
I am trying to use SSLEngine with SocketChannels in non-blocking mode.

The handshake is done correctly, but when I try to read & decrypt HTTP POSTs from the SocketChannel, only the headers are decrypted and the body disappears:

<code>
int num = 0;

while (num == 0) {
    num = socketChannel.read(peerNetData);
    if (num == -1)
        break;
}

if (num == -1) {
    System.out.println("channel closed");
} else if (num == 0) {
    System.out.println("no bytes to read");
} else {
    // Process incoming data
    peerNetData.flip();

    SSLEngineResult res = engine.unwrap(peerNetData, peerAppData);
    // returns an OK status

    peerNetData.flip();
    peerAppData.flip();
    System.out.println(new String(peerNetData.array()));
    System.out.println(new String(peerAppData.array()));
}
</code>

When printing the encrypted data in peerNetData I am getting:

?>.//POST test HTTP/1.1 Cache-Control: no-cache Content-Length: 20 Content-Type: application/octet-stream Host: 192.168.X.X

?>.//?>.//?>.//?>.//?>.//?>.//?>.//?>.//?>.//?>.//?>.// <--- encrypted chars here

but when I print the decrypted data in peerAppData I am getting

POST test HTTP/1.1/ Cache-Control: no-cache Content-Length: 20 Content-Type: application/octet-stream Host: 192.168.X.X // and then three empty lines here.

Is this a decryption problem with SSLEngine?

Thanks

Also I would like to add that the unwrap method returns an OK status.

user3791570
  • `while(num==0)` ? Sorry, but what's wrong with all the other numbers out there? – Maarten Bodewes Oct 07 '14 at 00:20
  • while(num==0) guarantees me that the loop will be exited if and only if the socket has received something. (In my case the socket is able to read everything together since the message is small.) – user3791570 Oct 07 '14 at 13:28
  • Yes, but is there a guarantee that it will read *all* data? – Maarten Bodewes Oct 07 '14 at 13:58
  • In general cases, of course, we have to handle the underflow case. But in my case all the data is being read and the SSLEngine returns an OK status. – user3791570 Oct 07 '14 at 14:19
  • OK, in that case I'll reinstate my answer, but beware that I haven't had much experience with the particular channel and SSLEngine classes. Basically it is a description of what could happen within the SSL layer. Note that it would be interesting to know the ciphersuite in use. – Maarten Bodewes Oct 07 '14 at 14:23

1 Answer


It could well be that the actual POST content was empty except for the 2 empty lines (one line is standard after the header, if I'm not mistaken). Because of PKCS#7 padding, at least 16 bytes of data (one block, 16 bytes for AES) will be encrypted at the minimum.

Besides that, the data will also contain a MAC, as SSL usually uses MAC-then-encrypt (also known as the wrong way around according to most).

So it may look like there is data, even if it is just overhead.

Maarten Bodewes
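For comparison with the loop in the question, here is an added example (my own code, not the asker's and not from the JDK) of a read/unwrap step that keeps unwrapping while records remain in peerNetData, handles the underflow/overflow statuses, compacts the network buffer instead of flipping it twice, and decodes only the valid region of peerAppData rather than the whole backing array. Printing bytesConsumed() against bytesProduced() per record also makes the header/MAC/padding overhead from the answer visible. It assumes the handshake on `engine` has already completed, no renegotiation occurs, and both buffers were sized from engine.getSession(); the class and method names are mine.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.SocketChannel;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
public final class TlsRecordReader {
    // Reads what the peer has sent so far and unwraps every complete TLS record in
    // peerNetData, appending plaintext to peerAppData. Assumes the handshake on
    // `engine` is finished and both buffers were sized from engine.getSession().
    // Returns false once the channel or the TLS session is closed.
    public static boolean readAndUnwrap(SocketChannel channel, SSLEngine engine,
            ByteBuffer peerNetData, ByteBuffer peerAppData) throws IOException {
        if (channel.read(peerNetData) == -1) {  // non-blocking: 0 bytes is normal
            return false;
        }
        peerNetData.flip();
        try {
            // One read may hold several records (e.g. headers and body separately).
            while (peerNetData.hasRemaining()) {
                SSLEngineResult res = engine.unwrap(peerNetData, peerAppData);
                switch (res.getStatus()) {
                    case OK:
                        // consumed > produced: the gap is record header, MAC, padding
                        System.out.printf("record: %d net bytes -> %d app bytes%n",
                                res.bytesConsumed(), res.bytesProduced());
                        break;
                    case BUFFER_UNDERFLOW:  // partial record: wait for more bytes
                        return true;
                    case BUFFER_OVERFLOW:   // peerAppData full: caller must drain it
                        return true;
                    case CLOSED:
                        return false;
                }
            }
        } finally {
            peerNetData.compact();  // keep any partial record for the next read
        }
        return true;
    }
    // Returns only the valid bytes (position..limit after flip), not the whole
    // backing array, which is what new String(buf.array()) would print.
    public static String drainPlaintext(ByteBuffer peerAppData) {
        peerAppData.flip();
        String text = StandardCharsets.ISO_8859_1.decode(peerAppData).toString();
        peerAppData.clear();
        return text;
    }
}
```

A caller invokes readAndUnwrap each time the selector reports the channel readable and calls drainPlaintext afterwards, so a body that arrives in a later record is appended to the headers instead of being lost.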