Add TLS-Exporter options to ssl_server2
The program prints out the derived symmetric key for testing purposes.
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 5de734f..01be48a 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -71,6 +71,8 @@
#define DFL_NBIO 0
#define DFL_EVENT 0
#define DFL_READ_TIMEOUT 0
+#define DFL_EXP_LABEL NULL
+#define DFL_EXP_LEN 20
#define DFL_CA_FILE ""
#define DFL_CA_PATH ""
#define DFL_CRT_FILE ""
@@ -519,6 +521,10 @@
" event=%%d default: 0 (loop)\n" \
" options: 1 (level-triggered, implies nbio=1),\n" \
" read_timeout=%%d default: 0 ms (no timeout)\n" \
+ " exp_label=%%s Label to input into TLS-Exporter\n" \
+ " default: None (don't try to export a key)\n" \
+ " exp_len=%%d Length of key to extract from TLS-Exporter \n" \
+ " default: 20\n" \
"\n" \
USAGE_DTLS \
USAGE_SRTP \
@@ -610,6 +616,8 @@
int nbio; /* should I/O be blocking? */
int event; /* loop or event-driven IO? level or edge triggered? */
uint32_t read_timeout; /* timeout on mbedtls_ssl_read() in milliseconds */
+ const char *exp_label; /* label to input into mbedtls_ssl_export_keying_material() */
+ int exp_len; /* Lenght of key to export using mbedtls_ssl_export_keying_material() */
int response_size; /* pad response with header to requested size */
uint16_t buffer_size; /* IO buffer size */
const char *ca_file; /* the file with the CA certificate(s) */
@@ -1699,6 +1707,8 @@
opt.cid_val = DFL_CID_VALUE;
opt.cid_val_renego = DFL_CID_VALUE_RENEGO;
opt.read_timeout = DFL_READ_TIMEOUT;
+ opt.exp_label = DFL_EXP_LABEL;
+ opt.exp_len = DFL_EXP_LEN;
opt.ca_file = DFL_CA_FILE;
opt.ca_path = DFL_CA_PATH;
opt.crt_file = DFL_CRT_FILE;
@@ -1877,6 +1887,10 @@
}
} else if (strcmp(p, "read_timeout") == 0) {
opt.read_timeout = atoi(q);
+ } else if (strcmp(p, "exp_label") == 0) {
+ opt.exp_label = q;
+ } else if (strcmp(p, "exp_len") == 0) {
+ opt.exp_len = atoi(q);
} else if (strcmp(p, "buffer_size") == 0) {
opt.buffer_size = atoi(q);
if (opt.buffer_size < 1) {
@@ -3642,6 +3656,27 @@
mbedtls_printf("\n");
}
+ if (opt.exp_label != NULL && opt.exp_len > 0) {
+ unsigned char *exported_key = calloc((size_t)opt.exp_len, sizeof(unsigned int));
+ if (exported_key == NULL) {
+ mbedtls_printf("Could not allocate %d bytes\n", opt.exp_len);
+ ret = 3;
+ goto exit;
+ }
+ ret = mbedtls_ssl_export_keying_material(&ssl, exported_key, (size_t)opt.exp_len,
+ opt.exp_label, strlen(opt.exp_label),
+ NULL, 0, 0);
+ if (ret != 0) {
+ goto exit;
+ }
+ mbedtls_printf("Exporting key of length %d with label \"%s\": 0x", opt.exp_len, opt.exp_label);
+ for (i = 0; i < opt.exp_len; i++) {
+ mbedtls_printf("%02X", exported_key[i]);
+ }
+ mbedtls_printf("\n\n");
+ fflush(stdout);
+ }
+
#if defined(MBEDTLS_SSL_DTLS_SRTP)
else if (opt.use_srtp != 0) {
size_t j = 0;