Hi Pieter,

On 05/11/18 10:05, Pieter Hulshoff wrote:
> 2018-10-29 13:55 GMT+01:00 Pieter Hulshoff <pieter.hulsh...@technolution.nl>:
>> Hello Steffan,
>>
>> Thank you for the links. How should I interpret this?
>>
>> GCM IV format:
>> [ - packet ID - ] [ - HMAC key data - ]
>>
>> This would be a 4 byte packet ID combined with 8 byte HMAC key
>> data to form a 12 byte IV? Does the TLS negotiation deliver an 8
>> byte HMAC key in this mode or is only part of the HMAC key used
>> (and if so: which part)?
>
> Can anyone give me some insight into this matter? How is the HMAC key
> data used in the AES-256-GCM IV determined?

with link-mtu=1500:

AES-256-CBC + SHA256:
  crypto_adjust_frame_parameters:
    packet_id_size= 4 bytes
    cipher_kt_iv_size = 16 bytes
    cipher_kt_block_size = 16 bytes
    hmac_length = 32 bytes
  crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
  Opcode = 1 byte
  Peer-id = 3 bytes
  Total overhead = 72 bytes:
  Data Channel MTU parms [ L:1500 D:1450 EF:72 EB:386 ET:0 EL:3 ]
  tun-mtu:
  /usr/sbin/ip link set dev tun1 up mtu 1428

AES-256-GCM:
  crypto_adjust_frame_parameters:
    packet_id_size= 4 bytes
    cipher_kt_iv_size = 12 bytes
    cipher_kt_tag_size = 16 bytes
    cipher_kt_block_size = 16 bytes
    hmac_length = 0 bytes
  crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 48 bytes
  Opcode = 1 byte
  Peer-id = 3 bytes
  Total overhead = 52 bytes:
  Data Channel MTU parms [ L:1500 D:1450 EF:52 EB:386 ET:0 EL:3 ]
  tun-mtu:
  /usr/sbin/ip link set dev tun1 up mtu 1448

In short:
- in CBC+SHA mode (iv + cipher + tag + hmac) = (16 + 16 + 0 + 32) = 64
- in GCM mode (iv + cipher + tag + hmac) = (12 + 16 + 16 + 0) = 44

HTH,
JJK
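
Added example (not part of the original message, and not OpenVPN code): a Python check that parses the debug lines from the reply above, confirms that the logged size fields add up to the reported crypto adjustment, and recomputes tun-mtu for each cipher mode. The rules that every logged size field is summed and that tun-mtu equals link-mtu minus total overhead are assumptions inferred from the numbers in the reply; the function and variable names are hypothetical.

```python
import re

# Debug lines copied from the reply above (both runs used link-mtu=1500).
REPLY_LOG = """\
AES-256-CBC + SHA256:
packet_id_size= 4 bytes
cipher_kt_iv_size = 16 bytes
cipher_kt_block_size = 16 bytes
hmac_length = 32 bytes
crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
Opcode = 1 byte
Peer-id = 3 bytes
AES-256-GCM:
packet_id_size= 4 bytes
cipher_kt_iv_size = 12 bytes
cipher_kt_tag_size = 16 bytes
cipher_kt_block_size = 16 bytes
hmac_length = 0 bytes
crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 48 bytes
Opcode = 1 byte
Peer-id = 3 bytes
"""
FIELD = re.compile(r"^([\w-]+)\s*=\s*(\d+) bytes?$")
ADJUST = re.compile(r"crypto by (\d+) bytes$")
HEADER_FIELDS = {"Opcode", "Peer-id"}  # packet header, outside the crypto adjustment

def parse_modes(text):
    """Return {mode: {"fields": {...}, "header": {...}, "reported": int}}."""
    modes, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := FIELD.match(line):
            bucket = "header" if m[1] in HEADER_FIELDS else "fields"
            cur[bucket][m[1]] = int(m[2])
        elif m := ADJUST.search(line):
            cur["reported"] = int(m[1])
        elif line.endswith(":"):  # a mode heading such as "AES-256-GCM:"
            cur = modes[line[:-1]] = {"fields": {}, "header": {}, "reported": None}
    return modes

def check(mode, link_mtu=1500):
    """Assumed rule: every logged size field counts toward the adjustment."""
    crypto = sum(mode["fields"].values())
    if crypto != mode["reported"]:
        raise ValueError(f"fields sum to {crypto}, log reports {mode['reported']}")
    total = crypto + sum(mode["header"].values())
    # Assumed rule: tun-mtu = link-mtu - total overhead (matches 1428 / 1448).
    return {"crypto": crypto, "total": total, "tun_mtu": link_mtu - total}
```

Running check() on each parsed mode raises ValueError if a pasted log's fields do not add up to the adjustment it reports, which is a quick way to spot a mismatched cipher or MTU setting between two peers' logs.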