Posted to dev@tomcat.apache.org by ma...@apache.org on 2019/06/21 09:08:35 UTC

[tomcat-native] 01/02: Add support for TLS key logging

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git

commit e55f56a28753c6abe3a9198a53b4de0c9a0ffc9a
Author: John Kelly <jo...@gmail.com>
AuthorDate: Tue May 21 12:08:18 2019 +0100

    Add support for TLS key logging
---
 native/include/ssl_private.h |  7 +++++++
 native/src/ssl.c             | 44 ++++++++++++++++++++++++++++++++++++++++++++
 native/src/sslcontext.c      |  4 ++++
 3 files changed, 55 insertions(+)

diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h
index d640e26..d88e393 100644
--- a/native/include/ssl_private.h
+++ b/native/include/ssl_private.h
@@ -241,6 +241,10 @@
 #define TLS_server_method                SSLv23_server_method
 #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) */
 
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+#define HAVE_KEYLOG_CALLBACK
+#endif
+
 #define MAX_ALPN_NPN_PROTO_SIZE 65535
 #define SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL            1
 
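Review bot: The new feature test `#if OPENSSL_VERSION_NUMBER >= 0x10101000L` does not exclude LibreSSL, unlike the check just above it, which pairs the version comparison with `defined(LIBRESSL_VERSION_NUMBER)`. LibreSSL reports OPENSSL_VERSION_NUMBER as 0x20000000L, so HAVE_KEYLOG_CALLBACK would be defined on such builds, and if the installed LibreSSL lacks SSL_CTX_set_keylog_callback() the ssl.c hunk that calls it will not compile. I would make the guard consistent with its neighbour, `#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)`, and add a one-line comment explaining the threshold, e.g. `/* SSL_CTX_set_keylog_callback() first appeared in OpenSSL 1.1.1 */`, so the next person does not have to look the number up.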
@@ -387,6 +391,9 @@ int         SSL_rand_seed(const char *file);
 int         SSL_callback_next_protos(SSL *, const unsigned char **, unsigned int *, void *);
 int         SSL_callback_select_next_proto(SSL *, unsigned char **, unsigned char *, const unsigned char *, unsigned int,void *);
 int         SSL_callback_alpn_select_proto(SSL *, const unsigned char **, unsigned char *, const unsigned char *, unsigned int, void *);
+#ifdef HAVE_KEYLOG_CALLBACK
+void        SSL_callback_add_keylog(SSL_CTX *);
+#endif
 
 #if (OPENSSL_VERSION_NUMBER < 0x10100000L) && ! (defined(WIN32) || defined(WIN64))
 unsigned long SSL_ERR_get(void);
diff --git a/native/src/ssl.c b/native/src/ssl.c
index e4a5f76..9dbdcd4 100644
--- a/native/src/ssl.c
+++ b/native/src/ssl.c
@@ -34,6 +34,18 @@ extern apr_pool_t *tcn_global_pool;
 ENGINE *tcn_ssl_engine = NULL;
 tcn_pass_cb_t tcn_password_callback;
 
+#ifdef HAVE_KEYLOG_CALLBACK
+static BIO *key_log_file = NULL;
+
+static void ssl_keylog_callback(const SSL *ssl, const char *line)
+{
+    if (key_log_file && line && *line) {
+        BIO_puts(key_log_file, line);
+        BIO_puts(key_log_file, "\n");
+    }
+}
+#endif
+
 /* From netty-tcnative */
 static jclass byteArrayClass;
 static jclass stringClass;
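Review bot: ssl_keylog_callback emits each record as two separate BIO_puts() calls on a shared, unlocked BIO, so when two handshakes complete at the same time on different threads one thread's line can land between another thread's line and its newline, corrupting the key log for consumers such as Wireshark. Writing the record in one call keeps each line intact on the unbuffered stream this commit configures: `BIO_printf(key_log_file, "%s\n", line);`. Whether SSL_CTX objects are driven from several threads is not visible in this hunk, but Tomcat connectors are multi-threaded so I would assume they are; a mutex around the write (APR is already in use in this file, so apr_thread_mutex is presumably available) is the fully safe option. The result of the write is ignored, which is acceptable for a debugging aid, but a comment such as `/* Best effort: a failed write must never break the handshake. */` should say so.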
@@ -286,6 +298,15 @@ static void free_dh_params(void)
     }
 }
 
+#ifdef HAVE_KEYLOG_CALLBACK
+void SSL_callback_add_keylog(SSL_CTX *ctx)
+{
+    if (key_log_file) {
+        SSL_CTX_set_keylog_callback(ctx, ssl_keylog_callback);
+    }
+}
+#endif
+
 /* Hand out the same DH structure though once generated as we leak
  * memory otherwise and freeing the structure up after use would be
  * hard to track and in fact is not needed at all as it is safe to
@@ -373,6 +394,13 @@ static apr_status_t ssl_init_cleanup(void *data)
     ERR_remove_thread_state(NULL);
 #endif
 
+#ifdef HAVE_KEYLOG_CALLBACK
+    if (key_log_file) {
+        BIO_free(key_log_file);
+        key_log_file = NULL;
+    }
+#endif
+
     /* Don't call ERR_free_strings here; ERR_load_*_strings only
      * actually load the error strings once per process due to static
      * variable abuse in OpenSSL. */
@@ -846,6 +874,22 @@ TCN_IMPLEMENT_CALL(jint, SSL, initialize)(TCN_STDARGS, jstring engine)
     sClazz = (*e)->FindClass(e, "java/lang/String");
     stringClass = (jclass) (*e)->NewGlobalRef(e, sClazz);
 
+#ifdef HAVE_KEYLOG_CALLBACK
+    if (!key_log_file) {
+        char *key_log_file_name = getenv("SSLKEYLOGFILE");
+        if (key_log_file_name) {
+            FILE *file = fopen(key_log_file_name, "a");
+            if (file) {
+                if (setvbuf(file, NULL, _IONBF, 0)) {
+                    fclose(file);
+                } else {
+                    key_log_file = BIO_new_fp(file, BIO_CLOSE);
+                }
+            }
+        }
+    }
+#endif
+
     return (jint)APR_SUCCESS;
 }
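Review bot: The key log is created with fopen(3)'s default mode, so under a typical umask the file that holds the secrets for every TLS session of this process ends up world-readable, and its descriptor is inherited by any child process Tomcat spawns. I would create it owner-only and close-on-exec on POSIX builds (this file already uses `!(defined(WIN32) || defined(WIN64))` guards) and ignore an empty SSLKEYLOGFILE value; that needs `<fcntl.h>` and `<unistd.h>`, which I cannot see included here, and the mode only applies when the file is created, so a pre-existing file keeps whatever permissions it has. The feature also fails silently when fopen() or setvbuf() fails and engages silently when the variable is set; a one-line log in both cases would help operators notice either. SSL.initialize's body begins outside this hunk.
```c
#ifdef HAVE_KEYLOG_CALLBACK
    if (!key_log_file) {
        /* WARNING: whoever can read this file can decrypt every TLS session
         * of this process. Intended for debugging only; never set it on a
         * production server. */
        const char *key_log_file_name = getenv("SSLKEYLOGFILE");
        if (key_log_file_name && *key_log_file_name) {
            FILE *file = NULL;
#if !(defined(WIN32) || defined(WIN64))
            /* Owner-only, append, and not inherited by child processes. */
            int fd = open(key_log_file_name,
                          O_WRONLY | O_APPEND | O_CREAT | O_CLOEXEC, 0600);
            if (fd >= 0 && (file = fdopen(fd, "a")) == NULL) {
                close(fd);
            }
#else
            file = fopen(key_log_file_name, "a");
#endif
            /* … unchanged: setvbuf / BIO_new_fp … */
```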
 
diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c
index 1e82fa2..1d584f7 100644
--- a/native/src/sslcontext.c
+++ b/native/src/sslcontext.c
@@ -228,6 +228,10 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jlong pool,
         goto init_failed;
     }
 
+#ifdef HAVE_KEYLOG_CALLBACK
+    SSL_callback_add_keylog(ctx);
+#endif
+
     c->protocol = protocol;
     c->mode     = mode;
     c->ctx      = ctx;

