Closed oidipos closed 6 years ago
liquidat
commented
6 years ago Thanks for the comment - I need to get a test setup working first before I can add the patch.
Speaking about, you sure you meant to replace line 92 by this? I would have thought to add it between line 94 and 95?!
oidipos
commented
6 years ago Oops, sorry. You're right, I got my numbers mixed up. The patch is supposed to replace line 94. Currently, line 94 is the special case for digest_size=20 (SHA1) and thus only works for that.
foobarable
commented
6 years ago Is this fixed in the most recent version? I can't seem to use tls auth with SHA256 as well.
Update: i revert my statement, it works with your supplied patch (and the correct key direction ;))
seren
commented
6 years ago Thanks @oidipos for this patch!
liquidat
commented
6 years ago Ahhh! I totally forgot about that patch! @seren Thanks for bringing this up again. Can you confirm that it works?
seren
commented
6 years ago Yup, just applied it and it's working with SHA256.
liquidat
commented
6 years ago @seren So you did change line 94? Would you mind making a patch and creating a PR, or posting it here?
seren
commented
6 years ago Yup, line 94. I just created https://github.com/liquidat/nagios-icinga-openvpn/pull/19 for you.
Packet verification fails for set-ups using other non-SHA1 hashes like SHA256 because, the length of the HMAC digest is hard-coded to 20 bytes (SHA1) in line 92.
Possible fix, change line 92 to:
elif len(packet) - struct.unpack('>B', packet[17+digest_size:18+digest_size])[0] * 4 == 30+digest_size: plen = 2 # type(1) sid(8) hmac(digest_size) pid(4) ts(4) mpida(1) rsid(8) mpid(mpida*4)