[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Wed Apr 18 07:18:28 UTC 2018
The branch master has been updated
via d4da95a7736e9e74ec47f9e0077ad0ef18a4faf6 (commit)
via 01a2a65488e18b8b566bd4aa1b4a8b9adb9ecdf8 (commit)
via cffe973c45491b14d980e3b578da28e4a79a8705 (commit)
via 6329ce8fd8af653fb8fdde6d3fc09bdb0ec94031 (commit)
from 55442b8a5b719f54578083fae0fcc814b599cd84 (commit)
- Log -----------------------------------------------------------------
commit d4da95a7736e9e74ec47f9e0077ad0ef18a4faf6
Author: Peter Wu <peter at lekensteyn.nl>
Date: Wed Mar 21 19:44:44 2018 +0100
test: Remove redundant SSL_CTX_set_max_early_data
Client can only send early data if the PSK allows for it, the
max_early_data_size field can only be configured for the server side.
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Richard Levitte <levitte at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5702)
commit 01a2a65488e18b8b566bd4aa1b4a8b9adb9ecdf8
Author: Peter Wu <peter at lekensteyn.nl>
Date: Wed Mar 21 14:03:15 2018 +0100
Add support for logging early exporter secret
This will be necessary to enable Wireshark to decrypt QUIC 0-RTT data.
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Richard Levitte <levitte at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5702)
commit cffe973c45491b14d980e3b578da28e4a79a8705
Author: Peter Wu <peter at lekensteyn.nl>
Date: Wed Mar 21 14:00:42 2018 +0100
Add test for CLIENT_EARLY_TRAFFIC_SECRET key logging
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Richard Levitte <levitte at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5702)
commit 6329ce8fd8af653fb8fdde6d3fc09bdb0ec94031
Author: Peter Wu <peter at lekensteyn.nl>
Date: Tue Mar 20 21:16:38 2018 +0100
Add support for logging TLS 1.3 exporter secret
NSS 3.34 and boringssl have support for "EXPORTER_SECRET"
(https://bugzilla.mozilla.org/show_bug.cgi?id=1287711) which is needed
for QUIC 1-RTT decryption support in Wireshark.
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Richard Levitte <levitte at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5702)
-----------------------------------------------------------------------
Summary of changes:
ssl/ssl_locl.h | 2 ++
ssl/tls13_enc.c | 12 ++++++++
test/sslapitest.c | 81 +++++++++++++++++++++++++++++++++++++++++++++++------
test/tls13ccstest.c | 2 --
4 files changed, 87 insertions(+), 10 deletions(-)
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index b1d6e40..d881458 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -2554,6 +2554,8 @@ __owur int ssl_log_secret(SSL *ssl, const char *label,
#define SERVER_HANDSHAKE_LABEL "SERVER_HANDSHAKE_TRAFFIC_SECRET"
#define CLIENT_APPLICATION_LABEL "CLIENT_TRAFFIC_SECRET_0"
#define SERVER_APPLICATION_LABEL "SERVER_TRAFFIC_SECRET_0"
+#define EARLY_EXPORTER_SECRET_LABEL "EARLY_EXPORTER_SECRET"
+#define EXPORTER_SECRET_LABEL "EXPORTER_SECRET"
/* s3_cbc.c */
__owur char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx);
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index a793e0c..1613004 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -493,6 +493,12 @@ int tls13_change_cipher_state(SSL *s, int which)
SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
goto err;
}
+
+ if (!ssl_log_secret(s, EARLY_EXPORTER_SECRET_LABEL,
+ s->early_exporter_master_secret, hashlen)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
} else if (which & SSL3_CC_HANDSHAKE) {
insecret = s->handshake_secret;
finsecret = s->client_finished_secret;
@@ -594,6 +600,12 @@ int tls13_change_cipher_state(SSL *s, int which)
/* SSLfatal() already called */
goto err;
}
+
+ if (!ssl_log_secret(s, EXPORTER_SECRET_LABEL, s->exporter_master_secret,
+ hashlen)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
} else if (label == client_application_traffic)
