Home Explore Help
Sign In
libreCMC
/
librecmc-fossil
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 3c4ec5f916
Branches Tags
librecmc-fossil
/
trunk
/
package
/
network
/
services
/
openvpn
/
patches
/
100-polarssl_compat.h

100-polarssl_compat.h 8.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257 
  1. --- a/src/openvpn/ssl_polarssl.h
    2. 

  2. +++ b/src/openvpn/ssl_polarssl.h
    3. 

  3. @@ -38,6 +38,8 @@
    4. 

  4.  #include <polarssl/pkcs11.h>
    5. 

  5.  #endif
    6. 

  6.  
    7. 

  7. +#include <polarssl/compat-1.2.h>
    8. 

  8. +
    9. 

  9.  typedef struct _buffer_entry buffer_entry;
    10. 

  10.  
    11. 

  11.  struct _buffer_entry {
    12. 

  12. --- a/src/openvpn/ssl_polarssl.c
    13. 

  13. +++ b/src/openvpn/ssl_polarssl.c
    14. 

  14. @@ -46,7 +46,7 @@
    15. 

  15.  #include "manage.h"
    16. 

  16.  #include "ssl_common.h"
    17. 

  17.  
    18. 

  18. -#include <polarssl/sha2.h>
    19. 

  19. +#include <polarssl/sha256.h>
    20. 

  20.  #include <polarssl/havege.h>
    21. 

  21.  
    22. 

  22.  #include "ssl_verify_polarssl.h"
    23. 

  23. @@ -212,13 +212,13 @@ tls_ctx_load_dh_params (struct tls_root_
    24. 

  24.  {
    25. 

  25.    if (!strcmp (dh_file, INLINE_FILE_TAG) && dh_inline)
    26. 

  26.      {
    27. 

  27. -      if (0 != x509parse_dhm(ctx->dhm_ctx, (const unsigned char *) dh_inline,
    28. 

  28. +      if (0 != dhm_parse_dhm(ctx->dhm_ctx, (const unsigned char *) dh_inline,
    29. 

  29.  	  strlen(dh_inline)))
    30. 

  30.  	msg (M_FATAL, "Cannot read inline DH parameters");
    31. 

  31.    }
    32. 

  32.  else
    33. 

  33.    {
    34. 

  34. -    if (0 != x509parse_dhmfile(ctx->dhm_ctx, dh_file))
    35. 

  35. +    if (0 != dhm_parse_dhmfile(ctx->dhm_ctx, dh_file))
    36. 

  36.        msg (M_FATAL, "Cannot read DH parameters from file %s", dh_file);
    37. 

  37.    }
    38. 

  38.  
    39. 

  39. @@ -253,13 +253,13 @@ tls_ctx_load_cert_file (struct tls_root_
    40. 

  40.  
    41. 

  41.    if (!strcmp (cert_file, INLINE_FILE_TAG) && cert_inline)
    42. 

  42.      {
    43. 

  43. -      if (0 != x509parse_crt(ctx->crt_chain,
    44. 

  44. +      if (0 != x509_crt_parse(ctx->crt_chain,
    45. 

  45.  	  (const unsigned char *) cert_inline, strlen(cert_inline)))
    46. 

  46.          msg (M_FATAL, "Cannot load inline certificate file");
    47. 

  47.      }
    48. 

  48.    else
    49. 

  49.      {
    50. 

  50. -      if (0 != x509parse_crtfile(ctx->crt_chain, cert_file))
    51. 

  51. +      if (0 != x509_crt_parse_file(ctx->crt_chain, cert_file))
    52. 

  52.  	msg (M_FATAL, "Cannot load certificate file %s", cert_file);
    53. 

  53.      }
    54. 

  54.  }
    55. 

  55. @@ -277,7 +277,7 @@ tls_ctx_load_priv_file (struct tls_root_
    56. 

  56.        status = x509parse_key(ctx->priv_key,
    57. 

  57.  	  (const unsigned char *) priv_key_inline, strlen(priv_key_inline),
    58. 

