Cryptography Reference
Getting back to send_message, you have a data buffer with the MAC of the
plaintext data. Now, from the data pointer that was passed into the function
in the first place, copy the actual plaintext after it and encrypt the whole thing
into the target buffer.
    // Add the data (padding was already set to zeros)
    memcpy( encrypt_buf + parameters->active_cipher_spec->hash_size,
            data, data_len );
    // Finally encrypt the whole thing
    parameters->active_cipher_spec->bulk_encrypt( encrypt_buf,
        buf_len - 3, encrypted,
        parameters->write_state ? parameters->write_state :
                                  parameters->write_iv,
        parameters->write_key );
Now, the encrypted buffer contains the MAC, the plaintext, and the padding,
all encrypted using the client write key. Finally, copy the encrypted data into
the target buffer:
    memcpy( buffer + 3, encrypted, buf_len - 3 );
    free( encrypt_buf );
    free( encrypted );
}
The only other addition to send_message is the following, which updates the
sequence number upon which the add_mac function relies:
    parameters->write_sequence_number++;
The server receives this encrypted message, decrypts it using the negotiated
keys, and verifies the MAC. If decryption and MAC verification succeed, the
server finally verifies that the connection ID received matches the one that it sent.
What if any of these steps fail? The specification states that a MAC verify or
decrypt error “is to be treated as if an 'I/O Error' had occurred (i.e. an
unrecoverable error is asserted and the connection is closed).” However, it doesn't define any
unrecoverable (or recoverable, for that matter) error codes describing this scenario.
As a result, all existing implementations simply shut down the socket on error.
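As an added illustration (not code from the original text or from OpenSSL), the sketch below shows the receiver's checks once a record has been decrypted: the MAC over the data and the sequence number, then the connection ID, with every failure collapsed into a single fatal result. The names toy_mac, build_body, check_body and demo are hypothetical, the FNV-based MAC is an insecure stand-in for the cipher spec's hash, and encryption, padding and the message-type byte are left out.

```c
#include <stdint.h>
#include <string.h>

#define MAC_LEN 4 /* stand-in; the real size is the cipher spec's hash_size */

/* Insecure stand-in MAC (FNV-1a over key, data, sequence number). */
static void toy_mac(const uint8_t *key, size_t klen, const uint8_t *data,
                    size_t len, uint32_t seq, uint8_t out[MAC_LEN]) {
    uint32_t h = 2166136261u;
    size_t i;
    for (i = 0; i < klen; i++) h = (h ^ key[i]) * 16777619u;
    for (i = 0; i < len; i++) h = (h ^ data[i]) * 16777619u;
    for (i = 0; i < 4; i++) h = (h ^ ((seq >> (24 - 8 * i)) & 0xff)) * 16777619u;
    for (i = 0; i < MAC_LEN; i++) out[i] = (uint8_t)(h >> (24 - 8 * i));
}

/* Sender: lay out MAC || data, then advance the write sequence number. */
static size_t build_body(const uint8_t *key, size_t klen, uint32_t *seq,
                         const uint8_t *data, size_t len, uint8_t *body) {
    toy_mac(key, klen, data, len, (*seq)++, body);
    memcpy(body + MAC_LEN, data, len);
    return MAC_LEN + len;
}

/* Receiver, after decryption: 0 = accepted, -1 = any failure. The caller
   closes the socket on -1 and does not report which check failed. */
static int check_body(const uint8_t *key, size_t klen, uint32_t *seq,
        const uint8_t *body, size_t blen, const uint8_t *conn_id, size_t idlen) {
    uint8_t expect[MAC_LEN], diff = 0;
    size_t i;
    if (blen < MAC_LEN) return -1;
    toy_mac(key, klen, body + MAC_LEN, blen - MAC_LEN, (*seq)++, expect);
    for (i = 0; i < MAC_LEN; i++) diff |= expect[i] ^ body[i]; /* no early exit */
    return (diff || blen - MAC_LEN != idlen ||
            memcmp(body + MAC_LEN, conn_id, idlen)) ? -1 : 0;
}

/* Constructed scenario. tamper: 0 none, 1 flipped data bit, 2 stale sequence
   number on the receiver, 3 valid MAC but a different connection ID expected. */
static int demo(int tamper) {
    const uint8_t key[] = "constructed-key";
    uint8_t id[8] = {1, 2, 3, 4, 5, 6, 7, 8}, body[MAC_LEN + 8];
    uint32_t wseq = 0, rseq = (tamper == 2);
    size_t n = build_body(key, sizeof key, &wseq, id, sizeof id, body);
    if (tamper == 1) body[MAC_LEN] ^= 1;
    if (tamper == 3) id[0] ^= 1;
    return check_body(key, sizeof key, &rseq, body, n, id, sizeof id);
}

int main(void) { return demo(0) == 0 && demo(1) == -1 ? 0 : 1; }
```

Because the sequence number is an input to the MAC, a record checked against the wrong counter fails exactly like a tampered one, which is why both sides must increment it once per record.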
SSL Server Verify
As discussed earlier, OpenSSL goes ahead and sends the server_verify as
soon as the key exchange is complete, although the specification suggests that it
should wait until the client_finished is received correctly. The ServerVerify
message in Listing C-26 looks just like, and serves the same purpose as, the
client finished message.