From patchwork Tue Jul 15 12:29:49 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gert Doering X-Patchwork-Id: 4308 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:8e92:b0:671:5a2c:6455 with SMTP id kd18csp1941790mab; Tue, 15 Jul 2025 05:30:18 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCVkGzfKOj70o1THUNIydPwSyLvEGRVV+Na6nJ2vvZZqkaO2Q7vi5h9sjhjN56LybAWBEQKzWYZ35RE=@openvpn.net X-Google-Smtp-Source: AGHT+IG8SiqdSdK1F3FfG323ysSVg0tILwXKt2IgAg6Dup0vzTd2BwpeYN4ICac9gWCRi9movcS+ X-Received: by 2002:a05:6830:7204:b0:738:67aa:b7c0 with SMTP id 46e09a7af769-73da7b25976mr5551062a34.1.1752582617916; Tue, 15 Jul 2025 05:30:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1752582617; cv=none; d=google.com; s=arc-20240605; b=BjxLGBcl+onjdrFG4NzbcwvoiM+imxsxHSZx2OwpC9hWQolFZQlVbUTdt+nctS35Rg M0Ctd0sd20o8gU0TuSNZHGJwASuXRXw2uCoFkSFtibcOnDl9MeYXruVhqmski/b9D5p5 M7rVlQjE6YhEP5rnvBvu7hypcx/X2/sNXd3AAgn0pb9QuoJce9iC2fIlyZm4D0Jw6zzb IBdR/urcmuP8uuEp3MYpYCytJU+shdzGRcbsJaWeKfT5Sd6TVtKBkyiusEwyjST/tC+C 3C+KUmAl+sEO+dDC5OhWsZ87TqxwoaIs1rrKUoToFMQlPg182vo/+h0YZSMTFw0loOtT ZM5Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature:dkim-signature; bh=tcVfXDu/RF6BQ9HJC9c+aMpdiE0def8dQ+SkEGuJyCk=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=gsP0iaIK1ad7AzuheNqCI06wYccNL80INe9stP/qMopcxS8PC+QaH8kRSNUnAUb7cT W2XZL06w25TuqRRdbKOrhz5mB3xN9lKl3S9NrsYXKblJWN/QsuawzO6OfE+k4QBmwL1Y uG13SRRQrNRIaTYDS4Q960hygeK3kyCaHlYsT/sp7WIh3UDVVM05zJsjo5P6Fi6QrwIE SA0jYfx35gTNQ8Nxhp0zHD+cCw2ZddYai39iP8oVVIH+AcJA3cF1R7s8g14eTgompfLt sxx4PnKr5toz6+oTbX382eWitFB5NfD1bhY828VsD/XxQ2Bm35JvzbLbHPU8XY0t/sAj 5MaQ==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b="f/6ziZWb"; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=CBzbVUWw; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=B54mD0pF; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 46e09a7af769-73cf12cc87asi6220526a34.290.2025.07.15.05.30.17 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 15 Jul 2025 05:30:17 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b="f/6ziZWb"; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=CBzbVUWw; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=B54mD0pF; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type: List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id: Subject:MIME-Version:References:In-Reply-To:Message-ID:Date:To:From:Sender: Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=tcVfXDu/RF6BQ9HJC9c+aMpdiE0def8dQ+SkEGuJyCk=; b=f/6ziZWbcelUUXkVvBsPJjuT31 Z+gqP8uGDFQDv9Q9ei16iHAFjH3IIJBAmLnFHLc4dRr5jS7p+2nXNtHtsGhWwQ2Z+ZP1L1/3qomRA gqebMx3bgMYJKlU057Y9edP5cIhNUt4NnHz8QGxlUefxIiTjKFwSIXhijhbTeUVp84j4=; Received: from [127.0.0.1] (helo=sfs-ml-3.v29.lw.sourceforge.com) by sfs-ml-3.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1ubenV-0000Wc-Rc; Tue, 15 Jul 2025 12:30:13 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-3.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1ubenT-0000WW-18 for openvpn-devel@lists.sourceforge.net; Tue, 15 Jul 2025 12:30:11 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=Qfu16lOMmlovBRjF4HAgoVVhIhbHBx1HXka36nDFnCE=; b=CBzbVUWwHqZ7QFdio4/aafVXR2 c+bibcC73Da3lcvebKOB7HzvQ+pcxZZ2hfXL6IDhJpprRAznCqm59MtoQtSFS+8fqDXtHmsALhAg6 H1t8KQWoueyI1YRxzSd4pmAt3WPshdrYHuXGt1nkEUfSCdT1sXrmeTWTRfIAfPKJalLk=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=Qfu16lOMmlovBRjF4HAgoVVhIhbHBx1HXka36nDFnCE=; b=B54mD0pFP8Lj66FdsDv/y3wdnE Xa8ZjZ9w77Y/y6HH82eIJWil9KoDlplSOJnnyiwlfdQtZIifU1gQ/iPD61Sj+nozcJnezqAajVqHD XgL0+C7jes59/oN3TC/CGyI0HzH/ySYOgzR/jbKgWzpF2nY+nezq9jd2v+FlJ4oNFyqo=; Received: from [193.149.48.143] (helo=blue.greenie.muc.de) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1ubenR-0005q2-MU for openvpn-devel@lists.sourceforge.net; Tue, 15 Jul 2025 12:30:10 +0000 Received: from blue.greenie.muc.de (localhost [127.0.0.1]) by blue.greenie.muc.de (8.17.1.9/8.17.1.9) with ESMTP id 56FCTwBe022394 for ; Tue, 15 Jul 2025 14:29:58 +0200 Received: (from gert@localhost) by blue.greenie.muc.de (8.17.1.9/8.17.1.9/Submit) id 56FCTwmC022393 for openvpn-devel@lists.sourceforge.net; Tue, 15 Jul 2025 14:29:58 +0200 From: Gert Doering To: openvpn-devel@lists.sourceforge.net Date: Tue, 15 Jul 2025 14:29:49 +0200 Message-ID: <20250715122957.22311-1-gert@greenie.muc.de> X-Mailer: