File ipsec-tools-openssl1.1.patch of Package ipsec-tools

Index: ipsec-tools-0.8.2/src/racoon/crypto_openssl.c
===================================================================
--- ipsec-tools-0.8.2.orig/src/racoon/crypto_openssl.c
+++ ipsec-tools-0.8.2/src/racoon/crypto_openssl.c
@@ -312,13 +312,18 @@ eay_cmp_asn1dn(n1, n2)
 	for(idx = 0; idx < X509_NAME_entry_count(a); idx++) {
 		X509_NAME_ENTRY *ea = X509_NAME_get_entry(a, idx);
 		X509_NAME_ENTRY *eb = X509_NAME_get_entry(b, idx);
+		ASN1_STRING	*eav = X509_NAME_ENTRY_get_data(ea);
+		ASN1_STRING	*ebv;
 		if (!eb) {	/* reached end of eb while still entries in ea, can not be equal... */
 			i = idx+1;
 			goto end;
 		}
-		if ((ea->value->length == 1 && ea->value->data[0] == '*') ||
-		    (eb->value->length == 1 && eb->value->data[0] == '*')) {
-	    		if (OBJ_cmp(ea->object,eb->object)) {
+		ebv = X509_NAME_ENTRY_get_data(eb);
+		if ((ASN1_STRING_length(eav) == 1 && ASN1_STRING_get0_data(eav)[0] == '*') ||
+		    (ASN1_STRING_length(ebv) == 1 && ASN1_STRING_get0_data(ebv)[0] == '*')) {
+			ASN1_OBJECT	*eao = X509_NAME_ENTRY_get_object(ea);
+			ASN1_OBJECT	*ebo = X509_NAME_ENTRY_get_object(eb);
+	    		if (OBJ_cmp(eao,ebo)) {
 				i = idx+1;
 				goto end;
 	    		}
@@ -430,7 +435,7 @@ cb_check_cert_local(ok, ctx)
 
 	if (!ok) {
 		X509_NAME_oneline(
-				X509_get_subject_name(ctx->current_cert),
+				X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)),
 				buf,
 				256);
 		/*
@@ -438,7 +443,7 @@ cb_check_cert_local(ok, ctx)
 		 * ok if they are self signed. But we should still warn
 		 * the user.
  		 */
-		switch (ctx->error) {
+		switch (X509_STORE_CTX_get_error(ctx)) {
 		case X509_V_ERR_CERT_HAS_EXPIRED:
 		case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
 		case X509_V_ERR_INVALID_CA:
@@ -453,9 +458,9 @@ cb_check_cert_local(ok, ctx)
 		}
 		plog(log_tag, LOCATION, NULL,
 			"%s(%d) at depth:%d SubjectName:%s\n",
-			X509_verify_cert_error_string(ctx->error),
-			ctx->error,
-			ctx->error_depth,
+			X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)),
+			X509_STORE_CTX_get_error(ctx),
+			X509_STORE_CTX_get_error_depth(ctx),
 			buf);
 	}
 	ERR_clear_error();
@@ -477,10 +482,10 @@ cb_check_cert_remote(ok, ctx)
 
 	if (!ok) {
 		X509_NAME_oneline(
-				X509_get_subject_name(ctx->current_cert),
+				X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)),
 				buf,
 				256);
-		switch (ctx->error) {
+		switch (X509_STORE_CTX_get_error(ctx)) {
 		case X509_V_ERR_UNABLE_TO_GET_CRL:
 			ok = 1;
 			log_tag = LLV_WARNING;
@@ -490,9 +495,9 @@ cb_check_cert_remote(ok, ctx)
 		}
 		plog(log_tag, LOCATION, NULL,
 			"%s(%d) at depth:%d SubjectName:%s\n",
-			X509_verify_cert_error_string(ctx->error),
-			ctx->error,
-			ctx->error_depth,
+			X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)),
+			X509_STORE_CTX_get_error(ctx),
+			X509_STORE_CTX_get_error_depth(ctx),
 			buf);
 	}
 	ERR_clear_error();
@@ -517,13 +522,13 @@ eay_get_x509asn1subjectname(cert)
 		goto error;
 
