Calculate hash of Client Hello message with SSL (ssl

client_early_traffic_secret and early_exporter_master_secret was defined in RFC 8446 as

client_early_traffic_secret = Derive-Secret(Early Secret, "c e traffic", ClientHello)
early_exporter_master_secret = Derive-Secret(Early Secret, "e exp master", ClientHello)

early_exporter_master_secret is calculated and saved into the SSL (ssl_st) struct in tls13_change_cipher_state() method in tls13_enc.c in OpenSSL 1.1.1 stable versions. However, client_early_traffic_secret is also calculated but not saved anywhere. To calculate client_early_traffic_secret, both the Early Secret (which is already saved as ssl_st->early_secret) and the hash of the Client Hello message (which is not saved either) are needed.

How can I get the hash of the Client Hello message with only SSL (ssl_st) struct? Or is there another way to calculate client_early_traffic_secret with SSL (ssl_st) struct?

CodePudding user response：

To calculate the hash of a Client Hello message with the ssl_st struct in OpenSSL and save it, you can use the SSL_SESSION_get_master_key and EVP_Digest functions in combination with the BIO_write function.

Here is an example of how this can be done:

// Create an SSL context
SSL_CTX* ctx = SSL_CTX_new(TLS_client_method());

// Connect to a server using the SSL context
SSL* ssl = SSL_new(ctx);
BIO* bio = BIO_new_connect("localhost:443");
SSL_set_bio(ssl, bio, bio);
SSL_connect(ssl);

// Get the SSL session associated with the SSL connection
SSL_SESSION* session = SSL_get_session(ssl);

// Get the master key from the SSL session
unsigned char master_key[48];
unsigned int master_key_len;
SSL_SESSION_get_master_key(session, master_key, &master_key_len);

// Calculate the SHA256 hash of the master key
unsigned char hash[32];
EVP_Digest(master_key, master_key_len, hash, NULL, EVP_sha256(), NULL);

// Save the SHA256 hash of the master key to a file
BIO* out = BIO_new_file("hash.bin", "w");
BIO_write(out, hash, 32);
BIO_free(out);

// Clean up
SSL_free(ssl);
SSL_CTX_free(ctx);

In this example, the SSL_SESSION_get_master_key function is used to retrieve the master key from the SSL session associated with the SSL connection. This master key is then passed to the EVP_Digest function, which calculates the SHA256 hash of the master key and stores it in the hash array.

Next, the BIO_new_file function is used to create a new BIO object that writes to a file called hash.bin. The BIO_write function is then used to write the SHA256 hash to the file.

Finally, the BIO_free function is used to free the BIO object, and the SSL_free and SSL_CTX_free functions are used to clean up the SSL connection and context.

You can use this technique to calculate the hash of the master key for any Client Hello message that is exchanged during an SSL/TLS handshake using the ssl_st struct in OpenSSL, and save it to a file for later use.

CodePudding user response：

The hash of the Client Hello message is not saved in the ssl_st struct, so it is not possible to calculate the hash of the Client Hello message with only the ssl_st struct. The ssl_st struct is intended to store the current state of an SSL/TLS connection, but it does not store a full record of all messages that have been sent and received during the connection.

To calculate the client_early_traffic_secret, you would need access to the Early Secret and the hash of the Client Hello message. Since the hash of the Client Hello message is not saved in the ssl_st struct, you would need to find another way to obtain it.

One possible solution would be to use the SSL_get_message_hash() function, which is available in recent versions of OpenSSL. This function allows you to obtain the hash of the most recently processed message in an SSL/TLS connection. This could be used to obtain the hash of the Client Hello message, but only if the Client Hello message has already been processed by the OpenSSL library.

Alternatively, you could try to obtain the hash of the Client Hello message by directly accessing the message data and calculating the hash using a cryptographic hash function such as SHA-256. However, this would require access to the raw message data, which may not be available in the ssl_st struct.

In summary, it is not possible to calculate the client_early_traffic_secret using only the ssl_st struct, as the ssl_st struct does not store the necessary information (the Early Secret and the hash of the Client Hello message). You would need to use additional information or a different approach to calculate the client_early_traffic_secret.