1 --- a
/src
/openvpn
/ssl_polarssl
.h
2 +++ b
/src
/openvpn
/ssl_polarssl
.h
4 #include <polarssl/pkcs11.h>
7 +#include <polarssl/compat-1.2.h>
9 typedef struct _buffer_entry buffer_entry
;
11 struct _buffer_entry
{
12 --- a
/src
/openvpn
/ssl_polarssl
.c
13 +++ b
/src
/openvpn
/ssl_polarssl
.c
16 #include "ssl_common.h"
18 -#include <polarssl/sha2.h>
19 +#include <polarssl/sha256.h>
20 #include <polarssl/havege.h>
22 #include "ssl_verify_polarssl.h"
23 @@
-212,13 +212,13 @@
tls_ctx_load_dh_params (struct tls_root_
25 if (!strcmp (dh_file
, INLINE_FILE_TAG
) && dh_inline
)
27 - if (0 != x509parse_dhm(ctx
->dhm_ctx
, (const unsigned char *) dh_inline
,
28 + if (0 != dhm_parse_dhm(ctx
->dhm_ctx
, (const unsigned char *) dh_inline
,
30 msg (M_FATAL
, "Cannot read inline DH parameters");
34 - if (0 != x509parse_dhmfile(ctx
->dhm_ctx
, dh_file
))
35 + if (0 != dhm_parse_dhmfile(ctx
->dhm_ctx
, dh_file
))
36 msg (M_FATAL
, "Cannot read DH parameters from file %s", dh_file
);
39 @@
-253,13 +253,13 @@
tls_ctx_load_cert_file (struct tls_root_
41 if (!strcmp (cert_file
, INLINE_FILE_TAG
) && cert_inline
)
43 - if (0 != x509parse_crt(ctx
->crt_chain
,
44 + if (0 != x509_crt_parse(ctx
->crt_chain
,
45 (const unsigned char *) cert_inline
, strlen(cert_inline
)))
46 msg (M_FATAL
, "Cannot load inline certificate file");
50 - if (0 != x509parse_crtfile(ctx
->crt_chain
, cert_file
))
51 + if (0 != x509_crt_parse_file(ctx
->crt_chain
, cert_file
))
52 msg (M_FATAL
, "Cannot load certificate file %s", cert_file
);
55 @@
-277,7 +277,7 @@
tls_ctx_load_priv_file (struct tls_root_
56 status
= x509parse_key(ctx
->priv_key
,
57 (const unsigned char *) priv_key_inline
, strlen(priv_key_inline
),
59 - if (POLARSSL_ERR_X509_PASSWORD_REQUIRED
== status
)
60 + if (POLARSSL_ERR_PK_PASSWORD_REQUIRED
== status
)
62 char passbuf
[512] = {0};
63 pem_password_callback(passbuf
, 512, 0, NULL
);
64 @@
-289,7 +289,7 @@
tls_ctx_load_priv_file (struct tls_root_
67 status
= x509parse_keyfile(ctx
->priv_key
, priv_key_file
, NULL
);
68 - if (POLARSSL_ERR_X509_PASSWORD_REQUIRED
== status
)
69 + if (POLARSSL_ERR_PK_PASSWORD_REQUIRED
== status
)
71 char passbuf
[512] = {0};
72 pem_password_callback(passbuf
, 512, 0, NULL
);
73 @@
-480,14 +480,14 @@
void tls_ctx_load_ca (struct tls_root_ct
75 if (ca_file
&& !strcmp (ca_file
, INLINE_FILE_TAG
) && ca_inline
)
77 - if (0 != x509parse_crt(ctx
->ca_chain
, (const unsigned char *) ca_inline
,
78 + if (0 != x509_crt_parse(ctx
->ca_chain
, (const unsigned char *) ca_inline
,
80 msg (M_FATAL
, "Cannot load inline CA certificates");
84 /* Load CA file for verifying peer supplied certificate */
85 - if (0 != x509parse_crtfile(ctx
->ca_chain
, ca_file
))
86 + if (0 != x509_crt_parse_file(ctx
->ca_chain
, ca_file
))
87 msg (M_FATAL
, "Cannot load CA certificate file %s", ca_file
);
90 @@
-501,14 +501,14 @@
tls_ctx_load_extra_certs (struct tls_roo
92 if (!strcmp (extra_certs_file
, INLINE_FILE_TAG
) && extra_certs_inline
)
94 - if (0 != x509parse_crt(ctx
->crt_chain
,
95 + if (0 != x509_crt_parse(ctx
->crt_chain
,
96 (const unsigned char *) extra_certs_inline
,
97 strlen(extra_certs_inline
)))
98 msg (M_FATAL
, "Cannot load inline extra-certs file");
102 - if (0 != x509parse_crtfile(ctx
->crt_chain
, extra_certs_file
))
103 + if (0 != x509_crt_parse_file(ctx
->crt_chain
, extra_certs_file
))
104 msg (M_FATAL
, "Cannot load extra-certs file: %s", extra_certs_file
);
107 @@
-724,7 +724,7 @@
void key_state_ssl_init(struct key_state
111 - ssl_set_own_cert( ks_ssl
->ctx
, ssl_ctx
->crt_chain
, ssl_ctx
->priv_key
);
112 + ssl_set_own_cert_rsa( ks_ssl
->ctx
, ssl_ctx
->crt_chain
, ssl_ctx
->priv_key
);
114 /* Initialise SSL verification */
116 @@
-1068,7 +1068,7 @@
print_details (struct key_state_ssl
* ks
117 cert
= ssl_get_peer_cert(ks_ssl
->ctx
);