memcpy(s->client_app_traffic_secret, secret, hashlen);
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 338c61c..5fef058 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -28,7 +28,7 @@ static char *privkey = NULL;
static char *srpvfile = NULL;
static char *tmpfilename = NULL;
-#define LOG_BUFFER_SIZE 1024
+#define LOG_BUFFER_SIZE 2048
static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
static size_t server_log_buffer_index = 0;
static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
@@ -54,10 +54,13 @@ static X509 *ocspcert = NULL;
struct sslapitest_log_counts {
unsigned int rsa_key_exchange_count;
unsigned int master_secret_count;
+ unsigned int client_early_secret_count;
unsigned int client_handshake_secret_count;
unsigned int server_handshake_secret_count;
unsigned int client_application_secret_count;
unsigned int server_application_secret_count;
+ unsigned int early_exporter_secret_count;
+ unsigned int exporter_secret_count;
};
@@ -139,10 +142,13 @@ static int test_keylog_output(char *buffer, const SSL *ssl,
size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
unsigned int rsa_key_exchange_count = 0;
unsigned int master_secret_count = 0;
+ unsigned int client_early_secret_count = 0;
unsigned int client_handshake_secret_count = 0;
unsigned int server_handshake_secret_count = 0;
unsigned int client_application_secret_count = 0;
unsigned int server_application_secret_count = 0;
+ unsigned int early_exporter_secret_count = 0;
+ unsigned int exporter_secret_count = 0;
for (token = strtok(buffer, " \n"); token != NULL;
token = strtok(NULL, " \n")) {
@@ -196,17 +202,22 @@ static int test_keylog_output(char *buffer, const SSL *ssl,
master_key_size)))
return 0;
master_secret_count++;
- } else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
+ } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
+ || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
|| strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
|| strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
- || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0) {
+ || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
+ || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
+ || strcmp(token, "EXPORTER_SECRET") == 0) {
/*
* TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
* client random, and then the hex-encoded secret. In this case,
* we treat all of these secrets identically and then just
* distinguish between them when counting what we saw.
*/
- if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
+ if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
+ client_early_secret_count++;
+ else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
client_handshake_secret_count++;
else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
server_handshake_secret_count++;
@@ -214,6 +225,10 @@ static int test_keylog_output(char *buffer, const SSL *ssl,
client_application_secret_count++;
else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
server_application_secret_count++;
+ else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
+ early_exporter_secret_count++;
+ else if (strcmp(token, "EXPORTER_SECRET") == 0)
+ exporter_secret_count++;
client_random_size = SSL_get_client_random(ssl,
actual_client_random,
@@ -247,6 +262,8 @@ static int test_keylog_output(char *buffer, const SSL *ssl,
expected->rsa_key_exchange_count)
|| !TEST_size_t_eq(master_secret_count,
expected->master_secret_count)
+ || !TEST_size_t_eq(client_early_secret_count,
+ expected->client_early_secret_count)
|| !TEST_size_t_eq(client_handshake_secret_count,
expected->client_handshake_secret_count)
|| !TEST_size_t_eq(server_handshake_secret_count,
@@ -254,7 +271,11 @@ static int test_keylog_output(char *buffer, const SSL *ssl,
|| !TEST_size_t_eq(client_application_secret_count,
expected->client_application_secret_count)
