From patchwork Fri Jul 11 10:05:35 2025
X-Patchwork-Submitter: Frank Lichtenheld
X-Patchwork-Id: 4303
From: Frank Lichtenheld
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 11 Jul 2025 12:05:35 +0200
Message-Id: <20250711100535.241369-1-frank@lichtenheld.com>
Subject: [Openvpn-devel] [PATCH v2] Do not compile mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT

From: Arne Schwabe

The helper methods are only used when we don't have
MBEDTLS_SSL_KEYING_MATERIAL_EXPORT and mbedtls_ssl_export_keying_material.

Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd
Signed-off-by: Arne Schwabe
Acked-by: Frank Lichtenheld
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1081
This mail reflects revision 2 of this Change.

Acked-by according to Gerrit (reflected above):
Frank Lichtenheld

diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index ecccc26..569421c 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c 
@@ -173,8 +173,9 @@ ASSERT(NULL != ctx); return ctx->initialised; } - -#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB +#ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT +/* mbedtls_ssl_export_keying_material does not need helper/callback methods */ +#elif HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB /* * Key export callback for older versions of mbed TLS, to be used with * mbedtls_ssl_conf_export_keys_ext_cb(). It is called with the master @@ -205,7 +206,7 @@ return 0; } -#elif HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB +#elif defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) /* * Key export callback for newer versions of mbed TLS, to be used with * mbedtls_ssl_set_export_keys_cb(). When used with TLS 1.2, the callback @@ -251,10 +252,11 @@ memcpy(cache->master_secret, secret, sizeof(cache->master_secret)); cache->tls_prf_type = tls_prf_type; } -#elif !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#elif /* ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ #error mbedtls_ssl_conf_export_keys_ext_cb, mbedtls_ssl_set_export_keys_cb or mbedtls_ssl_export_keying_material must be available in mbed TLS #endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */ + bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size,
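Review bot: In the first hunk (@@ -173,8 +173,9 @@), putting `#ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT` at the head of the chain means that neither key export callback is compiled whenever that macro is defined, even if `HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB` is also set. The code that registers and uses these callbacks is not visible in this patch, so please confirm it is guarded with the same precedence; otherwise a build that has both macros would reference a helper that no longer exists. Minor style point in the same hunk: the blank line between the closing `}` of the preceding function and the conditional block is removed, so the `#ifdef` now sits directly under the brace. Keeping one blank line there reads better.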
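Review bot: The second hunk (@@ -205,7 +206,7 @@) switches this branch from a value test to `#elif defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB)`, while the sibling branch added in the first hunk still reads `#elif HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB`. The two forms differ when a macro is defined as 0, and the commit message does not mention the change. Either use `defined()` for both feature macros or keep the value test for both, and say in the commit message which convention the build system guarantees.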
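Review bot: In the third hunk (@@ -251,10 +252,11 @@), the replacement line `#elif /* ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */` has no controlling expression, only a comment. This branch is reached exactly when none of the three export mechanisms is available, so the preprocessor would report a missing `#elif` expression instead of the intended `#error` text. It should be `#else /* ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */`. The trailing `#endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */` comment also no longer matches the opening `#ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT` and should be updated. Finally, the added empty line leaves two blank lines before `bool`; one is enough.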