hak5
/
wifipineapple-openwrt
mirror of https://github.com/hak5/wifipineapple-openwrt.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #550 from wigyori/cc-ovpn2 

CC: sec upgrade for openvpn, polarssl, lzo
master
Zoltan Herpai 2017-10-16 09:27:54 +02:00 committed by GitHub
parent ffa56da748 b130306800
commit f6802c747f
13 changed files with 81 additions and 397 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
package/libs/lzo/Makefile
View File

@ -1,5 +1,5 @@
#
# Copyright (C) 2006-2012 OpenWrt.org
# Copyright (C) 2006-2016 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=lzo
PKG_VERSION:=2.08
PKG_VERSION:=2.10
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://www.oberhumer.com/opensource/lzo/download/
PKG_MD5SUM:=fcec64c26a0f4f4901468f360029678f
PKG_MD5SUM:=39d3f3f9c55c87b1e5d6888e1420f4b5
PKG_FIXUP:=autoreconf
PKG_INSTALL:=1

6
package/libs/polarssl/Makefile
View File

@ -9,13 +9,13 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=polarssl
SRC_PKG_NAME:=mbedtls
PKG_VERSION:=1.3.14
PKG_VERSION:=1.3.17
PKG_RELEASE:=1
PKG_USE_MIPS16:=0
PKG_SOURCE:=$(SRC_PKG_NAME)-$(PKG_VERSION)-gpl.tgz
PKG_SOURCE_URL:=https://polarssl.org/download/
PKG_MD5SUM:=869c7b5798b8769902880c7cf0212fed
PKG_SOURCE_URL:=https://tls.mbed.org/download/
PKG_MD5SUM:=f5beb43e850283915e3e0f8d37495eade3bfb5beedfb61e7b8da70d4c68edb82
PKG_BUILD_DIR:=$(BUILD_DIR)/$(SRC_PKG_NAME)-$(PKG_VERSION)

12
package/libs/polarssl/patches/100-disable_sslv3.patch
View File

@ -1,12 +0,0 @@
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -1011,8 +1011,8 @@
* POLARSSL_SHA1_C
*
* Comment this macro to disable support for SSL 3.0
- */
#define POLARSSL_SSL_PROTO_SSL3
+ */
/**
* \def POLARSSL_SSL_PROTO_TLS1

38
package/libs/polarssl/patches/200-reduce_config.patch
View File

@ -100,7 +100,7 @@
/**
* \def POLARSSL_SSL_AEAD_RANDOM_IV
@@ -1138,8 +1138,8 @@
@@ -1151,8 +1151,8 @@
* Requires: POLARSSL_VERSION_C
*
* Comment this to disable run-time checking and save ROM space
@ -110,7 +110,7 @@
/**
* \def POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3
@@ -1457,8 +1457,8 @@
@@ -1470,8 +1470,8 @@
* TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
* TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
* TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
@ -120,7 +120,7 @@
/**
* \def POLARSSL_CCM_C
@@ -1485,8 +1485,8 @@
@@ -1498,8 +1498,8 @@
* Requires: POLARSSL_PEM_PARSE_C
*
* This module is used for testing (ssl_client/server).
@ -130,7 +130,7 @@
/**
* \def POLARSSL_CIPHER_C
@@ -1525,8 +1525,8 @@
@@ -1538,8 +1538,8 @@
* library/ssl_tls.c
*
* This module provides debugging functions.
@ -140,7 +140,7 @@
/**
* \def POLARSSL_DES_C
@@ -1581,8 +1581,8 @@
@@ -1594,8 +1594,8 @@
* ECDHE-ECDSA, ECDHE-RSA, DHE-PSK
*
* Requires: POLARSSL_ECP_C
@ -150,7 +150,7 @@
/**
* \def POLARSSL_ECDSA_C
@@ -1596,8 +1596,8 @@
@@ -1609,8 +1609,8 @@
* ECDHE-ECDSA
*
* Requires: POLARSSL_ECP_C, POLARSSL_ASN1_WRITE_C, POLARSSL_ASN1_PARSE_C
@ -160,7 +160,7 @@
/**
* \def POLARSSL_ECP_C
@@ -1609,8 +1609,8 @@
@@ -1622,8 +1622,8 @@
* library/ecdsa.c
*
* Requires: POLARSSL_BIGNUM_C and at least one POLARSSL_ECP_DP_XXX_ENABLED
@ -170,17 +170,7 @@
/**
* \def POLARSSL_ENTROPY_C
@@ -1649,8 +1649,8 @@
*
* This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other
* requisites are enabled as well.
- */
#define POLARSSL_GCM_C
+ */
/**
* \def POLARSSL_HAVEGE_C
@@ -1686,8 +1686,8 @@
@@ -1699,8 +1699,8 @@
* Requires: POLARSSL_MD_C
*
* Uncomment to enable the HMAC_DRBG random number geerator.
@ -190,7 +180,7 @@
/**
* \def POLARSSL_MD_C
@@ -1813,8 +1813,8 @@
@@ -1826,8 +1826,8 @@
* Requires: POLARSSL_HAVE_ASM
*
* This modules adds support for the VIA PadLock on x86.
@ -200,7 +190,7 @@
/**
* \def POLARSSL_PBKDF2_C
@@ -1979,8 +1979,8 @@
@@ -1992,8 +1992,8 @@
* Module: library/ripemd160.c
* Caller: library/md.c
*
@ -210,7 +200,7 @@
/**
* \def POLARSSL_RSA_C
@@ -2059,8 +2059,8 @@
@@ -2072,8 +2072,8 @@
* Caller:
*
* Requires: POLARSSL_SSL_CACHE_C
@ -220,7 +210,7 @@
/**
* \def POLARSSL_SSL_CLI_C
@@ -2136,8 +2136,8 @@
@@ -2149,8 +2149,8 @@
* Caller: library/havege.c
*
* This module is used by the HAVEGE random number generator.
@ -230,7 +220,7 @@
/**
* \def POLARSSL_VERSION_C
@@ -2147,8 +2147,8 @@
@@ -2160,8 +2160,8 @@
* Module: library/version.c
*
* This module provides run-time version information.
@ -240,7 +230,7 @@
/**
* \def POLARSSL_X509_USE_C
@@ -2257,8 +2257,8 @@
@@ -2270,8 +2270,8 @@
*
* Module: library/xtea.c
* Caller:

