Merge pull request #43 from manuelm/sslkeylogfile

Add support for config.sslkeylogfile to log TLS keys

include/settings.h

@@ -116,6 +116,7 @@ typedef struct
     char *librarydir;
     char *datadir;
     char *wwwdir;
+    char *sslkeylogfile;
     settings_cert_opt_t server_cert;
     settings_cert_opt_t client_cert;
     char *allowOrigin;
@@ -420,4 +421,4 @@ float settings_get_float_ovl(const char *item, const char *overlay_name);
 bool settings_set_float(const char *item, float value);
 bool settings_set_float_ovl(const char *item, float value, const char *overlay_name);
 
-#endif
+#endif

include/tls_adapter.h

@@ -12,4 +12,6 @@ extern TlsCache *tlsCache;
 
 extern YarrowContext yarrowContext;
 
+void tls_context_key_log_init(TlsContext *context);
+
 #endif

include/tls_config.h

@@ -44,6 +44,9 @@
 // DTLS support
 #define DTLS_SUPPORT DISABLED
 
+//Key logging
+#define TLS_KEY_LOG_SUPPORT ENABLED
+
 // Client mode of operation
 #define TLS_CLIENT_SUPPORT ENABLED
 // Server mode of operation

src/cloud_request.c

@@ -87,6 +87,8 @@ error_t httpClientTlsInitCallback(HttpClientContext *context,
     if (error)
         return error;
 
+    tls_context_key_log_init(tlsContext);
+
     TRACE_INFO("Initializing TLS done\r\n");
 
     // Successful processing
@@ -395,4 +397,4 @@ int_t cloud_request(const char *server, int port, bool https, const char *uri, c
     httpClientDeinit(&httpClientContext);
 
     return 0;
-}
+}

src/server.c

@@ -403,6 +403,8 @@ error_t httpServerTlsInitCallback(HttpConnection *connection, TlsContext *tlsCon
     if (error)
         return error;
 
+    tls_context_key_log_init(tlsContext);
+
     // Session cache that will be used to save/resume TLS sessions
     error = tlsSetCache(tlsContext, tlsCache);
     // Any error to report?
@@ -551,4 +553,4 @@ void server_init()
     TRACE_INFO("Exiting TeddyCloud with returncode %d\r\n", ret);
 
     exit(ret);
-}
+}

src/settings.c

@@ -37,6 +37,7 @@ static void option_map_init(uint8_t settingsId)
     OPTION_STRING("core.librarydir", &settings->core.librarydir, "library", "Directory wof the audio library")
     OPTION_STRING("core.datadir", &settings->core.datadir, "data", "Base directory for contentdir/wwwdir when relative")
     OPTION_STRING("core.wwwdir", &settings->core.wwwdir, "www", "Directory where web content is placed")
+    OPTION_STRING("core.sslkeylogfile", &settings->core.sslkeylogfile, "", "SSL/TLS key log filename")
 
     OPTION_STRING("core.server_cert.file.ca", &settings->core.server_cert.file.ca, "certs/server/ca-root.pem", "Server CA")
     OPTION_STRING("core.server_cert.file.crt", &settings->core.server_cert.file.crt, "certs/server/teddy-cert.pem", "Server certificate")

src/tls_adapter.c

@@ -11,6 +11,7 @@
 #include "debug.h"
 #include "settings.h"
 #include "fs_port.h"
+#include "fs_ext.h"
 
 // tsl_certificate.c function Dependencies
 #include <string.h>
@@ -307,6 +308,41 @@ error_t read_certificate(const char_t *filename, char_t **buffer, size_t *length
     return error;
 }
 
+static void keylog_write(TlsContext *context, const char_t *key)
+{
+    static bool failed = false;
+    const char *logfile = settings_get_string("core.sslkeylogfile");
+    if (!logfile || !osStrlen(logfile))
+        return;
+
+    FsFile *keyLogFile = fsOpenFileEx(logfile, "a");
+    if (keyLogFile == NULL)
+    {
+        if (!failed)
+        {
+            TRACE_ERROR("Failed to open ssl key log file \"%s\"\r\n", logfile);
+            failed = true;
+        }
+        return;
+    }
+
+    char buf[256]; // key is at most 194 chars. see tlsDumpSecret
+    size_t len = osStrlen(key);
+    if (len > sizeof(buf) - 2)
+        return;
+    osMemcpy(buf, key, len);
+    buf[len++] = '\n';
+    buf[len] = '\0';
+    fsWriteFile(keyLogFile, buf, len);
+    fsCloseFile(keyLogFile);
+    failed = false;
+}
+
+void tls_context_key_log_init(TlsContext *context)
+{
+    (void)tlsSetKeyLogCallback(context, keylog_write);
+}
+
 error_t tls_adapter_deinit()
 {
     // Release PRNG context