Update verbose control

CMakeLists.txt

@@ -831,7 +831,7 @@ endif()
 #
 set(CPACK_PACKAGE_NAME "GmSSL")
 set(CPACK_PACKAGE_VENDOR "GmSSL develop team")
-set(CPACK_PACKAGE_VERSION "3.2.0-dev.1114")
+set(CPACK_PACKAGE_VERSION "3.2.0-dev.1115")
 set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md)
 set(CPACK_NSIS_MODIFY_PATH ON)
 include(CPack)

include/gmssl/tls.h

@@ -806,6 +806,11 @@ enum {
 	TLS_client_mode = 1,
 };
 
+enum {
+	TLS_verbose = 1,
+	TLS_verbose_print_key = 5,
+};
+
 #define TLS_MAX_CIPHER_SUITES_COUNT	64
 
 

include/gmssl/version.h

@@ -18,7 +18,7 @@ extern "C" {
 
 
 #define GMSSL_VERSION_NUM	30200
-#define GMSSL_VERSION_STR	"GmSSL 3.2.0-dev.1114"
+#define GMSSL_VERSION_STR	"GmSSL 3.2.0-dev.1115"
 
 int gmssl_version_num(void);
 const char *gmssl_version_str(void);

src/tls.c

@@ -929,7 +929,7 @@ int tls_derive_master_secret(TLS_CONNECT *conn)
 		error_print();
 		return -1;
 	}
-	if (conn->verbose == 5) {
+	if (conn->verbose == TLS_verbose_print_key) {
 		format_bytes(stderr, 0, 0, "master_secret", conn->master_secret, 48);
 	}
 	return 1;
@@ -968,7 +968,7 @@ int tls_derive_key_block(TLS_CONNECT *conn)
 		return -1;
 	}
 
-	if (conn->verbose == 5) {
+	if (conn->verbose == TLS_verbose_print_key) {
 		format_bytes(stderr, 0, 0, "key_blocks", conn->key_block, conn->key_block_len);
 	}
 	return 1;
@@ -1015,7 +1015,7 @@ int tls_init_application_keys(TLS_CONNECT *conn)
 					return -1;
 				}
 			}
-			if (conn->verbose >= 5) {
+			if (conn->verbose == TLS_verbose_print_key) {
 				format_bytes(stderr, 0, 0, "client_write_mac_key", conn->key_block, dgstlen);
 				format_bytes(stderr, 0, 0, "server_write_mac_key", conn->key_block + dgstlen, dgstlen);
 				format_bytes(stderr, 0, 0, "client_write_key", conn->key_block + dgstlen * 2, keylen);
@@ -1036,7 +1036,7 @@ int tls_init_application_keys(TLS_CONNECT *conn)
 		memset(conn->server_write_iv, 0, sizeof(conn->server_write_iv));
 		memcpy(conn->client_write_iv, conn->key_block + keylen * 2, 4);
 		memcpy(conn->server_write_iv, conn->key_block + keylen * 2 + 4, 4);
-		if (conn->verbose >= 5) {
+		if (conn->verbose == TLS_verbose_print_key) {
 			format_bytes(stderr, 0, 0, "client_write_key", conn->key_block, keylen);
 			format_bytes(stderr, 0, 0, "server_write_key", conn->key_block + keylen, keylen);
 			format_bytes(stderr, 0, 0, "client_write_iv", conn->key_block + keylen * 2, 4);
@@ -2835,7 +2835,7 @@ int tls_ctx_set_verbose(TLS_CTX *ctx, int verbose)
 		error_print();
 		return -1;
 	}
-	if (verbose < 0 || verbose > 5) {
+	if (verbose < 0 || verbose > TLS_verbose_print_key) {
 		error_print();
 		return -1;
 	}
@@ -2849,7 +2849,7 @@ int tls_ctx_enable_verbose(TLS_CTX *ctx, int enable)
 		error_print();
 		return -1;
 	}
-	ctx->verbose = enable ? 1 : 0;
+	ctx->verbose = enable ? TLS_verbose : 0;
 	return 1;
 }
 
