diff options
author | Christophe De La Fuente <christophe_delafuente@rapid7.com> | 2022-08-29 20:15:54 +0200 |
---|---|---|
committer | Kazuki Yamaguchi <k@rhe.jp> | 2022-09-20 17:10:11 +0900 |
commit | 3b63232cf14115dc1b1ad7ab81bf1d459e2feeb7 (patch) | |
tree | b8f98525159820e94c2302dc11367f7dd9c42dae /test | |
parent | d36e6e5ef70917c5cb8f58a0c27f9eb6e583dc9a (diff) | |
download | ruby-openssl-3b63232cf14115dc1b1ad7ab81bf1d459e2feeb7.tar.gz |
Add support to SSL_CTX_set_keylog_callback
- This callback is invoked when TLS key material is generated or
received, in order to allow applications to store this keying material
for debugging purposes.
- It is invoked with an `SSLSocket` and a string containing the key
material in the format used by NSS for its SSLKEYLOGFILE debugging
output.
- This commit adds the Ruby binding `keylog_cb` and the related tests
- It is only compatible with OpenSSL >= 1.1.1. Even if LibreSSL implements
`SSL_CTX_set_keylog_callback()` from v3.4.2, it does nothing (see
https://github.com/libressl-portable/openbsd/commit/648d39f0f035835d0653342d139883b9661e9cb6)
Diffstat (limited to 'test')
-rw-r--r-- | test/openssl/test_ssl.rb | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb index 5679ae77..b922d292 100644 --- a/test/openssl/test_ssl.rb +++ b/test/openssl/test_ssl.rb @@ -804,6 +804,54 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase end end + def test_keylog_cb + pend "Keylog callback is not supported" if !openssl?(1, 1, 1) || libressl? + + prefix = 'CLIENT_RANDOM' + context = OpenSSL::SSL::SSLContext.new + context.min_version = context.max_version = OpenSSL::SSL::TLS1_2_VERSION + + cb_called = false + context.keylog_cb = proc do |_sock, line| + cb_called = true + assert_equal(prefix, line.split.first) + end + + start_server do |port| + server_connect(port, context) do |ssl| + ssl.puts "abc" + assert_equal("abc\n", ssl.gets) + assert_equal(true, cb_called) + end + end + + if tls13_supported? + prefixes = [ + 'SERVER_HANDSHAKE_TRAFFIC_SECRET', + 'EXPORTER_SECRET', + 'SERVER_TRAFFIC_SECRET_0', + 'CLIENT_HANDSHAKE_TRAFFIC_SECRET', + 'CLIENT_TRAFFIC_SECRET_0', + ] + context = OpenSSL::SSL::SSLContext.new + context.min_version = context.max_version = OpenSSL::SSL::TLS1_3_VERSION + cb_called = false + context.keylog_cb = proc do |_sock, line| + cb_called = true + assert_not_nil(prefixes.delete(line.split.first)) + end + + start_server do |port| + server_connect(port, context) do |ssl| + ssl.puts "abc" + assert_equal("abc\n", ssl.gets) + assert_equal(true, cb_called) + end + assert_equal(0, prefixes.size) + end + end + end + def test_tlsext_hostname fooctx = OpenSSL::SSL::SSLContext.new fooctx.cert = @cli_cert |