From 839e122e20e85d846c66e5ecc79f16345aea469a Mon Sep 17 00:00:00 2001
From: Nicholas Barbier
Date: Sun, 9 Nov 2025 15:31:01 -0500
Subject: [PATCH] Add export_keying_material support to pingora-s2n
Adds ssl_export_keying_material function to pingora-s2n ext module, wrapping s2n-tls's built-in tls_exporter method for RFC 5705.
---
 pingora-s2n/src/ext.rs | 57 ++++++++++++++++++++++++++++++++++++++++++
 pingora-s2n/src/lib.rs | 2 ++
 2 files changed, 59 insertions(+)
 create mode 100644 pingora-s2n/src/ext.rs
diff --git a/pingora-s2n/src/ext.rs b/pingora-s2n/src/ext.rs
new file mode 100644
index 00000000..0d4749c6
--- /dev/null
+++ b/pingora-s2n/src/ext.rs
@@ -0,0 +1,57 @@
+// Copyright 2025 Cloudflare, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Extended functionalities for s2n-tls
+
+use s2n_tls::connection::Connection;
+use s2n_tls::error::Error;
+
+/// Export keying material from a TLS connection
+///
+/// Derives keying material for application use in accordance with RFC 5705.
+///
+/// Note: Currently only available with TLS 1.3 connections.
+///
+/// See [tls_exporter](https://docs.rs/s2n-tls/latest/s2n_tls/connection/struct.Connection.html#method.tls_exporter).
+pub fn ssl_export_keying_material(
+ conn: &Connection,
+ out: &mut [u8],
+ label: &str,
+ context: Option<&[u8]>,
+) -> Result<(), Error> {
+ let context_bytes = context.unwrap_or(&[]);
+ conn.tls_exporter(label.as_bytes(), context_bytes, out)
+}
+
+#[cfg(test)]
+mod tests {
+ use super::*;
+ use s2n_tls::config::Builder;
+ use s2n_tls::enums::Mode;
+
+ #[test]
+ fn test_ssl_export_keying_material_exists() {
+ // This test verifies that ssl_export_keying_material function exists
+ // and has the correct signature. Actual functional testing requires
+ // an established TLS connection.
+ let config = Builder::new().build().unwrap();
+ let mut conn = s2n_tls::connection::Connection::new(Mode::Client);
+ conn.set_config(config).unwrap();
+ let mut out = [0u8; 32];
+
+ // This will fail since there's no established connection, but verifies
+ // the function signature is correct
+ let _ = ssl_export_keying_material(&conn, &mut out, "test", None);
+ }
+}
diff --git a/pingora-s2n/src/lib.rs b/pingora-s2n/src/lib.rs
index 2a7a476e..6def6855 100644
--- a/pingora-s2n/src/lib.rs
+++ b/pingora-s2n/src/lib.rs
@@ -12,6 +12,8 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
+pub mod ext;
+
 use pingora_error::{Error, ErrorType, Result};
 use std::fs;
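Review bot: `let _ = ssl_export_keying_material(&conn, &mut out, "test", None);` at the end of `test_ssl_export_keying_material_exists` discards the result, so the test can only fail by panicking in setup and never pins the behavior its own comment describes ("This will fail since there's no established connection"); writing it as `assert!(ssl_export_keying_material(&conn, &mut out, "test", None).is_err());` would catch a regression where the exporter returns `Ok(())` before the handshake and a caller then reads a zero-filled `out` as keying material. The doc comment on `ssl_export_keying_material` should also state that `out` holds keying material only when `Ok(())` is returned, and that a `None` context is passed to `tls_exporter` as an empty slice — equivalent to "no context" under TLS 1.3 (RFC 8446 §7.5) but a distinct case in RFC 5705 §4 for TLS 1.2, which matters if s2n-tls later extends the exporter beyond the TLS 1.3-only note already given. Minor style point: `use super::*` already brings `Connection` into the test module, so `s2n_tls::connection::Connection::new(Mode::Client)` can be `Connection::new(Mode::Client)`.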