hsist
/
freifunkist-firmware
6
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

polarssl: update to version 1.3.4 and add openssl compat patch

Browse Source 
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 39930
master
Felix Fietkau 11 years ago
parent 6ae77556dc
commit b9825247c2
5 changed files with 404 additions and 77 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 5
      package/libs/polarssl/Makefile
  2. 164
      package/libs/polarssl/patches/200-reduce_config.patch
  3. 38
      package/libs/polarssl/patches/210-gen_key_config_fix.patch
  4. 53
      package/libs/polarssl/patches/300-openssl_cipher_name_compat.patch
  5. 221
      package/network/services/openvpn/patches/100-polarssl_compat.h

5
package/libs/polarssl/Makefile
Unescape View File

@ -8,13 +8,13 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=polarssl
PKG_VERSION:=1.2.9
PKG_VERSION:=1.3.4
PKG_RELEASE:=1
PKG_USE_MIPS16:=0
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-gpl.tgz
PKG_SOURCE_URL:=https://polarssl.org/code/releases
PKG_MD5SUM:=3d8e01537e747d7997993c70f2e108db
PKG_MD5SUM:=30a75c5f171be49f805f3bf64a0af054
include $(INCLUDE_DIR)/package.mk
include $(INCLUDE_DIR)/cmake.mk
@ -35,6 +35,7 @@ $(call Package/polarssl/Default)
SECTION:=libs
CATEGORY:=Libraries
TITLE+= (library)
ABI_VERSION:=$(PKG_VERSION)
endef
define Package/libpolarssl/description

