import SSL_export_keying_material(3) from OpenSSL

author: schwarze <> 2017-08-21 10:10:25 +0000
committer: schwarze <> 2017-08-21 10:10:25 +0000
commit: ca86616f46aeda90888c0dc1a6784c014867e999 (patch)
tree: 68c9943062ea1e94cde233db729ced4b37060548
parent: 506970f259060e0119582ec8ae7af45977d56344 (diff)
download: openbsd-ca86616f46aeda90888c0dc1a6784c014867e999.tar.gz
openbsd-ca86616f46aeda90888c0dc1a6784c014867e999.tar.bz2
openbsd-ca86616f46aeda90888c0dc1a6784c014867e999.zip
3 files changed, 132 insertions, 3 deletions
diff --git a/src/lib/libssl/man/Makefile b/src/lib/libssl/man/Makefile
index ab11293d1c..96daeb8975 100644
--- a/src/lib/libssl/man/Makefile
+++ b/src/lib/libssl/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.58 2017/08/19 23:45:10 schwarze Exp $
+# $OpenBSD: Makefile,v 1.59 2017/08/21 10:10:25 schwarze Exp $
 .include <bsd.own.mk>
@@ -65,6 +65,7 @@ MAN =	BIO_f_ssl.3 \
        SSL_do_handshake.3 \
        SSL_dup.3 \
        SSL_dup_CA_list.3 \
+        SSL_export_keying_material.3 \
        SSL_free.3 \
        SSL_get_SSL_CTX.3 \
        SSL_get_certificate.3 \
diff --git a/src/lib/libssl/man/SSL_export_keying_material.3 b/src/lib/libssl/man/SSL_export_keying_material.3
new file mode 100644
index 0000000000..613446a275
--- /dev/null
+++ b/src/lib/libssl/man/SSL_export_keying_material.3
@@ -0,0 +1,127 @@
+.\"     $OpenBSD: SSL_export_keying_material.3,v 1.1 2017/08/21 10:10:25 schwarze Exp $
+.\"     OpenSSL a599574b Jun 28 17:18:27 2017 +0100
+.\"     OpenSSL 23cec1f4 Jun 21 13:55:02 2017 +0100
+.\"
+.\" This file was written by Matt Caswell <matt@openssl.org>.
+.\" Copyright (c) 2017 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 21 2017 $
+.Dt SSL_EXPORT_KEYING_MATERIAL 3
+.Os
+.Sh NAME
+.Nm SSL_export_keying_material
+.Nd obtain keying material for application use
+.Sh SYNOPSIS
+.In openssl/ssl.h
+.Ft int
+.Fo SSL_export_keying_material
+.Fa "SSL *s"
+.Fa "unsigned char *out"
+.Fa "size_t olen"
+.Fa "const char *label"
+.Fa "size_t llen"
+.Fa "const unsigned char *context"
+.Fa "size_t contextlen"
+.Fa "int use_context"
+.Fc
+.Sh DESCRIPTION
+During the creation of a TLS or DTLS connection,
+shared keying material is established between the two endpoints.
+The function
+.Fn SSL_export_keying_material
+enables an application to use some of this keying material
+for its own purposes in accordance with RFC 5705.
+.Pp
+An application may need to securely establish the context
+within which this keying material will be used.
+For example, this may include identifiers for the application session,
+application algorithms or parameters, or the lifetime of the context.
+The context value is left to the application but must be the same on
+both sides of the communication.
+.Pp
+For a given SSL connection
+.Fa s ,
+.Fa olen
+bytes of data will be written to
+.Fa out .
+The application specific context should be supplied
+in the location pointed to by
+.Fa context
+and should be
+.Fa contextlen
+bytes long.
+Provision of a context is optional.
+If the context should be omitted entirely, then
+.Fa use_context
+should be set to 0.
+Otherwise it should be any other value.
+If
+.Fa use_context
+is 0, then the values of
+.Fa context
+and
+.Fa contextlen
+are ignored.
+.Pp
+In TLSv1.2 and below, a zero length context is treated differently
+from no context at all, and will result in different keying material
+being returned.
+.Pp
+An application specific label should be provided in the location pointed
+to by
+.Fa label
+and should be
+.Fa llen
+bytes long.
+Typically this will be a value from the
+.Lk https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#exporter-labels "IANA Exporter Label Registry" .
+.Pp
+Alternatively, labels beginning with "EXPERIMENTAL" are permitted by the
+standard to be used without registration.
