polarssl: update to version 1.3.4 and add openssl compat patch
[openwrt.git] / package / network / services / openvpn / patches / 100-polarssl_compat.h
1 --- a/src/openvpn/ssl_polarssl.h
2 +++ b/src/openvpn/ssl_polarssl.h
3 @@ -36,6 +36,8 @@
4  #include <polarssl/pkcs11.h>
5  #endif
6  
7 +#include <polarssl/compat-1.2.h>
8 +
9  typedef struct _buffer_entry buffer_entry;
10  
11  struct _buffer_entry {
12 --- a/src/openvpn/ssl_polarssl.c
13 +++ b/src/openvpn/ssl_polarssl.c
14 @@ -44,7 +44,7 @@
15  #include "manage.h"
16  #include "ssl_common.h"
17  
18 -#include <polarssl/sha2.h>
19 +#include <polarssl/sha256.h>
20  #include <polarssl/havege.h>
21  
22  #include "ssl_verify_polarssl.h"
23 @@ -204,12 +204,12 @@ tls_ctx_load_dh_params (struct tls_root_
24  {
25    if (!strcmp (dh_file, INLINE_FILE_TAG) && dh_file_inline)
26      {
27 -      if (0 != x509parse_dhm(ctx->dhm_ctx, dh_file_inline, strlen(dh_file_inline)))
28 +      if (0 != dhm_parse_dhm(ctx->dhm_ctx, dh_file_inline, strlen(dh_file_inline)))
29         msg (M_FATAL, "Cannot read inline DH parameters");
30    }
31  else
32    {
33 -    if (0 != x509parse_dhmfile(ctx->dhm_ctx, dh_file))
34 +    if (0 != dhm_parse_dhmfile(ctx->dhm_ctx, dh_file))
35        msg (M_FATAL, "Cannot read DH parameters from file %s", dh_file);
36    }
37  
38 @@ -530,7 +530,7 @@ void key_state_ssl_init(struct key_state
39             ssl_pkcs11_key_len );
40        else
41  #endif
42 -       ssl_set_own_cert( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key );
43 +       ssl_set_own_cert_rsa( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key );
44  
45        /* Initialise SSL verification */
46        ssl_set_authmode (ks_ssl->ctx, SSL_VERIFY_REQUIRED);
47 @@ -832,7 +832,7 @@ print_details (struct key_state_ssl * ks
48    cert = ssl_get_peer_cert(ks_ssl->ctx);
49    if (cert != NULL)
50      {
51 -      openvpn_snprintf (s2, sizeof (s2), ", " counter_format " bit RSA", (counter_type) cert->rsa.len * 8);
52 +      openvpn_snprintf (s2, sizeof (s2), ", " counter_format " bit RSA", (counter_type) pk_rsa(cert->pk)->len * 8);
53      }
54  
55    msg (D_HANDSHAKE, "%s%s", s1, s2);
56 --- a/src/openvpn/crypto_polarssl.c
57 +++ b/src/openvpn/crypto_polarssl.c
58 @@ -466,7 +466,12 @@ int cipher_ctx_mode (const cipher_contex
59  
60  int cipher_ctx_reset (cipher_context_t *ctx, uint8_t *iv_buf)
61  {
62 -  return 0 == cipher_reset(ctx, iv_buf);
63 +  int retval = cipher_reset(ctx);
64 +
65 +  if (0 == retval)
66 +    cipher_set_iv(ctx, iv_buf, ctx->cipher_info->iv_size);
67 +
68 +  return 0 == retval;
69  }
70  
71  int cipher_ctx_update (cipher_context_t *ctx, uint8_t *dst, int *dst_len,
72 --- a/src/openvpn/ssl_verify_polarssl.h
73 +++ b/src/openvpn/ssl_verify_polarssl.h
74 @@ -34,6 +34,7 @@
75  #include "misc.h"
76  #include "manage.h"
77  #include <polarssl/x509.h>
78 +#include <polarssl/compat-1.2.h>
79  
80  #ifndef __OPENVPN_X509_CERT_T_DECLARED
81  #define __OPENVPN_X509_CERT_T_DECLARED
82 --- a/src/openvpn/ssl_verify.c
83 +++ b/src/openvpn/ssl_verify.c
84 @@ -437,7 +437,7 @@ verify_cert_set_env(struct env_set *es, 
85  #endif
86  
87    /* export serial number as environmental variable */
88 -  serial = x509_get_serial(peer_cert, &gc);
89 +  serial = backend_x509_get_serial(peer_cert, &gc);
90    openvpn_snprintf (envname, sizeof(envname), "tls_serial_%d", cert_depth);
91    setenv_str (es, envname, serial);
92  
93 @@ -564,7 +564,7 @@ verify_check_crl_dir(const char *crl_dir
94    int fd = -1;
95    struct gc_arena gc = gc_new();
96  
97 -  char *serial = x509_get_serial(cert, &gc);
98 +  char *serial = backend_x509_get_serial(cert, &gc);
99  
100    if (!openvpn_snprintf(fn, sizeof(fn), "%s%c%s", crl_dir, OS_SPECIFIC_DIRSEP, serial))
101      {
102 --- a/src/openvpn/ssl_verify_backend.h
103 +++ b/src/openvpn/ssl_verify_backend.h
104 @@ -122,7 +122,7 @@ result_t x509_get_username (char *common
105   *
106   * @return             The certificate's serial number.
