RFC 5705: Keying Material Exporters for TLS

With the release of wolfSSL 4.7.0, we now support Keying Material Exporters for TLS as defined in RFC 5705! This functionality lets an application derive shared secrets from an established (D)TLS connection: both peers feed the same label and optional context into the connection's key material and obtain identical bytes, with no extra exchange on the wire. A popular project that makes use of exported keying material is OpenVPN (which wolfSSL supports!). It passes the user-provided label from its --keying-material-exporter option to the exporter and hands the resulting secret to plugins over the (D)TLS connection. Because exporter labels share a namespace with the labels TLS itself uses internally, OpenVPN requires that label to begin with "EXPORTER".

To export keying material in wolfSSL, use the new API:

int wolfSSL_export_keying_material(WOLFSSL *ssl,
        unsigned char *out, size_t outLen,
        const char *label, size_t labelLen,
        const unsigned char *context, size_t contextLen,
        int use_context);

This API writes outLen bytes of exported keying material to out and returns WOLFSSL_SUCCESS on success; check the return value rather than assuming out was filled. Call it only after the handshake has completed, since the derivation is bound to that handshake's master secret and client/server randoms. The label and context match those defined in the RFC:

label – "a disambiguating label string" (labelLen bytes, with no terminating NUL counted)
context – "a per-association context value provided by the [wolfSSL user]"

Set use_context to 1 to include context in the derivation. RFC 5705 distinguishes "no context" from "an empty context": calling with use_context set and contextLen equal to 0 yields different output than calling with use_context cleared. Both peers must therefore agree on the label, on whether a context is used, and on the context bytes themselves, or they will derive different secrets.
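As an added illustration (not wolfSSL's code), the following Python reimplements the RFC 5705 derivation for TLS 1.2 with the same inputs wolfSSL_export_keying_material takes: an output length, a label, and an optional context guarded by a use-context flag. The master secret and client/server randoms are constructed test data, and the function and variable names are this example's own. It shows that both peers derive the same bytes, that a different label yields different material, that an empty context is not the same as no context, and that a longer request is a prefix-extension of a shorter one.

```python
"""Reference RFC 5705 exporter for TLS 1.2 (added example, not wolfSSL code).

The derivation follows RFC 5705 section 4 on top of the TLS 1.2 PRF from
RFC 5246 section 5 (P_SHA256).  All handshake values below are constructed.
"""
import hashlib
import hmac


def p_hash(secret: bytes, seed: bytes, length: int, digest=hashlib.sha256) -> bytes:
    """P_hash from RFC 5246: iterate HMAC until `length` bytes are produced."""
    out = b""
    a = seed                                         # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()     # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def export_keying_material(master_secret: bytes, client_random: bytes,
                           server_random: bytes, label: str, length: int,
                           context: bytes = b"", use_context: bool = False) -> bytes:
    """RFC 5705 exporter for a TLS 1.2 association.

    Without a context the seed is client_random + server_random.  With
    use_context=True the seed additionally carries a 2-byte big-endian
    context length followed by the context bytes, so a zero-length context
    is a different derivation from no context at all.
    """
    if not label:
        raise ValueError("label must be non-empty")
    seed = client_random + server_random
    if use_context:
        if len(context) > 0xFFFF:
            raise ValueError("context longer than a uint16 can encode")
        seed += len(context).to_bytes(2, "big") + context
    return tls12_prf(master_secret, label.encode("ascii"), seed, length)


# Constructed handshake parameters shared by both peers (test data only).
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32


def demo() -> dict:
    """Derive material the way a client and a server each would and return
    the variants so the label/context effects can be compared."""
    args = (MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    label = "EXPORTER-demo-label"          # hypothetical label for this example
    return {
        "client_key": export_keying_material(*args, label, 32),
        "server_key": export_keying_material(*args, label, 32),
        "other_label": export_keying_material(*args, "EXPORTER-other-label", 32),
        "no_ctx": export_keying_material(*args, label, 32, use_context=False),
        "empty_ctx": export_keying_material(*args, label, 32, b"", use_context=True),
        "some_ctx": export_keying_material(*args, label, 32, b"session-1", use_context=True),
        "long_key": export_keying_material(*args, label, 100),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12s} {value.hex()}")
```

The example covers the TLS 1.2 PRF only; TLS 1.3 defines its exporter differently (HKDF-based, RFC 8446 section 7.5), so its output for the same label is not comparable with this code.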

If you are interested in using the new features available in wolfSSL 4.7.0, please contact us at facts@wolfssl.com.