
Side by Side Diff: net/third_party/nss/patches/keylog.patch

Issue 10509009: Export key logging in normal builds. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: add hexEncode helper function Created 8 years, 6 months ago
1 diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con .c
2 index 6780a84..eefb552 100644
3 --- a/net/third_party/nss/ssl/ssl3con.c
4 +++ b/net/third_party/nss/ssl/ssl3con.c
5 @@ -4793,6 +4793,18 @@ done:
6 return unwrappedWrappingKey;
7 }
8
9 +/* hexEncode hex encodes |length| bytes from |in| and writes it as |length*2|
10 + * bytes to |out|. */
11 +static hexEncode(char *out, const unsigned char *in, size_t length) {
12 + static const char hextable[] = "0123456789abcdef";
13 + size_t i;
14 +
15 + for (i = 0; i < length; i++) {
16 + *(out++) = hextable[in[i] >> 4];
17 + *(out++) = hextable[in[i] & 15];
18 + }
19 +}
20 +
21
22 /* Called from ssl3_SendClientKeyExchange(). */
23 /* Presently, this always uses PKCS11. There is no bypass for this. */
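Review bot: The definition `static hexEncode(char *out, const unsigned char *in, size_t length)` has no return type, so it falls back to implicit int, which C99 and later reject and which also leaves a non-void function with no return statement. The body only writes through `out`, so the signature should read `static void hexEncode(char *out, const unsigned char *in, size_t length)`. The leading comment already states the contract (exactly `length*2` bytes, no terminator), which is what both call sites in this patch rely on when they place the trailing space and newline themselves.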
24 @@ -4832,16 +4844,17 @@ sendRSAClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
25 goto loser;
26 }
27
28 -#if defined(TRACE)
29 - if (ssl_trace >= 100 || ssl_keylog_iob) {
30 + if (ssl_keylog_iob) {
31 SECStatus extractRV = PK11_ExtractKeyValue(pms);
32 if (extractRV == SECSuccess) {
33 SECItem * keyData = PK11_GetKeyData(pms);
34 if (keyData && keyData->data && keyData->len) {
35 +#ifdef TRACE
36 if (ssl_trace >= 100) {
37 ssl_PrintBuf(ss, "Pre-Master Secret",
38 keyData->data, keyData->len);
39 }
40 +#endif
41 if (ssl_keylog_iob && enc_pms.len >= 8 && keyData->len == 48) {
42 /* https://developer.mozilla.org/en/NSS_Key_Log_Format */
43
44 @@ -4849,21 +4862,11 @@ sendRSAClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
45 * keylog, so we have to do everything in a single call to
46 * fwrite. */
47 char buf[4 + 8*2 + 1 + 48*2 + 1];
48 - static const char hextable[16] = "0123456789abcdef";
49 - unsigned int i;
50
51 strcpy(buf, "RSA ");
52 -
53 - for (i = 0; i < 8; i++) {
54 - buf[4 + i*2] = hextable[enc_pms.data[i] >> 4];
55 - buf[4 + i*2 + 1] = hextable[enc_pms.data[i] & 15];
56 - }
57 + hexEncode(buf + 4, enc_pms.data, 8);
58 buf[20] = ' ';
59 -
60 - for (i = 0; i < 48; i++) {
61 - buf[21 + i*2] = hextable[keyData->data[i] >> 4];
62 - buf[21 + i*2 + 1] = hextable[keyData->data[i] & 15];
63 - }
64 + hexEncode(buf + 21, keyData->data, 48);
65 buf[sizeof(buf) - 1] = '\n';
66
67 fwrite(buf, sizeof(buf), 1, ssl_keylog_iob);
68 @@ -4872,7 +4875,6 @@ sendRSAClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
69 }
70 }
71 }
72 -#endif
73
74 rv = ssl3_InitPendingCipherSpec(ss, pms);
75 PK11_FreeSymKey(pms); pms = NULL;
76 @@ -9046,6 +9048,69 @@ ssl3_RestartHandshakeAfterChannelIDReq(sslSocket *ss,
77 return SECSuccess;
78 }
79
80 +/* called from ssl3_SendFinished
81 + *
82 + * Caller must already hold the SpecReadLock. (wish we could assert that!).
83 + * This function is simply a debugging aid and therefore does not return a
84 + * SECStatus. */
85 +static void
86 +ssl3_RecordKeyLog(sslSocket *ss)
87 +{
88 + sslSessionID *sid;
89 + SECStatus rv;
90 + SECItem *keyData;
91 + char buf[14 /* "CLIENT_RANDOM " */ +
92 + SSL3_RANDOM_LENGTH*2 /* client_random */ +
93 + 1 /* " " */ +
94 + 48*2 /* master secret */ +
95 + 1 /* new line */];
96 + unsigned int j;
97 +
98 + PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
99 +
100 + sid = ss->sec.ci.sid;
101 +
102 + if (!ssl_keylog_iob)
103 + return;
104 +
105 + rv = PK11_ExtractKeyValue(ss->ssl3.cwSpec->master_secret);
106 + if (rv != SECSuccess)
107 + return;
108 +
109 + ssl_GetSpecReadLock(ss);
110 +
111 + /* keyData does not need to be freed. */
112 + keyData = PK11_GetKeyData(ss->ssl3.cwSpec->master_secret);
113 + if (!keyData || !keyData->data || keyData->len != 48) {
114 + ssl_ReleaseSpecReadLock(ss);
115 + return;
116 + }
117 +
118 + /* https://developer.mozilla.org/en/NSS_Key_Log_Format */
119 +
120 + /* There could be multiple, concurrent writers to the
121 + * keylog, so we have to do everything in a single call to
122 + * fwrite. */
123 +
124 + memcpy(buf, "CLIENT_RANDOM ", 14);
125 + j = 14;
126 + hexEncode(buf + j, ss->ssl3.hs.client_random.rand, SSL3_RANDOM_LENGTH);
127 + j += SSL3_RANDOM_LENGTH*2;
128 + buf[j++] = ' ';
129 + hexEncode(buf + j, keyData->data, 48);
130 + j += 48*2;
131 + buf[j++] = '\n';
132 +
133 + PORT_Assert(j == sizeof(buf));
134 +
135 + ssl_ReleaseSpecReadLock(ss);
136 +
137 + if (fwrite(buf, sizeof(buf), 1, ssl_keylog_iob) != 1)
138 + return;
139 + fflush(ssl_keylog_iob);
140 + return;
141 +}
142 +
143 /* called from ssl3_HandleServerHelloDone
144 * ssl3_HandleClientHello
145 * ssl3_HandleFinished
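Review bot: The header comment on ssl3_RecordKeyLog says the caller must already hold the SpecReadLock, yet the body acquires it itself with `ssl_GetSpecReadLock(ss)` and releases it before the fwrite, so one of the two is wrong; the assertion on entry only checks the SSL3HandshakeLock. Either that sentence should go, or the Get/Release pair should, depending on whether the spec lock is recursive (not visible here). The first read of `ss->ssl3.cwSpec->master_secret` in the `PK11_ExtractKeyValue(...)` call also happens before the lock is taken, so moving that call below `ssl_GetSpecReadLock(ss)` would keep both accesses to cwSpec under the same lock. The trailing `return;` after `fflush(ssl_keylog_iob);` is redundant in a void function.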
146 @@ -9107,6 +9172,9 @@ ssl3_SendFinished(sslSocket *ss, PRInt32 flags)
147 if (rv != SECSuccess) {
148 goto fail; /* error code set by ssl3_FlushHandshake */
149 }
150 +
151 + ssl3_RecordKeyLog(ss);
152 +
153 return SECSuccess;
154
155 fail:
156 diff --git a/net/third_party/nss/ssl/sslsock.c b/net/third_party/nss/ssl/sslsock .c
157 index c61ab44..3bd11d2 100644
158 --- a/net/third_party/nss/ssl/sslsock.c
159 +++ b/net/third_party/nss/ssl/sslsock.c
160 @@ -2903,6 +2903,13 @@ ssl_SetDefaultsFromEnvironment(void)
161 ssl_trace = atoi(ev);
162 SSL_TRACE(("SSL: tracing set to %d", ssl_trace));
163 }
164 +#endif /* TRACE */
165 + ev = getenv("SSLDEBUG");
166 + if (ev && ev[0]) {
167 + ssl_debug = atoi(ev);
168 + SSL_TRACE(("SSL: debugging set to %d", ssl_debug));
169 + }
170 +#endif /* DEBUG */
171 ev = getenv("SSLKEYLOGFILE");
172 if (ev && ev[0]) {
173 ssl_keylog_iob = fopen(ev, "a");
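Review bot: With `#endif /* TRACE */` and `#endif /* DEBUG */` now closing before `getenv("SSLKEYLOGFILE")`, the key log is opened in normal builds by the pre-existing `fopen(ev, "a")`, so a file holding master secrets is created with whatever permissions the process umask allows and may be readable by other local accounts. Since this hunk is where the path becomes reachable in release builds, it is worth creating the file with an explicit owner-only mode (0600, using whichever open-with-mode primitive the tree's portability layer provides) and then wrapping the descriptor for the existing fwrite/fflush calls, or at least adding a comment at the fopen such as `/* keylog holds session secrets; operator is expected to restrict access to the file */`. The enclosing function ssl_SetDefaultsFromEnvironment continues outside the hunk.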
174 @@ -2912,13 +2919,6 @@ ssl_SetDefaultsFromEnvironment(void)
175 }
176 SSL_TRACE(("SSL: logging pre-master secrets to %s", ev));
177 }
178 -#endif /* TRACE */
179 - ev = getenv("SSLDEBUG");
180 - if (ev && ev[0]) {
181 - ssl_debug = atoi(ev);
182 - SSL_TRACE(("SSL: debugging set to %d", ssl_debug));
183 - }
184 -#endif /* DEBUG */
185 ev = getenv("SSLBYPASS");
186 if (ev && ev[0]) {
187 ssl_defaults.bypassPKCS11 = (ev[0] == '1');
