a1c83b0e42a461bfc3c45d524e8f9bbe698dcebd
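--- a/src/openvpn/ssl_polarssl.h
+++ b/src/openvpn/ssl_polarssl.h
@@ -38,6 +38,8 @@
 #include <polarssl/pkcs11.h>
 #endif
 
+#include <polarssl/compat-1.2.h>
+
 typedef struct _buffer_entry buffer_entry;
 
 struct _buffer_entry {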
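--- a/src/openvpn/ssl_polarssl.c
+++ b/src/openvpn/ssl_polarssl.c
@@ -46,7 +46,7 @@
 #include "manage.h"
 #include "ssl_common.h"
 
-#include <polarssl/sha2.h>
+#include <polarssl/sha256.h>
 #include <polarssl/havege.h>
 
 #include "ssl_verify_polarssl.h"
@@ -212,13 +212,13 @@ tls_ctx_load_dh_params (struct tls_root_
 {
 if (!strcmp (dh_file, INLINE_FILE_TAG) && dh_inline)
 {
- if (0 != x509parse_dhm(ctx->dhm_ctx, (const unsigned char *) dh_inline,
+ if (0 != dhm_parse_dhm(ctx->dhm_ctx, (const unsigned char *) dh_inline,
 strlen(dh_inline)))
 msg (M_FATAL, "Cannot read inline DH parameters");
 }
 else
 {
- if (0 != x509parse_dhmfile(ctx->dhm_ctx, dh_file))
+ if (0 != dhm_parse_dhmfile(ctx->dhm_ctx, dh_file))
 msg (M_FATAL, "Cannot read DH parameters from file %s", dh_file);
 }
 
@@ -253,13 +253,13 @@ tls_ctx_load_cert_file (struct tls_root_
 
 if (!strcmp (cert_file, INLINE_FILE_TAG) && cert_inline)
 {
- if (0 != x509parse_crt(ctx->crt_chain,
+ if (0 != x509_crt_parse(ctx->crt_chain,
 (const unsigned char *) cert_inline, strlen(cert_inline)))
 msg (M_FATAL, "Cannot load inline certificate file");
 }
 else
 {
- if (0 != x509parse_crtfile(ctx->crt_chain, cert_file))
+ if (0 != x509_crt_parse_file(ctx->crt_chain, cert_file))
 msg (M_FATAL, "Cannot load certificate file %s", cert_file);
 }
 }
@@ -277,7 +277,7 @@ tls_ctx_load_priv_file (struct tls_root_
 status = x509parse_key(ctx->priv_key,
 (const unsigned char *) priv_key_inline, strlen(priv_key_inline),
 NULL, 0);
- if (POLARSSL_ERR_X509_PASSWORD_REQUIRED == status)
+ if (POLARSSL_ERR_PK_PASSWORD_REQUIRED == status)
 {
 char passbuf[512] = {0};
 pem_password_callback(passbuf, 512, 0, NULL);
@@ -289,7 +289,7 @@ tls_ctx_load_priv_file (struct tls_root_
 else
 {
 status = x509parse_keyfile(ctx->priv_key, priv_key_file, NULL);
- if (POLARSSL_ERR_X509_PASSWORD_REQUIRED == status)
+ if (POLARSSL_ERR_PK_PASSWORD_REQUIRED == status)
 {
 char passbuf[512] = {0};
 pem_password_callback(passbuf, 512, 0, NULL);
@@ -480,14 +480,14 @@ void tls_ctx_load_ca (struct tls_root_ct
 
 if (ca_file && !strcmp (ca_file, INLINE_FILE_TAG) && ca_inline)
 {
- if (0 != x509parse_crt(ctx->ca_chain, (const unsigned char *) ca_inline,
+ if (0 != x509_crt_parse(ctx->ca_chain, (const unsigned char *) ca_inline,
 strlen(ca_inline)))
 msg (M_FATAL, "Cannot load inline CA certificates");
 }
 else
 {
 /* Load CA file for verifying peer supplied certificate */
- if (0 != x509parse_crtfile(ctx->ca_chain, ca_file))
+ if (0 != x509_crt_parse_file(ctx->ca_chain, ca_file))
 msg (M_FATAL, "Cannot load CA certificate file %s", ca_file);
 }
 }
@@ -501,14 +501,14 @@ tls_ctx_load_extra_certs (struct tls_roo
 
 if (!strcmp (extra_certs_file, INLINE_FILE_TAG) && extra_certs_inline)
 {
- if (0 != x509parse_crt(ctx->crt_chain,
+ if (0 != x509_crt_parse(ctx->crt_chain,
 (const unsigned char *) extra_certs_inline,
 strlen(extra_certs_inline)))
 msg (M_FATAL, "Cannot load inline extra-certs file");
 }
 else
 {
- if (0 != x509parse_crtfile(ctx->crt_chain, extra_certs_file))
+ if (0 != x509_crt_parse_file(ctx->crt_chain, extra_certs_file))
 msg (M_FATAL, "Cannot load extra-certs file: %s", extra_certs_file);
 }
 }
@@ -724,7 +724,7 @@ void key_state_ssl_init(struct key_state
 external_key_len );
 else
 #endif
- ssl_set_own_cert( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key );
+ ssl_set_own_cert_rsa( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key );
 
 /* Initialise SSL verification */
 #if P2MP_SERVER
@@ -1068,7 +1068,7 @@ print_details (struct key_state_ssl * ks
 cert = ssl_get_peer_cert(ks_ssl->ctx);
 if (cert != NULL)
 {
- openvpn_snprintf (s2, sizeof (s2), ", " counter_format " bit RSA", (counter_type) cert->rsa.len * 8);
+ openvpn_snprintf (s2, sizeof (s2), ", " counter_format " bit RSA", (counter_type) pk_rsa(cert->pk)->len * 8);
 }
 
 msg (D_HANDSHAKE, "%s%s", s1, s2);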
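Review bot: The new print_details line reads `pk_rsa(cert->pk)->len` without checking that the peer certificate's key actually is RSA; under PolarSSL 1.3's generic pk layer that accessor just reinterprets the key context, so a peer presenting a non-RSA certificate would make the logged key size garbage and reads through a context of the wrong type. Guard it, e.g. `if (pk_can_do(&cert->pk, POLARSSL_PK_RSA))` around the snprintf, or log `pk_get_size(&cert->pk)` which reports the size in bits for any key type (confirm both names exist in the PolarSSL 1.3 release this port targets). The same assumption is implicit in the key_state_ssl_init hunk's switch to `ssl_set_own_cert_rsa`, which is fine as long as a comment records that only RSA keys are supported on this backend. print_details starts outside the hunk.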
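--- a/src/openvpn/crypto_polarssl.c
+++ b/src/openvpn/crypto_polarssl.c
@@ -487,7 +487,12 @@ cipher_ctx_get_cipher_kt (const cipher_c
 
 int cipher_ctx_reset (cipher_context_t *ctx, uint8_t *iv_buf)
 {
- return 0 == cipher_reset(ctx, iv_buf);
+ int retval = cipher_reset(ctx);
+
+ if (0 == retval)
+ cipher_set_iv(ctx, iv_buf, ctx->cipher_info->iv_size);
+
+ return 0 == retval;
 }
 
 int cipher_ctx_update (cipher_context_t *ctx, uint8_t *dst, int *dst_len,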
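Review bot: The return value of the new cipher_set_iv() call inside `if (0 == retval)` is discarded, so cipher_ctx_reset() reports success even when the IV was rejected, and the caller proceeds to encrypt or decrypt with whatever IV state the context already held. Fold the result into retval so the existing `return 0 == retval;` covers both steps: `retval = cipher_set_iv(ctx, iv_buf, ctx->cipher_info->iv_size);`. A one-line comment that the 1.2 API set the IV as part of cipher_reset() and 1.3 splits it into two calls would also explain the shape to the next reader.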
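--- a/src/openvpn/ssl_verify_polarssl.h
+++ b/src/openvpn/ssl_verify_polarssl.h
@@ -34,6 +34,7 @@
 #include "misc.h"
 #include "manage.h"
 #include <polarssl/x509.h>
+#include <polarssl/compat-1.2.h>
 
 #ifndef __OPENVPN_X509_CERT_T_DECLARED
 #define __OPENVPN_X509_CERT_T_DECLARED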
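--- a/src/openvpn/ssl_verify_polarssl.c
+++ b/src/openvpn/ssl_verify_polarssl.c
@@ -40,6 +40,7 @@
 #include "ssl_verify.h"
 #include <polarssl/error.h>
 #include <polarssl/bignum.h>
+#include <polarssl/oid.h>
 #include <polarssl/sha1.h>
 
 #define MAX_SUBJECT_LENGTH 256
@@ -102,7 +103,7 @@ x509_get_username (char *cn, int cn_len,
 /* Find common name */
 while( name != NULL )
 {
- if( memcmp( name->oid.p, OID_CN, OID_SIZE(OID_CN) ) == 0)
+ if( memcmp( name->oid.p, OID_AT_CN, OID_SIZE(OID_AT_CN) ) == 0)
 break;
 
 name = name->next;
@@ -224,60 +225,18 @@ x509_setenv (struct env_set *es, int cer
 while( name != NULL )
 {
 char name_expand[64+8];
+ const char *shortname;
 
- if( name->oid.len == 2 && memcmp( name->oid.p, OID_X520, 2 ) == 0 )
+ if( 0 == oid_get_attr_short_name(&name->oid, &shortname) )
 {
- switch( name->oid.p[2] )
- {
- case X520_COMMON_NAME:
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_CN",
- cert_depth); break;
-
- case X520_COUNTRY:
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_C",
- cert_depth); break;
-
- case X520_LOCALITY:
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_L",
- cert_depth); break;
-
- case X520_STATE:
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_ST",
- cert_depth); break;
-
- case X520_ORGANIZATION:
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_O",
- cert_depth); break;
-
- case X520_ORG_UNIT:
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_OU",
- cert_depth); break;
-
- default:
- openvpn_snprintf (name_expand, sizeof(name_expand),
- "X509_%d_0x%02X", cert_depth, name->oid.p[2]);
- break;
- }
+ openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_%s",
+ cert_depth, shortname);
+ }
+ else
+ {
+ openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_\?\?",
+ cert_depth);
 }
- else if( name->oid.len == 8 && memcmp( name->oid.p, OID_PKCS9, 8 ) == 0 )
- {
- switch( name->oid.p[8] )
- {
- case PKCS9_EMAIL:
- openvpn_snprintf (name_expand, sizeof(name_expand),
- "X509_%d_emailAddress", cert_depth); break;
-
- default:
- openvpn_snprintf (name_expand, sizeof(name_expand),
- "X509_%d_0x%02X", cert_depth, name->oid.p[8]);
- break;
- }
- }
- else
- {
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_\?\?",
- cert_depth);
- }
 
 for( i = 0; i < name->val.len; i++ )
 {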
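Review bot: In the x509_setenv hunk every DN attribute that oid_get_attr_short_name() does not know now lands on the single name `X509_<depth>_??`, whereas the removed code still told unknown X520 and PKCS9 arcs apart by their last OID byte; two such attributes in one certificate now write the same environment variable and the later silently overwrites the earlier, which a script keying on these variables cannot detect. Keep a disambiguating fallback in the else branch, for example `"X509_%d_0x%02X", cert_depth, name->oid.p[name->oid.len - 1]` guarded by `name->oid.len > 0`, and note in a comment that the environment name is derived from peer-supplied certificate data. In the x509_get_username hunk the comparison `memcmp( name->oid.p, OID_AT_CN, OID_SIZE(OID_AT_CN) )` is still made without checking `name->oid.len`, so a shorter attribute OID is read past its end; prefixing `name->oid.len == OID_SIZE(OID_AT_CN) &&` closes that. Both x509_get_username and x509_setenv start before and continue after their hunks.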
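--- a/configure.ac
+++ b/configure.ac
@@ -832,13 +832,13 @@ if test "${with_crypto_library}" = "pola
 #include <polarssl/version.h>
 ]],
 [[
-#if POLARSSL_VERSION_NUMBER < 0x01020A00 || POLARSSL_VERSION_NUMBER >= 0x01030000
+#if POLARSSL_VERSION_NUMBER < 0x01030000
 #error invalid version
 #endif
 ]]
 )],
 [AC_MSG_RESULT([ok])],
- [AC_MSG_ERROR([PolarSSL 1.2.x required and must be 1.2.10 or later])]
+ [AC_MSG_ERROR([PolarSSL 1.3.x required])]
 )
 
 polarssl_with_pkcs11="no"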
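Review bot: The new version test drops the upper bound that the removed line had, so any future major release passes the configure check even though the error message still says "PolarSSL 1.3.x required" and the rest of this port relies on the 1.3-specific compat-1.2.h header and `_rsa` entry points. Keep the check two-sided so a mismatched library fails at configure time rather than at compile or link time: `#if POLARSSL_VERSION_NUMBER < 0x01030000 || POLARSSL_VERSION_NUMBER >= 0x01040000`. If a minimum 1.3 patch level is actually needed for the functions introduced by this patch, encode it in the constant and the message as the old check did for 1.2.10.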