From 60375247d78c5254771cad555469d2805a3df8d7 Mon Sep 17 00:00:00 2001 From: Alexey Volokitin Date: Wed, 8 May 2024 15:25:54 +0300 Subject: [PATCH] add callback to export secrets for SSLKEYLOGFILE --- src/lib/tls/tls12/tls_client_impl_12.cpp | 16 +++++++++ src/lib/tls/tls12/tls_server_impl_12.cpp | 16 +++++++++ src/lib/tls/tls13/tls_cipher_state.cpp | 46 +++++++++++++++++++++--- src/lib/tls/tls13/tls_cipher_state.h | 37 ++++++++++++++++--- src/lib/tls/tls13/tls_client_impl_13.cpp | 24 ++++++++++--- src/lib/tls/tls13/tls_client_impl_13.h | 9 ++++- src/lib/tls/tls13/tls_server_impl_13.cpp | 25 +++++++++---- src/lib/tls/tls13/tls_server_impl_13.h | 6 +++- src/lib/tls/tls_callbacks.h | 20 +++++++++++ src/lib/tls/tls_policy.cpp | 6 ++++ src/lib/tls/tls_policy.h | 7 ++++ src/lib/tls/tls_text_policy.cpp | 4 +++ src/tests/test_tls_cipher_state.cpp | 15 ++++---- src/tests/test_tls_record_layer_13.cpp | 6 ++-- 14 files changed, 207 insertions(+), 30 deletions(-) diff --git a/src/lib/tls/tls12/tls_client_impl_12.cpp b/src/lib/tls/tls12/tls_client_impl_12.cpp index 48867fc0932..db10698e3f5 100644 --- a/src/lib/tls/tls12/tls_client_impl_12.cpp +++ b/src/lib/tls/tls12/tls_client_impl_12.cpp @@ -403,6 +403,14 @@ void Client_Impl_12::process_handshake_msg(const Handshake_State* active_state, } state.compute_session_keys(state.resume_master_secret()); + if(policy().allow_ssl_key_log_file()) { + // draft-thomson-tls-keylogfile-00 Section 3.2 + // An implementation of TLS 1.2 (and also earlier versions) use + // the label "CLIENT_RANDOM" to identify the "master" secret for + // the connection. + callbacks().tls_ssl_key_log_data( + "CLIENT_RANDOM", state.client_hello()->random(), state.session_keys().master_secret()); + } if(state.server_hello()->supports_session_ticket()) { state.set_expected_next(Handshake_Type::NewSessionTicket); @@ -598,6 +606,14 @@ void Client_Impl_12::process_handshake_msg(const Handshake_State* active_state, state.handshake_io(), state, policy(), *m_creds, state.maybe_server_public_key(), m_info.hostname(), rng())); state.compute_session_keys(); + if(policy().allow_ssl_key_log_file()) { + // draft-thomson-tls-keylogfile-00 Section 3.2 + // An implementation of TLS 1.2 (and also earlier versions) use + // the label "CLIENT_RANDOM" to identify the "master" secret for + // the connection. + callbacks().tls_ssl_key_log_data( + "CLIENT_RANDOM", state.client_hello()->random(), state.session_keys().master_secret()); + } if(state.received_handshake_msg(Handshake_Type::CertificateRequest) && !state.client_certs()->empty()) { auto private_key = diff --git a/src/lib/tls/tls12/tls_server_impl_12.cpp b/src/lib/tls/tls12/tls_server_impl_12.cpp index 20d27fe9963..e19da15ac16 100644 --- a/src/lib/tls/tls12/tls_server_impl_12.cpp +++ b/src/lib/tls/tls12/tls_server_impl_12.cpp @@ -486,6 +486,14 @@ void Server_Impl_12::process_client_key_exchange_msg(Server_Handshake_State& pen new Client_Key_Exchange(contents, pending_state, pending_state.server_rsa_kex_key(), *m_creds, policy(), rng())); pending_state.compute_session_keys(); + if(policy().allow_ssl_key_log_file()) { + // draft-thomson-tls-keylogfile-00 Section 3.2 + // An implementation of TLS 1.2 (and also earlier versions) use + // the label "CLIENT_RANDOM" to identify the "master" secret for + // the connection. + callbacks().tls_ssl_key_log_data( + "CLIENT_RANDOM", pending_state.client_hello()->random(), pending_state.session_keys().master_secret()); + } } void Server_Impl_12::process_change_cipher_spec_msg(Server_Handshake_State& pending_state) { @@ -676,6 +684,14 @@ void Server_Impl_12::session_resume(Server_Handshake_State& pending_state, const pending_state.mark_as_resumption(); pending_state.compute_session_keys(session.session.master_secret()); + if(policy().allow_ssl_key_log_file()) { + // draft-thomson-tls-keylogfile-00 Section 3.2 + // An implementation of TLS 1.2 (and also earlier versions) use + // the label "CLIENT_RANDOM" to identify the "master" secret for + // the connection. + callbacks().tls_ssl_key_log_data( + "CLIENT_RANDOM", pending_state.client_hello()->random(), pending_state.session_keys().master_secret()); + } pending_state.set_resume_certs(session.session.peer_certs()); // Give the application a chance for a final veto before fully diff --git a/src/lib/tls/tls13/tls_cipher_state.cpp b/src/lib/tls/tls13/tls_cipher_state.cpp index 8ab5d17d5eb..834c9c1e9a0 100644 --- a/src/lib/tls/tls13/tls_cipher_state.cpp +++ b/src/lib/tls/tls13/tls_cipher_state.cpp @@ -119,10 +119,11 @@ constexpr size_t NONCE_LENGTH = 12; std::unique_ptr Cipher_State::init_with_server_hello(const Connection_Side side, secure_vector&& shared_secret, const Ciphersuite& cipher, - const Transcript_Hash& transcript_hash) { + const Transcript_Hash& transcript_hash, + const Secrets_Callback& callbacks) { auto cs = std::unique_ptr(new Cipher_State(side, cipher.prf_algo())); cs->advance_without_psk(); - cs->advance_with_server_hello(cipher, std::move(shared_secret), transcript_hash); + cs->advance_with_server_hello(cipher, std::move(shared_secret), transcript_hash, callbacks); return cs; } @@ -135,7 +136,8 @@ std::unique_ptr Cipher_State::init_with_psk(const Connection_Side return cs; } -void Cipher_State::advance_with_client_hello(const Transcript_Hash& transcript_hash) { +void Cipher_State::advance_with_client_hello(const Transcript_Hash& transcript_hash, + const Secrets_Callback& callbacks) { BOTAN_ASSERT_NOMSG(m_state == State::PskBinder); zap(m_binder_key); @@ -148,13 +150,21 @@ void Cipher_State::advance_with_client_hello(const Transcript_Hash& transcript_h m_exporter_master_secret = derive_secret(m_early_secret, "e exp master", transcript_hash); + // draft-thomson-tls-keylogfile-00 Section 3.1 + // An implementation of TLS 1.3 use + // the label "EARLY_EXPORTER_MASTER_SECRET" + // to identify the secret + // that is using for early exporters + callbacks.tls_log_secret("EARLY_EXPORTER_MASTER_SECRET", m_exporter_master_secret); + m_salt = derive_secret(m_early_secret, "derived", empty_hash()); zap(m_early_secret); m_state = State::EarlyTraffic; } -void Cipher_State::advance_with_server_finished(const Transcript_Hash& transcript_hash) { +void Cipher_State::advance_with_server_finished(const Transcript_Hash& transcript_hash, + const Secrets_Callback& callbacks) { BOTAN_ASSERT_NOMSG(m_state == State::HandshakeTraffic); const auto master_secret = hkdf_extract(secure_vector(m_hash->output_length(), 0x00)); @@ -162,6 +172,15 @@ void Cipher_State::advance_with_server_finished(const Transcript_Hash& transcrip auto client_application_traffic_secret = derive_secret(master_secret, "c ap traffic", transcript_hash); auto server_application_traffic_secret = derive_secret(master_secret, "s ap traffic", transcript_hash); + // draft-thomson-tls-keylogfile-00 Section 3.1 + // An implementation of TLS 1.3 use + // the label "CLIENT_TRAFFIC_SECRET_0" + // and "SERVER_TRAFFIC_SECRET_0" + // to identify the secrets are using to protect + // the connection. + callbacks.tls_log_secret("CLIENT_TRAFFIC_SECRET_0", client_application_traffic_secret); + callbacks.tls_log_secret("SERVER_TRAFFIC_SECRET_0", server_application_traffic_secret); + // Note: the secrets for processing client's application data // are not derived before the client's Finished message // was seen and the handshake can be considered finished. @@ -177,6 +196,13 @@ void Cipher_State::advance_with_server_finished(const Transcript_Hash& transcrip m_exporter_master_secret = derive_secret(master_secret, "exp master", transcript_hash); + // draft-thomson-tls-keylogfile-00 Section 3.1 + // An implementation of TLS 1.3 use + // the label "EXPORTER_SECRET" + // to identify the secret + // that is used in generating exporters(rfc8446 Section 7.5). + callbacks.tls_log_secret("EXPORTER_SECRET", m_exporter_master_secret); + m_state = State::ServerApplicationTraffic; } @@ -460,7 +486,8 @@ void Cipher_State::advance_with_psk(PSK_Type type, secure_vector&& psk) void Cipher_State::advance_with_server_hello(const Ciphersuite& cipher, secure_vector&& shared_secret, - const Transcript_Hash& transcript_hash) { + const Transcript_Hash& transcript_hash, + const Secrets_Callback& callbacks) { BOTAN_ASSERT_NOMSG(m_state == State::EarlyTraffic); BOTAN_ASSERT_NOMSG(!m_encrypt); BOTAN_ASSERT_NOMSG(!m_decrypt); @@ -474,6 +501,15 @@ void Cipher_State::advance_with_server_hello(const Ciphersuite& cipher, const auto client_handshake_traffic_secret = derive_secret(handshake_secret, "c hs traffic", transcript_hash); const auto server_handshake_traffic_secret = derive_secret(handshake_secret, "s hs traffic", transcript_hash); + // draft-thomson-tls-keylogfile-00 Section 3.1 + // An implementation of TLS 1.3 use + // the label "CLIENT_HANDSHAKE_TRAFFIC_SECRET" + // and "SERVER_HANDSHAKE_TRAFFIC_SECRET" + // to identify the secrets + // are using to protect handshake messages. + callbacks.tls_log_secret("CLIENT_HANDSHAKE_TRAFFIC_SECRET", client_handshake_traffic_secret); + callbacks.tls_log_secret("SERVER_HANDSHAKE_TRAFFIC_SECRET", server_handshake_traffic_secret); + if(m_connection_side == Connection_Side::Server) { derive_read_traffic_key(client_handshake_traffic_secret, true); derive_write_traffic_key(server_handshake_traffic_secret, true); diff --git a/src/lib/tls/tls13/tls_cipher_state.h b/src/lib/tls/tls13/tls_cipher_state.h index 8ec1af8de3b..8e457b75dcf 100644 --- a/src/lib/tls/tls13/tls_cipher_state.h +++ b/src/lib/tls/tls13/tls_cipher_state.h @@ -9,6 +9,8 @@ #ifndef BOTAN_TLS_CIPHER_STATE_H_ #define BOTAN_TLS_CIPHER_STATE_H_ +#include + #include #include #include @@ -28,6 +30,31 @@ namespace Botan::TLS { class Ciphersuite; +/* + * Encapsulates the callbacks in the state machine described in RFC 8446 7.1, + * that will make the realisation the SSLKEYLOGFILE for connection debugging + * specified in ietf.org/archive/id/draft-thomson-tls-keylogfile-00.html + */ +class Secrets_Callback { + public: + Secrets_Callback() {} + + virtual ~Secrets_Callback() {} + + /** + * Allows access to a connection's secret data + * + * Default implementation simply ignores the inputs. + * + * @param label Identifies the reported secret type + * See draft-thomson-tls-keylogfile-00 Section 3.1 + * @param secret the actual secret value + */ + virtual void tls_log_secret(std::string_view label, const std::span& secret) const { + BOTAN_UNUSED(label, secret); + } +}; + /** * This class implements the key schedule for TLS 1.3 as described in RFC 8446 7.1. * @@ -82,25 +109,27 @@ class BOTAN_TEST_API Cipher_State { static std::unique_ptr init_with_server_hello(Connection_Side side, secure_vector&& shared_secret, const Ciphersuite& cipher, - const Transcript_Hash& transcript_hash); + const Transcript_Hash& transcript_hash, + const