@@ -160,6 +160,13 @@ openvpn_SOURCES += \

 	ssl_openssl.c ssl_openssl.h \

 	ssl_verify_openssl.c ssl_verify_openssl.h

 endif

+if USE_POLARSSL

+openvpn_SOURCES += \

+	crypto_polarssl.c crypto_polarssl.h \

+	pkcs11_polarssl.c \

+	ssl_polarssl.c ssl_polarssl.h \

+	ssl_verify_polarssl.c ssl_verify_polarssl.h

+endif

 dist-hook:

 	cd $(distdir) && for i in $(EXTRA_DIST) $(SUBDIRS) ; do find $$i -name .svn -type d -prune -exec rm -rf '{}' ';' ; rm -f `find $$i -type f | grep -E '(^|\/)\.?\#|\~$$|\.s?o$$'` ; done

new file mode 100644

@@ -0,0 +1,23 @@

+This version of OpenVPN has PolarSSL support. To enable follow the following

+instructions:

+

+To Build and Install,

+

+	./configure --with-ssl-type=polarssl

+	make

+	make install

+

+*************************************************************************

+

+The following features are missing in the PolarSSL version of OpenVPN:

+

+ * ca_path support - Loading certificate authorities from a directory

+ * PKCS#12 file support

+ * Windows CryptoAPI support

+ * Management external key support

+ * X509 alternative username fields (must be "CN")

+

+ TODO:

+ * serial is in Hex

+ * X509 certificate export

+ * X.509 tracking

@@ -291,14 +291,16 @@ AC_ARG_WITH(mem-check,

 )

 AC_ARG_WITH([ssl-type],

-   [  --with-ssl-type=TYPE  Build with the given SSL library, TYPE = openssl ],

+   [  --with-ssl-type=TYPE  Build with the given SSL library, TYPE = openssl or polarssl ],

    [case "${withval}" in 

         openssl) SSL_LIB=openssl ;;

+        polarssl) SSL_LIB=polarssl ;;

         *) AC_MSG_ERROR([bad value ${withval} for --with-ssl-type]) ;;

    esac],

    [SSL_LIB="openssl"]

 )

 AM_CONDITIONAL([USE_OPENSSL], [test x$SSL_LIB = xopenssl])

+AM_CONDITIONAL([USE_POLARSSL], [test x$SSL_LIB = xpolarssl])

 dnl fix search path, to allow compilers to find syshead.h

 CPPFLAGS="$CPPFLAGS -I${srcdir}"

@@ -710,6 +712,24 @@ if test "$LZO_STUB" = "yes"; then

 fi

 dnl

+dnl enable pkcs11 capability

+dnl

+

+if test "$PKCS11" = "yes"; then

+   AC_CHECKING([for pkcs11-helper Library and Header files])

+   AC_CHECK_HEADER(pkcs11-helper-1.0/pkcs11h-core.h,

+	[AC_CHECK_LIB(pkcs11-helper, pkcs11h_initialize,

+	    [

+		   AC_DEFINE(USE_PKCS11, 1, [Enable PKCS11 capability])

+		   OPENVPN_ADD_LIBS(-lpkcs11-helper)

+	    ],

+	    [AC_MSG_RESULT([pkcs11-helper library not found.])]

+	)],

+	[AC_MSG_RESULT([pkcs11-helper headers not found.])]

+   )

+fi

+

+dnl

 dnl check for SSL-crypto library

 dnl

@@ -752,7 +772,20 @@ if test "$CRYPTO" = "yes"; then

          [AC_MSG_ERROR([OpenSSL crypto Library is too old.])]

