
Unified Diff: net/third_party/nss/patches/keylog.patch

Issue 10509009: Export key logging in normal builds. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: ... Created 8 years, 6 months ago
Index: net/third_party/nss/patches/keylog.patch
diff --git a/net/third_party/nss/patches/keylog.patch b/net/third_party/nss/patches/keylog.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7ad8e2de98e6f3baab0c3d806781b953cacec1e4
--- /dev/null
+++ b/net/third_party/nss/patches/keylog.patch
@@ -0,0 +1,149 @@
+diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
+index f714a98..886d45b 100644
+--- a/net/third_party/nss/ssl/ssl3con.c
++++ b/net/third_party/nss/ssl/ssl3con.c
+@@ -4832,16 +4832,17 @@ sendRSAClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
+ goto loser;
+ }
+
+-#if defined(TRACE)
+- if (ssl_trace >= 100 || ssl_keylog_iob) {
++ if (ssl_keylog_iob) {
+ SECStatus extractRV = PK11_ExtractKeyValue(pms);
+ if (extractRV == SECSuccess) {
+ SECItem * keyData = PK11_GetKeyData(pms);
+ if (keyData && keyData->data && keyData->len) {
++#ifdef TRACE
+ if (ssl_trace >= 100) {
+ ssl_PrintBuf(ss, "Pre-Master Secret",
+ keyData->data, keyData->len);
+ }
++#endif
+ if (ssl_keylog_iob && enc_pms.len >= 8 && keyData->len == 48) {
+ /* https://developer.mozilla.org/en/NSS_Key_Log_Format */
+
+@@ -4872,7 +4873,6 @@ sendRSAClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
+ }
+ }
+ }
+-#endif
+
+ rv = ssl3_InitPendingCipherSpec(ss, pms);
+ PK11_FreeSymKey(pms); pms = NULL;
+@@ -8984,6 +8984,74 @@ loser:
+ return rv;
+ }
+
++/* called from ssl3_SendFinished
++ *
++ * Caller must already hold the SpecReadLock. (wish we could assert that!).
++ * This function is simply a debugging aid and therefore does not return a
++ * SECStatus. */
++static void
++ssl3_RecordKeyLog(sslSocket *ss)
++{
++ sslSessionID *sid;
++ SECStatus rv;
++ SECItem *keyData;
++ char buf[14 /* "CLIENT_RANDOM " */ +
++ 32*2 /* client_random */ +
++ 1 /* " " */ +
++ 48*2 /* master secret */ +
++ 1 /* new line */];
++ static const char hextable[16] = "0123456789abcdef";
++ unsigned int i, j;
++
++ PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
++ PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
++
++ sid = ss->sec.ci.sid;
++
++ if (!ssl_keylog_iob)
++ return;
++
++ rv = PK11_ExtractKeyValue(ss->ssl3.cwSpec->master_secret);
++ if (rv != SECSuccess)
++ return;
++
++ /* keyData does not need to be freed. */
++ keyData = PK11_GetKeyData(ss->ssl3.cwSpec->master_secret);
++ if (!keyData || !keyData->data || keyData->len != 48)
++ return;
++
++ /* https://developer.mozilla.org/en/NSS_Key_Log_Format */
++
++ /* There could be multiple, concurrent writers to the
++ * keylog, so we have to do everything in a single call to
++ * fwrite. */
++
++ memcpy(buf, "CLIENT_RANDOM ", 14);
++ j = 14;
++ for (i = 0; i < SSL3_RANDOM_LENGTH; i++) {
++ buf[j + 2*i] = hextable[ss->ssl3.hs.client_random.rand[i] >> 4];
++ buf[j + 2*i + 1] = hextable[ss->ssl3.hs.client_random.rand[i] & 15];
++ }
++ j += SSL3_RANDOM_LENGTH*2;
++ buf[j++] = ' ';
++
++ for (i = 0; i < 48; i++) {
++ buf[j + 2*i] = hextable[keyData->data[i] >> 4];
++ buf[j + 2*i + 1] = hextable[keyData->data[i] & 15];
++ }
++ j += 48*2;
++ buf[j++] = '\n';
++
++ PORT_Assert(j == sizeof(buf));
++
++ if (fwrite(buf, sizeof(buf), 1, ssl_keylog_iob) != 1 ||
++ fflush(ssl_keylog_iob) != 0) {
++ return;
++ }
++
++ return;
++}
++
+ /* called from ssl3_HandleServerHelloDone
+ * ssl3_HandleClientHello
+ * ssl3_HandleFinished
+@@ -9045,6 +9113,9 @@ ssl3_SendFinished(sslSocket *ss, PRInt32 flags)
+ if (rv != SECSuccess) {
+ goto fail; /* error code set by ssl3_FlushHandshake */
+ }
++
++ ssl3_RecordKeyLog(ss);
++
+ return SECSuccess;
+
+ fail:
+diff --git a/net/third_party/nss/ssl/sslsock.c b/net/third_party/nss/ssl/sslsock.c
+index 9498828..146493f 100644
+--- a/net/third_party/nss/ssl/sslsock.c
++++ b/net/third_party/nss/ssl/sslsock.c
+@@ -2827,6 +2827,13 @@ ssl_SetDefaultsFromEnvironment(void)
+ ssl_trace = atoi(ev);
+ SSL_TRACE(("SSL: tracing set to %d", ssl_trace));
+ }
++#endif /* TRACE */
++ ev = getenv("SSLDEBUG");
++ if (ev && ev[0]) {
++ ssl_debug = atoi(ev);
++ SSL_TRACE(("SSL: debugging set to %d", ssl_debug));
++ }
++#endif /* DEBUG */
+ ev = getenv("SSLKEYLOGFILE");
+ if (ev && ev[0]) {
+ ssl_keylog_iob = fopen(ev, "a");
+@@ -2836,13 +2843,6 @@ ssl_SetDefaultsFromEnvironment(void)
+ }
+ SSL_TRACE(("SSL: logging pre-master secrets to %s", ev));
+ }
+-#endif /* TRACE */
+- ev = getenv("SSLDEBUG");
+- if (ev && ev[0]) {
+- ssl_debug = atoi(ev);
+- SSL_TRACE(("SSL: debugging set to %d", ssl_debug));
+- }
+-#endif /* DEBUG */
+ ev = getenv("SSLBYPASS");
+ if (ev && ev[0]) {
+ ssl_defaults.bypassPKCS11 = (ev[0] == '1');
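Review bot: The header comment on ssl3_RecordKeyLog says the caller must hold the SpecReadLock, but the two PORT_Assert calls that follow check ssl_HaveXmitBufLock and ssl_HaveSSL3HandshakeLock, so the comment and the asserts disagree; the comment should name the locks that are actually asserted, e.g. ` * Caller must already hold the XmitBufLock and the SSL3HandshakeLock.` The local `sid` is assigned from ss->sec.ci.sid and never read, and the `if (fwrite(...) ... ) { return; } return;` tail returns on both paths, so both can be dropped without changing behaviour (ssl3_RecordKeyLog is wholly inside the hunk). Because the change makes SSLKEYLOGFILE honored in non-TRACE builds, the `ssl_keylog_iob = fopen(ev, "a");` line in ssl_SetDefaultsFromEnvironment (whose body starts outside the hunk) now creates a file holding master secrets with the default umask-derived mode in release builds; it may be worth creating it owner-only (e.g. open with mode 0600 and fdopen) — I have not verified whether the surrounding code already restricts this.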
