From 72601be38a151beb33a6929bfa83a872e8786558 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Wed, 16 Jan 2019 15:12:33 +0000
Subject: [PATCH] GnuTLS: Debug output keying info. OpenSSL: TLS1.2 keying.

---
 src/src/tls-gnu.c | 40 ++++++++++++++++++++++++++++++++++++++--
 src/src/tls-openssl.c | 27 +++++++++++++++++++++++----
 2 files changed, 61 insertions(+), 6 deletions(-)

diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 6d60409d7..199b90d94 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1991,6 +1991,18 @@ return 0;
 #endif
 
 
+static gstring *
+ddump(gnutls_datum_t * d)
+{
+gstring * g = string_get((d->size+1) * 2);
+uschar * s = d->data;
+for (unsigned i = d->size; i > 0; i--, s++)
+  {
+  g = string_catn(g, US "0123456789abcdef" + (*s >> 4), 1);
+  g = string_catn(g, US "0123456789abcdef" + (*s & 0xf), 1);
+  }
+return g;
+}
 
 /* ------------------------------------------------------------------------ */
 /* Exported functions */
@@ -2138,7 +2150,19 @@ if (rc != GNUTLS_E_SUCCESS)
   return FAIL;
   }
 
-DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
+DEBUG(D_tls)
+  {
+  gnutls_datum_t c, s;
+  gstring * gc, * gs;
+  debug_printf("gnutls_handshake was successful\n");
+  debug_printf("%s\n", gnutls_session_get_desc(state->session));
+
+  gnutls_session_get_random(state->session, &c, &s);
+  gnutls_session_get_master_secret(state->session, &s);
+  gc = ddump(&c);
+  gs = ddump(&s);
+  debug_printf("CLIENT_RANDOM %.*s %.*s\n", (int)gc->ptr, gc->s, (int)gs->ptr, gs->s);
+  }
 
 /* Verify after the fact */
 
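Review bot: ddump has no header comment and nothing in it writes a terminating NUL after the hex digits, so the returned gstring is only usable as a length-counted buffer; the two call sites in this commit do that correctly via `%.*s` with `gc->ptr`, but the contract should be stated so a later caller does not hand `gc->s` to a plain `%s`. Suggest `/* Hex-encode a datum into a fresh gstring. The result is NOT nul-terminated; use g->ptr as its length. */` above the definition, and `const gnutls_datum_t * d` in the signature since the datum is only read. The digit table is also spelled out twice; a single local `static const uschar hex[] = "0123456789abcdef";` used by both string_catn calls would remove the duplication.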
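Review bot: The string returned by gnutls_session_get_desc() at `debug_printf("%s\n", gnutls_session_get_desc(state->session));` is allocated by GnuTLS and must be released with gnutls_free(), so this leaks one allocation per debug-enabled handshake; the identical line appears in the client-side hunk at -2447. Suggest `char * desc = gnutls_session_get_desc(state->session);` / `debug_printf("%s\n", desc);` / `gnutls_free(desc);`. Separately, the block emits the session master secret to the debug stream under the generic D_tls selector, so anyone who turns on TLS debugging (for instance to attach output to a bug report) now discloses a value that decrypts the captured session; at minimum mark the line with a comment such as `/* NOTE: prints session key material - treat TLS debug output from real connections as sensitive */`, and a dedicated selector for key logging would be worth considering. Reusing `s` first for the server random and then for the master secret also reads awkwardly; a separate `gnutls_datum_t srv;` for the discarded value would make the CLIENT_RANDOM line self-explanatory. The enclosing function continues outside the hunk.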
@@ -2447,7 +2471,19 @@ if (rc != GNUTLS_E_SUCCESS)
   return NULL;
   }
 
-DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
+DEBUG(D_tls)
+  {
+  gnutls_datum_t c, s;
+  gstring * gc, * gs;
+  debug_printf("gnutls_handshake was successful\n");
+  debug_printf("%s\n", gnutls_session_get_desc(state->session));
+
+  gnutls_session_get_random(state->session, &c, &s);
+  gnutls_session_get_master_secret(state->session, &s);
+  gc = ddump(&c);
+  gs = ddump(&s);
+  debug_printf("CLIENT_RANDOM %.*s %.*s\n", (int)gc->ptr, gc->s, (int)gs->ptr, gs->s);
+  }
 
 /* Verify late */
 
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 169cf564f..5353d2ce7 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -2302,16 +2302,25 @@ and initialize things. */
 
 peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
 
-construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
-tls_in.cipher = cipherbuf;
-
 DEBUG(D_tls)
   {
   uschar buf[2048];
+  BIO * bp = BIO_new(BIO_s_mem());
+  uschar * s;
+  int len;
+
   if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
     debug_printf("Shared ciphers: %s\n", buf);
+
+  SSL_SESSION_print_keylog(bp, SSL_get_session(server_ssl));
+  len = (int) BIO_get_mem_data(bp, CSS &s);
+  debug_printf("%.*s", len, s);
+  BIO_free(bp);
   }
 
+construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
+tls_in.cipher = cipherbuf;
+
 /* Record the certificate we presented */
   {
   X509 * crt = SSL_get_certificate(server_ssl);
@@ -2678,7 +2687,17 @@ if (rc <= 0)
   return NULL;
   }
 
-DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
+DEBUG(D_tls)
+  {
+  BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
+  uschar * s;
+  int len;
+  debug_printf("SSL_connect succeeded\n");
+  SSL_SESSION_print_keylog(bp, SSL_get_session(exim_client_ctx->ssl));
+  len = (int) BIO_get_mem_data(bp, CSS &s);
+  debug_printf("%.*s", len, s);
+  BIO_free(bp);
+  }
 
 peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
 
-- 
2.25.1
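Review bot: In the server-side hunk at -2302, `BIO * bp = BIO_new(BIO_s_mem());` is never checked for NULL before SSL_SESSION_print_keylog and BIO_get_mem_data are called on it; as far as I can tell a NULL bp leaves `len` at 0 but `s` is then passed to debug_printf uninitialized. Wrapping the three keylog lines in `if (bp)` closes that, and BIO_free can stay unconditional since it accepts NULL. The keylog line written here is the session master key, i.e. a decryption key for any capture of the connection, and it is emitted under the generic D_tls selector; the "TLS1.2 keying" qualifier from the subject should be recorded at the call, e.g. `/* Keylog for TLS1.2 and earlier only; this prints session key material, so treat TLS debug output as sensitive */`. The enclosing function continues outside the hunk.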
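Review bot: In the client-side hunk at -2678, `BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);` creates a file BIO, but the following `BIO_get_mem_data(bp, CSS &s)` is a memory-BIO query: on a file BIO it does not set `s`, so `s` reaches debug_printf uninitialized and `len` is whatever that BIO returns for the ctrl rather than the keylog length. SSL_SESSION_print_keylog has in any case already written straight to debug_file through the fp BIO, so even a working second print would duplicate the line. Use a memory BIO as the server-side hunk at -2302 does, `BIO * bp = BIO_new(BIO_s_mem());`, with the same NULL check. The keying-material caveat applies here too: this prints the session master key whenever TLS debugging is enabled, and the enclosing function continues outside the hunk.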