12
package/network/services/openvpn/Makefile
View File

@ -9,12 +9,12 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=openvpn
PKG_VERSION:=2.3.6
PKG_RELEASE:=5
PKG_VERSION:=2.3.18
PKG_RELEASE:=1
PKG_SOURCE_URL:=http://swupdate.openvpn.net/community/releases
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_MD5SUM:=6ca03fe0fd093e0d01601abee808835c
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_MD5SUM:=844ec9c64aae62051478784b8562f881
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
@ -72,15 +72,13 @@ define Build/Configure
--disable-systemd \
--disable-plugins \
--disable-debug \
--disable-eurephia \
--disable-pkcs11 \
--enable-password-save \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZO),--enable,--disable)-lzo \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),enable,disable-x509-alt-username)-ssl \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SERVER),--enable,--disable)-server \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MANAGEMENT),--enable,--disable)-management \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SOCKS),--enable,--disable)-socks \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_HTTP),--enable,--disable)-http \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_HTTP),--enable,--disable)-http-proxy \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_FRAGMENT),--enable,--disable)-fragment \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MULTIHOME),--enable,--disable)-multihome \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_IPROUTE2),--enable,--disable)-iproute2 \

14
package/network/services/openvpn/files/openvpn.init
View File

@ -42,7 +42,8 @@ append_params() {
config_get v "$s" "$p"
IFS="$LIST_SEP"
for v in $v; do
[ -n "$v" ] && append_param "$s" "$p" && echo " $v" >> "/var/etc/openvpn-$s.conf"
[ -n "$v" ] && [ "$p" != "push" ] && append_param "$s" "$p" && echo " $v" >> "/var/etc/openvpn-$s.conf"
[ -n "$v" ] && [ "$p" == "push" ] && append_param "$s" "$p" && echo " \"$v\"" >> "/var/etc/openvpn-$s.conf"
done
unset IFS
done
@ -107,7 +108,7 @@ start_instance() {
# append params
append_params "$s" \
cd askpass auth auth_retry auth_user_pass auth_user_pass_verify bcast_buffers ca cert \
cd askpass auth auth_retry auth_user_pass auth_user_pass_verify bcast_buffers ca cert capath \
chroot cipher client_config_dir client_connect client_disconnect comp_lzo connect_freq \
connect_retry connect_timeout connect_retry_max crl_verify dev dev_node dev_type dh \
echo engine explicit_exit_notify fragment group hand_window hash_size \
@ -120,10 +121,11 @@ start_instance() {
redirect_gateway remap_usr1 remote remote_cert_eku remote_cert_ku remote_cert_tls \
reneg_bytes reneg_pkts reneg_sec \
replay_persist replay_window resolv_retry route route_delay route_gateway \
route_metric route_up rport script_security secret server server_bridge setenv shaper sndbuf \
socks_proxy status status_version syslog tcp_queue_limit tls_auth \
route_metric route_pre_down route_up rport script_security secret server server_bridge setenv shaper sndbuf \
socks_proxy status status_version syslog tcp_queue_limit tls_auth tls_version_min \
tls_cipher tls_remote tls_timeout tls_verify tmp_dir topology tran_window \
tun_mtu tun_mtu_extra txqueuelen user verb down push up \
verify_x509_name x509_username_field \
ifconfig_ipv6 route_ipv6 server_ipv6 ifconfig_ipv6_pool ifconfig_ipv6_push iroute_ipv6
openvpn_add_instance "$s" "/var/etc" "openvpn-$s.conf"
@ -152,3 +154,7 @@ start_service() {
fi
done
}
service_triggers() {
procd_add_reload_trigger openvpn
}

57
package/network/services/openvpn/patches/001-backport_cipher_none_fix.patch
View File

@ -1,57 +0,0 @@
commit 98156e90e1e83133a6a6a020db8e7333ada6156b
Author: Steffan Karger <steffan@karger.me>
Date: Tue Dec 2 21:42:00 2014 +0100
Really fix '--cipher none' regression
... by not incorrectly hinting to the compiler the function argument of
cipher_kt_mode_{cbc,ofb_cfb}() is nonnull, since that no longer is the
case.
Verified the fix on Debian Wheezy, one of the platforms the reporter in
trac #473 mentions with a compiler that would optimize out the required
checks.
Also add a testcase for --cipher none to t_lpback, to prevent further
regressions.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1417552920-31770-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9300
Signed-off-by: Gert Doering <gert@greenie.muc.de>
--- a/src/openvpn/crypto_backend.h
+++ b/src/openvpn/crypto_backend.h
@@ -237,8 +237,7 @@ int cipher_kt_mode (const cipher_kt_t *c
*
* @return true iff the cipher is a CBC mode cipher.
*/
-bool cipher_kt_mode_cbc(const cipher_kt_t *cipher)
- __attribute__((nonnull));
+bool cipher_kt_mode_cbc(const cipher_kt_t *cipher);
/**
* Check if the supplied cipher is a supported OFB or CFB mode cipher.
@@ -247,8 +246,7 @@ bool cipher_kt_mode_cbc(const cipher_kt_
*
* @return true iff the cipher is a OFB or CFB mode cipher.
*/
-bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
- __attribute__((nonnull));
+bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher);
/**
--- a/tests/t_lpback.sh
+++ b/tests/t_lpback.sh
@@ -35,6 +35,9 @@ CIPHERS=$(${top_builddir}/src/openvpn/op
# GD, 2014-07-06 do not test RC5-* either (fails on NetBSD w/o libcrypto_rc5)
CIPHERS=$(echo "$CIPHERS" | egrep -v '^(DES-EDE3-CFB1|DES-CFB1|RC5-)' )
+# Also test cipher 'none'
+CIPHERS=${CIPHERS}$(printf "\nnone")
+
"${top_builddir}/src/openvpn/openvpn" --genkey --secret key.$$
set +e

2
package/network/services/openvpn/patches/130-polarssl-disable-runtime-version-check.patch → package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch
View File

@ -1,6 +1,6 @@
--- a/src/openvpn/ssl_polarssl.c
+++ b/src/openvpn/ssl_polarssl.c
@@ -1119,7 +1119,7 @@ const char *
@@ -1156,7 +1156,7 @@ const char *
get_ssl_library_version(void)
{
static char polar_version[30];

