MINOR: ssl: Add curves in ssl traces

Dump the ClientHello curves in the SSL traces.
This commit is contained in:
Remi Tricot-Le Breton 2025-07-15 10:45:09 +02:00 committed by William Lallemand
parent 046df68fde
commit a0829aba7a
3 changed files with 57 additions and 8 deletions


@ -23,6 +23,7 @@ extern struct trace_source trace_ssl;
#define SSL_EV_CONN_CHOOSE_SNI_CTX (1ULL << 13)
#define SSL_EV_CONN_SIGALG_EXT (1ULL << 14)
#define SSL_EV_CONN_CIPHERS_EXT (1ULL << 15)
#define SSL_EV_CONN_CURVES_EXT (1ULL << 16)
#define SSL_VERB_CLEAN 1


@ -346,18 +346,35 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
has_rsa_sig = 1;
}
if ((TRACE_SOURCE)->verbosity > SSL_VERB_ADVANCED &&
TRACE_ENABLED(TRACE_LEVEL_DATA, SSL_EV_CONN_CIPHERS_EXT, conn, 0, 0, 0)) {
const uint8_t *cipher_suites;
size_t len;
if ((TRACE_SOURCE)->verbosity > SSL_VERB_ADVANCED) {
if (TRACE_ENABLED(TRACE_LEVEL_DATA, SSL_EV_CONN_CIPHERS_EXT, conn, 0, 0, 0)) {
const uint8_t *cipher_suites;
size_t len;
#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
len = ctx->cipher_suites_len;
cipher_suites = ctx->cipher_suites;
len = ctx->cipher_suites_len;
cipher_suites = ctx->cipher_suites;
#else
len = SSL_client_hello_get0_ciphers(ssl, &cipher_suites);
len = SSL_client_hello_get0_ciphers(ssl, &cipher_suites);
#endif
TRACE_DATA("Ciphers value", SSL_EV_CONN_CIPHERS_EXT, conn, ssl, cipher_suites, &len);
TRACE_DATA("Ciphers value", SSL_EV_CONN_CIPHERS_EXT, conn, ssl, cipher_suites, &len);
}
if (TRACE_ENABLED(TRACE_LEVEL_DATA, SSL_EV_CONN_CURVES_EXT, conn, 0, 0, 0)) {
const uint8_t *extension_data;
size_t extension_len;
#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
if (SSL_early_callback_ctx_extension_get(ctx, TLSEXT_TYPE_supported_groups,
&extension_data, &extension_len)) {
#else
if (SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_elliptic_curves,
&extension_data, &extension_len)) {
#endif
if (extension_len)
TRACE_DATA("Elliptic curves", SSL_EV_CONN_CURVES_EXT, conn, extension_data, &extension_len);
}
}
}
if (has_ecdsa_sig) { /* in very rare case: has ecdsa sign but not a ECDSA cipher */
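Review bot: The buffer handed to TRACE_DATA on the `TRACE_DATA("Elliptic curves", ...)` line is the raw body of the supported_groups extension, which on the wire is a NamedGroupList: a 2-byte list length followed by the uint16 group ids (RFC 8422 §5.1.1, RFC 8446 §4.2.7); neither SSL_client_hello_get0_ext() nor SSL_early_callback_ctx_extension_get() strips that prefix, so the trace consumer will decode the length word as the first "curve" (a 5-entry list prints as 0x000A, i.e. sect163r2). The caller should skip the two prefix bytes, check that the prefix agrees with the remaining length, and only then trace the list; `if (extension_len)` alone does not protect against a truncated or inconsistent list coming from the peer. Since this is trace-only data, an inconsistent list should simply not be traced rather than abort the handshake — the library validates the extension itself. ssl_sock_switchctx_cbk starts and ends outside this hunk.
```c
#endif
				/* NamedGroupList: 2-byte list length, then uint16 group ids
				 * (RFC 8422 5.1.1, RFC 8446 4.2.7). Skip the prefix so the
				 * trace does not decode the length as a group id, and only
				 * trace a list whose prefix matches the extension length.
				 */
				if (extension_len >= 2) {
					size_t list_len = ((size_t)extension_data[0] << 8) | extension_data[1];

					extension_data += 2;
					extension_len -= 2;
					if (list_len == extension_len && extension_len)
						TRACE_DATA("Elliptic curves", SSL_EV_CONN_CURVES_EXT, conn, extension_data, &extension_len);
				}
			}
```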


@ -42,6 +42,7 @@ static const struct trace_event ssl_trace_events[] = {
{ .mask = SSL_EV_CONN_CHOOSE_SNI_CTX, .name = "sslc_choose_sni_ctx", .desc = "SSL choose sni context"},
{ .mask = SSL_EV_CONN_SIGALG_EXT, .name = "sslc_sigalg_ext", .desc = "SSL sigalg extension parsing"},
{ .mask = SSL_EV_CONN_CIPHERS_EXT, .name = "sslc_ciphers_ext", .desc = "SSL ciphers extension parsing"},
{ .mask = SSL_EV_CONN_CURVES_EXT, .name = "sslc_curves_ext", .desc = "SSL curves extension parsing"},
{ }
};
@ -275,5 +276,35 @@ static void ssl_trace(enum trace_level level, uint64_t mask, const struct trace_
}
}
}
if (mask & SSL_EV_CONN_CURVES_EXT && src->verbosity > SSL_VERB_ADVANCED) {
if (a2 && a3) {
const uint16_t *extension_data = a2;
size_t extension_len = *((size_t*)a3);
int first = 1;
chunk_appendf(&trace_buf, " value=");
while (extension_len > 1) {
const char *curve_name = curveid2str(ntohs(*extension_data));
if (curve_name) {
chunk_appendf(&trace_buf, "%s%s(0x%02X%02X)", first ? "" : ":", curve_name,
((uint8_t*)extension_data)[0],
((uint8_t*)extension_data)[1]);
} else {
chunk_appendf(&trace_buf, "%s0x%02X%02X",
first ? "" : ":",
((uint8_t*)extension_data)[0],
((uint8_t*)extension_data)[1]);
}
first = 0;
extension_len-=sizeof(*extension_data);
++extension_data;
}
}
}
}
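Review bot: `ntohs(*extension_data)` in the while loop performs a 2-byte load through a `const uint16_t *` that was built from a byte pointer into the ClientHello; the extension body is not guaranteed to start on an even offset (variable-length session id, cipher list and compression fields precede it), so this is a potentially misaligned access — undefined behaviour in C and a fault on strict-alignment targets. The two bytes are already fetched individually for the hex output, so build the id from them instead: `const uint8_t *p = (const uint8_t *)extension_data;` then `const char *curve_name = curveid2str((p[0] << 8) | p[1]);` and use `p[0]`, `p[1]` in both chunk_appendf() calls, which also removes the const-discarding `(uint8_t*)` casts. The `extension_len > 1` condition silently drops a trailing odd byte of attacker-supplied data; that is acceptable for a trace but deserves a comment such as `/* a trailing odd byte is a malformed list; ignore it, the library rejects it */`. ssl_trace begins outside this hunk.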