Regarding construction of MasterSecret in ssl v3 handshake

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

Regarding construction of MasterSecret in ssl v3 handshake

Suchindra Chandrahas
Hi All,
              I am trying to write an SSL v3 handshake without using openssl libraries. I have some problem with creation of MasterSecret in SSL v3. Here is the code snippet of hardcoded client that i am experimenting with:

My ClientHello:

unsigned char buf[BUFSIZE] =
        "\x01"                     /* Client Hello Message */
        "\x00\x00\x29"                 /* Length */
        "\x03\x00"                 /* Client Version */
        "\x44\x44\x44\x44"             /* GMT - just dummy values taken for now */
        "\x66\x66\x66\x66\x66\x66\x66\x66"
        "\x66\x66\x66\x66\x66\x66\x66\x66"
        "\x66\x66\x66\x66\x66\x66\x66\x66"
        "\x66\x66\x66\x66"             /* Random Bytes 28 */
        "\x00"                     /* Session ID Length */
        "\x00\x02"                 /* Cipers */
        "\x00\x35"                 /* One cipher - compatible with esx */
        "\x01\x00";                 /* Compression related details */

client_random is 28 bytes of 0x66 as of now

My Server Random is stored in ssl->server_random[28] array (excluding gmt 4 bytes)
My Client Random is stored in ssl->client_random[28] array (excluding gmt 4 bytes)

Note: I am guessing that client random and server random are 28 bytes long. I am excluding the 4 bytes of gmt time spec from the random for calculating the Master Secret

Master Secret Algorithm:

static const unsigned char *salt[10]={
        (const unsigned char *)"A",
        (const unsigned char *)"BB",
        (const unsigned char *)"CCC",
        (const unsigned char *)"DDDD",
        (const unsigned char *)"EEEEE",
        (const unsigned char *)"FFFFFF",
        (const unsigned char *)"GGGGGGG",
        (const unsigned char *)"HHHHHHHH",
        (const unsigned char *)"IIIIIIIII",
        (const unsigned char *)"JJJJJJJJJJ"
    };


/*                   
 * client_master_secret = MD5(client_premaster_secret + SHA('A' + client_random + server_random + client_premaster_secret)) +
 *              MD5(client_premaster_secret + SHA('BB' + client_random + server_random + client_premaster_secret)) +
 *              MD5(client_premaster_secret + SHA('CCC' + client_random + server_random + client_premaster_secret))
 *
 */

tmp = ssl->client_master_secret;

    for (i = 0; i < 3; i++) {

        SHA_Init(&ctx1_sha);

        SHA_Update(&ctx1_sha, salt[i], i + 1);

        SHA_Update(&ctx1_sha, ssl->client_random, 28);

        SHA_Update(&ctx1_sha, ssl->server_random, 28);           
        SHA_Update(&ctx1_sha, ssl->client_premaster_secret, 48);

        SHA_Final(buf,&ctx1_sha);

       

        MD5_Init(&ctx1_md5);

        MD5_Update(&ctx1_md5, ssl->client_premaster_secret, 48);

        MD5_Update(&ctx1_md5, buf, 20);

        MD5_Final(tmp, &ctx1_md5);

        tmp += 16;

    }

However, when i analyze using the wireshark decoder for ssl (with the key specified), i am getting a different MasterSecret calculated in Wireshark than that calculated by me, though both use the same mechanism

Is something wrong with the MasterSecret calculation algorithm? Can i use a generic OpenSSL v3 PRF function to calculate the same, without defining the other parameters of ssl connection structure (because i am only required to calculate the MasterSecret)?

Thanks and Regards,
Suchindra Chandrahas







Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now.
Reply | Threaded
Open this post in threaded view
|

Re: Regarding construction of MasterSecret in ssl v3 handshake

jimmy bahuleyan
Suchindra Chandrahas wrote:

> Hi All,
>               I am trying to write an SSL v3 handshake without using
> openssl libraries. I have some problem with creation of MasterSecret in
> SSL v3. Here is the code snippet of hardcoded client that i am
> experimenting with:
>
> client_random is 28 bytes of 0x66 as of now
>
> My Server Random is stored in ssl->server_random[28] array (excluding
> gmt 4 bytes)
> My Client Random is stored in ssl->client_random[28] array (excluding
> gmt 4 bytes)
>
> Note: I am guessing that client random and server random are 28 bytes
> long. I am excluding the 4 bytes of gmt time spec from the random for
> calculating the Master Secret
>

Why are you excluding the 4 bytes of time stamp? The client_random is
part of prf calculation which means client_random is 32 bytes, and that
implies time-stamp is part of PRF calculation.