164
package/libs/polarssl/patches/200-reduce_config.patch
Unescape View File

@ -1,16 +1,96 @@
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -206,8 +206,8 @@
* Requires: POLARSSL_BIGNUM_C, POLARSSL_RSA_C
@@ -315,8 +315,8 @@
* TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
* TLS_PSK_WITH_3DES_EDE_CBC_SHA
* TLS_PSK_WITH_RC4_128_SHA
- */
#define POLARSSL_KEY_EXCHANGE_PSK_ENABLED
+ */
/**
* \def POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED
@@ -339,8 +339,8 @@
* TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
* TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
* TLS_DHE_PSK_WITH_RC4_128_SHA
- */
#define POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED
+ */
/**
* \def POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED
@@ -359,8 +359,8 @@
* TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
* TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
* TLS_ECDHE_PSK_WITH_RC4_128_SHA
- */
#define POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+ */
/**
* \def POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED
@@ -384,8 +384,8 @@
* TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
* TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
* TLS_RSA_PSK_WITH_RC4_128_SHA
- */
#define POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED
+ */
/**
* \def POLARSSL_KEY_EXCHANGE_RSA_ENABLED
@@ -463,8 +463,8 @@
* TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
* TLS_ECDHE_RSA_WITH_RC4_128_SHA
- */
#define POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+ */
/**
* \def POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
@@ -487,8 +487,8 @@
* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
* TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- */
#define POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+ */
/**
* \def POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
@@ -511,8 +511,8 @@
* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
- */
#define POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+ */
/**
* \def POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED
@@ -535,8 +535,8 @@
* TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
* TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
* TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
- */
#define POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED
+ */
/**
* \def POLARSSL_ERROR_STRERROR_BC
@@ -566,8 +566,8 @@
* Enable the prime-number generation code.
*
* Enable the RSA prime-number generation code.
* Requires: POLARSSL_BIGNUM_C
- */
#define POLARSSL_GENPRIME
+ */
/**
* \def POLARSSL_FS_IO
@@ -264,8 +264,8 @@
@@ -662,8 +662,8 @@
* \def POLARSSL_SELF_TEST
*
* Enable the checkup functions (*_self_test).
@ -20,18 +100,18 @@
/**
* \def POLARSSL_SSL_ALL_ALERT_MESSAGES
@@ -466,8 +466,8 @@
* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
@@ -1107,8 +1107,8 @@
* TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
* TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
* TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
- */
#define POLARSSL_CAMELLIA_C
+ */
/**
* \def POLARSSL_CERTS_C
@@ -478,8 +478,8 @@
* Caller:
@@ -1121,8 +1121,8 @@
* Requires: POLARSSL_PEM_PARSE_C
*
* This module is used for testing (ssl_client/server).
- */
@ -40,7 +120,7 @@
/**
* \def POLARSSL_CIPHER_C
@@ -518,8 +518,8 @@
@@ -1161,8 +1161,8 @@
* library/ssl_tls.c
*
* This module provides debugging functions.
@ -50,18 +130,48 @@
/**
* \def POLARSSL_DES_C
@@ -604,8 +604,8 @@
* enabled as well):
* TLS_RSA_WITH_AES_128_GCM_SHA256
* TLS_RSA_WITH_AES_256_GCM_SHA384
@@ -1217,8 +1217,8 @@
* ECDHE-ECDSA, ECDHE-RSA, DHE-PSK
*
* Requires: POLARSSL_ECP_C
- */
#define POLARSSL_ECDH_C
+ */
/**
* \def POLARSSL_ECDSA_C
@@ -1232,8 +1232,8 @@
* ECDHE-ECDSA
*
* Requires: POLARSSL_ECP_C, POLARSSL_ASN1_WRITE_C, POLARSSL_ASN1_PARSE_C
- */
#define POLARSSL_ECDSA_C
+ */
/**
* \def POLARSSL_ECP_C
@@ -1245,8 +1245,8 @@
* library/ecdsa.c
*
* Requires: POLARSSL_BIGNUM_C and at least one POLARSSL_ECP_DP_XXX_ENABLED
- */
#define POLARSSL_ECP_C
+ */
/**
* \def POLARSSL_ENTROPY_C
@@ -1285,8 +1285,8 @@
*
* This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other
* requisites are enabled as well.
- */
#define POLARSSL_GCM_C
+ */
/**
* \def POLARSSL_HAVEGE_C
@@ -704,8 +704,8 @@
* Caller: library/aes.c
@@ -1436,8 +1436,8 @@
* Requires: POLARSSL_HAVE_ASM
*
* This modules adds support for the VIA PadLock on x86.
- */
@ -70,7 +180,17 @@
/**
* \def POLARSSL_PBKDF2_C
@@ -848,8 +848,8 @@
@@ -1584,8 +1584,8 @@
* Module: library/ripemd160.c
* Caller: library/md.c
*
- */
#define POLARSSL_RIPEMD160_C
+ */
/**
* \def POLARSSL_RSA_C
@@ -1664,8 +1664,8 @@
* Caller:
*
* Requires: POLARSSL_SSL_CACHE_C
@ -80,7 +200,7 @@
/**
* \def POLARSSL_SSL_CLI_C
@@ -903,8 +903,8 @@
@@ -1741,8 +1741,8 @@
* Caller: library/havege.c
*
* This module is used by the HAVEGE random number generator.
@ -90,13 +210,13 @@
/**
* \def POLARSSL_VERSION_C
@@ -953,8 +953,8 @@
@@ -1862,8 +1862,8 @@
*
* Module: library/xtea.c
* Caller:
- */
#define POLARSSL_XTEA_C
+ */
/* \} name */
/**
/* \} name SECTION: PolarSSL modules */

