| Message ID | 20210812085300.4738-1-a@unstable.cc |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [Openvpn-devel,v2] mbedtls: do not define mbedtls_ctr_drbg_update_ret when not needed | expand |
On 12/08/2021 10:53, Antonio Quartulli wrote: > The mbedtls_ctr_drbg_update_ret() function was backported to various > older branches, including 2.14 and 2.7. > To aqvoid making the if guard too complex, let's detect if this function > exist at configure time. > All versions not having this function, will use our compat code. > > Cc: Max Fillinger <maximilian.fillinger@foxcrypto.com> > Signed-off-by: Antonio Quartulli <a@unstable.cc> Thanks again for cleaning up my mess! Compile-tested with mbedtls versions 2.27.0 2.26.0 2.25.0 2.16.11 2.15.1 2.14.1 2.14.0 2.12.0 2.7.19 2.7.0 All good! (Typo: "aqvoid" in the commit message, but that can be fixed when committing it, right?) Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Thanks :-) (verified on that slightly old NetBSD 8.1 buildslave,
and on more current installations)
Your patch has been applied to the master branch.
commit 2b9bbaadf44d4978c07abfdb5cce147c71cd9e8d
Author: Antonio Quartulli
Date: Thu Aug 12 10:53:00 2021 +0200
mbedtls: do not define mbedtls_ctr_drbg_update_ret when not needed
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Message-Id: <20210812085300.4738-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22734.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
--
kind regards,
Gert Doering
diff --git a/configure.ac b/configure.ac index 56b536dc..5d378962 100644 --- a/configure.ac +++ b/configure.ac @@ -891,6 +891,12 @@ elif test "${with_crypto_library}" = "mbedtls"; then [have_export_keying_material="no"] ) + AC_CHECK_FUNC( + [mbedtls_ctr_drbg_update_ret], + AC_DEFINE([HAVE_CTR_DRBG_UPDATE_RET], [1], + [Use mbedtls_ctr_drbg_update_ret from mbed TLS]), + ) + CFLAGS="${saved_CFLAGS}" LIBS="${saved_LIBS}" AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library]) diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 1853335e..cea88f41 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -66,8 +66,11 @@ * Compatibility: mbedtls_ctr_drbg_update was deprecated in mbedtls 2.16 and * replaced with mbedtls_ctr_drbg_update_ret, which returns an error code. * For older versions, we call mbedtls_ctr_drbg_update and return 0 (success). + * + * Note: this change was backported to other mbedTLS branches, therefore we + * rely on function detection at configure time. */ -#if MBEDTLS_VERSION_NUMBER < 0x02100000 +#ifndef HAVE_CTR_DRBG_UPDATE_RET static int mbedtls_ctr_drbg_update_ret(mbedtls_ctr_drbg_context *ctx, const unsigned char *additional, size_t add_len)
The mbedtls_ctr_drbg_update_ret() function was backported to various older branches, including 2.14 and 2.7. To aqvoid making the if guard too complex, let's detect if this function exist at configure time. All versions not having this function, will use our compat code. Cc: Max Fillinger <maximilian.fillinger@foxcrypto.com> Signed-off-by: Antonio Quartulli <a@unstable.cc> --- Compile tests: * Testing mbedtls-2.7.19... * mbedtls-2.7.19 OK * Testing mbedtls-2.10.0... * mbedtls-2.10.0 OK * Testing mbedtls-2.14.1... * mbedtls-2.14.1 OK * Testing mbedtls-2.16.11... * mbedtls-2.16.11 OK * Testing mbedtls-2.20.0... * mbedtls-2.20.0 OK * Testing mbedtls-2.26.0... * mbedtls-2.26.0 OK * Testing mbedtls-2.27.0... * mbedtls-2.27.0 OK configure.ac | 6 ++++++ src/openvpn/ssl_mbedtls.c | 5 ++++- 2 files changed, 10 insertions(+), 1 deletion(-)