From 90ed7f7f5e56427218d03d98befbb7534a9d65f6 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Mon, 22 Jul 2024 14:44:09 +0200 Subject: [PATCH] Add TLS-Exporter options to ssl_server2 The program prints out the derived symmetric key for testing purposes. Signed-off-by: Max Fillinger --- programs/ssl/ssl_server2.c | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 5de734f7eb..01be48ab7f 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -71,6 +71,8 @@ int main(void) #define DFL_NBIO 0 #define DFL_EVENT 0 #define DFL_READ_TIMEOUT 0 +#define DFL_EXP_LABEL NULL +#define DFL_EXP_LEN 20 #define DFL_CA_FILE "" #define DFL_CA_PATH "" #define DFL_CRT_FILE "" @@ -519,6 +521,10 @@ int main(void) " event=%%d default: 0 (loop)\n" \ " options: 1 (level-triggered, implies nbio=1),\n" \ " read_timeout=%%d default: 0 ms (no timeout)\n" \ + " exp_label=%%s Label to input into TLS-Exporter\n" \ + " default: None (don't try to export a key)\n" \ + " exp_len=%%d Length of key to extract from TLS-Exporter \n" \ + " default: 20\n" \ "\n" \ USAGE_DTLS \ USAGE_SRTP \ @@ -610,6 +616,8 @@ struct options { int nbio; /* should I/O be blocking? */ int event; /* loop or event-driven IO? level or edge triggered? */ uint32_t read_timeout; /* timeout on mbedtls_ssl_read() in milliseconds */ + const char *exp_label; /* label to input into mbedtls_ssl_export_keying_material() */ + int exp_len; /* Lenght of key to export using mbedtls_ssl_export_keying_material() */ int response_size; /* pad response with header to requested size */ uint16_t buffer_size; /* IO buffer size */ const char *ca_file; /* the file with the CA certificate(s) */ @@ -1699,6 +1707,8 @@ int main(int argc, char *argv[]) opt.cid_val = DFL_CID_VALUE; opt.cid_val_renego = DFL_CID_VALUE_RENEGO; opt.read_timeout = DFL_READ_TIMEOUT; + opt.exp_label = DFL_EXP_LABEL; + opt.exp_len = DFL_EXP_LEN; opt.ca_file = DFL_CA_FILE; opt.ca_path = DFL_CA_PATH; opt.crt_file = DFL_CRT_FILE; @@ -1877,6 +1887,10 @@ usage: } } else if (strcmp(p, "read_timeout") == 0) { opt.read_timeout = atoi(q); + } else if (strcmp(p, "exp_label") == 0) { + opt.exp_label = q; + } else if (strcmp(p, "exp_len") == 0) { + opt.exp_len = atoi(q); } else if (strcmp(p, "buffer_size") == 0) { opt.buffer_size = atoi(q); if (opt.buffer_size < 1) { @@ -3642,6 +3656,27 @@ handshake: mbedtls_printf("\n"); } + if (opt.exp_label != NULL && opt.exp_len > 0) { + unsigned char *exported_key = calloc((size_t)opt.exp_len, sizeof(unsigned int)); + if (exported_key == NULL) { + mbedtls_printf("Could not allocate %d bytes\n", opt.exp_len); + ret = 3; + goto exit; + } + ret = mbedtls_ssl_export_keying_material(&ssl, exported_key, (size_t)opt.exp_len, + opt.exp_label, strlen(opt.exp_label), + NULL, 0, 0); + if (ret != 0) { + goto exit; + } + mbedtls_printf("Exporting key of length %d with label \"%s\": 0x", opt.exp_len, opt.exp_label); + for (i = 0; i < opt.exp_len; i++) { + mbedtls_printf("%02X", exported_key[i]); + } + mbedtls_printf("\n\n"); + fflush(stdout); + } + #if defined(MBEDTLS_SSL_DTLS_SRTP) else if (opt.use_srtp != 0) { size_t j = 0;