 	/* get the length of the name */
-	len = i2d_X509_NAME(x509->cert_info->subject, NULL);
+	len = i2d_X509_NAME(X509_get_subject_name(x509), NULL);
 	name = vmalloc(len);
 	if (!name)
 		goto error;
 	/* get the name */
 	bp = (unsigned char *) name->v;
-	len = i2d_X509_NAME(x509->cert_info->subject, &bp);
+	len = i2d_X509_NAME(X509_get_subject_name(x509), &bp);
 
 	X509_free(x509);
 
@@ -662,14 +667,14 @@ eay_get_x509asn1issuername(cert)
 		goto error;
 
 	/* get the length of the name */
-	len = i2d_X509_NAME(x509->cert_info->issuer, NULL);
+	len = i2d_X509_NAME(X509_get_issuer_name(x509), NULL);
 	name = vmalloc(len);
 	if (name == NULL)
 		goto error;
 
 	/* get the name */
 	bp = (unsigned char *) name->v;
-	len = i2d_X509_NAME(x509->cert_info->issuer, &bp);
+	len = i2d_X509_NAME(X509_get_issuer_name(x509), &bp);
 
 	X509_free(x509);
 
@@ -850,7 +855,7 @@ eay_check_x509sign(source, sig, cert)
 		return -1;
 	}
 
-	res = eay_rsa_verify(source, sig, evp->pkey.rsa);
+	res = eay_rsa_verify(source, sig, EVP_PKEY_get0_RSA(evp));
 
 	EVP_PKEY_free(evp);
 	X509_free(x509);
@@ -992,7 +997,7 @@ eay_get_x509sign(src, privkey)
 	if (evp == NULL)
 		return NULL;
 
-	sig = eay_rsa_sign(src, evp->pkey.rsa);
+	sig = eay_rsa_sign(src, EVP_PKEY_get0_RSA(evp));
 
 	EVP_PKEY_free(evp);
 
@@ -1100,7 +1105,7 @@ vchar_t *
 evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc)
 {
 	vchar_t *res;
-	EVP_CIPHER_CTX ctx;
+	EVP_CIPHER_CTX *ctx;
 
 	if (!e)
 		return NULL;
@@ -1111,7 +1116,7 @@ evp_crypt(vchar_t *data, vchar_t *key, v
 	if ((res = vmalloc(data->l)) == NULL)
 		return NULL;
 
-	EVP_CIPHER_CTX_init(&ctx);
+	ctx = EVP_CIPHER_CTX_new();
 
 	switch(EVP_CIPHER_nid(e)){
 	case NID_bf_cbc:
@@ -1126,7 +1131,7 @@ evp_crypt(vchar_t *data, vchar_t *key, v
 		 */
 		/* init context without key/iv
          */
-        if (!EVP_CipherInit(&ctx, e, NULL, NULL, enc))
+        if (!EVP_CipherInit(ctx, e, NULL, NULL, enc))
         {
             OpenSSL_BUG();
             vfree(res);
@@ -1135,7 +1140,7 @@ evp_crypt(vchar_t *data, vchar_t *key, v
 		
         /* update key size
          */
-        if (!EVP_CIPHER_CTX_set_key_length(&ctx, key->l))
+        if (!EVP_CIPHER_CTX_set_key_length(ctx, key->l))
         {
             OpenSSL_BUG();
             vfree(res);
@@ -1144,7 +1149,7 @@ evp_crypt(vchar_t *data, vchar_t *key, v
 
