Move keying material exporter check from syshead.h to configure.ac
authorSteffan Karger <steffan.karger@foxcrypto.com>
Mon, 20 Jan 2020 11:55:18 +0000 (12:55 +0100)
committerGert Doering <gert@greenie.muc.de>
Mon, 20 Jan 2020 19:15:25 +0000 (20:15 +0100)
Commit ab27c9f7 added a compile-time check for availability of
keying-material-export functionality to syshead.h. It turns out that
openvpnserv also includes syshead.h, and has ENABLE_CRYPTO_* defined in
its config.h, but doesn't have the necessary CFLAGS / LIBS to actually
compile and link against the crypto libraries. That of course breaks
openvpnserv builds.

To fix this, change the compile-time check in syshead.h into a
configure-time check in configure.ac. That's more consistent with how we
do other feature checks anyway.

Signed-off-by: Steffan Karger <steffan.karger@foxcrypto.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <E1itVts-0007ZG-NO@sfs-ml-2.v29.lw.sourceforge.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19328.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
configure.ac
src/openvpn/init.c
src/openvpn/options.c
src/openvpn/options.h
src/openvpn/ssl_mbedtls.c
src/openvpn/syshead.h

index a47e0a06ce92e655d37c018273cc303f460662c9..98fd39ceb8dac1f9114ef732b1adb5862734091b 100644 (file)
@@ -912,6 +912,13 @@ if test "${with_crypto_library}" = "openssl"; then
                [have_crypto_aead_modes="no"; break]
        )
 
+       have_export_keying_material="yes"
+       AC_CHECK_FUNCS(
+               [SSL_export_keying_material],
+               ,
+               [have_export_keying_material="no"; break]
+       )
+
        AC_CHECK_FUNCS(
                [ \
                        HMAC_CTX_new \
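Review bot: The new check carries no comment saying what it gates, and the explanatory comment that syshead.h used to carry (`Do we support RFC 5705 keying material exporters?`) is removed by this commit, so the intent now lives only in the AC_DEFINE description further down. I'd add `# RFC 5705 keying material exporter (--keying-material-exporter)` above the `have_export_keying_material="yes"` line here and in the matching mbedTLS hunk at +1017. The result variable is assigned only inside the openssl and mbedtls branches; the later `test "${have_export_keying_material}" = "yes"` tolerates it being unset, which matches how have_crypto_aead_modes is handled.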
@@ -1010,6 +1017,13 @@ elif test "${with_crypto_library}" = "mbedtls"; then
                [have_crypto_aead_modes="no"; break]
        )
 
+       have_export_keying_material="yes"
+       AC_CHECK_FUNCS(
+               [mbedtls_ssl_conf_export_keys_ext_cb],
+               ,
+               [have_export_keying_material="no"; break]
+       )
+
        CFLAGS="${saved_CFLAGS}"
        LIBS="${saved_LIBS}"
        AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library])
@@ -1217,6 +1231,12 @@ test "${enable_strict_options}" = "yes" && AC_DEFINE([ENABLE_STRICT_OPTIONS_CHEC
 
 test "${enable_crypto_ofb_cfb}" = "yes" && AC_DEFINE([ENABLE_OFB_CFB_MODE], [1], [Enable OFB and CFB cipher modes])
 test "${have_crypto_aead_modes}" = "yes" && AC_DEFINE([HAVE_AEAD_CIPHER_MODES], [1], [Use crypto library])
+if test "${have_export_keying_material}" = "yes"; then
+       AC_DEFINE(
+               [HAVE_EXPORT_KEYING_MATERIAL], [1],
+               [Crypto library supports keying material exporter]
+       )
+fi
 OPTIONAL_CRYPTO_CFLAGS="${OPTIONAL_CRYPTO_CFLAGS} ${CRYPTO_CFLAGS}"
 OPTIONAL_CRYPTO_LIBS="${OPTIONAL_CRYPTO_LIBS} ${CRYPTO_LIBS}"
 
index ce417df0c24458923a8265a2bac82faf7fcbad11..04207b61cab1a621f551056c093aec92177f74d9 100644 (file)
@@ -2931,7 +2931,7 @@ do_init_crypto_tls(struct context *c, const unsigned int flags)
     to.comp_options = options->comp;
 #endif
 
-#ifdef HAVE_EKM
+#ifdef HAVE_EXPORT_KEYING_MATERIAL
     if (options->keying_material_exporter_label)
     {
         to.ekm_size = options->keying_material_exporter_length;
@@ -2947,7 +2947,7 @@ do_init_crypto_tls(struct context *c, const unsigned int flags)
     {
         to.ekm_size = 0;
     }
-#endif /* HAVE_EKM */
+#endif /* HAVE_EXPORT_KEYING_MATERIAL */
 
     /* TLS handshake authentication (--tls-auth) */
     if (options->ce.tls_auth_file)
index 173a1eea3a602b1d8e04e80c571469aa17e59e85..c459b260680a0e64b520cfc67bc99f0ca2481690 100644 (file)
@@ -662,7 +662,7 @@ static const char usage_message[] =
     "                  an explicit nsCertType designation t = 'client' | 'server'.\n"
     "--x509-track x  : Save peer X509 attribute x in environment for use by\n"
     "                  plugins and management interface.\n"
-#ifdef HAVE_EKM
+#ifdef HAVE_EXPORT_KEYING_MATERIAL
     "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
     "                  of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
 #endif
@@ -8506,7 +8506,7 @@ add_option(struct options *options,
         options->use_peer_id = true;
         options->peer_id = atoi(p[1]);
     }
-#ifdef HAVE_EKM
+#ifdef HAVE_EXPORT_KEYING_MATERIAL
     else if (streq(p[0], "keying-material-exporter") && p[1] && p[2])
     {
         int ekm_length = positive_atoi(p[2]);
index 3c6b1965406fb9f7b94f479dc93c798b52911b59..2f1f6faf13eb5a6f0bb56fc2e1b42585d18728aa 100644 (file)
@@ -640,7 +640,7 @@ struct options
     bool use_peer_id;
     uint32_t peer_id;
 
-#ifdef HAVE_EKM
+#ifdef HAVE_EXPORT_KEYING_MATERIAL
     /* Keying Material Exporters [RFC 5705] */
     const char *keying_material_exporter_label;
     int keying_material_exporter_length;
index 4114bb6ba60698d03c8154c434443064ed4836ca..0f0b035ba28873d74a24cc45481a16efb6cabc64 100644 (file)
@@ -190,7 +190,7 @@ tls_ctx_initialised(struct tls_root_ctx *ctx)
     return ctx->initialised;
 }
 
-#ifdef HAVE_EKM
+#ifdef HAVE_EXPORT_KEYING_MATERIAL
 int mbedtls_ssl_export_keys_cb(void *p_expkey, const unsigned char *ms,
                                const unsigned char *kb, size_t maclen,
                                size_t keylen, size_t ivlen,
@@ -223,7 +223,7 @@ int mbedtls_ssl_export_keys_cb(void *p_expkey, const unsigned char *ms,
 
     return ret;
 }
-#endif /* HAVE_EKM */
+#endif /* HAVE_EXPORT_KEYING_MATERIAL */
 
 void
 key_state_export_keying_material(struct key_state_ssl *ssl,
@@ -1120,7 +1120,7 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl,
         }
     }
 
-#if MBEDTLS_VERSION_NUMBER >= 0x02120000
+#if HAVE_EXPORT_KEYING_MATERIAL
     /* Initialize keying material exporter */
     if (session->opt->ekm_size)
     {
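Review bot: `#if HAVE_EXPORT_KEYING_MATERIAL` is the only site in this commit that tests the macro with `#if`; every other site (init.c, options.c, options.h and the export-keys callback above in this file) uses `#ifdef`. The behaviour is the same because an undefined identifier evaluates to 0 in `#if`, but `-Wundef` will warn on it and a reader may take the difference as meaningful, so I'd write `#ifdef HAVE_EXPORT_KEYING_MATERIAL` to match. key_state_ssl_init begins and ends outside the hunk, so the matching `#endif` is not visible here; it should be checked for a stale `MBEDTLS_VERSION_NUMBER` comment.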
index 413ce6231a4baffda7fa1c84fd8f6f22a5c2b46c..b031dd604e83d26473e7dcff9269e7393794dbaf 100644 (file)
@@ -550,14 +550,9 @@ socket_defined(const socket_descriptor_t sd)
 #endif
 
 #ifdef ENABLE_CRYPTO_MBEDTLS
-#include <mbedtls/version.h>
 #define ENABLE_PREDICTION_RESISTANCE
 #endif /* ENABLE_CRYPTO_MBEDTLS */
 
-#ifdef ENABLE_CRYPTO_OPENSSL
-#include <openssl/opensslv.h>
-#endif /* ENABLE_CRYPTO_OPENSSL */
-
 /*
  * Enable packet filter?
  */
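Review bot: Dropping `<mbedtls/version.h>` and `<openssl/opensslv.h>` from syshead.h also removes them from every translation unit that previously got MBEDTLS_VERSION_NUMBER or OPENSSL_VERSION_NUMBER indirectly; the only user this commit rewrites is the guard in ssl_mbedtls.c, so any other `#if ... VERSION_NUMBER` comparison that relied on the indirect include would now see the macro as undefined and silently evaluate as 0. Worth a grep of src/ for both macros before merging; if the remaining users already include their crypto library headers directly, as the per-library ssl sources presumably do, nothing further is needed.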
@@ -602,14 +597,6 @@ socket_defined(const socket_descriptor_t sd)
 #define ENABLE_CRYPTOAPI
 #endif
 
-/*
- * Do we support RFC 5705 keying material exporters?
- */
-#if (defined(ENABLE_CRYPTO_MBEDTLS) && MBEDTLS_VERSION_NUMBER >= 0x02120000) || \
-    (defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000)
-#define HAVE_EKM
-#endif
-
 /*
  * Is poll available on this platform?
  */