Fix for TLS v1.3 key log examples (#273)

2021-10-27 11:38:05 -07:00 · 2021-10-27 11:38:05 -07:00 · adbccfd8a2
parent 244fd99568
commit adbccfd8a2
3 changed files with 96 additions and 27 deletions
--- a/tls/README.md
+++ b/tls/README.md
@ -1198,19 +1198,22 @@ See the `client-tls-cryptocb.c` example for demonstrating the `--enable-cryptocb
 Build wolfSSL with `HAVE_SECRET_CALLBACK` included:
-```
+```sh
 ./configure --enable-tls13 CFLAGS="-DHAVE_SECRET_CALLBACK" && make && sudo make install
 ```
 In wolfssl-examples/tls:
-```
+
 ```sh
 make clean && make
 ./server-tls13 &
 ./client-tls13 127.0.0.1
 # Execute client-tls13 again with the message "shutdown" in order to end the execution of the server.
 ```
 Wireshark can decode traffic using the created "sslkeylog.log". To configure in Wireshark Prferences go to Protocols -> TLS. In the "(Pre)-Master-Secret log filename" choose the "sslkeylog.log" file in this directory.
-Capture TLS traffic and all packets will be decrypted (handshake and application data).
+Capture TLS traffic and all packets will be decrypted (handshake and application data). To see application data decrypted you may have to right-click on packet click "Follow" -> "TLS Stream".
 ## TLS over UART Example
--- a/tls/client-tls13.c
+++ b/tls/client-tls13.c
@ -34,6 +34,7 @@
 #include <wolfssl/options.h>
 #include <wolfssl/ssl.h>
 #include <wolfssl/wolfio.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
 #define DEFAULT_PORT 11111
@ -52,7 +53,7 @@ static int Tls13SecretCallback(WOLFSSL* ssl, int id, const unsigned char* secret
    int i;
    const char* str = NULL;
    unsigned char clientRandom[32];
-    size_t clientRandomSz;
+    int clientRandomSz;
    XFILE fp = stderr;
    if (ctx) {
        fp = XFOPEN((const char*)ctx, "ab");
@ -61,9 +62,18 @@ static int Tls13SecretCallback(WOLFSSL* ssl, int id, const unsigned char* secret
        }
    }
-    clientRandomSz = wolfSSL_get_client_random(ssl, clientRandom,
+    clientRandomSz = (int)wolfSSL_get_client_random(ssl, clientRandom,
        sizeof(clientRandom));
    if (clientRandomSz <= 0) {
        printf("Error getting client random %d\n", clientRandomSz);
    }
 #if 0
    printf("TLS Client Secret CB: Rand %d, Secret %d\n",
        clientRandomSz, secretSz);
 #endif
    switch (id) {
        case CLIENT_EARLY_TRAFFIC_SECRET:
            str = "CLIENT_EARLY_TRAFFIC_SECRET"; break;
@ -82,7 +92,7 @@ static int Tls13SecretCallback(WOLFSSL* ssl, int id, const unsigned char* secret
    }
    fprintf(fp, "%s ", str);
-    for (i = 0; i < (int)clientRandomSz; i++) {
+    for (i = 0; i < clientRandomSz; i++) {
        fprintf(fp, "%02x", clientRandom[i]);
    }
    fprintf(fp, " ");
@ -182,6 +192,9 @@ int main(int argc, char** argv)
    }
 #ifdef HAVE_SECRET_CALLBACK
    /* required for getting random used */
    wolfSSL_KeepArrays(ssl);
    /* optional logging for wireshark */
    wolfSSL_set_tls13_secret_cb(ssl, Tls13SecretCallback,
        (void*)WOLFSSL_SSLKEYLOGFILE_OUTPUT);
@ -193,6 +206,10 @@ int main(int argc, char** argv)
        goto exit;
    }
 #ifdef HAVE_SECRET_CALLBACK
    wolfSSL_FreeArrays(ssl);
 #endif
    /* Get a message for the server from stdin */
    printf("Message for server: ");
    memset(buff, 0, sizeof(buff));
--- a/tls/server-tls13.c
+++ b/tls/server-tls13.c
@ -30,16 +30,23 @@
 #include <netinet/in.h>
 #include <unistd.h>