git-send-email 2.49.0 In-Reply-To: References: MIME-Version: 1.0 X-Spam-Score: 1.3 (+) X-Spam-Report: Spam detection software, running on the system "sfi-spamd-2.hosts.colo.sdot.me", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Arne Schwabe Instead of a custom logic using 0/1 to be defined when the functions are present or not, use the standard check and adjust the source code accordingly. Also not compile mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT Content analysis details: (1.3 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS X-Headers-End: 1ubenR-0005q2-MU Subject: [Openvpn-devel] [PATCH v9] Cleanup/simplify mbed TLS related define from autoconf X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1837716071167800718?= X-GMAIL-MSGID: =?utf-8?q?1837716071167800718?= From: Arne Schwabe Instead of a custom logic using 0/1 to be defined when the functions are present or not, use the standard check and adjust the source code accordingly. Also not compile mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT The helper methods are only used when we don't have MBEDTLS_SSL_KEYING_MATERIAL_EXPORT and mbedtls_ssl_export_keying_material. Remove AEAD check that tests for presence of mbedtls_cipher_write_tag and mbedtls_cipher_check_tag. Having an mbed TLS version that does not support that is highly unlikely. It might have been a good check in PolarSSL's time but is not today anymore. This also adds some missing support for mbed 2.x related defines to cmake based build. Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1081 This mail reflects revision 9 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/CMakeLists.txt b/CMakeLists.txt index 40bffd4..efb2d2d 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -302,7 +302,8 @@ check_symbol_exists(mbedtls_ctr_drbg_update_ret mbedtls/ctr_drbg.h HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET) check_symbol_exists(mbedtls_ssl_conf_export_keys_ext_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) check_symbol_exists(mbedtls_ssl_set_export_keys_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) - check_include_files(psa/crypto.h HAVE_MBEDTLS_PSA_CRYPTO_H) + check_symbol_exists(mbedtls_ssl_tls_prf mbedtls/ssl.h HAVE_MBEDTLS_SSL_TLS_PRF) + check_include_files(psa/crypto.h HAVE_PSA_CRYPTO_H) endfunction() if (${MBED}) diff --git a/config.h.cmake.in b/config.h.cmake.in index 5df0ac8..1c443ab 100644 --- a/config.h.cmake.in +++ b/config.h.cmake.in @@ -370,10 +370,11 @@ #undef HAVE_VFORK_H /* Availability of different mbed TLS features and APIs */ -#cmakedefine01 HAVE_MBEDTLS_PSA_CRYPTO_H -#define HAVE_MBEDTLS_SSL_TLS_PRF 1 -#cmakedefine01 HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB -#cmakedefine01 HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET +#cmakedefine HAVE_PSA_CRYPTO_H +#cmakedefine HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB +#cmakedefine HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB +#cmakedefine HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET +#cmakedefine HAVE_MBEDTLS_SSL_TLS_PRF /* Path to ifconfig tool */ #define IFCONFIG_PATH "@IFCONFIG_PATH@" diff --git a/configure.ac b/configure.ac index 02b45f8..8fc48ba 100644 --- a/configure.ac +++ b/configure.ac @@ -1038,38 +1038,12 @@ [AC_MSG_ERROR([mbed TLS version >= 2.0.0 or >= 3.2.1 required])] ) - AC_CHECK_HEADER( - psa/crypto.h, - [AC_DEFINE([HAVE_MBEDTLS_PSA_CRYPTO_H], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_PSA_CRYPTO_H], [0], [no])] - ) + AC_CHECK_HEADERS(psa/crypto.h) - AC_CHECK_FUNCS( - [ \ - mbedtls_cipher_write_tag \ - mbedtls_cipher_check_tag \ - ], - , - [AC_MSG_ERROR([mbed TLS check for AEAD support failed])] - ) + AC_CHECK_FUNCS([mbedtls_ssl_tls_prf mbedtls_ssl_conf_export_keys_ext_cb]) - AC_CHECK_FUNC( - [mbedtls_ssl_tls_prf], - [AC_DEFINE([HAVE_MBEDTLS_SSL_TLS_PRF], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_TLS_PRF], [0], [no])] - ) - - AC_CHECK_FUNC( - [mbedtls_ssl_conf_export_keys_ext_cb], - [AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [0], [no])] - ) if test "x$ac_cv_func_mbedtls_ssl_conf_export_keys_ext_cb" != xyes; then - AC_CHECK_FUNC( - [mbedtls_ssl_set_export_keys_cb], - [AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [0], [no])] - ) + AC_CHECK_FUNCS([mbedtls_ssl_set_export_keys_cb]) if