projects / openwrt / staging / mkresin.git / blob
? search:


86e7ec6a9479e041a032669c40825b454cc60560
[openwrt/staging/mkresin.git] / package / network / services / openvpn / patches / 100-polarssl_compat.h
1 --- a/src/openvpn/ssl_polarssl.h
2 +++ b/src/openvpn/ssl_polarssl.h
3 @@ -38,6 +38,8 @@
4 #include <polarssl/pkcs11.h>
5 #endif
6
7 +#include <polarssl/compat-1.2.h>
8 +
9 typedef struct _buffer_entry buffer_entry;
10
11 struct _buffer_entry {
12 --- a/src/openvpn/ssl_polarssl.c
13 +++ b/src/openvpn/ssl_polarssl.c
14 @@ -45,7 +45,7 @@
15 #include "manage.h"
16 #include "ssl_common.h"
17
18 -#include <polarssl/sha2.h>
19 +#include <polarssl/sha256.h>
20 #include <polarssl/havege.h>
21
22 #include "ssl_verify_polarssl.h"
23 @@ -209,12 +209,12 @@ tls_ctx_load_dh_params (struct tls_root_
24 {
25 if (!strcmp (dh_file, INLINE_FILE_TAG) && dh_file_inline)
26 {
27 - if (0 != x509parse_dhm(ctx->dhm_ctx, dh_file_inline, strlen(dh_file_inline)))
28 + if (0 != dhm_parse_dhm(ctx->dhm_ctx, dh_file_inline, strlen(dh_file_inline)))
29 msg (M_FATAL, "Cannot read inline DH parameters");
30 }
31 else
32 {
33 - if (0 != x509parse_dhmfile(ctx->dhm_ctx, dh_file))
34 + if (0 != dhm_parse_dhmfile(ctx->dhm_ctx, dh_file))
35 msg (M_FATAL, "Cannot read DH parameters from file %s", dh_file);
36 }
37
38 @@ -249,13 +249,13 @@ tls_ctx_load_cert_file (struct tls_root_
39
40 if (!strcmp (cert_file, INLINE_FILE_TAG) && cert_file_inline)
41 {
42 - if (0 != x509parse_crt(ctx->crt_chain, cert_file_inline,
43 + if (0 != x509_crt_parse(ctx->crt_chain, cert_file_inline,
44 strlen(cert_file_inline)))
45 msg (M_FATAL, "Cannot load inline certificate file");
46 }
47 else
48 {
49 - if (0 != x509parse_crtfile(ctx->crt_chain, cert_file))
50 + if (0 != x509_crt_parse_file(ctx->crt_chain, cert_file))
51 msg (M_FATAL, "Cannot load certificate file %s", cert_file);
52 }
53 }
54 @@ -476,13 +476,13 @@ void tls_ctx_load_ca (struct tls_root_ct
55
56 if (ca_file && !strcmp (ca_file, INLINE_FILE_TAG) && ca_file_inline)
57 {
58 - if (0 != x509parse_crt(ctx->ca_chain, ca_file_inline, strlen(ca_file_inline)))
59 + if (0 != x509_crt_parse(ctx->ca_chain, ca_file_inline, strlen(ca_file_inline)))
60 msg (M_FATAL, "Cannot load inline CA certificates");
61 }
62 else
63 {
64 /* Load CA file for verifying peer supplied certificate */
65 - if (0 != x509parse_crtfile(ctx->ca_chain, ca_file))
66 + if (0 != x509_crt_parse_file(ctx->ca_chain, ca_file))
67 msg (M_FATAL, "Cannot load CA certificate file %s", ca_file);
68 }
69 }
70 @@ -496,13 +496,13 @@ tls_ctx_load_extra_certs (struct tls_roo
71
72 if (!strcmp (extra_certs_file, INLINE_FILE_TAG) && extra_certs_file_inline)
73 {
74 - if (0 != x509parse_crt(ctx->crt_chain, extra_certs_file_inline,
75 + if (0 != x509_crt_parse(ctx->crt_chain, extra_certs_file_inline,
76 strlen(extra_certs_file_inline)))
77 msg (M_FATAL, "Cannot load inline extra-certs file");
78 }
79 else
80 {
81 - if (0 != x509parse_crtfile(ctx->crt_chain, extra_certs_file))
82 + if (0 != x509_crt_parse_file(ctx->crt_chain, extra_certs_file))
83 msg (M_FATAL, "Cannot load extra-certs file: %s", extra_certs_file);
84 }
85 }
86 @@ -684,7 +684,7 @@ void key_state_ssl_init(struct key_state
87 external_key_len );
88 else
89 #endif
90 - ssl_set_own_cert( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key );
91 + ssl_set_own_cert_rsa( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key );
92
93 /* Initialise SSL verification */
94 #if P2MP_SERVER
95 @@ -1026,7 +1026,7 @@ print_details (struct key_state_ssl * ks
96 cert = ssl_get_peer_cert(ks_ssl->ctx);
97 if (cert != NULL)
98 {
99 - openvpn_snprintf (s2, sizeof (s2), ", " counter_format " bit RSA", (counter_type) cert->rsa.len * 8);
100 + openvpn_snprintf (s2, sizeof (s2), ", " counter_format " bit RSA", (counter_type) pk_rsa(cert->pk)->len * 8);
101 }
102
103 msg (D_HANDSHAKE, "%s%s", s1, s2);
104 --- a/src/openvpn/crypto_polarssl.c
105 +++ b/src/openvpn/crypto_polarssl.c