 #define HAVE_SIGNAL
 #ifdef HAVE_SIGNAL
 #include <signal.h>        /* signal */
 #endif
 /* wolfSSL */
 #include <wolfssl/options.h>
 #include <wolfssl/ssl.h>
 #include <wolfssl/wolfio.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
 #define DEFAULT_PORT 11111
 #define CERT_FILE "../certs/server-cert.pem"
 #define KEY_FILE  "../certs/server-key.pem"
 #if defined(WOLFSSL_TLS13) && defined(HAVE_SECRET_CALLBACK)
 #ifndef WOLFSSL_SSLKEYLOGFILE_OUTPUT
@ -53,7 +60,7 @@ static int Tls13SecretCallback(WOLFSSL* ssl, int id, const unsigned char* secret
    int i;
    const char* str = NULL;
    unsigned char serverRandom[32];
-    size_t serverRandomSz;
+    int serverRandomSz;
    XFILE fp = stderr;
    if (ctx) {
        fp = XFOPEN((const char*)ctx, "ab");
@ -62,9 +69,18 @@ static int Tls13SecretCallback(WOLFSSL* ssl, int id, const unsigned char* secret
        }
    }
-    serverRandomSz = wolfSSL_get_server_random(ssl, serverRandom,
+    serverRandomSz = (int)wolfSSL_get_server_random(ssl, serverRandom,
        sizeof(serverRandom));
    if (serverRandomSz <= 0) {
        printf("Error getting server random %d\n", serverRandomSz);
    }
 #if 0
    printf("TLS Server Secret CB: Rand %d, Secret %d\n",
        serverRandomSz, secretSz);
 #endif
    switch (id) {
        case CLIENT_EARLY_TRAFFIC_SECRET:
            str = "CLIENT_EARLY_TRAFFIC_SECRET"; break;
@ -100,31 +116,53 @@ static int Tls13SecretCallback(WOLFSSL* ssl, int id, const unsigned char* secret
 }
 #endif /* WOLFSSL_TLS13 && HAVE_SECRET_CALLBACK */
 static int mSockfd = SOCKET_INVALID;
 static int mConnd = SOCKET_INVALID;
 static int mShutdown = 0;
 #ifdef HAVE_SIGNAL
 static void sig_handler(const int sig)
 {
    fprintf(stderr, "SIGINT handled = %d.\n", sig);
    mShutdown = 1;
    if (mConnd != SOCKET_INVALID) {
        close(mConnd);           /* Close the connection to the client   */
        mConnd = SOCKET_INVALID;
    }
    if (mSockfd != SOCKET_INVALID) {
        close(mSockfd);          /* Close the socket listening for clients   */
        mSockfd = SOCKET_INVALID;
    }
 }
 #endif
 int main(int argc, char** argv)
 {
    int ret = 0;
 #ifdef WOLFSSL_TLS13
    int                sockfd = SOCKET_INVALID;
    int                connd = SOCKET_INVALID;
    struct sockaddr_in servAddr;
    struct sockaddr_in clientAddr;
    socklen_t          size = sizeof(clientAddr);
    char               buff[256];
    size_t             len;
    int                shutdown = 0;
    const char*        reply = "I hear ya fa shizzle!\n";
    /* declare wolfSSL objects */
    WOLFSSL_CTX* ctx = NULL;
    WOLFSSL*     ssl = NULL;
 #ifdef HAVE_SIGNAL
    signal(SIGINT, sig_handler);
 #endif
    /* Initialize wolfSSL */
    wolfSSL_Init();
    /* Create a socket that uses an internet IPv4 address,
     * Sets the socket to be stream based (TCP),
     * 0 means choose the default protocol. */
-    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
+    if ((mSockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        fprintf(stderr, "ERROR: failed to create the socket\n");
        goto exit;
    }
@ -163,24 +201,23 @@ int main(int argc, char** argv)
    /* Bind the server socket to our port */
-    if (bind(sockfd, (struct sockaddr*)&servAddr, sizeof(servAddr)) == -1) {
+    if (bind(mSockfd, (struct sockaddr*)&servAddr, sizeof(servAddr)) == -1) {
