|
5 | 5 | #include <aws/io/tls_channel_handler.h> |
6 | 6 |
|
7 | 7 | #include <aws/common/clock.h> |
| 8 | +#include <aws/common/encoding.h> |
| 9 | +#include <aws/common/environment.h> |
8 | 10 | #include <aws/common/mutex.h> |
9 | 11 |
|
10 | 12 | #include <aws/io/channel.h> |
@@ -41,6 +43,8 @@ struct s2n_delayed_shutdown_task { |
41 | 43 | int error; |
42 | 44 | }; |
43 | 45 |
|
| 46 | +AWS_STATIC_STRING_FROM_LITERAL(s_tls_key_log_env_var, "AWS_CRT_EXPORT_TLS_KEYS"); |
| 47 | + |
44 | 48 | struct s2n_handler { |
45 | 49 | struct aws_channel_handler handler; |
46 | 50 | struct aws_tls_channel_handler_shared shared_state; |
@@ -98,6 +102,67 @@ struct aws_tls_key_operation { |
98 | 102 | struct aws_atomic_var complete_count; |
99 | 103 | }; |
100 | 104 |
|
| 105 | +static aws_thread_once s_tls_key_log_warning_once = AWS_THREAD_ONCE_STATIC_INIT; |
| 106 | + |
| 107 | +static void s_emit_tls_key_log_warning(void *user_data) { |
| 108 | + (void)user_data; |
| 109 | + printf( |
| 110 | + "\n\n==================================================="); |
| 111 | + printf( |
| 112 | + "TLS key logging enabled via AWS_CRT_EXPORT_TLS_KEYS. Secrets will be emitted in NSS key log format."); |
| 113 | + printf( |
| 114 | + "===================================================\n\n"); |
| 115 | +} |
| 116 | + |
| 117 | +static bool s_tls_ctx_should_log_keys(struct aws_allocator *allocator) { |
| 118 | + struct aws_string *env_value = NULL; |
| 119 | + bool enabled = false; |
| 120 | + |
| 121 | + if (aws_get_environment_value(allocator, s_tls_key_log_env_var, &env_value) == AWS_OP_SUCCESS) { |
| 122 | + if (env_value != NULL) { |
| 123 | + struct aws_byte_cursor value_cursor = aws_byte_cursor_from_string(env_value); |
| 124 | + if (value_cursor.len > 0 && |
| 125 | + !aws_byte_cursor_eq_c_str_ignore_case(&value_cursor, "0") && |
| 126 | + !aws_byte_cursor_eq_c_str_ignore_case(&value_cursor, "false") && |
| 127 | + !aws_byte_cursor_eq_c_str_ignore_case(&value_cursor, "off")) { |
| 128 | + enabled = true; |
| 129 | + } |
| 130 | + aws_string_destroy(env_value); |
| 131 | + } |
| 132 | + } |
| 133 | + |
| 134 | + return enabled; |
| 135 | +} |
| 136 | + |
| 137 | +static int s_s2n_key_log_callback(void *user_data, struct s2n_connection *conn, uint8_t *log_line, size_t len) { |
| 138 | + (void)conn; |
| 139 | + |
| 140 | + if (log_line == NULL || len == 0) { |
| 141 | + return S2N_SUCCESS; |
| 142 | + } |
| 143 | + |
| 144 | + struct s2n_ctx *s2n_ctx = user_data; |
| 145 | + if (s2n_ctx == NULL) { |
| 146 | + AWS_LOGF_WARN(AWS_LS_IO_TLS, "TLS key log: missing TLS context for emitted secret."); |
| 147 | + return S2N_SUCCESS; |
| 148 | + } |
| 149 | + |
| 150 | + struct aws_allocator *allocator = s2n_ctx->ctx.alloc; |
| 151 | + |
| 152 | + struct aws_byte_cursor cursor = aws_byte_cursor_from_array(log_line, len); |
| 153 | + struct aws_string *line_str = aws_string_new_from_cursor(allocator, &cursor); |
| 154 | + if (line_str == NULL) { |
| 155 | + AWS_LOGF_WARN(AWS_LS_IO_TLS, "TLS key log: failed to allocate buffer for emitted secret."); |
| 156 | + return S2N_SUCCESS; |
| 157 | + } |
| 158 | + |
| 159 | + AWS_LOGF_INFO(AWS_LS_IO_TLS, "TLS key log: %s", (const char *)line_str->bytes); |
| 160 | + fprintf(stderr, "%s\n", (const char *)line_str->bytes); |
| 161 | + aws_string_destroy(line_str); |
| 162 | + |
| 163 | + return S2N_SUCCESS; |
| 164 | +} |
| 165 | + |
101 | 166 | AWS_STATIC_STRING_FROM_LITERAL(s_debian_path, "/etc/ssl/certs"); |
102 | 167 | AWS_STATIC_STRING_FROM_LITERAL(s_rhel_path, "/etc/pki/tls/certs"); |
103 | 168 | AWS_STATIC_STRING_FROM_LITERAL(s_android_path, "/system/etc/security/cacerts"); |
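Review bot: s_s2n_key_log_callback (+159/+160) emits the secret twice, into the INFO log and to stderr, so the key material reaches every log sink configured at INFO level rather than one deliberately chosen destination; the AWS_LOGF_INFO line should say only that a key log line was emitted, and the secret itself should go to a single output. The NUL-terminated copy exists only to satisfy `%s`; `fprintf(stderr, "%.*s\n", (int)len, log_line);` avoids the allocation and its failure path, and if a copy is kept it should be released with `aws_string_destroy_secure` so the plaintext does not linger in freed heap memory. In s_emit_tls_key_log_warning the three printf calls have no newline between them, so the separator, the message and the closing separator print on one line; the first two literals need a trailing `\n`, and the project's logging macros (as the callback already uses) would be the consistent channel rather than stdout.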
@@ -1354,6 +1419,7 @@ static struct aws_tls_ctx *s_tls_ctx_new( |
1354 | 1419 | struct aws_allocator *alloc, |
1355 | 1420 | const struct aws_tls_ctx_options *options, |
1356 | 1421 | s2n_mode mode) { |
| 1422 | + s_log_and_raise_s2n_errno("ASDF"); |
1357 | 1423 | struct s2n_ctx *s2n_ctx = aws_mem_calloc(alloc, 1, sizeof(struct s2n_ctx)); |
1358 | 1424 |
|
1359 | 1425 | if (!s2n_ctx) { |
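Review bot: `s_log_and_raise_s2n_errno("ASDF");` at the top of s_tls_ctx_new (+1422) raises an AWS error on every context creation before any s2n call has run, so a caller inspecting aws_last_error after a successful s_tls_ctx_new sees a stale or meaningless error; this reads as leftover debugging and should be deleted. The same leftover-debug pattern appears in the next hunk (+1459–1462), where a printf to stdout padded with newlines reports a failed s2n_config_set_key_log_cb; that path should use AWS_LOGF_ERROR and, since the user explicitly asked for key logging, arguably fail the context creation with `goto cleanup_s2n_config;` instead of continuing silently without it. s_tls_ctx_new continues outside the hunk.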
@@ -1388,6 +1454,17 @@ static struct aws_tls_ctx *s_tls_ctx_new( |
1388 | 1454 | goto cleanup_s2n_config; |
1389 | 1455 | } |
1390 | 1456 |
|
| 1457 | + if (s_tls_ctx_should_log_keys(alloc)) { |
| 1458 | + if (s2n_config_set_key_log_cb(s2n_ctx->s2n_config, s_s2n_key_log_callback, s2n_ctx)) { |
| 1459 | + printf( |
| 1460 | + "\n\n\n\n\nctx: failed to enable TLS key logging: %s (%s)\n\n\n\n", |
| 1461 | + s2n_strerror(s2n_errno, "EN"), |
| 1462 | + s2n_strerror_debug(s2n_errno, "EN")); |
| 1463 | + } else { |
| 1464 | + aws_thread_call_once(&s_tls_key_log_warning_once, s_emit_tls_key_log_warning, NULL); |
| 1465 | + } |
| 1466 | + } |
| 1467 | + |
1391 | 1468 | const char *security_policy = NULL; |
1392 | 1469 | if (options->custom_key_op_handler != NULL) { |
1393 | 1470 | /* When custom_key_op_handler is set, don't use security policy that allow TLS 1.3. |
|