authorDaniel Kubec <niel@rtfm.cz>2015-03-12 15:14:20 +0100
committerDavid Sommerseth <davids@redhat.com>2015-10-10 00:02:40 +0200
commit685e486e8b8f70c25f09590c24762ff734f94a51 (patch)
tree2352755e34a75ea39f48497d6fb7dc7469330294 /src/openvpn/options.c
parent7246ccfdbe6039c5c578ecaa07505307d53b8e84 (diff)
Added support for TLS Keying Material Exporters [RFC-5705]
Keying Material Exporter [RFC-5705] allows additional keying material to be derived from an existing TLS channel. This exported keying material can then be used for a variety of purposes. [DS: Updated man page to document both upper and lower length boundaries] Signed-off-by: Daniel Kubec <niel@rtfm.cz> Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com>
Diffstat (limited to 'src/openvpn/options.c')
-rw-r--r--src/openvpn/options.c27
1 files changed, 27 insertions, 0 deletions
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index de4fa38..7906f46 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -611,6 +611,10 @@ static const char usage_message[] =
"--x509-track x : Save peer X509 attribute x in environment for use by\n"
" plugins and management interface.\n"
#endif
+#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000
+ "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
+ " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
+#endif
"--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
" explicit key usage, you can specify more than one value.\n"
" value should be given in hex format.\n"
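Review bot: The usage text on the second added line documents only the lower bound ("min. 16 bytes"), while the parser in add_option also rejects lengths above 4095, so a user reading --help cannot see the full accepted range; `" of len bytes (16..4095) using label in environment for use by plugins.\n"` would match what the option handler enforces. The usage_message array begins and ends outside the hunk.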
@@ -7066,6 +7070,29 @@ add_option (struct options *options,
options->use_peer_id = true;
options->peer_id = atoi(p[1]);
}
+#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000
+ else if (streq (p[0], "keying-material-exporter") && p[1] && p[2])
+ {
+ int ekm_length = positive_atoi (p[2]);
+
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+
+ if (strncmp(p[1], "EXPORTER", 8))
+ {
+ msg (msglevel, "Keying material exporter label must begin with "
+ "\"EXPORTER\"");
+ goto err;
+ }
+ if (ekm_length < 16 || ekm_length > 4095)
+ {
+ msg (msglevel, "Invalid keying material exporter length");
+ goto err;
+ }
+
+ options->keying_material_exporter_label = p[1];
+ options->keying_material_exporter_length = ekm_length;
+ }
+#endif
else
{
int i;
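Review bot: The range check at `if (ekm_length < 16 || ekm_length > 4095)` rejects bad input with a message that does not tell the operator what the accepted range is, and both bounds are bare magic numbers; `msg (msglevel, "Invalid keying material exporter length (must be 16..4095 bytes)");` plus named constants for the two bounds would make the error and the intent readable. The prefix check `strncmp(p[1], "EXPORTER", 8)` likewise carries no rationale, so a comment such as `/* RFC 5705 exporter labels are IANA-registered; requiring an "EXPORTER" prefix keeps user-chosen labels out of that namespace -- confirm */` would record why the restriction exists, hedged because the reason is not visible in this hunk. Storing p[1] by pointer in options->keying_material_exporter_label is only safe if the option-line strings outlive the options struct, which the other string options in this function presumably rely on as well. add_option begins and ends outside the hunk.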