The branch master has been updated via d4da95a7736e9e74ec47f9e0077ad0ef18a4faf6 (commit) via 01a2a65488e18b8b566bd4aa1b4a8b9adb9ecdf8 (commit) via cffe973c45491b14d980e3b578da28e4a79a8705 (commit) via 6329ce8fd8af653fb8fdde6d3fc09bdb0ec94031 (commit) from 55442b8a5b719f54578083fae0fcc814b599cd84 (commit)
- Log ----------------------------------------------------------------- commit d4da95a7736e9e74ec47f9e0077ad0ef18a4faf6 Author: Peter Wu <pe...@lekensteyn.nl> Date: Wed Mar 21 19:44:44 2018 +0100 test: Remove redundant SSL_CTX_set_max_early_data Client can only send early data if the PSK allows for it, the max_early_data_size field can only be configured for the server side. Reviewed-by: Rich Salz <rs...@openssl.org> Reviewed-by: Richard Levitte <levi...@openssl.org> Reviewed-by: Matt Caswell <m...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5702) commit 01a2a65488e18b8b566bd4aa1b4a8b9adb9ecdf8 Author: Peter Wu <pe...@lekensteyn.nl> Date: Wed Mar 21 14:03:15 2018 +0100 Add support for logging early exporter secret This will be necessary to enable Wireshark to decrypt QUIC 0-RTT data. Reviewed-by: Rich Salz <rs...@openssl.org> Reviewed-by: Richard Levitte <levi...@openssl.org> Reviewed-by: Matt Caswell <m...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5702) commit cffe973c45491b14d980e3b578da28e4a79a8705 Author: Peter Wu <pe...@lekensteyn.nl> Date: Wed Mar 21 14:00:42 2018 +0100 Add test for CLIENT_EARLY_TRAFFIC_SECRET key logging Reviewed-by: Rich Salz <rs...@openssl.org> Reviewed-by: Richard Levitte <levi...@openssl.org> Reviewed-by: Matt Caswell <m...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5702) commit 6329ce8fd8af653fb8fdde6d3fc09bdb0ec94031 Author: Peter Wu <pe...@lekensteyn.nl> Date: Tue Mar 20 21:16:38 2018 +0100 Add support for logging TLS 1.3 exporter secret NSS 3.34 and boringssl have support for "EXPORTER_SECRET" (https://bugzilla.mozilla.org/show_bug.cgi?id=1287711) which is needed for QUIC 1-RTT decryption support in Wireshark. Reviewed-by: Rich Salz <rs...@openssl.org> Reviewed-by: Richard Levitte <levi...@openssl.org> Reviewed-by: Matt Caswell <m...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5702) ----------------------------------------------------------------------- Summary of changes: ssl/ssl_locl.h | 2 ++ ssl/tls13_enc.c | 12 ++++++++ test/sslapitest.c | 81 +++++++++++++++++++++++++++++++++++++++++++++++------ test/tls13ccstest.c | 2 -- 4 files changed, 87 insertions(+), 10 deletions(-) diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index b1d6e40..d881458 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -2554,6 +2554,8 @@ __owur int ssl_log_secret(SSL *ssl, const char *label, #define SERVER_HANDSHAKE_LABEL "SERVER_HANDSHAKE_TRAFFIC_SECRET" #define CLIENT_APPLICATION_LABEL "CLIENT_TRAFFIC_SECRET_0" #define SERVER_APPLICATION_LABEL "SERVER_TRAFFIC_SECRET_0" +#define EARLY_EXPORTER_SECRET_LABEL "EARLY_EXPORTER_SECRET" +#define EXPORTER_SECRET_LABEL "EXPORTER_SECRET" /* s3_cbc.c */ __owur char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx); diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c index a793e0c..1613004 100644 --- a/ssl/tls13_enc.c +++ b/ssl/tls13_enc.c @@ -493,6 +493,12 @@ int tls13_change_cipher_state(SSL *s, int which) SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); goto err; } + + if (!ssl_log_secret(s, EARLY_EXPORTER_SECRET_LABEL, + s->early_exporter_master_secret, hashlen)) { + /* SSLfatal() already called */ + goto err; + } } else if (which & SSL3_CC_HANDSHAKE) { insecret = s->handshake_secret; finsecret = s->client_finished_secret; @@ -594,6 +600,12 @@ int tls13_change_cipher_state(SSL *s, int which) /* SSLfatal() already called */ goto err; } + + if (!ssl_log_secret(s, EXPORTER_SECRET_LABEL, s->exporter_master_secret, + hashlen)) { + /* SSLfatal() already