106 @@ -466,7 +466,12 @@ int cipher_ctx_mode (const cipher_contex
107
108 int cipher_ctx_reset (cipher_context_t *ctx, uint8_t *iv_buf)
109 {
110 - return 0 == cipher_reset(ctx, iv_buf);
111 + int retval = cipher_reset(ctx);
112 +
113 + if (0 == retval)
114 + cipher_set_iv(ctx, iv_buf, ctx->cipher_info->iv_size);
115 +
116 + return 0 == retval;
117 }
118
119 int cipher_ctx_update (cipher_context_t *ctx, uint8_t *dst, int *dst_len,
120 --- a/src/openvpn/ssl_verify_polarssl.h
121 +++ b/src/openvpn/ssl_verify_polarssl.h
122 @@ -34,6 +34,7 @@
123 #include "misc.h"
124 #include "manage.h"
125 #include <polarssl/x509.h>
126 +#include <polarssl/compat-1.2.h>
127
128 #ifndef __OPENVPN_X509_CERT_T_DECLARED
129 #define __OPENVPN_X509_CERT_T_DECLARED
130 --- a/src/openvpn/ssl_verify_polarssl.c
131 +++ b/src/openvpn/ssl_verify_polarssl.c
132 @@ -40,6 +40,7 @@
133 #include "ssl_verify.h"
134 #include <polarssl/error.h>
135 #include <polarssl/bignum.h>
136 +#include <polarssl/oid.h>
137 #include <polarssl/sha1.h>
138
139 #define MAX_SUBJECT_LENGTH 256
140 @@ -102,7 +103,7 @@ x509_get_username (char *cn, int cn_len,
141 /* Find common name */
142 while( name != NULL )
143 {
144 - if( memcmp( name->oid.p, OID_CN, OID_SIZE(OID_CN) ) == 0)
145 + if( memcmp( name->oid.p, OID_AT_CN, OID_SIZE(OID_AT_CN) ) == 0)
146 break;
147
148 name = name->next;
149 @@ -224,60 +225,18 @@ x509_setenv (struct env_set *es, int cer
150 while( name != NULL )
151 {
152 char name_expand[64+8];
153 + const char *shortname;
154
155 - if( name->oid.len == 2 && memcmp( name->oid.p, OID_X520, 2 ) == 0 )
156 + if( 0 == oid_get_attr_short_name(&name->oid, &shortname) )
157 {
158 - switch( name->oid.p[2] )
159 - {
160 - case X520_COMMON_NAME:
161 - openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_CN",
162 - cert_depth); break;
163 -
164 - case X520_COUNTRY:
165 - openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_C",
166 - cert_depth); break;
167 -
168 - case X520_LOCALITY:
169 - openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_L",
170 - cert_depth); break;
171 -
172 - case X520_STATE:
173 - openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_ST",
174 - cert_depth); break;
175 -
176 - case X520_ORGANIZATION:
177 - openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_O",
178 - cert_depth); break;
179 -
180 - case X520_ORG_UNIT:
181 - openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_OU",
182 - cert_depth); break;
183 -
184 - default:
185 - openvpn_snprintf (name_expand, sizeof(name_expand),
186 - "X509_%d_0x%02X", cert_depth, name->oid.p[2]);
187 - break;
188 - }
189 + openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_%s",
190 + cert_depth, shortname);
191 + }
192 + else
193 + {
194 + openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_\?\?",
195 + cert_depth);
196 }
197 - else if( name->oid.len == 8 && memcmp( name->oid.p, OID_PKCS9, 8 ) == 0 )
198 - {
199 - switch( name->oid.p[8] )
200 - {
201 - case PKCS9_EMAIL:
202 - openvpn_snprintf (name_expand, sizeof(name_expand),
203 - "X509_%d_emailAddress", cert_depth); break;
204 -
205 - default:
206 - openvpn_snprintf (name_expand, sizeof(name_expand),
207 - "X509_%d_0x%02X", cert_depth, name->oid.p[8]);
208 - break;
209 - }
210 - }
211 - else
212 - {
213 - openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_\?\?",
214 - cert_depth);
215 - }
216
217 for( i = 0; i < name->val.len; i++ )
218 {
219 --- a/configure.ac
220 +++ b/configure.ac
221 @@ -809,13 +809,13 @@ if test "${with_crypto_library}" = "pola
222 #include <polarssl/version.h>
223 ]],
224 [[
225 -#if POLARSSL_VERSION_NUMBER < 0x01020A00 || POLARSSL_VERSION_NUMBER >= 0x01030000
226 +#if POLARSSL_VERSION_NUMBER < 0x01030000
227 #error invalid version
228 #endif
229 ]]
230 )],
231 [AC_MSG_RESULT([ok])],
232 - [AC_MSG_ERROR([PolarSSL 1.2.x required and must be 1.2.10 or later])]
233 + [AC_MSG_ERROR([PolarSSL 1.3.x required])]
234 )
235
236 polarssl_with_pkcs11="no"
Staging tree of Mathias Kresin