diff options
-rw-r--r-- | crypto/trace.c | 1 | ||||
-rw-r--r-- | include/openssl/trace.h | 3 | ||||
-rw-r--r-- | ssl/s3_lib.c | 36 | ||||
-rw-r--r-- | ssl/ssl_ciph.c | 45 | ||||
-rw-r--r-- | ssl/ssl_lib.c | 7 | ||||
-rw-r--r-- | ssl/statem/statem_srvr.c | 17 |
6 files changed, 60 insertions, 49 deletions
diff --git a/crypto/trace.c b/crypto/trace.c index 1b1e73d87f..61eba6abe7 100644 --- a/crypto/trace.c +++ b/crypto/trace.c @@ -121,6 +121,7 @@ struct trace_category_st { static const struct trace_category_st trace_categories[] = { TRACE_CATEGORY_(ANY), TRACE_CATEGORY_(TLS), + TRACE_CATEGORY_(TLS_CIPHER), }; const char *OSSL_trace_get_category_name(int num) diff --git a/include/openssl/trace.h b/include/openssl/trace.h index f25cd69342..d96a91bb7a 100644 --- a/include/openssl/trace.h +++ b/include/openssl/trace.h @@ -34,7 +34,8 @@ extern "C" { */ # define OSSL_TRACE_CATEGORY_ANY 0 /* The fallback */ # define OSSL_TRACE_CATEGORY_TLS 1 -# define OSSL_TRACE_CATEGORY_NUM 2 +# define OSSL_TRACE_CATEGORY_TLS_CIPHER 2 +# define OSSL_TRACE_CATEGORY_NUM 3 /* Returns the trace category number for the given |name| */ int OSSL_trace_get_category_num(const char *name); diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index a5b3dbbfd5..a3639fd18c 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -16,6 +16,7 @@ #include <openssl/md5.h> #include <openssl/dh.h> #include <openssl/rand.h> +#include <openssl/trace.h> #include "internal/cryptlib.h" #define TLS13_NUM_CIPHERS OSSL_NELEM(tls13_ciphers) @@ -4153,20 +4154,20 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, * pay with the price of sk_SSL_CIPHER_dup(). */ -#ifdef CIPHER_DEBUG - fprintf(stderr, "Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), - (void *)srvr); - for (i = 0; i < sk_SSL_CIPHER_num(srvr); ++i) { - c = sk_SSL_CIPHER_value(srvr, i); - fprintf(stderr, "%p:%s\n", (void *)c, c->name); - } - fprintf(stderr, "Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), - (void *)clnt); - for (i = 0; i < sk_SSL_CIPHER_num(clnt); ++i) { - c = sk_SSL_CIPHER_value(clnt, i); - fprintf(stderr, "%p:%s\n", (void *)c, c->name); - } -#endif + OSSL_TRACE_BEGIN(TLS_CIPHER) { + BIO_printf(trc_out, "Server has %d from %p:\n", + sk_SSL_CIPHER_num(srvr), (void *)srvr); + for (i = 0; i < sk_SSL_CIPHER_num(srvr); ++i) { + c = sk_SSL_CIPHER_value(srvr, i); + BIO_printf(trc_out, "%p:%s\n", (void *)c, c->name); + } + BIO_printf(trc_out, "Client sent %d from %p:\n", + sk_SSL_CIPHER_num(clnt), (void *)clnt); + for (i = 0; i < sk_SSL_CIPHER_num(clnt); ++i) { + c = sk_SSL_CIPHER_value(clnt, i); + BIO_printf(trc_out, "%p:%s\n", (void *)c, c->name); + } + } OSSL_TRACE_END(TLS_CIPHER); /* SUITE-B takes precedence over server preference and ChaCha priortiy */ if (tls1_suiteb(s)) { @@ -4280,10 +4281,9 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, #endif /* OPENSSL_NO_PSK */ ok = (alg_k & mask_k) && (alg_a & mask_a); -#ifdef CIPHER_DEBUG - fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k, - alg_a, mask_k, mask_a, (void *)c, c->name); -#endif + OSSL_TRACE7(TLS_CIPHER, + "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", + ok, alg_k, alg_a, mask_k, mask_a, (void *)c, c->name); #ifndef OPENSSL_NO_EC /* diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 461a9debab..5aa04dbd53 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -16,6 +16,7 @@ #include <openssl/engine.h> #include <openssl/crypto.h> #include <openssl/conf.h> +#include <openssl/trace.h> #include "internal/nelem.h" #include "ssl_locl.h" #include "internal/thread_once.h" @@ -781,12 +782,12 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey, const SSL_CIPHER *cp; int reverse = 0; -#ifdef CIPHER_DEBUG - fprintf(stderr, - "Applying rule %d with %08x/%08x/%08x/%08x/%08x %08x (%d)\n", - rule, alg_mkey, alg_auth, alg_enc, alg_mac, min_tls, - algo_strength, strength_bits); -#endif + OSSL_TRACE_BEGIN(TLS_CIPHER){ + BIO_printf(trc_out, + "Applying rule %d with %08x/%08x/%08x/%08x/%08x %08x (%d)\n", + rule, alg_mkey, alg_auth, alg_enc, alg_mac, min_tls, + algo_strength, strength_bits); + } if (rule == CIPHER_DEL || rule == CIPHER_BUMP) reverse = 1; /* needed