257
package/network/services/openvpn/patches/100-polarssl_compat.h
View File

@ -1,257 +0,0 @@
--- a/src/openvpn/ssl_polarssl.h
+++ b/src/openvpn/ssl_polarssl.h
@@ -38,6 +38,8 @@
#include <polarssl/pkcs11.h>
#endif
+#include <polarssl/compat-1.2.h>
+
typedef struct _buffer_entry buffer_entry;
struct _buffer_entry {
--- a/src/openvpn/ssl_polarssl.c
+++ b/src/openvpn/ssl_polarssl.c
@@ -46,7 +46,7 @@
#include "manage.h"
#include "ssl_common.h"
-#include <polarssl/sha2.h>
+#include <polarssl/sha256.h>
#include <polarssl/havege.h>
#include "ssl_verify_polarssl.h"
@@ -212,13 +212,13 @@ tls_ctx_load_dh_params (struct tls_root_
{
if (!strcmp (dh_file, INLINE_FILE_TAG) && dh_inline)
{
- if (0 != x509parse_dhm(ctx->dhm_ctx, (const unsigned char *) dh_inline,
+ if (0 != dhm_parse_dhm(ctx->dhm_ctx, (const unsigned char *) dh_inline,
strlen(dh_inline)))
msg (M_FATAL, "Cannot read inline DH parameters");
}
else
{
- if (0 != x509parse_dhmfile(ctx->dhm_ctx, dh_file))
+ if (0 != dhm_parse_dhmfile(ctx->dhm_ctx, dh_file))
msg (M_FATAL, "Cannot read DH parameters from file %s", dh_file);
}
@@ -253,13 +253,13 @@ tls_ctx_load_cert_file (struct tls_root_
if (!strcmp (cert_file, INLINE_FILE_TAG) && cert_inline)
{
- if (0 != x509parse_crt(ctx->crt_chain,
+ if (0 != x509_crt_parse(ctx->crt_chain,
(const unsigned char *) cert_inline, strlen(cert_inline)))
msg (M_FATAL, "Cannot load inline certificate file");
}
else
{
- if (0 != x509parse_crtfile(ctx->crt_chain, cert_file))
+ if (0 != x509_crt_parse_file(ctx->crt_chain, cert_file))
msg (M_FATAL, "Cannot load certificate file %s", cert_file);
}
}
@@ -277,7 +277,7 @@ tls_ctx_load_priv_file (struct tls_root_
status = x509parse_key(ctx->priv_key,
(const unsigned char *) priv_key_inline, strlen(priv_key_inline),
NULL, 0);
- if (POLARSSL_ERR_X509_PASSWORD_REQUIRED == status)
+ if (POLARSSL_ERR_PK_PASSWORD_REQUIRED == status)
{
char passbuf[512] = {0};
pem_password_callback(passbuf, 512, 0, NULL);
@@ -289,7 +289,7 @@ tls_ctx_load_priv_file (struct tls_root_
else
{
status = x509parse_keyfile(ctx->priv_key, priv_key_file, NULL);
- if (POLARSSL_ERR_X509_PASSWORD_REQUIRED == status)
+ if (POLARSSL_ERR_PK_PASSWORD_REQUIRED == status)
{
char passbuf[512] = {0};
pem_password_callback(passbuf, 512, 0, NULL);
@@ -480,14 +480,14 @@ void tls_ctx_load_ca (struct tls_root_ct
if (ca_file && !strcmp (ca_file, INLINE_FILE_TAG) && ca_inline)
{
- if (0 != x509parse_crt(ctx->ca_chain, (const unsigned char *) ca_inline,
+ if (0 != x509_crt_parse(ctx->ca_chain, (const unsigned char *) ca_inline,
strlen(ca_inline)))
msg (M_FATAL, "Cannot load inline CA certificates");
}
else
{
/* Load CA file for verifying peer supplied certificate */
- if (0 != x509parse_crtfile(ctx->ca_chain, ca_file))
+ if (0 != x509_crt_parse_file(ctx->ca_chain, ca_file))
msg (M_FATAL, "Cannot load CA certificate file %s", ca_file);
}
}
@@ -501,14 +501,14 @@ tls_ctx_load_extra_certs (struct tls_roo
if (!strcmp (extra_certs_file, INLINE_FILE_TAG) && extra_certs_inline)
{
- if (0 != x509parse_crt(ctx->crt_chain,
+ if (0 != x509_crt_parse(ctx->crt_chain,
(const unsigned char *) extra_certs_inline,
strlen(extra_certs_inline)))
msg (M_FATAL, "Cannot load inline extra-certs file");
}
else
{
- if (0 != x509parse_crtfile(ctx->crt_chain, extra_certs_file))
+ if (0 != x509_crt_parse_file(ctx->crt_chain, extra_certs_file))
msg (M_FATAL, "Cannot load extra-certs file: %s", extra_certs_file);
}
}
@@ -724,7 +724,7 @@ void key_state_ssl_init(struct key_state
external_key_len );
else
#endif
- ssl_set_own_cert( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key );
+ ssl_set_own_cert_rsa( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key );
/* Initialise SSL verification */
#if P2MP_SERVER
@@ -1068,7 +1068,7 @@ print_details (struct key_state_ssl * ks
