diff options
5 files changed, 404 insertions, 77 deletions
diff --git a/package/libs/polarssl/Makefile b/package/libs/polarssl/Makefile index 209281e..b59605d 100644 --- a/package/libs/polarssl/Makefile +++ b/package/libs/polarssl/Makefile @@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=polarssl -PKG_VERSION:=1.2.9 +PKG_VERSION:=1.3.4 PKG_RELEASE:=1 PKG_USE_MIPS16:=0 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-gpl.tgz PKG_SOURCE_URL:=https://polarssl.org/code/releases -PKG_MD5SUM:=3d8e01537e747d7997993c70f2e108db +PKG_MD5SUM:=30a75c5f171be49f805f3bf64a0af054 include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/cmake.mk @@ -35,6 +35,7 @@ $(call Package/polarssl/Default) SECTION:=libs CATEGORY:=Libraries TITLE+= (library) + ABI_VERSION:=$(PKG_VERSION) endef define Package/libpolarssl/description diff --git a/package/libs/polarssl/patches/200-reduce_config.patch b/package/libs/polarssl/patches/200-reduce_config.patch index 40bdedc..a7e06f5 100644 --- a/package/libs/polarssl/patches/200-reduce_config.patch +++ b/package/libs/polarssl/patches/200-reduce_config.patch @@ -1,16 +1,96 @@ --- a/include/polarssl/config.h +++ b/include/polarssl/config.h -@@ -206,8 +206,8 @@ - * Requires: POLARSSL_BIGNUM_C, POLARSSL_RSA_C +@@ -315,8 +315,8 @@ + * TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 + * TLS_PSK_WITH_3DES_EDE_CBC_SHA + * TLS_PSK_WITH_RC4_128_SHA +- */ + #define POLARSSL_KEY_EXCHANGE_PSK_ENABLED ++ */ + + /** + * \def POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED +@@ -339,8 +339,8 @@ + * TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 + * TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA + * TLS_DHE_PSK_WITH_RC4_128_SHA +- */ + #define POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED ++ */ + + /** + * \def POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED +@@ -359,8 +359,8 @@ + * TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 + * TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA + * TLS_ECDHE_PSK_WITH_RC4_128_SHA +- */ + #define POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED ++ */ + + /** + * \def POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED +@@ -384,8 +384,8 @@ + * TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 + * TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA + * TLS_RSA_PSK_WITH_RC4_128_SHA +- */ + #define POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED ++ */ + + /** + * \def POLARSSL_KEY_EXCHANGE_RSA_ENABLED +@@ -463,8 +463,8 @@ + * TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 + * TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA + * TLS_ECDHE_RSA_WITH_RC4_128_SHA +- */ + #define POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ++ */ + + /** + * \def POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +@@ -487,8 +487,8 @@ + * TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 + * TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA + * TLS_ECDHE_ECDSA_WITH_RC4_128_SHA +- */ + #define POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ++ */ + + /** + * \def POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED +@@ -511,8 +511,8 @@ + * TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 + * TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 + * TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 +- */ + #define POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED ++ */ + + /** + * \def POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED +@@ -535,8 +535,8 @@ + * TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 + * TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 + * TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 +- */ + #define POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED ++ */ + + /** + * \def POLARSSL_ERROR_STRERROR_BC +@@ -566,8 +566,8 @@ + * Enable the prime-number generation code. * - * Enable the RSA prime-number generation code. + * Requires: POLARSSL_BIGNUM_C - */ #define POLARSSL_GENPRIME + */ /** * \def POLARSSL_FS_IO -@@ -264,8 +264,8 @@ +@@ -662,8 +662,8 @@ * \def POLARSSL_SELF_TEST * * Enable the checkup functions (*_self_test). @@ -20,18 +100,18 @@ /** * \def POLARSSL_SSL_ALL_ALERT_MESSAGES -@@ -466,8 +466,8 @@ - * TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 - * TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 - * TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 +@@ -1107,8 +1107,8 @@ + * TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 + * TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 + * TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 - */ #define POLARSSL_CAMELLIA_C + */ /** * \def POLARSSL_CERTS_C -@@ -478,8 +478,8 @@ - * Caller: +@@ -1121,8 +1121,8 @@ + * Requires: POLARSSL_PEM_PARSE_C * * This module is used for testing (ssl_client/server). - */ @@ -40,7 +120,7 @@ /** * \def POLARSSL_CIPHER_C -@@ -518,8 +518,8 @@ +@@ -1161,8 +1161,8 @@ * library/ssl_tls.c * * This module provides debugging functions. @@ -50,18 +130,48 @@ /** * \def POLARSSL_DES_C -@@ -604,8 +604,8 @@ - * enabled as well): - * TLS_RSA_WITH_AES_128_GCM_SHA256 - * TLS_RSA_WITH_AES_256_GCM_SHA384 +@@ -1217,8 +1217,8 @@ + * ECDHE-ECDSA, ECDHE-RSA, DHE-PSK + * + * Requires: POLARSSL_ECP_C +- */ + #define POLARSSL_ECDH_C ++ */ + + /** + * \def POLARSSL_ECDSA_C +@@ -1232,8 +1232,8 @@ + * ECDHE-ECDSA + * + * Requires: POLARSSL_ECP_C, POLARSSL_ASN1_WRITE_C, POLARSSL_ASN1_PARSE_C +- */ + #define POLARSSL_ECDSA_C ++ */ + + /** + * \def POLARSSL_ECP_C +@@ -1245,8 +1245,8 @@ + * library/ecdsa.c + * + * Requires: POLARSSL_BIGNUM_C and at least one POLARSSL_ECP_DP_XXX_ENABLED +- */ + #define POLARSSL_ECP_C ++ */ + + /** + * \def POLARSSL_ENTROPY_C +@@ -1285,8 +1285,8 @@ + * + * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other + * requisites are enabled as well. - */ #define POLARSSL_GCM_C + */ /** * \def POLARSSL_HAVEGE_C -@@ -704,8 +704,8 @@ - * Caller: library/aes.c +@@ -1436,8 +1436,8 @@ + * Requires: POLARSSL_HAVE_ASM * * This modules adds support for the VIA PadLock on x86. - */ @@ -70,7 +180,17 @@ /** * \def POLARSSL_PBKDF2_C -@@ -848,8 +848,8 @@ +@@ -1584,8 +1584,8 @@ + * Module: library/ripemd160.c + * Caller: library/md.c + * +- */ + #define POLARSSL_RIPEMD160_C ++ */ + + /** + * \def POLARSSL_RSA_C +@@ -1664,8 +1664,8 @@ * Caller: * * Requires: POLARSSL_SSL_CACHE_C @@ -80,7 +200,7 @@ /** * \def POLARSSL_SSL_CLI_C -@@ -903,8 +903,8 @@ +@@ -1741,8 +1741,8 @@ * Caller: library/havege.c * * This module is used by the HAVEGE random number generator. @@ -90,13 +210,13 @@ /** * \def POLARSSL_VERSION_C -@@ -953,8 +953,8 @@ +@@ -1862,8 +1862,8 @@ * * Module: library/xtea.c * Caller: - */ #define POLARSSL_XTEA_C + */ - /* \} name */ - /** + /* \} name SECTION: PolarSSL modules */ + diff --git a/package/libs/polarssl/patches/210-gen_key_config_fix.patch b/package/libs/polarssl/patches/210-gen_key_config_fix.patch new file mode 100644 index 0000000..d682e28 --- /dev/null +++ b/package/libs/polarssl/patches/210-gen_key_config_fix.patch @@ -0,0 +1,38 @@ +--- a/programs/pkey/gen_key.c ++++ b/programs/pkey/gen_key.c +@@ -155,7 +155,9 @@ int main( int argc, char *argv[] ) + + opt.type = DFL_TYPE; + opt.rsa_keysize = DFL_RSA_KEYSIZE; ++#if defined(POLARSSL_ECP_C) + opt.ec_curve = DFL_EC_CURVE; ++#endif + opt.filename = DFL_FILENAME; + opt.format = DFL_FORMAT; + +@@ -170,8 +172,10 @@ int main( int argc, char *argv[] ) + { + if( strcmp( q, "rsa" ) == 0 ) + opt.type = POLARSSL_PK_RSA; ++#if defined(POLARSSL_ECP_C) + if( strcmp( q, "ec" ) == 0 ) + opt.type = POLARSSL_PK_ECKEY; ++#endif + else + goto usage; + } +@@ -190,12 +194,14 @@ int main( int argc, char *argv[] ) + if( opt.rsa_keysize < 1024 || opt.rsa_keysize > 8192 ) + goto usage; + } ++#if defined(POLARSSL_ECP_C) + else if( strcmp( p, "ec_curve" ) == 0 ) + { + if( ( curve_info = ecp_curve_info_from_name( q ) ) == NULL ) + goto usage; + opt.ec_curve = curve_info->grp_id; + } ++#endif + else if( strcmp( p, "filename" ) == 0 ) + opt.filename = q; + else diff --git a/package/libs/polarssl/patches/300-openssl_cipher_name_compat.patch b/package/libs/polarssl/patches/300-openssl_cipher_name_compat.patch deleted file mode 100644 index 474a859..0000000 --- a/package/libs/polarssl/patches/300-openssl_cipher_name_compat.patch +++ /dev/null @@ -1,53 +0,0 @@ ---- a/library/cipher.c -+++ b/library/cipher.c -@@ -279,15 +279,21 @@ const cipher_info_t *cipher_info_from_st - #if defined(POLARSSL_BLOWFISH_C) - if( !strcasecmp( "BLOWFISH-CBC", cipher_name ) ) - return cipher_info_from_type( POLARSSL_CIPHER_BLOWFISH_CBC ); -+ if( !strcasecmp( "BF-CBC", cipher_name ) ) -+ return cipher_info_from_type( POLARSSL_CIPHER_BLOWFISH_CBC ); - - #if defined(POLARSSL_CIPHER_MODE_CFB) - if( !strcasecmp( "BLOWFISH-CFB64", cipher_name ) ) - return cipher_info_from_type( POLARSSL_CIPHER_BLOWFISH_CFB64 ); -+ if( !strcasecmp( "BF-CFB64", cipher_name ) ) -+ return cipher_info_from_type( POLARSSL_CIPHER_BLOWFISH_CFB64 ); - #endif /* defined(POLARSSL_CIPHER_MODE_CFB) */ - - #if defined(POLARSSL_CIPHER_MODE_CTR) - if( !strcasecmp( "BLOWFISH-CTR", cipher_name ) ) - return cipher_info_from_type( POLARSSL_CIPHER_BLOWFISH_CTR ); -+ if( !strcasecmp( "BF-CTR", cipher_name ) ) -+ return cipher_info_from_type( POLARSSL_CIPHER_BLOWFISH_CTR ); - #endif /* defined(POLARSSL_CIPHER_MODE_CTR) */ - #endif - ---- a/library/cipher_wrap.c -+++ b/library/cipher_wrap.c -@@ -643,7 +643,7 @@ const cipher_info_t blowfish_cbc_info = - POLARSSL_CIPHER_BLOWFISH_CBC, - POLARSSL_MODE_CBC, - 128, -- "BLOWFISH-CBC", -+ "BF-CBC", - 8, - 8, - &blowfish_info -@@ -654,7 +654,7 @@ const cipher_info_t blowfish_cfb64_info - POLARSSL_CIPHER_BLOWFISH_CFB64, - POLARSSL_MODE_CFB, - 128, -- "BLOWFISH-CFB64", -+ "BF-CFB64", - 8, - 8, - &blowfish_info -@@ -666,7 +666,7 @@ const cipher_info_t blowfish_ctr_info = - POLARSSL_CIPHER_BLOWFISH_CTR, - POLARSSL_MODE_CTR, - 128, -- "BLOWFISH-CTR", -+ "BF-CTR", - 8, - 8, - &blowfish_info diff --git a/package/network/services/openvpn/patches/100-polarssl_compat.h b/package/network/services/openvpn/patches/100-polarssl_compat.h new file mode 100644 index 