Add support for fetching 'tls-exporter' channel binding

processone · Oct 24, 2023 · c98c1a7 · c98c1a7
1 parent 5aa1e02
commit c98c1a7
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 2 deletions.
diff --git a/c_src/fast_tls.c b/c_src/fast_tls.c
@@ -1395,6 +1395,23 @@ static ERL_NIF_TERM tls_get_finished_nif(ErlNifEnv *env, int argc, const ERL_NIF
     return OK_T(bin);
 }
 
+static ERL_NIF_TERM get_tls_cb_exporter_nif(ErlNifEnv *env, int argc, const ERL_NIF_TERM argv[]) {
+    state_t *state = NULL;
+    if (!enif_get_resource(env, argv[0], tls_state_t, (void *) &state))
+        return enif_make_badarg(env);
+
+    ERL_NIF_TERM bin;
+    unsigned char *buf = enif_make_new_binary(env, 32, &bin);
+    if (!buf)
+        return ERR_T(enif_make_atom(env, "enomem"));
+
+    if (SSL_export_keying_material(state->ssl, buf, 32,
+         "EXPORTER-Channel-Binding", 24, NULL, 0, 0) != 1)
+        return ERR_T(enif_make_atom(env, "undefined"));
+
+    return OK_T(bin);
+}
+
 static ERL_NIF_TERM set_fips_mode_nif(ErlNifEnv *env, int argc,
                                       const ERL_NIF_TERM argv[]) {
   int ret = 1;
@@ -1451,6 +1468,7 @@ static ErlNifFunc nif_funcs[] =
                 {"get_negotiated_cipher_nif", 1,  get_negotiated_cipher_nif},
                 {"tls_get_peer_finished_nif", 1,  tls_get_peer_finished_nif},
                 {"tls_get_finished_nif",      1,  tls_get_finished_nif},
+                {"get_tls_cb_exporter_nif",   1,  get_tls_cb_exporter_nif},
                 {"set_fips_mode_nif",         1,  set_fips_mode_nif},
                 {"get_fips_mode_nif",         0,  get_fips_mode_nif}
         };

diff --git a/src/fast_tls.erl b/src/fast_tls.erl
@@ -29,7 +29,7 @@
 -export([open_nif/10, loop_nif/4, get_peer_certificate_nif/1,
          get_verify_result_nif/1, invalidate_nif/1,
          get_negotiated_cipher_nif/1, set_fips_mode_nif/1,
-         get_fips_mode_nif/0]).
+         get_fips_mode_nif/0, get_tls_cb_exporter_nif/1]).
 
 -export([tcp_to_tls/2,
          tls_to_tcp/1, send/2, recv/2, recv/3, recv_data/2,
@@ -39,7 +39,8 @@
          get_verify_result/1, get_cert_verify_string/2,
          add_certfile/2, get_certfile/1, delete_certfile/1,
          clear_cache/0, get_negotiated_cipher/1,
-         get_tls_last_message/2, set_fips_mode/1, get_fips_mode/0]).
+         get_tls_last_message/2, set_fips_mode/1, get_fips_mode/0,
+         get_tls_cb_exporter/1]).
 
 -ifdef(TEST).
 -include_lib("eunit/include/eunit.hrl").
@@ -113,6 +114,9 @@ tls_get_peer_finished_nif(_Port) ->
 tls_get_finished_nif(_Port) ->
     erlang:nif_error({nif_not_loaded, ?MODULE}).
 
+get_tls_cb_exporter_nif(_Port) ->
+    erlang:nif_error({nif_not_loaded, ?MODULE}).
+
 set_fips_mode_nif(_Flag) ->
     erlang:nif_error({nif_not_loaded, ?MODULE}).
 
@@ -340,6 +344,10 @@ get_tls_last_message(peer, #tlssock{tlsport = Port}) ->
 get_tls_last_message(self, #tlssock{tlsport = Port}) ->
     tls_get_finished_nif(Port).
 
+-spec get_tls_cb_exporter(tls_socket()) -> {ok, binary()} | {error, term()}.
+get_tls_cb_exporter(#tlssock{tlsport = Port}) ->
+    get_tls_cb_exporter_nif(Port).
+
 -spec get_verify_result(tls_socket()) -> byte().
 get_verify_result(#tlssock{tlsport = Port}) ->
     {ok, Res} = get_verify_result_nif(Port),