Secrets_Callback& callbacks); /** * Transition internal secrets/keys for transporting early application data. * Note that this state transition is legal only for handshakes using PSK. */ - void advance_with_client_hello(const Transcript_Hash& transcript_hash); + void advance_with_client_hello(const Transcript_Hash& transcript_hash, const Secrets_Callback& callbacks); /** * Transition internal secrets/keys for transporting handshake data. */ void advance_with_server_hello(const Ciphersuite& cipher, secure_vector&& shared_secret, - const Transcript_Hash& transcript_hash); + const Transcript_Hash& transcript_hash, + const Secrets_Callback& callbacks); /** * Transition internal secrets/keys for transporting application data. */ - void advance_with_server_finished(const Transcript_Hash& transcript_hash); + void advance_with_server_finished(const Transcript_Hash& transcript_hash, const Secrets_Callback& callbacks); /** * Transition to the final internal state allowing to create resumptions. diff --git a/src/lib/tls/tls13/tls_client_impl_13.cpp b/src/lib/tls/tls13/tls_client_impl_13.cpp index 112b78a2571..b9d1296dd02 100644 --- a/src/lib/tls/tls13/tls_client_impl_13.cpp +++ b/src/lib/tls/tls13/tls_client_impl_13.cpp @@ -118,6 +118,12 @@ bool Client_Impl_13::is_handshake_complete() const { return m_handshake_state.handshake_finished(); } +void Client_Impl_13::tls_log_secret(std::string_view label, const std::span& secret) const { + if(policy().allow_ssl_key_log_file()) { + callbacks().tls_ssl_key_log_data(label, m_handshake_state.client_hello().random(), secret); + } +} + std::optional Client_Impl_13::find_session_for_resumption() { // RFC 8446 4.6.1 // Clients MUST only resume if the new SNI value is valid for the @@ -322,12 +328,19 @@ void Client_Impl_13::handle(const Server_Hello_13& sh) { // TODO: When implementing early data, `advance_with_client_hello` must // happen _before_ encrypting any early application data. // Same when we want to support early key export. - m_cipher_state->advance_with_client_hello(m_transcript_hash.previous()); - m_cipher_state->advance_with_server_hello(cipher.value(), std::move(shared_secret), m_transcript_hash.current()); + m_cipher_state->advance_with_client_hello(m_transcript_hash.previous(), + static_cast(*this)); + m_cipher_state->advance_with_server_hello(cipher.value(), + std::move(shared_secret), + m_transcript_hash.current(), + static_cast(*this)); } else { m_resumed_session.reset(); // might have been set if we attempted a resumption - m_cipher_state = Cipher_State::init_with_server_hello( - m_side, std::move(shared_secret), cipher.value(), m_transcript_hash.current()); + m_cipher_state = Cipher_State::init_with_server_hello(m_side, + std::move(shared_secret), + cipher.value(), + m_transcript_hash.current(), + static_cast(*this)); } callbacks().tls_examine_extensions(sh.extensions(), Connection_Side::Server, Handshake_Type::ServerHello); @@ -566,7 +579,8 @@ void Client_Impl_13::handle(const Finished_13& finished_msg) { // Derives the secrets for receiving application data but defers // the derivation of sending application data. - m_cipher_state->advance_with_server_finished(m_transcript_hash.current()); + m_cipher_state->advance_with_server_finished(m_transcript_hash.current(), + static_cast(*this)); auto flight = aggregate_handshake_messages(); diff --git a/src/lib/tls/tls13/tls_client_impl_13.h b/src/lib/tls/tls13/tls_client_impl_13.h index f8f376fcaef..c967726ff15 100644 --- a/src/lib/tls/tls13/tls_client_impl_13.h +++ b/src/lib/tls/tls13/tls_client_impl_13.h @@ -12,6 +12,7 @@ #include #include +#include #include #include @@ -24,7 +25,8 @@ namespace TLS { /** * SSL/TLS Client 1.3 implementation */ -class Client_Impl_13 : public Channel_Impl_13 { +class Client_Impl_13 : public Channel_Impl_13, + public Secrets_Callback { public: /** * Set up a new TLS client session @@ -78,6 +80,11 @@ class Client_Impl_13 : public Channel_Impl_13 { */ bool is_handshake_complete() const override; + /* + * Allows access to a connection's secret data + */ + void tls_log_secret(std::string_view label, const std::span& secret) const override; + private: void process_handshake_msg(Handshake_Message_13 msg) override; void process_post_handshake_msg(Post_Handshake_Message_13 msg) override; diff --git a/src/lib/tls/tls13/tls_server_impl_13.cpp b/src/lib/tls/tls13/tls_server_impl_13.cpp index b6edc9daabd..e614275706b 100644 --- a/src/lib/tls/tls13/tls_server_impl_13.cpp +++ b/src/lib/tls/tls13/tls_server_impl_13.cpp @@ -167,6 +167,12 @@ bool Server_Impl_13::is_handshake_complete() const { return m_handshake_state.handshake_finished(); } +void Server_Impl_13::tls_log_secret(std::string_view label, const std::span& secret) const { + if(policy().allow_ssl_key_log_file()) { + callbacks().tls_ssl_key_log_data(label, m_handshake_state.client_hello().random(), secret); + } +} + void Server_Impl_13::downgrade() { BOTAN_ASSERT_NOMSG(expects_downgrade()); @@ -287,14 +293,20 @@ void Server_Impl_13::handle_reply_to_client_hello(Server_Hello_13 server_hello) if(uses_psk) { BOTAN_ASSERT_NONNULL(psk_cipher_state); - psk_cipher_state->advance_with_client_hello(m_transcript_hash.previous()); - psk_cipher_state->advance_with_server_hello( - cipher, my_keyshare->take_shared_secret(), m_transcript_hash.current()); + psk_cipher_state->advance_with_client_hello(m_transcript_hash.previous(), + static_cast(*this)); + psk_cipher_state->advance_with_server_hello(cipher, + my_keyshare->take_shared_secret(), + m_transcript_hash.current(), + static_cast(*this)); return std::move(psk_cipher_state); } else { - return Cipher_State::init_with_server_hello( - m_side, my_keyshare->take_shared_secret(), cipher, m_transcript_hash.current()); + return Cipher_State::init_with_server_hello(m_side, + my_keyshare->take_shared_secret(), + cipher, + m_transcript_hash.current(), + static_cast(*this)); } }(); @@ -375,7 +387,8 @@ void Server_Impl_13::handle_reply_to_client_hello(Server_Hello_13 server_hello) flight.send(); - m_cipher_state->advance_with_server_finished(m_transcript_hash.current()); + m_cipher_state->advance_with_server_finished(m_transcript_hash.current(), + static_cast(*this)); if(m_handshake_state.has_certificate_request()) { // RFC 8446 4.4.2 diff --git a/src/lib/tls/tls13/tls_server_impl_13.h b/src/lib/tls/tls13/tls_server_impl_13.h index 0b543cad957..ec0e12a9beb 100644 --- a/src/lib/tls/tls13/tls_server_impl_13.h +++ b/src/lib/tls/tls13/tls_server_impl_13.h @@ -10,6 +10,7 @@ #define BOTAN_TLS_SERVER_IMPL_13_H_ #include +#include #include #include @@ -18,7 +19,8 @@ namespace Botan::TLS { /** * SSL/TLS Server 1.3 implementation */ -class Server_Impl_13 : public Channel_Impl_13 { +class Server_Impl_13 : public Channel_Impl_13, + public Secrets_Callback { public: explicit Server_Impl_13(const std::shared_ptr& callbacks, const std::shared_ptr& session_manager, @@ -36,6 +38,8 @@ class Server_Impl_13 : public Channel_Impl_13 { bool is_handshake_complete() const override; + void tls_log_secret(std::string_view label, const std::span& secret) const override; + private: void process_handshake_msg(Handshake_Message_13 