Re: [openssl-users] How to form a proper hash after writing something into SSL handshake.

2017-12-29 Thread Sai Teja Chowdary

Why? What is the problem with Comic Sans. I like it!

You can say more if you have something useful.

Thanks

Saiteja.

From: Michael Sierchio
Sent: Friday, December 29, 2017 10:38 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] How to form a proper hash after writing something into SSL handshake.


Comic Sans. Need I say more?

On Tue, Dec 26, 2017 at 4:53 AM, Sai Teja Chowdary wrote:
 
Hi,
 
Happy Holidays everyone.
 
I want to send client certificate, client key exchange and client verify in a 
single handshake message which appears as multiple handshake messages in a 
single record. But to send the client verify I need to first make a hash of 
previous messages (client certificate and client key exchange) to create the 
signature.

Can anyone help me to find the function in OpenSSL 1.1.1-dev  xx XXX  (or 
right procedure that needs to be done before creating a certificate verify 
message) that can do a proper transcript (digest or hash not clear). I tried 
using ssl3_finish_mac() on the message containing client certificate and client 
key exchange and then tried to generate the signature in certificate verify 
message.
But it is giving me a digest error. I am new to the mailing list and want a bit 
of help to proceed, as I am stuck here. Please reply if anything is not 
clear.

Here is a code snippet showing how I am forming the data containing all client 
certificate, client key exchange and certificate verify messages inside 
write_state_machine().
 
if(WPACKET_init(&pkt, s->init_buf)){
    // Client certificate formation
    if(!ssl_set_handshake_header(s,&pkt,mt)
       || (confunc != NULL && !confunc(s,&pkt))
       || !ssl_close_construct_packet(s,&pkt,mt)){
        printf("PROBLEM\n");
    }
    transition(s);  // transition to next state, i.e. client key exchange

    get_construct_message_f(s, &pkt, &confunc, &mt);
    // Client key exchange formation
    if(!ssl_set_handshake_header(s,&pkt,mt)
       || (confunc != NULL && !confunc(s,&pkt))
       || !ssl_close_construct_packet(s,&pkt,mt)){
        printf("AGAIN A PROBLEMO\n");
    }

    //ssl3_finish_mac(s, &s->init_buf->data[s->init_off], s->init_num);
    st->write_state_work = post_work(s, st->write_state_work);
    transition(s);  // transition to next state, i.e. certificate verify

    get_construct_message_f(s, &pkt, &confunc, &mt);
    // Certificate verify message formation
    if(!ssl_set_handshake_header(s,&pkt,mt)
       || (confunc != NULL && !confunc(s,&pkt))
       || !ssl_close_construct_packet(s,&pkt,mt)){
        printf("AGAIN A PROBLEMO\n");
    }
    WPACKET_finish(&pkt);
}
 
 
Please take a look at it, appreciate every bit of help.
 
Regards,
Saiteja
 

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users




-- 
"Well," Brahma said, "even after ten thousand explanations, a fool is no wiser, 
but an intelligent person requires only two thousand five hundred."

- The Mahābhārata



Re: [openssl-users] How to form a proper hash after writing something into SSL handshake.

2017-12-29 Thread Marty G
For the same reason one doesn't wear a Halloween costume to a technical 
meeting, Comic Sans is looked down upon when used outside comics and 
day-care centers.  It is considered a snub to use it in non-trivial 
settings.


Much as lifting up your middle finger has no inherent meaning per se, 
but once one realizes that it definitely has meaning to others and one 
lifts one's middle finger to others anyway, it can only be assumed that 
one has intended to send the message others have assigned to it.  So, 
for whatever vague societal reasons, Comic Sans has become equivalent to 
wearing a speedo to a formal wedding, giggling hysterically during one's 
performance review, or skipping around the track in a tu-tu and 
clownface during the 440 meter track event at the Olympics.  Those are 
the breaks!  Sorry for your loss of a connotation-free Comic Sans.  I 
feel your pain.  Herd dynamics can be brutal and bleak.


http://knowyourmeme.com/memes/comic-sans
"...While adequate for certain industry sectors like childcare and 
entertainment, its usage in business or professional settings has been 
criticized by many aesthetic-conscious Internet users, who say Comic 
Sans conveys silliness and irreverence that is hardly suitable for 
serious matters:




Re: [openssl-users] How to form a proper hash after writing something into SSL handshake.

2017-12-29 Thread Michael Wojcik
And to be honest, specifying any font for a technical or business email message 
(rather than simply letting the MUA use the user's default) is suspect. It says 
that you believe your stylistic preferences are more important than the 
reader's. That's a poor footing to begin a request for assistance or 
cooperation.

Personally, due to Outlook's terrible handling of HTML email (particularly in 
formatting replies), I am considerably more likely to reply to a plain-text 
message posted to openssl-users than I am to an HTML one. That may well be a 
personal idiosyncrasy, but the general principle of not making your message any 
more complicated than it needs to be is worth keeping in mind.

-- 
Michael Wojcik 
Distinguished Engineer, Micro Focus 




Re: [openssl-users] How to form a proper hash after writing something into SSL handshake.

2017-12-29 Thread Richard Levitte
Marty, you might want to consider that the values of western society
are hardly universal.  Comic Sans isn't as badly seen everywhere, and
there's no reason why western society biases should trump any other.

Also, I'd like to remind everyone that we have a code of conduct,
https://www.openssl.org/community/conduct.html

Cordially,
Richard


Re: [openssl-users] How to form a proper hash after writing something into SSL handshake.

2017-12-29 Thread Viktor Dukhovni


> On Dec 29, 2017, at 12:34 PM, Richard Levitte wrote:
> 
> Marty, you might want to consider that the values of western society
> are hardly universal.  Comic Sans isn't as badly seen everywhere, and
> there's no reason why western society biases should trump any other.

My issue with the post was that it was just too difficult to read,
largely as a result of the font.  So I just deleted it and moved on.
So this has little to do with Western vs. non-Western values.  Written
communication is most clear when the fonts don't get in the way of the
content.  Decorative fonts are for party announcements and the like,
usually in large print on physical posters.

-- 
Viktor.



Re: [openssl-users] How to form a proper hash after writing something into SSL handshake.

2017-12-29 Thread Jordan Brown
On 12/29/2017 6:00 AM, Marty G wrote:
> For the same reason one doesn't wear a Halloween costume to a
> technical meeting, Comic Sans is looked down upon when used outside
> comics and day-care centers.  It is considered a snub to use it in
> non-trivial settings.
>
> Much as lifting up your middle finger has no inherent meaning per se,
> but once one realizes that it definitely has meaning to others and one
> lifts one's middle finger to others anyway, it can only be assumed
> that one has intended to send the message others have assigned to it. 
> So, for whatever vague societal reasons, Comic Sans has become
> equivalent to wearing a speedo to a formal wedding, giggling
> hysterically during one's performance review, or skipping around the
> track in a tu-tu and clownface during the 440 meter track event at the
> Olympics.  Those are the breaks!  Sorry for your loss of a
> connotation-free Comic Sans.  I feel your pain.  Herd dynamics can be
> brutal and bleak.
>
> http://knowyourmeme.com/memes/comic-sans
> "...While adequate for certain industry sectors like childcare and
> entertainment, its usage in business or professional settings has been
> criticized by many aesthetic-conscious Internet users, who say Comic
> Sans conveys silliness and irreverence that is hardly suitable for
> serious matters:

Committing a fashion faux pas may be gauche, but pointing and laughing
is even more so.  If you think that somebody's choice of fashion is
inappropriate, keep it to yourself or an appropriate gossip forum. 
Congratulations, you've just convinced this newcomer that the
openssl-users group is populated by fashionistas rather than serious
technical people.

The original poster had a technical question.  I don't know enough to
answer it, or I would.  Could somebody who *does* know enough please
take a stab?

Saiteja, one suggestion:  when an error occurs, don't just report that
there was a problem.  Report what the problem was.  Don't these
functions set the results that SSL_get_error() returns?


Re: [openssl-users] How to form a proper hash after writing something into SSL handshake.

2017-12-29 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Viktor Dukhovni
> Sent: Friday, December 29, 2017 13:04
> 
> > On Dec 29, 2017, at 12:34 PM, Richard Levitte wrote:
> >
> > Marty, you might want to consider that the values of western society
> > are hardly universal.  Comic Sans isn't as badly seen everywhere, and
> > there's no reason why western society biases should trump any other.
> 
> My issue with the post was that it was just too difficult to read,
> largely as a result of the font.  So I just deleted it and moved on.
> So this has little to do with Western vs. non-Western values.  Written
> communication is most clear when the fonts don't get in the way of the
> content.  Decorative fonts are for party announcements and the like,
> usually in large print on physical posters.

Indeed. This has little to do with "the values of western society", or the 
values of any other community. (Nor, with apologies to Richard, does it have 
much to do with the OpenSSL mailing-list code of conduct; the messages on this 
topic have ranged from curt to civil, but none have been abusive under any 
reasonable definition.)

It has to do with appealing to the intended audience, which of course is one of 
the most critical aspects of writing. I could cite thousands of years of 
rhetorical theory - from cultures European and otherwise - but this is such a 
commonplace that there's no need. Marty's message was a useful, generous, and 
polite response to Saiteja's query. And while his examples were culturally 
specific, his argument was not.

That said, I suspect the larger reason why Saiteja has not had a technical 
response to the original query is that few people on openssl-users have 
experience with using the WPACKET API and other low-level operations in the 1.1 
codebase. It still might be worth reposting without the controversial styling.

-- 
Michael Wojcik 
Distinguished Engineer, Micro Focus 





Re: [openssl-users] How to form a proper hash after writing something into SSL handshake.

2017-12-29 Thread Viktor Dukhovni


> On Dec 29, 2017, at 1:34 PM, Michael Wojcik wrote:
> 
> That said, I suspect the larger reason why Saiteja has not had a technical 
> response to the original query is that few people on openssl-users have 
> experience with using the WPACKET API and other low-level operations in the 
> 1.1 codebase. It still might be worth reposting without the controversial 
> styling.

More importantly, what problem is the OP really trying to solve?

The WPACKET interface is an internal interface that does not
appear in any public OpenSSL headers.  It is undocumented and
subject to change without notice.  The OP should not be using
this interface, except as part of a code contribution to improve
the implementation of TLS in the OpenSSL library.

-- 
Viktor.



Re: [openssl-users] How to form a proper hash after writing something into SSL handshake.

2017-12-29 Thread Sai Teja Chowdary
Hi everyone,

I apologize for Comic Sans. And honestly I didn't know using it implies
this many impressions. As I said, my other subscription named "Ananthaneni
Saiteja Chowdary" is my Outlook account that I use for my office
work (because I am using a QHD resolution my fonts are so small, so I
selected the font that looks good for me to read). I actually posted two
questions, one from this email and the other from the Outlook account. This
question was actually posted through my Outlook account in the beginning, and
just as a followup and to include some more information in my question I
thought of asking the question again. So I copied the contents of my previous
mail and added some more info at the end in my Mail app; unfortunately the font
got changed to Comic Sans. It's not that I knowingly changed the font to
impress or insult. I am a non-native English speaker and I sometimes don't
understand the exact emotion or feeling in non-technical conversation.

I am using OpenSSL client to create a custom TLS client which can send or
manipulate the default TLS handshake messages so that I can test for any
bugs in our TLS server implementation. I spent about 4 months reading
OpenSSL code and making changes and adding new arguments to modify the
default client. So in that process I came across the WPACKET API. For
framing SSL records I had to use it.

I will post the question again in a new thread. Please take a look at it
and help me out.

Regards

Saiteja.



Re: [openssl-users] How to form a proper hash after writing something into SSL handshake.

2017-12-30 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
> Sai Teja Chowdary
> Sent: Friday, December 29, 2017 21:44

> I am using OpenSSL client to create a custom TLS client which can send or
> manipulate the default TLS handshake messages so that I can test for any
> bugs in our TLS server implementation. I spent about 4 months reading
> OpenSSL code and making changes and adding new arguments to modify the
> default client. So in that process I came across the WPACKET API. For
> framing SSL records I had to use it.

I can't help with your specific issue. I don't know the 1.1.x codebase (my 
teams are still using 1.0.2). But I'd suggest that perhaps OpenSSL is not the 
ideal starting point for this.

When security researchers do this sort of thing - generate specific TLS 
messages to test a peer implementation - they often use a scripting language 
with suitable add-on modules, such as Python with the ssl, cryptography, and 
gmpy2 modules. While these scripts are often quick-and-dirty, they're probably 
easier to modify. So you might look at various open-source TLS test scripts, 
such as the one Hanno Böck wrote for ROBOT (see robotattack.org).

There are also various open-source test frameworks for TLS, such as 
TLSPretense. I don't have any experience with them myself, but it's worth 
taking a look.

-- 
Michael Wojcik 
Distinguished Engineer, Micro Focus 





Re: [openssl-users] How to form a proper hash after writing something into SSL handshake. (Revised)

2018-01-02 Thread Sai Teja Chowdary
Hi,

Happy 2018 everyone.

I figured out this issue, and I think it would be good to share it here in case 
anyone is interested in knowing. The right way to make a hash is to calculate 
the hash individually for the client certificate and client key exchange 
messages and store the message buffer in an array before calculating the 
signature in the certificate verify message. Later, after forming the 
certificate verify message, append this to the previous array and write the 
whole buffer onto the wire with ssl3_write_bytes(). This way all three 
messages, CC, CKE and CV, go in a single record as multiple handshake messages.

The function ssl3_finish_mac() is the one that does the hash (digest) of the 
bytes that are to be written to or read from the wire.

Regards
Saiteja.

From: Viktor Dukhovni
Sent: Saturday, December 30, 2017 10:48 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] How to form a proper hash after writing something into SSL handshake. (Revised)



> On Dec 29, 2017, at 10:18 PM, Sai Teja Chowdary wrote:
> 
> I want to send client certificate, client key exchange and client verify in a 
> single handshake message which appears as multiple handshake messages in a 
> single record. But to send the client verify I need to first make a hash of 
> previous messages (client certificate and client key exchange) to create the 
> signature. I tried framing the record with above three messages and then 
> directly sending the record in the wire using SSL3_write_machine() which is 
> giving me Bad signature error. So I thought of doing a hash of client 
> certificate and client key exchange messages that go before client verify.
> 
> Can anyone help me to find the function in OpenSSL 1.1.1-dev  xx XXX  (or 
> right procedure that needs to be done before creating a certificate verify 
> message) that can do a proper transcript (digest or hash not clear). I tried 
> using ssl3_finish_mac() on the message containing client certificate and 
> client key exchange and then tried to generate the signature in certificate 
> verify message.

There is no such feature, and none is likely to ever be offered.
The reason is that you're essentially trying to write your own
TLS implementation, and the SSL library in OpenSSL provides public
interfaces for SSL users, not for new SSL implementations.

You can of course build your OpenSSL implementation based on the
OpenSSL source code, but figuring out how the code works is then
up to you. :-(

-- 
Viktor.
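
The procedure described in the 2018-01-02 message above (hash the Certificate and ClientKeyExchange messages before computing the CertificateVerify signature, then send all three in one record), as an added example that is not part of the thread and is not OpenSSL code. It assumes TLS 1.2 framing and SHA-256 as the handshake hash; all names and byte strings are constructed for illustration, and the `sign` callback is a stand-in that returns the digest instead of a real signature.

```python
import hashlib
import struct

# Assumptions: TLS 1.2 framing, SHA-256 as the handshake hash.
HANDSHAKE_RECORD = 22                       # TLS record content type
CERTIFICATE, CERTIFICATE_VERIFY, CLIENT_KEY_EXCHANGE = 11, 15, 16
TLS12 = b"\x03\x03"
MAX_FRAGMENT = 2 ** 14                      # record payload limit


def handshake_msg(msg_type, body):
    """Frame a handshake message: 1-byte type, 3-byte length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


class Transcript:
    """Running hash over handshake messages (their headers included, record headers not)."""

    def __init__(self, earlier_messages=b""):
        self._hash = hashlib.sha256(earlier_messages)

    def add(self, message):
        self._hash.update(message)

    def digest(self):
        return self._hash.copy().digest()   # copy: the hash keeps running afterwards


def build_client_flight(transcript, cert_body, cke_body, sign):
    """Return (record, signed_digest) with all three messages in one record."""
    payload = bytearray()
    for msg_type, body in ((CERTIFICATE, cert_body), (CLIENT_KEY_EXCHANGE, cke_body)):
        message = handshake_msg(msg_type, body)
        transcript.add(message)             # hash each message as soon as it is built
        payload += message
    signed_digest = transcript.digest()     # covers everything before CertificateVerify
    verify = handshake_msg(CERTIFICATE_VERIFY, sign(signed_digest))
    transcript.add(verify)                  # needed later for Finished, not for the signature
    payload += verify
    if len(payload) > MAX_FRAGMENT:
        raise ValueError("flight does not fit in one record")
    header = bytes([HANDSHAKE_RECORD]) + TLS12 + struct.pack("!H", len(payload))
    return header + bytes(payload), signed_digest


def split_record(record):
    """Receiver side: yield (type, raw_message) for each message in one record."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a handshake record")
    (length,) = struct.unpack("!H", record[3:5])
    payload = record[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record")
    pos = 0
    while pos < length:
        if pos + 4 > length:
            raise ValueError("truncated handshake header")
        end = pos + 4 + int.from_bytes(payload[pos + 1:pos + 4], "big")
        if end > length:
            raise ValueError("handshake message overruns record")
        yield payload[pos], payload[pos:end]
        pos = end


def digest_expected_by_server(earlier_messages, record):
    """Digest the peer checks the CertificateVerify signature against."""
    transcript = Transcript(earlier_messages)
    for msg_type, raw in split_record(record):
        if msg_type == CERTIFICATE_VERIFY:
            return transcript.digest()
        transcript.add(raw)
    raise ValueError("no CertificateVerify in record")


# Constructed sample data; the "signature" is a stand-in that just carries the digest.
EARLIER = b"constructed ClientHello..ServerHelloDone bytes"
CERT_BODY = b"constructed certificate list"
CKE_BODY = b"constructed key exchange"


def demo():
    record, signed = build_client_flight(Transcript(EARLIER), CERT_BODY, CKE_BODY, lambda d: d)
    stale = Transcript(EARLIER).digest()    # signed value if the two messages were not hashed first
    return record, signed, digest_expected_by_server(EARLIER, record), stale
```

The `stale` value is the case the thread started with: signing before the two preceding messages have been fed to the running hash yields a digest the receiving side never computes, so verification fails.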
