Hello,

> Thanks Marek, can you explain more on these "MAC" verification errors?

When an SSL record is read from the TCP socket, it is first decrypted (using read_secret and the CBC XOR vector) and then the MAC of the decrypted packet is checked. When calculating the MAC of the decrypted packet the following information is used:

- read_mac_secret
- implied read sequence number (packet number)
- packet type (handshake, data, alert ...)
- length of packet data
- packet data

If any of this information is incorrect or out of order (like the sequence number), the calculated MAC will be different from the one received in the packet and the connection will be dropped.

So silently removing some packets at (for example) the TCP layer will break the sequence numbering and will lead to breaking the connection. Of course SSL_read() sees only data from application records, not from handshake, alert or change_cipher_spec records, because this data is part of the internal implementation of the SSL protocol. This is something like SMTP: when you receive an e-mail you see only the headers and body, but not the SMTP conversation at the SMTP server layer (MAIL FROM:, RCPT TO: ...).

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
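An added illustration of the record-MAC check described above (not part of Marek's reply, and not OpenSSL's own code): a small Python model of the TLS 1.0 record-layer MAC from RFC 2246, which is the HMAC over the implicit 64-bit sequence number, content type, protocol version, fragment length and fragment (the TLS 1.0 form additionally covers the version, which the SSL 3.0 MAC does not). The MAC secret, messages and HMAC-SHA1 choice are constructed for the example, and the decryption step is omitted because it does not affect the sequence-number argument. It shows that if one record is silently removed below the SSL layer, the receiver's implied sequence number no longer matches the sender's and verification fails on the very next record, and that relabelling a record's content type fails the same way.

```python
import hashlib
import hmac
import struct

# Constructed sample values; in a real session these come from the handshake.
MAC_SECRET = b"constructed-read-mac-secret"   # plays the role of read_mac_secret
TLS_VERSION = (3, 1)                            # TLS 1.0
APPLICATION_DATA = 23                           # record content types
ALERT = 21


def record_mac(mac_secret, seq_num, content_type, fragment, version=TLS_VERSION):
    """TLS 1.0 record MAC (RFC 2246, section 6.2.3.1):
    HMAC_hash(secret, seq_num || type || version || length || fragment).
    seq_num is a 64-bit counter kept by each side and never sent on the wire.
    """
    header = struct.pack("!QBBBH", seq_num, content_type,
                         version[0], version[1], len(fragment))
    return hmac.new(mac_secret, header + fragment, hashlib.sha1).digest()


class Sender:
    """Produces (type, fragment, mac) records with a running write sequence number."""
    def __init__(self, mac_secret):
        self.mac_secret = mac_secret
        self.seq = 0

    def protect(self, fragment, content_type=APPLICATION_DATA):
        mac = record_mac(self.mac_secret, self.seq, content_type, fragment)
        self.seq += 1
        return (content_type, fragment, mac)


class Receiver:
    """Checks each record against its own implied read sequence number."""
    def __init__(self, mac_secret):
        self.mac_secret = mac_secret
        self.seq = 0

    def verify(self, record):
        content_type, fragment, mac = record
        expected = record_mac(self.mac_secret, self.seq, content_type, fragment)
        self.seq += 1
        # Constant-time comparison; a mismatch is a fatal bad_record_mac alert.
        return hmac.compare_digest(expected, mac)


def simulate(messages, drop_index=None):
    """Send messages over a simulated link, optionally dropping one record.
    Returns the per-record verification results, stopping at the first failure
    because a real stack tears the connection down at that point."""
    sender, receiver = Sender(MAC_SECRET), Receiver(MAC_SECRET)
    wire = [sender.protect(m) for m in messages]
    if drop_index is not None:
        del wire[drop_index]          # "silent" removal below the SSL layer
    results = []
    for rec in wire:
        ok = receiver.verify(rec)
        results.append(ok)
        if not ok:
            break
    return results


def relabelled_record_is_rejected():
    """Changing only the content type (application data -> alert) breaks the MAC."""
    sender, receiver = Sender(MAC_SECRET), Receiver(MAC_SECRET)
    content_type, fragment, mac = sender.protect(b"hello")
    return not receiver.verify((ALERT, fragment, mac))


if __name__ == "__main__":
    msgs = [b"GET / HTTP/1.0\r\n", b"Host: example.test\r\n", b"\r\n"]
    print("intact stream:", simulate(msgs))                           # [True, True, True]
    print("record 1 dropped:", simulate(msgs, drop_index=1))          # [True, False]
    print("type relabelled rejected:", relabelled_record_is_rejected())  # True
```

The receiver has no way to resynchronise: once a record is missing, every later record is checked against the wrong sequence number, which is why the observable symptom is a MAC failure rather than a gap in the application data returned by SSL_read().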