38
package/libs/polarssl/patches/210-gen_key_config_fix.patch
Unescape View File

@ -0,0 +1,38 @@
--- a/programs/pkey/gen_key.c
+++ b/programs/pkey/gen_key.c
@@ -155,7 +155,9 @@ int main( int argc, char *argv[] )
opt.type = DFL_TYPE;
opt.rsa_keysize = DFL_RSA_KEYSIZE;
+#if defined(POLARSSL_ECP_C)
opt.ec_curve = DFL_EC_CURVE;
+#endif
opt.filename = DFL_FILENAME;
opt.format = DFL_FORMAT;
@@ -170,8 +172,10 @@ int main( int argc, char *argv[] )
{
if( strcmp( q, "rsa" ) == 0 )
opt.type = POLARSSL_PK_RSA;
+#if defined(POLARSSL_ECP_C)
if( strcmp( q, "ec" ) == 0 )
opt.type = POLARSSL_PK_ECKEY;
+#endif
else
goto usage;
}
@@ -190,12 +194,14 @@ int main( int argc, char *argv[] )
if( opt.rsa_keysize < 1024 || opt.rsa_keysize > 8192 )
goto usage;
}
+#if defined(POLARSSL_ECP_C)
else if( strcmp( p, "ec_curve" ) == 0 )
{
if( ( curve_info = ecp_curve_info_from_name( q ) ) == NULL )
goto usage;
opt.ec_curve = curve_info->grp_id;
}
+#endif
else if( strcmp( p, "filename" ) == 0 )
opt.filename = q;
else

53
package/libs/polarssl/patches/300-openssl_cipher_name_compat.patch
Unescape View File

@ -1,53 +0,0 @@
--- a/library/cipher.c
+++ b/library/cipher.c
@@ -279,15 +279,21 @@ const cipher_info_t *cipher_info_from_st
#if defined(POLARSSL_BLOWFISH_C)
if( !strcasecmp( "BLOWFISH-CBC", cipher_name ) )
return cipher_info_from_type( POLARSSL_CIPHER_BLOWFISH_CBC );
+ if( !strcasecmp( "BF-CBC", cipher_name ) )
+ return cipher_info_from_type( POLARSSL_CIPHER_BLOWFISH_CBC );
#if defined(POLARSSL_CIPHER_MODE_CFB)
if( !strcasecmp( "BLOWFISH-CFB64", cipher_name ) )
return cipher_info_from_type( POLARSSL_CIPHER_BLOWFISH_CFB64 );
+ if( !strcasecmp( "BF-CFB64", cipher_name ) )
+ return cipher_info_from_type( POLARSSL_CIPHER_BLOWFISH_CFB64 );
#endif /* defined(POLARSSL_CIPHER_MODE_CFB) */
#if defined(POLARSSL_CIPHER_MODE_CTR)
if( !strcasecmp( "BLOWFISH-CTR", cipher_name ) )
return cipher_info_from_type( POLARSSL_CIPHER_BLOWFISH_CTR );
+ if( !strcasecmp( "BF-CTR", cipher_name ) )
+ return cipher_info_from_type( POLARSSL_CIPHER_BLOWFISH_CTR );
#endif /* defined(POLARSSL_CIPHER_MODE_CTR) */
#endif
--- a/library/cipher_wrap.c
+++ b/library/cipher_wrap.c
@@ -643,7 +643,7 @@ const cipher_info_t blowfish_cbc_info =
POLARSSL_CIPHER_BLOWFISH_CBC,
POLARSSL_MODE_CBC,
128,
- "BLOWFISH-CBC",
+ "BF-CBC",
8,
8,
&blowfish_info
@@ -654,7 +654,7 @@ const cipher_info_t blowfish_cfb64_info
POLARSSL_CIPHER_BLOWFISH_CFB64,
POLARSSL_MODE_CFB,
128,
- "BLOWFISH-CFB64",
+ "BF-CFB64",
8,
8,
&blowfish_info
@@ -666,7 +666,7 @@ const cipher_info_t blowfish_ctr_info =
POLARSSL_CIPHER_BLOWFISH_CTR,
POLARSSL_MODE_CTR,
128,
- "BLOWFISH-CTR",
+ "BF-CTR",
8,
8,
&blowfish_info

221
package/network/services/openvpn/patches/100-polarssl_compat.h
Unescape View File

