--- /dev/null
+--- a/src/ssl.c
++++ b/src/ssl.c
+@@ -46,20 +46,23 @@
+ #include <polarssl/ssl.h>
+ #include <polarssl/net.h>
+
++#ifdef POLARSSL_API_V1_2
++int ciphers[] =
++{
++ TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
++ TLS_RSA_WITH_AES_256_CBC_SHA,
++ TLS_RSA_WITH_AES_128_CBC_SHA,
++ 0
++};
++#else
+ int ciphers[] =
+ {
+ SSL_EDH_RSA_AES_256_SHA,
+- SSL_EDH_RSA_CAMELLIA_256_SHA,
+- SSL_EDH_RSA_DES_168_SHA,
+ SSL_RSA_AES_256_SHA,
+- SSL_RSA_CAMELLIA_256_SHA,
+ SSL_RSA_AES_128_SHA,
+- SSL_RSA_CAMELLIA_128_SHA,
+- SSL_RSA_DES_168_SHA,
+- SSL_RSA_RC4_128_SHA,
+- SSL_RSA_RC4_128_MD5,
+ 0
+ };
++#endif
+ static x509_cert certificate;
+ static rsa_context key;
+ bool_t builtInTestCertificate;
+@@ -170,8 +173,13 @@ void SSLi_deinit(void)
+ /* Create SHA1 of last certificate in the peer's chain. */
+ bool_t SSLi_getSHA1Hash(SSL_handle_t *ssl, uint8_t *hash)
+ {
+- x509_cert *cert = ssl->peer_cert;
+- if (!ssl->peer_cert) {
++ x509_cert *cert;
++#ifdef POLARSSL_API_V1_2
++ cert = ssl_get_peer_cert(ssl);
++#else
++ cert = ssl->peer_cert;
++#endif
++ if (!cert) {
+ return false;
+ }
+ sha1(cert->raw.p, cert->raw.len, hash);
+@@ -207,7 +215,12 @@ SSL_handle_t *SSLi_newconnection(int *fd
+ #else
+ ssl_set_ciphers(ssl, ciphers);
+ #endif
++
++#ifdef POLARSSL_API_V1_2
++ ssl_set_session(ssl, ssn);
++#else
+ ssl_set_session(ssl, 0, 0, ssn);
++#endif
+
+ ssl_set_ca_chain(ssl, &certificate, NULL, NULL);
+ ssl_set_own_cert(ssl, &certificate, &key);
+--- a/src/ssl.h
++++ b/src/ssl.h
+@@ -68,6 +68,9 @@
+ } \
+ } while (0)
+ #endif
++ #if (POLARSSL_VERSION_MINOR >= 2)
++ #define POLARSSL_API_V1_2
++ #endif
+ #endif
+ #endif
+
--- /dev/null
+--- a/src/ssl.c
++++ b/src/ssl.c
+@@ -30,6 +30,7 @@
+ */
+ #include <string.h>
+ #include <stdlib.h>
++#include <fcntl.h>
+
+ #include "conf.h"
+ #include "log.h"
+@@ -66,8 +67,7 @@ int ciphers[] =
+ static x509_cert certificate;
+ static rsa_context key;
+ bool_t builtInTestCertificate;
+-
+-havege_state hs; /* exported to crypt.c */
++static int urandom_fd;
+
+ /* DH prime */
+ char *my_dhm_P =
+@@ -83,9 +83,13 @@ char *my_dhm_G = "4";
+ static void initTestCert()
+ {
+ int rc;
++#ifdef POLARSSL_CERTS_C
+ builtInTestCertificate = true;
+ rc = x509parse_crt(&certificate, (unsigned char *)test_srv_crt,
+ strlen(test_srv_crt));
++#else
++ rc = -1;
++#endif
+ if (rc != 0)
+ Log_fatal("Could not parse built-in test certificate");
+ }
+@@ -93,9 +97,12 @@ static void initTestCert()
+ static void initTestKey()
+ {
+ int rc;
+-
++#ifdef POLARSSL_CERTS_C
+ rc = x509parse_key(&key, (unsigned char *)test_srv_key,
