Opened 12 years ago
Closed 11 years ago
#250 closed Bug / Defect (fixed)
OpenVPN 2.3.0 fails to build with PolarSSL 1.2.0+
Reported by: | mandree | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | Building / Compiling | Version: | OpenVPN 2.3-beta / 2.3-RC (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
Cc: | | | |
Description
gcc -DHAVE_CONFIG_H -I. -I../../../src/openvpn -I../.. -I../../../include -I../../../src/compat -I/usr/local/include -g -O2 -MT crypto.o -MD -MP -MF .deps/crypto.Tpo -c -o crypto.o ../../../src/openvpn/crypto.c
../../../src/openvpn/crypto.c: In function 'openvpn_encrypt':
../../../src/openvpn/crypto.c:104: error: 'POLARSSL_MODE_CFB128' undeclared (first use in this function)
../../../src/openvpn/crypto.c:104: error: (Each undeclared identifier is reported only once
../../../src/openvpn/crypto.c:104: error: for each function it appears in.)
../../../src/openvpn/crypto.c: In function 'openvpn_decrypt':
../../../src/openvpn/crypto.c:314: error: 'POLARSSL_MODE_CFB128' undeclared (first use in this function)
../../../src/openvpn/crypto.c: In function 'init_key_type':
../../../src/openvpn/crypto.c:414: error: 'POLARSSL_MODE_CFB128' undeclared (first use in this function)
../../../src/openvpn/crypto.c: In function 'cfb_ofb_mode':
../../../src/openvpn/crypto.c:600: error: 'POLARSSL_MODE_CFB128' undeclared (first use in this function)
*** [crypto.o] Error code 1
This is in PolarSSL's 1.2.0 ChangeLog, under Changes:
- Cipher layer cipher_mode_t POLARSSL_MODE_CFB128 is renamed to POLARSSL_MODE_CFB, to also handle different block size CFB modes.
If I get past that one, with a cunning yet daring AC_DEFINE, I get more errors:
../../../src/openvpn/ssl_polarssl.c:70: error: 'SSL_EDH_RSA_AES_256_SHA' undeclared here (not in a function)
../../../src/openvpn/ssl_polarssl.c:71: error: 'SSL_EDH_RSA_CAMELLIA_256_SHA' undeclared here (not in a function)
../../../src/openvpn/ssl_polarssl.c:72: error: 'SSL_EDH_RSA_AES_128_SHA' undeclared here (not in a function)
../../../src/openvpn/ssl_polarssl.c:73: error: 'SSL_EDH_RSA_CAMELLIA_128_SHA' undeclared here (not in a function)
../../../src/openvpn/ssl_polarssl.c:74: error: 'SSL_EDH_RSA_DES_168_SHA' undeclared here (not in a function)
../../../src/openvpn/ssl_polarssl.c:75: error: 'SSL_RSA_AES_256_SHA' undeclared here (not in a function)
../../../src/openvpn/ssl_polarssl.c:76: error: 'SSL_RSA_CAMELLIA_256_SHA' undeclared here (not in a function)
../../../src/openvpn/ssl_polarssl.c:77: error: 'SSL_RSA_AES_128_SHA' undeclared here (not in a function)
../../../src/openvpn/ssl_polarssl.c:78: error: 'SSL_RSA_CAMELLIA_128_SHA' undeclared here (not in a function)
../../../src/openvpn/ssl_polarssl.c:79: error: 'SSL_RSA_DES_168_SHA' undeclared here (not in a function)
../../../src/openvpn/ssl_polarssl.c:80: error: 'SSL_RSA_RC4_128_SHA' undeclared here (not in a function)
../../../src/openvpn/ssl_polarssl.c:81: error: 'SSL_RSA_RC4_128_MD5' undeclared here (not in a function)
../../../src/openvpn/ssl_polarssl.c: In function 'key_state_ssl_init':
../../../src/openvpn/ssl_polarssl.c:518: error: too many arguments to function 'ssl_set_session'
../../../src/openvpn/ssl_polarssl.c:537: warning: passing argument 2 of 'ssl_set_verify' from incompatible pointer type
../../../src/openvpn/ssl_polarssl.c: In function 'print_details':
../../../src/openvpn/ssl_polarssl.c:831: error: 'ssl_context' has no member named 'peer_cert'
../../../src/openvpn/ssl_polarssl.c:831: warning: assignment from incompatible pointer type
gmake[3]: *** [ssl_polarssl.o] Fehler 1
Attachments (3)
Change History (11)
comment:1 Changed 12 years ago by
comment:2 Changed 12 years ago by
These are the cipher names as of PolarSSL 1.2.0, from ssl.h.
/*
 * Supported ciphersuites (Official IANA names)
 */
#define TLS_RSA_WITH_NULL_MD5 0x01 /**< Weak! */
#define TLS_RSA_WITH_NULL_SHA 0x02 /**< Weak! */
#define TLS_RSA_WITH_NULL_SHA256 0x3B /**< Weak! */
#define TLS_RSA_WITH_DES_CBC_SHA 0x09 /**< Weak! Not in TLS 1.2 */
#define TLS_DHE_RSA_WITH_DES_CBC_SHA 0x15 /**< Weak! Not in TLS 1.2 */
#define TLS_RSA_WITH_RC4_128_MD5 0x04
#define TLS_RSA_WITH_RC4_128_SHA 0x05
#define TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x0A
#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x16
#define TLS_RSA_WITH_AES_128_CBC_SHA 0x2F
#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x33
#define TLS_RSA_WITH_AES_256_CBC_SHA 0x35
#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x39
#define TLS_RSA_WITH_AES_128_CBC_SHA256 0x3C /**< TLS 1.2 */
#define TLS_RSA_WITH_AES_256_CBC_SHA256 0x3D /**< TLS 1.2 */
#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x67 /**< TLS 1.2 */
#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x6B /**< TLS 1.2 */
#define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 0x41
#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 0x45
#define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 0x84
#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 0x88
#define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 0xBA /**< TLS 1.2 */
#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 0xBE /**< TLS 1.2 */
#define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 0xC0 /**< TLS 1.2 */
#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 0xC4 /**< TLS 1.2 */
#define TLS_RSA_WITH_AES_128_GCM_SHA256 0x9C
#define TLS_RSA_WITH_AES_256_GCM_SHA384 0x9D
#define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x9E
#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 0x9F
Changed 12 years ago by
Attachment: | polarssl-1.2-first-half.patch.gz added |
---|
Fix PolarSSL 1.2 portability, first half, gzipped.
comment:3 Changed 12 years ago by
The attached patch (needed to be gzipped to avoid misdetection as spam) fixes most compatibility issues; two remain that I am unable to fix:
- the verify callback needs to be adjusted from int preverify_ok to int *flags
- there is a reference to peer_cert that no longer exists in ssl_context that needs to be updated
All this may need to be conditionalized on the PolarSSL version.
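A shim of the kind comment 3 asks for, keyed on the PolarSSL version, as an added example that is not from the ticket, OpenVPN or PolarSSL: it aliases the 1.1 identifiers that OpenVPN 2.3.0 uses (the CFB mode and the SSL_* ciphersuite names from the build errors above) to the 1.2 names, so the same source compiles against either. HAVE_POLARSSL is a hypothetical guard, and the fallback values for POLARSSL_VERSION_NUMBER and POLARSSL_MODE_CFB are constructed placeholders; the ciphersuite codepoints are the ones quoted from 1.2.0's ssl.h in comment 2.

```c
/* Added example (not OpenVPN's or PolarSSL's code): version-keyed shim mapping
 * the PolarSSL 1.1 names used by OpenVPN 2.3.0 onto the PolarSSL 1.2 names. */
#include <stddef.h>
#ifdef HAVE_POLARSSL  /* hypothetical guard: define when PolarSSL headers exist */
#include <polarssl/version.h>
#include <polarssl/cipher.h>
#include <polarssl/ssl.h>
#else
/* Constructed stand-ins so the shim builds offline: version and CFB value are
 * placeholders; the ciphersuite codepoints are those from 1.2.0's ssl.h. */
#define POLARSSL_VERSION_NUMBER 0x01020000 /* placeholder for 1.2.0 */
#define POLARSSL_MODE_CFB 3                /* placeholder enum value */
#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x39
#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 0x88
#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x33
#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 0x45
#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x16
#define TLS_RSA_WITH_AES_256_CBC_SHA 0x35
#define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 0x84
#define TLS_RSA_WITH_AES_128_CBC_SHA 0x2F
#define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 0x41
#define TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x0A
#define TLS_RSA_WITH_RC4_128_SHA 0x05
#define TLS_RSA_WITH_RC4_128_MD5 0x04
#endif
#if POLARSSL_VERSION_NUMBER >= 0x01020000
/* 1.2.0 renamed the mode and the suites; codepoints are unchanged, so aliasing
 * the old names to the IANA names is enough for the 2.3.0 sources to build. */
#define POLARSSL_MODE_CFB128 POLARSSL_MODE_CFB
#define SSL_EDH_RSA_AES_256_SHA      TLS_DHE_RSA_WITH_AES_256_CBC_SHA
#define SSL_EDH_RSA_CAMELLIA_256_SHA TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
#define SSL_EDH_RSA_AES_128_SHA      TLS_DHE_RSA_WITH_AES_128_CBC_SHA
#define SSL_EDH_RSA_CAMELLIA_128_SHA TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
#define SSL_EDH_RSA_DES_168_SHA      TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
#define SSL_RSA_AES_256_SHA          TLS_RSA_WITH_AES_256_CBC_SHA
#define SSL_RSA_CAMELLIA_256_SHA     TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
#define SSL_RSA_AES_128_SHA          TLS_RSA_WITH_AES_128_CBC_SHA
#define SSL_RSA_CAMELLIA_128_SHA     TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
#define SSL_RSA_DES_168_SHA          TLS_RSA_WITH_3DES_EDE_CBC_SHA
#define SSL_RSA_RC4_128_SHA          TLS_RSA_WITH_RC4_128_SHA
#define SSL_RSA_RC4_128_MD5          TLS_RSA_WITH_RC4_128_MD5
#endif
/* The suite list from ssl_polarssl.c:70-81, still spelled with 2.3.0's names. */
static const int openvpn_ciphersuites[] = {
    SSL_EDH_RSA_AES_256_SHA, SSL_EDH_RSA_CAMELLIA_256_SHA, SSL_EDH_RSA_AES_128_SHA,
    SSL_EDH_RSA_CAMELLIA_128_SHA, SSL_EDH_RSA_DES_168_SHA, SSL_RSA_AES_256_SHA,
    SSL_RSA_CAMELLIA_256_SHA, SSL_RSA_AES_128_SHA, SSL_RSA_CAMELLIA_128_SHA,
    SSL_RSA_DES_168_SHA, SSL_RSA_RC4_128_SHA, SSL_RSA_RC4_128_MD5, 0 };
int cfb_mode_id(void) { return POLARSSL_MODE_CFB128; }
int ciphersuite_at(size_t i) { return openvpn_ciphersuites[i]; }
```

Against a real 1.1.x install the version test is false and the library's own SSL_* names are used untouched; against 1.2.x the aliases resolve to the IANA names with the same wire values.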
comment:4 Changed 12 years ago by
Hi mandree,
Thanks for the patch. I've got a series of patches for all of PolarSSL 1.2.3+ ready, and will submit them to the mailing list soon. Due to some bugs in PolarSSL 1.2.0-1.2.2, OpenVPN integration wasn't possible. Now that these have been fixed, we'll try to get the patch out into master ASAP, and hopefully into 2.3.1.
comment:5 Changed 12 years ago by
Just not to waste my work "on reinventing the wheel" ;-) as it seems, I attach my patch for using polarssl 1.2.3.
Might need some more tweaking, but I was able to compile a working binary with it.
It should work with 1.1.x and 1.2.x versions of polarssl.
comment:6 Changed 12 years ago by
... for PolarSSL 1.2 also supports "blowfish" (but with alternate cipher name and default key length) you might also use this additional patch:
...deleted..
comment:7 Changed 12 years ago by
Sorry, wrong patch in previous post; "keysize" has to be 16 to use a 128-bit key:
--- src/openvpn/options.c.ori 2013-01-13 18:31:52.735437040 +0100 +++ src/openvpn/options.c 2013-01-13 18:31:32.595437020 +0100 @@ -827,7 +827,12 @@ o->server_poll_timeout = 0; #endif #ifdef ENABLE_CRYPTO +#ifdef ENABLE_CRYPTO_POLARSSL + o->ciphername = "BLOWFISH-CBC"; + o->keysize = 16; +#else o->ciphername = "BF-CBC"; +#endif o->ciphername_defined = true; o->authname = "SHA1"; o->authname_defined = true;
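Review bot: the PolarSSL branch of this hunk sets `o->keysize = 16;` with no comment explaining why, and the reason is non-obvious: the post above says PolarSSL's "BLOWFISH-CBC" has a different default key length, so without the explicit 128-bit keysize a PolarSSL build would not speak the same default cipher as an OpenSSL build using "BF-CBC". Add a one-line comment to that effect next to the assignment, e.g. `+ o->keysize = 16; /* PolarSSL's BLOWFISH-CBC default differs; match OpenSSL's 128-bit BF-CBC */`. Also note that the hunk only changes the compiled-in default; if the PolarSSL backend does not accept the OpenSSL spelling "BF-CBC" at all, a config that sets `cipher BF-CBC` explicitly still fails on a PolarSSL build, so mapping the cipher name inside the PolarSSL crypto backend rather than branching on the backend here would be the more robust fix.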
Changed 12 years ago by
Attachment: | 220-allow-polarssl-1.2.3.patch added |
---|
Patch for OpenVPN 2.3.0 to use polarssl 1.2.3, including "blowfish" as default cipher
Changed 12 years ago by
Attachment: | freetz.org-openvpn-2.3.0-polarssl-1.2.x-support.patch added |
---|
A more complete patch from freetz.org project (based on patch by MaxMuster)
comment:8 Changed 11 years ago by
Resolution: | → fixed |
---|---|
Status: | new → closed |
This is also in the ChangeLog:
Renamed ciphersuites naming scheme to IANA reserved names
There is more - I think OpenVPN is not ready for PolarSSL 1.2.0.