wolfssl
[Bug]: `wolfSSL_get_keys` without ifdefs in header, but with ifdefs in c file
Contact Details
[myfirstname][email protected]
Version
5.6.3
Description
Target + Build Environment: 64bit Linux
Configure Line: ./configure --enable-nullcipher --enable-psk --enable-opensslcoexist --enable-debug --enable-tls13 --enable-ecccustcurves --enable-brainpool --enable-curve25519 --enable-ed25519 --enable-curve448 --enable-ed448 CFLAGS="-DWOLFSSL_STATIC_RSA -DWOLFSSL_STATIC_DH -DKEEP_PEER_CERT -DHAVE_SECRET_CALLBACK"
I am trying to generate a NSS Key Log, but I cannot enable opensslextra as my software also contains OpenSSL.
Hence, I cannot use wolfSSL_CTX_set_keylog_callback.
Thus, I decided to use wolfSSL_get_keys to write it out manually.
It is contained in my headers without any ifdefs.
But in ssl.c, the compilation is dependent on one of three ifdefs.
Does this inconsistency classify as a bug?
Feedback
Furthermore, as said in an earlier issue, the function compiles just fine if moved outside the ifdef.
Last but not least, it is irritating that wolf has facilities to write JUST the TLS 1.2 keylog to a compile-time-defined location. Furthermore, there is the secret callback for JUST TLS 1.3. Last but not least, there is the manual wolfSSL_get_keys, while the convenient keylog function is only available with OPENSSL_EXTRA.
Reproduction steps
No response
Relevant log output
No response
Cheers,
Laurenz
Hi @laurenzfg ,
You might need to call wolfSSL_KeepArrays(ssl). We have a full TLS v1.3 example for using the secret callbacks for key log here: https://github.com/wolfSSL/wolfssl-examples/blob/master/tls/client-tls13.c#L218
I also asked @bigbrett to review this, since he is actively doing some key log integration with the sniffer.
Thanks, David Garske, wolfSSL
Hi @laurenzfg ,
It is contained in my headers without any ifdefs. Does this inconsistency classify as a bug?
Thanks for pointing this out, we will get that resolved in a future release.
Regarding the TLS1.3 key log functionality: if you look at the example David provided, you will see that you actually want to be using wolfSSL_set_tls13_secret_cb if you don't wish to use the openSSL compatibility layer.
Furthermore, that example declares the callback manually, but wolfSSL now has the same functionality built into the library and can automatically generate a keylog file if you compile with SHOW_SECRETS, HAVE_SECRET_CALLBACK, and WOLFSSL_SSLKEYLOGFILE defined, and then define WOLFSSL_SSLKEYLOGFILE_OUTPUT to the desired name of your keylog file. No need to create the callback yourself.
Let me know if this doesn't resolve your questions.
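As an added illustration of the wolfSSL_set_tls13_secret_cb route described above (not code from this issue or from the wolfSSL project), with the key-log path handed to the callback through its ctx argument so it can be chosen at run time: the NSS key-log line formatter is self-contained, while the callback glue assumes a wolfSSL build with HAVE_SECRET_CALLBACK, whose Tls13Secret ids and wolfSSL_get_client_random it relies on.

```c
#include <stdio.h>
#include <string.h>
/* Format one NSS key-log line: "<LABEL> <client_random hex> <secret hex>\n".
 * Returns the number of characters written, or -1 if out is too small. */
int nss_keylog_line(const char* label, const unsigned char* rnd, size_t rndSz,
                    const unsigned char* secret, size_t secretSz,
                    char* out, size_t outSz)
{
    static const char hex[] = "0123456789abcdef";
    size_t need = strlen(label) + 1 + 2 * rndSz + 1 + 2 * secretSz + 2;
    size_t i, n;
    if (need > outSz) return -1;
    n = (size_t)sprintf(out, "%s ", label);
    for (i = 0; i < rndSz; i++) { out[n++] = hex[rnd[i] >> 4]; out[n++] = hex[rnd[i] & 0x0f]; }
    out[n++] = ' ';
    for (i = 0; i < secretSz; i++) { out[n++] = hex[secret[i] >> 4]; out[n++] = hex[secret[i] & 0x0f]; }
    out[n++] = '\n';
    out[n] = '\0';
    return (int)n;
}

#ifdef HAVE_SECRET_CALLBACK  /* wolfSSL glue; assumes a build with this define */
#include <wolfssl/options.h>
#include <wolfssl/ssl.h>
/* Register with wolfSSL_set_tls13_secret_cb(ssl, tls13_keylog_cb, (void*)path);
 * ctx carries the key-log path, so it is chosen at run time, not compile time. */
static int tls13_keylog_cb(WOLFSSL* ssl, int id, const unsigned char* secret,
                           int secretSz, void* ctx)
{
    unsigned char rnd[32]; char line[256]; const char* label; FILE* fp; size_t rndSz;
    switch (id) {  /* map wolfSSL's Tls13Secret ids to NSS key-log labels */
    case CLIENT_EARLY_TRAFFIC_SECRET:     label = "CLIENT_EARLY_TRAFFIC_SECRET"; break;
    case CLIENT_HANDSHAKE_TRAFFIC_SECRET: label = "CLIENT_HANDSHAKE_TRAFFIC_SECRET"; break;
    case SERVER_HANDSHAKE_TRAFFIC_SECRET: label = "SERVER_HANDSHAKE_TRAFFIC_SECRET"; break;
    case CLIENT_TRAFFIC_SECRET:           label = "CLIENT_TRAFFIC_SECRET_0"; break;
    case SERVER_TRAFFIC_SECRET:           label = "SERVER_TRAFFIC_SECRET_0"; break;
    case EARLY_EXPORTER_SECRET:           label = "EARLY_EXPORTER_SECRET"; break;
    case EXPORTER_SECRET:                 label = "EXPORTER_SECRET"; break;
    default: return 0;  /* unknown id: ignore rather than write a mislabelled line */
    }
    rndSz = wolfSSL_get_client_random(ssl, rnd, sizeof(rnd));
    if (secretSz <= 0 || nss_keylog_line(label, rnd, rndSz, secret, (size_t)secretSz,
                                         line, sizeof(line)) < 0) return -1;
    if ((fp = fopen((const char*)ctx, "a")) == NULL) return -1;
    fputs(line, fp);
    fclose(fp);
    return 0;
}
#endif
```

The resulting file is in the same format Wireshark reads via its "(Pre)-Master-Secret log filename" setting.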
Hey @bigbrett
Thanks for including the header fix on your roadmap.
I ended up building manually with wolfSSL_set_tls13_secret_cb and a patched version of wolf exposing `wolfSSL_get_keys`. I could not use the built-in keylog approach as the path for the log file is not known at compile time.
You may close this issue for the time being.
Regards
Laurenz