Attention is currently required from: MaxF, flichtenheld.

plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/798?usp=email )

Change subject: Implement HKDF expand function based on RFC 8446
......................................................................


Patch Set 4:

(1 comment)

File src/openvpn/crypto_epoch.c:

http://gerrit.openvpn.net/c/openvpn/+/798/comment/a9e383fb_853c2f64 :
PS4, Line 86:     /* 2 byte for the outlen encoded as uint16, 5 bytes for "ovpn 
" */
            :     int hkdf_label_len = 2 + 5 + label_len + context_len;
            :     struct buffer hkdf_label = alloc_buf_gc(hkdf_label_len, &gc);
            :
            :
            :     buf_write_u16(&hkdf_label, out_len);
            :     buf_write(&hkdf_label, "ovpn ", 5);
            :     buf_write(&hkdf_label, label, label_len);
            :     if (context_len > 0)
            :     {
            :         buf_write(&hkdf_label, context, context_len);
            :     }
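Review bot: the results of buf_write_u16() and all three buf_write() calls are discarded, and no bound on label_len or context_len is visible before "int hkdf_label_len = 2 + 5 + label_len + context_len;", so an oversized or negative length would only show up as a silently short or empty hkdf_label. Suggest rejecting out-of-range lengths before alloc_buf_gc() and checking each write's return value. The literal 5 also appears in both the length sum and the "ovpn " write; a single named constant would keep the two in step.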
> TLS 1.3 does use length fields here, it's implied by the "opaque 
> label<7..255>" notation. […]
Yeah, you are right. I think I still want to modify it to be the same as in the 
TLS standard as that is probably better in the long run, especially for DCO 
implementations, as they then may reuse something written for TLS in kernel etc.

I just now have to figure out why OpenSSL ends up having 0x00 0x54 between ovpn 
and unit test in the expanded label and if that is on purpose or if I messed up 
using the OpenSSL API.



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/798?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I3a1c6561f4d9a69e2a441d49dff620b4258a1bcc
Gerrit-Change-Number: 798
Gerrit-PatchSet: 4
Gerrit-Owner: plaisthos <arne-open...@rfc2549.org>
Gerrit-Reviewer: MaxF <m...@max-fillinger.net>
Gerrit-Reviewer: flichtenheld <fr...@lichtenheld.com>
Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net>
Gerrit-Attention: flichtenheld <fr...@lichtenheld.com>
Gerrit-Attention: MaxF <m...@max-fillinger.net>
Gerrit-Comment-Date: Thu, 21 Nov 2024 13:07:14 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: plaisthos <arne-open...@rfc2549.org>
Comment-In-Reply-To: MaxF <m...@max-fillinger.net>
Gerrit-MessageType: comment
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
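
The RFC 8446 HkdfLabel layout discussed in the comment above, as an added example that is not code from the OpenVPN change. build_hkdf_label is a hypothetical helper, and keeping the "ovpn " prefix from the quoted snippet in place of TLS's "tls13 " is an assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Prefix from the snippet under review; RFC 8446 itself uses "tls13 ". */
#define LABEL_PREFIX "ovpn "
#define LABEL_PREFIX_LEN 5

/*
 * Serialise an RFC 8446 section 7.1 HkdfLabel (hypothetical helper):
 *   uint16 length; opaque label<7..255>; opaque context<0..255>;
 * Each opaque vector carries a one-byte length in front of its bytes.
 * Returns the number of bytes written, or 0 if a field does not fit.
 */
size_t
build_hkdf_label(uint8_t *dst, size_t dst_cap, uint16_t out_len,
                 const uint8_t *label, size_t label_len,
                 const uint8_t *context, size_t context_len)
{
    /* Assumption: non-empty label; prefix + label and context fit one byte. */
    if (label_len == 0 || label_len > 255 - LABEL_PREFIX_LEN || context_len > 255)
        return 0;
    size_t full_label_len = LABEL_PREFIX_LEN + label_len;
    if (dst_cap < 2 + 1 + full_label_len + 1 + context_len) return 0;
    uint8_t *p = dst;
    *p++ = (uint8_t)(out_len >> 8);          /* uint16 length, big endian */
    *p++ = (uint8_t)(out_len & 0xff);
    *p++ = (uint8_t)full_label_len;          /* label length prefix */
    memcpy(p, LABEL_PREFIX, LABEL_PREFIX_LEN);
    p += LABEL_PREFIX_LEN;
    memcpy(p, label, label_len);
    p += label_len;
    *p++ = (uint8_t)context_len;             /* context length prefix */
    if (context_len > 0)
        memcpy(p, context, context_len);
    p += context_len;
    return (size_t)(p - dst);
}

int main(void)
{
    uint8_t buf[64];   /* constructed sample: 32-byte output, empty context */
    size_t n = build_hkdf_label(buf, sizeof(buf), 32, (const uint8_t *)"unit test", 9, NULL, 0);
    for (size_t i = 0; i < n; i++)
        printf("%02x", buf[i]);
    printf("\n");
    return n == 18 ? 0 : 1;
}
```

Without the two length bytes, label "ab" with context "c" and label "a" with context "bc" would serialise to the same bytes; with them the encodings differ.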
