How SSL works: the SSL handshake process for two-way certificate authentication.
The following describes how the SSL protocol works. The client needs to send and receive several handshake messages:
1. The client sends a "ClientHello" message, listing the cryptographic algorithms and compression methods it supports and the highest protocol version it supports, as well as a random number to be used later.
2. The client then receives a "ServerHello" message, which contains the connection parameters selected by the server from those offered in the client's "ClientHello".
3. When both parties know the connection parameters, the client and the server exchange certificates (depending on the selected public key system). These certificates are generally based on X.509, but the draft already supports certificates based on OpenPGP.
4. The server requests the public key of the client. If the client has a certificate, this is two-way identity authentication. When there is no certificate, the public key is randomly generated.
5. The client and the server use the public key to confidentially negotiate a shared master key (both parties contribute random values), which is achieved through a carefully designed pseudo-random function. The result may be a Diffie-Hellman exchange or simplified public key encryption, in which both parties use their private keys for decryption. This master key is used for encryption of all other key data.
During data transmission, the record layer encapsulates higher-level protocols such as HTTP. Record-layer data can optionally be compressed and encrypted, and is packed together with a message authentication code. Each record-layer packet has a Content-Type field that records the protocol used by the upper layer.
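The record framing described above can be checked directly on captured bytes. The following is an added example, not code from the original article: it walks the 5-byte record headers (Content-Type, version, length) in a buffer and rejects data that is not SSLv3/TLS record framing. The names `parse_record`, `count_records` and `SAMPLE` are hypothetical, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values of the record header's Content-Type field. */
enum { CT_CHANGE_CIPHER_SPEC = 20, CT_ALERT = 21, CT_HANDSHAKE = 22, CT_APPLICATION_DATA = 23 };
#define MAX_BODY (16384 + 2048)  /* largest record body TLS 1.2 allows */
struct tls_record { uint8_t type, major, minor; uint16_t length; };

/* Constructed sample stream (payload bytes are placeholders, not real traffic). */
const uint8_t SAMPLE[] = {
    0x16, 0x03, 0x01, 0x00, 0x04, 0x01, 0x00, 0x00, 0x00, /* handshake          */
    0x14, 0x03, 0x03, 0x00, 0x01, 0x01,                   /* change_cipher_spec */
    0x17, 0x03, 0x03, 0x00, 0x03, 0xaa, 0xbb, 0xcc,       /* application data   */
    0x17, 0x03, 0x03, 0x00, 0x10, 0xff                    /* truncated record   */
};

/* Parse one record header. Returns header + body size, 0 if the buffer ends
 * before the record does, or -1 if the header is not valid SSLv3/TLS framing. */
long parse_record(const uint8_t *buf, size_t len, struct tls_record *out)
{
    if (len < 5) return 0;
    out->type = buf[0];
    out->major = buf[1]; out->minor = buf[2];
    out->length = (uint16_t)((buf[3] << 8) | buf[4]);
    if (out->type < CT_CHANGE_CIPHER_SPEC || out->type > CT_APPLICATION_DATA) return -1;
    if (out->major != 3 || out->length > MAX_BODY) return -1;
    if (len - 5 < out->length) return 0;
    return 5 + (long)out->length;
}

/* Count complete records of one content type; -1 if the stream is malformed. */
int count_records(const uint8_t *buf, size_t len, int type)
{
    struct tls_record r;
    int n = 0;
    for (size_t off = 0; off < len; ) {
        long used = parse_record(buf + off, len - off, &r);
        if (used < 0) return -1;
        if (used == 0) break;          /* incomplete tail: wait for more bytes */
        if (r.type == type) n++;
        off += (size_t)used;
    }
    return n;
}

int main(void)
{
    printf("handshake records: %d\n", count_records(SAMPLE, sizeof SAMPLE, CT_HANDSHAKE));
    return 0;
}
```

A return value of -1 on the first bytes of a connection usually means the peer is not speaking SSLv3/TLS on that port, for example plaintext HTTP or SSLv2 framing, which uses a different header.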
To use an SSL-layer interface function, follow these steps:
1. Initialize the OpenSSL library
The initialization functions are listed as follows:
#define OpenSSL_add_ssl_algorithms() SSL_library_init()
#define SSLeay_add_ssl_algorithms() SSL_library_init()
2. Select the session protocol
The client uses one of the following functions to select the session protocol (SSLv2 and SSLv3 are insecure; OpenSSL 1.1.0 and later provide the version-flexible TLS_client_method() and TLS_server_method() instead):
const SSL_METHOD *SSLv2_client_method(void);   /* SSLv2 */
const SSL_METHOD *SSLv3_client_method(void);   /* SSLv3 */
const SSL_METHOD *SSLv23_client_method(void);  /* SSLv3 but can rollback to v2 */
const SSL_METHOD *TLSv1_client_method(void);   /* TLSv1.0 */
const SSL_METHOD *DTLSv1_client_method(void);  /* DTLSv1.0 */
The server uses one of the following functions to select the session protocol:
const SSL_METHOD *SSLv2_server_method(void);   /* SSLv2 */
const SSL_METHOD *SSLv3_server_method(void);   /* SSLv3 */
const SSL_METHOD *SSLv23_server_method(void);  /* SSLv3 but can rollback to v2 */
const SSL_METHOD *TLSv1_server_method(void);   /* TLSv1.0 */
const SSL_METHOD *DTLSv1_server_method(void);  /* DTLSv1.0 */
3. Create a session environment
Create a session environment:
SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
Set the certificate authentication method:
void SSL_CTX_set_verify(SSL_CTX *ctx, int mode,
                        int (*callback)(int, X509_STORE_CTX *));
Load the CA-issued certificate into the session environment:
int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x);
int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d);
Load the user's private key into the session environment:
int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);
int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx,
                                const unsigned char *d, long len);
Verify that the private key and certificate are consistent:
int SSL_CTX_check_private_key(const SSL_CTX *ctx);
4. Create an SSL socket
An SSL socket is built on a common TCP socket. After an application creates a common socket and obtains the socket descriptor fd, it creates an SSL socket and binds the fd to the SSL socket.
SSL *SSL_new(SSL_CTX *ctx);
int SSL_set_fd(SSL *s, int fd);
int SSL_set_rfd(SSL *s, int fd);
int SSL_set_wfd(SSL *s, int fd);
5. Complete the SSL handshake
As in ordinary socket programming, after an SSL socket is created, the client calls SSL_connect() in place of the ordinary socket connect() function, and the server calls SSL_accept() in place of the ordinary socket accept() function.
int SSL_accept(SSL *ssl);
int SSL_connect(SSL *ssl);
After the handshake is complete, query the peer's certificate information:
X509 *SSL_get_peer_certificate(const SSL *s);
X509_NAME *X509_get_subject_name(X509 *a);  /* <openssl/x509.h> */
6. Data transmission
Secure data transmission includes encryption, decryption, compression, and decompression.
int SSL_read(SSL *ssl, void *buf, int num);
int SSL_peek(SSL *ssl, void *buf, int num);
int SSL_write(SSL *ssl, const void *buf, int num);
7. End the SSL communication
Shut down the SSL socket and release the session environment.
int SSL_shutdown(SSL *s);
void SSL_free(SSL *ssl);
void SSL_CTX_free(SSL_CTX *);
Aegeaner Column