> Is something wrong with the MasterSecret calculation algorithm? Can i
> use a generic OpenSSL v3 PRF function to calculate the same, without
> defining the other parameters of ssl connection structure (because i am
> only required to calculate the MasterSecret)?

You can use the PRF function code from openssl, tls1_PRF doesn't require
any connection parameters as input.

>
> Thanks and Regards,
> Suchindra Chandrahas

-jb
--
Don't have a sig to call my own; care to donate a fortune?
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Regarding construction of MasterSecret in ssl v3 handshake

Suchindra Chandrahas
Hi Jimmy,
                    Yes i changed the no. of bytes to 32 (both client and server random). Also, is it ok to use openssl tls1_prf for ssl v3 handshake?

Thanks and Regards,
Suchindra Chandrahas

jimmy bahuleyan <[hidden email]> wrote:
Suchindra Chandrahas wrote:

> Hi All,
> I am trying to write an SSL v3 handshake without using
> openssl libraries. I have some problem with creation of MasterSecret in
> SSL v3. Here is the code snippet of hardcoded client that i am
> experimenting with:
>
> client_random is 28 bytes of 0x66 as of now
>
> My Server Random is stored in ssl->server_random[28] array (excluding
> gmt 4 bytes)
> My Client Random is stored in ssl->client_random[28] array (excluding
> gmt 4 bytes)
>
> Note: I am guessing that client random and server random are 28 bytes
> long. I am excluding the 4 bytes of gmt time spec from the random for
> calculating the Master Secret
>

Why are you excluding the 4 bytes of time stamp? The client_random is
part of prf calculation which means client_random is 32 bytes, and that
implies time-stamp is part of PRF calculation.

> Is something wrong with the MasterSecret calculation algorithm? Can i
> use a generic OpenSSL v3 PRF function to calculate the same, without
> defining the other parameters of ssl connection structure (because i am
> only required to calculate the MasterSecret)?

You can use the PRF function code from openssl, tls1_PRF doesn't require
any connection parameters as input.

>
> Thanks and Regards,
> Suchindra Chandrahas

-jb
--
Don't have a sig to call my own; care to donate a fortune?
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [hidden email]
Automated List Manager [hidden email]


Looking for last minute shopping deals? Find them fast with Yahoo! Search.
Reply | Threaded
Open this post in threaded view
|

Re: Regarding construction of MasterSecret in ssl v3 handshake

jimmy bahuleyan
Suchindra Chandrahas wrote:
> Hi Jimmy,
>                     Yes i changed the no. of bytes to 32 (both client
> and server random). Also, is it ok to use openssl tls1_prf for ssl v3
> handshake?
>

if you only want to do the prf calculation tls1_PRF() does just that for
you. It does the PRF as specified in rfc-2246, if that is what you have
in mind tls1_PRF() should work.

-jb
--
Don't have a sig to call my own; care to donate a fortune?
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Regarding construction of MasterSecret in ssl v3 handshake

Suchindra Chandrahas
Hi Jimmy,
                     RFC-2246 is for TLS v1. However, i am going for SSL v3. I don't know whether there is any function for the same. I went through ssl3_enc.c in openssl code:

int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
             int len)
        {
        static const unsigned char *salt[3]={
#ifndef CHARSET_EBCDIC
                (const unsigned char *)"A",
                (const unsigned char *)"BB",
                (const unsigned char *)"CCC",
#else
                (const unsigned char *)"\x41",
                (const unsigned char *)"\x42\x42",
                (const unsigned char *)"\x43\x43\x43",
#endif
                };
        unsigned char buf[EVP_MAX_MD_SIZE];
        EVP_MD_CTX ctx;
        int i,ret=0;
        unsigned int n;

        EVP_MD_CTX_init(&ctx);
        for (i=0; i<3; i++)
                {
                EVP_DigestInit_ex(&ctx,s->ctx->sha1, NULL);
                EVP_DigestUpdate(&ctx,salt[i],strlen((const char *)salt[i]));
                EVP_DigestUpdate(&ctx,p,len);
                EVP_DigestUpdate(&ctx,&(s->s3->client_random[0]),
                        SSL3_RANDOM_SIZE);
                EVP_DigestUpdate(&ctx,&(s->s3->server_random[0]),
                        SSL3_RANDOM_SIZE);
                EVP_DigestFinal_ex(&ctx,buf,&n);

