From what I understand so far, the "KeyBlock" is the place to look for the
key? It's just a matter of getting the sizes and order of the individual
Keys and IVs so that I can extract the bits I need. Any pointers in that
area?
While it is technically possible to extract keys (search for
tls_openssl.c in hostap.git for an example), I would not recommend
doing this unless you really have to get a specific key derivation
mechanism matching with a defined use. This will be ugly and OpenSSL
version dependent.
TLS keying material exporter, i.e., SSL_export_keying_material(), will
make your life much easier if you are just looking for a mechanism to
derive suitable keys for other uses assuming you are using recent
enough OpenSSL. That tls_openssl.c file I mentioned above has an
example of this, too.
- Jouni
Thanks very much Jouni - I think that will work nicely! Now if only
there was some documentation on it...
So to get a key, I would just establish the TLS connection, then use:
    if (!SSL_export_keying_material(mySsl, key, key_len, label, label_len,
                                    NULL, 0, 0))
    {
        // handle error
    }
before closing the connection? Do that on both ends and I have my
symmetric keys for use in my app(s).
(My app uses a completely separate radio path for bulk data encrypted
using specialised hardware - hence my requirement for a key.)
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org