Re: [openssl-users] How to form a proper hash after writing something into SSL handshake. (Revised)

2018-01-02 Thread Sai Teja Chowdary
Hi,

Happy 2018 everyone.

I figured out this issue, and I think it would be good to share it here in case 
anyone is interested. The right way to make the hash is to calculate the hash 
individually for the client certificate and client key exchange messages, and 
store the message buffer in an array before calculating the signature in the 
certificate verify message. Later, after forming the certificate verify message, 
append it to the previous array and write the whole buffer to the wire with 
ssl3_write_bytes(). This way all three messages, CC, CKE and CV, go in a single 
record as multiple handshake messages.

The function ssl3_finish_mac() is the one that does the hash (digest) of whichever 
bytes are to be written to or read from the wire.

Regards
Saiteja.
From: Viktor Dukhovni
Sent: Saturday, December 30, 2017 10:48 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] How to form a proper hash after writing 
something into SSL handshake. (Revised)



> On Dec 29, 2017, at 10:18 PM, Sai Teja Chowdary 
> <asteja.chowdary.ec...@iitbhu.ac.in> wrote:
> 
> I want to send client certificate, client key exchange and client verify in a 
> single handshake message which appears as multiple handshake messages in a 
> single record. But to send the client verify I need to first make a hash of 
> the previous messages (client certificate and client key exchange) to create 
> the signature. I tried framing the record with the above three messages and 
> then directly sending the record on the wire using SSL3_write_machine(), which 
> is giving me a Bad signature error. So I thought of doing a hash of the client 
> certificate and client key exchange messages that go before client verify.
> 
> Can anyone help me to find the function in OpenSSL 1.1.1-dev  xx XXX  (or the 
> right procedure that needs to be done before creating a certificate verify 
> message) that can do a proper transcript (digest or hash, not clear). I tried 
> using ssl3_finish_mac() on the message containing client certificate and 
> client key exchange and then tried to generate the signature in the certificate 
> verify message.

There is no such feature, and none is likely to ever be offered.
The reason is that you're essentially trying to write your own
TLS implementation, and the SSL library in OpenSSL provides public
interfaces for SSL users, not for new SSL implementations.

You can of course build your OpenSSL implementation based on the
OpenSSL source code, but figuring out how the code works is then
up to you. :-(

-- 
Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



[openssl-users] How to form a proper hash after writing something into SSL handshake.(Revised)

2017-12-29 Thread Sai Teja Chowdary
Hi everyone,

I want to send client certificate, client key exchange and client verify in
a single handshake message which appears as multiple handshake messages in
a single record. But to send the client verify I need to first make a hash
of the previous messages (client certificate and client key exchange) to create
the signature. I tried framing the record with the above three messages and
then directly sending the record on the wire using SSL3_write_machine(),
which is giving me a Bad signature error. So I thought of doing a hash of the
client certificate and client key exchange messages that go before client
verify.

Can anyone help me to find the function in OpenSSL 1.1.1-dev  xx XXX 
(or the right procedure that needs to be done before creating a certificate
verify message) that can do a proper transcript (digest or hash, not clear). I
tried using ssl3_finish_mac() on the message containing client certificate
and client key exchange and then tried to generate the signature in the
certificate verify message.

But it is giving me a digest check error. I am new to the mailing list and want
a bit of help to proceed forward; I am stuck here. Please reply in case
anything is not clear.

Here is a code snippet showing how I am forming the data containing the client
certificate, client key exchange and certificate verify messages inside
write_state_machine().

// Note: the &pkt, &confunc and &mt arguments are restored here; the list
// archive stripped every "&". Names follow OpenSSL's write_state_machine().
if (WPACKET_init(&pkt, s->init_buf)) {
    // Client certificate formation
    if (!ssl_set_handshake_header(s, &pkt, mt)
            || (confunc != NULL && !confunc(s, &pkt))
            || !ssl_close_construct_packet(s, &pkt, mt)) {
        printf("PROBLEM 1\n");
    }
    transition(s);  // transition to next state, i.e. client key exchange
    get_construct_message_f(s, &pkt, &confunc, &mt);
    // client key exchange formation
    if (!ssl_set_handshake_header(s, &pkt, mt)
            || (confunc != NULL && !confunc(s, &pkt))
            || !ssl_close_construct_packet(s, &pkt, mt)) {
        printf("PROBLEM 2\n");
    }
    // ssl3_finish_mac(s, &s->init_buf->data[s->init_off], s->init_num);
    st->write_state_work = post_work(s, st->write_state_work);
    transition(s);  // transition to next state, i.e. certificate verify
    get_construct_message_f(s, &pkt, &confunc, &mt);
    // certificate verify message formation
    if (!ssl_set_handshake_header(s, &pkt, mt)
            || (confunc != NULL && !confunc(s, &pkt))
            || !ssl_close_construct_packet(s, &pkt, mt)) {
        printf("PROBLEM 3\n");
    }
    WPACKET_finish(&pkt);
}

I also tried doing an ssl3_finish_mac() individually after forming the client
certificate and client key exchange (this part is not in the code, but that
way also gave me a digest check error).

Here is the stackoverflow link where I posted the question. Take a look
at it for the trace snapshot of the handshake message that I am trying to form.

Please take a look at it, appreciate every bit of help.

Jordan, thanks for the suggestion; I will definitely try to state the error
from now on. I am not sure whether SSL_get_error() logs these errors; I tried to
print SSL_get_error() and it is returning NULL.

Regards
Saiteja.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
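The procedure that resolves this thread (hash the client certificate and client key exchange messages into the running transcript first, sign, then send CC, CKE and CV in one record as multiple handshake messages) and the question asked above are modelled in the following added Python example. It is not code from this thread or from OpenSSL: handshake bodies are constructed, HMAC over a constructed key stands in for the client's private-key signature, and the receiver is reduced to a record and handshake-message parser. What it shows is that the transcript covers handshake messages only, so one record and three records verify identically, while a signature computed over the record bytes (header included) fails the server's check.

```python
# Added example (not code from this thread or from OpenSSL): a model of the
# TLS 1.2 handshake transcript that CertificateVerify signs. All inputs are
# constructed; HMAC with a constructed key stands in for the client's
# private-key signature so the example runs offline.
import hashlib
import hmac
import struct

CLIENT_HELLO, SERVER_HELLO = 1, 2                            # RFC 5246, 7.4
CERTIFICATE, CERTIFICATE_VERIFY, CLIENT_KEY_EXCHANGE = 11, 15, 16
HANDSHAKE_CONTENT_TYPE = 22                                  # record ContentType
TLS12_VERSION = b"\x03\x03"
DEMO_SIGNING_KEY = b"constructed key standing in for the client private key"

def handshake_message(msg_type: int, body: bytes) -> bytes:
    """Frame one handshake message: type(1) || length(3, big-endian) || body."""
    if len(body) > 0xFFFFFF:
        raise ValueError("handshake body too long")
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def tls_record(fragment: bytes) -> bytes:
    """Frame one handshake record: ContentType || version || length(2) || fragment."""
    return (bytes([HANDSHAKE_CONTENT_TYPE]) + TLS12_VERSION
            + struct.pack("!H", len(fragment)) + fragment)

def sign_transcript(transcript_hash: bytes) -> bytes:
    """Stand-in for the asymmetric signature carried in CertificateVerify."""
    return hmac.new(DEMO_SIGNING_KEY, transcript_hash, "sha256").digest()

class Transcript:
    """Running hash over handshake messages only (what ssl3_finish_mac maintains
    in OpenSSL); record headers are never fed in."""
    def __init__(self, earlier_messages: bytes = b""):
        self._h = hashlib.sha256(earlier_messages)
    def add(self, msg: bytes) -> None:
        self._h.update(msg)
    def digest(self) -> bytes:
        return self._h.copy().digest()

def build_client_flight(transcript, cert_body: bytes, cke_body: bytes) -> list:
    """Form Certificate, ClientKeyExchange, CertificateVerify in order, hashing each
    as soon as it is formed: the signature covers the first two, not itself."""
    cert = handshake_message(CERTIFICATE, cert_body)
    transcript.add(cert)
    cke = handshake_message(CLIENT_KEY_EXCHANGE, cke_body)
    transcript.add(cke)
    cv = handshake_message(CERTIFICATE_VERIFY, sign_transcript(transcript.digest()))
    transcript.add(cv)
    return [cert, cke, cv]

def pack_records(messages: list, single_record: bool) -> bytes:
    """Send the flight coalesced into one record, or one record per message."""
    if single_record:
        return tls_record(b"".join(messages))
    return b"".join(tls_record(m) for m in messages)

def parse_handshake_messages(wire: bytes) -> list:
    """Receiver: strip record headers, rebuild the handshake stream and split it
    back into messages; record boundaries play no part in the result."""
    stream, pos = b"", 0
    while pos < len(wire):
        if len(wire) - pos < 5 or wire[pos] != HANDSHAKE_CONTENT_TYPE:
            raise ValueError("bad record header")
        (length,) = struct.unpack("!H", wire[pos + 3:pos + 5])
        stream += wire[pos + 5:pos + 5 + length]
        pos += 5 + length
    messages, pos = [], 0
    while pos < len(stream):
        length = int.from_bytes(stream[pos + 1:pos + 4], "big")
        if len(stream) - pos < 4 + length:
            raise ValueError("truncated handshake message")
        messages.append(stream[pos:pos + 4 + length])
        pos += 4 + length
    return messages

def server_verifies(wire: bytes, earlier_messages: bytes) -> bool:
    """Recompute the transcript from the received messages and check the
    CertificateVerify signature against it (the check behind "bad signature")."""
    transcript = Transcript(earlier_messages)
    for msg in parse_handshake_messages(wire):
        if msg[0] == CERTIFICATE_VERIFY:
            return hmac.compare_digest(sign_transcript(transcript.digest()), msg[4:])
        transcript.add(msg)
    return False

def demo() -> dict:
    """Same flight three ways on the wire; only the message transcript matters."""
    earlier = (handshake_message(CLIENT_HELLO, b"constructed ClientHello body")
               + handshake_message(SERVER_HELLO, b"constructed ServerHello body"))
    flight = build_client_flight(Transcript(earlier), b"constructed cert", b"constructed premaster")
    # Mistaken variant: sign a hash of the record bytes (header included) instead
    wrong = Transcript(earlier + tls_record(flight[0] + flight[1]))
    bad_cv = handshake_message(CERTIFICATE_VERIFY, sign_transcript(wrong.digest()))
    return {
        "single_record_ok": server_verifies(pack_records(flight, True), earlier),
        "separate_records_ok": server_verifies(pack_records(flight, False), earlier),
        "signed_record_bytes_ok": server_verifies(
            pack_records([flight[0], flight[1], bad_cv], True), earlier),
    }
```

demo() returns True for both the single-record and separate-record flights and False for the variant signed over record bytes; the parser on the receiving side is the reason: it discards record framing before anything reaches the transcript.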


Re: [openssl-users] How to form a proper hash after writing something into SSL handshake.

2017-12-29 Thread Sai Teja Chowdary
Hi everyone,

I apologize for Comic Sans. Honestly, I didn't know using it would make
this many impressions. As I said, my other subscription, named "Ananthaneni
Saiteja Chowdary", is my Outlook account that I use for my office
work (because I am using a QHD resolution my fonts are so small, so I
selected the font that looks good for me to read). I actually posted two
questions, one from this email and the other from the Outlook account. This
question was actually posted through my Outlook account in the beginning, and
just as a follow-up, to include some more information in my question, I thought
of asking the question again. So I copied the contents of my previous mail
and added a few more bits of info at the end in my Mail app; unfortunately the
font got changed to Comic Sans. It's not that I knowingly changed the font to
impress or insult. I am a non-native English speaker and I sometimes don't
understand the exact emotion or feeling in non-technical conversation.

I am using the OpenSSL client to create a custom TLS client which can send or
manipulate the default TLS handshake messages so that I can test for any
bugs in our TLS server implementation. I spent about 4 months reading
OpenSSL code, making changes and adding new arguments to modify the
default client. In that process I came across the WPACKET API. For
framing SSL records I had to use it.

I will post the question again in a new thread. Please take a look at it
and help me out.

Regards

Saiteja.

On Sat, Dec 30, 2017 at 12:17 AM, Viktor Dukhovni <
openssl-us...@dukhovni.org> wrote:

>
>
> > On Dec 29, 2017, at 1:34 PM, Michael Wojcik <
> michael.woj...@microfocus.com> wrote:
> >
> > That said, I suspect the larger reason why Saiteja has not had a
> technical response to the original query is that few people on
> openssl-users have experience with using the WPACKET API and other
> low-level operations in the 1.1 codebase. It still might be worth reposting
> without the controversial styling.
>
> More importantly, what problem is the OP really trying to solve?
>
> The WPACKET interface is an internal interface that does not
> appear in any public OpenSSL headers.  It is undocumented and
> subject to change without notice.  The OP should not be using
> this interface, except as part of a code contribution to improve
> the implementation of TLS in the OpenSSL library.
>
> --
> Viktor.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] How to form a proper hash after writing something into SSL handshake.

2017-12-29 Thread Sai Teja Chowdary

Why? What is the problem with Comic Sans. I like it!

You can say more if you have something useful.

Thanks

Saiteja.

From: Michael Sierchio
Sent: Friday, December 29, 2017 10:38 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] How to form a proper hash after writing 
something into SSL handshake.


Comic Sans. Need I say more?

On Tue, Dec 26, 2017 at 4:53 AM, Sai Teja Chowdary 
<asteja.chowdary.ec...@itbhu.ac.in> wrote:
 
Hi,

Happy Holidays everyone.

I want to send client certificate, client key exchange and client verify in a 
single handshake message which appears as multiple handshake messages in a 
single record. But to send the client verify I need to first make a hash of 
the previous messages (client certificate and client key exchange) to create 
the signature.

Can anyone help me to find the function in OpenSSL 1.1.1-dev  xx XXX  (or the 
right procedure that needs to be done before creating a certificate verify 
message) that can do a proper transcript (digest or hash, not clear). I tried 
using ssl3_finish_mac() on the message containing client certificate and client 
key exchange and then tried to generate the signature in the certificate verify 
message.
But it is giving me a digest error. I am new to the mailing list and want a bit 
of help to proceed forward; I am stuck here. Please reply in case anything is 
not clear.

Here is a code snippet showing how I am forming the data containing the client 
certificate, client key exchange and certificate verify messages inside 
write_state_machine().
 
// Note: the &pkt, &confunc and &mt arguments are restored here; the list
// archive stripped every "&". Names follow OpenSSL's write_state_machine().
if (WPACKET_init(&pkt, s->init_buf)) {
    // Client certificate formation
    if (!ssl_set_handshake_header(s, &pkt, mt)
            || (confunc != NULL && !confunc(s, &pkt))
            || !ssl_close_construct_packet(s, &pkt, mt)) {
        printf("PROBLEM\n");
    }
    transition(s);  // transition to next state, i.e. client key exchange

    get_construct_message_f(s, &pkt, &confunc, &mt);
    // client key exchange formation
    if (!ssl_set_handshake_header(s, &pkt, mt)
            || (confunc != NULL && !confunc(s, &pkt))
            || !ssl_close_construct_packet(s, &pkt, mt)) {
        printf("AGAIN A PROBLEMO\n");
    }

    // ssl3_finish_mac(s, &s->init_buf->data[s->init_off], s->init_num);
    st->write_state_work = post_work(s, st->write_state_work);
    transition(s);  // transition to next state, i.e. certificate verify

    get_construct_message_f(s, &pkt, &confunc, &mt);
    // certificate verify message formation
    if (!ssl_set_handshake_header(s, &pkt, mt)
            || (confunc != NULL && !confunc(s, &pkt))
            || !ssl_close_construct_packet(s, &pkt, mt)) {
        printf("AGAIN A PROBLEMO\n");
    }
    WPACKET_finish(&pkt);
}

Please take a look at it, appreciate every bit of help.

Regards,
Saiteja


-- 
"Well," Brahma said, "even after ten thousand explanations, a fool is no wiser, 
but an intelligent person requires only two thousand five hundred."

- The Mahābhārata

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] How to form a proper hash after writing something into SSL handshake.

2017-12-26 Thread Sai Teja Chowdary

Hi,

Happy Holidays everyone.

I want to send client certificate, client key exchange and client verify in a 
single handshake message which appears as multiple handshake messages in a 
single record. But to send the client verify I need to first make a hash of 
the previous messages (client certificate and client key exchange) to create 
the signature.

Can anyone help me to find the function in OpenSSL 1.1.1-dev  xx XXX  (or the 
right procedure that needs to be done before creating a certificate verify 
message) that can do a proper transcript (digest or hash, not clear). I tried 
using ssl3_finish_mac() on the message containing client certificate and client 
key exchange and then tried to generate the signature in the certificate verify 
message.
But it is giving me a digest error. I am new to the mailing list and want a bit 
of help to proceed forward; I am stuck here. Please reply in case anything is 
not clear.

Here is a code snippet showing how I am forming the data containing the client 
certificate, client key exchange and certificate verify messages inside 
write_state_machine().

// Note: the &pkt, &confunc and &mt arguments are restored here; the list
// archive stripped every "&". Names follow OpenSSL's write_state_machine().
if (WPACKET_init(&pkt, s->init_buf)) {
    // Client certificate formation
    if (!ssl_set_handshake_header(s, &pkt, mt)
            || (confunc != NULL && !confunc(s, &pkt))
            || !ssl_close_construct_packet(s, &pkt, mt)) {
        printf("PROBLEM\n");
    }
    transition(s);  // transition to next state, i.e. client key exchange

    get_construct_message_f(s, &pkt, &confunc, &mt);
    // client key exchange formation
    if (!ssl_set_handshake_header(s, &pkt, mt)
            || (confunc != NULL && !confunc(s, &pkt))
            || !ssl_close_construct_packet(s, &pkt, mt)) {
        printf("AGAIN A PROBLEMO\n");
    }

    // ssl3_finish_mac(s, &s->init_buf->data[s->init_off], s->init_num);
    st->write_state_work = post_work(s, st->write_state_work);
    transition(s);  // transition to next state, i.e. certificate verify

    get_construct_message_f(s, &pkt, &confunc, &mt);
    // certificate verify message formation
    if (!ssl_set_handshake_header(s, &pkt, mt)
            || (confunc != NULL && !confunc(s, &pkt))
            || !ssl_close_construct_packet(s, &pkt, mt)) {
        printf("AGAIN A PROBLEMO\n");
    }
    WPACKET_finish(&pkt);
}


Please take a look at it, appreciate every bit of help.

Regards,
Saiteja

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] Follow up

2017-12-21 Thread Sai Teja Chowdary
Hi all,
Merry Christmas!

Please take a look at my previous question; I appreciate every bit of help,
I'm stuck.
FYI, the guy named Ananthaneni Saiteja Chowdary and myself are the same. This
email had a problem subscribing to the mailing list earlier, hence the other
name.

Thanks
Saiteja.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Testing ports through firewall

2017-12-21 Thread Sai Teja Chowdary
Hi,
You can test ports with OpenSSL. But you need a certificate for your
s_server. You can generate a self-signed certificate with openssl.
Try this

https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl

And place that file in the dir where you are running the s_server command,
or use the -cert argument to give the generated certificate.

And from s_client connect to the port that you are listening on with
s_server

Client:
openssl s_client -connect hostname:port

Server:
openssl s_server -accept PORT

Regards

Saiteja.

On 21-Dec-2017 7:07 PM, "warron.french"  wrote:

> Hello Community, and Merry Christmas/Happy Seasons Greetings,
> anyway, I need some help with understanding an openssl feature -
> *s_server*.
>
> I executed the following command:  openssl s_server -accept 21937 -www &
> And immediately got the following output:
> [1] 3286
> [sysadm@wfrench-rhel6c-cit ~]$ Error opening server certificate private
> key file server.pem
> 140679739017032:error:02001002:system library:fopen:No such file or
> directory:bss_file.c:398:fopen('server.pem','r')
> 140679739017032:error:20074002:BIO routines:FILE_CTRL:system
> lib:bss_file.c:400:
> unable to load server certificate private key file
>
> In order to test ports that are not encrypted with SSL/TLS do I still have
> to generate a certificate and private key file (each)?
>
> I would like to test ports from one machine using openssl s_client against
> a remote machine on an opposing network, running a "listener", using
> openssl s_server.
>
> Perhaps I am way off?  Am I not allowed to use openssl for this sort of
> thing?
> Any guidance would be greatly appreciated because I want to expand my
> understanding of the openssl suite of commands and its offerings.
>
>
> Have a nice day,
> --
> Warron French
>
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] FW: Help to understand WPACKET API

2017-12-19 Thread Sai Teja Chowdary

Hi,
I am trying to tweak the openssl-master client to test a TLS 1.3 enabled server.

I want to club the client certificate, client key exchange, change cipher spec 
and certificate verify into a single handshake message (so that the record shows 
up as multiple handshake messages).

OpenSSL Version : OpenSSL 1.1.1-dev  xx XXX .

After going through the code I understand the new TLS 1.3 OpenSSL code is using 
the WPACKET API to frame the records. I need help understanding what the 
following functions do. I am new to the mailing list; thanks in advance.

WPACKET_start_sub_packet_
WPACKET_allocate_bytes
WPACKET_sub_allocate_bytes__
WPACKET_reserve_bytes
WPACKET_start_sub_packet_len__
WPACKET_sub_memcpy__

Basically, what does the word _sub_ mean in these functions, and how do they 
differ from the non-sub functions? For example, what is the difference between 
WPACKET_sub_memcpy__ and WPACKET_memcpy__?

Please feel free to reply if something is not understandable.

Thanks
Sate.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
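The question above gets no answer in this thread, so the following added Python example models the length-prefixed sub-packet pattern that the _sub_ functions exist for. It is not OpenSSL code and does not call WPACKET; the behaviour it models (a sub-packet reserves a length prefix when started, the prefix is filled in when the sub-packet is closed, and the sub_memcpy form is start plus memcpy plus close) is taken from OpenSSL's internal packet.h, not from this thread. The class and function names are the example's own, and the server_name extension built with it is constructed sample data.

```python
# Added example (not OpenSSL code): a model of WPACKET's sub-packet idea, where
# "sub" means "wrapped in a length prefix whose value is patched in on close".
# Modelled on OpenSSL's internal packet.h; names and sample data are the example's own.

class SubPacketWriter:
    """Append-only buffer plus a stack of open sub-packets, each owning a
    reserved big-endian length prefix that is patched when it is closed."""

    def __init__(self):
        self._buf = bytearray()
        self._open = []   # (offset of the reserved prefix, prefix size in bytes)

    def memcpy(self, data: bytes) -> None:
        """Plain write, no length prefix (the non-sub variant)."""
        self._buf += data

    def start_sub_packet(self, lenbytes: int) -> None:
        """Reserve lenbytes for a length prefix; its value is unknown until close()."""
        if lenbytes not in (1, 2, 3, 4):
            raise ValueError("prefix must be 1..4 bytes")
        self._open.append((len(self._buf), lenbytes))
        self._buf += bytes(lenbytes)

    def close(self) -> None:
        """Close the innermost sub-packet: patch its prefix with the bytes written since."""
        if not self._open:
            raise ValueError("no sub-packet open")
        offset, lenbytes = self._open.pop()
        length = len(self._buf) - offset - lenbytes
        if length >= 1 << (8 * lenbytes):
            raise ValueError("sub-packet too long for its prefix")
        self._buf[offset:offset + lenbytes] = length.to_bytes(lenbytes, "big")

    def sub_memcpy(self, data: bytes, lenbytes: int) -> None:
        """Write data inside its own length prefix: start_sub_packet + memcpy + close."""
        self.start_sub_packet(lenbytes)
        self.memcpy(data)
        self.close()

    def finish(self) -> bytes:
        """Return the bytes; refuses to finish with a sub-packet still open."""
        if self._open:
            raise ValueError("unclosed sub-packet")
        return bytes(self._buf)


def build_sni_extensions(host: bytes) -> bytes:
    """Encode a TLS extensions vector holding one server_name extension (RFC 6066),
    a structure three length prefixes deep, which is why sub-packets nest."""
    w = SubPacketWriter()
    w.start_sub_packet(2)        # extensions vector (u16 length)
    w.memcpy(b"\x00\x00")        #   extension_type server_name
    w.start_sub_packet(2)        #   extension_data (u16 length)
    w.start_sub_packet(2)        #     ServerNameList (u16 length)
    w.memcpy(b"\x00")            #       name_type host_name
    w.sub_memcpy(host, 2)        #       HostName with its u16 length, one call
    w.close()                    #     ServerNameList length patched
    w.close()                    #   extension_data length patched
    w.close()                    # extensions vector length patched
    return w.finish()


def parse_extensions(buf: bytes) -> list:
    """Reader side: walk the outer two levels back and return (type, data) pairs,
    rejecting any length that overruns its enclosing vector."""
    total = int.from_bytes(buf[0:2], "big")
    if total != len(buf) - 2:
        raise ValueError("extensions length does not match buffer")
    out, pos = [], 2
    while pos < len(buf):
        ext_type = int.from_bytes(buf[pos:pos + 2], "big")
        ext_len = int.from_bytes(buf[pos + 2:pos + 4], "big")
        if pos + 4 + ext_len > len(buf):
            raise ValueError("extension overruns vector")
        out.append((ext_type, buf[pos + 4:pos + 4 + ext_len]))
        pos += 4 + ext_len
    return out
```

The inner closes run before the outer ones, so each prefix is patched only once everything it encloses is in the buffer; an unclosed sub-packet or a body too large for a one-byte prefix is reported rather than silently producing a wrong length.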