From 01a2a65488e18b8b566bd4aa1b4a8b9adb9ecdf8 Mon Sep 17 00:00:00 2001 From: Peter Wu Date: Wed, 21 Mar 2018 14:03:15 +0100 Subject: [PATCH] Add support for logging early exporter secret This will be necessary to enable Wireshark to decrypt QUIC 0-RTT data. Reviewed-by: Rich Salz Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/5702) --- ssl/ssl_locl.h | 1 + ssl/tls13_enc.c | 6 ++++++ test/sslapitest.c | 8 ++++++++ 3 files changed, 15 insertions(+) diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 3ba9b000f2..d881458a6b 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -2554,6 +2554,7 @@ __owur int ssl_log_secret(SSL *ssl, const char *label, #define SERVER_HANDSHAKE_LABEL "SERVER_HANDSHAKE_TRAFFIC_SECRET" #define CLIENT_APPLICATION_LABEL "CLIENT_TRAFFIC_SECRET_0" #define SERVER_APPLICATION_LABEL "SERVER_TRAFFIC_SECRET_0" +#define EARLY_EXPORTER_SECRET_LABEL "EARLY_EXPORTER_SECRET" #define EXPORTER_SECRET_LABEL "EXPORTER_SECRET" /* s3_cbc.c */ diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c index e7cc8afe87..1613004f78 100644 --- a/ssl/tls13_enc.c +++ b/ssl/tls13_enc.c @@ -493,6 +493,12 @@ int tls13_change_cipher_state(SSL *s, int which) SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); goto err; } + + if (!ssl_log_secret(s, EARLY_EXPORTER_SECRET_LABEL, + s->early_exporter_master_secret, hashlen)) { + /* SSLfatal() already called */ + goto err; + } } else if (which & SSL3_CC_HANDSHAKE) { insecret = s->handshake_secret; finsecret = s->client_finished_secret; diff --git a/test/sslapitest.c b/test/sslapitest.c index a71a1a9074..e97b228696 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -59,6 +59,7 @@ struct sslapitest_log_counts { unsigned int server_handshake_secret_count; unsigned int client_application_secret_count; unsigned int server_application_secret_count; + unsigned int early_exporter_secret_count; unsigned int exporter_secret_count; }; @@ -146,6 +147,7 @@ static int test_keylog_output(char *buffer, const SSL *ssl, unsigned int server_handshake_secret_count = 0; unsigned int client_application_secret_count = 0; unsigned int server_application_secret_count = 0; + unsigned int early_exporter_secret_count = 0; unsigned int exporter_secret_count = 0; for (token = strtok(buffer, " \n"); token != NULL; @@ -205,6 +207,7 @@ static int test_keylog_output(char *buffer, const SSL *ssl, || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0 + || strcmp(token, "EARLY_EXPORTER_SECRET") == 0 || strcmp(token, "EXPORTER_SECRET") == 0) { /* * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded @@ -222,6 +225,8 @@ static int test_keylog_output(char *buffer, const SSL *ssl, client_application_secret_count++; else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0) server_application_secret_count++; + else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0) + early_exporter_secret_count++; else if (strcmp(token, "EXPORTER_SECRET") == 0) exporter_secret_count++; @@ -267,6 +272,8 @@ static int test_keylog_output(char *buffer, const SSL *ssl, expected->client_application_secret_count) || !TEST_size_t_eq(server_application_secret_count, expected->server_application_secret_count) + || !TEST_size_t_eq(early_exporter_secret_count, + expected->early_exporter_secret_count) || !TEST_size_t_eq(exporter_secret_count, expected->exporter_secret_count)) return 0; @@ -450,6 +457,7 @@ static int test_keylog_no_master_key(void) /* In addition to the previous entries, expect early secrets. */ expected.client_early_secret_count = 1; + expected.early_exporter_secret_count = 1; if (!TEST_true(test_keylog_output(client_log_buffer, clientssl, SSL_get_session(clientssl), &expected)) || !TEST_true(test_keylog_output(server_log_buffer, serverssl,