polarssl: update to version 1.3.4 and add openssl compat patch

Signed-off-by: Felix Fietkau <nbd@openwrt.org>

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@39930 3c298f89-4303-0410-b956-a3cf2f4a3e73
master
Felix Fietkau 2014-03-14 15:05:46 +00:00
parent 92007525b8
commit c8457cf43a
5 changed files with 404 additions and 77 deletions

View File

@ -8,13 +8,13 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=polarssl
PKG_VERSION:=1.2.9
PKG_VERSION:=1.3.4
PKG_RELEASE:=1
PKG_USE_MIPS16:=0
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-gpl.tgz
PKG_SOURCE_URL:=https://polarssl.org/code/releases
PKG_MD5SUM:=3d8e01537e747d7997993c70f2e108db
PKG_MD5SUM:=30a75c5f171be49f805f3bf64a0af054
include $(INCLUDE_DIR)/package.mk
include $(INCLUDE_DIR)/cmake.mk
@ -35,6 +35,7 @@ $(call Package/polarssl/Default)
SECTION:=libs
CATEGORY:=Libraries
TITLE+= (library)
ABI_VERSION:=$(PKG_VERSION)
endef
define Package/libpolarssl/description

View File

@ -1,16 +1,96 @@
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -206,8 +206,8 @@
* Requires: POLARSSL_BIGNUM_C, POLARSSL_RSA_C
@@ -315,8 +315,8 @@
* TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
* TLS_PSK_WITH_3DES_EDE_CBC_SHA
* TLS_PSK_WITH_RC4_128_SHA
- */
#define POLARSSL_KEY_EXCHANGE_PSK_ENABLED
+ */
/**
* \def POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED
@@ -339,8 +339,8 @@
* TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
* TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
* TLS_DHE_PSK_WITH_RC4_128_SHA
- */
#define POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED
+ */
/**
* \def POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED
@@ -359,8 +359,8 @@
* TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
* TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
* TLS_ECDHE_PSK_WITH_RC4_128_SHA
- */
#define POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+ */
/**
* \def POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED
@@ -384,8 +384,8 @@
* TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
* TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
* TLS_RSA_PSK_WITH_RC4_128_SHA
- */
#define POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED
+ */
/**
* \def POLARSSL_KEY_EXCHANGE_RSA_ENABLED
@@ -463,8 +463,8 @@
* TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
* TLS_ECDHE_RSA_WITH_RC4_128_SHA
- */
#define POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+ */
/**
* \def POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
@@ -487,8 +487,8 @@
* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
* TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- */
#define POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+ */
/**
* \def POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
@@ -511,8 +511,8 @@
* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
- */
#define POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+ */
/**
* \def POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED
@@ -535,8 +535,8 @@
* TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
* TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
* TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
- */
#define POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED
+ */
/**
* \def POLARSSL_ERROR_STRERROR_BC
@@ -566,8 +566,8 @@
* Enable the prime-number generation code.
*
* Enable the RSA prime-number generation code.
* Requires: POLARSSL_BIGNUM_C
- */
#define POLARSSL_GENPRIME
+ */
/**
* \def POLARSSL_FS_IO
@@ -264,8 +264,8 @@
@@ -662,8 +662,8 @@
* \def POLARSSL_SELF_TEST
*
* Enable the checkup functions (*_self_test).
@ -20,18 +100,18 @@
/**
* \def POLARSSL_SSL_ALL_ALERT_MESSAGES
@@ -466,8 +466,8 @@
* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
@@ -1107,8 +1107,8 @@
* TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
* TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
* TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
- */
#define POLARSSL_CAMELLIA_C
+ */
/**
* \def POLARSSL_CERTS_C
@@ -478,8 +478,8 @@
* Caller:
@@ -1121,8 +1121,8 @@
* Requires: POLARSSL_PEM_PARSE_C
*
* This module is used for testing (ssl_client/server).
- */
@ -40,7 +120,7 @@
/**
* \def POLARSSL_CIPHER_C
@@ -518,8 +518,8 @@
@@ -1161,8 +1161,8 @@
* library/ssl_tls.c
*
* This module provides debugging functions.
@ -50,18 +130,48 @@
/**
* \def POLARSSL_DES_C
@@ -604,8 +604,8 @@
* enabled as well):
* TLS_RSA_WITH_AES_128_GCM_SHA256
* TLS_RSA_WITH_AES_256_GCM_SHA384
@@ -1217,8 +1217,8 @@
* ECDHE-ECDSA, ECDHE-RSA, DHE-PSK
*
* Requires: POLARSSL_ECP_C
- */
#define POLARSSL_ECDH_C
+ */
/**
* \def POLARSSL_ECDSA_C
@@ -1232,8 +1232,8 @@
* ECDHE-ECDSA
*
* Requires: POLARSSL_ECP_C, POLARSSL_ASN1_WRITE_C, POLARSSL_ASN1_PARSE_C
- */
#define POLARSSL_ECDSA_C
+ */
/**
* \def POLARSSL_ECP_C
@@ -1245,8 +1245,8 @@
* library/ecdsa.c
*
* Requires: POLARSSL_BIGNUM_C and at least one POLARSSL_ECP_DP_XXX_ENABLED
- */
#define POLARSSL_ECP_C
+ */
/**
* \def POLARSSL_ENTROPY_C
@@ -1285,8 +1285,8 @@
*
* This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other
* requisites are enabled as well.
- */
#define POLARSSL_GCM_C
+ */
/**
* \def POLARSSL_HAVEGE_C
@@ -704,8 +704,8 @@
* Caller: library/aes.c
@@ -1436,8 +1436,8 @@
* Requires: POLARSSL_HAVE_ASM
*
* This modules adds support for the VIA PadLock on x86.
- */
@ -70,7 +180,17 @@
/**
* \def POLARSSL_PBKDF2_C
@@ -848,8 +848,8 @@
@@ -1584,8 +1584,8 @@
* Module: library/ripemd160.c
* Caller: library/md.c
*
- */
#define POLARSSL_RIPEMD160_C
+ */
/**
* \def POLARSSL_RSA_C
@@ -1664,8 +1664,8 @@
* Caller:
*
* Requires: POLARSSL_SSL_CACHE_C
@ -80,7 +200,7 @@
/**
* \def POLARSSL_SSL_CLI_C
@@ -903,8 +903,8 @@
@@ -1741,8 +1741,8 @@
* Caller: library/havege.c
*
* This module is used by the HAVEGE random number generator.
@ -90,13 +210,13 @@
/**
* \def POLARSSL_VERSION_C
@@ -953,8 +953,8 @@
@@ -1862,8 +1862,8 @@
*
* Module: library/xtea.c
* Caller:
- */
#define POLARSSL_XTEA_C
+ */
/* \} name */
/**
/* \} name SECTION: PolarSSL modules */