cert = ssl_get_peer_cert(ks_ssl->ctx);
if (cert != NULL)
{
- openvpn_snprintf (s2, sizeof (s2), ", " counter_format " bit RSA", (counter_type) cert->rsa.len * 8);
+ openvpn_snprintf (s2, sizeof (s2), ", " counter_format " bit RSA", (counter_type) pk_rsa(cert->pk)->len * 8);
}
msg (D_HANDSHAKE, "%s%s", s1, s2);
--- a/src/openvpn/crypto_polarssl.c
+++ b/src/openvpn/crypto_polarssl.c
@@ -487,7 +487,12 @@ cipher_ctx_get_cipher_kt (const cipher_c
int cipher_ctx_reset (cipher_context_t *ctx, uint8_t *iv_buf)
{
- return 0 == cipher_reset(ctx, iv_buf);
+ int retval = cipher_reset(ctx);
+
+ if (0 == retval)
+ cipher_set_iv(ctx, iv_buf, ctx->cipher_info->iv_size);
+
+ return 0 == retval;
}
int cipher_ctx_update (cipher_context_t *ctx, uint8_t *dst, int *dst_len,
--- a/src/openvpn/ssl_verify_polarssl.h
+++ b/src/openvpn/ssl_verify_polarssl.h
@@ -34,6 +34,7 @@
#include "misc.h"
#include "manage.h"
#include <polarssl/x509.h>
+#include <polarssl/compat-1.2.h>
#ifndef __OPENVPN_X509_CERT_T_DECLARED
#define __OPENVPN_X509_CERT_T_DECLARED
--- a/src/openvpn/ssl_verify_polarssl.c
+++ b/src/openvpn/ssl_verify_polarssl.c
@@ -40,6 +40,7 @@
#include "ssl_verify.h"
#include <polarssl/error.h>
#include <polarssl/bignum.h>
+#include <polarssl/oid.h>
#include <polarssl/sha1.h>
#define MAX_SUBJECT_LENGTH 256
@@ -102,7 +103,7 @@ x509_get_username (char *cn, int cn_len,
/* Find common name */
while( name != NULL )
{
- if( memcmp( name->oid.p, OID_CN, OID_SIZE(OID_CN) ) == 0)
+ if( memcmp( name->oid.p, OID_AT_CN, OID_SIZE(OID_AT_CN) ) == 0)
break;
name = name->next;
@@ -224,60 +225,18 @@ x509_setenv (struct env_set *es, int cer
while( name != NULL )
{
char name_expand[64+8];
+ const char *shortname;
- if( name->oid.len == 2 && memcmp( name->oid.p, OID_X520, 2 ) == 0 )
+ if( 0 == oid_get_attr_short_name(&name->oid, &shortname) )
{
- switch( name->oid.p[2] )
- {
- case X520_COMMON_NAME:
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_CN",
- cert_depth); break;
-
- case X520_COUNTRY:
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_C",
- cert_depth); break;
-
- case X520_LOCALITY:
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_L",
- cert_depth); break;
-
- case X520_STATE:
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_ST",
- cert_depth); break;
-
- case X520_ORGANIZATION:
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_O",
- cert_depth); break;
-
- case X520_ORG_UNIT:
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_OU",
- cert_depth); break;
-
- default:
- openvpn_snprintf (name_expand, sizeof(name_expand),
- "X509_%d_0x%02X", cert_depth, name->oid.p[2]);
- break;
- }
+ openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_%s",
+ cert_depth, shortname);
+ }
+ else
+ {
+ openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_\?\?",
+ cert_depth);
}
- else if( name->oid.len == 8 && memcmp( name->oid.p, OID_PKCS9, 8 ) == 0 )
- {
- switch( name->oid.p[8] )
- {
- case PKCS9_EMAIL:
- openvpn_snprintf (name_expand, sizeof(name_expand),
- "X509_%d_emailAddress", cert_depth); break;
-
- default:
- openvpn_snprintf (name_expand, sizeof(name_expand),
- "X509_%d_0x%02X", cert_depth, name->oid.p[8]);
- break;
- }
- }
- else
- {
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_\?\?",
- cert_depth);
- }
for( i = 0; i < name->val.len; i++ )
{
--- a/configure.ac
+++ b/configure.ac
@@ -819,13 +819,13 @@ if test "${with_crypto_library}" = "pola
#include <polarssl/version.h>
]],
[[
-#if POLARSSL_VERSION_NUMBER < 0x01020A00 || POLARSSL_VERSION_NUMBER >= 0x01030000
+#if POLARSSL_VERSION_NUMBER < 0x01030000
#error invalid version
#endif
]]
)],
[AC_MSG_RESULT([ok])],
- [AC_MSG_ERROR([PolarSSL 1.2.x required and must be 1.2.10 or later])]
+ [AC_MSG_ERROR([PolarSSL 1.3.x required])]
)
polarssl_with_pkcs11="no"

