We have a situation with a non-openssl server (version 2 of SSL, SSL_CK_RC4_128_EXPORT40_WITH_MD5) under development interfacing into an openssl client (I downloaded a Windows binary of openssl 0.9.6b). Everything goes well until the server_finished is sent (which means that we have successfully sent the server_verify, which has been decrypted and mac-checked, thus verifying all basic functions).

At this point the mac verification fails. There was one message in the archives from last year which described the same sort of behaviour but to which no replies were forthcoming (see archives for message titled "OpenSSL 0.9.6a handshake problem").

Any thoughts? Note that the mac failure is before the session id is checked for length or the message code is checked.

The prior message, the server_verify, was mac'ed as ssl record 1 and this record, the server_finished, was mac'ed as ssl record 2. The same logic (using an Atalla hardware card) was used to encrypt both records. Clearly, the demonstration of success with the client_finished and the server_verify demonstrates that both of the session keys have successfully been generated by both ends of the connection.

Interestingly, there is no mac error if I change the server to send the server_finished (mac'ed now as record 1) when it should be sending the server_finished. Obviously, I get an error about the wrong message type received, but it gets through the decryption and mac check successfully. I did this to see if it were a data problem or not [called my routine ssl_send_sv_finished() in place of ssl_send_sv_verify()].

Either there's a problem in the server logic (which I am able to debug) or the openssl which I am not able to debug.

Any thoughts on this one?

Attached is the output of openssl s_client -connect <x> -debug -ssl2 > log.txt

OpenSSL> CONNECTED(0000004C)
write to 0050FABC [00504DD9] (51 bytes => 51 (0x33)) <-- client_hello
0000 - 80 31 01 00 02 00 18 00-00 00 10 07 00 c0 05 00 .1..............
0010 - 80 03 00 80 01 00 80 08-00 80 06 00 40 04 00 80 ............@...
0020 - 02 00 80 1f 47 58 c1 5f-97 f3 60 fd d4 18 64 ad ....GX._..`...d.
0030 - 9b 46 55 .FU
read from 0050FABC [004FCDD0] (2 bytes => 2 (0x2))
0000 - 82 15 ..
read from 0050FABC [004FCDD2] (533 bytes => 533 (0x215)) <-- server_hello
0000 - 04 00 01 00 02 01 f7 00-03 00 10 30 82 01 f3 30 ...........0...0
0010 - 82 01 5c a0 03 02 01 00-02 10 02 f0 be 38 67 93 ..\..........8g.
0020 - 9d f5 00 00 00 00 00 00-00 00 30 0d 06 09 2a 86 ..........0...*.
0030 - 48 86 f7 0d 01 01 04 05-00 30 39 31 0c 30 0a 06 H........091.0..
0040 - 03 55 04 06 13 03 55 53-41 31 14 30 12 06 03 55 .U....USA1.0...U
0050 - 04 0a 13 0b 42 43 45 20-45 4d 45 52 47 49 53 31 ....BCE EMERGIS1
0060 - 13 30 11 06 03 55 04 03-13 0a 4d 65 73 73 61 67 .0...U....Messag
0070 - 65 77 61 79 30 1e 17 0d-30 32 30 31 32 31 30 30 eway0...02012100
0080 - 31 32 33 31 5a 17 0d 31-32 30 31 32 31 30 30 31 1231Z..120121001
0090 - 32 33 31 5a 30 37 31 0c-30 0a 06 03 55 04 06 13 231Z071.0...U...
00a0 - 03 55 53 41 31 14 30 12-06 03 55 04 0a 13 0b 42 .USA1.0...U....B
00b0 - 43 45 20 45 4d 45 52 47-49 53 31 11 30 0f 06 03 CE EMERGIS1.0...
00c0 - 55 04 03 13 08 43 4d 30-39 36 30 54 30 30 81 9f U....CM0960T00..
00d0 - 30 0d 06 09 2a 86 48 86-f7 0d 01 01 01 05 00 03 0...*.H.........
00e0 - 81 8d 00 30 81 89 02 81-81 00 c0 45 53 72 e8 a7 ...0.......ESr..
00f0 - 6a a7 bc f8 35 dd 89 74-d3 90 95 33 2b 6a 59 b0 j...5..t...3+jY.
0100 - 4f 80 40 15 95 90 76 28-8e 2c c2 78 91 de 79 1a O.@...v(.,.x..y.
0110 - 26 f1 bb a0 7c ac 8a 9b-7d 59 d1 2f f3 4d d8 19 &...|...}Y./.M..
0120 - f6 d7 6a 9c 89 58 77 42-54 5f 14 fe 4f 19 fa 71 ..j..XwBT_..O..q
0130 - 5a bd f5 81 e4 1e c2 11-d1 46 ee 67 9e 48 0c a1 Z........F.g.H..
0140 - ed b0 ad f0 0f c7 67 f7-31 c3 90 c5 18 99 6a 12 ......g.1.....j.
0150 - 2b 7d e7 c6 47 56 60 54-04 d0 bb c5 b6 ca 56 f2 +}..GV`T......V.
0160 - ab f3 64 81 61 76 60 ba-de 45 02 03 01 00 01 30 ..d.av`..E.....0
0170 - 0d 06 09 2a 86 48 86 f7-0d 01 01 04 05 00 03 81 ...*.H..........
0180 - 81 00 7c ae 51 4c d1 21-72 39 c1 c8 4d 9e 09 18 ..|.QL.!r9..M...
0190 - bd d7 0b d7 7d 5e 46 d2-15 e5 74 fc 26 16 99 67 ....}^F...t.&..g
01a0 - 6e f5 8a a0 8b b3 eb 8e-c4 07 03 76 0b 1d d2 23 n..........v...#
01b0 - 27 76 7a 4b d7 6f af a1-74 57 76 e0 0b da fa a1 'vzK.o..tWv.....
01c0 - c7 c5 cf f4 9b 5f e6 c7-57 97 39 ad 69 7a 64 3e ....._..W.9.izd>
01d0 - f9 be 36 48 ec da b8 44-69 a3 87 b0 a5 c9 c7 22 ..6H...Di......"
01e0 - 28 89 00 e9 e9 1a ce 22-19 33 75 89 d3 30 bd e6 (......".3u..0..
01f0 - 91 43 c8 71 bb 7b be 87-60 05 17 d2 f0 52 24 9d .C.q.{..`....R$.
0200 - 01 3f 02 00 80 bd ac 4f-d9 a7 af 17 00 4c 63 6f .?.....O.....Lco <-- rc4 128 export 40 offered
0210 - 66 22 84 14 d1 f"...
write to 0050FABC [00504DD9] (151 bytes => 151 (0x97)) <-- client_master_key
0000 - 80 95 02 02 00 80 00 0b-00 80 00 00 18 47 09 5d .............G.] <-- rc4 128 export 40 selected
0010 - a7 f4 de 01 6c c5 80 bf-f3 14 78 50 ec 99 dd 08 ....l.....xP....
0020 - b9 a7 3f 37 ea 62 09 3b-e9 e4 f7 0b 27 49 2b 10 ..?7.b.;....'I+.
0030 - 6e cd a6 8b cc e9 00 cf-29 95 ba 77 3c 13 3c 1b n.......)..w<.<.
0040 - 79 3c 85 32 de 49 0d 8e-b9 cb ab 6b 12 6a b6 0c y<.2.I.....k.j..
0050 - ba 2f 91 72 03 18 06 5f-46 22 4d e7 9c 9a 89 6e ./.r..._F"M....n
0060 - f6 0f f2 db 2f 49 9b 4e-28 98 78 22 ad 08 47 fa ..../I.N(.x"..G.
0070 - 9b 10 d4 aa de c7 e8 54-6d f8 ef 53 2d 22 70 15 .......Tm..S-"p.
0080 - 18 04 d8 39 3c 1a 0e 8c-9e 9e 70 7a de c2 02 81 ...9<.....pz....
0090 - 52 83 6f d1 07 a7 29 R.o...)
write to 0050FABC [00504DD9] (35 bytes => 35 (0x23)) <-- client_finished
0000 - 80 21 e2 c2 fa 66 e3 20-a2 b2 9b 18 d8 3e 91 10 .!...f. .....>.. <-- which is successfully verified
0010 - bc c2 c8 52 d3 67 b6 24-f1 66 9e 0b f9 c7 33 72 ...R.g.$.f....3r <-- by server
0020 - 28 b8 60 (.`
read from 0050FABC [004FCDD0] (2 bytes => 2 (0x2)) <-- server_verify
0000 - 80 21 .! <-- shows good decryption
read from 0050FABC [004FCDD2] (33 bytes => 33 (0x21)) <-- and mac checking
0000 - 71 2d 1f bb 89 12 37 b5-56 d8 8b d4 df fa 53 3c q-....7.V.....S<
0010 - bb 2e e6 0c 45 5b 6c bf-33 38 c5 e1 8c 1a 8b a0 ....E[l.38......
0020 - 84 .
read from 0050FABC [004FCDD0] (2 bytes => 2 (0x2)) <-- server_finished.
0000 - 80 21 .! <-- actual clear data is msgcode
read from 0050FABC [004FCDD2] (33 bytes => 33 (0x21)) <-- plus 16 bytes of session id
0000 - 67 01 39 6c cc 22 01 0c-96 67 27 50 84 e3 c0 5c g.9l."...g'P...\
0010 - b8 33 51 ea 36 58 d7 28-87 c5 11 f9 e8 b7 10 e6 .3Q.6X.(........
0020 - d1 .
4294353583:error:140EC071:SSL routines:SSL2_READ_INTERNAL:bad mac decode:./ssl/s2_pkt.c:265:
OpenSSL>

The corresponding source in openssl ssl2_pkt.c is:

    s->s2->ract_data_length=s->s2->rlength;
    /* added a check for length > max_size in case
     * encryption was not turned on yet due to an error */
    if ((!s->s2->clear_text) &&
        (s->s2->rlength >= mac_size))
        {
        ssl2_enc(s,0);
        s->s2->ract_data_length-=mac_size;
        ssl2_mac(s,mac,0);
        s->s2->ract_data_length-=s->s2->padding;
        if ( (memcmp(mac,s->s2->mac_data,
            (unsigned int)mac_size) != 0) ||
            (s->s2->rlength%EVP_CIPHER_CTX_block_size(s->enc_read_ctx) != 0))
            {
            SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_MAC_DECODE);
            return(-1);
            }
        }
    INC32(s->s2->read_sequence); /* expect next number */
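
An added example, not part of the original post and not OpenSSL code: a Python model of the SSLv2 receive-side check quoted above, for the RC4 case, showing that the second record verifies only if the sender's MAC sequence number and RC4 keystream both carry over from the first. The key, payload bytes, `Peer` class and the two fault switches are constructed for illustration and do not diagnose the poster's server.

```python
import hashlib, hmac, struct

class RC4:
    """Minimal RC4; state persists across calls, as it must across records."""
    def __init__(self, key):
        self.s, self.i, self.j = list(range(256)), 0, 0
        j = 0
        for i in range(256):
            j = (j + self.s[i] + key[i % len(key)]) & 0xFF
            self.s[i], self.s[j] = self.s[j], self.s[i]
    def crypt(self, data):
        s, out = self.s, bytearray()
        for b in data:
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + s[self.i]) & 0xFF
            s[self.i], s[self.j] = s[self.j], s[self.i]
            out.append(b ^ s[(s[self.i] + s[self.j]) & 0xFF])
        return bytes(out)

def ssl2_mac(write_key, data, seq):
    # SSLv2: MD5(sender's write key || data (+ padding, none for RC4) || 32-bit big-endian seq)
    return hashlib.md5(write_key + data + struct.pack(">I", seq)).digest()

class Peer:
    """One direction of the record layer; seq=1 because the clear server_hello was record 0."""
    def __init__(self, key, seq=1):
        self.key, self.rc4, self.seq = key, RC4(key), seq
    def send(self, data, restart_cipher=False, seq_skew=0):
        if restart_cipher:                      # constructed fault: keystream reset per record
            self.rc4 = RC4(self.key)
        body = self.rc4.crypt(ssl2_mac(self.key, data, self.seq + seq_skew) + data)
        self.seq += 1
        return body
    def recv(self, body):                       # same order as the quoted check: decrypt, then MAC
        plain = self.rc4.crypt(body)
        if not hmac.compare_digest(plain[:16], ssl2_mac(self.key, plain[16:], self.seq)):
            return None                         # corresponds to "bad mac decode"
        self.seq += 1                           # INC32(read_sequence)
        return plain[16:]

KEY = bytes(range(16))                          # constructed 128-bit write key
VERIFY = b"\x05" + b"C" * 16                    # server_verify: msg code + 16-byte challenge
FINISHED = b"\x06" + b"S" * 16                  # server_finished: msg code + 16-byte session id

def handshake_tail(**fault):
    """server_verify then server_finished; the fault hits the second record only."""
    server, client = Peer(KEY), Peer(KEY)
    return (client.recv(server.send(VERIFY)) == VERIFY,
            client.recv(server.send(FINISHED, **fault)) == FINISHED)
```

Calling `handshake_tail()` with no fault, with `restart_cipher=True`, or with `seq_skew=1` shows the first record passing in every case and the second passing only in the fault-free run. Each record body is 33 bytes (16-byte MAC plus 17 bytes of data), the same size as the two records in the log.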