called */ + goto err; + } } else if (label == client_application_traffic) memcpy(s->client_app_traffic_secret, secret, hashlen); diff --git a/test/sslapitest.c b/test/sslapitest.c index 338c61c..5fef058 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -28,7 +28,7 @@ static char *privkey = NULL; static char *srpvfile = NULL; static char *tmpfilename = NULL; -#define LOG_BUFFER_SIZE 1024 +#define LOG_BUFFER_SIZE 2048 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0}; static size_t server_log_buffer_index = 0; static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0}; @@ -54,10 +54,13 @@ static X509 *ocspcert = NULL; struct sslapitest_log_counts { unsigned int rsa_key_exchange_count; unsigned int master_secret_count; + unsigned int client_early_secret_count; unsigned int client_handshake_secret_count; unsigned int server_handshake_secret_count; unsigned int client_application_secret_count; unsigned int server_application_secret_count; + unsigned int early_exporter_secret_count; + unsigned int exporter_secret_count; }; @@ -139,10 +142,13 @@ static int test_keylog_output(char *buffer, const SSL *ssl, size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH; unsigned int rsa_key_exchange_count = 0; unsigned int master_secret_count = 0; + unsigned int client_early_secret_count = 0; unsigned int client_handshake_secret_count = 0; unsigned int server_handshake_secret_count = 0; unsigned int client_application_secret_count = 0; unsigned int server_application_secret_count = 0; + unsigned int early_exporter_secret_count = 0; + unsigned int exporter_secret_count = 0; for (token = strtok(buffer, " \n"); token != NULL; token = strtok(NULL, " \n")) { @@ -196,17 +202,22 @@ static int test_keylog_output(char *buffer, const SSL *ssl, master_key_size))) return 0; master_secret_count++; - } else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0 + } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0 + || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0 - || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0) { + || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0 + || strcmp(token, "EARLY_EXPORTER_SECRET") == 0 + || strcmp(token, "EXPORTER_SECRET") == 0) { /* * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded * client random, and then the hex-encoded secret. In this case, * we treat all of these secrets identically and then just * distinguish between them when counting what we saw. */ - if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0) + if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0) + client_early_secret_count++; + else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0) client_handshake_secret_count++; else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0) server_handshake_secret_count++; @@ -214,6 +225,10 @@ static int test_keylog_output(char *buffer, const SSL *ssl, client_application_secret_count++; else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0) server_application_secret_count++; + else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0) + early_exporter_secret_count++; + else if (strcmp(token, "EXPORTER_SECRET") == 0) + exporter_secret_count++; client_random_size = SSL_get_client_random(ssl, actual_client_random, @@ -247,6 +262,8 @@ static int test_keylog_output(char *buffer, const SSL *ssl, expected->rsa_key_exchange_count) || !TEST_size_t_eq(master_secret_count, expected->master_secret_count) + || !TEST_size_t_eq(client_early_secret_count, + expected->client_early_secret_count) || !TEST_size_t_eq(client_handshake_secret_count, expected->client_handshake_secret_count) || !TEST_size_t_eq(server_handshake_secret_count, @@ -254,7 +271,11 @@ static int test_keylog_output(char *buffer, const SSL *ssl, || !TEST_size_t_eq(client_application_secret_count, expected->client_application_secret_count) || !TEST_size_t_eq(server_application_secret_count, - expected->server_application_secret_count)) + expected->server_application_secret_count) + || !TEST_size_t_eq(early_exporter_secret_count, + expected->early_exporter_secret_count) + || !TEST_size_t_eq(exporter_secret_count, + expected->exporter_secret_count)) return 0; return 1; } @@ -344,8 +365,11 @@ static int test_keylog_no_master_key(void) { SSL_CTX *cctx = NULL, *sctx = NULL; SSL *clientssl = NULL, *serverssl = NULL; + SSL_SESSION *sess = NULL; int testresult = 0; struct sslapitest_log_counts expected = {0}; + unsigned char buf[1]; + size_t readbytes, written; /* Clean up logging space */ memset(client_log_buffer, 0, sizeof(client_log_buffer)); @@ -356,7 +380,9 @@ static int test_keylog_no_master_key(void) if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), TLS1_VERSION, TLS_MAX_VERSION, - &sctx, &cctx, cert, privkey))) + &sctx, &cctx, cert, privkey)) + || !TEST_true(SSL_CTX_set_max_early_data(sctx, + SSL3_RT_MAX_PLAIN_LENGTH))) return 0; if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL) @@ -390,6 +416,46 @@ static int test_keylog_no_master_key(void) expected.server_handshake_secret_count = 1; expected.client_application_secret_count = 1; expected.server_application_secret_count = 1; + expected.exporter_secret_count = 1; + if (!TEST_true(test_keylog_output(client_log_buffer, clientssl, + SSL_get_session(clientssl), &expected)) + || !TEST_true(test_keylog_output(server_log_buffer, serverssl, + SSL_get_session(serverssl), + &expected))) + goto end; + + /* Terminate old session and resume with early data. */ + sess = SSL_get1_session(clientssl); + SSL_shutdown(clientssl); + SSL_shutdown(serverssl); + SSL_free(serverssl); + SSL_free(clientssl); + serverssl = clientssl = NULL; + + /* Reset key log */ + memset(client_log_buffer, 0, sizeof(client_log_buffer)); + memset(server_log_buffer, 0, sizeof(server_log_buffer)); + client_log_buffer_index = 0; + server_log_buffer_index = 0; + + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, + &clientssl, NULL, NULL)) + || !TEST_true(SSL_set_session(clientssl, sess)) + /* Here writing 0 length early data is enough. */ + || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written)) + || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), + &readbytes), + SSL_READ_EARLY_DATA_ERROR) + || !TEST_int_eq(SSL_get_early_data_status(serverssl), + SSL_EARLY_DATA_ACCEPTED) + || !TEST_true(create_ssl_connection(serverssl, clientssl, + SSL_ERROR_NONE)) + || !TEST_true(SSL_session_reused(clientssl))) + goto end; + + /* In addition to the previous entries, expect early secrets. */ + expected.client_early_secret_count = 1; + expected.early_exporter_secret_count = 1; if (!TEST_true(test_keylog_output(client_log_buffer, clientssl, SSL_get_session(clientssl), &expected)) || !TEST_true(test_keylog_output(server_log_buffer, serverssl, @@ -400,6 +466,7 @@ static int test_keylog_no_master_key(void) testresult = 1; end: + SSL_SESSION_free(sess); SSL_free(serverssl); SSL_free(clientssl); SSL_CTX_free(sctx); @@ -1637,8 +1704,6 @@ static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl, TLS1_VERSION, TLS_MAX_VERSION, sctx, cctx, cert, privkey)) || !TEST_true(SSL_CTX_set_max_early_data(*sctx, - SSL3_RT_MAX_PLAIN_LENGTH)) - || !TEST_true(SSL_CTX_set_max_early_data(*cctx, SSL3_RT_MAX_PLAIN_LENGTH))) return 0; diff --git a/test/tls13ccstest.c b/test/tls13ccstest.c index 41e4896..25dc819 100644 --- a/test/tls13ccstest.c +++ b/test/tls13ccstest.c @@ -258,8 +258,6 @@ static int test_tls13ccs(int tst) TLS1_VERSION, TLS_MAX_VERSION, &sctx, &cctx, cert, privkey)) || !TEST_true(SSL_CTX_set_max_early_data(sctx, - SSL3_RT_MAX_PLAIN_LENGTH)) - || !TEST_true(SSL_CTX_set_max_early_data(cctx, SSL3_RT_MAX_PLAIN_LENGTH))) goto err; _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits