Posted to dev@tomcat.apache.org by ma...@apache.org on 2019/06/21 09:08:35 UTC
[tomcat-native] 01/02: Add support for TLS key logging
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
commit e55f56a28753c6abe3a9198a53b4de0c9a0ffc9a
Author: John Kelly <jo...@gmail.com>
AuthorDate: Tue May 21 12:08:18 2019 +0100
Add support for TLS key logging
---
native/include/ssl_private.h | 7 +++++++
native/src/ssl.c | 44 ++++++++++++++++++++++++++++++++++++++++++++
native/src/sslcontext.c | 4 ++++
3 files changed, 55 insertions(+)
diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h
index d640e26..d88e393 100644
--- a/native/include/ssl_private.h
+++ b/native/include/ssl_private.h
@@ -241,6 +241,10 @@
#define TLS_server_method SSLv23_server_method
#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) */
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+#define HAVE_KEYLOG_CALLBACK
+#endif
+
#define MAX_ALPN_NPN_PROTO_SIZE 65535
#define SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL 1
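Review bot: The version test that defines HAVE_KEYLOG_CALLBACK does not exclude LibreSSL, although the guard just above it (`OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)`) does. LibreSSL reports OPENSSL_VERSION_NUMBER as 0x20000000L, so this build will select the keylog code path on LibreSSL, and unless the supported LibreSSL releases are known to provide SSL_CTX_set_keylog_callback the resulting prototype mismatch or link error surfaces in ssl.c rather than here. Following the existing pattern, `#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)` keeps the feature on the OpenSSL versions it was written for; a one-line comment stating that 1.1.1 introduced the callback would also help the next reader of this macro.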
@@ -387,6 +391,9 @@ int SSL_rand_seed(const char *file);
int SSL_callback_next_protos(SSL *, const unsigned char **, unsigned int *, void *);
int SSL_callback_select_next_proto(SSL *, unsigned char **, unsigned char *, const unsigned char *, unsigned int,void *);
int SSL_callback_alpn_select_proto(SSL *, const unsigned char **, unsigned char *, const unsigned char *, unsigned int, void *);
+#ifdef HAVE_KEYLOG_CALLBACK
+void SSL_callback_add_keylog(SSL_CTX *);
+#endif
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) && ! (defined(WIN32) || defined(WIN64))
unsigned long SSL_ERR_get(void);
diff --git a/native/src/ssl.c b/native/src/ssl.c
index e4a5f76..9dbdcd4 100644
--- a/native/src/ssl.c
+++ b/native/src/ssl.c
@@ -34,6 +34,18 @@ extern apr_pool_t *tcn_global_pool;
ENGINE *tcn_ssl_engine = NULL;
tcn_pass_cb_t tcn_password_callback;
+#ifdef HAVE_KEYLOG_CALLBACK
+static BIO *key_log_file = NULL;
+
+static void ssl_keylog_callback(const SSL *ssl, const char *line)
+{
+ if (key_log_file && line && *line) {
+ BIO_puts(key_log_file, line);
+ BIO_puts(key_log_file, "\n");
+ }
+}
+#endif
+
/* From netty-tcnative */
static jclass byteArrayClass;
static jclass stringClass;
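Review bot: ssl_keylog_callback emits each record with two separate BIO_puts calls (the line, then "\n"), and because the FILE behind key_log_file is switched to _IONBF elsewhere in this commit each call is its own write; the callback is invoked from whichever thread is handshaking, so records from concurrent handshakes can interleave mid-line and produce a key log that consumers such as Wireshark cannot parse. Writing the record in one call, `BIO_printf(key_log_file, "%s\n", line);`, formats the whole record before it reaches the BIO, so the line and its terminator are written together (the format string is fixed, so the secret text is never interpreted as a format). A short comment above the function stating that it is invoked by OpenSSL on arbitrary handshake threads and must stay re-entrant would document the constraint for future changes.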
@@ -286,6 +298,15 @@ static void free_dh_params(void)
}
}
+#ifdef HAVE_KEYLOG_CALLBACK
+void SSL_callback_add_keylog(SSL_CTX *ctx)
+{
+ if (key_log_file) {
+ SSL_CTX_set_keylog_callback(ctx, ssl_keylog_callback);
+ }
+}
+#endif
+
/* Hand out the same DH structure though once generated as we leak
* memory otherwise and freeing the structure up after use would be
* hard to track and in fact is not needed at all as it is safe to
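Review bot: SSL_callback_add_keylog is a non-static symbol declared in ssl_private.h but carries no comment, and its behaviour depends on state set in a different function. A header comment such as `/* Install the key log callback on ctx if SSL.initialize() opened the file named by SSLKEYLOGFILE; otherwise a no-op. */` makes the ordering requirement (initialize before SSLContext.make) explicit for callers.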
@@ -373,6 +394,13 @@ static apr_status_t ssl_init_cleanup(void *data)
ERR_remove_thread_state(NULL);
#endif
+#ifdef HAVE_KEYLOG_CALLBACK
+ if (key_log_file) {
+ BIO_free(key_log_file);
+ key_log_file = NULL;
+ }
+#endif
+
/* Don't call ERR_free_strings here; ERR_load_*_strings only
* actually load the error strings once per process due to static
* variable abuse in OpenSSL. */
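Review bot: The cleanup frees the BIO before clearing the pointer, so a callback running on another thread can pass the `if (key_log_file)` check in ssl_keylog_callback and then write to a BIO that has just been freed. Whether handshakes can still be in flight when ssl_init_cleanup runs is not visible here; if they can, swapping the order narrows the window: `BIO *b = key_log_file; key_log_file = NULL; BIO_free(b);`. A comment noting that contexts created earlier keep the callback installed and rely on this NULL check would make the assumption explicit. The enclosing ssl_init_cleanup starts outside the hunk.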
@@ -846,6 +874,22 @@ TCN_IMPLEMENT_CALL(jint, SSL, initialize)(TCN_STDARGS, jstring engine)
sClazz = (*e)->FindClass(e, "java/lang/String");
stringClass = (jclass) (*e)->NewGlobalRef(e, sClazz);
+#ifdef HAVE_KEYLOG_CALLBACK
+ if (!key_log_file) {
+ char *key_log_file_name = getenv("SSLKEYLOGFILE");
+ if (key_log_file_name) {
+ FILE *file = fopen(key_log_file_name, "a");
+ if (file) {
+ if (setvbuf(file, NULL, _IONBF, 0)) {
+ fclose(file);
+ } else {
+ key_log_file = BIO_new_fp(file, BIO_CLOSE);
+ }
+ }
+ }
+ }
+#endif
+
return (jint)APR_SUCCESS;
}
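Review bot: When BIO_new_fp() returns NULL the FILE opened two lines earlier is never closed, because BIO_CLOSE only takes effect once the BIO exists; `key_log_file = BIO_new_fp(file, BIO_CLOSE); if (!key_log_file) fclose(file);` closes the leak. Separately, fopen(..., "a") creates a missing file with the process umask, so the key log — which receives TLS session secrets — may end up world-readable; on POSIX platforms creating it via `open(path, O_WRONLY | O_APPEND | O_CREAT, 0600)` followed by `fdopen` would be safer, or at minimum a comment here should record that the file named by SSLKEYLOGFILE is expected to be pre-created by the operator with restrictive permissions. The enclosing initialize function starts outside the hunk.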
diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c
index 1e82fa2..1d584f7 100644
--- a/native/src/sslcontext.c
+++ b/native/src/sslcontext.c
@@ -228,6 +228,10 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jlong pool,
goto init_failed;
}
+#ifdef HAVE_KEYLOG_CALLBACK
+ SSL_callback_add_keylog(ctx);
+#endif
+
c->protocol = protocol;
c->mode = mode;
c->ctx = ctx;