Hi Frances,

froggu 21 wrote:
hi all

May I know whether you have successfully verified the HMAC generated by OpenVPN? I found that the HMAC value generated by the OpenVPN does not tally with the HMAC value generated from the OpenSSL directly. I wonder is there any incorrect implementation of HMAC by OpenVPN?

please see results:
Captured Output:
#Using 160 bit message hash 'SHA' for HMAC authentication --- HMAC KEY Size: 20
#HMAC KEY: 4024a8e1 168ffb50 1b3c3fd7 e1fbe630 d2d26623
#HMAC work (input): 86d320dd b8d20f0b 4f79a041 4cc1cd47 70775ee8 1e770fc8 85d2ee0c dcd9d670 fd58393a 50fc4094 a8372cb0 16cf30e9 -- BLEN (&work): 48
#HMAC work (input): 9956b5bc 81286af6 a06b8d8e a5bdeca5 4a9324b9 86d320dd b8d20f0b 4f79a041 4cc1cd47 70775ee8 1e770fc8 85d2ee0c dcd9d670 fd58393a 50fc4094 a8372cb0 16cf30e9 -- BLEN (&work): 68
#HMAC output (generated hmac): 9956b5bc 81286af6 a06b8d8e a5bdeca5 4a9324b9 -- hmac_len: 20


Using the OpenSSL to verify the HMAC output:
@@Testing HMAC digest SHA1
Key Data
0000 40 24 a8 e1 16 8f fb 50 1b 3c 3f d7 e1 fb e6 30
0010 d2 d2 66 23
Input Data
0000 86 d3 20 dd b8 d2 0f 0b 4f 79 a0 41 4c c1 cd 47
0010 70 77 5e e8 1e 77 0f c8 85 d2 ee 0c dc d9 d6 70
0020 fd 58 39 3a 50 fc 40 94 a8 37 2c b0 16 cf 30 e9
Expected Hash
0000 99 56 b5 bc 81 28 6a f6 a0 6b 8d 8e a5 bd ec a5
0010 4a 93 24 b9

HMAC Digest mismatch
Got
0000 83 cb 72 19 f4 2a 33 f8 37 a6 62 59 8f 2e 05 cb
0010 0a 39 0f 37
Expected
0000 99 56 b5 bc 81 28 6a f6 a0 6b 8d 8e a5 bd ec a5
0010 4a 93 24 b9

I wonder, did I miss out anything? Or is there something different in OpenVPN HMAC implementation? Could you advise?

How did you generate this output (on the openvpn side)?
Note that there is no "correct HMAC implementation" per se: to use HMAC you generate a 2048 bit key using
 openvpn --genkey --secret ta.key
OpenVPN then uses parts of this key for HMAC ciphers, encryption etc.
For more details, read the HMAC section in the FAQ:
http://openvpn.net/index.php/open-source/faq.html

HTH,

JJK
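
Added example (not part of the thread, and not OpenVPN's own code): one way to check which part of a 2048 bit static key reproduces a captured HMAC tag, after first proving the test harness against RFC 2202 HMAC-SHA1 test case 1. The four 64-byte slot layout, the function names, and the key and packet bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

SLOT = 64  # assumption: a 2048-bit static key holds four 64-byte slots

def parse_static_key(text):
    """Return the 256 raw key bytes from an 'OpenVPN Static key V1' block."""
    m = re.search(r"-----BEGIN OpenVPN Static key V1-----(.*?)"
                  r"-----END OpenVPN Static key V1-----", text, re.S)
    if not m:
        raise ValueError("no static key block found")
    raw = bytes.fromhex("".join(m.group(1).split()))
    if len(raw) != 256:
        raise ValueError("expected 2048 bits, got %d" % (len(raw) * 8))
    return raw

def hmac_tag(key, data, digest="sha1"):
    return hmac.new(key, data, digest).digest()

def matching_slots(raw, data, tag, digest="sha1"):
    """List (slot, offset) pairs whose leading bytes reproduce tag over data."""
    klen = hashlib.new(digest).digest_size  # 20-byte key for SHA1, as in the post
    hits = []
    for slot in range(len(raw) // SLOT):
        key = raw[slot * SLOT: slot * SLOT + klen]
        # constant-time comparison, as a verifier should use
        if hmac.compare_digest(hmac_tag(key, data, digest), tag):
            hits.append((slot, slot * SLOT))
    return hits

def selftest():
    """RFC 2202 HMAC-SHA1 test case 1: shows the harness itself is sound."""
    got = hmac_tag(b"\x0b" * 20, b"Hi There").hex()
    return got == "b617318655057264e28bc0b6fb378c8ef146be00"

def demo():
    # Constructed key file and packet bytes, not taken from the thread.
    raw = hashlib.shake_128(b"constructed").digest(256)
    body = "\n".join(raw.hex()[i:i + 32] for i in range(0, 512, 32))
    text = ("-----BEGIN OpenVPN Static key V1-----\n" + body
            + "\n-----END OpenVPN Static key V1-----\n")
    data = bytes(range(48))              # 48 bytes, like the BLEN in the post
    tag = hmac_tag(raw[192:212], data)   # tag made with slot 3's first 20 bytes
    return matching_slots(parse_static_key(text), data, tag)

if __name__ == "__main__":
    print("harness ok:", selftest(), "matching slots:", demo())
```

An empty result from `matching_slots` means none of the assumed slots produced the tag over that exact input, which points at the key or input bytes being compared rather than at the HMAC routine.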

