420644 - Improve SSL tracing of key derivation

Status: RESOLVED FIXED

(NSS :: Libraries, enhancement, P3)

Description

[Nelson Bolyard (seldom reads bugmail)]

Attachment: enhance the labeling of SSL key derivation

When we converted NSS to use PKCS#11 exclusively for crypto, a lot of the 
original tracing capability of NSS, done in the context of libSSL, was lost.
It was no longer possible to trace key values, because they were not seen 
outside of the PKCS#11 token.

When I implemented SSL Bypass, it became possible (again) to trace the 
derived key values.  I put some SSL tracing back into the bypass functions
that derive keys, in lib/ssl/derive.c, but I did a minimal job of it.

Now, there's been a request to restore that tracing back to its former glory.
The attached patch is a start in that direction.

With this patch, I was able to trace an SSL handshake, including key derivation
with the following set of shell commands:

SSLDEBUGFILE=/tmp/sslTrace.txt
SSLBYPASS=1
SSLTRACE=127
SSLDEBUG=127
tstclnt -vvv -2B -h www.microsoft.com -f -c depruvxy < stdin.txt

Where stdin.txt is a two-line file containing these lines:
----- two lines are below ------
GET / HTTP/1.0

---- the two lines are above this one ----

Comment 1

[Nelson Bolyard (seldom reads bugmail)]

Comment on attachment 306958 [details] [diff] [review]
enhance the labeling of SSL key derivation

Julien, please review

Comment 2

[Nelson Bolyard (seldom reads bugmail)]

Thanks for the review.

Checking in lib/ssl/derive.c; new revision: 1.10; previous revision: 1.9