authorDaiki Ueno <dueno@redhat.com>2020-02-21 16:38:29 +0100
committerDaiki Ueno <dueno@redhat.com>2020-02-22 08:19:08 +0100
commit8da3a71b358aa4a3199d1ee72c4e0d25a4588131 (patch)
treed5b4d45bbdf4543e88ef4e0bcd58cad5789efa49
parent0f48ce3d377e4975324216543d9a2d352ec825c3 (diff)
keylogfile: simplify the callback mechanism [tmp-keylog-func]
This partially reverts commit 97117556 with a simpler interface. The original intention of having the callback mechanism was to reuse it for monitoring QUIC encryption changes. However, it turned out to be insufficient because such changes must be emitted after a new epoch is ready. Signed-off-by: Daiki Ueno <dueno@redhat.com>
-rw-r--r--NEWS6
-rw-r--r--devel/libgnutls-latest-x86_64.abi2
-rw-r--r--devel/symbols.last2
-rw-r--r--doc/Makefile.am5
-rw-r--r--doc/manpages/Makefile.am2
-rw-r--r--lib/constate.c22
-rw-r--r--lib/ext/pre_shared_key.c4
-rw-r--r--lib/gnutls_int.h2
-rw-r--r--lib/handshake-tls13.c2
-rw-r--r--lib/includes/gnutls/gnutls.h.in53
-rw-r--r--lib/kx.c56
-rw-r--r--lib/kx.h10
-rw-r--r--lib/libgnutls.map2
-rw-r--r--lib/state.c5
-rw-r--r--tests/Makefile.am2
-rw-r--r--tests/keylog-func.c (renamed from tests/secret-hook.c)74
16 files changed, 67 insertions, 182 deletions
diff --git a/NEWS b/NEWS
index 3e6e7fa83e..21e95d5a33 100644
--- a/NEWS
+++ b/NEWS
@@ -9,12 +9,14 @@ See the end for copying conditions.
** libgnutls: Added new APIs to access KDF algorithms (#813).
+** libgnutls: Added new callback gnutls_keylog_func that enables a custom
+ logging functionality.
+
** API and ABI modifications:
gnutls_hkdf_extract: Added
gnutls_hkdf_expand: Added
gnutls_pbkdf2: Added
-gnutls_handshake_secret_type_t: New enumeration
-gnutls_handshake_set_secret_function: Added
+gnutls_session_set_keylog_function: Added
* Version 3.6.12 (released 2020-02-01)
diff --git a/devel/libgnutls-latest-x86_64.abi b/devel/libgnutls-latest-x86_64.abi
index 3a9497697e..6fa8640926 100644
--- a/devel/libgnutls-latest-x86_64.abi
+++ b/devel/libgnutls-latest-x86_64.abi
@@ -300,7 +300,6 @@
<elf-symbol name='gnutls_handshake_set_post_client_hello_function' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
<elf-symbol name='gnutls_handshake_set_private_extensions' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
<elf-symbol name='gnutls_handshake_set_random' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
- <elf-symbol name='gnutls_handshake_set_secret_function' version='GNUTLS_3_6_13' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
<elf-symbol name='gnutls_handshake_set_timeout' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
<elf-symbol name='gnutls_hash' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
<elf-symbol name='gnutls_hash_copy' version='GNUTLS_3_6_9' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
@@ -797,6 +796,7 @@
<elf-symbol name='gnutls_session_resumption_requested' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
<elf-symbol name='gnutls_session_set_data' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
<elf-symbol name='gnutls_session_set_id' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
+ <elf-symbol name='gnutls_session_set_keylog_function' version='GNUTLS_3_6_13' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
<elf-symbol name='gnutls_session_set_premaster' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
<elf-symbol name='gnutls_session_set_ptr' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
<elf-symbol name='gnutls_session_set_verify_cert2' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
diff --git a/devel/symbols.last b/devel/symbols.last
index 037741c562..4654e4f708 100644
--- a/devel/symbols.last
+++ b/devel/symbols.last
@@ -267,7 +267,6 @@ gnutls_handshake_set_max_packet_length@GNUTLS_3_4
gnutls_handshake_set_post_client_hello_function@GNUTLS_3_4
gnutls_handshake_set_private_extensions@GNUTLS_3_4
gnutls_handshake_set_random@GNUTLS_3_4
-gnutls_handshake_set_secret_function@GNUTLS_3_6_13
gnutls_handshake_set_timeout@GNUTLS_3_4
gnutls_hash@GNUTLS_3_4
gnutls_hash_copy@GNUTLS_3_6_9
@@ -765,6 +764,7 @@ gnutls_session_key_update@GNUTLS_3_6_3
gnutls_session_resumption_requested@GNUTLS_3_4
gnutls_session_set_data@GNUTLS_3_4
gnutls_session_set_id@GNUTLS_3_4
+gnutls_session_set_keylog_function@GNUTLS_3_6_13
gnutls_session_set_premaster@GNUTLS_3_4
gnutls_session_set_ptr@GNUTLS_3_4
gnutls_session_set_verify_cert2@GNUTLS_3_4
diff --git a/doc/Makefile.am b/doc/Makefile.am
index ef3c40f76c..0d24b33720 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -556,7 +556,6 @@ ENUMS += enums/gnutls_fips_mode_t
ENUMS += enums/gnutls_gost_paramset_t
ENUMS += enums/gnutls_group_t
ENUMS += enums/gnutls_handshake_description_t
-ENUMS += enums/gnutls_handshake_secret_type_t
ENUMS += enums/gnutls_init_flags_t
ENUMS += enums/gnutls_keygen_types_t
ENUMS += enums/gnutls_keyid_flags_t
@@ -1084,8 +1083,6 @@ FUNCS += functions/gnutls_handshake_set_private_extensions
FUNCS += functions/gnutls_handshake_set_private_extensions.short
FUNCS += functions/gnutls_handshake_set_random
FUNCS += functions/gnutls_handshake_set_random.short
-FUNCS += functions/gnutls_handshake_set_secret_function
-FUNCS += functions/gnutls_handshake_set_secret_function.short
FUNCS += functions/gnutls_handshake_set_timeout
FUNCS += functions/gnutls_handshake_set_timeout.short
FUNCS += functions/gnutls_hash
@@ -1950,6 +1947,8 @@ FUNCS += functions/gnutls_session_set_data
FUNCS += functions/gnutls_session_set_data.short
FUNCS += functions/gnutls_session_set_id
FUNCS += functions/gnutls_session_set_id.short
+FUNCS += functions/gnutls_session_set_keylog_function
+FUNCS += functions/gnutls_session_set_keylog_function.short
FUNCS += functions/gnutls_session_set_premaster
FUNCS += functions/gnutls_session_set_premaster.short
FUNCS += functions/gnutls_session_set_ptr
diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am
index 14e591e62f..ca0e279e1c 100644
--- a/doc/manpages/Makefile.am
+++ b/doc/manpages/Makefile.am
@@ -343,7 +343,6 @@ APIMANS += gnutls_handshake_set_max_packet_length.3
APIMANS += gnutls_handshake_set_post_client_hello_function.3
APIMANS += gnutls_handshake_set_private_extensions.3
APIMANS += gnutls_handshake_set_random.3
-APIMANS += gnutls_handshake_set_secret_function.3
APIMANS += gnutls_handshake_set_timeout.3
APIMANS += gnutls_hash.3
APIMANS += gnutls_hash_copy.3
@@ -776,6 +775,7 @@ APIMANS += gnutls_session_key_update.3
APIMANS += gnutls_session_resumption_requested.3
APIMANS += gnutls_session_set_data.3
APIMANS += gnutls_session_set_id.3
+APIMANS += gnutls_session_set_keylog_function.3
APIMANS += gnutls_session_set_premaster.3
APIMANS += gnutls_session_set_ptr.3
APIMANS += gnutls_session_set_verify_cert.3
diff --git a/lib/constate.c b/lib/constate.c
index a11577d7ba..eb05fdd04c 100644
--- a/lib/constate.c
+++ b/lib/constate.c
@@ -197,7 +197,6 @@ _tls13_update_keys(gnutls_session_t session, hs_stage_t stage,
char buf[65];
record_state_st *upd_state;
record_parameters_st *prev = NULL;
- gnutls_handshake_secret_type_t secret_type;
int ret;
/* generate new keys for direction needed and copy old from previous epoch */
@@ -275,7 +274,6 @@ _tls13_update_keys(gnutls_session_t session, hs_stage_t stage,
ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.proto.tls13.ap_ckey, iv_size, iv_block);
if (ret < 0)
return gnutls_assert_val(ret);
- secret_type = GNUTLS_SECRET_CLIENT_TRAFFIC_SECRET;
} else {
ret = _tls13_expand_secret(session, APPLICATION_TRAFFIC_UPDATE,
sizeof(APPLICATION_TRAFFIC_UPDATE)-1,
@@ -293,14 +291,8 @@ _tls13_update_keys(gnutls_session_t session, hs_stage_t stage,
ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.proto.tls13.ap_skey, iv_size, iv_block);
if (ret < 0)
return gnutls_assert_val(ret);
- secret_type = GNUTLS_SECRET_SERVER_TRAFFIC_SECRET;
}
- ret = _gnutls_call_secret_func(session, secret_type,
- key_block, key_size);
- if (ret < 0)
- return gnutls_assert_val(ret);
-
upd_state->mac_key_size = 0;
assert(key_size <= sizeof(upd_state->key));
@@ -396,7 +388,7 @@ _tls13_set_keys(gnutls_session_t session, hs_stage_t stage,
record_state_st *client_write, *server_write;
const char *label;
unsigned label_size, hsk_len;
- gnutls_handshake_secret_type_t secret_type;
+ const char *keylog_label;
void *ckey, *skey;
int ret;
@@ -412,13 +404,13 @@ _tls13_set_keys(gnutls_session_t session, hs_stage_t stage,
label = HANDSHAKE_CLIENT_TRAFFIC_LABEL;
label_size = sizeof(HANDSHAKE_CLIENT_TRAFFIC_LABEL)-1;
hsk_len = session->internals.handshake_hash_buffer.length;
- secret_type = GNUTLS_SECRET_CLIENT_HANDSHAKE_TRAFFIC_SECRET;
+ keylog_label = "CLIENT_HANDSHAKE_TRAFFIC_SECRET";
ckey = session->key.proto.tls13.hs_ckey;
} else {
label = APPLICATION_CLIENT_TRAFFIC_LABEL;
label_size = sizeof(APPLICATION_CLIENT_TRAFFIC_LABEL)-1;
hsk_len = session->internals.handshake_hash_buffer_server_finished_len;
- secret_type = GNUTLS_SECRET_CLIENT_TRAFFIC_SECRET;
+ keylog_label = "CLIENT_TRAFFIC_SECRET_0";
ckey = session->key.proto.tls13.ap_ckey;
}
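Review bot: The keylog labels are now bare string literals repeated at every derivation site (`keylog_label = "CLIENT_HANDSHAKE_TRAFFIC_SECRET";` and `keylog_label = "CLIENT_TRAFFIC_SECRET_0";` here, the SERVER_ variants in the next hunks, and the literals in pre_shared_key.c, handshake-tls13.c and kx.c), whereas the removed `secret_type_to_nss_keylog_label` in kx.c was a single table; a typo at one site would silently emit an entry that key log consumers cannot match. Consider defining the labels once in lib/kx.h next to the `_gnutls_call_keylog_func` prototype, as a set of macros (a constructed name such as `KEYLOG_LABEL_CLIENT_HANDSHAKE_TRAFFIC_SECRET`), and using those at the call sites. _tls13_set_keys starts and ends outside this hunk.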
@@ -430,7 +422,7 @@ _tls13_set_keys(gnutls_session_t session, hs_stage_t stage,
if (ret < 0)
return gnutls_assert_val(ret);
- ret = _gnutls_call_secret_func(session, secret_type,
+ ret = _gnutls_call_keylog_func(session, keylog_label,
ckey,
session->security_parameters.prf->output_size);
if (ret < 0)
@@ -449,12 +441,12 @@ _tls13_set_keys(gnutls_session_t session, hs_stage_t stage,
if (stage == STAGE_HS) {
label = HANDSHAKE_SERVER_TRAFFIC_LABEL;
label_size = sizeof(HANDSHAKE_SERVER_TRAFFIC_LABEL)-1;
- secret_type = GNUTLS_SECRET_SERVER_HANDSHAKE_TRAFFIC_SECRET;
+ keylog_label = "SERVER_HANDSHAKE_TRAFFIC_SECRET";
skey = session->key.proto.tls13.hs_skey;
} else {
label = APPLICATION_SERVER_TRAFFIC_LABEL;
label_size = sizeof(APPLICATION_SERVER_TRAFFIC_LABEL)-1;
- secret_type = GNUTLS_SECRET_SERVER_TRAFFIC_SECRET;
+ keylog_label = "SERVER_TRAFFIC_SECRET_0";
skey = session->key.proto.tls13.ap_skey;
}
@@ -467,7 +459,7 @@ _tls13_set_keys(gnutls_session_t session, hs_stage_t stage,
if (ret < 0)
return gnutls_assert_val(ret);
- ret = _gnutls_call_secret_func(session, secret_type,
+ ret = _gnutls_call_keylog_func(session, keylog_label,
skey,
session->security_parameters.prf->output_size);
if (ret < 0)
diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c
index eef84814d6..8a39cda153 100644
--- a/lib/ext/pre_shared_key.c
+++ b/lib/ext/pre_shared_key.c
@@ -203,7 +203,7 @@ generate_early_secrets(gnutls_session_t session,
if (ret < 0)
return gnutls_assert_val(ret);
- ret = _gnutls_call_secret_func(session, GNUTLS_SECRET_CLIENT_EARLY_TRAFFIC_SECRET,
+ ret = _gnutls_call_keylog_func(session, "CLIENT_EARLY_TRAFFIC_SECRET",
session->key.proto.tls13.e_ckey,
prf->output_size);
if (ret < 0)
@@ -217,7 +217,7 @@ generate_early_secrets(gnutls_session_t session,
if (ret < 0)
return gnutls_assert_val(ret);
- ret = _gnutls_call_secret_func(session, GNUTLS_SECRET_EARLY_EXPORTER_SECRET,
+ ret = _gnutls_call_keylog_func(session, "EARLY_EXPORTER_SECRET",
session->key.proto.tls13.ap_expkey,
prf->output_size);
if (ret < 0)
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index cd2adc103d..d9d851be62 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -1243,7 +1243,7 @@ typedef struct {
unsigned int h_type; /* the hooked type */
int16_t h_post; /* whether post-generation/receive */
- gnutls_handshake_secret_func secret_func;
+ gnutls_keylog_func keylog_func;
/* holds the selected certificate and key.
* use _gnutls_selected_certs_deinit() and _gnutls_selected_certs_set()
diff --git a/lib/handshake-tls13.c b/lib/handshake-tls13.c
index 39d002bd04..24f5af65c6 100644
--- a/lib/handshake-tls13.c
+++ b/lib/handshake-tls13.c
@@ -292,7 +292,7 @@ static int generate_ap_traffic_keys(gnutls_session_t session)
if (ret < 0)
return gnutls_assert_val(ret);
- ret = _gnutls_call_secret_func(session, GNUTLS_SECRET_EXPORTER_SECRET,
+ ret = _gnutls_call_keylog_func(session, "EXPORTER_SECRET",
session->key.proto.tls13.ap_expkey,
session->security_parameters.prf->output_size);
if (ret < 0)
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 13b6c35659..cfc1f35e92 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -2292,58 +2292,23 @@ void gnutls_global_set_log_function(gnutls_log_func log_func);
void gnutls_global_set_audit_log_function(gnutls_audit_log_func log_func);
void gnutls_global_set_log_level(int level);
-/**
- * gnutls_handshake_secret_type_t:
- * @GNUTLS_SECRET_CLIENT_RANDOM: 48 bytes for the master secret (for SSL 3.0,
- * TLS 1.0, 1.1 and 1.2)
- * @GNUTLS_SECRET_CLIENT_EARLY_TRAFFIC_SECRET: the early traffic secret for the
- * client side (for TLS 1.3)
- * @GNUTLS_SECRET_CLIENT_HANDSHAKE_TRAFFIC_SECRET: the handshake traffic secret
- * for the client side (for TLS 1.3)
- * @GNUTLS_SECRET_SERVER_HANDSHAKE_TRAFFIC_SECRET: the handshake traffic secret
- * for the server side (for TLS 1.3)
- * @GNUTLS_SECRET_CLIENT_TRAFFIC_SECRET: the application traffic secret for the
- * client side (for TLS 1.3)
- * @GNUTLS_SECRET_SERVER_TRAFFIC_SECRET: the application traffic secret for the
- * server side (for TLS 1.3)
- * @GNUTLS_SECRET_EARLY_EXPORTER_SECRET: the early exporter secret (for TLS 1.3,
- * used for 0-RTT keys).
- * @GNUTLS_SECRET_EXPORTER_SECRET: the exporter secret (for TLS 1.3, used for
- * 1-RTT keys)
- *
- * Enumeration of different types of secrets derived during handshake.
- * This is used by gnutls_handshake_set_secret_function().
- *
- * Since: 3.6.13
- */
-typedef enum {
- GNUTLS_SECRET_CLIENT_RANDOM,
- GNUTLS_SECRET_CLIENT_EARLY_TRAFFIC_SECRET,
- GNUTLS_SECRET_CLIENT_HANDSHAKE_TRAFFIC_SECRET,
- GNUTLS_SECRET_SERVER_HANDSHAKE_TRAFFIC_SECRET,
- GNUTLS_SECRET_CLIENT_TRAFFIC_SECRET,
- GNUTLS_SECRET_SERVER_TRAFFIC_SECRET,
- GNUTLS_SECRET_EARLY_EXPORTER_SECRET,
- GNUTLS_SECRET_EXPORTER_SECRET
-} gnutls_handshake_secret_type_t;
-
/**
- * gnutls_handshake_secret_function:
+ * gnutls_keylog_func:
* @session: the current session
- * @type: #gnutls_handshake_secret_type_t
+ * @label: the keylog label
* @secret: the (const) data of the derived secret.
*
- * Function prototype for secret derivation hooks. It is set using
- * gnutls_handshake_set_secret_function().
+ * Function prototype for keylog hooks. It is set using
+ * gnutls_session_set_keylog_function().
*
* Returns: Non zero on error.
* Since: 3.6.13
*/
-typedef int (*gnutls_handshake_secret_func) (gnutls_session_t session,
- gnutls_handshake_secret_type_t type,
- const gnutls_datum_t *secret);
-void gnutls_handshake_set_secret_function(gnutls_session_t session,
- gnutls_handshake_secret_func func);
+typedef int (*gnutls_keylog_func) (gnutls_session_t session,
+ const char *label,
+ const gnutls_datum_t *secret);
+void gnutls_session_set_keylog_function(gnutls_session_t session,
+ gnutls_keylog_func func);
/* Diffie-Hellman parameter handling.
*/
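Review bot: `@label: the keylog label` leaves the callback contract undocumented: the labels are fixed NSS key log format strings, and the values this commit emits are CLIENT_RANDOM, CLIENT_EARLY_TRAFFIC_SECRET, CLIENT_HANDSHAKE_TRAFFIC_SECRET, SERVER_HANDSHAKE_TRAFFIC_SECRET, CLIENT_TRAFFIC_SECRET_0, SERVER_TRAFFIC_SECRET_0, EARLY_EXPORTER_SECRET and EXPORTER_SECRET (see the kx.c, constate.c, pre_shared_key.c and handshake-tls13.c hunks), so listing them on the `@label` line would let callers match on them reliably. The `@secret` line should also state that the datum points at session-owned key material that is valid only for the duration of the call and must be copied if retained, and that secrets rotated by a later key update are not reported (the constate.c hunk removes the call from _tls13_update_keys). Finally, `Returns: Non zero on error.` does not match the callers, which check `if (ret < 0)` after every _gnutls_call_keylog_func call; `Returns: zero on success, or a negative error code.` is what the code implements.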
diff --git a/lib/kx.c b/lib/kx.c
index 43056d412a..d5abf69ea7 100644
--- a/lib/kx.c
+++ b/lib/kx.c
@@ -71,7 +71,7 @@ int _gnutls_generate_master(gnutls_session_t session, int keep_premaster)
}
/**
- * gnutls_handshake_set_secret_function:
+ * gnutls_session_set_keylog_function:
* @session: is #gnutls_session_t type
* @func: is the function to be called
*
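Review bot: The doc comment for gnutls_session_set_keylog_function does not say that the callback replaces, rather than chains with, the default NSS key log writer that gnutls_init installs through this same setter (lib/state.c hunk), so an application that installs its own callback silently turns off the built-in key log output. Suggest adding after `@func: is the function to be called` a sentence such as `Setting @func replaces the default keylog handler installed by gnutls_init(); a NULL @func disables keylog reporting.` — the NULL behaviour follows from the check in _gnutls_call_keylog_func in the next hunk. The rest of this comment block and the function body are in the next hunk.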
@@ -81,68 +81,36 @@ int _gnutls_generate_master(gnutls_session_t session, int keep_premaster)
* Since: 3.6.13
*/
void
-gnutls_handshake_set_secret_function(gnutls_session_t session,
- gnutls_handshake_secret_func func)
+gnutls_session_set_keylog_function(gnutls_session_t session,
+ gnutls_keylog_func func)
{
- session->internals.secret_func = func;
+ session->internals.keylog_func = func;
}
int
-_gnutls_call_secret_func(gnutls_session_t session,
- gnutls_handshake_secret_type_t type,
+_gnutls_call_keylog_func(gnutls_session_t session,
+ const char *label,
const uint8_t *data,
unsigned size)
{
- if (session->internals.secret_func) {
+ if (session->internals.keylog_func) {
gnutls_datum_t secret = {(void*)data, size};
- return session->internals.secret_func(session, type, &secret);
+ return session->internals.keylog_func(session, label, &secret);
}
return 0;
}
-static const char *
-secret_type_to_nss_keylog_label(gnutls_handshake_secret_type_t type)
-{
- switch (type) {
- case GNUTLS_SECRET_CLIENT_RANDOM:
- return "CLIENT_RANDOM";
- case GNUTLS_SECRET_CLIENT_EARLY_TRAFFIC_SECRET:
- return "CLIENT_EARLY_TRAFFIC_SECRET";
- case GNUTLS_SECRET_CLIENT_HANDSHAKE_TRAFFIC_SECRET:
- return "CLIENT_HANDSHAKE_TRAFFIC_SECRET";
- case GNUTLS_SECRET_SERVER_HANDSHAKE_TRAFFIC_SECRET:
- return "SERVER_HANDSHAKE_TRAFFIC_SECRET";
- case GNUTLS_SECRET_CLIENT_TRAFFIC_SECRET:
- return "CLIENT_TRAFFIC_SECRET_0";
- case GNUTLS_SECRET_SERVER_TRAFFIC_SECRET:
- return "SERVER_TRAFFIC_SECRET_0";
- case GNUTLS_SECRET_EARLY_EXPORTER_SECRET:
- return "EARLY_EXPORTER_SECRET";
- case GNUTLS_SECRET_EXPORTER_SECRET:
- return "EXPORTER_SECRET";
- default:
- gnutls_assert();
- return NULL;
- }
-}
-
int
-_gnutls_nss_keylog_secret_func(gnutls_session_t session,
- gnutls_handshake_secret_type_t type,
- const gnutls_datum_t *secret)
+_gnutls_nss_keylog_func(gnutls_session_t session,
+ const char *label,
+ const gnutls_datum_t *secret)
{
- const char *label;
-
/* ignore subsequent traffic secrets that are calculated from
* the previous traffic secret
*/
if (!session->internals.handshake_in_progress)
return 0;
- label = secret_type_to_nss_keylog_label(type);
- if (unlikely(label == NULL))
- return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
-
_gnutls_nss_keylog_write(session, label, secret->data, secret->size);
return 0;
}
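Review bot: `_gnutls_call_keylog_func` now forwards `label` to the application callback and on to `_gnutls_nss_keylog_write` without any check, whereas the removed `secret_type_to_nss_keylog_label` path returned GNUTLS_E_INTERNAL_ERROR before anything was written. Every caller in this commit passes a string literal, so this is defensive only, but a one-line guard at the top of `_gnutls_call_keylog_func` keeps the previous invariant: `if (unlikely(label == NULL)) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);`. The datum construction `gnutls_datum_t secret = {(void*)data, size};` also deserves a comment, e.g. `/* aliases session-owned key material; valid only for the duration of the callback */`, since the pointer comes straight from session->key at the constate.c call sites.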
@@ -265,7 +233,7 @@ generate_normal_master(gnutls_session_t session,
if (ret < 0)
return ret;
- ret = _gnutls_call_secret_func(session, GNUTLS_SECRET_CLIENT_RANDOM,
+ ret = _gnutls_call_keylog_func(session, "CLIENT_RANDOM",
session->security_parameters.master_secret,
GNUTLS_MASTER_SIZE);
if (ret < 0)
diff --git a/lib/kx.h b/lib/kx.h
index 8d8d4225ef..6b4a7fcae5 100644
--- a/lib/kx.h
+++ b/lib/kx.h
@@ -38,15 +38,15 @@ int _gnutls_recv_server_crt_request(gnutls_session_t session);
int _gnutls_send_server_crt_request(gnutls_session_t session, int again);
int _gnutls_recv_client_certificate_verify_message(gnutls_session_t
session);
-int _gnutls_call_secret_func(gnutls_session_t session,
- gnutls_handshake_secret_type_t type,
+int _gnutls_call_keylog_func(gnutls_session_t session,
+ const char *label,
const uint8_t *data,
unsigned size);
void _gnutls_nss_keylog_write(gnutls_session_t session,
const char *label,
const uint8_t *secret, size_t secret_size);
-int _gnutls_nss_keylog_secret_func(gnutls_session_t session,
- gnutls_handshake_secret_type_t type,
- const gnutls_datum_t *secret);
+int _gnutls_nss_keylog_func(gnutls_session_t session,
+ const char *label,
+ const gnutls_datum_t *secret);
#endif /* GNUTLS_LIB_KX_H */
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index c1aace905e..234d43e755 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -1315,7 +1315,7 @@ GNUTLS_3_6_13
gnutls_hkdf_extract;
gnutls_hkdf_expand;
gnutls_pbkdf2;
- gnutls_handshake_set_secret_function;
+ gnutls_session_set_keylog_function;
} GNUTLS_3_6_12;
GNUTLS_FIPS140_3_4 {
diff --git a/lib/state.c b/lib/state.c
index f33cd5a8bc..35ebb2a230 100644
--- a/lib/state.c
+++ b/lib/state.c
@@ -588,9 +588,8 @@ int gnutls_init(gnutls_session_t * session, unsigned int flags)
if (_gnutls_disable_tls13 != 0)
(*session)->internals.flags |= INT_FLAG_NO_TLS13;
- /* Install the default secret function */
- gnutls_handshake_set_secret_function(*session,
- _gnutls_nss_keylog_secret_func);
+ /* Install the default keylog function */
+ gnutls_session_set_keylog_function(*session, _gnutls_nss_keylog_func);
return 0;
}
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 5b9fdb7168..5c89f77c11 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -217,7 +217,7 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei
tls-record-size-limit-asym dh-compute ecdh-compute sign-verify-data-newapi \
sign-verify-newapi sign-verify-deterministic iov aead-cipher-vec \
tls13-without-timeout-func buffer status-request-revoked \
- set_x509_ocsp_multi_cli kdf-api secret-hook
+ set_x509_ocsp_multi_cli kdf-api keylog-func
if HAVE_SECCOMP_TESTS
ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp
diff --git a/tests/secret-hook.c b/tests/keylog-func.c
index f4523a6a46..8c4d321142 100644
--- a/tests/secret-hook.c
+++ b/tests/keylog-func.c
@@ -49,8 +49,7 @@ int main(int argc, char **argv)
#include "cert-common.h"
#include "utils.h"
-/* This program tests whether a secret hook function is called upon a
- * new traffic secret is installed.
+/* This program tests whether a keylog function is called.
*/
static void terminate(void);
@@ -72,57 +71,30 @@ static pid_t child;
#define MAX_BUF 1024
#define MSG "Hello TLS"
-static const char *
-secret_type_to_str(gnutls_handshake_secret_type_t type)
-{
- switch (type) {
- case GNUTLS_SECRET_CLIENT_RANDOM:
- return "CLIENT_RANDOM";
- case GNUTLS_SECRET_CLIENT_EARLY_TRAFFIC_SECRET:
- return "CLIENT_EARLY_TRAFFIC_SECRET";
- case GNUTLS_SECRET_CLIENT_HANDSHAKE_TRAFFIC_SECRET:
- return "CLIENT_HANDSHAKE_TRAFFIC_SECRET";
- case GNUTLS_SECRET_SERVER_HANDSHAKE_TRAFFIC_SECRET:
- return "SERVER_HANDSHAKE_TRAFFIC_SECRET";
- case GNUTLS_SECRET_CLIENT_TRAFFIC_SECRET:
- return "CLIENT_TRAFFIC_SECRET";
- case GNUTLS_SECRET_SERVER_TRAFFIC_SECRET:
- return "SERVER_TRAFFIC_SECRET";
- case GNUTLS_SECRET_EARLY_EXPORTER_SECRET:
- return "EARLY_EXPORTER_SECRET";
- case GNUTLS_SECRET_EXPORTER_SECRET:
- return "EXPORTER_SECRET";
- default:
- return NULL;
- }
-}
-
static int
-secret_hook_func(gnutls_session_t session,
- gnutls_handshake_secret_type_t type,
- const gnutls_datum_t *secret)
+keylog_func(gnutls_session_t session,
+ const char *label,
+ const gnutls_datum_t *secret)
{
unsigned int *call_count = gnutls_session_get_ptr(session);
- static const gnutls_handshake_secret_type_t exp_types[] = {
- GNUTLS_SECRET_CLIENT_HANDSHAKE_TRAFFIC_SECRET,
- GNUTLS_SECRET_SERVER_HANDSHAKE_TRAFFIC_SECRET,
- GNUTLS_SECRET_EXPORTER_SECRET,
- GNUTLS_SECRET_CLIENT_TRAFFIC_SECRET,
- GNUTLS_SECRET_SERVER_TRAFFIC_SECRET,
- GNUTLS_SECRET_CLIENT_TRAFFIC_SECRET,
- GNUTLS_SECRET_SERVER_TRAFFIC_SECRET
+ static const char *exp_labels[] = {
+ "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
+ "SERVER_HANDSHAKE_TRAFFIC_SECRET",
+ "EXPORTER_SECRET",
+ "CLIENT_TRAFFIC_SECRET_0",
+ "SERVER_TRAFFIC_SECRET_0"
};
- if (*call_count >= sizeof(exp_types)/sizeof(exp_types[0]))
+ if (*call_count >= sizeof(exp_labels)/sizeof(exp_labels[0]))
fail("unexpected secret at call count %u\n",
*call_count);
- if (type != exp_types[*call_count])
+ if (strcmp(label, exp_labels[*call_count]) != 0)
fail("unexpected %s at call count %u\n",
- secret_type_to_str(type), *call_count);
+ label, *call_count);
else if (debug)
success("received %s at call count %u\n",
- secret_type_to_str(type), *call_count);
+ label, *call_count);
(*call_count)++;
return 0;
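Review bot: `exp_labels` holds string literals, so `static const char *const exp_labels[]` is the const-correct declaration rather than `static const char *exp_labels[]`. Separately, when `*call_count` is out of range the code calls `fail()` and then still reaches `strcmp(label, exp_labels[*call_count])` on the next line; that is only safe if fail() never returns, which I assume from the test utilities but cannot confirm from this hunk — a `return 0;` after the out-of-range fail(), or an `else` chain, would make the intent explicit. The closing brace of keylog_func lies outside this hunk.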
@@ -168,7 +140,7 @@ static void client(int fd, const char *prio, unsigned int exp_call_count)
gnutls_transport_set_int(session, fd);
- gnutls_handshake_set_secret_function(session, secret_hook_func);
+ gnutls_session_set_keylog_function(session, keylog_func);
/* Perform the TLS handshake
*/
@@ -189,18 +161,6 @@ static void client(int fd, const char *prio, unsigned int exp_call_count)
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
- /* Send key update */
- do {
- ret = gnutls_session_key_update(session, GNUTLS_KU_PEER);
- } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
-
- if (ret < 0)
- fail("error in key update: %s\n", gnutls_strerror(ret));
- else {
- if (debug)
- success("client: Sent key update\n");
- }
-
gnutls_record_send(session, MSG, strlen(MSG));
do {
@@ -279,7 +239,7 @@ static void server(int fd, const char *prio, unsigned int exp_call_count)
gnutls_transport_set_int(session, fd);
- gnutls_handshake_set_secret_function(session, secret_hook_func);
+ gnutls_session_set_keylog_function(session, keylog_func);
do {
ret = gnutls_handshake(session);
@@ -383,7 +343,7 @@ run(const char *prio, unsigned int exp_call_count)
void doit(void)
{
- run("NORMAL:-VERS-ALL:+VERS-TLS1.3", 7);
+ run("NORMAL:-VERS-ALL:+VERS-TLS1.3", 5);
}
#endif /* _WIN32 */