@ -0,0 +1,221 @@
--- a/src/openvpn/ssl_polarssl.h
+++ b/src/openvpn/ssl_polarssl.h
@@ -36,6 +36,8 @@
#include <polarssl/pkcs11.h>
#endif
+#include <polarssl/compat-1.2.h>
+
typedef struct _buffer_entry buffer_entry;
struct _buffer_entry {
--- a/src/openvpn/ssl_polarssl.c
+++ b/src/openvpn/ssl_polarssl.c
@@ -44,7 +44,7 @@
#include "manage.h"
#include "ssl_common.h"
-#include <polarssl/sha2.h>
+#include <polarssl/sha256.h>
#include <polarssl/havege.h>
#include "ssl_verify_polarssl.h"
@@ -204,12 +204,12 @@ tls_ctx_load_dh_params (struct tls_root_
{
if (!strcmp (dh_file, INLINE_FILE_TAG) && dh_file_inline)
{
- if (0 != x509parse_dhm(ctx->dhm_ctx, dh_file_inline, strlen(dh_file_inline)))
+ if (0 != dhm_parse_dhm(ctx->dhm_ctx, dh_file_inline, strlen(dh_file_inline)))
msg (M_FATAL, "Cannot read inline DH parameters");
}
else
{
- if (0 != x509parse_dhmfile(ctx->dhm_ctx, dh_file))
+ if (0 != dhm_parse_dhmfile(ctx->dhm_ctx, dh_file))
msg (M_FATAL, "Cannot read DH parameters from file %s", dh_file);
}
@@ -530,7 +530,7 @@ void key_state_ssl_init(struct key_state
ssl_pkcs11_key_len );
else
#endif
- ssl_set_own_cert( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key );
+ ssl_set_own_cert_rsa( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key );
/* Initialise SSL verification */
ssl_set_authmode (ks_ssl->ctx, SSL_VERIFY_REQUIRED);
@@ -832,7 +832,7 @@ print_details (struct key_state_ssl * ks
cert = ssl_get_peer_cert(ks_ssl->ctx);
if (cert != NULL)
{
- openvpn_snprintf (s2, sizeof (s2), ", " counter_format " bit RSA", (counter_type) cert->rsa.len * 8);
+ openvpn_snprintf (s2, sizeof (s2), ", " counter_format " bit RSA", (counter_type) pk_rsa(cert->pk)->len * 8);
}
msg (D_HANDSHAKE, "%s%s", s1, s2);
--- a/src/openvpn/crypto_polarssl.c
+++ b/src/openvpn/crypto_polarssl.c
@@ -466,7 +466,12 @@ int cipher_ctx_mode (const cipher_contex
int cipher_ctx_reset (cipher_context_t *ctx, uint8_t *iv_buf)
{
- return 0 == cipher_reset(ctx, iv_buf);
+ int retval = cipher_reset(ctx);
+
+ if (0 == retval)
+ cipher_set_iv(ctx, iv_buf, ctx->cipher_info->iv_size);
+
+ return 0 == retval;
}
int cipher_ctx_update (cipher_context_t *ctx, uint8_t *dst, int *dst_len,
--- a/src/openvpn/ssl_verify_polarssl.h
+++ b/src/openvpn/ssl_verify_polarssl.h
@@ -34,6 +34,7 @@
#include "misc.h"
#include "manage.h"
#include <polarssl/x509.h>
+#include <polarssl/compat-1.2.h>
#ifndef __OPENVPN_X509_CERT_T_DECLARED
#define __OPENVPN_X509_CERT_T_DECLARED
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -437,7 +437,7 @@ verify_cert_set_env(struct env_set *es,
#endif
/* export serial number as environmental variable */
- serial = x509_get_serial(peer_cert, &gc);
+ serial = backend_x509_get_serial(peer_cert, &gc);
openvpn_snprintf (envname, sizeof(envname), "tls_serial_%d", cert_depth);
setenv_str (es, envname, serial);
@@ -564,7 +564,7 @@ verify_check_crl_dir(const char *crl_dir
int fd = -1;
struct gc_arena gc = gc_new();
- char *serial = x509_get_serial(cert, &gc);
+ char *serial = backend_x509_get_serial(cert, &gc);
if (!openvpn_snprintf(fn, sizeof(fn), "%s%c%s", crl_dir, OS_SPECIFIC_DIRSEP, serial))
{
--- a/src/openvpn/ssl_verify_backend.h
