From d1771e925dfb35e22963dd6ad41b91a93a840339 Mon Sep 17 00:00:00 2001 
From: Per K Date: Mon, 24 Apr 2023 12:44:27 +0200 Subject: [PATCH] Enable SSL logging per default Done in order to simplify connection debugging. Example log: openssl_adapter.cc:829): connect_loop TLS client read_server_hello (openssl_adapter.cc:829): connect_loop TLS client read_server_certificate (openssl_adapter.cc:829): connect_loop TLS client read_certificate_status (openssl_adapter.cc:829): connect_loop TLS client verify_server_certificate (openssl_stream_adapter.cc:1128): Accepted peer certificate. (openssl_adapter.cc:829): connect_loop TLS client read_server_key_exchange (openssl_adapter.cc:829): connect_loop TLS client read_certificate_request (openssl_adapter.cc:829): connect_loop TLS client read_server_hello_done (openssl_adapter.cc:829): connect_loop TLS client send_client_certificate (openssl_adapter.cc:829): connect_loop TLS client send_client_key_exchange (openssl_adapter.cc:829): connect_loop TLS client send_client_certificate_verify (openssl_adapter.cc:829): connect_loop TLS client send_client_finished (openssl_adapter.cc:829): connect_loop TLS client finish_flight (openssl_adapter.cc:829): connect_loop TLS client read_session_ticket (openssl_adapter.cc:829): connect_exit TLS client read_session_ticket (openssl_adapter.cc:829): accept_loop TLS server verify_client_certificate (openssl_stream_adapter.cc:1128): Accepted peer certificate. 
(openssl_adapter.cc:829): accept_loop TLS server read_client_key_exchange (peer_connection.cc:1952): Changing IceConnectionState 0 => 1 (openssl_adapter.cc:829): accept_loop TLS server read_client_certificate_verify (peer_connection.cc:1971): Changing standardized IceConnectionState 0 => 1 (peer_connection.cc:1971): Changing standardized IceConnectionState 0 => 1 (peer_connection.cc:1971): Changing standardized IceConnectionState 1 => 2 (peer_connection.cc:1971): Changing standardized IceConnectionState 1 => 2 (openssl_adapter.cc:829): accept_loop TLS server read_change_cipher_spec (openssl_adapter.cc:829): accept_loop TLS server process_change_cipher_spec (openssl_adapter.cc:829): accept_loop TLS server read_next_proto (openssl_adapter.cc:829): accept_loop TLS server read_channel_id (openssl_adapter.cc:829): accept_loop TLS server read_client_finished (openssl_adapter.cc:829): accept_loop TLS server send_server_finished (openssl_adapter.cc:829): accept_loop TLS server finish_server_handshake (openssl_adapter.cc:829): accept_loop TLS server done (openssl_adapter.cc:829): handshake_done TLS server done (openssl_adapter.cc:829): accept_exit TLS server done (dtls_transport.cc:688): DtlsTransport[0|1|__]: DTLS handshake complete. Bug: b/275671043 Change-Id: Ib8d394aa74c5665c489b485bb44152aff67d3b7c Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/302300 Reviewed-by: Taylor Brandstetter Commit-Queue: Per Kjellander Reviewed-by: Harald Alvestrand Cr-Commit-Position: refs/heads/main@{#39955}
--- rtc_base/openssl_adapter.cc | 84 +++++++++++++++++++++--------- rtc_base/openssl_adapter.h | 4 +- rtc_base/openssl_stream_adapter.cc | 2 - 3 files changed, 59 insertions(+), 31 deletions(-)
diff --git a/rtc_base/openssl_adapter.cc b/rtc_base/openssl_adapter.cc
index 7ac922041d..c68eb22f5c 100644
--- a/rtc_base/openssl_adapter.cc
+++ b/rtc_base/openssl_adapter.cc
@@ -777,36 +777,68 @@ bool OpenSSLAdapter::SSLPostConnectionCheck(SSL* ssl, absl::string_view host) {
