/* Define to 1 if you have the <err.h> header file. */
#cmakedefine HAVE_ERR_H
-/* Crypto library supports keying material exporter */
-#define HAVE_EXPORT_KEYING_MATERIAL 1
-
/* Define to 1 if you have the <fcntl.h> header file. */
#cmakedefine HAVE_FCNTL_H
[AC_MSG_ERROR([OpenSSL check for AES-256-GCM support failed])]
)
- # All supported OpenSSL versions (>= 1.1.0)
- # have this feature
- have_export_keying_material="yes"
-
CFLAGS="${saved_CFLAGS}"
LIBS="${saved_LIBS}"
[AC_DEFINE([HAVE_MBEDTLS_SSL_TLS_PRF], [0], [no])]
)
- have_export_keying_material="yes"
AC_CHECK_FUNC(
[mbedtls_ssl_conf_export_keys_ext_cb],
[AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [1], [yes])],
[AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [0], [no])]
)
if test "x$ac_cv_func_mbedtls_ssl_set_export_keys_cb" != xyes; then
- have_export_keying_material="no"
+ AC_MSG_ERROR(This version of mbed TLS has no support for exporting key material.)
fi
fi
)
AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header wolfssl/options.h not found!])])
- # wolfSSL signal EKM support
- have_export_keying_material="yes"
-
if test "${enable_wolfssl_options_h}" = "yes"; then
AC_DEFINE([EXTERNAL_OPTS_OPENVPN], [1], [Include options.h from wolfSSL library])
else
AC_DEFINE([WOLFSSL_USER_SETTINGS], [1], [Use custom user_settings.h file for wolfSSL library])
fi
- have_export_keying_material="yes"
-
CFLAGS="${saved_CFLAGS}"
LIBS="${saved_LIBS}"
test "${enable_dns_updown_by_default}" = "yes" && AC_DEFINE([ENABLE_DNS_UPDOWN_BY_DEFAULT], [1], [Enable dns-updown hook by default])
test "${enable_ntlm}" = "yes" && AC_DEFINE([ENABLE_NTLM], [1], [Enable NTLMv2 proxy support])
test "${enable_crypto_ofb_cfb}" = "yes" && AC_DEFINE([ENABLE_OFB_CFB_MODE], [1], [Enable OFB and CFB cipher modes])
-if test "${have_export_keying_material}" = "yes"; then
- AC_DEFINE(
- [HAVE_EXPORT_KEYING_MATERIAL], [1],
- [Crypto library supports keying material exporter]
- )
-fi
OPTIONAL_CRYPTO_CFLAGS="${OPTIONAL_CRYPTO_CFLAGS} ${CRYPTO_CFLAGS}"
OPTIONAL_CRYPTO_LIBS="${OPTIONAL_CRYPTO_LIBS} ${CRYPTO_LIBS}"
to.comp_options = options->comp;
#endif
-#ifdef HAVE_EXPORT_KEYING_MATERIAL
if (options->keying_material_exporter_label)
{
to.ekm_size = options->keying_material_exporter_length;
{
to.ekm_size = 0;
}
-#endif /* HAVE_EXPORT_KEYING_MATERIAL */
/* TLS handshake authentication (--tls-auth) */
if (options->ce.tls_auth_file)
c->c2.push_request_received = true;
}
-#ifdef HAVE_EXPORT_KEYING_MATERIAL
if (proto & IV_PROTO_TLS_KEY_EXPORT)
{
o->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
{
o->imported_protocol_flags |= CO_USE_DYNAMIC_TLS_CRYPT;
}
-#endif
if (proto & IV_PROTO_CC_EXIT_NOTIFY)
{
#endif
"--x509-track x : Save peer X509 attribute x in environment for use by\n"
" plugins and management interface.\n"
-#ifdef HAVE_EXPORT_KEYING_MATERIAL
"--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
" of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
-#endif
"--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
" explicit key usage, you can specify more than one value.\n"
" value should be given in hex format.\n"
"calculation anymore or your security policy (e.g. FIPS 140-2) "
"forbids it. Connections will only work with peers running "
"OpenVPN 2.6.0 or higher)");
-#ifndef HAVE_EXPORT_KEYING_MATERIAL
- msg(M_FATAL, "Keying Material Exporters (RFC 5705) not available either. "
- "No way to generate data channel keys left.");
-#endif
if (o->mode == MODE_SERVER)
{
msg(M_WARN, "Automatically enabling option "
/* NCP only option that is pushed by the server to enable EKM,
