
tls: added option to filter key logging

Daniel-Constantin Mierla 1 månad sedan
förälder
incheckning
254d5bd652
3 ändrade filer med 37 tillägg och 0 borttagningar
  1. 5 0
      src/modules/tls/tls_domain.c
  2. 30 0
      src/modules/tls/tls_util.c
  3. 2 0
      src/modules/tls/tls_util.h

+ 5 - 0
src/modules/tls/tls_domain.c

@@ -1094,6 +1094,11 @@ static void ksr_tls_keylog_callback(const SSL *ssl, const char *line)
 	if(!(ksr_tls_keylog_mode & KSR_TLS_KEYLOG_MODE_ACTIVE)) {
 		return;
 	}
+	if(ksr_tls_keylog_mode & KSR_TLS_KEYLOG_MODE_VFILTER) {
+		if(ksr_tls_keylog_vfilter_match(line) == 0) {
+			return;
+		}
+	}
 	if(ksr_tls_keylog_mode & KSR_TLS_KEYLOG_MODE_MLOG) {
 		LM_NOTICE("tlskeylog: %s\n", line);
 	}

+ 30 - 0
src/modules/tls/tls_util.c

@@ -152,6 +152,36 @@ int ksr_tls_keylog_file_init(void)
 	return 0;
 }
 
+/**
+ *
+ */
+/* clang-format off */
+static const char *ksr_tls_keylog_vfilters[] = {
+	"CLIENT_RANDOM ",
+	"CLIENT_HANDSHAKE_TRAFFIC_SECRET ",
+	"SERVER_HANDSHAKE_TRAFFIC_SECRET ",
+	"EXPORTER_SECRET ",
+	"CLIENT_TRAFFIC_SECRET_0 ",
+	"SERVER_TRAFFIC_SECRET_0 ",
+	NULL
+};
+/* clang-format on */
+
+/**
+ *
+ */
+int ksr_tls_keylog_vfilter_match(const char *line)
+{
+	int i;
+
+	for(i = 0; ksr_tls_keylog_vfilters[i] != NULL; i++) {
+		if(strcasecmp(ksr_tls_keylog_vfilters[i], line) == 0) {
+			return 1;
+		}
+	}
+	return 0;
+}
+
 /**
  *
  */
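Review bot: The comparison at `strcasecmp(ksr_tls_keylog_vfilters[i], line)` matches the whole line, but every entry in ksr_tls_keylog_vfilters is a label followed by a trailing space, so a real key log line ("LABEL <client_random> <secret>") can never compare equal and, with KSR_TLS_KEYLOG_MODE_VFILTER set, the callback in tls_domain.c drops every line. Assuming the trailing spaces mean the list is a label-prefix allowlist, the check should be `if(strncasecmp(ksr_tls_keylog_vfilters[i], line, strlen(ksr_tls_keylog_vfilters[i])) == 0) {`; strcasecmp/strncasecmp come from `<strings.h>`, which I cannot confirm is included from this hunk. The two `/** */` blocks are empty: the table could read `/** Key log labels (with separator) that pass the VFILTER mode; any other line is not logged */` and the function `/** Return 1 if the key log line starts with an allowed label, 0 otherwise */`. Since this filter decides which TLS secrets leave the process, the exact match semantics (prefix, case-insensitive) are worth stating in the header comment as well.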

+ 2 - 0
src/modules/tls/tls_util.h

@@ -37,6 +37,7 @@
 #define KSR_TLS_KEYLOG_MODE_MLOG (1 << 2)
 #define KSR_TLS_KEYLOG_MODE_FILE (1 << 3)
 #define KSR_TLS_KEYLOG_MODE_PEER (1 << 4)
+#define KSR_TLS_KEYLOG_MODE_VFILTER (1 << 10)
 
 static inline int tls_err_ret(
 		char *s, SSL *ssl, tls_domains_cfg_t **tls_domains_cfg)
@@ -94,5 +95,6 @@ int ksr_tls_keylog_file_init(void);
 int ksr_tls_keylog_file_write(const SSL *ssl, const char *line);
 int ksr_tls_keylog_peer_init(void);
 int ksr_tls_keylog_peer_send(const SSL *ssl, const char *line);
+int ksr_tls_keylog_vfilter_match(const char *line);
 
 #endif /* _TLS_UTIL_H */
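Review bot: `#define KSR_TLS_KEYLOG_MODE_VFILTER (1 << 10)` jumps from the consecutive output bits 2–4 to bit 10 with no comment explaining the gap, so the next person adding a mode has to guess whether bits 5–9 are reserved. A one-line comment such as `/* bits 0-9: key log outputs; bit 10 and up: filters applied before any output */` above the new define would make the intended split explicit, if that is the intent. The new prototype `int ksr_tls_keylog_vfilter_match(const char *line);` also lacks the brief contract the header's other declarations would benefit from, e.g. `/* 1 if line carries an allowed key log label, 0 otherwise */`.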