@@ -3376,7 +3376,7 @@ int tls_set_verbose(TLS_CONNECT *conn, int verbose)
 		error_print();
 		return -1;
 	}
-	if (verbose < 0 || verbose > 5) {
+	if (verbose < 0 || verbose > TLS_verbose_print_key) {
 		error_print();
 		return -1;
 	}

src/tls12.c

@@ -2998,7 +2998,7 @@ int tls_send_server_finished(TLS_CONNECT *conn)
 			return -1;
 		}
 
-		if (conn->verbose >= 5) {
+		if (conn->verbose) {
 			format_bytes(stderr, 0, 0, "server verify_data", local_verify_data, 12);
 		}
 

src/tls13.c

@@ -652,7 +652,7 @@ int tls13_generate_early_keys(TLS_CONNECT *conn)
 	}
 	tls_seq_num_reset(conn->client_seq_num);
 
-	if (conn->verbose >= 5) {
+	if (conn->verbose == TLS_verbose_print_key) {
 		format_print(stderr, 0, 0, "generate_early_keys\n");
 		format_bytes(stderr, 0, 4, "early_secret", conn->early_secret, conn->digest->digest_size);
 		format_bytes(stderr, 0, 4, "client_early_traffic_secret", conn->client_early_traffic_secret, conn->digest->digest_size);
@@ -705,7 +705,7 @@ int tls13_generate_handshake_secrets(TLS_CONNECT *conn)
 		return -1;
 	}
 
-	if (conn->verbose >= 5) {
+	if (conn->verbose == TLS_verbose_print_key) {
 		format_print(stderr, 0, 0, "generate_handshake_secrets\n");
 		format_bytes(stderr, 0, 4, "early_secret", conn->early_secret, conn->digest->digest_size);
 		format_bytes(stderr, 0, 4, "derived_secret", derived_secret, conn->digest->digest_size);
@@ -740,7 +740,7 @@ int tls13_generate_master_secret(TLS_CONNECT *conn)
 		error_print();
 		return -1;
 	}
-	if (conn->verbose >= 5) {
+	if (conn->verbose == TLS_verbose_print_key) {
 		format_print(stderr, 0, 0, "generate_master_secret\n");
 		format_bytes(stderr, 0, 4, "master_secret", conn->master_secret, conn->digest->digest_size);
 	}
@@ -767,7 +767,7 @@ int tls13_generate_client_handshake_keys(TLS_CONNECT *conn)
 	}
 	tls_seq_num_reset(conn->client_seq_num);
 
-	if (conn->verbose >= 5) {
+	if (conn->verbose == TLS_verbose_print_key) {
 		format_print(stderr, 0, 0, "generate_client_handshake_keys\n");
 		format_bytes(stderr, 0, 4, "client_write_key", client_write_key, client_write_key_len);
 		format_bytes(stderr, 0, 4, "client_write_iv", conn->client_write_iv, TLS13_IV_SIZE);
@@ -798,7 +798,7 @@ int tls13_generate_server_handshake_keys(TLS_CONNECT *conn)
 	}
 	tls_seq_num_reset(conn->server_seq_num);
 
