OpenVPN/openvpn
1
0
Fork 0
mirror of https://github.com/OpenVPN/openvpn.git synced 2025-05-09 05:31:05 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix mbed TLS key exporter functionality in 3.6.x and cmake

Browse Source 
Cmake did not check for the mbedtls_ssl_set_export_keys_cb symbol
when generating an mbed TLS configuration. This causes no actual
working key exporter to be in the binary.

Also add an explicit #error to catch this situation during compilation.

Change-Id: If38e80e268dc0ee7e57de2c175c5b4db0ce55ed0
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250425131002.21772-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31510.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This commit is contained in:
Arne Schwabe 2025-04-25 15:09:54 +02:00 committed by Gert Doering
parent f7aedca70e
commit f563556bbf
2 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CMakeLists.txt
View File

@ -275,6 +275,7 @@ function(check_mbed_configuration)
set(CMAKE_REQUIRED_LIBRARIES "mbedtls;mbedx509;mbedcrypto") set(CMAKE_REQUIRED_LIBRARIES "mbedtls;mbedx509;mbedcrypto")
check_symbol_exists(mbedtls_ctr_drbg_update_ret mbedtls/ctr_drbg.h HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET) check_symbol_exists(mbedtls_ctr_drbg_update_ret mbedtls/ctr_drbg.h HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET)
check_symbol_exists(mbedtls_ssl_conf_export_keys_ext_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) check_symbol_exists(mbedtls_ssl_conf_export_keys_ext_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB)
check_symbol_exists(mbedtls_ssl_set_export_keys_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB)
check_include_files(psa/crypto.h HAVE_MBEDTLS_PSA_CRYPTO_H) check_include_files(psa/crypto.h HAVE_MBEDTLS_PSA_CRYPTO_H)
endfunction() endfunction()

2
src/openvpn/ssl_mbedtls.c
View File

@ -253,6 +253,8 @@ mbedtls_ssl_export_keys_cb(void *p_expkey,
memcpy(cache->master_secret, secret, sizeof(cache->master_secret)); memcpy(cache->master_secret, secret, sizeof(cache->master_secret));
cache->tls_prf_type = tls_prf_type; cache->tls_prf_type = tls_prf_type;
} }
#else /* if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */
#error either HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB or HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB must be defined when HAVE_EXPORT_KEYING_MATERIAL is defined
#endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */ #endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */
bool bool