to maintain sorting between currently @@ -825,13 +826,14 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey, if (strength_bits != cp->strength_bits) continue; } else { -#ifdef CIPHER_DEBUG - fprintf(stderr, - "\nName: %s:\nAlgo = %08x/%08x/%08x/%08x/%08x Algo_strength = %08x\n", - cp->name, cp->algorithm_mkey, cp->algorithm_auth, - cp->algorithm_enc, cp->algorithm_mac, cp->min_tls, - cp->algo_strength); -#endif + if (trc_out != NULL) { + BIO_printf(trc_out, + "\nName: %s:" + "\nAlgo = %08x/%08x/%08x/%08x/%08x Algo_strength = %08x\n", + cp->name, cp->algorithm_mkey, cp->algorithm_auth, + cp->algorithm_enc, cp->algorithm_mac, cp->min_tls, + cp->algo_strength); + } if (cipher_id != 0 && (cipher_id != cp->id)) continue; if (alg_mkey && !(alg_mkey & cp->algorithm_mkey)) @@ -852,9 +854,8 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey, continue; } -#ifdef CIPHER_DEBUG - fprintf(stderr, "Action = %d\n", rule); -#endif + if (trc_out != NULL) + BIO_printf(trc_out, "Action = %d\n", rule); /* add the cipher if it has not been added yet. */ if (rule == CIPHER_ADD) { @@ -904,6 +905,8 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey, *head_p = head; *tail_p = tail; + + OSSL_TRACE_END(TLS_CIPHER); } static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p, @@ -1605,6 +1608,9 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, } } + OSSL_TRACE_BEGIN(TLS_CIPHER) { + BIO_printf(trc_out, "cipher selection:\n"); + } /* * The cipher selection for the list is done. The ciphers are added * to the resulting precedence to the STACK_OF(SSL_CIPHER). @@ -1614,14 +1620,15 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) { OPENSSL_free(co_list); sk_SSL_CIPHER_free(cipherstack); + OSSL_TRACE_CANCEL(TLS_CIPHER); return NULL; } -#ifdef CIPHER_DEBUG - fprintf(stderr, "<%s>\n", curr->cipher->name); -#endif + if (trc_out != NULL) + BIO_printf(trc_out, "<%s>\n", curr->cipher->name); } } OPENSSL_free(co_list); /* Not needed any longer */ + OSSL_TRACE_END(TLS_CIPHER); if (!update_cipher_list_by_id(cipher_list_by_id, cipherstack)) { sk_SSL_CIPHER_free(cipherstack); diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 322a4381b0..f63e16b592 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -20,6 +20,7 @@ #include <openssl/engine.h> #include <openssl/async.h> #include <openssl/ct.h> +#include <openssl/trace.h> #include "internal/cryptlib.h" #include "internal/refcount.h" #include "internal/ktls.h" @@ -3329,10 +3330,8 @@ void ssl_set_masks(SSL *s) mask_k = 0; mask_a = 0; -#ifdef CIPHER_DEBUG - fprintf(stderr, "dht=%d re=%d rs=%d ds=%d\n", - dh_tmp, rsa_enc, rsa_sign, dsa_sign); -#endif + OSSL_TRACE4(TLS_CIPHER, "dh_tmp=%d rsa_enc=%d rsa_sign=%d dsa_sign=%d\n", + dh_tmp, rsa_enc, rsa_sign, dsa_sign); #ifndef OPENSSL_NO_GOST if (ssl_has_cert(s, SSL_PKEY_GOST12_512)) { diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index bf1819d356..e482e2d074 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -23,6 +23,7 @@ #include <openssl/dh.h> #include <openssl/bn.h> #include <openssl/md5.h> +#include <openssl/trace.h> #define TICKET_NONCE_SIZE 8 @@ -1835,15 +1836,15 @@ static int tls_early_post_process_client_hello(SSL *s) j = 0; id = s->session->cipher->id; -#ifdef CIPHER_DEBUG - fprintf(stderr, "client sent %d ciphers\n", sk_SSL_CIPHER_num(ciphers)); -#endif + OSSL_TRACE_BEGIN(TLS_CIPHER) { + BIO_printf(trc_out, "client sent %d ciphers\n", + sk_SSL_CIPHER_num(ciphers)); + } for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { c = sk_SSL_CIPHER_value(ciphers, i); -#ifdef CIPHER_DEBUG - fprintf(stderr, "client [%2d of %2d]:%s\n", - i, sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c)); -#endif + if (trc_out != NULL) + BIO_printf(trc_out, "client [%2d of %2d]:%s\n", i, + sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c)); if (c->id == id) { j = 1; break; @@ -1857,8 +1858,10 @@ static int tls_early_post_process_client_hello(SSL *s) SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_REQUIRED_CIPHER_MISSING); + OSSL_TRACE_CANCEL(TLS_CIPHER); goto err; } + OSSL_TRACE_END(TLS_CIPHER); } for (loop = 0; loop < clienthello->compressions_len; loop++) { |