-	if (conn->verbose >= 5) {
+	if (conn->verbose == TLS_verbose_print_key) {
 		format_print(stderr, 0, 0, "generate_server_handshake_keys\n");
 		format_bytes(stderr, 0, 4, "server_write_key", server_write_key, server_write_key_len);
 		format_bytes(stderr, 0, 4, "server_write_iv", conn->server_write_iv, TLS13_IV_SIZE);
@@ -820,7 +820,7 @@ int tls13_generate_application_secrets(TLS_CONNECT *conn)
 		error_print();
 		return -1;
 	}
-	if (conn->verbose >= 5) {
+	if (conn->verbose == TLS_verbose_print_key) {
 		format_print(stderr, 0, 0, "generate_application_secrets\n");
 		format_bytes(stderr, 0, 4, "client_application_traffic_secret", conn->client_application_traffic_secret, conn->dgst_ctx.digest->digest_size);
 		format_bytes(stderr, 0, 4, "server_application_traffic_secret", conn->server_application_traffic_secret, conn->dgst_ctx.digest->digest_size);
@@ -839,7 +839,7 @@ int tls13_update_client_application_secret(TLS_CONNECT *conn)
 		error_print();
 		return -1;
 	}
-	if (conn->verbose >= 5) {
+	if (conn->verbose == TLS_verbose_print_key) {
 		format_print(stderr, 0, 0, "update_client_application_secret\n");
 		format_bytes(stderr, 0, 4, "client_application_traffic_secret",
 			conn->client_application_traffic_secret, conn->digest->digest_size);
@@ -858,7 +858,7 @@ int tls13_update_server_application_secret(TLS_CONNECT *conn)
 		error_print();
 		return -1;
 	}
-	if (conn->verbose >= 5) {
+	if (conn->verbose == TLS_verbose_print_key) {
 		format_print(stderr, 0, 0, "update_server_application_secret\n");
 		format_bytes(stderr, 0, 4, "server_application_traffic_secret",
 			conn->server_application_traffic_secret, conn->digest->digest_size);
@@ -886,7 +886,7 @@ int tls13_generate_client_application_keys(TLS_CONNECT *conn)
 	}
 	tls_seq_num_reset(conn->client_seq_num);
 
-	if (conn->verbose >= 5) {
+	if (conn->verbose == TLS_verbose_print_key) {
 		format_print(stderr, 0, 0, "update_client_application_keys\n");
 		format_bytes(stderr, 0, 4, "client_write_key", client_write_key, client_write_key_len);
 		format_bytes(stderr, 0, 4, "client_write_iv", conn->client_write_iv, TLS13_IV_SIZE);
@@ -917,7 +917,7 @@ int tls13_generate_server_application_keys(TLS_CONNECT *conn)
 	}
 	tls_seq_num_reset(conn->server_seq_num);
 
-	if (conn->verbose >= 5) {
+	if (conn->verbose == TLS_verbose_print_key) {
 		format_print(stderr, 0, 0, "update_server_application_keys\n");
 		format_bytes(stderr, 0, 4, "server_write_key", server_write_key, server_write_key_len);
 		format_bytes(stderr, 0, 4, "server_write_iv", conn->server_write_iv, TLS13_IV_SIZE);

src/tls_psk.c

@@ -602,7 +602,9 @@ int tls13_add_pre_shared_key_from_session_file(TLS_CONNECT *conn, FILE *fp)
 	// FIXME: compute obfuscated_ticket_age from ticket_issue_time and ticket_age_add.
 	uint32_t obfuscated_ticket_age = 0;
 
-	format_print(stderr, 0, 0, "read SESSION\n");
+	if (conn->verbose) {
+		format_print(stderr, 0, 0, "read SESSION\n");
+	}
 
 	if ((ret = tls_uint16array_from_file(buf, &len, sizeof(buf), fp)) < 0) {
 		error_print();
@@ -650,7 +652,9 @@ int tls13_send_new_session_ticket(TLS_CONNECT *conn)
 	int ret;
 	size_t padding_len;
 
-	tls_trace("send {NewSessionTicket*}\n");
+	if (conn->verbose) {
+		tls_trace("send {NewSessionTicket*}\n");
+	}
 
 	if (conn->recordlen == 0) {
 		// new_session_ticket
@@ -688,7 +692,9 @@ int tls13_send_new_session_ticket(TLS_CONNECT *conn)
 		tls13_hkdf_expand_label(conn->digest, resumption_master_secret, "resumption",
 			ticket_nonce, sizeof(ticket_nonce), dgstlen, pre_shared_key);
 
