polarssl: update to version 1.3.4 and add openssl compat patch
authorFelix Fietkau <nbd@openwrt.org>
Fri, 14 Mar 2014 15:05:46 +0000 (15:05 +0000)
committerFelix Fietkau <nbd@openwrt.org>
Fri, 14 Mar 2014 15:05:46 +0000 (15:05 +0000)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 39930

package/libs/polarssl/Makefile
package/libs/polarssl/patches/200-reduce_config.patch
package/libs/polarssl/patches/210-gen_key_config_fix.patch [new file with mode: 0644]
package/libs/polarssl/patches/300-openssl_cipher_name_compat.patch [deleted file]
package/network/services/openvpn/patches/100-polarssl_compat.h [new file with mode: 0644]

index 209281e4062c546627194e084e6ac36b36321d26..b59605d7938975f8df8bedf9fb26ac6b3f4cf7d6 100644 (file)
@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=polarssl
-PKG_VERSION:=1.2.9
+PKG_VERSION:=1.3.4
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-gpl.tgz
 PKG_SOURCE_URL:=https://polarssl.org/code/releases
-PKG_MD5SUM:=3d8e01537e747d7997993c70f2e108db
+PKG_MD5SUM:=30a75c5f171be49f805f3bf64a0af054
 
 include $(INCLUDE_DIR)/package.mk
 include $(INCLUDE_DIR)/cmake.mk
@@ -35,6 +35,7 @@ $(call Package/polarssl/Default)
   SECTION:=libs
   CATEGORY:=Libraries
   TITLE+= (library)
+  ABI_VERSION:=$(PKG_VERSION)
 endef
 
 define Package/libpolarssl/description
index 40bdedc5a79a40b19d31a229074ecea4681a70c4..a7e06f583344f2bc21c93d9beba9eab71726f80f 100644 (file)
@@ -1,16 +1,96 @@
 --- a/include/polarssl/config.h
 +++ b/include/polarssl/config.h
-@@ -206,8 +206,8 @@
-  * Requires: POLARSSL_BIGNUM_C, POLARSSL_RSA_C
+@@ -315,8 +315,8 @@
+  *      TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
+  *      TLS_PSK_WITH_3DES_EDE_CBC_SHA
+  *      TLS_PSK_WITH_RC4_128_SHA
+- */
+ #define POLARSSL_KEY_EXCHANGE_PSK_ENABLED
++ */
+ /**
+  * \def POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED
+@@ -339,8 +339,8 @@
+  *      TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
+  *      TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
+  *      TLS_DHE_PSK_WITH_RC4_128_SHA
+- */
+ #define POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED
++ */
+ /**
+  * \def POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+@@ -359,8 +359,8 @@
+  *      TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
+  *      TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
+  *      TLS_ECDHE_PSK_WITH_RC4_128_SHA
+- */
+ #define POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED
++ */
+ /**
+  * \def POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED
+@@ -384,8 +384,8 @@
+  *      TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
+  *      TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
+  *      TLS_RSA_PSK_WITH_RC4_128_SHA
+- */
+ #define POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED
++ */
+ /**
+  * \def POLARSSL_KEY_EXCHANGE_RSA_ENABLED
+@@ -463,8 +463,8 @@
+  *      TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
+  *      TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+  *      TLS_ECDHE_RSA_WITH_RC4_128_SHA
+- */
+ #define POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED
++ */
+ /**
+  * \def POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+@@ -487,8 +487,8 @@
+  *      TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
+  *      TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
+  *      TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
+- */
+ #define POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
++ */
+ /**
+  * \def POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+@@ -511,8 +511,8 @@
+  *      TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
+  *      TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
+  *      TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
+- */
+ #define POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
++ */
+ /**
+  * \def POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED
+@@ -535,8 +535,8 @@
+  *      TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
+  *      TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
+  *      TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
+- */
+ #define POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED
++ */
+ /**
+  * \def POLARSSL_ERROR_STRERROR_BC
+@@ -566,8 +566,8 @@
+  * Enable the prime-number generation code.
   *
-  * Enable the RSA prime-number generation code.
+  * Requires: POLARSSL_BIGNUM_C
 - */
  #define POLARSSL_GENPRIME
 + */
  
  /**
   * \def POLARSSL_FS_IO
-@@ -264,8 +264,8 @@
+@@ -662,8 +662,8 @@
   * \def POLARSSL_SELF_TEST
   *
   * Enable the checkup functions (*_self_test).
  
