authorNikos Mavrogiannopoulos <nmav@gnutls.org>2016-05-27 22:19:40 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2016-05-27 22:37:24 +0200
commitfb2a6baef79f4aadfd95e657fe5a18da20a1410e (patch)
tree9b69514fecee322fd4a147f68585bd9342e83f14
parent5cc8193ada2db3bc9cc28aad488517c7dacf4852 (diff)
Append keys on keylogfile
Also honour the SSLKEYLOGFILE variable, since the format is identical and keys are now always appended.
-rw-r--r--doc/cha-gtls-app.texi4
-rw-r--r--lib/gnutls_global.c5
-rw-r--r--lib/gnutls_global.h2
-rw-r--r--lib/gnutls_kx.c30
4 files changed, 17 insertions, 24 deletions
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index 276be647af..07bee69799 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -159,6 +159,10 @@ error. Other available environment variables are shown in @ref{tab:environment}.
@item @code{GNUTLS_DEBUG_LEVEL}
@tab When set to a numeric value, it sets the default debugging level for GnuTLS applications.
+@item @code{GNUTLS_KEYLOGFILE}, @code{SSLKEYLOGFILE}
+@tab When set to a filename, GnuTLS will append to it the session keys in the NSS Key Log
+format. That format can be read by wireshark and will allow decryption of the session for debugging.
+
@item @code{GNUTLS_CPUID_OVERRIDE}
@tab That environment variable can be used to
explicitly enable/disable the use of certain CPU capabilities. Note that CPU
diff --git a/lib/gnutls_global.c b/lib/gnutls_global.c
index eafd29f460..5eb1e14df6 100644
--- a/lib/gnutls_global.c
+++ b/lib/gnutls_global.c
@@ -70,6 +70,7 @@ extern const ASN1_ARRAY_TYPE gnutls_asn1_tab[];
extern const ASN1_ARRAY_TYPE pkix_asn1_tab[];
void *_gnutls_file_mutex;
void *_gnutls_pkcs11_mutex;
+const char *_gnutls_keylogfile = NULL;
ASN1_TYPE _gnutls_pkix1_asn = ASN1_TYPE_EMPTY;
ASN1_TYPE _gnutls_gnutls_asn = ASN1_TYPE_EMPTY;
@@ -240,6 +241,10 @@ int gnutls_global_init(void)
_gnutls_switch_lib_state(LIB_STATE_INIT);
+ _gnutls_keylogfile = getenv("GNUTLS_KEYLOGFILE");
+ if (_gnutls_keylogfile == NULL)
+ _gnutls_keylogfile = getenv("SSLKEYLOGFILE");
+
e = getenv("GNUTLS_DEBUG_LEVEL");
if (e != NULL) {
level = atoi(e);
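Review bot: The pointer stored by `_gnutls_keylogfile = getenv("GNUTLS_KEYLOGFILE");` is kept for the lifetime of the library, but the string getenv() returns may be overwritten or freed by a later getenv/setenv/putenv call from the application, so write_nss_key_log() can end up reading a stale or dangling path long after init. Copying the value at init time (and releasing the copy in the matching deinit path) would make the stored filename independent of later environment changes. Because this variable decides where session keys are written, it is also worth reading it via secure_getenv() where the platform provides it, so that a set-uid process does not honour an environment supplied by an unprivileged caller; the same applies to the SSLKEYLOGFILE lookup on the following lines. gnutls_global_init's body continues outside the hunk.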
diff --git a/lib/gnutls_global.h b/lib/gnutls_global.h
index e1a8f2e25c..e7b3613c93 100644
--- a/lib/gnutls_global.h
+++ b/lib/gnutls_global.h
@@ -38,6 +38,8 @@ extern ASN1_TYPE _gnutls_gnutls_asn;
#define _gnutls_get_gnutls_asn() ((ASN1_TYPE) _gnutls_gnutls_asn)
#define _gnutls_get_pkix() ((ASN1_TYPE) _gnutls_pkix1_asn)
+extern const char *_gnutls_keylogfile;
+
extern gnutls_log_func _gnutls_log_func;
extern gnutls_audit_log_func _gnutls_audit_log_func;
extern int _gnutls_log_level;
diff --git a/lib/gnutls_kx.c b/lib/gnutls_kx.c
index fd963421cf..6fe4ef6d32 100644
--- a/lib/gnutls_kx.c
+++ b/lib/gnutls_kx.c
@@ -97,42 +97,24 @@ int _gnutls_generate_master(gnutls_session_t session, int keep_premaster)
static void write_nss_key_log(gnutls_session_t session, const gnutls_datum_t *premaster)
{
- const char *filename;
char buf[512];
+ char buf2[512];
FILE *fp;
- if (session->security_parameters.entity == GNUTLS_SERVER)
+ if (_gnutls_keylogfile == NULL)
return;
- filename = getenv("GNUTLS_KEYLOGFILE");
-
- if (filename == NULL)
- return;
-
- fp = fopen(filename, "w");
+ fp = fopen(_gnutls_keylogfile, "a");
if (fp == NULL)
return;
- if (session->security_parameters.kx_algorithm == GNUTLS_KX_RSA) {
- fprintf(fp, "RSA %s ",
- _gnutls_bin2hex(premaster->data,
- premaster->size,
- buf, sizeof(buf),
- NULL));
- fprintf(fp, "%s\n",
- _gnutls_bin2hex(session->security_parameters.
- master_secret, GNUTLS_MASTER_SIZE,
- buf, sizeof(buf), NULL));
- }
-
- fprintf(fp, "CLIENT_RANDOM %s ",
+ fprintf(fp, "CLIENT_RANDOM %s %s\n",
_gnutls_bin2hex(session->security_parameters.
client_random, 32, buf,
- sizeof(buf), NULL));
- fprintf(fp, "%s\n",
+ sizeof(buf), NULL),
_gnutls_bin2hex(session->security_parameters.
master_secret, GNUTLS_MASTER_SIZE,
- buf, sizeof(buf), NULL));
+ buf2, sizeof(buf2), NULL));
fclose(fp);
}
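Review bot: The key log file is created by `fp = fopen(_gnutls_keylogfile, "a");` with the process's default umask, so a file that did not exist beforehand may be created readable by other users even though every line carries a master secret; where POSIX open() is available, creating it with owner-only permissions and wrapping the descriptor with fdopen() avoids that (fcntl.h and unistd.h would be needed). The hunk also drops the `entity == GNUTLS_SERVER` early return without the commit message saying so; if logging from both endpoints is intended, a short comment above the fopen stating that the client and server sides both append their CLIENT_RANDOM line would make the intent explicit for the next reader. Collapsing the two fprintf calls into one is a good change since each record now reaches the appended file as a single write.

```c
	int fd;
	/* … unchanged: buf/buf2 declarations and the NULL check on _gnutls_keylogfile … */
	fd = open(_gnutls_keylogfile, O_WRONLY | O_APPEND | O_CREAT, S_IRUSR | S_IWUSR);
	if (fd < 0)
		return;
	fp = fdopen(fd, "a");
	if (fp == NULL) {
		close(fd);
		return;
	}
	/* … unchanged: fprintf of the CLIENT_RANDOM record and fclose … */
```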