[LEDE-DEV] [PATCH RFC 2/2] openvpn: fix disabling DES support in mbedtls

Magnus Kroken mkroken at gmail.com
Fri Dec 16 16:53:40 PST 2016


From: Felix Fietkau <nbd at nbd.name>

Signed-off-by: Felix Fietkau <nbd at nbd.name>
Signed-off-by: Magnus Kroken <mkroken at gmail.com>
---
Felix added this to his staging tree along with my 2.4_rc1 patch,
it needed updates after rc2 due to a style reformatting of the OpenVPN
codebase. Not sure if I got the rebasing right, let me know of any problems.

 .../services/openvpn/patches/220-disable_des.patch | 81 ++++++++++++++++++++++
 1 file changed, 81 insertions(+)
 create mode 100644 package/network/services/openvpn/patches/220-disable_des.patch

diff --git a/package/network/services/openvpn/patches/220-disable_des.patch b/package/network/services/openvpn/patches/220-disable_des.patch
new file mode 100644
index 0000000..cd93070
--- /dev/null
+++ b/package/network/services/openvpn/patches/220-disable_des.patch
@@ -0,0 +1,81 @@
+--- a/src/openvpn/syshead.h
++++ b/src/openvpn/syshead.h
+@@ -594,11 +594,11 @@ socket_defined(const socket_descriptor_t
+ /*
+  * Should we include NTLM proxy functionality
+  */
+-#if defined(ENABLE_CRYPTO)
+-#define NTLM 1
+-#else
++//#if defined(ENABLE_CRYPTO)
++//#define NTLM 1
++//#else
+ #define NTLM 0
+-#endif
++//#endif
+ 
+ /*
+  * Should we include proxy digest auth functionality
+--- a/src/openvpn/crypto_mbedtls.c
++++ b/src/openvpn/crypto_mbedtls.c
+@@ -320,6 +320,7 @@ int
+ key_des_num_cblocks(const mbedtls_cipher_info_t *kt)
+ {
+     int ret = 0;
++#ifdef MBEDTLS_DES_C
+     if (kt->type == MBEDTLS_CIPHER_DES_CBC)
+     {
+         ret = 1;
+@@ -332,6 +333,7 @@ key_des_num_cblocks(const mbedtls_cipher
+     {
+         ret = 3;
+     }
++#endif
+ 
+     dmsg(D_CRYPTO_DEBUG, "CRYPTO INFO: n_DES_cblocks=%d", ret);
+     return ret;
+@@ -340,6 +342,7 @@ key_des_num_cblocks(const mbedtls_cipher
+ bool
+ key_des_check(uint8_t *key, int key_len, int ndc)
+ {
++#ifdef MBEDTLS_DES_C
+     int i;
+     struct buffer b;
+ 
+@@ -368,11 +371,15 @@ key_des_check(uint8_t *key, int key_len,
+ 
+ err:
+     return false;
++#else
++    return true;
++#endif
+ }
+ 
+ void
+ key_des_fixup(uint8_t *key, int key_len, int ndc)
+ {
++#ifdef MBEDTLS_DES_C
+     int i;
+     struct buffer b;
+ 
+@@ -387,6 +394,7 @@ key_des_fixup(uint8_t *key, int key_len,
+         }
+         mbedtls_des_key_set_parity(key);
+     }
++#endif
+ }
+ 
+ /*
+@@ -698,10 +706,12 @@ cipher_des_encrypt_ecb(const unsigned ch
+                        unsigned char *src,
+                        unsigned char *dst)
+ {
++#ifdef MBEDTLS_DES_C
+     mbedtls_des_context ctx;
+ 
+     ASSERT(mbed_ok(mbedtls_des_setkey_enc(&ctx, key)));
+     ASSERT(mbed_ok(mbedtls_des_crypt_ecb(&ctx, src, dst)));
++#endif
+ }
+ 
+ 
-- 
2.1.4




More information about the Lede-dev mailing list