Export key logging in normal builds.

net/third_party/nss/ssl/ssl3con.c

 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /*
  * SSL3 Protocol
  *
  * ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  *
  * The contents of this file are subject to the Mozilla Public License Version
  * 1.1 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
@@ skipping 4814 matching lines @@
         goto loser;     /* err set by PORT_Alloc */
     }
 
     /* wrap pre-master secret in server's public key. */
     rv = PK11_PubWrapSymKey(CKM_RSA_PKCS, svrPubKey, pms, &enc_pms);
     if (rv != SECSuccess) {
         ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
         goto loser;
     }
 
-#if defined(TRACE)
-    if (ssl_trace >= 100 || ssl_keylog_iob) {
+    if (ssl_keylog_iob) {
         SECStatus extractRV = PK11_ExtractKeyValue(pms);
         if (extractRV == SECSuccess) {
             SECItem * keyData = PK11_GetKeyData(pms);
             if (keyData && keyData->data && keyData->len) {
+#ifdef TRACE
                 if (ssl_trace >= 100) {
                     ssl_PrintBuf(ss, "Pre-Master Secret",
                                  keyData->data, keyData->len);
                 }
+#endif
                 if (ssl_keylog_iob && enc_pms.len >= 8 && keyData->len == 48) {
                     /* https://developer.mozilla.org/en/NSS_Key_Log_Format */
 
                     /* There could be multiple, concurrent writers to the
                      * keylog, so we have to do everything in a single call to
                      * fwrite. */
                     char buf[4 + 8*2 + 1 + 48*2 + 1];
                     static const char hextable[16] = "0123456789abcdef";
                     unsigned int i;
 
@@ skipping 10 matching lines @@
                         buf[21 + i*2 + 1] = hextable[keyData->data[i] & 15];
                     }
                     buf[sizeof(buf) - 1] = '\n';
 
                     fwrite(buf, sizeof(buf), 1, ssl_keylog_iob);
                     fflush(ssl_keylog_iob);
                 }
             }
         }
     }
-#endif
 
     rv = ssl3_InitPendingCipherSpec(ss,  pms);
     PK11_FreeSymKey(pms); pms = NULL;
 
     if (rv != SECSuccess) {
         ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
         goto loser;
     }
 
     rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange, 
@@ skipping 4091 matching lines @@
     if (spki)
         SECITEM_FreeItem(spki, PR_TRUE);
     if (channelID)
         SECKEY_DestroyPrivateKey(channelID);
     if (channelIDPub)
         SECKEY_DestroyPublicKey(channelIDPub);
 
     return rv;
 }
 
+/* called from ssl3_SendFinished
+ *
+ * Caller must already hold the SpecReadLock. (wish we could assert that!).
+ * This function is simply a debugging aid and therefore does not return a
+ * SECStatus. */
+static void
+ssl3_RecordKeyLog(sslSocket *ss)
+{
+    sslSessionID *sid;
+    SECStatus rv;
+    SECItem *keyData;
+    char buf[14 /* "CLIENT_RANDOM " */ +
+             32*2 /* client_random */ +

[wtc, 2012/06/05 23:45:22]

Nit: 32 => SSL3_RANDOM_LENGTH

[agl, 2012/06/06 19:17:13]

Done.

+             1 /* " " */ +
+             48*2 /* master secret */ +
+             1 /* new line */];
+    static const char hextable[16] = "0123456789abcdef";
+    unsigned int i, j;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));

[wtc, 2012/06/05 23:45:22]

The XmitBufLock should be unnecessary for this function.

[agl, 2012/06/06 19:17:13]

Done.

+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+
+    sid = ss->sec.ci.sid;
+
+    if (!ssl_keylog_iob)
+        return;
+
+    rv = PK11_ExtractKeyValue(ss->ssl3.cwSpec->master_secret);

[wtc, 2012/06/05 23:45:22]

Should this function call ssl_GetSpecReadLock?

[agl, 2012/06/06 19:17:13]

Done.

+    if (rv != SECSuccess)
+        return;
+
+    /* keyData does not need to be freed. */
+    keyData = PK11_GetKeyData(ss->ssl3.cwSpec->master_secret);
+    if (!keyData || !keyData->data || keyData->len != 48)
+        return;
+
+    /* https://developer.mozilla.org/en/NSS_Key_Log_Format */
+
+    /* There could be multiple, concurrent writers to the
+     * keylog, so we have to do everything in a single call to
+     * fwrite. */
+
+    memcpy(buf, "CLIENT_RANDOM ", 14);

[wtc, 2012/06/05 23:45:22]

I guess the CLIENT_RANDOM is just for identification purposes
because the master secret alone should be enough to decrypt
the traffic, right?

Should we log both CLIENT_RANDOM and SERVER_RANDOM?

[agl, 2012/06/06 19:17:13]

Yes, having the CLIENT_RANDOM simply allows Wireshark to avoid trial decryptions
of each possible key.
I think either is sufficient for identification, no? And we'll have the
CLIENT_RANDOM first which might be helpful for tools in the future.

+    j = 14;
+    for (i = 0; i < SSL3_RANDOM_LENGTH; i++) {
+        buf[j + 2*i]     = hextable[ss->ssl3.hs.client_random.rand[i] >> 4];
+        buf[j + 2*i + 1] = hextable[ss->ssl3.hs.client_random.rand[i] & 15];
+    }
+    j += SSL3_RANDOM_LENGTH*2;
+    buf[j++] = ' ';
+
+    for (i = 0; i < 48; i++) {
+        buf[j + 2*i]     = hextable[keyData->data[i] >> 4];
+        buf[j + 2*i + 1] = hextable[keyData->data[i] & 15];
+    }
+    j += 48*2;
+    buf[j++] = '\n';
+
+    PORT_Assert(j == sizeof(buf));
+
+    if (fwrite(buf, sizeof(buf), 1, ssl_keylog_iob) != 1 ||
+        fflush(ssl_keylog_iob) != 0) {
+      return;
+    }
+
+    return;

[wtc, 2012/06/05 23:45:22]

Nit: write the last few lines like this:

    if (fwrite(buf, sizeof(buf), 1, ssl_keylog_iob) != 1)
        return;
    fflush(ssl_keylog_iob);

[agl, 2012/06/06 19:17:13]

Done.

+}
+
 /* called from ssl3_HandleServerHelloDone
  *             ssl3_HandleClientHello
  *             ssl3_HandleFinished
  */
 static SECStatus
 ssl3_SendFinished(sslSocket *ss, PRInt32 flags)
 {
     ssl3CipherSpec *cwSpec;
     PRBool          isTLS;
     PRBool          isServer = ss->sec.isServer;
@@ skipping 41 matching lines @@
         if (rv != SECSuccess) 
             goto fail;          /* err set by AppendHandshake. */
         rv = ssl3_AppendHandshake(ss, &hashes, sizeof hashes);
         if (rv != SECSuccess) 
             goto fail;          /* err set by AppendHandshake. */
     }
     rv = ssl3_FlushHandshake(ss, flags);
     if (rv != SECSuccess) {
         goto fail;      /* error code set by ssl3_FlushHandshake */
     }
+
+    ssl3_RecordKeyLog(ss);
+
     return SECSuccess;
 
 fail:
     return rv;
 }
 
 /* wrap the master secret, and put it into the SID.
  * Caller holds the Spec read lock.
  */
 SECStatus
@@ skipping 1501 matching lines @@
             PORT_Free(ss->ssl3.hs.recvdFragments.buf);
         }
     }
 
     ss->ssl3.initialized = PR_FALSE;
 
     SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
 }
 
 /* End of ssl3con.c */