author | Daniel Kubec <niel@rtfm.cz> | 2015-03-12 15:14:20 +0100 |
---|---|---|
committer | David Sommerseth <davids@redhat.com> | 2015-10-10 00:02:40 +0200 |
commit | 685e486e8b8f70c25f09590c24762ff734f94a51 (patch) | |
tree | 2352755e34a75ea39f48497d6fb7dc7469330294 /src/openvpn/init.c | |
parent | 7246ccfdbe6039c5c578ecaa07505307d53b8e84 (diff) | |
download | openvpn-685e486e8b8f70c25f09590c24762ff734f94a51.tar.gz openvpn-685e486e8b8f70c25f09590c24762ff734f94a51.tar.xz openvpn-685e486e8b8f70c25f09590c24762ff734f94a51.zip |
Added support for TLS Keying Material Exporters [RFC-5705]
Keying Material Exporters [RFC-5705] allow additional keying material to be
derived from an existing TLS channel. This exported keying material can then be
used for a variety of purposes.
[DS: Updated man page to document both upper and lower length boundaries]
Signed-off-by: Daniel Kubec <niel@rtfm.cz>
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: David Sommerseth <davids@redhat.com>
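The commit message only says that exporters derive extra key material from the TLS channel; the following is an added, stand-alone illustration of what that derivation actually is, written for this page and not taken from OpenVPN or OpenSSL. It implements the RFC 5705 exporter for a TLS 1.2 session, EKM = PRF(master_secret, label, client_random + server_random [+ context]), with the TLS 1.2 P_SHA256 PRF from RFC 5246, which is what the OpenSSL call the patch targets (the version guard 0x10001000 corresponds to 1.0.1, where SSL_export_keying_material() appeared) computes for such a session. It is written in Python because the standard library supplies HMAC-SHA256 offline. Assumptions: TLS 1.2 only (TLS 1.0/1.1 use a different PRF and TLS 1.3 uses HKDF-based exporters); the 16..4095 byte length window is copied from the patch on this page; the master secret, randoms and the EXPERIMENTAL-openvpn-* labels are constructed for the demo and are not from a real handshake.

```python
"""RFC 5705 exporter for a TLS 1.2 session, as a stand-alone illustration.

    EKM = PRF(master_secret, label, client_random + server_random [+ context])

with PRF = TLS 1.2 P_SHA256 (RFC 5246 section 5).  A context, when supplied,
is appended as a 2-byte big-endian length followed by the context bytes.
Only the 16..4095 byte length window is taken from the OpenVPN patch; the
session values below are constructed for the demo, not from a real handshake.
"""
import hashlib
import hmac

EKM_MIN_LEN = 16      # lower bound the patch enforces (mirrored here)
EKM_MAX_LEN = 4095    # upper bound the patch enforces (mirrored here)

# Constructed sample session state: a 48-byte master secret and two 32-byte
# randoms derived from fixed strings so that every run is reproducible.
SAMPLE_MASTER_SECRET = hashlib.sha384(b"demo master secret").digest()
SAMPLE_CLIENT_RANDOM = hashlib.sha256(b"demo client random").digest()
SAMPLE_SERVER_RANDOM = hashlib.sha256(b"demo server random").digest()


def ekm_length_ok(length: int) -> bool:
    """Same window the patch checks before it zeroes to.ekm_size."""
    return EKM_MIN_LEN <= length <= EKM_MAX_LEN


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_SHA256 expansion: concatenate HMAC(secret, A(i) + seed) for
    i = 1, 2, ... where A(0) = seed and A(i) = HMAC(secret, A(i-1)), then
    truncate to the requested length."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def export_keying_material(master_secret: bytes, client_random: bytes,
                           server_random: bytes, label: str, length: int,
                           context=None) -> bytes:
    """Derive `length` bytes of exporter output for one (label, context) pair.

    Both ends of the connection hold the same three secrets/randoms, so both
    compute the same value without ever sending it; that is what lets the
    result serve as a channel binding or as a key for another protocol.
    """
    if not ekm_length_ok(length):
        raise ValueError("exporter length %d outside %d..%d"
                         % (length, EKM_MIN_LEN, EKM_MAX_LEN))
    seed = client_random + server_random
    if context is not None:                      # RFC 5705: optional context
        if len(context) > 0xFFFF:
            raise ValueError("context longer than 65535 bytes cannot be encoded")
        seed += len(context).to_bytes(2, "big") + context
    return tls12_prf(master_secret, label.encode("ascii"), seed, length)


if __name__ == "__main__":
    label = "EXPERIMENTAL-openvpn-demo"          # hypothetical label for the demo
    args = (SAMPLE_MASTER_SECRET, SAMPLE_CLIENT_RANDOM, SAMPLE_SERVER_RANDOM)
    client_view = export_keying_material(*args, label, 32)
    server_view = export_keying_material(*args, label, 32)
    print("both peers derive :", client_view.hex(), client_view == server_view)
    print("different label   :", export_keying_material(
        *args, "EXPERIMENTAL-openvpn-other", 32).hex())
    print("with empty context:", export_keying_material(
        *args, label, 32, context=b"").hex())
    for bad in (15, 4096):
        print("length %d inside the patch's window: %s" % (bad, ekm_length_ok(bad)))
```

Two properties worth noticing when running it: output for a longer request is a prefix-extension of the shorter one (P_hash only truncates), so two applications must not share a label and rely on length alone to separate their keys; and supplying an empty context is not the same as supplying none, because the two-byte length field still enters the seed.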
Diffstat (limited to 'src/openvpn/init.c')
-rw-r--r-- | src/openvpn/init.c | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 3decd23..c32a809 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2279,6 +2279,22 @@ do_init_crypto_tls (struct context *c, const unsigned int flags) to.comp_options = options->comp; #endif +#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000 + if (options->keying_material_exporter_label) + { + to.ekm_size = options->keying_material_exporter_length; + if (to.ekm_size < 16 || to.ekm_size > 4095) + to.ekm_size = 0; + + to.ekm_label = options->keying_material_exporter_label; + to.ekm_label_size = strlen(to.ekm_label); + } + else + { + to.ekm_size = 0; + } +#endif + /* TLS handshake authentication (--tls-auth) */ if (options->tls_auth_file) { |
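Review bot: an out-of-range --keying-material-exporter length is silently turned into "no exporter" here (`if (to.ekm_size < 16 || to.ekm_size > 4095) to.ekm_size = 0;`) while `to.ekm_label` and `to.ekm_label_size` are still filled in, so the option looks accepted but nothing is ever exported and the user is never told why. Since the bounds are documented in the man page, reject the value at option-parsing time, or at least emit a warning before zeroing. Two smaller points: the else branch clears only `ekm_size`, so either rely on `to` having been zeroed earlier or clear `ekm_label` and `ekm_label_size` as well; and because the whole block sits under `#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000`, a build with another crypto backend or an older OpenSSL accepts the option and ignores it, so the same guard should make the option an error there. A one-line comment on where 16 and 4095 come from would also help the next reader.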