*
***************************************************************************/
#include "curl_setup.h"
+#include "vtls/keylog.h"
#if defined(USE_OPENSSL) || defined(USE_GNUTLS) || defined(USE_WOLFSSL) || \
defined(USE_RUSTLS)
-#include "vtls/keylog.h"
#include "escape.h"
#include "curlx/fopen.h"
/* The fp for the open SSLKEYLOGFILE, or NULL if not open */
static FILE *keylog_file_fp;
+/* Used for verbose logging */
+static char *keylog_file_name;
void Curl_tls_keylog_open(void)
{
if(!keylog_file_fp) {
- char *keylog_file_name = curl_getenv("SSLKEYLOGFILE");
+ keylog_file_name = curl_getenv("SSLKEYLOGFILE");
if(keylog_file_name) {
keylog_file_fp = curlx_fopen(keylog_file_name, FOPEN_APPENDTEXT);
if(keylog_file_fp) {
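Review bot: `keylog_file_name` now outlives the call, but nothing releases it on the failure paths of Curl_tls_keylog_open. If `curlx_fopen` fails, or the later branch that resets `keylog_file_fp = NULL` runs, the name stays set while key logging is disabled, and a repeated call overwrites it at `keylog_file_name = curl_getenv("SSLKEYLOGFILE");` without freeing the previous string. Whether a second call can happen before Curl_tls_keylog_close is not visible here, so the leak is conditional; the stale name is not. I would add `curlx_safefree(keylog_file_name);` directly before the assignment and again wherever the open is abandoned, so the pointer is non-NULL only while the file is open. The function body continues past this hunk, and the same point covers the next hunk, which removes the old `curlx_safefree` call.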
keylog_file_fp = NULL;
}
}
- curlx_safefree(keylog_file_name);
}
}
}
curlx_fclose(keylog_file_fp);
keylog_file_fp = NULL;
}
+ curlx_safefree(keylog_file_name);
}
bool Curl_tls_keylog_enabled(void)
return keylog_file_fp != NULL;
}
+const char *Curl_tls_keylog_file_name(void)
+{
+ return keylog_file_name;
+}
+
bool Curl_tls_keylog_write_line(const char *line)
{
/* The current maximum valid keylog line length LF and NUL is 195. */
return TRUE;
}
-#endif /* TLS backend */
+#else /* TLS backend */
+
+bool Curl_tls_keylog_enabled(void)
+{
+ return FALSE;
+}
+
+const char *Curl_tls_keylog_file_name(void)
+{
+ return NULL;
+}
+
+#endif /* TLS backend */
*/
bool Curl_tls_keylog_enabled(void);
+/*
+ * Returns a pointer to the filename keys are being written to, if enabled.
+ */
+const char *Curl_tls_keylog_file_name(void);
+
/*
* Appends a key log file entry.
* Returns true iff the key log file is open and a valid entry was provided.
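Review bot: The new comment on Curl_tls_keylog_file_name does not say who owns the returned string or how long it remains valid. In keylog.c the pointer refers to a file-scope string that Curl_tls_keylog_close frees, so a caller must neither free it nor hold it across that call, and the build without a TLS backend always returns NULL. I would extend the comment with `The string is owned by keylog.c and stays valid until Curl_tls_keylog_close(); callers must not free it. Returns NULL when no key log file name is available.`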
#include "vtls/vtls.h" /* generic SSL protos etc */
#include "vtls/vtls_int.h"
#include "vtls/vtls_scache.h"
+#include "vtls/keylog.h"
#include "vtls/openssl.h" /* OpenSSL versions */
#include "vtls/gtls.h" /* GnuTLS versions */
if(connssl->state == ssl_connection_complete) {
connssl->handshake_done = *Curl_pgrs_now(data);
}
+ if(Curl_tls_keylog_enabled()) {
+ infof(data, "SSLKEYLOGFILE set, all TLS secrets are logged to '%s'",
+ Curl_tls_keylog_file_name());
+#ifdef LIBRESSL_VERSION_NUMBER
+ infof(data, "Note LibreSSL only supports SSLKEYLOGFILE for TLS <= 1.2");
+#endif
+ }
/* Connection can be deferred when sending early data */
DEBUGASSERT(connssl->state == ssl_connection_complete ||
connssl->state == ssl_connection_deferred);
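Review bot: The LibreSSL note is selected with `#ifdef LIBRESSL_VERSION_NUMBER`, a compile-time test placed in backend-independent code. In a build that carries more than one TLS backend it would presumably be printed even for a connection that is not using LibreSSL. If that configuration is possible, the note belongs in the OpenSSL backend or behind a run-time check of the backend in use. Otherwise I would record the assumption above the `#ifdef`, for example `/* compile-time check only: assumes the LibreSSL backend is the one in use */`. The enclosing function starts and ends outside this hunk, so I could not confirm which backend information is available at this point.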