Bug 420644 - Improve SSL tracing of key derivation
Product: NSS
Classification: Components
Component: Libraries
Version: 3.4
Platform: All All
Importance: P3 enhancement
Target Milestone: 3.12.1
Assigned To: Nelson Bolyard (seldom reads bugmail)
Reported: 2008-03-02 17:07 PST by Nelson Bolyard (seldom reads bugmail)
Modified: 2008-04-26 19:10 PDT

enhance the labeling of SSL key derivation (8.69 KB, patch)
2008-03-02 17:07 PST, Nelson Bolyard (seldom reads bugmail)
julien.pierre: review+

Description Nelson Bolyard (seldom reads bugmail) 2008-03-02 17:07:39 PST
Created attachment 306958
enhance the labeling of SSL key derivation

When we converted NSS to use PKCS#11 exclusively for crypto, a lot of the 
original tracing capability of NSS, done in the context of libSSL, was lost.
It was no longer possible to trace key values, because they were not seen 
outside of the PKCS#11 token.

When I implemented SSL Bypass, it became possible (again) to trace the 
derived key values.  I put some SSL tracing back into the bypass functions
that derive keys, in lib/ssl/derive.c, but I did a minimal job of it.

Now, there's been a request to restore that tracing back to its former glory.
The attached patch is a start in that direction.

With this patch, I was able to trace an SSL handshake, including key derivation,
with the following set of shell commands:

tstclnt -vvv -2B -h -f -c depruvxy < stdin.txt

Where stdin.txt is a two-line file containing these lines:
----- two lines are below ------
GET / HTTP/1.0

---- the two lines are above this one ----

Comment 1 Nelson Bolyard (seldom reads bugmail) 2008-04-01 20:44:24 PDT
Comment on attachment 306958
enhance the labeling of SSL key derivation

Julien, please review

Comment 2 Nelson Bolyard (seldom reads bugmail) 2008-04-26 19:06:36 PDT
Thanks for the review.

Checking in lib/ssl/derive.c; new revision: 1.10; previous revision: 1.9
