tls: add keylogger callback function

* THIS IS ONLY FOR DEBUGGING PURPOSE. * The key logger is only available with OpenSSL >= v1.1.1 * It is only compiled if TRACE_SSL is defined * TRACE_SSL must define a writeable location and filename * In case the conditions above are fulfiled, it allows the developer to log key material of a tls connection. Including the key material into eg. Wireshark allows the developer to decrypt the SSL stream.
baresip · Aug 6, 2021 · 661df63 · 661df63
1 parent e1d664d
commit 661df63
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 0 deletions.
diff --git a/mk/re.mk b/mk/re.mk
@@ -20,6 +20,7 @@
 #   PROJECT        Project name
 #   RELEASE        Release build
 #   TRACE_ERR      Trace error codes
+#   TRACE_SSL      Log SSL key material = [/path/to/log/file.log]
 #   SYSROOT        System root of library and include files
 #   SYSROOT_ALT    Alternative system root of library and include files
 #   USE_OPENSSL    If non-empty, link to libssl library
@@ -56,6 +57,11 @@ ifneq ($(TRACE_ERR),)
 CFLAGS  += -DTRACE_ERR
 endif
 
+ifneq ($(TRACE_SSL),)
+CFLAGS  += -DTRACE_SSL="\"${TRACE_SSL}\""
+endif
+
+
 # Default system root
 ifeq ($(SYSROOT),)
 SYSROOT := /usr

diff --git a/src/tls/openssl/tls.c b/src/tls/openssl/tls.c
@@ -30,6 +30,46 @@
 #include <re_dbg.h>
 
 
+#if defined(TRACE_SSL) && (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+/**
+ * Global flag if key material must be appended to file
+ */
+static bool fresh_keylog_file = true;
+
+
+/**
+ * SSL Key logger callback function
+ *
+ * @param ssl  OpenSSL SSL object
+ * @param line Key material in NSS format
+ */
+static void tls_keylogger_cb(const SSL *ssl,
+	const char *line)
+{
+	FILE *f = NULL;
+
+	(void) ssl;
+
+	if (fresh_keylog_file) {
+		f = fopen(TRACE_SSL, "w");
+		fresh_keylog_file = false;
+	}
+	else {
+		f = fopen(TRACE_SSL, "a");
+	}
+
+	if (!f)
+		return;
+
+	(void)re_fprintf(f, "%s\n", line);
+
+	if (f)
+		(void)fclose(f);
+
+}
+#endif
+
+
 /* NOTE: shadow struct defined in tls_*.c */
 struct tls_conn {
 	SSL *ssl;
@@ -197,6 +237,10 @@ int tls_alloc(struct tls **tlsp, enum tls_method method, const char *keyfile,
 	SSL_CTX_set_verify_depth(tls->ctx, 1);
 #endif
 
+#if defined(TRACE_SSL) && (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+	SSL_CTX_set_keylog_callback(tls->ctx, tls_keylogger_cb);
+#endif
+
 	/* Load our keys and certificates */
 	if (keyfile) {
 		if (pwd) {