View File

@ -0,0 +1,38 @@
--- a/programs/pkey/gen_key.c
+++ b/programs/pkey/gen_key.c
@@ -155,7 +155,9 @@ int main( int argc, char *argv[] )
opt.type = DFL_TYPE;
opt.rsa_keysize = DFL_RSA_KEYSIZE;
+#if defined(POLARSSL_ECP_C)
opt.ec_curve = DFL_EC_CURVE;
+#endif
opt.filename = DFL_FILENAME;
opt.format = DFL_FORMAT;
@@ -170,8 +172,10 @@ int main( int argc, char *argv[] )
{
if( strcmp( q, "rsa" ) == 0 )
opt.type = POLARSSL_PK_RSA;
+#if defined(POLARSSL_ECP_C)
if( strcmp( q, "ec" ) == 0 )
opt.type = POLARSSL_PK_ECKEY;
+#endif
else
goto usage;
}
@@ -190,12 +194,14 @@ int main( int argc, char *argv[] )
if( opt.rsa_keysize < 1024 || opt.rsa_keysize > 8192 )
goto usage;
}
+#if defined(POLARSSL_ECP_C)
else if( strcmp( p, "ec_curve" ) == 0 )
{
if( ( curve_info = ecp_curve_info_from_name( q ) ) == NULL )
goto usage;
opt.ec_curve = curve_info->grp_id;
}
+#endif
else if( strcmp( p, "filename" ) == 0 )
opt.filename = q;
else

