In several cases, after a TLS connection is established, it is desirable to derive keys to be used in another application or protocol (e.g., in an other TLS session using pre-shared keys). The following describe GnuTLS’ implementation of RFC5705 to extract keys based on a session’s master secret.
The API to use is gnutls_prf_rfc5705. The
function needs to be provided with a label,
and additional context data to mix in the
session: is a
label_size: length of the
label: label used in PRF computation, typically a short string.
context_size: length of the
context: optional extra data to seed the PRF with.
outsize: size of pre-allocated output buffer to hold the output.
out: pre-allocated buffer to hold the generated data.
Exports keyring material from TLS/DTLS session to an application, as specified in RFC5705.
In the TLS versions prior to 1.3, it applies the TLS Pseudo-Random-Function (PRF) on the master secret and the provided data, seeded with the client and server random fields.
In TLS 1.3, it applies HKDF on the exporter master secret derived from the master secret.
label variable usually contains a string denoting the purpose
for the generated data.
context variable can be used to add more data to the seed, after
the random variables. It can be used to make sure the
generated output is strongly connected to some additional data
(e.g., a string used in user authentication).
The output is placed in
out , which must be pre-allocated.
Note that, to provide the RFC5705 context, the
must be non-null.
GNUTLS_E_SUCCESS on success, or an error code.
For example, after establishing a TLS session using gnutls_handshake, you can obtain 32-bytes to be used as key, using this call:
#define MYLABEL "EXPORTER-My-protocol-name" #define MYCONTEXT "my-protocol's-1st-session" char out; rc = gnutls_prf_rfc5705 (session, sizeof(MYLABEL)-1, MYLABEL, sizeof(MYCONTEXT)-1, MYCONTEXT, 32, out);
The output key depends on TLS’ master secret, and is the same on both client and server.
For legacy applications which need to use a more flexible API, there is
gnutls_prf, which in addition, allows to switch the mix of the
client and server random nonces, using the
For additional flexibility and low-level access to the TLS1.2 PRF,
there is a low-level TLS PRF interface called gnutls_prf_raw.
That however is not functional under newer protocol versions.