[Openvpn-devel] [XS] Change in openvpn[master]: Fix mbed TLS key exporter functionality in 3.6.x and cmake
cron2 has uploaded a new patch set (#4) to the change originally created by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/920?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by flichtenheld Change subject: Fix mbed TLS key exporter functionality in 3.6.x and cmake .. Fix mbed TLS key exporter functionality in 3.6.x and cmake Cmake did not check for the mbedtls_ssl_set_export_keys_cb symbol when generating an mbed TLS configuration. This causes no actual working key exporter to be in the binary. Also add an explicit #error to catch this situation during compilation. Change-Id: If38e80e268dc0ee7e57de2c175c5b4db0ce55ed0 Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20250425131002.21772-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31510.html Signed-off-by: Gert Doering --- M CMakeLists.txt M src/openvpn/ssl_mbedtls.c 2 files changed, 3 insertions(+), 0 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/20/920/4 diff --git a/CMakeLists.txt b/CMakeLists.txt index b04adce..a8fb64b 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -275,6 +275,7 @@ set(CMAKE_REQUIRED_LIBRARIES "mbedtls;mbedx509;mbedcrypto") check_symbol_exists(mbedtls_ctr_drbg_update_ret mbedtls/ctr_drbg.h HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET) check_symbol_exists(mbedtls_ssl_conf_export_keys_ext_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) +check_symbol_exists(mbedtls_ssl_set_export_keys_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) check_include_files(psa/crypto.h HAVE_MBEDTLS_PSA_CRYPTO_H) endfunction() diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index e15c391..ec3135a 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c 
@@ -253,6 +253,8 @@ memcpy(cache->master_secret, secret, sizeof(cache->master_secret)); cache->tls_prf_type = tls_prf_type; } +#else /* if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */ +#error either HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB or HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB must be defined when HAVE_EXPORT_KEYING_MATERIAL is defined #endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */ bool -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/920?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: If38e80e268dc0ee7e57de2c175c5b4db0ce55ed0 Gerrit-Change-Number: 920 Gerrit-PatchSet: 4 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: MaxF Gerrit-CC: openvpn-devel Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [XS] Change in openvpn[master]: Fix mbed TLS key exporter functionality in 3.6.x and cmake
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/920?usp=email ) Change subject: Fix mbed TLS key exporter functionality in 3.6.x and cmake .. Fix mbed TLS key exporter functionality in 3.6.x and cmake Cmake did not check for the mbedtls_ssl_set_export_keys_cb symbol when generating an mbed TLS configuration. This causes no actual working key exporter to be in the binary. Also add an explicit #error to catch this situation during compilation. Change-Id: If38e80e268dc0ee7e57de2c175c5b4db0ce55ed0 Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20250425131002.21772-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31510.html Signed-off-by: Gert Doering --- M CMakeLists.txt M src/openvpn/ssl_mbedtls.c 2 files changed, 3 insertions(+), 0 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index b04adce..a8fb64b 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -275,6 +275,7 @@ set(CMAKE_REQUIRED_LIBRARIES "mbedtls;mbedx509;mbedcrypto") check_symbol_exists(mbedtls_ctr_drbg_update_ret mbedtls/ctr_drbg.h HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET) check_symbol_exists(mbedtls_ssl_conf_export_keys_ext_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) +check_symbol_exists(mbedtls_ssl_set_export_keys_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) check_include_files(psa/crypto.h HAVE_MBEDTLS_PSA_CRYPTO_H) endfunction() diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index e15c391..ec3135a 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c 
@@ -253,6 +253,8 @@ memcpy(cache->master_secret, secret, sizeof(cache->master_secret)); cache->tls_prf_type = tls_prf_type; } +#else /* if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */ +#error either HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB or HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB must be defined when HAVE_EXPORT_KEYING_MATERIAL is defined #endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */ bool -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/920?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: If38e80e268dc0ee7e57de2c175c5b4db0ce55ed0 Gerrit-Change-Number: 920 Gerrit-PatchSet: 4 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: MaxF Gerrit-CC: openvpn-devel Gerrit-MessageType: merged ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Fix mbed TLS key exporter functionality in 3.6.x and cmake
This is basically a cmake build system fix (no code changes) together with code safeguards that we do not end up in a SIGSEGV because parts of the code assume "key exporter present" and the actual calls are not there... haven't tested this myself, but the buildbots have (and the macOS buildbot uncovered this originally).

Your patch has been applied to the master branch.

commit f563556bbfee729053d5c123ebc1bad6277f4c65
Author: Arne Schwabe
Date: Fri Apr 25 15:09:54 2025 +0200

Fix mbed TLS key exporter functionality in 3.6.x and cmake

Signed-off-by: Arne Schwabe
Acked-by: Frank Lichtenheld
Message-Id: <20250425131002.21772-1-g...@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31510.html
Signed-off-by: Gert Doering

--
kind regards,

Gert Doering
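The failure mode described above (key-export code paths compiled in, no working callback behind them) can also be caught before anything is compiled. The script below is an added example, not OpenVPN project code: it applies the same rule the patch's #error enforces at compile time to a generated config.h. The macro names are the three from the patch; the function names (has_define, check_exporter_config, write_samples), the assumption that the build writes its feature macros to a config.h, and the two sample headers are all constructed for this example and are not real buildbot output.

```shell
#!/bin/sh
# Added example, not OpenVPN project code: a post-configure sanity check that
# applies the same rule the patch's #error enforces at compile time, but to a
# generated config.h, so an inconsistent build is caught before compiling.
# The three macro names are the ones from the patch; the sample headers
# written by write_samples are constructed for this example only.

# has_define FILE MACRO: succeed if FILE has an active "#define MACRO" line.
# A commented-out "/* #undef MACRO */" line, as CMake writes it, does not count.
has_define() {
    grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+$2([[:space:]]|$)" "$1"
}

# check_exporter_config FILE: succeed when the configuration is consistent,
# fail (status 1) when a binary built from it would carry the keying-material
# export code paths with no mbed TLS callback behind them.
check_exporter_config() {
    cfg="$1"
    if ! has_define "$cfg" HAVE_EXPORT_KEYING_MATERIAL; then
        echo "$cfg: keying-material export disabled, nothing to check"
        return 0
    fi
    if has_define "$cfg" HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB; then
        echo "$cfg: exporter backend is mbedtls_ssl_set_export_keys_cb (mbed TLS 3.x)"
        return 0
    fi
    if has_define "$cfg" HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB; then
        echo "$cfg: exporter backend is mbedtls_ssl_conf_export_keys_ext_cb (mbed TLS 2.x)"
        return 0
    fi
    echo "$cfg: HAVE_EXPORT_KEYING_MATERIAL is set but neither mbed TLS exporter symbol was detected" >&2
    return 1
}

# write_samples DIR: constructed config.h fragments for the two situations.
write_samples() {
    # Hypothetical pre-fix result against mbed TLS 3.x: CMake never probed
    # for the 3.x symbol, so only the 2.x macro appears (undefined).
    cat > "$1/before.h" <<'EOF'
#define HAVE_EXPORT_KEYING_MATERIAL 1
/* #undef HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */
EOF
    # Hypothetical post-fix result: the new probe found the 3.x symbol.
    cat > "$1/after.h" <<'EOF'
#define HAVE_EXPORT_KEYING_MATERIAL 1
/* #undef HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */
#define HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB 1
EOF
}

# Usage: ./check_exporter.sh [path/to/config.h]; with no argument the check
# runs against the constructed samples.
if [ -n "$1" ]; then
    check_exporter_config "$1"
else
    d=$(mktemp -d)
    write_samples "$d"
    check_exporter_config "$d/after.h"
    check_exporter_config "$d/before.h" || echo "(this is the situation the patch fixes)"
    rm -rf "$d"
fi
```

After linking, `nm openvpn | grep mbedtls_ssl_set_export_keys_cb` (or the 2.x symbol name on an older mbed TLS) gives a second confirmation that the binary actually references an exporter callback; an empty result on a build with keying-material export enabled is the condition this check and the patch's #error are meant to surface.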
[Openvpn-devel] [M] Change in openvpn[master]: Make dh none behaviour default if not specified and add dh auto
Attention is currently required from: plaisthos.

flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/945?usp=email )

Change subject: Make dh none behaviour default if not specified and add dh auto
..

Patch Set 2: Code-Review-1

(6 comments)

Patchset:

PS2:
Some more nitpicking

File doc/man-sections/tls-options.rst:

http://gerrit.openvpn.net/c/openvpn/+/945/comment/0875d49b_2e79eee5 :
PS1, Line 183: Set ``file`` to :code:`auto` enables using builtin Diffie Hellman
> "Setting"
Done

http://gerrit.openvpn.net/c/openvpn/+/945/comment/24f9ab7c_0d7f8e5e :
PS1, Line 188: use the public well-known parameter or using ``none``.
> "parameters"
Done

File doc/man-sections/tls-options.rst:

http://gerrit.openvpn.net/c/openvpn/+/945/comment/46dda9bc_dd7a8286 :
PS2, Line 179: Note that this requires peers to be using an SSL library that supports
"to use" instead of "to be using". While not incorrect I think it sounds clunky.

http://gerrit.openvpn.net/c/openvpn/+/945/comment/ff6311bb_0efb9609 :
PS2, Line 188: use the public well-known parameters or using ``none``.
"use" versus "using". Maybe just remove the "using"?

File src/openvpn/ssl.c:

http://gerrit.openvpn.net/c/openvpn/+/945/comment/3cee585a_d672dc5f :
PS2, Line 538: if (options->dh_file && !strcmp(options->dh_file, "auto"))
Any reason not to use streq() here like in options.c?

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/945?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ica02244c9f0ac9b4690a51f940fda9d900465289
Gerrit-Change-Number: 945
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos
Gerrit-Reviewer: flichtenheld
Gerrit-CC: openvpn-devel
Gerrit-Attention: plaisthos
Gerrit-Comment-Date: Fri, 25 Apr 2025 11:39:02 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Comment-In-Reply-To: flichtenheld
Gerrit-MessageType: comment
[Openvpn-devel] [XS] Change in openvpn[master]: Fix mbed TLS key exporter functionality in 3.6.x and cmake
Attention is currently required from: plaisthos.

flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/920?usp=email )

Change subject: Fix mbed TLS key exporter functionality in 3.6.x and cmake
..

Patch Set 3: Code-Review+2

(1 comment)

Commit Message:

http://gerrit.openvpn.net/c/openvpn/+/920/comment/efbbf0b6_3e858402 :
PS3, Line 10: when generating an mbed TLS configuration. This cause no actual
"causes"

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/920?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: If38e80e268dc0ee7e57de2c175c5b4db0ce55ed0
Gerrit-Change-Number: 920
Gerrit-PatchSet: 3
Gerrit-Owner: plaisthos
Gerrit-Reviewer: flichtenheld
Gerrit-CC: MaxF
Gerrit-CC: openvpn-devel
Gerrit-Attention: plaisthos
Gerrit-Comment-Date: Fri, 25 Apr 2025 11:42:42 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
[Openvpn-devel] [PATCH v3] Fix mbed TLS key exporter functionality in 3.6.x and cmake
From: Arne Schwabe Cmake did not check for the mbedtls_ssl_set_export_keys_cb symbol when generating an mbed TLS configuration. This causes no actual working key exporter to be in the binary. Also add an explicit #error to catch this situation during compilation. Change-Id: If38e80e268dc0ee7e57de2c175c5b4db0ce55ed0 Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/920 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/CMakeLists.txt b/CMakeLists.txt index b04adce..a8fb64b 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -275,6 +275,7 @@ set(CMAKE_REQUIRED_LIBRARIES "mbedtls;mbedx509;mbedcrypto") check_symbol_exists(mbedtls_ctr_drbg_update_ret mbedtls/ctr_drbg.h HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET) check_symbol_exists(mbedtls_ssl_conf_export_keys_ext_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) +check_symbol_exists(mbedtls_ssl_set_export_keys_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) check_include_files(psa/crypto.h HAVE_MBEDTLS_PSA_CRYPTO_H) endfunction() diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index e15c391..ec3135a 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -253,6 +253,8 @@ memcpy(cache->master_secret, secret, sizeof(cache->master_secret)); cache->tls_prf_type = tls_prf_type; } +#else /* if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */ +#error either HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB or HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB must be defined when HAVE_EXPORT_KEYING_MATERIAL is defined #endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */ bool ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
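Review bot: in the CMakeLists.txt hunk, the new check_symbol_exists(mbedtls_ssl_set_export_keys_cb ...) line only sets the CMake variable HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB; the fix is complete only if that variable is also written into the generated config header, and the hunk does not show the template side. Please confirm that the header template already has an entry for HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB (for example a `#cmakedefine HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB` line, if that is how the other HAVE_MBEDTLS_* results reach config.h), or add it in this change; otherwise the probe succeeds at configure time and ssl_mbedtls.c still sees neither backend macro. It would also help future readers to state in the commit message that mbedtls_ssl_set_export_keys_cb is the mbed TLS 3.x replacement for mbedtls_ssl_conf_export_keys_ext_cb, since that is why 3.6.x builds were left without an exporter.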
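Review bot: in the src/openvpn/ssl_mbedtls.c hunk, the new #error names HAVE_EXPORT_KEYING_MATERIAL as the governing condition, but the only guard visible in the context is the `#endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */`. Please double-check that this #if/#else chain is itself nested inside a `#if defined(HAVE_EXPORT_KEYING_MATERIAL)` (or equivalent) block; if it is not, a build that disables keying-material export, or one against an mbed TLS that has neither symbol, now stops with this #error instead of compiling without an exporter as before. Assuming the nesting is as the message claims, a hard compile-time failure is the right choice here: it turns the silent "exporter assumed present, calls absent" state that would otherwise surface as a runtime SIGSEGV into an immediate, actionable build error.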