diff options
author | Erlang/OTP <otp@erlang.org> | 2023-04-25 17:08:57 +0200 |
---|---|---|
committer | Erlang/OTP <otp@erlang.org> | 2023-04-25 17:08:57 +0200 |
commit | a882f0ec96cce173299cf4ee005a94cb21952264 (patch) | |
tree | 224eba24f80c9fb8ca5ba0879a6d836b75f3a795 /lib/ssl/src/ssl_gen_statem.erl | |
parent | f69bdbe5df164d7b15de49bd3b72c95259d160ce (diff) | |
parent | 6aeeadc093f7ec020b4ef2061417c049c6efc800 (diff) | |
download | erlang-a882f0ec96cce173299cf4ee005a94cb21952264.tar.gz |
Merge branch 'kuba/ssl/kuba/ssl/keylog_fix/OTP-18489' into maint-25
* kuba/ssl/kuba/ssl/keylog_fix/OTP-18489:
ssl: fix keylog mechanism
Diffstat (limited to 'lib/ssl/src/ssl_gen_statem.erl')
-rw-r--r-- | lib/ssl/src/ssl_gen_statem.erl | 32 |
1 files changed, 26 insertions, 6 deletions
diff --git a/lib/ssl/src/ssl_gen_statem.erl b/lib/ssl/src/ssl_gen_statem.erl index 36768ab6c7..62c09c60ae 100644 --- a/lib/ssl/src/ssl_gen_statem.erl +++ b/lib/ssl/src/ssl_gen_statem.erl @@ -1897,7 +1897,8 @@ connection_info(#state{handshake_env = #handshake_env{sni_hostname = SNIHostname security_info(#state{connection_states = ConnectionStates, static_env = #static_env{role = Role}, - ssl_options = #{keep_secrets := KeepSecrets}}) -> + ssl_options = #{keep_secrets := KeepSecrets}, + protocol_specific = ProtocolSpecific}) -> ReadState = ssl_record:current_connection_state(ConnectionStates, read), #{security_parameters := #security_parameters{client_random = ClientRand, @@ -1911,10 +1912,12 @@ security_info(#state{connection_states = ConnectionStates, BaseSecurityInfo; true -> #{security_parameters := - #security_parameters{application_traffic_secret = AppTrafSecretWrite, - client_early_data_secret = ClientEarlyData - }} = + #security_parameters{ + application_traffic_secret = AppTrafSecretWrite0, + client_early_data_secret = ClientEarlyData}} = ssl_record:current_connection_state(ConnectionStates, write), + Sender = maps:get(sender, ProtocolSpecific, undefined), + AppTrafSecretWrite = {Sender, AppTrafSecretWrite0}, if Role == server -> if ServerEarlyData =/= undefined -> [{server_traffic_secret_0, AppTrafSecretWrite}, @@ -2118,8 +2121,25 @@ maybe_add_keylog({_, 'tlsv1.2'}, Info) -> maybe_add_keylog({_, 'tlsv1.3'}, Info) -> try {client_random, ClientRandomBin} = lists:keyfind(client_random, 1, Info), - {client_traffic_secret_0, ClientTrafficSecret0Bin} = lists:keyfind(client_traffic_secret_0, 1, Info), - {server_traffic_secret_0, ServerTrafficSecret0Bin} = lists:keyfind(server_traffic_secret_0, 1, Info), + %% after traffic key update current traffic secret + %% is stored in tls_sender process state + MaybeUpdateTrafficSecret = + fun({Direction, {Sender, TrafficSecret0}}) -> + TrafficSecret = + case call(Sender, get_application_traffic_secret) of + {ok, SenderAppTrafSecretWrite} -> + SenderAppTrafSecretWrite; + _ -> + TrafficSecret0 + end, + {Direction, TrafficSecret}; + (TrafficSecret0) -> + TrafficSecret0 + end, + {client_traffic_secret_0, ClientTrafficSecret0Bin} = + MaybeUpdateTrafficSecret(lists:keyfind(client_traffic_secret_0, 1, Info)), + {server_traffic_secret_0, ServerTrafficSecret0Bin} = + MaybeUpdateTrafficSecret(lists:keyfind(server_traffic_secret_0, 1, Info)), {client_handshake_traffic_secret, ClientHSecretBin} = lists:keyfind(client_handshake_traffic_secret, 1, Info), {server_handshake_traffic_secret, ServerHSecretBin} = lists:keyfind(server_handshake_traffic_secret, 1, Info), {selected_cipher_suite, #{prf := Prf}} = lists:keyfind(selected_cipher_suite, 1, Info), |