[gnutls-dev] Re: GnuTLS 1.2.8 with TLS Inner Application (TLS/IA) support

Simon Josefsson jas at extundo.com
Thu Dec 15 10:01:27 CET 2005

Jouni Malinen <jkmaline at cc.hut.fi> writes:

> I haven't yet looked into details of the TLS/IA changes. However, I have
> one thing in my mind from the earlier experience of adding GnuTLS
> support. EAP-TLS/TTLS/PEAP/FAST require access to couple of values that
> are internal to the TLS handshake, namely, master_secret, client_random,
> and server_random. However, I have not found a supported, public API
> call for getting these from GnuTLS. These are stored in
> security_parameters_st, but that seems to be only used internally
> (defined in gnutls_int.h).
> My current workaround is to make a copy of this structure and fetch the
> parameters with direct read through gnutls_session::security_parameters.
> Another option would be to parse the values from debug messages (using
> log function callback). Neither option seems very nice since they
> are relying on the internal structure not changing and/or debug messages
> remaining in the same format. I'm actually keeping a list of tested
> GnuTLS versions and only allow tested versions to be used because of
> this workaround. Adding a public API call or structure definition for
> getting these values would be quite useful for EAP implementations.

Right.  I noticed this in your tls_gnutls.c, and it seemed ugly.  Of
course, it was the only solution for you.

I am working on adding two APIs, one to access the TLS PRF and one to
retrieve the master secret, the client/server-random and potentially
other useful data as well.  This will be part of the next GnuTLS 1.3.x
release (which will also include TLS/IA), hopefully due before the end
of this year.  Hopefully this will remove the need for your


More information about the Gnutls-devel mailing list