From patchwork Fri Nov 10 15:35:50 2023
X-Patchwork-Submitter: "its_Giaan (Code Review)"
X-Patchwork-Id: 3423
From: "MaxF (Code Review)"
Date: Fri, 10 Nov 2023 15:35:50 +0000
To: plaisthos, flichtenheld
Cc: openvpn-devel
Subject: [Openvpn-devel] [M] Change in openvpn[master]: Enable key export with mbed TLS 3.x.y
X-Gerrit-PatchSet: 1
X-Gerrit-Change-Id: I8e90530726b7f7ba3cee0438f2d81a1ac42e821b
X-Gerrit-Change-Number: 402
X-Gerrit-Project: openvpn
X-Gerrit-Commit: d272a7798ada0ef5505e0e0164252c76d8a9d478

Attention is currently required from: flichtenheld, plaisthos.

Hello plaisthos, flichtenheld,

I'd like you to do a code review.
Please visit

    http://gerrit.openvpn.net/c/openvpn/+/402?usp=email

to review the following change.

Change subject: Enable key export with mbed TLS 3.x.y
......................................................................

Enable key export with mbed TLS 3.x.y

Change-Id: I8e90530726b7f7ba3cee0438f2d81a1ac42e821b
Signed-off-by: Max Fillinger
---
M config.h.cmake.in
M configure.ac
M src/openvpn/Makefile.am
M src/openvpn/crypto_mbedtls.c
M src/openvpn/mbedtls_compat.h
M src/openvpn/ssl_mbedtls.c
6 files changed, 83 insertions(+), 21 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/02/402/1

diff --git a/config.h.cmake.in b/config.h.cmake.in index f2cdd39..ed4978a 100644 --- a/config.h.cmake.in +++ b/config.h.cmake.in
@@ -387,7 +387,10 @@ #undef HAVE_VSNPRINTF /* we always assume a recent mbed TLS version */ -#define HAVE_CTR_DRBG_UPDATE_RET 1 +#define HAVE_MBEDTLS_PSA_CRYPTO_H 1 +#define HAVE_MBEDTLS_SSL_TLS_PRF 1 +#define HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB 1 +#define HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET 1 /* Path to ifconfig tool */ #define IFCONFIG_PATH "@IFCONFIG_PATH@" diff --git a/configure.ac b/configure.ac index 7e5763d..84eaad6 100644 --- a/configure.ac +++ b/configure.ac @@ -1025,11 +1025,11 @@ [AC_MSG_ERROR([mbed TLS version >= 2.0.0 or >= 3.2.1 required])] ) - AC_CHECK_HEADER( - psa/crypto.h, - [AC_DEFINE([MBEDTLS_HAVE_PSA_CRYPTO_H], [1], [yes])], - [AC_DEFINE([MBEDTLS_HAVE_PSA_CRYPTO_H], [0], [no])] - ) + AC_CHECK_HEADER( + psa/crypto.h, + [AC_DEFINE([HAVE_MBEDTLS_PSA_CRYPTO_H], [1], [yes])], + [AC_DEFINE([HAVE_MBEDTLS_PSA_CRYPTO_H], [0], [no])] + ) AC_CHECK_FUNCS( [ \ @@ -1040,16 +1040,32 @@ [AC_MSG_ERROR([mbed TLS check for AEAD support failed])] ) + AC_CHECK_FUNC( + [mbedtls_ssl_tls_prf], + [AC_DEFINE([HAVE_MBEDTLS_SSL_TLS_PRF], [1], [yes])], + [AC_DEFINE([HAVE_MBEDTLS_SSL_TLS_PRF], [0], [no])] + ) + have_export_keying_material="yes" AC_CHECK_FUNC( [mbedtls_ssl_conf_export_keys_ext_cb], - , - [have_export_keying_material="no"] + [AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [1], [yes])], + [AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [0], [no])] ) + if test "x$ac_cv_func_mbedtls_ssl_conf_export_keys_ext_cb" != xyes; then + AC_CHECK_FUNC( + [mbedtls_ssl_set_export_keys_cb], + [AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [1], [yes])], + [AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [0], [no])] + ) + if test "x$ac_cv_func_mbedtls_ssl_set_export_keys_cb" != xyes; then + have_export_keying_material="no" + fi + fi AC_CHECK_FUNC( [mbedtls_ctr_drbg_update_ret], - AC_DEFINE([HAVE_CTR_DRBG_UPDATE_RET], [1], + AC_DEFINE([HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET], [1], [Use mbedtls_ctr_drbg_update_ret from mbed TLS]), ) 
diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am index 52deef8..b953961 100644 --- a/src/openvpn/Makefile.am +++ b/src/openvpn/Makefile.am @@ -82,6 +82,7 @@ ovpn_dco_win.h \ platform.c platform.h \ console.c console.h console_builtin.c console_systemd.c \ + mbedtls_compat.h \ mroute.c mroute.h \ mss.c mss.h \ mstats.c mstats.h \ diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c index aaf6ef7..ad3439c 100644 --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c @@ -989,8 +989,9 @@ return diff; } -/* mbedtls-2.18.0 or newer */ -#ifdef HAVE_MBEDTLS_SSL_TLS_PRF +/* mbedtls-2.18.0 or newer implements tls_prf, but prf_tls1 is removed + * from recent versions, so we use our own implementation if necessary. */ +#if HAVE_MBEDTLS_SSL_TLS_PRF && defined(MBEDTLS_SSL_TLS_PRF_TLS1) bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, uint8_t *output, int output_len) @@ -999,7 +1000,7 @@ secret_len, "", seed, seed_len, output, output_len)); } -#else /* ifdef HAVE_MBEDTLS_SSL_TLS_PRF */ +#else /* HAVE_MBEDTLS_SSL_TLS_PRF && defined(MBEDTLS_SSL_TLS_PRF_TLS1) */ /* * Generate the hash required by for the \c tls1_PRF function. * @@ -1128,5 +1129,5 @@ gc_free(&gc); return true; } -#endif /* ifdef HAVE_MBEDTLS_SSL_TLS_PRF */ +#endif /* HAVE_MBEDTLS_SSL_TLS_PRF && defined(MBEDTLS_SSL_TLS_PRF_TLS1) */ #endif /* ENABLE_CRYPTO_MBEDTLS */ diff --git a/src/openvpn/mbedtls_compat.h b/src/openvpn/mbedtls_compat.h index fe7c3f9..610215b 100644 --- a/src/openvpn/mbedtls_compat.h +++ b/src/openvpn/mbedtls_compat.h @@ -33,6 +33,8 @@ #ifndef MBEDTLS_COMPAT_H_ #define MBEDTLS_COMPAT_H_ +#include "syshead.h" + #include "errlevel.h" #include 
@@ -41,24 +43,25 @@ #include #include #include +#include #include #include -#if MBEDTLS_HAVE_PSA_CRYPTO_H +#if HAVE_MBEDTLS_PSA_CRYPTO_H #include #endif static inline void mbedtls_compat_psa_crypto_init(void) { -#if MBEDTLS_HAVE_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) +#if HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) if (psa_crypto_init() != PSA_SUCCESS) { msg(M_FATAL, "mbedtls: psa_crypto_init() failed"); } #else return; -#endif /* MBEDTLS_HAVE_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) */ +#endif /* HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) */ } /* @@ -74,14 +77,14 @@ const unsigned char *additional, size_t add_len) { -#if HAVE_CTR_DRBG_UPDATE_RET +#if HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET return mbedtls_ctr_drbg_update_ret(ctx, additional, add_len); #elif MBEDTLS_VERSION_NUMBER < 0x03020100 mbedtls_ctr_drbg_update(ctx, additional, add_len); return 0; #else return mbedtls_ctr_drbg_update(ctx, additional, add_len); -#endif /* HAVE_CTR_DRBG_UPDATE_RET */ +#endif /* HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET */ } static inline int diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 4ece37e..09559be 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -173,6 +173,8 @@ } #ifdef HAVE_EXPORT_KEYING_MATERIAL + +#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB int mbedtls_ssl_export_keys_cb(void *p_expkey, const unsigned char *ms, const unsigned char *kb, size_t maclen, 
@@ -193,8 +195,38 @@ memcpy(cache->master_secret, ms, sizeof(cache->master_secret)); cache->tls_prf_type = tls_prf_type; - return true; + return 0; } +#elif HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB +void +mbedtls_ssl_export_keys_cb(void *p_expkey, + mbedtls_ssl_key_export_type type, + const unsigned char *secret, + size_t secret_len, + const unsigned char client_random[32], + const unsigned char server_random[32], + mbedtls_tls_prf_types tls_prf_type) +{ + if (type != MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET) + { + return; + } + + struct tls_session *session = p_expkey; + struct key_state_ssl *ks_ssl = &session->key[KS_PRIMARY].ks_ssl; + struct tls_key_cache *cache = &ks_ssl->tls_key_cache; + + if (secret_len != sizeof(cache->master_secret)) + { + return; + } + + memcpy(cache->client_server_random, client_random, 32); + memcpy(cache->client_server_random + 32, server_random, 32); + memcpy(cache->master_secret, secret, sizeof(cache->master_secret)); + cache->tls_prf_type = tls_prf_type; +} +#endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */ bool key_state_export_keying_material(struct tls_session *session, @@ -212,6 +244,7 @@ return false; } + msg(M_INFO, "running prf"); int ret = mbedtls_ssl_tls_prf(cache->tls_prf_type, cache->master_secret, sizeof(cache->master_secret), label, cache->client_server_random, @@ -1205,8 +1238,8 @@ mbedtls_ssl_conf_max_version(ks_ssl->ssl_config, major, minor); } -#ifdef HAVE_EXPORT_KEYING_MATERIAL - /* Initialize keying material exporter */ +#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB + /* Initialize keying material exporter, old style. */ mbedtls_ssl_conf_export_keys_ext_cb(ks_ssl->ssl_config, mbedtls_ssl_export_keys_cb, session); #endif 
@@ -1216,6 +1249,11 @@ mbedtls_ssl_init(ks_ssl->ctx); mbed_ok(mbedtls_ssl_setup(ks_ssl->ctx, ks_ssl->ssl_config)); +#if HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB + /* Initialize keying material exporter, new style. */ + mbedtls_ssl_set_export_keys_cb(ks_ssl->ctx, mbedtls_ssl_export_keys_cb, session); +#endif + /* Initialise BIOs */ ALLOC_OBJ_CLEAR(ks_ssl->bio_ctx, bio_ctx); mbedtls_ssl_set_bio(ks_ssl->ctx, ks_ssl->bio_ctx, ssl_bio_write,
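
Review bot: In config.h.cmake.in (hunk at -387), HAVE_MBEDTLS_PSA_CRYPTO_H, HAVE_MBEDTLS_SSL_TLS_PRF and HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB are hard-coded to 1, while configure.ac in this same patch probes each of them and still accepts "mbed TLS version >= 2.0.0 or >= 3.2.1". A CMake build against a library that only provides mbedtls_ssl_conf_export_keys_ext_cb would select the new-style callback and registration and fail to build. Either probe these in CMake the way configure.ac does, or state next to the "we always assume a recent mbed TLS version" comment which minimum version the CMake build requires.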
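
Review bot: In configure.ac (hunk at -1040), HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB is only defined inside the `if test "x$ac_cv_func_mbedtls_ssl_conf_export_keys_ext_cb" != xyes` branch, so when the old function is found the macro is left undefined instead of 0, unlike the other macros added here that get an explicit 0. The `#elif HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB` and `#if HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB` tests in ssl_mbedtls.c then depend on the preprocessor treating an undefined name as 0. The same applies to HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET, whose AC_CHECK_FUNC has no not-found action but is tested with `#if` in mbedtls_compat.h. Suggest running both export-callback checks unconditionally with a 1/0 define each, and deriving have_export_keying_material from the two cache variables afterwards.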
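
Review bot: In crypto_mbedtls.c (hunk at -989), the new guard `#if HAVE_MBEDTLS_SSL_TLS_PRF && defined(MBEDTLS_SSL_TLS_PRF_TLS1)` only works if MBEDTLS_SSL_TLS_PRF_TLS1 is a preprocessor macro. The value passed around in this patch is of type mbedtls_tls_prf_types; if MBEDTLS_SSL_TLS_PRF_TLS1 is an enumerator of that type, `defined()` is always false and the fallback ssl_tls1_PRF implementation is compiled on every version, including those where the library call would have worked. Please confirm which it is, and if it is an enumerator, key the condition on MBEDTLS_VERSION_NUMBER instead, as mbedtls_compat.h already does for mbedtls_ctr_drbg_update.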
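
Review bot: In ssl_mbedtls.c (hunk at -193), the new-style mbedtls_ssl_export_keys_cb returns silently on `secret_len != sizeof(cache->master_secret)` and on any type other than MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET. Because the callback is void, the only effect is that tls_key_cache keeps whatever it held before, with nothing in the log to explain a later export failure. Suggest a msg() at warning level on the length mismatch and making sure the cache is marked unusable in that case, so key_state_export_keying_material cannot run the PRF over stale or empty values. The literal 32 in the two memcpy calls into client_server_random would also be safer as a named constant with a static assert that the buffer holds both randoms.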
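
Review bot: In ssl_mbedtls.c (hunk at -212), `msg(M_INFO, "running prf");` in key_state_export_keying_material looks like leftover debugging output. It would print at the default log level on every keying-material export and carries no context. Please drop it, or move it to a debug level with a message that names the function.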
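
Review bot: In ssl_mbedtls.c (hunks at -1205 and -1216), the two registration calls are now guarded only by `#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB` and `#if HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB`, while mbedtls_ssl_export_keys_cb itself is still defined inside `#ifdef HAVE_EXPORT_KEYING_MATERIAL` (hunk at -173). The removed `#ifdef HAVE_EXPORT_KEYING_MATERIAL` kept definition and use in step. With the new guards, a configuration that sets one of the HAVE_MBEDTLS_* macros without HAVE_EXPORT_KEYING_MATERIAL references an undeclared function. The two registration blocks are also independent `#if`s whereas the callback definitions are `#if`/`#elif`, so if both macros were ever 1 the new-style setter would be handed the old-style callback. Suggest keeping the outer HAVE_EXPORT_KEYING_MATERIAL guard and using the same `#if`/`#elif` ordering at the registration sites.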