| 1 diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con
.c |
| 2 index f714a98..886d45b 100644 |
| 3 --- a/net/third_party/nss/ssl/ssl3con.c |
| 4 +++ b/net/third_party/nss/ssl/ssl3con.c |
| 5 @@ -4832,16 +4832,17 @@ sendRSAClientKeyExchange(sslSocket * ss, SECKEYPublicKey
* svrPubKey) |
| 6 goto loser; |
| 7 } |
| 8 |
| 9 -#if defined(TRACE) |
| 10 - if (ssl_trace >= 100 || ssl_keylog_iob) { |
| 11 + if (ssl_keylog_iob) { |
| 12 SECStatus extractRV = PK11_ExtractKeyValue(pms); |
| 13 if (extractRV == SECSuccess) { |
| 14 SECItem * keyData = PK11_GetKeyData(pms); |
| 15 if (keyData && keyData->data && keyData->len) { |
| 16 +#ifdef TRACE |
| 17 if (ssl_trace >= 100) { |
| 18 ssl_PrintBuf(ss, "Pre-Master Secret", |
| 19 keyData->data, keyData->len); |
| 20 } |
| 21 +#endif |
| 22 if (ssl_keylog_iob && enc_pms.len >= 8 && keyData->len == 48) { |
| 23 /* https://developer.mozilla.org/en/NSS_Key_Log_Format */ |
| 24 |
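Review bot: The new outer guard `if (ssl_keylog_iob)` on line 11 makes the `ssl_keylog_iob &&` in the condition on line 22 redundant now that the trace-only part has moved inside its own `#ifdef TRACE`; `if (enc_pms.len >= 8 && keyData->len == 48) {` says the same thing. The more consequential effect of dropping `#if defined(TRACE)` is that PK11_ExtractKeyValue on the pre-master secret and the keylog write that presumably follows line 23 are now compiled into every build, so a release build will export the pre-master secret whenever SSLKEYLOGFILE is set; a comment above line 11 such as `/* Key logging is a runtime opt-in via SSLKEYLOGFILE and is no longer limited to TRACE builds. */` makes that visible to the next reader. The same relocation is completed by the `#endif` removal in the following hunk. sendRSAClientKeyExchange starts and ends outside this hunk.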
| 25 @@ -4872,7 +4873,6 @@ sendRSAClientKeyExchange(sslSocket * ss, SECKEYPublicKey *
svrPubKey) |
| 26 } |
| 27 } |
| 28 } |
| 29 -#endif |
| 30 |
| 31 rv = ssl3_InitPendingCipherSpec(ss, pms); |
| 32 PK11_FreeSymKey(pms); pms = NULL; |
| 33 @@ -8984,6 +8984,74 @@ loser: |
| 34 return rv; |
| 35 } |
| 36 |
| 37 +/* called from ssl3_SendFinished |
| 38 + * |
| 39 + * Caller must already hold the SpecReadLock. (wish we could assert that!). |
| 40 + * This function is simply a debugging aid and therefore does not return a |
| 41 + * SECStatus. */ |
| 42 +static void |
| 43 +ssl3_RecordKeyLog(sslSocket *ss) |
| 44 +{ |
| 45 + sslSessionID *sid; |
| 46 + SECStatus rv; |
| 47 + SECItem *keyData; |
| 48 + char buf[14 /* "CLIENT_RANDOM " */ + |
| 49 + 32*2 /* client_random */ + |
| 50 + 1 /* " " */ + |
| 51 + 48*2 /* master secret */ + |
| 52 + 1 /* new line */]; |
| 53 + static const char hextable[16] = "0123456789abcdef"; |
| 54 + unsigned int i, j; |
| 55 + |
| 56 + PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
| 57 + PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 58 + |
| 59 + sid = ss->sec.ci.sid; |
| 60 + |
| 61 + if (!ssl_keylog_iob) |
| 62 + return; |
| 63 + |
| 64 + rv = PK11_ExtractKeyValue(ss->ssl3.cwSpec->master_secret); |
| 65 + if (rv != SECSuccess) |
| 66 + return; |
| 67 + |
| 68 + /* keyData does not need to be freed. */ |
| 69 + keyData = PK11_GetKeyData(ss->ssl3.cwSpec->master_secret); |
| 70 + if (!keyData || !keyData->data || keyData->len != 48) |
| 71 + return; |
| 72 + |
| 73 + /* https://developer.mozilla.org/en/NSS_Key_Log_Format */ |
| 74 + |
| 75 + /* There could be multiple, concurrent writers to the |
| 76 + * keylog, so we have to do everything in a single call to |
| 77 + * fwrite. */ |
| 78 + |
| 79 + memcpy(buf, "CLIENT_RANDOM ", 14); |
| 80 + j = 14; |
| 81 + for (i = 0; i < SSL3_RANDOM_LENGTH; i++) { |
| 82 + buf[j + 2*i] = hextable[ss->ssl3.hs.client_random.rand[i] >> 4]; |
| 83 + buf[j + 2*i + 1] = hextable[ss->ssl3.hs.client_random.rand[i] & 15]; |
| 84 + } |
| 85 + j += SSL3_RANDOM_LENGTH*2; |
| 86 + buf[j++] = ' '; |
| 87 + |
| 88 + for (i = 0; i < 48; i++) { |
| 89 + buf[j + 2*i] = hextable[keyData->data[i] >> 4]; |
| 90 + buf[j + 2*i + 1] = hextable[keyData->data[i] & 15]; |
| 91 + } |
| 92 + j += 48*2; |
| 93 + buf[j++] = '\n'; |
| 94 + |
| 95 + PORT_Assert(j == sizeof(buf)); |
| 96 + |
| 97 + if (fwrite(buf, sizeof(buf), 1, ssl_keylog_iob) != 1 || |
| 98 + fflush(ssl_keylog_iob) != 0) { |
| 99 + return; |
| 100 + } |
| 101 + |
| 102 + return; |
| 103 +} |
| 104 + |
| 105 /* called from ssl3_HandleServerHelloDone |
| 106 * ssl3_HandleClientHello |
| 107 * ssl3_HandleFinished |
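Review bot: The header comment on line 39 says the caller must hold the SpecReadLock, but the asserts on lines 56–57 check ssl_HaveXmitBufLock and ssl_HaveSSL3HandshakeLock, and nothing in the function asserts or takes a spec lock while `ss->ssl3.cwSpec->master_secret` is read on lines 64 and 69; either the comment or the asserts should be corrected so they agree. `sid` on lines 45 and 59 is assigned but never read and can be dropped, and the conditional `return;` on line 99 immediately followed by the bare `return;` on line 102 collapses to a single return, ideally with a comment saying a failed fwrite/fflush is deliberately ignored because this is a debugging aid. The fixed 48-byte hex loop on lines 88–91 is bounded by the `keyData->len != 48` check on line 70, which is correct; the header comment should also state that each line written contains the session's master secret in cleartext, so the file named by SSLKEYLOGFILE has to be handled as key material.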
| 108 @@ -9045,6 +9113,9 @@ ssl3_SendFinished(sslSocket *ss, PRInt32 flags) |
| 109 if (rv != SECSuccess) { |
| 110 goto fail; /* error code set by ssl3_FlushHandshake */ |
| 111 } |
| 112 + |
| 113 + ssl3_RecordKeyLog(ss); |
| 114 + |
| 115 return SECSuccess; |
| 116 |
| 117 fail: |
| 118 diff --git a/net/third_party/nss/ssl/sslsock.c b/net/third_party/nss/ssl/sslsock
.c |
| 119 index 9498828..146493f 100644 |
| 120 --- a/net/third_party/nss/ssl/sslsock.c |
| 121 +++ b/net/third_party/nss/ssl/sslsock.c |
| 122 @@ -2827,6 +2827,13 @@ ssl_SetDefaultsFromEnvironment(void) |
| 123 ssl_trace = atoi(ev); |
| 124 SSL_TRACE(("SSL: tracing set to %d", ssl_trace)); |
| 125 } |
| 126 +#endif /* TRACE */ |
| 127 + ev = getenv("SSLDEBUG"); |
| 128 + if (ev && ev[0]) { |
| 129 + ssl_debug = atoi(ev); |
| 130 + SSL_TRACE(("SSL: debugging set to %d", ssl_debug)); |
| 131 + } |
| 132 +#endif /* DEBUG */ |
| 133 ev = getenv("SSLKEYLOGFILE"); |
| 134 if (ev && ev[0]) { |
| 135 ssl_keylog_iob = fopen(ev, "a"); |
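Review bot: The trace message on line 138, `SSL: logging pre-master secrets to %s`, is no longer accurate: the ssl3_RecordKeyLog added in the ssl3con.c part of this patch writes CLIENT_RANDOM lines carrying the master secret to the same stream, so `SSL_TRACE(("SSL: logging pre-master and master secrets to %s", ev));` describes what the file actually receives. Moving `#endif /* TRACE */` and `#endif /* DEBUG */` above line 133 means SSLKEYLOGFILE is honored by every build rather than only debug ones, and `fopen(ev, "a")` on line 135 creates the file with the process's default umask; a comment before line 133 such as `/* Honored in all builds; the file receives cleartext session secrets, so its location and permissions are the operator's responsibility. */` would record both facts. Whatever checks the fopen result sits in the original lines between gutter 135 and 137, which are not shown; ssl_SetDefaultsFromEnvironment starts and ends outside this hunk.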
| 136 @@ -2836,13 +2843,6 @@ ssl_SetDefaultsFromEnvironment(void) |
| 137 } |
| 138 SSL_TRACE(("SSL: logging pre-master secrets to %s", ev)); |
| 139 } |
| 140 -#endif /* TRACE */ |
| 141 - ev = getenv("SSLDEBUG"); |
| 142 - if (ev && ev[0]) { |
| 143 - ssl_debug = atoi(ev); |
| 144 - SSL_TRACE(("SSL: debugging set to %d", ssl_debug)); |
| 145 - } |
| 146 -#endif /* DEBUG */ |
| 147 ev = getenv("SSLBYPASS"); |
| 148 if (ev && ev[0]) { |
| 149 ssl_defaults.bypassPKCS11 = (ev[0] == '1'); |