mirror of
https://github.com/refraction-networking/utls.git
synced 2025-04-04 04:27:36 +03:00
crypto/tls: add KeyLogWriter for debugging
Add support for writing TLS client random and master secret in NSS key log format. https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format Normally this is enabled by a developer debugging TLS based applications, especially HTTP/2, by setting the KeyLogWriter to an open file. The keys negotiated in handshake are then logged and can be used to decrypt TLS sessions e.g. in Wireshark. Applications may choose to add support similar to NSS where this is enabled by environment variable, but no such mechanism is built in to Go. Instead each application must explicitly enable. Fixes #13057. Change-Id: If6edd2d58999903e8390b1674ba4257ecc747ae1 Reviewed-on: https://go-review.googlesource.com/27434 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
This commit is contained in:
Joonas Kuorilehto
Brad Fitzpatrick
parent
2c396d97fb
commit
94b4238f5f
8 changed files with 279 additions and 0 deletions
|
|
@ -727,6 +727,47 @@ func TestLRUClientSessionCache(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
func TestHandshakeClientKeyLog(t *testing.T) {
|
||||
config := testConfig.clone()
|
||||
buf := &bytes.Buffer{}
|
||||
config.KeyLogWriter = buf
|
||||
|
||||
// config.Rand is zero reader, so client random is all-0
|
||||
var zeroRandom = strings.Repeat("0", 64)
|
||||
|
||||
test := &clientTest{
|
||||
name: "KeyLogWriter",
|
||||
command: []string{"openssl", "s_server"},
|
||||
config: config,
|
||||
validate: func(state ConnectionState) error {
|
||||
var format, clientRandom, masterSecret string
|
||||
if _, err := fmt.Fscanf(buf, "%s %s %s\n", &format, &clientRandom, &masterSecret); err != nil {
|
||||
return fmt.Errorf("failed to parse KeyLogWriter: " + err.Error())
|
||||
}
|
||||
if format != "CLIENT_RANDOM" {
|
||||
return fmt.Errorf("got key log format %q, wanted CLIENT_RANDOM", format)
|
||||
}
|
||||
if clientRandom != zeroRandom {
|
||||
return fmt.Errorf("got key log client random %q, wanted %q", clientRandom, zeroRandom)
|
||||
}
|
||||
|
||||
// Master secret is random from server; check length only
|
||||
if len(masterSecret) != 96 {
|
||||
return fmt.Errorf("got wrong length master secret in key log %v, want 96", len(masterSecret))
|
||||
}
|
||||
|
||||
// buf should contain no more lines
|
||||
var trailingGarbage string
|
||||
if _, err := fmt.Fscanln(buf, &trailingGarbage); err == nil {
|
||||
return fmt.Errorf("expected exactly one key in log, got trailing garbage %q", trailingGarbage)
|
||||
}
|
||||
|
||||
return nil
|
||||
},
|
||||
}
|
||||
runClientTestTLS10(t, test)
|
||||
}
|
||||
|
||||
func TestHandshakeClientALPNMatch(t *testing.T) {
|
||||
config := testConfig.clone()
|
||||
config.NextProtos = []string{"proto2", "proto1"}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue