openssl icon indicating copy to clipboard operation
openssl copied to clipboard

Published 20 hours ago verified publisher icon ruby

implement SSLSocket#export_keying_material for doing RFC 5705 operations

Open madblobfish opened this issue 2 years ago • 5 comments

I need to generate shared ttls secrets from TLS sessions using this API. Note this implementation is incomplete! as it does not allow using the context. See the first commit how that could look. It did not work for me so I removed it.

Should I write a test for this?

Refs: https://datatracker.ietf.org/doc/html/rfc5705 https://datatracker.ietf.org/doc/html/rfc8446#section-7.5 https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#exporter-labels https://man.openbsd.org/SSL_export_keying_material.3

madblobfish avatar Aug 03 '22 21:08 madblobfish

A super hacky radius implementation as a "real live" example can be found here: https://gist.github.com/madblobfish/9f1e89a3b5847ab80dcef16c56a4c0f9

madblobfish avatar Aug 03 '22 23:08 madblobfish

See the first commit how that could look. It did not work for me so I removed it.

What is blocking it from working? Check for rb_scan_args() for how to implement optional parameters in C extensions.

It also needs a StringValue() to ensure that the argument is actually an instance of String.

Should I write a test for this?

Yes. :)

rhenium avatar Aug 06 '22 12:08 rhenium

This should fix everything, also squashed everything together (also did it wrong the first time, sorry for that noise). Thanks for the rb_scan_args hint, that really helped :) I've added a simple test, not sure how to test it deeper, but it seems to work (I also verified it with my application).

I got no example application code for the optional context functionality though.

Edit: removed useless comments from the test by another fix and squash

madblobfish avatar Aug 12 '22 23:08 madblobfish

Don't worry about taking your time. Thanks for the review

madblobfish avatar Aug 20 '22 09:08 madblobfish

new push should fix all comments, lets see if the CI agrees :)

madblobfish avatar Aug 21 '22 22:08 madblobfish

Fixed failed tests (should have checked locally first :facepalm:) lets hope there are no compiler warnings left now

madblobfish avatar Aug 22 '22 22:08 madblobfish

Thank you so much!

rhenium avatar Aug 31 '22 13:08 rhenium

@madblobfish, @rhenium: Thanks a lot!

It is not possible to add text about RFC 9266 support in code?

Neustradamus avatar Aug 31 '22 22:08 Neustradamus

Hi @Neustradamus The mechanism is defined in https://datatracker.ietf.org/doc/html/rfc8446#section-7.5 and formerly in https://datatracker.ietf.org/doc/html/rfc5705. I do not think it makes sense to collect all implementing RFCs for that in this openssl library. The information would quickly be outdated and annoying to keep up to date.

An official and proper overview of them may be found in IANA's registry: https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#exporter-labels. Maybe this could be linked. But in the end you can already find this registry linked in the openssl documentation: https://www.openssl.org/docs/man3.0/man3/SSL_export_keying_material.html

madblobfish avatar Sep 03 '22 16:09 madblobfish