+.Sh RETURN VALUES
+.Fn SSL_export_keying_material
+returns 1 on success or 0 or -1 on failure.
diff --git a/src/lib/libssl/man/ssl.3 b/src/lib/libssl/man/ssl.3
index fe72bbc4d2..9f3f121b32 100644
--- a/src/lib/libssl/man/ssl.3
+++ b/src/lib/libssl/man/ssl.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssl.3,v 1.10 2017/08/19 23:45:10 schwarze Exp $
+.\"     $OpenBSD: ssl.3,v 1.11 2017/08/21 10:10:25 schwarze Exp $
 .\"     OpenSSL e330f55d Nov 11 00:51:04 2016 +0100
 .\"
 .\" This file was written by Ralf S. Engelschall <rse@openssl.org>,
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 19 2017 $
+.Dd $Mdocdate: August 21 2017 $
 .Dt SSL 3
 .Os
 .Sh NAME
@@ -285,6 +285,7 @@ I/O:
 .Pp
 Accessors:
 .Xr SSL_copy_session_id 3 ,
+.Xr SSL_export_keying_material 3 ,
 .Xr SSL_get_SSL_CTX 3 ,
 .Xr SSL_get_certificate 3 ,
 .Xr SSL_get_default_timeout 3 ,
author	schwarze <>	2017-08-21 10:10:25 +0000
committer	schwarze <>	2017-08-21 10:10:25 +0000
commit	ca86616f46aeda90888c0dc1a6784c014867e999 (patch)
tree	68c9943062ea1e94cde233db729ced4b37060548
parent	506970f259060e0119582ec8ae7af45977d56344 (diff)
download	openbsd-ca86616f46aeda90888c0dc1a6784c014867e999.tar.gz openbsd-ca86616f46aeda90888c0dc1a6784c014867e999.tar.bz2 openbsd-ca86616f46aeda90888c0dc1a6784c014867e999.zip

diff --git a/src/lib/libssl/man/Makefile b/src/lib/libssl/man/Makefile index ab11293d1c..96daeb8975 100644 --- a/src/lib/libssl/man/Makefile +++ b/src/lib/libssl/man/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.58 2017/08/19 23:45:10 schwarze Exp $	1	# $OpenBSD: Makefile,v 1.59 2017/08/21 10:10:25 schwarze Exp $
2		2
3	.include <bsd.own.mk>	3	.include <bsd.own.mk>
4		4
@@ -65,6 +65,7 @@ MAN = BIO_f_ssl.3 \
65	SSL_do_handshake.3 \	65	SSL_do_handshake.3 \
66	SSL_dup.3 \	66	SSL_dup.3 \
67	SSL_dup_CA_list.3 \	67	SSL_dup_CA_list.3 \
		68	SSL_export_keying_material.3 \
68	SSL_free.3 \	69	SSL_free.3 \
69	SSL_get_SSL_CTX.3 \	70	SSL_get_SSL_CTX.3 \
70	SSL_get_certificate.3 \	71	SSL_get_certificate.3 \


diff --git a/src/lib/libssl/man/SSL_export_keying_material.3 b/src/lib/libssl/man/SSL_export_keying_material.3 new file mode 100644 index 0000000000..613446a275 --- /dev/null +++ b/src/lib/libssl/man/SSL_export_keying_material.3
@@ -0,0 +1,127 @@
		1	.\" $OpenBSD: SSL_export_keying_material.3,v 1.1 2017/08/21 10:10:25 schwarze Exp $
		2	.\" OpenSSL a599574b Jun 28 17:18:27 2017 +0100
		3	.\" OpenSSL 23cec1f4 Jun 21 13:55:02 2017 +0100
		4	.\"
		5	.\" This file was written by Matt Caswell <matt@openssl.org>.
		6	.\" Copyright (c) 2017 The OpenSSL Project. All rights reserved.
		7	.\"
		8	.\" Redistribution and use in source and binary forms, with or without
		9	.\" modification, are permitted provided that the following conditions
		10	.\" are met:
		11	.\"
		12	.\" 1. Redistributions of source code must retain the above copyright
		13	.\" notice, this list of conditions and the following disclaimer.
		14	.\"
		15	.\" 2. Redistributions in binary form must reproduce the above copyright
		16	.\" notice, this list of conditions and the following disclaimer in
		17	.\" the documentation and/or other materials provided with the
		18	.\" distribution.
		19	.\"
		20	.\" 3. All advertising materials mentioning features or use of this
		21	.\" software must display the following acknowledgment:
		22	.\" "This product includes software developed by the OpenSSL Project
		23	.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
		24	.\"
		25	.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
		26	.\" endorse or promote products derived from this software without
		27	.\" prior written permission. For written permission, please contact
		28	.\" openssl-core@openssl.org.
		29	.\"
		30	.\" 5. Products derived from this software may not be called "OpenSSL"
		31	.\" nor may "OpenSSL" appear in their names without prior written
		32	.\" permission of the OpenSSL Project.
		33	.\"
		34	.\" 6. Redistributions of any form whatsoever must retain the following
		35	.\" acknowledgment:
		36	.\" "This product includes software developed by the OpenSSL Project
		37	.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
		38	.\"
		39	.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
		40	.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
		41	.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
		42	.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
		43	.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
		44	.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
		45	.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
		46	.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
		47	.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
		48	.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
		49	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
		50	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
		51	.\"
		52	.Dd $Mdocdate: August 21 2017 $
		53	.Dt SSL_EXPORT_KEYING_MATERIAL 3
		54	.Os
		55	.Sh NAME
		56	.Nm SSL_export_keying_material
		57	.Nd obtain keying material for application use
		58	.Sh SYNOPSIS
		59	.In openssl/ssl.h
		60	.Ft int
		61	.Fo SSL_export_keying_material
		62	.Fa "SSL *s"
		63	.Fa "unsigned char *out"
		64	.Fa "size_t olen"
		65	.Fa "const char *label"
		66	.Fa "size_t llen"
		67	.Fa "const unsigned char *context"
		68	.Fa "size_t contextlen"
		69	.Fa "int use_context"
		70	.Fc
		71	.Sh DESCRIPTION
		72	During the creation of a TLS or DTLS connection,
		73	shared keying material is established between the two endpoints.
		74	The function
		75	.Fn SSL_export_keying_material
		76	enables an application to use some of this keying material
		77	for its own purposes in accordance with RFC 5705.
		78	.Pp
		79	An application may need to securely establish the context
		80	within which this keying material will be used.
		81	For example, this may include identifiers for the application session,
		82	application algorithms or parameters, or the lifetime of the context.
		83	The context value is left to the application but must be the same on
		84	both sides of the communication.
		85	.Pp
		86	For a given SSL connection
		87	.Fa s ,
		88	.Fa olen
		89	bytes of data will be written to
		90	.Fa out .
		91	The application specific context should be supplied
		92	in the location pointed to by
		93	.Fa context
		94	and should be
		95	.Fa contextlen
		96	bytes long.
		97	Provision of a context is optional.
		98	If the context should be omitted entirely, then
		99	.Fa use_context
		100	should be set to 0.
		101	Otherwise it should be any other value.
		102	If
		103	.Fa use_context
		104	is 0, then the values of
		105	.Fa context
		106	and
		107	.Fa contextlen
		108	are ignored.
		109	.Pp
		110	In TLSv1.2 and below, a zero length context is treated differently
		111	from no context at all, and will result in different keying material
		112	being returned.
		113	.Pp
		114	An application specific label should be provided in the location pointed
		115	to by
		116	.Fa label
		117	and should be
		118	.Fa llen
		119	bytes long.
		120	Typically this will be a value from the
		121	.Lk https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#exporter-labels "IANA Exporter Label Registry" .
		122	.Pp
		123	Alternatively, labels beginning with "EXPERIMENTAL" are permitted by the
		124	standard to be used without registration.
		125	.Sh RETURN VALUES
		126	.Fn SSL_export_keying_material
		127	returns 1 on success or 0 or -1 on failure.


diff --git a/src/lib/libssl/man/ssl.3 b/src/lib/libssl/man/ssl.3 index fe72bbc4d2..9f3f121b32 100644 --- a/src/lib/libssl/man/ssl.3 +++ b/src/lib/libssl/man/ssl.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssl.3,v 1.10 2017/08/19 23:45:10 schwarze Exp $	1	.\" $OpenBSD: ssl.3,v 1.11 2017/08/21 10:10:25 schwarze Exp $
2	.\" OpenSSL e330f55d Nov 11 00:51:04 2016 +0100	2	.\" OpenSSL e330f55d Nov 11 00:51:04 2016 +0100
3	.\"	3	.\"
4	.\" This file was written by Ralf S. Engelschall <rse@openssl.org>,	4	.\" This file was written by Ralf S. Engelschall <rse@openssl.org>,
@@ -50,7 +50,7 @@
50	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	50	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	51	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
52	.\"	52	.\"
53	.Dd $Mdocdate: August 19 2017 $	53	.Dd $Mdocdate: August 21 2017 $
54	.Dt SSL 3	54	.Dt SSL 3
55	.Os	55	.Os
56	.Sh NAME	56	.Sh NAME
@@ -285,6 +285,7 @@ I/O:
285	.Pp	285	.Pp
286	Accessors:	286	Accessors:
287	.Xr SSL_copy_session_id 3 ,	287	.Xr SSL_copy_session_id 3 ,
		288	.Xr SSL_export_keying_material 3 ,
288	.Xr SSL_get_SSL_CTX 3 ,	289	.Xr SSL_get_SSL_CTX 3 ,
289	.Xr SSL_get_certificate 3 ,	290	.Xr SSL_get_certificate 3 ,
290	.Xr SSL_get_default_timeout 3 ,	291	.Xr SSL_get_default_timeout 3 ,