                EVP_DigestInit_ex(&ctx,s->ctx->md5, NULL);
                EVP_DigestUpdate(&ctx,p,len);
                EVP_DigestUpdate(&ctx,buf,n);
                EVP_DigestFinal_ex(&ctx,out,&n);
                out+=n;
                ret+=n;
                }
        EVP_MD_CTX_cleanup(&ctx);
        return(ret);
        }


I guess *p above is pointer to premaster secret. I am doing the same thing here, only that EVP_Digest_Update is replaced MD5_Update/SHA_Update. I am not still sure whether my algorithm is correct or not!

Thanks and Regards,
Suchindra Chandrahas




jimmy bahuleyan <[hidden email]> wrote:
Suchindra Chandrahas wrote:
> Hi Jimmy,
> Yes i changed the no. of bytes to 32 (both client
> and server random). Also, is it ok to use openssl tls1_prf for ssl v3
> handshake?
>

if you only want to do the prf calculation tls1_PRF() does just that for
you. It does the PRF as specified in rfc-2246, if that is what you have
in mind tls1_PRF() should work.

-jb
--
Don't have a sig to call my own; care to donate a fortune?
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [hidden email]
Automated List Manager [hidden email]


Never miss a thing. Make Yahoo your homepage.
Reply | Threaded
Open this post in threaded view
|

Re: Regarding construction of MasterSecret in ssl v3 handshake

jimmy bahuleyan
Suchindra Chandrahas wrote:
> Hi Jimmy,
>                      RFC-2246 is for TLS v1. However, i am going for SSL
> v3. I don't know whether there is any function for the same. I went
> through ssl3_enc.c in openssl code:
>

ssl3_generate_master_secret() is the equivalent one for ssl3. Although
it takes some of the needed parameters from the SSL structure passed to
it; so you can't use it the same way as tls1_PRF(). But you could use
the code as reference for your PRF code.

> int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned
> char *p,
>              int len)
>         {
>         static const unsigned char *salt[3]={
> #ifndef CHARSET_EBCDIC
>                 (const unsigned char *)"A",
>                 (const unsigned char *)"BB",
>                 (const unsigned char *)"CCC",
> #else
>                 (const unsigned char *)"\x41",
>                 (const unsigned char *)"\x42\x42",
>                 (const unsigned char *)"\x43\x43\x43",
> #endif
>                 };
>         unsigned char buf[EVP_MAX_MD_SIZE];
>         EVP_MD_CTX ctx;
>         int i,ret=0;
>         unsigned int n;
>
>         EVP_MD_CTX_init(&ctx);
>         for (i=0; i<3; i++)
>                 {
>                 EVP_DigestInit_ex(&ctx,s->ctx->sha1, NULL);
>                 EVP_DigestUpdate(&ctx,salt[i],strlen((const char
> *)salt[i]));
>                 EVP_DigestUpdate(&ctx,p,len);
>                 EVP_DigestUpdate(&ctx,&(s->s3->client_random[0]),
>                         SSL3_RANDOM_SIZE);
>                 EVP_DigestUpdate(&ctx,&(s->s3->server_random[0]),
>                         SSL3_RANDOM_SIZE);
>                 EVP_DigestFinal_ex(&ctx,buf,&n);
>
>                 EVP_DigestInit_ex(&ctx,s->ctx->md5, NULL);
>                 EVP_DigestUpdate(&ctx,p,len);
>                 EVP_DigestUpdate(&ctx,buf,n);
>                 EVP_DigestFinal_ex(&ctx,out,&n);
>                 out+=n;
>                 ret+=n;
>                 }
>         EVP_MD_CTX_cleanup(&ctx);
>         return(ret);
>         }
>
>
> I guess *p above is pointer to premaster secret. I am doing the same
> thing here, only that EVP_Digest_Update is replaced
> MD5_Update/SHA_Update. I am not still sure whether my algorithm is
> correct or not!
>

you can call the specific _Update functions; provided you don't forget
to also call the corresponding _Init function.

-jb
--
Don't have a sig to call my own; care to donate a fortune?
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]