         /* finalize context init with desired key size
          */
-        if (!EVP_CipherInit(&ctx, NULL, (u_char *) key->v,
+        if (!EVP_CipherInit(ctx, NULL, (u_char *) key->v,
 							(u_char *) iv->v, enc))
         {
             OpenSSL_BUG();
@@ -1153,7 +1158,7 @@ evp_crypt(vchar_t *data, vchar_t *key, v
 		}
 		break;
 	default:
-		if (!EVP_CipherInit(&ctx, e, (u_char *) key->v, 
+		if (!EVP_CipherInit(ctx, e, (u_char *) key->v, 
 							(u_char *) iv->v, enc)) {
 			OpenSSL_BUG();
 			vfree(res);
@@ -1162,15 +1167,15 @@ evp_crypt(vchar_t *data, vchar_t *key, v
 	}
 
 	/* disable openssl padding */
-	EVP_CIPHER_CTX_set_padding(&ctx, 0); 
+	EVP_CIPHER_CTX_set_padding(ctx, 0); 
 	
-	if (!EVP_Cipher(&ctx, (u_char *) res->v, (u_char *) data->v, data->l)) {
+	if (!EVP_Cipher(ctx, (u_char *) res->v, (u_char *) data->v, data->l)) {
 		OpenSSL_BUG();
 		vfree(res);
 		return NULL;
 	}
 
-	EVP_CIPHER_CTX_cleanup(&ctx);
+	EVP_CIPHER_CTX_free(ctx);
 
 	return res;
 }
@@ -1680,9 +1685,9 @@ eay_hmac_init(key, md)
 	vchar_t *key;
 	const EVP_MD *md;
 {
-	HMAC_CTX *c = racoon_malloc(sizeof(*c));
+	HMAC_CTX *c = HMAC_CTX_new();
 
-	HMAC_Init(c, key->v, key->l, md);
+	HMAC_Init_ex(c, key->v, key->l, md, NULL);
 
 	return (caddr_t)c;
 }
@@ -1761,8 +1766,7 @@ eay_hmacsha2_512_final(c)
 
 	HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
 	res->l = l;
-	HMAC_cleanup((HMAC_CTX *)c);
-	(void)racoon_free(c);
+	HMAC_CTX_free((HMAC_CTX *)c);
 
 	if (SHA512_DIGEST_LENGTH != res->l) {
 		plog(LLV_ERROR, LOCATION, NULL,
@@ -1811,8 +1815,7 @@ eay_hmacsha2_384_final(c)
 
 	HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
 	res->l = l;
-	HMAC_cleanup((HMAC_CTX *)c);
-	(void)racoon_free(c);
+	HMAC_CTX_free((HMAC_CTX *)c);
 
 	if (SHA384_DIGEST_LENGTH != res->l) {
 		plog(LLV_ERROR, LOCATION, NULL,
@@ -1861,8 +1864,7 @@ eay_hmacsha2_256_final(c)
 
 	HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
 	res->l = l;
-	HMAC_cleanup((HMAC_CTX *)c);
-	(void)racoon_free(c);
+	HMAC_CTX_free((HMAC_CTX *)c);
 
 	if (SHA256_DIGEST_LENGTH != res->l) {
 		plog(LLV_ERROR, LOCATION, NULL,
@@ -1912,8 +1914,7 @@ eay_hmacsha1_final(c)
 
 	HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
 	res->l = l;
-	HMAC_cleanup((HMAC_CTX *)c);
-	(void)racoon_free(c);
+	HMAC_CTX_free((HMAC_CTX *)c);
 
 	if (SHA_DIGEST_LENGTH != res->l) {
 		plog(LLV_ERROR, LOCATION, NULL,
@@ -1962,8 +1963,7 @@ eay_hmacmd5_final(c)
 
