[Openvpn-devel] Fix compilation with older mbed TLS versions (mbedtls_tls_prf_types undefined)

Message ID 20200825041647.26235-1-arne@rfc2549.org
State Accepted
Series [Openvpn-devel] Fix compilation with older mbed TLS versions (mbedtls_tls_prf_types undefined)

Commit Message

Arne Schwabe Aug. 24, 2020, 6:16 p.m. UTC
The usage of the new keying material methods was not properly guarded.

To avoid a number of ifdefs this commit uses a dummy struct and function.
When we eventually drop support for non-EKM mbed TLS versions we can remove
these.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/ssl_mbedtls.c | 10 ++++++++++
 src/openvpn/ssl_mbedtls.h |  5 ++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

Comments

Gert Doering Aug. 28, 2020, 3:25 a.m. UTC | #1
Acked-by: Gert Doering <gert@greenie.muc.de>

Thanks for this.  I have tried to review it without having to understand
all of the EKM/PRF stuff, and it sort of looks reasonable.  The approach
of not having more #ifdefs in the common code is certainly welcome.

I have *tested* it, though, on some of the buildbots that failed before,
and this looks all reasonable (NetBSD 8.1 with mbedtls-2.14.1), plus
Linux with a very recent mbedtls (2.22.0).  All succeeded.

Your patch has been applied to the master branch.

commit 136c5f015c3e7eceecc07a45655d5da5616e9131
Author: Arne Schwabe
Date:   Tue Aug 25 06:16:47 2020 +0200

     Fix compilation with older mbed TLS versions (mbedtls_tls_prf_types undefined)

     Signed-off-by: Arne Schwabe <arne@rfc2549.org>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20200825041647.26235-1-arne@rfc2549.org>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20812.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index 4287b59e..4ec355a9 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -253,6 +253,16 @@  key_state_export_keying_material(struct tls_session *session,
         return  NULL;
     }
 }
+#else
+unsigned char*
+key_state_export_keying_material(struct tls_session *session,
+                                 const char* label, size_t label_size,
+                                 size_t ekm_size,
+                                 struct gc_arena *gc)
+{
+    /* Dummy function to avoid ifdefs in the common code */
+    return NULL;
+}
 #endif /* HAVE_EXPORT_KEYING_MATERIAL */
 
 bool
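Review bot: the stub returns NULL unconditionally, which is the same value the real implementation above uses for an export failure, so a caller cannot tell "EKM unsupported by this mbed TLS build" from "export failed"; the `/* Dummy function to avoid ifdefs in the common code */` comment should state that NULL here means unsupported, so the common code's error path can word its message accordingly. The `label`, `label_size`, `ekm_size` and `gc` parameters are unused in this branch, so builds with -Wunused-parameter will warn; casting them to void in the body would keep the build quiet without adding ifdefs to the common code.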
diff --git a/src/openvpn/ssl_mbedtls.h b/src/openvpn/ssl_mbedtls.h
index 17aae551..ff64e17c 100644
--- a/src/openvpn/ssl_mbedtls.h
+++ b/src/openvpn/ssl_mbedtls.h
@@ -82,6 +82,7 @@  struct external_context {
     void *sign_ctx;
 };
 
+#ifdef HAVE_EXPORT_KEYING_MATERIAL
 /** struct to cache TLS secrets for keying material exporter (RFC 5705).
  * The constants (64 and 48) are inherent to TLS version and
  * the whole keying material export will likely change when they change */
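Review bot: with `#ifdef HAVE_EXPORT_KEYING_MATERIAL` now selecting between two definitions of `struct tls_key_cache`, the header's struct layout depends on whether the configure macro is visible at the point of inclusion; confirm that ssl_mbedtls.h is only ever included after config.h (or includes it itself), otherwise two translation units could see different sizes for `struct key_state_ssl`, which embeds this struct by value.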
@@ -90,6 +91,9 @@  struct tls_key_cache {
     mbedtls_tls_prf_types tls_prf_type;
     unsigned char master_secret[48];
 };
+#else
+struct tls_key_cache { };
+#endif
 
 /**
  * Structure that wraps the TLS context. Contents differ depending on the
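Review bot: `struct tls_key_cache { };` is not valid ISO C (C11 6.7.2.1 requires at least one named member); GCC and Clang accept an empty struct as an extension with size 0, but a -pedantic build or MSVC will reject or warn on it. A single placeholder member, e.g. `char unused;` with a comment that it only exists for non-EKM mbed TLS builds, keeps the "no ifdefs in common code" approach and stays portable. Also, the closing `#endif` lacks the `/* HAVE_EXPORT_KEYING_MATERIAL */` trailing comment used for the matching block in ssl_mbedtls.c; adding it keeps the two files consistent.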
@@ -124,7 +128,6 @@  struct key_state_ssl {
     bio_ctx *bio_ctx;
 
     struct tls_key_cache tls_key_cache;
-
 };
 
 /**