests(void)
- {
--- 
-2.16.4
-
diff --git a/net/openssh/patches/0005-add-compat-header.patch b/net/openssh/patches/0005-add-compat-header.patch
deleted file mode 100644 (file)
index aad97ef..0000000
+++ /dev/null
@@ -1,25 +0,0 @@
-From a3fc79d9cdab61ed58dafc4c49b295ec1bbe1d84 Mon Sep 17 00:00:00 2001
-From: Damien Miller <djm@mindrot.org>
-Date: Thu, 13 Sep 2018 19:05:48 +1000
-Subject: [PATCH 5/5] add compat header
-
----
- regress/unittests/sshkey/common.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/regress/unittests/sshkey/common.c b/regress/unittests/sshkey/common.c
-index 548da684..e63465c4 100644
---- a/regress/unittests/sshkey/common.c
-+++ b/regress/unittests/sshkey/common.c
-@@ -27,6 +27,8 @@
- # include <openssl/ec.h>
- #endif
-+#include "openbsd-compat/openssl-compat.h"
-+
- #include "../test_helper/test_helper.h"
- #include "ssherr.h"
--- 
-2.16.4
-
diff --git a/net/safe-search/Makefile b/net/safe-search/Makefile
new file mode 100644 (file)
index 0000000..4676c21
--- /dev/null
@@ -0,0 +1,73 @@
+#
+# Copyright (c) 2018 Gregory L. Dietsche <Gregory.Dietsche@cuw.edu>
+# This is free software, licensed under the MIT License
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=safe-search
+PKG_VERSION:=1.0.0
+PKG_RELEASE:=1
+PKG_LICENSE:=MIT
+PKG_MAINTAINER:=Gregory L. Dietsche <Gregory.Dietsche@cuw.edu>
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/safe-search
+       SECTION:=net
+       CATEGORY:=Network
+       TITLE:=Safe Search
+       PKGARCH:=all
+endef
+
+define Package/safe-search/description
+This package prevents adult content from appearing in search results by
+configuring dnsmasq to force all devices on your network to use Google and
+Bing's Safe Search IP addresses. This is designed to be approperiate for most
+businesses and families. The default filtering rules do not interfere with
+normal web browsing.
+endef
+
+define Package/safe-search/conffiles
+/etc/config/safe-search
+endef
+
+define Build/Compile
+endef
+
+define Package/safe-search/install
+       $(INSTALL_DIR) $(1)/etc/uci-defaults
+       $(CP) ./files/safe-search.defaults $(1)/etc/uci-defaults/safe-search
+
+       $(INSTALL_DIR) $(1)/etc/config
+       $(INSTALL_CONF) ./files/safe-search.conf $(1)/etc/config/safe-search
+
+       $(INSTALL_DIR) $(1)/usr/sbin
+       $(INSTALL_BIN) ./files/safe-search-update $(1)/usr/sbin/safe-search-update
+
+       $(INSTALL_DIR) $(1)/etc/safe-search/enabled
+       $(INSTALL_DIR) $(1)/etc/safe-search/available
+       $(INSTALL_DATA) ./files/hosts/* $(1)/etc/safe-search/available/
+endef
+
+define Package/safe-search/prerm
+#!/bin/sh
+if [ -z "$${IPGK_INSTROOT}" ]; then
+       uci del_list dhcp.@dnsmasq[0].addnhosts=/etc/safe-search/enabled
+       uci commit dhcp
+       /etc/init.d/dnsmasq reload
+fi
+exit 0
+endef
+
+define Package/safe-search/postrm
+#!/bin/sh
+if [ -z "$${IPGK_INSTROOT}" ]; then
+       rm -rf /etc/safe-search/enabled
+       rmdir /etc/safe-search/available
+       rmdir /etc/safe-search/
+fi
+exit 0
+endef
+
+$(eval $(call BuildPackage,safe-search))
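Review bot: The guard in both the prerm and postrm scripts tests `IPGK_INSTROOT`, which nothing in this Makefile sets and which looks like a misspelling of the `IPKG_INSTROOT` variable that OpenWrt package scripts normally check. With the misspelled name the `-z` test is always true, so the bodies also run when the package is removed from an offline image root. In that case `uci commit dhcp`, `/etc/init.d/dnsmasq reload` and `rm -rf /etc/safe-search/enabled` would act on the absolute paths of the machine doing the removal instead of the target root. Both tests should read `if [ -z "$${IPKG_INSTROOT}" ]; then`.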
diff --git a/net/safe-search/Readme.md b/net/safe-search/Readme.md
new file mode 100644 (file)
index 0000000..b6f0395
--- /dev/null
@@ -0,0 +1,19 @@
+# Package: net/safe-search
+
+This package prevents adult content from appearing in search results by
+configuring dnsmasq to force all devices on your network to use Google and
+Bing's Safe Search IP addresses. This is designed to be approperiate for most
+businesses and families. The default filtering rules do not interfere with
+normal web browsing.
+
+Currently supported:
+- Google Safe Search - enabled by default
+    - https://support.google.com/websearch/answer/186669
+- Bing Safe Search - enabled by default
+    -  https://help.bing.microsoft.com/#apex/18/en-US/10003/0
+- youtube Safe Search
+    - https://support.google.com/a/answer/6214622
+    - https://support.google.com/a/answer/6212415
+    - https://www.youtube.com/check_content_restrictions
+    - Not enabled by default because it is designed for children.
+    - Enable by editing /etc/config/safe-search and then run safe-search-update
diff --git a/net/safe-search/files/hosts/bing.default b/net/safe-search/files/hosts/bing.default
new file mode 100644 (file)
index 0000000..ff80383
--- /dev/null
@@ -0,0 +1,14 @@
+#
+# Copyright (c) 2018 Gregory L. Dietsche <Gregory.Dietsche@cuw.edu>
+# This is free software, licensed under the MIT License
+#
+
+#
+# IMPORTANT: if this file is not working, make sure that dnsmasq is able to READ it!
+#
+
+#204.79.197.220 strict.bing.com
+#::FFFF:CC4F:C5DC strict.bing.com
+
+204.79.197.220 bing.com www.bing.com
+::FFFF:CC4F:C5DC bing.com www.bing.com
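Review bot: This file pins `bing.com` and `www.bing.com` to a hard-coded address but records neither when nor from where the address was taken, whereas the sibling `google.default` carries a "Generated on" date and a source URL. Every client on the network will be sent to these addresses, so a header comment such as `# Addresses resolved from strict.bing.com on <date>; re-resolve and update if they change` would make stale entries auditable. The AAAA entry is the IPv4-mapped form of the same address (`::FFFF:CC4F:C5DC`), and a one-line comment saying why a mapped address is used instead of a native IPv6 one would help, since client handling of mapped addresses in DNS answers presumably varies.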
diff --git a/net/safe-search/files/hosts/google.default b/net/safe-search/files/hosts/google.default
new file mode 100644 (file)
index 0000000..f8aa8c3
--- /dev/null
@@ -0,0 +1,785 @@
+#
+# Copyright (c) 2018 Gregory L. Dietsche <Gregory.Dietsche@cuw.edu>
+# This is free software, licensed under the MIT License
+#
+# IMPORTANT: if this file is not working, make sure that dnsmasq is able to READ it!
+#
+# Google Safe Search Host List
+# Generated on Wed Oct 10 10:18:34 CDT 2018
+# From: https://www.google.com/supported_domains
+
+#2001:4860:4802:32::78 forcesafesearch.google.com
+#216.239.38.120 forcesafesearch.google.com
+
+2001:4860:4802:32::78 google.com
+2001:4860:4802:32::78 google.ad
+2001:4860:4802:32::78 google.ae
+2001:4860:4802:32::78 google.com.af
+2001:4860:4802:32::78 google.com.ag
+2001:4860:4802:32::78 google.com.ai
+2001:4860:4802:32::78 google.al
+2001:4860:4802:32::78 google.am
+2001:4860:4802:32::78 google.co.ao
+2001:4860:4802:32::78 google.com.ar
+2001:4860:4802:32::78 google.as
+2001:4860:4802:32::78 google.at
+2001:4860:4802:32::78 google.com.au
+2001:4860:4802:32::78 google.az
+2001:4860:4802:32::78 google.ba
+2001:4860:4802:32::78 google.com.bd
+2001:4860:4802:32::78 google.be
+2001:4860:4802:32::78 google.bf
+2001:4860:4802:32::78 google.bg
+2001:4860:4802:32::78 google.com.bh
+2001:4860:4802:32::78 google.bi
+2001:4860:4802:32::78 google.bj
+2001:4860:4802:32::78 google.com.bn
+2001:4860:4802:32::78 google.com.bo
+2001:4860:4802:32::78 google.com.br
+2001:4860:4802:32::78 google.bs
+2001:4860:4802:32::78 google.bt
+2001:4860:4802:32::78 google.co.bw
+2001:4860:4802:32::78 google.by
+2001:4860:4802:32::78 google.com.bz
+2001:4860:4802:32::78 google.ca
+2001:4860:4802:32::78 google.cd
+2001:4860:4802:32::78 google.cf
+2001:4860:4802:32::78 google.cg
+2001:4860:4802:32::78 google.ch
+2001:4860:4802:32::78 google.ci
+2001:4860:4802:32::78 google.co.ck
+2001:4860:4802:32::78 google.cl
+2001:4860:4802:32::78 google.cm
+2001:4860:4802:32::78 google.cn
+2001:4860:4802:32::78 google.com.co
+2001:4860:4802:32::78 google.co.cr
+2001:4860:4802:32::78 google.com.cu
+2001:4860:4802:32::78 google.cv
+2001:4860:4802:32::78 google.com.cy
+2001:4860:4802:32::78 google.cz
+2001:4860:4802:32::78 google.de
+2001:4860:4802:32::78 google.dj
+2001:4860:4802:32::78 google.dk
+2001:4860:4802:32::78 google.dm
+2001:4860:4802:32::78 google.com.do
+2001:4860:4802:32::78 google.dz
+2001:4860:4802:32::78 google.com.ec
+2001:4860:4802:32::78 google.ee
+2001:4860:4802:32::78 google.com.eg
+2001:4860:4802:32::78 google.es
+2001:4860:4802:32::78 google.com.et
+2001:4860:4802:32::78 google.fi
+2001:4860:4802:32::78 google.com.fj
+2001:4860:4802:32::78 google.fm
+2001:4860:4802:32::78 google.fr
+2001:4860:4802:32::78 google.ga
+2001:4860:4802:32::78 google.ge
+2001:4860:4802:32::78 google.gg
+2001:4860:4802:32::78 google.com.gh
+2001:4860:4802:32::78 google.com.gi
+2001:4860:4802:32::78 google.gl
+2001:4860:4802:32::78 google.gm
+2001:4860:4802:32::78 google.gp
+2001:4860:4802:32::78 google.gr
+2001:4860:4802:32::78 google.com.gt
+2001:4860:4802:32::78 google.gy
+2001:4860:4802:32::78 google.com.hk
+2001:4860:4802:32::78 google.hn
+2001:4860:4802:32::78 google.hr
+2001:4860:4802:32::78 google.ht
+2001:4860:4802:32::78 google.hu
+2001:4860:4802:32::78 google.co.id
+2001:4860:4802:32::78 google.ie
+2001:4860:4802:32::78 google.co.il
+2001:4860:4802:32::78 google.im
+2001:4860:4802:32::78 google.co.in
+2001:4860:4802:32::78 google.iq
+2001:4860:4802:32::78 google.is
+2001:4860:4802:32::78 google.it
+2001:4860:4802:32::78 google.je
+2001:4860:4802:32::78 google.com.jm
+2001:4860:4802:32::78 google.jo
+2001:4860:4802:32::78 google.co.jp
+2001:4860:4802:32::78 google.co.ke
+2001:4860:4802:32::78 google.com.kh
+2001:4860:4802:32::78 google.ki
+2001:4860:4802:32::78 google.kg
+2001:4860:4802:32::78 google.co.kr
+2001:4860:4802:32::78 google.com.kw
+2001:4860:4802:32::78 google.kz
+2001:4860:4802:32::78 google.la
+2001:4860:4802:32::78 google.com.lb
+2001:4860:4802:32::78 google.li
+2001:4860:4802:32::78 google.lk
+2001:4860:4802:32::78 google.co.ls
+2001:4860:4802:32::78 google.lt
+2001:4860:4802:32::78 google.lu
+2001:4860:4802:32::78 google.lv
+2001:4860:4802:32::78 google.com.ly
+2001:4860:4802:32::78 google.co.ma
+2001:4860:4802:32::78 google.md
+2001:4860:4802:32::78 google.me
+2001:4860:4802:32::78 google.mg
+2001:4860:4802:32::78 google.mk
+2001:4860:4802:32::78 google.ml
+2001:4860:4802:32::78 google.com.mm
+2001:4860:4802:32::78 google.mn
+2001:4860:4802:32::78 google.ms
+2001:4860:4802:32::78 google.com.mt
+2001:4860:4802:32::78 google.mu
+2001:4860:4802:32::78 google.mv
+2001:4860:4802:32::78 google.mw
+2001:4860:4802:32::78 google.com.mx
+2001:4860:4802:32::78 google.com.my
+2001:4860:4802:32::78 google.co.mz
+2001:4860:4802:32::78 google.com.na
+2001:4860:4802:32::78 google.com.nf
+2001:4860:4802:32::78 google.com.ng
+2001:4860:4802:32::78 google.com.ni
+2001:4860:4802:32::78 google.ne
+2001:4860:4802:32::78 google.nl
+2001:4860:4802:32::78 google.no
+2001:4860:4802:32::78 google.com.np
+2001:4860:4802:32::78 google.nr
+2001:4860:4802:32::78 google.nu
+2001:4860:4802:32::78 google.co.nz
+2001:4860:4802:32::78 google.com.om
+2001:4860:4802:32::78 google.com.pa
+2001:4860:4802:32::78 google.com.pe
+2001:4860:4802:32::78 google.com.pg
+2001:4860:4802:32::78 google.com.ph
+2001:4860:4802:32::78 google.com.pk
+2001:4860:4802:32::78 google.pl
+2001:4860:4802:32::78 google.pn
+2001:4860:4802:32::78 google.com.pr
+2001:4860:4802:32::78 google.ps
+2001:4860:4802:32::78 google.pt
+2001:4860:4802:32::78 google.com.py
+2001:4860:4802:32::78 google.com.qa
+2001:4860:4802:32::78 google.ro
+2001:4860:4802:32::78 google.ru
+2001:4860:4802:32::78 google.rw
+2001:4860:4802:32::78 google.com.sa
+2001:4860:4802:32::78 google.com.sb
+2001:4860:4802:32::78 google.sc
+2001:4860:4802:32::78 google.se
+2001:4860:4802:32::78 google.com.sg
+2001:4860:4802:32::78 google.sh
+2001:4860:4802:32::78 google.si
+2001:4860:4802:32::78 google.sk
+2001:4860:4802:32::78 google.com.sl
+2001:4860:4802:32::78 google.sn
+2001:4860:4802:32::78 google.so
+2001:4860:4802:32::78 google.sm
+2001:4860:4802:32::78 google.sr
+2001:4860:4802:32::78 google.st
+2001:4860:4802:32::78 google.com.sv
+2001:4860:4802:32::78 google.td
+2001:4860:4802:32::78 google.tg
+2001:4860:4802:32::78 google.co.th
+2001:4860:4802:32::78 google.com.tj
+2001:4860:4802:32::78 google.tk
+2001:4860:4802:32::78 google.tl
+2001:4860:4802:32::78 google.tm
+2001:4860:4802:32::78 google.tn
+2001:4860:4802:32::78 google.to
+2001:4860:4802:32::78 google.com.tr
+2001:4860:4802:32::78 google.tt
+2001:4860:4802:32::78 google.com.tw
+2001:4860:4802:32::78 google.co.tz
+2001:4860:4802:32::78 google.com.ua
+2001:4860:4802:32::78 google.co.ug
+2001:4860:4802:32::78 google.co.uk
+2001:4860:4802:32::78 google.com.uy
+2001:4860:4802:32::78 google.co.uz
+2001:4860:4802:32::78 google.com.vc
+2001:4860:4802:32::78 google.co.ve
+2001:4860:4802:32::78 google.vg
+2001:4860:4802:32::78 google.co.vi
+2001:4860:4802:32::78 google.com.vn
+2001:4860:4802:32::78 google.vu
+2001:4860:4802:32::78 google.ws
+2001:4860:4802:32::78 google.rs
+2001:4860:4802:32::78 google.co.za
+2001:4860:4802:32::78 google.co.zm
+2001:4860:4802:32::78 google.co.zw
+2001:4860:4802:32::78 google.cat
+2001:4860:4802:32::78 www.google.com
+2001:4860:4802:32::78 www.google.ad
+2001:4860:4802:32::78 www.google.ae
+2001:4860:4802:32::78 www.google.com.af
+2001:4860:4802:32::78 www.google.com.ag
+2001:4860:4802:32::78 www.google.com.ai
+2001:4860:4802:32::78 www.google.al
+2001:4860:4802:32::78 www.google.am
+2001:4860:4802:32::78 www.google.co.ao
+2001:4860:4802:32::78 www.google.com.ar
+2001:4860:4802:32::78 www.google.as
+2001:4860:4802:32::78 www.google.at
+2001:4860:4802:32::78 www.google.com.au
+2001:4860:4802:32::78 www.google.az
+2001:4860:4802:32::78 www.google.ba
+2001:4860:4802:32::78 www.google.com.bd
+2001:4860:4802:32::78 www.google.be
+2001:4860:4802:32::78 www.google.bf
+2001:4860:4802:32::78 www.google.bg
+2001:4860:4802:32::78 www.google.com.bh
+2001:4860:4802:32::78 www.google.bi
+2001:4860:4802:32::78 www.google.bj
+2001:4860:4802:32::78 www.google.com.bn
+2001:4860:4802:32::78 www.google.com.bo
+2001:4860:4802:32::78 www.google.com.br
+2001:4860:4802:32::78 www.google.bs
+2001:4860:4802:32::78 www.google.bt
+2001:4860:4802:32::78 www.google.co.bw
+2001:4860:4802:32::78 www.google.by
+2001:4860:4802:32::78 www.google.com.bz
+2001:4860:4802:32::78 www.google.ca
+2001:4860:4802:32::78 www.google.cd
+2001:4860:4802:32::78 www.google.cf
+2001:4860:4802:32::78 www.google.cg
+2001:4860:4802:32::78 www.google.ch
+2001:4860:4802:32::78 www.google.ci
+2001:4860:4802:32::78 www.google.co.ck
+2001:4860:4802:32::78 www.google.cl
+2001:4860:4802:32::78 www.google.cm
+2001:4860:4802:32::78 www.google.cn
+2001:4860:4802:32::78 www.google.com.co
+2001:4860:4802:32::78 www.google.co.cr
+2001:4860:4802:32::78 www.google.com.cu
+2001:4860:4802:32::78 www.google.cv
+2001:4860:4802:32::78 www.google.com.cy
+2001:4860:4802:32::78 www.google.cz
+2001:4860:4802:32::78 www.google.de
+2001:4860:4802:32::78 www.google.dj
+2001:4860:4802:32::78 www.google.dk
+2001:4860:4802:32::78 www.google.dm
+2001:4860:4802:32::78 www.google.com.do
+2001:4860:4802:32::78 www.google.dz
+2001:4860:4802:32::78 www.google.com.ec
+2001:4860:4802:32::78 www.google.ee
+2001:4860:4802:32::78 www.google.com.eg
+2001:4860:4802:32::78 www.google.es
+2001:4860:4802:32::78 www.google.com.et
+2001:4860:4802:32::78 www.google.fi
+2001:4860:4802:32::78 www.google.com.fj
+2001:4860:4802:32::78 www.google.fm
+2001:4860:4802:32::78 www.google.fr
+2001:4860:4802:32::78 www.google.ga
+2001:4860:4802:32::78 www.google.ge
+2001:4860:4802:32::78 www.google.gg
+2001:4860:4802:32::78 www.google.com.gh
+2001:4860:4802:32::78 www.google.com.gi
+2001:4860:4802:32::78 www.google.gl
+2001:4860:4802:32::78 www.google.gm
+2001:4860:4802:32::78 www.google.gp
+2001:4860:4802:32::78 www.google.gr
+2001:4860:4802:32::78 www.google.com.gt
+2001:4860:4802:32::78 www.google.gy
+2001:4860:4802:32::78 www.google.com.hk
+2001:4860:4802:32::78 www.google.hn
+2001:4860:4802:32::78 www.google.hr
+2001:4860:4802:32::78 www.google.ht
+2001:4860:4802:32::78 www.google.hu
+2001:4860:4802:32::78 www.google.co.id
+2001:4860:4802:32::78 www.google.ie
+2001:4860:4802:32::78 www.google.co.il
+2001:4860:4802:32::78 www.google.im
+2001:4860:4802:32::78 www.google.co.in
+2001:4860:4802:32::78 www.google.iq
+2001:4860:4802:32::78 www.google.is
+2001:4860:4802:32::78 www.google.it
+2001:4860:4802:32::78 www.google.je
+2001:4860:4802:32::78 www.google.com.jm
+2001:4860:4802:32::78 www.google.jo
+2001:4860:4802:32::78 www.google.co.jp
+2001:4860:4802:32::78 www.google.co.ke
+2001:4860:4802:32::78 www.google.com.kh
+2001:4860:4802:32::78 www.google.ki
+2001:4860:4802:32::78 www.google.kg
+2001:4860:4802:32::78 www.google.co.kr
+2001:4860:4802:32::78 www.google.com.kw
+2001:4860:4802:32::78 www.google.kz
+2001:4860:4802:32::78 www.google.la
+2001:4860:4802:32::78 www.google.com.lb
+2001:4860:4802:32::78 www.google.li
+2001:4860:4802:32::78 www.google.lk
+2001:4860:4802:32::78 www.google.co.ls
+2001:4860:4802:32::78 www.google.lt
+2001:4860:4802:32::78 www.google.lu
+2001:4860:4802:32::78 www.google.lv
+2001:4860:4802:32::78 www.google.com.ly
+2001:4860:4802:32::78 www.google.co.ma
+2001:4860:4802:32::78 www.google.md
+2001:4860:4802:32::78 www.google.me
+2001:4860:4802:32::78 www.google.mg
+2001:4860:4802:32::78 www.google.mk
+2001:4860:4802:32::78 www.google.ml
+2001:4860:4802:32::78 www.google.com.mm
+2001:4860:4802:32::78 www.google.mn
+2001:4860:4802:32::78 www.google.ms
+2001:4860:4802:32::78 www.google.com.mt
+2001:4860:4802:32::78 www.google.mu
+2001:4860:4802:32::78 www.google.mv
+2001:4860:4802:32::78 www.google.mw
+2001:4860:4802:32::78 www.google.com.mx
+2001:4860:4802:32::78 www.google.com.my
+2001:4860:4802:32::78 www.google.co.mz
+2001:4860:4802:32::78 www.google.com.na
+2001:4860:4802:32::78 www.google.com.nf
+2001:4860:4802:32::78 www.google.com.ng
+2001:4860:4802:32::78 www.google.com.ni
+2001:4860:4802:32::78 www.google.ne
+2001:4860:4802:32::78 www.google.nl
+2001:4860:4802:32::78 www.google.no
+2001:4860:4802:32::78 www.google.com.np
+2001:4860:4802:32::78 www.google.nr
+2001:4860:4802:32::78 www.google.nu
+2001:4860:4802:32::78 www.google.co.nz
+2001:4860:4802:32::78 www.google.com.om
+2001:4860:4802:32::78 www.google.com.pa
+2001:4860:4802:32::78 www.google.com.pe
+2001:4860:4802:32::78 www.google.com.pg
+2001:4860:4802:32::78 www.google.com.ph
+2001:4860:4802:32::78 www.google.com.pk
+2001:4860:4802:32::78 www.google.pl
+2001:4860:4802:32::78 www.google.pn
+2001:4860:4802:32::78 www.google.com.pr
+2001:4860:4802:32::78 www.google.ps
+2001:4860:4802:32::78 www.google.pt
+2001:4860:4802:32::78 www.google.com.py
+2001:4860:4802:32::78 www.google.com.qa
+2001:4860:4802:32::78 www.google.ro
+2001:4860:4802:32::78 www.google.ru
+2001:4860:4802:32::78 www.google.rw
+2001:4860:4802:32::78 www.google.com.sa
+2001:4860:4802:32::78 www.google.com.sb
+2001:4860:4802:32::78 www.google.sc
+2001:4860:4802:32::78 www.google.se
+2001:4860:4802:32::78 www.google.com.sg
+2001:4860:4802:32::78 www.google.sh
+2001:4860:4802:32::78 www.google.si
+2001:4860:4802:32::78 www.google.sk
+2001:4860:4802:32::78 www.google.com.sl
+2001:4860:4802:32::78 www.google.sn
+2001:4860:4802:32::78 www.google.so
+2001:4860:4802:32::78 www.google.sm
+2001:4860:4802:32::78 www.google.sr
+2001:4860:4802:32::78 www.google.st
+2001:4860:4802:32::78 www.google.com.sv
+2001:4860:4802:32::78 www.google.td
+2001:4860:4802:32::78 www.google.tg
+2001:4860:4802:32::78 www.google.co.th
+2001:4860:4802:32::78 www.google.com.tj
+2001:4860:4802:32::78 www.google.tk
+2001:4860:4802:32::78 www.google.tl
+2001:4860:4802:32::78 www.google.tm
+2001:4860:4802:32::78 www.google.tn
+2001:4860:4802:32::78 www.google.to
+2001:4860:4802:32::78 www.google.com.tr
+2001:4860:4802:32::78 www.google.tt
+2001:4860:4802:32::78 www.google.com.tw
+2001:4860:4802:32::78 www.google.co.tz
+2001:4860:4802:32::78 www.google.com.ua
+2001:4860:4802:32::78 www.google.co.ug
+2001:4860:4802:32::78 www.google.co.uk
+2001:4860:4802:32::78 www.google.com.uy
+2001:4860:4802:32::78 www.google.co.uz
+2001:4860:4802:32::78 www.google.com.vc
+2001:4860:4802:32::78 www.google.co.ve
+2001:4860:4802:32::78 www.google.vg
+2001:4860:4802:32::78 www.google.co.vi
+2001:4860:4802:32::78 www.google.com.vn
+2001:4860:4802:32::78 www.google.vu
+2001:4860:4802:32::78 www.google.ws
+2001:4860:4802:32::78 www.google.rs
+2001:4860:4802:32::78 www.google.co.za
+2001:4860:4802:32::78 www.google.co.zm
+2001:4860:4802:32::78 www.google.co.zw
+2001:4860:4802:32::78 www.google.cat
+216.239.38.120 google.com
+216.239.38.120 google.ad
+216.239.38.120 google.ae
+216.239.38.120 google.com.af
+216.239.38.120 google.com.ag
+216.239.38.120 google.com.ai
+216.239.38.120 google.al
+216.239.38.120 google.am
+216.239.38.120 google.co.ao
+216.239.38.120 google.com.ar
+216.239.38.120 google.as
+216.239.38.120 google.at
+216.239.38.120 google.com.au
+216.239.38.120 google.az
+216.239.38.120 google.ba
+216.239.38.120 google.com.bd
+216.239.38.120 google.be
+216.239.38.120 google.bf
+216.239.38.120 google.bg
+216.239.38.120 google.com.bh
+216.239.38.120 google.bi
+216.239.38.120 google.bj
+216.239.38.120 google.com.bn
+216.239.38.120 google.com.bo
+216.239.38.120 google.com.br
+216.239.38.120 google.bs
+216.239.38.120 google.bt
+216.239.38.120 google.co.bw
+216.239.38.120 google.by
+216.239.38.120 google.com.bz
+216.239.38.120 google.ca
+216.239.38.120 google.cd
+216.239.38.120 google.cf
+216.239.38.120 google.cg
+216.239.38.120 google.ch
+216.239.38.120 google.ci
+216.239.38.120 google.co.ck
+216.239.38.120 google.cl
+216.239.38.120 google.cm
+216.239.38.120 google.cn
+216.239.38.120 google.com.co
+216.239.38.120 google.co.cr
+216.239.38.120 google.com.cu
+216.239.38.120 google.cv
+216.239.38.120 google.com.cy
+216.239.38.120 google.cz
+216.239.38.120 google.de
+216.239.38.120 google.dj
+216.239.38.120 google.dk
+216.239.38.120 google.dm
+216.239.38.120 google.com.do
+216.239.38.120 google.dz
+216.239.38.120 google.com.ec
+216.239.38.120 google.ee
+216.239.38.120 google.com.eg
+216.239.38.120 google.es
+216.239.38.120 google.com.et
+216.239.38.120 google.fi
+216.239.38.120 google.com.fj
+216.239.38.120 google.fm
+216.239.38.120 google.fr
+216.239.38.120 google.ga
+216.239.38.120 google.ge
+216.239.38.120 google.gg
+216.239.38.120 google.com.gh
+216.239.38.120 google.com.gi
+216.239.38.120 google.gl
+216.239.38.120 google.gm
+216.239.38.120 google.gp
+216.239.38.120 google.gr
+216.239.38.120 google.com.gt
+216.239.38.120 google.gy
+216.239.38.120 google.com.hk
+216.239.38.120 google.hn
+216.239.38.120 google.hr
+216.239.38.120 google.ht
+216.239.38.120 google.hu
+216.239.38.120 google.co.id
+216.239.38.120 google.ie
+216.239.38.120 google.co.il
+216.239.38.120 google.im
+216.239.38.120 google.co.in
+216.239.38.120 google.iq
+216.239.38.120 google.is
+216.239.38.120 google.it
+216.239.38.120 google.je
+216.239.38.120 google.com.jm
+216.239.38.120 google.jo
+216.239.38.120 google.co.jp
+216.239.38.120 google.co.ke
+216.239.38.120 google.com.kh
+216.239.38.120 google.ki
+216.239.38.120 google.kg
+216.239.38.120 google.co.kr
+216.239.38.120 google.com.kw
+216.239.38.120 google.kz
+216.239.38.120 google.la
+216.239.38.120 google.com.lb
+216.239.38.120 google.li
+216.239.38.120 google.lk
+216.239.38.120 google.co.ls
+216.239.38.120 google.lt
+216.239.38.120 google.lu
+216.239.38.120 google.lv
+216.239.38.120 google.com.ly
+216.239.38.120 google.co.ma
+216.239.38.120 google.md
+216.239.38.120 google.me
+216.239.38.120 google.mg
+216.239.38.120 google.mk
+216.239.38.120 google.ml
+216.239.38.120 google.com.mm
+216.239.38.120 google.mn
+216.239.38.120 google.ms
+216.239.38.120 google.com.mt
+216.239.38.120 google.mu
+216.239.38.120 google.mv
+216.239.38.120 google.mw
+216.239.38.120 google.com.mx
+216.239.38.120 google.com.my
+216.239.38.120 google.co.mz
+216.239.38.120 google.com.na
+216.239.38.120 google.com.nf
+216.239.38.120 google.com.ng
+216.239.38.120 google.com.ni
+216.239.38.120 google.ne
+216.239.38.120 google.nl
+216.239.38.120 google.no
+216.239.38.120 google.com.np
+216.239.38.120 google.nr
+216.239.38.120 google.nu
+216.239.38.120 google.co.nz
+216.239.38.120 google.com.om
+216.239.38.120 google.com.pa
+216.239.38.120 google.com.pe
+216.239.38.120 google.com.pg
+216.239.38.120 google.com.ph
+216.239.38.120 google.com.pk
+216.239.38.120 google.pl
+216.239.38.120 google.pn
+216.239.38.120 google.com.pr
+216.239.38.120 google.ps
+216.239.38.120 google.pt
+216.239.38.120 google.com.py
+216.239.38.120 google.com.qa
+216.239.38.120 google.ro
+216.239.38.120 google.ru
+216.239.38.120 google.rw
+216.239.38.120 google.com.sa
+216.239.38.120 google.com.sb
+216.239.38.120 google.sc
+216.239.38.120 google.se
+216.239.38.120 google.com.sg
+216.239.38.120 google.sh
+216.239.38.120 google.si
+216.239.38.120 google.sk
+216.239.38.120 google.com.sl
+216.239.38.120 google.sn
+216.239.38.120 google.so
+216.239.38.120 google.sm
+216.239.38.120 google.sr
+216.239.38.120 google.st
+216.239.38.120 google.com.sv
+216.239.38.120 google.td
+216.239.38.120 google.tg
+216.239.38.120 google.co.th
+216.239.38.120 google.com.tj
+216.239.38.120 google.tk
+216.239.38.120 google.tl
+216.239.38.120 google.tm
+216.239.38.120 google.tn
+216.239.38.120 google.to
+216.239.38.120 google.com.tr
+216.239.38.120 google.tt
+216.239.38.120 google.com.tw
+216.239.38.120 google.co.tz
+216.239.38.120 google.com.ua
+216.239.38.120 google.co.ug
+216.239.38.120 google.co.uk
+216.239.38.120 google.com.uy
+216.239.38.120 google.co.uz
+216.239.38.120 google.com.vc
+216.239.38.120 google.co.ve
+216.239.38.120 google.vg
+216.239.38.120 google.co.vi
+216.239.38.120 google.com.vn
+216.239.38.120 google.vu
+216.239.38.120 google.ws
+216.239.38.120 google.rs
+216.239.38.120 google.co.za
+216.239.38.120 google.co.zm
+216.239.38.120 google.co.zw
+216.239.38.120 google.cat
+216.239.38.120 www.google.com
+216.239.38.120 www.google.ad
+216.239.38.120 www.google.ae
+216.239.38.120 www.google.com.af
+216.239.38.120 www.google.com.ag
+216.239.38.120 www.google.com.ai
+216.239.38.120 www.google.al
+216.239.38.120 www.google.am
+216.239.38.120 www.google.co.ao
+216.239.38.120 www.google.com.ar
+216.239.38.120 www.google.as
+216.239.38.120 www.google.at
+216.239.38.120 www.google.com.au
+216.239.38.120 www.google.az
+216.239.38.120 www.google.ba
+216.239.38.120 www.google.com.bd
+216.239.38.120 www.google.be
+216.239.38.120 www.google.bf
+216.239.38.120 www.google.bg
+216.239.38.120 www.google.com.bh
+216.239.38.120 www.google.bi
+216.239.38.120 www.google.bj
+216.239.38.120 www.google.com.bn
+216.239.38.120 www.google.com.bo
+216.239.38.120 www.google.com.br
+216.239.38.120 www.google.bs
+216.239.38.120 www.google.bt
+216.239.38.120 www.google.co.bw
+216.239.38.120 www.google.by
+216.239.38.120 www.google.com.bz
+216.239.38.120 www.google.ca
+216.239.38.120 www.google.cd
+216.239.38.120 www.google.cf
+216.239.38.120 www.google.cg
+216.239.38.120 www.google.ch
+216.239.38.120 www.google.ci
+216.239.38.120 www.google.co.ck
+216.239.38.120 www.google.cl
+216.239.38.120 www.google.cm
+216.239.38.120 www.google.cn
+216.239.38.120 www.google.com.co
+216.239.38.120 www.google.co.cr
+216.239.38.120 www.google.com.cu
+216.239.38.120 www.google.cv
+216.239.38.120 www.google.com.cy
+216.239.38.120 www.google.cz
+216.239.38.120 www.google.de
+216.239.38.120 www.google.dj
+216.239.38.120 www.google.dk
+216.239.38.120 www.google.dm
+216.239.38.120 www.google.com.do
+216.239.38.120 www.google.dz
+216.239.38.120 www.google.com.ec
+216.239.38.120 www.google.ee
+216.239.38.120 www.google.com.eg
+216.239.38.120 www.google.es
+216.239.38.120 www.google.com.et
+216.239.38.120 www.google.fi
+216.239.38.120 www.google.com.fj
+216.239.38.120 www.google.fm
+216.239.38.120 www.google.fr
+216.239.38.120 www.google.ga
+216.239.38.120 www.google.ge
+216.239.38.120 www.google.gg
+216.239.38.120 www.google.com.gh
+216.239.38.120 www.google.com.gi
+216.239.38.120 www.google.gl
+216.239.38.120 www.google.gm
+216.239.38.120 www.google.gp
+216.239.38.120 www.google.gr
+216.239.38.120 www.google.com.gt
+216.239.38.120 www.google.gy
+216.239.38.120 www.google.com.hk
+216.239.38.120 www.google.hn
+216.239.38.120 www.google.hr
+216.239.38.120 www.google.ht
+216.239.38.120 www.google.hu
+216.239.38.120 www.google.co.id
+216.239.38.120 www.google.ie
+216.239.38.120 www.google.co.il
+216.239.38.120 www.google.im
+216.239.38.120 www.google.co.in
+216.239.38.120 www.google.iq
+216.239.38.120 www.google.is
+216.239.38.120 www.google.it
+216.239.38.120 www.google.je
+216.239.38.120 www.google.com.jm
+216.239.38.120 www.google.jo
+216.239.38.120 www.google.co.jp
+216.239.38.120 www.google.co.ke
+216.239.38.120 www.google.com.kh
+216.239.38.120 www.google.ki
+216.239.38.120 www.google.kg
+216.239.38.120 www.google.co.kr
+216.239.38.120 www.google.com.kw
+216.239.38.120 www.google.kz
+216.239.38.120 www.google.la
+216.239.38.120 www.google.com.lb
+216.239.38.120 www.google.li
+216.239.38.120 www.google.lk
+216.239.38.120 www.google.co.ls
+216.239.38.120 www.google.lt
+216.239.38.120 www.google.lu
+216.239.38.120 www.google.lv
+216.239.38.120 www.google.com.ly
+216.239.38.120 www.google.co.ma
+216.239.38.120 www.google.md
+216.239.38.120 www.google.me
+216.239.38.120 www.google.mg
+216.239.38.120 www.google.mk
+216.239.38.120 www.google.ml
+216.239.38.120 www.google.com.mm
+216.239.38.120 www.google.mn
+216.239.38.120 www.google.ms
+216.239.38.120 www.google.com.mt
+216.239.38.120 www.google.mu
+216.239.38.120 www.google.mv
+216.239.38.120 www.google.mw
+216.239.38.120 www.google.com.mx
+216.239.38.120 www.google.com.my
+216.239.38.120 www.google.co.mz
+216.239.38.120 www.google.com.na
+216.239.38.120 www.google.com.nf
+216.239.38.120 www.google.com.ng
+216.239.38.120 www.google.com.ni
+216.239.38.120 www.google.ne
+216.239.38.120 www.google.nl
+216.239.38.120 www.google.no
+216.239.38.120 www.google.com.np
+216.239.38.120 www.google.nr
+216.239.38.120 www.google.nu
+216.239.38.120 www.google.co.nz
+216.239.38.120 www.google.com.om
+216.239.38.120 www.google.com.pa
+216.239.38.120 www.google.com.pe
+216.239.38.120 www.google.com.pg
+216.239.38.120 www.google.com.ph
+216.239.38.120 www.google.com.pk
+216.239.38.120 www.google.pl
+216.239.38.120 www.google.pn
+216.239.38.120 www.google.com.pr
+216.239.38.120 www.google.ps
+216.239.38.120 www.google.pt
+216.239.38.120 www.google.com.py
+216.239.38.120 www.google.com.qa
+216.239.38.120 www.google.ro
+216.239.38.120 www.google.ru
+216.239.38.120 www.google.rw
+216.239.38.120 www.google.com.sa
+216.239.38.120 www.google.com.sb
+216.239.38.120 www.google.sc
+216.239.38.120 www.google.se
+216.239.38.120 www.google.com.sg
+216.239.38.120 www.google.sh
+216.239.38.120 www.google.si
+216.239.38.120 www.google.sk
+216.239.38.120 www.google.com.sl
+216.239.38.120 www.google.sn
+216.239.38.120 www.google.so
+216.239.38.120 www.google.sm
+216.239.38.120 www.google.sr
+216.239.38.120 www.google.st
+216.239.38.120 www.google.com.sv
+216.239.38.120 www.google.td
+216.239.38.120 www.google.tg
+216.239.38.120 www.google.co.th
+216.239.38.120 www.google.com.tj
+216.239.38.120 www.google.tk
+216.239.38.120 www.google.tl
+216.239.38.120 www.google.tm
+216.239.38.120 www.google.tn
+216.239.38.120 www.google.to
+216.239.38.120 www.google.com.tr
+216.239.38.120 www.google.tt
+216.239.38.120 www.google.com.tw
+216.239.38.120 www.google.co.tz
+216.239.38.120 www.google.com.ua
+216.239.38.120 www.google.co.ug
+216.239.38.120 www.google.co.uk
+216.239.38.120 www.google.com.uy
+216.239.38.120 www.google.co.uz
+216.239.38.120 www.google.com.vc
+216.239.38.120 www.google.co.ve
+216.239.38.120 www.google.vg
+216.239.38.120 www.google.co.vi
+216.239.38.120 www.google.com.vn
+216.239.38.120 www.google.vu
+216.239.38.120 www.google.ws
+216.239.38.120 www.google.rs
+216.239.38.120 www.google.co.za
+216.239.38.120 www.google.co.zm
+216.239.38.120 www.google.co.zw
+216.239.38.120 www.google.cat
diff --git a/net/safe-search/files/hosts/youtube.restrict b/net/safe-search/files/hosts/youtube.restrict
new file mode 100644 (file)
index 0000000..f471cef
--- /dev/null
@@ -0,0 +1,25 @@
+#
+# Copyright (c) 2018 Gregory L. Dietsche <Gregory.Dietsche@cuw.edu>
+# This is free software, licensed under the MIT License
+#
+
+#
+# IMPORTANT: if this file is not working, make sure that dnsmasq is able to READ it!
+#
+
+#216.239.38.120 restrict.youtube.com
+#2001:4860:4802:32::78 restrict.youtube.com
+
+#IPv6
+2001:4860:4802:32::78 www.youtube.com
+2001:4860:4802:32::78 m.youtube.com
+2001:4860:4802:32::78 youtubei.googleapis.com
+2001:4860:4802:32::78 youtube.googleapis.com
+2001:4860:4802:32::78 www.youtube-nocookie.com
+
+#IPv4
+216.239.38.120 www.youtube.com
+216.239.38.120 m.youtube.com
+216.239.38.120 youtubei.googleapis.com
+216.239.38.120 youtube.googleapis.com
+216.239.38.120 www.youtube-nocookie.com
diff --git a/net/safe-search/files/hosts/youtube.restrictmoderate b/net/safe-search/files/hosts/youtube.restrictmoderate
new file mode 100644 (file)
index 0000000..585d8be
--- /dev/null
@@ -0,0 +1,25 @@
+#
+# Copyright (c) 2018 Gregory L. Dietsche <Gregory.Dietsche@cuw.edu>
+# This is free software, licensed under the MIT License
+#
+
+#
+# IMPORTANT: if this file is not working, make sure that dnsmasq is able to READ it!
+#
+
+#216.239.38.119 restrictmoderate.youtube.com
+#2001:4860:4802:32::77 restrictmoderate.youtube.com
+
+#IPv6
+2001:4860:4802:32::77 www.youtube.com
+2001:4860:4802:32::77 m.youtube.com
+2001:4860:4802:32::77 youtubei.googleapis.com
+2001:4860:4802:32::77 youtube.googleapis.com
+2001:4860:4802:32::77 www.youtube-nocookie.com
+
+#IPv4
+216.239.38.119 www.youtube.com
+216.239.38.119 m.youtube.com
+216.239.38.119 youtubei.googleapis.com
+216.239.38.119 youtube.googleapis.com
+216.239.38.119 www.youtube-nocookie.com
diff --git a/net/safe-search/files/safe-search-update b/net/safe-search/files/safe-search-update
new file mode 100644 (file)
index 0000000..7b085bb
--- /dev/null
@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# Copyright (c) 2018 Gregory L. Dietsche <Gregory.Dietsche@cuw.edu>
+# This is free software, licensed under the MIT License
+#
+. /lib/functions.sh
+
+update() {
+  config_get_bool enabled $1 enabled 0
+  config_get mode $1 mode default
+  if [ ! -f /etc/safe-search/available/$1.$mode ]; then
+    echo Error: /etc/safe-search/available/$1.$mode does not exist. Please check your configuration in /etc/config/safe-search
+  else
+    if [ "$enabled" -eq 1 ]; then
+      ln -s /etc/safe-search/available/$1.$mode /etc/safe-search/enabled/
+    fi
+  fi
+}
+
+rm -f /etc/safe-search/enabled/*
+config_load 'safe-search'
+config_foreach update safe-search
+/etc/init.d/dnsmasq reload
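Review bot: `update()` interpolates `$1` and `$mode` into paths unquoted and unvalidated, so a mode value from /etc/config/safe-search that contains spaces, glob characters or `../` changes which file is tested and linked into /etc/safe-search/enabled/. Quoting the expansions and accepting only the expected characters would close that, for example `case "$mode" in *[!a-z]*) echo "Error: invalid mode for $1" >&2; return 1;; esac` ahead of the `-f` test, and `ln -s "/etc/safe-search/available/$1.$mode" /etc/safe-search/enabled/`. The script also fails open: `rm -f /etc/safe-search/enabled/*` runs first, a missing file only prints a message to stdout, and dnsmasq is reloaded regardless, so a typo in the configuration silently removes the filtering. Sending the error to stderr and exiting non-zero after `config_foreach` would make that visible to callers such as safe-search.defaults.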
diff --git a/net/safe-search/files/safe-search.conf b/net/safe-search/files/safe-search.conf
new file mode 100644 (file)
index 0000000..2051c5f
--- /dev/null
@@ -0,0 +1,17 @@
+#
+# Copyright (c) 2018 Gregory L. Dietsche <Gregory.Dietsche@cuw.edu>
+# This is free software, licensed under the MIT License
+#
+# run safe-search-update after making configuration changes.
+#
+
+config safe-search 'bing'
+       option enabled 1
+
+config safe-search 'google'
+       option enabled 1
+
+# Valid modes for youtube are restrict and restrictmoderate
+config safe-search 'youtube'
+       option enabled 0
+       option mode 'restrict'
diff --git a/net/safe-search/files/safe-search.defaults b/net/safe-search/files/safe-search.defaults
new file mode 100644 (file)
index 0000000..a2158aa
--- /dev/null
@@ -0,0 +1,12 @@
+#!/bin/sh
+#
+# Copyright (c) 2018 Gregory L. Dietsche <Gregory.Dietsche@cuw.edu>
+# This is free software, licensed under the MIT License
+#
+uci add_list dhcp.@dnsmasq[0].addnhosts=/etc/safe-search/enabled
+uci commit dhcp
+
+#/etc/init.d/dnsmasq reload #safe-search-update does this for us.
+/usr/sbin/safe-search-update
+
+exit 0
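Review bot: `uci add_list dhcp.@dnsmasq[0].addnhosts=/etc/safe-search/enabled` is not guarded against repetition, so if this defaults script runs more than once (for example on a package reinstall) the list may end up holding the same directory several times. Preceding it with `uci -q del_list 'dhcp.@dnsmasq[0].addnhosts=/etc/safe-search/enabled'` keeps the step idempotent. The argument is also unquoted although `[0]` is a shell glob pattern; single quotes remove the dependence on what happens to exist in the current directory. The final `exit 0` discards the status of `/usr/sbin/safe-search-update`, so a failed first-time setup is not reported.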
index beda0345982ac182c35a94d0be14fcc5a55849a5..5fea11356d1a2606a3297f14ca9e0f7ee4d85b15 100644 (file)
@@ -34,7 +34,6 @@ define Package/seafile-ccnet
     DEPENDS:=+libsearpc +libevent2 +libopenssl \
                +glib2 +python +libzdb +libuuid \
                +libpthread +libsqlite3 +jansson $(ICONV_DEPENDS)
-    EXTRA_DEPENDS:=libsearpc (=3.0.8-12a01268825e9c7e17794c58c367e3b4db912ad9-1)
 endef
 
 define Package/seafile-ccnet/description
index 60ee97939d5de6c08d4ba1f54d3c58afd1e255ce..bce8ce444938d0fe0ee78671e7c943de0ccd1bd4 100644 (file)
@@ -8,16 +8,17 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=spoofer
-PKG_VERSION:=1.3.3
+PKG_VERSION:=1.4.0
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://www.caida.org/projects/spoofer/downloads
-PKG_HASH:=376f9a4b2d0404de3c37df645672a954b4916ad56508fadfe3f99120e5b0f87e
+PKG_HASH:=cab261f00fdc4a7d9f98b199205764947d5c2081aa8192e4e17020cf0e2fe434
 
 PKG_LICENSE:=GPL-3.0
 PKG_LICENSE_FILES:=LICENSE
 
+PKG_USE_MIPS16:=0
 HOST_BUILD_DEPENDS:=protobuf/host
 
 include $(INCLUDE_DIR)/host-build.mk
index d9044b7e2b1ddb90f195a7e6599401874b6a2e98..60c4fe9a4a1a65f099e11265619594f91b19e3b7 100644 (file)
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=strongswan
-PKG_VERSION:=5.7.0
+PKG_VERSION:=5.7.1
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
-PKG_HASH:=d6fd0994320bc027090f6ee34964e59c42e761e7dac36cfcf1836c8cefc53c5c
 PKG_SOURCE_URL:=http://download.strongswan.org/ http://download2.strongswan.org/
+PKG_HASH:=006f9c9126e2a2f4e7a874b5e1bd2abec1bbbb193c8b3b3a4c6ccd8c2d454bec
 PKG_LICENSE:=GPL-2.0+
 PKG_MAINTAINER:=Stijn Tintel <stijn@linux-ipv6.be>
 
diff --git a/net/strongswan/patches/011-gmp-cve-2018-17540.patch b/net/strongswan/patches/011-gmp-cve-2018-17540.patch
deleted file mode 100644 (file)
index 225a5c8..0000000
+++ /dev/null
@@ -1,38 +0,0 @@
-From 129ab919a8c3abfc17bea776f0774e0ccf33ca09 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Tue, 25 Sep 2018 14:50:08 +0200
-Subject: [PATCH] gmp: Fix buffer overflow with very small RSA keys
-
-Because `keylen` is unsigned the subtraction results in an integer
-underflow if the key length is < 11 bytes.
-
-This is only a problem when verifying signatures with a public key (for
-private keys the plugin enforces a minimum modulus length) and to do so
-we usually only use trusted keys.  However, the x509 plugin actually
-calls issued_by() on a parsed certificate to check if it is self-signed,
-which is the reason this issue was found by OSS-Fuzz in the first place.
-So, unfortunately, this can be triggered by sending an invalid client
-cert to a peer.
-
-Fixes: 5955db5b124a ("gmp: Don't parse PKCS1 v1.5 RSA signatures to verify them")
-Fixes: CVE-2018-17540
----
- src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
-index e9a83fdf49a1..a255a40abce2 100644
---- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
-+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
-@@ -301,7 +301,7 @@ bool gmp_emsa_pkcs1_signature_data(hash_algorithm_t hash_algorithm,
-               data = digestInfo;
-       }
--      if (data.len > keylen - 11)
-+      if (keylen < 11 || data.len > keylen - 11)
-       {
-               chunk_free(&digestInfo);
-               DBG1(DBG_LIB, "signature value of %zu bytes is too long for key of "
--- 
-2.7.4
-
index 14a1de5788ec04f486a589edfbc2353529e40b84..1dab1140c13c9bae53200f6e5ffd1820d6fd5a28 100644 (file)
@@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -135,6 +135,7 @@ ARG_DISBL_SET([fips-prf],       [disable
+@@ -136,6 +136,7 @@ ARG_DISBL_SET([fips-prf],       [disable
  ARG_ENABL_SET([gcm],            [enables the GCM AEAD wrapper crypto plugin.])
  ARG_ENABL_SET([gcrypt],         [enables the libgcrypt plugin.])
  ARG_DISBL_SET([gmp],            [disable GNU MP (libgmp) based crypto implementation plugin.])
@@ -8,7 +8,7 @@
  ARG_DISBL_SET([curve25519],     [disable Curve25519 Diffie-Hellman plugin.])
  ARG_DISBL_SET([hmac],           [disable HMAC crypto implementation plugin.])
  ARG_ENABL_SET([md4],            [enable MD4 software implementation plugin.])
-@@ -1407,6 +1408,7 @@ ADD_PLUGIN([gcrypt],               [s ch
+@@ -1410,6 +1411,7 @@ ADD_PLUGIN([botan],                [s ch
  ADD_PLUGIN([af-alg],               [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
  ADD_PLUGIN([fips-prf],             [s charon nm cmd])
  ADD_PLUGIN([gmp],                  [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen fuzz])
@@ -16,7 +16,7 @@
  ADD_PLUGIN([curve25519],           [s charon pki scripts nm cmd])
  ADD_PLUGIN([agent],                [s charon nm cmd])
  ADD_PLUGIN([keychain],             [s charon cmd])
-@@ -1547,6 +1549,7 @@ AM_CONDITIONAL(USE_SHA3, test x$sha3 = x
+@@ -1550,6 +1552,7 @@ AM_CONDITIONAL(USE_SHA3, test x$sha3 = x
  AM_CONDITIONAL(USE_MGF1, test x$mgf1 = xtrue)
  AM_CONDITIONAL(USE_FIPS_PRF, test x$fips_prf = xtrue)
  AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue)
@@ -24,7 +24,7 @@
  AM_CONDITIONAL(USE_CURVE25519, test x$curve25519 = xtrue)
  AM_CONDITIONAL(USE_RDRAND, test x$rdrand = xtrue)
  AM_CONDITIONAL(USE_AESNI, test x$aesni = xtrue)
-@@ -1823,6 +1826,7 @@ AC_CONFIG_FILES([
+@@ -1824,6 +1827,7 @@ AC_CONFIG_FILES([
        src/libstrongswan/plugins/mgf1/Makefile
        src/libstrongswan/plugins/fips_prf/Makefile
        src/libstrongswan/plugins/gmp/Makefile
index eaa9051463426c617bb407757ea3f2d7e6bdf65d..e89afc7e1c041b7a5cb980eb6784578a5d71808f 100644 (file)
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=unbound
 PKG_VERSION:=1.8.1
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
index b97f2f1aab978720bd8ea9ae5aa72717ce02a339..85c15c2f2cf7e83e08dfe2e486d1331c587df91f 100644 (file)
 # function from dnsmasq and use DHCPv4 MAC to find IPV6 SLAAC hosts.
 #
 # External Parameters
-#   "hostfile" = where this script will cache host DNS data
+#   "conffile" = Unbound configuration left for a restart
+#   "pipefile" = DNS entries for unbound-control standard input
 #   "domain" = text domain suffix
 #   "bslaac" = boolean, use DHCPv4 MAC to find GA and ULA IPV6 SLAAC
 #   "bisolt" = boolean, format <host>.<network>.<domain>. so you can isolate
-#   "bconf"  = boolean, write conf file format rather than pipe records
+#   "bconf"  = boolean, write conf file with pipe records
 #
 ##############################################################################
 
     if ( bconf == 1 ) {
       x = ( "local-data: \"" fqdn ". 300 IN A " adr "\"" ) ;
       y = ( "local-data-ptr: \"" adr " 300 " fqdn "\"" ) ;
-      print ( x "\n" y "\n" ) > hostfile ;
+      print ( x "\n" y "\n" ) > conffile ;
     }
 
-    else {
-      for( i=1; i<=4; i++ ) { qpr = ( ptr[i] "." qpr) ; }
-      x = ( fqdn ". 300 IN A " adr ) ;
-      y = ( qpr "in-addr.arpa. 300 IN PTR " fqdn ) ;
-      print ( x "\n" y ) > hostfile ;
-    }
+
+    # always create the pipe file
+    for( i=1; i<=4; i++ ) { qpr = ( ptr[i] "." qpr) ; }
+    x = ( fqdn ". 300 IN A " adr ) ;
+    y = ( qpr "in-addr.arpa. 300 IN PTR " fqdn ) ;
+    print ( x "\n" y ) > pipefile ;
 
 
     if (( bslaac == 1 ) && ( slaac != 0 )) {
           if ( bconf == 1 ) {
             x = ( "local-data: \"" fqdn ". 300 IN AAAA " adr "\"" ) ;
             y = ( "local-data-ptr: \"" adr " 300 " fqdn "\"" ) ;
-            print ( x "\n" y "\n" ) > hostfile ;
+            print ( x "\n" y "\n" ) > conffile ;
           }
 
-          else {
-            qpr = ipv6_ptr( adr ) ;
-            x = ( fqdn ". 300 IN AAAA " adr ) ;
-            y = ( qpr ". 300 IN PTR " fqdn ) ;
-            print ( x "\n" y ) > hostfile ;
-          }
+
+          # always create the pipe file
+          qpr = ipv6_ptr( adr ) ;
+          x = ( fqdn ". 300 IN AAAA " adr ) ;
+          y = ( qpr ". 300 IN PTR " fqdn ) ;
+          print ( x "\n" y ) > pipefile ;
         }
       }
 
       if ( bconf == 1 ) {
         x = ( "local-data: \"" fqdn ". 300 IN AAAA " adr "\"" ) ;
         y = ( "local-data-ptr: \"" adr " 300 " fqdn "\"" ) ;
-        print ( x "\n" y "\n" ) > hostfile ;
+        print ( x "\n" y "\n" ) > conffile ;
       }
 
-      else {
-        # only for provided hostnames and full /128 assignments
-        qpr = ipv6_ptr( adr ) ;
-        x = ( fqdn ". 300 IN AAAA " adr ) ;
-        y = ( qpr ". 300 IN PTR " fqdn ) ;
-        print ( x "\n" y ) > hostfile ;
-      }
+
+      # only for provided hostnames and full /128 assignments
+      qpr = ipv6_ptr( adr ) ;
+      x = ( fqdn ". 300 IN AAAA " adr ) ;
+      y = ( qpr ". 300 IN PTR " fqdn ) ;
+      print ( x "\n" y ) > pipefile ;
     }
 
     if (cdr2 == 128) {
       if ( bconf == 1 ) {
         x = ( "local-data: \"" fqdn ". 300 IN AAAA " adr2 "\"" ) ;
         y = ( "local-data-ptr: \"" adr2 " 300 " fqdn "\"" ) ;
-        print ( x "\n" y "\n" ) > hostfile ;
+        print ( x "\n" y "\n" ) > conffile ;
       }
 
-      else {
-        # odhcp puts GA and ULA on the same line (position 9 and 10)
-        qpr2 = ipv6_ptr( adr2 ) ;
-        x = ( fqdn ". 300 IN AAAA " adr2 ) ;
-        y = ( qpr2 ". 300 IN PTR " fqdn ) ;
-        print ( x "\n" y ) > hostfile ;
-      }
+
+      # odhcp puts GA and ULA on the same line (position 9 and 10)
+      qpr2 = ipv6_ptr( adr2 ) ;
+      x = ( fqdn ". 300 IN AAAA " adr2 ) ;
+      y = ( qpr2 ". 300 IN PTR " fqdn ) ;
+      print ( x "\n" y ) > pipefile ;
     }
   }
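Review bot: The pipe records are now printed unconditionally with `print ( x "\n" y ) > pipefile`, in all four places in this section, so the script depends on every caller passing `-v pipefile=...`; with the variable unset the redirection target is an empty string, which awk implementations generally reject at run time. A guard near the top of the script (not visible here, the section shows only fragments of it) such as `if ( pipefile == "" ) { exit 1 }` would fail early and clearly. Separately, `fqdn` is placed inside the quoted `local-data:` strings written to `conffile`; it is built outside these hunks, so it is worth confirming that lease hostnames are restricted to DNS-legal characters before they reach Unbound's configuration.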
 
index 721198d70405e8fdcb9be550189e2cffa2cc80b8..da6f1afe05beb56c9099b43de42cfeb3ac43e511 100644 (file)
 ##############################################################################
 
 odhcpd_zonedata() {
-  local longconf dateconf
-  local dns_ls_add=$UB_VARDIR/dhcp_dns.add
-  local dns_ls_del=$UB_VARDIR/dhcp_dns.del
-  local dhcp_ls_new=$UB_VARDIR/dhcp_lease.new
-  local dhcp_ls_old=$UB_VARDIR/dhcp_lease.old
-  local dhcp_ls_add=$UB_VARDIR/dhcp_lease.add
-  local dhcp_ls_del=$UB_VARDIR/dhcp_lease.del
-
   local dhcp_link=$( uci_get unbound.@unbound[0].dhcp_link )
   local dhcp4_slaac6=$( uci_get unbound.@unbound[0].dhcp4_slaac6 )
   local dhcp_domain=$( uci_get unbound.@unbound[0].domain )
@@ -45,52 +37,68 @@ odhcpd_zonedata() {
 
   if [ -f "$UB_TOTAL_CONF" -a -f "$dhcp_origin" \
        -a "$dhcp_link" = "odhcpd" -a -n "$dhcp_domain" ] ; then
+    local longconf dateconf
+    local dns_ls_add=$UB_VARDIR/dhcp_dns.add
+    local dns_ls_del=$UB_VARDIR/dhcp_dns.del
+    local dns_ls_new=$UB_VARDIR/dhcp_dns.new
+    local dns_ls_old=$UB_VARDIR/dhcp_dns.old
+    local dhcp_ls_new=$UB_VARDIR/dhcp_lease.new
+
     # Capture the lease file which could be changing often
     sort $dhcp_origin > $dhcp_ls_new
 
 
-    if [ ! -f $UB_DHCP_CONF -o ! -f $dhcp_ls_old ] ; then
-      longconf=2
+    if [ ! -f $UB_DHCP_CONF -o ! -f $dns_ls_old ] ; then
+      # no old files laying around
+      longconf=freshstart
 
     else
+      # incremental at high load or full refresh about each 5 minutes
       dateconf=$(( $( date +%s ) - $( date -r $UB_DHCP_CONF +%s ) ))
 
 
-      if [ $dateconf > 150 ] ; then
-        longconf=1
+      if [ $dateconf -gt 300 ] ; then
+        longconf=longtime
       else
-        longconf=0
+        longconf=increment
       fi
     fi
 
 
-    if [ $longconf -gt 0 ] ; then
-      # Go through the messy business of coding up A, AAAA, and PTR records
-      # This static conf will be available if Unbound restarts asynchronously
-      awk -v hostfile=$UB_DHCP_CONF -v domain=$dhcp_domain \
-          -v bslaac=$dhcp4_slaac6 -v bisolt=0 -v bconf=1 \
+    case $longconf in
+    freshstart)
+      awk -v conffile=$UB_DHCP_CONF -v pipefile=$dns_ls_new \
+          -v domain=$dhcp_domain -v bslaac=$dhcp4_slaac6 \
+          -v bisolt=0 -v bconf=1 \
           -f /usr/lib/unbound/odhcpd.awk $dhcp_ls_new
-    fi
-
 
-    if [ $longconf -lt 2 ] ; then
-      # Deleting and adding all records into Unbound can be a burden in a
-      # high density environment. Use unbound-control incrementally.
-      sort $dhcp_ls_old $dhcp_ls_new $dhcp_ls_new | uniq -u > $dhcp_ls_del
-      awk -v hostfile=$dns_ls_del -v domain=$dhcp_domain \
-          -v bslaac=$dhcp4_slaac6 -v bisolt=0 -v bconf=0 \
-          -f /usr/lib/unbound/odhcpd.awk $dhcp_ls_del
+      cp $dns_ls_new $dns_ls_add
+      cp $dns_ls_new $dns_ls_old
+      ;;
 
-      sort $dhcp_ls_new $dhcp_ls_old $dhcp_ls_old | uniq -u > $dhcp_ls_add
-      awk -v hostfile=$dns_ls_add -v domain=$dhcp_domain \
-          -v bslaac=$dhcp4_slaac6 -v bisolt=0 -v bconf=0 \
-          -f /usr/lib/unbound/odhcpd.awk $dhcp_ls_add
+    longtime)
+      awk -v conffile=$UB_DHCP_CONF -v pipefile=$dns_ls_new \
+          -v domain=$dhcp_domain -v bslaac=$dhcp4_slaac6 \
+          -v bisolt=0 -v bconf=1 \
+          -f /usr/lib/unbound/odhcpd.awk $dhcp_ls_new
 
-    else
-      awk -v hostfile=$dns_ls_add -v domain=$dhcp_domain \
-          -v bslaac=$dhcp4_slaac6 -v bisolt=0 -v bconf=0 \
+      awk '{ print $1 }' $dns_ls_old | sort | uniq > $dns_ls_del
+      cp $dns_ls_new $dns_ls_add
+      cp $dns_ls_new $dns_ls_old
+      ;;
+
+    *)
+      # incremental add and prepare the old list for delete later
+      # unbound-control can be slow so high DHCP rates cannot run a full list
+      awk -v conffile=$UB_DHCP_CONF -v pipefile=$dns_ls_new \
+          -v domain=$dhcp_domain -v bslaac=$dhcp4_slaac6 \
+          -v bisolt=0 -v bconf=0 \
           -f /usr/lib/unbound/odhcpd.awk $dhcp_ls_new
-    fi
+
+      sort $dns_ls_new $dns_ls_old $dns_ls_old | uniq -u > $dns_ls_add
+      sort $dns_ls_new $dns_ls_old | uniq > $dns_ls_old
+      ;;
+    esac
 
 
     if [ -f "$dns_ls_del" ] ; then
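Review bot: In the incremental `*)` branch, `sort $dns_ls_new $dns_ls_old | uniq > $dns_ls_old` redirects into a file that `sort` still has to read. The shell can truncate `$dns_ls_old` before `sort` opens it, so the accumulated old list may be silently lost. The `longtime` branch builds `$dns_ls_del` from that file, so names belonging to expired leases would presumably never be queued for removal and could keep resolving in Unbound. Write to a temporary name and rename it: `sort $dns_ls_new $dns_ls_old | uniq > $dns_ls_old.tmp` followed by `mv $dns_ls_old.tmp $dns_ls_old`. The enclosing `odhcpd_zonedata` starts and ends outside this hunk.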
@@ -104,8 +112,7 @@ odhcpd_zonedata() {
 
 
     # prepare next round
-    mv $dhcp_ls_new $dhcp_ls_old
-    rm -f $dns_ls_del $dns_ls_add $dhcp_ls_del $dhcp_ls_add
+    rm -f $dns_ls_new $dns_ls_del $dns_ls_add $dhcp_ls_new
   fi
 }
 
index 68b3c92b4b67e20b8d985c25f560426350611ff9..759616136f34faf3f4489261cd168efe3283db22 100644 (file)
@@ -422,8 +422,10 @@ unbound_zone() {
 
   case $zone_type in
     auth_zone)
-      if [ -n "$UB_LIST_ZONE_NAMES" \
+      if [ "$UB_B_NTP_BOOT" -eq 0 -a -n "$UB_LIST_ZONE_NAMES" \
            -a \( -n "$url_dir" -o -n "$UB_LIST_ZONE_SERVERS" \) ] ; then
+        # Note AXFR may have large downloads. If NTP restart is configured,
+        # then this can cause procd to force a process kill.
         for zone_name in $UB_LIST_ZONE_NAMES ; do
           if [ "$zone_name" = "." ] ; then
             zone_sym=.
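Review bot: The added `"$UB_B_NTP_BOOT" -eq 0` is a numeric test, so an empty or unset variable makes `[` report an error and the `if` body is skipped. Every auth-zone stanza is then dropped with nothing but a message on stderr. The variable is defined outside this hunk; if it is not guaranteed to be set, default it in place with `"${UB_B_NTP_BOOT:-0}" -eq 0`. The new comment would also be easier to find above the `if`, stating that auth zones are deliberately left out while the NTP boot flag is non-zero. The `for` loop and the `case` continue outside the hunk.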
index 025738e0e0ecc0196e29aaa392af9dc1beaf576b..5ce1252f328aed401c47328537ec607b7493a493 100644 (file)
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ccid
-PKG_VERSION:=1.4.29
+PKG_VERSION:=1.4.30
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=https://ccid.apdu.fr/files/
-PKG_HASH:=a5432ae845730493c04e59304b5c0c6103cd0e2c8827df57d69469a3eaaab84d
+PKG_HASH:=ac17087be08880a0cdf99a8a2799a4ef004dc6ffa08b4d9b0ad995f39a53ff7c
 PKG_MAINTAINER:=Daniel Golle <daniel@makrotopia.org>
 PKG_LICENSE:=LGPL-2.1+
 PKG_LICENSE_FILES:=COPYING
index 6c7356a406656d654161cc7072b42627a99967c6..a63e9e202620d77f240265b3a16d45856b1f38ee 100644 (file)
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=cmdpad
 PKG_VERSION:=0.0.3
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tgz
 PKG_SOURCE_URL:=@SF/cmdpad
@@ -28,6 +28,8 @@ define Package/cmdpad
   URL:=http://cmdpad.sourceforge.net/index.php
 endef
 
+TARGET_CFLAGS += -std=gnu89
+
 CONFIGURE_ARGS += \
        --enable-static \
        --enable-shared
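Review bot: `TARGET_CFLAGS += -std=gnu89` pins the package to an old C dialect with no comment saying why, so a later maintainer cannot tell when it is safe to drop. Add a one-line comment above it, for example `# upstream sources need gnu89 semantics to build; drop once fixed upstream`. The actual reason is not visible in this commit, so word it from the build failure that prompted the change.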
index d734affa13acdcf6f19340a9d7b11c0b895abdf0..70013ff489beb8fa6c6f05de4d97bcc2574c70d6 100644 (file)
@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=collectd
-PKG_VERSION:=5.8.0
-PKG_RELEASE:=6
+PKG_VERSION:=5.8.1
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=https://collectd.org/files/ \
        https://github.com/collectd/collectd/releases/download/collectd-$(PKG_VERSION)
-PKG_HASH:=b06ff476bbf05533cb97ae6749262cc3c76c9969f032bd8496690084ddeb15c9
+PKG_HASH:=e796fda27ce06377f491ad91aa286962a68c2b54076aa77a29673d53204453da
 
 PKG_FIXUP:=autoreconf
 PKG_REMOVE_FILES:=aclocal.m4 libltdl/aclocal.m4
index 6cb970393349147a5cc44be54a059e9f343abea7..26a589d6d6bec8f2486c973520c4154e1edeb350 100644 (file)
@@ -152,7 +152,7 @@ diff --git a/src/collectd.conf.pod b/src/collectd.conf.pod
 index dfd785a2c8..e9715126e6 100644
 --- a/src/collectd.conf.pod
 +++ b/src/collectd.conf.pod
-@@ -4128,11 +4128,19 @@ Configures the base register to read from the device. If the option
+@@ -4139,11 +4139,19 @@ Configures the base register to read from the device. If the option
  B<RegisterType> has been set to B<Uint32> or B<Float>, this and the next
  register will be read (the register number is increased by one).
  
index b0ef7c48477c64b5e9fc5f82b091cb859929312d..2820e07558c4eeeadecbab81eaf2a3c3e6b25c5a 100644 (file)
@@ -17,7 +17,7 @@
      /* consolidation_functions = */ NULL,
      /* consolidation_functions_num = */ 0,
  
-@@ -950,6 +953,12 @@ static int rrd_config(const char *key, c
+@@ -949,6 +952,12 @@ static int rrd_config(const char *key, c
            /* compar = */ rrd_compare_numeric);
  
      free(value_copy);
index 69aaf791284e6f8665dddbc6f2c01db85575a7a2..360c41751975a265e0315dbb03ea3129fa057ae4 100644 (file)
@@ -54,7 +54,7 @@
  #@BUILD_PLUGIN_JAVA_TRUE@LoadPlugin java
  @BUILD_PLUGIN_LOAD_TRUE@@BUILD_PLUGIN_LOAD_TRUE@LoadPlugin load
  #@BUILD_PLUGIN_LPAR_TRUE@LoadPlugin lpar
-@@ -720,6 +721,12 @@
+@@ -721,6 +722,12 @@
  #     IgnoreSelected true
  #</Plugin>
  
@@ -69,7 +69,7 @@
  #     JVMArg "-Djava.class.path=@prefix@/share/collectd/java/collectd-api.jar"
 --- a/src/collectd.conf.pod
 +++ b/src/collectd.conf.pod
-@@ -3503,6 +3503,27 @@ and all other interrupts are collected.
+@@ -3521,6 +3521,27 @@ and all other interrupts are collected.
  
  =back
  
  # Legacy types
 --- a/Makefile.am
 +++ b/Makefile.am
-@@ -983,6 +983,14 @@ irq_la_LDFLAGS = $(PLUGIN_LDFLAGS)
+@@ -997,6 +997,14 @@ irq_la_LDFLAGS = $(PLUGIN_LDFLAGS)
  irq_la_LIBADD = libignorelist.la
  endif
  
index b39207e35d21620695fecd215e7e2de63e021e31..e32947dc967ea3dcb8dc385b1c3d5c04a1294472 100644 (file)
@@ -1,6 +1,6 @@
 --- a/src/ping.c
 +++ b/src/ping.c
-@@ -635,7 +635,7 @@ static int ping_read(void) /* {{{ */
+@@ -633,7 +633,7 @@ static int ping_read(void) /* {{{ */
                              ((double)(pkg_recv * (pkg_recv - 1))));
  
      /* Calculate drop rate. */
index ed9d8735eac792567a573edcb4db13d326d665db..22d42b5cc02bee1a37e3b10ad6683fa706f8c851 100644 (file)
@@ -8,13 +8,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=hdparm
-PKG_VERSION:=9.56
+PKG_VERSION:=9.57
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=@SF/$(PKG_NAME)
-PKG_HASH:=6ff9ed695f1017396eec4101f990f114b7b0e0a04c5aa6369c0394053d16e4da
+PKG_HASH:=9d568db955a5428797f0b1677ef7cc8bab7756c6e7ff39f6c4a2b2c3640fe870
+
 PKG_MAINTAINER:=Richard Kunze <richard.kunze@web.de>
 PKG_LICENSE:=BSD-Style Open Source License
 
@@ -27,7 +28,7 @@ define Package/hdparm
   CATEGORY:=Utilities
   SUBMENU:=Disc
   TITLE:=Hard disk drive configuration utilitity
-  URL:=http://sourceforge.net/projects/hdparm/
+  URL:=https://sourceforge.net/projects/hdparm/
 endef
 
 define Package/hdparm/description
index 55b71687503b6a4d69b7c29e9e9f370207a17717..ebee904d63768a00694a9b8967b20287d7ffc398 100644 (file)
@@ -9,14 +9,19 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=oath-toolkit
 PKG_VERSION:=2.6.2
-PKG_RELEASE:=1
+PKG_RELEASE:=2
+
 PKG_SOURCE:=oath-toolkit-$(PKG_VERSION).tar.gz
-PKG_HASH:=b03446fa4b549af5ebe4d35d7aba51163442d255660558cd861ebce536824aa0
 PKG_SOURCE_URL:=@SAVANNAH/oath-toolkit
+PKG_HASH:=b03446fa4b549af5ebe4d35d7aba51163442d255660558cd861ebce536824aa0
+
+PKG_MAINTAINER:=Fam Zheng <fam@euphon.net>
 PKG_LICENSE:=LGPL-2.0+ GPL-3.0+
 PKG_LICENSE_FILES:=COPYING
+PKG_CPE_ID:=cpe:/a:nongnu:oath_toolkit
+
+PKG_BUILD_PARALLEL:=1
 PKG_INSTALL:=1
-PKG_MAINTAINER:=Fam Zheng <fam@euphon.net>
 
 include $(INCLUDE_DIR)/package.mk
 
diff --git a/utils/oath-toolkit/patches/oath-toolkit-2.6.2-build-fix.patch b/utils/oath-toolkit/patches/oath-toolkit-2.6.2-build-fix.patch
new file mode 100644 (file)
index 0000000..a2fc1ad
--- /dev/null
@@ -0,0 +1,874 @@
+diff --git a/liboath/gl/fflush.c b/liboath/gl/fflush.c
+index 3664842..a140b7a 100644
+--- a/liboath/gl/fflush.c
++++ b/liboath/gl/fflush.c
+@@ -1,18 +1,18 @@
+ /* fflush.c -- allow flushing input streams
+-   Copyright (C) 2007-2016 Free Software Foundation, Inc.
++   Copyright (C) 2007-2018 Free Software Foundation, Inc.
+    This program is free software: you can redistribute it and/or modify
+-   it under the terms of the GNU Lesser General Public License as published by
+-   the Free Software Foundation; either version 2.1 of the License, or
++   it under the terms of the GNU General Public License as published by
++   the Free Software Foundation; either version 3 of the License, or
+    (at your option) any later version.
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+-   GNU Lesser General Public License for more details.
++   GNU General Public License for more details.
+-   You should have received a copy of the GNU Lesser General Public License
+-   along with this program.  If not, see <http://www.gnu.org/licenses/>.  */
++   You should have received a copy of the GNU General Public License
++   along with this program.  If not, see <https://www.gnu.org/licenses/>.  */
+ /* Written by Eric Blake. */
+@@ -33,7 +33,8 @@
+ #undef fflush
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN || defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1
++/* GNU libc, BeOS, Haiku, Linux libc5 */
+ /* Clear the stream's ungetc buffer, preserving the value of ftello (fp).  */
+ static void
+@@ -51,7 +52,7 @@ static void
+ clear_ungetc_buffer (FILE *fp)
+ {
+ # if defined __sferror || defined __DragonFly__ || defined __ANDROID__
+-  /* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin, Android */
++  /* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin, Minix 3, Android */
+   if (HASUB (fp))
+     {
+       fp_->_p += fp_->_r;
+@@ -63,7 +64,7 @@ clear_ungetc_buffer (FILE *fp)
+       fp->_ungetc_count = 0;
+       fp->_rcount = - fp->_rcount;
+     }
+-# elif defined _IOERR               /* Minix, AIX, HP-UX, IRIX, OSF/1, Solaris, OpenServer, mingw, NonStop Kernel */
++# elif defined _IOERR               /* Minix, AIX, HP-UX, IRIX, OSF/1, Solaris, OpenServer, mingw, MSVC, NonStop Kernel, OpenVMS */
+   /* Nothing to do.  */
+ # else                              /* other implementations */
+   fseeko (fp, 0, SEEK_CUR);
+@@ -72,10 +73,11 @@ clear_ungetc_buffer (FILE *fp)
+ #endif
+-#if ! (defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */)
++#if ! (defined _IO_EOF_SEEN || defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1)
++/* GNU libc, BeOS, Haiku, Linux libc5 */
+ # if (defined __sferror || defined __DragonFly__ || defined __ANDROID__) && defined __SNPT
+-/* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin, Android */
++/* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin, Minix 3, Android */
+ static int
+ disable_seek_optimization (FILE *fp)
+@@ -98,7 +100,7 @@ update_fpos_cache (FILE *fp _GL_UNUSED_PARAMETER,
+                    off_t pos _GL_UNUSED_PARAMETER)
+ {
+ #  if defined __sferror || defined __DragonFly__ || defined __ANDROID__
+-  /* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin, Android */
++  /* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin, Minix 3, Android */
+ #   if defined __CYGWIN__
+   /* fp_->_offset is typed as an integer.  */
+   fp_->_offset = pos;
+@@ -148,7 +150,8 @@ rpl_fflush (FILE *stream)
+   if (stream == NULL || ! freading (stream))
+     return fflush (stream);
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN || defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1
++  /* GNU libc, BeOS, Haiku, Linux libc5 */
+   clear_ungetc_buffer_preserving_position (stream);
+@@ -199,7 +202,7 @@ rpl_fflush (FILE *stream)
+     }
+ # if (defined __sferror || defined __DragonFly__ || defined __ANDROID__) && defined __SNPT
+-    /* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin, Android */
++    /* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin, Minix 3, Android */
+     {
+       /* Disable seek optimization for the next fseeko call.  This tells the
+diff --git a/liboath/gl/fpurge.c b/liboath/gl/fpurge.c
+index acf5905..f9c2d25 100644
+--- a/liboath/gl/fpurge.c
++++ b/liboath/gl/fpurge.c
+@@ -62,7 +62,7 @@ fpurge (FILE *fp)
+   /* Most systems provide FILE as a struct and the necessary bitmask in
+      <stdio.h>, because they need it for implementing getc() and putc() as
+      fast macros.  */
+-# if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++# if defined _IO_ftrylockfile || __GNU_LIBRARY__ /* GNU libc, BeOS, Haiku, Linux libc5 */
+   fp->_IO_read_end = fp->_IO_read_ptr;
+   fp->_IO_write_ptr = fp->_IO_write_base;
+   /* Avoid memory leak when there is an active ungetc buffer.  */
+diff --git a/liboath/gl/freading.c b/liboath/gl/freading.c
+index 8ab19fd..54c3d5a 100644
+--- a/liboath/gl/freading.c
++++ b/liboath/gl/freading.c
+@@ -31,7 +31,7 @@ freading (FILE *fp)
+   /* Most systems provide FILE as a struct and the necessary bitmask in
+      <stdio.h>, because they need it for implementing getc() and putc() as
+      fast macros.  */
+-# if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++# if defined _IO_ftrylockfile || __GNU_LIBRARY__ /* GNU libc, BeOS, Haiku, Linux libc5 */
+   return ((fp->_flags & _IO_NO_WRITES) != 0
+           || ((fp->_flags & (_IO_NO_READS | _IO_CURRENTLY_PUTTING)) == 0
+               && fp->_IO_read_base != NULL));
+diff --git a/liboath/gl/fseeko.c b/liboath/gl/fseeko.c
+index 67bb9ec..5616221 100644
+--- a/liboath/gl/fseeko.c
++++ b/liboath/gl/fseeko.c
+@@ -47,7 +47,7 @@ fseeko (FILE *fp, off_t offset, int whence)
+ #endif
+   /* These tests are based on fpurge.c.  */
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_ftrylockfile || __GNU_LIBRARY__ /* GNU libc, BeOS, Haiku, Linux libc5 */
+   if (fp->_IO_read_end == fp->_IO_read_ptr
+       && fp->_IO_write_ptr == fp->_IO_write_base
+       && fp->_IO_save_base == NULL)
+@@ -123,7 +123,7 @@ fseeko (FILE *fp, off_t offset, int whence)
+           return -1;
+         }
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_ftrylockfile || __GNU_LIBRARY__ /* GNU libc, BeOS, Haiku, Linux libc5 */
+       fp->_flags &= ~_IO_EOF_SEEN;
+       fp->_offset = pos;
+ #elif defined __sferror || defined __DragonFly__ || defined __ANDROID__
+diff --git a/liboath/gl/stdio-impl.h b/liboath/gl/stdio-impl.h
+index 4c02c9f..393ef0c 100644
+--- a/liboath/gl/stdio-impl.h
++++ b/liboath/gl/stdio-impl.h
+@@ -1,23 +1,29 @@
+ /* Implementation details of FILE streams.
+-   Copyright (C) 2007-2008, 2010-2016 Free Software Foundation, Inc.
++   Copyright (C) 2007-2008, 2010-2018 Free Software Foundation, Inc.
+    This program is free software: you can redistribute it and/or modify
+-   it under the terms of the GNU Lesser General Public License as published by
+-   the Free Software Foundation; either version 2.1 of the License, or
++   it under the terms of the GNU General Public License as published by
++   the Free Software Foundation; either version 3 of the License, or
+    (at your option) any later version.
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+-   GNU Lesser General Public License for more details.
++   GNU General Public License for more details.
+-   You should have received a copy of the GNU Lesser General Public License
+-   along with this program.  If not, see <http://www.gnu.org/licenses/>.  */
++   You should have received a copy of the GNU General Public License
++   along with this program.  If not, see <https://www.gnu.org/licenses/>.  */
+ /* Many stdio implementations have the same logic and therefore can share
+    the same implementation of stdio extension API, except that some fields
+    have different naming conventions, or their access requires some casts.  */
++/* Glibc 2.28 made _IO_IN_BACKUP private.  For now, work around this
++   problem by defining it ourselves.  FIXME: Do not rely on glibc
++   internals.  */
++#if !defined _IO_IN_BACKUP && defined _IO_EOF_SEEN
++# define _IO_IN_BACKUP 0x100
++#endif
+ /* BSD stdio derived implementations.  */
+@@ -29,10 +35,10 @@
+ #include <errno.h>                             /* For detecting Plan9.  */
+ #if defined __sferror || defined __DragonFly__ || defined __ANDROID__
+-  /* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin, Android */
++  /* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin, Minix 3, Android */
+ # if defined __DragonFly__          /* DragonFly */
+-  /* See <http://www.dragonflybsd.org/cvsweb/src/lib/libc/stdio/priv_stdio.h?rev=HEAD&content-type=text/x-cvsweb-markup>.  */
++  /* See <https://gitweb.dragonflybsd.org/dragonfly.git/blob_plain/HEAD:/lib/libc/stdio/priv_stdio.h>.  */
+ #  define fp_ ((struct { struct __FILE_public pub; \
+                          struct { unsigned char *_base; int _size; } _bf; \
+                          void *cookie; \
+@@ -49,30 +55,84 @@
+                          fpos_t _offset; \
+                          /* More fields, not relevant here.  */ \
+                        } *) fp)
+-  /* See <http://www.dragonflybsd.org/cvsweb/src/include/stdio.h?rev=HEAD&content-type=text/x-cvsweb-markup>.  */
++  /* See <https://gitweb.dragonflybsd.org/dragonfly.git/blob_plain/HEAD:/include/stdio.h>.  */
+ #  define _p pub._p
+ #  define _flags pub._flags
+ #  define _r pub._r
+ #  define _w pub._w
++# elif defined __ANDROID__ /* Android */
++  /* Up to this commit from 2015-10-12
++     <https://android.googlesource.com/platform/bionic.git/+/f0141dfab10a4b332769d52fa76631a64741297a>
++     the innards of FILE were public, and fp_ub could be defined like for OpenBSD,
++     see <https://android.googlesource.com/platform/bionic.git/+/e78392637d5086384a5631ddfdfa8d7ec8326ee3/libc/stdio/fileext.h>
++     and <https://android.googlesource.com/platform/bionic.git/+/e78392637d5086384a5631ddfdfa8d7ec8326ee3/libc/stdio/local.h>.
++     After this commit, the innards of FILE are hidden.  */
++#  define fp_ ((struct { unsigned char *_p; \
++                         int _r; \
++                         int _w; \
++                         int _flags; \
++                         int _file; \
++                         struct { unsigned char *_base; size_t _size; } _bf; \
++                         int _lbfsize; \
++                         void *_cookie; \
++                         void *_close; \
++                         void *_read; \
++                         void *_seek; \
++                         void *_write; \
++                         struct { unsigned char *_base; size_t _size; } _ext; \
++                         unsigned char *_up; \
++                         int _ur; \
++                         unsigned char _ubuf[3]; \
++                         unsigned char _nbuf[1]; \
++                         struct { unsigned char *_base; size_t _size; } _lb; \
++                         int _blksize; \
++                         fpos_t _offset; \
++                         /* More fields, not relevant here.  */ \
++                       } *) fp)
+ # else
+ #  define fp_ fp
+ # endif
+-# if (defined __NetBSD__ && __NetBSD_Version__ >= 105270000) || defined __OpenBSD__ || defined __ANDROID__ /* NetBSD >= 1.5ZA, OpenBSD, Android */
++# if (defined __NetBSD__ && __NetBSD_Version__ >= 105270000) || defined __OpenBSD__ || defined __minix /* NetBSD >= 1.5ZA, OpenBSD, Minix 3 */
+   /* See <http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/stdio/fileext.h?rev=HEAD&content-type=text/x-cvsweb-markup>
+-     and <http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/fileext.h?rev=HEAD&content-type=text/x-cvsweb-markup> */
++     and <https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/fileext.h?rev=HEAD&content-type=text/x-cvsweb-markup>
++     and <https://github.com/Stichting-MINIX-Research-Foundation/minix/blob/master/lib/libc/stdio/fileext.h> */
+   struct __sfileext
+     {
+       struct  __sbuf _ub; /* ungetc buffer */
+       /* More fields, not relevant here.  */
+     };
+ #  define fp_ub ((struct __sfileext *) fp->_ext._base)->_ub
+-# else                                         /* FreeBSD, NetBSD <= 1.5Z, DragonFly, Mac OS X, Cygwin, Android */
++# elif defined __ANDROID__                     /* Android */
++  struct __sfileext
++    {
++      struct { unsigned char *_base; size_t _size; } _ub; /* ungetc buffer */
++      /* More fields, not relevant here.  */
++    };
++#  define fp_ub ((struct __sfileext *) fp_->_ext._base)->_ub
++# else                                         /* FreeBSD, NetBSD <= 1.5Z, DragonFly, Mac OS X, Cygwin */
+ #  define fp_ub fp_->_ub
+ # endif
+ # define HASUB(fp) (fp_ub._base != NULL)
++# if defined __ANDROID__ /* Android */
++  /* Needed after this commit from 2016-01-25
++     <https://android.googlesource.com/platform/bionic.git/+/e70e0e9267d069bf56a5078c99307e08a7280de7> */
++#  ifndef __SEOF
++#   define __SLBF 1
++#   define __SNBF 2
++#   define __SRD 4
++#   define __SWR 8
++#   define __SRW 0x10
++#   define __SEOF 0x20
++#   define __SERR 0x40
++#  endif
++#  ifndef __SOFF
++#   define __SOFF 0x1000
++#  endif
++# endif
++
+ #endif
+@@ -81,7 +141,7 @@
+ #ifdef __TANDEM                     /* NonStop Kernel */
+ # ifndef _IOERR
+ /* These values were determined by the program 'stdioext-flags' at
+-   <http://lists.gnu.org/archive/html/bug-gnulib/2010-12/msg00165.html>.  */
++   <https://lists.gnu.org/r/bug-gnulib/2010-12/msg00165.html>.  */
+ #  define _IOERR   0x40
+ #  define _IOREAD  0x80
+ #  define _IOWRT    0x4
+@@ -99,6 +159,8 @@
+                          int _file; \
+                          unsigned int _flag; \
+                        } *) fp)
++# elif defined __VMS                /* OpenVMS */
++#  define fp_ ((struct _iobuf *) fp)
+ # else
+ #  define fp_ fp
+ # endif
+@@ -110,4 +172,31 @@
+ #  define _flag __flag
+ # endif
++#elif defined _WIN32 && ! defined __CYGWIN__  /* newer Windows with MSVC */
++
++/* <stdio.h> does not define the innards of FILE any more.  */
++# define WINDOWS_OPAQUE_FILE
++
++struct _gl_real_FILE
++{
++  /* Note: Compared to older Windows and to mingw, it has the fields
++     _base and _cnt swapped. */
++  unsigned char *_ptr;
++  unsigned char *_base;
++  int _cnt;
++  int _flag;
++  int _file;
++  int _charbuf;
++  int _bufsiz;
++};
++# define fp_ ((struct _gl_real_FILE *) fp)
++
++/* These values were determined by a program similar to the one at
++   <https://lists.gnu.org/r/bug-gnulib/2010-12/msg00165.html>.  */
++# define _IOREAD   0x1
++# define _IOWRT    0x2
++# define _IORW     0x4
++# define _IOEOF    0x8
++# define _IOERR   0x10
++
+ #endif
+diff --git a/libpskc/gl/intprops.h b/libpskc/gl/intprops.h
+index feb02c3..af456ff 100644
+--- a/libpskc/gl/intprops.h
++++ b/libpskc/gl/intprops.h
+@@ -1,6 +1,6 @@
+ /* intprops.h -- properties of integer types
+-   Copyright (C) 2001-2016 Free Software Foundation, Inc.
++   Copyright (C) 2001-2018 Free Software Foundation, Inc.
+    This program is free software: you can redistribute it and/or modify it
+    under the terms of the GNU Lesser General Public License as published
+@@ -13,7 +13,7 @@
+    GNU Lesser General Public License for more details.
+    You should have received a copy of the GNU Lesser General Public License
+-   along with this program.  If not, see <http://www.gnu.org/licenses/>.  */
++   along with this program.  If not, see <https://www.gnu.org/licenses/>.  */
+ /* Written by Paul Eggert.  */
+@@ -21,13 +21,12 @@
+ #define _GL_INTPROPS_H
+ #include <limits.h>
+-#include <verify.h>
+ /* Return a value with the common real type of E and V and the value of V.  */
+ #define _GL_INT_CONVERT(e, v) (0 * (e) + (v))
+ /* Act like _GL_INT_CONVERT (E, -V) but work around a bug in IRIX 6.5 cc; see
+-   <http://lists.gnu.org/archive/html/bug-gnulib/2011-05/msg00406.html>.  */
++   <https://lists.gnu.org/r/bug-gnulib/2011-05/msg00406.html>.  */
+ #define _GL_INT_NEGATE_CONVERT(e, v) (0 * (e) - (v))
+ /* The extra casts in the following macros work around compiler bugs,
+@@ -47,12 +46,16 @@
+ /* Minimum and maximum values for integer types and expressions.  */
++/* The width in bits of the integer type or expression T.
++   Padding bits are not supported; this is checked at compile-time below.  */
++#define TYPE_WIDTH(t) (sizeof (t) * CHAR_BIT)
++
+ /* The maximum and minimum values for the integer type T.  */
+ #define TYPE_MINIMUM(t) ((t) ~ TYPE_MAXIMUM (t))
+ #define TYPE_MAXIMUM(t)                                                 \
+   ((t) (! TYPE_SIGNED (t)                                               \
+         ? (t) -1                                                        \
+-        : ((((t) 1 << (sizeof (t) * CHAR_BIT - 2)) - 1) * 2 + 1)))
++        : ((((t) 1 << (TYPE_WIDTH (t) - 2)) - 1) * 2 + 1)))
+ /* The maximum and minimum values for the type of the expression E,
+    after integer promotion.  E should not have side effects.  */
+@@ -65,29 +68,23 @@
+    ? _GL_SIGNED_INT_MAXIMUM (e)                                         \
+    : _GL_INT_NEGATE_CONVERT (e, 1))
+ #define _GL_SIGNED_INT_MAXIMUM(e)                                       \
+-  (((_GL_INT_CONVERT (e, 1) << (sizeof ((e) + 0) * CHAR_BIT - 2)) - 1) * 2 + 1)
++  (((_GL_INT_CONVERT (e, 1) << (TYPE_WIDTH ((e) + 0) - 2)) - 1) * 2 + 1)
++
++/* Work around OpenVMS incompatibility with C99.  */
++#if !defined LLONG_MAX && defined __INT64_MAX
++# define LLONG_MAX __INT64_MAX
++# define LLONG_MIN __INT64_MIN
++#endif
+ /* This include file assumes that signed types are two's complement without
+    padding bits; the above macros have undefined behavior otherwise.
+    If this is a problem for you, please let us know how to fix it for your host.
+-   As a sanity check, test the assumption for some signed types that
+-   <limits.h> bounds.  */
+-verify (TYPE_MINIMUM (signed char) == SCHAR_MIN);
+-verify (TYPE_MAXIMUM (signed char) == SCHAR_MAX);
+-verify (TYPE_MINIMUM (short int) == SHRT_MIN);
+-verify (TYPE_MAXIMUM (short int) == SHRT_MAX);
+-verify (TYPE_MINIMUM (int) == INT_MIN);
+-verify (TYPE_MAXIMUM (int) == INT_MAX);
+-verify (TYPE_MINIMUM (long int) == LONG_MIN);
+-verify (TYPE_MAXIMUM (long int) == LONG_MAX);
+-#ifdef LLONG_MAX
+-verify (TYPE_MINIMUM (long long int) == LLONG_MIN);
+-verify (TYPE_MAXIMUM (long long int) == LLONG_MAX);
+-#endif
++   This assumption is tested by the intprops-tests module.  */
+ /* Does the __typeof__ keyword work?  This could be done by
+    'configure', but for now it's easier to do it by hand.  */
+-#if (2 <= __GNUC__ || defined __IBM__TYPEOF__ \
++#if (2 <= __GNUC__ \
++     || (1210 <= __IBMC__ && defined __IBM__TYPEOF__) \
+      || (0x5110 <= __SUNPRO_C && !__STDC__))
+ # define _GL_HAVE___TYPEOF__ 1
+ #else
+@@ -116,8 +113,7 @@ verify (TYPE_MAXIMUM (long long int) == LLONG_MAX);
+    signed, this macro may overestimate the true bound by one byte when
+    applied to unsigned types of size 2, 4, 16, ... bytes.  */
+ #define INT_STRLEN_BOUND(t)                                     \
+-  (INT_BITS_STRLEN_BOUND (sizeof (t) * CHAR_BIT                 \
+-                          - _GL_SIGNED_TYPE_OR_EXPR (t))        \
++  (INT_BITS_STRLEN_BOUND (TYPE_WIDTH (t) - _GL_SIGNED_TYPE_OR_EXPR (t)) \
+    + _GL_SIGNED_TYPE_OR_EXPR (t))
+ /* Bound on buffer size needed to represent an integer type or expression T,
+@@ -183,7 +179,7 @@ verify (TYPE_MAXIMUM (long long int) == LLONG_MAX);
+ /* Return 1 if A * B would overflow in [MIN,MAX] arithmetic.
+    See above for restrictions.  Avoid && and || as they tickle
+    bugs in Sun C 5.11 2010/08/13 and other compilers; see
+-   <http://lists.gnu.org/archive/html/bug-gnulib/2011-05/msg00401.html>.  */
++   <https://lists.gnu.org/r/bug-gnulib/2011-05/msg00401.html>.  */
+ #define INT_MULTIPLY_RANGE_OVERFLOW(a, b, min, max)     \
+   ((b) < 0                                              \
+    ? ((a) < 0                                           \
+@@ -222,20 +218,27 @@ verify (TYPE_MAXIMUM (long long int) == LLONG_MAX);
+    ? (a) < (min) >> (b)                                 \
+    : (max) >> (b) < (a))
+-/* True if __builtin_add_overflow (A, B, P) works when P is null.  */
+-#define _GL_HAS_BUILTIN_OVERFLOW_WITH_NULL (7 <= __GNUC__)
++/* True if __builtin_add_overflow (A, B, P) works when P is non-null.  */
++#if 5 <= __GNUC__ && !defined __ICC
++# define _GL_HAS_BUILTIN_OVERFLOW 1
++#else
++# define _GL_HAS_BUILTIN_OVERFLOW 0
++#endif
++
++/* True if __builtin_add_overflow_p (A, B, C) works.  */
++#define _GL_HAS_BUILTIN_OVERFLOW_P (7 <= __GNUC__)
+ /* The _GL*_OVERFLOW macros have the same restrictions as the
+    *_RANGE_OVERFLOW macros, except that they do not assume that operands
+    (e.g., A and B) have the same type as MIN and MAX.  Instead, they assume
+    that the result (e.g., A + B) has that type.  */
+-#if _GL_HAS_BUILTIN_OVERFLOW_WITH_NULL
+-# define _GL_ADD_OVERFLOW(a, b, min, max)
+-   __builtin_add_overflow (a, b, (__typeof__ ((a) + (b)) *) 0)
+-# define _GL_SUBTRACT_OVERFLOW(a, b, min, max)
+-   __builtin_sub_overflow (a, b, (__typeof__ ((a) - (b)) *) 0)
+-# define _GL_MULTIPLY_OVERFLOW(a, b, min, max)
+-   __builtin_mul_overflow (a, b, (__typeof__ ((a) * (b)) *) 0)
++#if _GL_HAS_BUILTIN_OVERFLOW_P
++# define _GL_ADD_OVERFLOW(a, b, min, max)                               \
++   __builtin_add_overflow_p (a, b, (__typeof__ ((a) + (b))) 0)
++# define _GL_SUBTRACT_OVERFLOW(a, b, min, max)                          \
++   __builtin_sub_overflow_p (a, b, (__typeof__ ((a) - (b))) 0)
++# define _GL_MULTIPLY_OVERFLOW(a, b, min, max)                          \
++   __builtin_mul_overflow_p (a, b, (__typeof__ ((a) * (b))) 0)
+ #else
+ # define _GL_ADD_OVERFLOW(a, b, min, max)                                \
+    ((min) < 0 ? INT_ADD_RANGE_OVERFLOW (a, b, min, max)                  \
+@@ -315,7 +318,7 @@ verify (TYPE_MAXIMUM (long long int) == LLONG_MAX);
+   _GL_BINARY_OP_OVERFLOW (a, b, _GL_ADD_OVERFLOW)
+ #define INT_SUBTRACT_OVERFLOW(a, b) \
+   _GL_BINARY_OP_OVERFLOW (a, b, _GL_SUBTRACT_OVERFLOW)
+-#if _GL_HAS_BUILTIN_OVERFLOW_WITH_NULL
++#if _GL_HAS_BUILTIN_OVERFLOW_P
+ # define INT_NEGATE_OVERFLOW(a) INT_SUBTRACT_OVERFLOW (0, a)
+ #else
+ # define INT_NEGATE_OVERFLOW(a) \
+@@ -349,10 +352,6 @@ verify (TYPE_MAXIMUM (long long int) == LLONG_MAX);
+ #define INT_MULTIPLY_WRAPV(a, b, r) \
+   _GL_INT_OP_WRAPV (a, b, r, *, __builtin_mul_overflow, INT_MULTIPLY_OVERFLOW)
+-#ifndef __has_builtin
+-# define __has_builtin(x) 0
+-#endif
+-
+ /* Nonzero if this compiler has GCC bug 68193 or Clang bug 25390.  See:
+    https://gcc.gnu.org/bugzilla/show_bug.cgi?id=68193
+    https://llvm.org/bugs/show_bug.cgi?id=25390
+@@ -369,17 +368,17 @@ verify (TYPE_MAXIMUM (long long int) == LLONG_MAX);
+    the operation.  BUILTIN is the builtin operation, and OVERFLOW the
+    overflow predicate.  Return 1 if the result overflows.  See above
+    for restrictions.  */
+-#if 5 <= __GNUC__ || __has_builtin (__builtin_add_overflow)
++#if _GL_HAS_BUILTIN_OVERFLOW
+ # define _GL_INT_OP_WRAPV(a, b, r, op, builtin, overflow) builtin (a, b, r)
+ #elif 201112 <= __STDC_VERSION__ && !_GL__GENERIC_BOGUS
+ # define _GL_INT_OP_WRAPV(a, b, r, op, builtin, overflow) \
+    (_Generic \
+     (*(r), \
+      signed char: \
+-       _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned char, \
++       _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned int, \
+                         signed char, SCHAR_MIN, SCHAR_MAX), \
+      short int: \
+-       _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned short int, \
++       _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned int, \
+                         short int, SHRT_MIN, SHRT_MAX), \
+      int: \
+        _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned int, \
+@@ -393,10 +392,10 @@ verify (TYPE_MAXIMUM (long long int) == LLONG_MAX);
+ #else
+ # define _GL_INT_OP_WRAPV(a, b, r, op, builtin, overflow) \
+    (sizeof *(r) == sizeof (signed char) \
+-    ? _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned char, \
++    ? _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned int, \
+                        signed char, SCHAR_MIN, SCHAR_MAX) \
+     : sizeof *(r) == sizeof (short int) \
+-    ? _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned short int, \
++    ? _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned int, \
+                        short int, SHRT_MIN, SHRT_MAX) \
+     : sizeof *(r) == sizeof (int) \
+     ? _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned int, \
+@@ -412,15 +411,14 @@ verify (TYPE_MAXIMUM (long long int) == LLONG_MAX);
+ # else
+ #  define _GL_INT_OP_WRAPV_LONGISH(a, b, r, op, overflow) \
+     _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned long int, \
+-                     long int, LONG_MIN, LONG_MAX))
++                     long int, LONG_MIN, LONG_MAX)
+ # endif
+ #endif
+ /* Store the low-order bits of A <op> B into *R, where the operation
+    is given by OP.  Use the unsigned type UT for calculation to avoid
+-   overflow problems.  *R's type is T, with extremal values TMIN and
+-   TMAX.  T must be a signed integer type.  Return 1 if the result
+-   overflows.  */
++   overflow problems.  *R's type is T, with extrema TMIN and TMAX.
++   T must be a signed integer type.  Return 1 if the result overflows.  */
+ #define _GL_INT_OP_CALC(a, b, r, op, overflow, ut, t, tmin, tmax) \
+   (sizeof ((a) op (b)) < sizeof (t) \
+    ? _GL_INT_OP_CALC1 ((t) (a), (t) (b), r, op, overflow, ut, t, tmin, tmax) \
+@@ -429,17 +427,27 @@ verify (TYPE_MAXIMUM (long long int) == LLONG_MAX);
+   ((overflow (a, b) \
+     || (EXPR_SIGNED ((a) op (b)) && ((a) op (b)) < (tmin)) \
+     || (tmax) < ((a) op (b))) \
+-   ? (*(r) = _GL_INT_OP_WRAPV_VIA_UNSIGNED (a, b, op, ut, t, tmin, tmax), 1) \
+-   : (*(r) = _GL_INT_OP_WRAPV_VIA_UNSIGNED (a, b, op, ut, t, tmin, tmax), 0))
+-
+-/* Return A <op> B, where the operation is given by OP.  Use the
+-   unsigned type UT for calculation to avoid overflow problems.
+-   Convert the result to type T without overflow by subtracting TMIN
+-   from large values before converting, and adding it afterwards.
+-   Compilers can optimize all the operations except OP.  */
+-#define _GL_INT_OP_WRAPV_VIA_UNSIGNED(a, b, op, ut, t, tmin, tmax) \
+-  (((ut) (a) op (ut) (b)) <= (tmax) \
+-   ? (t) ((ut) (a) op (ut) (b)) \
+-   : ((t) (((ut) (a) op (ut) (b)) - (tmin)) + (tmin)))
++   ? (*(r) = _GL_INT_OP_WRAPV_VIA_UNSIGNED (a, b, op, ut, t), 1) \
++   : (*(r) = _GL_INT_OP_WRAPV_VIA_UNSIGNED (a, b, op, ut, t), 0))
++
++/* Return the low-order bits of A <op> B, where the operation is given
++   by OP.  Use the unsigned type UT for calculation to avoid undefined
++   behavior on signed integer overflow, and convert the result to type T.
++   UT is at least as wide as T and is no narrower than unsigned int,
++   T is two's complement, and there is no padding or trap representations.
++   Assume that converting UT to T yields the low-order bits, as is
++   done in all known two's-complement C compilers.  E.g., see:
++   https://gcc.gnu.org/onlinedocs/gcc/Integers-implementation.html
++
++   According to the C standard, converting UT to T yields an
++   implementation-defined result or signal for values outside T's
++   range.  However, code that works around this theoretical problem
++   runs afoul of a compiler bug in Oracle Studio 12.3 x86.  See:
++   https://lists.gnu.org/r/bug-gnulib/2017-04/msg00049.html
++   As the compiler bug is real, don't try to work around the
++   theoretical problem.  */
++
++#define _GL_INT_OP_WRAPV_VIA_UNSIGNED(a, b, op, ut, t) \
++  ((t) ((ut) (a) op (ut) (b)))
+ #endif /* _GL_INTPROPS_H */
+diff --git a/oathtool/gl/intprops.h b/oathtool/gl/intprops.h
+index e1fce5c..af456ff 100644
+--- a/oathtool/gl/intprops.h
++++ b/oathtool/gl/intprops.h
+@@ -1,19 +1,19 @@
+ /* intprops.h -- properties of integer types
+-   Copyright (C) 2001-2016 Free Software Foundation, Inc.
++   Copyright (C) 2001-2018 Free Software Foundation, Inc.
+    This program is free software: you can redistribute it and/or modify it
+-   under the terms of the GNU General Public License as published
+-   by the Free Software Foundation; either version 3 of the License, or
++   under the terms of the GNU Lesser General Public License as published
++   by the Free Software Foundation; either version 2.1 of the License, or
+    (at your option) any later version.
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+-   GNU General Public License for more details.
++   GNU Lesser General Public License for more details.
+-   You should have received a copy of the GNU General Public License
+-   along with this program.  If not, see <http://www.gnu.org/licenses/>.  */
++   You should have received a copy of the GNU Lesser General Public License
++   along with this program.  If not, see <https://www.gnu.org/licenses/>.  */
+ /* Written by Paul Eggert.  */
+@@ -21,13 +21,12 @@
+ #define _GL_INTPROPS_H
+ #include <limits.h>
+-#include <verify.h>
+ /* Return a value with the common real type of E and V and the value of V.  */
+ #define _GL_INT_CONVERT(e, v) (0 * (e) + (v))
+ /* Act like _GL_INT_CONVERT (E, -V) but work around a bug in IRIX 6.5 cc; see
+-   <http://lists.gnu.org/archive/html/bug-gnulib/2011-05/msg00406.html>.  */
++   <https://lists.gnu.org/r/bug-gnulib/2011-05/msg00406.html>.  */
+ #define _GL_INT_NEGATE_CONVERT(e, v) (0 * (e) - (v))
+ /* The extra casts in the following macros work around compiler bugs,
+@@ -47,12 +46,16 @@
+ /* Minimum and maximum values for integer types and expressions.  */
++/* The width in bits of the integer type or expression T.
++   Padding bits are not supported; this is checked at compile-time below.  */
++#define TYPE_WIDTH(t) (sizeof (t) * CHAR_BIT)
++
+ /* The maximum and minimum values for the integer type T.  */
+ #define TYPE_MINIMUM(t) ((t) ~ TYPE_MAXIMUM (t))
+ #define TYPE_MAXIMUM(t)                                                 \
+   ((t) (! TYPE_SIGNED (t)                                               \
+         ? (t) -1                                                        \
+-        : ((((t) 1 << (sizeof (t) * CHAR_BIT - 2)) - 1) * 2 + 1)))
++        : ((((t) 1 << (TYPE_WIDTH (t) - 2)) - 1) * 2 + 1)))
+ /* The maximum and minimum values for the type of the expression E,
+    after integer promotion.  E should not have side effects.  */
+@@ -65,29 +68,23 @@
+    ? _GL_SIGNED_INT_MAXIMUM (e)                                         \
+    : _GL_INT_NEGATE_CONVERT (e, 1))
+ #define _GL_SIGNED_INT_MAXIMUM(e)                                       \
+-  (((_GL_INT_CONVERT (e, 1) << (sizeof ((e) + 0) * CHAR_BIT - 2)) - 1) * 2 + 1)
++  (((_GL_INT_CONVERT (e, 1) << (TYPE_WIDTH ((e) + 0) - 2)) - 1) * 2 + 1)
++
++/* Work around OpenVMS incompatibility with C99.  */
++#if !defined LLONG_MAX && defined __INT64_MAX
++# define LLONG_MAX __INT64_MAX
++# define LLONG_MIN __INT64_MIN
++#endif
+ /* This include file assumes that signed types are two's complement without
+    padding bits; the above macros have undefined behavior otherwise.
+    If this is a problem for you, please let us know how to fix it for your host.
+-   As a sanity check, test the assumption for some signed types that
+-   <limits.h> bounds.  */
+-verify (TYPE_MINIMUM (signed char) == SCHAR_MIN);
+-verify (TYPE_MAXIMUM (signed char) == SCHAR_MAX);
+-verify (TYPE_MINIMUM (short int) == SHRT_MIN);
+-verify (TYPE_MAXIMUM (short int) == SHRT_MAX);
+-verify (TYPE_MINIMUM (int) == INT_MIN);
+-verify (TYPE_MAXIMUM (int) == INT_MAX);
+-verify (TYPE_MINIMUM (long int) == LONG_MIN);
+-verify (TYPE_MAXIMUM (long int) == LONG_MAX);
+-#ifdef LLONG_MAX
+-verify (TYPE_MINIMUM (long long int) == LLONG_MIN);
+-verify (TYPE_MAXIMUM (long long int) == LLONG_MAX);
+-#endif
++   This assumption is tested by the intprops-tests module.  */
+ /* Does the __typeof__ keyword work?  This could be done by
+    'configure', but for now it's easier to do it by hand.  */
+-#if (2 <= __GNUC__ || defined __IBM__TYPEOF__ \
++#if (2 <= __GNUC__ \
++     || (1210 <= __IBMC__ && defined __IBM__TYPEOF__) \
+      || (0x5110 <= __SUNPRO_C && !__STDC__))
+ # define _GL_HAVE___TYPEOF__ 1
+ #else
+@@ -116,8 +113,7 @@ verify (TYPE_MAXIMUM (long long int) == LLONG_MAX);
+    signed, this macro may overestimate the true bound by one byte when
+    applied to unsigned types of size 2, 4, 16, ... bytes.  */
+ #define INT_STRLEN_BOUND(t)                                     \
+-  (INT_BITS_STRLEN_BOUND (sizeof (t) * CHAR_BIT                 \
+-                          - _GL_SIGNED_TYPE_OR_EXPR (t))        \
++  (INT_BITS_STRLEN_BOUND (TYPE_WIDTH (t) - _GL_SIGNED_TYPE_OR_EXPR (t)) \
+    + _GL_SIGNED_TYPE_OR_EXPR (t))
+ /* Bound on buffer size needed to represent an integer type or expression T,
+@@ -183,7 +179,7 @@ verify (TYPE_MAXIMUM (long long int) == LLONG_MAX);
+ /* Return 1 if A * B would overflow in [MIN,MAX] arithmetic.
+    See above for restrictions.  Avoid && and || as they tickle
+    bugs in Sun C 5.11 2010/08/13 and other compilers; see
+-   <http://lists.gnu.org/archive/html/bug-gnulib/2011-05/msg00401.html>.  */
++   <https://lists.gnu.org/r/bug-gnulib/2011-05/msg00401.html>.  */
+ #define INT_MULTIPLY_RANGE_OVERFLOW(a, b, min, max)     \
+   ((b) < 0                                              \
+    ? ((a) < 0                                           \
+@@ -222,20 +218,27 @@ verify (TYPE_MAXIMUM (long long int) == LLONG_MAX);
+    ? (a) < (min) >> (b)                                 \
+    : (max) >> (b) < (a))
+-/* True if __builtin_add_overflow (A, B, P) works when P is null.  */
+-#define _GL_HAS_BUILTIN_OVERFLOW_WITH_NULL (7 <= __GNUC__)
++/* True if __builtin_add_overflow (A, B, P) works when P is non-null.  */
++#if 5 <= __GNUC__ && !defined __ICC
++# define _GL_HAS_BUILTIN_OVERFLOW 1
++#else
++# define _GL_HAS_BUILTIN_OVERFLOW 0
++#endif
++
++/* True if __builtin_add_overflow_p (A, B, C) works.  */
++#define _GL_HAS_BUILTIN_OVERFLOW_P (7 <= __GNUC__)
+ /* The _GL*_OVERFLOW macros have the same restrictions as the
+    *_RANGE_OVERFLOW macros, except that they do not assume that operands
+    (e.g., A and B) have the same type as MIN and MAX.  Instead, they assume
+    that the result (e.g., A + B) has that type.  */
+-#if _GL_HAS_BUILTIN_OVERFLOW_WITH_NULL
+-# define _GL_ADD_OVERFLOW(a, b, min, max)
+-   __builtin_add_overflow (a, b, (__typeof__ ((a) + (b)) *) 0)
+-# define _GL_SUBTRACT_OVERFLOW(a, b, min, max)
+-   __builtin_sub_overflow (a, b, (__typeof__ ((a) - (b)) *) 0)
+-# define _GL_MULTIPLY_OVERFLOW(a, b, min, max)
+-   __builtin_mul_overflow (a, b, (__typeof__ ((a) * (b)) *) 0)
++#if _GL_HAS_BUILTIN_OVERFLOW_P
++# define _GL_ADD_OVERFLOW(a, b, min, max)                               \
++   __builtin_add_overflow_p (a, b, (__typeof__ ((a) + (b))) 0)
++# define _GL_SUBTRACT_OVERFLOW(a, b, min, max)                          \
++   __builtin_sub_overflow_p (a, b, (__typeof__ ((a) - (b))) 0)
++# define _GL_MULTIPLY_OVERFLOW(a, b, min, max)                          \
++   __builtin_mul_overflow_p (a, b, (__typeof__ ((a) * (b))) 0)
+ #else
+ # define _GL_ADD_OVERFLOW(a, b, min, max)                                \
+    ((min) < 0 ? INT_ADD_RANGE_OVERFLOW (a, b, min, max)                  \
+@@ -315,7 +318,7 @@ verify (TYPE_MAXIMUM (long long int) == LLONG_MAX);
+   _GL_BINARY_OP_OVERFLOW (a, b, _GL_ADD_OVERFLOW)
+ #define INT_SUBTRACT_OVERFLOW(a, b) \
+   _GL_BINARY_OP_OVERFLOW (a, b, _GL_SUBTRACT_OVERFLOW)
+-#if _GL_HAS_BUILTIN_OVERFLOW_WITH_NULL
++#if _GL_HAS_BUILTIN_OVERFLOW_P
+ # define INT_NEGATE_OVERFLOW(a) INT_SUBTRACT_OVERFLOW (0, a)
+ #else
+ # define INT_NEGATE_OVERFLOW(a) \
+@@ -349,10 +352,6 @@ verify (TYPE_MAXIMUM (long long int) == LLONG_MAX);
+ #define INT_MULTIPLY_WRAPV(a, b, r) \
+   _GL_INT_OP_WRAPV (a, b, r, *, __builtin_mul_overflow, INT_MULTIPLY_OVERFLOW)
+-#ifndef __has_builtin
+-# define __has_builtin(x) 0
+-#endif
+-
+ /* Nonzero if this compiler has GCC bug 68193 or Clang bug 25390.  See:
+    https://gcc.gnu.org/bugzilla/show_bug.cgi?id=68193
+    https://llvm.org/bugs/show_bug.cgi?id=25390
+@@ -369,17 +368,17 @@ verify (TYPE_MAXIMUM (long long int) == LLONG_MAX);
+    the operation.  BUILTIN is the builtin operation, and OVERFLOW the
+    overflow predicate.  Return 1 if the result overflows.  See above
+    for restrictions.  */
+-#if 5 <= __GNUC__ || __has_builtin (__builtin_add_overflow)
++#if _GL_HAS_BUILTIN_OVERFLOW
+ # define _GL_INT_OP_WRAPV(a, b, r, op, builtin, overflow) builtin (a, b, r)
+ #elif 201112 <= __STDC_VERSION__ && !_GL__GENERIC_BOGUS
+ # define _GL_INT_OP_WRAPV(a, b, r, op, builtin, overflow) \
+    (_Generic \
+     (*(r), \
+      signed char: \
+-       _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned char, \
++       _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned int, \
+                         signed char, SCHAR_MIN, SCHAR_MAX), \
+      short int: \
+-       _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned short int, \
++       _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned int, \
+                         short int, SHRT_MIN, SHRT_MAX), \
+      int: \
+        _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned int, \
+@@ -393,10 +392,10 @@ verify (TYPE_MAXIMUM (long long int) == LLONG_MAX);
+ #else
+ # define _GL_INT_OP_WRAPV(a, b, r, op, builtin, overflow) \
+    (sizeof *(r) == sizeof (signed char) \
+-    ? _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned char, \
++    ? _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned int, \
+                        signed char, SCHAR_MIN, SCHAR_MAX) \
+     : sizeof *(r) == sizeof (short int) \
+-    ? _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned short int, \
++    ? _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned int, \
+                        short int, SHRT_MIN, SHRT_MAX) \
+     : sizeof *(r) == sizeof (int) \
+     ? _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned int, \
+@@ -412,15 +411,14 @@ verify (TYPE_MAXIMUM (long long int) == LLONG_MAX);
+ # else
+ #  define _GL_INT_OP_WRAPV_LONGISH(a, b, r, op, overflow) \
+     _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned long int, \
+-                     long int, LONG_MIN, LONG_MAX))
++                     long int, LONG_MIN, LONG_MAX)
+ # endif
+ #endif
+ /* Store the low-order bits of A <op> B into *R, where the operation
+    is given by OP.  Use the unsigned type UT for calculation to avoid
+-   overflow problems.  *R's type is T, with extremal values TMIN and
+-   TMAX.  T must be a signed integer type.  Return 1 if the result
+-   overflows.  */
++   overflow problems.  *R's type is T, with extrema TMIN and TMAX.
++   T must be a signed integer type.  Return 1 if the result overflows.  */
+ #define _GL_INT_OP_CALC(a, b, r, op, overflow, ut, t, tmin, tmax) \
+   (sizeof ((a) op (b)) < sizeof (t) \
+    ? _GL_INT_OP_CALC1 ((t) (a), (t) (b), r, op, overflow, ut, t, tmin, tmax) \
+@@ -429,17 +427,27 @@ verify (TYPE_MAXIMUM (long long int) == LLONG_MAX);
+   ((overflow (a, b) \
+     || (EXPR_SIGNED ((a) op (b)) && ((a) op (b)) < (tmin)) \
+     || (tmax) < ((a) op (b))) \
+-   ? (*(r) = _GL_INT_OP_WRAPV_VIA_UNSIGNED (a, b, op, ut, t, tmin, tmax), 1) \
+-   : (*(r) = _GL_INT_OP_WRAPV_VIA_UNSIGNED (a, b, op, ut, t, tmin, tmax), 0))
+-
+-/* Return A <op> B, where the operation is given by OP.  Use the
+-   unsigned type UT for calculation to avoid overflow problems.
+-   Convert the result to type T without overflow by subtracting TMIN
+-   from large values before converting, and adding it afterwards.
+-   Compilers can optimize all the operations except OP.  */
+-#define _GL_INT_OP_WRAPV_VIA_UNSIGNED(a, b, op, ut, t, tmin, tmax) \
+-  (((ut) (a) op (ut) (b)) <= (tmax) \
+-   ? (t) ((ut) (a) op (ut) (b)) \
+-   : ((t) (((ut) (a) op (ut) (b)) - (tmin)) + (tmin)))
++   ? (*(r) = _GL_INT_OP_WRAPV_VIA_UNSIGNED (a, b, op, ut, t), 1) \
++   : (*(r) = _GL_INT_OP_WRAPV_VIA_UNSIGNED (a, b, op, ut, t), 0))
++
++/* Return the low-order bits of A <op> B, where the operation is given
++   by OP.  Use the unsigned type UT for calculation to avoid undefined
++   behavior on signed integer overflow, and convert the result to type T.
++   UT is at least as wide as T and is no narrower than unsigned int,
++   T is two's complement, and there is no padding or trap representations.
++   Assume that converting UT to T yields the low-order bits, as is
++   done in all known two's-complement C compilers.  E.g., see:
++   https://gcc.gnu.org/onlinedocs/gcc/Integers-implementation.html
++
++   According to the C standard, converting UT to T yields an
++   implementation-defined result or signal for values outside T's
++   range.  However, code that works around this theoretical problem
++   runs afoul of a compiler bug in Oracle Studio 12.3 x86.  See:
++   https://lists.gnu.org/r/bug-gnulib/2017-04/msg00049.html
++   As the compiler bug is real, don't try to work around the
++   theoretical problem.  */
++
++#define _GL_INT_OP_WRAPV_VIA_UNSIGNED(a, b, op, ut, t) \
++  ((t) ((ut) (a) op (ut) (b)))
+ #endif /* _GL_INTPROPS_H */
index bb50a3d709a980fce197aa409aef744dbe70bf2f..88a2fa46c1b11b4fac71020bfc768e1e61721db5 100644 (file)
@@ -8,17 +8,18 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openobex
-PKG_VERSION:=1.7.1
+PKG_VERSION:=1.7.2
 PKG_RELEASE:=1
 
-PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)-Source
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-Source.tar.gz
 PKG_SOURCE_URL:=@SF/openobex
-PKG_HASH:=3b264665d90901ea4ff720332ffb9b6d1d8f67187463d3a3279caddc7205ea57
+PKG_HASH:=158860aaea52f0fce0c8e4b64550daaae06df2689e05834697b7e8c7d73dd4fc
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)-Source
 
+PKG_MAINTAINER:=Rosen Penev <rosenp@gmail.com>
 PKG_LICENSE:=GPL-2.0+ LGPL-2.1+
 PKG_LICENSE_FILES:=COPYING
-PKG_MAINTAINER:=Nicolas Thill <nico@openwrt.org>
+PKG_CPE_ID:=cpe:/a:openobex:openobex
 
 include $(INCLUDE_DIR)/package.mk
 include $(INCLUDE_DIR)/cmake.mk
index 650458f0a7dc8c1db2a524c123903fb294ab051e..ec53b4d1dae3e72f1efebd7de35fccd58b3f99f3 100644 (file)
@@ -1,10 +1,13 @@
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 813f900..a0942e8 100644
 --- a/CMakeLists.txt
 +++ b/CMakeLists.txt
-@@ -1,6 +1,6 @@
- cmake_minimum_required ( VERSION 2.8.5 FATAL_ERROR )\r
+@@ -1,7 +1,7 @@
+ cmake_minimum_required ( VERSION 3.1 FATAL_ERROR )\r
  \r
--project ( openobex C )\r
-+project ( openobex C CXX )\r
+ project ( openobex\r
+-  LANGUAGES C\r
++  LANGUAGES C CXX\r
+   VERSION 1.7.2\r
+ )\r
  \r
- #\r
- # The project version\r
index 3872c455cfbca9ec969d048251e9a30ecaa42a2e..dc8cf38ec48926855aa33683955da07b3fc206e4 100644 (file)
@@ -9,13 +9,13 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=picocom
 PKG_VERSION:=3.1
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/npat-efault/picocom/tar.gz/$(PKG_VERSION)?
 PKG_HASH:=e6761ca932ffc6d09bd6b11ff018bdaf70b287ce518b3282d29e0270e88420bb
 
-PKG_MAINTAINER:=Steven Barth <cyrus@openwrt.org>
+PKG_MAINTAINER:=Rosen Penev <rosenp@gmail.com>
 PKG_LICENSE:=GPL-2.0+
 
 include $(INCLUDE_DIR)/package.mk
diff --git a/utils/picocom/patches/020-fix-compile-x86.patch b/utils/picocom/patches/020-fix-compile-x86.patch
new file mode 100644 (file)
index 0000000..3cc3291
--- /dev/null
@@ -0,0 +1,44 @@
+From 6fad89a36968fe1bf6aed63f44b7e2e375271e76 Mon Sep 17 00:00:00 2001
+From: Nick Patavalis <npat@efault.net>
+Date: Thu, 12 Apr 2018 15:16:04 +0300
+Subject: [PATCH] Compile with libc's without cispeed / cospeed
+
+Some libc implementations (e.g. musl) do not define the cispeed and
+cospeed struct termios fields. So we have to check the
+_HAVE_STRUCT_TERMIOS_C_ISPEED and _HAVE_STRUCT_TERMIOS_C_OSPEED
+macros. If not defined, we disable custom baudrate support.
+---
+ custbaud.h | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/custbaud.h b/custbaud.h
+index 48151a4..ae4ae8d 100644
+--- a/custbaud.h
++++ b/custbaud.h
+@@ -26,6 +26,8 @@
+ #ifndef CUSTBAUD_H
+ #define CUSTBAUD_H
++#include <termios.h>
++
+ #ifndef NO_CUSTOM_BAUD
+ #if defined (__linux__)
+@@ -33,7 +35,13 @@
+ /* Enable by-default for kernels > 2.6.0 on x86 and x86_64 only */
+ #include <linux/version.h>
+ #if LINUX_VERSION_CODE > KERNEL_VERSION(2,6,0)
+-#if defined (__i386__) || defined (__x86_64__) || defined (USE_CUSTOM_BAUD)
++/* Some libc implementations (e.g. musl) do not define the cispeed and
++   cospeed struct termios fields. We do not support custom baudrates
++   on them. */
++#if ( (defined (__i386__) || defined (__x86_64__))  \
++      && defined (_HAVE_STRUCT_TERMIOS_C_ISPEED)    \
++      && defined (_HAVE_STRUCT_TERMIOS_C_OSPEED) )  \
++    || defined (USE_CUSTOM_BAUD)
+ #ifndef USE_CUSTOM_BAUD
+ #define USE_CUSTOM_BAUD
+ #endif
+-- 
+2.19.1
+
diff --git a/utils/prometheus/Makefile b/utils/prometheus/Makefile
new file mode 100644 (file)
index 0000000..8437b20
--- /dev/null
@@ -0,0 +1,56 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=prometheus
+PKG_VERSION:=2.3.2
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://codeload.github.com/prometheus/prometheus/tar.gz/v${PKG_VERSION}?
+PKG_HASH:=008282497e2e85de6fb17a698dfdae4a942026f623d8a9d45b911a765442cb58
+
+PKG_LICENSE:=Apache-2.0
+PKG_LICENSE_FILES:=LICENSE
+PKG_MAINTAINER:=Paul Spooren <spooren@informatik.uni-leipzig.de>
+
+PKG_BUILD_DEPENDS:=golang/host
+PKG_BUILD_PARALLEL:=1
+PKG_USE_MIPS16:=0
+
+GO_PKG:=github.com/prometheus/prometheus/
+GO_PKG_BUILD_PKG:=github.com/prometheus/prometheus/cmd/prometheus/
+
+include $(INCLUDE_DIR)/package.mk
+include ../../lang/golang/golang-package.mk
+
+define Package/prometheus/Default
+  TITLE:=Monitoring system & time series database
+  USERID:=prometheus=112:prometheus=112
+  URL:=http://prometheus.io
+  DEPENDS:=$(GO_ARCH_DEPENDS)
+endef
+
+define Package/prometheus
+$(call Package/prometheus/Default)
+  SECTION:=utils
+  CATEGORY:=Utilities
+endef
+
+define Package/prometheus/description
+Prometheus, a Cloud Native Computing Foundation project, is a systems and
+service monitoring system. It collects metrics from configured targets at given
+intervals, evaluates rule expressions, displays the results, and can trigger
+alerts if some condition is observed to be true.
+endef
+
+define Package/prometheus/install
+       $(call GoPackage/Package/Install/Bin,$(1))
+
+       $(CP) ./files/* $(1)/
+endef
+
+define Package/prometheus/conffiles
+/etc/prometheus.yml
+endef
+
+$(eval $(call GoBinPackage,prometheus))
+$(eval $(call BuildPackage,prometheus))
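Review bot: In Package/prometheus/install, `$(CP) ./files/* $(1)/` copies the whole files/ tree into the image root. This commit adds both files/etc/prometheus.yml and files/prometheus.yml, so a second copy of the config would be installed as /prometheus.yml. The wildcard copy also leaves the mode of the init and uci-defaults scripts to whatever the checkout has, rather than stating it in the recipe. I would drop files/prometheus.yml and install each file explicitly, e.g. `$(INSTALL_DIR) $(1)/etc/init.d $(1)/etc/uci-defaults`, `$(INSTALL_BIN) ./files/etc/init.d/prometheus $(1)/etc/init.d/` and `$(INSTALL_DATA) ./files/etc/prometheus.yml $(1)/etc/`, with the uci-defaults script installed the same way as the init script. The config needs to stay readable by the unprivileged `prometheus` user the service runs as, hence `$(INSTALL_DATA)`.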
diff --git a/utils/prometheus/files/etc/init.d/prometheus b/utils/prometheus/files/etc/init.d/prometheus
new file mode 100755 (executable)
index 0000000..a652ddf
--- /dev/null
@@ -0,0 +1,27 @@
+#!/bin/sh /etc/rc.common
+
+START=70
+
+USE_PROCD=1
+PROG=/usr/bin/prometheus
+CONFFILE=/etc/prometheus.yml
+
+start_service() {
+       local config_file
+       local storage_tsdb_path
+       local web_listen_address
+       config_load "prometheus"
+       config_get config_file prometheus config_file "$CONFFILE"
+       config_get storage_tsdb_path prometheus storage_tsdb_path "/data"
+       config_get web_listen_address prometheus web_listen_address "127.0.0.1:9090"
+
+       procd_open_instance
+       procd_set_param command "$PROG"
+       procd_append_param command --config.file="$config_file"
+       procd_append_param command --storage.tsdb.path="$storage_tsdb_path"
+       procd_append_param command --web.listen-address="$web_listen_address"
+       procd_append_param user "prometheus"
+       procd_set_param file "$config_file"
+       procd_set_param respawn
+       procd_close_instance
+}
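Review bot: In start_service() the privilege drop is requested with `procd_append_param user "prometheus"`, whereas scalar instance parameters are normally set with `procd_set_param user prometheus`. If the procd.sh in use does not handle `user` on the append path, the daemon would keep running as root without any error, so I would switch to the set form and confirm the effective user on a device. Separately, the default `storage_tsdb_path` of `/data` is not created anywhere in this script, and the unprivileged user presumably cannot create a directory directly under /. A `mkdir -p "$storage_tsdb_path"` followed by `chown prometheus:prometheus "$storage_tsdb_path"` before `procd_open_instance` would cover that.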
diff --git a/utils/prometheus/files/etc/prometheus.yml b/utils/prometheus/files/etc/prometheus.yml
new file mode 100644 (file)
index 0000000..af33d87
--- /dev/null
@@ -0,0 +1,29 @@
+# my global config
+global:
+  scrape_interval:     15s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
+  evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
+  # scrape_timeout is set to the global default (10s).
+
+# Alertmanager configuration
+alerting:
+  alertmanagers:
+  - static_configs:
+    - targets:
+      # - alertmanager:9093
+
+# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
+rule_files:
+  # - "first_rules.yml"
+  # - "second_rules.yml"
+
+# A scrape configuration containing exactly one endpoint to scrape:
+# Here it's Prometheus itself.
+scrape_configs:
+  # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
+  - job_name: 'prometheus'
+
+    # metrics_path defaults to '/metrics'
+    # scheme defaults to 'http'.
+
+    static_configs:
+    - targets: ['localhost:9090']
diff --git a/utils/prometheus/files/etc/uci-defaults/prometheus-defaults b/utils/prometheus/files/etc/uci-defaults/prometheus-defaults
new file mode 100755 (executable)
index 0000000..2ce7452
--- /dev/null
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+[ -e /etc/config/prometheus ] || touch /etc/config/prometheus
+
+uci -q get prometheus.prometheus || {
+       uci -q batch <<EOF
+       set prometheus.prometheus=prometheus
+       set prometheus.prometheus.config_file='/etc/prometheus.yml'
+       set prometheus.prometheus.storage_tsdb_path='/data'
+       set prometheus.prometheus.web_listen_address='127.0.0.1:9090'
+       commit prometheus
+EOF
+}
diff --git a/utils/prometheus/files/prometheus.yml b/utils/prometheus/files/prometheus.yml
new file mode 100644 (file)
index 0000000..af33d87
--- /dev/null
@@ -0,0 +1,29 @@
+# my global config
+global:
+  scrape_interval:     15s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
+  evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
+  # scrape_timeout is set to the global default (10s).
+
+# Alertmanager configuration
+alerting:
+  alertmanagers:
+  - static_configs:
+    - targets:
+      # - alertmanager:9093
+
+# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
+rule_files:
+  # - "first_rules.yml"
+  # - "second_rules.yml"
+
+# A scrape configuration containing exactly one endpoint to scrape:
+# Here it's Prometheus itself.
+scrape_configs:
+  # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
+  - job_name: 'prometheus'
+
+    # metrics_path defaults to '/metrics'
+    # scheme defaults to 'http'.
+
+    static_configs:
+    - targets: ['localhost:9090']
index d2671a790f5192ff6da26e318b8b776d40809db4..b34cef6b45c8313c8cce728a48b0de30e2388c8a 100644 (file)
@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=rtty
-PKG_VERSION:=6.3.0
+PKG_VERSION:=6.3.1
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_VERSION:=v$(PKG_VERSION)
 PKG_SOURCE_URL=https://codeload.github.com/zhaojh329/rtty/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=8129cc3f2d83db618afb6bfc93e018adf03de156d7e15e087e9ae52ac9dcae2b
+PKG_HASH:=1dd7852cd5a3615134dc1c6266157072652592bda847b44cc747ccfcaa27ce2f
 CMAKE_INSTALL:=1
 
 PKG_BUILD_DIR=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_SOURCE_SUBDIR)
index a26fb8c398cfe8228fd4466209f52ef29cc80664..1ae48ed4ffe0bbd84e69d80c86582351c05b8a8f 100644 (file)
@@ -6,12 +6,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=unrar
-PKG_VERSION:=5.6.5
+PKG_VERSION:=5.6.8
 PKG_RELEASE:=1
 
 PKG_SOURCE:=unrarsrc-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://www.rarlab.com/rar
-PKG_HASH:=eba36a421bf41491818dee9507d934064622bc0bd9db6bbb8422a4706f200898
+PKG_HASH:=a4cc0ac14a354827751912d2af4a0a09e2c2129df5766576fa7e151791dd3dff
 PKG_MAINTAINER:=Álvaro Fernández Rojas <noltari@gmail.com>, \
                Ted Hess <thess@kitschensync.net>
 
index 5ed2d19ca0dcffb54661425e8a9003cc6655e985..4de075fe8e2ea518090214066de3444d796a1a39 100644 (file)
@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=yara
-PKG_VERSION:=3.7.1
+PKG_VERSION:=3.8.1
 PKG_RELEASE:=1
 PKG_LICENSE:=BSD-3-Clause
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://github.com/VirusTotal/yara/archive/v$(PKG_VERSION)/
-PKG_HASH:=df077a29b0fffbf4e7c575f838a440f42d09b215fcb3971e6fb6360318a64892
+PKG_SOURCE_URL:=https://codeload.github.com/VirusTotal/yara/tar.gz/v$(PKG_VERSION)?
+PKG_HASH:=283527711269354d3c60e2705f7f74b1f769d2d35ddba8f7f9ce97d0fd5cb1ca
 
 PKG_FIXUP:=autoreconf
 PKG_BUILD_PARALLEL:=1
index 5734159dde91ef2ea0b9852f8b40ad5da7a604f8..f7208e717b7958856f755a7063fe987235bbc027 100644 (file)
@@ -9,8 +9,8 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=zoneinfo
-PKG_VERSION:=2018e
-PKG_VERSION_CODE:=2018e
+PKG_VERSION:=2018f
+PKG_VERSION_CODE:=2018f
 PKG_RELEASE:=1
 
 #As i couldn't find real license used "Public Domain"
@@ -20,14 +20,14 @@ PKG_LICENSE:=Public Domain
 PKG_SOURCE:=tzdata$(PKG_VERSION).tar.gz
 PKG_SOURCE_CODE:=tzcode$(PKG_VERSION_CODE).tar.gz
 PKG_SOURCE_URL:=http://www.iana.org/time-zones/repository/releases
-PKG_HASH:=6b288e5926841a4cb490909fe822d85c36ae75538ad69baf20da9628b63b692e
+PKG_HASH:=0af6a85fc4ea95832f76524f35696a61abb3992fd3f8db33e5a1f95653e043f2
 
 include $(INCLUDE_DIR)/package.mk
 
 define Download/tzcode
    FILE=$(PKG_SOURCE_CODE)
    URL=$(PKG_SOURCE_URL)
-   HASH:=ca340cf20e80b699d6e5c49b4ba47361b3aa681f06f38a0c88a8e8308c00ebce
+   HASH:=4ec74f8a84372570135ea4be16a042442fafe100f5598cb1017bfd30af6aaa70
 endef
 
 $(eval $(call Download,tzcode))