Ticket #250: freetz.org-openvpn-2.3.0-polarssl-1.2.x-support.patch
| File freetz.org-openvpn-2.3.0-polarssl-1.2.x-support.patch, 5.2 KB (added by , 11 years ago) |
|---|
-
src/openvpn/crypto_polarssl.h
60 60 #define OPENVPN_MODE_OFB POLARSSL_MODE_OFB 61 61 62 62 /** Cipher is in CFB mode */ 63 #if POLARSSL_VERSION_NUMBER < 0x01020000 63 64 #define OPENVPN_MODE_CFB POLARSSL_MODE_CFB128 65 #else 66 #define OPENVPN_MODE_CFB POLARSSL_MODE_CFB 67 #endif 64 68 65 69 /** Cipher should encrypt */ 66 70 #define OPENVPN_OP_ENCRYPT POLARSSL_ENCRYPT -
src/openvpn/options.c
827 827 o->server_poll_timeout = 0; 828 828 #endif 829 829 #ifdef ENABLE_CRYPTO 830 #ifdef ENABLE_CRYPTO_POLARSSL 831 o->ciphername = "BLOWFISH-CBC"; 832 o->keysize = 16; 833 #else 830 834 o->ciphername = "BF-CBC"; 835 #endif 831 836 o->ciphername_defined = true; 832 837 o->authname = "SHA1"; 833 838 o->authname_defined = true; -
src/openvpn/ssl_polarssl.h
30 30 #ifndef SSL_POLARSSL_H_ 31 31 #define SSL_POLARSSL_H_ 32 32 33 #include <polarssl/version.h> 33 34 #include <polarssl/ssl.h> 34 35 35 36 #if defined(ENABLE_PKCS11) … … 73 74 74 75 struct key_state_ssl { 75 76 ssl_context *ctx; 77 #if POLARSSL_VERSION_NUMBER < 0x01020000 76 78 ssl_session *ssn; 79 #endif 77 80 endless_buffer *ct_in; 78 81 endless_buffer *ct_out; 79 82 }; -
src/openvpn/ssl_polarssl.c
65 65 { 66 66 } 67 67 68 #if POLARSSL_VERSION_NUMBER < 0x0102000 68 69 static int default_ciphersuites[] = 69 70 { 70 71 SSL_EDH_RSA_AES_256_SHA, … … 81 82 SSL_RSA_RC4_128_MD5, 82 83 0 83 84 }; 85 #endif 84 86 85 87 void 86 88 tls_ctx_server_new(struct tls_root_ctx *ctx) … … 514 516 515 517 ssl_set_rng (ks_ssl->ctx, ctr_drbg_random, rand_ctx_get()); 516 518 519 #if POLARSSL_VERSION_NUMBER < 0x01020000 517 520 ALLOC_OBJ_CLEAR (ks_ssl->ssn, ssl_session); 518 521 ssl_set_session (ks_ssl->ctx, 0, 0, ks_ssl->ssn ); 522 #endif 519 523 if (ssl_ctx->allowed_ciphers) 520 524 ssl_set_ciphersuites (ks_ssl->ctx, ssl_ctx->allowed_ciphers); 521 525 else 526 #if POLARSSL_VERSION_NUMBER < 0x01020000 522 527 ssl_set_ciphersuites (ks_ssl->ctx, default_ciphersuites); 528 #else 529 ssl_set_ciphersuites (ks_ssl->ctx, ssl_default_ciphersuites); 530 #endif 523 531 524 532 /* Initialise authentication information */ 525 533 if (is_server) … … 556 564 ssl_free(ks_ssl->ctx); 557 565 free(ks_ssl->ctx); 558 566 } 567 #if POLARSSL_VERSION_NUMBER < 0x01020000 559 568 if (ks_ssl->ssn) 560 569 free(ks_ssl->ssn); 570 #endif 561 571 if (ks_ssl->ct_in) { 562 572 buf_free_entries(ks_ssl->ct_in); 563 573 free(ks_ssl->ct_in); … … 818 828 void 819 829 print_details (struct key_state_ssl * ks_ssl, const char *prefix) 820 830 { 821 x509_cert *cert;831 const x509_cert *cert; 822 832 char s1[256]; 823 833 char s2[256]; 824 834 … … 828 838 ssl_get_version (ks_ssl->ctx), 829 839 ssl_get_ciphersuite(ks_ssl->ctx)); 830 840 841 #if POLARSSL_VERSION_NUMBER < 0x01020000 831 842 cert = ks_ssl->ctx->peer_cert; 843 #else 844 cert = ssl_get_peer_cert(ks_ssl->ctx); 845 #endif 832 846 if (cert != NULL) 833 847 { 834 848 openvpn_snprintf (s2, sizeof (s2), ", " counter_format " bit RSA", (counter_type) cert->rsa.len * 8); -
src/openvpn/ssl_verify_polarssl.h
33 33 #include "syshead.h" 34 34 #include "misc.h" 35 35 #include "manage.h" 36 #include <polarssl/version.h> 36 37 #include <polarssl/x509.h> 37 38 38 39 #ifndef __OPENVPN_X509_CERT_T_DECLARED … … 64 65 * @param cert - The certificate used by PolarSSL. 65 66 * @param cert_depth - The depth of the current certificate in the chain, with 66 67 * 0 being the actual certificate. 68 * PolarSSL < 1.2.x 67 69 * @param preverify_ok - Whether the remote OpenVPN peer's certificate 68 70 * past verification. A value of 1 means it 69 71 * verified successfully, 0 means it failed. 72 * PolarSSL >= 1.2.x 73 * @param preverify_flags - Pointer to preverify flags. 74 * ((*flags) == 0) means verified successfully 75 * ((*flags) != 0) means verification failed 70 76 * 71 77 * @return The return value indicates whether the supplied certificate is 72 78 * allowed to set up a VPN tunnel. The following values can be … … 75 81 * - \c 1: success, this certificate is allowed to connect. 76 82 */ 77 83 int verify_callback (void *session_obj, x509_cert *cert, int cert_depth, 84 #if POLARSSL_VERSION_NUMBER < 0x01020000 78 85 int preverify_ok); 86 #else 87 int *preverify_flags); 88 #endif 79 89 80 90 /** @} name Function for authenticating a new connection from a remote OpenVPN peer */ 81 91 -
src/openvpn/ssl_verify_polarssl.c
44 44 45 45 int 46 46 verify_callback (void *session_obj, x509_cert *cert, int cert_depth, 47 #if POLARSSL_VERSION_NUMBER < 0x01020000 47 48 int preverify_ok) 49 #else 50 int *preverify_flags) 51 #endif 48 52 { 49 53 struct tls_session *session = (struct tls_session *) session_obj; 50 54 struct gc_arena gc = gc_new(); … … 59 63 cert_hash_remember (session, cert_depth, x509_get_sha1_hash(cert, &gc)); 60 64 61 65 /* did peer present cert which was signed by our root cert? */ 66 #if POLARSSL_VERSION_NUMBER < 0x01020000 62 67 if (!preverify_ok) 68 #else 69 if (preverify_flags && (*preverify_flags) != 0) 70 /* 71 * In case of PolarSSL>=1.2.x the actual reason could be determined and printed out, 72 * see polarssl-1.2.x/programs/ssl/ssl_client2.c::my_verify for details. 73 */ 74 #endif 63 75 { 64 76 char *subject = x509_get_subject(cert, &gc); 65 77