View File

@ -1,53 +0,0 @@
--- a/library/cipher.c
+++ b/library/cipher.c
@@ -279,15 +279,21 @@ const cipher_info_t *cipher_info_from_st
#if defined(POLARSSL_BLOWFISH_C)
if( !strcasecmp( "BLOWFISH-CBC", cipher_name ) )
return cipher_info_from_type( POLARSSL_CIPHER_BLOWFISH_CBC );
+ if( !strcasecmp( "BF-CBC", cipher_name ) )
+ return cipher_info_from_type( POLARSSL_CIPHER_BLOWFISH_CBC );
#if defined(POLARSSL_CIPHER_MODE_CFB)
if( !strcasecmp( "BLOWFISH-CFB64", cipher_name ) )
return cipher_info_from_type( POLARSSL_CIPHER_BLOWFISH_CFB64 );
+ if( !strcasecmp( "BF-CFB64", cipher_name ) )
+ return cipher_info_from_type( POLARSSL_CIPHER_BLOWFISH_CFB64 );
#endif /* defined(POLARSSL_CIPHER_MODE_CFB) */
#if defined(POLARSSL_CIPHER_MODE_CTR)
if( !strcasecmp( "BLOWFISH-CTR", cipher_name ) )
return cipher_info_from_type( POLARSSL_CIPHER_BLOWFISH_CTR );
+ if( !strcasecmp( "BF-CTR", cipher_name ) )
+ return cipher_info_from_type( POLARSSL_CIPHER_BLOWFISH_CTR );
#endif /* defined(POLARSSL_CIPHER_MODE_CTR) */
#endif
--- a/library/cipher_wrap.c
+++ b/library/cipher_wrap.c
@@ -643,7 +643,7 @@ const cipher_info_t blowfish_cbc_info =
POLARSSL_CIPHER_BLOWFISH_CBC,
POLARSSL_MODE_CBC,
128,
- "BLOWFISH-CBC",
+ "BF-CBC",
8,
8,
&blowfish_info
@@ -654,7 +654,7 @@ const cipher_info_t blowfish_cfb64_info
POLARSSL_CIPHER_BLOWFISH_CFB64,
POLARSSL_MODE_CFB,
128,
- "BLOWFISH-CFB64",
+ "BF-CFB64",
8,
8,
&blowfish_info
@@ -666,7 +666,7 @@ const cipher_info_t blowfish_ctr_info =
POLARSSL_CIPHER_BLOWFISH_CTR,
POLARSSL_MODE_CTR,
128,
- "BLOWFISH-CTR",
+ "BF-CTR",
8,
8,
&blowfish_info

