[Openvpn-devel] Move keying material exporter check from syshead.h to configure.ac

Message ID E1itVts-0007ZG-L0@sfs-ml-2.v29.lw.sourceforge.com
State Accepted

Commit Message

Steffan Karger Jan. 20, 2020, 11:55 a.m.
Commit ab27c9f7 added a compile-time check for availability of
keying-material-export functionality to syshead.h. It turns out that
openvpnserv also includes syshead.h, and has ENABLE_CRYPTO_* defined in
its config.h, but doesn't have the necessary CFLAGS / LIBS to actually
compile and link against the crypto libraries. That of course breaks
openvpnserv builds.

To fix this, change the compile-time check in syshead.h into a
configure-time check in configure.ac. That's more consistent with how we
do other feature checks anyway.

Signed-off-by: Steffan Karger <steffan.karger@foxcrypto.com>
---
 configure.ac              | 20 ++++++++++++++++++++
 src/openvpn/init.c        |  4 ++--
 src/openvpn/options.c     |  4 ++--
 src/openvpn/options.h     |  2 +-
 src/openvpn/ssl_mbedtls.c |  6 +++---
 src/openvpn/syshead.h     | 13 -------------
 6 files changed, 28 insertions(+), 21 deletions(-)

Patch

diff --git a/configure.ac b/configure.ac
index a47e0a06..98fd39ce 100644
--- a/configure.ac
+++ b/configure.ac
@@ -912,6 +912,13 @@  if test "${with_crypto_library}" = "openssl"; then
 		[have_crypto_aead_modes="no"; break]
 	)
 
+	have_export_keying_material="yes"
+	AC_CHECK_FUNCS(
+		[SSL_export_keying_material],
+		,
+		[have_export_keying_material="no"; break]
+	)
+
 	AC_CHECK_FUNCS(
 		[ \
 			HMAC_CTX_new \
@@ -1010,6 +1017,13 @@  elif test "${with_crypto_library}" = "mbedtls"; then
 		[have_crypto_aead_modes="no"; break]
 	)
 
+	have_export_keying_material="yes"
+	AC_CHECK_FUNCS(
+		[mbedtls_ssl_conf_export_keys_ext_cb],
+		,
+		[have_export_keying_material="no"; break]
+	)
+
 	CFLAGS="${saved_CFLAGS}"
 	LIBS="${saved_LIBS}"
 	AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library])
@@ -1217,6 +1231,12 @@  test "${enable_strict_options}" = "yes" && AC_DEFINE([ENABLE_STRICT_OPTIONS_CHEC
 
 test "${enable_crypto_ofb_cfb}" = "yes" && AC_DEFINE([ENABLE_OFB_CFB_MODE], [1], [Enable OFB and CFB cipher modes])
 test "${have_crypto_aead_modes}" = "yes" && AC_DEFINE([HAVE_AEAD_CIPHER_MODES], [1], [Use crypto library])
+if test "${have_export_keying_material}" = "yes"; then
+	AC_DEFINE(
+		[HAVE_EXPORT_KEYING_MATERIAL], [1],
+		[Crypto library supports keying material exporter]
+	)
+fi
 OPTIONAL_CRYPTO_CFLAGS="${OPTIONAL_CRYPTO_CFLAGS} ${CRYPTO_CFLAGS}"
 OPTIONAL_CRYPTO_LIBS="${OPTIONAL_CRYPTO_LIBS} ${CRYPTO_LIBS}"
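Review bot: When `have_export_keying_material` ends up "no", the `if` block at L72-L77 silently leaves `HAVE_EXPORT_KEYING_MATERIAL` undefined, so `--keying-material-exporter` disappears from the build with no trace in the configure output; a user whose plugin authentication depends on RFC 5705 EKM only finds out when their config is rejected at runtime. Since this is a security-relevant feature being dropped rather than an optional optimisation, the negative case deserves a visible message, e.g. an `else` branch with `AC_MSG_WARN([crypto library has no keying material exporter; --keying-material-exporter will be unavailable])` before the `fi`. The variable is only ever assigned inside the openssl and mbedtls branches, so for any other value of `with_crypto_library` the test compares an empty string and the warning would fire as well, which seems like the right outcome.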
 
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index ce417df0..04207b61 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2931,7 +2931,7 @@  do_init_crypto_tls(struct context *c, const unsigned int flags)
     to.comp_options = options->comp;
 #endif
 
-#ifdef HAVE_EKM
+#ifdef HAVE_EXPORT_KEYING_MATERIAL
     if (options->keying_material_exporter_label)
     {
         to.ekm_size = options->keying_material_exporter_length;
@@ -2947,7 +2947,7 @@  do_init_crypto_tls(struct context *c, const unsigned int flags)
     {
         to.ekm_size = 0;
     }
-#endif /* HAVE_EKM */
+#endif /* HAVE_EXPORT_KEYING_MATERIAL */
 
     /* TLS handshake authentication (--tls-auth) */
     if (options->ce.tls_auth_file)
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 173a1eea..c459b260 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -662,7 +662,7 @@  static const char usage_message[] =
     "                  an explicit nsCertType designation t = 'client' | 'server'.\n"
     "--x509-track x  : Save peer X509 attribute x in environment for use by\n"
     "                  plugins and management interface.\n"
-#ifdef HAVE_EKM
+#ifdef HAVE_EXPORT_KEYING_MATERIAL
     "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
     "                  of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
 #endif
@@ -8506,7 +8506,7 @@  add_option(struct options *options,
         options->use_peer_id = true;
         options->peer_id = atoi(p[1]);
     }
-#ifdef HAVE_EKM
+#ifdef HAVE_EXPORT_KEYING_MATERIAL
     else if (streq(p[0], "keying-material-exporter") && p[1] && p[2])
     {
         int ekm_length = positive_atoi(p[2]);
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index 3c6b1965..2f1f6faf 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -640,7 +640,7 @@  struct options
     bool use_peer_id;
     uint32_t peer_id;
 
-#ifdef HAVE_EKM
+#ifdef HAVE_EXPORT_KEYING_MATERIAL
     /* Keying Material Exporters [RFC 5705] */
     const char *keying_material_exporter_label;
     int keying_material_exporter_length;
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index 4114bb6b..0f0b035b 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -190,7 +190,7 @@  tls_ctx_initialised(struct tls_root_ctx *ctx)
     return ctx->initialised;
 }
 
-#ifdef HAVE_EKM
+#ifdef HAVE_EXPORT_KEYING_MATERIAL
 int mbedtls_ssl_export_keys_cb(void *p_expkey, const unsigned char *ms,
                                const unsigned char *kb, size_t maclen,
                                size_t keylen, size_t ivlen,
@@ -223,7 +223,7 @@  int mbedtls_ssl_export_keys_cb(void *p_expkey, const unsigned char *ms,
 
     return ret;
 }
-#endif /* HAVE_EKM */
+#endif /* HAVE_EXPORT_KEYING_MATERIAL */
 
 void
 key_state_export_keying_material(struct key_state_ssl *ssl,
@@ -1120,7 +1120,7 @@  key_state_ssl_init(struct key_state_ssl *ks_ssl,
         }
     }
 
-#if MBEDTLS_VERSION_NUMBER >= 0x02120000
+#if HAVE_EXPORT_KEYING_MATERIAL
     /* Initialize keying material exporter */
     if (session->opt->ekm_size)
     {
diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h
index 413ce623..b031dd60 100644
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
@@ -550,14 +550,9 @@  socket_defined(const socket_descriptor_t sd)
 #endif
 
 #ifdef ENABLE_CRYPTO_MBEDTLS
-#include <mbedtls/version.h>
 #define ENABLE_PREDICTION_RESISTANCE
 #endif /* ENABLE_CRYPTO_MBEDTLS */
 
-#ifdef ENABLE_CRYPTO_OPENSSL
-#include <openssl/opensslv.h>
-#endif /* ENABLE_CRYPTO_OPENSSL */
-
 /*
  * Enable packet filter?
  */
@@ -602,14 +597,6 @@  socket_defined(const socket_descriptor_t sd)
 #define ENABLE_CRYPTOAPI
 #endif
 
-/*
- * Do we support RFC 5705 keying material exporters?
- */
-#if (defined(ENABLE_CRYPTO_MBEDTLS) && MBEDTLS_VERSION_NUMBER >= 0x02120000) || \
-    (defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000)
-#define HAVE_EKM
-#endif
-
 /*
  * Is poll available on this platform?
  */