Opened 16 months ago

Closed 5 months ago

#250 closed Bug / Defect (fixed)

OpenVPN 2.3.0 fails to build with PolarSSL 1.2.0+

Reported by: mandree
Owned by:
Priority: major
Milestone:
Component: Building / Compiling
Version: 2.3-beta / 2.3-RC
Severity: Not set (if unsure, select this one)
Keywords:
Cc:

Description

gcc -DHAVE_CONFIG_H -I. -I../../../src/openvpn -I../.. -I../../../include -I../../../src/compat -I/usr/local/include -g -O2 -MT crypto.o -MD -MP -MF .deps/crypto.Tpo -c -o crypto.o ../../../src/openvpn/crypto.c
../../../src/openvpn/crypto.c: In function 'openvpn_encrypt':
../../../src/openvpn/crypto.c:104: error: 'POLARSSL_MODE_CFB128' undeclared (first use in this function)
../../../src/openvpn/crypto.c:104: error: (Each undeclared identifier is reported only once
../../../src/openvpn/crypto.c:104: error: for each function it appears in.)
../../../src/openvpn/crypto.c: In function 'openvpn_decrypt':
../../../src/openvpn/crypto.c:314: error: 'POLARSSL_MODE_CFB128' undeclared (first use in this function)
../../../src/openvpn/crypto.c: In function 'init_key_type':
../../../src/openvpn/crypto.c:414: error: 'POLARSSL_MODE_CFB128' undeclared (first use in this function)
../../../src/openvpn/crypto.c: In function 'cfb_ofb_mode':
../../../src/openvpn/crypto.c:600: error: 'POLARSSL_MODE_CFB128' undeclared (first use in this function)
*** [crypto.o] Error code 1

This is in PolarSSL's 1.2.0 ChangeLog, under Changes:

  • Cipher layer cipher_mode_t POLARSSL_MODE_CFB128 is renamed to POLARSSL_MODE_CFB, to also handle different block size CFB modes.

If I get past that one, with a cunning yet daring AC_DEFINE, I get more errors:

../../../src/openvpn/ssl_polarssl.c:70: error: 'SSL_EDH_RSA_AES_256_SHA' undeclared here (not in a function)
../../../src/openvpn/ssl_polarssl.c:71: error: 'SSL_EDH_RSA_CAMELLIA_256_SHA' undeclared here (not in a function)
../../../src/openvpn/ssl_polarssl.c:72: error: 'SSL_EDH_RSA_AES_128_SHA' undeclared here (not in a function)
../../../src/openvpn/ssl_polarssl.c:73: error: 'SSL_EDH_RSA_CAMELLIA_128_SHA' undeclared here (not in a function)
../../../src/openvpn/ssl_polarssl.c:74: error: 'SSL_EDH_RSA_DES_168_SHA' undeclared here (not in a function)
../../../src/openvpn/ssl_polarssl.c:75: error: 'SSL_RSA_AES_256_SHA' undeclared here (not in a function)
../../../src/openvpn/ssl_polarssl.c:76: error: 'SSL_RSA_CAMELLIA_256_SHA' undeclared here (not in a function)
../../../src/openvpn/ssl_polarssl.c:77: error: 'SSL_RSA_AES_128_SHA' undeclared here (not in a function)
../../../src/openvpn/ssl_polarssl.c:78: error: 'SSL_RSA_CAMELLIA_128_SHA' undeclared here (not in a function)
../../../src/openvpn/ssl_polarssl.c:79: error: 'SSL_RSA_DES_168_SHA' undeclared here (not in a function)
../../../src/openvpn/ssl_polarssl.c:80: error: 'SSL_RSA_RC4_128_SHA' undeclared here (not in a function)
../../../src/openvpn/ssl_polarssl.c:81: error: 'SSL_RSA_RC4_128_MD5' undeclared here (not in a function)
../../../src/openvpn/ssl_polarssl.c: In function 'key_state_ssl_init':
../../../src/openvpn/ssl_polarssl.c:518: error: too many arguments to function 'ssl_set_session'
../../../src/openvpn/ssl_polarssl.c:537: warning: passing argument 2 of 'ssl_set_verify' from incompatible pointer type
../../../src/openvpn/ssl_polarssl.c: In function 'print_details':
../../../src/openvpn/ssl_polarssl.c:831: error: 'ssl_context' has no member named 'peer_cert'
../../../src/openvpn/ssl_polarssl.c:831: warning: assignment from incompatible pointer type
gmake[3]: *** [ssl_polarssl.o] Fehler 1

Attachments (3)

polarssl-1.2-first-half.patch.gz (779 bytes) - added by mandree 16 months ago.
Fix PolarSSL 1.2 portability, first half, gzipped.
220-allow-polarssl-1.2.3.patch (2.3 KB) - added by MaxMuster 15 months ago.
Patch for OpenVPN 2.3.0 to use polarssl 1.2.3, including "blowfish" as default cipher
freetz.org-openvpn-2.3.0-polarssl-1.2.x-support.patch (5.2 KB) - added by er13 14 months ago.
A more complete patch from freetz.org project (based on patch by MaxMuster)


Change History (11)

comment:1 Changed 16 months ago by mandree

This is also in the ChangeLog:

Renamed ciphersuites naming scheme to IANA reserved names

There is more - I think OpenVPN is not ready for PolarSSL 1.2.0.

comment:2 Changed 16 months ago by mandree

These are the cipher names as of PolarSSL 1.2.0, from ssl.h.

/*
 * Supported ciphersuites (Official IANA names)
 */
#define TLS_RSA_WITH_NULL_MD5 0x01 /**< Weak! */
#define TLS_RSA_WITH_NULL_SHA 0x02 /**< Weak! */
#define TLS_RSA_WITH_NULL_SHA256 0x3B /**< Weak! */
#define TLS_RSA_WITH_DES_CBC_SHA 0x09 /**< Weak! Not in TLS 1.2 */
#define TLS_DHE_RSA_WITH_DES_CBC_SHA 0x15 /**< Weak! Not in TLS 1.2 */

#define TLS_RSA_WITH_RC4_128_MD5 0x04
#define TLS_RSA_WITH_RC4_128_SHA 0x05

#define TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x0A
#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x16

#define TLS_RSA_WITH_AES_128_CBC_SHA 0x2F
#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x33
#define TLS_RSA_WITH_AES_256_CBC_SHA 0x35
#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x39
#define TLS_RSA_WITH_AES_128_CBC_SHA256 0x3C /**< TLS 1.2 */
#define TLS_RSA_WITH_AES_256_CBC_SHA256 0x3D /**< TLS 1.2 */
#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x67 /**< TLS 1.2 */
#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x6B /**< TLS 1.2 */

#define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 0x41
#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 0x45
#define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 0x84
#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 0x88
#define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 0xBA /**< TLS 1.2 */
#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 0xBE /**< TLS 1.2 */
#define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 0xC0 /**< TLS 1.2 */
#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 0xC4 /**< TLS 1.2 */

#define TLS_RSA_WITH_AES_128_GCM_SHA256 0x9C
#define TLS_RSA_WITH_AES_256_GCM_SHA384 0x9D
#define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x9E
#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 0x9F

Changed 16 months ago by mandree

Fix PolarSSL 1.2 portability, first half, gzipped.

comment:3 Changed 16 months ago by mandree

The attached patch (needed to be gzipped to avoid misdetection as spam) fixes most compatibility issues; two remain that I am unable to fix:

  • the verify callback needs to be adjusted from int preverify_ok to int *flags
  • there is a reference to peer_cert that no longer exists in ssl_context that needs to be updated

All this may need to be conditionalized on the PolarSSL version.

comment:4 Changed 16 months ago by andj

Hi mandree,

Thanks for the patch. I've got a series of patches for all of PolarSSL 1.2.3+ ready, and will submit them to the mailing list soon. Due to some bugs in PolarSSL 1.2.0-1.2.2, OpenVPN integration wasn't possible. Now that these have been fixed, we'll try to get the patch out into master ASAP, and hopefully into 2.3.1.

comment:5 Changed 16 months ago by MaxMuster

Just not to waste my work "on reinventing the wheel" ;-) as it seems, I attach my patch for using polarssl 1.2.3?
Might need some more tweaking, but I was able to compile a working binary with it.
It should work with 1.1.x and 1.2.x versions of polarssl.

comment:6 Changed 16 months ago by MaxMuster

... as PolarSSL 1.2 also supports "blowfish" (but with an alternate cipher name and default key length), you might also use this additional patch:

...deleted..

Last edited 15 months ago by MaxMuster

comment:7 Changed 16 months ago by MaxMuster

Sorry, wrong patch in the previous post; "keysize" has to be 16 to use a 128 bit key:

--- src/openvpn/options.c.ori	2013-01-13 18:31:52.735437040 +0100
+++ src/openvpn/options.c	2013-01-13 18:31:32.595437020 +0100
@@ -827,7 +827,12 @@
   o->server_poll_timeout = 0;
 #endif
 #ifdef ENABLE_CRYPTO
+#ifdef ENABLE_CRYPTO_POLARSSL
+  o->ciphername = "BLOWFISH-CBC";
+  o->keysize = 16;
+#else
   o->ciphername = "BF-CBC";
+#endif
   o->ciphername_defined = true;
   o->authname = "SHA1";
   o->authname_defined = true;
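Review bot: the new `#ifdef ENABLE_CRYPTO_POLARSSL` branch hard-codes `o->keysize = 16;` without a comment explaining it, while the `#else` branch leaves `keysize` at its default, so a later reader cannot tell why the two backends diverge. Per comment:6 and comment:7 the reason is that PolarSSL's "BLOWFISH-CBC" has a different default key length than OpenSSL's "BF-CBC", and 16 keeps both builds at a 128 bit key so they interoperate. Suggest a one-line comment at the assignment, for example `/* PolarSSL's BLOWFISH-CBC default key length differs; force 128 bit to match BF-CBC */`, and a note in the commit message that only the default cipher is changed here, so configs that spell out `cipher BF-CBC` will still need the name handled on PolarSSL builds.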


Changed 15 months ago by MaxMuster

Patch for OpenVPN 2.3.0 to use polarssl 1.2.3, including "blowfish" as default cipher

Changed 14 months ago by er13

A more complete patch from freetz.org project (based on patch by MaxMuster)

comment:8 Changed 5 months ago by samuli

  • Resolution set to fixed
  • Status changed from new to closed