View File

@ -0,0 +1,221 @@
--- a/src/openvpn/ssl_polarssl.h
+++ b/src/openvpn/ssl_polarssl.h
@@ -36,6 +36,8 @@
#include <polarssl/pkcs11.h>
#endif
+#include <polarssl/compat-1.2.h>
+
typedef struct _buffer_entry buffer_entry;
struct _buffer_entry {
--- a/src/openvpn/ssl_polarssl.c
+++ b/src/openvpn/ssl_polarssl.c
@@ -44,7 +44,7 @@
#include "manage.h"
#include "ssl_common.h"
-#include <polarssl/sha2.h>
+#include <polarssl/sha256.h>
#include <polarssl/havege.h>
#include "ssl_verify_polarssl.h"
@@ -204,12 +204,12 @@ tls_ctx_load_dh_params (struct tls_root_
{
if (!strcmp (dh_file, INLINE_FILE_TAG) && dh_file_inline)
{
- if (0 != x509parse_dhm(ctx->dhm_ctx, dh_file_inline, strlen(dh_file_inline)))
+ if (0 != dhm_parse_dhm(ctx->dhm_ctx, dh_file_inline, strlen(dh_file_inline)))
msg (M_FATAL, "Cannot read inline DH parameters");
}
else
{
- if (0 != x509parse_dhmfile(ctx->dhm_ctx, dh_file))
+ if (0 != dhm_parse_dhmfile(ctx->dhm_ctx, dh_file))
msg (M_FATAL, "Cannot read DH parameters from file %s", dh_file);
}
@@ -530,7 +530,7 @@ void key_state_ssl_init(struct key_state
ssl_pkcs11_key_len );
else
#endif
- ssl_set_own_cert( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key );
+ ssl_set_own_cert_rsa( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key );
/* Initialise SSL verification */
ssl_set_authmode (ks_ssl->ctx, SSL_VERIFY_REQUIRED);
@@ -832,7 +832,7 @@ print_details (struct key_state_ssl * ks
cert = ssl_get_peer_cert(ks_ssl->ctx);
if (cert != NULL)
{
- openvpn_snprintf (s2, sizeof (s2), ", " counter_format " bit RSA", (counter_type) cert->rsa.len * 8);
+ openvpn_snprintf (s2, sizeof (s2), ", " counter_format " bit RSA", (counter_type) pk_rsa(cert->pk)->len * 8);
}
msg (D_HANDSHAKE, "%s%s", s1, s2);
--- a/src/openvpn/crypto_polarssl.c
+++ b/src/openvpn/crypto_polarssl.c
@@ -466,7 +466,12 @@ int cipher_ctx_mode (const cipher_contex
int cipher_ctx_reset (cipher_context_t *ctx, uint8_t *iv_buf)
{
- return 0 == cipher_reset(ctx, iv_buf);
+ int retval = cipher_reset(ctx);
+
+ if (0 == retval)
+ cipher_set_iv(ctx, iv_buf, ctx->cipher_info->iv_size);
+
+ return 0 == retval;
}
int cipher_ctx_update (cipher_context_t *ctx, uint8_t *dst, int *dst_len,
--- a/src/openvpn/ssl_verify_polarssl.h
+++ b/src/openvpn/ssl_verify_polarssl.h
@@ -34,6 +34,7 @@
#include "misc.h"
#include "manage.h"
#include <polarssl/x509.h>
+#include <polarssl/compat-1.2.h>
#ifndef __OPENVPN_X509_CERT_T_DECLARED
#define __OPENVPN_X509_CERT_T_DECLARED
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -437,7 +437,7 @@ verify_cert_set_env(struct env_set *es,
#endif
/* export serial number as environmental variable */
- serial = x509_get_serial(peer_cert, &gc);
+ serial = backend_x509_get_serial(peer_cert, &gc);
openvpn_snprintf (envname, sizeof(envname), "tls_serial_%d", cert_depth);
setenv_str (es, envname, serial);
@@ -564,7 +564,7 @@ verify_check_crl_dir(const char *crl_dir
int fd = -1;
struct gc_arena gc = gc_new();
- char *serial = x509_get_serial(cert, &gc);
+ char *serial = backend_x509_get_serial(cert, &gc);
if (!openvpn_snprintf(fn, sizeof(fn), "%s%c%s", crl_dir, OS_SPECIFIC_DIRSEP, serial))
{
--- a/src/openvpn/ssl_verify_backend.h
+++ b/src/openvpn/ssl_verify_backend.h
@@ -122,7 +122,7 @@ result_t x509_get_username (char *common
*
* @return The certificate's serial number.
*/
-char *x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc);
+char *backend_x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc);
/*
* Save X509 fields to environment, using the naming convention:
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -220,7 +220,7 @@ x509_get_username (char *common_name, in
}
char *
-x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc)
+backend_x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc)
{
ASN1_INTEGER *asn1_i;
BIGNUM *bignum;
--- a/src/openvpn/ssl_verify_polarssl.c
+++ b/src/openvpn/ssl_verify_polarssl.c
@@ -38,6 +38,7 @@
#if defined(ENABLE_SSL) && defined(ENABLE_CRYPTO_POLARSSL)
#include "ssl_verify.h"
+#include <polarssl/oid.h>
#include <polarssl/sha1.h>
#define MAX_SUBJECT_LENGTH 256
@@ -100,7 +101,7 @@ x509_get_username (char *cn, int cn_len,
/* Find common name */
while( name != NULL )
{
- if( memcmp( name->oid.p, OID_CN, OID_SIZE(OID_CN) ) == 0)
+ if( memcmp( name->oid.p, OID_AT_CN, OID_SIZE(OID_AT_CN) ) == 0)
break;
name = name->next;
@@ -123,7 +124,7 @@ x509_get_username (char *cn, int cn_len,
}
char *
-x509_get_serial (x509_cert *cert, struct gc_arena *gc)
+backend_x509_get_serial (x509_cert *cert, struct gc_arena *gc)
{
int ret = 0;
int i = 0;
@@ -184,60 +185,18 @@ x509_setenv (struct env_set *es, int cer
while( name != NULL )
{
char name_expand[64+8];
+ const char *shortname;
- if( name->oid.len == 2 && memcmp( name->oid.p, OID_X520, 2 ) == 0 )
+ if( 0 == oid_get_attr_short_name(&name->oid, &shortname) )
{
- switch( name->oid.p[2] )
- {
- case X520_COMMON_NAME:
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_CN",
- cert_depth); break;
-
- case X520_COUNTRY:
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_C",
- cert_depth); break;
-
- case X520_LOCALITY:
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_L",
- cert_depth); break;
-
- case X520_STATE:
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_ST",
- cert_depth); break;
-
- case X520_ORGANIZATION:
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_O",
- cert_depth); break;
-
- case X520_ORG_UNIT:
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_OU",
- cert_depth); break;
-
- default:
- openvpn_snprintf (name_expand, sizeof(name_expand),
- "X509_%d_0x%02X", cert_depth, name->oid.p[2]);
- break;
- }
+ openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_%s",
+ cert_depth, shortname);
+ }
+ else
+ {
+ openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_\?\?",
+ cert_depth);
}
- else if( name->oid.len == 8 && memcmp( name->oid.p, OID_PKCS9, 8 ) == 0 )
- {
- switch( name->oid.p[8] )
- {
- case PKCS9_EMAIL:
- openvpn_snprintf (name_expand, sizeof(name_expand),
- "X509_%d_emailAddress", cert_depth); break;
-
- default:
- openvpn_snprintf (name_expand, sizeof(name_expand),
- "X509_%d_0x%02X", cert_depth, name->oid.p[8]);
- break;
- }
- }
- else
- {
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_\?\?",
- cert_depth);
- }
for( i = 0; i < name->val.len; i++ )
{