updating comments in test recipie

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Hugo Landau <hlandau@devever.net>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25297)

diff --git a/INSTALL.md b/INSTALL.md
index ae47e4d269f5ab00f9e1f9d2f03ba0c120e6850b..0f686532d3d1f9b7101cf60c33bf42dcc00885f6 100644 (file)
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -1085,8 +1085,9 @@ Build with support for the SSLKEYLOGFILE environment variable
 When enabled, setting SSLKEYLOGFILE to a file path records the keys exchanged
 during a TLS handshake for use in analysis tools like wireshark.  Note that the
 use of this mechanism allows for decryption of application payloads found in
-captured packets using keys from the key log file.  See Section 3 of 
-[the draft standard for SSLKEYLOGFILE](https://datatracker.ietf.org/doc/draft-thomson-tls-keylogfile/)
+captured packets using keys from the key log file and therefore has significant
+security consequences.  See Section 3 of
+[the draft standard for SSLKEYLOGFILE](https://datatracker.ietf.org/doc/draft-ietf-tls-keylogfile/)
 
 ### no-ts
 

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index ba4d6904687528881af26a7d3b260bd969802ef9..b94fc77e298d694d339b96880dd7b3518bdb6d55 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3904,7 +3904,7 @@ static long check_keylog_bio_free(BIO *b, int oper, const char *argp,
 /**
  * @brief records ssl secrets to a file
  */
-static void sslkeylogfile_cb(const SSL *ssl, const char *line)
+static void do_sslkeylogfile(const SSL *ssl, const char *line)
 {
     if (keylog_lock == NULL)
         return;
@@ -4202,7 +4202,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
             goto out;
         }
 
-        /* Grab out global lock */
+        /* Grab our global lock */
         if (!CRYPTO_THREAD_write_lock(keylog_lock)) {
             OSSL_TRACE(TLS, "Unable to acquire keylog write lock\n");
             goto out;
@@ -6909,7 +6909,7 @@ static int nss_keylog_int(const char *prefix,
 
 #ifndef OPENSSL_NO_SSLKEYLOG
     if (sctx->do_sslkeylog == 1)
-        sslkeylogfile_cb(SSL_CONNECTION_GET_SSL(sc), (const char *)out);
+        do_sslkeylogfile(SSL_CONNECTION_GET_SSL(sc), (const char *)out);
 #endif
     if (sctx->keylog_callback != NULL)
         sctx->keylog_callback(SSL_CONNECTION_GET_SSL(sc), (const char *)out);

diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index 06d78dd6359fa95bd0ea7c588def55fb5868caba..eaf9fbd68e435a5acc3ffb46cde1bc1397ca5210 100644 (file)
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -1100,10 +1100,7 @@ struct ssl_ctx_st {
     SSL_CTX_keylog_cb_func keylog_callback;
 
     /*
-     * Private callback for internal key logging based on SSLKEYLOG env
-     * We don't want to create a chaining mechanism as we're never sure
-     * if the application wants to set an additional callback or override
-     * the one set via SSLKEYLOGFILE, so we just keep them separate
+     * Private flag for internal key logging based on SSLKEYLOG env
      */
 # ifndef OPENSSL_NO_SSLKEYLOG
     uint32_t do_sslkeylog;

diff --git a/test/recipes/70-test_sslkeylogfile.t b/test/recipes/70-test_sslkeylogfile.t
index 6261740e9078813e7446077162dc39b6c5649f24..acff862229af5fe2508871167b8c6b278b9ab845 100644 (file)
--- a/test/recipes/70-test_sslkeylogfile.t
+++ b/test/recipes/70-test_sslkeylogfile.t
@@ -36,8 +36,9 @@ my @s_server_cmd = ("s_server", "-accept", "0", "-naccept", "1",
                     "-cert", $server_pem, "-key", $server_key);
 my $s_server_pid = open3(my $s_server_i, my $s_server_o, my $s_server_e, $shlib_wrap, $apps_openssl, @s_server_cmd);
 
-# ACCEPT 0.0.0.0:45921
-# ACCEPT [::]:45921
+# expected outputs from the server
+# ACCEPT 0.0.0.0:<port>
+# ACCEPT [::]:<port>
 my $port = "0";
 # Figure out what port its listening on
 while (<$s_server_o>) {