With the release of wolfSSL 4.7.0, we now support Keying Material Exporters for TLS as defined in RFC 5705! This new functionality allows applications to establish common secrets using the underlying (D)TLS connection. A popular project that makes use of exported keying material is OpenVPN (which wolfSSL supports!). It uses the user provided label, in the --keying-material-exporter option, to generate secure shared secrets for use by plugins from the (D)TLS connection.
To export keying material in wolfSSL, use the new API:
int wolfSSL_export_keying_material(WOLFSSL *ssl,
unsigned char *out, size_t outLen,
const char *label, size_t labelLen,
const unsigned char *context, size_t contextLen,
int use_context);
This API outputs outLen data to out. The label and context match those defined in the RFC:
label – “a disambiguating label string”
context – “a per-association context value provided by the [wolfSSL user]”
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.