author | Daiki Ueno <ueno@gnu.org> | 2020-02-27 10:47:44 +0000 |
---|---|---|
committer | Daiki Ueno <ueno@gnu.org> | 2020-02-27 10:47:44 +0000 |
commit | 41404c6e91c06c1c1f3c65c2addf0c43b6eb3174 (patch) | |
tree | 90f4927f4dd8cbfbaddcc249d3e2bfd73cc60337 /lib | |
parent | ad5b1569c6a5e143bee49c050645c32d6acb7708 (diff) | |
parent | 8da3a71b358aa4a3199d1ee72c4e0d25a4588131 (diff) | |
download | gnutls-41404c6e91c06c1c1f3c65c2addf0c43b6eb3174.tar.gz |
Merge branch 'tmp-keylog-func' into 'master'
keylogfile: simplify the callback mechanism
See merge request gnutls/gnutls!1196
Diffstat (limited to 'lib')
-rw-r--r-- | lib/constate.c | 22 | ||||
-rw-r--r-- | lib/ext/pre_shared_key.c | 4 | ||||
-rw-r--r-- | lib/gnutls_int.h | 2 | ||||
-rw-r--r-- | lib/handshake-tls13.c | 2 | ||||
-rw-r--r-- | lib/includes/gnutls/gnutls.h.in | 53 | ||||
-rw-r--r-- | lib/kx.c | 56 | ||||
-rw-r--r-- | lib/kx.h | 10 | ||||
-rw-r--r-- | lib/libgnutls.map | 2 | ||||
-rw-r--r-- | lib/state.c | 5 |
9 files changed, 40 insertions, 116 deletions
diff --git a/lib/constate.c b/lib/constate.c index a11577d7ba..eb05fdd04c 100644 --- a/lib/constate.c +++ b/lib/constate.c @@ -197,7 +197,6 @@ _tls13_update_keys(gnutls_session_t session, hs_stage_t stage, char buf[65]; record_state_st *upd_state; record_parameters_st *prev = NULL; - gnutls_handshake_secret_type_t secret_type; int ret; /* generate new keys for direction needed and copy old from previous epoch */ @@ -275,7 +274,6 @@ _tls13_update_keys(gnutls_session_t session, hs_stage_t stage, ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.proto.tls13.ap_ckey, iv_size, iv_block); if (ret < 0) return gnutls_assert_val(ret); - secret_type = GNUTLS_SECRET_CLIENT_TRAFFIC_SECRET; } else { ret = _tls13_expand_secret(session, APPLICATION_TRAFFIC_UPDATE, sizeof(APPLICATION_TRAFFIC_UPDATE)-1, @@ -293,14 +291,8 @@ _tls13_update_keys(gnutls_session_t session, hs_stage_t stage, ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.proto.tls13.ap_skey, iv_size, iv_block); if (ret < 0) return gnutls_assert_val(ret); - secret_type = GNUTLS_SECRET_SERVER_TRAFFIC_SECRET; } - ret = _gnutls_call_secret_func(session, secret_type, - key_block, key_size); - if (ret < 0) - return gnutls_assert_val(ret); - upd_state->mac_key_size = 0; assert(key_size <= sizeof(upd_state->key)); @@ -396,7 +388,7 @@ _tls13_set_keys(gnutls_session_t session, hs_stage_t stage, record_state_st *client_write, *server_write; const char *label; unsigned label_size, hsk_len; - gnutls_handshake_secret_type_t secret_type; + const char *keylog_label; void *ckey, *skey; int ret; 
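Review bot: In the @@ -293,14 +291,8 hunk the keylog call for the post-KeyUpdate traffic secrets is removed outright, so a custom gnutls_keylog_func now never sees `CLIENT_TRAFFIC_SECRET_N` / `SERVER_TRAFFIC_SECRET_N` for N>0, even though the new `_0` suffix on the labels in _tls13_set_keys implies the NSS numbering scheme; before this change only the default NSS hook filtered them out via handshake_in_progress, other callbacks got them. If losing visibility after a KeyUpdate is intended, it should be stated where the call was removed, e.g. `/* Updated traffic secrets are deliberately not reported to the keylog callback; only the initial *_TRAFFIC_SECRET_0 secrets are. */`, and in the public API documentation. As I understand the NSS key log format, updated secrets are carried under exactly those `_N` labels, so keeping the call with a per-direction update counter in the label would be the alternative; I have not checked whether any consumer relies on it. _tls13_update_keys begins and ends outside this hunk.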
@@ -412,13 +404,13 @@ _tls13_set_keys(gnutls_session_t session, hs_stage_t stage, label = HANDSHAKE_CLIENT_TRAFFIC_LABEL; label_size = sizeof(HANDSHAKE_CLIENT_TRAFFIC_LABEL)-1; hsk_len = session->internals.handshake_hash_buffer.length; - secret_type = GNUTLS_SECRET_CLIENT_HANDSHAKE_TRAFFIC_SECRET; + keylog_label = "CLIENT_HANDSHAKE_TRAFFIC_SECRET"; ckey = session->key.proto.tls13.hs_ckey; } else { label = APPLICATION_CLIENT_TRAFFIC_LABEL; label_size = sizeof(APPLICATION_CLIENT_TRAFFIC_LABEL)-1; hsk_len = session->internals.handshake_hash_buffer_server_finished_len; - secret_type = GNUTLS_SECRET_CLIENT_TRAFFIC_SECRET; + keylog_label = "CLIENT_TRAFFIC_SECRET_0"; ckey = session->key.proto.tls13.ap_ckey; } @@ -430,7 +422,7 @@ _tls13_set_keys(gnutls_session_t session, hs_stage_t stage, if (ret < 0) return gnutls_assert_val(ret); - ret = _gnutls_call_secret_func(session, secret_type, + ret = _gnutls_call_keylog_func(session, keylog_label, ckey, session->security_parameters.prf->output_size); if (ret < 0) @@ -449,12 +441,12 @@ _tls13_set_keys(gnutls_session_t session, hs_stage_t stage, if (stage == STAGE_HS) { label = HANDSHAKE_SERVER_TRAFFIC_LABEL; label_size = sizeof(HANDSHAKE_SERVER_TRAFFIC_LABEL)-1; - secret_type = GNUTLS_SECRET_SERVER_HANDSHAKE_TRAFFIC_SECRET; + keylog_label = "SERVER_HANDSHAKE_TRAFFIC_SECRET"; skey = session->key.proto.tls13.hs_skey; } else { label = APPLICATION_SERVER_TRAFFIC_LABEL; label_size = sizeof(APPLICATION_SERVER_TRAFFIC_LABEL)-1; - secret_type = GNUTLS_SECRET_SERVER_TRAFFIC_SECRET; + keylog_label = "SERVER_TRAFFIC_SECRET_0"; skey = session->key.proto.tls13.ap_skey; } @@ -467,7 +459,7 @@ _tls13_set_keys(gnutls_session_t session, hs_stage_t stage, if (ret < 0) return gnutls_assert_val(ret); - ret = _gnutls_call_secret_func(session, secret_type, + ret = _gnutls_call_keylog_func(session, keylog_label, skey, session->security_parameters.prf->output_size); if (ret < 0) 
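Review bot: The keylog labels in _tls13_set_keys (`"CLIENT_HANDSHAKE_TRAFFIC_SECRET"`, `"CLIENT_TRAFFIC_SECRET_0"` and their server counterparts) are bare string literals, and the same scheme is repeated as literals in pre_shared_key.c, handshake-tls13.c and kx.c; a typo in any one of them would silently produce a line that key-log consumers ignore, with nothing at compile time to catch it. Since the old enum and the secret_type_to_nss_keylog_label() table are gone, I would keep the strings in one place, e.g. in kx.h `#define NSS_KEYLOG_CLIENT_TRAFFIC_SECRET "CLIENT_TRAFFIC_SECRET_0"` and siblings, and pass those macros here. _tls13_set_keys starts in the previous hunk and ends outside this one.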
diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c index eef84814d6..8a39cda153 100644 --- a/lib/ext/pre_shared_key.c +++ b/lib/ext/pre_shared_key.c @@ -203,7 +203,7 @@ generate_early_secrets(gnutls_session_t session, if (ret < 0) return gnutls_assert_val(ret); - ret = _gnutls_call_secret_func(session, GNUTLS_SECRET_CLIENT_EARLY_TRAFFIC_SECRET, + ret = _gnutls_call_keylog_func(session, "CLIENT_EARLY_TRAFFIC_SECRET", session->key.proto.tls13.e_ckey, prf->output_size); if (ret < 0) @@ -217,7 +217,7 @@ generate_early_secrets(gnutls_session_t session, if (ret < 0) return gnutls_assert_val(ret); - ret = _gnutls_call_secret_func(session, GNUTLS_SECRET_EARLY_EXPORTER_SECRET, + ret = _gnutls_call_keylog_func(session, "EARLY_EXPORTER_SECRET", session->key.proto.tls13.ap_expkey, prf->output_size); if (ret < 0) diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index cd2adc103d..d9d851be62 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -1243,7 +1243,7 @@ typedef struct { unsigned int h_type; /* the hooked type */ int16_t h_post; /* whether post-generation/receive */ - gnutls_handshake_secret_func secret_func; + gnutls_keylog_func keylog_func; /* holds the selected certificate and key. * use _gnutls_selected_certs_deinit() and _gnutls_selected_certs_set() diff --git a/lib/handshake-tls13.c b/lib/handshake-tls13.c index 39d002bd04..24f5af65c6 100644 --- a/lib/handshake-tls13.c +++ b/lib/handshake-tls13.c @@ -292,7 +292,7 @@ static int generate_ap_traffic_keys(gnutls_session_t session) if (ret < 0) return gnutls_assert_val(ret); - ret = _gnutls_call_secret_func(session, GNUTLS_SECRET_EXPORTER_SECRET, + ret = _gnutls_call_keylog_func(session, "EXPORTER_SECRET", session->key.proto.tls13.ap_expkey, session->security_parameters.prf->output_size); if (ret < 0) diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in index 13b6c35659..cfc1f35e92 100644 --- a/lib/includes/gnutls/gnutls.h.in +++ b/lib/includes/gnutls/gnutls.h.in 
@@ -2292,58 +2292,23 @@ void gnutls_global_set_log_function(gnutls_log_func log_func); void gnutls_global_set_audit_log_function(gnutls_audit_log_func log_func); void gnutls_global_set_log_level(int level); -/** - * gnutls_handshake_secret_type_t: - * @GNUTLS_SECRET_CLIENT_RANDOM: 48 bytes for the master secret (for SSL 3.0, - * TLS 1.0, 1.1 and 1.2) - * @GNUTLS_SECRET_CLIENT_EARLY_TRAFFIC_SECRET: the early traffic secret for the - * client side (for TLS 1.3) - * @GNUTLS_SECRET_CLIENT_HANDSHAKE_TRAFFIC_SECRET: the handshake traffic secret - * for the client side (for TLS 1.3) - * @GNUTLS_SECRET_SERVER_HANDSHAKE_TRAFFIC_SECRET: the handshake traffic secret - * for the server side (for TLS 1.3) - * @GNUTLS_SECRET_CLIENT_TRAFFIC_SECRET: the application traffic secret for the - * client side (for TLS 1.3) - * @GNUTLS_SECRET_SERVER_TRAFFIC_SECRET: the application traffic secret for the - * server side (for TLS 1.3) - * @GNUTLS_SECRET_EARLY_EXPORTER_SECRET: the early exporter secret (for TLS 1.3, - * used for 0-RTT keys). - * @GNUTLS_SECRET_EXPORTER_SECRET: the exporter secret (for TLS 1.3, used for - * 1-RTT keys) - * - * Enumeration of different types of secrets derived during handshake. - * This is used by gnutls_handshake_set_secret_function(). - * - * Since: 3.6.13 - */ -typedef enum { - GNUTLS_SECRET_CLIENT_RANDOM, - GNUTLS_SECRET_CLIENT_EARLY_TRAFFIC_SECRET, - GNUTLS_SECRET_CLIENT_HANDSHAKE_TRAFFIC_SECRET, - GNUTLS_SECRET_SERVER_HANDSHAKE_TRAFFIC_SECRET, - GNUTLS_SECRET_CLIENT_TRAFFIC_SECRET, - GNUTLS_SECRET_SERVER_TRAFFIC_SECRET, - GNUTLS_SECRET_EARLY_EXPORTER_SECRET, - GNUTLS_SECRET_EXPORTER_SECRET -} gnutls_handshake_secret_type_t; - /** - * gnutls_handshake_secret_function: + * gnutls_keylog_func: * @session: the current session - * @type: #gnutls_handshake_secret_type_t + * @label: the keylog label * @secret: the (const) data of the derived secret. * - * Function prototype for secret derivation hooks. 
It is set using - * gnutls_handshake_set_secret_function(). + * Function prototype for keylog hooks. It is set using + * gnutls_session_set_keylog_function(). * * Returns: Non zero on error. * Since: 3.6.13 */ -typedef int (*gnutls_handshake_secret_func) (gnutls_session_t session, - gnutls_handshake_secret_type_t type, - const gnutls_datum_t *secret); -void gnutls_handshake_set_secret_function(gnutls_session_t session, - gnutls_handshake_secret_func func); +typedef int (*gnutls_keylog_func) (gnutls_session_t session, + const char *label, + const gnutls_datum_t *secret); +void gnutls_session_set_keylog_function(gnutls_session_t session, + gnutls_keylog_func func); /* Diffie-Hellman parameter handling. */ @@ -71,7 +71,7 @@ int _gnutls_generate_master(gnutls_session_t session, int keep_premaster) } /** - * gnutls_handshake_set_secret_function: + * gnutls_session_set_keylog_function: * @session: is #gnutls_session_t type * @func: is the function to be called * 
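Review bot: The `Returns: Non zero on error.` line on gnutls_keylog_func does not match how the library consumes the hook: every caller in this diff checks `if (ret < 0)`, so a positive return is silently treated as success. I would document it as `* Returns: 0 on success, or a negative error code, which is propagated out of the key derivation step.`, and the `@label` line should list the NSS key-log labels the library emits (`CLIENT_RANDOM`, `CLIENT_EARLY_TRAFFIC_SECRET`, `CLIENT_HANDSHAKE_TRAFFIC_SECRET`, `SERVER_HANDSHAKE_TRAFFIC_SECRET`, `CLIENT_TRAFFIC_SECRET_0`, `SERVER_TRAFFIC_SECRET_0`, `EARLY_EXPORTER_SECRET`, `EXPORTER_SECRET`) now that the enum that enumerated them is gone. Two caveats belong in the same comment: for `CLIENT_RANDOM` the datum carries the 48-byte master secret, not the client random (see generate_normal_master in kx.c), and `secret` points into session-internal key buffers, so the callback receives raw traffic secrets that must be handled as such and copied if retained. gnutls_session_set_keylog_function also deserves a note that it replaces the default NSS key-log hook installed by gnutls_init rather than chaining to it.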
@@ -81,68 +81,36 @@ int _gnutls_generate_master(gnutls_session_t session, int keep_premaster) * Since: 3.6.13 */ void -gnutls_handshake_set_secret_function(gnutls_session_t session, - gnutls_handshake_secret_func func) +gnutls_session_set_keylog_function(gnutls_session_t session, + gnutls_keylog_func func) { - session->internals.secret_func = func; + session->internals.keylog_func = func; } int -_gnutls_call_secret_func(gnutls_session_t session, - gnutls_handshake_secret_type_t type, +_gnutls_call_keylog_func(gnutls_session_t session, + const char *label, const uint8_t *data, unsigned size) { - if (session->internals.secret_func) { + if (session->internals.keylog_func) { gnutls_datum_t secret = {(void*)data, size}; - return session->internals.secret_func(session, type, &secret); + return session->internals.keylog_func(session, label, &secret); } return 0; } -static const char * -secret_type_to_nss_keylog_label(gnutls_handshake_secret_type_t type) -{ - switch (type) { - case GNUTLS_SECRET_CLIENT_RANDOM: - return "CLIENT_RANDOM"; - case GNUTLS_SECRET_CLIENT_EARLY_TRAFFIC_SECRET: - return "CLIENT_EARLY_TRAFFIC_SECRET"; - case GNUTLS_SECRET_CLIENT_HANDSHAKE_TRAFFIC_SECRET: - return "CLIENT_HANDSHAKE_TRAFFIC_SECRET"; - case GNUTLS_SECRET_SERVER_HANDSHAKE_TRAFFIC_SECRET: - return "SERVER_HANDSHAKE_TRAFFIC_SECRET"; - case GNUTLS_SECRET_CLIENT_TRAFFIC_SECRET: - return "CLIENT_TRAFFIC_SECRET_0"; - case GNUTLS_SECRET_SERVER_TRAFFIC_SECRET: - return "SERVER_TRAFFIC_SECRET_0"; - case GNUTLS_SECRET_EARLY_EXPORTER_SECRET: - return "EARLY_EXPORTER_SECRET"; - case GNUTLS_SECRET_EXPORTER_SECRET: - return "EXPORTER_SECRET"; - default: - gnutls_assert(); - return NULL; - } -} - int -_gnutls_nss_keylog_secret_func(gnutls_session_t session, - gnutls_handshake_secret_type_t type, - const gnutls_datum_t *secret) +_gnutls_nss_keylog_func(gnutls_session_t session, + const char *label, + const gnutls_datum_t *secret) { - const char *label; - /* ignore subsequent traffic secrets that are 
calculated from * the previous traffic secret */ if (!session->internals.handshake_in_progress) return 0; - label = secret_type_to_nss_keylog_label(type); - if (unlikely(label == NULL)) - return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); - _gnutls_nss_keylog_write(session, label, secret->data, secret->size); return 0; } @@ -265,7 +233,7 @@ generate_normal_master(gnutls_session_t session, if (ret < 0) return ret; - ret = _gnutls_call_secret_func(session, GNUTLS_SECRET_CLIENT_RANDOM, + ret = _gnutls_call_keylog_func(session, "CLIENT_RANDOM", session->security_parameters.master_secret, GNUTLS_MASTER_SIZE); if (ret < 0) @@ -38,15 +38,15 @@ int _gnutls_recv_server_crt_request(gnutls_session_t session); int _gnutls_send_server_crt_request(gnutls_session_t session, int again); int _gnutls_recv_client_certificate_verify_message(gnutls_session_t session); -int _gnutls_call_secret_func(gnutls_session_t session, - gnutls_handshake_secret_type_t type, +int _gnutls_call_keylog_func(gnutls_session_t session, + const char *label, const uint8_t *data, unsigned size); void _gnutls_nss_keylog_write(gnutls_session_t session, const char *label, const uint8_t *secret, size_t secret_size); -int _gnutls_nss_keylog_secret_func(gnutls_session_t session, - gnutls_handshake_secret_type_t type, - const gnutls_datum_t *secret); +int _gnutls_nss_keylog_func(gnutls_session_t session, + const char *label, + const gnutls_datum_t *secret); #endif /* GNUTLS_LIB_KX_H */ diff --git a/lib/libgnutls.map b/lib/libgnutls.map index c1aace905e..234d43e755 100644 --- a/lib/libgnutls.map +++ b/lib/libgnutls.map @@ -1315,7 +1315,7 @@ GNUTLS_3_6_13 gnutls_hkdf_extract; gnutls_hkdf_expand; gnutls_pbkdf2; - gnutls_handshake_set_secret_function; + gnutls_session_set_keylog_function; } GNUTLS_3_6_12; GNUTLS_FIPS140_3_4 { diff --git a/lib/state.c b/lib/state.c index f33cd5a8bc..35ebb2a230 100644 --- a/lib/state.c +++ b/lib/state.c 
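Review bot: The `if (!session->internals.handshake_in_progress) return 0;` guard in _gnutls_nss_keylog_func, with its comment about ignoring subsequent traffic secrets, now appears to protect against a call that no longer exists: this same merge removes the keylog call from _tls13_update_keys in constate.c, and as far as this diff shows every remaining caller runs during the handshake. Either the guard is now dead and the comment should say why it is kept, e.g. `/* Defensive: KeyUpdate secrets are no longer reported, so all callers run during the handshake. */`, or, if post-handshake secrets are reported again later, the guard has to go so the `_N` labels can actually be written. _gnutls_nss_keylog_func begins in the previous line's hunk.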
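Review bot: Renaming the exported symbol inside the existing GNUTLS_3_6_13 version node (`gnutls_handshake_set_secret_function` becomes `gnutls_session_set_keylog_function`) is only ABI-safe if no release exporting the old name has shipped; if one has, the old symbol must stay in the map with a compatibility wrapper, because a published version node is immutable. The `Since: 3.6.13` tags in gnutls.h.in suggest the old name was never released, but that should be confirmed against the release history rather than assumed.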
@@ -588,9 +588,8 @@ int gnutls_init(gnutls_session_t * session, unsigned int flags) if (_gnutls_disable_tls13 != 0) (*session)->internals.flags |= INT_FLAG_NO_TLS13; - /* Install the default secret function */ - gnutls_handshake_set_secret_function(*session, - _gnutls_nss_keylog_secret_func); + /* Install the default keylog function */ + gnutls_session_set_keylog_function(*session, _gnutls_nss_keylog_func); return 0; } |
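Review bot: gnutls_init still installs _gnutls_nss_keylog_func on every session unconditionally, so the hook that can write raw traffic secrets is live by default, and the only thing between a production process and a key dump is whatever gating _gnutls_nss_keylog_write applies (presumably an SSLKEYLOGFILE-style check, but that function is not in this diff). The comment should make that explicit so the next reader does not assume the default is inert, e.g. `/* Default keylog hook; whether anything is actually written is decided inside _gnutls_nss_keylog_write(). An application hook installed later replaces this one. */`. gnutls_init starts outside this hunk.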