        )

    fi

-

+   if test "$SSL_LIB" = "polarssl"; then

+        AC_CHECKING([for PolarSSL Crypto Library and Header files])

+        AC_CHECK_HEADER(polarssl/aes.h,

+            [AC_CHECK_LIB(polarssl, aes_crypt_cbc,

+                [

+                    OPENVPN_ADD_LIBS(-lpolarssl)

+                    AC_DEFINE(USE_CRYPTO, 1, [Use crypto library])

+                    AC_DEFINE(USE_POLARSSL, 1, [Use PolarSSL library])

+                ],

+                [AC_MSG_ERROR([PolarSSL Crypto library not found.])]

+            )],

+            [AC_MSG_ERROR([PolarSSL Crypto headers not found.])]

+        )

+    fi

    dnl

    dnl check for OpenSSL-SSL library

    dnl

@@ -788,6 +821,20 @@ if test "$CRYPTO" = "yes"; then

          AC_DEFINE(USE_SSL, 1, [Use OpenSSL SSL library])

       fi

+      if test "$SSL_LIB" = "polarssl"; then

+         AC_CHECKING([for PolarSSL SSL Library and Header files])

+         AC_CHECK_HEADER(polarssl/ssl.h,

+              [AC_CHECK_LIB(polarssl, ssl_init,

+              [

+                  OPENVPN_ADD_LIBS(-lpolarssl)

+                  AC_DEFINE(USE_SSL, 1, [Use SSL library])

+                  AC_DEFINE(USE_POLARSSL, 1, [Use PolarSSL library])

+              ],

+              [AC_MSG_ERROR([PolarSSL SSL library not found.])]

+          )],

+              [AC_MSG_ERROR([PolarSSL SSL headers not found.])]

+          )

+       fi

    fi

 fi

@@ -796,22 +843,6 @@ if test "$X509ALTUSERNAME" = "yes"; then

    AC_DEFINE(ENABLE_X509ALTUSERNAME, 1, [Enable --x509-username-field feature])

 fi

-dnl enable pkcs11 capability

-

-if test "$PKCS11" = "yes"; then

-   AC_CHECKING([for pkcs11-helper Library and Header files])

-   AC_CHECK_HEADER(pkcs11-helper-1.0/pkcs11h-core.h,

-	[AC_CHECK_LIB(pkcs11-helper, pkcs11h_initialize,

-	    [

-		   AC_DEFINE(USE_PKCS11, 1, [Enable PKCS11 capability])

-		   OPENVPN_ADD_LIBS(-lpkcs11-helper)

-	    ],

-	    [AC_MSG_RESULT([pkcs11-helper library not found.])]

-	)],

-	[AC_MSG_RESULT([pkcs11-helper headers not found.])]

-   )

-fi

-

 dnl enable multi-client mode

 if test "$MULTI" = "yes"; then

    AC_DEFINE(ENABLE_CLIENT_SERVER, 1, [Enable client/server capability])

@@ -35,7 +35,9 @@

 #ifdef USE_OPENSSL

 #include "crypto_openssl.h"

 #endif

-

+#ifdef USE_POLARSSL

+#include "crypto_polarssl.h"

+#endif

 #include "basic.h"

new file mode 100644

@@ -0,0 +1,577 @@

+/*

+ *  OpenVPN -- An application to securely tunnel IP networks

+ *             over a single TCP/UDP port, with support for SSL/TLS-based

+ *             session authentication and key exchange,

+ *             packet encryption, packet authentication, and

+ *             packet compression.

+ *

+ *  Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>

+ *  Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com>

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License version 2

+ *  as published by the Free Software Foundation.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program (see the file COPYING included with this

+ *  distribution); if not, write to the Free Software Foundation, Inc.,

+ *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

+ */

+

+/**

+ * @file Data Channel Cryptography PolarSSL-specific backend interface

+ */

+

+#include "syshead.h"

+

+#include "errlevel.h"

+#include "basic.h"

+#include "buffer.h"

+#include "integer.h"

+#include "crypto_backend.h"

+

+#include <polarssl/des.h>

+#include <polarssl/md5.h>

+#include <polarssl/cipher.h>

+#include <polarssl/havege.h>

+

+/*

+ *

+ * Hardware engine support. Allows loading/unloading of engines.