msg) override; void process_post_handshake_msg(Post_Handshake_Message_13 msg) override; diff --git a/src/lib/tls/tls_callbacks.h b/src/lib/tls/tls_callbacks.h index 4a889c5ccdb..00ee7c6d57b 100644 --- a/src/lib/tls/tls_callbacks.h +++ b/src/lib/tls/tls_callbacks.h @@ -560,6 +560,26 @@ class BOTAN_PUBLIC_API(2, 0) Callbacks { virtual void tls_log_debug_bin(const char* descr, const uint8_t val[], size_t val_len) { BOTAN_UNUSED(descr, val, val_len); } + + /** + * Optional callback: Allows access to a connection's secret data + * + * Useful to implement the SSLKEYLOGFILE for connection debugging as + * specified in ietf.org/archive/id/draft-thomson-tls-keylogfile-00.html + * + * Default implementation simply ignores the inputs. + * + * @param label Identifies the reported secret type + * See draft-thomson-tls-keylogfile-00 Section 3.1 and 3.2 + * @param client_random random value from ClientHello message acting as + * an identifier of the TLS sessions + * @param secret the actual secret value + */ + virtual void tls_ssl_key_log_data(std::string_view label, + const std::span& client_random, + const std::span& secret) const { + BOTAN_UNUSED(label, client_random, secret); + } }; } // namespace TLS diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp index 172964b340c..70e43488f32 100644 --- a/src/lib/tls/tls_policy.cpp +++ b/src/lib/tls/tls_policy.cpp @@ -14,12 +14,18 @@ #include #include #include +#include #include #include #include namespace Botan::TLS { +bool Policy::allow_ssl_key_log_file() const { + std::string data; + return Botan::OS::read_env_variable(data, "SSLKEYLOGFILE"); +} + std::vector Policy::allowed_signature_schemes() const { std::vector schemes; diff --git a/src/lib/tls/tls_policy.h b/src/lib/tls/tls_policy.h index 6e384b42941..1aa3863e1ee 100644 --- a/src/lib/tls/tls_policy.h +++ b/src/lib/tls/tls_policy.h @@ -31,6 +31,11 @@ namespace TLS { */ class BOTAN_PUBLIC_API(2, 0) Policy { public: + /** + * Allow ssl key log file + */ + virtual bool allow_ssl_key_log_file() const; + /** * Returns a list of ciphers we are willing to negotiate, in * order of preference. @@ -629,6 +634,8 @@ class BOTAN_PUBLIC_API(2, 0) Strict_Policy : public Policy { class BOTAN_PUBLIC_API(2, 0) Text_Policy : public Policy { public: + bool allow_ssl_key_log_file() const override; + std::vector allowed_ciphers() const override; std::vector allowed_signature_hashes() const override; diff --git a/src/lib/tls/tls_text_policy.cpp b/src/lib/tls/tls_text_policy.cpp index d363648857e..3f3b15060c3 100644 --- a/src/lib/tls/tls_text_policy.cpp +++ b/src/lib/tls/tls_text_policy.cpp @@ -15,6 +15,10 @@ namespace Botan::TLS { +bool Text_Policy::allow_ssl_key_log_file() const { + return get_bool("allow_ssl_key_log_file", Policy::allow_ssl_key_log_file()); +} + std::vector Text_Policy::allowed_ciphers() const { return get_list("ciphers", Policy::allowed_ciphers()); } diff --git a/src/tests/test_tls_cipher_state.cpp b/src/tests/test_tls_cipher_state.cpp index 1875bb82ba3..295cc5ce2da 100644 --- a/src/tests/test_tls_cipher_state.cpp +++ b/src/tests/test_tls_cipher_state.cpp @@ -256,10 +256,11 @@ std::vector test_secret_derivation_rfc8448_rtt1() { auto cipher = Ciphersuite::from_name("AES_128_GCM_SHA256").value(); // initialize Cipher_State with client_hello...server_hello + Secrets_Callback sc; auto cs_client = Cipher_State::init_with_server_hello( - Connection_Side::Client, secure_vector(shared_secret), cipher, th_server_hello); + Connection_Side::Client, secure_vector(shared_secret), cipher, th_server_hello, sc); auto cs_server = Cipher_State::init_with_server_hello( - Connection_Side::Server, secure_vector(shared_secret), cipher, th_server_hello); + Connection_Side::Server, secure_vector(shared_secret), cipher, th_server_hello, sc); auto CHECK_both = make_CHECK_both(cs_client.get(), cs_server.get()); @@ -311,7 +312,7 @@ std::vector test_secret_derivation_rfc8448_rtt1() { // advance Cipher_State with client_hello...server_Finished // (allows receiving of application data, but does not yet allow such sending) result.test_no_throw("state advancement is legal", - [&] { cs->advance_with_server_finished(th_server_finished); }); + [&] { cs->advance_with_server_finished(th_server_finished, sc); }); if(side == Connection_Side::Client) { result.confirm("can read application data", cs->can_decrypt_application_traffic()); @@ -577,7 +578,8 @@ std::vector test_secret_derivation_rfc8448_rtt0() { CHECK_both("calculate the early traffic secrets", [&](Cipher_State* cs, Connection_Side side, Test::Result& result) { - cs->advance_with_client_hello(th_client_hello); + Secrets_Callback sc; + cs->advance_with_client_hello(th_client_hello, sc); result.require("early key export is possible", cs->can_export_keys()); result.test_eq("early key export produces expected result", cs->export_key(early_export_label, early_export_context, 16), @@ -600,7 +602,8 @@ std::vector test_secret_derivation_rfc8448_rtt0() { CHECK_both("handshake traffic after PSK", [&](Cipher_State* cs, Connection_Side side, Test::Result& result) { - cs->advance_with_server_hello(cipher, secure_vector(shared_secret), th_server_hello); + Secrets_Callback sc; + cs->advance_with_server_hello(cipher, secure_vector(shared_secret), th_server_hello, sc); // decrypt encrypted extensions from server encrypted_extensions.xxcrypt(result, cs, side); @@ -630,7 +633,7 @@ std::vector test_secret_derivation_rfc8448_rtt0() { // advance Cipher_State with client_hello...server_Finished // (allows receiving of application data, but no such sending) result.test_no_throw("state advancement is legal", - [&] { cs->advance_with_server_finished(th_server_finished); }); + [&] { cs->advance_with_server_finished(th_server_finished, sc); }); if(side == Connection_Side::Client) { result.confirm("can read application data", cs->can_decrypt_application_traffic()); diff --git a/src/tests/test_tls_record_layer_13.cpp b/src/tests/test_tls_record_layer_13.cpp index 6b1c2951633..4c1c1ead265 100644 --- a/src/tests/test_tls_record_layer_13.cpp +++ b/src/tests/test_tls_record_layer_13.cpp @@ -59,7 +59,8 @@ std::unique_ptr rfc8448_rtt1_handshake_traffic( "8b d4 05 4f b5 5b 9d 63 fd fb ac f9 f0 4b 9f 0d" "35 e6 d6 3f 53 75 63 ef d4 62 72 90 0f 89 49 2d"); auto cipher = TLS::Ciphersuite::from_name("AES_128_GCM_SHA256").value(); - return TLS::Cipher_State::init_with_server_hello(side, std::move(shared_secret), cipher, transcript_hash); + Botan::TLS::Secrets_Callback sc; + return TLS::Cipher_State::init_with_server_hello(side, std::move(shared_secret), cipher, transcript_hash, sc); } std::vector read_full_records() { @@ -655,8 +656,9 @@ std::vector read_encrypted_records() { auto cs = rfc8448_rtt1_handshake_traffic(); // advance with arbitrary hashes that were used to produce the input data + Botan::TLS::Secrets_Callback sc; cs->advance_with_server_finished( - Botan::hex_decode("e1935a480babfc4403b2517f0ad414bed0ca51fa671e2061804afa78fd71d55c")); + Botan::hex_decode("e1935a480babfc4403b2517f0ad414bed0ca51fa671e2061804afa78fd71d55c"), sc); cs->advance_with_client_finished( Botan::hex_decode("305e4a0a7cee581b282c571b251b20138a1a6a21918937a6bb95b1e9ba1b5cac"));