107   */
108 -char *x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc);
109 +char *backend_x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc);
110  
111  /*
112   * Save X509 fields to environment, using the naming convention:
113 --- a/src/openvpn/ssl_verify_openssl.c
114 +++ b/src/openvpn/ssl_verify_openssl.c
115 @@ -220,7 +220,7 @@ x509_get_username (char *common_name, in
116  }
117  
118  char *
119 -x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc)
120 +backend_x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc)
121  {
122    ASN1_INTEGER *asn1_i;
123    BIGNUM *bignum;
124 --- a/src/openvpn/ssl_verify_polarssl.c
125 +++ b/src/openvpn/ssl_verify_polarssl.c
126 @@ -38,6 +38,7 @@
127  #if defined(ENABLE_SSL) && defined(ENABLE_CRYPTO_POLARSSL)
128  
129  #include "ssl_verify.h"
130 +#include <polarssl/oid.h>
131  #include <polarssl/sha1.h>
132  
133  #define MAX_SUBJECT_LENGTH 256
134 @@ -100,7 +101,7 @@ x509_get_username (char *cn, int cn_len,
135    /* Find common name */
136    while( name != NULL )
137    {
138 -      if( memcmp( name->oid.p, OID_CN, OID_SIZE(OID_CN) ) == 0)
139 +      if( memcmp( name->oid.p, OID_AT_CN, OID_SIZE(OID_AT_CN) ) == 0)
140         break;
141  
142        name = name->next;
143 @@ -123,7 +124,7 @@ x509_get_username (char *cn, int cn_len,
144  }
145  
146  char *
147 -x509_get_serial (x509_cert *cert, struct gc_arena *gc)
148 +backend_x509_get_serial (x509_cert *cert, struct gc_arena *gc)
149  {
150    int ret = 0;
151    int i = 0;
152 @@ -184,60 +185,18 @@ x509_setenv (struct env_set *es, int cer
153    while( name != NULL )
154      {
155        char name_expand[64+8];
156 +      const char *shortname;
157  
158 -      if( name->oid.len == 2 && memcmp( name->oid.p, OID_X520, 2 ) == 0 )
159 +      if( 0 == oid_get_attr_short_name(&name->oid, &shortname) )
160         {
161 -         switch( name->oid.p[2] )
162 -           {
163 -           case X520_COMMON_NAME:
164 -               openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_CN",
165 -                   cert_depth); break;
166 -
167 -           case X520_COUNTRY:
168 -               openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_C",
169 -                   cert_depth); break;
170 -
171 -           case X520_LOCALITY:
172 -               openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_L",
173 -                   cert_depth); break;
174 -
175 -           case X520_STATE:
176 -               openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_ST",
177 -                   cert_depth); break;
178 -
179 -           case X520_ORGANIZATION:
180 -               openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_O",
181 -                   cert_depth); break;
182 -
183 -           case X520_ORG_UNIT:
184 -               openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_OU",
185 -                   cert_depth); break;
186 -
187 -           default:
188 -               openvpn_snprintf (name_expand, sizeof(name_expand),
189 -                   "X509_%d_0x%02X", cert_depth, name->oid.p[2]);
190 -               break;
191 -           }
192 +         openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_%s",
193 +             cert_depth, shortname);
194 +       }
195 +      else
196 +       {
197 +         openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_\?\?",
198 +             cert_depth);
199         }
200 -       else if( name->oid.len == 8 && memcmp( name->oid.p, OID_PKCS9, 8 ) == 0 )
201 -         {
202 -           switch( name->oid.p[8] )
203 -             {
204 -               case PKCS9_EMAIL:
205 -                 openvpn_snprintf (name_expand, sizeof(name_expand),
206 -                     "X509_%d_emailAddress", cert_depth); break;
207 -
208 -               default:
209 -                 openvpn_snprintf (name_expand, sizeof(name_expand),
210 -                     "X509_%d_0x%02X", cert_depth, name->oid.p[8]);
211 -                 break;
212 -             }
213 -         }
214 -       else
215 -         {
216 -           openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_\?\?",
217 -               cert_depth);
218 -         }
219  
220         for( i = 0; i < name->val.len; i++ )
221         {