From c56d7edfabe6403ac8f762df977598179cc58194 Mon Sep 17 00:00:00 2001 From: Zhi Guan Date: Fri, 12 Jun 2026 14:23:56 +0800 Subject: [PATCH] Update TLS -verbose options --- include/gmssl/tls.h | 4 +- src/tlcp.c | 87 ++++++++------- src/tls.c | 63 ++++++++--- src/tls12.c | 210 ++++++++++++++++++++--------------- src/tls13.c | 254 ++++++++++++++++++++++--------------------- tools/tlcp_client.c | 15 ++- tools/tlcp_server.c | 10 +- tools/tls12_client.c | 10 +- tools/tls12_server.c | 10 +- tools/tls13_client.c | 10 +- tools/tls13_server.c | 10 +- 11 files changed, 403 insertions(+), 280 deletions(-) diff --git a/include/gmssl/tls.h b/include/gmssl/tls.h index 106cf070..fd1fb123 100644 --- a/include/gmssl/tls.h +++ b/include/gmssl/tls.h @@ -775,7 +775,6 @@ typedef struct { typedef struct { int is_client; - int quiet; int verbose; int protocol; @@ -939,6 +938,7 @@ int tls_ctx_add_certificate_list_and_key(TLS_CTX *ctx, const char *chainfile, const char *keyfile, const char *keypass); +int tls_ctx_set_verbose(TLS_CTX *ctx, int verbose); int tls_ctx_enable_verbose(TLS_CTX *ctx, int enable); int tls_ctx_enable_trusted_ca_keys(TLS_CTX *ctx, int enable); @@ -1020,6 +1020,7 @@ typedef struct { tls_socket_t sock; TLS_CTX *ctx; + int verbose; // states for state machines int handshake_state; @@ -1513,6 +1514,7 @@ void tls_clean_record(TLS_CONNECT *conn); int tls_print_record(FILE *fp, int fmt, int ind, const char *label, TLS_CONNECT *conn); int tls_init(TLS_CONNECT *conn, TLS_CTX *ctx); +int tls_set_verbose(TLS_CONNECT *conn, int verbose); int tls_set_hostname(TLS_CONNECT *conn, const char *hostname); int tls_set_socket(TLS_CONNECT *conn, tls_socket_t sock); diff --git a/src/tlcp.c b/src/tlcp.c index 13939a7a..cc8348fe 100644 --- a/src/tlcp.c +++ b/src/tlcp.c 
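Review bot: The new `int tls_ctx_set_verbose(TLS_CTX *ctx, int verbose);` prototype is added without any comment on what the levels mean, although the rest of this patch makes the accepted range 0..5 and reserves level 5 for dumping the pre-master/master secret and write keys to stderr. A header comment should say so, e.g. `/* verbose: 0 = silent, 1-4 = handshake/record tracing on stderr, 5 = additionally dumps master secret and traffic keys; never use outside a debugging session */`. Separately, dropping `int quiet;` from `TLS_CTX` and inserting `int verbose;` into `TLS_CONNECT` change the layout of both public structs, so if libgmssl is consumed as a shared library this is presumably an ABI break that needs a soname or version bump.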
@@ -390,14 +390,14 @@ int tlcp_send_client_hello(TLS_CONNECT *conn) return -1; } - tls_trace("send ClientHello\n"); + if(conn->verbose) tls_trace("send ClientHello\n"); tlcp_record_print(stderr, 0, 0, conn->record, conn->recordlen); if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) { error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "ClientHello", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ClientHello", &conn->dgst_ctx); if (conn->client_certificate_verify) { sm2_sign_update(&conn->sign_ctx, conn->record + 5, conn->recordlen - 5); @@ -436,7 +436,7 @@ int tlcp_recv_server_hello(TLS_CONNECT *conn) size_t application_layer_protocol_negotiation_len; - tls_trace("recv ServerHello\n"); + if(conn->verbose) tls_trace("recv ServerHello\n"); if ((ret = tls_recv_record(conn)) != 1) { if (ret != TLS_ERROR_RECV_AGAIN) { @@ -611,7 +611,7 @@ int tlcp_recv_server_hello(TLS_CONNECT *conn) error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "ServerHello", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerHello", &conn->dgst_ctx); if (conn->client_certs_len) { sm2_sign_update(&conn->sign_ctx, conn->record + 5, conn->recordlen - 5); @@ -627,7 +627,7 @@ int tlcp_recv_server_certificate(TLS_CONNECT *conn) const uint8_t *server_cert; size_t server_cert_len; - tls_trace("recv server Certificate\n"); + if(conn->verbose) tls_trace("recv server Certificate\n"); if ((ret = tls_recv_record(conn)) != 1) { if (ret != TLS_ERROR_RECV_AGAIN) { @@ -647,7 +647,7 @@ int tlcp_recv_server_certificate(TLS_CONNECT *conn) error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "Certificate", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "Certificate", &conn->dgst_ctx); if (conn->client_certs_len) { 
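Review bot: In `tlcp_send_client_hello` the `tls_trace("send ClientHello\n")` is now gated on `conn->verbose`, but the very next line `tlcp_record_print(stderr, 0, 0, conn->record, conn->recordlen);` is left unconditional, so a connection with verbose = 0 still dumps the full ClientHello record to stderr. The gate should cover it as well: `if (conn->verbose) tlcp_record_print(stderr, 0, 0, conn->record, conn->recordlen);`. The server side in `tlcp_send_server_hello` does gate its `tlcp_record_trace` call, so this is also an inconsistency between the two halves. The body of `tlcp_send_client_hello` begins before this hunk.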
@@ -722,7 +722,7 @@ int tlcp_recv_server_key_exchange(TLS_CONNECT *conn) SM2_VERIFY_CTX verify_ctx; - tls_trace("recv ServerKeyExchange\n"); + if(conn->verbose) tls_trace("recv ServerKeyExchange\n"); if ((ret = tls_recv_record(conn)) != 1) { if (ret != TLS_ERROR_RECV_AGAIN) { @@ -749,7 +749,7 @@ int tlcp_recv_server_key_exchange(TLS_CONNECT *conn) return -1; } - tls_handshake_digest_print(stderr, 0, 0, "ServerKeyExchange", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerKeyExchange", &conn->dgst_ctx); // verify ServerKeyExchange if (x509_certs_get_cert_by_index(conn->peer_cert_chain, conn->peer_cert_chain_len, 0, &cp, &len) != 1 @@ -840,13 +840,15 @@ int tlcp_recv_certificate_request(TLS_CONNECT *conn) if (handshake_type != TLS_handshake_certificate_request) { conn->client_certs_len = 0; - fprintf(stderr, "%s %d: no certificate_request\n", __FILE__, __LINE__); - fprintf(stderr, "recordlen = %zu\n", conn->recordlen); + if(conn->verbose) { + fprintf(stderr, "%s %d: no certificate_request\n", __FILE__, __LINE__); + fprintf(stderr, "recordlen = %zu\n", conn->recordlen); + } return 0; // 表明对方没有发送预期的报文 } - tls_trace("recv CertificateRequest\n"); + if(conn->verbose) tls_trace("recv CertificateRequest\n"); tlcp_record_print(stderr, 0, 0, conn->record, conn->recordlen); if (tls_record_get_handshake_certificate_request(conn->record, @@ -880,7 +882,7 @@ int tlcp_recv_certificate_request(TLS_CONNECT *conn) return -1; } - tls_handshake_digest_print(stderr, 0, 0, "CertificateRequest", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "CertificateRequest", &conn->dgst_ctx); sm2_sign_update(&conn->sign_ctx, conn->record + 5, conn->recordlen - 5); 
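Review bot: `tlcp_recv_certificate_request` gates `tls_trace("recv CertificateRequest\n")` but the following `tlcp_record_print(stderr, 0, 0, conn->record, conn->recordlen);` stays unconditional, so the CertificateRequest record, including the server's CA name list, is still written to stderr when verbose is 0. Wrap it the same way as the trace: `if (conn->verbose) tlcp_record_print(stderr, 0, 0, conn->record, conn->recordlen);`. The function continues beyond this hunk.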
@@ -892,7 +894,7 @@ int tlcp_recv_certificate_request(TLS_CONNECT *conn) int tlcp_recv_server_hello_done(TLS_CONNECT *conn) { int ret; - tls_trace("recv ServerHelloDone\n"); + if(conn->verbose) tls_trace("recv ServerHelloDone\n"); if ((ret = tls_recv_record(conn)) != 1) { if (ret != TLS_ERROR_RECV_AGAIN) { @@ -917,7 +919,7 @@ int tlcp_recv_server_hello_done(TLS_CONNECT *conn) error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "ServerHelloDone", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerHelloDone", &conn->dgst_ctx); @@ -934,7 +936,7 @@ int tlcp_recv_server_hello_done(TLS_CONNECT *conn) int tlcp_send_client_certificate(TLS_CONNECT *conn) { int ret; - tls_trace("send client Certificate\n"); + if(conn->verbose) tls_trace("send client Certificate\n"); // 如果我们没有证书,并且也没有设置optional,那么就得返回错误了 @@ -961,7 +963,7 @@ int tlcp_send_client_certificate(TLS_CONNECT *conn) error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "client Certificate", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "client Certificate", &conn->dgst_ctx); sm2_sign_update(&conn->sign_ctx, conn->record + 5, conn->recordlen - 5); @@ -985,7 +987,7 @@ int tlcp_send_client_key_exchange(TLS_CONNECT *conn) size_t enced_pre_master_secret_len; int ret; - tls_trace("send ClientKeyExchange\n"); + if(conn->verbose) tls_trace("send ClientKeyExchange\n"); if (!conn->recordlen) { if (tls_pre_master_secret_generate(conn->pre_master_secret, TLS_protocol_tlcp) != 1) { @@ -1007,7 +1009,7 @@ int tlcp_send_client_key_exchange(TLS_CONNECT *conn) error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "ClientKeyExchange", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ClientKeyExchange", &conn->dgst_ctx); } if ((ret = tls_send_record(conn)) != 1) { 
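Review bot: Style: the new `if(conn->verbose) tls_trace("recv ServerHelloDone\n");` drops the space after `if` and the braces that every neighbouring conditional in this file uses (`if ((ret = tls_recv_record(conn)) != 1) {`), and the same one-liner is now repeated dozens of times across tlcp.c, tls12.c and tls13.c. A single helper would keep the formatting uniform and make any future change to the gating a one-line edit, e.g. `#define tls_trace_v(conn, ...) do { if ((conn)->verbose) tls_trace(__VA_ARGS__); } while (0)`. The same applies to the `tls_handshake_digest_print` gates added below it.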
@@ -1042,7 +1044,7 @@ int tlcp_send_certificate_verify(TLS_CONNECT *conn) uint8_t sig[SM2_MAX_SIGNATURE_SIZE]; size_t siglen; - tls_trace("send CertificateVerify\n"); + if(conn->verbose) tls_trace("send CertificateVerify\n"); // 这句应该是没用的 if (!conn->client_certificate_verify) { @@ -1083,7 +1085,7 @@ int tlcp_send_client_finished(TLS_CONNECT *conn) if (conn->recordlen == 0) { uint8_t verify_data[12]; - tls_trace("send client {Finished}\n"); + if(conn->verbose) tls_trace("send client {Finished}\n"); if (tls_compute_verify_data(conn->master_secret, "client finished", &conn->dgst_ctx, verify_data) != 1) { @@ -1107,7 +1109,7 @@ int tlcp_send_client_finished(TLS_CONNECT *conn) error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "client Finished", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "client Finished", &conn->dgst_ctx); if (tlcp_record_encrypt(conn->cipher_suite, @@ -1145,7 +1147,7 @@ int tlcp_recv_server_finished(TLS_CONNECT *conn) uint8_t local_verify_data[12]; - tls_trace("recv server {Finished}\n"); + if(conn->verbose) tls_trace("recv server {Finished}\n"); if ((ret = tls_recv_record(conn)) != 1) { if (ret != TLS_ERROR_RECV_AGAIN) { @@ -1199,7 +1201,7 @@ int tlcp_recv_server_finished(TLS_CONNECT *conn) return -1; } - if (!conn->ctx->quiet) + if(conn->verbose) fprintf(stderr, "Connection established!\n"); @@ -1336,7 +1338,7 @@ int tlcp_recv_client_hello(TLS_CONNECT *conn) tls_client_verify_init(&conn->client_verify_ctx); */ - tls_trace("recv ClientHello\n"); + if(conn->verbose) tls_trace("recv ClientHello\n"); if ((ret = tls_recv_record(conn)) != 1) { if (ret != TLS_ERROR_RECV_AGAIN) { 
@@ -1565,7 +1567,7 @@ int tlcp_recv_client_hello(TLS_CONNECT *conn) error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "ClientHello", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ClientHello", &conn->dgst_ctx); //sm3_update(&conn->sm3_ctx, conn->record + 5, conn->recordlen - 5); //tlcp_handshake_digest_print(stderr, 0, 0, "ClientHello", &conn->sm3_ctx); @@ -1575,8 +1577,9 @@ int tlcp_recv_client_hello(TLS_CONNECT *conn) tls_client_verify_update(&conn->client_verify_ctx, conn->record + 5, conn->recordlen - 5); */ - - fprintf(stderr, "end of recv_client_hello\n"); + if(conn->verbose) { + fprintf(stderr, "end of recv_client_hello\n"); + } tls_clean_record(conn); return 1; @@ -1586,7 +1589,7 @@ int tlcp_send_server_hello(TLS_CONNECT *conn) { int ret; - tls_trace("send ServerHello\n"); + if(conn->verbose) tls_trace("send ServerHello\n"); if (conn->recordlen == 0) { uint8_t exts[TLS_MAX_EXTENSIONS_SIZE]; @@ -1661,13 +1664,13 @@ int tlcp_send_server_hello(TLS_CONNECT *conn) tls_send_alert(conn, TLS_alert_internal_error); return -1; } - tlcp_record_trace(stderr, conn->record, conn->recordlen, 0, 0); + if(conn->verbose) tlcp_record_trace(stderr, conn->record, conn->recordlen, 0, 0); if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) { error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "ServerHello", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerHello", &conn->dgst_ctx); } if ((ret = tls_send_record(conn)) != 1) { @@ -1710,7 +1713,7 @@ int tlcp_send_server_certificate(TLS_CONNECT *conn) { int ret; - tls_trace("send ServerCertificate\n"); + if(conn->verbose) tls_trace("send ServerCertificate\n"); if (conn->recordlen == 0) { if (!conn->cert_chain || !conn->cert_chain_len) { 
@@ -1730,7 +1733,7 @@ int tlcp_send_server_certificate(TLS_CONNECT *conn) error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "Certificate", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "Certificate", &conn->dgst_ctx); } if ((ret = tls_send_record(conn)) != 1) { @@ -1761,7 +1764,7 @@ int tlcp_send_server_key_exchange(TLS_CONNECT *conn) size_t server_ecc_params_len; int ret; - tls_trace("send ServerKeyExchange\n"); + if(conn->verbose) tls_trace("send ServerKeyExchange\n"); if (conn->recordlen == 0) { X509_KEY *sign_key; @@ -1814,7 +1817,7 @@ int tlcp_send_server_key_exchange(TLS_CONNECT *conn) error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "ServerKeyExchange", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerKeyExchange", &conn->dgst_ctx); } if ((ret = tls_send_record(conn)) != 1) { @@ -1961,6 +1964,10 @@ static int tlcp_generate_record_keys(TLS_CONNECT *conn) static void tlcp_secrets_print(TLS_CONNECT *conn) { + if (conn->verbose < 5) { + return; + } + if (conn->cipher_suite == TLS_cipher_ecc_sm4_gcm_sm3) { size_t keylen = conn->cipher->key_size; @@ -1984,7 +1991,7 @@ static void tlcp_secrets_print(TLS_CONNECT *conn) int tlcp_generate_keys(TLS_CONNECT *conn) { - tls_trace("generate secrets\n"); + if(conn->verbose) tls_trace("generate secrets\n"); if (tlcp_generate_master_secret(conn) != 1 || tlcp_generate_key_block(conn) != 1 @@ -2069,7 +2076,7 @@ int tlcp_recv_client_key_exchange(TLS_CONNECT *conn) X509_KEY *enc_key; int ret; - tls_trace("recv ClientKeyExchange\n"); + if(conn->verbose) tls_trace("recv ClientKeyExchange\n"); if ((ret = tls_recv_record(conn)) != 1) { if (ret != TLS_ERROR_RECV_AGAIN) { 
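Review bot: The early `return` in `tlcp_secrets_print` when `conn->verbose < 5` is the only thing standing between a debugging flag and the TLCP master secret and record keys appearing on stderr, yet the threshold is a bare literal that is repeated as `>= 5` in tls12.c and as the upper bound in `tls_ctx_set_verbose`/`tls_set_verbose`. Give it a name in tls.h and use it at every site, e.g. `#define TLS_VERBOSE_SECRETS 5`, and state the intent here: `// TLS_VERBOSE_SECRETS dumps key material; never enable on a production endpoint`. The rest of `tlcp_secrets_print` lies outside this hunk.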
@@ -2120,7 +2127,7 @@ int tlcp_recv_client_key_exchange(TLS_CONNECT *conn) error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "ClientKeyExchange", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ClientKeyExchange", &conn->dgst_ctx); if (tlcp_generate_keys(conn) != 1) { error_print(); @@ -2155,7 +2162,7 @@ int tlcp_recv_client_finished(TLS_CONNECT *conn) return -1; } - tls_trace("recv client {Finished}\n"); + if(conn->verbose) tls_trace("recv client {Finished}\n"); if ((ret = tls_recv_record(conn)) != 1) { if (ret != TLS_ERROR_RECV_AGAIN) { @@ -2196,7 +2203,7 @@ int tlcp_recv_client_finished(TLS_CONNECT *conn) error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "client Finished", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "client Finished", &conn->dgst_ctx); return 1; } @@ -2207,7 +2214,7 @@ int tlcp_send_server_finished(TLS_CONNECT *conn) uint8_t verify_data[12]; if (conn->recordlen == 0) { - tls_trace("send server {Finished}\n"); + if(conn->verbose) tls_trace("send server {Finished}\n"); if (tls_compute_verify_data(conn->master_secret, "server finished", &conn->dgst_ctx, verify_data) != 1) { diff --git a/src/tls.c b/src/tls.c index dfde5f4f..8cfea974 100644 --- a/src/tls.c +++ b/src/tls.c @@ -1636,7 +1636,6 @@ int tls_record_recv(uint8_t *record, size_t *recordlen, tls_socket_t sock) p += n; len -= n; } else if (n == 0) { - tls_trace("TCP connection closed"); *recordlen = 0; return 0; } else { @@ -1674,7 +1673,6 @@ int tls_record_recv(uint8_t *record, size_t *recordlen, tls_socket_t sock) p += n; len -= n; } else if (n == 0) { - tls_trace("connection closed"); *recordlen = 0; return 0; } else { @@ -1738,7 +1736,7 @@ int tls_send_alert(TLS_CONNECT *conn, int alert) error_print(); return -1; } - tls_record_trace(stderr, record, sizeof(record), 0, 0); + if(conn->verbose) tls_record_trace(stderr, record, sizeof(record), 0, 0); return 1; } 
@@ -1787,7 +1785,7 @@ int tls_send_warning(TLS_CONNECT *conn, int alert) error_print(); return -1; } - tls_record_trace(stderr, record, sizeof(record), 0, 0); + if(conn->verbose) tls_record_trace(stderr, record, sizeof(record), 0, 0); return 1; } @@ -1848,7 +1846,7 @@ static int tls_encrypt_send(TLS_CONNECT *conn, int record_type, const uint8_t *i error_print(); return -1; } - tls_record_trace(stderr, conn->databuf, tls_record_length(conn->databuf), 0, 0); + if(conn->verbose) tls_record_trace(stderr, conn->databuf, tls_record_length(conn->databuf), 0, 0); if (conn->protocol == TLS_protocol_tls12) { switch (conn->cipher_suite) { @@ -1895,7 +1893,7 @@ static int tls_encrypt_send(TLS_CONNECT *conn, int record_type, const uint8_t *i conn->record_offset = 0; conn->sentlen = inlen; conn->send_state = TLS_state_send_record; - tls_encrypted_record_trace(stderr, conn->record, recordlen, 0, 0); + if(conn->verbose) tls_encrypted_record_trace(stderr, conn->record, recordlen, 0, 0); } ret = tls_send_record(conn); @@ -1935,7 +1933,7 @@ int tls_decrypt_recv(TLS_CONNECT *conn) seq_num = conn->client_seq_num; } - tls_trace("recv Encrypted Record\n"); + if(conn->verbose) tls_trace("recv Encrypted Record\n"); if (conn->send_state) { return TLS_ERROR_SEND_AGAIN; } @@ -1950,7 +1948,7 @@ int tls_decrypt_recv(TLS_CONNECT *conn) } conn->recv_state = 0; recordlen = conn->recordlen; - tls_encrypted_record_trace(stderr, record, recordlen, 0, 0); + if(conn->verbose) tls_encrypted_record_trace(stderr, record, recordlen, 0, 0); if (conn->protocol == TLS_protocol_tls12) { if (tls12_record_decrypt(conn->cipher_suite, hmac_ctx, dec_key, fixed_iv, seq_num, 
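Review bot: In `tls_encrypt_send` the `tls_record_trace(stderr, conn->databuf, tls_record_length(conn->databuf), 0, 0)` call now runs for any non-zero `conn->verbose`, and `conn->databuf` at that point appears to hold the plaintext record about to be encrypted (the ciphertext has its own `tls_encrypted_record_trace` a few lines later). If `tls_record_trace` prints the record body, `-verbose 1` logs every byte of application data to stderr, which a user enabling handshake tracing is unlikely to expect. Consider gating plaintext record dumps at a higher level than the handshake trace, e.g. `if (conn->verbose >= 3) tls_record_trace(stderr, conn->databuf, tls_record_length(conn->databuf), 0, 0);`, or at least document that level 1 already discloses application payloads. The same consideration applies to the plaintext trace at the end of `tls_decrypt_recv`; both function bodies extend beyond these hunks.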
@@ -1977,14 +1975,14 @@ int tls_decrypt_recv(TLS_CONNECT *conn) conn->data = tls_record_data(conn->databuf); conn->datalen = tls_record_data_length(conn->databuf); - tls_record_trace(stderr, conn->databuf, tls_record_length(conn->databuf), 0, 0); + if(conn->verbose) tls_record_trace(stderr, conn->databuf, tls_record_length(conn->databuf), 0, 0); return 1; } static int tls12_tlcp_send(TLS_CONNECT *conn, const uint8_t *in, size_t inlen, size_t *sentlen) { - tls_trace("send ApplicationData\n"); + if(conn->verbose) tls_trace("send ApplicationData\n"); return tls_encrypt_send(conn, TLS_record_application_data, in, inlen, sentlen); } @@ -2038,14 +2036,14 @@ static int tls12_tlcp_recv(TLS_CONNECT *conn, uint8_t *out, size_t outlen, size_ int alert; tls_record_get_alert(conn->databuf, &level, &alert); if (alert == TLS_alert_close_notify) { - tls_trace("recv Alert.close_notify\n"); + if(conn->verbose) tls_trace("recv Alert.close_notify\n"); conn->close_notify_received = 1; conn->data = NULL; conn->datalen = 0; tls_clean_record(conn); return 0; } - tls_trace("alert received\n"); + if(conn->verbose) tls_trace("alert received\n"); conn->data = NULL; conn->datalen = 0; tls_clean_record(conn); @@ -2109,7 +2107,7 @@ static int tls13_send_close_notify(TLS_CONNECT *conn) seq_num = conn->server_seq_num; } - tls_trace("send Alert.close_notify\n"); + if(conn->verbose) tls_trace("send Alert.close_notify\n"); tls_record_set_alert(conn->plain_record, &conn->plain_recordlen, TLS_alert_level_warning, TLS_alert_close_notify); @@ -2153,7 +2151,7 @@ static int tls_send_close_notify(TLS_CONNECT *conn) alert[0] = TLS_alert_level_warning; alert[1] = TLS_alert_close_notify; - tls_trace("send Alert.close_notify\n"); + if(conn->verbose) tls_trace("send Alert.close_notify\n"); return tls_encrypt_send(conn, TLS_record_alert, alert, sizeof(alert), &sentlen); } 
@@ -2187,7 +2185,7 @@ int tls_shutdown(TLS_CONNECT *conn) } if (conn->shutdown_state == TLS_state_shutdown_recv_close_notify) { - tls_trace("recv Alert.close_notify\n"); + if(conn->verbose) tls_trace("recv Alert.close_notify\n"); ret = tls_recv(conn, buf, sizeof(buf), &len); if (ret == 0 && conn->close_notify_received) { conn->shutdown_state = TLS_state_shutdown_over; @@ -2197,7 +2195,7 @@ int tls_shutdown(TLS_CONNECT *conn) return ret; } if (ret == TLS_ERROR_TCP_CLOSED) { - tls_trace("Connection closed by remote without close_notify\n"); + if(conn->verbose) tls_trace("Connection closed by remote without close_notify\n"); return ret; } error_print(); @@ -2586,6 +2584,20 @@ int tls_ctx_set_ca_certificates(TLS_CTX *ctx, const char *cacertsfile, int depth return 1; } +int tls_ctx_set_verbose(TLS_CTX *ctx, int verbose) +{ + if (!ctx) { + error_print(); + return -1; + } + if (verbose < 0 || verbose > 5) { + error_print(); + return -1; + } + ctx->verbose = verbose; + return 1; +} + int tls_ctx_enable_verbose(TLS_CTX *ctx, int enable) { if (!ctx) { @@ -3030,6 +3042,7 @@ int tls_init(TLS_CONNECT *conn, TLS_CTX *ctx) conn->is_client = ctx->is_client; // TODO: remove conn->is_client conn->protocol = ctx->protocol; + conn->verbose = ctx->verbose; if (conn->is_client && ctx->cert_chains_len) { @@ -3067,7 +3080,9 @@ int tls_init(TLS_CONNECT *conn, TLS_CTX *ctx) return -1; } - fprintf(stderr, "%s %d: conn->key_exchange_modes = %d\n", __FILE__, __LINE__, conn->key_exchange_modes); + if(conn->verbose) { + fprintf(stderr, "%s %d: conn->key_exchange_modes = %d\n", __FILE__, __LINE__, conn->key_exchange_modes); + } if (conn->key_exchange_modes & (TLS_KE_CERT_DHE|TLS_KE_PSK_DHE)) { conn->key_share = 1; 
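Review bot: `tls_ctx_set_verbose` validates 0..5, but the pre-existing `tls_ctx_enable_verbose(ctx, enable)` directly below it still writes the same `ctx->verbose` field, so unless its body (outside this hunk) clamps the value, a caller passing a non-zero `enable` could land on or above the key-dumping level 5 without passing the new check. Having the old function delegate keeps a single validated entry point: `return tls_ctx_set_verbose(ctx, enable ? 1 : 0);`. A short comment on the new function stating the accepted range and that level 5 prints secrets would also help callers.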
@@ -3099,6 +3114,20 @@ void tls_cleanup(TLS_CONNECT *conn) gmssl_secure_clear(conn, sizeof(TLS_CONNECT)); } +int tls_set_verbose(TLS_CONNECT *conn, int verbose) +{ + if (!conn) { + error_print(); + return -1; + } + if (verbose < 0 || verbose > 5) { + error_print(); + return -1; + } + conn->verbose = verbose; + return 1; +} + int tls_set_socket(TLS_CONNECT *conn, tls_socket_t sock) { #ifdef WIN32 diff --git a/src/tls12.c b/src/tls12.c index 6743aaf8..d4d073ef 100644 --- a/src/tls12.c +++ b/src/tls12.c @@ -833,7 +833,7 @@ int tls_send_client_hello(TLS_CONNECT *conn) const int *client_cipher_suites = conn->ctx->cipher_suites; size_t client_cipher_suites_cnt = conn->ctx->cipher_suites_cnt; - tls_trace("send ClientHello\n"); + if(conn->verbose) tls_trace("send ClientHello\n"); tls_record_set_protocol(conn->record, TLS_protocol_tls1); @@ -1310,7 +1310,7 @@ int tls_recv_client_hello(TLS_CONNECT *conn) */ - tls_trace("recv ClientHello\n"); + if(conn->verbose) tls_trace("recv ClientHello\n"); if ((ret = tls_recv_record(conn)) != 1) { if (ret != TLS_ERROR_RECV_AGAIN) { @@ -1318,7 +1318,7 @@ int tls_recv_client_hello(TLS_CONNECT *conn) } return ret; } - tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); + if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); if (tls_record_protocol(conn->record) != TLS_protocol_tls1) { error_print(); @@ -1624,7 +1624,7 @@ int tls_recv_client_hello(TLS_CONNECT *conn) error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "ClientHello", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ClientHello", &conn->dgst_ctx); @@ -1635,7 +1635,9 @@ int tls_recv_client_hello(TLS_CONNECT *conn) */ - fprintf(stderr, "end of recv_client_hello\n"); + if(conn->verbose) { + fprintf(stderr, "end of recv_client_hello\n"); + } tls_clean_record(conn); return 1; } 
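Review bot: `tls_set_verbose` sets `conn->verbose`, but `tls_init` (earlier in this patch) unconditionally overwrites that field with `ctx->verbose`, so the per-connection setter only takes effect when called after `tls_init`, and nothing in the header says so. Add that to the prototype's comment, e.g. `/* must be called after tls_init(), which resets the level from the TLS_CTX */`. The range check also repeats the literal `5` from `tls_ctx_set_verbose`; a shared named constant would keep the two in step.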
@@ -1644,7 +1646,7 @@ int tls_send_server_hello(TLS_CONNECT *conn) { int ret; - tls_trace("send ServerHello\n"); + if(conn->verbose) tls_trace("send ServerHello\n"); if (conn->recordlen == 0) { @@ -1703,14 +1705,14 @@ int tls_send_server_hello(TLS_CONNECT *conn) tls_send_alert(conn, TLS_alert_internal_error); return -1; } - tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); + if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) { error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "ServerHello", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerHello", &conn->dgst_ctx); } @@ -1746,7 +1748,7 @@ int tls_recv_server_hello(TLS_CONNECT *conn) int trusted_ca_keys = 0; int renegotiation_info = 0; - tls_trace("recv ServerHello\n"); + if(conn->verbose) tls_trace("recv ServerHello\n"); if ((ret = tls_recv_record(conn)) != 1) { if (ret != TLS_ERROR_RECV_AGAIN) { @@ -1894,13 +1896,13 @@ int tls_recv_server_hello(TLS_CONNECT *conn) error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "ClientHello", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ClientHello", &conn->dgst_ctx); if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) { error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "ServerHello", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerHello", &conn->dgst_ctx); @@ -1919,7 +1921,7 @@ int tls_recv_server_hello(TLS_CONNECT *conn) int tls_send_server_certificate(TLS_CONNECT *conn) { int ret; - tls_trace("send ServerCertificate\n"); + if(conn->verbose) tls_trace("send ServerCertificate\n"); if (conn->recordlen == 0) { if (tls_record_set_handshake_certificate(conn->record, &conn->recordlen, 
@@ -1928,13 +1930,13 @@ int tls_send_server_certificate(TLS_CONNECT *conn) tls_send_alert(conn, TLS_alert_internal_error); return -1; } - tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); + if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) { error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "Certificate", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "Certificate", &conn->dgst_ctx); } @@ -1965,7 +1967,7 @@ int tls_recv_server_certificate(TLS_CONNECT *conn) size_t signature_algorithms_cert_cnt = 0; - tls_trace("recv server Certificate\n"); + if(conn->verbose) tls_trace("recv server Certificate\n"); if ((ret = tls_recv_record(conn)) != 1) { if (ret != TLS_ERROR_RECV_AGAIN) { @@ -1973,7 +1975,7 @@ int tls_recv_server_certificate(TLS_CONNECT *conn) } return ret; } - tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); + if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); if (tls_record_protocol(conn->record) != conn->protocol) { error_print(); @@ -2001,7 +2003,7 @@ int tls_recv_server_certificate(TLS_CONNECT *conn) error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "Certificate", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "Certificate", &conn->dgst_ctx); // server_sign_key @@ -2145,7 +2147,7 @@ int tls_send_server_key_exchange(TLS_CONNECT *conn) { int ret; - tls_trace("send ServerKeyExchange\n"); + if(conn->verbose) tls_trace("send ServerKeyExchange\n"); if (conn->recordlen == 0) { int curve_oid = tls_named_curve_oid(conn->key_exchange_group); 
@@ -2198,13 +2200,13 @@ int tls_send_server_key_exchange(TLS_CONNECT *conn) tls_send_alert(conn, TLS_alert_internal_error); return -1; } - tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); + if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) { error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "ServerKeyExchange", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerKeyExchange", &conn->dgst_ctx); } @@ -2312,7 +2314,7 @@ int tls_recv_server_key_exchange(TLS_CONNECT *conn) const void *sign_args = NULL; size_t sign_argslen = 0; - tls_trace("recv ServerKeyExchange\n"); + if(conn->verbose) tls_trace("recv ServerKeyExchange\n"); if ((ret = tls_recv_record(conn)) != 1) { if (ret != TLS_ERROR_RECV_AGAIN) { @@ -2325,7 +2327,7 @@ int tls_recv_server_key_exchange(TLS_CONNECT *conn) tls_send_alert(conn, TLS_alert_unexpected_message); return -1; } - tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); + if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); if ((ret = tls12_record_get_handshake_server_key_exchange(conn->record, @@ -2344,7 +2346,7 @@ int tls_recv_server_key_exchange(TLS_CONNECT *conn) error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "ServerKeyExchange", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerKeyExchange", &conn->dgst_ctx); switch (conn->cipher_suite) { case TLS_cipher_ecdhe_sm4_cbc_sm3: @@ -2472,7 +2474,9 @@ int tls_recv_server_key_exchange(TLS_CONNECT *conn) return -1; } - fprintf(stderr, ">>>>>> ServerKeyExchange verify success\n"); + if(conn->verbose) { + fprintf(stderr, ">>>>>> ServerKeyExchange verify success\n"); + } // xxxx 
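Review bot: The gated `fprintf(stderr, ">>>>>> ServerKeyExchange verify success\n");` in `tls_recv_server_key_exchange` is a leftover debug marker whose format differs from every other trace in the file; now that it is behind `conn->verbose` it should use the same channel as its neighbours, `if (conn->verbose) tls_trace("ServerKeyExchange verify success\n");`, so verbose output stays uniform and greppable. The same applies to the `end of recv_client_hello` print in `tls_recv_client_hello`. The function body continues beyond this hunk.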
@@ -2499,7 +2503,7 @@ int tls_send_certificate_request(TLS_CONNECT *conn) } if (conn->recordlen == 0) { - tls_trace("send CertificateRequest\n"); + if(conn->verbose) tls_trace("send CertificateRequest\n"); if (tls_authorities_from_certs(ca_names, &ca_names_len, sizeof(ca_names), conn->ctx->cacerts, conn->ctx->cacertslen) != 1) { error_print(); @@ -2513,7 +2517,7 @@ int tls_send_certificate_request(TLS_CONNECT *conn) tls_send_alert(conn, TLS_alert_internal_error); return -1; } - tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); + if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); } if ((ret = tls_send_record(conn)) != 1) { @@ -2542,7 +2546,7 @@ int tls_recv_certificate_request(TLS_CONNECT *conn) const uint8_t *ca_names; size_t ca_names_len; - tls_trace("recv CertificateRequest*\n"); + if(conn->verbose) tls_trace("recv CertificateRequest*\n"); if ((ret = tls_recv_record(conn)) != 1) { if (ret != TLS_ERROR_RECV_AGAIN) { @@ -2563,10 +2567,10 @@ int tls_recv_certificate_request(TLS_CONNECT *conn) } if (handshake_type != TLS_handshake_certificate_request) { - tls_trace(" no CertificateRequest\n"); + if(conn->verbose) tls_trace(" no CertificateRequest\n"); return 0; // 表明对方没有发送预期的报文 } - tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); + if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); if (tls_record_get_handshake_certificate_request(conn->record, 
@@ -2607,19 +2611,19 @@ int tls_recv_certificate_request(TLS_CONNECT *conn) int tls_send_server_hello_done(TLS_CONNECT *conn) { int ret; - tls_trace("send ServerHelloDone\n"); + if(conn->verbose) tls_trace("send ServerHelloDone\n"); if (conn->recordlen == 0) { tls_record_set_handshake_server_hello_done(conn->record, &conn->recordlen); - tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); + if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) { error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "ServerHelloDone", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerHelloDone", &conn->dgst_ctx); } @@ -2642,7 +2646,7 @@ int tls_send_server_hello_done(TLS_CONNECT *conn) int tls_recv_server_hello_done(TLS_CONNECT *conn) { int ret; - tls_trace("recv ServerHelloDone\n"); + if(conn->verbose) tls_trace("recv ServerHelloDone\n"); if ((ret = tls_recv_record(conn)) != 1) { if (ret != TLS_ERROR_RECV_AGAIN) { @@ -2655,7 +2659,7 @@ int tls_recv_server_hello_done(TLS_CONNECT *conn) tls_send_alert(conn, TLS_alert_unexpected_message); return -1; } - tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); + if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); if (tls_record_get_handshake_server_hello_done(conn->record) != 1) { error_print(); @@ -2667,7 +2671,7 @@ int tls_recv_server_hello_done(TLS_CONNECT *conn) error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "ServerHelloDone", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerHelloDone", &conn->dgst_ctx); 
@@ -2681,7 +2685,7 @@ int tls_recv_server_hello_done(TLS_CONNECT *conn) int tls_send_client_certificate(TLS_CONNECT *conn) { int ret; - tls_trace("send ClientCertificate\n"); + if(conn->verbose) tls_trace("send ClientCertificate\n"); if (conn->client_certs_len == 0) { error_print(); @@ -2695,7 +2699,7 @@ int tls_send_client_certificate(TLS_CONNECT *conn) tls_send_alert(conn, TLS_alert_internal_error); return -1; } - tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); + if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); } if ((ret = tls_send_record(conn)) != 1) { @@ -2719,7 +2723,7 @@ int tls_recv_client_certificate(TLS_CONNECT *conn) const int verify_depth = 5; int verify_result; - tls_trace("recv ClientCertificate\n"); + if(conn->verbose) tls_trace("recv ClientCertificate\n"); if (conn->ctx->cacertslen == 0) { error_print(); @@ -2737,7 +2741,7 @@ int tls_recv_client_certificate(TLS_CONNECT *conn) tls_send_alert(conn, TLS_alert_unexpected_message); return -1; } - tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); + if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); if (tls_record_get_handshake_certificate(conn->record, conn->client_certs, &conn->client_certs_len) != 1) { error_print(); tls_send_alert(conn, TLS_alert_unexpected_message); @@ -2771,7 +2775,9 @@ static int tls12_generate_pre_master_secret(TLS_CONNECT *conn, error_print(); return -1; } - format_bytes(stderr, 0, 0, "pre_master_secret", pre_master_secret, *pre_master_secret_len); + if (conn->verbose >= 5) { + format_bytes(stderr, 0, 0, "pre_master_secret", pre_master_secret, *pre_master_secret_len); + } return 1; } @@ -2791,7 +2797,9 @@ static int tls12_generate_master_secret(TLS_CONNECT *conn, return -1; } - format_bytes(stderr, 0, 0, "master_secret", conn->master_secret, 48); + if (conn->verbose >= 5) { + format_bytes(stderr, 0, 0, "master_secret", conn->master_secret, 48); + } return 1; } 
@@ -2813,7 +2821,9 @@ static int tls12_generate_key_block(TLS_CONNECT *conn) return -1; } - format_bytes(stderr, 0, 0, "key_blocks", conn->key_block, key_block_len); + if (conn->verbose >= 5) { + format_bytes(stderr, 0, 0, "key_blocks", conn->key_block, key_block_len); + } break; } case TLS_cipher_ecdhe_sm4_cbc_sm3: @@ -2837,7 +2847,9 @@ static int tls12_generate_key_block(TLS_CONNECT *conn) */ - format_bytes(stderr, 0, 0, "key_blocks", conn->key_block, 96); + if (conn->verbose >= 5) { + format_bytes(stderr, 0, 0, "key_blocks", conn->key_block, 96); + } break; default: error_print(); @@ -2854,10 +2866,12 @@ static int tls12_generate_record_keys(TLS_CONNECT *conn) { size_t keylen = conn->cipher->key_size; - format_bytes(stderr, 0, 0, "client_write_key", conn->key_block, keylen); - format_bytes(stderr, 0, 0, "server_write_key", conn->key_block + keylen, keylen); - format_bytes(stderr, 0, 0, "client_write_iv", conn->key_block + keylen * 2, 4); - format_bytes(stderr, 0, 0, "server_write_iv", conn->key_block + keylen * 2 + 4, 4); + if (conn->verbose >= 5) { + format_bytes(stderr, 0, 0, "client_write_key", conn->key_block, keylen); + format_bytes(stderr, 0, 0, "server_write_key", conn->key_block + keylen, keylen); + format_bytes(stderr, 0, 0, "client_write_iv", conn->key_block + keylen * 2, 4); + format_bytes(stderr, 0, 0, "server_write_iv", conn->key_block + keylen * 2 + 4, 4); + } memset(conn->client_write_iv, 0, sizeof(conn->client_write_iv)); memset(conn->server_write_iv, 0, sizeof(conn->server_write_iv)); 
@@ -2882,10 +2896,12 @@ static int tls12_generate_record_keys(TLS_CONNECT *conn) return -1; } - format_bytes(stderr, 0, 0, "client_write_mac_key", conn->key_block, 32); - format_bytes(stderr, 0, 0, "server_write_mac_key", conn->key_block + 32, 32); - format_bytes(stderr, 0, 0, "client_write_key", conn->key_block + 64, 16); - format_bytes(stderr, 0, 0, "server_write_key", conn->key_block + 80, 16); + if (conn->verbose >= 5) { + format_bytes(stderr, 0, 0, "client_write_mac_key", conn->key_block, 32); + format_bytes(stderr, 0, 0, "server_write_mac_key", conn->key_block + 32, 32); + format_bytes(stderr, 0, 0, "client_write_key", conn->key_block + 64, 16); + format_bytes(stderr, 0, 0, "server_write_key", conn->key_block + 80, 16); + } if (conn->is_client) { @@ -2964,20 +2980,20 @@ int tls_send_client_key_exchange(TLS_CONNECT *conn) return -1; } - tls_trace("send ClientKeyExchange\n"); + if(conn->verbose) tls_trace("send ClientKeyExchange\n"); if (tls_record_set_handshake_client_key_exchange(conn->record, &conn->recordlen, point_octets, len) != 1) { error_print(); tls_send_alert(conn, TLS_alert_internal_error); return -1; } - tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); + if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) { error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "ClientKeyExchange", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ClientKeyExchange", &conn->dgst_ctx); } if ((ret = tls_send_record(conn)) != 1) { @@ -3004,7 +3020,7 @@ int tls_recv_client_key_exchange(TLS_CONNECT *conn) const uint8_t *point_octets; size_t point_octets_len; - tls_trace("recv ClientKeyExchange\n"); + if(conn->verbose) tls_trace("recv ClientKeyExchange\n"); if ((ret = tls_recv_record(conn)) != 1) { if (ret != TLS_ERROR_RECV_AGAIN) { error_print(); 
@@ -3016,7 +3032,7 @@ int tls_recv_client_key_exchange(TLS_CONNECT *conn) tls_send_alert(conn, TLS_alert_unexpected_message); return -1; } - tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); + if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); if (tls_record_get_handshake_client_key_exchange(conn->record, &point_octets, &point_octets_len) != 1) { @@ -3037,7 +3053,7 @@ int tls_recv_client_key_exchange(TLS_CONNECT *conn) error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "ClientKeyExchange", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ClientKeyExchange", &conn->dgst_ctx); @@ -3061,7 +3077,7 @@ int tls_send_certificate_verify(TLS_CONNECT *conn) uint8_t sig[SM2_MAX_SIGNATURE_SIZE]; size_t siglen; - tls_trace("send CertificateVerify\n"); + if(conn->verbose) tls_trace("send CertificateVerify\n"); if (!conn->client_certificate_verify) { error_print(); @@ -3078,7 +3094,7 @@ int tls_send_certificate_verify(TLS_CONNECT *conn) tls_send_alert(conn, TLS_alert_internal_error); return -1; } - tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); + if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); } if ((ret = tls_send_record(conn)) != 1) { @@ -3108,7 +3124,7 @@ int tls_recv_certificate_verify(TLS_CONNECT *conn) return -1; } - tls_trace("recv CertificateVerify\n"); + if(conn->verbose) tls_trace("recv CertificateVerify\n"); if ((ret = tls_recv_record(conn)) != 1) { if (ret != TLS_ERROR_RECV_AGAIN) { error_print(); @@ -3120,7 +3136,7 @@ int tls_recv_certificate_verify(TLS_CONNECT *conn) error_print(); return -1; } - tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); + if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); // get signature from certificate_verify if (tls_record_get_handshake_certificate_verify(conn->record, &sig, &siglen) != 1) { 
@@ -3163,13 +3179,13 @@ int tls_send_change_cipher_spec(TLS_CONNECT *conn) { int ret; if (conn->recordlen == 0) { - tls_trace("send [ChangeCipherSpec]\n"); + if(conn->verbose) tls_trace("send [ChangeCipherSpec]\n"); if (tls_record_set_change_cipher_spec(conn->record, &conn->recordlen) !=1) { error_print(); tls_send_alert(conn, TLS_alert_internal_error); return -1; } - tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); + if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); } if ((ret = tls_send_record(conn)) != 1) { if (ret != TLS_ERROR_SEND_AGAIN) { @@ -3184,7 +3200,7 @@ int tls_recv_change_cipher_spec(TLS_CONNECT *conn) { int ret; - tls_trace("recv [ChangeCipherSpec]\n"); + if(conn->verbose) tls_trace("recv [ChangeCipherSpec]\n"); if ((ret = tls_recv_record(conn)) != 1) { if (ret != TLS_ERROR_RECV_AGAIN) { error_print(); @@ -3198,7 +3214,7 @@ int tls_recv_change_cipher_spec(TLS_CONNECT *conn) return -1; } - tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); + if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0); if (tls_record_get_change_cipher_spec(conn->record) != 1) { error_print(); tls_send_alert(conn, TLS_alert_unexpected_message); @@ -3213,7 +3229,7 @@ int tls_send_client_finished(TLS_CONNECT *conn) if (conn->recordlen == 0) { - tls_trace("send client {Finished}\n"); + if(conn->verbose) tls_trace("send client {Finished}\n"); uint8_t local_verify_data[12]; 
@@ -3244,13 +3260,13 @@ int tls_send_client_finished(TLS_CONNECT *conn) return -1; } - tls12_record_trace(stderr, conn->plain_record, conn->plain_recordlen, 0, 0); + if(conn->verbose) tls12_record_trace(stderr, conn->plain_record, conn->plain_recordlen, 0, 0); if (digest_update(&conn->dgst_ctx, conn->plain_record + 5, conn->plain_recordlen - 5) != 1) { error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "Finished", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "Finished", &conn->dgst_ctx); if (tls12_record_encrypt(conn->cipher_suite, &conn->client_write_mac_ctx, &conn->client_write_key, conn->client_write_iv, @@ -3263,7 +3279,9 @@ int tls_send_client_finished(TLS_CONNECT *conn) } tls_seq_num_incr(conn->client_seq_num); - format_bytes(stderr, 0, 0, "encrypted finsished ..... ", conn->record, conn->recordlen); + if (conn->verbose >= 5) { + format_bytes(stderr, 0, 0, "encrypted finsished ..... ", conn->record, conn->recordlen); + } } if ((ret = tls_send_record(conn)) != 1) { @@ -3301,11 +3319,13 @@ int tls_recv_client_finished(TLS_CONNECT *conn) tls_send_alert(conn, TLS_alert_internal_error); return -1; } - format_bytes(stderr, 0, 0, "verify_data", local_verify_data, 12); + if (conn->verbose >= 5) { + format_bytes(stderr, 0, 0, "verify_data", local_verify_data, 12); + } // recv ClientFinished - tls_trace("recv client {Finished}\n"); + if(conn->verbose) tls_trace("recv client {Finished}\n"); if ((ret = tls_recv_record(conn)) != 1) { if (ret != TLS_ERROR_RECV_AGAIN) { error_print(); @@ -3314,7 +3334,9 @@ int tls_recv_client_finished(TLS_CONNECT *conn) } //tls12_record_print(stderr, conn->record, conn->recordlen, 0, 0); - format_bytes(stderr, 0, 0, "Finished", conn->record, conn->recordlen); + if (conn->verbose >= 5) { + format_bytes(stderr, 0, 0, "Finished", conn->record, conn->recordlen); + } if (tls_record_protocol(conn->record) != conn->protocol) { 
@@ -3324,10 +3346,12 @@ int tls_recv_client_finished(TLS_CONNECT *conn) } // decrypt ClientFinished - tls_trace(">>>>>>>decrypt Finished\n"); + if(conn->verbose) tls_trace(">>>>>>>decrypt Finished\n"); - format_bytes(stderr, 0, 0, "client_seq_num", conn->client_seq_num, 8); + if (conn->verbose >= 5) { + format_bytes(stderr, 0, 0, "client_seq_num", conn->client_seq_num, 8); + } if (tls12_record_decrypt(conn->cipher_suite, &conn->client_write_mac_ctx, &conn->client_write_key, conn->client_write_iv, conn->client_seq_num, conn->record, conn->recordlen, @@ -3340,7 +3364,7 @@ int tls_recv_client_finished(TLS_CONNECT *conn) - tls12_record_trace(stderr, conn->plain_record, conn->plain_recordlen, 0, 0); + if(conn->verbose) tls12_record_trace(stderr, conn->plain_record, conn->plain_recordlen, 0, 0); if (tls_record_get_handshake_finished(conn->plain_record, &verify_data, &verify_data_len) != 1) { error_print(); @@ -3358,7 +3382,7 @@ int tls_recv_client_finished(TLS_CONNECT *conn) error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "client Finished", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "client Finished", &conn->dgst_ctx); // verify ClientFinished @@ -3383,7 +3407,7 @@ int tls_send_server_finished(TLS_CONNECT *conn) tls_record_set_protocol(conn->plain_record, conn->protocol); if (conn->recordlen == 0) { - tls_trace("send server Finished\n"); + if(conn->verbose) tls_trace("send server Finished\n"); uint8_t dgst[32]; size_t dgstlen; @@ -3396,7 +3420,9 @@ int tls_send_server_finished(TLS_CONNECT *conn) return -1; } - format_bytes(stderr, 0, 0, "server verify_data", local_verify_data, 12); + if (conn->verbose >= 5) { + format_bytes(stderr, 0, 0, "server verify_data", local_verify_data, 12); + } if (tls_record_set_handshake_finished(conn->plain_record, &conn->plain_recordlen, local_verify_data, sizeof(local_verify_data)) != 1) { 
@@ -3404,7 +3430,7 @@ int tls_send_server_finished(TLS_CONNECT *conn) tls_send_alert(conn, TLS_alert_internal_error); return -1; } - tls12_record_trace(stderr, conn->plain_record, conn->plain_recordlen, 0, 0); + if(conn->verbose) tls12_record_trace(stderr, conn->plain_record, conn->plain_recordlen, 0, 0); if (tls12_record_encrypt(conn->cipher_suite, &conn->server_write_mac_ctx, &conn->server_write_key, conn->server_write_iv, @@ -3454,11 +3480,13 @@ int tls_recv_server_finished(TLS_CONNECT *conn) tls_send_alert(conn, TLS_alert_internal_error); return -1; } - format_bytes(stderr, 0, 0, ">>> verify_data", local_verify_data, 12); + if (conn->verbose >= 5) { + format_bytes(stderr, 0, 0, ">>> verify_data", local_verify_data, 12); + } // Finished - tls_trace("recv server Finished\n"); + if(conn->verbose) tls_trace("recv server Finished\n"); if ((ret = tls_recv_record(conn)) != 1) { if (ret != TLS_ERROR_RECV_AGAIN) { error_print(); @@ -3472,10 +3500,12 @@ int tls_recv_server_finished(TLS_CONNECT *conn) } - tls_trace("decrypt Finished\n"); + if(conn->verbose) tls_trace("decrypt Finished\n"); - format_bytes(stderr, 0, 0, "server_seq_num", conn->server_seq_num, 8); + if (conn->verbose >= 5) { + format_bytes(stderr, 0, 0, "server_seq_num", conn->server_seq_num, 8); + } if (tls12_record_decrypt(conn->cipher_suite, &conn->server_write_mac_ctx, &conn->server_write_key, conn->server_write_iv, conn->server_seq_num, conn->record, conn->recordlen, @@ -3506,7 +3536,7 @@ int tls_recv_server_finished(TLS_CONNECT *conn) return -1; } - if (!conn->ctx->quiet) + if(conn->verbose) fprintf(stderr, "Connection established!\n"); return 1; 
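Review bot: tls_recv_server_finished replaces `if (!conn->ctx->quiet)` with `if(conn->verbose)` in front of the "Connection established!" line, which flips its default: it used to print unless the caller asked for quiet and now prints only when verbose is set. That is presumably intended, but it is a user-visible change for every tool built on this function and deserves a sentence in the commit message or the tools' usage text so operators do not read the silence as a failed handshake.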
@@ -3562,16 +3592,22 @@ int tls12_do_client_handshake(TLS_CONNECT *conn) // the only optional state case TLS_state_certificate_request: - fprintf(stderr, "TLS_state_certificate_request\n"); + if(conn->verbose) { + fprintf(stderr, "TLS_state_certificate_request\n"); + } ret = tls_recv_certificate_request(conn); - fprintf(stderr, " ret = %d\n", ret); + if(conn->verbose) { + fprintf(stderr, " ret = %d\n", ret); + } if (ret == 1) conn->client_certificate_verify = 1; next_state = TLS_state_server_hello_done; break; case TLS_state_server_hello_done: - fprintf(stderr, "TLS_state_server_hello_done\n"); + if(conn->verbose) { + fprintf(stderr, "TLS_state_server_hello_done\n"); + } ret = tls_recv_server_hello_done(conn); if (conn->client_certificate_verify) next_state = TLS_state_client_certificate; diff --git a/src/tls13.c b/src/tls13.c index d013be70..43f374e3 100644 --- a/src/tls13.c +++ b/src/tls13.c 
@@ -479,13 +479,13 @@ int tls13_generate_early_keys(TLS_CONNECT *conn) } tls_seq_num_reset(conn->client_seq_num); - /* - format_print(stderr, 0, 0, "generate_early_keys\n"); - format_bytes(stderr, 0, 4, "early_secret", conn->early_secret, conn->digest->digest_size); - format_bytes(stderr, 0, 4, "client_early_traffic_secret", conn->client_early_traffic_secret, conn->digest->digest_size); - format_bytes(stderr, 0, 4, "client_write_key", client_write_key, client_write_key_len); - format_bytes(stderr, 0, 4, "client_write_iv", conn->client_write_iv, TLS13_IV_SIZE); - */ + if (conn->verbose >= 5) { + format_print(stderr, 0, 0, "generate_early_keys\n"); + format_bytes(stderr, 0, 4, "early_secret", conn->early_secret, conn->digest->digest_size); + format_bytes(stderr, 0, 4, "client_early_traffic_secret", conn->client_early_traffic_secret, conn->digest->digest_size); + format_bytes(stderr, 0, 4, "client_write_key", client_write_key, client_write_key_len); + format_bytes(stderr, 0, 4, "client_write_iv", conn->client_write_iv, TLS13_IV_SIZE); + } gmssl_secure_clear(client_write_key, sizeof(client_write_key)); return 1; 
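Review bot: This hunk turns a commented-out block into live code, so tls13_generate_early_keys now writes early_secret, client_early_traffic_secret, client_write_key and client_write_iv to stderr whenever `conn->verbose >= 5`; the following hunks do the same for the handshake, master, application and updated traffic secrets (tls13_generate_handshake_secrets through tls13_generate_server_application_keys). Before this commit those dumps could not be enabled at run time; now a single command-line option exposes every key protecting the session, and stderr is routinely redirected into log files. Nothing in the diff documents this, so at minimum the `verbose` field in tls.h and the context setter should carry a comment such as `// verbose >= 5 prints session secrets and record keys to stderr; debugging builds only`. Consider also compiling these dumps only under a dedicated debug macro so that release builds cannot emit key material at all.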
@@ -532,15 +532,15 @@ int tls13_generate_handshake_secrets(TLS_CONNECT *conn) return -1; } - /* - format_print(stderr, 0, 0, "generate_handshake_secrets\n"); - format_bytes(stderr, 0, 4, "early_secret", conn->early_secret, conn->digest->digest_size); - format_bytes(stderr, 0, 4, "derived_secret", derived_secret, conn->digest->digest_size); - format_bytes(stderr, 0, 4, "ecdhe_shared_secret", ecdhe_shared_secret, ecdhe_shared_secret_len); - format_bytes(stderr, 0, 4, "handshake_secret",conn->handshake_secret, conn->digest->digest_size); - format_bytes(stderr, 0, 4, "client_handshake_traffic_secret", conn->client_handshake_traffic_secret, conn->digest->digest_size); - format_bytes(stderr, 0, 4, "server_handshake_traffic_secret", conn->server_handshake_traffic_secret, conn->digest->digest_size); - */ + if (conn->verbose >= 5) { + format_print(stderr, 0, 0, "generate_handshake_secrets\n"); + format_bytes(stderr, 0, 4, "early_secret", conn->early_secret, conn->digest->digest_size); + format_bytes(stderr, 0, 4, "derived_secret", derived_secret, conn->digest->digest_size); + format_bytes(stderr, 0, 4, "ecdhe_shared_secret", ecdhe_shared_secret, ecdhe_shared_secret_len); + format_bytes(stderr, 0, 4, "handshake_secret", conn->handshake_secret, conn->digest->digest_size); + format_bytes(stderr, 0, 4, "client_handshake_traffic_secret", conn->client_handshake_traffic_secret, conn->digest->digest_size); + format_bytes(stderr, 0, 4, "server_handshake_traffic_secret", conn->server_handshake_traffic_secret, conn->digest->digest_size); + } gmssl_secure_clear(ecdhe_shared_secret, sizeof(ecdhe_shared_secret)); gmssl_secure_clear(derived_secret, sizeof(derived_secret)); 
@@ -567,10 +567,10 @@ int tls13_generate_master_secret(TLS_CONNECT *conn) error_print(); return -1; } - /* - format_print(stderr, 0, 0, "generate_master_secret\n"); - format_bytes(stderr, 0, 4, "master_secret", conn->master_secret, conn->digest->digest_size); - */ + if (conn->verbose >= 5) { + format_print(stderr, 0, 0, "generate_master_secret\n"); + format_bytes(stderr, 0, 4, "master_secret", conn->master_secret, conn->digest->digest_size); + } return 1; } @@ -594,12 +594,12 @@ int tls13_generate_client_handshake_keys(TLS_CONNECT *conn) } tls_seq_num_reset(conn->client_seq_num); - /* - format_print(stderr, 0, 0, "generate_client_handshake_keys\n"); - format_bytes(stderr, 0, 4, "client_write_key", client_write_key, client_write_key_len); - format_bytes(stderr, 0, 4, "client_write_iv", conn->client_write_iv, TLS13_IV_SIZE); - format_print(stderr, 0, 4, "client_seq_num: %"PRIu64"\n", GETU64(conn->client_seq_num)); - */ + if (conn->verbose >= 5) { + format_print(stderr, 0, 0, "generate_client_handshake_keys\n"); + format_bytes(stderr, 0, 4, "client_write_key", client_write_key, client_write_key_len); + format_bytes(stderr, 0, 4, "client_write_iv", conn->client_write_iv, TLS13_IV_SIZE); + format_print(stderr, 0, 4, "client_seq_num: %"PRIu64"\n", GETU64(conn->client_seq_num)); + } gmssl_secure_clear(client_write_key, sizeof(client_write_key)); return 1; 
@@ -625,12 +625,12 @@ int tls13_generate_server_handshake_keys(TLS_CONNECT *conn) } tls_seq_num_reset(conn->server_seq_num); - /* - format_print(stderr, 0, 0, "generate_server_handshake_keys\n"); - format_bytes(stderr, 0, 4, "server_write_key", server_write_key, server_write_key_len); - format_bytes(stderr, 0, 4, "server_write_iv", conn->server_write_iv, TLS13_IV_SIZE); - format_print(stderr, 0, 4, "server_seq_num: %"PRIu64"\n", GETU64(conn->server_seq_num)); - */ + if (conn->verbose >= 5) { + format_print(stderr, 0, 0, "generate_server_handshake_keys\n"); + format_bytes(stderr, 0, 4, "server_write_key", server_write_key, server_write_key_len); + format_bytes(stderr, 0, 4, "server_write_iv", conn->server_write_iv, TLS13_IV_SIZE); + format_print(stderr, 0, 4, "server_seq_num: %"PRIu64"\n", GETU64(conn->server_seq_num)); + } gmssl_secure_clear(server_write_key, sizeof(server_write_key)); return 1; @@ -647,11 +647,11 @@ int tls13_generate_application_secrets(TLS_CONNECT *conn) error_print(); return -1; } - /* - format_print(stderr, 0, 0, "generate_application_secrets\n"); - format_bytes(stderr, 0, 4, "client_application_traffic_secret", conn->client_application_traffic_secret, conn->dgst_ctx.digest->digest_size); - format_bytes(stderr, 0, 4, "server_application_traffic_secret", conn->server_application_traffic_secret, conn->dgst_ctx.digest->digest_size); - */ + if (conn->verbose >= 5) { + format_print(stderr, 0, 0, "generate_application_secrets\n"); + format_bytes(stderr, 0, 4, "client_application_traffic_secret", conn->client_application_traffic_secret, conn->dgst_ctx.digest->digest_size); + format_bytes(stderr, 0, 4, "server_application_traffic_secret", conn->server_application_traffic_secret, conn->dgst_ctx.digest->digest_size); + } return 1; } 
@@ -666,11 +666,11 @@ int tls13_update_client_application_secret(TLS_CONNECT *conn) error_print(); return -1; } - /* - format_print(stderr, 0, 0, "update_client_application_secret\n"); - format_bytes(stderr, 0, 4, "client_application_traffic_secret", - conn->client_application_traffic_secret, conn->digest->digest_size); - */ + if (conn->verbose >= 5) { + format_print(stderr, 0, 0, "update_client_application_secret\n"); + format_bytes(stderr, 0, 4, "client_application_traffic_secret", + conn->client_application_traffic_secret, conn->digest->digest_size); + } return 1; } @@ -685,11 +685,11 @@ int tls13_update_server_application_secret(TLS_CONNECT *conn) error_print(); return -1; } - /* - format_print(stderr, 0, 0, "update_server_application_secret\n"); - format_bytes(stderr, 0, 4, "server_application_traffic_secret", - conn->server_application_traffic_secret, conn->digest->digest_size); - */ + if (conn->verbose >= 5) { + format_print(stderr, 0, 0, "update_server_application_secret\n"); + format_bytes(stderr, 0, 4, "server_application_traffic_secret", + conn->server_application_traffic_secret, conn->digest->digest_size); + } return 1; } 
@@ -713,12 +713,12 @@ int tls13_generate_client_application_keys(TLS_CONNECT *conn) } tls_seq_num_reset(conn->client_seq_num); - /* - format_print(stderr, 0, 0, "update_client_application_keys\n"); - format_bytes(stderr, 0, 4, "client_write_key", client_write_key, client_write_key_len); - format_bytes(stderr, 0, 4, "client_write_iv", conn->client_write_iv, TLS13_IV_SIZE); - format_print(stderr, 0, 4, "client_seq_num: %"PRIu64"\n", GETU64(conn->client_seq_num)); - */ + if (conn->verbose >= 5) { + format_print(stderr, 0, 0, "update_client_application_keys\n"); + format_bytes(stderr, 0, 4, "client_write_key", client_write_key, client_write_key_len); + format_bytes(stderr, 0, 4, "client_write_iv", conn->client_write_iv, TLS13_IV_SIZE); + format_print(stderr, 0, 4, "client_seq_num: %"PRIu64"\n", GETU64(conn->client_seq_num)); + } gmssl_secure_clear(client_write_key, sizeof(client_write_key)); return 1; @@ -744,12 +744,12 @@ int tls13_generate_server_application_keys(TLS_CONNECT *conn) } tls_seq_num_reset(conn->server_seq_num); - /* - format_print(stderr, 0, 0, "update_server_application_keys\n"); - format_bytes(stderr, 0, 4, "server_write_key", server_write_key, server_write_key_len); - format_bytes(stderr, 0, 4, "server_write_iv", conn->server_write_iv, TLS13_IV_SIZE); - format_print(stderr, 0, 4, "server_seq_num: %"PRIu64"\n", GETU64(conn->server_seq_num)); - */ + if (conn->verbose >= 5) { + format_print(stderr, 0, 0, "update_server_application_keys\n"); + format_bytes(stderr, 0, 4, "server_write_key", server_write_key, server_write_key_len); + format_bytes(stderr, 0, 4, "server_write_iv", conn->server_write_iv, TLS13_IV_SIZE); + format_print(stderr, 0, 4, "server_seq_num: %"PRIu64"\n", GETU64(conn->server_seq_num)); + } gmssl_secure_clear(server_write_key, sizeof(server_write_key)); return 1; 
@@ -1071,7 +1071,9 @@ int tls13_send(TLS_CONNECT *conn, const uint8_t *data, size_t datalen, size_t *s datalen = TLS_MAX_PLAINTEXT_SIZE; } - format_bytes(stderr, 0, 0, "send", data, datalen); + if(conn->verbose) { + format_bytes(stderr, 0, 0, "send", data, datalen); + } tls13_padding_len_rand(&padding_len); @@ -1098,7 +1100,7 @@ int tls13_send(TLS_CONNECT *conn, const uint8_t *data, size_t datalen, size_t *s conn->sentlen = datalen; - tls_trace("send {ApplicationData}\n"); + if(conn->verbose) tls_trace("send {ApplicationData}\n"); tls13_record_print(stderr, 0, 0, conn->record, conn->recordlen); } @@ -1201,7 +1203,7 @@ int tls13_do_recv(TLS_CONNECT *conn) conn->recordlen = tls_record_length(conn->record); - tls_trace("recv {ApplicationData}\n"); + if(conn->verbose) tls_trace("recv {ApplicationData}\n"); tls13_record_print(stderr, 0, 0, conn->record, conn->recordlen); @@ -1296,7 +1298,9 @@ int tls13_do_recv(TLS_CONNECT *conn) seq_num = GETU64(conn->server_seq_num); if (seq_num > 2 && update_requested && conn->ctx->key_update) { - fprintf(stderr, "server prepare key_update\n"); + if(conn->verbose) { + fprintf(stderr, "server prepare key_update\n"); + } conn->key_update = 1; } } @@ -1319,7 +1323,7 @@ int tls13_do_recv(TLS_CONNECT *conn) return -1; } if (alert_description == TLS_alert_close_notify) { - tls_trace("recv Alert.close_notify\n"); + if(conn->verbose) tls_trace("recv Alert.close_notify\n"); conn->close_notify_received = 1; conn->data = NULL; conn->datalen = 0; @@ -1374,7 +1378,7 @@ int tls13_recv_early_data(TLS_CONNECT *conn) { int ret; - tls_trace("recv EarlyData\n"); + if(conn->verbose) tls_trace("recv EarlyData\n"); if ((ret = tls13_do_recv(conn)) != 1) { if (ret != TLS_ERROR_RECV_AGAIN && ret != TLS_ERROR_SEND_AGAIN) { 
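Review bot: In tls13_send the trace line `send {ApplicationData}` is now gated on `conn->verbose`, but the `tls13_record_print(stderr, 0, 0, conn->record, conn->recordlen);` immediately after it is not, so with verbose 0 the record dump still reaches stderr while its label disappears; tls13_do_recv, tls13_recv_encrypted_extensions, tls13_recv_certificate_request, tls13_recv_server_certificate and tls13_send_certificate_request have the same unguarded `tls13_record_print` beside a guarded `tls_trace` (unless tls13_record_print checks a flag internally, which this diff does not show). The application plaintext dump in the same function, `format_bytes(stderr, 0, 0, "send", data, datalen)`, and the `EarlyData` dump in tls13_recv_early_data are enabled at any nonzero level while secrets require level 5; payload contents are usually as sensitive as the keys and belong behind the same high threshold or a documented level of their own. Suggested: `if (conn->verbose) tls13_record_print(stderr, 0, 0, conn->record, conn->recordlen);` for the record prints and `if (conn->verbose >= 5)` for the payload dumps.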
@@ -1385,7 +1389,9 @@ int tls13_recv_early_data(TLS_CONNECT *conn) memcpy(conn->early_data_buf, conn->data, conn->datalen); conn->early_data_len = conn->datalen; - format_string(stderr, 0, 4, "EarlyData", conn->early_data_buf, conn->early_data_len); + if(conn->verbose) { + format_string(stderr, 0, 4, "EarlyData", conn->early_data_buf, conn->early_data_len); + } // 清空记录,防止后续的握手处理过程出现问题 @@ -3697,6 +3703,7 @@ int tls13_init(TLS_CONNECT *conn, TLS_CTX *ctx) conn->ctx = ctx; conn->is_client = ctx->is_client; + conn->verbose = ctx->verbose; conn->protocol = ctx->protocol; @@ -3785,7 +3792,7 @@ int tls13_send_client_hello(TLS_CONNECT *conn) uint8_t *pexts = exts; size_t extslen = 0; - tls_trace("send ClientHello\n"); + if(conn->verbose) tls_trace("send ClientHello\n"); // record_version tls_record_set_protocol(conn->record, TLS_protocol_tls1); @@ -4112,12 +4119,14 @@ int tls13_recv_hello_retry_request(TLS_CONNECT *conn) int selected_version; int key_exchange_group; - tls_trace("recv HelloRetryRequest*\n"); + if(conn->verbose) tls_trace("recv HelloRetryRequest*\n"); if ((ret = tls_recv_record(conn)) != 1) { if (ret != TLS_ERROR_RECV_AGAIN) { - fprintf(stderr, "tls_recv_record return %d\n", ret); + if(conn->verbose) { + fprintf(stderr, "tls_recv_record return %d\n", ret); + } error_print(); } @@ -4141,7 +4150,7 @@ int tls13_recv_hello_retry_request(TLS_CONNECT *conn) return -1; } if (handshake_type != TLS_handshake_hello_retry_request) { - tls_trace(" no HelloRetryRequest\n"); + if(conn->verbose) tls_trace(" no HelloRetryRequest\n"); return 0; } @@ -4432,7 +4441,7 @@ int tls13_client_hello_again_psk_update(TLS_CONNECT *conn) int tls13_send_client_hello_again(TLS_CONNECT *conn) { int ret; - tls_trace("send ClientHello again\n"); + if(conn->verbose) tls_trace("send ClientHello again\n"); if (!conn->recordlen) { const uint8_t *legacy_session_id = NULL; 
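Review bot: tls13_init now copies `ctx->verbose` into `conn->verbose`, but every tls12.c site changed in this commit (tls_send_server_hello_done through tls12_do_client_handshake) reads `conn->verbose` as well, and no corresponding assignment for TLS 1.2 or TLCP connections is visible in this view. The diffstat lists src/tls.c, so tls_init presumably does the same; if it does not, those connections keep whatever the struct was cleared to and the verbose option silently has no effect on them. A comment on the new field in tls.h, `// copied from ctx->verbose by the protocol init functions; 0 = silent, >= 5 also dumps secrets`, would pin down which initializer owns it and what the levels mean.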
@@ -4719,7 +4728,7 @@ int tls13_recv_server_hello(TLS_CONNECT *conn) int selected_version; int server_key_exchange_mode = 0; - tls_trace("recv ServerHello\n"); + if(conn->verbose) tls_trace("recv ServerHello\n"); if ((ret = tls_recv_record(conn)) != 1) { if (ret != TLS_ERROR_RECV_AGAIN) { @@ -5032,7 +5041,7 @@ int tls13_recv_server_hello(TLS_CONNECT *conn) tls13_send_alert(conn, TLS_alert_internal_error); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "ServerHello", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerHello", &conn->dgst_ctx); } else { if (digest_init(&conn->dgst_ctx, conn->digest) != 1) { error_print(); @@ -5044,14 +5053,14 @@ int tls13_recv_server_hello(TLS_CONNECT *conn) error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "ClientHello", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ClientHello", &conn->dgst_ctx); // update(ServerHello) if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) { error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "ServerHello", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerHello", &conn->dgst_ctx); } if (conn->client_certs_len) { @@ -5085,7 +5094,7 @@ int tls13_send_change_cipher_spec(TLS_CONNECT *conn) if (!conn->recordlen) { - tls_trace("send [ChangeCipherSpec]\n"); + if(conn->verbose) tls_trace("send [ChangeCipherSpec]\n"); if (tls_record_set_change_cipher_spec(conn->record, &conn->recordlen) != 1) { error_print(); tls_send_alert(conn, TLS_alert_internal_error); @@ -5108,7 +5117,7 @@ int tls13_recv_change_cipher_spec(TLS_CONNECT *conn) { int ret; - tls_trace("recv [ChangeCipherSpec]\n"); + if(conn->verbose) tls_trace("recv [ChangeCipherSpec]\n"); if ((ret = tls_recv_record(conn)) != 1) { if (ret != TLS_ERROR_RECV_AGAIN) { 
@@ -5143,7 +5152,9 @@ int tls13_recv_encrypted_extensions(TLS_CONNECT *conn) int early_data = 0; int alpn = 0; - printf("recv {EncryptedExtensions}\n"); + if(conn->verbose) { + printf("recv {EncryptedExtensions}\n"); + } if ((ret = tls_recv_record(conn)) != 1) { if (ret != TLS_ERROR_RECV_AGAIN) { @@ -5169,7 +5180,7 @@ int tls13_recv_encrypted_extensions(TLS_CONNECT *conn) } tls13_record_print(stderr, 0, 0, conn->plain_record, conn->plain_recordlen); - tls_handshake_digest_print(stderr, 0, 0, "EncryptedExtension", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "EncryptedExtension", &conn->dgst_ctx); if ((ret = tls13_record_get_handshake_encrypted_extensions(conn->plain_record, @@ -5490,9 +5501,6 @@ int tls_cert_chain_match_extensions( // server_name if (host_name && host_name_len) { - format_string(stderr, 0,0, "host_name", host_name, host_name_len); - - if ((ret = tls_cert_match_server_name(cert, certlen, host_name, host_name_len)) < 0) { error_print(); @@ -5501,8 +5509,6 @@ int tls_cert_chain_match_extensions( return 0; } - format_print(stderr, 0, 0, "passed\n"); - } // signature_algorithms_cert @@ -5632,7 +5638,7 @@ int tls13_recv_certificate_request(TLS_CONNECT *conn) const uint8_t *filters = NULL; size_t filters_len = 0; - tls_trace("recv {CertificateRequest*}\n"); + if(conn->verbose) tls_trace("recv {CertificateRequest*}\n"); if ((ret = tls_recv_record(conn)) != 1) { if (ret != TLS_ERROR_RECV_AGAIN) { @@ -5657,7 +5663,7 @@ int tls13_recv_certificate_request(TLS_CONNECT *conn) return -1; } if (handshake_type != TLS_handshake_certificate_request) { - tls_trace(" no {CertificateRequest}\n"); + if(conn->verbose) tls_trace(" no {CertificateRequest}\n"); return 0; } tls13_record_print(stderr, 0, 0, conn->plain_record, conn->plain_recordlen); 
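Review bot: tls13_recv_encrypted_extensions still reports its progress with `printf("recv {EncryptedExtensions}\n")`, i.e. on stdout, whereas every other trace touched by this commit goes through `tls_trace()` to stderr. A client tool that writes received application data to stdout will get this diagnostic mixed into its payload as soon as verbose is on. Replacing the three added lines with `if(conn->verbose) tls_trace("recv {EncryptedExtensions}\n");` keeps the output channels consistent with the rest of the file.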
@@ -5915,7 +5921,7 @@ int tls13_recv_server_certificate(TLS_CONNECT *conn) int verify_result; - tls_trace("recv server {Certificate}\n"); + if(conn->verbose) tls_trace("recv server {Certificate}\n"); if ((ret = tls_recv_record(conn)) != 1) { if (ret != TLS_ERROR_RECV_AGAIN) { @@ -5942,7 +5948,7 @@ int tls13_recv_server_certificate(TLS_CONNECT *conn) return -1; } tls13_record_print(stderr, 0, 0, conn->plain_record, conn->plain_recordlen); - tls_handshake_digest_print(stderr, 0, 0, "ServerCertificate", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerCertificate", &conn->dgst_ctx); if ((ret = tls13_record_get_handshake_certificate(conn->plain_record, &request_context, &request_context_len, @@ -6051,7 +6057,7 @@ int tls13_recv_server_certificate_verify(TLS_CONNECT *conn) size_t certlen; X509_KEY public_key; - tls_trace("recv server {CertificateVerify}\n"); + if(conn->verbose) tls_trace("recv server {CertificateVerify}\n"); if ((ret = tls_recv_record(conn)) != 1) { if (ret != TLS_ERROR_RECV_AGAIN) { @@ -6127,7 +6133,7 @@ int tls13_recv_client_certificate_verify(TLS_CONNECT *conn) size_t certlen; X509_KEY public_key; - tls_trace("recv client {CertificateVerify}\n"); + if(conn->verbose) tls_trace("recv client {CertificateVerify}\n"); if ((ret = tls_recv_record(conn)) != 1) { if (ret != TLS_ERROR_RECV_AGAIN) { @@ -6191,7 +6197,7 @@ int tls13_recv_client_certificate_verify(TLS_CONNECT *conn) error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "CertificateVerify", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "CertificateVerify", &conn->dgst_ctx); return 1; } @@ -6211,7 +6217,7 @@ int tls13_recv_server_finished(TLS_CONNECT *conn) return -1; } - tls_trace("recv server {Finished}\n"); + if(conn->verbose) tls_trace("recv server {Finished}\n"); if (!conn->plain_recordlen) { 
@@ -6237,7 +6243,7 @@ int tls13_recv_server_finished(TLS_CONNECT *conn) error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "ServerFinished", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerFinished", &conn->dgst_ctx); if ((ret = tls13_record_get_handshake_finished(conn->plain_record, @@ -6270,7 +6276,7 @@ int tls13_send_client_certificate(TLS_CONNECT *conn) { int ret; - tls_trace("send client {Certificate*}\n"); + if(conn->verbose) tls_trace("send client {Certificate*}\n"); if (conn->recordlen == 0) { const uint8_t *request_context = NULL; @@ -6308,7 +6314,7 @@ int tls13_send_client_certificate(TLS_CONNECT *conn) error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "client Certficate", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "client Certficate", &conn->dgst_ctx); tls13_padding_len_rand(&padding_len); @@ -6335,7 +6341,7 @@ int tls13_send_client_certificate_verify(TLS_CONNECT *conn) { int ret; - tls_trace("send client {CertificateVerify*}\n"); + if(conn->verbose) tls_trace("send client {CertificateVerify*}\n"); if (!conn->recordlen) { X509_KEY *sign_key = &conn->ctx->x509_keys[conn->cert_chain_idx - 1]; @@ -6362,7 +6368,7 @@ int tls13_send_client_certificate_verify(TLS_CONNECT *conn) error_print(); return -1; } - tls_handshake_digest_print(stderr, 0, 0, "after client CertificateVerify", &conn->dgst_ctx); + if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "after client CertificateVerify", &conn->dgst_ctx); tls13_padding_len_rand(&padding_len); if (tls13_record_encrypt(&conn->client_write_key, conn->client_write_iv, @@ -6389,7 +6395,7 @@ int tls13_send_client_finished(TLS_CONNECT *conn) { int ret; - tls_trace("send client {Finished}\n"); + if(conn->verbose) tls_trace("send client {Finished}\n"); if (!conn->recordlen) { uint8_t verify_data[64]; 
@@ -6546,7 +6552,7 @@ int tls13_recv_client_hello(TLS_CONNECT *conn)
tls_client_verify_init(&conn->client_verify_ctx); */
- tls_trace("recv ClientHello\n");
+ if(conn->verbose) tls_trace("recv ClientHello\n");
if ((ret = tls_recv_record(conn)) != 1) {
if (ret != TLS_ERROR_RECV_AGAIN) {
@@ -7242,7 +7248,7 @@ int tls13_recv_client_hello(TLS_CONNECT *conn)
error_print();
return -1;
}
- tls_handshake_digest_print(stderr, 0, 0, "ClientHello", &conn->dgst_ctx);
+ if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ClientHello", &conn->dgst_ctx);
} // early_data
@@ -7272,7 +7278,7 @@ int tls13_send_hello_retry_request(TLS_CONNECT *conn)
{
int ret;
- tls_trace("send HelloRetryRequest\n");
+ if(conn->verbose) tls_trace("send HelloRetryRequest\n");
if (conn->recordlen == 0) {
const uint8_t *legacy_session_id_echo = NULL;
@@ -7398,7 +7404,7 @@ int tls13_recv_client_hello_again(TLS_CONNECT *conn)
size_t key_exchange_len;
- tls_trace("recv ClientHello again\n");
+ if(conn->verbose) tls_trace("recv ClientHello again\n");
if ((ret = tls_recv_record(conn)) != 1) {
if (ret != TLS_ERROR_RECV_AGAIN) {
@@ -7689,7 +7695,7 @@ int tls13_send_server_hello(TLS_CONNECT *conn)
{
int ret;
- tls_trace("send ServerHello\n");
+ if(conn->verbose) tls_trace("send ServerHello\n");
if (conn->recordlen == 0) {
uint8_t exts[256];// 256=> 需要的长度
@@ -7765,7 +7771,7 @@ int tls13_send_server_hello(TLS_CONNECT *conn)
error_print();
return -1;
}
- tls_handshake_digest_print(stderr, 0, 0, "ServerHello", &conn->dgst_ctx);
+ if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerHello", &conn->dgst_ctx);
if (tls13_generate_handshake_secrets(conn) != 1) {
@@ -7806,7 +7812,7 @@ int tls13_send_alert(TLS_CONNECT *conn, int alert)
int ret;
size_t padding_len;
- tls_trace("send {Alert}\n");
+ if(conn->verbose) tls_trace("send {Alert}\n");
if (conn->recordlen == 0) {
tls_record_set_protocol(conn->plain_record, TLS_protocol_tls12);
@@ -7848,7 +7854,7 @@ int tls13_send_alert(TLS_CONNECT *conn, int alert)
int tls13_send_encrypted_extensions(TLS_CONNECT *conn)
{
int ret;
- tls_trace("send {EncryptedExtensions}\n");
+ if(conn->verbose) tls_trace("send {EncryptedExtensions}\n");
if (conn->recordlen == 0) {
uint8_t exts[256];
@@ -7917,7 +7923,7 @@ int tls13_send_encrypted_extensions(TLS_CONNECT *conn)
digest_update(&conn->dgst_ctx, conn->plain_record + 5, conn->plain_recordlen - 5);
- tls_handshake_digest_print(stderr, 0, 0, "EncryptedExtensions", &conn->dgst_ctx);
+ if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "EncryptedExtensions", &conn->dgst_ctx);
tls13_padding_len_rand(&padding_len);
@@ -7953,7 +7959,7 @@ int tls13_send_encrypted_extensions(TLS_CONNECT *conn)
int tls13_send_certificate_request(TLS_CONNECT *conn)
{
int ret;
- tls_trace("send {CertificateRequest*}\n");
+ if(conn->verbose) tls_trace("send {CertificateRequest*}\n");
if (conn->recordlen == 0) {
const uint8_t *request_context = NULL;
@@ -8043,7 +8049,7 @@ int tls13_send_certificate_request(TLS_CONNECT *conn)
}
tls13_record_print(stderr, 0, 0, conn->plain_record, conn->plain_recordlen);
- tls_handshake_digest_print(stderr, 0, 0, "after CertificateRequest", &conn->dgst_ctx);
+ if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "after CertificateRequest", &conn->dgst_ctx);
//format_print(stderr, 0, 0, "server_seq_num: "PRIu64"\n", GETU64(conn->server_seq_num));
@@ -8072,7 +8078,7 @@ int tls13_send_server_certificate(TLS_CONNECT *conn)
{
int ret;
- tls_trace("send server {Certificate}\n");
+ if(conn->verbose) tls_trace("send server {Certificate}\n");
if (conn->recordlen == 0) {
const uint8_t *request_context = NULL;
@@ -8112,7 +8118,7 @@ int tls13_send_server_certificate(TLS_CONNECT *conn)
error_print();
return -1;
}
- tls_handshake_digest_print(stderr, 0, 0, "ServerCertificate", &conn->dgst_ctx);
+ if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerCertificate", &conn->dgst_ctx);
tls13_padding_len_rand(&padding_len);
if (tls13_record_encrypt(&conn->server_write_key, conn->server_write_iv,
@@ -8139,7 +8145,7 @@ int tls13_send_server_certificate_verify(TLS_CONNECT *conn)
{
int ret;
- tls_trace("send server {CertificateVerify}\n");
+ if(conn->verbose) tls_trace("send server {CertificateVerify}\n");
if (conn->recordlen == 0) {
X509_KEY *sign_key = &conn->ctx->x509_keys[conn->cert_chain_idx - 1];
@@ -8191,7 +8197,7 @@ int tls13_send_server_finished(TLS_CONNECT *conn)
int ret;
size_t padding_len;
- tls_trace("send server {Finished}\n");
+ if(conn->verbose) tls_trace("send server {Finished}\n");
if (conn->recordlen == 0) {
uint8_t verify_data[64];
@@ -8212,7 +8218,7 @@ int tls13_send_server_finished(TLS_CONNECT *conn)
}
tls13_record_print(stderr, 0, 0, conn->plain_record, conn->plain_recordlen);
- tls_handshake_digest_print(stderr, 0, 0, "ServerFinished", &conn->dgst_ctx);
+ if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerFinished", &conn->dgst_ctx);
//format_print(stderr, 0, 0, "server_seq_num: "PRIu64"\n", GETU64(conn->server_seq_num));
@@ -8264,7 +8270,7 @@ int tls13_recv_client_certificate(TLS_CONNECT *conn)
int verify_result;
- tls_trace("recv client {Certificate*}\n");
+ if(conn->verbose) tls_trace("recv client {Certificate*}\n");
if ((ret = tls_recv_record(conn)) != 1) {
if (ret != TLS_ERROR_RECV_AGAIN) {
@@ -8290,13 +8296,13 @@ int tls13_recv_client_certificate(TLS_CONNECT *conn)
}
tls_seq_num_incr(conn->client_seq_num);
- tls13_record_trace(stderr, conn->plain_record, conn->plain_recordlen, 0, 0);
+ if(conn->verbose) tls13_record_trace(stderr, conn->plain_record, conn->plain_recordlen, 0, 0);
if (digest_update(&conn->dgst_ctx, conn->plain_record + 5, conn->plain_recordlen - 5) != 1) {
error_print();
return -1;
}
- tls_handshake_digest_print(stderr, 0, 0, "after client Certificate", &conn->dgst_ctx);
+ if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "after client Certificate", &conn->dgst_ctx);
if ((ret = tls13_record_get_handshake_certificate(conn->plain_record,
@@ -8402,7 +8408,7 @@ int tls13_recv_client_finished(TLS_CONNECT *conn)
const uint8_t *verify_data;
size_t verify_data_len;
- tls_trace("recv client {Finished}\n");
+ if(conn->verbose) tls_trace("recv client {Finished}\n");
if ((ret = tls_recv_record(conn)) != 1) {
if (ret != TLS_ERROR_RECV_AGAIN) {
error_print();
@@ -8427,7 +8433,7 @@ int tls13_recv_client_finished(TLS_CONNECT *conn)
}
tls_seq_num_incr(conn->client_seq_num);
- tls13_record_trace(stderr, conn->plain_record, conn->plain_recordlen, 0, 0);
+ if(conn->verbose) tls13_record_trace(stderr, conn->plain_record, conn->plain_recordlen, 0, 0);
if ((ret = tls13_record_get_handshake_finished(conn->plain_record,
@@ -8441,7 +8447,7 @@ int tls13_recv_client_finished(TLS_CONNECT *conn)
return -1;
}
- tls_handshake_digest_print(stderr, 0, 0, "before ClientFinished", &conn->dgst_ctx);
+ if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "before ClientFinished", &conn->dgst_ctx);
if (tls13_compute_verify_data(conn->client_handshake_traffic_secret, &conn->dgst_ctx, local_verify_data, &local_verify_data_len) != 1) {
@@ -8471,7 +8477,7 @@ int tls13_send_early_data(TLS_CONNECT *conn)
{
size_t sentlen;
- tls_trace("send EarlyData\n");
+ if(conn->verbose) tls_trace("send EarlyData\n");
if (!conn->early_data) {
error_print();
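Review bot: In verbose mode `tls_trace("send EarlyData\n")` is now emitted twice for every early-data send: once at the top of tls13_send_early_data in the `@@ -8471` hunk and once more in the tls13_do_client_handshake hunk (`@@ -8621`) immediately before it calls tls13_send_early_data. One of the two should go; keeping the one inside tls13_send_early_data means any other caller gets the same trace, so the line to drop is the one in tls13_do_client_handshake. tls13_send_early_data's body continues past the hunk.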
@@ -8506,7 +8512,7 @@ int tls13_send_client_key_update(TLS_CONNECT *conn, int request_update)
if (conn->recordlen == 0) {
size_t padding_len = 0;
- tls_trace("send client {KeyUpdate}\n");
+ if(conn->verbose) tls_trace("send client {KeyUpdate}\n");
if (tls13_record_set_handshake_key_update(conn->plain_record, &conn->plain_recordlen, request_update) != 1) {
@@ -8562,7 +8568,7 @@ int tls13_send_server_key_update(TLS_CONNECT *conn, int request_update)
if (conn->recordlen == 0) {
size_t padding_len = 0;
- tls_trace("send server {KeyUpdate}\n");
+ if(conn->verbose) tls_trace("send server {KeyUpdate}\n");
if (tls13_record_set_handshake_key_update(conn->plain_record, &conn->plain_recordlen, request_update) != 1) {
@@ -8621,7 +8627,7 @@ int tls13_do_client_handshake(TLS_CONNECT *conn)
case TLS_state_server_hello:
case TLS_state_encrypted_extensions:
if (conn->early_data && conn->early_data_offset < conn->early_data_len) {
- tls_trace("send EarlyData\n");
+ if(conn->verbose) tls_trace("send EarlyData\n");
if (tls13_send_early_data(conn) != 1) {
error_print();
return -1;
diff --git a/tools/tlcp_client.c b/tools/tlcp_client.c
index 84ac6ade..a055e4d2 100644
--- a/tools/tlcp_client.c
+++ b/tools/tlcp_client.c
@@ -26,7 +26,7 @@ static const char *usage =
" [-get path]"
" [-alpn str]"
" [-trusted_ca_keys]"
- " [-quiet]";
+ " [-verbose]";
static const char *help =
"Options\n"
@@ -48,7 +48,7 @@ static const char *help =
" -trusted_ca_keys Send trusted_ca_keys request\n"
" -alpn str Application protocol name, may appear multiple times, higher priority first\n"
" -status_request Send status_request (OCSP Stapling) request\n"
-" -quiet Without printing any status message\n"
+" -verbose Print TLS handshake messages\n"
"\n"
#include "tlcp_help.h"
"\n";
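Review bot: The new help line `" -verbose Print TLS handshake messages\n"` in the tools/tlcp_client.c `@@ -48` hunk implies that nothing is printed without the flag, but the tls13.c hunks earlier in this chunk leave several `tls13_record_print` calls ungated, so at least the TLS 1.3 tools still write handshake records to stderr by default. Either gate those calls as well or make the help text describe what the flag actually controls, e.g. `" -verbose Print TLS handshake messages and transcript digests to stderr\n"`. The identical help line is added to tlcp_server, tls12_client, tls12_server, tls13_client and tls13_server below, so the wording should be fixed in one place and copied.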
@@ -187,7 +187,7 @@ int tlcp_client_main(int argc, char *argv[])
int client_cert_optional = 0;
char *get = NULL;
char *certoutfile = NULL;
- int quiet = 0;
+ int verbose = 0;
struct hostent *hp;
struct sockaddr_in server;
tls_socket_t sock = -1;
@@ -297,8 +297,8 @@ int tlcp_client_main(int argc, char *argv[])
} else if (!strcmp(*argv, "-certout")) {
if (--argc < 1) goto bad;
certoutfile = *(++argv);
- } else if (!strcmp(*argv, "-quiet")) {
- quiet = 1;
+ } else if (!strcmp(*argv, "-verbose")) {
+ verbose = 1;
} else {
fprintf(stderr, "%s: invalid option '%s'\n", prog, *argv);
return 1;
@@ -388,7 +388,10 @@ bad:
}
}
- // quiet/verbose
+ if (verbose && tls_ctx_set_verbose(&ctx, verbose) != 1) {
+ error_print();
+ goto end;
+ }
if (tls_init(&conn, &ctx) != 1) {
error_print();
diff --git a/tools/tlcp_server.c b/tools/tlcp_server.c
index 50630365..f0cc77f9 100644
--- a/tools/tlcp_server.c
+++ b/tools/tlcp_server.c
@@ -18,7 +18,7 @@
#include
-static const char *options = "[-port num] -cert pem -key pem -pass str [-alpn str] [-cacert pem]";
+static const char *options = "[-port num] -cert pem -key pem -pass str [-alpn str] [-cacert pem] [-verbose]";
static const char *help =
@@ -30,6 +30,7 @@ static const char *help =
" -pass str Password to decrypt both private keys in the same -key PEM, may appear multiple times\n"
" -alpn str Application protocol name, may appear multiple times, higher priority first\n"
" -cacert pem CA certificate for client certificate verification\n"
+" -verbose Print TLS handshake messages\n"
"\n"
#include "tlcp_help.h"
"\n";
@@ -156,6 +157,7 @@ int tlcp_server_main(int argc , char **argv)
char *alpn_protocols[4];
size_t alpn_protocols_cnt = 0;
char *cacertfile = NULL;
+ int verbose = 0;
int server_ciphers[] = {
TLS_cipher_ecc_sm4_gcm_sm3,
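Review bot: Removing the `-quiet` branch from the parser in the `@@ -297` hunk means any existing script that passes it now fails with `invalid option '-quiet'` and exit status 1 via the else branch shown in the same hunk. Since quiet output is now the default, accepting the old flag as a no-op for one release is cheap and avoids breaking callers: `} else if (!strcmp(*argv, "-quiet")) { /* deprecated: quiet is now the default */`. tlcp_client_main's body extends beyond the hunk.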
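Review bot: In the `@@ -388` hunk `tls_ctx_set_verbose(&ctx, verbose)` stores the flag on the context, but every gate added in tls13.c tests `conn->verbose`; the copy from context to connection is presumably done by the `tls_init(&conn, &ctx)` call on the next line, which is not in this chunk, so it is worth confirming, because a missed copy would silently make -verbose a no-op. The `verbose &&` short-circuit also means the setter is never called with 0, so the context keeps whatever default tls_ctx_init gave it; that is fine only if the default is off. A one-line comment above the check would make the contract explicit: `// verbosity is copied from ctx into conn by tls_init() below`.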
@@ -220,6 +222,8 @@ int tlcp_server_main(int argc , char **argv)
} else if (!strcmp(*argv, "-cacert")) {
if (--argc < 1) goto bad;
cacertfile = *(++argv);
+ } else if (!strcmp(*argv, "-verbose")) {
+ verbose = 1;
} else {
fprintf(stderr, "%s: invalid option '%s'\n", prog, *argv);
return 1;
@@ -255,6 +259,10 @@ bad:
error_print();
return -1;
}
+ if (verbose && tls_ctx_set_verbose(&ctx, verbose) != 1) {
+ error_print();
+ return -1;
+ }
if (alpn_protocols_cnt) {
if (tls_ctx_set_application_layer_protocol_negotiation(&ctx, alpn_protocols, alpn_protocols_cnt) != 1) {
diff --git a/tools/tls12_client.c b/tools/tls12_client.c
index 1714b9f8..667fcf0d 100644
--- a/tools/tls12_client.c
+++ b/tools/tls12_client.c
@@ -23,7 +23,7 @@ static const char *http_get =
"Hostname: aaa\r\n"
"\r\n\r\n";
-static const char *options = "-host str [-port num] [-cacert pem] [-cert pem -key pem -pass str] [-trusted_ca_keys]";
+static const char *options = "-host str [-port num] [-cacert pem] [-cert pem -key pem -pass str] [-trusted_ca_keys] [-verbose]";
static const char *help =
"Options\n"
@@ -45,6 +45,7 @@ static const char *help =
" -renegotiation_info_scsv\n"
" Send TLS_EMPTY_RENEGOTIATION_INFO_SCSV\n"
" -status_request Send status_request (OCSP Stapling) request\n"
+" -verbose Print TLS handshake messages\n"
"\n"
#include "tls12_help.h"
"\n";
@@ -179,6 +180,7 @@ int tls12_client_main(int argc, char *argv[])
int trusted_ca_keys = 0;
int renegotiation_info = 0;
int empty_renegotiation_info_scsv = 0;
+ int verbose = 0;
TLS_CTX ctx;
TLS_CONNECT conn;
struct hostent *hp;
@@ -278,6 +280,8 @@ int tls12_client_main(int argc, char *argv[])
empty_renegotiation_info_scsv = 1;
} else if (!strcmp(*argv, "-client_cert_optional")) {
client_cert_optional = 1;
+ } else if (!strcmp(*argv, "-verbose")) {
+ verbose = 1;
} else {
fprintf(stderr, "%s: invalid option '%s'\n", prog, *argv);
return 1;
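Review bot: The failure path added to tlcp_server_main in the `@@ -255` hunk does `return -1;`, whereas the identical check added to tlcp_client, tls12_client, tls12_server, tls13_client and tls13_server in this patch does `goto end;`. Inside tlcp_server_main it matches the `return -1;` directly above it, so this is a cross-tool consistency point rather than a clear defect; if the `end` label in this tool releases the context (not visible in the hunk), `goto end;` would also avoid leaking the context that the preceding call already initialised. tlcp_server_main continues outside the hunk.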
@@ -308,6 +312,10 @@ bad:
error_print();
return -1;
}
+ if (verbose && tls_ctx_set_verbose(&ctx, verbose) != 1) {
+ error_print();
+ goto end;
+ }
if (tls_ctx_set_cipher_suites(&ctx, cipher_suites, cipher_suites_cnt) != 1) {
error_print();
diff --git a/tools/tls12_server.c b/tools/tls12_server.c
index 94de3b3d..77a904d7 100644
--- a/tools/tls12_server.c
+++ b/tools/tls12_server.c
@@ -18,7 +18,7 @@
#include
-static const char *options = "[-port num] -cert pem -key pem -pass str [-cacert pem]";
+static const char *options = "[-port num] -cert pem -key pem -pass str [-cacert pem] [-verbose]";
static const char *help =
"Options\n"
@@ -35,6 +35,7 @@ static const char *help =
" -verify_depth num Certificate verification depth\n"
" -client_cert_optional Allow client send empty Certificate\n"
" -renegotiation_info Send renegotiation_info response when client supports RFC 5746\n"
+" -verbose Print TLS handshake messages\n"
"\n"
#include "tls12_help.h"
"\n";
@@ -170,6 +171,7 @@ int tls12_server_main(int argc , char **argv)
int verify_depth = TLS_DEFAULT_VERIFY_DEPTH;
int client_cert_optional = 0;
int renegotiation_info = 0;
+ int verbose = 0;
TLS_CTX ctx;
TLS_CONNECT conn;
char buf[1600] = {0};
@@ -277,6 +279,8 @@ int tls12_server_main(int argc , char **argv)
client_cert_optional = 1;
} else if (!strcmp(*argv, "-renegotiation_info")) {
renegotiation_info = 1;
+ } else if (!strcmp(*argv, "-verbose")) {
+ verbose = 1;
} else {
fprintf(stderr, "%s: invalid option '%s'\n", prog, *argv);
return 1;
@@ -314,6 +318,10 @@ bad:
error_print();
return -1;
}
+ if (verbose && tls_ctx_set_verbose(&ctx, verbose) != 1) {
+ error_print();
+ goto end;
+ }
if (tls_ctx_set_cipher_suites(&ctx, cipher_suites, cipher_suites_cnt) != 1) {
fprintf(stderr, "%s: context init error\n", prog);
diff --git a/tools/tls13_client.c b/tools/tls13_client.c
index 7a63bf69..927e1da0 100644
--- a/tools/tls13_client.c
+++ b/tools/tls13_client.c
@@ -103,7 +103,7 @@ static const char *http_get =
"Hostname: aaa\r\n"
"\r\n\r\n";
-static const char *options = "-host str [-port num] [-cacert pem] [-cert pem -key pem -pass str]";
+static const char *options = "-host str [-port num] [-cacert pem] [-cert pem -key pem -pass str] [-verbose]";
static const char *help =
"Options\n"
@@ -136,6 +136,7 @@ static const char *help =
" -post_handshake_auth Support post_handshake_auth\n"
" -client_cert_optional Allow client send empty Certificate\n"
" -tls13_change_cipher_spec Support ChangeCipherSpec in TLS 1.3 to be compatible with middlebox\n"
+" -verbose Print TLS handshake messages\n"
"\n"
#include "tls13_help.h"
"\n";
@@ -232,6 +233,7 @@ int tls13_client_main(int argc, char *argv[])
// ChangeCipherSpec
int tls13_change_cipher_spec = 0;
+ int verbose = 0;
int send_again = 0;
@@ -397,6 +399,8 @@ int tls13_client_main(int argc, char *argv[])
client_cert_optional = 1;
} else if (!strcmp(*argv, "-tls13_change_cipher_spec")) {
tls13_change_cipher_spec = 1;
+ } else if (!strcmp(*argv, "-verbose")) {
+ verbose = 1;
} else {
fprintf(stderr, "%s: invalid option '%s'\n", prog, *argv);
return 1;
@@ -424,6 +428,10 @@ bad:
error_print();
return -1;
}
+ if (verbose && tls_ctx_set_verbose(&ctx, verbose) != 1) {
+ error_print();
+ goto end;
+ }
// cipher_suites
if (tls_ctx_set_cipher_suites(&ctx, cipher_suites, cipher_suites_cnt) != 1) {
diff --git a/tools/tls13_server.c b/tools/tls13_server.c
index 75de46fb..0b7e3924 100644
--- a/tools/tls13_server.c
+++ b/tools/tls13_server.c
@@ -20,7 +20,7 @@
-static const char *options = "[-port num] -cert pem -key pem -pass str [-cacert pem]";
+static const char *options = "[-port num] -cert pem -key pem -pass str [-cacert pem] [-verbose]";
static const char *help =
"Options\n"
@@ -47,6 +47,7 @@ static const char *help =
" -ticket_key hex Session ticket encrypt/decrypt key in HEX format\n"
" -key_update_seq_num num Send KeyUpdate handshake after sending/receiving records\n"
" -tls13_change_cipher_spec Support ChangeCipherSpec in TLS 1.3 to be compatible with middlebox\n"
+" -verbose Print TLS handshake messages\n"
"\n"
#include "tls13_help.h"
"\n";
@@ -192,6 +193,7 @@ int tls13_server_main(int argc , char **argv)
// ChangeCipherSpec
int tls13_change_cipher_spec = 0;
+ int verbose = 0;
size_t i;
@@ -346,6 +348,8 @@ int tls13_server_main(int argc , char **argv)
client_cert_optional = 1;
} else if (!strcmp(*argv, "-tls13_change_cipher_spec")) {
tls13_change_cipher_spec = 1;
+ } else if (!strcmp(*argv, "-verbose")) {
+ verbose = 1;
} else {
fprintf(stderr, "%s: invalid option '%s'\n", prog, *argv);
return 1;
@@ -385,6 +389,10 @@ bad:
error_print();
return -1;
}
+ if (verbose && tls_ctx_set_verbose(&ctx, verbose) != 1) {
+ error_print();
+ goto end;
+ }
if (tls_ctx_set_cipher_suites(&ctx, cipher_suites, cipher_suites_cnt) != 1) {
fprintf(stderr, "%s: context init error\n", prog);