  /**
   * \def POLARSSL_SSL_ALL_ALERT_MESSAGES
-@@ -466,8 +466,8 @@
-  *      TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
-  *      TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
-  *      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
+@@ -1107,8 +1107,8 @@
+  *      TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
+  *      TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
+  *      TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
 - */
  #define POLARSSL_CAMELLIA_C
 + */
  
  /**
   * \def POLARSSL_CERTS_C
-@@ -478,8 +478,8 @@
-  * Caller:
+@@ -1121,8 +1121,8 @@
+  * Requires: POLARSSL_PEM_PARSE_C
   *
   * This module is used for testing (ssl_client/server).
 - */
  
  /**
   * \def POLARSSL_CIPHER_C
-@@ -518,8 +518,8 @@
+@@ -1161,8 +1161,8 @@
   *          library/ssl_tls.c
   *
   * This module provides debugging functions.
  
  /**
   * \def POLARSSL_DES_C
-@@ -604,8 +604,8 @@
-  * enabled as well):
-  *      TLS_RSA_WITH_AES_128_GCM_SHA256
-  *      TLS_RSA_WITH_AES_256_GCM_SHA384
+@@ -1217,8 +1217,8 @@
+  *      ECDHE-ECDSA, ECDHE-RSA, DHE-PSK
+  *
+  * Requires: POLARSSL_ECP_C
+- */
+ #define POLARSSL_ECDH_C
++ */
+ /**
+  * \def POLARSSL_ECDSA_C
+@@ -1232,8 +1232,8 @@
+  *      ECDHE-ECDSA
+  *
+  * Requires: POLARSSL_ECP_C, POLARSSL_ASN1_WRITE_C, POLARSSL_ASN1_PARSE_C
+- */
+ #define POLARSSL_ECDSA_C
++ */
+ /**
+  * \def POLARSSL_ECP_C
+@@ -1245,8 +1245,8 @@
+  *          library/ecdsa.c
+  *
+  * Requires: POLARSSL_BIGNUM_C and at least one POLARSSL_ECP_DP_XXX_ENABLED
+- */
+ #define POLARSSL_ECP_C
++ */
+ /**
+  * \def POLARSSL_ENTROPY_C
+@@ -1285,8 +1285,8 @@
+  *
+  * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other
+  * requisites are enabled as well.
 - */
  #define POLARSSL_GCM_C
 + */
  
  /**
   * \def POLARSSL_HAVEGE_C
-@@ -704,8 +704,8 @@
-  * Caller:  library/aes.c
+@@ -1436,8 +1436,8 @@
+  * Requires: POLARSSL_HAVE_ASM
   *
   * This modules adds support for the VIA PadLock on x86.
 - */
  
  /**
   * \def POLARSSL_PBKDF2_C
-@@ -848,8 +848,8 @@
+@@ -1584,8 +1584,8 @@
+  * Module:  library/ripemd160.c
+  * Caller:  library/md.c
+  *
+- */
+ #define POLARSSL_RIPEMD160_C
++ */
+ /**
+  * \def POLARSSL_RSA_C
+@@ -1664,8 +1664,8 @@
   * Caller:
   *
   * Requires: POLARSSL_SSL_CACHE_C
  
  /**
   * \def POLARSSL_SSL_CLI_C
-@@ -903,8 +903,8 @@
+@@ -1741,8 +1741,8 @@
   * Caller:  library/havege.c
   *
   * This module is used by the HAVEGE random number generator.
  
  /**
   * \def POLARSSL_VERSION_C
-@@ -953,8 +953,8 @@
+@@ -1862,8 +1862,8 @@
   *
   * Module:  library/xtea.c
   * Caller:
 - */
  #define POLARSSL_XTEA_C
 + */
- /* \} name */
  
