Next: , Previous: , Up: Advanced topics   [Contents][Index]

6.12.7 Deriving keys for other applications/protocols

In several cases, after a TLS connection is established, it is desirable to derive keys to be used in another application or protocol (e.g., in an other TLS session using pre-shared keys). The following describe GnuTLS’ implementation of RFC5705 to extract keys based on a session’s master secret.

The API to use is gnutls_prf_rfc5705. The function needs to be provided with a label, and additional context data to mix in the context parameter.

Function: int gnutls_prf_rfc5705 (gnutls_session_t session, size_t label_size, const char * label, size_t context_size, const char * context, size_t outsize, char * out)

session: is a gnutls_session_t type.

label_size: length of the label variable.

label: label used in PRF computation, typically a short string.

context_size: length of the extra variable.

context: optional extra data to seed the PRF with.

outsize: size of pre-allocated output buffer to hold the output.

out: pre-allocated buffer to hold the generated data.

Exports keying material from TLS/DTLS session to an application, as specified in RFC5705.

In the TLS versions prior to 1.3, it applies the TLS Pseudo-Random-Function (PRF) on the master secret and the provided data, seeded with the client and server random fields.

In TLS 1.3, it applies HKDF on the exporter master secret derived from the master secret.

The label variable usually contains a string denoting the purpose for the generated data.

The context variable can be used to add more data to the seed, after the random variables. It can be used to make sure the generated output is strongly connected to some additional data (e.g., a string used in user authentication).

The output is placed in out , which must be pre-allocated.

Note that, to provide the RFC5705 context, the context variable must be non-null.

Returns: GNUTLS_E_SUCCESS on success, or an error code.

Since: 3.4.4

For example, after establishing a TLS session using gnutls_handshake, you can obtain 32-bytes to be used as key, using this call:

#define MYLABEL "EXPORTER-My-protocol-name"
#define MYCONTEXT "my-protocol's-1st-session"

char out[32];
rc = gnutls_prf_rfc5705 (session, sizeof(MYLABEL)-1, MYLABEL,
                         sizeof(MYCONTEXT)-1, MYCONTEXT, 32, out);

The output key depends on TLS’ master secret, and is the same on both client and server.

For legacy applications which need to use a more flexible API, there is gnutls_prf, which in addition, allows to switch the mix of the client and server random nonces, using the server_random_first parameter. For additional flexibility and low-level access to the TLS1.2 PRF, there is a low-level TLS PRF interface called gnutls_prf_raw. That however is not functional under newer protocol versions.

Next: , Previous: , Up: Advanced topics   [Contents][Index]