Create MBEDTLS_SSL_KEYING_MATERIAL_EXPORT option

Add the option MBEDTLS_SSL_KEYING_MATERIAL_EXPORT to mbedtls_config.h to control if the function mbedtls_ssl_export_keying_material() should be available. By default, the option is disabled. This is because the exporter for TLS 1.2 requires client_random and server_random need to be stored after the handshake is complete. Signed-off-by: Max Fillinger <max@max-fillinger.net>
2025-07-30 22:43:08 +03:00 · 2024-10-25 00:52:24 +02:00
parent 7b52328f6c
commit 951b886801
6 changed files with 56 additions and 19 deletions
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@ -347,11 +347,7 @@ int main(void)
    "                        in the form of base64 code (serialize option\n"   \
    "                        must be set)\n"                                   \
    "                         default: \"\" (do nothing)\n"                    \
-    "                         option: a file path\n" \
-    "    exp_label=%%s       Label to input into TLS-Exporter\n" \
-    "                         default: None (don't try to export a key)\n" \
-    "    exp_len=%%d         Length of key to extract from TLS-Exporter \n" \
-    "                         default: 20\n"
+    "                         option: a file path\n"
 #else
 #define USAGE_SERIALIZATION ""
 #endif
@ -381,6 +377,16 @@ int main(void)
 #define USAGE_TLS1_3_KEY_EXCHANGE_MODES ""
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */

+#if defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
+#define USAGE_EXPORT \
+    "    exp_label=%%s       Label to input into TLS-Exporter\n" \
+    "                         default: None (don't try to export a key)\n" \
+    "    exp_len=%%d         Length of key to extract from TLS-Exporter \n" \
+    "                         default: 20\n"
+#else
+#define USAGE_EXPORT ""
+#endif /* defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */
+
 /* USAGE is arbitrarily split to stay under the portable string literal
 * length limit: 4095 bytes in C99. */
 #define USAGE1 \
@ -471,6 +477,7 @@ int main(void)
    "                                otherwise. The expansion of the macro\n" \
    "                                is printed if it is defined\n"           \
    USAGE_SERIALIZATION                                                       \
+    USAGE_EXPORT                                                              \
    "\n"

 /*
@ -2574,7 +2581,7 @@ usage:
    }
 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */

-#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
+#if defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
    if (opt.exp_label != NULL && opt.exp_len > 0) {
        unsigned char *exported_key = calloc((size_t) opt.exp_len, sizeof(unsigned int));
        if (exported_key == NULL) {
@ -2597,7 +2604,7 @@ usage:
        mbedtls_printf("\n\n");
        fflush(stdout);
    }
-#endif /* defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) */
+#endif /* defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */

    /*
     * 6. Write the GET request