From: plaisthos (C. Review) <ge...@op...> - 2025-07-09 11:57:38
Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email to review the following change. Change subject: Do not compile mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT ...................................................................... Do not compile mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT The helper methods are only used when we don't have MBEDTLS_SSL_KEYING_MATERIAL_EXPORT and mbedtls_ssl_export_keying_material. Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Signed-off-by: Arne Schwabe <ar...@rf...> --- M src/openvpn/ssl_mbedtls.c 1 file changed, 3 insertions(+), 2 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/81/1081/1 diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index ecccc26..911d4bb 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -174,7 +174,7 @@ return ctx->initialised; } -#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB +#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) /* * Key export callback for older versions of mbed TLS, to be used with * mbedtls_ssl_conf_export_keys_ext_cb(). It is called with the master @@ -205,7 +205,7 @@ return 0; } -#elif HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB +#elif defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) /* * Key export callback for newer versions of mbed TLS, to be used with * mbedtls_ssl_set_export_keys_cb(). When used with TLS 1.2, the callback 
@@ -255,6 +255,7 @@ #error mbedtls_ssl_conf_export_keys_ext_cb, mbedtls_ssl_set_export_keys_cb or mbedtls_ssl_export_keying_material must be available in mbed TLS #endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */ + bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Gerrit-Change-Number: 1081 Gerrit-PatchSet: 1 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-MessageType: newchange |
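Review bot: the two clauses now test their HAVE_ macro in different ways: line 177 keeps the value test `#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)`, while line 208 switches to `#elif defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)`. On this branch the build system emits those macros as 0/1 (`#cmakedefine01` in config.h.cmake.in and `AC_DEFINE([...], [0], [no])` in configure.ac, both visible in the patch set 4 hunks further down), so `defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB)` is true even when the function is absent, and the new-style callback would be compiled against a mbedtls_ssl_set_export_keys_cb the library does not declare whenever the first clause is false. Keep the value test in both clauses, or make the change together with a build-system switch to plain defines; and since every clause now repeats `!defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)`, one enclosing guard around the whole chain reads more clearly.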
From: plaisthos (C. Review) <ge...@op...> - 2025-07-09 11:58:03
Attention is currently required from: flichtenheld.

plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email )

Change subject: Do not compile mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
......................................................................

Patch Set 1:

(1 comment)

Patchset:

PS1:
Github Actions run: https://github.com/schwabe/openvpn/actions/runs/16168579847/job/45636215699

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd
Gerrit-Change-Number: 1081
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: flichtenheld <fr...@li...>
Gerrit-Comment-Date: Wed, 09 Jul 2025 11:57:49 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Gerrit-MessageType: comment
From: flichtenheld (C. Review) <ge...@op...> - 2025-07-09 15:03:05
Attention is currently required from: plaisthos.

flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email )

Change subject: Do not compile mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
......................................................................

Patch Set 1: Code-Review-1

(1 comment)

File src/openvpn/ssl_mbedtls.c:

http://gerrit.openvpn.net/c/openvpn/+/1081/comment/eaa93c85_55785638 :
PS1, Line 177: #if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
Change makes sense, but now every clause of the #if .. #elif .. #elif has a `!defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)`. So I think it would be easier to understand wrapping the whole thing into a separate `#if !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)`.

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd
Gerrit-Change-Number: 1081
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Comment-Date: Wed, 09 Jul 2025 15:02:49 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
From: plaisthos (C. Review) <ge...@op...> - 2025-07-09 15:03:16
Attention is currently required from: flichtenheld.

plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email )

Change subject: Do not compile mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
......................................................................

Patch Set 1:

(1 comment)

Patchset:

PS1:
> Can we include the GHA update to 3.6. […]

Why should we include that? The fix is also for older versions as we compile in functions that are not used. So it didn't feel like that is strictly tied to a specific version.

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd
Gerrit-Change-Number: 1081
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: flichtenheld <fr...@li...>
Gerrit-Comment-Date: Wed, 09 Jul 2025 14:34:13 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: flichtenheld <fr...@li...>
Gerrit-MessageType: comment
From: flichtenheld (C. Review) <ge...@op...> - 2025-07-09 15:06:51
Attention is currently required from: plaisthos.

flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email )

Change subject: Do not compile mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
......................................................................

Patch Set 1: -Code-Review

(1 comment)

Patchset:

PS1:
> Why should we include that? The fix is also for older version as we compile in functions that are no […]

Okay, I will put it in #1079 and rebase that on top of your change.

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd
Gerrit-Change-Number: 1081
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Comment-Date: Wed, 09 Jul 2025 14:42:10 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Comment-In-Reply-To: plaisthos <arn...@rf...>
Comment-In-Reply-To: flichtenheld <fr...@li...>
Gerrit-MessageType: comment
From: flichtenheld (C. Review) <ge...@op...> - 2025-07-09 15:41:24
Attention is currently required from: plaisthos.

flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email )

Change subject: Do not compile mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
......................................................................

Patch Set 1: Code-Review-1

(1 comment)

Patchset:

PS1:
Can we include the GHA update to 3.6.4 in this patch, please?

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd
Gerrit-Change-Number: 1081
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Comment-Date: Wed, 09 Jul 2025 12:40:12 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
From: plaisthos (C. Review) <ge...@op...> - 2025-07-10 10:24:28
Attention is currently required from: flichtenheld, plaisthos. Hello flichtenheld, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email to look at the new patch set (#2). The following approvals got outdated and were removed: Code-Review-1 by flichtenheld Change subject: Do not compile mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT ...................................................................... Do not compile mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT The helper methods are only used when we don't have MBEDTLS_SSL_KEYING_MATERIAL_EXPORT and mbedtls_ssl_export_keying_material. Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Signed-off-by: Arne Schwabe <ar...@rf...> --- M src/openvpn/ssl_mbedtls.c 1 file changed, 6 insertions(+), 4 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/81/1081/2 diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index ecccc26..569421c 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -173,8 +173,9 @@ ASSERT(NULL != ctx); return ctx->initialised; } - -#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB +#ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT +/* mbedtls_ssl_export_keying_material does not need helper/callback methods */ +#elif HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB /* * Key export callback for older versions of mbed TLS, to be used with * mbedtls_ssl_conf_export_keys_ext_cb(). It is called with the master @@ -205,7 +206,7 @@ return 0; } -#elif HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB +#elif defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) /* * Key export callback for newer versions of mbed TLS, to be used with * mbedtls_ssl_set_export_keys_cb(). When used with TLS 1.2, the callback 
@@ -251,10 +252,11 @@ memcpy(cache->master_secret, secret, sizeof(cache->master_secret)); cache->tls_prf_type = tls_prf_type; } -#elif !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#elif /* ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ #error mbedtls_ssl_conf_export_keys_ext_cb, mbedtls_ssl_set_export_keys_cb or mbedtls_ssl_export_keying_material must be available in mbed TLS #endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */ + bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Gerrit-Change-Number: 1081 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-MessageType: newpatchset |
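Review bot: `#elif /* ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */` at the end of the chain has no controlling expression. Whether a preprocessor tolerates that depends on an earlier branch having been taken; in the one case this clause exists for (no MBEDTLS_SSL_KEYING_MATERIAL_EXPORT and neither HAVE_ macro set) it must be evaluated, and the result is a "#elif with no expression" diagnostic instead of the intended `#error` text. It should be `#else`, and the comment describes the wrong situation: this branch is reached when none of the preceding conditions hold, not when MBEDTLS_SSL_KEYING_MATERIAL_EXPORT is defined. The `#endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */` comment is also stale now that the chain opens with `#ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT`, and the mix of a value test (`#elif HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB`) and a definedness test (`#elif defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB)`) from patch set 1 is still there.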
From: flichtenheld (C. Review) <ge...@op...> - 2025-07-10 11:15:03
Attention is currently required from: plaisthos.

flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email )

Change subject: Do not compile mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
......................................................................

Patch Set 2: Code-Review+2

(1 comment)

File src/openvpn/ssl_mbedtls.c:

http://gerrit.openvpn.net/c/openvpn/+/1081/comment/7552178f_39f98b2e :
PS1, Line 177: #if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
> Change makes sense, but now every clause of the #if .. #elif .. […]

Done

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd
Gerrit-Change-Number: 1081
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Comment-Date: Thu, 10 Jul 2025 11:14:48 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Comment-In-Reply-To: flichtenheld <fr...@li...>
Gerrit-MessageType: comment
From: Frank L. <fr...@li...> - 2025-07-11 10:21:42
From: Arne Schwabe <ar...@rf...> The helper methods are only used when we don't have MBEDTLS_SSL_KEYING_MATERIAL_EXPORT and mbedtls_ssl_export_keying_material. Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Frank Lichtenheld <fr...@li...> --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1081 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld <fr...@li...> diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index ecccc26..569421c 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -173,8 +173,9 @@ ASSERT(NULL != ctx); return ctx->initialised; } - -#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB +#ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT +/* mbedtls_ssl_export_keying_material does not need helper/callback methods */ +#elif HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB /* * Key export callback for older versions of mbed TLS, to be used with * mbedtls_ssl_conf_export_keys_ext_cb(). It is called with the master @@ -205,7 +206,7 @@ return 0; } -#elif HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB +#elif defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) /* * Key export callback for newer versions of mbed TLS, to be used with * mbedtls_ssl_set_export_keys_cb(). When used with TLS 1.2, the callback @@ -251,10 +252,11 @@ memcpy(cache->master_secret, secret, sizeof(cache->master_secret)); cache->tls_prf_type = tls_prf_type; } -#elif !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#elif /* ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ #error mbedtls_ssl_conf_export_keys_ext_cb, mbedtls_ssl_set_export_keys_cb or mbedtls_ssl_export_keying_material must be available in mbed TLS #endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */ + bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, |
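Review bot: this merge request reflects revision 2, so the `#elif /* ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */` without an expression at the end of the ssl_mbedtls.c chain would land on master as-is; that directive needs to be `#else` before merging, otherwise a build with none of the three key export APIs gets a preprocessor syntax error rather than the explanatory `#error` the chain is meant to raise.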
From: plaisthos (C. Review) <ge...@op...> - 2025-07-14 09:59:35
Attention is currently required from: flichtenheld, plaisthos. Hello flichtenheld, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email to look at the new patch set (#3). The following approvals got outdated and were removed: Code-Review+2 by flichtenheld Change subject: Do not compile mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT ...................................................................... Do not compile mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT The helper methods are only used when we don't have MBEDTLS_SSL_KEYING_MATERIAL_EXPORT and mbedtls_ssl_export_keying_material. Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Signed-off-by: Arne Schwabe <ar...@rf...> --- M src/openvpn/ssl_mbedtls.c 1 file changed, 6 insertions(+), 4 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/81/1081/3 diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index ecccc26..c3ca010 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -173,8 +173,9 @@ ASSERT(NULL != ctx); return ctx->initialised; } - -#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB +#ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT +/* mbedtls_ssl_export_keying_material does not need helper/callback methods */ +#elif defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) /* * Key export callback for older versions of mbed TLS, to be used with * mbedtls_ssl_conf_export_keys_ext_cb(). It is called with the master @@ -205,7 +206,7 @@ return 0; } -#elif HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB +#elif defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) /* * Key export callback for newer versions of mbed TLS, to be used with * mbedtls_ssl_set_export_keys_cb(). When used with TLS 1.2, the callback 
@@ -251,10 +252,11 @@ memcpy(cache->master_secret, secret, sizeof(cache->master_secret)); cache->tls_prf_type = tls_prf_type; } -#elif !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#elif /* ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ #error mbedtls_ssl_conf_export_keys_ext_cb, mbedtls_ssl_set_export_keys_cb or mbedtls_ssl_export_keying_material must be available in mbed TLS #endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */ + bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Gerrit-Change-Number: 1081 Gerrit-PatchSet: 3 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-MessageType: newpatchset |
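Review bot: changing line 176 to `#elif defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB)` makes the branch depend on definedness only, but configure.ac on this branch still runs `AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [0], [no])` when the function is missing (the removed lines in the patch set 4 configure.ac hunk show this), so an autoconf build against a mbed TLS without the old callback, and without MBEDTLS_SSL_KEYING_MATERIAL_EXPORT, now compiles the old-style exporter and references a mbedtls_ssl_conf_export_keys_ext_cb the headers do not declare. `defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB)` at line 209 has the same problem with `#cmakedefine01`. Either keep the value tests or land this together with the build-system change that leaves the macros undefined; the expression-less `#elif` from patch set 2 is also unchanged here.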
From: plaisthos (C. Review) <ge...@op...> - 2025-07-14 12:26:04
Attention is currently required from: flichtenheld, plaisthos. Hello flichtenheld, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email to look at the new patch set (#4). Change subject: Cleanup/simplify mbed TLS related define from autoconf ...................................................................... Cleanup/simplify mbed TLS related define from autoconf Instead of a custom logic using 0/1 to be defined when the functions are present or not, use the standard check and adjust the source code accordingly. Also not compile mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT The helper methods are only used when we don't have MBEDTLS_SSL_KEYING_MATERIAL_EXPORT and mbedtls_ssl_export_keying_material. Remove AEAD check that tests for presence of mbedtls_cipher_write_tag and mbedtls_cipher_check_tag. Having an mbed TLS version that does not support that is highly unlikely. It might have been a good check in PolarSSL's time but is not today anymore. Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Signed-off-by: Arne Schwabe <ar...@rf...> --- M config.h.cmake.in M configure.ac M src/openvpn/mbedtls_compat.h M src/openvpn/ssl_mbedtls.c 4 files changed, 17 insertions(+), 36 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/81/1081/4 diff --git a/config.h.cmake.in b/config.h.cmake.in index 5df0ac8..0ee1a89 100644 --- a/config.h.cmake.in +++ b/config.h.cmake.in @@ -370,10 +370,9 @@ #undef HAVE_VFORK_H /* Availability of different mbed TLS features and APIs */ -#cmakedefine01 HAVE_MBEDTLS_PSA_CRYPTO_H -#define HAVE_MBEDTLS_SSL_TLS_PRF 1 -#cmakedefine01 HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB -#cmakedefine01 HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET +#cmakedefine HAVE_MBEDTLS_PSA_CRYPTO_H +#cmakedefine HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB +#cmakedefine HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET /* Path to ifconfig tool */ #define IFCONFIG_PATH "@IFCONFIG_PATH@" 
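Review bot: the config.h.cmake.in hunk drops `#define HAVE_MBEDTLS_SSL_TLS_PRF 1` without adding a `#cmakedefine HAVE_MBEDTLS_SSL_TLS_PRF`, and CMakeLists.txt is not touched in this patch set, so no `check_symbol_exists(mbedtls_ssl_tls_prf ...)` feeds one. In CMake builds the macro is therefore never defined and the `#if HAVE_MBEDTLS_SSL_TLS_PRF && defined(MBEDTLS_SSL_TLS_PRF_TLS1)` guard in crypto_mbedtls.c quietly selects OpenVPN's own PRF even on a library that provides mbedtls_ssl_tls_prf. The same gap exists for HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB: CMakeLists.txt already runs `check_symbol_exists(mbedtls_ssl_conf_export_keys_ext_cb ...)` for it, but nothing emits it into config.h, so the old-style callback branch in ssl_mbedtls.c can never be chosen by a CMake build. Add `#cmakedefine` lines for both and the missing symbol check.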
diff --git a/configure.ac b/configure.ac index 02b45f8..51c20ef 100644 --- a/configure.ac +++ b/configure.ac @@ -1044,31 +1044,11 @@ [AC_DEFINE([HAVE_MBEDTLS_PSA_CRYPTO_H], [0], [no])] ) - AC_CHECK_FUNCS( - [ \ - mbedtls_cipher_write_tag \ - mbedtls_cipher_check_tag \ - ], - , - [AC_MSG_ERROR([mbed TLS check for AEAD support failed])] - ) + AC_CHECK_FUNCS([mbedtls_ssl_tls_prf mbedtls_ssl_conf_export_keys_ext_cb]) - AC_CHECK_FUNC( - [mbedtls_ssl_tls_prf], - [AC_DEFINE([HAVE_MBEDTLS_SSL_TLS_PRF], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_TLS_PRF], [0], [no])] - ) - - AC_CHECK_FUNC( - [mbedtls_ssl_conf_export_keys_ext_cb], - [AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [0], [no])] - ) if test "x$ac_cv_func_mbedtls_ssl_conf_export_keys_ext_cb" != xyes; then AC_CHECK_FUNC( - [mbedtls_ssl_set_export_keys_cb], - [AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [0], [no])] + [mbedtls_ssl_set_export_keys_cb] ) if test "x$ac_cv_func_mbedtls_ssl_set_export_keys_cb" != xyes; then AC_CHECK_FUNC([mbedtls_ssl_export_keying_material]) diff --git a/src/openvpn/mbedtls_compat.h b/src/openvpn/mbedtls_compat.h index 145a7ae..68c4cc3 100644 --- a/src/openvpn/mbedtls_compat.h +++ b/src/openvpn/mbedtls_compat.h @@ -48,7 +48,7 @@ #include <mbedtls/version.h> #include <mbedtls/x509_crt.h> -#if HAVE_MBEDTLS_PSA_CRYPTO_H +#ifdef HAVE_MBEDTLS_PSA_CRYPTO_H #include <psa/crypto.h> #endif @@ -61,14 +61,14 @@ static inline void mbedtls_compat_psa_crypto_init(void) { -#if HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) +#if defined(HAVE_MBEDTLS_PSA_CRYPTO_H) && defined(MBEDTLS_PSA_CRYPTO_C) if (psa_crypto_init() != PSA_SUCCESS) { msg(M_FATAL, "mbedtls: psa_crypto_init() failed"); } #else return; -#endif /* HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) */ +#endif } static inline mbedtls_compat_group_id 
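Review bot: `AC_CHECK_FUNC([mbedtls_ssl_set_export_keys_cb])` (singular) only sets the `ac_cv_func_mbedtls_ssl_set_export_keys_cb` cache variable; unlike `AC_CHECK_FUNCS` it does not `AC_DEFINE` anything, and the explicit `AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [1], [yes])` that used to do so is removed in this same hunk. With autoconf, HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB is thus never defined, and a build against a mbed TLS that only offers the new-style callback falls through to the end of the chain in ssl_mbedtls.c. Use `AC_CHECK_FUNCS([mbedtls_ssl_set_export_keys_cb])`, consistent with the `AC_CHECK_FUNCS([mbedtls_ssl_tls_prf mbedtls_ssl_conf_export_keys_ext_cb])` line added just above it.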
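Review bot: the first context line of the configure.ac hunk, `[AC_DEFINE([HAVE_MBEDTLS_PSA_CRYPTO_H], [0], [no])]`, shows the PSA header check still defining the macro to 0 when psa/crypto.h is absent, while mbedtls_compat.h now guards the include with `#ifdef HAVE_MBEDTLS_PSA_CRYPTO_H` and the psa_crypto_init() call with `defined(HAVE_MBEDTLS_PSA_CRYPTO_H)`; an autoconf build without the header would now try to include it. Convert that check to `AC_CHECK_HEADERS` (or drop the `[0]` branch) so the macro stays undefined, which is the contract the rest of this patch moves to. Minor: replacing `#endif /* HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) */` with a bare `#endif` loses the closing-comment convention used in this file; updating the comment to the new expression is preferable to deleting it.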
@@ -96,7 +96,7 @@ { #if MBEDTLS_VERSION_NUMBER > 0x03000000 return mbedtls_ctr_drbg_update(ctx, additional, add_len); -#elif HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET +#elif defined(HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET) return mbedtls_ctr_drbg_update_ret(ctx, additional, add_len); #else mbedtls_ctr_drbg_update(ctx, additional, add_len); diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index ecccc26..2e0c7d2 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -173,8 +173,9 @@ ASSERT(NULL != ctx); return ctx->initialised; } - -#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB +#ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT +/* mbedtls_ssl_export_keying_material does not need helper/callback methods */ +#elif defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) /* * Key export callback for older versions of mbed TLS, to be used with * mbedtls_ssl_conf_export_keys_ext_cb(). It is called with the master @@ -205,7 +206,7 @@ return 0; } -#elif HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB +#elif defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) /* * Key export callback for newer versions of mbed TLS, to be used with * mbedtls_ssl_set_export_keys_cb(). When used with TLS 1.2, the callback @@ -251,10 +252,11 @@ memcpy(cache->master_secret, secret, sizeof(cache->master_secret)); cache->tls_prf_type = tls_prf_type; } -#elif !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#elif /* ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ #error mbedtls_ssl_conf_export_keys_ext_cb, mbedtls_ssl_set_export_keys_cb or mbedtls_ssl_export_keying_material must be available in mbed TLS #endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */ + bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, 
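Review bot: the ssl_mbedtls.c chain still ends in `#elif /* ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */` with no expression, as in patch sets 2 and 3; now that `defined()` tests are correct with plain `#cmakedefine`/`AC_CHECK_FUNCS` defines, this is the remaining defect in the chain and should be `#else` with a comment naming the "no export API" case, plus an updated `#endif` comment.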
@@ -1244,7 +1246,7 @@ mbedtls_ssl_conf_max_tls_version(ks_ssl->ssl_config, version); } -#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#if defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) /* Initialize keying material exporter, old style. */ mbedtls_ssl_conf_export_keys_ext_cb(ks_ssl->ssl_config, mbedtls_ssl_export_keys_cb, session); @@ -1259,7 +1261,7 @@ * verification. */ ASSERT(mbed_ok(mbedtls_ssl_set_hostname(ks_ssl->ctx, NULL))); -#if HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#if defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) /* Initialize keying material exporter, new style. */ mbedtls_ssl_set_export_keys_cb(ks_ssl->ctx, mbedtls_ssl_export_keys_cb, session); #endif -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Gerrit-Change-Number: 1081 Gerrit-PatchSet: 4 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-MessageType: newpatchset |
From: plaisthos (C. Review) <ge...@op...> - 2025-07-14 13:09:23
Attention is currently required from: flichtenheld, plaisthos. Hello flichtenheld, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email to look at the new patch set (#6). Change subject: Cleanup/simplify mbed TLS related define from autoconf ...................................................................... Cleanup/simplify mbed TLS related define from autoconf Instead of a custom logic using 0/1 to be defined when the functions are present or not, use the standard check and adjust the source code accordingly. Also not compile mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT The helper methods are only used when we don't have MBEDTLS_SSL_KEYING_MATERIAL_EXPORT and mbedtls_ssl_export_keying_material. Remove AEAD check that tests for presence of mbedtls_cipher_write_tag and mbedtls_cipher_check_tag. Having an mbed TLS version that does not support that is highly unlikely. It might have been a good check in PolarSSL's time but is not today anymore. This also adds some missing support for mbed 2.x related defines to cmake based build. Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Signed-off-by: Arne Schwabe <ar...@rf...> --- M CMakeLists.txt M config.h.cmake.in M configure.ac M src/openvpn/crypto_mbedtls.c M src/openvpn/mbedtls_compat.h M src/openvpn/ssl_mbedtls.c 6 files changed, 22 insertions(+), 40 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/81/1081/6 diff --git a/CMakeLists.txt b/CMakeLists.txt index 40bffd4..75afcea 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -302,6 +302,7 @@ check_symbol_exists(mbedtls_ctr_drbg_update_ret mbedtls/ctr_drbg.h HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET) check_symbol_exists(mbedtls_ssl_conf_export_keys_ext_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) check_symbol_exists(mbedtls_ssl_set_export_keys_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) + check_symbol_exists(mbedtls_ssl_tls_prf mbedtls/ssl.h HAVE_MBEDTLS_SSL_TLS_PRF) check_include_files(psa/crypto.h HAVE_MBEDTLS_PSA_CRYPTO_H) endfunction() diff --git a/config.h.cmake.in b/config.h.cmake.in index 5df0ac8..911f7d3 100644 --- a/config.h.cmake.in +++ b/config.h.cmake.in @@ -370,10 +370,11 @@ #undef HAVE_VFORK_H /* Availability of different mbed TLS features and APIs */ -#cmakedefine01 HAVE_MBEDTLS_PSA_CRYPTO_H -#define HAVE_MBEDTLS_SSL_TLS_PRF 1 -#cmakedefine01 HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB -#cmakedefine01 HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET +#cmakedefine HAVE_MBEDTLS_PSA_CRYPTO_H +#cmakedefine HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB +#cmakedefine HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB +#cmakedefine HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET +#cmakedefine HAVE_MBEDTLS_SSL_TLS_PRF /* Path to ifconfig tool */ #define IFCONFIG_PATH "@IFCONFIG_PATH@" diff --git a/configure.ac b/configure.ac index 02b45f8..d74f08d 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1044,32 +1044,10 @@ [AC_DEFINE([HAVE_MBEDTLS_PSA_CRYPTO_H], [0], [no])] ) - AC_CHECK_FUNCS( - [ \ - mbedtls_cipher_write_tag \ - mbedtls_cipher_check_tag \ - ], - , - [AC_MSG_ERROR([mbed TLS check for AEAD support failed])] - ) + AC_CHECK_FUNCS([mbedtls_ssl_tls_prf mbedtls_ssl_conf_export_keys_ext_cb]) - AC_CHECK_FUNC( - [mbedtls_ssl_tls_prf], - [AC_DEFINE([HAVE_MBEDTLS_SSL_TLS_PRF], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_TLS_PRF], [0], [no])] - ) - - AC_CHECK_FUNC( - [mbedtls_ssl_conf_export_keys_ext_cb], - [AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [0], [no])] - ) if test "x$ac_cv_func_mbedtls_ssl_conf_export_keys_ext_cb" != xyes; then - AC_CHECK_FUNC( - [mbedtls_ssl_set_export_keys_cb], - [AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [0], [no])] - ) + AC_CHECK_FUNCS([mbedtls_ssl_set_export_keys_cb]) if test "x$ac_cv_func_mbedtls_ssl_set_export_keys_cb" != xyes; then AC_CHECK_FUNC([mbedtls_ssl_export_keying_material]) if test "x$ac_cv_func_mbedtls_ssl_export_keying_material" != xyes; then diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c index c05902d..1f3dcba 100644 --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c @@ -981,7 +981,7 @@ } /* mbedtls-2.18.0 or newer implements tls_prf, but prf_tls1 is removed * from recent versions, so we use our own implementation if necessary. */ -#if HAVE_MBEDTLS_SSL_TLS_PRF && defined(MBEDTLS_SSL_TLS_PRF_TLS1) +#if defined(HAVE_MBEDTLS_SSL_TLS_PRF) && defined(MBEDTLS_SSL_TLS_PRF_TLS1) bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, uint8_t *output, int output_len) 
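Review bot: `AC_CHECK_FUNCS([mbedtls_ssl_set_export_keys_cb])` restores the HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB define on the autoconf side, but the unchanged context line `[AC_DEFINE([HAVE_MBEDTLS_PSA_CRYPTO_H], [0], [no])]` at the top of the same hunk shows HAVE_MBEDTLS_PSA_CRYPTO_H is still emitted as 0 when the header is missing, and this patch set's mbedtls_compat.h tests it with `#ifdef`/`defined()`; that check needs the same conversion (`AC_CHECK_HEADERS`) or a build without psa/crypto.h will attempt to include it. The CMake side is consistent now that `check_symbol_exists(mbedtls_ssl_tls_prf ...)` and the `#cmakedefine` lines for HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB and HAVE_MBEDTLS_SSL_TLS_PRF are added.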
@@ -990,7 +990,7 @@ secret_len, "", seed, seed_len, output, output_len)); } -#else /* HAVE_MBEDTLS_SSL_TLS_PRF && defined(MBEDTLS_SSL_TLS_PRF_TLS1) */ +#else /* defined(HAVE_MBEDTLS_SSL_TLS_PRF) && defined(MBEDTLS_SSL_TLS_PRF_TLS1) */ /* * Generate the hash required by for the \c tls1_PRF function. * diff --git a/src/openvpn/mbedtls_compat.h b/src/openvpn/mbedtls_compat.h index 145a7ae..68c4cc3 100644 --- a/src/openvpn/mbedtls_compat.h +++ b/src/openvpn/mbedtls_compat.h @@ -48,7 +48,7 @@ #include <mbedtls/version.h> #include <mbedtls/x509_crt.h> -#if HAVE_MBEDTLS_PSA_CRYPTO_H +#ifdef HAVE_MBEDTLS_PSA_CRYPTO_H #include <psa/crypto.h> #endif @@ -61,14 +61,14 @@ static inline void mbedtls_compat_psa_crypto_init(void) { -#if HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) +#if defined(HAVE_MBEDTLS_PSA_CRYPTO_H) && defined(MBEDTLS_PSA_CRYPTO_C) if (psa_crypto_init() != PSA_SUCCESS) { msg(M_FATAL, "mbedtls: psa_crypto_init() failed"); } #else return; -#endif /* HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) */ +#endif } static inline mbedtls_compat_group_id @@ -96,7 +96,7 @@ { #if MBEDTLS_VERSION_NUMBER > 0x03000000 return mbedtls_ctr_drbg_update(ctx, additional, add_len); -#elif HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET +#elif defined(HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET) return mbedtls_ctr_drbg_update_ret(ctx, additional, add_len); #else mbedtls_ctr_drbg_update(ctx, additional, add_len); diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index ecccc26..a4bb772 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c 
@@ -173,8 +173,9 @@ ASSERT(NULL != ctx); return ctx->initialised; } - -#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB +#ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT +/* mbedtls_ssl_export_keying_material does not need helper/callback methods */ +#elif defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) /* * Key export callback for older versions of mbed TLS, to be used with * mbedtls_ssl_conf_export_keys_ext_cb(). It is called with the master @@ -205,7 +206,7 @@ return 0; } -#elif HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB +#elif defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) /* * Key export callback for newer versions of mbed TLS, to be used with * mbedtls_ssl_set_export_keys_cb(). When used with TLS 1.2, the callback @@ -251,10 +252,11 @@ memcpy(cache->master_secret, secret, sizeof(cache->master_secret)); cache->tls_prf_type = tls_prf_type; } -#elif !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#else /* ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ #error mbedtls_ssl_conf_export_keys_ext_cb, mbedtls_ssl_set_export_keys_cb or mbedtls_ssl_export_keying_material must be available in mbed TLS #endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */ + bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, @@ -1244,7 +1246,7 @@ mbedtls_ssl_conf_max_tls_version(ks_ssl->ssl_config, version); } -#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#if defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) /* Initialize keying material exporter, old style. */ mbedtls_ssl_conf_export_keys_ext_cb(ks_ssl->ssl_config, mbedtls_ssl_export_keys_cb, session); 
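Review bot: `#else /* ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */` fixes the directive, but the comment says the opposite of what holds on that branch: it is reached when MBEDTLS_SSL_KEYING_MATERIAL_EXPORT is not defined and neither HAVE_ macro is, which is exactly what the `#error` reports. Suggest `#else /* no key export API available */`, and update the stale `#endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */` to name the opening `#ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT`. Minor: the hunk removes the blank line between the closing `}` and the `#ifdef` while adding one before `bool key_state_export_keying_material`; keeping both blank lines matches the file's spacing.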
@@ -1259,7 +1261,7 @@ * verification. */ ASSERT(mbed_ok(mbedtls_ssl_set_hostname(ks_ssl->ctx, NULL))); -#if HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#if defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) /* Initialize keying material exporter, new style. */ mbedtls_ssl_set_export_keys_cb(ks_ssl->ctx, mbedtls_ssl_export_keys_cb, session); #endif -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Gerrit-Change-Number: 1081 Gerrit-PatchSet: 6 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-MessageType: newpatchset |
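Review bot: the closing `#endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */` in the @@ -251 hunk of src/openvpn/ssl_mbedtls.c is now stale, because the block it closes starts with the new `#ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT` from the @@ -173 hunk; update it to `#endif /* MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */` so the comments on `#else` and `#endif` name the same condition. The @@ -173 hunk also removes the blank line between the closing `}` of the preceding function and the preprocessor block while the @@ -251 hunk adds one after `#endif`; keeping a blank line on both sides reads better than an `#ifdef` whose only content is a comment glued to a function body.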
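Review bot: switching `#if HAVE_MBEDTLS_PSA_CRYPTO_H` to `#ifdef HAVE_MBEDTLS_PSA_CRYPTO_H` in the @@ -48 hunk of src/openvpn/mbedtls_compat.h (and to `defined(HAVE_MBEDTLS_PSA_CRYPTO_H)` in the @@ -61 hunk) changes the meaning for a macro that is defined to 0: `#ifdef` treats it as present. This is only correct once neither build system emits a `#define HAVE_MBEDTLS_PSA_CRYPTO_H 0` fallback; a `#cmakedefine01` line or an `AC_DEFINE(..., [0])` action-if-not-found both produce exactly that, so they must be converted in the same change or the `#ifdef` is always true. The @@ -61 hunk also drops the trailing comment on the `#endif`; a short `#endif /* HAVE_MBEDTLS_PSA_CRYPTO_H && MBEDTLS_PSA_CRYPTO_C */` keeps the `#if`/`#else`/`#endif` triple readable.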
From: plaisthos (C. Review) <ge...@op...> - 2025-07-14 13:14:45
Attention is currently required from: flichtenheld, plaisthos. Hello flichtenheld, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email to look at the new patch set (#5). Change subject: Cleanup/simplify mbed TLS related define from autoconf ...................................................................... Cleanup/simplify mbed TLS related define from autoconf Instead of a custom logic using 0/1 to be defined when the functions are present or not, use the standard check and adjust the source code accordingly. Also not compile mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT The helper methods are only used when we don't have MBEDTLS_SSL_KEYING_MATERIAL_EXPORT and mbedtls_ssl_export_keying_material. Remove AEAD check that tests for presence of mbedtls_cipher_write_tag and mbedtls_cipher_check_tag. Having an mbed TLS version that does not support that is highly unlikely. It might have been a good check in PolarSSL's time but is not today anymore. Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Signed-off-by: Arne Schwabe <ar...@rf...> --- M config.h.cmake.in M configure.ac M src/openvpn/mbedtls_compat.h M src/openvpn/ssl_mbedtls.c 4 files changed, 18 insertions(+), 36 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/81/1081/5 diff --git a/config.h.cmake.in b/config.h.cmake.in index 5df0ac8..48807ee 100644 --- a/config.h.cmake.in +++ b/config.h.cmake.in 
@@ -370,10 +370,10 @@ #undef HAVE_VFORK_H /* Availability of different mbed TLS features and APIs */ -#cmakedefine01 HAVE_MBEDTLS_PSA_CRYPTO_H -#define HAVE_MBEDTLS_SSL_TLS_PRF 1 -#cmakedefine01 HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB -#cmakedefine01 HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET +#cmakedefine HAVE_MBEDTLS_PSA_CRYPTO_H +#cmakedefine HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB +#cmakedefine HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB +#cmakedefine HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET /* Path to ifconfig tool */ #define IFCONFIG_PATH "@IFCONFIG_PATH@" diff --git a/configure.ac b/configure.ac index 02b45f8..51c20ef 100644 --- a/configure.ac +++ b/configure.ac @@ -1044,31 +1044,11 @@ [AC_DEFINE([HAVE_MBEDTLS_PSA_CRYPTO_H], [0], [no])] ) - AC_CHECK_FUNCS( - [ \ - mbedtls_cipher_write_tag \ - mbedtls_cipher_check_tag \ - ], - , - [AC_MSG_ERROR([mbed TLS check for AEAD support failed])] - ) + AC_CHECK_FUNCS([mbedtls_ssl_tls_prf mbedtls_ssl_conf_export_keys_ext_cb]) - AC_CHECK_FUNC( - [mbedtls_ssl_tls_prf], - [AC_DEFINE([HAVE_MBEDTLS_SSL_TLS_PRF], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_TLS_PRF], [0], [no])] - ) - - AC_CHECK_FUNC( - [mbedtls_ssl_conf_export_keys_ext_cb], - [AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [0], [no])] - ) if test "x$ac_cv_func_mbedtls_ssl_conf_export_keys_ext_cb" != xyes; then AC_CHECK_FUNC( - [mbedtls_ssl_set_export_keys_cb], - [AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [0], [no])] + [mbedtls_ssl_set_export_keys_cb] ) if test "x$ac_cv_func_mbedtls_ssl_set_export_keys_cb" != xyes; then AC_CHECK_FUNC([mbedtls_ssl_export_keying_material]) diff --git a/src/openvpn/mbedtls_compat.h b/src/openvpn/mbedtls_compat.h index 145a7ae..68c4cc3 100644 --- a/src/openvpn/mbedtls_compat.h +++ b/src/openvpn/mbedtls_compat.h 
@@ -48,7 +48,7 @@ #include <mbedtls/version.h> #include <mbedtls/x509_crt.h> -#if HAVE_MBEDTLS_PSA_CRYPTO_H +#ifdef HAVE_MBEDTLS_PSA_CRYPTO_H #include <psa/crypto.h> #endif @@ -61,14 +61,14 @@ static inline void mbedtls_compat_psa_crypto_init(void) { -#if HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) +#if defined(HAVE_MBEDTLS_PSA_CRYPTO_H) && defined(MBEDTLS_PSA_CRYPTO_C) if (psa_crypto_init() != PSA_SUCCESS) { msg(M_FATAL, "mbedtls: psa_crypto_init() failed"); } #else return; -#endif /* HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) */ +#endif } static inline mbedtls_compat_group_id @@ -96,7 +96,7 @@ { #if MBEDTLS_VERSION_NUMBER > 0x03000000 return mbedtls_ctr_drbg_update(ctx, additional, add_len); -#elif HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET +#elif defined(HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET) return mbedtls_ctr_drbg_update_ret(ctx, additional, add_len); #else mbedtls_ctr_drbg_update(ctx, additional, add_len); diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index ecccc26..a4bb772 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -173,8 +173,9 @@ ASSERT(NULL != ctx); return ctx->initialised; } - -#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB +#ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT +/* mbedtls_ssl_export_keying_material does not need helper/callback methods */ +#elif defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) /* * Key export callback for older versions of mbed TLS, to be used with * mbedtls_ssl_conf_export_keys_ext_cb(). It is called with the master @@ -205,7 +206,7 @@ return 0; } -#elif HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB +#elif defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) /* * Key export callback for newer versions of mbed TLS, to be used with * mbedtls_ssl_set_export_keys_cb(). When used with TLS 1.2, the callback 
@@ -251,10 +252,11 @@ memcpy(cache->master_secret, secret, sizeof(cache->master_secret)); cache->tls_prf_type = tls_prf_type; } -#elif !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#else /* ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ #error mbedtls_ssl_conf_export_keys_ext_cb, mbedtls_ssl_set_export_keys_cb or mbedtls_ssl_export_keying_material must be available in mbed TLS #endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */ + bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, @@ -1244,7 +1246,7 @@ mbedtls_ssl_conf_max_tls_version(ks_ssl->ssl_config, version); } -#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#if defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) /* Initialize keying material exporter, old style. */ mbedtls_ssl_conf_export_keys_ext_cb(ks_ssl->ssl_config, mbedtls_ssl_export_keys_cb, session); @@ -1259,7 +1261,7 @@ * verification. */ ASSERT(mbed_ok(mbedtls_ssl_set_hostname(ks_ssl->ctx, NULL))); -#if HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#if defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) /* Initialize keying material exporter, new style. */ mbedtls_ssl_set_export_keys_cb(ks_ssl->ctx, mbedtls_ssl_export_keys_cb, session); #endif -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Gerrit-Change-Number: 1081 Gerrit-PatchSet: 5 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-MessageType: newpatchset |
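Review bot: the @@ -370 hunk of config.h.cmake.in removes `#define HAVE_MBEDTLS_SSL_TLS_PRF 1` without adding a `#cmakedefine HAVE_MBEDTLS_SSL_TLS_PRF` replacement, and this patch set touches neither CMakeLists.txt nor crypto_mbedtls.c, so CMake builds no longer define the macro at all and the `HAVE_MBEDTLS_SSL_TLS_PRF` test in crypto_mbedtls.c (visible in the patch set 6 diff above) silently selects the fallback PRF implementation. Add the `#cmakedefine` line here together with a matching `check_symbol_exists(mbedtls_ssl_tls_prf mbedtls/ssl.h HAVE_MBEDTLS_SSL_TLS_PRF)` in CMakeLists.txt.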
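Review bot: in the @@ -1044 hunk of configure.ac the nested check becomes a bare `AC_CHECK_FUNC([mbedtls_ssl_set_export_keys_cb])`, which only sets `ac_cv_func_mbedtls_ssl_set_export_keys_cb` and never calls `AC_DEFINE`, so `HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB` is never defined in autoconf builds and the `#elif defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB)` branch in ssl_mbedtls.c is dead there; use `AC_CHECK_FUNCS([mbedtls_ssl_set_export_keys_cb])` as the outer check already does. The unchanged context line `[AC_DEFINE([HAVE_MBEDTLS_PSA_CRYPTO_H], [0], [no])]` at the top of the hunk still defines the PSA macro to 0 when the header is missing, which the new `#ifdef HAVE_MBEDTLS_PSA_CRYPTO_H` in mbedtls_compat.h treats as present; that check needs the same conversion.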
From: cron2 (C. Review) <ge...@op...> - 2025-07-14 13:54:18
Attention is currently required from: flichtenheld, plaisthos.

cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email )

Change subject: Cleanup/simplify mbed TLS related define from autoconf
......................................................................

Patch Set 6: Code-Review+1

(1 comment)

Patchset:

PS6:
So, I'm still a bit confused about this twisty maze, but I can confirm that it compiles and connects to a "master" server correctly with 2.82.3 and 3.6.3 (both TLS 1.2 and tls-ekm) and 3.6.4 (TLS 1.3).

I would prefer if someone else could +2 the code and build system changes.

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd
Gerrit-Change-Number: 1081
Gerrit-PatchSet: 6
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Attention: flichtenheld <fr...@li...>
Gerrit-Comment-Date: Mon, 14 Jul 2025 13:54:03 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
From: flichtenheld (C. Review) <ge...@op...> - 2025-07-14 19:37:08
Attention is currently required from: plaisthos.

flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email )

Change subject: Cleanup/simplify mbed TLS related define from autoconf
......................................................................

Patch Set 6: Code-Review-2

(2 comments)

Patchset:

PS1:
> Okay, I will put it in #1079 and rebase that on top of your change
Done

File src/openvpn/mbedtls_compat.h:

http://gerrit.openvpn.net/c/openvpn/+/1081/comment/a66a43b0_418c29b4 :
PS6, Line 51: #ifdef HAVE_MBEDTLS_PSA_CRYPTO_H
This is wrong, we always define it, just to 0

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd
Gerrit-Change-Number: 1081
Gerrit-PatchSet: 6
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Comment-Date: Mon, 14 Jul 2025 19:36:59 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Comment-In-Reply-To: plaisthos <arn...@rf...>
Comment-In-Reply-To: flichtenheld <fr...@li...>
Gerrit-MessageType: comment
From: plaisthos (C. Review) <ge...@op...> - 2025-07-14 22:00:12
Attention is currently required from: cron2, plaisthos. Hello cron2, flichtenheld, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email to look at the new patch set (#7). The following approvals got outdated and were removed: Code-Review+1 by cron2 Change subject: Cleanup/simplify mbed TLS related define from autoconf ...................................................................... Cleanup/simplify mbed TLS related define from autoconf Instead of a custom logic using 0/1 to be defined when the functions are present or not, use the standard check and adjust the source code accordingly. Also not compile mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT The helper methods are only used when we don't have MBEDTLS_SSL_KEYING_MATERIAL_EXPORT and mbedtls_ssl_export_keying_material. Remove AEAD check that tests for presence of mbedtls_cipher_write_tag and mbedtls_cipher_check_tag. Having an mbed TLS version that does not support that is highly unlikely. It might have been a good check in PolarSSL's time but is not today anymore. This also adds some missing support for mbed 2.x related defines to cmake based build. Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Signed-off-by: Arne Schwabe <ar...@rf...> --- M CMakeLists.txt M config.h.cmake.in M configure.ac M src/openvpn/crypto_mbedtls.c M src/openvpn/mbedtls_compat.h M src/openvpn/ssl_mbedtls.c 6 files changed, 23 insertions(+), 45 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/81/1081/7 diff --git a/CMakeLists.txt b/CMakeLists.txt index 40bffd4..75afcea 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -302,6 +302,7 @@ check_symbol_exists(mbedtls_ctr_drbg_update_ret mbedtls/ctr_drbg.h HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET) check_symbol_exists(mbedtls_ssl_conf_export_keys_ext_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) check_symbol_exists(mbedtls_ssl_set_export_keys_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) + check_symbol_exists(mbedtls_ssl_tls_prf mbedtls/ssl.h HAVE_MBEDTLS_SSL_TLS_PRF) check_include_files(psa/crypto.h HAVE_MBEDTLS_PSA_CRYPTO_H) endfunction() diff --git a/config.h.cmake.in b/config.h.cmake.in index 5df0ac8..911f7d3 100644 --- a/config.h.cmake.in +++ b/config.h.cmake.in @@ -370,10 +370,11 @@ #undef HAVE_VFORK_H /* Availability of different mbed TLS features and APIs */ -#cmakedefine01 HAVE_MBEDTLS_PSA_CRYPTO_H -#define HAVE_MBEDTLS_SSL_TLS_PRF 1 -#cmakedefine01 HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB -#cmakedefine01 HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET +#cmakedefine HAVE_MBEDTLS_PSA_CRYPTO_H +#cmakedefine HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB +#cmakedefine HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB +#cmakedefine HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET +#cmakedefine HAVE_MBEDTLS_SSL_TLS_PRF /* Path to ifconfig tool */ #define IFCONFIG_PATH "@IFCONFIG_PATH@" diff --git a/configure.ac b/configure.ac index 02b45f8..70ff8d2 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1038,38 +1038,12 @@ [AC_MSG_ERROR([mbed TLS version >= 2.0.0 or >= 3.2.1 required])] ) - AC_CHECK_HEADER( - psa/crypto.h, - [AC_DEFINE([HAVE_MBEDTLS_PSA_CRYPTO_H], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_PSA_CRYPTO_H], [0], [no])] - ) + AC_CHECK_HEADER(psa/crypto.h) - AC_CHECK_FUNCS( - [ \ - mbedtls_cipher_write_tag \ - mbedtls_cipher_check_tag \ - ], - , - [AC_MSG_ERROR([mbed TLS check for AEAD support failed])] - ) + AC_CHECK_FUNCS([mbedtls_ssl_tls_prf mbedtls_ssl_conf_export_keys_ext_cb]) - AC_CHECK_FUNC( - [mbedtls_ssl_tls_prf], - [AC_DEFINE([HAVE_MBEDTLS_SSL_TLS_PRF], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_TLS_PRF], [0], [no])] - ) - - AC_CHECK_FUNC( - [mbedtls_ssl_conf_export_keys_ext_cb], - [AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [0], [no])] - ) if test "x$ac_cv_func_mbedtls_ssl_conf_export_keys_ext_cb" != xyes; then - AC_CHECK_FUNC( - [mbedtls_ssl_set_export_keys_cb], - [AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [0], [no])] - ) + AC_CHECK_FUNCS([mbedtls_ssl_set_export_keys_cb]) if test "x$ac_cv_func_mbedtls_ssl_set_export_keys_cb" != xyes; then AC_CHECK_FUNC([mbedtls_ssl_export_keying_material]) if test "x$ac_cv_func_mbedtls_ssl_export_keying_material" != xyes; then diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c index c05902d..1f3dcba 100644 --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c @@ -981,7 +981,7 @@ } /* mbedtls-2.18.0 or newer implements tls_prf, but prf_tls1 is removed * from recent versions, so we use our own implementation if necessary. */ -#if HAVE_MBEDTLS_SSL_TLS_PRF && defined(MBEDTLS_SSL_TLS_PRF_TLS1) +#if defined(HAVE_MBEDTLS_SSL_TLS_PRF) && defined(MBEDTLS_SSL_TLS_PRF_TLS1) bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, uint8_t *output, int output_len) 
@@ -990,7 +990,7 @@ secret_len, "", seed, seed_len, output, output_len)); } -#else /* HAVE_MBEDTLS_SSL_TLS_PRF && defined(MBEDTLS_SSL_TLS_PRF_TLS1) */ +#else /* defined(HAVE_MBEDTLS_SSL_TLS_PRF) && defined(MBEDTLS_SSL_TLS_PRF_TLS1) */ /* * Generate the hash required by for the \c tls1_PRF function. * diff --git a/src/openvpn/mbedtls_compat.h b/src/openvpn/mbedtls_compat.h index 145a7ae..68c4cc3 100644 --- a/src/openvpn/mbedtls_compat.h +++ b/src/openvpn/mbedtls_compat.h @@ -48,7 +48,7 @@ #include <mbedtls/version.h> #include <mbedtls/x509_crt.h> -#if HAVE_MBEDTLS_PSA_CRYPTO_H +#ifdef HAVE_MBEDTLS_PSA_CRYPTO_H #include <psa/crypto.h> #endif @@ -61,14 +61,14 @@ static inline void mbedtls_compat_psa_crypto_init(void) { -#if HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) +#if defined(HAVE_MBEDTLS_PSA_CRYPTO_H) && defined(MBEDTLS_PSA_CRYPTO_C) if (psa_crypto_init() != PSA_SUCCESS) { msg(M_FATAL, "mbedtls: psa_crypto_init() failed"); } #else return; -#endif /* HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) */ +#endif } static inline mbedtls_compat_group_id @@ -96,7 +96,7 @@ { #if MBEDTLS_VERSION_NUMBER > 0x03000000 return mbedtls_ctr_drbg_update(ctx, additional, add_len); -#elif HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET +#elif defined(HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET) return mbedtls_ctr_drbg_update_ret(ctx, additional, add_len); #else mbedtls_ctr_drbg_update(ctx, additional, add_len); diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index ecccc26..a4bb772 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c 
@@ -173,8 +173,9 @@ ASSERT(NULL != ctx); return ctx->initialised; } - -#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB +#ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT +/* mbedtls_ssl_export_keying_material does not need helper/callback methods */ +#elif defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) /* * Key export callback for older versions of mbed TLS, to be used with * mbedtls_ssl_conf_export_keys_ext_cb(). It is called with the master @@ -205,7 +206,7 @@ return 0; } -#elif HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB +#elif defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) /* * Key export callback for newer versions of mbed TLS, to be used with * mbedtls_ssl_set_export_keys_cb(). When used with TLS 1.2, the callback @@ -251,10 +252,11 @@ memcpy(cache->master_secret, secret, sizeof(cache->master_secret)); cache->tls_prf_type = tls_prf_type; } -#elif !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#else /* ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ #error mbedtls_ssl_conf_export_keys_ext_cb, mbedtls_ssl_set_export_keys_cb or mbedtls_ssl_export_keying_material must be available in mbed TLS #endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */ + bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, @@ -1244,7 +1246,7 @@ mbedtls_ssl_conf_max_tls_version(ks_ssl->ssl_config, version); } -#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#if defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) /* Initialize keying material exporter, old style. */ mbedtls_ssl_conf_export_keys_ext_cb(ks_ssl->ssl_config, mbedtls_ssl_export_keys_cb, session); 
@@ -1259,7 +1261,7 @@ * verification. */ ASSERT(mbed_ok(mbedtls_ssl_set_hostname(ks_ssl->ctx, NULL))); -#if HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#if defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) /* Initialize keying material exporter, new style. */ mbedtls_ssl_set_export_keys_cb(ks_ssl->ctx, mbedtls_ssl_export_keys_cb, session); #endif -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Gerrit-Change-Number: 1081 Gerrit-PatchSet: 7 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: cron2 <ge...@gr...> Gerrit-MessageType: newpatchset |
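Review bot: `AC_CHECK_HEADER(psa/crypto.h)` in the @@ -1038 hunk of configure.ac is the singular macro called without action arguments, so it only records `ac_cv_header_psa_crypto_h` and defines nothing; `HAVE_MBEDTLS_PSA_CRYPTO_H` is therefore never defined in autoconf builds, `#ifdef HAVE_MBEDTLS_PSA_CRYPTO_H` in mbedtls_compat.h never includes `psa/crypto.h`, and `mbedtls_compat_psa_crypto_init()` always takes its `#else` branch. Keep an explicit define in the action-if-found (the removed lines show the shape: `[AC_DEFINE([HAVE_MBEDTLS_PSA_CRYPTO_H], [1], [yes])]`), since autoconf's header checks name their macro after the file, not after the project's `HAVE_MBEDTLS_` prefix.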
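Review bot: the @@ -302 hunk of CMakeLists.txt runs `check_symbol_exists` for both `mbedtls_ssl_conf_export_keys_ext_cb` and `mbedtls_ssl_set_export_keys_cb` unconditionally, while the configure.ac hunk in this patch set only probes `mbedtls_ssl_set_export_keys_cb` when the ext_cb probe failed (`if test "x$ac_cv_func_mbedtls_ssl_conf_export_keys_ext_cb" != xyes; then`). The two build systems can thus emit different `HAVE_*` sets for the same mbed TLS. That matters because the callback definition in ssl_mbedtls.c is an `#ifdef`/`#elif` chain compiling exactly one `mbedtls_ssl_export_keys_cb`, but the two registration guards at @@ -1244 and @@ -1259 are independent `#if`s; with both macros defined, both `mbedtls_ssl_conf_export_keys_ext_cb(...)` and `mbedtls_ssl_set_export_keys_cb(...)` are compiled against a callback whose signature fits only one of them. Either nest the CMake checks like configure.ac does or add `!defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB)` to the second guard so the call sites mirror the chain.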
From: plaisthos (C. Review) <ge...@op...> - 2025-07-14 22:00:22
Attention is currently required from: cron2, flichtenheld.

plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email )

Change subject: Cleanup/simplify mbed TLS related define from autoconf
......................................................................

Patch Set 6:

(1 comment)

File src/openvpn/mbedtls_compat.h:

http://gerrit.openvpn.net/c/openvpn/+/1081/comment/33d2c36f_3dc99cd6 :
PS6, Line 51: #ifdef HAVE_MBEDTLS_PSA_CRYPTO_H
> This is wrong, we always define it, just to 0
Done

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd
Gerrit-Change-Number: 1081
Gerrit-PatchSet: 6
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: cron2 <ge...@gr...>
Gerrit-Attention: flichtenheld <fr...@li...>
Gerrit-Comment-Date: Mon, 14 Jul 2025 22:00:08 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: flichtenheld <fr...@li...>
Gerrit-MessageType: comment
From: cron2 (C. Review) <ge...@op...> - 2025-07-15 06:21:11
Attention is currently required from: flichtenheld, plaisthos.

cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email )

Change subject: Cleanup/simplify mbed TLS related define from autoconf
......................................................................

Patch Set 7: Code-Review+1

(1 comment)

Patchset:

PS7:
passes compile tests and "openvpn connect to git master server" for 2.82.3, 3.6.3 and 3.6.4 - the first two with TLS1.2 and tls-ekm, the third one with TLS1.3

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd
Gerrit-Change-Number: 1081
Gerrit-PatchSet: 7
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Attention: flichtenheld <fr...@li...>
Gerrit-Comment-Date: Tue, 15 Jul 2025 06:20:54 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
From: flichtenheld (C. Review) <ge...@op...> - 2025-07-15 09:28:50
Attention is currently required from: plaisthos.

flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email )

Change subject: Cleanup/simplify mbed TLS related define from autoconf
......................................................................

Patch Set 7: Code-Review-2

(1 comment)

File configure.ac:

http://gerrit.openvpn.net/c/openvpn/+/1081/comment/00ff5884_aeb7bbcd :
PS7, Line 1041: AC_CHECK_HEADER(psa/crypto.h)
Needs to be AC_CHECK_HEADERS, otherwise HAVE_MBEDTLS_PSA_CRYPTO_H is never defined. But this passed everywhere. So does this mean this whole check is useless?

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd
Gerrit-Change-Number: 1081
Gerrit-PatchSet: 7
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Comment-Date: Tue, 15 Jul 2025 09:28:34 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
From: plaisthos (C. Review) <ge...@op...> - 2025-07-15 10:42:36
Attention is currently required from: flichtenheld.

plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email )

Change subject: Cleanup/simplify mbed TLS related define from autoconf
......................................................................

Patch Set 7:

(1 comment)

File configure.ac:

http://gerrit.openvpn.net/c/openvpn/+/1081/comment/327557b0_9308dcaf :
PS7, Line 1041: AC_CHECK_HEADER(psa/crypto.h)
> Needs to be AC_CHECK_HEADERS, otherwise HAVE_MBEDTLS_PSA_CRYPTO_H is never defined. […]
*sigh* I hate autoconf. Might be fine to remove it but I am not in the mood today to try this in this patch and then figure out it wasn't. Let's do that in some follow-up patch.

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd
Gerrit-Change-Number: 1081
Gerrit-PatchSet: 7
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: flichtenheld <fr...@li...>
Gerrit-Comment-Date: Tue, 15 Jul 2025 10:42:21 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: flichtenheld <fr...@li...>
Gerrit-MessageType: comment
From: plaisthos (C. Review) <ge...@op...> - 2025-07-15 10:45:55
Attention is currently required from: cron2, flichtenheld. Hello cron2, flichtenheld, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email to look at the new patch set (#8). The following approvals got outdated and were removed: Code-Review+1 by cron2 Change subject: Cleanup/simplify mbed TLS related define from autoconf ...................................................................... Cleanup/simplify mbed TLS related define from autoconf Instead of a custom logic using 0/1 to be defined when the functions are present or not, use the standard check and adjust the source code accordingly. Also not compile mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT The helper methods are only used when we don't have MBEDTLS_SSL_KEYING_MATERIAL_EXPORT and mbedtls_ssl_export_keying_material. Remove AEAD check that tests for presence of mbedtls_cipher_write_tag and mbedtls_cipher_check_tag. Having an mbed TLS version that does not support that is highly unlikely. It might have been a good check in PolarSSL's time but is not today anymore. This also adds some missing support for mbed 2.x related defines to cmake based build. Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Signed-off-by: Arne Schwabe <ar...@rf...> --- M CMakeLists.txt M config.h.cmake.in M configure.ac M src/openvpn/crypto_mbedtls.c M src/openvpn/mbedtls_compat.h M src/openvpn/ssl_mbedtls.c 6 files changed, 23 insertions(+), 45 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/81/1081/8 diff --git a/CMakeLists.txt b/CMakeLists.txt index 40bffd4..75afcea 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -302,6 +302,7 @@ check_symbol_exists(mbedtls_ctr_drbg_update_ret mbedtls/ctr_drbg.h HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET) check_symbol_exists(mbedtls_ssl_conf_export_keys_ext_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) check_symbol_exists(mbedtls_ssl_set_export_keys_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) + check_symbol_exists(mbedtls_ssl_tls_prf mbedtls/ssl.h HAVE_MBEDTLS_SSL_TLS_PRF) check_include_files(psa/crypto.h HAVE_MBEDTLS_PSA_CRYPTO_H) endfunction() diff --git a/config.h.cmake.in b/config.h.cmake.in index 5df0ac8..911f7d3 100644 --- a/config.h.cmake.in +++ b/config.h.cmake.in @@ -370,10 +370,11 @@ #undef HAVE_VFORK_H /* Availability of different mbed TLS features and APIs */ -#cmakedefine01 HAVE_MBEDTLS_PSA_CRYPTO_H -#define HAVE_MBEDTLS_SSL_TLS_PRF 1 -#cmakedefine01 HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB -#cmakedefine01 HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET +#cmakedefine HAVE_MBEDTLS_PSA_CRYPTO_H +#cmakedefine HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB +#cmakedefine HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB +#cmakedefine HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET +#cmakedefine HAVE_MBEDTLS_SSL_TLS_PRF /* Path to ifconfig tool */ #define IFCONFIG_PATH "@IFCONFIG_PATH@" diff --git a/configure.ac b/configure.ac index 02b45f8..8fc48ba 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1038,38 +1038,12 @@ [AC_MSG_ERROR([mbed TLS version >= 2.0.0 or >= 3.2.1 required])] ) - AC_CHECK_HEADER( - psa/crypto.h, - [AC_DEFINE([HAVE_MBEDTLS_PSA_CRYPTO_H], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_PSA_CRYPTO_H], [0], [no])] - ) + AC_CHECK_HEADERS(psa/crypto.h) - AC_CHECK_FUNCS( - [ \ - mbedtls_cipher_write_tag \ - mbedtls_cipher_check_tag \ - ], - , - [AC_MSG_ERROR([mbed TLS check for AEAD support failed])] - ) + AC_CHECK_FUNCS([mbedtls_ssl_tls_prf mbedtls_ssl_conf_export_keys_ext_cb]) - AC_CHECK_FUNC( - [mbedtls_ssl_tls_prf], - [AC_DEFINE([HAVE_MBEDTLS_SSL_TLS_PRF], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_TLS_PRF], [0], [no])] - ) - - AC_CHECK_FUNC( - [mbedtls_ssl_conf_export_keys_ext_cb], - [AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [0], [no])] - ) if test "x$ac_cv_func_mbedtls_ssl_conf_export_keys_ext_cb" != xyes; then - AC_CHECK_FUNC( - [mbedtls_ssl_set_export_keys_cb], - [AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [0], [no])] - ) + AC_CHECK_FUNCS([mbedtls_ssl_set_export_keys_cb]) if test "x$ac_cv_func_mbedtls_ssl_set_export_keys_cb" != xyes; then AC_CHECK_FUNC([mbedtls_ssl_export_keying_material]) if test "x$ac_cv_func_mbedtls_ssl_export_keying_material" != xyes; then diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c index c05902d..1f3dcba 100644 --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c @@ -981,7 +981,7 @@ } /* mbedtls-2.18.0 or newer implements tls_prf, but prf_tls1 is removed * from recent versions, so we use our own implementation if necessary. */ -#if HAVE_MBEDTLS_SSL_TLS_PRF && defined(MBEDTLS_SSL_TLS_PRF_TLS1) +#if defined(HAVE_MBEDTLS_SSL_TLS_PRF) && defined(MBEDTLS_SSL_TLS_PRF_TLS1) bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, uint8_t *output, int output_len) 
@@ -990,7 +990,7 @@ secret_len, "", seed, seed_len, output, output_len)); } -#else /* HAVE_MBEDTLS_SSL_TLS_PRF && defined(MBEDTLS_SSL_TLS_PRF_TLS1) */ +#else /* defined(HAVE_MBEDTLS_SSL_TLS_PRF) && defined(MBEDTLS_SSL_TLS_PRF_TLS1) */ /* * Generate the hash required by for the \c tls1_PRF function. * diff --git a/src/openvpn/mbedtls_compat.h b/src/openvpn/mbedtls_compat.h index 145a7ae..68c4cc3 100644 --- a/src/openvpn/mbedtls_compat.h +++ b/src/openvpn/mbedtls_compat.h @@ -48,7 +48,7 @@ #include <mbedtls/version.h> #include <mbedtls/x509_crt.h> -#if HAVE_MBEDTLS_PSA_CRYPTO_H +#ifdef HAVE_MBEDTLS_PSA_CRYPTO_H #include <psa/crypto.h> #endif @@ -61,14 +61,14 @@ static inline void mbedtls_compat_psa_crypto_init(void) { -#if HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) +#if defined(HAVE_MBEDTLS_PSA_CRYPTO_H) && defined(MBEDTLS_PSA_CRYPTO_C) if (psa_crypto_init() != PSA_SUCCESS) { msg(M_FATAL, "mbedtls: psa_crypto_init() failed"); } #else return; -#endif /* HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) */ +#endif } static inline mbedtls_compat_group_id @@ -96,7 +96,7 @@ { #if MBEDTLS_VERSION_NUMBER > 0x03000000 return mbedtls_ctr_drbg_update(ctx, additional, add_len); -#elif HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET +#elif defined(HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET) return mbedtls_ctr_drbg_update_ret(ctx, additional, add_len); #else mbedtls_ctr_drbg_update(ctx, additional, add_len); diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index ecccc26..a4bb772 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c 
@@ -173,8 +173,9 @@ ASSERT(NULL != ctx); return ctx->initialised; } - -#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB +#ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT +/* mbedtls_ssl_export_keying_material does not need helper/callback methods */ +#elif defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) /* * Key export callback for older versions of mbed TLS, to be used with * mbedtls_ssl_conf_export_keys_ext_cb(). It is called with the master @@ -205,7 +206,7 @@ return 0; } -#elif HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB +#elif defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) /* * Key export callback for newer versions of mbed TLS, to be used with * mbedtls_ssl_set_export_keys_cb(). When used with TLS 1.2, the callback @@ -251,10 +252,11 @@ memcpy(cache->master_secret, secret, sizeof(cache->master_secret)); cache->tls_prf_type = tls_prf_type; } -#elif !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#else /* ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ #error mbedtls_ssl_conf_export_keys_ext_cb, mbedtls_ssl_set_export_keys_cb or mbedtls_ssl_export_keying_material must be available in mbed TLS #endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */ + bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, @@ -1244,7 +1246,7 @@ mbedtls_ssl_conf_max_tls_version(ks_ssl->ssl_config, version); } -#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#if defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) /* Initialize keying material exporter, old style. */ mbedtls_ssl_conf_export_keys_ext_cb(ks_ssl->ssl_config, mbedtls_ssl_export_keys_cb, session); 
@@ -1259,7 +1261,7 @@ * verification. */ ASSERT(mbed_ok(mbedtls_ssl_set_hostname(ks_ssl->ctx, NULL))); -#if HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#if defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) /* Initialize keying material exporter, new style. */ mbedtls_ssl_set_export_keys_cb(ks_ssl->ctx, mbedtls_ssl_export_keys_cb, session); #endif -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Gerrit-Change-Number: 1081 Gerrit-PatchSet: 8 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: cron2 <ge...@gr...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-MessageType: newpatchset |
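Review bot: the configure.ac hunk and the mbedtls_compat.h hunk disagree on the name of the PSA header macro. `AC_CHECK_HEADERS(psa/crypto.h)` defines `HAVE_PSA_CRYPTO_H` (autoconf derives the symbol from the header path), while the mbedtls_compat.h hunk switches to `#ifdef HAVE_MBEDTLS_PSA_CRYPTO_H` and `#if defined(HAVE_MBEDTLS_PSA_CRYPTO_H) && defined(MBEDTLS_PSA_CRYPTO_C)`, a macro that nothing defines any more on an autoconf build. The failure is silent: `psa/crypto.h` is never included and `mbedtls_compat_psa_crypto_init()` falls into the empty `#else` branch, so `psa_crypto_init()` is skipped on builds where `MBEDTLS_PSA_CRYPTO_C` is set. Either test `HAVE_PSA_CRYPTO_H` in mbedtls_compat.h (and on the CMake side) or keep an explicit `AC_DEFINE([HAVE_MBEDTLS_PSA_CRYPTO_H], [1], ...)` in the action-if-found branch of the header check.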
From: flichtenheld (C. Review) <ge...@op...> - 2025-07-15 11:11:15
Attention is currently required from: cron2, plaisthos. flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email ) Change subject: Cleanup/simplify mbed TLS related define from autoconf ...................................................................... Patch Set 8: Code-Review-2 (1 comment) File configure.ac: http://gerrit.openvpn.net/c/openvpn/+/1081/comment/136d3b26_e9bdddae : PS7, Line 1041: AC_CHECK_HEADER(psa/crypto.h) > *sigh* I hate autconf. […] Sorry, this is still not correct. Now it defines HAVE_PSA_CRYPTO_H, not HAVE_MBEDTLS_PSA_CRYPTO_H %) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Gerrit-Change-Number: 1081 Gerrit-PatchSet: 8 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: cron2 <ge...@gr...> Gerrit-Comment-Date: Tue, 15 Jul 2025 11:11:01 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Comment-In-Reply-To: plaisthos <arn...@rf...> Comment-In-Reply-To: flichtenheld <fr...@li...> Gerrit-MessageType: comment |
From: plaisthos (C. Review) <ge...@op...> - 2025-07-15 11:27:53
Attention is currently required from: cron2, plaisthos. Hello cron2, flichtenheld, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email to look at the new patch set (#9). Change subject: Cleanup/simplify mbed TLS related define from autoconf ...................................................................... Cleanup/simplify mbed TLS related define from autoconf Instead of custom logic using 0/1 to be defined when the functions are present or not, use the standard check and adjust the source code accordingly. Also do not compile mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT The helper methods are only used when we don't have MBEDTLS_SSL_KEYING_MATERIAL_EXPORT and mbedtls_ssl_export_keying_material. Remove AEAD check that tests for presence of mbedtls_cipher_write_tag and mbedtls_cipher_check_tag. Having an mbed TLS version that does not support that is highly unlikely. It might have been a good check in PolarSSL's time but is not anymore today. This also adds some missing support for mbed 2.x related defines to the cmake based build. Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Signed-off-by: Arne Schwabe <ar...@rf...> --- M CMakeLists.txt M config.h.cmake.in M configure.ac M src/openvpn/crypto_mbedtls.c M src/openvpn/mbedtls_compat.h M src/openvpn/ssl_mbedtls.c 6 files changed, 24 insertions(+), 46 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/81/1081/9 diff --git a/CMakeLists.txt b/CMakeLists.txt index 40bffd4..efb2d2d 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -302,7 +302,8 @@ check_symbol_exists(mbedtls_ctr_drbg_update_ret mbedtls/ctr_drbg.h HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET) check_symbol_exists(mbedtls_ssl_conf_export_keys_ext_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) check_symbol_exists(mbedtls_ssl_set_export_keys_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) - check_include_files(psa/crypto.h HAVE_MBEDTLS_PSA_CRYPTO_H) + check_symbol_exists(mbedtls_ssl_tls_prf mbedtls/ssl.h HAVE_MBEDTLS_SSL_TLS_PRF) + check_include_files(psa/crypto.h HAVE_PSA_CRYPTO_H) endfunction() if (${MBED}) diff --git a/config.h.cmake.in b/config.h.cmake.in index 5df0ac8..1c443ab 100644 --- a/config.h.cmake.in +++ b/config.h.cmake.in @@ -370,10 +370,11 @@ #undef HAVE_VFORK_H /* Availability of different mbed TLS features and APIs */ -#cmakedefine01 HAVE_MBEDTLS_PSA_CRYPTO_H -#define HAVE_MBEDTLS_SSL_TLS_PRF 1 -#cmakedefine01 HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB -#cmakedefine01 HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET +#cmakedefine HAVE_PSA_CRYPTO_H +#cmakedefine HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB +#cmakedefine HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB +#cmakedefine HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET +#cmakedefine HAVE_MBEDTLS_SSL_TLS_PRF /* Path to ifconfig tool */ #define IFCONFIG_PATH "@IFCONFIG_PATH@" diff --git a/configure.ac b/configure.ac index 02b45f8..8fc48ba 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1038,38 +1038,12 @@ [AC_MSG_ERROR([mbed TLS version >= 2.0.0 or >= 3.2.1 required])] ) - AC_CHECK_HEADER( - psa/crypto.h, - [AC_DEFINE([HAVE_MBEDTLS_PSA_CRYPTO_H], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_PSA_CRYPTO_H], [0], [no])] - ) + AC_CHECK_HEADERS(psa/crypto.h) - AC_CHECK_FUNCS( - [ \ - mbedtls_cipher_write_tag \ - mbedtls_cipher_check_tag \ - ], - , - [AC_MSG_ERROR([mbed TLS check for AEAD support failed])] - ) + AC_CHECK_FUNCS([mbedtls_ssl_tls_prf mbedtls_ssl_conf_export_keys_ext_cb]) - AC_CHECK_FUNC( - [mbedtls_ssl_tls_prf], - [AC_DEFINE([HAVE_MBEDTLS_SSL_TLS_PRF], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_TLS_PRF], [0], [no])] - ) - - AC_CHECK_FUNC( - [mbedtls_ssl_conf_export_keys_ext_cb], - [AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [0], [no])] - ) if test "x$ac_cv_func_mbedtls_ssl_conf_export_keys_ext_cb" != xyes; then - AC_CHECK_FUNC( - [mbedtls_ssl_set_export_keys_cb], - [AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [0], [no])] - ) + AC_CHECK_FUNCS([mbedtls_ssl_set_export_keys_cb]) if test "x$ac_cv_func_mbedtls_ssl_set_export_keys_cb" != xyes; then AC_CHECK_FUNC([mbedtls_ssl_export_keying_material]) if test "x$ac_cv_func_mbedtls_ssl_export_keying_material" != xyes; then diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c index c05902d..1f3dcba 100644 --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c @@ -981,7 +981,7 @@ } /* mbedtls-2.18.0 or newer implements tls_prf, but prf_tls1 is removed * from recent versions, so we use our own implementation if necessary. */ -#if HAVE_MBEDTLS_SSL_TLS_PRF && defined(MBEDTLS_SSL_TLS_PRF_TLS1) +#if defined(HAVE_MBEDTLS_SSL_TLS_PRF) && defined(MBEDTLS_SSL_TLS_PRF_TLS1) bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, uint8_t *output, int output_len) 
@@ -990,7 +990,7 @@ secret_len, "", seed, seed_len, output, output_len)); } -#else /* HAVE_MBEDTLS_SSL_TLS_PRF && defined(MBEDTLS_SSL_TLS_PRF_TLS1) */ +#else /* defined(HAVE_MBEDTLS_SSL_TLS_PRF) && defined(MBEDTLS_SSL_TLS_PRF_TLS1) */ /* * Generate the hash required by for the \c tls1_PRF function. * diff --git a/src/openvpn/mbedtls_compat.h b/src/openvpn/mbedtls_compat.h index 145a7ae..aeb0c5f 100644 --- a/src/openvpn/mbedtls_compat.h +++ b/src/openvpn/mbedtls_compat.h @@ -48,7 +48,7 @@ #include <mbedtls/version.h> #include <mbedtls/x509_crt.h> -#if HAVE_MBEDTLS_PSA_CRYPTO_H +#ifdef HAVE_PSA_CRYPTO_H #include <psa/crypto.h> #endif @@ -61,14 +61,14 @@ static inline void mbedtls_compat_psa_crypto_init(void) { -#if HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) +#if defined(HAVE_PSA_CRYPTO_H) && defined(MBEDTLS_PSA_CRYPTO_C) if (psa_crypto_init() != PSA_SUCCESS) { msg(M_FATAL, "mbedtls: psa_crypto_init() failed"); } #else return; -#endif /* HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) */ +#endif } static inline mbedtls_compat_group_id @@ -96,7 +96,7 @@ { #if MBEDTLS_VERSION_NUMBER > 0x03000000 return mbedtls_ctr_drbg_update(ctx, additional, add_len); -#elif HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET +#elif defined(HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET) return mbedtls_ctr_drbg_update_ret(ctx, additional, add_len); #else mbedtls_ctr_drbg_update(ctx, additional, add_len); diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index ecccc26..a4bb772 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c 
@@ -173,8 +173,9 @@ ASSERT(NULL != ctx); return ctx->initialised; } - -#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB +#ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT +/* mbedtls_ssl_export_keying_material does not need helper/callback methods */ +#elif defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) /* * Key export callback for older versions of mbed TLS, to be used with * mbedtls_ssl_conf_export_keys_ext_cb(). It is called with the master @@ -205,7 +206,7 @@ return 0; } -#elif HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB +#elif defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) /* * Key export callback for newer versions of mbed TLS, to be used with * mbedtls_ssl_set_export_keys_cb(). When used with TLS 1.2, the callback @@ -251,10 +252,11 @@ memcpy(cache->master_secret, secret, sizeof(cache->master_secret)); cache->tls_prf_type = tls_prf_type; } -#elif !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#else /* ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ #error mbedtls_ssl_conf_export_keys_ext_cb, mbedtls_ssl_set_export_keys_cb or mbedtls_ssl_export_keying_material must be available in mbed TLS #endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */ + bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, @@ -1244,7 +1246,7 @@ mbedtls_ssl_conf_max_tls_version(ks_ssl->ssl_config, version); } -#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#if defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) /* Initialize keying material exporter, old style. */ mbedtls_ssl_conf_export_keys_ext_cb(ks_ssl->ssl_config, mbedtls_ssl_export_keys_cb, session); 
@@ -1259,7 +1261,7 @@ * verification. */ ASSERT(mbed_ok(mbedtls_ssl_set_hostname(ks_ssl->ctx, NULL))); -#if HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#if defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) /* Initialize keying material exporter, new style. */ mbedtls_ssl_set_export_keys_cb(ks_ssl->ctx, mbedtls_ssl_export_keys_cb, session); #endif -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Gerrit-Change-Number: 1081 Gerrit-PatchSet: 9 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: cron2 <ge...@gr...> Gerrit-MessageType: newpatchset |
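Review bot: the config.h.cmake.in hunk changes the macro semantics, not just the spelling, and that deserves a sentence in the commit message. `#cmakedefine01` always emitted `#define HAVE_... 0` or `1`; `#cmakedefine` leaves the macro undefined when the check fails, which is what makes the `defined(...)`/`#ifdef` rewrites in the C hunks necessary. The hunks convert every use that is visible here, but any leftover value test of the form `#if HAVE_MBEDTLS_...` elsewhere in the tree would now evaluate silently to 0 (and trip `-Wundef` builds), so a quick grep for the five renamed/regated macros before merge is cheap insurance. The CMakeLists.txt hunk also pairs the previously unconditional `#define HAVE_MBEDTLS_SSL_TLS_PRF 1` with a real `check_symbol_exists(mbedtls_ssl_tls_prf ...)`, which matches what `AC_CHECK_FUNCS` now does on the autoconf side.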
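Review bot: the configure.ac hunk would read better with a one-line comment explaining the asymmetry it leaves behind. `AC_CHECK_FUNCS([mbedtls_ssl_tls_prf mbedtls_ssl_conf_export_keys_ext_cb])` and `AC_CHECK_FUNCS([mbedtls_ssl_set_export_keys_cb])` now define `HAVE_MBEDTLS_SSL_TLS_PRF`, `HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB` and `HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB`, but the unchanged `AC_CHECK_FUNC([mbedtls_ssl_export_keying_material])` (singular) defines nothing and only feeds the `if test "x$ac_cv_func_mbedtls_ssl_export_keying_material" != xyes` error path; the source side (ssl_mbedtls.c hunk) keys on mbed TLS's own `MBEDTLS_SSL_KEYING_MATERIAL_EXPORT` instead. That is correct, since the header macro is what governs whether the API is declared, but a comment such as `dnl no HAVE_ macro: the code tests MBEDTLS_SSL_KEYING_MATERIAL_EXPORT from the mbed TLS config` would stop the next reader from "fixing" it into another `AC_CHECK_FUNCS`. On the positive side, `AC_CHECK_HEADERS(psa/crypto.h)` now yields `HAVE_PSA_CRYPTO_H`, which is what mbedtls_compat.h and CMakeLists.txt test in this patch set, so the mismatch from patch set 8 is gone.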
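Review bot: in the ssl_mbedtls.c hunk at `@@ -251,10 +252,11 @@` the closing comment is now stale. The chain opens with `#ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT` (hunk at `@@ -173,8 +173,9 @@`), so `#endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */` names a branch that is no longer the first one, and `#else /* ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */` reads as though the `#else` belonged to that branch alone rather than to the whole `#ifdef`/`#elif`/`#elif` ladder. Suggest `#endif /* MBEDTLS_SSL_KEYING_MATERIAL_EXPORT / HAVE_MBEDTLS_SSL_*_CB */` and `#else /* none of the export-keys mechanisms available */`. The blank line removed before the `#ifdef` and the one added before `bool key_state_export_keying_material(` are pure whitespace churn and could be dropped from the diff. The guards at `@@ -1244` and `@@ -1259` (`defined(HAVE_...) && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)`) do match the conditions under which `mbedtls_ssl_export_keys_cb` is now compiled, so the callback cannot be registered without being defined.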
From: flichtenheld (C. Review) <ge...@op...> - 2025-07-15 12:24:37
Attention is currently required from: cron2, plaisthos. flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email ) Change subject: Cleanup/simplify mbed TLS related define from autoconf ...................................................................... Patch Set 9: Code-Review+2 (1 comment) File configure.ac: http://gerrit.openvpn.net/c/openvpn/+/1081/comment/3278c867_05e6ee0b : PS7, Line 1041: AC_CHECK_HEADER(psa/crypto.h) > Sorry, this is still not correct. […] Done -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Gerrit-Change-Number: 1081 Gerrit-PatchSet: 9 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: cron2 <ge...@gr...> Gerrit-Comment-Date: Tue, 15 Jul 2025 12:24:28 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Comment-In-Reply-To: plaisthos <arn...@rf...> Comment-In-Reply-To: flichtenheld <fr...@li...> Gerrit-MessageType: comment |
From: Gert D. <ge...@gr...> - 2025-07-15 12:30:11
From: Arne Schwabe <ar...@rf...> Instead of custom logic using 0/1 to be defined when the functions are present or not, use the standard check and adjust the source code accordingly. Also do not compile mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT The helper methods are only used when we don't have MBEDTLS_SSL_KEYING_MATERIAL_EXPORT and mbedtls_ssl_export_keying_material. Remove AEAD check that tests for presence of mbedtls_cipher_write_tag and mbedtls_cipher_check_tag. Having an mbed TLS version that does not support that is highly unlikely. It might have been a good check in PolarSSL's time but is not anymore today. This also adds some missing support for mbed 2.x related defines to the cmake based build. Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Frank Lichtenheld <fr...@li...> --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1081 This mail reflects revision 9 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld <fr...@li...> diff --git a/CMakeLists.txt b/CMakeLists.txt index 40bffd4..efb2d2d 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -302,7 +302,8 @@ check_symbol_exists(mbedtls_ctr_drbg_update_ret mbedtls/ctr_drbg.h HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET) check_symbol_exists(mbedtls_ssl_conf_export_keys_ext_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) check_symbol_exists(mbedtls_ssl_set_export_keys_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) - check_include_files(psa/crypto.h HAVE_MBEDTLS_PSA_CRYPTO_H) + check_symbol_exists(mbedtls_ssl_tls_prf mbedtls/ssl.h HAVE_MBEDTLS_SSL_TLS_PRF) + check_include_files(psa/crypto.h HAVE_PSA_CRYPTO_H) endfunction() if (${MBED}) diff --git a/config.h.cmake.in b/config.h.cmake.in index 5df0ac8..1c443ab 100644 --- a/config.h.cmake.in +++ b/config.h.cmake.in 
@@ -370,10 +370,11 @@ #undef HAVE_VFORK_H /* Availability of different mbed TLS features and APIs */ -#cmakedefine01 HAVE_MBEDTLS_PSA_CRYPTO_H -#define HAVE_MBEDTLS_SSL_TLS_PRF 1 -#cmakedefine01 HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB -#cmakedefine01 HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET +#cmakedefine HAVE_PSA_CRYPTO_H +#cmakedefine HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB +#cmakedefine HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB +#cmakedefine HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET +#cmakedefine HAVE_MBEDTLS_SSL_TLS_PRF /* Path to ifconfig tool */ #define IFCONFIG_PATH "@IFCONFIG_PATH@" diff --git a/configure.ac b/configure.ac index 02b45f8..8fc48ba 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1038,38 +1038,12 @@ [AC_MSG_ERROR([mbed TLS version >= 2.0.0 or >= 3.2.1 required])] ) - AC_CHECK_HEADER( - psa/crypto.h, - [AC_DEFINE([HAVE_MBEDTLS_PSA_CRYPTO_H], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_PSA_CRYPTO_H], [0], [no])] - ) + AC_CHECK_HEADERS(psa/crypto.h) - AC_CHECK_FUNCS( - [ \ - mbedtls_cipher_write_tag \ - mbedtls_cipher_check_tag \ - ], - , - [AC_MSG_ERROR([mbed TLS check for AEAD support failed])] - ) + AC_CHECK_FUNCS([mbedtls_ssl_tls_prf mbedtls_ssl_conf_export_keys_ext_cb]) - AC_CHECK_FUNC( - [mbedtls_ssl_tls_prf], - [AC_DEFINE([HAVE_MBEDTLS_SSL_TLS_PRF], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_TLS_PRF], [0], [no])] - ) - - AC_CHECK_FUNC( - [mbedtls_ssl_conf_export_keys_ext_cb], - [AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [0], [no])] - ) if test "x$ac_cv_func_mbedtls_ssl_conf_export_keys_ext_cb" != xyes; then - AC_CHECK_FUNC( - [mbedtls_ssl_set_export_keys_cb], - [AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [0], [no])] - ) + AC_CHECK_FUNCS([mbedtls_ssl_set_export_keys_cb]) if test "x$ac_cv_func_mbedtls_ssl_set_export_keys_cb" != xyes; then AC_CHECK_FUNC([mbedtls_ssl_export_keying_material]) if test "x$ac_cv_func_mbedtls_ssl_export_keying_material" != xyes; then diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c index c05902d..1f3dcba 100644 --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c @@ -981,7 +981,7 @@ } /* mbedtls-2.18.0 or newer implements tls_prf, but prf_tls1 is removed * from recent versions, so we use our own implementation if necessary. */ -#if HAVE_MBEDTLS_SSL_TLS_PRF && defined(MBEDTLS_SSL_TLS_PRF_TLS1) +#if defined(HAVE_MBEDTLS_SSL_TLS_PRF) && defined(MBEDTLS_SSL_TLS_PRF_TLS1) bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, uint8_t *output, int output_len) 
@@ -990,7 +990,7 @@ secret_len, "", seed, seed_len, output, output_len)); } -#else /* HAVE_MBEDTLS_SSL_TLS_PRF && defined(MBEDTLS_SSL_TLS_PRF_TLS1) */ +#else /* defined(HAVE_MBEDTLS_SSL_TLS_PRF) && defined(MBEDTLS_SSL_TLS_PRF_TLS1) */ /* * Generate the hash required by for the \c tls1_PRF function. * diff --git a/src/openvpn/mbedtls_compat.h b/src/openvpn/mbedtls_compat.h index 145a7ae..aeb0c5f 100644 --- a/src/openvpn/mbedtls_compat.h +++ b/src/openvpn/mbedtls_compat.h @@ -48,7 +48,7 @@ #include <mbedtls/version.h> #include <mbedtls/x509_crt.h> -#if HAVE_MBEDTLS_PSA_CRYPTO_H +#ifdef HAVE_PSA_CRYPTO_H #include <psa/crypto.h> #endif @@ -61,14 +61,14 @@ static inline void mbedtls_compat_psa_crypto_init(void) { -#if HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) +#if defined(HAVE_PSA_CRYPTO_H) && defined(MBEDTLS_PSA_CRYPTO_C) if (psa_crypto_init() != PSA_SUCCESS) { msg(M_FATAL, "mbedtls: psa_crypto_init() failed"); } #else return; -#endif /* HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) */ +#endif } static inline mbedtls_compat_group_id @@ -96,7 +96,7 @@ { #if MBEDTLS_VERSION_NUMBER > 0x03000000 return mbedtls_ctr_drbg_update(ctx, additional, add_len); -#elif HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET +#elif defined(HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET) return mbedtls_ctr_drbg_update_ret(ctx, additional, add_len); #else mbedtls_ctr_drbg_update(ctx, additional, add_len); diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index ecccc26..a4bb772 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c 
@@ -173,8 +173,9 @@ ASSERT(NULL != ctx); return ctx->initialised; } - -#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB +#ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT +/* mbedtls_ssl_export_keying_material does not need helper/callback methods */ +#elif defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) /* * Key export callback for older versions of mbed TLS, to be used with * mbedtls_ssl_conf_export_keys_ext_cb(). It is called with the master @@ -205,7 +206,7 @@ return 0; } -#elif HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB +#elif defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) /* * Key export callback for newer versions of mbed TLS, to be used with * mbedtls_ssl_set_export_keys_cb(). When used with TLS 1.2, the callback @@ -251,10 +252,11 @@ memcpy(cache->master_secret, secret, sizeof(cache->master_secret)); cache->tls_prf_type = tls_prf_type; } -#elif !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#else /* ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ #error mbedtls_ssl_conf_export_keys_ext_cb, mbedtls_ssl_set_export_keys_cb or mbedtls_ssl_export_keying_material must be available in mbed TLS #endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */ + bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, @@ -1244,7 +1246,7 @@ mbedtls_ssl_conf_max_tls_version(ks_ssl->ssl_config, version); } -#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#if defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) /* Initialize keying material exporter, old style. */ mbedtls_ssl_conf_export_keys_ext_cb(ks_ssl->ssl_config, mbedtls_ssl_export_keys_cb, session); 
@@ -1259,7 +1261,7 @@ * verification. */ ASSERT(mbed_ok(mbedtls_ssl_set_hostname(ks_ssl->ctx, NULL))); -#if HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#if defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) /* Initialize keying material exporter, new style. */ mbedtls_ssl_set_export_keys_cb(ks_ssl->ctx, mbedtls_ssl_export_keys_cb, session); #endif |