1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-24 00:58:48 -05:00
curl/lib/vtls
Peter Wu 6011a986ca vtls: Extract and simplify key log file handling from OpenSSL
Create a set of routines for TLS key log file handling to enable reuse
with other TLS backends. Simplify the OpenSSL backend as follows:

 - Drop the ENABLE_SSLKEYLOGFILE macro as it is unconditionally enabled.
 - Do not perform dynamic memory allocation when preparing a log entry.
   Unless the TLS specifications change we can suffice with a reasonable
   fixed-size buffer.
 - Simplify state tracking when SSL_CTX_set_keylog_callback is
   unavailable. My original sslkeylog.c code included this tracking in
   order to handle multiple calls to SSL_connect and detect new keys
   after renegotiation (via SSL_read/SSL_write). For curl however we can
   be sure that a single master secret eventually becomes available
   after SSL_connect, so a simple flag is sufficient. An alternative to
   the flag is examining SSL_state(), but this seems more complex and is
   not pursued. Capturing keys after server renegotiation was already
   unsupported in curl and remains unsupported.

Tested with curl built against OpenSSL 0.9.8zh, 1.0.2u, and 1.1.1f
(`SSLKEYLOGFILE=keys.txt curl -vkso /dev/null https://localhost:4433`)
against an OpenSSL 1.1.1f server configured with:

    # Force non-TLSv1.3, use TLSv1.0 since 0.9.8 fails with 1.1 or 1.2
    openssl s_server -www -tls1
    # Likewise, but fail the server handshake.
    openssl s_server -www -tls1 -Verify 2
    # TLS 1.3 test. No need to test the failing server handshake.
    openssl s_server -www -tls1_3

Verify that all secrets (1 for TLS 1.0, 4 for TLS 1.3) are correctly
written using Wireshark. For the first and third case, expect four
matches per connection (decrypted Server Finished, Client Finished, HTTP
Request, HTTP Response). For the second case where the handshake fails,
expect a decrypted Server Finished only.

    tshark -i lo -pf tcp -otls.keylog_file:keys.txt -Tfields \
        -eframe.number -eframe.time -etcp.stream -e_ws.col.Info \
        -dtls.port==4433,http -ohttp.desegment_body:FALSE \
        -Y 'tls.handshake.verify_data or http'

A single connection can easily be identified via the `tcp.stream` field.
2020-05-27 21:19:51 +02:00
..
bearssl.c bearssl: remove the BACKEND define kludge 2020-03-19 13:22:34 +01:00
bearssl.h TLS: add BearSSL vtls implementation 2019-11-26 08:32:23 +01:00
gskit.c source cleanup: remove all custom typedef structs 2020-05-15 08:54:42 +02:00
gskit.h copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
gtls.c all: fix codespell errors 2020-05-25 19:44:04 +00:00
gtls.h vtls: fold the backend ID into the Curl_ssl structure 2017-08-28 14:56:58 +02:00
keylog.c vtls: Extract and simplify key log file handling from OpenSSL 2020-05-27 21:19:51 +02:00
keylog.h vtls: Extract and simplify key log file handling from OpenSSL 2020-05-27 21:19:51 +02:00
mbedtls_threadlock.c polarssl: removed 2020-01-16 11:55:56 +01:00
mbedtls_threadlock.h polarssl: removed 2020-01-16 11:55:56 +01:00
mbedtls.c checksrc: enhance the ASTERISKSPACE and update code accordingly 2020-05-14 00:02:05 +02:00
mbedtls.h copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
mesalink.c vtls: fix narrowing conversion warnings 2019-09-23 09:44:35 +02:00
mesalink.h vtls: add a MesaLink vtls backend 2018-09-13 08:26:37 +02:00
nss.c source cleanup: remove all custom typedef structs 2020-05-15 08:54:42 +02:00
nssg.h vtls: fold the backend ID into the Curl_ssl structure 2017-08-28 14:56:58 +02:00
openssl.c vtls: Extract and simplify key log file handling from OpenSSL 2020-05-27 21:19:51 +02:00
openssl.h vtls: fold the backend ID into the Curl_ssl structure 2017-08-28 14:56:58 +02:00
schannel_verify.c cleanup: use a single space after equals sign in assignments 2020-05-26 08:28:38 +02:00
schannel.c all: fix codespell errors 2020-05-25 19:44:04 +00:00
schannel.h schannel: use Curl_ prefix for global private symbols 2018-11-01 09:39:45 +01:00
sectransp.c setopt: support certificate options in memory with struct curl_blob 2020-05-15 13:03:59 +02:00
sectransp.h Secure Transport: no more "darwinssl" 2019-02-28 08:42:59 +01:00
vtls.c source cleanup: remove all custom typedef structs 2020-05-15 08:54:42 +02:00
vtls.h checksrc: enhance the ASTERISKSPACE and update code accordingly 2020-05-14 00:02:05 +02:00
wolfssl.c source cleanup: remove all custom typedef structs 2020-05-15 08:54:42 +02:00
wolfssl.h wolfssl: refer to it as wolfSSL only 2019-06-10 09:18:16 +02:00