From patchwork Mon Jan 20 00:55:18 2020
X-Patchwork-Submitter: Steffan Karger
X-Patchwork-Id: 967
From: Steffan Karger
Date: Mon, 20 Jan 2020 12:55:18 +0100
Subject: [Openvpn-devel] [PATCH] Move keying material exporter check from syshead.h to configure.ac

Commit ab27c9f7 added a compile-time check for availability of keying-material-export functionality to syshead.h. It turns out that openvpnserv also includes syshead.h, and has ENABLE_CRYPTO_* defined in its config.h, but doesn't have the necessary CFLAGS / LIBS to actually compile and link against the crypto libraries.
That of course breaks openvpnserv builds. To fix this, change the compile-time check in syshead.h into a configure-time check in configure.ac. That's more consistent with how we do other feature checks anyway. Signed-off-by: Steffan Karger --- configure.ac | 20 ++++++++++++++++++++ src/openvpn/init.c | 4 ++-- src/openvpn/options.c | 4 ++-- src/openvpn/options.h | 2 +- src/openvpn/ssl_mbedtls.c | 6 +++--- src/openvpn/syshead.h | 13 ------------- 6 files changed, 28 insertions(+), 21 deletions(-) diff --git a/configure.ac b/configure.ac index a47e0a06..98fd39ce 100644 --- a/configure.ac +++ b/configure.ac @@ -912,6 +912,13 @@ if test "${with_crypto_library}" = "openssl"; then [have_crypto_aead_modes="no"; break] ) + have_export_keying_material="yes" + AC_CHECK_FUNCS( + [SSL_export_keying_material], + , + [have_export_keying_material="no"; break] + ) + AC_CHECK_FUNCS( [ \ HMAC_CTX_new \ @@ -1010,6 +1017,13 @@ elif test "${with_crypto_library}" = "mbedtls"; then [have_crypto_aead_modes="no"; break] ) + have_export_keying_material="yes" + AC_CHECK_FUNCS( + [mbedtls_ssl_conf_export_keys_ext_cb], + , + [have_export_keying_material="no"; break] + ) + CFLAGS="${saved_CFLAGS}" LIBS="${saved_LIBS}" AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library]) @@ -1217,6 +1231,12 @@ test "${enable_strict_options}" = "yes" && AC_DEFINE([ENABLE_STRICT_OPTIONS_CHEC test "${enable_crypto_ofb_cfb}" = "yes" && AC_DEFINE([ENABLE_OFB_CFB_MODE], [1], [Enable OFB and CFB cipher modes]) test "${have_crypto_aead_modes}" = "yes" && AC_DEFINE([HAVE_AEAD_CIPHER_MODES], [1], [Use crypto library]) +if test "${have_export_keying_material}" = "yes"; then + AC_DEFINE( + [HAVE_EXPORT_KEYING_MATERIAL], [1], + [Crypto library supports keying material exporter] + ) +fi OPTIONAL_CRYPTO_CFLAGS="${OPTIONAL_CRYPTO_CFLAGS} ${CRYPTO_CFLAGS}" OPTIONAL_CRYPTO_LIBS="${OPTIONAL_CRYPTO_LIBS} ${CRYPTO_LIBS}" diff --git a/src/openvpn/init.c b/src/openvpn/init.c index ce417df0..04207b61 100644 
--- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2931,7 +2931,7 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) to.comp_options = options->comp; #endif -#ifdef HAVE_EKM +#ifdef HAVE_EXPORT_KEYING_MATERIAL if (options->keying_material_exporter_label) { to.ekm_size = options->keying_material_exporter_length; @@ -2947,7 +2947,7 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) { to.ekm_size = 0; } -#endif /* HAVE_EKM */ +#endif /* HAVE_EXPORT_KEYING_MATERIAL */ /* TLS handshake authentication (--tls-auth) */ if (options->ce.tls_auth_file) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 173a1eea..c459b260 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -662,7 +662,7 @@ static const char usage_message[] = " an explicit nsCertType designation t = 'client' | 'server'.\n" "--x509-track x : Save peer X509 attribute x in environment for use by\n" " plugins and management interface.\n" -#ifdef HAVE_EKM +#ifdef HAVE_EXPORT_KEYING_MATERIAL "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n" " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n" #endif @@ -8506,7 +8506,7 @@ add_option(struct options *options, options->use_peer_id = true; options->peer_id = atoi(p[1]); } -#ifdef HAVE_EKM +#ifdef HAVE_EXPORT_KEYING_MATERIAL else if (streq(p[0], "keying-material-exporter") && p[1] && p[2]) { int ekm_length = positive_atoi(p[2]); diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 3c6b1965..2f1f6faf 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -640,7 +640,7 @@ struct options bool use_peer_id; uint32_t peer_id; -#ifdef HAVE_EKM +#ifdef HAVE_EXPORT_KEYING_MATERIAL /* Keying Material Exporters [RFC 5705] */ const char *keying_material_exporter_label; int keying_material_exporter_length; diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 4114bb6b..0f0b035b 100644 --- a/src/openvpn/ssl_mbedtls.c 
+++ b/src/openvpn/ssl_mbedtls.c @@ -190,7 +190,7 @@ tls_ctx_initialised(struct tls_root_ctx *ctx) return ctx->initialised; } -#ifdef HAVE_EKM +#ifdef HAVE_EXPORT_KEYING_MATERIAL int mbedtls_ssl_export_keys_cb(void *p_expkey, const unsigned char *ms, const unsigned char *kb, size_t maclen, size_t keylen, size_t ivlen, @@ -223,7 +223,7 @@ int mbedtls_ssl_export_keys_cb(void *p_expkey, const unsigned char *ms, return ret; } -#endif /* HAVE_EKM */ +#endif /* HAVE_EXPORT_KEYING_MATERIAL */ void key_state_export_keying_material(struct key_state_ssl *ssl, @@ -1120,7 +1120,7 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl, } } -#if MBEDTLS_VERSION_NUMBER >= 0x02120000 +#if HAVE_EXPORT_KEYING_MATERIAL /* Initialize keying material exporter */ if (session->opt->ekm_size) { diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h index 413ce623..b031dd60 100644 --- a/src/openvpn/syshead.h +++ b/src/openvpn/syshead.h @@ -550,14 +550,9 @@ socket_defined(const socket_descriptor_t sd) #endif #ifdef ENABLE_CRYPTO_MBEDTLS -#include #define ENABLE_PREDICTION_RESISTANCE #endif /* ENABLE_CRYPTO_MBEDTLS */ -#ifdef ENABLE_CRYPTO_OPENSSL -#include -#endif /* ENABLE_CRYPTO_OPENSSL */ - /* * Enable packet filter? */ @@ -602,14 +597,6 @@ socket_defined(const socket_descriptor_t sd) #define ENABLE_CRYPTOAPI #endif -/* - * Do we support RFC 5705 keying material exporters? - */ -#if (defined(ENABLE_CRYPTO_MBEDTLS) && MBEDTLS_VERSION_NUMBER >= 0x02120000) || \ - (defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000) -#define HAVE_EKM -#endif - /* * Is poll available on this platform? */
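Review bot: In the first configure.ac hunk, the new AC_CHECK_FUNCS for SSL_export_keying_material only succeeds if LIBS already contains libssl at that point: SSL_export_keying_material lives in libssl, whereas the HMAC_CTX_new check right below it needs only libcrypto. Worth confirming that the OpenSSL CRYPTO_LIBS in effect there include -lssl, otherwise the check silently reports "no" and --keying-material-exporter disappears from OpenSSL builds.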
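Review bot: In the second configure.ac hunk, the mbedtls_ssl_conf_export_keys_ext_cb probe has the same linkage dependency: the function is in libmbedtls, not libmbedcrypto, so the check must run while saved_LIBS has not yet been restored (it does sit before `LIBS="${saved_LIBS}"` here, which is correct; please keep it that way if the block is reordered later). A short comment noting that this replaces the old MBEDTLS_VERSION_NUMBER >= 0x02120000 test would help the next reader see the intent.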
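Review bot: In the third ssl_mbedtls.c hunk the condition is written as `#if HAVE_EXPORT_KEYING_MATERIAL`, while every other site in this patch (init.c, options.c, options.h, and the two earlier ssl_mbedtls.c hunks) uses `#ifdef HAVE_EXPORT_KEYING_MATERIAL`. Both behave the same when the macro is undefined, but `#if` on an undefined macro trips -Wundef; suggest `#ifdef` for consistency.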
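Review bot: The syshead.h hunk drops the mbedtls version header include and the openssl version header include from the common header, which is the actual fix for the openvpnserv build. Please confirm that no remaining MBEDTLS_VERSION_NUMBER or OPENSSL_VERSION_NUMBER checks elsewhere in src/openvpn relied on syshead.h to pull those headers in; any file that still uses them should include the library header itself so the build does not depend on include order.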