 	HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
 	res->l = l;
-	HMAC_cleanup((HMAC_CTX *)c);
-	(void)racoon_free(c);
+	HMAC_CTX_free((HMAC_CTX *)c);
 
 	if (MD5_DIGEST_LENGTH != res->l) {
 		plog(LLV_ERROR, LOCATION, NULL,
@@ -2234,28 +2234,28 @@ vchar_t *
 eay_md5fips_one(data)
 	vchar_t *data;
 {
-	EVP_MD_CTX	ctx;
+	EVP_MD_CTX	*ctx;
 	vchar_t *res;
 	unsigned int i;
 
 	if ((res = vmalloc(EVP_MD_size(EVP_md5()))) == 0)
 		return NULL;
 
-	EVP_MD_CTX_init(&ctx);
+	ctx = EVP_MD_CTX_new();
 #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
 	/* appeared around openssl 0.9.8k as define, allows usage in FIPS mode. */
-	EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+	EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
 #endif
-	EVP_DigestInit_ex (&ctx, EVP_md5(), NULL);
+	EVP_DigestInit_ex (ctx, EVP_md5(), NULL);
 
-	if (!EVP_DigestUpdate(&ctx, (void *) data->v, data->l))
+	if (!EVP_DigestUpdate(ctx, (void *) data->v, data->l))
 	{
-		EVP_MD_CTX_cleanup(&ctx);
+		EVP_MD_CTX_free(ctx);
 		vfree(res);
 		return NULL;
 	}
-	EVP_DigestFinal_ex(&ctx, (void *) res->v, &i);
-	EVP_MD_CTX_cleanup(&ctx);
+	EVP_DigestFinal_ex(ctx, (void *) res->v, &i);
+	EVP_MD_CTX_free(ctx);
 	return res;
 }
 
@@ -2294,36 +2294,40 @@ eay_dh_generate(prime, g, publen, pub, p
 	u_int publen;
 	u_int32_t g;
 {
-	BIGNUM *p = NULL;
+	BIGNUM *dhg = NULL;
+	BIGNUM *dhp = NULL;
+	const BIGNUM *pub_key;
+	const BIGNUM *priv_key;
 	DH *dh = NULL;
 	int error = -1;
 
 	/* initialize */
 	/* pre-process to generate number */
-	if (eay_v2bn(&p, prime) < 0)
+	if (eay_v2bn(&dhp, prime) < 0)
 		goto end;
 
 	if ((dh = DH_new()) == NULL)
 		goto end;
-	dh->p = p;
-	p = NULL;	/* p is now part of dh structure */
-	dh->g = NULL;
-	if ((dh->g = BN_new()) == NULL)
+	if ((dhg = BN_new()) == NULL)
 		goto end;
-	if (!BN_set_word(dh->g, g))
+	if (!BN_set_word(dhg, g))
 		goto end;
 
+	DH_set0_pqg(dh,dhp,NULL,dhg);
+	dhp = NULL;
 	if (publen != 0)
-		dh->length = publen;
+		DH_set_length(dh,publen);
 
 	/* generate public and private number */
 	if (!DH_generate_key(dh))
 		goto end;
 
+	DH_get0_key(dh,&pub_key, &priv_key);
+
 	/* copy results to buffers */
-	if (eay_bn2v(pub, dh->pub_key) < 0)
+	if (eay_bn2v(pub, pub_key) < 0)
 		goto end;
-	if (eay_bn2v(priv, dh->priv_key) < 0) {
+	if (eay_bn2v(priv, priv_key) < 0) {
 		vfree(*pub);
 		goto end;
 	}
@@ -2333,8 +2337,8 @@ eay_dh_generate(prime, g, publen, pub, p
 end:
 	if (dh != NULL)
 		DH_free(dh);
-	if (p != 0)
-		BN_free(p);
+	if (dhp != 0)
+		BN_free(dhp);
 	return(error);
 }
 
