From acb3aff6748e82212b6e35276a1d753595799fe4 Mon Sep 17 00:00:00 2001
From: simon
Date: Sat, 15 Feb 2020 18:55:59 +0100
Subject: [PATCH] tls: expose SSL_export_keying_material
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: https://github.com/nodejs/node/issues/31802
PR-URL: https://github.com/nodejs/node/pull/31814
Reviewed-By: Anna Henningsen
Reviewed-By: Ben Noordhuis
Reviewed-By: James M Snell
Reviewed-By: Tobias Nießen
---
 doc/api/errors.md | 9 ++
 doc/api/tls.md | 34 ++++++
 lib/_tls_wrap.js | 21 +++-
 lib/internal/errors.js | 2 +
 src/node_crypto.cc | 40 +++++++
 src/node_crypto.h | 2 +
 .../parallel/test-tls-exportkeyingmaterial.js | 102 ++++++++++++++++++
 7 files changed, 208 insertions(+), 2 deletions(-)
 create mode 100644 test/parallel/test-tls-exportkeyingmaterial.js
diff --git a/doc/api/errors.md b/doc/api/errors.md
index ed4bfacf1cd57b..a7726cd03019cd 100644
--- a/doc/api/errors.md
+++ b/doc/api/errors.md
@@ -1858,6 +1858,15 @@ added: v13.3.0
 The context must be a `SecureContext`.
+
+### `ERR_TLS_INVALID_STATE`
+
+
+The TLS socket must be connected and securily established. Ensure the 'secure'
+event is emitted, before you continue.
+
 ### `ERR_TLS_INVALID_PROTOCOL_METHOD`
diff --git a/doc/api/tls.md b/doc/api/tls.md
index fee6e33d610581..3341e6e9ea514b 100644
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@@ -1094,6 +1094,39 @@ See [SSL_get_shared_sigalgs](https://www.openssl.org/docs/man1.1.1/man3/SSL_get_shared_sigalgs.html)
 for more information.
+### `tlsSocket.exportKeyingMaterial(length, label[, context])`
+
+
+* `length` {number} number of bytes to retrieve from keying material
+* `label` {string} an application specific label, typically this will be a
+value from the
+[IANA Exporter Label Registry](https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#exporter-labels).
+* `context` {Buffer} Optionally provide a context.
+
+* Returns: {Buffer} requested bytes of the keying material
+
+Keying material is used for validations to prevent different kind of attacks in
+network protocols, for example in the specifications of IEEE 802.1X.
+
+Example
+
+```js
+const keyingMaterial = tlsSocket.exportKeyingMaterial(
+ 128,
+ 'client finished');
+
+/**
+ Example return value of keyingMaterial:
+
+*/
+```
+See the OpenSSL [`SSL_export_keying_material`][] documentation for more
+information.
+
 ### `tlsSocket.getTLSTicket()`