]>
Commit | Line | Data |
---|---|---|
23cec1f4 MC |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
b38ede80 TT |
5 | SSL_export_keying_material, |
6 | SSL_export_keying_material_early | |
7 | - obtain keying material for application use | |
23cec1f4 MC |
8 | |
9 | =head1 SYNOPSIS | |
10 | ||
11 | #include <openssl/ssl.h> | |
12 | ||
13 | int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, | |
14 | const char *label, size_t llen, | |
15 | const unsigned char *context, | |
16 | size_t contextlen, int use_context); | |
17 | ||
b38ede80 TT |
18 | int SSL_export_keying_material_early(SSL *s, unsigned char *out, size_t olen, |
19 | const char *label, size_t llen, | |
20 | const unsigned char *context, | |
21 | size_t contextlen); | |
22 | ||
23cec1f4 MC |
23 | =head1 DESCRIPTION |
24 | ||
25 | During the creation of a TLS or DTLS connection shared keying material is | |
b38ede80 TT |
26 | established between the two endpoints. The functions |
27 | SSL_export_keying_material() and SSL_export_keying_material_early() enable an | |
28 | application to use some of this keying material for its own purposes in | |
35e742ec | 29 | accordance with RFC5705 (for TLSv1.2 and below) or RFC8446 (for TLSv1.3). |
23cec1f4 | 30 | |
b38ede80 TT |
31 | SSL_export_keying_material() derives keying material using |
32 | the F<exporter_master_secret> established in the handshake. | |
33 | ||
34 | SSL_export_keying_material_early() is only usable with TLSv1.3, and derives | |
35 | keying material using the F<early_exporter_master_secret> (as defined in the | |
36 | TLS 1.3 RFC). For the client, the F<early_exporter_master_secret> is only | |
37 | available when the client attempts to send 0-RTT data. For the server, it is | |
38 | only available when the server accepts 0-RTT data. | |
39 | ||
23cec1f4 MC |
40 | An application may need to securely establish the context within which this |
41 | keying material will be used. For example this may include identifiers for the | |
42 | application session, application algorithms or parameters, or the lifetime of | |
43 | the context. The context value is left to the application but must be the same | |
44 | on both sides of the communication. | |
45 | ||
46 | For a given SSL connection B<s>, B<olen> bytes of data will be written to | |
47 | B<out>. The application specific context should be supplied in the location | |
48 | pointed to by B<context> and should be B<contextlen> bytes long. Provision of | |
49 | a context is optional. If the context should be omitted entirely then | |
50 | B<use_context> should be set to 0. Otherwise it should be any other value. If | |
51 | B<use_context> is 0 then the values of B<context> and B<contextlen> are ignored. | |
a599574b | 52 | Note that in TLSv1.2 and below a zero length context is treated differently from |
e88c40af MC |
53 | no context at all, and will result in different keying material being returned. |
54 | In TLSv1.3 a zero length context is that same as no context at all and will | |
55 | result in the same keying material being returned. | |
23cec1f4 MC |
56 | |
57 | An application specific label should be provided in the location pointed to by | |
58 | B<label> and should be B<llen> bytes long. Typically this will be a value from | |
59 | the IANA Exporter Label Registry | |
60 | (L<https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#exporter-labels>). | |
61 | Alternatively labels beginning with "EXPERIMENTAL" are permitted by the standard | |
db860ea3 MC |
62 | to be used without registration. TLSv1.3 imposes a maximum label length of |
63 | 249 bytes. | |
23cec1f4 MC |
64 | |
65 | Note that this function is only defined for TLSv1.0 and above, and DTLSv1.0 and | |
66 | above. Attempting to use it in SSLv3 will result in an error. | |
67 | ||
68 | =head1 RETURN VALUES | |
69 | ||
70 | SSL_export_keying_material() returns 0 or -1 on failure or 1 on success. | |
71 | ||
b38ede80 TT |
72 | SSL_export_keying_material_early() returns 0 on failure or 1 on success. |
73 | ||
74 | =head1 HISTORY | |
75 | ||
df75c2bf | 76 | The SSL_export_keying_material_early() function was added in OpenSSL 1.1.1. |
b38ede80 | 77 | |
23cec1f4 MC |
78 | =head1 COPYRIGHT |
79 | ||
0d664759 | 80 | Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. |
23cec1f4 MC |
81 | |
82 | Licensed under the OpenSSL license (the "License"). You may not use | |
83 | this file except in compliance with the License. You can obtain a copy | |
84 | in the file LICENSE in the source distribution or at | |
85 | L<https://www.openssl.org/source/license.html>. | |
86 | ||
87 | =cut |