authorDaiki Ueno <ueno@gnu.org>2020-02-27 10:47:44 +0000
committerDaiki Ueno <ueno@gnu.org>2020-02-27 10:47:44 +0000
commit41404c6e91c06c1c1f3c65c2addf0c43b6eb3174 (patch)
tree90f4927f4dd8cbfbaddcc249d3e2bfd73cc60337
parentad5b1569c6a5e143bee49c050645c32d6acb7708 (diff)
parent8da3a71b358aa4a3199d1ee72c4e0d25a4588131 (diff)
downloadgnutls-41404c6e91c06c1c1f3c65c2addf0c43b6eb3174.tar.gz
Merge branch 'tmp-keylog-func' into 'master'
keylogfile: simplify the callback mechanism See merge request gnutls/gnutls!1196
-rw-r--r--NEWS6
-rw-r--r--devel/libgnutls-latest-x86_64.abi2
-rw-r--r--devel/symbols.last2
-rw-r--r--doc/Makefile.am5
-rw-r--r--doc/manpages/Makefile.am2
-rw-r--r--lib/constate.c22
-rw-r--r--lib/ext/pre_shared_key.c4
-rw-r--r--lib/gnutls_int.h2
-rw-r--r--lib/handshake-tls13.c2
-rw-r--r--lib/includes/gnutls/gnutls.h.in53
-rw-r--r--lib/kx.c56
-rw-r--r--lib/kx.h10
-rw-r--r--lib/libgnutls.map2
-rw-r--r--lib/state.c5
-rw-r--r--tests/Makefile.am2
-rw-r--r--tests/keylog-func.c (renamed from tests/secret-hook.c)74
16 files changed, 67 insertions, 182 deletions
diff --git a/NEWS b/NEWS
index 3e6e7fa83e..21e95d5a33 100644
--- a/NEWS
+++ b/NEWS
@@ -9,12 +9,14 @@ See the end for copying conditions.
** libgnutls: Added new APIs to access KDF algorithms (#813).
+** libgnutls: Added new callback gnutls_keylog_func that enables a custom
+ logging functionality.
+
** API and ABI modifications:
gnutls_hkdf_extract: Added
gnutls_hkdf_expand: Added
gnutls_pbkdf2: Added
-gnutls_handshake_secret_type_t: New enumeration
-gnutls_handshake_set_secret_function: Added
+gnutls_session_set_keylog_function: Added
* Version 3.6.12 (released 2020-02-01)
diff --git a/devel/libgnutls-latest-x86_64.abi b/devel/libgnutls-latest-x86_64.abi
index 3a9497697e..6fa8640926 100644
--- a/devel/libgnutls-latest-x86_64.abi
+++ b/devel/libgnutls-latest-x86_64.abi
@@ -300,7 +300,6 @@
<elf-symbol name='gnutls_handshake_set_post_client_hello_function' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
<elf-symbol name='gnutls_handshake_set_private_extensions' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
<elf-symbol name='gnutls_handshake_set_random' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
- <elf-symbol name='gnutls_handshake_set_secret_function' version='GNUTLS_3_6_13' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
<elf-symbol name='gnutls_handshake_set_timeout' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
<elf-symbol name='gnutls_hash' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
<elf-symbol name='gnutls_hash_copy' version='GNUTLS_3_6_9' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
@@ -797,6 +796,7 @@
<elf-symbol name='gnutls_session_resumption_requested' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
<elf-symbol name='gnutls_session_set_data' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
<elf-symbol name='gnutls_session_set_id' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
+ <elf-symbol name='gnutls_session_set_keylog_function' version='GNUTLS_3_6_13' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
<elf-symbol name='gnutls_session_set_premaster' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
<elf-symbol name='gnutls_session_set_ptr' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
<elf-symbol name='gnutls_session_set_verify_cert2' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
diff --git a/devel/symbols.last b/devel/symbols.last
index 037741c562..4654e4f708 100644
--- a/devel/symbols.last
+++ b/devel/symbols.last
@@ -267,7 +267,6 @@ gnutls_handshake_set_max_packet_length@GNUTLS_3_4
gnutls_handshake_set_post_client_hello_function@GNUTLS_3_4
gnutls_handshake_set_private_extensions@GNUTLS_3_4
gnutls_handshake_set_random@GNUTLS_3_4
-gnutls_handshake_set_secret_function@GNUTLS_3_6_13
gnutls_handshake_set_timeout@GNUTLS_3_4
gnutls_hash@GNUTLS_3_4
gnutls_hash_copy@GNUTLS_3_6_9
@@ -765,6 +764,7 @@ gnutls_session_key_update@GNUTLS_3_6_3
gnutls_session_resumption_requested@GNUTLS_3_4
gnutls_session_set_data@GNUTLS_3_4
gnutls_session_set_id@GNUTLS_3_4
+gnutls_session_set_keylog_function@GNUTLS_3_6_13
gnutls_session_set_premaster@GNUTLS_3_4
gnutls_session_set_ptr@GNUTLS_3_4
gnutls_session_set_verify_cert2@GNUTLS_3_4
diff --git a/doc/Makefile.am b/doc/Makefile.am
index ef3c40f76c..0d24b33720 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -556,7 +556,6 @@ ENUMS += enums/gnutls_fips_mode_t
ENUMS += enums/gnutls_gost_paramset_t
ENUMS += enums/gnutls_group_t
ENUMS += enums/gnutls_handshake_description_t
-ENUMS += enums/gnutls_handshake_secret_type_t
ENUMS += enums/gnutls_init_flags_t
ENUMS += enums/gnutls_keygen_types_t
ENUMS += enums/gnutls_keyid_flags_t
@@ -1084,8 +1083,6 @@ FUNCS += functions/gnutls_handshake_set_private_extensions
FUNCS += functions/gnutls_handshake_set_private_extensions.short
FUNCS += functions/gnutls_handshake_set_random
FUNCS += functions/gnutls_handshake_set_random.short
-FUNCS += functions/gnutls_handshake_set_secret_function
-FUNCS += functions/gnutls_handshake_set_secret_function.short
FUNCS += functions/gnutls_handshake_set_timeout
FUNCS += functions/gnutls_handshake_set_timeout.short
FUNCS += functions/gnutls_hash
@@ -1950,6 +1947,8 @@ FUNCS += functions/gnutls_session_set_data
FUNCS += functions/gnutls_session_set_data.short
FUNCS += functions/gnutls_session_set_id
FUNCS += functions/gnutls_session_set_id.short
+FUNCS += functions/gnutls_session_set_keylog_function
+FUNCS += functions/gnutls_session_set_keylog_function.short
FUNCS += functions/gnutls_session_set_premaster
FUNCS += functions/gnutls_session_set_premaster.short
FUNCS += functions/gnutls_session_set_ptr
diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am
index 14e591e62f..ca0e279e1c 100644
--- a/doc/manpages/Makefile.am
+++ b/doc/manpages/Makefile.am
@@ -343,7 +343,6 @@ APIMANS += gnutls_handshake_set_max_packet_length.3
APIMANS += gnutls_handshake_set_post_client_hello_function.3
APIMANS += gnutls_handshake_set_private_extensions.3
APIMANS += gnutls_handshake_set_random.3
-APIMANS += gnutls_handshake_set_secret_function.3
APIMANS += gnutls_handshake_set_timeout.3
APIMANS += gnutls_hash.3
APIMANS += gnutls_hash_copy.3
@@ -776,6 +775,7 @@ APIMANS += gnutls_session_key_update.3
APIMANS += gnutls_session_resumption_requested.3
APIMANS += gnutls_session_set_data.3
APIMANS += gnutls_session_set_id.3
+APIMANS += gnutls_session_set_keylog_function.3
APIMANS += gnutls_session_set_premaster.3
APIMANS += gnutls_session_set_ptr.3
APIMANS += gnutls_session_set_verify_cert.3
diff --git a/lib/constate.c b/lib/constate.c
index a11577d7ba..eb05fdd04c 100644
--- a/lib/constate.c
+++ b/lib/constate.c
@@ -197,7 +197,6 @@ _tls13_update_keys(gnutls_session_t session, hs_stage_t stage,
char buf[65];
record_state_st *upd_state;
record_parameters_st *prev = NULL;
- gnutls_handshake_secret_type_t secret_type;
int ret;
/* generate new keys for direction needed and copy old from previous epoch */
@@ -275,7 +274,6 @@ _tls13_update_keys(gnutls_session_t session, hs_stage_t stage,
ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.proto.tls13.ap_ckey, iv_size, iv_block);
if (ret < 0)
return gnutls_assert_val(ret);
- secret_type = GNUTLS_SECRET_CLIENT_TRAFFIC_SECRET;
} else {
ret = _tls13_expand_secret(session, APPLICATION_TRAFFIC_UPDATE,
sizeof(APPLICATION_TRAFFIC_UPDATE)-1,
@@ -293,14 +291,8 @@ _tls13_update_keys(gnutls_session_t session, hs_stage_t stage,
ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.proto.tls13.ap_skey, iv_size, iv_block);
if (ret < 0)
return gnutls_assert_val(ret);
- secret_type = GNUTLS_SECRET_SERVER_TRAFFIC_SECRET;
}
- ret = _gnutls_call_secret_func(session, secret_type,
- key_block, key_size);
- if (ret < 0)
- return gnutls_assert_val(ret);
-
upd_state->mac_key_size = 0;
assert(key_size <= sizeof(upd_state->key));
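Review bot: Removing the callback from `_tls13_update_keys` means a keylog function installed through the public API never sees the traffic secrets derived after a key update, only the initial `*_TRAFFIC_SECRET_0` ones, and the hard-coded `_0` suffix chosen in `_tls13_set_keys` cannot express a later generation anyway. If that limitation is intended (the default `_gnutls_nss_keylog_func` already skips post-handshake secrets through its `handshake_in_progress` check), it should be stated where the callback type is documented, e.g. `/* Secrets derived after a KeyUpdate are not reported; only the generation-0 secrets reach the keylog function. */`. Otherwise keep a call here with a label that carries the generation counter. `_tls13_update_keys` starts before and ends after this hunk.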
@@ -396,7 +388,7 @@ _tls13_set_keys(gnutls_session_t session, hs_stage_t stage,
record_state_st *client_write, *server_write;
const char *label;
unsigned label_size, hsk_len;
- gnutls_handshake_secret_type_t secret_type;
+ const char *keylog_label;
void *ckey, *skey;
int ret;
@@ -412,13 +404,13 @@ _tls13_set_keys(gnutls_session_t session, hs_stage_t stage,
label = HANDSHAKE_CLIENT_TRAFFIC_LABEL;
label_size = sizeof(HANDSHAKE_CLIENT_TRAFFIC_LABEL)-1;
hsk_len = session->internals.handshake_hash_buffer.length;
- secret_type = GNUTLS_SECRET_CLIENT_HANDSHAKE_TRAFFIC_SECRET;
+ keylog_label = "CLIENT_HANDSHAKE_TRAFFIC_SECRET";
ckey = session->key.proto.tls13.hs_ckey;
} else {
label = APPLICATION_CLIENT_TRAFFIC_LABEL;
label_size = sizeof(APPLICATION_CLIENT_TRAFFIC_LABEL)-1;
hsk_len = session->internals.handshake_hash_buffer_server_finished_len;
- secret_type = GNUTLS_SECRET_CLIENT_TRAFFIC_SECRET;
+ keylog_label = "CLIENT_TRAFFIC_SECRET_0";
ckey = session->key.proto.tls13.ap_ckey;
}
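Review bot: The NSS key log labels are now spelled as bare string literals at every call site (here, the later hunks of this file, and pre_shared_key.c, handshake-tls13.c and kx.c); a typo in one of them is invisible to the compiler and would silently break any consumer parsing the log. Defining each label once next to the `_gnutls_call_keylog_func` prototype, e.g. `#define NSS_KEYLOG_CLIENT_TRAFFIC_SECRET "CLIENT_TRAFFIC_SECRET_0"`, gives a single source of truth that the test table can reuse as well. `_tls13_set_keys` starts before and ends after this hunk.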
@@ -430,7 +422,7 @@ _tls13_set_keys(gnutls_session_t session, hs_stage_t stage,
if (ret < 0)
return gnutls_assert_val(ret);
- ret = _gnutls_call_secret_func(session, secret_type,
+ ret = _gnutls_call_keylog_func(session, keylog_label,
ckey,
session->security_parameters.prf->output_size);
if (ret < 0)
@@ -449,12 +441,12 @@ _tls13_set_keys(gnutls_session_t session, hs_stage_t stage,
if (stage == STAGE_HS) {
label = HANDSHAKE_SERVER_TRAFFIC_LABEL;
label_size = sizeof(HANDSHAKE_SERVER_TRAFFIC_LABEL)-1;
- secret_type = GNUTLS_SECRET_SERVER_HANDSHAKE_TRAFFIC_SECRET;
+ keylog_label = "SERVER_HANDSHAKE_TRAFFIC_SECRET";
skey = session->key.proto.tls13.hs_skey;
} else {
label = APPLICATION_SERVER_TRAFFIC_LABEL;
label_size = sizeof(APPLICATION_SERVER_TRAFFIC_LABEL)-1;
- secret_type = GNUTLS_SECRET_SERVER_TRAFFIC_SECRET;
+ keylog_label = "SERVER_TRAFFIC_SECRET_0";
skey = session->key.proto.tls13.ap_skey;
}
@@ -467,7 +459,7 @@ _tls13_set_keys(gnutls_session_t session, hs_stage_t stage,
if (ret < 0)
return gnutls_assert_val(ret);
- ret = _gnutls_call_secret_func(session, secret_type,
+ ret = _gnutls_call_keylog_func(session, keylog_label,
skey,
session->security_parameters.prf->output_size);
if (ret < 0)
diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c
index eef84814d6..8a39cda153 100644
--- a/lib/ext/pre_shared_key.c
+++ b/lib/ext/pre_shared_key.c
@@ -203,7 +203,7 @@ generate_early_secrets(gnutls_session_t session,
if (ret < 0)
return gnutls_assert_val(ret);
- ret = _gnutls_call_secret_func(session, GNUTLS_SECRET_CLIENT_EARLY_TRAFFIC_SECRET,
+ ret = _gnutls_call_keylog_func(session, "CLIENT_EARLY_TRAFFIC_SECRET",
session->key.proto.tls13.e_ckey,
prf->output_size);
if (ret < 0)
@@ -217,7 +217,7 @@ generate_early_secrets(gnutls_session_t session,
if (ret < 0)
return gnutls_assert_val(ret);
- ret = _gnutls_call_secret_func(session, GNUTLS_SECRET_EARLY_EXPORTER_SECRET,
+ ret = _gnutls_call_keylog_func(session, "EARLY_EXPORTER_SECRET",
session->key.proto.tls13.ap_expkey,
prf->output_size);
if (ret < 0)
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index cd2adc103d..d9d851be62 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -1243,7 +1243,7 @@ typedef struct {
unsigned int h_type; /* the hooked type */
int16_t h_post; /* whether post-generation/receive */
- gnutls_handshake_secret_func secret_func;
+ gnutls_keylog_func keylog_func;
/* holds the selected certificate and key.
* use _gnutls_selected_certs_deinit() and _gnutls_selected_certs_set()
diff --git a/lib/handshake-tls13.c b/lib/handshake-tls13.c
index 39d002bd04..24f5af65c6 100644
--- a/lib/handshake-tls13.c
+++ b/lib/handshake-tls13.c
@@ -292,7 +292,7 @@ static int generate_ap_traffic_keys(gnutls_session_t session)
if (ret < 0)
return gnutls_assert_val(ret);
- ret = _gnutls_call_secret_func(session, GNUTLS_SECRET_EXPORTER_SECRET,
+ ret = _gnutls_call_keylog_func(session, "EXPORTER_SECRET",
session->key.proto.tls13.ap_expkey,
session->security_parameters.prf->output_size);
if (ret < 0)
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 13b6c35659..cfc1f35e92 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -2292,58 +2292,23 @@ void gnutls_global_set_log_function(gnutls_log_func log_func);
void gnutls_global_set_audit_log_function(gnutls_audit_log_func log_func);
void gnutls_global_set_log_level(int level);
-/**
- * gnutls_handshake_secret_type_t:
- * @GNUTLS_SECRET_CLIENT_RANDOM: 48 bytes for the master secret (for SSL 3.0,
- * TLS 1.0, 1.1 and 1.2)
- * @GNUTLS_SECRET_CLIENT_EARLY_TRAFFIC_SECRET: the early traffic secret for the
- * client side (for TLS 1.3)
- * @GNUTLS_SECRET_CLIENT_HANDSHAKE_TRAFFIC_SECRET: the handshake traffic secret
- * for the client side (for TLS 1.3)
- * @GNUTLS_SECRET_SERVER_HANDSHAKE_TRAFFIC_SECRET: the handshake traffic secret
- * for the server side (for TLS 1.3)
- * @GNUTLS_SECRET_CLIENT_TRAFFIC_SECRET: the application traffic secret for the
- * client side (for TLS 1.3)
- * @GNUTLS_SECRET_SERVER_TRAFFIC_SECRET: the application traffic secret for the
- * server side (for TLS 1.3)
- * @GNUTLS_SECRET_EARLY_EXPORTER_SECRET: the early exporter secret (for TLS 1.3,
- * used for 0-RTT keys).
- * @GNUTLS_SECRET_EXPORTER_SECRET: the exporter secret (for TLS 1.3, used for
- * 1-RTT keys)
- *
- * Enumeration of different types of secrets derived during handshake.
- * This is used by gnutls_handshake_set_secret_function().
- *
- * Since: 3.6.13
- */
-typedef enum {
- GNUTLS_SECRET_CLIENT_RANDOM,
- GNUTLS_SECRET_CLIENT_EARLY_TRAFFIC_SECRET,
- GNUTLS_SECRET_CLIENT_HANDSHAKE_TRAFFIC_SECRET,
- GNUTLS_SECRET_SERVER_HANDSHAKE_TRAFFIC_SECRET,
- GNUTLS_SECRET_CLIENT_TRAFFIC_SECRET,
- GNUTLS_SECRET_SERVER_TRAFFIC_SECRET,
- GNUTLS_SECRET_EARLY_EXPORTER_SECRET,
- GNUTLS_SECRET_EXPORTER_SECRET
-} gnutls_handshake_secret_type_t;
-
/**
- * gnutls_handshake_secret_function:
+ * gnutls_keylog_func:
* @session: the current session
- * @type: #gnutls_handshake_secret_type_t
+ * @label: the keylog label
* @secret: the (const) data of the derived secret.
*
- * Function prototype for secret derivation hooks. It is set using
- * gnutls_handshake_set_secret_function().
+ * Function prototype for keylog hooks. It is set using
+ * gnutls_session_set_keylog_function().
*
* Returns: Non zero on error.
* Since: 3.6.13
*/
-typedef int (*gnutls_handshake_secret_func) (gnutls_session_t session,
- gnutls_handshake_secret_type_t type,
- const gnutls_datum_t *secret);
-void gnutls_handshake_set_secret_function(gnutls_session_t session,
- gnutls_handshake_secret_func func);
+typedef int (*gnutls_keylog_func) (gnutls_session_t session,
+ const char *label,
+ const gnutls_datum_t *secret);
+void gnutls_session_set_keylog_function(gnutls_session_t session,
+ gnutls_keylog_func func);
/* Diffie-Hellman parameter handling.
*/
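Review bot: The `Returns: Non zero on error.` line kept for `gnutls_keylog_func` does not match how the library consumes the result: every caller tests `if (ret < 0)` (constate.c, kx.c, pre_shared_key.c, handshake-tls13.c), so a positive return would be treated as success. Either document the real contract, `Returns: 0 on success, or a negative error code which the caller propagates.`, or change the callers to test `ret != 0`. The `@label` description should also say it is a NUL-terminated NSS key log format label such as `CLIENT_RANDOM`, and `@secret` that the datum points at session-owned key material which the callback must copy if it needs it after returning.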
diff --git a/lib/kx.c b/lib/kx.c
index 43056d412a..d5abf69ea7 100644
--- a/lib/kx.c
+++ b/lib/kx.c
@@ -71,7 +71,7 @@ int _gnutls_generate_master(gnutls_session_t session, int keep_premaster)
}
/**
- * gnutls_handshake_set_secret_function:
+ * gnutls_session_set_keylog_function:
* @session: is #gnutls_session_t type
* @func: is the function to be called
*
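Review bot: The docstring for `gnutls_session_set_keylog_function` should state that the function replaces the default `_gnutls_nss_keylog_func` that `gnutls_init()` installs (see the state.c hunk), so an application hook silences the built-in NSS key log writer unless the application forwards to it, and that passing NULL disables the callback entirely, since `_gnutls_call_keylog_func` returns 0 when the pointer is NULL. Suggested text after the existing `@func` line: `Setting a function replaces the built-in key log writer; pass %NULL to disable key logging for this session.` The description body is split across this hunk and the next.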
@@ -81,68 +81,36 @@ int _gnutls_generate_master(gnutls_session_t session, int keep_premaster)
* Since: 3.6.13
*/
void
-gnutls_handshake_set_secret_function(gnutls_session_t session,
- gnutls_handshake_secret_func func)
+gnutls_session_set_keylog_function(gnutls_session_t session,
+ gnutls_keylog_func func)
{
- session->internals.secret_func = func;
+ session->internals.keylog_func = func;
}
int
-_gnutls_call_secret_func(gnutls_session_t session,
- gnutls_handshake_secret_type_t type,
+_gnutls_call_keylog_func(gnutls_session_t session,
+ const char *label,
const uint8_t *data,
unsigned size)
{
- if (session->internals.secret_func) {
+ if (session->internals.keylog_func) {
gnutls_datum_t secret = {(void*)data, size};
- return session->internals.secret_func(session, type, &secret);
+ return session->internals.keylog_func(session, label, &secret);
}
return 0;
}
-static const char *
-secret_type_to_nss_keylog_label(gnutls_handshake_secret_type_t type)
-{
- switch (type) {
- case GNUTLS_SECRET_CLIENT_RANDOM:
- return "CLIENT_RANDOM";
- case GNUTLS_SECRET_CLIENT_EARLY_TRAFFIC_SECRET:
- return "CLIENT_EARLY_TRAFFIC_SECRET";
- case GNUTLS_SECRET_CLIENT_HANDSHAKE_TRAFFIC_SECRET:
- return "CLIENT_HANDSHAKE_TRAFFIC_SECRET";
- case GNUTLS_SECRET_SERVER_HANDSHAKE_TRAFFIC_SECRET:
- return "SERVER_HANDSHAKE_TRAFFIC_SECRET";
- case GNUTLS_SECRET_CLIENT_TRAFFIC_SECRET:
- return "CLIENT_TRAFFIC_SECRET_0";
- case GNUTLS_SECRET_SERVER_TRAFFIC_SECRET:
- return "SERVER_TRAFFIC_SECRET_0";
- case GNUTLS_SECRET_EARLY_EXPORTER_SECRET:
- return "EARLY_EXPORTER_SECRET";
- case GNUTLS_SECRET_EXPORTER_SECRET:
- return "EXPORTER_SECRET";
- default:
- gnutls_assert();
- return NULL;
- }
-}
-
int
-_gnutls_nss_keylog_secret_func(gnutls_session_t session,
- gnutls_handshake_secret_type_t type,
- const gnutls_datum_t *secret)
+_gnutls_nss_keylog_func(gnutls_session_t session,
+ const char *label,
+ const gnutls_datum_t *secret)
{
- const char *label;
-
/* ignore subsequent traffic secrets that are calculated from
* the previous traffic secret
*/
if (!session->internals.handshake_in_progress)
return 0;
- label = secret_type_to_nss_keylog_label(type);
- if (unlikely(label == NULL))
- return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
-
_gnutls_nss_keylog_write(session, label, secret->data, secret->size);
return 0;
}
@@ -265,7 +233,7 @@ generate_normal_master(gnutls_session_t session,
if (ret < 0)
return ret;
- ret = _gnutls_call_secret_func(session, GNUTLS_SECRET_CLIENT_RANDOM,
+ ret = _gnutls_call_keylog_func(session, "CLIENT_RANDOM",
session->security_parameters.master_secret,
GNUTLS_MASTER_SIZE);
if (ret < 0)
diff --git a/lib/kx.h b/lib/kx.h
index 8d8d4225ef..6b4a7fcae5 100644
--- a/lib/kx.h
+++ b/lib/kx.h
@@ -38,15 +38,15 @@ int _gnutls_recv_server_crt_request(gnutls_session_t session);
int _gnutls_send_server_crt_request(gnutls_session_t session, int again);
int _gnutls_recv_client_certificate_verify_message(gnutls_session_t
session);
-int _gnutls_call_secret_func(gnutls_session_t session,
- gnutls_handshake_secret_type_t type,
+int _gnutls_call_keylog_func(gnutls_session_t session,
+ const char *label,
const uint8_t *data,
unsigned size);
void _gnutls_nss_keylog_write(gnutls_session_t session,
const char *label,
const uint8_t *secret, size_t secret_size);
-int _gnutls_nss_keylog_secret_func(gnutls_session_t session,
- gnutls_handshake_secret_type_t type,
- const gnutls_datum_t *secret);
+int _gnutls_nss_keylog_func(gnutls_session_t session,
+ const char *label,
+ const gnutls_datum_t *secret);
#endif /* GNUTLS_LIB_KX_H */
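Review bot: With the NULL-label guard dropped from `_gnutls_nss_keylog_func`, `label` now flows unchecked from `_gnutls_call_keylog_func` into `_gnutls_nss_keylog_write`, so the prototype here should spell out the contract every current caller meets by passing a string literal: `/* label: non-NULL, NUL-terminated NSS key log label, valid for the duration of the call */`. The same comment can note that the `const gnutls_datum_t` handed to the callback wraps the caller's key buffer, so callbacks must not write through `secret->data`.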
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index c1aace905e..234d43e755 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -1315,7 +1315,7 @@ GNUTLS_3_6_13
gnutls_hkdf_extract;
gnutls_hkdf_expand;
gnutls_pbkdf2;
- gnutls_handshake_set_secret_function;
+ gnutls_session_set_keylog_function;
} GNUTLS_3_6_12;
GNUTLS_FIPS140_3_4 {
diff --git a/lib/state.c b/lib/state.c
index f33cd5a8bc..35ebb2a230 100644
--- a/lib/state.c
+++ b/lib/state.c
@@ -588,9 +588,8 @@ int gnutls_init(gnutls_session_t * session, unsigned int flags)
if (_gnutls_disable_tls13 != 0)
(*session)->internals.flags |= INT_FLAG_NO_TLS13;
- /* Install the default secret function */
- gnutls_handshake_set_secret_function(*session,
- _gnutls_nss_keylog_secret_func);
+ /* Install the default keylog function */
+ gnutls_session_set_keylog_function(*session, _gnutls_nss_keylog_func);
return 0;
}
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 5b9fdb7168..5c89f77c11 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -217,7 +217,7 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei
tls-record-size-limit-asym dh-compute ecdh-compute sign-verify-data-newapi \
sign-verify-newapi sign-verify-deterministic iov aead-cipher-vec \
tls13-without-timeout-func buffer status-request-revoked \
- set_x509_ocsp_multi_cli kdf-api secret-hook
+ set_x509_ocsp_multi_cli kdf-api keylog-func
if HAVE_SECCOMP_TESTS
ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp
diff --git a/tests/secret-hook.c b/tests/keylog-func.c
index f4523a6a46..8c4d321142 100644
--- a/tests/secret-hook.c
+++ b/tests/keylog-func.c
@@ -49,8 +49,7 @@ int main(int argc, char **argv)
#include "cert-common.h"
#include "utils.h"
-/* This program tests whether a secret hook function is called upon a
- * new traffic secret is installed.
+/* This program tests whether a keylog function is called.
*/
static void terminate(void);
@@ -72,57 +71,30 @@ static pid_t child;
#define MAX_BUF 1024
#define MSG "Hello TLS"
-static const char *
-secret_type_to_str(gnutls_handshake_secret_type_t type)
-{
- switch (type) {
- case GNUTLS_SECRET_CLIENT_RANDOM:
- return "CLIENT_RANDOM";
- case GNUTLS_SECRET_CLIENT_EARLY_TRAFFIC_SECRET:
- return "CLIENT_EARLY_TRAFFIC_SECRET";
- case GNUTLS_SECRET_CLIENT_HANDSHAKE_TRAFFIC_SECRET:
- return "CLIENT_HANDSHAKE_TRAFFIC_SECRET";
- case GNUTLS_SECRET_SERVER_HANDSHAKE_TRAFFIC_SECRET:
- return "SERVER_HANDSHAKE_TRAFFIC_SECRET";
- case GNUTLS_SECRET_CLIENT_TRAFFIC_SECRET:
- return "CLIENT_TRAFFIC_SECRET";
- case GNUTLS_SECRET_SERVER_TRAFFIC_SECRET:
- return "SERVER_TRAFFIC_SECRET";
- case GNUTLS_SECRET_EARLY_EXPORTER_SECRET:
- return "EARLY_EXPORTER_SECRET";
- case GNUTLS_SECRET_EXPORTER_SECRET:
- return "EXPORTER_SECRET";
- default:
- return NULL;
- }
-}
-
static int
-secret_hook_func(gnutls_session_t session,
- gnutls_handshake_secret_type_t type,
- const gnutls_datum_t *secret)
+keylog_func(gnutls_session_t session,
+ const char *label,
+ const gnutls_datum_t *secret)
{
unsigned int *call_count = gnutls_session_get_ptr(session);
- static const gnutls_handshake_secret_type_t exp_types[] = {
- GNUTLS_SECRET_CLIENT_HANDSHAKE_TRAFFIC_SECRET,
- GNUTLS_SECRET_SERVER_HANDSHAKE_TRAFFIC_SECRET,
- GNUTLS_SECRET_EXPORTER_SECRET,
- GNUTLS_SECRET_CLIENT_TRAFFIC_SECRET,
- GNUTLS_SECRET_SERVER_TRAFFIC_SECRET,
- GNUTLS_SECRET_CLIENT_TRAFFIC_SECRET,
- GNUTLS_SECRET_SERVER_TRAFFIC_SECRET
+ static const char *exp_labels[] = {
+ "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
+ "SERVER_HANDSHAKE_TRAFFIC_SECRET",
+ "EXPORTER_SECRET",
+ "CLIENT_TRAFFIC_SECRET_0",
+ "SERVER_TRAFFIC_SECRET_0"
};
- if (*call_count >= sizeof(exp_types)/sizeof(exp_types[0]))
+ if (*call_count >= sizeof(exp_labels)/sizeof(exp_labels[0]))
fail("unexpected secret at call count %u\n",
*call_count);
- if (type != exp_types[*call_count])
+ if (strcmp(label, exp_labels[*call_count]) != 0)
fail("unexpected %s at call count %u\n",
- secret_type_to_str(type), *call_count);
+ label, *call_count);
else if (debug)
success("received %s at call count %u\n",
- secret_type_to_str(type), *call_count);
+ label, *call_count);
(*call_count)++;
return 0;
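Review bot: `strcmp(label, exp_labels[*call_count])` will crash rather than fail cleanly if the library ever hands the test a NULL label, turning a reportable regression into a SIGSEGV; add `if (label == NULL) fail("NULL label at call count %u\n", *call_count);` before the comparison. The table now lists only generation-0 labels and the key-update section of `client()` is removed in a later hunk, so a comment such as `/* secrets derived after a key update are not reported to the keylog function */` above `exp_labels` would explain why the expected count in doit() dropped from 7 to 5. `keylog_func` continues past the end of this hunk.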
@@ -168,7 +140,7 @@ static void client(int fd, const char *prio, unsigned int exp_call_count)
gnutls_transport_set_int(session, fd);
- gnutls_handshake_set_secret_function(session, secret_hook_func);
+ gnutls_session_set_keylog_function(session, keylog_func);
/* Perform the TLS handshake
*/
@@ -189,18 +161,6 @@ static void client(int fd, const char *prio, unsigned int exp_call_count)
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
- /* Send key update */
- do {
- ret = gnutls_session_key_update(session, GNUTLS_KU_PEER);
- } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
-
- if (ret < 0)
- fail("error in key update: %s\n", gnutls_strerror(ret));
- else {
- if (debug)
- success("client: Sent key update\n");
- }
-
gnutls_record_send(session, MSG, strlen(MSG));
do {
@@ -279,7 +239,7 @@ static void server(int fd, const char *prio, unsigned int exp_call_count)
gnutls_transport_set_int(session, fd);
- gnutls_handshake_set_secret_function(session, secret_hook_func);
+ gnutls_session_set_keylog_function(session, keylog_func);
do {
ret = gnutls_handshake(session);
@@ -383,7 +343,7 @@ run(const char *prio, unsigned int exp_call_count)
void doit(void)
{
- run("NORMAL:-VERS-ALL:+VERS-TLS1.3", 7);
+ run("NORMAL:-VERS-ALL:+VERS-TLS1.3", 5);
}
#endif /* _WIN32 */