33
package/network/services/openvpn/patches/101-backport_upstream_polarssl_debug_call.patch Normal file
View File

@ -0,0 +1,33 @@
openvpn: fix build without POLARSSL_DEBUG_C
Backport of upstream master commit
b63f98633dbe2ca92cd43fc6f8597ab283a600bf.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
From b63f98633dbe2ca92cd43fc6f8597ab283a600bf Mon Sep 17 00:00:00 2001
From: Steffan Karger <steffan@karger.me>
Date: Tue, 14 Jun 2016 22:00:03 +0200
Subject: [PATCH] mbedtls: don't set debug threshold if compiled without
MBEDTLS_DEBUG_C
For targets with space constraints, one might want to compile mbed TLS
without MBEDTLS_DEBUG_C defined, to save some tens of kilobytes. Make
sure OpenVPN still compiles if that is the case.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1465934403-22226-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11922
Signed-off-by: Gert Doering <gert@greenie.muc.de>
--- a/src/openvpn/ssl_polarssl.c
+++ b/src/openvpn/ssl_polarssl.c
@@ -747,7 +747,9 @@ void key_state_ssl_init(struct key_state
if (polar_ok(ssl_init(ks_ssl->ctx)))
{
/* Initialise SSL context */
+ #ifdef POLARSSL_DEBUG_C
debug_set_threshold(3);
+ #endif
ssl_set_dbg (ks_ssl->ctx, my_debug, NULL);
ssl_set_endpoint (ks_ssl->ctx, ssl_ctx->endpoint);

13
package/network/services/openvpn/patches/110-musl_compat.patch
View File

@ -1,13 +0,0 @@
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
@@ -214,10 +214,6 @@
#ifdef TARGET_LINUX
-#if defined(HAVE_NETINET_IF_ETHER_H)
-#include <netinet/if_ether.h>
-#endif
-
#ifdef HAVE_LINUX_IF_TUN_H
#include <linux/if_tun.h>
#endif

16
package/network/services/openvpn/patches/120-polarssl-disable-record-splitting.patch
View File

@ -1,16 +0,0 @@
Index: openvpn-2.3.6/src/openvpn/ssl_polarssl.c
===================================================================
--- openvpn-2.3.6.orig/src/openvpn/ssl_polarssl.c
+++ openvpn-2.3.6/src/openvpn/ssl_polarssl.c
@@ -707,6 +707,11 @@ void key_state_ssl_init(struct key_state
if (ssl_ctx->allowed_ciphers)
ssl_set_ciphersuites (ks_ssl->ctx, ssl_ctx->allowed_ciphers);
+ /* Disable record splitting (breaks current ssl handling) */
+#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING)
+ ssl_set_cbc_record_splitting (ks_ssl->ctx, SSL_CBC_RECORD_SPLITTING_DISABLED);
+#endif /* POLARSSL_SSL_CBC_RECORD_SPLITTING */
+
/* Initialise authentication information */
if (is_server)
ssl_set_dh_param_ctx (ks_ssl->ctx, ssl_ctx->dhm_ctx );

12
package/network/services/openvpn/patches/200-small_build_enable_occ.patch Normal file
View File

@ -0,0 +1,12 @@
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
@@ -602,9 +602,7 @@ socket_defined (const socket_descriptor_
/*
* Should we include OCC (options consistency check) code?
*/
-#ifndef ENABLE_SMALL
#define ENABLE_OCC
-#endif
/*
* Should we include NTLM proxy functionality