On Thu, Mar 13, 2003, Brian Hatch wrote:
I want to be able to change the key and iv on a connection
that is already established. Currently I just have a simple
socket BIO and cipher BIO chained together. (Cipher is
EVP_bf_cbc() currently.)
The connection should look like this:
1) client connects to server
2) set both client and server to use key/iv foo/bar
3) send some data
4) set both client and server to use new key/iv one/two
5) send more data
#1 through #3 are working fine, I can easily verify that the data sent
is what I recieve. It's #4 and #5 that seem to be failing.
Doing doing operation #4 above is clearly what I need to fix.
I've tried:
* calling BIO_set_cipher on the cipher BIO directly.
* removing the cipher BIO and adding a new one with the
correct key/iv to the socket BIO.
* calling BIO_flush on the chain before using any of the
previous two changes, discarding any padding bytes from
the BIO_flush.
I'm doing the same thing on both ends, of course - it would never
work to change the key on client and not server and expect things
to work. This is unidirectional data flow -- the server never sends
any data to the client.
Any quick ideas where my brain or code is failing me?
This isn't something I've had to do personally however...
Popping and pushing the BIO should work provided you get it right. For this to
work properly of course you need change keys and IVs only after a multiple of
the block length has been sent, otherwise data will be lost and possibly
internal buffering could spoil you whole day due to synchronisation errors.
In fact synchronisation may well be a problem because when using padding the
EVP routines need to buffer a whole block on decrypt so that the block padding
check works. So when you read data from the end BIO in the chain it will
typically have internally buffered the next block using the current key/IV.
In OpenSSL 0.9.7X you can disable padding using the EVP API, that is the
preferred method because the internal buffering no longer occurs. You need to
retrieve the EVP_CIPHER_CTX structure from the BIO to do that, see the 0.9.7
manual pages for precise details.
Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]