* should not be used by normal users in config files*/
VERIFY_PERMISSION(OPT_P_NCP)
-#ifdef HAVE_EXPORT_KEYING_MATERIAL
if (streq(p[1], "tls-ekm"))
{
options->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
}
else
-#endif
{
msg(msglevel, "Unknown key-derivation method %s", p[1]);
}
{
options->imported_protocol_flags |= CO_USE_CC_EXIT_NOTIFY;
}
-#ifdef HAVE_EXPORT_KEYING_MATERIAL
else if (streq(p[j], "tls-ekm"))
{
options->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
{
options->imported_protocol_flags |= CO_USE_DYNAMIC_TLS_CRYPT;
}
-#endif
else if (streq(p[j], "aead-epoch"))
{
options->imported_protocol_flags |= CO_EPOCH_DATA_KEY_FORMAT;
options->use_peer_id = true;
options->peer_id = atoi_warn(p[1], msglevel);
}
-#ifdef HAVE_EXPORT_KEYING_MATERIAL
else if (streq(p[0], "keying-material-exporter") && p[1] && p[2])
{
int ekm_length = positive_atoi(p[2], msglevel);
options->keying_material_exporter_label = p[1];
options->keying_material_exporter_length = ekm_length;
}
-#endif /* HAVE_EXPORT_KEYING_MATERIAL */
else if (streq(p[0], "allow-recursive-routing") && !p[1])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
bool use_peer_id;
uint32_t peer_id;
-#ifdef HAVE_EXPORT_KEYING_MATERIAL
/* Keying Material Exporters [RFC 5705] */
const char *keying_material_exporter_label;
int keying_material_exporter_length;
-#endif
/* force using TLS key material export for data channel key generation */
bool force_key_material_export;
buf_printf(&out, "IV_CIPHERS=%s\n", session->opt->config_ncp_ciphers);
-#ifdef HAVE_EXPORT_KEYING_MATERIAL
iv_proto |= IV_PROTO_TLS_KEY_EXPORT;
iv_proto |= IV_PROTO_DYN_TLS_CRYPT;
-#endif
buf_printf(&out, "IV_PROTO=%d\n", iv_proto);
return ctx->initialised;
}
-#ifdef HAVE_EXPORT_KEYING_MATERIAL
-
#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB
/*
* Key export callback for older versions of mbed TLS, to be used with
cache->tls_prf_type = tls_prf_type;
}
#else /* if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */
-#error either HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB or HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB must be defined when HAVE_EXPORT_KEYING_MATERIAL is defined
+#error either mbedtls_ssl_conf_export_keys_ext_cb or mbedtls_ssl_set_export_keys_cb must be available in mbed TLS
#endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */
bool
return false;
}
}
-#else /* ifdef HAVE_EXPORT_KEYING_MATERIAL */
-bool
-key_state_export_keying_material(struct tls_session *session,
- const char *label, size_t label_size,
- void *ekm, size_t ekm_size)
-{
- /* Dummy function to avoid ifdefs in the common code */
- return false;
-}
-#endif /* HAVE_EXPORT_KEYING_MATERIAL */
bool
tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
void *sign_ctx;
};
-#ifdef HAVE_EXPORT_KEYING_MATERIAL
/** struct to cache TLS secrets for keying material exporter (RFC 5705).
* The constants (64 and 48) are inherent to TLS version and
* the whole keying material export will likely change when they change */
mbedtls_tls_prf_types tls_prf_type;
unsigned char master_secret[48];
};
-#else /* ifdef HAVE_EXPORT_KEYING_MATERIAL */
-struct tls_key_cache { };
-#endif
/**
* Structure that wraps the TLS context. Contents differ depending on the
session->opt->crypto_flags &= ~CO_EPOCH_DATA_KEY_FORMAT;
}
-#if defined(HAVE_EXPORT_KEYING_MATERIAL)
if (iv_proto_peer & IV_PROTO_TLS_KEY_EXPORT)
{
session->opt->crypto_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
{
session->opt->crypto_flags |= CO_USE_DYNAMIC_TLS_CRYPT;
}
-#endif /* if defined(HAVE_EXPORT_KEYING_MATERIAL) */
}
void
projects / thirdparty / openvpn.git / commitdiff