+++ b/src/openvpn/ssl_verify_backend.h
@@ -122,7 +122,7 @@ result_t x509_get_username (char *common
*
* @return The certificate's serial number.
*/
-char *x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc);
+char *backend_x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc);
/*
* Save X509 fields to environment, using the naming convention:
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -220,7 +220,7 @@ x509_get_username (char *common_name, in
}
char *
-x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc)
+backend_x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc)
{
ASN1_INTEGER *asn1_i;
BIGNUM *bignum;
--- a/src/openvpn/ssl_verify_polarssl.c
+++ b/src/openvpn/ssl_verify_polarssl.c
@@ -38,6 +38,7 @@
#if defined(ENABLE_SSL) && defined(ENABLE_CRYPTO_POLARSSL)
#include "ssl_verify.h"
+#include <polarssl/oid.h>
#include <polarssl/sha1.h>
#define MAX_SUBJECT_LENGTH 256
@@ -100,7 +101,7 @@ x509_get_username (char *cn, int cn_len,
/* Find common name */
while( name != NULL )
{
- if( memcmp( name->oid.p, OID_CN, OID_SIZE(OID_CN) ) == 0)
+ if( memcmp( name->oid.p, OID_AT_CN, OID_SIZE(OID_AT_CN) ) == 0)
break;
name = name->next;
@@ -123,7 +124,7 @@ x509_get_username (char *cn, int cn_len,
}
char *
-x509_get_serial (x509_cert *cert, struct gc_arena *gc)
+backend_x509_get_serial (x509_cert *cert, struct gc_arena *gc)
{
int ret = 0;
int i = 0;
@@ -184,60 +185,18 @@ x509_setenv (struct env_set *es, int cer
while( name != NULL )
{
char name_expand[64+8];
+ const char *shortname;
- if( name->oid.len == 2 && memcmp( name->oid.p, OID_X520, 2 ) == 0 )
+ if( 0 == oid_get_attr_short_name(&name->oid, &shortname) )
{
- switch( name->oid.p[2] )
- {
- case X520_COMMON_NAME:
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_CN",
- cert_depth); break;
-
- case X520_COUNTRY:
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_C",
- cert_depth); break;
-
- case X520_LOCALITY:
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_L",
- cert_depth); break;
-
- case X520_STATE:
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_ST",
- cert_depth); break;
-
- case X520_ORGANIZATION:
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_O",
- cert_depth); break;
-
- case X520_ORG_UNIT:
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_OU",
- cert_depth); break;
-
- default:
- openvpn_snprintf (name_expand, sizeof(name_expand),
- "X509_%d_0x%02X", cert_depth, name->oid.p[2]);
- break;
- }
+ openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_%s",
+ cert_depth, shortname);
+ }
+ else
+ {
+ openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_\?\?",
+ cert_depth);
}
- else if( name->oid.len == 8 && memcmp( name->oid.p, OID_PKCS9, 8 ) == 0 )
- {
- switch( name->oid.p[8] )
- {
- case PKCS9_EMAIL:
- openvpn_snprintf (name_expand, sizeof(name_expand),
- "X509_%d_emailAddress", cert_depth); break;
-
- default:
- openvpn_snprintf (name_expand, sizeof(name_expand),
- "X509_%d_0x%02X", cert_depth, name->oid.p[8]);
- break;
- }
- }
- else
- {
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_\?\?",
- cert_depth);
- }
for( i = 0; i < name->val.len; i++ )
{
Write Preview
Loading…
Cancel
Save