|| !TEST_size_t_eq(server_application_secret_count,
- expected->server_application_secret_count))
+ expected->server_application_secret_count)
+ || !TEST_size_t_eq(early_exporter_secret_count,
+ expected->early_exporter_secret_count)
+ || !TEST_size_t_eq(exporter_secret_count,
+ expected->exporter_secret_count))
return 0;
return 1;
}
@@ -344,8 +365,11 @@ static int test_keylog_no_master_key(void)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
SSL *clientssl = NULL, *serverssl = NULL;
+ SSL_SESSION *sess = NULL;
int testresult = 0;
struct sslapitest_log_counts expected = {0};
+ unsigned char buf[1];
+ size_t readbytes, written;
/* Clean up logging space */
memset(client_log_buffer, 0, sizeof(client_log_buffer));
@@ -356,7 +380,9 @@ static int test_keylog_no_master_key(void)
if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
TLS1_VERSION, TLS_MAX_VERSION,
- &sctx, &cctx, cert, privkey)))
+ &sctx, &cctx, cert, privkey))
+ || !TEST_true(SSL_CTX_set_max_early_data(sctx,
+ SSL3_RT_MAX_PLAIN_LENGTH)))
return 0;
if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
@@ -390,6 +416,46 @@ static int test_keylog_no_master_key(void)
expected.server_handshake_secret_count = 1;
expected.client_application_secret_count = 1;
expected.server_application_secret_count = 1;
+ expected.exporter_secret_count = 1;
+ if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
+ SSL_get_session(clientssl), &expected))
+ || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
+ SSL_get_session(serverssl),
+ &expected)))
+ goto end;
+
+ /* Terminate old session and resume with early data. */
+ sess = SSL_get1_session(clientssl);
+ SSL_shutdown(clientssl);
+ SSL_shutdown(serverssl);
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ serverssl = clientssl = NULL;
+
+ /* Reset key log */
+ memset(client_log_buffer, 0, sizeof(client_log_buffer));
+ memset(server_log_buffer, 0, sizeof(server_log_buffer));
+ client_log_buffer_index = 0;
+ server_log_buffer_index = 0;
+
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
+ &clientssl, NULL, NULL))
+ || !TEST_true(SSL_set_session(clientssl, sess))
+ /* Here writing 0 length early data is enough. */
+ || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
+ || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
+ &readbytes),
+ SSL_READ_EARLY_DATA_ERROR)
+ || !TEST_int_eq(SSL_get_early_data_status(serverssl),
+ SSL_EARLY_DATA_ACCEPTED)
+ || !TEST_true(create_ssl_connection(serverssl, clientssl,
+ SSL_ERROR_NONE))
+ || !TEST_true(SSL_session_reused(clientssl)))
+ goto end;
+
+ /* In addition to the previous entries, expect early secrets. */
+ expected.client_early_secret_count = 1;
+ expected.early_exporter_secret_count = 1;
if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
SSL_get_session(clientssl), &expected))
|| !TEST_true(test_keylog_output(server_log_buffer, serverssl,
@@ -400,6 +466,7 @@ static int test_keylog_no_master_key(void)
testresult = 1;
end:
+ SSL_SESSION_free(sess);
SSL_free(serverssl);
SSL_free(clientssl);
SSL_CTX_free(sctx);
@@ -1637,8 +1704,6 @@ static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
TLS1_VERSION, TLS_MAX_VERSION,
sctx, cctx, cert, privkey))
|| !TEST_true(SSL_CTX_set_max_early_data(*sctx,
- SSL3_RT_MAX_PLAIN_LENGTH))
- || !TEST_true(SSL_CTX_set_max_early_data(*cctx,
SSL3_RT_MAX_PLAIN_LENGTH)))
return 0;
diff --git a/test/tls13ccstest.c b/test/tls13ccstest.c
index 41e4896..25dc819 100644
--- a/test/tls13ccstest.c
+++ b/test/tls13ccstest.c
@@ -258,8 +258,6 @@ static int test_tls13ccs(int tst)
TLS1_VERSION, TLS_MAX_VERSION,
&sctx, &cctx, cert, privkey))
|| !TEST_true(SSL_CTX_set_max_early_data(sctx,
- SSL3_RT_MAX_PLAIN_LENGTH))
- || !TEST_true(SSL_CTX_set_max_early_data(cctx,
SSL3_RT_MAX_PLAIN_LENGTH)))
goto err;
More information about the openssl-commits
mailing list