Hi,
On 12-08-2020 16:01, Arne Schwabe wrote:
> This refactors the common code between mbed SSL and OpenSSL into
> export_user_keying_material and also prepares the backend functions
> to export more than one key.
>
> Also fix checking the return value of SSL_export_keying_material
> only 1 is a s
typos/grammar
On 12/08/2020 15:01, Arne Schwabe wrote:
OpenVPN currently uses its own (based on TLS 1.0) key derivation
mechansim to generate the 256 bytes key data in key2 struct that
mechansim -> mechanism
are then used used to generate encryption/hmac/iv vectors. While
this mechanism is
typo
On 12/08/2020 15:01, Arne Schwabe wrote:
This refactors the common code between mbed SSL and OpenSSL into
export_user_keying_material and also prepares the backend functions
to export more than one key.
Also fix checking the return value of SSL_export_keying_material
only 1 is a sucess, -1
OpenVPN currently uses its own (based on TLS 1.0) key derivation
mechansim to generate the 256 bytes key data in key2 struct that
are then used used to generate encryption/hmac/iv vectors. While
this mechanism is still secure, it is not state of the art.
Instead of modernisating our own approach,
This moves the OpenVPN specific PRF into its own function also
simplifies the code a bit by passing tls_session directly instead of
5 of its fields.
Signed-off-by: Arne Schwabe
Patch V2: Rebase
---
src/openvpn/ssl.c | 109 +-
1 file changed, 69 insert
This refactors the common code between mbed SSL and OpenSSL into
export_user_keying_material and also prepares the backend functions
to export more than one key.
Also fix checking the return value of SSL_export_keying_material
only 1 is a sucess, -1 is also an error.
Signed-off-by: Arne Schwabe
Hi,
Couldn't resist giving this a quick look.
Feature-ACK on the patch set, but some comments on the approach:
On 12-08-2020 10:55, Arne Schwabe wrote:
> This refactors the common code between mbed SSL and OpenSSL into
> export_user_keying_material and also prepares the backend functions
> to ex
Acked-by: Gert Doering
Good work, Richard and Arne, thanks!
Your patch has been applied to the master branch.
commit 9262f1454d78157226f20b15a374f3c750e19cdd
Author: Arne Schwabe
Date: Wed Aug 12 10:54:12 2020 +0200
Improve sections about older OpenVPN clients in cipher-negotiation.rst
Am 23.07.20 um 14:19 schrieb Gert Doering:
> On FreeBSD 12 (tested and verified on 12.1-RELEASE-p2), after "ifconfig
> inet6" for a tun/tap interface, there sometimes is a race condition
> where the "IFDISABLED" flag shows up after a short time frame, under
> a second, and never clears itself. Thi
- Explain the IV_NCP=2 client situation in 2.4 a bit better.
- Make more clear what exact versions are meant in the old client section
- add a missing - in a heading
Thanks to Richard Bohnhomme for initial proof reading.
Signed-off-by: Arne Schwabe
---
doc/man-sections/cipher-negotiation.rst
This moves the OpenVPN specific PRF into its own function also
simplifies the code a bit by passing tls_session directly instead of
5 of its fields.
Signed-off-by: Arne Schwabe
---
src/openvpn/ssl.c | 109 +-
1 file changed, 69 insertions(+), 40 deleti
OpenVPN currently uses its own (based on TLS 1.0) key derivation
mechansim to generate the 256 bytes key data in key2 struct that
are then used used to generate encryption/hmac/iv vectors. While
this mechanism is still secure, it is not state of the art.
Instead of modernisating our own approach,
This refactors the common code between mbed SSL and OpenSSL into
export_user_keying_material and also prepares the backend functions
to export more than one key.
Also fix checking the return value of SSL_export_keying_material
only 1 is a sucess, -1 is also an error.
Signed-off-by: Arne Schwabe
13 matches
Mail list logo