Dear Ger, ^_^ the reason is I didn't decrypt the 24 bytes data, so the IV don't update , as a result is the data decrypted is error.
thanks a lot. abc_123_ok 2008-08-04 发件人: Ger Hobbelt 发送时间: 2008-08-04 17:08:38 收件人: openssl-users@openssl.org 抄送: 主题: Re: Re: Re: hello everyone Great! I'm curious: what was the solution? Thanks, Ger On Sat, Aug 2, 2008 at 10:12 AM, abc_123_ok <[EMAIL PROTECTED] > wrote: > thanks Ger Hobbelt and All, > > my question have been solved, > > thanks a lot. > 2008-08-02 > ________________________________ > abc_123_ok > ________________________________ > 发件人: Ger Hobbelt > 发送时间: 2008-07-30 16:52:00 > 收件人: openssl-users > 抄送: > 主题: Re: Re: Re: hello everyone > > yes , you are correct , my client does not use Openssl code. > Okay... Well, this significantly complicates matters as I assume you > have either (a) written the embedded code from scratch, or (b) use a > different third party library for that code. Where 'gut feeling' makes > me bet on (a) here. Correct? > Anyway. The SSL protocol is standardized, so the problem is not there, > but your issues are /very/ likely due to subtle bugs and/or lacking > features in implementing the protocol in the embedded code. > Maybe an 'open door' but note that SSL is not only 'encrypting' your > raw data, but also includes protocol messages to signal the other side > (re-)authentication or other SSL-defined activity is required. One of > those messages is #23 (decimal) which is 'application_data' (see > RFC4346 and other relevant spec documents). > Message #23 does not just contain the 'encrypted application data' as > is, but includes extra stuff, depending on cipher suite and protocol > version. CBC ciphers require an IV to start, so the first few bytes > VERY PROBABLY are the IV being sent to the other side (since you use > CBC). Within the same message #23 (see RFC4346 for TLS1: appendix > A.1), you will find trailing data constituting the MAC and padding, > which will easily account for 24 bytes. (SHA-1 MAC at 160bits = 20 > bytes already; padding may be an 'arbitrary' length.) > Before we dive into that a little deeper, have a look at the network > data passed between an *OpenSSL* client and *OpenSSL* server, like the > s_client/s_server example you showed a little before here: notice > there that the 'user' gets to see the plaintext data *exactly* as > typed on the other side, but when you look at the raw TCP packets sent > up and down, the TCP 'data' (so anything beyond the TCP header in the > network packet) will contain some /extra/ (mostly encrypted) data as > well: that's the SSL protocol layer at work. (I refer to s_client + > s_server here, because you can quickly see those two 'work together > fine'. This is very complex stuff so we try to go down one level at a > time.) Your network sniffer apparently is able to decode the protocol > sufficiently to show you the individual SSL protocol messages as I see > SSL protocol message (23) explicitly mentioned there. > However, NEVER think 'application data' == "my encrypted data and that's all"! > Like I said, there's the IV, MAC and padding in there. And if you > really want/need to travel all seven levels of Dante's Hell, you may > wish to read the full SSL/TLS specification and then have a look at > the actual SSL implementation of OpenSSL. Excellent work in my > opinion, but like anything concerning cryptography, there's additional > tweaks in there for security issues found by researchers after the > specifications were cast in RFC rock. For a prime example of such, may > I point you to the source code of [ssl/s3_pkt.c] and that includes > reading the text available at the /~bodo/ URL mentioned in the > comments there. > Again, note that the code may be initially hard to read, but that > wasn't done for 'fun' but because you need to watch out for a zillion > things all at the same time. > <off topic > > Generally speaking, I've found that one of the things to quickly break > not-so-well-done SSL protocol implementations is having your [OpenSSL] > implementation send an enforced 'cipher suit change' / 'renegotiation' > message (and 'issue' which would otherwise only be reported for 'long > transfers' due to internal SSL renegotiate timeout being triggered). > You can try one example of this sort of neckbreaker by running > s_client and typing a lone 'R' on a line (that's typing [Enter], [R], > [Enter]). Hell, that breaks most 'overly naive' application code using > OpenSSL -- which is /not/ a problem with OpenSSL or SSL itself, but > rather programmers who cut&paste example code and don't check up on > specs nor test beyond the 'It Just Works Now(tm)' stage, but I digress > here. > </off topic > > Returning to your encrypted 'application data' chunks: as described in > the tls-cbc.txt (see URL in s3_pkt.c), the data not only contains your > encrypted plaintext, but also IV, MAC, padding and possibly extra > (zero length plaintext) data -- at least if I have interpreted the > tls-cbc.txt, the source code and the protocol correctly. (If I made > any mistake here, please correct me!) > Besides, SSL is allowed to fragment / bundle your data in more or > fewer application_data(23) messages as it deems necessary. (A process > somewhat comparable to packet fragmentation on the IP and physical > network layers for non-encrypted network communication protocols.) > You may find that the code uses *_RT_APPLICATION_DATA #defines for the > SSL protocol layer message [processing] where application data is > pushed across the wire. > Summarizing: > Your message #23(decimal) 'application_data' consists of cipher-suite > and protocol dependent 'extra data', next to the straight encrypted > plaintext you wanted to transmit across the wire. 'extra data' here > may be any of IV, MAC and padding, though it is not necessarily > limited to those. See the SSL/TLS RFCs and the OpenSSL ssl/*.[ch] code > for further investigation. > Also note that when constructing the protocol on your own that there > is no 'single correct answer' here: your receiver implementation MUST > be able to cope with the subtleties here (such as the ones mentioned > in the tls-cbc.txt text). > Given the /large/ complexity that comes with a /proper/ implementation > of the SSL protocol, I would personally advise you to spend your > efforts on porting OpenSSL to your embedded environment instead of > crafting your own -- assuming you are trying something like that now > (the (a) bet I mentioned at the start of this message). I have ported > OpenSSL to various non-UNIX platforms in the past and it may be more > or less of a challenge (memory footprint issues can be a factor, as is > the lack of a C runtime library offering file I/O APIs, etc.) but I > have found that the problems you will be facing then are of an > entirely different (and lacking readily available outside /expert/ > help, far more manageable) nature. In the end this leaves you time to > struggle with OpenSSL API issues you may run into instead. At THAT > level, extra help is available in the form of, for example, the > O'Reilly OpenSSL book and the wide range of experience available on > this mailing list as well, while your current issue reads to me as a > question only properly answerable by the few people on this earth who > have actually built an SSL protocol implementation themselves. > Ah, also have a look at this for the format of those SSL messages, > including application_data(23) (found these after I wrote the above, > may be easier to grok): > message layout in bytes: > http://en.wikipedia.org/wiki/Secure_Sockets_Layer > shows a message trace just like yours with a bit of explanation: > http://blogs.sun.com/sin/entry/ssltap_ing_ssl_and_tls > -- > Met vriendelijke groeten / Best regards, > Ger Hobbelt > -------------------------------------------------- > web: http://www.hobbelt.com/ > http://www.hebbut.net/ > mail: [EMAIL PROTECTED] > mobile: +31-6-11 120 978 > -------------------------------------------------- > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager [EMAIL PROTECTED] > . -- Met vriendelijke groeten / Best regards, Ger Hobbelt -------------------------------------------------- web: http://www.hobbelt.com/ http://www.hebbut.net/ mail: [EMAIL PROTECTED] mobile: +31-6-11 120 978 -------------------------------------------------- :��I"袭��r�m���?(ラ觳Z+�K?│��1ē�x ��hラ觳[�z?ラ觳Z+� ��f�y意灿���f"�h��)z{,��