Hi Marek,

Thanks once again for the detailed response.
I now have a few more doubts.

Do read_mac_secret and write_mac_secret change with
every MD5 hash verification?
I am not able to locate the code which actually updates these TCP
seq numbers and so on. What does this hash_update function do?
What does it update?

Thanks
--Gayathri

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marek Marcola
Sent: Friday, July 21, 2006 7:04 PM
To: openssl-users@openssl.org
Subject: RE: Query On SSL Processing

Hello,
> Thanks Marek, can you explain more on this "MAC" verification errors?
When an SSL record is read from the TCP socket, it is first decrypted (using
read_secret and the CBC XOR vector) and then the MAC of the decrypted packet is checked.
When calculating the MAC of the decrypted packet, the following information is used:
        - read_mac_secret
        - implied read sequence number (packet number)
        - packet type (handshake, data, alert ...)
        - length of packet data
        - packet data
If any of this information is incorrect or out of order (like the sequence
number), the calculated MAC will be different from the one received in the packet and
the connection will be dropped.

So silently removing some packets at (for example) the TCP layer will break
sequence numbering and will lead to breaking the connection.

Of course SSL_read() sees only data from application records, not from
handshake, alert or change_cipher_spec, because this data is part of the internal
implementation of the SSL protocol.
This is something like SMTP: when you receive e-mail you see only
headers and body, but not the SMTP conversation at the SMTP server layer (MAIL FROM:,
RCPT TO: ...).

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
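The MAC check Marek describes above, as an added Python example that is not from this thread or from OpenSSL's own code: it implements the TLS 1.0 record MAC (the RFC 2246 HMAC construction, here with MD5) and shows why a dropped or reordered record fails at the receiver, since the sequence number is implied by both sides rather than sent on the wire. The MAC key, protocol version and fragments are constructed values, and encryption of the record is left out because it does not change the MAC input.

```python
import hashlib
import hmac
import struct

# Constructed values: a real read/write MAC secret comes from the key block
# derived at handshake time, and the version from the negotiated protocol.
MAC_KEY = b"\x0b" * 16
TLS10_VERSION = b"\x03\x01"
APPLICATION_DATA = 23


def record_mac(mac_key, seq_num, content_type, fragment):
    """TLS 1.0 record MAC (RFC 2246, 6.2.3.1), here with HMAC-MD5:
    HMAC(mac_secret, seq_num || type || version || length || fragment).
    seq_num is an implicit 64-bit counter that is never sent on the wire."""
    header = struct.pack("!QB2sH", seq_num, content_type, TLS10_VERSION, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.md5).digest()


def protect_stream(mac_key, fragments, content_type=APPLICATION_DATA):
    """Sender side: MAC each fragment with its own write sequence number.
    Encryption of fragment||MAC is omitted; it does not change the MAC input."""
    return [(content_type, frag, record_mac(mac_key, seq, content_type, frag))
            for seq, frag in enumerate(fragments)]


def verify_stream(mac_key, records):
    """Receiver side: recompute the MAC with the *implied* read sequence
    number and compare. Returns one bool per record and stops at the first
    failure, which is where a real implementation raises a bad_record_mac
    alert and drops the connection."""
    results = []
    for read_seq, (content_type, fragment, received_mac) in enumerate(records):
        expected = record_mac(mac_key, read_seq, content_type, fragment)
        ok = hmac.compare_digest(expected, received_mac)
        results.append(ok)
        if not ok:
            break
    return results


if __name__ == "__main__":
    sent = protect_stream(MAC_KEY, [b"GET / HTTP/1.0\r\n", b"Host: a\r\n", b"\r\n"])
    print("intact   :", verify_stream(MAC_KEY, sent))                # [True, True, True]
    print("dropped  :", verify_stream(MAC_KEY, [sent[0], sent[2]]))  # [True, False]
    print("reordered:", verify_stream(MAC_KEY, [sent[1], sent[0]]))  # [False]
```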

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