+ *

+ */

+

+void

+crypto_init_lib_engine (const char *engine_name)

+{

+  msg (M_WARN, "Note: PolarSSL hardware crypto engine functionality is not "

+      "available");

+}

+

+/*

+ *

+ * Functions related to the core crypto library

+ *

+ */

+

+void

+crypto_init_lib (void)

+{

+}

+

+void

+crypto_uninit_lib (void)

+{

+  prng_uninit();

+}

+

+void

+crypto_clear_error (void)

+{

+}

+

+#ifdef DMALLOC

+void

+crypto_init_dmalloc (void)

+{

+  msg (M_ERR, "Error: dmalloc support is not available for PolarSSL.");

+}

+#endif /* DMALLOC */

+

+void

+show_available_ciphers ()

+{

+  const int *ciphers = cipher_list();

+

+#ifndef ENABLE_SMALL

+  printf ("The following ciphers and cipher modes are available\n"

+	  "for use with " PACKAGE_NAME ".  Each cipher shown below may be\n"

+	  "used as a parameter to the --cipher option.  The default\n"

+	  "key size is shown as well as whether or not it can be\n"

+          "changed with the --keysize directive.  Using a CBC mode\n"

+	  "is recommended.\n\n");

+#endif

+

+  while (*ciphers != 0)

+    {

+      const cipher_info_t *info = cipher_info_from_type(*ciphers);

+

+      if (info && info->mode == POLARSSL_MODE_CBC)

+	printf ("%s %d bit default key\n",

+		info->name, info->key_length);

+

+      ciphers++;

+    }

+  printf ("\n");

+}

+

+void

+show_available_digests ()

+{

+  const int *digests = md_list();

+

+#ifndef ENABLE_SMALL

+  printf ("The following message digests are available for use with\n"

+	  PACKAGE_NAME ".  A message digest is used in conjunction with\n"

+	  "the HMAC function, to authenticate received packets.\n"

+	  "You can specify a message digest as parameter to\n"

+	  "the --auth option.\n\n");

+#endif

+

+  while (*digests != 0)

+    {

+      const md_info_t *info = md_info_from_type(*digests);

+

+      if (info)

+	printf ("%s %d bit default key\n",

+		info->name, info->size * 8);

+      digests++;

+    }

+  printf ("\n");

+}

+

+void

+show_available_engines ()

+{

+  printf ("Sorry, PolarSSL hardware crypto engine functionality is not "

+      "available\n");

+}

+

+

+/*

+ *

+ * Random number functions, used in cases where we want

+ * reasonably strong cryptographic random number generation

+ * without depleting our entropy pool.  Used for random

+ * IV values and a number of other miscellaneous tasks.

+ *

+ */

+

+int

+rand_bytes (uint8_t *output, int len)

+{

+  static havege_state hs = {0};

+  static bool hs_initialised = false;

+  const int int_size = sizeof(int);

+

+  if (!hs_initialised)

+    {

+      /* Initialise PolarSSL RNG */

+      havege_init(&hs);

+      hs_initialised = true;

+    }

+

+  while (len > 0)

+    {

+      const int blen 	= min_int (len, int_size);

+      const int rand_int 	= havege_rand(&hs);

+

+      memcpy (output, &rand_int, blen);

+      output += blen;

+      len -= blen;

+    }

+  return 1;

+}

+

+/*

+ *

+ * Key functions, allow manipulation of keys.