-		format_bytes(stderr, 0, 0, ">>>> pre_shared_key", pre_shared_key, sizeof(pre_shared_key));
+		if (conn->verbose == TLS_verbose_print_key) {
+			format_bytes(stderr, 0, 0, ">>>> pre_shared_key", pre_shared_key, sizeof(pre_shared_key));
+		}
 
 		if (tls13_ticket_encrypt(conn->ctx->session_ticket_key,
 			pre_shared_key, conn->protocol, conn->cipher_suite,
@@ -715,13 +721,17 @@ int tls13_send_new_session_ticket(TLS_CONNECT *conn)
 			error_print();
 			return -1;
 		}
-		tls13_record_print(stderr, 0, 0, conn->plain_record, conn->plain_recordlen);
+		if (conn->verbose) {
+			tls13_record_print(stderr, 0, 0, conn->plain_record, conn->plain_recordlen);
+		}
 
-		format_print(stderr, 0, 0, "update server secrets\n");
+		if (conn->verbose == TLS_verbose_print_key) {
-		format_bytes(stderr, 0, 4, "server_application_traffic_secret", conn->server_application_traffic_secret, 48);
+			format_print(stderr, 0, 0, "update server secrets\n");
-		format_bytes(stderr, 0, 4, "server_write_iv", conn->server_write_iv, 12);
+			format_bytes(stderr, 0, 4, "server_application_traffic_secret", conn->server_application_traffic_secret, 48);
-		format_bytes(stderr, 0, 4, "server_seq_num", conn->server_seq_num, 8);
+			format_bytes(stderr, 0, 4, "server_write_iv", conn->server_write_iv, 12);
-		format_print(stderr, 0, 0, "\n");
+			format_bytes(stderr, 0, 4, "server_seq_num", conn->server_seq_num, 8);
+			format_print(stderr, 0, 0, "\n");
+		}
 
 		tls13_padding_len_rand(&padding_len);
 		if (tls13_record_encrypt(conn->cipher_suite, &conn->server_write_key, conn->server_write_iv,
@@ -826,7 +836,9 @@ int tls13_process_new_session_ticket(TLS_CONNECT *conn)
 		error_print();
 		return -1;
 	}
-	if(conn->verbose) tls13_session_print(stderr, 0, 0, "SESSION", session, sessionlen);
+	if (conn->verbose == TLS_verbose_print_key) {
+		tls13_session_print(stderr, 0, 0, "SESSION", session, sessionlen);
+	}
 
 	if (conn->session_out) {
 		FILE *fp;
@@ -1798,9 +1810,13 @@ int tls13_send_end_of_early_data(TLS_CONNECT *conn)
 			error_print();
 			return -1;
 		}
-		tls_trace("send EndOfEarlyData\n");
+		if (conn->verbose) {
+			tls_trace("send EndOfEarlyData\n");
+		}
 
-		format_bytes(stderr, 0, 4, "client_write_iv", conn->client_write_iv, 12);
+		if (conn->verbose == TLS_verbose_print_key) {
+			format_bytes(stderr, 0, 4, "client_write_iv", conn->client_write_iv, 12);
+		}
 
 		size_t padding_len;
 		tls13_padding_len_rand(&padding_len);
@@ -1812,7 +1828,9 @@ int tls13_send_end_of_early_data(TLS_CONNECT *conn)
 			return -1;
 		}
 
-		tls13_record_print(stderr, 0, 0, conn->record, conn->recordlen);
+		if (conn->verbose) {
+			tls13_record_print(stderr, 0, 0, conn->record, conn->recordlen);
+		}
 	}
 
 	if ((ret = tls_send_record(conn)) != 1) {
@@ -1831,10 +1849,12 @@ int tls13_send_end_of_early_data(TLS_CONNECT *conn)
 	tls_seq_num_reset(conn->client_seq_num);
 
