net/third_party/nss/ssl/ssl3con.c - Issue 10509009: Export key logging in normal builds.

Unified Diff: net/third_party/nss/ssl/ssl3con.c

Issue 10509009: Export key logging in normal builds. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: ... Created 8 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Index: net/third_party/nss/ssl/ssl3con.c

diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c

index f714a98cd142218c446cb1de4a87166a65724e2b..886d45b4a7056300528a3d09a4adb68ff13c04e5 100644

--- a/net/third_party/nss/ssl/ssl3con.c

+++ b/net/third_party/nss/ssl/ssl3con.c

@@ -4832,16 +4832,17 @@ sendRSAClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)

goto loser;

}

-#if defined(TRACE)

- if (ssl_trace >= 100 || ssl_keylog_iob) {

+ if (ssl_keylog_iob) {

SECStatus extractRV = PK11_ExtractKeyValue(pms);

if (extractRV == SECSuccess) {

SECItem * keyData = PK11_GetKeyData(pms);

if (keyData && keyData->data && keyData->len) {

+#ifdef TRACE

if (ssl_trace >= 100) {

ssl_PrintBuf(ss, "Pre-Master Secret",

keyData->data, keyData->len);

}

+#endif

if (ssl_keylog_iob && enc_pms.len >= 8 && keyData->len == 48) {

/* https://developer.mozilla.org/en/NSS_Key_Log_Format */

@@ -4872,7 +4873,6 @@ sendRSAClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)

}

-#endif

rv = ssl3_InitPendingCipherSpec(ss, pms);

PK11_FreeSymKey(pms); pms = NULL;

@@ -8984,6 +8984,74 @@ loser:

return rv;

}

+/* called from ssl3_SendFinished

+ *

+ * Caller must already hold the SpecReadLock. (wish we could assert that!).

+ * This function is simply a debugging aid and therefore does not return a

+ * SECStatus. */

+static void

+ssl3_RecordKeyLog(sslSocket *ss)

+ sslSessionID *sid;

+ SECStatus rv;

+ SECItem *keyData;

+ char buf[14 /* "CLIENT_RANDOM " */ +

+ 32*2 /* client_random */ +

wtc 2012/06/05 23:45:22 Nit: 32 => SSL3_RANDOM_LENGTH

agl 2012/06/06 19:17:13 Done.

+ 1 /* " " */ +

+ 48*2 /* master secret */ +

+ 1 /* new line */];

+ static const char hextable[16] = "0123456789abcdef";

+ unsigned int i, j;

+ PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));

wtc 2012/06/05 23:45:22 The XmitBufLock should be unnecessary for this fun

agl 2012/06/06 19:17:13 Done.

+ PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));

+ sid = ss->sec.ci.sid;

+ if (!ssl_keylog_iob)

+ return;

+ rv = PK11_ExtractKeyValue(ss->ssl3.cwSpec->master_secret);

wtc 2012/06/05 23:45:22 Should this function call ssl_GetSpecReadLock?

agl 2012/06/06 19:17:13 Done.

+ if (rv != SECSuccess)

+ return;

+ /* keyData does not need to be freed. */

+ keyData = PK11_GetKeyData(ss->ssl3.cwSpec->master_secret);

+ if (!keyData || !keyData->data || keyData->len != 48)

+ return;

+ /* https://developer.mozilla.org/en/NSS_Key_Log_Format */

+ /* There could be multiple, concurrent writers to the

+ * keylog, so we have to do everything in a single call to

+ * fwrite. */

+ memcpy(buf, "CLIENT_RANDOM ", 14);

wtc 2012/06/05 23:45:22 I guess the CLIENT_RANDOM is just for identificati

agl 2012/06/06 19:17:13 Yes, having the CLIENT_RANDOM simply allows Wiresh

+ j = 14;

+ for (i = 0; i < SSL3_RANDOM_LENGTH; i++) {

+ buf[j + 2*i] = hextable[ss->ssl3.hs.client_random.rand[i] >> 4];

+ buf[j + 2*i + 1] = hextable[ss->ssl3.hs.client_random.rand[i] & 15];

+ }

+ j += SSL3_RANDOM_LENGTH*2;

+ buf[j++] = ' ';

+ for (i = 0; i < 48; i++) {

+ buf[j + 2*i] = hextable[keyData->data[i] >> 4];

+ buf[j + 2*i + 1] = hextable[keyData->data[i] & 15];

+ }

+ j += 48*2;

+ buf[j++] = '\n';

+ PORT_Assert(j == sizeof(buf));

+ if (fwrite(buf, sizeof(buf), 1, ssl_keylog_iob) != 1 ||

+ fflush(ssl_keylog_iob) != 0) {

+ return;

+ }

+ return;

wtc 2012/06/05 23:45:22 Nit: write the last few lines like this: if (

agl 2012/06/06 19:17:13 Done.

/* called from ssl3_HandleServerHelloDone

* ssl3_HandleClientHello

* ssl3_HandleFinished

@@ -9045,6 +9113,9 @@ ssl3_SendFinished(sslSocket *ss, PRInt32 flags)

if (rv != SECSuccess) {

goto fail; /* error code set by ssl3_FlushHandshake */

}

+ ssl3_RecordKeyLog(ss);

return SECSuccess;

fail:

« no previous file with comments | « net/third_party/nss/patches/keylog.patch ('k') | net/third_party/nss/ssl/sslsock.c » ('j') | no next file with comments »