Create MBEDTLS_SSL_KEYING_MATERIAL_EXPORT option Add the option MBEDTLS_SSL_KEYING_MATERIAL_EXPORT to mbedtls_config.h to control if the function mbedtls_ssl_export_keying_material() should be available. By default, the option is disabled. This is because the exporter for TLS 1.2 requires client_random and server_random need to be stored after the handshake is complete. Signed-off-by: Max Fillinger <max@max-fillinger.net>

commit: 2fe35f61bf90ea0d589ce2485482356a1263c017 [log] [tgz]
author: Max Fillinger <max@max-fillinger.net> Fri Oct 25 00:52:24 2024 +0200
committer: Max Fillinger <maximilian.fillinger@foxcrypto.com> Fri Mar 28 16:53:58 2025 +0100
tree: 0b021fd4d8927fb52d5e8a1e3b65dfa9c1078c78
parent: 281fb791166465ad50db97e4b0e47f51e9b2d867 [diff] [blame]
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index 2dc475b..ca1486d 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h

@@ -737,6 +737,20 @@
  */
 //#define MBEDTLS_SSL_RECORD_SIZE_LIMIT
 
+/*
+ * \def MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+ *
+ * When this option is enabled, the client and server can extract additional
+ * shared symmetric keys after an SSL handshake using the function
+ * mbedtls_ssl_export_keying_material().
+ *
+ * The process for deriving the keys is specified in RFC 5705 for TLS 1.2 and
+ * in RFC 8446, Section 7.5, for TLS 1.3.
+ *
+ * Uncomment this macro to enable mbedtls_ssl_export_keying_material().
+ */
+//#define MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+
 /**
  * \def MBEDTLS_SSL_RENEGOTIATION
  *
commit	2fe35f61bf90ea0d589ce2485482356a1263c017	[log] [tgz]
author	Max Fillinger <max@max-fillinger.net>	Fri Oct 25 00:52:24 2024 +0200
committer	Max Fillinger <maximilian.fillinger@foxcrypto.com>	Fri Mar 28 16:53:58 2025 +0100
tree	0b021fd4d8927fb52d5e8a1e3b65dfa9c1078c78
parent	281fb791166465ad50db97e4b0e47f51e9b2d867 [diff] [blame]