From b3c50d1d6e6ae038ddd22798cc4aad17948963ad Mon Sep 17 00:00:00 2001
From: Tobias Heider
Date: Fri, 24 Nov 2023 23:21:53 +0100
Subject: [PATCH 1/9] Rename contrib to linux, add openiked.service for distros.
---
 {contrib => linux}/iked.apparmor | 0
 linux/openiked.service | 12 ++++++++++++
 2 files changed, 12 insertions(+)
 rename {contrib => linux}/iked.apparmor (100%)
 create mode 100644 linux/openiked.service
diff --git a/contrib/iked.apparmor b/linux/iked.apparmor
similarity index 100%
rename from contrib/iked.apparmor
rename to linux/iked.apparmor
diff --git a/linux/openiked.service b/linux/openiked.service
new file mode 100644
index 00000000..e053e87a
--- /dev/null
+++ b/linux/openiked.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=OpenIKED IKEv2 daemon
+Documentation=man:iked(8)
+Requires=network-online.target
+
+[Service]
+Type=forking
+ExecStart=/usr/sbin/iked
+ExecReload=/usr/sbin/ikectl reload
+
+[Install]
+WantedBy=multi-user.target
From 204e82ca3e598120c1a5e7a590ac6bf20ac37d68 Mon Sep 17 00:00:00 2001
From: Tobias Heider
Date: Fri, 24 Nov 2023 23:23:54 +0100
Subject: [PATCH 2/9] Remove obsolete setup_config.sh
---
 setup_config.sh | 25 -------------------------
 1 file changed, 25 deletions(-)
 delete mode 100755 setup_config.sh
diff --git a/setup_config.sh b/setup_config.sh
deleted file mode 100755
index 39248f35..00000000
--- a/setup_config.sh
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/sh
-# Generate iked config directory structure and local key.
-
-set -e
-
-DIR=$1
-
-if [ -z "$DIR" ]; then
- echo "usage: $0 CONFIG_DIR"
- exit 1
-fi
-
-mkdir -p "$DIR/ca"
-mkdir -p "$DIR/certs"
-mkdir -p "$DIR/crls"
-mkdir -p "$DIR/private"
-mkdir -p "$DIR/pubkeys/ipv4"
-mkdir -p "$DIR/pubkeys/ipv6"
-mkdir -p "$DIR/pubkeys/fqdn"
-mkdir -p "$DIR/pubkeys/ufqdn"
-
-chmod -R 0700 "$DIR/private"
-
-openssl ecparam -genkey -name prime256v1 -noout -out "$DIR/private/local.key"
-openssl ec -in "$DIR/private/local.key" -pubout -out "$DIR/local.pub"
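Review bot: `Requires=network-online.target` in the new unit's [Unit] section adds a dependency but no ordering, so systemd may still launch iked before the network is up; add `After=network-online.target` beside it. The unit also hardcodes `/usr/sbin/iked` and `/usr/sbin/ikectl` although patch 5 of this series makes the sbin directory configurable, so either generate the unit with `configure_file()` from `CMAKE_INSTALL_SBINDIR` or note in a comment that the shipped unit assumes a `/usr` prefix. `Type=forking` with no `PIDFile=` leaves systemd to guess the main process; if iked writes a pid file, naming it here makes stop and reload deterministic.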
From 54ca735b7749dc69218423b4c2e69501965df2f8 Mon Sep 17 00:00:00 2001
From: tobhe
Date: Fri, 24 Nov 2023 14:43:00 +0000
Subject: [PATCH 3/9] Empty IKEv2 DPD messages should not contain extra NONE payloads from markus@
---
 iked/ikev2.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/iked/ikev2.c b/iked/ikev2.c
index ac8aebfe..c634ae86 100644
--- a/iked/ikev2.c
+++ b/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.379 2023/11/10 08:03:02 tobhe Exp $ */
+/* $OpenBSD: ikev2.c,v 1.380 2023/11/24 14:43:00 tobhe Exp $ */
 /*
 * Copyright (c) 2019 Tobias Heider
@@ -4059,10 +4059,10 @@ ikev2_send_ike_e(struct iked *env, struct iked_sa *sa, struct ibuf *buf,
 if ((e = ibuf_static()) == NULL)
 goto done;
- if ((pld = ikev2_add_payload(e)) == NULL)
- goto done;
-
 if (buf) {
+ if ((pld = ikev2_add_payload(e)) == NULL)
+ goto done;
+
 if (ibuf_add_buf(e, buf) != 0)
 goto done;
From 12001fb7f5586e3265695e98bbc33e91ce304b07 Mon Sep 17 00:00:00 2001
From: Tobias Heider
Date: Wed, 29 Nov 2023 15:13:04 +0100
Subject: [PATCH 4/9] Fix contrib install path
---
 iked/CMakeLists.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iked/CMakeLists.txt b/iked/CMakeLists.txt
index 685f19d2..49fe3eb9 100644
--- a/iked/CMakeLists.txt
+++ b/iked/CMakeLists.txt
@@ -169,7 +169,7 @@ install(FILES ${CMAKE_SOURCE_DIR}/iked.conf
 install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/iked.conf.5 DESTINATION ${CMAKE_INSTALL_MANDIR}/man5/)
 install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/iked.8 DESTINATION ${CMAKE_INSTALL_MANDIR}/man8/)
 if(WITH_APPARMOR)
- install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/../contrib/iked.apparmor
+ install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/../linux/iked.apparmor
 DESTINATION ${CMAKE_INSTALL_SYSCONFDIR}/apparmor.d/
 RENAME usr.sbin.iked)
 endif()
From cabc947453061b75715a78d83934f637666a1218 Mon Sep 17 00:00:00 2001
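Review bot: In the second ikev2.c hunk `pld` is now assigned only inside the `if (buf)` branch, so any later use of `pld` in ikev2_send_ike_e — the function continues past the hunk — must sit inside that same branch or it dereferences an uninitialised pointer; please confirm the remaining `ikev2_next_payload`-style call is within the braces. Assuming it is, a one-line comment above `if (buf) {` such as `/* no inner payload: leave the encrypted body empty rather than adding a NONE payload */` would record why the payload header moved.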
From: Tobias Heider
Date: Wed, 29 Nov 2023 15:19:20 +0100
Subject: [PATCH 5/9] Make sbin install path configurable and respect CMAKE_INSTALL_PREFIX
---
 CMakeLists.txt | 3 +++
 ikectl/CMakeLists.txt | 2 +-
 iked/CMakeLists.txt | 2 +-
 3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 95c4e3fe..a90fc8f7 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -82,6 +82,9 @@ endif()
 if (NOT DEFINED CMAKE_INSTALL_MANDIR)
 set (CMAKE_INSTALL_MANDIR ${CMAKE_INSTALL_PREFIX}/man)
 endif()
+if (NOT DEFINED CMAKE_INSTALL_SBINDIR)
+ set (CMAKE_INSTALL_SBINDIR ${CMAKE_INSTALL_PREFIX}/sbin)
+endif()
 check_linker_flag(C "LINKER:-z,now,-z,relro" HAVE_LD_Z)
diff --git a/ikectl/CMakeLists.txt b/ikectl/CMakeLists.txt
index df7f2153..30694206 100644
--- a/ikectl/CMakeLists.txt
+++ b/ikectl/CMakeLists.txt
@@ -57,7 +57,7 @@ target_link_libraries(ikectl PRIVATE util event crypto ssl compat
 )
-install(TARGETS ikectl RUNTIME DESTINATION sbin)
+install(TARGETS ikectl RUNTIME DESTINATION ${CMAKE_INSTALL_SBINDIR})
 install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/ikectl.8 DESTINATION ${CMAKE_INSTALL_MANDIR}/man8/)
 install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/ikeca.cnf DESTINATION ${CMAKE_INSTALL_SYSCONFDIR}/ssl)
 install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/ikex509v3.cnf DESTINATION ${CMAKE_INSTALL_SYSCONFDIR}/ssl)
diff --git a/iked/CMakeLists.txt b/iked/CMakeLists.txt
index 49fe3eb9..49394f3c 100644
--- a/iked/CMakeLists.txt
+++ b/iked/CMakeLists.txt
@@ -161,7 +161,7 @@ add_custom_command(
 DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/genmap.sh
 )
-install(TARGETS iked RUNTIME DESTINATION sbin)
+install(TARGETS iked RUNTIME DESTINATION ${CMAKE_INSTALL_SBINDIR})
 install(FILES ${CMAKE_SOURCE_DIR}/iked.conf
 PERMISSIONS OWNER_READ OWNER_WRITE
 DESTINATION ${CMAKE_INSTALL_SYSCONFDIR}
From d4fef0982f703e5825dd7d0aabfa972286598519 Mon Sep 17 00:00:00 2001
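Review bot: The new `CMAKE_INSTALL_SBINDIR` default is a normal variable holding an absolute path, whereas the variable of the same name from `include(GNUInstallDirs)` is a relative cache path that `install()` resolves against `CMAKE_INSTALL_PREFIX` on its own; the `NOT DEFINED` guard lets `-DCMAKE_INSTALL_SBINDIR=` win, but mixing the two conventions will bite whoever later adds GNUInstallDirs. It is at least consistent with the hand-rolled `CMAKE_INSTALL_MANDIR` two lines above, so the cleaner fix is to replace both with `include(GNUInstallDirs)`; failing that, declare it as `set(CMAKE_INSTALL_SBINDIR "${CMAKE_INSTALL_PREFIX}/sbin" CACHE PATH "Directory for sbin binaries")` so it is visible and editable in the cache.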
From: linderd <19273958+linderd@users.noreply.github.com>
Date: Sun, 3 Dec 2023 16:38:02 +0100
Subject: [PATCH 6/9] fix msan-problems in fuzzer-environment
---
 .clusterfuzzlite/Dockerfile | 2 +-
 .clusterfuzzlite/build.sh | 2 +-
 CMakeLists.txt | 2 +-
 regress/parser-libfuzzer/common.c | 2 ++
 regress/parser-libfuzzer/run_test.sh | 1 +
 5 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/.clusterfuzzlite/Dockerfile b/.clusterfuzzlite/Dockerfile
index 316c26ea..5ac96f08 100644
--- a/.clusterfuzzlite/Dockerfile
+++ b/.clusterfuzzlite/Dockerfile
@@ -1,7 +1,7 @@
 FROM gcr.io/oss-fuzz-base/base-builder:v1
 ENV CLUSTERFUZZLITE=TRUE
-RUN apt-get update && apt-get install -y bison libssl-dev libevent-dev libsystemd-dev
+RUN apt-get update && apt-get install -y bison libssl-dev libevent-dev
 COPY . $SRC/openiked-portable
 WORKDIR openiked-portable
 COPY .clusterfuzzlite/build.sh $SRC/
diff --git a/.clusterfuzzlite/build.sh b/.clusterfuzzlite/build.sh
index 6bb324cc..47728c2f 100755
--- a/.clusterfuzzlite/build.sh
+++ b/.clusterfuzzlite/build.sh
@@ -1,7 +1,7 @@
 #!/bin/bash -eu
 # build project
-cmake -S . -B build -DCMAKE_BUILD_TYPE=Release -DCLUSTERFUZZ=ON
+cmake -S . -B build -DCMAKE_BUILD_TYPE=DEBUG -DCLUSTERFUZZ=ON
 cmake --build build
 # copy binary and dict to $OUT
diff --git a/CMakeLists.txt b/CMakeLists.txt
index a90fc8f7..418997f1 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -409,7 +409,7 @@ if(CLUSTERFUZZ)
 add_subdirectory(regress/parser-libfuzzer)
 if (NOT DEFINED ENV{CLUSTERFUZZLITE})
 set(CMAKE_C_COMPILER clang)
- string(APPEND CMAKE_C_FLAGS " -g -O1 -fsanitize=fuzzer-no-link")
+ string(APPEND CMAKE_C_FLAGS " -g -O0 -fsanitize=fuzzer-no-link")
 endif()
 endif()
 add_subdirectory(compat)
diff --git a/regress/parser-libfuzzer/common.c b/regress/parser-libfuzzer/common.c
index 7871d208..2030e75e 100644
--- a/regress/parser-libfuzzer/common.c
+++ b/regress/parser-libfuzzer/common.c
@@ -12,6 +12,7 @@
 #include
 #include
+#include
 #include "iked.h"
 #include "types.h"
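Review bot: Dropping `libsystemd-dev` from the `apt-get install` line is presumably deliberate — an uninstrumented system libsystemd linked into an MSan build reports false positives — but nothing in the file says so, and the next contributor who notices systemd support missing from the fuzz build may simply add it back. A comment above the RUN line, `# no libsystemd-dev: an uninstrumented libsystemd produces MSan false positives`, would preserve the reason.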
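Review bot: `-DCMAKE_BUILD_TYPE=DEBUG` on the cmake line is an unconventional spelling; CMake upper-cases the build type when it selects `CMAKE_C_FLAGS_<CONFIG>`, so the flags still apply, but any `if(CMAKE_BUILD_TYPE STREQUAL "Debug")` in the project's own CMake code would not match it. Use `-DCMAKE_BUILD_TYPE=Debug`. The base-builder image presumably injects the sanitizer flags through `$CFLAGS`, so the build type only changes optimisation level and debug info here.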
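Review bot: The `-O1` to `-O0` change on the `string(APPEND CMAKE_C_FLAGS ...)` line is inside `if (NOT DEFINED ENV{CLUSTERFUZZLITE})`, and the Dockerfile in this same patch sets `ENV CLUSTERFUZZLITE=TRUE`, so it cannot affect the ClusterFuzzLite MSan build the commit message targets — only local libFuzzer runs, which get noticeably slower at `-O0`. If `-O1` was hiding an MSan report locally, record that in a comment such as `# -O0: keep uninitialised reads visible to MSan in local runs`; otherwise restore `-O1`, which libFuzzer's own guidance recommends.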
@@ -162,6 +163,7 @@ ssize_t
 ikev2_nat_detection(struct iked *env, struct iked_message *msg, void *ptr,
 size_t len, u_int type, int frompeer)
 {
+ bzero(ptr, len);
 return (0);
 }
diff --git a/regress/parser-libfuzzer/run_test.sh b/regress/parser-libfuzzer/run_test.sh
index 9560e07d..d77855d4 100644
--- a/regress/parser-libfuzzer/run_test.sh
+++ b/regress/parser-libfuzzer/run_test.sh
@@ -1,6 +1,7 @@
 #!/bin/sh
 # script to run the parser-fuzzer for 5 minutes with the right options
+# use repo github.com/openiked/openiked-fuzzing/corpus/test_libfuzzer as corpus for faster results
 # ASAN-option to help finding the source of memory leaks
 export ASAN_OPTIONS=fast_unwind_on_malloc=0
From 727ace8ee2bdf44b03c3b80d0dc0d79b3c7e16d5 Mon Sep 17 00:00:00 2001
From: Markus Friedl
Date: Thu, 18 Jan 2024 21:44:50 +0100
Subject: [PATCH 7/9] vroute-netlink: pull missing leak fix from vroute
---
 iked/vroute-netlink.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/iked/vroute-netlink.c b/iked/vroute-netlink.c
index ae5177c1..34284479 100644
--- a/iked/vroute-netlink.c
+++ b/iked/vroute-netlink.c
@@ -328,12 +328,13 @@ void
 vroute_removeroute(struct iked *env, struct sockaddr *dest)
 {
 struct iked_vroute_sc *ivr = env->sc_vroute;
- struct vroute_route *route;
+ struct vroute_route *route, *troute;
- TAILQ_FOREACH(route, &ivr->ivr_routes, vr_entry) {
+ TAILQ_FOREACH_SAFE(route, &ivr->ivr_routes, vr_entry, troute) {
 if (sockaddr_cmp(dest, (struct sockaddr *)&route->vr_dest, -1))
 continue;
 TAILQ_REMOVE(&ivr->ivr_routes, route, vr_entry);
+ free(route);
 }
 }
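Review bot: The `bzero(ptr, len)` stub now zeroes the caller's buffer but still returns 0, while the real `ikev2_nat_detection` returns an `ssize_t`; if callers use that value as the digest length (they are outside this file) the harness exercises a different contract than production code. Either `return (len);` or state the intent in a comment, e.g. `/* fuzz stub: zero the digest buffer so MSan does not flag the caller's read */`. `memset(ptr, 0, len)` would also avoid the legacy `bzero()` and the extra `#include` added in the first hunk (its header name is lost in this rendering, presumably `<strings.h>`).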
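Review bot: `free(route)` after `TAILQ_REMOVE` fixes the node leak only if `struct vroute_route` owns no further heap allocations; the struct definition is outside this hunk, so please check that `vr_dest` and any sibling fields are inline storage. The loop deliberately continues after freeing (hence `TAILQ_FOREACH_SAFE`), which is correct if several entries can share a destination; if the list holds at most one entry per destination, a `break;` after `free(route)` would make that explicit and avoid walking the rest of the list.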
@@ -393,9 +394,9 @@ vroute_removeaddr(struct iked *env, int ifidx, struct sockaddr *addr,
 struct sockaddr *mask)
 {
 struct iked_vroute_sc *ivr = env->sc_vroute;
- struct vroute_addr *vaddr;
+ struct vroute_addr *vaddr, *tvaddr;
- TAILQ_FOREACH(vaddr, &ivr->ivr_addrs, va_entry) {
+ TAILQ_FOREACH_SAFE(vaddr, &ivr->ivr_addrs, va_entry, tvaddr) {
 if (sockaddr_cmp(addr, (struct sockaddr *)&vaddr->va_addr, -1))
 continue;
 if (sockaddr_cmp(mask, (struct sockaddr *)&vaddr->va_mask, -1))
@@ -403,6 +404,7 @@ vroute_removeaddr(struct iked *env, int ifidx, struct sockaddr *addr,
 if (ifidx != vaddr->va_ifidx)
 continue;
 TAILQ_REMOVE(&ivr->ivr_addrs, vaddr, va_entry);
+ free(vaddr);
 }
 }
From a0fc2e0d629a081b170adabc8d092653b07f1d4a Mon Sep 17 00:00:00 2001
From: Markus Friedl
Date: Thu, 8 Feb 2024 10:02:13 +0100
Subject: [PATCH 8/9] iked: fix vroute_dbus_dns: System.Error.ENOTCONN
move sd_bus_open_system() to vroute_do_dns(), otherwise we keep the dbus handle for the lifetime of iked and dbus calls fail with ENOTCONN.
---
 iked/vroute-netlink.c | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/iked/vroute-netlink.c b/iked/vroute-netlink.c
index 34284479..8a085280 100644
--- a/iked/vroute-netlink.c
+++ b/iked/vroute-netlink.c
@@ -109,15 +109,6 @@ vroute_init(struct iked *env)
 NETLINK_ROUTE)) == -1)
 fatal("%s: failed to create netlink socket", __func__);
-#ifdef WITH_SYSTEMD
- int r;
- r = sd_bus_open_system(&ivr->ivr_bus);
- if (r < 0) {
- log_warn("%s: sd_bus_open_system", __func__);
- ivr->ivr_bus = NULL;
- }
-#endif
-
 TAILQ_INIT(&ivr->ivr_addrs);
 TAILQ_INIT(&ivr->ivr_dnss);
 TAILQ_INIT(&ivr->ivr_routes);
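Review bot: With the `sd_bus_open_system()` block removed, nothing in `vroute_init` writes `ivr->ivr_bus` any more, yet the second hunk of this patch makes `vroute_dodns` treat a non-NULL `ivr_bus` as an internal error and bail out. That is only safe if `ivr` is allocated with `calloc()` or otherwise zeroed, which happens outside the hunk; please confirm, or add `ivr->ivr_bus = NULL;` under `#ifdef WITH_SYSTEMD` beside the `TAILQ_INIT` calls so the invariant does not depend on the allocator.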
@@ -745,12 +736,23 @@ int
 vroute_dodns(struct iked *env, int add, unsigned int ifindex)
 {
 #ifdef WITH_SYSTEMD
+ struct iked_vroute_sc *ivr = env->sc_vroute;
 const char *destination = "org.freedesktop.resolve1";
 const char *path = "/org/freedesktop/resolve1";
 const char *interface = "org.freedesktop.resolve1.Manager";
 sd_bus_error error = SD_BUS_ERROR_NULL;
 int ret;
+ if (ivr->ivr_bus != NULL) {
+ log_warnx("%s: vr_bus already set, internal error", __func__);
+ return (0);
+ }
+ if (sd_bus_open_system(&ivr->ivr_bus) < 0) {
+ log_warn("%s: sd_bus_open_system failed", __func__);
+ ivr->ivr_bus = NULL;
+ return (0);
+ }
+
 ret = vroute_dbus_dns(env, ifindex, &error, add, destination, path,
 interface);
 if (ret < 0 && sd_bus_error_has_name(&error,
@@ -780,6 +782,9 @@ vroute_dodns(struct iked *env, int add, unsigned int ifindex)
 error.name, error.message);
 sd_bus_error_free(&error);
 }
+
+ sd_bus_flush_close_unref(ivr->ivr_bus);
+ ivr->ivr_bus = NULL;
 #endif
 return (0);
 }
From 8cb354a915cd8529a7283dbe74cbaf62db0a7543 Mon Sep 17 00:00:00 2001
From: David Linder <19273958+linderd@users.noreply.github.com>
Date: Wed, 6 Mar 2024 14:45:19 +0100
Subject: [PATCH 9/9] fix linking on macOS with Homebrew and different OpenSSL versions
---
 CMakeLists.txt | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 418997f1..2f90a3f0 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
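Review bot: `log_warn("%s: sd_bus_open_system failed", __func__)` will print `strerror(errno)` if `log_warn()` follows the usual OpenBSD log.c, but sd-bus reports failures as a negative errno return value without touching `errno`, so the logged reason can be stale or misleading (the block deleted from vroute_init had the same flaw). Keep the return value and log it yourself: `if ((r = sd_bus_open_system(&ivr->ivr_bus)) < 0) { log_warnx("%s: sd_bus_open_system: %s", __func__, strerror(-r));`. Separately, the bus is opened at the top of vroute_dodns and closed only in the final hunk, and the lines between the two hunks are not visible here; any early `return` there would leak the connection and, because a non-NULL `ivr_bus` is now an internal error, silently disable all later DNS updates — routing every exit through an `out:` label that calls `sd_bus_flush_close_unref()` and resets `ivr_bus` would make that robust.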
@@ -36,11 +36,11 @@ if (CMAKE_SYSTEM_NAME MATCHES "Darwin")
 if (HOMEBREW AND CMAKE_HOST_SYSTEM_PROCESSOR MATCHES "arm64")
 include_directories("/opt/homebrew/include")
 link_directories("/opt/homebrew/lib")
- include_directories("/opt/homebrew/opt/openssl@1.1/include")
- link_directories("/opt/homebrew/opt/openssl@1.1/lib")
+ include_directories("/opt/homebrew/opt/openssl/include")
+ link_directories("/opt/homebrew/opt/openssl/lib")
 else()
- include_directories("/usr/local/opt/openssl@1.1/include")
- link_directories("/usr/local/opt/openssl@1.1/lib")
+ include_directories("/usr/local/opt/openssl/include")
+ link_directories("/usr/local/opt/openssl/lib")
 endif()
 set(HAVE_VROUTE ON)
 elseif(CMAKE_SYSTEM_NAME MATCHES "OpenBSD")
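Review bot: `/opt/homebrew/opt/openssl` and `/usr/local/opt/openssl` are Homebrew's moving "current openssl" links, so the build now silently picks whichever major version the local Homebrew resolves (openssl@3 today) instead of the pinned 1.1 — a behaviour change that can differ from machine to machine. The enclosing `if (CMAKE_SYSTEM_NAME MATCHES "Darwin")` block begins before the hunk, but the idiomatic fix is to drop these `include_directories`/`link_directories` calls entirely, use `find_package(OpenSSL REQUIRED)` and link `OpenSSL::SSL`/`OpenSSL::Crypto` on the targets, letting Homebrew users pass `-DOPENSSL_ROOT_DIR=$(brew --prefix openssl)`. If the hardcoded paths stay, a comment above `if (HOMEBREW ...)` naming the OpenSSL versions the project is built against would at least make the dependency explicit.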