On Wed, Jan 30, 2013 at 05:29:51PM +1300, T J wrote:

> How does one obtain the session key from a SSL structure after a
> successful TLS handshake?

You don't, but you should instead obtain the "tls-unique" channel
binding data ( https://tools.ietf.org/html/rfc5929#section-3 ) and
run the result through a KDF (HKDF should work well) on both ends
to obtain a suitable key for a symmetric algorithm of your choice.

On the server:

        /* Support finished MAC of up to 512 bits! */
        #define MAX_FINISHED_LEN 64
        unsigned char buf[MAX_FINISHED_LEN];
        size_t len;

        /* s is the SSL * of the connection.  tls-unique is the first
         * Finished message of the handshake: the client's on a full
         * handshake, the server's on a resumed one. */
        if (!SSL_session_reused(s))
            len = SSL_get_peer_finished(s, buf, MAX_FINISHED_LEN);
        else
            len = SSL_get_finished(s, buf, MAX_FINISHED_LEN);

        /* Run len bytes of "buf" through a key-derivation function; */
        /* the expansion function of HKDF is a reasonable choice. */


On the client:

        /* Support finished MAC of up to 512 bits! */
        #define MAX_FINISHED_LEN 64
        unsigned char buf[MAX_FINISHED_LEN];
        size_t len;

        /* s is the SSL * of the connection.  tls-unique is the first
         * Finished message of the handshake: the client's on a full
         * handshake, the server's on a resumed one. */
        if (!SSL_session_reused(s))
            len = SSL_get_finished(s, buf, MAX_FINISHED_LEN);
        else
            len = SSL_get_peer_finished(s, buf, MAX_FINISHED_LEN);

        /* Run len bytes of "buf" through a key-derivation function; */
        /* the expansion function of HKDF is a reasonable choice. */

For HKDF see: https://tools.ietf.org/html/rfc5869

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
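
The derivation step described in the message above, as an added example that is not part of the original post or of OpenSSL: it selects the first Finished message by role and resumption state, as the two C snippets do, and runs it through HKDF-SHA256 (RFC 5869). It uses the full extract-then-expand construction rather than only the expansion step; the function names, the "info" label and the Finished values are constructed for illustration.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt, ikm):
    """RFC 5869 section 2.2: PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk, info, length):
    """RFC 5869 section 2.3: T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def tls_unique(is_server, resumed, own_finished, peer_finished):
    """First Finished message of the handshake: client's on full, server's on resumed."""
    if not own_finished or not peer_finished:
        raise ValueError("handshake incomplete: empty Finished message")
    first_is_clients = not resumed
    own_is_clients = not is_server
    return own_finished if first_is_clients == own_is_clients else peer_finished


def derive_key(binding, info=b"example app key v1", length=32):
    """Extract-then-expand over the binding; the 'info' label is a made-up example."""
    return hkdf_expand(hkdf_extract(b"", binding), info, length)


# Constructed 12-byte Finished values (TLS 1.2 verify_data size), not a real capture.
CLIENT_FIN = bytes.fromhex("0102030405060708090a0b0c")
SERVER_FIN = bytes.fromhex("a1a2a3a4a5a6a7a8a9aaabac")

if __name__ == "__main__":
    for resumed in (False, True):
        c = derive_key(tls_unique(False, resumed, CLIENT_FIN, SERVER_FIN))
        s = derive_key(tls_unique(True, resumed, SERVER_FIN, CLIENT_FIN))
        print("resumed" if resumed else "full", c.hex(), c == s)
```

tls-unique is not defined for TLS 1.3; on such connections, and in OpenSSL generally, SSL_export_keying_material (RFC 5705 exporters) returns keying material bound to the connection directly.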
