cipher_ctx_final() only returns an outlen in CBC mode. If CFB or OFB
are used the assertion outlen == iv_len is always false.
There's no CBC mode defined for the GOST 28147-89 block cipher. Hence
this patch is needed for it to work. It's needed for other ciphers like
BF-CFB as well, though.
Since GOST in OpenSSL is implemented in an engine, the engine must
be loaded before the SSL library is initialized for the algorithms
to become available for SSL/TLS.
This delays the initialization of the ssl lib until after the options
are parsed, so a possibly configured engine can be loaded
Since the crypto library and the crypto engine initialization are now
happening at the same time, there's no apparent need for two distinct
APIs to init them anymore.
The crypto engine is now initialized within the crypto library init
function, which makes the code look a bit cleaner.
OpenVPN supports using OpenSSL engines by loading them with the
--engine configuration option. Some of those engines require
configuration options themselves.
This patch extends the --engine option so that engine-options can be
specified as well.
Signed-off-by: Heiko Hund
Using EVP_MD_CTX for MAC calculation allows using other algorithms
than HMAC. In this particular case it allows the GOST-MAC to be used.
GOST-MAC uses a 256 bit key and produces a 32 bit signature.
Unfortunately OpenSSL has no API for querying a MAC's key length, so
the key length is returned
Since there's --auth gost-mac, using HMAC throughout the code
is misleading. Especially in the crypto code itself.
This changes function and variable names as well as comments
to use the more generic MAC instead.
Signed-off-by: Heiko Hund
---
doc/openvpn.8
On Aug 15, 2012, at 05:53:40, Gert Doering wrote:
> Hi,
>
> On Wed, Aug 15, 2012 at 12:00:12PM +0200, Gert Doering wrote:
>> 3 - check for the existence of "--dev tap3" and remember, not cleaning
>> if it existed previously, doing this with RT_NETLINK which should
>>
This amends commit 62c613d46dc49 to check whether a named tun/tap
device ("--dev tunX" instead of "--dev tun") exists before OpenVPN
started - if yes, keep around at program end. If no, destroy.
Also has a spelling fix, and changes clear_tuntap() to be "static"
(only ever called from within
Hi,
as discussed on IRC, the "--version" output for IPv6 is no longer
useful in its existing form -> shorten (but keep, to point out "yes,
this has IPv6" even if *we* all know).
Add another convenience patch to t_client.sh, to put the command line
used by a specific test run into the
This is useful if a test fails, and the tester wants to run the very
same OpenVPN call with the very same arguments interactively to
pinpoint and fix the problem.
Signed-off-by: Gert Doering
---
tests/t_client.sh.in |3 ++-
1 files changed, 2 insertions(+), 1
For 2.3 release, we do not need to have more details, as there is no
separate patch set anymore, and both IPv6 transport and IPv6 payload
(PF_INET6) have been fully integrated.
Signed-off-by: Gert Doering
---
src/openvpn/options.c |3 +--
1 files changed, 1