On Mon, 10 Dec 2007, Marek Marcola wrote:
Hello,
Your description seems like on Certificate Verify message?
I was talking about Finished message.
Finished message is build with two hashes:
dgst1=md1(hs_msgs+label+master_secret+48*0x36)
dgst1=md1(master_secret+48*0x5c+dgst1)
dgst2=md2(hs_msgs+label+master_secret+40*0x36)
dgst2=md2(master_secret+40*0x5c+dgst2)
where md1=MD5 (for RSA) and md2=SHA1 (for RSA and DSA)
label="CLNT" for client, label="SRVR" for server.
This two digests is then encrypted with negotiated symmetric algorithm
(with padding for block ciphers) and sent to peer.
Peer decrypts SSL packet, calculates your own digests and compares
(peer drops connection if digests differs).
>Looks like the hash generation technique is same for finished and
the client verify message, except the contents fed to the hash differs.
Best regards,
********************************************************************************
This email message (including any attachments) is for the sole use of the intended recipient(s)
and may contain confidential, proprietary and privileged information. Any unauthorized review,
use, disclosure or distribution is prohibited. If you are not the intended recipient,
please immediately notify the sender by reply email and destroy all copies of the original message.
Thank you.
Intoto Inc.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