0000000..c68e3b4 --- /dev/null +++ b/package/network/services/openvpn/patches/100-polarssl_compat.h @@ -0,0 +1,221 @@ +--- a/src/openvpn/ssl_polarssl.h ++++ b/src/openvpn/ssl_polarssl.h +@@ -36,6 +36,8 @@ + #include <polarssl/pkcs11.h> + #endif + ++#include <polarssl/compat-1.2.h> ++ + typedef struct _buffer_entry buffer_entry; + + struct _buffer_entry { +--- a/src/openvpn/ssl_polarssl.c ++++ b/src/openvpn/ssl_polarssl.c +@@ -44,7 +44,7 @@ + #include "manage.h" + #include "ssl_common.h" + +-#include <polarssl/sha2.h> ++#include <polarssl/sha256.h> + #include <polarssl/havege.h> + + #include "ssl_verify_polarssl.h" +@@ -204,12 +204,12 @@ tls_ctx_load_dh_params (struct tls_root_ + { + if (!strcmp (dh_file, INLINE_FILE_TAG) && dh_file_inline) + { +- if (0 != x509parse_dhm(ctx->dhm_ctx, dh_file_inline, strlen(dh_file_inline))) ++ if (0 != dhm_parse_dhm(ctx->dhm_ctx, dh_file_inline, strlen(dh_file_inline))) + msg (M_FATAL, "Cannot read inline DH parameters"); + } + else + { +- if (0 != x509parse_dhmfile(ctx->dhm_ctx, dh_file)) ++ if (0 != dhm_parse_dhmfile(ctx->dhm_ctx, dh_file)) + msg (M_FATAL, "Cannot read DH parameters from file %s", dh_file); + } + +@@ -530,7 +530,7 @@ void key_state_ssl_init(struct key_state + ssl_pkcs11_key_len ); + else + #endif +- ssl_set_own_cert( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key ); ++ ssl_set_own_cert_rsa( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key ); + + /* Initialise SSL verification */ + ssl_set_authmode (ks_ssl->ctx, SSL_VERIFY_REQUIRED); +@@ -832,7 +832,7 @@ print_details (struct key_state_ssl * ks + cert = ssl_get_peer_cert(ks_ssl->ctx); + if (cert != NULL) + { +- openvpn_snprintf (s2, sizeof (s2), ", " counter_format " bit RSA", (counter_type) cert->rsa.len * 8); ++ openvpn_snprintf (s2, sizeof (s2), ", " counter_format " bit RSA", (counter_type) pk_rsa(cert->pk)->len * 8); + } + + msg (D_HANDSHAKE, "%s%s", s1, s2); +--- a/src/openvpn/crypto_polarssl.c ++++ b/src/openvpn/crypto_polarssl.c +@@ -466,7 +466,12 @@ int cipher_ctx_mode (const cipher_contex + + int cipher_ctx_reset (cipher_context_t *ctx, uint8_t *iv_buf) + { +- return 0 == cipher_reset(ctx, iv_buf); ++ int retval = cipher_reset(ctx); ++ ++ if (0 == retval) ++ cipher_set_iv(ctx, iv_buf, ctx->cipher_info->iv_size); ++ ++ return 0 == retval; + } + + int cipher_ctx_update (cipher_context_t *ctx, uint8_t *dst, int *dst_len, +--- a/src/openvpn/ssl_verify_polarssl.h ++++ b/src/openvpn/ssl_verify_polarssl.h +@@ -34,6 +34,7 @@ + #include "misc.h" + #include "manage.h" + #include <polarssl/x509.h> ++#include <polarssl/compat-1.2.h> + + #ifndef __OPENVPN_X509_CERT_T_DECLARED + #define __OPENVPN_X509_CERT_T_DECLARED +--- a/src/openvpn/ssl_verify.c ++++ b/src/openvpn/ssl_verify.c +@@ -437,7 +437,7 @@ verify_cert_set_env(struct env_set *es, + #endif + + /* export serial number as environmental variable */ +- serial = x509_get_serial(peer_cert, &gc); ++ serial = backend_x509_get_serial(peer_cert, &gc); + openvpn_snprintf (envname, sizeof(envname), "tls_serial_%d", cert_depth); + setenv_str (es, envname, serial); + +@@ -564,7 +564,7 @@ verify_check_crl_dir(const char *crl_dir + int fd = -1; + struct gc_arena gc = gc_new(); + +- char *serial = x509_get_serial(cert, &gc); ++ char *serial = backend_x509_get_serial(cert, &gc); + + if (!openvpn_snprintf(fn, sizeof(fn), "%s%c%s", crl_dir, OS_SPECIFIC_DIRSEP, serial)) + { +--- a/src/openvpn/ssl_verify_backend.h ++++ b/src/openvpn/ssl_verify_backend.h +@@ -122,7 +122,7 @@ result_t x509_get_username (char *common + * + * @return The certificate's serial number. + */ +-char *x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc); ++char *backend_x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc); + + /* + * Save X509 fields to environment, using the naming convention: +--- a/src/openvpn/ssl_verify_openssl.c ++++ b/src/openvpn/ssl_verify_openssl.c +@@ -220,7 +220,7 @@ x509_get_username (char *common_name, in + } + + char * +-x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc) ++backend_x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc) + { + ASN1_INTEGER *asn1_i; + BIGNUM *bignum; +--- a/src/openvpn/ssl_verify_polarssl.c ++++ b/src/openvpn/ssl_verify_polarssl.c +@@ -38,6 +38,7 @@ + #if defined(ENABLE_SSL) && defined(ENABLE_CRYPTO_POLARSSL) + + #include "ssl_verify.h" ++#include <polarssl/oid.h> + #include <polarssl/sha1.h> + + #define MAX_SUBJECT_LENGTH 256 +@@ -100,7 +101,7 @@ x509_get_username (char *cn, int cn_len, + /* Find common name */ + while( name != NULL ) + { +- if( memcmp( name->oid.p, OID_CN, OID_SIZE(OID_CN) ) == 0) ++ if( memcmp( name->oid.p, OID_AT_CN, OID_SIZE(OID_AT_CN) ) == 0) + break; + + name = name->next; +@@ -123,7 +124,7 @@ x509_get_username (char *cn, int cn_len, + } + + char * +-x509_get_serial (x509_cert *cert, struct gc_arena *gc) ++backend_x509_get_serial (x509_cert *cert, struct gc_arena *gc) + { + int ret = 0; + int i = 0; +@@ -184,60 +185,18 @@ x509_setenv (struct env_set *es, int cer + while( name != NULL ) + { + char name_expand[64+8]; ++ const char *shortname; + +- if( name->oid.len == 2 && memcmp( name->oid.p, OID_X520, 2 ) == 0 ) ++ if( 0 == oid_get_attr_short_name(&name->oid, &shortname) ) + { +- switch( name->oid.p[2] ) +- { +- case X520_COMMON_NAME: +- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_CN", +- cert_depth); break; +- +- case X520_COUNTRY: +- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_C", +- cert_depth); break; +- +- case X520_LOCALITY: +- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_L", +- cert_depth); break; +- +- case X520_STATE: +- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_ST", +- cert_depth); break; +- +- case X520_ORGANIZATION: +- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_O", +- cert_depth); break; +- +- case X520_ORG_UNIT: +- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_OU", +- cert_depth); break; +- +- default: +- openvpn_snprintf (name_expand, sizeof(name_expand), +- "X509_%d_0x%02X", cert_depth, name->oid.p[2]); +- break; +- } ++ openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_%s", ++ cert_depth, shortname); ++ } ++ else ++ { ++ openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_\?\?", ++ cert_depth); + } +- else if( name->oid.len == 8 && memcmp( name->oid.p, OID_PKCS9, 8 ) == 0 ) +- { +- switch( name->oid.p[8] ) +- { +- case PKCS9_EMAIL: +- openvpn_snprintf (name_expand, sizeof(name_expand), +- "X509_%d_emailAddress", cert_depth); break; +- +- default: +- openvpn_snprintf (name_expand, sizeof(name_expand), +- "X509_%d_0x%02X", cert_depth, name->oid.p[8]); +- break; +- } +- } +- else +- { +- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_\?\?", +- cert_depth); +- } + + for( i = 0; i < name->val.len; i++ ) + { |