Title: Add support for export_keying_material to SSL library
Type: enhancement Stage: patch review
Components: SSL Versions: Python 3.10
Status: open Resolution:
Dependencies: Superseder:
Assigned To: christian.heimes Nosy List: christian.heimes, wingel71
Priority: normal Keywords: patch

Created on 2019-08-26 08:49 by wingel71, last changed 2021-04-07 13:57 by wingel71.

Pull Requests
URL: PR 25255   Status: open   Linked: wingel71, 2021-04-07 13:57
Messages (4)
msg350512 - (view) Author: Christer Weinigel (wingel71) * Date: 2019-08-26 08:49
Add support for the export_keying_material function to the SSL library.

Tested with Python 3.7.4 and Python master branch:

Is this the correct format for a patch?  Should I include the automatically generated clinic changes in my patch or not?  What about the "versionadded::" string in the documentation?  Should I include a line like that or does it only generate unnecessary conflicts?  Anything else I need to do?
msg350513 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2019-08-26 09:16
Could you please explain the purpose of the feature and why you want to expose the interface? What's the use case?

As this is a new feature, Python 3.7 and 3.8 are out of scope.
msg350514 - (view) Author: Christer Weinigel (wingel71) * Date: 2019-08-26 09:31
I'm doing an implementation of the NTS protocol for my customer Netnod:

NTS is a draft RFC on its way to becoming a standard:

NTS requires the export_keying_material functionality as described in RFC5705.

Basically it's a part of the TLS standard, is used by 10 existing protocols with more on the way.  And I can't implement an NTS key establishment server or client without the function.  That's why I added the functionality and verified that it works both with the stable 3.7.4 release and with the master branch of the cpython repository.

I tested with 3.7.4 first on my machine because that's the release of Python that comes with Ubuntu and I wanted to have as few differences as possible compared to the distribution version.  I then forward ported the patch to the master branch and verified that my NTS implementation still works with that branch.
msg390433 - (view) Author: Christer Weinigel (wingel71) * Date: 2021-04-07 13:51
OpenSSL has a function "SSL_export_keying_material" as described in RFC5705.  This functionality is needed to be able to support a bunch of other protocols such as "Network Time Security for the Network Time Protocol" which has now become a proper RFC as RFC8915.  There are half a dozen other RFCs which also use this functionality.

I have written a patch to add support for this function which can be found on github:

And it is used in my implementation of the NTS protocol which can also be found on github:

It would be very nice if mainline Python could add support for this function in the future so that I don't have to maintain a patched version of Python for this.
Date User Action Args
2021-04-07 13:57:39 wingel71 set keywords: + patch
    stage: patch review
    pull_requests: + pull_request23991
2021-04-07 13:51:42 wingel71 set messages: + msg390433
    versions: + Python 3.10, - Python 3.9
2019-08-26 09:31:13 wingel71 set messages: + msg350514
2019-08-26 09:16:27 christian.heimes set messages: + msg350513
    versions: - Python 3.7
2019-08-26 08:49:04 wingel71 create