+ *

+ */

+

+

+int

+key_des_num_cblocks (const cipher_info_t *kt)

+{

+  int ret = 0;

+  if (kt->type == POLARSSL_CIPHER_DES_CBC)

+    ret = 1;

+  if (kt->type == POLARSSL_CIPHER_DES_EDE_CBC)

+    ret = 2;

+  if (kt->type == POLARSSL_CIPHER_DES_EDE3_CBC)

+    ret = 3;

+

+  dmsg (D_CRYPTO_DEBUG, "CRYPTO INFO: n_DES_cblocks=%d", ret);

+  return ret;

+}

+

+bool

+key_des_check (uint8_t *key, int key_len, int ndc)

+{

+  int i;

+  struct buffer b;

+

+  buf_set_read (&b, key, key_len);

+

+  for (i = 0; i < ndc; ++i)

+    {

+      unsigned char *key = buf_read_alloc(&b, DES_KEY_SIZE);

+      if (!key)

+	{

+	  msg (D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: insufficient key material");

+	  goto err;

+	}

+      if (0 != des_key_check_weak(key))

+	{

+	  msg (D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: weak key detected");

+	  goto err;

+	}

+      if (0 != des_key_check_key_parity(key))

+	{

+	  msg (D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: bad parity detected");

+	  goto err;

+	}

+    }

+  return true;

+

+ err:

+  return false;

+}

+

+void

+key_des_fixup (uint8_t *key, int key_len, int ndc)

+{

+  int i;

+  struct buffer b;

+

+  buf_set_read (&b, key, key_len);

+  for (i = 0; i < ndc; ++i)

+    {

+      unsigned char *key = buf_read_alloc(&b, DES_KEY_SIZE);

+      if (!key)

+	{

+	  msg (D_CRYPT_ERRORS, "CRYPTO INFO: fixup_key_DES: insufficient key material");

+	  return;

+	}

+      des_key_set_parity(key);

+    }

+}

+

+/*

+ *

+ * Generic cipher key type functions

+ *

+ */

+

+

+const cipher_info_t *

+cipher_kt_get (const char *ciphername)

+{

+  const cipher_info_t *cipher = NULL;

+

+  ASSERT (ciphername);

+

+  cipher = cipher_info_from_string(ciphername);

+

+  if (NULL == cipher)

+    msg (M_FATAL, "Cipher algorithm '%s' not found", ciphername);

+

+  if (cipher->key_length/8 > MAX_CIPHER_KEY_LENGTH)

+    msg (M_FATAL, "Cipher algorithm '%s' uses a default key size (%d bytes) which is larger than " PACKAGE_NAME "'s current maximum key size (%d bytes)",

+	 ciphername,

+	 cipher->key_length/8,

+	 MAX_CIPHER_KEY_LENGTH);

+

+  return cipher;

+}

+

+const char *

+cipher_kt_name (const cipher_info_t *cipher_kt)

+{

+  if (NULL == cipher_kt)

+    return "[null-cipher]";

+  return cipher_kt->name;

+}

+

+int

+cipher_kt_key_size (const cipher_info_t *cipher_kt)

+{

+  if (NULL == cipher_kt)

+    return 0;

+  return cipher_kt->key_length/8;

+}

+

+int

+cipher_kt_iv_size (const cipher_info_t *cipher_kt)

+{

+  if (NULL == cipher_kt)

+    return 0;

+  return cipher_kt->iv_size;

+}

+

+int

+cipher_kt_block_size (const cipher_info_t *cipher_kt)

+{

+  if (NULL == cipher_kt)

+    return 0;

+  return cipher_kt->block_size;

+}

+

+bool

+cipher_kt_mode (const cipher_info_t *cipher_kt)

+{

+  ASSERT(NULL != cipher_kt);

+  return cipher_kt->mode;

+}

+

+

+/*

+ *

+ * Generic cipher context functions

+ *

+ */

+

+

+void

+cipher_ctx_init (cipher_context_t *ctx, uint8_t *key, int key_len,

+    const cipher_info_t *kt, int enc, const char *prefix)

+{

+  struct gc_arena gc = gc_new ();

+

+  ASSERT(NULL != kt && NULL != ctx);

+

+  CLEAR (*ctx);

+

+  if (0 != cipher_init_ctx(ctx, kt))