@@ -2344,6 +2348,10 @@ eay_dh_compute(prime, g, pub, priv, pub2
 	u_int32_t g;
 {
 	BIGNUM *dh_pub = NULL;
+	BIGNUM *dhp = NULL;
+	BIGNUM *dhg = NULL;
+	BIGNUM *dhpub_key = NULL;
+	BIGNUM *dhpriv_key = NULL;
 	DH *dh = NULL;
 	int l;
 	unsigned char *v = NULL;
@@ -2356,20 +2364,23 @@ eay_dh_compute(prime, g, pub, priv, pub2
 	/* make DH structure */
 	if ((dh = DH_new()) == NULL)
 		goto end;
-	if (eay_v2bn(&dh->p, prime) < 0)
+	if (eay_v2bn(&dhp, prime) < 0)
 		goto end;
-	if (eay_v2bn(&dh->pub_key, pub) < 0)
+	if (eay_v2bn(&dhpub_key, pub) < 0)
 		goto end;
-	if (eay_v2bn(&dh->priv_key, priv) < 0)
+	if (eay_v2bn(&dhpriv_key, priv) < 0)
 		goto end;
-	dh->length = pub2->l * 8;
 
-	dh->g = NULL;
-	if ((dh->g = BN_new()) == NULL)
+	dhg = NULL;
+	if ((dhg = BN_new()) == NULL)
 		goto end;
-	if (!BN_set_word(dh->g, g))
+	if (!BN_set_word(dhg, g))
 		goto end;
 
+	DH_set0_pqg(dh,dhp,NULL,dhg);
+	DH_set0_key(dh,dhpub_key,dhpriv_key);
+	DH_set_length(dh,pub2->l * 8);
+
 	if ((v = racoon_calloc(prime->l, sizeof(u_char))) == NULL)
 		goto end;
 	if ((l = DH_compute_key(v, dh_pub, dh)) == -1)
@@ -2415,7 +2426,7 @@ eay_v2bn(bn, var)
 int
 eay_bn2v(var, bn)
 	vchar_t **var;
-	BIGNUM *bn;
+	const BIGNUM *bn;
 {
 	*var = vmalloc(BN_num_bytes(bn));
 	if (*var == NULL)
@@ -2532,9 +2543,7 @@ binbuf_pubkey2rsa(vchar_t *binbuf)
 		rsa_pub = NULL;
 		goto out;
 	}
-	
-	rsa_pub->n = mod;
-	rsa_pub->e = exp;
+	RSA_set0_key(rsa_pub,mod,exp,NULL);
 
 out:
 	return rsa_pub;
Index: ipsec-tools-0.8.2/src/racoon/eaytest.c
===================================================================
--- ipsec-tools-0.8.2.orig/src/racoon/eaytest.c
+++ ipsec-tools-0.8.2/src/racoon/eaytest.c
@@ -106,7 +106,7 @@ rsa_verify_with_pubkey(src, sig, pubkey_
 		printf ("PEM_read_PUBKEY(): %s\n", eay_strerror());
 		return -1;
 	}
-	error = eay_check_rsasign(src, sig, evp->pkey.rsa);
+	error = eay_check_rsasign(src, sig, EVP_PKEY_get0_RSA(evp));
 
 	return error;
 }
Index: ipsec-tools-0.8.2/src/racoon/crypto_openssl.h
===================================================================
--- ipsec-tools-0.8.2.orig/src/racoon/crypto_openssl.h
+++ ipsec-tools-0.8.2/src/racoon/crypto_openssl.h
@@ -224,7 +224,7 @@ RSA *bignum_pubkey2rsa(BIGNUM *in);
 extern int eay_revbnl __P((vchar_t *));
 #include <openssl/bn.h>
 extern int eay_v2bn __P((BIGNUM **, vchar_t *));
-extern int eay_bn2v __P((vchar_t **, BIGNUM *));
+extern int eay_bn2v __P((vchar_t **, const BIGNUM *));
 
 extern const char *eay_version __P((void));
 
