Add support for SSLKEYLOGFILE

See https://everything.curl.dev/usingcurl/tls/sslkeylogfile
toniebox-reverse-engineering · Jul 28, 2023 · 058a2bb · 058a2bb
1 parent 4d628c5
commit 058a2bb
Show file tree

Hide file tree

Showing 5 changed files with 70 additions and 2 deletions.
diff --git a/include/tls_adapter.h b/include/tls_adapter.h
@@ -12,4 +12,6 @@ extern TlsCache *tlsCache;
 
 extern YarrowContext yarrowContext;
 
+void tls_context_key_log_init(TlsContext *context);
+
 #endif
diff --git a/include/tls_config.h b/include/tls_config.h
@@ -44,6 +44,9 @@
 // DTLS support
 #define DTLS_SUPPORT DISABLED
 
+//Key logging
+#define TLS_KEY_LOG_SUPPORT ENABLED
+
 // Client mode of operation
 #define TLS_CLIENT_SUPPORT ENABLED
 // Server mode of operation

diff --git a/src/cloud_request.c b/src/cloud_request.c
@@ -68,6 +68,8 @@ error_t httpClientTlsInitCallback(HttpClientContext *context,
     if (error)
         return error;
 
+    tls_context_key_log_init(tlsContext);
+
     TRACE_INFO("Initializing TLS done\r\n");
 
     // Successful processing
@@ -366,4 +368,4 @@ int_t cloud_request(const char *server, int port, bool https, const char *uri, c
     httpClientDeinit(&httpClientContext);
 
     return 0;
-}
+}
diff --git a/src/server.c b/src/server.c
@@ -467,6 +467,8 @@ error_t httpServerTlsInitCallback(HttpConnection *connection, TlsContext *tlsCon
         return error;
     }
 
+    tls_context_key_log_init(tlsContext);
+
     // Successful processing
     return NO_ERROR;
 }
@@ -533,4 +535,4 @@ void server_init()
     usleep(100000);
 
     exit(ret);
-}
+}
diff --git a/src/tls_adapter.c b/src/tls_adapter.c
@@ -30,6 +30,8 @@ TlsCache *tlsCache;
 
 YarrowContext yarrowContext;
 
+static FsFile *keyLogFile;
+
 /**
  * @enum eDerType
  * @brief Enumeration for the types of DER data
@@ -307,11 +309,68 @@ error_t read_certificate(const char_t *filename, char_t **buffer, size_t *length
     return error;
 }
 
+static error_t keylog_open(void)
+{
+    const char *logfile = getenv("SSLKEYLOGFILE");
+    if (logfile == NULL)
+        return ERROR_NOT_CONFIGURED;
+
+    if (keyLogFile == NULL)
+    {
+        FILE *fp = fopen(logfile, "a");
+        if (fp == NULL)
+        {
+            TRACE_ERROR("Failed to open ssl key log file \"%s\"\r\n", logfile);
+            return ERROR_FILE_OPENING_FAILED;
+        }
+#ifdef WIN32
+        (void)setvbuf(fp, NULL, _IONBF, 0);
+#else
+        (void)setvbuf(fp, NULL, _IOLBF, 4096);
+        keyLogFile = fp;
+#endif
+    }
+    return NO_ERROR;
+}
+
+static void keylog_write(TlsContext *context, const char_t *key)
+{
+    if (keyLogFile == NULL)
+        return;
+    char buf[256]; // key is at most 194 chars. see tlsDumpSecret
+    size_t len = osStrlen(key);
+    if (len > sizeof(buf) - 2)
+        return;
+    memcpy(buf, key, len);
+    buf[len++] = '\n';
+    buf[len] = '\0';
+    (void)fsWriteFile(keyLogFile, buf, len);
+}
+
+static void keylog_close(void)
+{
+    if (keyLogFile != NULL)
+    {
+        fsCloseFile(keyLogFile);
+        keyLogFile = NULL;
+    }
+}
+
+void tls_context_key_log_init(TlsContext *context)
+{
+    if (keylog_open() == NO_ERROR)
+    {
+        (void)tlsSetKeyLogCallback(context, keylog_write);
+    }
+}
+
 error_t tls_adapter_deinit()
 {
     // Release PRNG context
     yarrowRelease(&yarrowContext);
 
+    keylog_close();
+
     return NO_ERROR;
 }
Original file line number	Diff line number	Diff line change
Expand Up		@@ -12,4 +12,6 @@ extern TlsCache *tlsCache;

		extern YarrowContext yarrowContext;

		void tls_context_key_log_init(TlsContext *context);

		#endif