hi Jan

Thanks.

Yes, the keys file was generated using the openvpn genkey function. The
display was generated during the OpenVPN keys establishment phase. The keys
are verified to be correct. It is just that the HMAC generation output does not
tally. In fact, I found that only the TLS PRF HMAC generation process is
correct. I wonder whether it is the reusing of context that causes the
inconsistencies?

regards
Frances

On Tue, Mar 9, 2010 at 5:25 PM, Jan Just Keijser <janj...@nikhef.nl> wrote:

> Hi Frances,
>
>
> froggu 21 wrote:
>
>> hi all
>>
>> May I know whether you have successfully verified the HMAC generated by
>> OpenVPN? I found that the HMAC value generated by OpenVPN does not tally
>> with the HMAC value generated directly from OpenSSL. I wonder whether there
>> is any incorrect implementation of HMAC by OpenVPN?
>>
>> please see results:
>>  Captured Output:
>> #Using 160 bit message hash 'SHA' for HMAC authentication --- HMAC KEY
>> Size: 20
>> #HMAC KEY: 4024a8e1 168ffb50 1b3c3fd7 e1fbe630 d2d26623
>> #HMAC work (input): 86d320dd b8d20f0b 4f79a041 4cc1cd47 70775ee8 1e770fc8
>> 85d2ee0c dcd9d670 fd58393a 50fc4094 a8372cb0 16cf30e9  -- BLEN (&work): 48
>> #HMAC work (input): 9956b5bc 81286af6 a06b8d8e a5bdeca5 4a9324b9 86d320dd
>> b8d20f0b 4f79a041 4cc1cd47 70775ee8 1e770fc8 85d2ee0c dcd9d670 fd58393a
>> 50fc4094 a8372cb0 16cf30e9  -- BLEN (&work): 68
>> #HMAC output (generated hmac): 9956b5bc 81286af6 a06b8d8e a5bdeca5
>> 4a9324b9 -- hmac_len: 20
>>
>>
>> Using the OpenSSL to verify the HMAC output:
>> @@Testing HMAC digest SHA1
>> Key Data
>> 0000 40 24 a8 e1 16 8f fb 50 1b 3c 3f d7 e1 fb e6 30
>> 0010 d2 d2 66 23
>> Input Data
>> 0000 86 d3 20 dd b8 d2 0f 0b 4f 79 a0 41 4c c1 cd 47
>> 0010 70 77 5e e8 1e 77 0f c8 85 d2 ee 0c dc d9 d6 70
>> 0020 fd 58 39 3a 50 fc 40 94 a8 37 2c b0 16 cf 30 e9
>> Expected Hash
>> 0000 99 56 b5 bc 81 28 6a f6 a0 6b 8d 8e a5 bd ec a5
>> 0010 4a 93 24 b9
>>
>> HMAC Digest mismatch
>> Got
>> 0000 83 cb 72 19 f4 2a 33 f8 37 a6 62 59 8f 2e 05 cb
>> 0010 0a 39 0f 37
>> Expected
>> 0000 99 56 b5 bc 81 28 6a f6 a0 6b 8d 8e a5 bd ec a5
>> 0010 4a 93 24 b9
>>
>> I wonder, did I miss out anything? Or is there something different in
>> OpenVPN's HMAC implementation? Could you advise?
>>
> how did you generate this output (on the openvpn side)?
> Note that there is no "correct HMAC implementation" per se: to use HMAC you
> generate a 2048 bit key using
>  openvpn --genkey --secret ta.key
> OpenVPN then uses parts of this key for HMAC ciphers, encryption etc.
> For more details, read the HMAC section in the FAQ:
> http://openvpn.net/index.php/open-source/faq.html
>
> HTH,
>
> JJK
>
>
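
Added example, not part of the original thread and not OpenVPN's or OpenSSL's code: an independent recomputation of HMAC-SHA1 over the key and 48-byte input posted above, using Python's standard `hmac` module after checking it against RFC 2202 test case 1. `fresh_vs_stale` and its constructed "earlier packet" are illustrative assumptions that show how a context left un-reinitialised between messages yields a different tag for the same key and input.

```python
import hashlib
import hmac

def parse_hex(dump: str) -> bytes:
    """Parse both dump styles in the thread: '4024a8e1 168ffb50 ...' words,
    or '0000 40 24 a8 ...' rows whose leading 4-digit offset is dropped."""
    parts = []
    for line in dump.strip().splitlines():
        toks = line.split()
        if len(toks) > 1 and len(toks[0]) == 4 and all(len(t) == 2 for t in toks[1:]):
            toks = toks[1:]  # hexdump row: discard the offset column
        parts.extend(toks)
    return bytes.fromhex("".join(parts))

def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()

def self_test() -> bool:
    """RFC 2202 HMAC-SHA1 test case 1: proves the checker itself is sound."""
    want = bytes.fromhex("b617318655057264e28bc0b6fb378c8ef146be00")
    return hmac.compare_digest(hmac_sha1(b"\x0b" * 20, b"Hi There"), want)

def fresh_vs_stale(key: bytes, earlier: bytes, msg: bytes):
    """Return (fresh, stale). 'stale' is the tag from a context that still
    holds `earlier` when `msg` is fed in, i.e. it was never re-initialised."""
    ctx = hmac.new(key, earlier, hashlib.sha1)
    ctx.update(msg)
    return hmac_sha1(key, msg), ctx.digest()

# Values copied from the post (key, 48-byte work buffer, HMAC OpenVPN logged).
KEY = parse_hex("4024a8e1 168ffb50 1b3c3fd7 e1fbe630 d2d26623")
WORK = parse_hex("""
0000 86 d3 20 dd b8 d2 0f 0b 4f 79 a0 41 4c c1 cd 47
0010 70 77 5e e8 1e 77 0f c8 85 d2 ee 0c dc d9 d6 70
0020 fd 58 39 3a 50 fc 40 94 a8 37 2c b0 16 cf 30 e9
""")
LOGGED = parse_hex("9956b5bc 81286af6 a06b8d8e a5bdeca5 4a9324b9")

def compare_with_log() -> dict:
    """Recompute the tag and compare it with the logged one in constant time."""
    tag = hmac_sha1(KEY, WORK)
    return {"computed": tag.hex(), "matches_log": hmac.compare_digest(tag, LOGGED)}

if __name__ == "__main__":
    assert self_test()
    print(compare_with_log())
    # The earlier packet is constructed sample data, not taken from the thread.
    fresh, stale = fresh_vs_stale(KEY, b"constructed earlier packet", WORK)
    print("stale context changes tag:", fresh != stale)
```
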