 return is_valid_cert_name;
 }
-#if !defined(NDEBUG)
-
-// We only use this for tracing and so it is only needed in debug mode
-
-void OpenSSLAdapter::SSLInfoCallback(const SSL* s, int where, int ret) {
- const char* str = "undefined";
- int w = where & ~SSL_ST_MASK;
- if (w & SSL_ST_CONNECT) {
- str = "SSL_connect";
- } else if (w & SSL_ST_ACCEPT) {
- str = "SSL_accept";
+void OpenSSLAdapter::SSLInfoCallback(const SSL* s, int where, int value) {
+ std::string type;
+ bool info_log = false;
+ bool alert_log = false;
+ switch (where) {
+ case SSL_CB_EXIT:
+ info_log = true;
+ type = "exit";
+ break;
+ case SSL_CB_ALERT:
+ alert_log = true;
+ type = "alert";
+ break;
+ case SSL_CB_READ_ALERT:
+ alert_log = true;
+ type = "read_alert";
+ break;
+ case SSL_CB_WRITE_ALERT:
+ alert_log = true;
+ type = "write_alert";
+ break;
+ case SSL_CB_ACCEPT_LOOP:
+ info_log = true;
+ type = "accept_loop";
+ break;
+ case SSL_CB_ACCEPT_EXIT:
+ info_log = true;
+ type = "accept_exit";
+ break;
+ case SSL_CB_CONNECT_LOOP:
+ info_log = true;
+ type = "connect_loop";
+ break;
+ case SSL_CB_CONNECT_EXIT:
+ info_log = true;
+ type = "connect_exit";
+ break;
+ case SSL_CB_HANDSHAKE_START:
+ info_log = true;
+ type = "handshake_start";
+ break;
+ case SSL_CB_HANDSHAKE_DONE:
+ info_log = true;
+ type = "handshake_done";
+ break;
+ case SSL_CB_LOOP:
+ case SSL_CB_READ:
+ case SSL_CB_WRITE:
+ default:
+ break;
 }
- if (where & SSL_CB_LOOP) {
- RTC_DLOG(LS_VERBOSE) << str << ":" << SSL_state_string_long(s);
- } else if (where & SSL_CB_ALERT) {
- str = (where & SSL_CB_READ) ? 
"read" : "write"; - RTC_DLOG(LS_INFO) << "SSL3 alert " << str << ":" - << SSL_alert_type_string_long(ret) << ":" - << SSL_alert_desc_string_long(ret); - } else if (where & SSL_CB_EXIT) { - if (ret == 0) { - RTC_DLOG(LS_INFO) << str << ":failed in " << SSL_state_string_long(s); - } else if (ret < 0) { - RTC_DLOG(LS_INFO) << str << ":error in " << SSL_state_string_long(s); - } + + if (info_log) { + RTC_LOG(LS_INFO) << type << " " << SSL_state_string_long(s); + } + if (alert_log) { + RTC_LOG(LS_WARNING) << type << " " << SSL_alert_type_string_long(value) + << " " << SSL_alert_desc_string_long(value) << " " + << SSL_state_string_long(s); } } -#endif - #ifdef WEBRTC_USE_CRYPTO_BUFFER_CALLBACK // static enum ssl_verify_result_t OpenSSLAdapter::SSLVerifyCallback(SSL* ssl, diff --git a/rtc_base/openssl_adapter.h b/rtc_base/openssl_adapter.h index 3ce33e1f5b..558a04077a 100644 --- a/rtc_base/openssl_adapter.h +++ b/rtc_base/openssl_adapter.h @@ -124,10 +124,8 @@ class OpenSSLAdapter final : public SSLAdapter { int DoSslWrite(const void* pv, size_t cb, int* error); bool SSLPostConnectionCheck(SSL* ssl, absl::string_view host); -#if !defined(NDEBUG) - // In debug builds, logs info about the state of the SSL connection. + // Logs info about the state of the SSL connection. static void SSLInfoCallback(const SSL* ssl, int where, int ret); -#endif #if defined(OPENSSL_IS_BORINGSSL) && \ defined(WEBRTC_EXCLUDE_BUILT_IN_SSL_ROOT_CERTS) diff --git a/rtc_base/openssl_stream_adapter.cc b/rtc_base/openssl_stream_adapter.cc index 9fd8c8f395..bf400ff4ec 100644 --- a/rtc_base/openssl_stream_adapter.cc +++ b/rtc_base/openssl_stream_adapter.cc @@ -1057,9 +1057,7 @@ SSL_CTX* OpenSSLStreamAdapter::SetupSSLContext() { return nullptr; } -#if !defined(NDEBUG) SSL_CTX_set_info_callback(ctx, OpenSSLAdapter::SSLInfoCallback); -#endif int mode = SSL_VERIFY_PEER; if (GetClientAuthEnabled()) {