 	// client_early_traffic_secret 用来加密early_data, end_of_early_data
-	format_print(stderr, 0, 0, "client_write_key/iv <= client_handshake_traffic_secret\n");
+	if (conn->verbose == TLS_verbose_print_key) {
-	format_bytes(stderr, 0, 4, "client_handshake_traffic_secret", conn->client_handshake_traffic_secret, 32);
+		format_print(stderr, 0, 0, "client_write_key/iv <= client_handshake_traffic_secret\n");
-	format_bytes(stderr, 0, 4, "client_write_key", client_write_key, 16);
+		format_bytes(stderr, 0, 4, "client_handshake_traffic_secret", conn->client_handshake_traffic_secret, 32);
-	format_bytes(stderr, 0, 4, "client_write_iv", conn->client_write_iv, 12);
+		format_bytes(stderr, 0, 4, "client_write_key", client_write_key, 16);
+		format_bytes(stderr, 0, 4, "client_write_iv", conn->client_write_iv, 12);
+	}
 
 	tls_clean_record(conn);
 	return 1;
@@ -1844,7 +1864,9 @@ int tls13_send_end_of_early_data(TLS_CONNECT *conn)
 int tls13_recv_end_of_early_data(TLS_CONNECT *conn)
 {
 	int ret;
-	tls_trace("recv {EndOfEarlyData}\n");
+	if (conn->verbose) {
+		tls_trace("recv {EndOfEarlyData}\n");
+	}
 
 	if ((ret = tls_recv_record(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN) {
@@ -1853,7 +1875,9 @@ int tls13_recv_end_of_early_data(TLS_CONNECT *conn)
 		return ret;
 	}
 
-	format_bytes(stderr, 0, 4, "client_write_iv", conn->client_write_iv, 12);
+	if (conn->verbose == TLS_verbose_print_key) {
+		format_bytes(stderr, 0, 4, "client_write_iv", conn->client_write_iv, 12);
+	}
 
 	if (tls13_record_decrypt(conn->cipher_suite, &conn->client_write_key, conn->client_write_iv,
 		conn->client_seq_num, conn->record, conn->recordlen,
@@ -1862,7 +1886,9 @@ int tls13_recv_end_of_early_data(TLS_CONNECT *conn)
 		tls13_send_alert(conn, TLS_alert_bad_record_mac);
 		return -1;
 	}
-	tls13_record_print(stderr, 0, 0, conn->plain_record, conn->plain_recordlen);
+	if (conn->verbose) {
+		tls13_record_print(stderr, 0, 0, conn->plain_record, conn->plain_recordlen);
+	}
 
 	if ((ret = tls13_record_get_handshake_end_of_early_data(conn->plain_record)) < 0) {
 		error_print();
@@ -1883,10 +1909,12 @@ int tls13_recv_end_of_early_data(TLS_CONNECT *conn)
 	tls13_hkdf_expand_label(conn->digest, conn->client_handshake_traffic_secret, "iv", NULL, 0, 12, conn->client_write_iv);
 	tls_seq_num_reset(conn->client_seq_num);
 
-	format_print(stderr, 0, 0, "client_write_key/iv <= client_handshake_traffic_secret\n");
+	if (conn->verbose == TLS_verbose_print_key) {
-	format_bytes(stderr, 0, 4, "client_handshake_traffic_secret", conn->client_handshake_traffic_secret, 32);
+		format_print(stderr, 0, 0, "client_write_key/iv <= client_handshake_traffic_secret\n");
-	format_bytes(stderr, 0, 4, "client_write_key", client_write_key, 16);
+		format_bytes(stderr, 0, 4, "client_handshake_traffic_secret", conn->client_handshake_traffic_secret, 32);
-	format_bytes(stderr, 0, 4, "client_write_iv", conn->client_write_iv, 12);
+		format_bytes(stderr, 0, 4, "client_write_key", client_write_key, 16);
+		format_bytes(stderr, 0, 4, "client_write_iv", conn->client_write_iv, 12);
+	}
 
 	return 1;
 }

src/tls_trace.c

@@ -500,12 +500,29 @@ int tls_extension_print(FILE *fp, int fmt, int ind, int handshake_type, int type
 	const uint8_t *p;
 	size_t len;
 