- /**
+ /* \} name SECTION: PolarSSL modules */
diff --git a/package/libs/polarssl/patches/210-gen_key_config_fix.patch b/package/libs/polarssl/patches/210-gen_key_config_fix.patch
new file mode 100644 (file)
index 0000000..d682e28
--- /dev/null
@@ -0,0 +1,38 @@
+--- a/programs/pkey/gen_key.c
++++ b/programs/pkey/gen_key.c
+@@ -155,7 +155,9 @@ int main( int argc, char *argv[] )
+     opt.type                = DFL_TYPE;
+     opt.rsa_keysize         = DFL_RSA_KEYSIZE;
++#if defined(POLARSSL_ECP_C)
+     opt.ec_curve            = DFL_EC_CURVE;
++#endif
+     opt.filename            = DFL_FILENAME;
+     opt.format              = DFL_FORMAT;
+@@ -170,8 +172,10 @@ int main( int argc, char *argv[] )
+         {
+             if( strcmp( q, "rsa" ) == 0 )
+                 opt.type = POLARSSL_PK_RSA;
++#if defined(POLARSSL_ECP_C)
+             if( strcmp( q, "ec" ) == 0 )
+                 opt.type = POLARSSL_PK_ECKEY;
++#endif
+             else
+                 goto usage;
+         }
+@@ -190,12 +194,14 @@ int main( int argc, char *argv[] )
+             if( opt.rsa_keysize < 1024 || opt.rsa_keysize > 8192 )
+                 goto usage;
+         }
++#if defined(POLARSSL_ECP_C)
+         else if( strcmp( p, "ec_curve" ) == 0 )
+         {
+             if( ( curve_info = ecp_curve_info_from_name( q ) ) == NULL )
+                 goto usage;
+             opt.ec_curve = curve_info->grp_id;
+         }
++#endif
+         else if( strcmp( p, "filename" ) == 0 )
+             opt.filename = q;
+         else
diff --git a/package/libs/polarssl/patches/300-openssl_cipher_name_compat.patch b/package/libs/polarssl/patches/300-openssl_cipher_name_compat.patch
deleted file mode 100644 (file)
index 474a859..0000000
+++ /dev/null
@@ -1,53 +0,0 @@
---- a/library/cipher.c
-+++ b/library/cipher.c
-@@ -279,15 +279,21 @@ const cipher_info_t *cipher_info_from_st
- #if defined(POLARSSL_BLOWFISH_C)
-     if( !strcasecmp( "BLOWFISH-CBC", cipher_name ) )
-         return cipher_info_from_type( POLARSSL_CIPHER_BLOWFISH_CBC );
-+    if( !strcasecmp( "BF-CBC", cipher_name ) )
-+        return cipher_info_from_type( POLARSSL_CIPHER_BLOWFISH_CBC );
- #if defined(POLARSSL_CIPHER_MODE_CFB)
-     if( !strcasecmp( "BLOWFISH-CFB64", cipher_name ) )
-         return cipher_info_from_type( POLARSSL_CIPHER_BLOWFISH_CFB64 );
-+    if( !strcasecmp( "BF-CFB64", cipher_name ) )
-+        return cipher_info_from_type( POLARSSL_CIPHER_BLOWFISH_CFB64 );
- #endif /* defined(POLARSSL_CIPHER_MODE_CFB) */
- #if defined(POLARSSL_CIPHER_MODE_CTR)
-     if( !strcasecmp( "BLOWFISH-CTR", cipher_name ) )
-         return cipher_info_from_type( POLARSSL_CIPHER_BLOWFISH_CTR );
-+    if( !strcasecmp( "BF-CTR", cipher_name ) )
-+        return cipher_info_from_type( POLARSSL_CIPHER_BLOWFISH_CTR );
- #endif /* defined(POLARSSL_CIPHER_MODE_CTR) */
- #endif
---- a/library/cipher_wrap.c
-+++ b/library/cipher_wrap.c
-@@ -643,7 +643,7 @@ const cipher_info_t blowfish_cbc_info =
-     POLARSSL_CIPHER_BLOWFISH_CBC,
-     POLARSSL_MODE_CBC,
-     128,
--    "BLOWFISH-CBC",
-+    "BF-CBC",
-     8,
-     8,
-     &blowfish_info
-@@ -654,7 +654,7 @@ const cipher_info_t blowfish_cfb64_info
-     POLARSSL_CIPHER_BLOWFISH_CFB64,
-     POLARSSL_MODE_CFB,
-     128,
--    "BLOWFISH-CFB64",
-+    "BF-CFB64",
-     8,
-     8,
-     &blowfish_info
-@@ -666,7 +666,7 @@ const cipher_info_t blowfish_ctr_info =
-     POLARSSL_CIPHER_BLOWFISH_CTR,
-     POLARSSL_MODE_CTR,
-     128,
--    "BLOWFISH-CTR",
-+    "BF-CTR",
-     8,
-     8,
-     &blowfish_info
diff --git a/package/network/services/openvpn/patches/100-polarssl_compat.h b/package/network/services/openvpn/patches/100-polarssl_compat.h
new file mode 100644 (file)
