@@ -912,6 +912,13 @@ if test "${with_crypto_library}" = "openssl"; then
[have_crypto_aead_modes="no"; break]
)
+ have_export_keying_material="yes"
+ AC_CHECK_FUNCS(
+ [SSL_export_keying_material],
+ ,
+ [have_export_keying_material="no"; break]
+ )
+
AC_CHECK_FUNCS(
[ \
HMAC_CTX_new \
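Review bot: The new check has no comment saying what it gates, and the variable name alone does not tell a reader that it replaces the version-number test this commit removes from syshead.h; a one-line comment above `have_export_keying_material="yes"` would help, e.g. `# RFC 5705 keying material exporter support (replaces the version test formerly in syshead.h)`. The same comment belongs on the mbed TLS check in the next hunk. The `break` in the action-if-not-found only has meaning inside the per-function loop of AC_CHECK_FUNCS; with a single function it is harmless but reads as copied from the multi-function checks above.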
@@ -1010,6 +1017,13 @@ elif test "${with_crypto_library}" = "mbedtls"; then
[have_crypto_aead_modes="no"; break]
)
+ have_export_keying_material="yes"
+ AC_CHECK_FUNCS(
+ [mbedtls_ssl_conf_export_keys_ext_cb],
+ ,
+ [have_export_keying_material="no"; break]
+ )
+
CFLAGS="${saved_CFLAGS}"
LIBS="${saved_LIBS}"
AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library])
@@ -1217,6 +1231,12 @@ test "${enable_strict_options}" = "yes" && AC_DEFINE([ENABLE_STRICT_OPTIONS_CHEC
test "${enable_crypto_ofb_cfb}" = "yes" && AC_DEFINE([ENABLE_OFB_CFB_MODE], [1], [Enable OFB and CFB cipher modes])
test "${have_crypto_aead_modes}" = "yes" && AC_DEFINE([HAVE_AEAD_CIPHER_MODES], [1], [Use crypto library])
+if test "${have_export_keying_material}" = "yes"; then
+ AC_DEFINE(
+ [HAVE_EXPORT_KEYING_MATERIAL], [1],
+ [Crypto library supports keying material exporter]
+ )
+fi
OPTIONAL_CRYPTO_CFLAGS="${OPTIONAL_CRYPTO_CFLAGS} ${CRYPTO_CFLAGS}"
OPTIONAL_CRYPTO_LIBS="${OPTIONAL_CRYPTO_LIBS} ${CRYPTO_LIBS}"
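Review bot: The neighbouring lines define feature macros with the one-line `test "${var}" = "yes" && AC_DEFINE(...)` form, while the new block uses a five-line `if`/`fi`; for consistency it could read `test "${have_export_keying_material}" = "yes" && AC_DEFINE([HAVE_EXPORT_KEYING_MATERIAL], [1], [Crypto library supports keying material exporter])`. Behaviour is the same either way, since the variable is only set inside the openssl and mbedtls branches and an unset value compares unequal to yes.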
@@ -2931,7 +2931,7 @@ do_init_crypto_tls(struct context *c, const unsigned int flags)
to.comp_options = options->comp;
#endif
-#ifdef HAVE_EKM
+#ifdef HAVE_EXPORT_KEYING_MATERIAL
if (options->keying_material_exporter_label)
{
to.ekm_size = options->keying_material_exporter_length;
@@ -2947,7 +2947,7 @@ do_init_crypto_tls(struct context *c, const unsigned int flags)
{
to.ekm_size = 0;
}
-#endif /* HAVE_EKM */
+#endif /* HAVE_EXPORT_KEYING_MATERIAL */
/* TLS handshake authentication (--tls-auth) */
if (options->ce.tls_auth_file)
@@ -662,7 +662,7 @@ static const char usage_message[] =
" an explicit nsCertType designation t = 'client' | 'server'.\n"
"--x509-track x : Save peer X509 attribute x in environment for use by\n"
" plugins and management interface.\n"
-#ifdef HAVE_EKM
+#ifdef HAVE_EXPORT_KEYING_MATERIAL
"--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
" of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
#endif
@@ -8506,7 +8506,7 @@ add_option(struct options *options,
options->use_peer_id = true;
options->peer_id = atoi(p[1]);
}
-#ifdef HAVE_EKM
+#ifdef HAVE_EXPORT_KEYING_MATERIAL
else if (streq(p[0], "keying-material-exporter") && p[1] && p[2])
{
int ekm_length = positive_atoi(p[2]);
@@ -640,7 +640,7 @@ struct options
bool use_peer_id;
uint32_t peer_id;
-#ifdef HAVE_EKM
+#ifdef HAVE_EXPORT_KEYING_MATERIAL
/* Keying Material Exporters [RFC 5705] */
const char *keying_material_exporter_label;
int keying_material_exporter_length;
@@ -190,7 +190,7 @@ tls_ctx_initialised(struct tls_root_ctx *ctx)
return ctx->initialised;
}
-#ifdef HAVE_EKM
+#ifdef HAVE_EXPORT_KEYING_MATERIAL
int mbedtls_ssl_export_keys_cb(void *p_expkey, const unsigned char *ms,
const unsigned char *kb, size_t maclen,
size_t keylen, size_t ivlen,
@@ -223,7 +223,7 @@ int mbedtls_ssl_export_keys_cb(void *p_expkey, const unsigned char *ms,
return ret;
}
-#endif /* HAVE_EKM */
+#endif /* HAVE_EXPORT_KEYING_MATERIAL */
void
key_state_export_keying_material(struct key_state_ssl *ssl,
@@ -1120,7 +1120,7 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl,
}
}
-#if MBEDTLS_VERSION_NUMBER >= 0x02120000
+#if HAVE_EXPORT_KEYING_MATERIAL
/* Initialize keying material exporter */
if (session->opt->ekm_size)
{
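Review bot: `#if HAVE_EXPORT_KEYING_MATERIAL` on the changed line tests the macro's value, whereas every other site in this commit (init.c, options.c, options.h and the two ssl_mbedtls.c hunks above) uses `#ifdef`; configure defines it to 1 so both forms work today, but `#if` on an undefined macro silently evaluates to 0 and warns under -Wundef, so it should read `#ifdef HAVE_EXPORT_KEYING_MATERIAL` for consistency with the rest of the change. key_state_ssl_init starts and continues outside the hunk.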
@@ -550,14 +550,9 @@ socket_defined(const socket_descriptor_t sd)
#endif
#ifdef ENABLE_CRYPTO_MBEDTLS
-#include <mbedtls/version.h>
#define ENABLE_PREDICTION_RESISTANCE
#endif /* ENABLE_CRYPTO_MBEDTLS */
-#ifdef ENABLE_CRYPTO_OPENSSL
-#include <openssl/opensslv.h>
-#endif /* ENABLE_CRYPTO_OPENSSL */
-
/*
* Enable packet filter?
*/
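Review bot: Dropping `<mbedtls/version.h>` and `<openssl/opensslv.h>` from syshead.h removes MBEDTLS_VERSION_NUMBER and OPENSSL_VERSION_NUMBER from every unit that received them transitively; the only user this commit updates is ssl_mbedtls.c, and if another file still tests either macro in an `#if`, it now silently evaluates to 0 instead of failing to compile, disabling whatever it guards without any diagnostic. The same failure mode applies to the HAVE_EKM definition removed in the next hunk: any `#ifdef HAVE_EKM` outside the six files in the diffstat would compile out silently. A grep for both before merging is cheap insurance, and a short comment at the include site would stop the headers from being re-added later, e.g. `/* No crypto version headers here: syshead.h is also included by openvpnserv, which is built without the crypto CFLAGS/LIBS. */`.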
@@ -602,14 +597,6 @@ socket_defined(const socket_descriptor_t sd)
#define ENABLE_CRYPTOAPI
#endif
-/*
- * Do we support RFC 5705 keying material exporters?
- */
-#if (defined(ENABLE_CRYPTO_MBEDTLS) && MBEDTLS_VERSION_NUMBER >= 0x02120000) || \
- (defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000)
-#define HAVE_EKM
-#endif
-
/*
* Is poll available on this platform?
*/
Commit ab27c9f7 added a compile-time check for availability of keying-material-export functionality to syshead.h. It turns out that openvpnserv also includes syshead.h, and has ENABLE_CRYPTO_* defined in its config.h, but doesn't have the necessary CFLAGS / LIBS to actually compile and link against the crypto libraries. That of course breaks openvpnserv builds. To fix this, change the compile-time check in syshead.h into a configure-time check in configure.ac. That's more consistent with how we do other feature checks anyway. Signed-off-by: Steffan Karger <steffan.karger@foxcrypto.com> --- configure.ac | 20 ++++++++++++++++++++ src/openvpn/init.c | 4 ++-- src/openvpn/options.c | 4 ++-- src/openvpn/options.h | 2 +- src/openvpn/ssl_mbedtls.c | 6 +++--- src/openvpn/syshead.h | 13 ------------- 6 files changed, 28 insertions(+), 21 deletions(-)