+    msg (M_FATAL, "PolarSSL cipher context init #1");

+

+  if (0 != cipher_setkey(ctx, key, key_len*8, enc))

+    msg (M_FATAL, "PolarSSL cipher set key");

+

+  msg (D_HANDSHAKE, "%s: Cipher '%s' initialized with %d bit key",

+       prefix,

+       cipher_kt_name(kt),

+       cipher_get_key_size(ctx));

+

+  /* make sure we used a big enough key */

+  ASSERT (ctx->key_length <= key_len*8);

+

+  dmsg (D_SHOW_KEYS, "%s: CIPHER KEY: %s", prefix,

+       format_hex (key, key_len, 0, &gc));

+  dmsg (D_CRYPTO_DEBUG, "%s: CIPHER block_size=%d iv_size=%d",

+       prefix,

+       cipher_get_block_size(ctx),

+       cipher_get_iv_size(ctx));

+

+  gc_free (&gc);

+}

+

+void cipher_ctx_cleanup (cipher_context_t *ctx)

+{

+  cipher_free_ctx(ctx);

+}

+

+int cipher_ctx_iv_length (const cipher_context_t *ctx)

+{

+  return cipher_get_iv_size(ctx);

+}

+

+int cipher_ctx_block_size(const cipher_context_t *ctx)

+{

+  return cipher_get_block_size(ctx);

+}

+

+int cipher_ctx_mode (const cipher_context_t *ctx)

+{

+  ASSERT(NULL != ctx);

+

+  return cipher_kt_mode(ctx->cipher_info);

+}

+

+int cipher_ctx_reset (cipher_context_t *ctx, uint8_t *iv_buf)

+{

+  return 0 == cipher_reset(ctx, iv_buf);

+}

+

+int cipher_ctx_update (cipher_context_t *ctx, uint8_t *dst, int *dst_len,

+    uint8_t *src, int src_len)

+{

+  return 0 == cipher_update(ctx, src, src_len, dst, dst_len);

+}

+

+int cipher_ctx_final (cipher_context_t *ctx, uint8_t *dst, int *dst_len)

+{

+  return 0 == cipher_finish(ctx, dst, dst_len);

+}

+

+void

+cipher_des_encrypt_ecb (const unsigned char key[DES_KEY_SIZE],

+    unsigned char *src,

+    unsigned char *dst)

+{

+    des_context ctx;

+

+    des_setkey_enc(&ctx, key);

+    des_crypt_ecb(&ctx, src, dst);

+}

+

+

+

+/*

+ *

+ * Generic message digest information functions

+ *

+ */

+

+

+const md_info_t *

+md_kt_get (const char *digest)

+{

+  const md_info_t *md = NULL;

+  ASSERT (digest);

+

+  md = md_info_from_string(digest);

+  if (!md)

+    msg (M_FATAL, "Message hash algorithm '%s' not found", digest);

+  if (md->size > MAX_HMAC_KEY_LENGTH)

+    msg (M_FATAL, "Message hash algorithm '%s' uses a default hash size (%d bytes) which is larger than " PACKAGE_NAME "'s current maximum hash size (%d bytes)",

+	 digest,

+	 md->size,

+	 MAX_HMAC_KEY_LENGTH);

+  return md;

+}

+

+const char *

+md_kt_name (const md_info_t *kt)

+{

+  if (NULL == kt)

+    return "[null-digest]";

+  return md_get_name (kt);

+}

+

+int

+md_kt_size (const md_info_t *kt)

+{

+  if (NULL == kt)

+    return 0;

+  return md_get_size(kt);

+}

+

+/*

+ *

+ * Generic message digest functions

+ *

+ */

+

+int

+md_full (const md_kt_t *kt, const uint8_t *src, int src_len, uint8_t *dst)

+{

+  return 0 == md(kt, src, src_len, dst);

+}

+

+

+void

+md_ctx_init (md_context_t *ctx, const md_info_t *kt)

