summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authornelson%bolyard.com <devnull@localhost>2008-04-27 02:06:05 +0000
committernelson%bolyard.com <devnull@localhost>2008-04-27 02:06:05 +0000
commit8374e172bb832ae3be041581f2bea01be05e0787 (patch)
tree46e5715c8ce60593d8bb0f4fd42631158d2b4966
parentd4ecb1551445aaca8e489f91898b56fe1ec6b9ed (diff)
downloadnss-hg-8374e172bb832ae3be041581f2bea01be05e0787.tar.gz
Bug 420644: Improve SSL tracing of key derivation, r=julien.pierre
-rw-r--r--security/nss/lib/ssl/derive.c65
1 files changed, 43 insertions, 22 deletions
diff --git a/security/nss/lib/ssl/derive.c b/security/nss/lib/ssl/derive.c
index aa3623505..041a66fa5 100644
--- a/security/nss/lib/ssl/derive.c
+++ b/security/nss/lib/ssl/derive.c
@@ -56,20 +56,21 @@
/* make this a macro! */
#ifdef NOT_A_MACRO
static void
-buildSSLKey(unsigned char * keyBlock, unsigned int keyLen, SECItem * result)
+buildSSLKey(unsigned char * keyBlock, unsigned int keyLen, SECItem * result,
+ const char * label)
{
result->type = siBuffer;
result->data = keyBlock;
result->len = keyLen;
- PRINT_BUF(100, (NULL, "key value", keyBlock, keyLen));
+ PRINT_BUF(100, (NULL, label, keyBlock, keyLen));
}
#else
-#define buildSSLKey(keyBlock, keyLen, result) \
+#define buildSSLKey(keyBlock, keyLen, result, label) \
{ \
(result)->type = siBuffer; \
(result)->data = keyBlock; \
(result)->len = keyLen; \
- PRINT_BUF(100, (NULL, "key value", keyBlock, keyLen)); \
+ PRINT_BUF(100, (NULL, label, keyBlock, keyLen)); \
}
#endif
@@ -230,46 +231,56 @@ ssl3_KeyAndMacDeriveBypass(
* The key_block is partitioned as follows:
* client_write_MAC_secret[CipherSpec.hash_size]
*/
- buildSSLKey(&key_block[i],macSize, &pwSpec->client.write_mac_key_item);
+ buildSSLKey(&key_block[i],macSize, &pwSpec->client.write_mac_key_item, \
+ "Client Write MAC Secret");
i += macSize;
/*
* server_write_MAC_secret[CipherSpec.hash_size]
*/
- buildSSLKey(&key_block[i],macSize, &pwSpec->server.write_mac_key_item);
+ buildSSLKey(&key_block[i],macSize, &pwSpec->server.write_mac_key_item, \
+ "Server Write MAC Secret");
i += macSize;
if (!keySize) {
/* only MACing */
- buildSSLKey(NULL, 0, &pwSpec->client.write_key_item);
- buildSSLKey(NULL, 0, &pwSpec->server.write_key_item);
- buildSSLKey(NULL, 0, &pwSpec->client.write_iv_item);
- buildSSLKey(NULL, 0, &pwSpec->server.write_iv_item);
+ buildSSLKey(NULL, 0, &pwSpec->client.write_key_item, \
+ "Client Write Key (MAC only)");
+ buildSSLKey(NULL, 0, &pwSpec->server.write_key_item, \
+ "Server Write Key (MAC only)");
+ buildSSLKey(NULL, 0, &pwSpec->client.write_iv_item, \
+ "Client Write IV (MAC only)");
+ buildSSLKey(NULL, 0, &pwSpec->server.write_iv_item, \
+ "Server Write IV (MAC only)");