+ strlen(test_srv_key), NULL, 0);
++#else
++ rc = -1;
++#endif
+ if (rc != 0)
+ Log_fatal("Could not parse built-in test RSA key");
+ }
+@@ -135,6 +142,19 @@ static void initKey()
+ Log_fatal("Could not read RSA key file %s", keyfile);
+ }
+
++int urandom_bytes(void *ctx, unsigned char *dest, size_t len)
++{
++ int cur;
++
++ while (len) {
++ cur = read(urandom_fd, dest, len);
++ if (cur < 0)
++ continue;
++
++ len -= cur;
++ }
++}
++
+ #define DEBUG_LEVEL 0
+ static void pssl_debug(void *ctx, int level, const char *str)
+ {
+@@ -154,8 +174,11 @@ void SSLi_init(void)
+ }
+ else
+ initKey();
+- havege_init(&hs);
+-
++
++ urandom_fd = open("/dev/urandom", O_RDONLY);
++ if (urandom_fd < 0)
++ Log_fatal("Cannot open /dev/urandom");
++
+ #ifdef POLARSSL_VERSION_MAJOR
+ version_get_string(verstring);
+ Log_info("PolarSSL library version %s initialized", verstring);
+@@ -173,7 +196,7 @@ void SSLi_deinit(void)
+ /* Create SHA1 of last certificate in the peer's chain. */
+ bool_t SSLi_getSHA1Hash(SSL_handle_t *ssl, uint8_t *hash)
+ {
+- x509_cert *cert;
++ const x509_cert *cert;
+ #ifdef POLARSSL_API_V1_2
+ cert = ssl_get_peer_cert(ssl);
+ #else
+@@ -206,7 +229,7 @@ SSL_handle_t *SSLi_newconnection(int *fd
+ ssl_set_endpoint(ssl, SSL_IS_SERVER);
+ ssl_set_authmode(ssl, SSL_VERIFY_OPTIONAL);
+
+- ssl_set_rng(ssl, HAVEGE_RAND, &hs);
++ ssl_set_rng(ssl, urandom_bytes, NULL);
+ ssl_set_dbg(ssl, pssl_debug, NULL);
+ ssl_set_bio(ssl, net_recv, fd, net_send, fd);
+
+--- a/src/ssl.h
++++ b/src/ssl.h
+@@ -45,35 +45,17 @@
+ #else
+ #if (POLARSSL_VERSION_MAJOR == 0)
+ #define POLARSSL_API_V0
+- #define HAVEGE_RAND (havege_rand)
+- #define RAND_bytes(_dst_, _size_) do { \
+- int i; \
+- for (i = 0; i < _size_; i++) { \
+- _dst_[i] = havege_rand(&hs); \
+- } \
+- } while (0)
+ #else
+ #define POLARSSL_API_V1
+- #if (POLARSSL_VERSION_MINOR >= 1)
+- #define HAVEGE_RAND (havege_random)
+- #define RAND_bytes(_dst_, _size_) do { \
+- havege_random(&hs, _dst_, _size_); \
+- } while (0)
+- #else
+- #define HAVEGE_RAND (havege_rand)
+- #define RAND_bytes(_dst_, _size_) do { \
+- int i; \
+- for (i = 0; i < _size_; i++) { \
+- _dst_[i] = havege_rand(&hs); \
+- } \
+- } while (0)
+- #endif
+ #if (POLARSSL_VERSION_MINOR >= 2)
+ #define POLARSSL_API_V1_2
+ #endif
+ #endif
+ #endif
+
++#define RAND_bytes(_dst_, _size_) urandom_bytes(NULL, _dst_, _size_)
++int urandom_bytes(void *ctx, unsigned char *dest, size_t len);
++
+ #else /* OpenSSL */
+ #include <openssl/x509v3.h>
+ #include <openssl/ssl.h>
projects / openwrt / svn-archive / packages.git / commitdiff