From patchwork Tue May 27 16:03:50 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4265
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 27 May 2025 18:03:50 +0200
Message-ID: <20250527160356.10871-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v3] Remove HAVE_EXPORT_KEYING_MATERIAL macro

From: Max Fillinger

This was always defined in all supported versions of OpenSSL and WolfSSL. EKM is available in mbedtls versions from 2.18.0 onwards. This commit breaks builds on Debian 11 with the stock mbed TLS package.

Change-Id: Icbfffae877f8eca8d94721a4d54e140c50d4a550
Signed-off-by: MaxF Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1043 This mail reflects revision 3 of this Change. Signed-off-by line for the author was added as per our policy. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/config.h.cmake.in b/config.h.cmake.in index 5164ce3..5df0ac8 100644 --- a/config.h.cmake.in +++ b/config.h.cmake.in @@ -120,9 +120,6 @@ /* Define to 1 if you have the header file. */ #cmakedefine HAVE_ERR_H -/* Crypto library supports keying material exporter */ -#define HAVE_EXPORT_KEYING_MATERIAL 1 - /* Define to 1 if you have the header file. */ #cmakedefine HAVE_FCNTL_H diff --git a/configure.ac b/configure.ac index 75367e8..1b908e6 100644 --- a/configure.ac +++ b/configure.ac @@ -988,10 +988,6 @@ [AC_MSG_ERROR([OpenSSL check for AES-256-GCM support failed])] ) - # All supported OpenSSL versions (>= 1.1.0) - # have this feature - have_export_keying_material="yes" - CFLAGS="${saved_CFLAGS}" LIBS="${saved_LIBS}" @@ -1064,7 +1060,6 @@ [AC_DEFINE([HAVE_MBEDTLS_SSL_TLS_PRF], [0], [no])] ) - have_export_keying_material="yes" AC_CHECK_FUNC( [mbedtls_ssl_conf_export_keys_ext_cb], [AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [1], [yes])], @@ -1077,7 +1072,7 @@ [AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [0], [no])] ) if test "x$ac_cv_func_mbedtls_ssl_set_export_keys_cb" != xyes; then - have_export_keying_material="no" + AC_MSG_ERROR(This version of mbed TLS has no support for exporting key material.) fi fi 
@@ -1132,17 +1127,12 @@ ) AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header wolfssl/options.h not found!])]) - # wolfSSL signal EKM support - have_export_keying_material="yes" - if test "${enable_wolfssl_options_h}" = "yes"; then AC_DEFINE([EXTERNAL_OPTS_OPENVPN], [1], [Include options.h from wolfSSL library]) else AC_DEFINE([WOLFSSL_USER_SETTINGS], [1], [Use custom user_settings.h file for wolfSSL library]) fi - have_export_keying_material="yes" - CFLAGS="${saved_CFLAGS}" LIBS="${saved_LIBS}" @@ -1346,12 +1336,6 @@ test "${enable_dns_updown_by_default}" = "yes" && AC_DEFINE([ENABLE_DNS_UPDOWN_BY_DEFAULT], [1], [Enable dns-updown hook by default]) test "${enable_ntlm}" = "yes" && AC_DEFINE([ENABLE_NTLM], [1], [Enable NTLMv2 proxy support]) test "${enable_crypto_ofb_cfb}" = "yes" && AC_DEFINE([ENABLE_OFB_CFB_MODE], [1], [Enable OFB and CFB cipher modes]) -if test "${have_export_keying_material}" = "yes"; then - AC_DEFINE( - [HAVE_EXPORT_KEYING_MATERIAL], [1], - [Crypto library supports keying material exporter] - ) -fi OPTIONAL_CRYPTO_CFLAGS="${OPTIONAL_CRYPTO_CFLAGS} ${CRYPTO_CFLAGS}" OPTIONAL_CRYPTO_LIBS="${OPTIONAL_CRYPTO_LIBS} ${CRYPTO_LIBS}" diff --git a/src/openvpn/init.c b/src/openvpn/init.c index e0ba255..15eacab 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3483,7 +3483,6 @@ to.comp_options = options->comp; #endif -#ifdef HAVE_EXPORT_KEYING_MATERIAL if (options->keying_material_exporter_label) { to.ekm_size = options->keying_material_exporter_length; @@ -3499,7 +3498,6 @@ { to.ekm_size = 0; } -#endif /* HAVE_EXPORT_KEYING_MATERIAL */ /* TLS handshake authentication (--tls-auth) */ if (options->ce.tls_auth_file) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 80dd0c0..a5eee01 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c 
@@ -1837,7 +1837,6 @@ c->c2.push_request_received = true; } -#ifdef HAVE_EXPORT_KEYING_MATERIAL if (proto & IV_PROTO_TLS_KEY_EXPORT) { o->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT; @@ -1856,7 +1855,6 @@ { o->imported_protocol_flags |= CO_USE_DYNAMIC_TLS_CRYPT; } -#endif if (proto & IV_PROTO_CC_EXIT_NOTIFY) { diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 6672b5c..6acec78 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -664,10 +664,8 @@ #endif "--x509-track x : Save peer X509 attribute x in environment for use by\n" " plugins and management interface.\n" -#ifdef HAVE_EXPORT_KEYING_MATERIAL "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n" " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n" -#endif "--remote-cert-ku v ... : Require that the peer certificate was signed with\n" " explicit key usage, you can specify more than one value.\n" " value should be given in hex format.\n" @@ -3594,10 +3592,6 @@ "calculation anymore or your security policy (e.g. FIPS 140-2) " "forbids it. Connections will only work with peers running " "OpenVPN 2.6.0 or higher)"); -#ifndef HAVE_EXPORT_KEYING_MATERIAL - msg(M_FATAL, "Keying Material Exporters (RFC 5705) not available either. " - "No way to generate data channel keys left."); -#endif if (o->mode == MODE_SERVER) { msg(M_WARN, "Automatically enabling option " @@ -8663,13 +8657,11 @@ /* NCP only option that is pushed by the server to enable EKM, * should not be used by normal users in config files*/ VERIFY_PERMISSION(OPT_P_NCP) -#ifdef HAVE_EXPORT_KEYING_MATERIAL if (streq(p[1], "tls-ekm")) { options->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT; } else -#endif { msg(msglevel, "Unknown key-derivation method %s", p[1]); } 
@@ -8686,7 +8678,6 @@ { options->imported_protocol_flags |= CO_USE_CC_EXIT_NOTIFY; } -#ifdef HAVE_EXPORT_KEYING_MATERIAL else if (streq(p[j], "tls-ekm")) { options->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT; @@ -8695,7 +8686,6 @@ { options->imported_protocol_flags |= CO_USE_DYNAMIC_TLS_CRYPT; } -#endif else if (streq(p[j], "aead-epoch")) { options->imported_protocol_flags |= CO_EPOCH_DATA_KEY_FORMAT; @@ -9452,7 +9442,6 @@ options->use_peer_id = true; options->peer_id = atoi_warn(p[1], msglevel); } -#ifdef HAVE_EXPORT_KEYING_MATERIAL else if (streq(p[0], "keying-material-exporter") && p[1] && p[2]) { int ekm_length = positive_atoi(p[2], msglevel); @@ -9479,7 +9468,6 @@ options->keying_material_exporter_label = p[1]; options->keying_material_exporter_length = ekm_length; } -#endif /* HAVE_EXPORT_KEYING_MATERIAL */ else if (streq(p[0], "allow-recursive-routing") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 8d1ef6c..b0b8d96 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -701,11 +701,9 @@ bool use_peer_id; uint32_t peer_id; -#ifdef HAVE_EXPORT_KEYING_MATERIAL /* Keying Material Exporters [RFC 5705] */ const char *keying_material_exporter_label; int keying_material_exporter_length; -#endif /* force using TLS key material export for data channel key generation */ bool force_key_material_export; diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index fd299ef..5ecf42b 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -2034,10 +2034,8 @@ buf_printf(&out, "IV_CIPHERS=%s\n", session->opt->config_ncp_ciphers); -#ifdef HAVE_EXPORT_KEYING_MATERIAL iv_proto |= IV_PROTO_TLS_KEY_EXPORT; iv_proto |= IV_PROTO_DYN_TLS_CRYPT; -#endif buf_printf(&out, "IV_PROTO=%d\n", iv_proto); diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index ec3135a..6474f80 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c 
@@ -174,8 +174,6 @@ return ctx->initialised; } -#ifdef HAVE_EXPORT_KEYING_MATERIAL - #if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB /* * Key export callback for older versions of mbed TLS, to be used with @@ -254,7 +252,7 @@ cache->tls_prf_type = tls_prf_type; } #else /* if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */ -#error either HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB or HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB must be defined when HAVE_EXPORT_KEYING_MATERIAL is defined +#error either mbedtls_ssl_conf_export_keys_ext_cb or mbedtls_ssl_set_export_keys_cb must be available in mbed TLS #endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */ bool @@ -289,16 +287,6 @@ return false; } } -#else /* ifdef HAVE_EXPORT_KEYING_MATERIAL */ -bool -key_state_export_keying_material(struct tls_session *session, - const char *label, size_t label_size, - void *ekm, size_t ekm_size) -{ - /* Dummy function to avoid ifdefs in the common code */ - return false; -} -#endif /* HAVE_EXPORT_KEYING_MATERIAL */ bool tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags) diff --git a/src/openvpn/ssl_mbedtls.h b/src/openvpn/ssl_mbedtls.h index ec30bb5..9ebb2ce 100644 --- a/src/openvpn/ssl_mbedtls.h +++ b/src/openvpn/ssl_mbedtls.h @@ -85,7 +85,6 @@ void *sign_ctx; }; -#ifdef HAVE_EXPORT_KEYING_MATERIAL /** struct to cache TLS secrets for keying material exporter (RFC 5705). * The constants (64 and 48) are inherent to TLS version and * the whole keying material export will likely change when they change */ @@ -94,9 +93,6 @@ mbedtls_tls_prf_types tls_prf_type; unsigned char master_secret[48]; }; -#else /* ifdef HAVE_EXPORT_KEYING_MATERIAL */ -struct tls_key_cache { }; -#endif /** * Structure that wraps the TLS context. Contents differ depending on the diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c index ead91da..a9cd470 100644 --- a/src/openvpn/ssl_ncp.c +++ b/src/openvpn/ssl_ncp.c 
@@ -446,7 +446,6 @@ session->opt->crypto_flags &= ~CO_EPOCH_DATA_KEY_FORMAT; } -#if defined(HAVE_EXPORT_KEYING_MATERIAL) if (iv_proto_peer & IV_PROTO_TLS_KEY_EXPORT) { session->opt->crypto_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT; @@ -479,7 +478,6 @@ { session->opt->crypto_flags |= CO_USE_DYNAMIC_TLS_CRYPT; } -#endif /* if defined(HAVE_EXPORT_KEYING_MATERIAL) */ } void
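Review bot: In the configure.ac hunk at @@ -1077,7 +1072,7 @@, the new AC_MSG_ERROR(This version of mbed TLS has no support for exporting key material.) passes its message unquoted, while the other calls visible in this file use the bracketed form, e.g. AC_MSG_ERROR([OpenSSL check for AES-256-GCM support failed]). Wrap the message in [ ] so m4 cannot expand any word in it, and consider naming the minimum version given in the commit message (mbed TLS 2.18.0) so that someone building on an older distribution sees what to upgrade to.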
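Review bot: The config.h.cmake.in hunk at @@ -120,9 +120,6 @@ removes the hard-coded #define HAVE_EXPORT_KEYING_MATERIAL 1, but nothing in this patch gives the CMake build a counterpart to the new AC_MSG_ERROR in configure.ac. With the macro gone, the only remaining guard outside autoconf is the #error in src/openvpn/ssl_mbedtls.c, which fires in the middle of compilation. If the CMake build is meant to support mbed TLS, an explicit configure-time check with the same message would fail earlier and more readably.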
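Review bot: In the src/openvpn/ssl.c hunk at @@ -2034,10 +2034,8 @@, iv_proto |= IV_PROTO_TLS_KEY_EXPORT; and iv_proto |= IV_PROTO_DYN_TLS_CRYPT; are now set unconditionally with no comment saying why. Since the dummy key_state_export_keying_material() that returned false is also removed in ssl_mbedtls.c, the advertisement to the peer relies entirely on the build-time checks. A one-line comment above these two lines stating that every supported crypto library provides the RFC 5705 exporter would keep a later reader from reintroducing a conditional or a backend without it.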