rustls: Add support for SSLKEYLOGFILE

The current main branch of rustls-ffi supports setting up a callback for writing TLS secrets, so hook it up to call Curl_tls_keylog_write.
yedayak · Dec 22, 2024 · 4c875c7 · 4c875c7
1 parent 7a5f0ee
commit 4c875c7
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 2 deletions.
diff --git a/docs/cmdline-opts/_ENVIRONMENT.md b/docs/cmdline-opts/_ENVIRONMENT.md
@@ -102,7 +102,7 @@ If you set this environment variable to a filename, curl stores TLS secrets
 from its connections in that file when invoked to enable you to analyze the
 TLS traffic in real time using network analyzing tools such as Wireshark. This
 works with the following TLS backends: OpenSSL, LibreSSL (TLS 1.2 max),
-BoringSSL, GnuTLS and wolfSSL.
+BoringSSL, GnuTLS, wolfSSL and Rustls.
 
 ## `USERPROFILE` <dir>
 On Windows, this variable is used when trying to find the home directory. If

diff --git a/lib/vtls/keylog.c b/lib/vtls/keylog.c
@@ -27,7 +27,8 @@
   defined(USE_GNUTLS) || \
   defined(USE_WOLFSSL) || \
   (defined(USE_NGTCP2) && defined(USE_NGHTTP3)) || \
-  defined(USE_QUICHE)
+  defined(USE_QUICHE) || \
+  defined(USE_RUSTLS)
 
 #include "keylog.h"
 #include <curl/curl.h>

diff --git a/lib/vtls/rustls.c b/lib/vtls/rustls.c
@@ -38,6 +38,7 @@
 #include "vtls.h"
 #include "vtls_int.h"
 #include "rustls.h"
+#include "keylog.h"
 #include "select.h"
 #include "strerror.h"
 #include "multiif.h"
@@ -522,6 +523,18 @@ cr_get_selected_ciphers(struct Curl_easy *data,
   *selected_size = count;
 }
 
+static void
+cr_keylog_log_cb(struct rustls_str label,
+                 const uint8_t *client_random, size_t client_random_len,
+                 const uint8_t *secret, size_t secret_len)
+{
+  char clabel[KEYLOG_LABEL_MAXLEN];
+  DEBUGASSERT(client_random_len == CLIENT_RANDOM_SIZE);
+  /* Turning a "rustls_str" into a null delimited "c" string */
+  msnprintf(clabel, label.len + 1, "%.*s", (int)label.len, label.data);
+  Curl_tls_keylog_write(clabel, client_random, secret, secret_len);
+}
+
 static CURLcode
 cr_init_backend(struct Curl_cfilter *cf, struct Curl_easy *data,
                 struct rustls_ssl_backend_data *const backend)
@@ -648,6 +661,17 @@ cr_init_backend(struct Curl_cfilter *cf, struct Curl_easy *data,
   rustls_crypto_provider_builder_free(custom_provider_builder);
   rustls_crypto_provider_free(custom_provider);
 
+  Curl_tls_keylog_open();
+  result = rustls_client_config_builder_set_key_log(config_builder,
+                                                    cr_keylog_log_cb, NULL);
+  if(result != RUSTLS_RESULT_OK) {
+    rustls_error(result, errorbuf, sizeof(errorbuf), &errorlen);
+    failf(data, "rustls_client_config_builder_set_key_log: %.*s",
+          (int)errorlen, errorbuf);
+    rustls_client_config_builder_free(config_builder);
+    return map_error(result);
+  }
+
   if(connssl->alpn) {
     struct alpn_proto_buf proto;
     rustls_slice_bytes alpn[ALPN_ENTRIES_MAX];