Add support for logging early exporter secret

This will be necessary to enable Wireshark to decrypt QUIC 0-RTT data.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5702)

diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 3ba9b000f2666991a91b763c70d8eb825f93ceb6..d881458a6bcc0872968d9c308561700c85e98532 100644 (file)
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -2554,6 +2554,7 @@ __owur int ssl_log_secret(SSL *ssl, const char *label,
 #define SERVER_HANDSHAKE_LABEL "SERVER_HANDSHAKE_TRAFFIC_SECRET"
 #define CLIENT_APPLICATION_LABEL "CLIENT_TRAFFIC_SECRET_0"
 #define SERVER_APPLICATION_LABEL "SERVER_TRAFFIC_SECRET_0"
+#define EARLY_EXPORTER_SECRET_LABEL "EARLY_EXPORTER_SECRET"
 #define EXPORTER_SECRET_LABEL "EXPORTER_SECRET"
 
 /* s3_cbc.c */

diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index e7cc8afe87907e2c77a3af43a3a27ebb87b8d724..1613004f7891d6a56e91ed61768e54cc331d4fec 100644 (file)
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -493,6 +493,12 @@ int tls13_change_cipher_state(SSL *s, int which)
                          SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
                 goto err;
             }
+
+            if (!ssl_log_secret(s, EARLY_EXPORTER_SECRET_LABEL,
+                                s->early_exporter_master_secret, hashlen)) {
+                /* SSLfatal() already called */
+                goto err;
+            }
         } else if (which & SSL3_CC_HANDSHAKE) {
             insecret = s->handshake_secret;
             finsecret = s->client_finished_secret;

diff --git a/test/sslapitest.c b/test/sslapitest.c
index a71a1a90743eb88c88d2b8690339c3af97f88df0..e97b2286962c10f0e00774f9596fe3a4d478426f 100644 (file)
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -59,6 +59,7 @@ struct sslapitest_log_counts {
     unsigned int server_handshake_secret_count;
     unsigned int client_application_secret_count;
     unsigned int server_application_secret_count;
+    unsigned int early_exporter_secret_count;
     unsigned int exporter_secret_count;
 };
 
@@ -146,6 +147,7 @@ static int test_keylog_output(char *buffer, const SSL *ssl,
     unsigned int server_handshake_secret_count = 0;
     unsigned int client_application_secret_count = 0;
     unsigned int server_application_secret_count = 0;
+    unsigned int early_exporter_secret_count = 0;
     unsigned int exporter_secret_count = 0;
 
     for (token = strtok(buffer, " \n"); token != NULL;
@@ -205,6 +207,7 @@ static int test_keylog_output(char *buffer, const SSL *ssl,
                     || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
                     || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
                     || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
+                    || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
                     || strcmp(token, "EXPORTER_SECRET") == 0) {
             /*
              * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
@@ -222,6 +225,8 @@ static int test_keylog_output(char *buffer, const SSL *ssl,
                 client_application_secret_count++;
             else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
                 server_application_secret_count++;
+            else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
+                early_exporter_secret_count++;
             else if (strcmp(token, "EXPORTER_SECRET") == 0)
                 exporter_secret_count++;
 
@@ -267,6 +272,8 @@ static int test_keylog_output(char *buffer, const SSL *ssl,
                                expected->client_application_secret_count)
             || !TEST_size_t_eq(server_application_secret_count,
                                expected->server_application_secret_count)
+            || !TEST_size_t_eq(early_exporter_secret_count,
+                               expected->early_exporter_secret_count)
             || !TEST_size_t_eq(exporter_secret_count,
                                expected->exporter_secret_count))
         return 0;
@@ -450,6 +457,7 @@ static int test_keylog_no_master_key(void)
 
     /* In addition to the previous entries, expect early secrets. */
     expected.client_early_secret_count = 1;
+    expected.early_exporter_secret_count = 1;
     if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
                                       SSL_get_session(clientssl), &expected))
             || !TEST_true(test_keylog_output(server_log_buffer, serverssl,