} else if (!isExport) {
/*
** Generate Domestic write keys and IVs.
** client_write_key[CipherSpec.key_material]
*/
- buildSSLKey(&key_block[i], keySize, &pwSpec->client.write_key_item);
+ buildSSLKey(&key_block[i], keySize, &pwSpec->client.write_key_item, \
+ "Domestic Client Write Key");
i += keySize;
/*
** server_write_key[CipherSpec.key_material]
*/
- buildSSLKey(&key_block[i], keySize, &pwSpec->server.write_key_item);
+ buildSSLKey(&key_block[i], keySize, &pwSpec->server.write_key_item, \
+ "Domestic Server Write Key");
i += keySize;
if (IVSize > 0) {
/*
** client_write_IV[CipherSpec.IV_size]
*/
- buildSSLKey(&key_block[i], IVSize, &pwSpec->client.write_iv_item);
+ buildSSLKey(&key_block[i], IVSize, &pwSpec->client.write_iv_item, \
+ "Domestic Client Write IV");
i += IVSize;
/*
** server_write_IV[CipherSpec.IV_size]
*/
- buildSSLKey(&key_block[i], IVSize, &pwSpec->server.write_iv_item);
+ buildSSLKey(&key_block[i], IVSize, &pwSpec->server.write_iv_item, \
+ "Domestic Server Write IV");
i += IVSize;
}
PORT_Assert(i <= block_bytes);
@@ -290,7 +301,8 @@ ssl3_KeyAndMacDeriveBypass(
MD5_Update(md5Ctx, crsr.data, crsr.len);
MD5_End(md5Ctx, key_block2, &outLen, MD5_LENGTH);
i += effKeySize;
- buildSSLKey(key_block2, keySize, &pwSpec->client.write_key_item);
+ buildSSLKey(key_block2, keySize, &pwSpec->client.write_key_item, \
+ "SSL3 Export Client Write Key");
key_block2 += keySize;
/*
@@ -303,7 +315,8 @@ ssl3_KeyAndMacDeriveBypass(
MD5_Update(md5Ctx, srcr.data, srcr.len);
MD5_End(md5Ctx, key_block2, &outLen, MD5_LENGTH);
i += effKeySize;
- buildSSLKey(key_block2, keySize, &pwSpec->server.write_key_item);
+ buildSSLKey(key_block2, keySize, &pwSpec->server.write_key_item, \
+ "SSL3 Export Server Write Key");
key_block2 += keySize;
PORT_Assert(i <= block_bytes);
@@ -315,7 +328,8 @@ ssl3_KeyAndMacDeriveBypass(
MD5_Begin(md5Ctx);
MD5_Update(md5Ctx, crsr.data, crsr.len);
MD5_End(md5Ctx, key_block2, &outLen, MD5_LENGTH);
- buildSSLKey(key_block2, IVSize, &pwSpec->client.write_iv_item);
+ buildSSLKey(key_block2, IVSize, &pwSpec->client.write_iv_item, \
+ "SSL3 Export Client Write IV");
key_block2 += IVSize;
/*
@@ -325,7 +339,8 @@ ssl3_KeyAndMacDeriveBypass(
MD5_Begin(md5Ctx);
MD5_Update(md5Ctx, srcr.data, srcr.len);
MD5_End(md5Ctx, key_block2, &outLen, MD5_LENGTH);
- buildSSLKey(key_block2, IVSize, &pwSpec->server.write_iv_item);
+ buildSSLKey(key_block2, IVSize, &pwSpec->server.write_iv_item, \
+ "SSL3 Export Server Write IV");
key_block2 += IVSize;
}
@@ -354,7 +369,8 @@ ssl3_KeyAndMacDeriveBypass(
if (status != SECSuccess) {
goto key_and_mac_derive_fail;
}
- buildSSLKey(key_block2, keySize, &pwSpec->client.write_key_item);
+ buildSSLKey(key_block2, keySize, &pwSpec->client.write_key_item, \
+ "TLS Export Client Write Key");
key_block2 += keySize;
/*
@@ -372,7 +388,8 @@ ssl3_KeyAndMacDeriveBypass(
if (status != SECSuccess) {
goto key_and_mac_derive_fail;
}
- buildSSLKey(key_block2, keySize, &pwSpec->server.write_key_item);
+ buildSSLKey(key_block2, keySize, &pwSpec->server.write_key_item, \
+ "TLS Export Server Write Key");
key_block2 += keySize;
/*
@@ -389,8 +406,12 @@ ssl3_KeyAndMacDeriveBypass(
if (status != SECSuccess) {
goto key_and_mac_derive_fail;
}
- buildSSLKey(key_block2, IVSize, &pwSpec->client.write_iv_item);
- buildSSLKey(key_block2 + IVSize, IVSize, &pwSpec->server.write_iv_item);
+ buildSSLKey(key_block2, IVSize, \
+ &pwSpec->client.write_iv_item, \
+ "TLS Export Client Write IV");
+ buildSSLKey(key_block2 + IVSize, IVSize, \
+ &pwSpec->server.write_iv_item, \
+ "TLS Export Server Write IV");
key_block2 += 2 * IVSize;
}
PORT_Assert(key_block2 - key_block <= sizeof pwSpec->key_block);