From 6329ce8fd8af653fb8fdde6d3fc09bdb0ec94031 Mon Sep 17 00:00:00 2001
From: Peter Wu
Date: Tue, 20 Mar 2018 21:16:38 +0100
Subject: [PATCH] Add support for logging TLS 1.3 exporter secret
NSS 3.34 and boringssl have support for "EXPORTER_SECRET" (https://bugzilla.mozilla.org/show_bug.cgi?id=1287711) which is needed for QUIC 1-RTT decryption support in Wireshark.
Reviewed-by: Rich Salz
Reviewed-by: Richard Levitte
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/5702)
---
 ssl/ssl_locl.h | 1 +
 ssl/tls13_enc.c | 6 ++++++
 test/sslapitest.c | 12 ++++++++++--
 3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index b1d6e40ed1..3ba9b000f2 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -2554,6 +2554,7 @@ __owur int ssl_log_secret(SSL *ssl, const char *label,
 #define SERVER_HANDSHAKE_LABEL "SERVER_HANDSHAKE_TRAFFIC_SECRET"
 #define CLIENT_APPLICATION_LABEL "CLIENT_TRAFFIC_SECRET_0"
 #define SERVER_APPLICATION_LABEL "SERVER_TRAFFIC_SECRET_0"
+#define EXPORTER_SECRET_LABEL "EXPORTER_SECRET"
 /* s3_cbc.c */
 __owur char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx);
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index a793e0c8af..e7cc8afe87 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -594,6 +594,12 @@ int tls13_change_cipher_state(SSL *s, int which)
 /* SSLfatal() already called */
 goto err;
 }
+
+ if (!ssl_log_secret(s, EXPORTER_SECRET_LABEL, s->exporter_master_secret,
+ hashlen)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
 } else if (label == client_application_traffic)
 memcpy(s->client_app_traffic_secret, secret, hashlen);
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 338c61c6c0..1d57f7173a 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
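Review bot: The added `ssl_log_secret(s, EXPORTER_SECRET_LABEL, ...)` call in `tls13_change_cipher_state` (ssl/tls13_enc.c) has no comment explaining why the exporter master secret goes to the key log. Its reach differs from the traffic secrets logged alongside it: a log reader can use it to derive exporter-based keys, which per the commit message is what QUIC decryption needs. I would add above the call `/* Also log the exporter master secret; key-log consumers need it to derive exporter-based keys (e.g. QUIC) */`. The copied `/* SSLfatal() already called */` holds only if `ssl_log_secret()` raises the fatal error on every failure path, which cannot be confirmed from this hunk. The enclosing function starts and ends outside the hunk.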
@@ -58,6 +58,7 @@ struct sslapitest_log_counts {
 unsigned int server_handshake_secret_count;
 unsigned int client_application_secret_count;
 unsigned int server_application_secret_count;
+ unsigned int exporter_secret_count;
 };
@@ -143,6 +144,7 @@ static int test_keylog_output(char *buffer, const SSL *ssl,
 unsigned int server_handshake_secret_count = 0;
 unsigned int client_application_secret_count = 0;
 unsigned int server_application_secret_count = 0;
+ unsigned int exporter_secret_count = 0;
 for (token = strtok(buffer, " \n"); token != NULL;
 token = strtok(NULL, " \n")) {
@@ -199,7 +201,8 @@ static int test_keylog_output(char *buffer, const SSL *ssl,
 } else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
- || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0) {
+ || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
+ || strcmp(token, "EXPORTER_SECRET") == 0) {
 /*
 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
 * client random, and then the hex-encoded secret. In this case,
@@ -214,6 +217,8 @@ static int test_keylog_output(char *buffer, const SSL *ssl,
 client_application_secret_count++;
 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
 server_application_secret_count++;
+ else if (strcmp(token, "EXPORTER_SECRET") == 0)
+ exporter_secret_count++;
 client_random_size = SSL_get_client_random(ssl,
 actual_client_random,
@@ -254,7 +259,9 @@ static int test_keylog_output(char *buffer, const SSL *ssl,
 || !TEST_size_t_eq(client_application_secret_count,
 expected->client_application_secret_count)
 || !TEST_size_t_eq(server_application_secret_count,
- expected->server_application_secret_count))
+ expected->server_application_secret_count)
+ || !TEST_size_t_eq(exporter_secret_count,
+ expected->exporter_secret_count))
 return 0;
 return 1;
 }
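Review bot: The new `EXPORTER_SECRET` handling in `test_keylog_output` only counts how often the label appears (`exporter_secret_count++`), so as far as these hunks show the test would still pass if a wrong value were logged under that label. The shared branch goes on to check the client random via `SSL_get_client_random`, but nothing visible ties the logged secret to the connection; a cheap extra check in the caller would be that the client and server logs carry the same `EXPORTER_SECRET` value. As a style point, the counter is an `unsigned int` compared with `TEST_size_t_eq`; that matches the neighbouring lines, though `TEST_uint_eq` would fit the declared type. The function body starts and ends outside these hunks.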
@@ -390,6 +397,7 @@ static int test_keylog_no_master_key(void)
 expected.server_handshake_secret_count = 1;
 expected.client_application_secret_count = 1;
 expected.server_application_secret_count = 1;
+ expected.exporter_secret_count = 1;
 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
 SSL_get_session(clientssl), &expected))
 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,