Index: ipsec-tools-0.8.2/src/racoon/rsalist.c
===================================================================
--- ipsec-tools-0.8.2.orig/src/racoon/rsalist.c
+++ ipsec-tools-0.8.2/src/racoon/rsalist.c
@@ -98,7 +98,10 @@ rsa_key_dup(struct rsa_key *key)
 		return NULL;
 
 	if (key->rsa) {
-		new->rsa = key->rsa->d != NULL ? RSAPrivateKey_dup(key->rsa) : RSAPublicKey_dup(key->rsa);
+		const BIGNUM *d;
+
+		RSA_get0_key(key->rsa,NULL,NULL,&d);
+		new->rsa = (d != NULL) ? RSAPrivateKey_dup(key->rsa) : RSAPublicKey_dup(key->rsa);
 		if (new->rsa == NULL)
 			goto dup_error;
 	}
Index: ipsec-tools-0.8.2/src/racoon/prsa_par.y
===================================================================
--- ipsec-tools-0.8.2.orig/src/racoon/prsa_par.y
+++ ipsec-tools-0.8.2/src/racoon/prsa_par.y
@@ -174,31 +174,31 @@ statement:
 rsa_statement:
 	TAG_RSA OBRACE params EBRACE
 	{
+
 		if (prsa_cur_type == RSA_TYPE_PUBLIC) {
+			const BIGNUM *n, *e;
 			prsawarning("Using private key for public key purpose.\n");
-			if (!rsa_cur->n || !rsa_cur->e) {
+			RSA_get0_key(rsa_cur,&n,&e,NULL);
+			if (!n || !e) {
 				prsaerror("Incomplete key. Mandatory parameters are missing!\n");
 				YYABORT;
 			}
 		}
 		else {
-			if (!rsa_cur->n || !rsa_cur->e || !rsa_cur->d) {
+			const BIGNUM *n, *e, *d;
+			const BIGNUM *p, *q, *dmp1, *dmq1, *iqmp;
+
+			RSA_get0_key(rsa_cur,&n,&e,&d);
+			if (!n || !e || !d) {
 				prsaerror("Incomplete key. Mandatory parameters are missing!\n");
 				YYABORT;
 			}
-			if (!rsa_cur->p || !rsa_cur->q || !rsa_cur->dmp1
-			    || !rsa_cur->dmq1 || !rsa_cur->iqmp) {
-				if (rsa_cur->p) BN_clear_free(rsa_cur->p);
-				if (rsa_cur->q) BN_clear_free(rsa_cur->q);
-				if (rsa_cur->dmp1) BN_clear_free(rsa_cur->dmp1);
-				if (rsa_cur->dmq1) BN_clear_free(rsa_cur->dmq1);
-				if (rsa_cur->iqmp) BN_clear_free(rsa_cur->iqmp);
-
-				rsa_cur->p = NULL;
-				rsa_cur->q = NULL;
-				rsa_cur->dmp1 = NULL;
-				rsa_cur->dmq1 = NULL;
-				rsa_cur->iqmp = NULL;
+			RSA_get0_factors(rsa_cur,&p,&q);
+			RSA_get0_crt_params(rsa_cur,&dmp1,&dmq1,&iqmp);
+			if (!p || !q || !dmp1 || !dmq1 || !iqmp) {
+				/* i think the intent here is to clear the key if it is incomplete ? */
+				RSA_free(rsa_cur);
+				rsa_cur = RSA_new();
 			}
 		}
 		$$ = rsa_cur;
@@ -301,21 +301,21 @@ params:
 
 param:
 	MODULUS COLON HEX 
-	{ if (!rsa_cur->n) rsa_cur->n = $3; else { prsaerror ("Modulus already defined\n"); YYABORT; } }
+	{ const BIGNUM *n; RSA_get0_key(rsa_cur,&n, NULL, NULL); if (!n) RSA_set0_key(rsa_cur,$3,NULL,NULL); else { prsaerror ("Modulus already defined\n"); YYABORT; } }
 	| PUBLIC_EXPONENT COLON HEX 
-	{ if (!rsa_cur->e) rsa_cur->e = $3; else { prsaerror ("PublicExponent already defined\n"); YYABORT; } }
+	{ const BIGNUM *e; RSA_get0_key(rsa_cur,NULL,&e,NULL); if (!e) RSA_set0_key(rsa_cur,NULL,$3,NULL); else { prsaerror ("PublicExponent already defined\n"); YYABORT; } }
 	| PRIVATE_EXPONENT COLON HEX 
-	{ if (!rsa_cur->d) rsa_cur->d = $3; else { prsaerror ("PrivateExponent already defined\n"); YYABORT; } }
+	{ const BIGNUM *d; RSA_get0_key(rsa_cur,NULL,NULL,&d); if (!d) RSA_set0_key(rsa_cur,NULL,NULL,$3); else { prsaerror ("PrivateExponent already defined\n"); YYABORT; } }
 	| PRIME1 COLON HEX 
-	{ if (!rsa_cur->p) rsa_cur->p = $3; else { prsaerror ("Prime1 already defined\n"); YYABORT; } }
+	{ const BIGNUM *p; RSA_get0_factors(rsa_cur,&p,NULL); if (!p) RSA_set0_factors(rsa_cur,$3,NULL); else { prsaerror ("Prime1 already defined\n"); YYABORT; } }
 	| PRIME2 COLON HEX 
-	{ if (!rsa_cur->q) rsa_cur->q = $3; else { prsaerror ("Prime2 already defined\n"); YYABORT; } }
+	{ const BIGNUM *q; RSA_get0_factors(rsa_cur,NULL,&q); if (!q) RSA_set0_factors(rsa_cur,NULL,$3); else { prsaerror ("Prime2 already defined\n"); YYABORT; } }
 	| EXPONENT1 COLON HEX 
-	{ if (!rsa_cur->dmp1) rsa_cur->dmp1 = $3; else { prsaerror ("Exponent1 already defined\n"); YYABORT; } }
+	{ const BIGNUM *dmp1; RSA_get0_crt_params(rsa_cur,&dmp1,NULL,NULL); if (!dmp1) RSA_set0_crt_params(rsa_cur,$3,NULL,NULL); else { prsaerror ("Exponent1 already defined\n"); YYABORT; } }
 	| EXPONENT2 COLON HEX 
-	{ if (!rsa_cur->dmq1) rsa_cur->dmq1 = $3; else { prsaerror ("Exponent2 already defined\n"); YYABORT; } }
+	{ const BIGNUM *dmq1; RSA_get0_crt_params(rsa_cur,NULL,&dmq1,NULL); if (!dmq1) RSA_set0_crt_params(rsa_cur,NULL,$3,NULL); else { prsaerror ("Exponent2 already defined\n"); YYABORT; } }
 	| COEFFICIENT COLON HEX 
-	{ if (!rsa_cur->iqmp) rsa_cur->iqmp = $3; else { prsaerror ("Coefficient already defined\n"); YYABORT; } }
+	{ const BIGNUM *iqmp; RSA_get0_crt_params(rsa_cur,NULL,NULL,&iqmp); if (!iqmp) RSA_set0_crt_params(rsa_cur,NULL,NULL,$3); else { prsaerror ("Coefficient already defined\n"); YYABORT; } }
 	;
 %%
 
