From cb7becb0671ae2ca435384b0133b484e495a2af2 Mon Sep 17 00:00:00 2001
From: Ali Mohammad Pur
Date: Wed, 9 Feb 2022 23:12:56 +0330
Subject: [PATCH] LibTLS+RequestServer: Add an option to dump TLS keys to a log file

This file allows us to decrypt TLS messages in wireshark, which can help immensely in debugging network stuff :^)

---
 AK/Debug.h.in | 4 ++++
 Meta/CMake/all_the_debug_macros.cmake | 1 +
 Userland/Libraries/LibTLS/HandshakeClient.cpp | 11 +++++++++++
 Userland/Services/RequestServer/main.cpp | 14 ++++++++++++--
 4 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/AK/Debug.h.in b/AK/Debug.h.in
index c1ccbef4173..bc57678f951 100644
--- a/AK/Debug.h.in
+++ b/AK/Debug.h.in
@@ -434,6 +434,10 @@
 #cmakedefine01 TLS_DEBUG
 #endif
+#ifndef TLS_SSL_KEYLOG_DEBUG
+#cmakedefine01 TLS_SSL_KEYLOG_DEBUG
+#endif
+
 #ifndef TOKENIZER_TRACE_DEBUG
 #cmakedefine01 TOKENIZER_TRACE_DEBUG
 #endif
diff --git a/Meta/CMake/all_the_debug_macros.cmake b/Meta/CMake/all_the_debug_macros.cmake
index 82f94223647..517b1c00b3e 100644
--- a/Meta/CMake/all_the_debug_macros.cmake
+++ b/Meta/CMake/all_the_debug_macros.cmake
@@ -182,6 +182,7 @@ set(TERMINAL_DEBUG ON)
 set(TEXTEDITOR_DEBUG ON)
 set(THREAD_DEBUG ON)
 set(TLS_DEBUG ON)
+set(TLS_SSL_KEYLOG_DEBUG ON)
 set(TOKENIZER_TRACE_DEBUG ON)
 set(TTY_DEBUG ON)
 set(UCI_DEBUG ON)
diff --git a/Userland/Libraries/LibTLS/HandshakeClient.cpp b/Userland/Libraries/LibTLS/HandshakeClient.cpp
index 85e4e8f618c..bed9ffbb9d6 100644
--- a/Userland/Libraries/LibTLS/HandshakeClient.cpp
+++ b/Userland/Libraries/LibTLS/HandshakeClient.cpp
@@ -5,6 +5,7 @@
 */
 #include
+#include
 #include
 #include
 #include
@@ -136,6 +137,16 @@ bool TLSv12::compute_master_secret_from_pre_master_secret(size_t length)
 dbgln("master key:");
 print_buffer(m_context.master_key);
 }
+
+ if constexpr (TLS_SSL_KEYLOG_DEBUG) {
+ auto file = MUST(Core::Stream::File::open("/home/anon/ssl_keylog", Core::Stream::OpenMode::Append | Core::Stream::OpenMode::Write));
+ VERIFY(file->write_or_error("CLIENT_RANDOM "sv.bytes()));
+ VERIFY(file->write_or_error(encode_hex({ m_context.local_random, 32 }).bytes()));
+ VERIFY(file->write_or_error(" "sv.bytes()));
+ VERIFY(file->write_or_error(encode_hex(m_context.master_key).bytes()));
+ VERIFY(file->write_or_error("\n"sv.bytes()));
+ }
+
 expand_key();
 return true;
 }
diff --git a/Userland/Services/RequestServer/main.cpp b/Userland/Services/RequestServer/main.cpp
index c9b1884b635..cc1f0dabff9 100644
--- a/Userland/Services/RequestServer/main.cpp
+++ b/Userland/Services/RequestServer/main.cpp
@@ -19,9 +19,17 @@ ErrorOr serenity_main(Main::Arguments)
 {
- TRY(Core::System::pledge("stdio inet accept unix rpath sendfd recvfd sigaction"));
+ if constexpr (TLS_SSL_KEYLOG_DEBUG)
+ TRY(Core::System::pledge("stdio inet accept unix cpath wpath rpath sendfd recvfd sigaction"));
+ else
+ TRY(Core::System::pledge("stdio inet accept unix rpath sendfd recvfd sigaction"));
+
 signal(SIGINFO, [](int) { RequestServer::ConnectionCache::dump_jobs(); });
- TRY(Core::System::pledge("stdio inet accept unix rpath sendfd recvfd"));
+
+ if constexpr (TLS_SSL_KEYLOG_DEBUG)
+ TRY(Core::System::pledge("stdio inet accept unix cpath wpath rpath sendfd recvfd"));
+ else
+ TRY(Core::System::pledge("stdio inet accept unix rpath sendfd recvfd"));
 // Ensure the certificates are read out here.
 [[maybe_unused]] auto& certs = DefaultRootCACertificates::the();
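Review bot: The keylog block added to compute_master_secret_from_pre_master_secret aborts the whole process through `MUST(...)` whenever `/home/anon/ssl_keylog` cannot be opened, and LibTLS is built once for every consumer while this patch widens only RequestServer's pledge and unveil; any other process that links LibTLS in a TLS_SSL_KEYLOG_DEBUG build would crash on its first handshake instead of merely losing the key log. A failed open should degrade to a dbgln and skip the writes, as in the excerpt below. The path is also hard-coded to one user's home directory rather than taken from a setting (the SSLKEYLOGFILE-style convention other TLS stacks follow), and because the file accumulates the master secret of every session it should be created owner-only — I cannot tell from the hunk which mode File::open uses, so that is worth confirming. The `{ m_context.local_random, 32 }` length is a fixed constant rather than the buffer's size; if local_random is always 32 bytes a one-line comment saying so would spare the next reader the check.
```cpp
    if constexpr (TLS_SSL_KEYLOG_DEBUG) {
        // Debug aid only: an unwritable keylog must never take the process down.
        auto file_or_error = Core::Stream::File::open("/home/anon/ssl_keylog", Core::Stream::OpenMode::Append | Core::Stream::OpenMode::Write);
        if (file_or_error.is_error()) {
            dbgln("TLS: could not open keylog file: {}", file_or_error.error());
        } else {
            auto file = file_or_error.release_value();
            // … unchanged: the five write_or_error calls …
        }
    }
```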
@@ -30,6 +38,8 @@ ErrorOr serenity_main(Main::Arguments)
 // FIXME: Establish a connection to LookupServer and then drop "unix"?
 TRY(Core::System::unveil("/tmp/portal/lookup", "rw"));
 TRY(Core::System::unveil("/etc/timezone", "r"));
+ if constexpr (TLS_SSL_KEYLOG_DEBUG)
+ TRY(Core::System::unveil("/home/anon", "rwc"));
 TRY(Core::System::unveil(nullptr, nullptr));
 [[maybe_unused]] auto gemini = make();
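Review bot: `unveil("/home/anon", "rwc")` exposes the entire home directory to a network-facing service for what is a single append-only log file; narrowing it to the file itself, `TRY(Core::System::unveil("/home/anon/ssl_keylog", "rwc"));`, keeps the debug build as close as possible to the production sandbox, and "r" looks unnecessary for a file that is only ever opened for append — confirm against what File::open actually requests. The same literal is hard-coded in the HandshakeClient hunk, so the two should share one definition rather than being kept in sync by hand. Together with the cpath/wpath pledges added earlier in the same function this is the full extent of the sandbox relaxation, which is worth stating in a comment next to the unveil so nobody widens it further later. serenity_main continues outside the hunk.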