120 - openvpn_snprintf (s2
, sizeof (s2
), ", " counter_format
" bit RSA", (counter_type
) cert
->rsa
.len
* 8);
121 + openvpn_snprintf (s2
, sizeof (s2
), ", " counter_format
" bit RSA", (counter_type
) pk_rsa(cert
->pk
)->len
* 8);
124 msg (D_HANDSHAKE
, "%s%s", s1
, s2
);
125 --- a
/src
/openvpn
/crypto_polarssl
.c
126 +++ b
/src
/openvpn
/crypto_polarssl
.c
127 @@
-487,7 +487,12 @@
cipher_ctx_get_cipher_kt (const cipher_c
129 int cipher_ctx_reset (cipher_context_t
*ctx
, uint8_t *iv_buf
)
131 - return 0 == cipher_reset(ctx
, iv_buf
);
132 + int retval
= cipher_reset(ctx
);
135 + cipher_set_iv(ctx
, iv_buf
, ctx
->cipher_info
->iv_size
);
137 + return 0 == retval
;
140 int cipher_ctx_update (cipher_context_t
*ctx
, uint8_t *dst
, int *dst_len
,
141 --- a
/src
/openvpn
/ssl_verify_polarssl
.h
142 +++ b
/src
/openvpn
/ssl_verify_polarssl
.h
146 #include <polarssl/x509.h>
147 +#include <polarssl/compat-1.2.h>
149 #ifndef __OPENVPN_X509_CERT_T_DECLARED
150 #define __OPENVPN_X509_CERT_T_DECLARED
151 --- a
/src
/openvpn
/ssl_verify_polarssl
.c
152 +++ b
/src
/openvpn
/ssl_verify_polarssl
.c
154 #include "ssl_verify.h"
155 #include <polarssl/error.h>
156 #include <polarssl/bignum.h>
157 +#include <polarssl/oid.h>
158 #include <polarssl/sha1.h>
160 #define MAX_SUBJECT_LENGTH 256
161 @@
-102,7 +103,7 @@
x509_get_username (char *cn
, int cn_len
,
162 /* Find common name */
163 while( name
!= NULL
)
165 - if( memcmp( name
->oid
.p
, OID_CN
, OID_SIZE(OID_CN
) ) == 0)
166 + if( memcmp( name
->oid
.p
, OID_AT_CN
, OID_SIZE(OID_AT_CN
) ) == 0)
170 @@
-224,60 +225,18 @@
x509_setenv (struct env_set
*es
, int cer
171 while( name
!= NULL
)
173 char name_expand
[64+8];
174 + const char *shortname
;
176 - if( name
->oid
.len
== 2 && memcmp( name
->oid
.p
, OID_X520
, 2 ) == 0 )
177 + if( 0 == oid_get_attr_short_name(&name
->oid
, &shortname
) )
179 - switch( name
->oid
.p
[2] )
181 - case X520_COMMON_NAME
:
182 - openvpn_snprintf (name_expand
, sizeof(name_expand
), "X509_%d_CN",
183 - cert_depth
); break;
186 - openvpn_snprintf (name_expand
, sizeof(name_expand
), "X509_%d_C",
187 - cert_depth
); break;
189 - case X520_LOCALITY
:
190 - openvpn_snprintf (name_expand
, sizeof(name_expand
), "X509_%d_L",
191 - cert_depth
); break;
194 - openvpn_snprintf (name_expand
, sizeof(name_expand
), "X509_%d_ST",
195 - cert_depth
); break;
197 - case X520_ORGANIZATION
:
198 - openvpn_snprintf (name_expand
, sizeof(name_expand
), "X509_%d_O",
199 - cert_depth
); break;
201 - case X520_ORG_UNIT
:
202 - openvpn_snprintf (name_expand
, sizeof(name_expand
), "X509_%d_OU",
203 - cert_depth
); break;
206 - openvpn_snprintf (name_expand
, sizeof(name_expand
),
207 - "X509_%d_0x%02X", cert_depth
, name
->oid
.p
[2]);
210 + openvpn_snprintf (name_expand
, sizeof(name_expand
), "X509_%d_%s",
211 + cert_depth
, shortname
);
215 + openvpn_snprintf (name_expand
, sizeof(name_expand
), "X509_%d_\?\?",
218 - else if( name
->oid
.len
== 8 && memcmp( name
->oid
.p
, OID_PKCS9
, 8 ) == 0 )
220 - switch( name
->oid
.p
[8] )
223 - openvpn_snprintf (name_expand
, sizeof(name_expand
),
224 - "X509_%d_emailAddress", cert_depth
); break;
227 - openvpn_snprintf (name_expand
, sizeof(name_expand
),
228 - "X509_%d_0x%02X", cert_depth
, name
->oid
.p
[8]);
234 - openvpn_snprintf (name_expand
, sizeof(name_expand
), "X509_%d_\?\?",
238 for( i
= 0; i
< name
->val
.len
; i
++ )
242 @@
-819,13 +819,13 @@
if test
"${with_crypto_library}" = "pola
243 #include <polarssl/version.h>
246 -#if POLARSSL_VERSION_NUMBER < 0x01020A00 || POLARSSL_VERSION_NUMBER >= 0x01030000
247 +#if POLARSSL_VERSION_NUMBER < 0x01030000
248 #error invalid version
252 [AC_MSG_RESULT([ok])],
253 - [AC_MSG_ERROR([PolarSSL 1.2.x required and must be 1.2.10 or later])]
254 + [AC_MSG_ERROR([PolarSSL 1.3.x required])]
257 polarssl_with_pkcs11="no
"