On Mon, 2014-08-04 at 23:18 +0900, Youngsok Kim wrote:
> Hello,
> Could anyone provide assistance with obtaining
> client_write_{MAC_secret,key,IV} of an active TLS/SSL session? I'm
> trying to obtain these values for offload the data encryption and
> decryption routines to an accelerator without modifying GnuTLS's
> source codes.There is no straightforward way to export the TLS session secrets. Which accelerator do you use for off-loading? gnutls supports cryptodev and more can be registered using gnutls_crypto_single_cipher_register(), gnutls_crypto_single_mac_register() etc. If you are using one with free software drivers consider contributing it back with that API. A direct way to extract the calculated secrets (which is recommended for debugging only as it will break on any future upgrade of gnutls) is to export gnutls_session_int and security_parameters in your program. > // obtain 'key_block' > unsigned long key_block_size = hash_size * 2 + key_size * 2 + > IV_size * 2; > unsigned char key_block[key_block_size]; > err = gnutls_prf(m_session, 13, "key expansion", 1, 0, NULL, > key_block_size, (char *)key_block); I believe the 4th variable should be zero (the client random is first). Note also that this construction will only work if you negotiate TLS 1.0 or later. regards, Nikos _______________________________________________ Gnutls-help mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnutls-help
