From patchwork Fri Apr 25 13:09:54 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4226
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 25 Apr 2025 15:09:54 +0200
Message-ID: <20250425131002.21772-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.49.0
Subject: [Openvpn-devel] [PATCH v3] Fix mbed TLS key exporter functionality in 3.6.x and cmake

From: Arne Schwabe

CMake did not check for the mbedtls_ssl_set_export_keys_cb symbol when
generating an mbed TLS configuration. This causes no actual working key
exporter to be in the binary.

Also add an explicit #error to catch this situation during compilation.

Change-Id: If38e80e268dc0ee7e57de2c175c5b4db0ce55ed0
Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/920 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/CMakeLists.txt b/CMakeLists.txt index b04adce..a8fb64b 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -275,6 +275,7 @@ set(CMAKE_REQUIRED_LIBRARIES "mbedtls;mbedx509;mbedcrypto") check_symbol_exists(mbedtls_ctr_drbg_update_ret mbedtls/ctr_drbg.h HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET) check_symbol_exists(mbedtls_ssl_conf_export_keys_ext_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) + check_symbol_exists(mbedtls_ssl_set_export_keys_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) check_include_files(psa/crypto.h HAVE_MBEDTLS_PSA_CRYPTO_H) endfunction() diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index e15c391..ec3135a 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -253,6 +253,8 @@ memcpy(cache->master_secret, secret, sizeof(cache->master_secret)); cache->tls_prf_type = tls_prf_type; } +#else /* if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */ +#error either HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB or HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB must be defined when HAVE_EXPORT_KEYING_MATERIAL is defined #endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */ bool
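Review bot: in the CMakeLists.txt hunk, the new check_symbol_exists(mbedtls_ssl_set_export_keys_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) only sets a CMake variable; nothing in this hunk shows that variable being written into the generated config header, and the commit message says the missing macro is exactly what left the binary without a working exporter. Please confirm the config header template carries a matching #cmakedefine for HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB, as HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB on the line above must already have; otherwise the new #error in ssl_mbedtls.c would fire on builds where only the newer mbed TLS API exists. The check itself is consistent with its neighbours: CMAKE_REQUIRED_LIBRARIES is set to "mbedtls;mbedx509;mbedcrypto" just above, so the probe links against the same libraries as the existing mbedtls_ssl_conf_export_keys_ext_cb check.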
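Review bot: in the ssl_mbedtls.c hunk, the #error text names HAVE_EXPORT_KEYING_MATERIAL as a precondition ("... must be defined when HAVE_EXPORT_KEYING_MATERIAL is defined"), but the hunk's context lines do not show the enclosing #if/#elif chain being guarded by it; the closing "#endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */" suggests the chain is keyed on the two HAVE_MBEDTLS_SSL_* macros alone. If the new #else is not itself inside an HAVE_EXPORT_KEYING_MATERIAL block, configurations that never asked for keying-material export would now fail to compile rather than merely lack the exporter, so please confirm the outer guard or restrict the #error with an explicit #ifdef HAVE_EXPORT_KEYING_MATERIAL. Minor: the single-line #error message is long; wrapping it or shortening it to the two macro names would keep it within the file's line-length convention.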
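As an added example (my own, not OpenVPN project code), a post-configure check that applies the same rule as the patch's #error at the build-system level, so a CMake configuration that silently skipped the exporter probe is caught before compilation instead of at the first compile of ssl_mbedtls.c. It assumes that the CMake result variables HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB, HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB and HAVE_EXPORT_KEYING_MATERIAL are written into the generated config header as "#define NAME 1" (an assumption about the build; the patch only shows the check_symbol_exists() calls and the macro names). The sample headers it writes are constructed for the demonstration, not real build output.

```shell
#!/bin/sh
# Added example, not OpenVPN's own code. Run after "cmake" and before "make"
# to verify that the generated config header enables at least one of the two
# mbed TLS key-exporter code paths that src/openvpn/ssl_mbedtls.c can use.
# Assumption: CMake writes its HAVE_* results into the header as
# "#define HAVE_... 1" and "/* #undef HAVE_... */" when a probe failed.

# Exporter macros, newer API first. Either one yields a working exporter.
EXPORTER_MACROS="HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB"

# macro_defined HEADER MACRO: 0 if HEADER contains "#define MACRO 1", else 1.
# The anchored pattern ignores "/* #undef MACRO */" lines and mentions in
# comments, which a plain "grep MACRO" would wrongly count as a hit.
macro_defined() {
    grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+$2[[:space:]]+1([[:space:]]|$)" "$1"
}

# mbedtls_exporter_configured HEADER: 0 if at least one exporter macro is
# defined, 1 if neither is (the state the patch's #error now rejects).
mbedtls_exporter_configured() {
    for m in $EXPORTER_MACROS; do
        if macro_defined "$1" "$m"; then
            return 0
        fi
    done
    return 1
}

# check_config HEADER: prints a verdict and returns 0 (ok) or 1 (broken).
# Only complains when the build asked for keying-material export at all,
# mirroring the condition spelled out in the patch's #error message.
check_config() {
    if ! macro_defined "$1" HAVE_EXPORT_KEYING_MATERIAL; then
        echo "$1: keying-material export not enabled, nothing to check"
        return 0
    fi
    if mbedtls_exporter_configured "$1"; then
        echo "$1: mbed TLS key exporter callback available"
        return 0
    fi
    echo "$1: HAVE_EXPORT_KEYING_MATERIAL set but no mbed TLS exporter callback detected" >&2
    return 1
}

# make_sample_headers DIR: constructed headers for demonstration only.
make_sample_headers() {
    # Only the newer callback was found (the mbed TLS 3.6.x case in the subject).
    printf '%s\n' '#define HAVE_EXPORT_KEYING_MATERIAL 1' \
        '#define HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB 1' \
        '/* #undef HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */' > "$1/new_api.h"
    # Only the older callback was found.
    printf '%s\n' '#define HAVE_EXPORT_KEYING_MATERIAL 1' \
        '/* #undef HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB */' \
        '#define HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB 1' > "$1/old_api.h"
    # The pre-patch failure: the newer symbol was never probed, so neither
    # macro is defined although keying-material export was requested.
    printf '%s\n' '#define HAVE_EXPORT_KEYING_MATERIAL 1' \
        '/* #undef HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */' > "$1/broken.h"
    # Exporter not requested at all: must not be flagged.
    printf '%s\n' '/* #undef HAVE_EXPORT_KEYING_MATERIAL */' > "$1/no_ekm.h"
}

# Usage: sh check_exporter.sh build/config.h
if [ -n "${1:-}" ]; then
    check_config "$1"
fi
```

The check deliberately keys on the generated header rather than on the CMake cache, because the header is what the compiler sees; a variable that is set in CMakeCache.txt but never reaches config.h is precisely the kind of gap the patch closes.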