index 0000000..c68e3b4
--- /dev/null
@@ -0,0 +1,221 @@
+--- a/src/openvpn/ssl_polarssl.h
++++ b/src/openvpn/ssl_polarssl.h
+@@ -36,6 +36,8 @@
+ #include <polarssl/pkcs11.h>
+ #endif
++#include <polarssl/compat-1.2.h>
++
+ typedef struct _buffer_entry buffer_entry;
+ struct _buffer_entry {
+--- a/src/openvpn/ssl_polarssl.c
++++ b/src/openvpn/ssl_polarssl.c
+@@ -44,7 +44,7 @@
+ #include "manage.h"
+ #include "ssl_common.h"
+-#include <polarssl/sha2.h>
++#include <polarssl/sha256.h>
+ #include <polarssl/havege.h>
+ #include "ssl_verify_polarssl.h"
+@@ -204,12 +204,12 @@ tls_ctx_load_dh_params (struct tls_root_
+ {
+   if (!strcmp (dh_file, INLINE_FILE_TAG) && dh_file_inline)
+     {
+-      if (0 != x509parse_dhm(ctx->dhm_ctx, dh_file_inline, strlen(dh_file_inline)))
++      if (0 != dhm_parse_dhm(ctx->dhm_ctx, dh_file_inline, strlen(dh_file_inline)))
+       msg (M_FATAL, "Cannot read inline DH parameters");
+   }
+ else
+   {
+-    if (0 != x509parse_dhmfile(ctx->dhm_ctx, dh_file))
++    if (0 != dhm_parse_dhmfile(ctx->dhm_ctx, dh_file))
+       msg (M_FATAL, "Cannot read DH parameters from file %s", dh_file);
+   }
+@@ -530,7 +530,7 @@ void key_state_ssl_init(struct key_state
+           ssl_pkcs11_key_len );
+       else
+ #endif
+-      ssl_set_own_cert( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key );
++      ssl_set_own_cert_rsa( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key );
+       /* Initialise SSL verification */
+       ssl_set_authmode (ks_ssl->ctx, SSL_VERIFY_REQUIRED);
+@@ -832,7 +832,7 @@ print_details (struct key_state_ssl * ks
+   cert = ssl_get_peer_cert(ks_ssl->ctx);
+   if (cert != NULL)
+     {
+-      openvpn_snprintf (s2, sizeof (s2), ", " counter_format " bit RSA", (counter_type) cert->rsa.len * 8);
++      openvpn_snprintf (s2, sizeof (s2), ", " counter_format " bit RSA", (counter_type) pk_rsa(cert->pk)->len * 8);
+     }
+   msg (D_HANDSHAKE, "%s%s", s1, s2);
+--- a/src/openvpn/crypto_polarssl.c
++++ b/src/openvpn/crypto_polarssl.c
+@@ -466,7 +466,12 @@ int cipher_ctx_mode (const cipher_contex
+ int cipher_ctx_reset (cipher_context_t *ctx, uint8_t *iv_buf)
+ {
+-  return 0 == cipher_reset(ctx, iv_buf);
++  int retval = cipher_reset(ctx);
++
++  if (0 == retval)
++    cipher_set_iv(ctx, iv_buf, ctx->cipher_info->iv_size);
++
++  return 0 == retval;
+ }
+ int cipher_ctx_update (cipher_context_t *ctx, uint8_t *dst, int *dst_len,
+--- a/src/openvpn/ssl_verify_polarssl.h
++++ b/src/openvpn/ssl_verify_polarssl.h
+@@ -34,6 +34,7 @@
+ #include "misc.h"
+ #include "manage.h"
+ #include <polarssl/x509.h>
++#include <polarssl/compat-1.2.h>
+ #ifndef __OPENVPN_X509_CERT_T_DECLARED
+ #define __OPENVPN_X509_CERT_T_DECLARED
+--- a/src/openvpn/ssl_verify.c
++++ b/src/openvpn/ssl_verify.c
+@@ -437,7 +437,7 @@ verify_cert_set_env(struct env_set *es, 
+ #endif
+   /* export serial number as environmental variable */
+-  serial = x509_get_serial(peer_cert, &gc);
++  serial = backend_x509_get_serial(peer_cert, &gc);
+   openvpn_snprintf (envname, sizeof(envname), "tls_serial_%d", cert_depth);
+   setenv_str (es, envname, serial);
+@@ -564,7 +564,7 @@ verify_check_crl_dir(const char *crl_dir
+   int fd = -1;
+   struct gc_arena gc = gc_new();
+-  char *serial = x509_get_serial(cert, &gc);
++  char *serial = backend_x509_get_serial(cert, &gc);
+   if (!openvpn_snprintf(fn, sizeof(fn), "%s%c%s", crl_dir, OS_SPECIFIC_DIRSEP, serial))
+     {
+--- a/src/openvpn/ssl_verify_backend.h
++++ b/src/openvpn/ssl_verify_backend.h
+@@ -122,7 +122,7 @@ result_t x509_get_username (char *common
+  *
+  * @return            The certificate's serial number.
+  */
+-char *x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc);
