I have fixed my issue. For anyone who was wondering, what I ended up doing was looking in the cipher name string for the appropriate cipher names and the MAC authentication name. I am writing a proxy that is only concerned with a limited number of ciphers, so this wasn't all that difficult. I know that it's not the most elegant solution, and if anyone has the correct way to do this I would appreciate it, but this will work for me for now.
Happy coding,
Sam

On Mon, Aug 23, 2010 at 12:45 PM, Sam Jantz <sjan...@gmail.com> wrote:
> Hello all,
>
> I am trying to reconstruct the key block from a given ssl connection,
> and I seem to have found a way to do it (borrowing heavily from the files
> t1_enc.c, and ssl_ciph.c) but I run into a problem. During a call to
> ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, const EVP_MD **md,
> int *mac_pkey_type, int *mac_secret_size, SSL_COMP **comp, SSL* ssl) I
> get an error state, and I've tracked it down to something within the
> SSL_CIPHER structure. First, I'll paste the code here for reference, and
> highlight my changes with diff style markers:
>
> -- original code
> ++ my changes
>
> int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
> --     const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size, SSL_COMP **comp)
> ++     const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size, SSL_COMP **comp, SSL* ssl)
>     {
>     int i;
>     const SSL_CIPHER *c;
> --  c=s->cipher;
> ++  c = SSL_get_current_cipher(ssl); // This was changed because s->cipher
>                                      // was returning 0, and causing the function to return.
>     if (c == NULL) return(0);
>     if (comp != NULL)
>         {
>         SSL_COMP ctmp;
> #ifndef OPENSSL_NO_COMP
>         load_builtin_compressions();
> #endif
>
>         *comp=NULL;
>         ctmp.id=s->compress_meth;
>         if (ssl_comp_methods != NULL)
>             {
>             i=sk_SSL_COMP_find(ssl_comp_methods,&ctmp);
>             if (i >= 0)
>                 *comp=sk_SSL_COMP_value(ssl_comp_methods,i);
>             else
>                 *comp=NULL;
>             }
>         }
>
>     if ((enc == NULL) || (md == NULL)) return(0);
>
>     switch (c->algorithm_enc)
>         {
>     case SSL_DES:
>         i=SSL_ENC_DES_IDX;
>         break;
>     case SSL_3DES:
>         i=SSL_ENC_3DES_IDX;
>         break;
>     case SSL_RC4:
>         i=SSL_ENC_RC4_IDX;
>         break;
>     case SSL_RC2:
>         i=SSL_ENC_RC2_IDX;
>         break;
>     case SSL_IDEA:
>         i=SSL_ENC_IDEA_IDX;
>         break;
>     case SSL_eNULL:
>         i=SSL_ENC_NULL_IDX;
>         break;
>     case SSL_AES128:
>         i=SSL_ENC_AES128_IDX;
>         break;
>     case SSL_AES256:
>         i=SSL_ENC_AES256_IDX;
>         break;
>     case SSL_CAMELLIA128:
>         i=SSL_ENC_CAMELLIA128_IDX;
>         break;
>     case SSL_CAMELLIA256:
>         i=SSL_ENC_CAMELLIA256_IDX;
>         break;
>     case SSL_eGOST2814789CNT:
>         i=SSL_ENC_GOST89_IDX;
>         break;
>     case SSL_SEED:
>         i=SSL_ENC_SEED_IDX;
>         break;
>     default:
>         i= -1;
>         break;
>         }
>
>     if ((i < 0) || (i > SSL_ENC_NUM_IDX))
>         *enc=NULL;
>     else
>         {
>         if (i == SSL_ENC_NULL_IDX)
>             *enc=EVP_enc_null();
>         else
>             *enc=ssl_cipher_methods[i];
>         }
>
>     switch (c->algorithm_mac)
>         {
>     case SSL_MD5:
>         i=SSL_MD_MD5_IDX;
>         break;
>     case SSL_SHA1:
>         i=SSL_MD_SHA1_IDX;
>         break;
>     case SSL_GOST94:
>         i = SSL_MD_GOST94_IDX;
>         break;
>     case SSL_GOST89MAC:
>         i = SSL_MD_GOST89MAC_IDX;
>         break;
>     default:
>         i= -1;
>         break;
>         }
>     if ((i < 0) || (i > SSL_MD_NUM_IDX))
>         {
>         *md=NULL;
>         if (mac_pkey_type!=NULL) *mac_pkey_type = NID_undef;
>         if (mac_secret_size!=NULL) *mac_secret_size = 0;
>
>         }
>     else
>         {
>         *md=ssl_digest_methods[i];
>         if (mac_pkey_type!=NULL) *mac_pkey_type = ssl_mac_pkey_id[i];
>         if (mac_secret_size!=NULL) *mac_secret_size = ssl_mac_secret_size[i];
>         }
>
>     if ((*enc != NULL) && (*md != NULL) && (!mac_pkey_type||*mac_pkey_type != NID_undef))
>         return(1);
>     else
>         return(0);
>     }
>
> Like I said, this is heavily borrowed. I've only made 1 change so far, and
> changed the signature of the function. Anyway, the error comes when I'm
> switching on c->algorithm_enc. c->algorithm_enc is always zero no matter
> what the cipher spec. I don't understand why. c->algorithm_mac has a
> legitimate value, but not c->algorithm_enc. Why is this? Is there any way
> to work around it like I did with the SSL_get_current_cipher()? Please
> let me know if you know of any possible solution. I am really at a loss for
> why this field never gets populated.
>
> Thanks again,
>
> Sam
>
>
> --
> Sam Jantz
> Software Engineer
>

--
Sam Jantz
Software Engineer
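The workaround Sam settled on, matching the cipher and MAC names inside the suite name string, written out as an added example (not code from this thread or from OpenSSL). It assumes the TLS 1.0 key-block layout that tls1_setup_key_block uses for non-export suites, 2*(MAC key + cipher key + IV), and the token tables and their sizes are constructed here; a suite the tables do not cover, or an AEAD suite, is refused rather than guessed.

```c
/* Added example, not from the thread or OpenSSL: map an OpenSSL suite name
 * (SSL_CIPHER_get_name()) to the TLS 1.0 key-block layout by substring
 * matching, the workaround Sam describes. Needs no OpenSSL headers. */
#include <stddef.h>
#include <string.h>

struct key_block_layout {
    const char *enc, *mac;  /* tokens matched, NULL if unknown */
    size_t mac_len;         /* MAC key length = digest output size */
    size_t key_len, iv_len; /* cipher key and IV length (iv 0 for RC4/NULL) */
    size_t total;           /* 2*(mac_len+key_len+iv_len), TLS 1.0 layout */
};
/* Ordered tables (constructed): "SHA256" must be tried before "SHA";
 * "DES-CBC3" does not match single-DES names such as "DES-CBC-SHA". */
static const struct { const char *tok; size_t key, iv; } enc_tab[] = {
    { "AES128", 16, 16 }, { "AES256", 32, 16 },
    { "CAMELLIA128", 16, 16 }, { "CAMELLIA256", 32, 16 },
    { "DES-CBC3", 24, 8 }, { "RC4", 16, 0 }, { "NULL", 0, 0 },
};
static const struct { const char *tok; size_t len; } mac_tab[] = {
    { "SHA384", 48 }, { "SHA256", 32 }, { "SHA", 20 }, { "MD5", 16 },
};
/* Returns 1 and fills *out for a suite the tables cover, 0 otherwise.
 * AEAD suites (GCM/CCM) are refused: they have no MAC key and a different
 * key-block layout, so guessing here would silently derive wrong keys. */
int key_block_layout_from_name(const char *name, struct key_block_layout *out)
{
    size_t i;
    memset(out, 0, sizeof *out);
    if (strstr(name, "GCM") || strstr(name, "CCM"))
        return 0;
    for (i = 0; i < sizeof enc_tab / sizeof enc_tab[0]; i++)
        if (strstr(name, enc_tab[i].tok)) {
            out->enc = enc_tab[i].tok;
            out->key_len = enc_tab[i].key;
            out->iv_len = enc_tab[i].iv;
            break;
        }
    for (i = 0; i < sizeof mac_tab / sizeof mac_tab[0]; i++)
        if (strstr(name, mac_tab[i].tok)) {
            out->mac = mac_tab[i].tok;
            out->mac_len = mac_tab[i].len;
            break;
        }
    if (out->enc == NULL || out->mac == NULL)
        return 0;
    out->total = 2 * (out->mac_len + out->key_len + out->iv_len);
    return 1;
}
```

This gives the per-direction key, MAC and IV sizes a proxy needs to split a derived key block, without depending on the SSL_CIPHER internals that were returning zero.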