test "x$ac_cv_func_mbedtls_ssl_set_export_keys_cb" != xyes; then AC_CHECK_FUNC([mbedtls_ssl_export_keying_material]) if test "x$ac_cv_func_mbedtls_ssl_export_keying_material" != xyes; then diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c index c05902d..1f3dcba 100644 --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c @@ -981,7 +981,7 @@ } /* mbedtls-2.18.0 or newer implements tls_prf, but prf_tls1 is removed * from recent versions, so we use our own implementation if necessary. */ -#if HAVE_MBEDTLS_SSL_TLS_PRF && defined(MBEDTLS_SSL_TLS_PRF_TLS1) +#if defined(HAVE_MBEDTLS_SSL_TLS_PRF) && defined(MBEDTLS_SSL_TLS_PRF_TLS1) bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, uint8_t *output, int output_len) @@ -990,7 +990,7 @@ secret_len, "", seed, seed_len, output, output_len)); } -#else /* HAVE_MBEDTLS_SSL_TLS_PRF && defined(MBEDTLS_SSL_TLS_PRF_TLS1) */ +#else /* defined(HAVE_MBEDTLS_SSL_TLS_PRF) && defined(MBEDTLS_SSL_TLS_PRF_TLS1) */ /* * Generate the hash required by for the \c tls1_PRF function. * diff --git a/src/openvpn/mbedtls_compat.h b/src/openvpn/mbedtls_compat.h index 145a7ae..aeb0c5f 100644 --- a/src/openvpn/mbedtls_compat.h +++ b/src/openvpn/mbedtls_compat.h @@ -48,7 +48,7 @@ #include #include -#if HAVE_MBEDTLS_PSA_CRYPTO_H +#ifdef HAVE_PSA_CRYPTO_H #include #endif @@ -61,14 +61,14 @@ static inline void mbedtls_compat_psa_crypto_init(void) { -#if HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) +#if defined(HAVE_PSA_CRYPTO_H) && defined(MBEDTLS_PSA_CRYPTO_C) if (psa_crypto_init() != PSA_SUCCESS) { msg(M_FATAL, "mbedtls: psa_crypto_init() failed"); } #else return; -#endif /* HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) */ +#endif } static inline mbedtls_compat_group_id @@ -96,7 +96,7 @@ { #if MBEDTLS_VERSION_NUMBER > 0x03000000 return mbedtls_ctr_drbg_update(ctx, additional, add_len); -#elif HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET +#elif defined(HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET) return mbedtls_ctr_drbg_update_ret(ctx, additional, add_len); #else mbedtls_ctr_drbg_update(ctx, additional, add_len); diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index ecccc26..a4bb772 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -173,8 +173,9 @@ ASSERT(NULL != ctx); return ctx->initialised; } - -#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB +#ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT +/* mbedtls_ssl_export_keying_material does not need helper/callback methods */ +#elif defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) /* * Key export callback for older versions of mbed TLS, to be used with * mbedtls_ssl_conf_export_keys_ext_cb(). It is called with the master @@ -205,7 +206,7 @@ return 0; } -#elif HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB +#elif defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) /* * Key export callback for newer versions of mbed TLS, to be used with * mbedtls_ssl_set_export_keys_cb(). When used with TLS 1.2, the callback @@ -251,10 +252,11 @@ memcpy(cache->master_secret, secret, sizeof(cache->master_secret)); cache->tls_prf_type = tls_prf_type; } -#elif !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#else /* ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ #error mbedtls_ssl_conf_export_keys_ext_cb, mbedtls_ssl_set_export_keys_cb or mbedtls_ssl_export_keying_material must be available in mbed TLS #endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */ + bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, @@ -1244,7 +1246,7 @@ mbedtls_ssl_conf_max_tls_version(ks_ssl->ssl_config, version); } -#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#if defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) /* Initialize keying material exporter, old style. */ mbedtls_ssl_conf_export_keys_ext_cb(ks_ssl->ssl_config, mbedtls_ssl_export_keys_cb, session); @@ -1259,7 +1261,7 @@ * verification. */ ASSERT(mbed_ok(mbedtls_ssl_set_hostname(ks_ssl->ctx, NULL))); -#if HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#if defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) /* Initialize keying material exporter, new style. */ mbedtls_ssl_set_export_keys_cb(ks_ssl->ctx, mbedtls_ssl_export_keys_cb, session); #endif