Re: Running SSL on own socket code
On Wed, Jun 1, 2011 at 10:22 PM, Victor Duchovni victor.ducho...@morganstanley.com wrote:
> On Tue, May 31, 2011 at 09:05:29AM -0400, Jeff Saremi wrote:
> > I'd like to know the feasibility or complexity around using my own socket code with OpenSSL's ssl code. If I provide OpenSSL with a pair of BIOs to read and write would that be sufficient? How tightly integrated the code is with bio_connect and bio_socket? thanks jeff
>
> man BIO_new_bio_pair
>
> Look at the example.

As Victor pointed out, you can use a BIO pair to handle data transmission and separate the data transmission procedure from the SSL handshake and encrypt/decrypt procedure. Using a BIO pair, the SSL structure only handles the data at the SSL record layer, not any lower layer.

> --
> Viktor.

__ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: How to derive EAP-TLS key material from TLS?
On Wed, Jun 1, 2011 at 5:49 PM, Robin Seggelmann seggelm...@fh-muenster.de wrote:
> > _key, but how can I find the PRF api used to calculate:
>
> As Michael stated, the function SSL_tls1_key_exporter() is exactly what you're looking for. The TLS Key Exporter is described in RFC 5705. The patch #1830, which Michael also mentioned, is available for the current OpenSSL 1.0.0 release on http://sctp.fh-muenster.de/dtls-patches.html and already included in the development version of OpenSSL 1.0.1 in the CVS, which can be checked out with:
>
>     cvs -d anonym...@cvs.openssl.org:/openssl-cvs co -rOpenSSL_1_0_1-stable openssl

I see. This was added recently and was not provided in 1.0.0d, and due to the version used in my system I must implement this function myself. The content of the patch is sufficient for me to implement the function. Thanks.

> Best regards
> Robin
How to derive EAP-TLS key material from TLS?
Hi, everyone, I'm developing an EAP-TLS server using OpenSSL. I need to derive key material from the TLS session as described in RFC 5216, like the following figure shows:

    [Figure 2 - EAP-TLS Key Hierarchy: pre_master_secret, client Random and server Random feed the master_secret; the master_secret, with label == "client EAP encryption", yields MSK, EMSK, split as MSK(0,31) | MSK(32,63) | EMSK(0,63)]

How could I do this in OpenSSL? Thanks
Neo Liu
Re: How to derive EAP-TLS key material from TLS?
On Tue, May 31, 2011 at 6:41 PM, Michael Tüxen michael.tue...@lurchi.franken.de wrote:
> What about using SSL_tls1_key_extractor()?

I didn't find this function in the OpenSSL source. I can get the master secret from SSL_SESSION->master_key, but how can I find the PRF API used to calculate:

    PRF(master_secret, "client EAP encryption", client_random || server_random)

> Best regards
> Michael

Thanks
Neo Liu
Re: SSL Communication using BIO
I think you can read this article and it will help: http://www.lenholgate.com/blog/2002/11/using-openssl-with-asynchronous-sockets.html

On Mon, May 23, 2011 at 4:59 PM, Harshvir Sidhu hvssi...@gmail.com wrote:
> David, so are you suggesting that I change the approach in my code? My application is for Windows and in Managed C++. In that I am using a callback function for receive; when the callback function is called, and when I call SSL_read in that, it hangs at the recv call in the OpenSSL code. My assumption is that the data was already read from the socket when the callback was called. Another thing I would like to mention is that I am using the Sockets managed class, not the native sockets.
Re: SSL Communication using BIO
A BIO pair is a non-blocking BIO, so you need to call SSL_accept() or SSL_do_handshake() several times. The example code looks like the following:

    BIO_write(ebio, ...)
    SSL_accept(ssl)
    BIO_read(ebio, ...)

You can use BIO_pending() and BIO_wpending() to watch the buffer status of the BIO pairs.

On Mon, May 23, 2011 at 9:18 AM, G S stokest...@gmail.com wrote:
> Ah, yes, I realized later that there wasn't any communication info in there. I only use it for encryption. Good luck!
Re: Can openssl support EAP-TLS?
Thanks for your advice. I have another question. If I don't use a socket, how could I make the TLS handshake happen? For example:

    incoming data -> TLS engine -> outgoing data

My application gets the incoming data from the client, and I feed it to the TLS engine, and then the TLS engine gives me the outgoing data which the application will send to the client. It seems like my application is an agent of the client for both the TLS handshake and TLS data transmission. How could I do it?

On Wed, May 18, 2011 at 11:53 AM, Rene Hollan rene.hol...@watchguard.com wrote:
> You CAN use openssl as an engine, with bio pairs. Look here: http://h71000.www7.hp.com/doc/83final/ba554_90007/ch04s03.html:
>
> Using BIOs for SSL Data Transmission (Optional)
>
> Instead of using SSL_write() and SSL_read(), you can transmit data by calling BIO_puts() and BIO_gets(), and BIO_write() and BIO_read(), provided that a buffer BIO is created and set up as follows:
>
>     BIO *buf_io, *ssl_bio;
>     char rbuf[READBUF_SIZE];
>     char wbuf[WRITEBUF_SIZE];
>     int ret;
>
>     buf_io = BIO_new(BIO_f_buffer());            /* create a buffer BIO */
>     ssl_bio = BIO_new(BIO_f_ssl());              /* create an ssl BIO */
>     BIO_set_ssl(ssl_bio, ssl, BIO_CLOSE);        /* assign the ssl BIO to SSL */
>     BIO_push(buf_io, ssl_bio);                   /* add ssl_bio to buf_io */
>
>     ret = BIO_puts(buf_io, wbuf);                /* Write contents of wbuf[] into buf_io */
>     ret = BIO_write(buf_io, wbuf, wlen);         /* Write wlen-byte contents of wbuf[] into buf_io */
>     ret = BIO_gets(buf_io, rbuf, READBUF_SIZE);  /* Read data from buf_io and store in rbuf[] */
>     ret = BIO_read(buf_io, rbuf, rlen);          /* Read rlen-byte data from buf_io and store in rbuf[] */
>
> And also here: http://www.openssl.org/docs/crypto/BIO_new_bio_pair.html:
>
> The BIO pair can be used to have full control over the network access of an application. The application can call select() on the socket as required without having to go through the SSL-interface.
>
> The idea is that you have SSL use a bio that is one half of a bio pair: SSL will read and write from one bio of the pair, and this will automagically appear in the other bio of the bio pair (what's written on one side is read from the other, and vice-versa). You can also wrap the SSL-application side in a bio as first mentioned.
>
> It's a little tricky if you want to do this asynchronously: writing to the BIO fronting the SSL engine can result in output on the BIO of the BIO pair backing the SSL engine and/or output on the other side of the BIO fronting the SSL engine, and vice versa. This is because the SSL handshake takes place independently of the transfer of the data. Of course, it does no good to block on a BIO read that is stuck waiting on a write on the same BIO (or the one on the other side of the SSL engine).
>
> I'm sure others might be able to explain it better, but it's a technique I've used in cases where I can't have SSL front a traditional socket.
>
> --
> From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] on behalf of Neo Liu [diablo...@gmail.com]
> Sent: Tuesday, May 17, 2011 7:33 PM
> To: openssl-users@openssl.org
> Subject: Re: Can openssl support EAP-TLS?
>
> > On Thu, May 12, 2011 at 10:18 AM, Rene Hollan rene.hol...@watchguard.com wrote:
> > > If you're looking to do authentication, freeradius will do EAP, and talk to openssl for the TLS part (and an LDAP server for the actual authentication and authorization).
> > > --
> >
> > FreeRADIUS is too big for me. I just want to utilize OpenSSL to implement an EAP-TLS server. I want OpenSSL to handle the TLS handshake and data encryption and decryption, but I encapsulate the EAP packet in my application. Can I use something like BIO pair or BIO mem to meet my need? Thanks for your great help.
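The "incoming data -> TLS engine -> outgoing data" arrangement asked about above, and the point made earlier in the "SSL Communication using BIO" reply that the handshake call has to be repeated because a BIO pair never blocks, can be shown end to end with Python's standard-library ssl module, whose SSLObject over two MemoryBIO objects is the same BIO-pair construction (OpenSSL underneath, no socket involved). This is an added example, not code from the thread or from OpenSSL; the TlsEngine class and function names are mine, the server-side certificate and key paths are placeholders the caller must supply, and the client factory disables certificate verification only so the record flow can be exercised without any files present.

```python
import ssl


class TlsEngine:
    """TLS engine detached from any socket: the application feeds ciphertext in
    and pulls ciphertext out, exactly as with an OpenSSL BIO pair."""

    def __init__(self, ctx: ssl.SSLContext, server_side: bool, server_hostname=None):
        self.incoming = ssl.MemoryBIO()   # records received from the peer go in here
        self.outgoing = ssl.MemoryBIO()   # records TLS wants sent to the peer land here
        self.tls = ctx.wrap_bio(self.incoming, self.outgoing,
                                server_side=server_side, server_hostname=server_hostname)
        self.handshake_done = False

    def feed(self, data: bytes) -> None:
        """Hand bytes received from the transport (e.g. an EAP-TLS fragment) to TLS."""
        self.incoming.write(data)

    def drain(self) -> bytes:
        """Take whatever TLS wants sent to the peer; empty if nothing is pending."""
        return self.outgoing.read()

    def step_handshake(self) -> tuple[bool, bytes]:
        """One non-blocking handshake attempt; returns (done, bytes_to_send).
        Like SSL_do_handshake() on a BIO pair it must be called repeatedly:
        it raises SSLWantReadError whenever it needs more records from the peer."""
        if not self.handshake_done:
            try:
                self.tls.do_handshake()
                self.handshake_done = True
            except ssl.SSLWantReadError:
                pass                      # ClientHello/ServerHello etc. are already in `outgoing`
        return self.handshake_done, self.drain()

    def encrypt(self, plaintext: bytes) -> bytes:
        """Application data in, TLS records out."""
        self.tls.write(plaintext)
        return self.drain()

    def decrypt(self, ciphertext: bytes) -> bytes:
        """TLS records in, whatever complete application data they carry out."""
        self.feed(ciphertext)
        out = bytearray()
        while True:
            try:
                chunk = self.tls.read(16384)
            except ssl.SSLWantReadError:
                break                     # need more records before more plaintext appears
            if not chunk:
                break                     # close_notify received
            out += chunk
        return bytes(out)


def client_engine_no_verify() -> TlsEngine:
    """Client side with certificate verification disabled; suitable only for
    exercising the record flow locally, never for a deployed peer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return TlsEngine(ctx, server_side=False)


def server_engine(certfile: str, keyfile: str) -> TlsEngine:
    """Server side; certfile/keyfile are placeholder paths the caller supplies."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    return TlsEngine(ctx, server_side=True)


def run_handshake(a: TlsEngine, b: TlsEngine, max_rounds: int = 10) -> bool:
    """Relay records between two engines (the application's job in EAP-TLS)
    until both sides report the handshake complete."""
    for _ in range(max_rounds):
        for src, dst in ((a, b), (b, a)):
            _, to_send = src.step_handshake()
            if to_send:
                dst.feed(to_send)
        if a.handshake_done and b.handshake_done:
            return True
    return False


if __name__ == "__main__":
    client = client_engine_no_verify()
    done, client_hello = client.step_handshake()
    # Nothing has been received yet, so this is the ClientHello record (type 0x16).
    print("handshake done:", done, "first record header:", client_hello[:5].hex())
```

With a real certificate, `run_handshake(client_engine_no_verify(), server_engine("server.pem", "server.key"))` drives both sides to completion purely through `feed()`/`drain()`, which is where an EAP-TLS server would instead wrap each drained buffer in EAP-Request/TLS fragments and feed each EAP-Response payload back in. Note that `decrypt()` may legitimately return nothing for a record that only advanced the handshake or carried a session ticket, which is the asynchronous subtlety described in the quoted reply.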
Re: Can openssl support EAP-TLS?
I found an answer on StackOverflow: http://stackoverflow.com/questions/2512026/x-509-certificate-based-authentication-with-openssl-without-using-sockets It may work and I am trying it.

On Wed, May 18, 2011 at 3:35 PM, Neo Liu diablo...@gmail.com wrote:
> Thanks for your advice. I have another question. If I don't use a socket, how could I make the TLS handshake happen? For example:
>
>     incoming data -> TLS engine -> outgoing data
>
> My application gets the incoming data from the client, and I feed it to the TLS engine, and then the TLS engine gives me the outgoing data which the application will send to the client. It seems like my application is an agent of the client for both the TLS handshake and TLS data transmission. How could I do it?
Re: Can openssl support EAP-TLS?
On Thu, May 12, 2011 at 10:18 AM, Rene Hollan rene.hol...@watchguard.com wrote:
> If you're looking to do authentication, freeradius will do EAP, and talk to openssl for the TLS part (and an LDAP server for the actual authentication and authorization).
> --

FreeRADIUS is too big for me. I just want to utilize OpenSSL to implement an EAP-TLS server. I want OpenSSL to handle the TLS handshake and data encryption and decryption, but I encapsulate the EAP packet in my application. Can I use something like BIO pair or BIO mem to meet my need? Thanks for your great help.
Can openssl support EAP-TLS?
Hi, everyone: I want to know if openssl supports the EAP-TLS protocol?