Fix build with mbedtls w/o SSL renegotiation support

In mbedtls, support for SSL renegotiation can be disabled at compile-time. However, OpenVPN cannot be built with such a library because it calls mbedtls_ssl_conf_renegotiation() to disable this feature at runtime. This function doesn't exist when mbedtls was built without support for SSL renegotiation. This commit fixes the build by ifdef'ing out the function call when mbedtls was built without support for SSL renegotiation. Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com> Acked-by: Antonio Quartulli <antonio@openvpn.net> Message-Id: <E1lW0eX-00012w-9n@sfs-ml-1.v29.lw.sourceforge.com> URL: https://www.mail-archive.com/search?l=mid&q=E1lW0eX-00012w-9n@sfs-ml-1.v29.lw.sourceforge.com Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-09-20 12:02:28 +02:00 · 2021-04-12 19:46:17 +02:00 · 2021-04-12 19:46:17 +02:00 · e4bd17c86e
commit e4bd17c86e
parent 3fbeeda5cd
1 changed files with 6 additions and 3 deletions
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@ -1086,10 +1086,13 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl,
    {
        mbedtls_ssl_conf_curves(ks_ssl->ssl_config, ssl_ctx->groups);
    }
-    /* Disable TLS renegotiations. OpenVPN's renegotiation creates new SSL
-     * session and does not depend on this feature. And TLS renegotiations have
-     * been problematic in the past */
+
+    /* Disable TLS renegotiations if the mbedtls library supports that feature.
+     * OpenVPN's renegotiation creates new SSL sessions and does not depend on
+     * this feature and TLS renegotiations have been problematic in the past. */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
    mbedtls_ssl_conf_renegotiation(ks_ssl->ssl_config, MBEDTLS_SSL_RENEGOTIATION_DISABLED);
+#endif /* MBEDTLS_SSL_RENEGOTIATION */

    /* Disable record splitting (for now).  OpenVPN assumes records are sent
     * unfragmented, and changing that will require thorough review and