Attention is currently required from: flichtenheld, plaisthos. Hello flichtenheld,
I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email to look at the new patch set (#4). Change subject: Cleanup/simplify mbed TLS related define from autoconf ...................................................................... Cleanup/simplify mbed TLS related define from autoconf Instead of a custom logic using 0/1 to be defined when the functions are present or not, use the standard check and adjust the source code accordingly. Also not compile mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT The helper methods are only used when we don't have MBEDTLS_SSL_KEYING_MATERIAL_EXPORT and mbedtls_ssl_export_keying_material. Remove AEAD check that tests for presence of mbedtls_cipher_write_tag and mbedtls_cipher_check_tag. Having an mbed TLS version that does not support that is highly unlikely. It might have been a good check in PolarSSL's time but is not today anymore. Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Signed-off-by: Arne Schwabe <a...@rfc2549.org> --- M config.h.cmake.in M configure.ac M src/openvpn/mbedtls_compat.h M src/openvpn/ssl_mbedtls.c 4 files changed, 17 insertions(+), 36 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/81/1081/4
diff --git a/config.h.cmake.in b/config.h.cmake.in
index 5df0ac8..0ee1a89 100644
--- a/config.h.cmake.in
+++ b/config.h.cmake.in
@@ -370,10 +370,9 @@
 #undef HAVE_VFORK_H
 
 /* Availability of different mbed TLS features and APIs */
-#cmakedefine01 HAVE_MBEDTLS_PSA_CRYPTO_H
-#define HAVE_MBEDTLS_SSL_TLS_PRF 1
-#cmakedefine01 HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB
-#cmakedefine01 HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET
+#cmakedefine HAVE_MBEDTLS_PSA_CRYPTO_H
+#cmakedefine HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB
+#cmakedefine HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET
 
 /* Path to ifconfig tool */
 #define IFCONFIG_PATH "@IFCONFIG_PATH@"
diff --git a/configure.ac b/configure.ac
index 02b45f8..51c20ef 100644
--- a/configure.ac
+++ b/configure.ac
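Review bot: The removed `#define HAVE_MBEDTLS_SSL_TLS_PRF 1` gets no `#cmakedefine HAVE_MBEDTLS_SSL_TLS_PRF` replacement, yet configure.ac in this same change still probes `mbedtls_ssl_tls_prf` through AC_CHECK_FUNCS, so autoconf builds can define the symbol while CMake builds never will. If any `#ifdef HAVE_MBEDTLS_SSL_TLS_PRF` remains in the tree (none is visible in this patch, and CMakeLists.txt is not part of it), the two build systems would compile different code for the same mbed TLS version. Either add `#cmakedefine HAVE_MBEDTLS_SSL_TLS_PRF` with a matching check_symbol_exists in CMakeLists.txt, or drop the function from the autoconf probe as well if nothing uses the symbol any more.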
@@ -1044,31 +1044,11 @@
 [AC_DEFINE([HAVE_MBEDTLS_PSA_CRYPTO_H], [0], [no])]
 )
 
- AC_CHECK_FUNCS(
- [ \
- mbedtls_cipher_write_tag \
- mbedtls_cipher_check_tag \
- ],
- ,
- [AC_MSG_ERROR([mbed TLS check for AEAD support failed])]
- )
+ AC_CHECK_FUNCS([mbedtls_ssl_tls_prf mbedtls_ssl_conf_export_keys_ext_cb])
 
- AC_CHECK_FUNC(
- [mbedtls_ssl_tls_prf],
- [AC_DEFINE([HAVE_MBEDTLS_SSL_TLS_PRF], [1], [yes])],
- [AC_DEFINE([HAVE_MBEDTLS_SSL_TLS_PRF], [0], [no])]
- )
-
- AC_CHECK_FUNC(
- [mbedtls_ssl_conf_export_keys_ext_cb],
- [AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [1], [yes])],
- [AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [0], [no])]
- )
 if test "x$ac_cv_func_mbedtls_ssl_conf_export_keys_ext_cb" != xyes; then
 AC_CHECK_FUNC(
- [mbedtls_ssl_set_export_keys_cb],
- [AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [1], [yes])],
- [AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [0], [no])]
+ [mbedtls_ssl_set_export_keys_cb]
 )
 if test "x$ac_cv_func_mbedtls_ssl_set_export_keys_cb" != xyes; then
 AC_CHECK_FUNC([mbedtls_ssl_export_keying_material])
diff --git a/src/openvpn/mbedtls_compat.h b/src/openvpn/mbedtls_compat.h
index 145a7ae..68c4cc3 100644
--- a/src/openvpn/mbedtls_compat.h
+++ b/src/openvpn/mbedtls_compat.h
@@ -48,7 +48,7 @@
 #include <mbedtls/version.h>
 #include <mbedtls/x509_crt.h>
 
-#if HAVE_MBEDTLS_PSA_CRYPTO_H
+#ifdef HAVE_MBEDTLS_PSA_CRYPTO_H
 #include <psa/crypto.h>
 #endif
 
@@ -61,14 +61,14 @@
 static inline void
 mbedtls_compat_psa_crypto_init(void)
 {
-#if HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C)
+#if defined(HAVE_MBEDTLS_PSA_CRYPTO_H) && defined(MBEDTLS_PSA_CRYPTO_C)
 if (psa_crypto_init() != PSA_SUCCESS)
 {
 msg(M_FATAL, "mbedtls: psa_crypto_init() failed");
 }
 #else
 return;
-#endif /* HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) */
+#endif
 }
 
 static inline mbedtls_compat_group_id
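Review bot: The context line at the top of this hunk, `[AC_DEFINE([HAVE_MBEDTLS_PSA_CRYPTO_H], [0], [no])]`, still defines the macro to 0 when the header is absent, but the two mbedtls_compat.h hunks in this change switch to `#ifdef HAVE_MBEDTLS_PSA_CRYPTO_H` and `defined(HAVE_MBEDTLS_PSA_CRYPTO_H)`, both of which are true for a macro defined to 0. On an autoconf build against an mbed TLS that lacks psa/crypto.h (if such a version is still in the supported range) the `#include <psa/crypto.h>` would then be attempted and the psa_crypto_init() branch compiled, which is the 0/1 mix-up this change sets out to remove. Drop the not-found action so the symbol stays undefined, as this hunk already does for the `mbedtls_ssl_set_export_keys_cb` check; the check's opening lines are above the hunk, and if it is an AC_CHECK_HEADERS call its default action already defines the symbol, making the found-branch AC_DEFINE redundant as well.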
@@ -96,7 +96,7 @@
 {
 #if MBEDTLS_VERSION_NUMBER > 0x03000000
 return mbedtls_ctr_drbg_update(ctx, additional, add_len);
-#elif HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET
+#elif defined(HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET)
 return mbedtls_ctr_drbg_update_ret(ctx, additional, add_len);
 #else
 mbedtls_ctr_drbg_update(ctx, additional, add_len);
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index ecccc26..2e0c7d2 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -173,8 +173,9 @@
 ASSERT(NULL != ctx);
 return ctx->initialised;
 }
-
-#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB
+#ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+/* mbedtls_ssl_export_keying_material does not need helper/callback methods */
+#elif defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB)
 /*
 * Key export callback for older versions of mbed TLS, to be used with
 * mbedtls_ssl_conf_export_keys_ext_cb(). It is called with the master
@@ -205,7 +206,7 @@
 return 0;
 }
 
-#elif HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB
+#elif defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB)
 /*
 * Key export callback for newer versions of mbed TLS, to be used with
 * mbedtls_ssl_set_export_keys_cb(). When used with TLS 1.2, the callback
@@ -251,10 +252,11 @@
 memcpy(cache->master_secret, secret, sizeof(cache->master_secret));
 cache->tls_prf_type = tls_prf_type;
 }
-#elif !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
+#elif /* ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */
 #error mbedtls_ssl_conf_export_keys_ext_cb, mbedtls_ssl_set_export_keys_cb or mbedtls_ssl_export_keying_material must be available in mbed TLS
 #endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */
 
+
 bool
 key_state_export_keying_material(struct tls_session *session,
 const char *label, size_t label_size,
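Review bot: In the ssl_mbedtls.c hunk at line 251, `#elif /* ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */` leaves the `#elif` with no expression once the comment is stripped, so in exactly the configuration this branch exists for (no export mechanism found) the preprocessor reports an empty `#elif` rather than reaching the `#error` with its explanatory message; when an earlier branch was taken most compilers do not evaluate the expression, which is why a normal build does not notice. The old `!defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)` test is indeed redundant now that the chain opens with `#ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT` in the hunk at line 173, but the right replacement is a plain `#else`, and the `#endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */` comment is stale for the same reason. Suggest `#else /* no keying material export mechanism available */` and `#endif /* MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */`, so the build-time guard that the EKM path cannot be compiled without an export mechanism keeps its intended diagnostic.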
@@ -1244,7 +1246,7 @@
 mbedtls_ssl_conf_max_tls_version(ks_ssl->ssl_config, version);
 }
 
-#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
+#if defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
 /* Initialize keying material exporter, old style. */
 mbedtls_ssl_conf_export_keys_ext_cb(ks_ssl->ssl_config,
 mbedtls_ssl_export_keys_cb, session);
@@ -1259,7 +1261,7 @@
 * verification. */
 ASSERT(mbed_ok(mbedtls_ssl_set_hostname(ks_ssl->ctx, NULL)));
 
-#if HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
+#if defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
 /* Initialize keying material exporter, new style. */
 mbedtls_ssl_set_export_keys_cb(ks_ssl->ctx, mbedtls_ssl_export_keys_cb, session);
 #endif
-- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Gerrit-Change-Number: 1081 Gerrit-PatchSet: 4 Gerrit-Owner: plaisthos <arne-open...@rfc2549.org> Gerrit-Reviewer: flichtenheld <fr...@lichtenheld.com> Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net> Gerrit-Attention: plaisthos <arne-open...@rfc2549.org> Gerrit-Attention: flichtenheld <fr...@lichtenheld.com> Gerrit-MessageType: newpatchset