Why does 'SSL_export_keying_material' return a different value than whats printed to the NSS keylog file?
Hubert Kario
hkario at redhat.com
Tue May 17 12:16:59 UTC 2022
On Tuesday, 17 May 2022 02:33:29 CEST, Ian Spence via openssl-users wrote:
> I am trying to wrap my head around the keying material I can access
> within my TLS client application using OpenSSL 3.0.3
>
> I have `SSL_CTX_set_keylog_callback` set to just printf() the lines.
>
> I also have the following code to extract the client random:
>
>
> unsigned char * keymat = malloc(48);
> const char * label = "CLIENT_RANDOM";
> SSL_export_keying_material(ssl, keymat, 48, label,
> strnlen(label), NULL, 0, 0);
> printf("[EXPORT] %s: ", label.UTF8String);
> for (int i = 0; i < 48; i++) {
> printf("%02x", keymat[i]);
> }
> printf("\n");
>
>
> Looking in ssl_local.h I found definitions for the various labels.
> I've omitted the code from this email for brevity sake, but I print
> out the value for each of the labels.
>
> What I don't understand is why I'm getting different values from the
> two. When connecting to a TLS1.3 server I see the following:
>
>
> [NSS_KEYLOG] SERVER_HANDSHAKE_TRAFFIC_SECRET
> f60a59b1ca9629281d4ee45b9966f19277de0652fb12513d71d388d9a8545077
> 882c1c081f9fe2708cee4067956717caf1936e60511d8d01b2e63541378e44671903e15c5a4b5b7fb3208452d71681e3
> [NSS_KEYLOG] EXPORTER_SECRET
> f60a59b1ca9629281d4ee45b9966f19277de0652fb12513d71d388d9a8545077
> 6333438b11e60e3ebd3a4795d7bd8400c08b878854e181ae2d084f95a264192e92ab108a2bd0cb284f7f82dd78a6b4eb
> [NSS_KEYLOG] SERVER_TRAFFIC_SECRET_0
> f60a59b1ca9629281d4ee45b9966f19277de0652fb12513d71d388d9a8545077
> eabc8a14fc818707f03c2e0d7456011aa6aed025cfc43c25591aa7444ee6a045f643bc05b0daf9de9a1e863e7254681e
> [NSS_KEYLOG] CLIENT_HANDSHAKE_TRAFFIC_SECRET
> f60a59b1ca9629281d4ee45b9966f19277de0652fb12513d71d388d9a8545077
> ef410252e24f3bc03d62218aa42d5f002d5a5bbf12d5f0f3e356ed2b56bc5e5151b26995f0dcb57564d2192fd2b6a1e8
> [NSS_KEYLOG] CLIENT_TRAFFIC_SECRET_0
> f60a59b1ca9629281d4ee45b9966f19277de0652fb12513d71d388d9a8545077
> c88e7cc09e1c5b271aa5c722b527aa3a3f9744011c28cddce9a258be853dac6798aac67588bfbb57108cdbaae3c76130
> [EXPORT] CLIENT_RANDOM:
> a5ec0b54b796ef98bd1c8fad4f2459b657f6850d0b222a351444fd9deafa125d86991612cbec030e4ca2ee46eadb66ab
> [EXPORT] CLIENT_EARLY_TRAFFIC_SECRET:
> ae2cca098e941c88b574f068a52ea1cabbc2100a7b52afe3a1ba7981220111f348f5a0925092f619576649e3ddf15921
> [EXPORT] CLIENT_HANDSHAKE_TRAFFIC_SECRET:
> f916455fb08173176794188bb52bef126517248f04e6da47d6426a71c4e9b6a9d4381cfa89f4fcbf8a79de5183589725
> [EXPORT] SERVER_HANDSHAKE_TRAFFIC_SECRET:
> e6c60c26694e9d1eaaf97fd83f030dd3d9a0133231a2f803169d131f2238343dffd0a5328b561549cfc32cb30f7955c8
> [EXPORT] CLIENT_TRAFFIC_SECRET_0:
> e84885f1be1a25cd798768c2cf07d5593173ebe8ec6d2ed0959ff0332d6ad6a3ce6a38abe528db6be4a25500ad81cabe
> [EXPORT] SERVER_TRAFFIC_SECRET_0:
> 643296314df063c06642faf895075afa2d8b9ec3922fcc94a46e69e1be628d09deb62c43fda18f2acdfe27d3b986f1dd
> [EXPORT] EARLY_EXPORTER_SECRET:
> c78b3e4ba7caca9318621f795100811cd6fbf4090f551e44bde0002e6ecdad78d211e9dc6a459fe44f305d35631c34bf
> [EXPORT] EXPORTER_SECRET:
> 02fec8ac7a633d6b532e1ee0699a455f5a454cecbd684f9ed1c573cd820196a8a2a764726fa9236c168f356d776a5f60
>
>
> Looking at the implementation of ssl_log_secret in ssl_lib.c I see
> that the first parameter to the NSS log is the client random, but then
> when I ask for CLIENT_RANDOM why do I get a different value?
>
> I can reproduce this behaviour as well using the s_client: openssl
> s_client ... -keymatexport "CLIENT_RANDOM" -keymatexportlen 48
> -keylogfile keylog.txt
Keying material exporter is a way to implement channel binding:
https://datatracker.ietf.org/doc/html/rfc5705
not to extract the keys used for the connection.
The option to replicate the SSLKEYLOGFILE of NSS is the -keylogfile in
s_server.
Here's an example use:
https://github.com/openssl/openssl/blob/598bd7741568a1aae678e5472f18aae1ab991e8d/apps/lib/s_cb.c#L1517
--
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
More information about the openssl-users
mailing list