  58.  	  NULL, 0);
    59. 

  59. -      if (POLARSSL_ERR_X509_PASSWORD_REQUIRED == status)
    60. 

  60. +      if (POLARSSL_ERR_PK_PASSWORD_REQUIRED == status)
    61. 

  61.  	{
    62. 

  62.  	  char passbuf[512] = {0};
    63. 

  63.  	  pem_password_callback(passbuf, 512, 0, NULL);
    64. 

  64. @@ -289,7 +289,7 @@ tls_ctx_load_priv_file (struct tls_root_
    65. 

  65.    else
    66. 

  66.      {
    67. 

  67.        status = x509parse_keyfile(ctx->priv_key, priv_key_file, NULL);
    68. 

  68. -      if (POLARSSL_ERR_X509_PASSWORD_REQUIRED == status)
    69. 

  69. +      if (POLARSSL_ERR_PK_PASSWORD_REQUIRED == status)
    70. 

  70.  	{
    71. 

  71.  	  char passbuf[512] = {0};
    72. 

  72.  	  pem_password_callback(passbuf, 512, 0, NULL);
    73. 

  73. @@ -480,14 +480,14 @@ void tls_ctx_load_ca (struct tls_root_ct
    74. 

  74.  
    75. 

  75.    if (ca_file && !strcmp (ca_file, INLINE_FILE_TAG) && ca_inline)
    76. 

  76.      {
    77. 

  77. -      if (0 != x509parse_crt(ctx->ca_chain, (const unsigned char *) ca_inline,
    78. 

  78. +      if (0 != x509_crt_parse(ctx->ca_chain, (const unsigned char *) ca_inline,
    79. 

  79.  	  strlen(ca_inline)))
    80. 

  80.  	msg (M_FATAL, "Cannot load inline CA certificates");
    81. 

  81.      }
    82. 

  82.    else
    83. 

  83.      {
    84. 

  84.        /* Load CA file for verifying peer supplied certificate */
    85. 

  85. -      if (0 != x509parse_crtfile(ctx->ca_chain, ca_file))
    86. 

  86. +      if (0 != x509_crt_parse_file(ctx->ca_chain, ca_file))
    87. 

  87.  	msg (M_FATAL, "Cannot load CA certificate file %s", ca_file);
    88. 

  88.      }
    89. 

  89.  }
    90. 

  90. @@ -501,14 +501,14 @@ tls_ctx_load_extra_certs (struct tls_roo
    91. 

  91.  
    92. 

  92.    if (!strcmp (extra_certs_file, INLINE_FILE_TAG) && extra_certs_inline)
    93. 

  93.      {
    94. 

  94. -      if (0 != x509parse_crt(ctx->crt_chain,
    95. 

  95. +      if (0 != x509_crt_parse(ctx->crt_chain,
    96. 

  96.  	  (const unsigned char *) extra_certs_inline,
    97. 

  97.  	  strlen(extra_certs_inline)))
    98. 

  98.          msg (M_FATAL, "Cannot load inline extra-certs file");
    99. 

  99.      }
    100. 

  100.    else
    101. 

  101.      {
    102. 

  102. -      if (0 != x509parse_crtfile(ctx->crt_chain, extra_certs_file))
    103. 

  103. +      if (0 != x509_crt_parse_file(ctx->crt_chain, extra_certs_file))
    104. 

  104.  	msg (M_FATAL, "Cannot load extra-certs file: %s", extra_certs_file);
    105. 

  105.      }
    106. 

  106.  }
    107. 

  107. @@ -724,7 +724,7 @@ void key_state_ssl_init(struct key_state
    108. 

  108.  	   external_key_len );
    109. 

  109.        else
    110. 

  110.  #endif
    111. 

  111. -	ssl_set_own_cert( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key );
    112. 

  112. +	ssl_set_own_cert_rsa( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key );
    113. 

  113.  
    114. 

  114.        /* Initialise SSL verification */
    115. 

  115.  #if P2MP_SERVER
    116. 

  116. @@ -1068,7 +1068,7 @@ print_details (struct key_state_ssl * ks
    117. 