+{

+  ASSERT(NULL != ctx && NULL != kt);

+

+  CLEAR(*ctx);

+

+  ASSERT(0 == md_starts(kt, ctx));

+}

+

+void

+md_ctx_cleanup(md_context_t *ctx)

+{

+  ASSERT(0 == md_free_ctx(ctx));

+}

+

+int

+md_ctx_size (const md_context_t *ctx)

+{

+  if (NULL == ctx)

+    return 0;

+  return md_get_size(ctx->md_info);

+}

+

+void

+md_ctx_update (md_context_t *ctx, const uint8_t *src, int src_len)

+{

+  ASSERT(0 == md_update(ctx, src, src_len));

+}

+

+void

+md_ctx_final (md_context_t *ctx, uint8_t *dst)

+{

+  ASSERT(0 == md_finish(ctx, dst));

+}

+

+

+/*

+ *

+ * Generic HMAC functions

+ *

+ */

+

+

+/*

+ * TODO: re-enable dmsg for crypto debug

+ */

+void

+hmac_ctx_init (md_context_t *ctx, const uint8_t *key, int key_len, const md_info_t *kt,

+    const char *prefix)

+{

+  struct gc_arena gc = gc_new ();

+

+  ASSERT(NULL != kt && NULL != ctx);

+

+  CLEAR(*ctx);

+

+  ASSERT(0 == md_hmac_starts(kt, ctx, key, key_len));

+

+  if (prefix)

+    msg (D_HANDSHAKE,

+	"%s: Using %d bit message hash '%s' for HMAC authentication",

+	prefix, md_get_size(kt) * 8, md_get_name(kt));

+

+  /* make sure we used a big enough key */

+  ASSERT (md_get_size(kt) <= key_len);

+

+  if (prefix)

+    dmsg (D_SHOW_KEYS, "%s: HMAC KEY: %s", prefix,

+	format_hex (key, key_len, 0, &gc));

+//  if (prefix)

+//    dmsg (D_CRYPTO_DEBUG, "%s: HMAC size=%d block_size=%d",

+//         prefix,

+//         md_get_size(md_info),

+//         EVP_MD_block_size (md_info));

+

+  gc_free (&gc);

+}

+

+void

+hmac_ctx_cleanup(md_context_t *ctx)

+{

+  ASSERT(0 == md_free_ctx(ctx));

+}

+

+int

+hmac_ctx_size (const md_context_t *ctx)

+{

+  if (NULL == ctx)

+    return 0;

+  return md_get_size(ctx->md_info);

+}

+

+void

+hmac_ctx_reset (md_context_t *ctx)

+{

+  ASSERT(0 == md_hmac_reset(ctx));

+}

+

+void

+hmac_ctx_update (md_context_t *ctx, const uint8_t *src, int src_len)

+{

+  ASSERT(0 == md_hmac_update(ctx, src, src_len));

+}

+

+void

+hmac_ctx_final (md_context_t *ctx, uint8_t *dst)

+{

+  ASSERT(0 == md_hmac_finish(ctx, dst));

+}

new file mode 100644

@@ -0,0 +1,71 @@

+/*

+ *  OpenVPN -- An application to securely tunnel IP networks

+ *             over a single TCP/UDP port, with support for SSL/TLS-based

+ *             session authentication and key exchange,

+ *             packet encryption, packet authentication, and

+ *             packet compression.

