Ole Hansen wrote:

I now pass the 32 bytes (after the 5 bytes Record Layer Header) to my
decrypt function and I expected a result that at least had the handshake
protocol header as the first 4 bytes indicating the handshake type (20)
and length but it is not. That's what I meant with things not making
sense. The result seems to be just as random as the input. I know a
hashvalue is part of the Finished message but does it not have a four
byte header as well? Maybe that's the problem.


Yes, it will have the 4 byte Handshake Header, followed by 12 bytes of the verifyData, then the X byte HMAC, and finally, any padding (if needed.)

So, for an example RSA 3DES EDE CBC SHA1 connection, you would have 40 bytes that were encrypted:

 4 bytes for the Handshake header, which contains 0x14 for Finished, then 3 bytes of length (in this case, 0x0, 0x0, 0xc since it's just the length of the handshake's verify_data)
12 bytes of verify_data
20 bytes of the SHA1_HMAC
 3 bytes of padding
 1 byte of pad length
-------------------------------
40 bytes of encrypted data.


I have used EVP_Decrypt*-functions to decrypt the Finished message. They
are part of openssl-0.9.7c. I think this should be ok but I'm not quite
sure how to use them. Not many examples from the openssl documentation.



Hmmmm. Be sure you're initializing the decrypt process with the server's write key, and the server's IVec. Not the same keys you used to encrypt the client messages. And one thing I also needed to do that wasn't immediately obvious to me was to set EVP_CIPHER_CTX_set_padding(&cipherCtx, 0); SSL/TLS padding is different than standard PKCS padding, so you should handle it instead of letting the EVP_Decrypt routines do it. The Pad Length byte doesn't count in the padding. So, in the above case, I would have 3 bytes of padding (set to 3), then the pad byte is set to 3 as well. Standard PKCS padding would have all of the padding bytes set to 4. But, if you're doing a stream cipher (like RC4) you won't have padding...


(Now that I've said that, do the EVP_ routines handle SSL style padding?)

Anyway, hopefully one of these things will help point you in the right direction to find what your actual problem is...

Thanks, and a happy new year.

And to you as well!! :)

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
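
The layout described in the reply above, as an added example that is not part of the original thread or of OpenSSL: a check of a CBC-decrypted record (padding left in place, as with EVP padding disabled) against the TLS-style padding rule and the 4-byte handshake header. The function names, the 0xAA filler bytes and the fixed 20-byte MAC length are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 20   /* HMAC-SHA1, as in the 3DES/SHA1 example above */

/* Hypothetical helper: parse a CBC-decrypted record holding one handshake
 * message. Returns the handshake body length and sets *hs_type, or returns
 * -1 if the padding or layout is wrong. Not constant-time: intended for
 * offline debugging of your own traffic, not for a live record layer. */
static int parse_decrypted_handshake(const uint8_t *p, size_t n, uint8_t *hs_type)
{
    if (n < 1 + MAC_LEN + 4) return -1;
    uint8_t pad = p[n - 1];              /* pad length byte, not counted in the pad */
    if ((size_t)pad + 1 + MAC_LEN + 4 > n) return -1;
    for (size_t i = n - 1 - pad; i < n - 1; i++)
        if (p[i] != pad) return -1;      /* every pad byte must equal pad length */
    size_t content = n - 1 - pad - MAC_LEN;          /* header + body */
    size_t body = ((size_t)p[1] << 16) | ((size_t)p[2] << 8) | p[3];
    if (body + 4 != content) return -1;  /* 3-byte length must match what is left */
    *hs_type = p[0];
    return (int)body;
}

/* Constructed sample: 40 bytes laid out as in the message above. */
static void build_sample(uint8_t out[40], uint8_t pad_fill)
{
    memset(out, 0xAA, 40);               /* dummy verify_data and MAC bytes */
    out[0] = 0x14; out[1] = 0; out[2] = 0; out[3] = 0x0c;
    memset(out + 36, pad_fill, 3);       /* 3 padding bytes */
    out[39] = 3;                         /* pad length */
}

int main(void)
{
    uint8_t rec[40], type = 0;
    build_sample(rec, 3);
    int len = parse_decrypted_handshake(rec, sizeof rec, &type);
    printf("type=0x%02x body_len=%d\n", type, len);
    build_sample(rec, 4);                /* pad bytes that do not match pad length */
    printf("mismatched padding -> %d\n",
           parse_decrypted_handshake(rec, sizeof rec, &type));
    return 0;
}
```

If the first call fails on real decrypted output, the wrong key or IV is the likelier cause, since the result will look random and neither the padding nor the 0x14 header will line up.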
