Merge pull request #9171 from effbiae/ss-callback

SparkiDev · web-flow · commit a17b10ef10e1 · 2025-09-12T08:02:51.000+10:00
refactor SessionSecret_callback*
diff --git a/src/internal.c b/src/internal.c
@@ -315,78 +315,57 @@ void wolfssl_priv_der_unblind(DerBuffer* key, DerBuffer* mask)
                        const unsigned char* secret, int secretSz, void* ctx);
 #endif
 
-
-    /* Label string for client random. */
-    #define SSC_CR      "CLIENT_RANDOM"
-
     /*
      * This function builds up string for key-logging then call user's
-     * key-log-callback to pass the string for TLS1.2 and older.
+     * key-log-callback to pass the string.
      * The user's key-logging callback has been set via
      * wolfSSL_CTX_set_keylog_callback function. The logging string format is:
-     * "CLIENT_RANDOM <hex-encoded client random> <hex-encoded master-secret>"
+     * "<Label> <hex-encoded client random> <hex-encoded secret>"
+     *
      * parameter
      *  - ssl: WOLFSSL object
-     *  - secret: pointer to the buffer holding master-secret
+     *  - secret: pointer to the buffer holding secret
      *  - secretSz: size of secret
-     *  - ctx: not used
+     *  - label: for logging string
+     *  - labelSz: label size
      * returns 0 on success, negative value on failure.
      */
-    static int SessionSecret_callback(WOLFSSL* ssl, void* secret,
-                    int* secretSz, void* ctx)
+    static int SessionSecret_callback_common(const WOLFSSL* ssl,
+                       const unsigned char* secret, int secretSz,
+                       const char* label, int labelSz)
     {
         wolfSSL_CTX_keylog_cb_func logCb = NULL;
-        int msSz;
-        int invalidCount;
-        int i;
-        const char* label = SSC_CR;
-        int labelSz = sizeof(SSC_CR);
         int buffSz;
         byte* log = NULL;
         word32 outSz;
         int idx;
         int ret;
-        (void)ctx;
 
-        if (ssl == NULL || secret == NULL || secretSz == NULL || *secretSz == 0)
+        if (ssl == NULL || secret == NULL || secretSz == 0 ||
+            label == NULL || labelSz == 0)
             return BAD_FUNC_ARG;
-        if (ssl->arrays == NULL)
+        if (ssl->arrays == NULL || ssl->ctx == NULL)
             return BAD_FUNC_ARG;
 
         /* get the user-callback func from CTX */
         logCb = ssl->ctx->keyLogCb;
-        if (logCb == NULL) {
-            return 0; /* no logging callback */
-        }
-
-        /* make sure the given master-secret has a meaningful value */
-        msSz   = *secretSz;
-        invalidCount = 0;
-        for (i = 0; i < msSz; i++) {
-            if (((byte*)secret)[i] == 0) {
-                invalidCount++;
-            }
-        }
-        if (invalidCount == *secretSz) {
-            WOLFSSL_MSG("master-secret is not valid");
-            return 0; /* ignore error */
-        }
+        if (logCb == NULL)
+            return 0;
 
-        /* build up a hex-decoded keylog string
-         * "CLIENT_RANDOM <hex-encoded client rand> <hex-encoded master-secret>"
-         * note that each keylog string does not have CR/LF.
-         */
-        buffSz  = labelSz + (RAN_LEN * 2) + 1 + ((*secretSz) * 2) + 1;
-        log     = XMALLOC(buffSz, ssl->heap, DYNAMIC_TYPE_SECRET);
+        /* prepare a log string for passing user callback
+         * "<Label> <hex-encoded client random> <hex-encoded secret>" */
+        buffSz = labelSz + (RAN_LEN * 2) + 1 + secretSz * 2 + 1;
+        log    = XMALLOC(buffSz, ssl->heap, DYNAMIC_TYPE_SECRET);
         if (log == NULL)
             return MEMORY_E;
 #ifdef WOLFSSL_CHECK_MEM_ZERO
         wc_MemZero_Add("SessionSecret log", log, buffSz);
 #endif
 
         XMEMSET(log, 0, buffSz);
-        XMEMCPY(log, label, labelSz -1);     /* put label w/o terminator */
+        XMEMCPY(log, label, labelSz - 1);    /* put label w/o terminator */
         log[labelSz - 1] = ' ';              /* '\0' -> ' ' */
+
         idx = labelSz;
         outSz = buffSz - idx;
         if ((ret = Base16_Encode(ssl->arrays->clientRandom, RAN_LEN,
@@ -395,26 +374,66 @@ void wolfssl_priv_der_unblind(DerBuffer* key, DerBuffer* mask)
             outSz = buffSz - idx;
 
             if (outSz > 1) {
-                log[idx++] = ' ';  /* add space*/
+                log[idx++] = ' ';        /* add space*/
                 outSz = buffSz - idx;
 
-                if ((ret = Base16_Encode((byte*)secret, *secretSz,
-                                             log + idx, &outSz)) == 0) {
-                    /* pass the log to the client callback*/
+                if ((ret = Base16_Encode((byte*)secret, secretSz,
+                                log + idx, &outSz)) == 0) {
                     logCb(ssl, (char*)log);
                     ret = 0;
                 }
             }
-            else {
-                ret = BUFFER_E;
-            }
+            else
+                ret = MEMORY_E;
         }
         /* Zero out Base16 encoded secret and other data. */
         ForceZero(log, buffSz);
         XFREE(log, ssl->heap, DYNAMIC_TYPE_SECRET);
         return ret;
     }
 
+    /* Label string for client random. */
+    #define SSC_CR      "CLIENT_RANDOM"
+
+    /*
+     * This function builds up string for key-logging then call user's
+     * key-log-callback to pass the string for TLS1.2 and older.
+     * The user's key-logging callback has been set via
+     * wolfSSL_CTX_set_keylog_callback function. The logging string format is:
+     * "CLIENT_RANDOM <hex-encoded client random> <hex-encoded master-secret>"
+     * parameter
+     *  - ssl: WOLFSSL object
+     *  - secret: pointer to the buffer holding master-secret
+     *  - secretSz: size of secret
+     *  - ctx: not used
+     * returns 0 on success, negative value on failure.
+     */
+    static int SessionSecret_callback(WOLFSSL* ssl, void* secret,
+                    int* secretSz, void* ctx)
+    {
+        int invalidCount;
+        int i;
+        (void)ctx;
+
+        if (secret == NULL || secretSz == NULL || *secretSz == 0)
+            return BAD_FUNC_ARG;
+
+        /* make sure the given master-secret has a meaningful value */
+        invalidCount = 0;
+        for (i = 0; i < *secretSz; i++) {
+            if (((byte*)secret)[i] == 0) {
+                invalidCount++;
+            }
+        }
+        if (invalidCount == *secretSz) {
+            WOLFSSL_MSG("master-secret is not valid");
+            return 0; /* ignore error */
+        }
+
+        return SessionSecret_callback_common(ssl, secret, *secretSz,
+                                             SSC_CR, sizeof(SSC_CR));
+    }
+
 #if defined(WOLFSSL_TLS13)
 
      /* Label string for client early traffic secret. */
@@ -450,27 +469,10 @@ void wolfssl_priv_der_unblind(DerBuffer* key, DerBuffer* mask)
     static int SessionSecret_callback_Tls13(WOLFSSL* ssl, int id,
         const unsigned char* secret, int secretSz, void* ctx)
     {
-        wolfSSL_CTX_keylog_cb_func logCb = NULL;
         const char* label;
         int         labelSz = 0;
-        int         buffSz  = 0;
-        byte*       log     = NULL;
-        word32 outSz;
-        int idx;
-        int ret;
-
         (void)ctx;
 
-        if (ssl == NULL || secret == NULL || secretSz == 0)
-            return BAD_FUNC_ARG;
-        if (ssl->arrays == NULL)
-            return BAD_FUNC_ARG;
-
-        /* get the user-callback func from CTX*/
-        logCb = ssl->ctx->keyLogCb;
-        if (logCb == NULL)
-            return 0;
-
         switch (id) {
             case CLIENT_EARLY_TRAFFIC_SECRET:
                 labelSz = sizeof(SSC_TLS13_CETS);
@@ -510,44 +512,8 @@ void wolfssl_priv_der_unblind(DerBuffer* key, DerBuffer* mask)
             default:
                 return BAD_FUNC_ARG;
         }
-        /* prepare a log string for passing user callback
-         * "<Label> <hex-encoded client random> <hex-encoded secret>" */
-        buffSz = labelSz + (RAN_LEN * 2) + 1 + secretSz * 2 + 1;
-        log    = XMALLOC(buffSz, ssl->heap, DYNAMIC_TYPE_SECRET);
-        if (log == NULL)
-            return MEMORY_E;
-#ifdef WOLFSSL_CHECK_MEM_ZERO
-        wc_MemZero_Add("SessionSecret log", log, buffSz);
-#endif
-
-        XMEMSET(log, 0, buffSz);
-        XMEMCPY(log, label, labelSz - 1);     /* put label w/o terminator */
-        log[labelSz - 1] = ' ';               /* '\0' -> ' ' */
-
-        idx = labelSz;
-        outSz = buffSz - idx;
-        if ((ret = Base16_Encode(ssl->arrays->clientRandom, RAN_LEN,
-                                            log + idx, &outSz)) == 0) {
-            idx  += (outSz - 1); /* reduce terminator byte */
-            outSz = buffSz - idx;
-
-            if (outSz >1) {
-                log[idx++] = ' ';        /* add space*/
-                outSz = buffSz - idx;
-
-                if ((ret = Base16_Encode((byte*)secret, secretSz,
-                                log + idx, &outSz)) == 0) {
-                    logCb(ssl, (char*)log);
-                    ret = 0;
-                }
-            }
-            else
-                ret = MEMORY_E;
-        }
-        /* Zero out Base16 encoded secret and other data. */
-        ForceZero(log, buffSz);
-        XFREE(log, ssl->heap, DYNAMIC_TYPE_SECRET);
-        return ret;
+        return SessionSecret_callback_common(ssl, secret, secretSz,
+                                             label, labelSz);
     }
 #endif /* WOLFSSL_TLS13*/
 #endif /* OPENSSL_EXTRA && HAVE_SECRET_CALLBACK*/
