Merge pull request #7372 from julek-wolfssl/zd/17435

Add secret logging callback to TLS <= 1.2
2026-01-29 18:02:13 +01:00 · 2024-04-26 09:41:58 +10:00
parent 5ee0e34d89 c62faa048c
commit c8e51112c3
6 changed files with 91 additions and 40 deletions
--- a/src/internal.c
+++ b/src/internal.c
@@ -7583,6 +7583,9 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
    defined(WOLFSSL_SSLKEYLOGFILE) && defined(WOLFSSL_TLS13)
    (void)wolfSSL_set_tls13_secret_cb(ssl, tls13ShowSecrets, NULL);
 #endif
+#if defined(HAVE_SECRET_CALLBACK) && defined(SHOW_SECRETS)
+    (void)wolfSSL_set_secret_cb(ssl, tlsShowSecrets, NULL);
+#endif
 #ifdef WOLFSSL_DUAL_ALG_CERTS
    ssl->sigSpec = ctx->sigSpec;
    ssl->sigSpecSz = ctx->sigSpecSz;
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -8236,6 +8236,75 @@ int wolfSSL_set_session_secret_cb(WOLFSSL* ssl, SessionSecretCb cb, void* ctx)
    return WOLFSSL_SUCCESS;
 }

+int wolfSSL_set_secret_cb(WOLFSSL* ssl, TlsSecretCb cb, void* ctx)
+{
+    WOLFSSL_ENTER("wolfSSL_set_secret_cb");
+    if (ssl == NULL)
+        return WOLFSSL_FATAL_ERROR;
+
+    ssl->tlsSecretCb = cb;
+    ssl->tlsSecretCtx = ctx;
+
+    return WOLFSSL_SUCCESS;
+}
+
+#ifdef SHOW_SECRETS
+int tlsShowSecrets(WOLFSSL* ssl, void* secret, int secretSz,
+        void* ctx)
+{
+    /* Wireshark Pre-Master-Secret Format:
+     *  CLIENT_RANDOM <clientrandom> <mastersecret>
+     */
+    const char* CLIENT_RANDOM_LABEL = "CLIENT_RANDOM";
+    int i, pmsPos = 0;
+    char pmsBuf[13 + 1 + 64 + 1 + 96 + 1 + 1];
+    byte clientRandom[RAN_LEN];
+    int clientRandomSz;
+
+    (void)ctx;
+
+    clientRandomSz = (int)wolfSSL_get_client_random(ssl, clientRandom,
+        sizeof(clientRandom));
+
+    if (clientRandomSz <= 0) {
+        printf("Error getting server random %d\n", clientRandomSz);
+        return BAD_FUNC_ARG;
+    }
+
+    XSNPRINTF(&pmsBuf[pmsPos], sizeof(pmsBuf) - pmsPos, "%s ",
+        CLIENT_RANDOM_LABEL);
+    pmsPos += XSTRLEN(CLIENT_RANDOM_LABEL) + 1;
+    for (i = 0; i < clientRandomSz; i++) {
+        XSNPRINTF(&pmsBuf[pmsPos], sizeof(pmsBuf) - pmsPos, "%02x",
+            clientRandom[i]);
+        pmsPos += 2;
+    }
+    XSNPRINTF(&pmsBuf[pmsPos], sizeof(pmsBuf) - pmsPos, " ");
+    pmsPos += 1;
+    for (i = 0; i < secretSz; i++) {
+        XSNPRINTF(&pmsBuf[pmsPos], sizeof(pmsBuf) - pmsPos, "%02x",
+            ((byte*)secret)[i]);
+        pmsPos += 2;
+    }
+    XSNPRINTF(&pmsBuf[pmsPos], sizeof(pmsBuf) - pmsPos, "\n");
+    pmsPos += 1;
+
+    /* print master secret */
+    puts(pmsBuf);
+
+    #if !defined(NO_FILESYSTEM) && defined(WOLFSSL_SSLKEYLOGFILE)
+    {
+        FILE* f = XFOPEN(WOLFSSL_SSLKEYLOGFILE_OUTPUT, "a");
+        if (f != XBADFILE) {
+            XFWRITE(pmsBuf, 1, pmsPos, f);
+            XFCLOSE(f);
+        }
+    }
+    #endif
+    return 0;
+}
+#endif /* SHOW_SECRETS */
+
 #endif


--- a/src/tls.c
+++ b/src/tls.c
@@ -586,47 +586,13 @@ int MakeTlsMasterSecret(WOLFSSL* ssl)
                      ssl->specs.mac_algorithm, ssl->heap, ssl->devId);
        }
    }
+#ifdef HAVE_SECRET_CALLBACK
+    if (ret == 0 && ssl->tlsSecretCb != NULL) {
+        ret = ssl->tlsSecretCb(ssl, ssl->arrays->masterSecret,
+                SECRET_LEN, ssl->tlsSecretCtx);
+    }
+#endif /* HAVE_SECRET_CALLBACK */
    if (ret == 0) {
-    #ifdef SHOW_SECRETS
-        /* Wireshark Pre-Master-Secret Format:
-         *  CLIENT_RANDOM <clientrandom> <mastersecret>
-         */
-        const char* CLIENT_RANDOM_LABEL = "CLIENT_RANDOM";
-        int i, pmsPos = 0;
-        char pmsBuf[13 + 1 + 64 + 1 + 96 + 1 + 1];
-
-        XSNPRINTF(&pmsBuf[pmsPos], sizeof(pmsBuf) - pmsPos, "%s ",
-            CLIENT_RANDOM_LABEL);
-        pmsPos += XSTRLEN(CLIENT_RANDOM_LABEL) + 1;
-        for (i = 0; i < RAN_LEN; i++) {
-            XSNPRINTF(&pmsBuf[pmsPos], sizeof(pmsBuf) - pmsPos, "%02x",
-                ssl->arrays->clientRandom[i]);
-            pmsPos += 2;
-        }
-        XSNPRINTF(&pmsBuf[pmsPos], sizeof(pmsBuf) - pmsPos, " ");
-        pmsPos += 1;
-        for (i = 0; i < SECRET_LEN; i++) {
-            XSNPRINTF(&pmsBuf[pmsPos], sizeof(pmsBuf) - pmsPos, "%02x",
-                ssl->arrays->masterSecret[i]);
-            pmsPos += 2;
-        }
-        XSNPRINTF(&pmsBuf[pmsPos], sizeof(pmsBuf) - pmsPos, "\n");
-        pmsPos += 1;
-
-        /* print master secret */
-        puts(pmsBuf);
-
-        #if !defined(NO_FILESYSTEM) && defined(WOLFSSL_SSLKEYLOGFILE)
-        {
-            FILE* f = XFOPEN(WOLFSSL_SSLKEYLOGFILE_OUTPUT, "a");
-            if (f != XBADFILE) {
-                XFWRITE(pmsBuf, 1, pmsPos, f);
-                XFCLOSE(f);
-            }
-        }
-        #endif
-    #endif /* SHOW_SECRETS */
-
        ret = DeriveTlsKeys(ssl);
    }

--- a/src/tls13.c
+++ b/src/tls13.c
@@ -14776,6 +14776,7 @@ int tls13ShowSecrets(WOLFSSL* ssl, int id, const unsigned char* secret,

    if (clientRandomSz <= 0) {
        printf("Error getting server random %d\n", clientRandomSz);
+        return BAD_FUNC_ARG;
    }

 #if 0