+ *

+ *  Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>

+ *  Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com>

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License version 2

+ *  as published by the Free Software Foundation.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program (see the file COPYING included with this

+ *  distribution); if not, write to the Free Software Foundation, Inc.,

+ *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

+ */

+

+/**

+ * @file Data Channel Cryptography PolarSSL-specific backend interface

+ */

+

+#ifndef CRYPTO_POLARSSL_H_

+#define CRYPTO_POLARSSL_H_

+

+#include <polarssl/cipher.h>

+#include <polarssl/md.h>

+

+/** Generic cipher key type %context. */

+typedef cipher_info_t cipher_kt_t;

+

+/** Generic message digest key type %context. */

+typedef md_info_t md_kt_t;

+

+/** Generic cipher %context. */

+typedef cipher_context_t cipher_ctx_t;

+

+/** Generic message digest %context. */

+typedef md_context_t md_ctx_t;

+

+/** Generic HMAC %context. */

+typedef md_context_t hmac_ctx_t;

+

+/** Maximum length of an IV */

+#define OPENVPN_MAX_IV_LENGTH 	POLARSSL_MAX_IV_LENGTH

+

+/** Cipher is in CBC mode */

+#define OPENVPN_MODE_CBC 	POLARSSL_MODE_CBC

+

+/** Cipher is in OFB mode */

+#define OPENVPN_MODE_OFB 	POLARSSL_MODE_OFB

+

+/** Cipher is in CFB mode */

+#define OPENVPN_MODE_CFB 	POLARSSL_MODE_CFB

+

+/** Cipher should encrypt */

+#define OPENVPN_OP_ENCRYPT 	POLARSSL_ENCRYPT

+

+/** Cipher should decrypt */

+#define OPENVPN_OP_DECRYPT 	POLARSSL_DECRYPT

+

+#define MD5_DIGEST_LENGTH 	16

+

+#endif /* CRYPTO_POLARSSL_H_ */

@@ -79,9 +79,11 @@

  *

  * @subsection key_generation_random Source of random material

  *

- * OpenVPN uses the OpenSSL library as its source of random material. More

- * specifically, the \c RAND_bytes() function is called to supply

- * cryptographically strong pseudo-random data.  The following links

+ * OpenVPN uses the either the OpenSSL library or the PolarSSL library as its

+ * source of random material.

+ *

+ * In OpenSSL, the \c RAND_bytes() function is called

+ * to supply cryptographically strong pseudo-random data.  The following links

  * contain more information on this subject:

  * - For OpenSSL's \c RAND_bytes() function:

  *   http://www.openssl.org/docs/crypto/RAND_bytes.html

@@ -90,6 +92,9 @@

  * - For OpenSSL's support for external crypto modules:

  *   http://www.openssl.org/docs/crypto/engine.html

  *

+ * In PolarSSL, the Havege random number generator is used. For details, see

+ * the PolarSSL documentation.

+ *

  * @section key_generation_exchange Key exchange:

  *

  * The %key exchange process is initiated by the OpenVPN process running

@@ -28,6 +28,9 @@

 #ifdef USE_OPENSSL

 #include "ssl_verify_openssl.h"

 #endif

+#ifdef USE_POLARSSL

+#include "ssl_verify_polarssl.h"

+#endif

 #define OPENVPN_PLUGIN_VERSION 3

@@ -508,7 +508,9 @@ static const char usage_message[] =

   "--keysize n     : Size of cipher key in bits (optional).\n"

   "                  If unspecified, defaults to cipher-specific default.\n"

 #endif

+#ifndef USE_POLARSSL

   "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"

+#endif

   "--no-replay     : Disable replay protection.\n"

   "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"

   "--replay-window n [t]  : Use a replay protection sliding window of size n\n"

@@ -529,13 +531,15 @@ static const char usage_message[] =

   "                  number, such as 1 (default), 2, etc.\n"

   "--ca file       : Certificate authority file in .pem format containing\n"

   "                  root certificate.\n"

+#ifndef USE_POLARSSL

   "--capath dir    : A directory of trusted certificates (CAs"

 #if OPENSSL_VERSION_NUMBER >= 0x00907000L

   " and CRLs).\n"

-#else

+#else /* OPENSSL_VERSION_NUMBER >= 0x00907000L */

   ").\n"

   "                  WARNING: no support of CRL available with this version.\n"

-#endif