Index: ipsec-tools-0.8.2/src/racoon/plainrsa-gen.c
===================================================================
--- ipsec-tools-0.8.2.orig/src/racoon/plainrsa-gen.c
+++ ipsec-tools-0.8.2/src/racoon/plainrsa-gen.c
@@ -90,12 +90,14 @@ mix_b64_pubkey(const RSA *key)
 	char *binbuf;
 	long binlen, ret;
 	vchar_t *res;
-	
-	binlen = 1 + BN_num_bytes(key->e) + BN_num_bytes(key->n);
+	const BIGNUM *e, *n;
+
+	RSA_get0_key(key,&e,&n,NULL);
+	binlen = 1 + BN_num_bytes(e) + BN_num_bytes(n);
 	binbuf = malloc(binlen);
 	memset(binbuf, 0, binlen);
-	binbuf[0] = BN_bn2bin(key->e, (unsigned char *) &binbuf[1]);
-	ret = BN_bn2bin(key->n, (unsigned char *) (&binbuf[binbuf[0] + 1]));
+	binbuf[0] = BN_bn2bin(e, (unsigned char *) &binbuf[1]);
+	ret = BN_bn2bin(n, (unsigned char *) (&binbuf[binbuf[0] + 1]));
 	if (1 + binbuf[0] + ret != binlen) {
 		plog(LLV_ERROR, LOCATION, NULL,
 		     "Pubkey generation failed. This is really strange...\n");
@@ -122,25 +124,29 @@ int
 print_rsa_key(FILE *fp, const RSA *key)
 {
 	vchar_t *pubkey64 = NULL;
+	const BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp;
 
 	pubkey64 = mix_b64_pubkey(key);
 	if (!pubkey64) {
 		fprintf(stderr, "mix_b64_pubkey(): %s\n", eay_strerror());
 		return -1;
 	}
+	RSA_get0_key(key,&n,&e,&d);
+	RSA_get0_factors(key,&p,&q);
+	RSA_get0_crt_params(key,&dmp1,&dmq1,&iqmp);
 	
 	fprintf(fp, "# : PUB 0s%s\n", pubkey64->v);
 	fprintf(fp, ": RSA\t{\n");
-	fprintf(fp, "\t# RSA %d bits\n", BN_num_bits(key->n));
+	fprintf(fp, "\t# RSA %d bits\n", BN_num_bits(n));
 	fprintf(fp, "\t# pubkey=0s%s\n", pubkey64->v);
-	fprintf(fp, "\tModulus: 0x%s\n", lowercase(BN_bn2hex(key->n)));
-	fprintf(fp, "\tPublicExponent: 0x%s\n", lowercase(BN_bn2hex(key->e)));
-	fprintf(fp, "\tPrivateExponent: 0x%s\n", lowercase(BN_bn2hex(key->d)));
-	fprintf(fp, "\tPrime1: 0x%s\n", lowercase(BN_bn2hex(key->p)));
-	fprintf(fp, "\tPrime2: 0x%s\n", lowercase(BN_bn2hex(key->q)));
-	fprintf(fp, "\tExponent1: 0x%s\n", lowercase(BN_bn2hex(key->dmp1)));
-	fprintf(fp, "\tExponent2: 0x%s\n", lowercase(BN_bn2hex(key->dmq1)));
-	fprintf(fp, "\tCoefficient: 0x%s\n", lowercase(BN_bn2hex(key->iqmp)));
+	fprintf(fp, "\tModulus: 0x%s\n", lowercase(BN_bn2hex(n)));
+	fprintf(fp, "\tPublicExponent: 0x%s\n", lowercase(BN_bn2hex(e)));
+	fprintf(fp, "\tPrivateExponent: 0x%s\n", lowercase(BN_bn2hex(d)));
+	fprintf(fp, "\tPrime1: 0x%s\n", lowercase(BN_bn2hex(p)));
+	fprintf(fp, "\tPrime2: 0x%s\n", lowercase(BN_bn2hex(q)));
+	fprintf(fp, "\tExponent1: 0x%s\n", lowercase(BN_bn2hex(dmp1)));
+	fprintf(fp, "\tExponent2: 0x%s\n", lowercase(BN_bn2hex(dmq1)));
+	fprintf(fp, "\tCoefficient: 0x%s\n", lowercase(BN_bn2hex(iqmp)));
 	fprintf(fp, "  }\n");
 
 	vfree(pubkey64);