  117.    cert = ssl_get_peer_cert(ks_ssl->ctx);
    118. 

  118.    if (cert != NULL)
    119. 

  119.      {
    120. 

  120. -      openvpn_snprintf (s2, sizeof (s2), ", " counter_format " bit RSA", (counter_type) cert->rsa.len * 8);
    121. 

  121. +      openvpn_snprintf (s2, sizeof (s2), ", " counter_format " bit RSA", (counter_type) pk_rsa(cert->pk)->len * 8);
    122. 

  122.      }
    123. 

  123.  
    124. 

  124.    msg (D_HANDSHAKE, "%s%s", s1, s2);
    125. 

  125. --- a/src/openvpn/crypto_polarssl.c
    126. 

  126. +++ b/src/openvpn/crypto_polarssl.c
    127. 

  127. @@ -487,7 +487,12 @@ cipher_ctx_get_cipher_kt (const cipher_c
    128. 

  128.  
    129. 

  129.  int cipher_ctx_reset (cipher_context_t *ctx, uint8_t *iv_buf)
    130. 

  130.  {
    131. 

  131. -  return 0 == cipher_reset(ctx, iv_buf);
    132. 

  132. +  int retval = cipher_reset(ctx);
    133. 

  133. +
    134. 

  134. +  if (0 == retval)
    135. 

  135. +    cipher_set_iv(ctx, iv_buf, ctx->cipher_info->iv_size);
    136. 

  136. +
    137. 

  137. +  return 0 == retval;
    138. 

  138.  }
    139. 

  139.  
    140. 

  140.  int cipher_ctx_update (cipher_context_t *ctx, uint8_t *dst, int *dst_len,
    141. 

  141. --- a/src/openvpn/ssl_verify_polarssl.h
    142. 

  142. +++ b/src/openvpn/ssl_verify_polarssl.h
    143. 

  143. @@ -34,6 +34,7 @@
    144. 

  144.  #include "misc.h"
    145. 

  145.  #include "manage.h"
    146. 

  146.  #include <polarssl/x509.h>
    147. 

  147. +#include <polarssl/compat-1.2.h>
    148. 

  148.  
    149. 

  149.  #ifndef __OPENVPN_X509_CERT_T_DECLARED
    150. 

  150.  #define __OPENVPN_X509_CERT_T_DECLARED
    151. 

  151. --- a/src/openvpn/ssl_verify_polarssl.c
    152. 

  152. +++ b/src/openvpn/ssl_verify_polarssl.c
    153. 

  153. @@ -40,6 +40,7 @@
    154. 

  154.  #include "ssl_verify.h"
    155. 

  155.  #include <polarssl/error.h>
    156. 

  156.  #include <polarssl/bignum.h>
    157. 

  157. +#include <polarssl/oid.h>
    158. 

  158.  #include <polarssl/sha1.h>
    159. 

  159.  
    160. 

  160.  #define MAX_SUBJECT_LENGTH 256
    161. 

  161. @@ -102,7 +103,7 @@ x509_get_username (char *cn, int cn_len,
    162. 

  162.    /* Find common name */
    163. 

  163.    while( name != NULL )
    164. 

  164.    {
    165. 

  165. -      if( memcmp( name->oid.p, OID_CN, OID_SIZE(OID_CN) ) == 0)
    166. 

  166. +      if( memcmp( name->oid.p, OID_AT_CN, OID_SIZE(OID_AT_CN) ) == 0)
    167. 

  167.  	break;
    168. 

  168.  
    169. 

  169.        name = name->next;
    170. 

  170. @@ -224,60 +225,18 @@ x509_setenv (struct env_set *es, int cer
    171. 

  171.    while( name != NULL )
    172. 

  172.      {
    173. 

  173.        char name_expand[64+8];
    174. 

  174. +      const char *shortname;
    175. 

  175.  
    176. 

  176. -      if( name->oid.len == 2 && memcmp( name->oid.p, OID_X520, 2 ) == 0 )
    177. 

  177. +      if( 0 == oid_get_attr_short_name(&name->oid, &shortname) )
    178. 

  178.  	{
    179. 

