From fb2a6baef79f4aadfd95e657fe5a18da20a1410e Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Fri, 27 May 2016 22:19:40 +0200
Subject: Append keys on keylogfile

Also consider the SSLKEYLOGFILE variable, since the format is identical and we are always appending keys.
---
 doc/cha-gtls-app.texi | 4 ++++
 lib/gnutls_global.c | 5 +++++
 lib/gnutls_global.h | 2 ++
 lib/gnutls_kx.c | 30 ++++++------------------------
 4 files changed, 17 insertions(+), 24 deletions(-)

diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index 276be647af..07bee69799 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -159,6 +159,10 @@ error. Other available environment variables are shown in @ref{tab:environment}.
 @item @code{GNUTLS_DEBUG_LEVEL}
 @tab When set to a numeric value, it sets the default debugging level for GnuTLS applications.
+@item @code{GNUTLS_KEYLOGFILE}, @code{SSLKEYLOGFILE}
+@tab When set to a filename, GnuTLS will append to it the session keys in the NSS Key Log
+format. That format can be read by wireshark and will allow decryption of the session for debugging.
+
 @item @code{GNUTLS_CPUID_OVERRIDE}
 @tab That environment variable can be used to explicitly enable/disable the use of certain CPU capabilities. Note that CPU
diff --git a/lib/gnutls_global.c b/lib/gnutls_global.c
index eafd29f460..5eb1e14df6 100644
--- a/lib/gnutls_global.c
+++ b/lib/gnutls_global.c
@@ -70,6 +70,7 @@ extern const ASN1_ARRAY_TYPE gnutls_asn1_tab[];
 extern const ASN1_ARRAY_TYPE pkix_asn1_tab[];
 void *_gnutls_file_mutex;
 void *_gnutls_pkcs11_mutex;
+const char *_gnutls_keylogfile = NULL;
 ASN1_TYPE _gnutls_pkix1_asn = ASN1_TYPE_EMPTY;
 ASN1_TYPE _gnutls_gnutls_asn = ASN1_TYPE_EMPTY;
@@ -240,6 +241,10 @@ int gnutls_global_init(void)
 _gnutls_switch_lib_state(LIB_STATE_INIT);
+ _gnutls_keylogfile = getenv("GNUTLS_KEYLOGFILE");
+ if (_gnutls_keylogfile == NULL)
+ _gnutls_keylogfile = getenv("SSLKEYLOGFILE");
+
 e = getenv("GNUTLS_DEBUG_LEVEL");
 if (e != NULL) {
 level = atoi(e);
diff --git a/lib/gnutls_global.h b/lib/gnutls_global.h
index e1a8f2e25c..e7b3613c93 100644
--- a/lib/gnutls_global.h
+++ b/lib/gnutls_global.h
@@ -38,6 +38,8 @@ extern ASN1_TYPE _gnutls_gnutls_asn;
 #define _gnutls_get_gnutls_asn() ((ASN1_TYPE) _gnutls_gnutls_asn)
 #define _gnutls_get_pkix() ((ASN1_TYPE) _gnutls_pkix1_asn)
+extern const char *_gnutls_keylogfile;
+
 extern gnutls_log_func _gnutls_log_func;
 extern gnutls_audit_log_func _gnutls_audit_log_func;
 extern int _gnutls_log_level;
diff --git a/lib/gnutls_kx.c b/lib/gnutls_kx.c
index fd963421cf..6fe4ef6d32 100644
--- a/lib/gnutls_kx.c
+++ b/lib/gnutls_kx.c
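Review bot: The key-log path is read with plain getenv() on the new `_gnutls_keylogfile = getenv("GNUTLS_KEYLOGFILE")` / `getenv("SSLKEYLOGFILE")` lines, so in a set-user-ID or set-group-ID process an unprivileged caller can point the privileged GnuTLS user at any writable path and have every session's master secret appended there. Unless that is guarded somewhere outside this hunk, read both variables through `secure_getenv()` where it exists (glibc, under `_GNU_SOURCE`) or skip them when `getuid() != geteuid() || getgid() != getegid()`, the way other environment-driven knobs in privileged libraries are treated. The pointer returned by getenv() is also kept for the lifetime of the library and dereferenced much later from write_nss_key_log(); POSIX allows a subsequent setenv()/putenv()/unsetenv() by the application to invalidate that storage, so copy the string at init (strdup or the library's allocator) and release it in gnutls_global_deinit(). gnutls_global_init() begins and ends outside this hunk.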
@@ -97,42 +97,24 @@ int _gnutls_generate_master(gnutls_session_t session, int keep_premaster)
 static void write_nss_key_log(gnutls_session_t session, const gnutls_datum_t *premaster)
 {
- const char *filename;
 char buf[512];
+ char buf2[512];
 FILE *fp;
- if (session->security_parameters.entity == GNUTLS_SERVER)
+ if (_gnutls_keylogfile == NULL)
 return;
- filename = getenv("GNUTLS_KEYLOGFILE");
-
- if (filename == NULL)
- return;
-
- fp = fopen(filename, "w");
+ fp = fopen(_gnutls_keylogfile, "a");
 if (fp == NULL)
 return;
- if (session->security_parameters.kx_algorithm == GNUTLS_KX_RSA) {
- fprintf(fp, "RSA %s ",
- _gnutls_bin2hex(premaster->data,
- premaster->size,
- buf, sizeof(buf),
- NULL));
- fprintf(fp, "%s\n",
- _gnutls_bin2hex(session->security_parameters.
- master_secret, GNUTLS_MASTER_SIZE,
- buf, sizeof(buf), NULL));
- }
-
- fprintf(fp, "CLIENT_RANDOM %s ",
+ fprintf(fp, "CLIENT_RANDOM %s %s\n",
 _gnutls_bin2hex(session->security_parameters.
 client_random, 32, buf,
- sizeof(buf), NULL));
- fprintf(fp, "%s\n",
+ sizeof(buf), NULL),
 _gnutls_bin2hex(session->security_parameters.
 master_secret, GNUTLS_MASTER_SIZE,
- buf, sizeof(buf), NULL));
+ buf2, sizeof(buf2), NULL));
 fclose(fp);
 }
-- 
cgit v1.2.1
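Review bot: `fp = fopen(_gnutls_keylogfile, "a")` creates the key log with the process's default mode (0666 masked by umask), so under the usual 022 umask the master secret of every session is written to a world-readable file, and an existing symlink at that path is silently followed. Because the GNUTLS_SERVER early return is removed in the same hunk, this now also runs in long-lived servers that happen to inherit SSLKEYLOGFILE, which makes the permission question more than a client-side debugging nicety. Open the file with explicit 0600 permissions and O_NOFOLLOW and only then wrap it in a FILE* as in the fence below; it needs `<fcntl.h>` and `<unistd.h>`, O_NOFOLLOW is POSIX.1-2008 rather than universal, and the Windows build would need its own variant. The return value of fclose() is discarded on the last line, so a short write of a CLIENT_RANDOM line goes unnoticed; that is tolerable for a best-effort debug aid but deserves a one-line comment saying so.
```c
	int fd;
	/* … unchanged: NULL check on _gnutls_keylogfile … */
	fd = open(_gnutls_keylogfile, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW,
		  S_IRUSR | S_IWUSR);
	if (fd < 0)
		return;
	fp = fdopen(fd, "a");
	if (fp == NULL) {
		close(fd);
		return;
	}
	/* … unchanged: CLIENT_RANDOM fprintf and fclose … */
```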