Re: [openssl-users] How to form a proper hash after writing something into SSL handshake.(Revised)

2017-12-29 Thread Viktor Dukhovni


> On Dec 29, 2017, at 10:18 PM, Sai Teja Chowdary wrote:
> 
> I want to send client certificate, client key exchange and client verify in a
> single handshake message which appears as multiple handshake messages in a
> single record. But to send the client verify I need to first make a hash of
> previous messages (client certificate and client key exchange) to create the
> signature. I tried framing the record with above three messages and then
> directly sending the record in the wire using SSL3_write_machine() which is
> giving me Bad signature error. So I thought of doing a hash of client
> certificate and client key exchange messages that go before client verify.
>
> Can anyone help me to find the function in OpenSSL 1.1.1-dev  xx XXX  (or
> right procedure that needs to be done before creating a certificate verify
> message) that can do a proper transcript (digest or hash not clear). I tried
> using ssl3_finish_mac() on the message containing client certificate and
> client key exchange and then tried to generate the signature in certificate
> verify message.

There is no such feature, and none is likely to ever be offered.
The reason is that you're essentially trying to write your own
TLS implementation, and the SSL library in OpenSSL provides public
interfaces for SSL users, not for new SSL implementations.

You can of course build your OpenSSL implementation based on the
OpenSSL source code, but figuring out how the code works is then
up to you. :-(

-- 
Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] How to form a proper hash after writing something into SSL handshake.(Revised)

2017-12-29 Thread Sai Teja Chowdary
Hi everyone,

I want to send client certificate, client key exchange and client verify in
a single handshake message which appears as multiple handshake messages in
a single record. But to send the client verify I need to first make a hash
of previous messages (client certificate and client key exchange) to create
the signature. I tried framing the record with above three messages and
then directly sending the record in the wire using SSL3_write_machine()
which is giving me Bad signature error. So I thought of doing a hash of
client certificate and client key exchange messages that go before client
verify.

Can anyone help me to find the function in OpenSSL 1.1.1-dev  xx XXX 
(or right procedure that needs to be done before creating a certificate
verify message) that can do a proper transcript (digest or hash not clear). I
tried using ssl3_finish_mac() on the message containing client certificate
and client key exchange and then tried to generate the signature in
certificate verify message.

But it is giving me a digest check error. I am new to the mailing list and
want a bit of help to proceed forward, I am stuck here. Please reply in case
anything is not clear.

Here is a code snippet, how I am forming the data containing all client
certificate , client key exchange and certificate verify messages inside
write_state_machine().

if(WPACKET_init(&pkt, s->init_buf)){
    //Client certificate formation
    if(!ssl_set_handshake_header(s, &pkt, mt)
       || (confunc != NULL && !confunc(s, &pkt))
       || !ssl_close_construct_packet(s, &pkt, mt)){
        printf("PROBLEM 1\n");
    }
    transition(s);  //transition to next state i.e client key exchange
    get_construct_message_f(s, &pkt, &confunc, &mt);
    //client key exchange formation
    if(!ssl_set_handshake_header(s, &pkt, mt)
       || (confunc != NULL && !confunc(s, &pkt))
       || !ssl_close_construct_packet(s, &pkt, mt)){
        printf("PROBLEM 2\n");
    }
    //ssl3_finish_mac(s, &s->init_buf->data[s->init_off], s->init_num);
    st->write_state_work = post_work(s, st->write_state_work);
    transition(s);  // transition to next state i.e certificate verify
    get_construct_message_f(s, &pkt, &confunc, &mt);
    //certificate verify message formation.
    if(!ssl_set_handshake_header(s, &pkt, mt)
       || (confunc != NULL && !confunc(s, &pkt))
       || !ssl_close_construct_packet(s, &pkt, mt)){
        printf("PROBLEM 3\n");
    }
    WPACKET_finish(&pkt);
}

I also tried to do a ssl3_finish_mac() individually after forming Client
certificate and client key exchange (this part is not there in the code but
that way also gave me digest check error.)

Here is the Stack Overflow link that I posted the question in. Take a look
at it for the trace snapshot for handshake message that I am trying to form.

Please take a look at it, appreciate every bit of help.

Jordan, thanks for the suggestion, I will definitely try to state the error
from now on. I am not sure whether SSL_get_error() logs these errors, I tried
to print SSL_get_error() and it is returning NULL.

Regards
Saiteja.
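
The transcript question raised in this post, as an added example that is not part of the original thread and is not OpenSSL code. It assumes a TLS 1.2 style handshake, where (RFC 5246, section 7.4.8) the CertificateVerify signature covers every handshake message from ClientHello up to, but not including, CertificateVerify, each with its type and length header and without record headers. The message bodies are constructed placeholders and SHA-256 is an assumed digest.

```python
import hashlib
import struct

def hs_msg(msg_type, body):
    """Handshake framing: 1-byte type, 3-byte length, then the body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def record(fragment):
    """Record framing: type 22 (handshake), version 3.3, 2-byte length."""
    return struct.pack("!BBBH", 22, 3, 3, len(fragment)) + fragment

def fragments(wire):
    """Yield each record's payload, dropping the 5-byte record header."""
    pos = 0
    while pos < len(wire):
        ctype, _, _, length = struct.unpack_from("!BBBH", wire, pos)
        if ctype != 22 or pos + 5 + length > len(wire):
            raise ValueError("truncated or non-handshake record")
        yield wire[pos + 5:pos + 5 + length]
        pos += 5 + length

def transcript_hash(wire, hash_name="sha256"):
    """Digest over the handshake messages only, in the order they were sent."""
    h = hashlib.new(hash_name)
    for frag in fragments(wire):
        h.update(frag)
    return h.digest()

# Constructed sample messages (bodies are placeholders, not real TLS payloads).
EARLIER = [hs_msg(1, b"client-hello"), hs_msg(2, b"server-hello"),
           hs_msg(11, b"server-cert"), hs_msg(13, b"cert-request"),
           hs_msg(14, b"")]
CLIENT_CERT = hs_msg(11, b"client-cert")
CLIENT_KEX = hs_msg(16, b"client-key-exchange")

def compare():
    """Return digests for: one message per record, coalesced, last two only."""
    earlier = b"".join(record(m) for m in EARLIER)
    one_per_record = earlier + record(CLIENT_CERT) + record(CLIENT_KEX)
    coalesced = earlier + record(CLIENT_CERT + CLIENT_KEX)
    only_last_two = record(CLIENT_CERT + CLIENT_KEX)
    return (transcript_hash(one_per_record), transcript_hash(coalesced),
            transcript_hash(only_last_two))

if __name__ == "__main__":
    a, b, c = compare()
    print("coalescing changes digest:", a != b)
    print("dropping earlier messages changes digest:", a != c)
```

Packing several handshake messages into one record leaves the digest unchanged, while a digest computed over only the client certificate and client key exchange differs from the one a peer verifying the full transcript would compute.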


Re: [openssl-users] How to form a proper hash after writing something into SSL handshake.

2017-12-28 Thread Michael Sierchio
Comic Sans. Need I say more?

On Tue, Dec 26, 2017 at 4:53 AM, Sai Teja Chowdary <
asteja.chowdary.ec...@itbhu.ac.in> wrote:

> Hi,
>
> Happy Holidays everyone.
>
> I want to send client certificate, client key exchange and client verify
> in a single handshake message which appears as multiple handshake messages
> in a single record. But to send the client verify I need to first make a
> hash of previous messages (client certificate and client key exchange) to
> create the signature.
>
> Can anyone help me to find the function in OpenSSL 1.1.1-dev  xx XXX 
> (or right procedure that needs to be done before creating a certificate
> verify message) that can do a proper transcript (digest or hash not clear). I
> tried using ssl3_finish_mac() on the message containing client
> certificate and client key exchange and then tried to generate the
> signature in certificate verify message.
>
> But it is giving me a digest error. I am new to the mailing list and want a
> bit of help to proceed forward, I am stuck here. Please reply in case anything
> is not clear.
>
> Here is a code snippet, how I am forming the data containing all client
> certificate, client key exchange and certificate verify messages inside
> write_state_machine().
>
> if(WPACKET_init(&pkt, s->init_buf)){
>     //Client certificate formation
>     if(!ssl_set_handshake_header(s, &pkt, mt)
>        || (confunc != NULL && !confunc(s, &pkt))
>        || !ssl_close_construct_packet(s, &pkt, mt)){
>         printf("PROBLEM\n");
>     }
>     transition(s);  //transition to next state i.e client key exchange
>
>     get_construct_message_f(s, &pkt, &confunc, &mt);
>     //client key exchange formation
>     if(!ssl_set_handshake_header(s, &pkt, mt)
>        || (confunc != NULL && !confunc(s, &pkt))
>        || !ssl_close_construct_packet(s, &pkt, mt)){
>         printf("AGAIN A PROBLEMO\n");
>     }
>
>     //ssl3_finish_mac(s, &s->init_buf->data[s->init_off], s->init_num);
>     st->write_state_work = post_work(s, st->write_state_work);
>     transition(s);  // transition to next state i.e certificate verify
>
>     get_construct_message_f(s, &pkt, &confunc, &mt);
>     //certificate verify message formation.
>     if(!ssl_set_handshake_header(s, &pkt, mt)
>        || (confunc != NULL && !confunc(s, &pkt))
>        || !ssl_close_construct_packet(s, &pkt, mt)){
>         printf("AGAIN A PROBLEMO\n");
>     }
>     WPACKET_finish(&pkt);
> }
>
> Please take a look at it, appreciate every bit of help.
>
> Regards,
>
> Saiteja


-- 
"Well," Brahma said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent person requires only two thousand five hundred."

- The Mahābhārata


[openssl-users] How to form a proper hash after writing something into SSL handshake.

2017-12-26 Thread Sai Teja Chowdary

Hi,

Happy Holidays everyone.

I want to send client certificate, client key exchange and client verify in a
single handshake message which appears as multiple handshake messages in a
single record. But to send the client verify I need to first make a hash of
previous messages (client certificate and client key exchange) to create the
signature.

Can anyone help me to find the function in OpenSSL 1.1.1-dev  xx XXX  (or
right procedure that needs to be done before creating a certificate verify
message) that can do a proper transcript (digest or hash not clear). I tried
using ssl3_finish_mac() on the message containing client certificate and client
key exchange and then tried to generate the signature in certificate verify
message.
But it is giving me a digest error. I am new to the mailing list and want a bit
of help to proceed forward, I am stuck here. Please reply in case anything is
not clear.

Here is a code snippet, how I am forming the data containing all client 
certificate , client key exchange and certificate verify messages inside 
write_state_machine().

if(WPACKET_init(&pkt, s->init_buf)){
    //Client certificate formation
    if(!ssl_set_handshake_header(s, &pkt, mt)
       || (confunc != NULL && !confunc(s, &pkt))
       || !ssl_close_construct_packet(s, &pkt, mt)){
        printf("PROBLEM\n");
    }
    transition(s);  //transition to next state i.e client key exchange

    get_construct_message_f(s, &pkt, &confunc, &mt);
    //client key exchange formation
    if(!ssl_set_handshake_header(s, &pkt, mt)
       || (confunc != NULL && !confunc(s, &pkt))
       || !ssl_close_construct_packet(s, &pkt, mt)){
        printf("AGAIN A PROBLEMO\n");
    }

    //ssl3_finish_mac(s, &s->init_buf->data[s->init_off], s->init_num);
    st->write_state_work = post_work(s, st->write_state_work);
    transition(s);  // transition to next state i.e certificate verify

    get_construct_message_f(s, &pkt, &confunc, &mt);
    //certificate verify message formation.
    if(!ssl_set_handshake_header(s, &pkt, mt)
       || (confunc != NULL && !confunc(s, &pkt))
       || !ssl_close_construct_packet(s, &pkt, mt)){
        printf("AGAIN A PROBLEMO\n");
    }
    WPACKET_finish(&pkt);
}


Please take a look at it, appreciate every bit of help.

Regards,
Saiteja
