package/network/services/openvpn/patches/100-polarssl_compat.h

   1 --- a/src/openvpn/ssl_polarssl.h
   2 +++ b/src/openvpn/ssl_polarssl.h
   3 @@ -38,6 +38,8 @@
   4  #include <polarssl/pkcs11.h>
   5  #endif
   6
   7 +#include <polarssl/compat-1.2.h>
   8 +
   9  typedef struct _buffer_entry buffer_entry;
  10
  11  struct _buffer_entry {
  12 --- a/src/openvpn/ssl_polarssl.c
  13 +++ b/src/openvpn/ssl_polarssl.c
  14 @@ -45,7 +45,7 @@
  15  #include "manage.h"
  16  #include "ssl_common.h"
  17
  18 -#include <polarssl/sha2.h>
  19 +#include <polarssl/sha256.h>
  20  #include <polarssl/havege.h>
  21
  22  #include "ssl_verify_polarssl.h"
  23 @@ -209,12 +209,12 @@ tls_ctx_load_dh_params (struct tls_root_
  24  {
  25    if (!strcmp (dh_file, INLINE_FILE_TAG) && dh_file_inline)
  26      {
  27 -      if (0 != x509parse_dhm(ctx->dhm_ctx, dh_file_inline, strlen(dh_file_inline)))
  28 +      if (0 != dhm_parse_dhm(ctx->dhm_ctx, dh_file_inline, strlen(dh_file_inline)))
  29         msg (M_FATAL, "Cannot read inline DH parameters");
  30    }
  31  else
  32    {
  33 -    if (0 != x509parse_dhmfile(ctx->dhm_ctx, dh_file))
  34 +    if (0 != dhm_parse_dhmfile(ctx->dhm_ctx, dh_file))
  35        msg (M_FATAL, "Cannot read DH parameters from file %s", dh_file);
  36    }
  37
  38 @@ -249,13 +249,13 @@ tls_ctx_load_cert_file (struct tls_root_
  39
  40    if (!strcmp (cert_file, INLINE_FILE_TAG) && cert_file_inline)
  41      {
  42 -      if (0 != x509parse_crt(ctx->crt_chain, cert_file_inline,
  43 +      if (0 != x509_crt_parse(ctx->crt_chain, cert_file_inline,
  44           strlen(cert_file_inline)))
  45          msg (M_FATAL, "Cannot load inline certificate file");
  46      }
  47    else
  48      {
  49 -      if (0 != x509parse_crtfile(ctx->crt_chain, cert_file))
  50 +      if (0 != x509_crt_parse_file(ctx->crt_chain, cert_file))
  51         msg (M_FATAL, "Cannot load certificate file %s", cert_file);
  52      }
  53  }
  54 @@ -476,13 +476,13 @@ void tls_ctx_load_ca (struct tls_root_ct
  55
  56    if (ca_file && !strcmp (ca_file, INLINE_FILE_TAG) && ca_file_inline)
  57      {
  58 -      if (0 != x509parse_crt(ctx->ca_chain, ca_file_inline, strlen(ca_file_inline)))
  59 +      if (0 != x509_crt_parse(ctx->ca_chain, ca_file_inline, strlen(ca_file_inline)))
  60         msg (M_FATAL, "Cannot load inline CA certificates");
  61      }
  62    else
  63      {
  64        /* Load CA file for verifying peer supplied certificate */
  65 -      if (0 != x509parse_crtfile(ctx->ca_chain, ca_file))
  66 +      if (0 != x509_crt_parse_file(ctx->ca_chain, ca_file))
  67         msg (M_FATAL, "Cannot load CA certificate file %s", ca_file);
  68      }
  69  }
  70 @@ -496,13 +496,13 @@ tls_ctx_load_extra_certs (struct tls_roo
  71
  72    if (!strcmp (extra_certs_file, INLINE_FILE_TAG) && extra_certs_file_inline)
  73      {
  74 -      if (0 != x509parse_crt(ctx->crt_chain, extra_certs_file_inline,
  75 +      if (0 != x509_crt_parse(ctx->crt_chain, extra_certs_file_inline,
  76           strlen(extra_certs_file_inline)))
  77          msg (M_FATAL, "Cannot load inline extra-certs file");
  78      }
  79    else
  80      {
  81 -      if (0 != x509parse_crtfile(ctx->crt_chain, extra_certs_file))
  82 +      if (0 != x509_crt_parse_file(ctx->crt_chain, extra_certs_file))
  83         msg (M_FATAL, "Cannot load extra-certs file: %s", extra_certs_file);
  84      }
  85  }
  86 @@ -684,7 +684,7 @@ void key_state_ssl_init(struct key_state
  87            external_key_len );
  88        else
  89  #endif
  90 -       ssl_set_own_cert( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key );
  91 +       ssl_set_own_cert_rsa( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key );
  92
  93        /* Initialise SSL verification */
  94  #if P2MP_SERVER
  95 @@ -1026,7 +1026,7 @@ print_details (struct key_state_ssl * ks
  96    cert = ssl_get_peer_cert(ks_ssl->ctx);
  97    if (cert != NULL)
  98      {
  99 -      openvpn_snprintf (s2, sizeof (s2), ", " counter_format " bit RSA", (counter_type) cert->rsa.len * 8);
 100 +      openvpn_snprintf (s2, sizeof (s2), ", " counter_format " bit RSA", (counter_type) pk_rsa(cert->pk)->len * 8);
 101      }
 102
 103    msg (D_HANDSHAKE, "%s%s", s1, s2);
 104 --- a/src/openvpn/crypto_polarssl.c
 105 +++ b/src/openvpn/crypto_polarssl.c
 106 @@ -466,7 +466,12 @@ int cipher_ctx_mode (const cipher_contex
 107
 108  int cipher_ctx_reset (cipher_context_t *ctx, uint8_t *iv_buf)
 109  {
 110 -  return 0 == cipher_reset(ctx, iv_buf);
 111 +  int retval = cipher_reset(ctx);
 112 +
 113 +  if (0 == retval)
 114 +    cipher_set_iv(ctx, iv_buf, ctx->cipher_info->iv_size);
