Attention is currently required from: MaxF, flichtenheld, plaisthos.
Hello flichtenheld, plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/1041?usp=email
to look at the new patch set (#3).
The following approvals got outdated and were removed:
Code-Review-1 by plaisthos
Change subject: Use mbedtls_ssl_export_keying_material()
......................................................................
Use mbedtls_ssl_export_keying_material()
Mbed TLS now has an implementation of the TLS-Exporter feature (though
not yet in a released version). Use it if it's available.
v2: Rebased, changed feature detection in configure.ac
Change-Id: I1204bc2ff85952160a86f0b9d1caae90e5065bc4
Signed-off-by: Max Fillinger <[email protected]>
---
M configure.ac
M src/openvpn/ssl_mbedtls.c
M src/openvpn/ssl_mbedtls.h
3 files changed, 33 insertions(+), 8 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/41/1041/3
diff --git a/configure.ac b/configure.ac
index 1b908e6..7fa2284 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1072,7 +1072,10 @@
[AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [0],
[no])]
)
if test "x$ac_cv_func_mbedtls_ssl_set_export_keys_cb" != xyes;
then
- AC_MSG_ERROR(This version of mbed TLS has no support
for exporting key material.)
+ AC_CHECK_FUNC([mbedtls_ssl_export_keying_material])
+ if test
"x$ac_cv_func_mbedtls_ssl_export_keying_material" != xyes; then
+ AC_MSG_ERROR(This version of mbed TLS has no
support for exporting key material.)
+ fi
fi
fi
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index 6474f80..0159166 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -251,8 +251,8 @@
memcpy(cache->master_secret, secret, sizeof(cache->master_secret));
cache->tls_prf_type = tls_prf_type;
}
-#else /* if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */
-#error either mbedtls_ssl_conf_export_keys_ext_cb or
mbedtls_ssl_set_export_keys_cb must be available in mbed TLS
+#elif !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
+#error mbedtls_ssl_conf_export_keys_ext_cb, mbedtls_ssl_set_export_keys_cb or
mbedtls_ssl_export_keying_material must be available in mbed TLS
#endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */
bool
@@ -262,6 +262,20 @@
{
ASSERT(strlen(label) == label_size);
+#if defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
+ /* Our version of mbed TLS has a built-in TLS-Exporter. */
+
+ mbedtls_ssl_context *ctx = session->key[KS_PRIMARY].ks_ssl.ctx;
+ if (mbed_ok(mbedtls_ssl_export_keying_material(ctx, ekm, ekm_size, label,
label_size, NULL, 0, 0)))
+ {
+ return true;
+ }
+ else
+ {
+ return false;
+ }
+
+#else /* defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */
struct tls_key_cache *cache =
&session->key[KS_PRIMARY].ks_ssl.tls_key_cache;
/* If the type is NONE, we either have no cached secrets or
@@ -286,6 +300,7 @@
secure_memzero(ekm, session->opt->ekm_size);
return false;
}
+#endif /* defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */
}
bool
@@ -1226,7 +1241,7 @@
mbedtls_ssl_conf_max_tls_version(ks_ssl->ssl_config, version);
}
-#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB
+#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB &&
!defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
/* Initialize keying material exporter, old style. */
mbedtls_ssl_conf_export_keys_ext_cb(ks_ssl->ssl_config,
mbedtls_ssl_export_keys_cb, session);
@@ -1241,7 +1256,7 @@
* verification. */
ASSERT(mbed_ok(mbedtls_ssl_set_hostname(ks_ssl->ctx, NULL)));
-#if HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB
+#if HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB &&
!defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
/* Initialize keying material exporter, new style. */
mbedtls_ssl_set_export_keys_cb(ks_ssl->ctx, mbedtls_ssl_export_keys_cb,
session);
#endif
diff --git a/src/openvpn/ssl_mbedtls.h b/src/openvpn/ssl_mbedtls.h
index 9ebb2ce..6354231 100644
--- a/src/openvpn/ssl_mbedtls.h
+++ b/src/openvpn/ssl_mbedtls.h
@@ -85,14 +85,21 @@
void *sign_ctx;
};
-/** struct to cache TLS secrets for keying material exporter (RFC 5705).
- * The constants (64 and 48) are inherent to TLS version and
- * the whole keying material export will likely change when they change */
+#if !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
+/**
+ * struct to cache TLS secrets for keying material exporter (RFC 5705).
+ * Not needed if the library itself implements the keying material exporter.
+ *
+ * The constants 64 and 48 are inherent to TLS 1.2. For TLS 1.3, it is not
+ * possible to obtain the exporter master secret from mbed TLS. */
struct tls_key_cache {
unsigned char client_server_random[64];
mbedtls_tls_prf_types tls_prf_type;
unsigned char master_secret[48];
};
+#else /* !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */
+struct tls_key_cache { };
+#endif
/**
* Structure that wraps the TLS context. Contents differ depending on the
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1041?usp=email
To unsubscribe, or for help writing mail filters, visit
http://gerrit.openvpn.net/settings
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I1204bc2ff85952160a86f0b9d1caae90e5065bc4
Gerrit-Change-Number: 1041
Gerrit-PatchSet: 3
Gerrit-Owner: MaxF <[email protected]>
Gerrit-Reviewer: flichtenheld <[email protected]>
Gerrit-Reviewer: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: plaisthos <[email protected]>
Gerrit-Attention: flichtenheld <[email protected]>
Gerrit-Attention: MaxF <[email protected]>
Gerrit-MessageType: newpatchset
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
