gnutls-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[gnutls-dev] Re: GnuTLS 1.2.8 with TLS Inner Application (TLS/IA) suppor


From: Simon Josefsson
Subject: [gnutls-dev] Re: GnuTLS 1.2.8 with TLS Inner Application (TLS/IA) support
Date: Thu, 15 Dec 2005 10:01:27 +0100
User-agent: Gnus/5.110004 (No Gnus v0.4) Emacs/22.0.50 (gnu/linux)

Jouni Malinen <address@hidden> writes:

> I haven't yet looked into details of the TLS/IA changes. However, I have
> one thing in my mind from the earlier experience of adding GnuTLS
> support. EAP-TLS/TTLS/PEAP/FAST require access to couple of values that
> are internal to the TLS handshake, namely, master_secret, client_random,
> and server_random. However, I have not found a supported, public API
> call for getting these from GnuTLS. These are stored in
> security_parameters_st, but that seems to be only used internally
> (defined in gnutls_int.h).
>
> My current workaround is to make a copy of this structure and fetch the
> parameters with direct read through gnutls_session::security_parameters.
> Another option would be to parse the values from debug messages (using
> log function callback). Neither option seems very nice since they
> are relying on the internal structure not changing and/or debug messages
> remaining in the same format. I'm actually keeping a list of tested
> GnuTLS versions and only allow tested versions to be used because of
> this workaround. Adding a public API call or structure definition for
> getting these values would be quite useful for EAP implementations.

Right.  I noticed this in your tls_gnutls.c, and it seemed ugly.  Of
course, it was the only solution for you.

I am working on adding two APIs, one to access the TLS PRF and one to
retrieve the master secret, the client/server-random and potentially
other useful data as well.  This will be part of the next GnuTLS 1.3.x
release (which will also include TLS/IA), hopefully due before the end
of this year.  Hopefully this will remove the need for your
workaround.

Thanks,
Simon



reply via email to

[Prev in Thread] Current Thread [Next in Thread]