 115 +
 116 +  return 0 == retval;
 117  }
 118
 119  int cipher_ctx_update (cipher_context_t *ctx, uint8_t *dst, int *dst_len,
 120 --- a/src/openvpn/ssl_verify_polarssl.h
 121 +++ b/src/openvpn/ssl_verify_polarssl.h
 122 @@ -34,6 +34,7 @@
 123  #include "misc.h"
 124  #include "manage.h"
 125  #include <polarssl/x509.h>
 126 +#include <polarssl/compat-1.2.h>
 127
 128  #ifndef __OPENVPN_X509_CERT_T_DECLARED
 129  #define __OPENVPN_X509_CERT_T_DECLARED
 130 --- a/src/openvpn/ssl_verify_polarssl.c
 131 +++ b/src/openvpn/ssl_verify_polarssl.c
 132 @@ -40,6 +40,7 @@
 133  #include "ssl_verify.h"
 134  #include <polarssl/error.h>
 135  #include <polarssl/bignum.h>
 136 +#include <polarssl/oid.h>
 137  #include <polarssl/sha1.h>
 138
 139  #define MAX_SUBJECT_LENGTH 256
 140 @@ -102,7 +103,7 @@ x509_get_username (char *cn, int cn_len,
 141    /* Find common name */
 142    while( name != NULL )
 143    {
 144 -      if( memcmp( name->oid.p, OID_CN, OID_SIZE(OID_CN) ) == 0)
 145 +      if( memcmp( name->oid.p, OID_AT_CN, OID_SIZE(OID_AT_CN) ) == 0)
 146         break;
 147
 148        name = name->next;
 149 @@ -224,60 +225,18 @@ x509_setenv (struct env_set *es, int cer
 150    while( name != NULL )
 151      {
 152        char name_expand[64+8];
 153 +      const char *shortname;
 154
 155 -      if( name->oid.len == 2 && memcmp( name->oid.p, OID_X520, 2 ) == 0 )
 156 +      if( 0 == oid_get_attr_short_name(&name->oid, &shortname) )
 157         {
 158 -         switch( name->oid.p[2] )
 159 -           {
 160 -           case X520_COMMON_NAME:
 161 -               openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_CN",
 162 -                   cert_depth); break;
 163 -
 164 -           case X520_COUNTRY:
 165 -               openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_C",
 166 -                   cert_depth); break;
 167 -
 168 -           case X520_LOCALITY:
 169 -               openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_L",
 170 -                   cert_depth); break;
 171 -
 172 -           case X520_STATE:
 173 -               openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_ST",
 174 -                   cert_depth); break;
 175 -
 176 -           case X520_ORGANIZATION:
 177 -               openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_O",
 178 -                   cert_depth); break;
 179 -
 180 -           case X520_ORG_UNIT:
 181 -               openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_OU",
 182 -                   cert_depth); break;
 183 -
 184 -           default:
 185 -               openvpn_snprintf (name_expand, sizeof(name_expand),
 186 -                   "X509_%d_0x%02X", cert_depth, name->oid.p[2]);
 187 -               break;
 188 -           }
 189 +         openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_%s",
 190 +             cert_depth, shortname);
 191 +       }
 192 +      else
 193 +       {
 194 +         openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_\?\?",
 195 +             cert_depth);
 196         }
 197 -       else if( name->oid.len == 8 && memcmp( name->oid.p, OID_PKCS9, 8 ) == 0 )
 198 -         {
 199 -           switch( name->oid.p[8] )
 200 -             {
 201 -               case PKCS9_EMAIL:
 202 -                 openvpn_snprintf (name_expand, sizeof(name_expand),
 203 -                     "X509_%d_emailAddress", cert_depth); break;
 204 -
 205 -               default:
 206 -                 openvpn_snprintf (name_expand, sizeof(name_expand),
 207 -                     "X509_%d_0x%02X", cert_depth, name->oid.p[8]);
 208 -                 break;
 209 -             }
 210 -         }
 211 -       else
 212 -         {
 213 -           openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_\?\?",
 214 -               cert_depth);
 215 -         }
 216
 217         for( i = 0; i < name->val.len; i++ )
 218         {
 219 --- a/configure.ac
 220 +++ b/configure.ac
 221 @@ -809,13 +809,13 @@ if test "${with_crypto_library}" = "pola
 222  #include <polarssl/version.h>
 223                         ]],
 224                         [[
 225 -#if POLARSSL_VERSION_NUMBER < 0x01020A00 || POLARSSL_VERSION_NUMBER >= 0x01030000
 226 +#if POLARSSL_VERSION_NUMBER < 0x01030000
 227  #error invalid version
 228  #endif
 229                         ]]
 230                 )],
 231                 [AC_MSG_RESULT([ok])],
 232 -               [AC_MSG_ERROR([PolarSSL 1.2.x required and must be 1.2.10 or later])]
 233 +               [AC_MSG_ERROR([PolarSSL 1.3.x required])]
 234         )
 235
 236         polarssl_with_pkcs11="no"