Attention is currently required from: flichtenheld, plaisthos.

MaxF has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/798?usp=email )

Change subject: Implement HKDF expand function based on RFC 8446
......................................................................


Patch Set 4:

(1 comment)

File src/openvpn/crypto_epoch.c:

http://gerrit.openvpn.net/c/openvpn/+/798/comment/66b3a85e_5d30ac1a :
PS4, Line 86:     /* 2 byte for the outlen encoded as uint16, 5 bytes for "ovpn " */
            :     int hkdf_label_len = 2 + 5 + label_len + context_len;
            :     struct buffer hkdf_label = alloc_buf_gc(hkdf_label_len, &gc);
            :
            :
            :     buf_write_u16(&hkdf_label, out_len);
            :     buf_write(&hkdf_label, "ovpn ", 5);
            :     buf_write(&hkdf_label, label, label_len);
            :     if (context_len > 0)
            :     {
            :         buf_write(&hkdf_label, context, context_len);
            :     }
> Hm, I know what you are saying, at the same time, TLS 1. […]
TLS 1.3 does use length fields here; it's implied by the "opaque label<7..255>" 
notation.

You can look at the implementations in OpenSSL or mbed TLS. For example, see 
ssl_tls13_hkdf_encode_label() in 
https://github.com/Mbed-TLS/mbedtls/blob/development/library/ssl_tls13_keys.c

Removing the context argument and otherwise leaving the function as-is is fine.



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/798?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I3a1c6561f4d9a69e2a441d49dff620b4258a1bcc
Gerrit-Change-Number: 798
Gerrit-PatchSet: 4
Gerrit-Owner: plaisthos <arne-open...@rfc2549.org>
Gerrit-Reviewer: MaxF <m...@max-fillinger.net>
Gerrit-Reviewer: flichtenheld <fr...@lichtenheld.com>
Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net>
Gerrit-Attention: plaisthos <arne-open...@rfc2549.org>
Gerrit-Attention: flichtenheld <fr...@lichtenheld.com>
Gerrit-Comment-Date: Wed, 20 Nov 2024 21:28:48 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: plaisthos <arne-open...@rfc2549.org>
Comment-In-Reply-To: MaxF <m...@max-fillinger.net>
Gerrit-MessageType: comment
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
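
The framing difference discussed in the comment above, as an added example (not code from the OpenVPN patch, OpenSSL or Mbed TLS). encode_concat mirrors the byte layout of the quoted lines, encode_prefixed adds the one-byte length fields that RFC 8446's "opaque label<7..255>" and "opaque context<0..255>" imply; the function names and the sample label/context strings are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PREFIX "ovpn "      /* prefix from the quoted code; RFC 8446 uses "tls13 " */
#define PREFIX_LEN 5
typedef size_t (*encoder)(uint8_t *, uint16_t, const char *, const char *);

/* Layout of the quoted lines: uint16 out_len || "ovpn " || label || context */
static size_t encode_concat(uint8_t *out, uint16_t out_len, const char *label, const char *ctx)
{
    size_t n = 0, ll = strlen(label), cl = strlen(ctx);
    if (PREFIX_LEN + ll > 255 || cl > 255)
        return 0;                           /* keep both encoders to the same limits */
    out[n++] = (uint8_t)(out_len >> 8);
    out[n++] = (uint8_t)(out_len & 0xff);
    memcpy(out + n, PREFIX, PREFIX_LEN); n += PREFIX_LEN;
    memcpy(out + n, label, ll); n += ll;
    memcpy(out + n, ctx, cl); n += cl;
    return n;
}

/* RFC 8446 HkdfLabel framing: every opaque<..255> vector gets a 1-byte length */
static size_t encode_prefixed(uint8_t *out, uint16_t out_len, const char *label, const char *ctx)
{
    size_t n = 0, ll = strlen(label), cl = strlen(ctx);
    if (PREFIX_LEN + ll > 255 || cl > 255)
        return 0;                           /* does not fit the length fields */
    out[n++] = (uint8_t)(out_len >> 8);
    out[n++] = (uint8_t)(out_len & 0xff);
    out[n++] = (uint8_t)(PREFIX_LEN + ll);  /* length of prefix + label */
    memcpy(out + n, PREFIX, PREFIX_LEN); n += PREFIX_LEN;
    memcpy(out + n, label, ll); n += ll;
    out[n++] = (uint8_t)cl;                 /* length of context, may be 0 */
    memcpy(out + n, ctx, cl); n += cl;
    return n;
}

/* Returns 1 if the two (label, context) pairs encode to identical bytes. */
static int collides(encoder enc, const char *l1, const char *c1, const char *l2, const char *c2)
{
    uint8_t a[600], b[600];
    size_t na = enc(a, 32, l1, c1), nb = enc(b, 32, l2, c2);
    return na != 0 && na == nb && memcmp(a, b, na) == 0;
}

int main(void)
{   /* constructed inputs: the same bytes split differently between label and context */
    printf("concat:   %d\n", collides(encode_concat, "data", "key", "datakey", ""));
    printf("prefixed: %d\n", collides(encode_prefixed, "data", "key", "datakey", ""));
    return 0;
}
```

With the context argument removed, as the comment suggests, the unprefixed layout has only one variable-length field left and the ambiguity shown here cannot arise.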