[gnutls-dev] [Pkg-gnutls-maint] Re: Possible bug in GnuTLS AES/SHA1

Simon Josefsson simon at josefsson.org
Tue Feb 6 09:27:05 CET 2007


James Westby <jw+debian at jameswestby.net> writes:

> Yes, I realise this. Last night I sent Marc the correct parameters to
> get OpenSSL s_server to request a client certificate and to select the
> same cipher suite. At least I hope they were correct this time.
>
> When I get the dump of that session from Marc I will look for any
> differences in the configuration, and if I can't see any I'll start
> looking for problems in the numbers.

Great, I think that is the best approach.

> I have found the code in OpenSSL that calculates the finished message,
> so I think I should be able to use that. The hard part after that is to
> work out how do the hashes, and to get the data to go in them.
>
> I am assuming that the handshake messages that must be hashed refers to
> the data that the SSL library sent over the wire, excluding the headers
> like type of packet, version and length. Or does it include those? I
> don't imagine that it is the whole packets with TCP/IP headers etc.

RFC 4346 says:

      verify_data
          PRF(master_secret, finished_label, MD5(handshake_messages) +
          SHA-1(handshake_messages)) [0..11];
...
      handshake_messages
          All of the data from all messages in this handshake (not
          including any HelloRequest messages) up to but not including
          this message.  This is only data visible at the handshake
          layer and does not include record layer headers.  This is the
          concatenation of all the Handshake structures, as defined in
          7.4, exchanged thus far.

So, yes, it will be tedious to compute which data goes into the hash.
Easiest to start by printing the input to the hash function and
comparing it against a wireshark dump.

However, if there is a problem in the finished message, I think we
should have much more serious problems.  I wouldn't spend too much
time on the finished message theory, especially when you can find
easier differences to debug first -- things like the missing/present
certificate request messages are IMHO more likely to cause a problem
like this.

/Simon




More information about the Gnutls-devel mailing list