From: Neil Horman Date: Tue, 8 Oct 2024 14:35:57 +0000 (-0400) Subject: Convert keylogging in response to comments X-Git-Tag: openssl-3.5.0-alpha1~991 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6f7273a9b0cb9891f72842bc88de561c83c4e7f8;p=thirdparty%2Fopenssl.git Convert keylogging in response to comments 1) Convert failures in keylog setup to trace messages for a warning-like mechanism 2) Convert sslkeylogfile_cb to be a flag used to determine making a direct call to the internal logging function Reviewed-by: Tim Hudson Reviewed-by: Saša Nedvědický Reviewed-by: Hugo Landau Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/25297) --- diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 2087331f586..ba4d6904687 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -4197,15 +4197,15 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq, if (keylogfile != NULL && strlen(keylogfile) != 0) { /* Make sure we have a global lock allocated */ if (!RUN_ONCE(&ssl_keylog_once, ssl_keylog_init)) { - /* log an error, but don't fail here */ - ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB); - goto err; + /* use a trace message as a warning */ + OSSL_TRACE(TLS, "Unable to initalize keylog data\n"); + goto out; } /* Grab out global lock */ if (!CRYPTO_THREAD_write_lock(keylog_lock)) { - ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB); - goto err; + OSSL_TRACE(TLS, "Unable to acquire keylog write lock\n"); + goto out; } else { /* * If the bio for the requested keylog file hasn't been @@ -4215,8 +4215,8 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq, if (keylog_bio == NULL) { keylog_bio = BIO_new_file(keylogfile, "a"); if (keylog_bio == NULL) { - ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB); - goto err; + OSSL_TRACE(TLS, "Unable to create keylog bio\n"); + goto out; } BIO_set_callback_ex(keylog_bio, check_keylog_bio_free); } else { @@ -4225,11 +4225,12 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq, } /* If we have a bio now, assign the callback handler */ if (keylog_bio != NULL) - ret->sslkeylog_callback = sslkeylogfile_cb; + ret->do_sslkeylog = 1; /* unlock, and we're done */ CRYPTO_THREAD_unlock(keylog_lock); } } +out: #endif return ret; err: @@ -4273,9 +4274,9 @@ void SSL_CTX_free(SSL_CTX *a) #ifndef OPENSSL_NO_SSLKEYLOG if (keylog_lock != NULL && CRYPTO_THREAD_write_lock(keylog_lock)) { - if (a->sslkeylog_callback != NULL) + if (a->do_sslkeylog == 1) BIO_free(keylog_bio); - a->sslkeylog_callback = NULL; + a->do_sslkeylog = 0; CRYPTO_THREAD_unlock(keylog_lock); } #endif @@ -6874,7 +6875,7 @@ static int nss_keylog_int(const char *prefix, SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(sc); #ifndef OPENSSL_NO_SSLKEYLOG - if (sctx->keylog_callback == NULL && sctx->sslkeylog_callback == NULL) + if (sctx->keylog_callback == NULL && sctx->do_sslkeylog == 0) return 1; #else if (sctx->keylog_callback == NULL) @@ -6907,8 +6908,8 @@ static int nss_keylog_int(const char *prefix, *cursor = '\0'; #ifndef OPENSSL_NO_SSLKEYLOG - if (sctx->sslkeylog_callback != NULL) - sctx->sslkeylog_callback(SSL_CONNECTION_GET_SSL(sc), (const char *)out); + if (sctx->do_sslkeylog == 1) + sslkeylogfile_cb(SSL_CONNECTION_GET_SSL(sc), (const char *)out); #endif if (sctx->keylog_callback != NULL) sctx->keylog_callback(SSL_CONNECTION_GET_SSL(sc), (const char *)out); diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 2d2e4674b05..06d78dd6359 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -1106,7 +1106,7 @@ struct ssl_ctx_st { * the one set via SSLKEYLOGFILE, so we just keep them separate */ # ifndef OPENSSL_NO_SSLKEYLOG - SSL_CTX_keylog_cb_func sslkeylog_callback; + uint32_t do_sslkeylog; # endif /*