Create MBEDTLS_SSL_KEYING_MATERIAL_EXPORT option Add the option MBEDTLS_SSL_KEYING_MATERIAL_EXPORT to mbedtls_config.h to control if the function mbedtls_ssl_export_keying_material() should be available. By default, the option is disabled. This is because the exporter for TLS 1.2 requires client_random and server_random need to be stored after the handshake is complete. Signed-off-by: Max Fillinger <max@max-fillinger.net>

commit: 951b8868011366c8717e7136ba38cabf9d06cc72 [log] [tgz]
author: Max Fillinger <max@max-fillinger.net> Fri Oct 25 00:52:24 2024 +0200
committer: Max Fillinger <maximilian.fillinger@foxcrypto.com> Wed Apr 16 11:20:50 2025 +0200
tree: fd5d88aa0617bddc0c1bf625a8509184e2d25071
parent: 7b52328f6c43d5030ced3500e0ee333115d8f5f3 [diff] [blame]
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index 45feb5e..76be297 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h

@@ -1764,6 +1764,21 @@
 #define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
 
 /**
+/*
+ * \def MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+ *
+ * When this option is enabled, the client and server can extract additional
+ * shared symmetric keys after an SSL handshake using the function
+ * mbedtls_ssl_export_keying_material().
+ *
+ * The process for deriving the keys is specified in RFC 5705 for TLS 1.2 and
+ * in RFC 8446, Section 7.5, for TLS 1.3.
+ *
+ * Uncomment this macro to enable mbedtls_ssl_export_keying_material().
+ */
+//#define MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+
+/**
  * \def MBEDTLS_SSL_RENEGOTIATION
  *
  * Enable support for TLS renegotiation.
commit	951b8868011366c8717e7136ba38cabf9d06cc72	[log] [tgz]
author	Max Fillinger <max@max-fillinger.net>	Fri Oct 25 00:52:24 2024 +0200
committer	Max Fillinger <maximilian.fillinger@foxcrypto.com>	Wed Apr 16 11:20:50 2025 +0200
tree	fd5d88aa0617bddc0c1bf625a8509184e2d25071
parent	7b52328f6c43d5030ced3500e0ee333115d8f5f3 [diff] [blame]