From patchwork Mon Apr 12 07:46:17 2021
X-Patchwork-Submitter: Maximilian Fillinger
X-Patchwork-Id: 1735
From: Max Fillinger
Date: Mon, 12 Apr 2021 19:46:17 +0200
Subject: [Openvpn-devel] [PATCH] Fix build with mbedtls w/o SSL renegotiation support

In mbedtls, support for SSL renegotiation can be disabled at compile-time. However, OpenVPN cannot be built with such a library because it calls mbedtls_ssl_conf_renegotiation() to disable this feature at runtime. This function doesn't exist when mbedtls was built without support for SSL renegotiation.

This commit fixes the build by ifdef'ing out the function call when mbedtls was built without support for SSL renegotiation.
Signed-off-by: Max Fillinger --- src/openvpn/ssl_mbedtls.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 8917fb18..7e2f0f5d 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -1086,10 +1086,13 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl, { mbedtls_ssl_conf_curves(ks_ssl->ssl_config, ssl_ctx->groups); } - /* Disable TLS renegotiations. OpenVPN's renegotiation creates new SSL - * session and does not depend on this feature. And TLS renegotiations have - * been problematic in the past */ + + /* Disable TLS renegotiations if the mbedtls library supports that feature. + * OpenVPN's renegotiation creates new SSL sessions and does not depend on + * this feature and TLS renegotiations have been problematic in the past. */ +#if defined(MBEDTLS_SSL_RENEGOTIATION) mbedtls_ssl_conf_renegotiation(ks_ssl->ssl_config, MBEDTLS_SSL_RENEGOTIATION_DISABLED); +#endif /* MBEDTLS_SSL_RENEGOTIATION */ /* Disable record splitting (for now). OpenVPN assumes records are sent * unfragmented, and changing that will require thorough review and
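Review bot: The #if defined(MBEDTLS_SSL_RENEGOTIATION) guard around mbedtls_ssl_conf_renegotiation() is the right fix, but the new comment should spell out what the excluded case means for security: per the commit message, a library built without MBEDTLS_SSL_RENEGOTIATION has no renegotiation support at all, so in that build there is nothing to disable and renegotiation is off by construction. As written, someone reading the #endif branch could conclude that such builds silently leave TLS renegotiation enabled. Suggest a one-line note before the #endif, e.g. "/* Without MBEDTLS_SSL_RENEGOTIATION the library cannot renegotiate, so nothing needs disabling. */". Minor style point: the replacement comment runs two sentences together ("... does not depend on this feature and TLS renegotiations have been problematic in the past."); keep the period between them as the original comment did.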