Maybe the patch below can help. Disclaimer: this is just a POC, it is not thread safe (a single file is used)!!! You'll have to adjust that to your needs.
SSL_SESSION_print will write all the session information (including the master key) to the file. If you need the master key only, you could use session->master_key (with session->master_key_length).

Using the ssl_callback_info() (in the SSL_CB_HANDSHAKE_DONE state) allows you to catch any (re)negotiation when finished.

Regards,
Yann.

Index: modules/ssl/ssl_engine_kernel.c =================================================================== --- modules/ssl/ssl_engine_kernel.c (revision 1548486) +++ modules/ssl/ssl_engine_kernel.c (working copy) @@ -1989,6 +1989,15 @@ void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE ssl scr->reneg_state = RENEG_REJECT; } + if ((where & SSL_CB_HANDSHAKE_DONE)) { + SSL_SESSION *session = SSL_get_session((SSL *)ssl); + if (session) { + BIO *bio = BIO_new_file("/path/to/sessions/file", "a"); + SSL_SESSION_print(bio, session); + BIO_free(bio); + } + } + s = mySrvFromConn(c); if (s && s->loglevel >= APLOG_DEBUG) { log_tracing_state(ssl, c, s, where, rc);
[END OF PATCH]

On Fri, Dec 6, 2013 at 11:19 AM, Sebastian Biedermann <biederm...@seceng.informatik.tu-darmstadt.de> wrote:

> Dear developers,
>
> I work on a research project about SSL security.
> Currently, I'm trying to identify and write the negotiated
> symmetric AES key of a session to a file just by modifying the
> apache2-2.4.6 source code. Until now, I was not able to identify
> and locate the variable which temporarily stores this key.
>
> In apache2-2.4.6/modules/ssl/*mod_ssl.c*
> a new ssl connection is initiated in
> int *ssl_init_ssl_connection*(conn_rec *c, request_rec *r)
> and there are several structs, I guess one of them stores the key:
>
> SSLSrvConfigRec *sc;
> SSLConnRec *sslconn;
> modssl_ctx_t *mctx;
> server_rec *server;
>
> Unfortunately, there is very little information about this on the Internet
> and I don't really know where to start.
> Can anyone give me a hint or tell me which variable stores the AES key?
>
> Thank you!
>
> --
> Sebastian
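
Review bot: In the SSL_CB_HANDSHAKE_DONE block added to ssl_callback_Info in modules/ssl/ssl_engine_kernel.c, the result of BIO_new_file("/path/to/sessions/file", "a") is passed to SSL_SESSION_print without a NULL check, so a failed open (missing directory, wrong permissions) goes unhandled inside the handshake callback of every connection; guard the print and BIO_free with `if (bio)` and log the failure. The file receives the master key of every session in plaintext, so the path should come from configuration rather than a hard-coded literal, the file should be readable only by the server user, and the block should be compiled in only for debugging. Opening and appending on each completed handshake also lets concurrent workers interleave their output, as the message itself notes; a lock or a per-process file is needed before this runs on a threaded MPM. Minor: the doubled parentheses in `if ((where & SSL_CB_HANDSHAKE_DONE))` can be single.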