  179. -	  switch( name->oid.p[2] )
    180. 

  180. -	    {
    181. 

  181. -	    case X520_COMMON_NAME:
    182. 

  182. -		openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_CN",
    183. 

  183. -		    cert_depth); break;
    184. 

  184. -
    185. 

  185. -	    case X520_COUNTRY:
    186. 

  186. -		openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_C",
    187. 

  187. -		    cert_depth); break;
    188. 

  188. -
    189. 

  189. -	    case X520_LOCALITY:
    190. 

  190. -		openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_L",
    191. 

  191. -		    cert_depth); break;
    192. 

  192. -
    193. 

  193. -	    case X520_STATE:
    194. 

  194. -		openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_ST",
    195. 

  195. -		    cert_depth); break;
    196. 

  196. -
    197. 

  197. -	    case X520_ORGANIZATION:
    198. 

  198. -		openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_O",
    199. 

  199. -		    cert_depth); break;
    200. 

  200. -
    201. 

  201. -	    case X520_ORG_UNIT:
    202. 

  202. -		openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_OU",
    203. 

  203. -		    cert_depth); break;
    204. 

  204. -
    205. 

  205. -	    default:
    206. 

  206. -		openvpn_snprintf (name_expand, sizeof(name_expand),
    207. 

  207. -		    "X509_%d_0x%02X", cert_depth, name->oid.p[2]);
    208. 

  208. -		break;
    209. 

  209. -	    }
    210. 

  210. +	  openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_%s",
    211. 

  211. +	      cert_depth, shortname);
    212. 

  212. +	}
    213. 

  213. +      else
    214. 

  214. +	{
    215. 

  215. +	  openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_\?\?",
    216. 

  216. +	      cert_depth);
    217. 

  217.  	}
    218. 

  218. -	else if( name->oid.len == 8 && memcmp( name->oid.p, OID_PKCS9, 8 ) == 0 )
    219. 

  219. -	  {
    220. 

  220. -	    switch( name->oid.p[8] )
    221. 

  221. -	      {
    222. 

  222. -		case PKCS9_EMAIL:
    223. 

  223. -		  openvpn_snprintf (name_expand, sizeof(name_expand),
    224. 

  224. -		      "X509_%d_emailAddress", cert_depth); break;
    225. 

  225. -
    226. 

  226. -		default:
    227. 

  227. -		  openvpn_snprintf (name_expand, sizeof(name_expand),
    228. 

  228. -		      "X509_%d_0x%02X", cert_depth, name->oid.p[8]);
    229. 

  229. -		  break;
    230. 

  230. -	      }
    231. 

  231. -	  }
    232. 

  232. -	else
    233. 

  233. -	  {
    234. 

  234. -	    openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_\?\?",
    235. 

  235. -		cert_depth);
    236. 

  236. -	  }
    237. 

  237.  
    238. 

  238.  	for( i = 0; i < name->val.len; i++ )
    239. 

  239.  	{
    240. 

  240. --- a/configure.ac
    241. 

  241. +++ b/configure.ac
    242. 

  242. @@ -832,13 +832,13 @@ if test "${with_crypto_library}" = "pola
    243. 

  243.  #include <polarssl/version.h>
    244. 

  244.  			]],
    245. 

  245.  			[[
    246. 

  246. -#if POLARSSL_VERSION_NUMBER < 0x01020A00 || POLARSSL_VERSION_NUMBER >= 0x01030000
    247. 

  247. +#if POLARSSL_VERSION_NUMBER < 0x01030000
    248. 

  248.  #error invalid version
    249. 

  249.  #endif
    250. 

  250.  			]]
    251. 

  251.  		)],
    252. 

  252.  		[AC_MSG_RESULT([ok])],
    253. 

  253. -		[AC_MSG_ERROR([PolarSSL 1.2.x required and must be 1.2.10 or later])]
    254. 

  254. +		[AC_MSG_ERROR([PolarSSL 1.3.x required])]
    255. 

  255.  	)
    256. 

  256.  
    257. 

  257.  	polarssl_with_pkcs11="no"
    258.