++char *backend_x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc);
+ /*
+  * Save X509 fields to environment, using the naming convention:
+--- a/src/openvpn/ssl_verify_openssl.c
++++ b/src/openvpn/ssl_verify_openssl.c
+@@ -220,7 +220,7 @@ x509_get_username (char *common_name, in
+ }
+ char *
+-x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc)
++backend_x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc)
+ {
+   ASN1_INTEGER *asn1_i;
+   BIGNUM *bignum;
+--- a/src/openvpn/ssl_verify_polarssl.c
++++ b/src/openvpn/ssl_verify_polarssl.c
+@@ -38,6 +38,7 @@
+ #if defined(ENABLE_SSL) && defined(ENABLE_CRYPTO_POLARSSL)
+ #include "ssl_verify.h"
++#include <polarssl/oid.h>
+ #include <polarssl/sha1.h>
+ #define MAX_SUBJECT_LENGTH 256
+@@ -100,7 +101,7 @@ x509_get_username (char *cn, int cn_len,
+   /* Find common name */
+   while( name != NULL )
+   {
+-      if( memcmp( name->oid.p, OID_CN, OID_SIZE(OID_CN) ) == 0)
++      if( memcmp( name->oid.p, OID_AT_CN, OID_SIZE(OID_AT_CN) ) == 0)
+       break;
+       name = name->next;
+@@ -123,7 +124,7 @@ x509_get_username (char *cn, int cn_len,
+ }
+ char *
+-x509_get_serial (x509_cert *cert, struct gc_arena *gc)
++backend_x509_get_serial (x509_cert *cert, struct gc_arena *gc)
+ {
+   int ret = 0;
+   int i = 0;
+@@ -184,60 +185,18 @@ x509_setenv (struct env_set *es, int cer
+   while( name != NULL )
+     {
+       char name_expand[64+8];
++      const char *shortname;
+-      if( name->oid.len == 2 && memcmp( name->oid.p, OID_X520, 2 ) == 0 )
++      if( 0 == oid_get_attr_short_name(&name->oid, &shortname) )
+       {
+-        switch( name->oid.p[2] )
+-          {
+-          case X520_COMMON_NAME:
+-              openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_CN",
+-                  cert_depth); break;
+-
+-          case X520_COUNTRY:
+-              openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_C",
+-                  cert_depth); break;
+-
+-          case X520_LOCALITY:
+-              openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_L",
+-                  cert_depth); break;
+-
+-          case X520_STATE:
+-              openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_ST",
+-                  cert_depth); break;
+-
+-          case X520_ORGANIZATION:
+-              openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_O",
+-                  cert_depth); break;
+-
+-          case X520_ORG_UNIT:
+-              openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_OU",
+-                  cert_depth); break;
+-
+-          default:
+-              openvpn_snprintf (name_expand, sizeof(name_expand),
+-                  "X509_%d_0x%02X", cert_depth, name->oid.p[2]);
+-              break;
+-          }
++        openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_%s",
++            cert_depth, shortname);
++      }
++      else
++      {
++        openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_\?\?",
++            cert_depth);
+       }
+-      else if( name->oid.len == 8 && memcmp( name->oid.p, OID_PKCS9, 8 ) == 0 )
+-        {
+-          switch( name->oid.p[8] )
+-            {
+-              case PKCS9_EMAIL:
+-                openvpn_snprintf (name_expand, sizeof(name_expand),
+-                    "X509_%d_emailAddress", cert_depth); break;
+-
+-              default:
+-                openvpn_snprintf (name_expand, sizeof(name_expand),
+-                    "X509_%d_0x%02X", cert_depth, name->oid.p[8]);
+-                break;
+-            }
+-        }
+-      else
+-        {
+-          openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_\?\?",
+-              cert_depth);
+-        }
+       for( i = 0; i < name->val.len; i++ )
+       {