-	(void)handshake_type;
-
 	format_print(fp, fmt, ind, "%s (%d)\n", tls_extension_name(type), type);
 	ind += 4;
 
 	switch (type) {
+	case TLS_extension_server_name:
+		switch (handshake_type) {
+		case TLS_handshake_client_hello:
+			if (tls_server_name_print(fp, fmt, ind, data, datalen) != 1) {
+				error_print();
+				return -1;
+			}
+			break;
+		case TLS_handshake_server_hello:
+			if (datalen) {
+				error_print();
+				return -1;
+			}
+			format_print(fp, fmt, ind, "(empty)\n");
+			break;
+		default:
+			format_bytes(fp, fmt, ind, "raw_data", data, datalen);
+		}
+		break;
 	// FIXME: 不支持ServerHello
 	case TLS_extension_supported_versions:
 		if (tls_uint16array_from_bytes(&p, &len, &data, &datalen) != 1

tests/tls13test.c

@@ -735,6 +735,16 @@ static int test_tls_server_name_ext(void)
 		return -1;
 	}
 	tls_server_name_print(stderr, 0, 0, ext_data, ext_datalen);
+	if (tls_extension_print(stderr, 0, 0, TLS_handshake_client_hello,
+		ext_type, ext_data, ext_datalen) != 1) {
+		error_print();
+		return -1;
+	}
+	if (tls_extension_print(stderr, 0, 0, TLS_handshake_server_hello,
+		TLS_extension_server_name, NULL, 0) != 1) {
+		error_print();
+		return -1;
+	}
 
 
 	// 这里应该补充一个包含多个host_name的例子

tools/tlcp_client.c

@@ -351,7 +351,7 @@ int tlcp_client_main(int argc, char *argv[])
 			if (--argc < 1) goto bad;
 			certoutfile = *(++argv);
 		} else if (!strcmp(*argv, "-verbose")) {
-			verbose = 5;
+			verbose = TLS_verbose;
 		} else {
 			fprintf(stderr, "%s: invalid option '%s'\n", prog, *argv);
 			return 1;

tools/tlcp_server.c

@@ -234,7 +234,7 @@ int tlcp_server_main(int argc , char **argv)
 			if (--argc < 1) goto bad;
 			cacertfile = *(++argv);
 		} else if (!strcmp(*argv, "-verbose")) {
-			verbose = 5;
+			verbose = TLS_verbose;
 		} else {
 			fprintf(stderr, "%s: invalid option '%s'\n", prog, *argv);
 			return 1;

tools/tls12_client.c

@@ -334,7 +334,7 @@ int tls12_client_main(int argc, char *argv[])
 			if (--argc < 1) goto bad;
 			infile = *(++argv);
 		} else if (!strcmp(*argv, "-verbose")) {
-			verbose = 5;
+			verbose = TLS_verbose;
 		} else {
 			fprintf(stderr, "%s: invalid option '%s'\n", prog, *argv);
 			return 1;

tools/tls12_server.c

@@ -260,7 +260,7 @@ int tls12_server_main(int argc , char **argv)
 		} else if (!strcmp(*argv, "-renegotiation_info")) {
 			renegotiation_info = 1;
 		} else if (!strcmp(*argv, "-verbose")) {
-			verbose = 5;
+			verbose = TLS_verbose;
 		} else {
 			fprintf(stderr, "%s: invalid option '%s'\n", prog, *argv);
 			return 1;

tools/tls13_client.c

@@ -486,7 +486,7 @@ int tls13_client_main(int argc, char *argv[])
 			if (--argc < 1) goto bad;
 			infile = *(++argv);
 		} else if (!strcmp(*argv, "-verbose")) {
-			verbose = 5;
+			verbose = TLS_verbose;
 		} else {
 			fprintf(stderr, "%s: invalid option '%s'\n", prog, *argv);
 			return 1;

tools/tls13_server.c

@@ -329,7 +329,7 @@ int tls13_server_main(int argc , char **argv)
 		} else if (!strcmp(*argv, "-tls13_change_cipher_spec")) {
 			tls13_change_cipher_spec = 1;
 		} else if (!strcmp(*argv, "-verbose")) {
-			verbose = 5;
+			verbose = TLS_verbose;
 		} else {
 			fprintf(stderr, "%s: invalid option '%s'\n", prog, *argv);
 			return 1;