        fprintf(stderr, "ERROR: failed to bind\n");
        goto exit;
    }
    /* Listen for a new connection, allow 5 pending connections */
-    if (listen(sockfd, 5) == -1) {
+    if (listen(mSockfd, 5) == -1) {
        fprintf(stderr, "ERROR: failed to listen\n");
        goto exit;
    }
-
+    /* Continue to accept clients until mShutdown is issued */
-    /* Continue to accept clients until shutdown is issued */
+    while (!mShutdown) {
    while (!shutdown) {
        printf("Waiting for a connection...\n");
        /* Accept client connections */
-        if ((connd = accept(sockfd, (struct sockaddr*)&clientAddr, &size))
+        if ((mConnd = accept(mSockfd, (struct sockaddr*)&clientAddr, &size))
            == -1) {
            fprintf(stderr, "ERROR: failed to accept the connection\n\n");
            ret = -1; goto exit;
@ -193,9 +230,12 @@ int main(int argc, char** argv)
        }
        /* Attach wolfSSL to the socket */
-        wolfSSL_set_fd(ssl, connd);
+        wolfSSL_set_fd(ssl, mConnd);
    #ifdef HAVE_SECRET_CALLBACK
        /* required for getting random used */
        wolfSSL_KeepArrays(ssl);
        /* optional logging for wireshark */
        wolfSSL_set_tls13_secret_cb(ssl, Tls13SecretCallback,
            (void*)WOLFSSL_SSLKEYLOGFILE_OUTPUT);
@ -210,6 +250,10 @@ int main(int argc, char** argv)
        printf("Client connected successfully\n");
    #ifdef HAVE_SECRET_CALLBACK
        wolfSSL_FreeArrays(ssl);
    #endif
        /* Read the client data into our buff array */
        memset(buff, 0, sizeof(buff));
        if ((ret = wolfSSL_read(ssl, buff, sizeof(buff)-1)) < 0) {
@ -223,7 +267,7 @@ int main(int argc, char** argv)
        /* Check for server shutdown command */
        if (strncmp(buff, "shutdown", 8) == 0) {
            printf("Shutdown command issued!\n");
-            shutdown = 1;
+            mShutdown = 1;
        }
        /* Write our reply into buff */
@ -238,13 +282,14 @@ int main(int argc, char** argv)
        }
        /* Cleanup after this connection */
        wolfSSL_shutdown(ssl);
        if (ssl) {
            wolfSSL_free(ssl);      /* Free the wolfSSL object              */
            ssl = NULL;
        }
-        if (connd != SOCKET_INVALID) {
+        if (mConnd != SOCKET_INVALID) {
-            close(connd);           /* Close the connection to the client   */
+            close(mConnd);           /* Close the connection to the client   */
-            connd = SOCKET_INVALID;
+            mConnd = SOCKET_INVALID;
        }
    }
@ -254,10 +299,14 @@ exit:
    /* Cleanup and return */
    if (ssl)
        wolfSSL_free(ssl);      /* Free the wolfSSL object              */
-    if (connd != SOCKET_INVALID)
+    if (mConnd != SOCKET_INVALID) {
-        close(connd);           /* Close the connection to the client   */
+        close(mConnd);           /* Close the connection to the client   */
-    if (sockfd != SOCKET_INVALID)
+        mConnd = SOCKET_INVALID;
-        close(sockfd);          /* Close the socket listening for clients   */
+    }
    if (mSockfd != SOCKET_INVALID) {
        close(mSockfd);          /* Close the socket listening for clients   */
        mSockfd = SOCKET_INVALID;
    }
    if (ctx)
        wolfSSL_CTX_free(ctx);  /* Free the wolfSSL context object          */
    wolfSSL_Cleanup();          /* Cleanup the wolfSSL environment          */