[Openvpn-devel] Fix compilation with older mbed TLS versions (mbedtls_tls_prf_types undefined)

Message ID 20200825041647.26235-1-arne@rfc2549.org
State Accepted
Headers show
Series
  • [Openvpn-devel] Fix compilation with older mbed TLS versions (mbedtls_tls_prf_types undefined)
Related show

Commit Message

Arne Schwabe Aug. 25, 2020, 4:16 a.m.
The usage of the new keying material methods was not properly guarded.

To avoid a number of ifdefs this commit uses a dummy struct and function.
When we eventually drop support for non-EKM mbed TLS version we can remove
these.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/ssl_mbedtls.c | 10 ++++++++++
 src/openvpn/ssl_mbedtls.h |  5 ++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

Comments

Gert Doering Aug. 28, 2020, 1:25 p.m. | #1
Acked-by: Gert Doering <gert@greenie.muc.de>

Thanks for this.  I have tried to review it without having to understand
all of the EKM/PRF stuff, and it sort of looks reasonable.  The approach
of not having more #ifdefs in the common code is certainly welcome.

I have *tested* it, though, on some of the buildbots that failed before,
and this looks all reasonable (NetBSD 8.1 with mbedtls-2.14.1), plus
Linux with a very recent mbedtls (2.22.0).  All succeeded.

Your patch has been applied to the master branch.

commit 136c5f015c3e7eceecc07a45655d5da5616e9131
Author: Arne Schwabe
Date:   Tue Aug 25 06:16:47 2020 +0200

     Fix compilation with older mbed TLS versions (mbedtls_tls_prf_types undefined)

     Signed-off-by: Arne Schwabe <arne@rfc2549.org>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20200825041647.26235-1-arne@rfc2549.org>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20812.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index 4287b59e..4ec355a9 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -253,6 +253,16 @@  key_state_export_keying_material(struct tls_session *session,
         return  NULL;
     }
 }
+#else
+unsigned char*
+key_state_export_keying_material(struct tls_session *session,
+                                 const char* label, size_t label_size,
+                                 size_t ekm_size,
+                                 struct gc_arena *gc)
+{
+    /* Dummy function to avoid ifdefs in the common code */
+    return NULL;
+}
 #endif /* HAVE_EXPORT_KEYING_MATERIAL */
 
 bool
diff --git a/src/openvpn/ssl_mbedtls.h b/src/openvpn/ssl_mbedtls.h
index 17aae551..ff64e17c 100644
--- a/src/openvpn/ssl_mbedtls.h
+++ b/src/openvpn/ssl_mbedtls.h
@@ -82,6 +82,7 @@  struct external_context {
     void *sign_ctx;
 };
 
+#ifdef HAVE_EXPORT_KEYING_MATERIAL
 /** struct to cache TLS secrets for keying material exporter (RFC 5705).
  * The constants (64 and 48) are inherent to TLS version and
  * the whole keying material export will likely change when they change */
@@ -90,6 +91,9 @@  struct tls_key_cache {
     mbedtls_tls_prf_types tls_prf_type;
     unsigned char master_secret[48];
 };
+#else
+struct tls_key_cache { };
+#endif
 
 /**
  * Structure that wraps the TLS context. Contents differ depending on the
@@ -124,7 +128,6 @@  struct key_state_ssl {
     bio_ctx *bio_ctx;
 
     struct tls_key_cache tls_key_cache;
-
 };
 
 /**