
tls: added support for tls keys log

- they can be printed to syslog (NOTICE level) or file
Daniel-Constantin Mierla 1 月之前
父节点
当前提交
79f6439f16
共有 4 个文件被更改,包括 83 次插入0 次删除
  1. 11 0
      src/modules/tls/tls_domain.c
  2. 9 0
      src/modules/tls/tls_mod.c
  3. 56 0
      src/modules/tls/tls_util.c
  4. 7 0
      src/modules/tls/tls_util.h

+ 11 - 0
src/modules/tls/tls_domain.c

@@ -66,6 +66,7 @@ extern EVP_PKEY *tls_engine_private_key(const char *key_id);
 #include "tls_verify.h"
 
 extern int ksr_tls_key_password_mode;
+extern int ksr_tls_keylog_mode;
 
 /*
  * ECDHE is enabled only on OpenSSL 1.0.0e and later.
@@ -1088,6 +1089,13 @@ static int tls_server_name_cb(SSL *ssl, int *ad, void *private)
 }
 #endif
 
+static void ksr_tls_keylog_callback(const SSL *ssl, const char *line)
+{
+	if(ksr_tls_keylog_mode & KSR_TLS_KEYLOG_MODE_MLOG) {
+		LM_NOTICE("tlskeylog: %s\n", line);
+	}
+	ksr_tls_keylog_file_write(ssl, line);
+}
 
 /**
  * @brief Initialize all domain attributes from default domains if necessary
@@ -1153,6 +1161,9 @@ static int ksr_tls_fix_domain(tls_domain_t *d, tls_domain_t *def)
 					ERR_reason_error_string(e));
 			return -1;
 		}
+		if(ksr_tls_keylog_mode & KSR_TLS_KEYLOG_MODE_ACTIVE) {
+			SSL_CTX_set_keylog_callback(d->ctx[i], ksr_tls_keylog_callback);
+		}
 		if(d->method > TLS_USE_TLSvRANGE) {
 			if(sr_tls_methods[d->method - 1].TLSMethodMin) {
 				SSL_CTX_set_min_proto_version(
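Review bot: ksr_tls_keylog_callback (lines 35-41) forwards every keylog line to LM_NOTICE when the MLOG bit is set, and those lines are the TLS session secrets OpenSSL exports in SSLKEYLOGFILE format, so whoever can read syslog can decrypt recorded traffic for those sessions; a comment at the callback, e.g. `/* keylog lines carry TLS session secrets; enable only for debugging, on a trusted host */`, would make that explicit to the next maintainer. SSL_CTX_set_keylog_callback exists only from OpenSSL 1.1.1 on, and this file already uses preprocessor version guards (the `#endif` just above the callback), so if older OpenSSL or LibreSSL is still a build target both the callback definition and the call at line 50 need an OPENSSL_VERSION_NUMBER guard. The return value of ksr_tls_keylog_file_write is discarded in the callback; since that function logs its own failure this is acceptable, but `(void)ksr_tls_keylog_file_write(ssl, line);` would document the intent. ksr_tls_fix_domain starts and ends outside the hunk.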

+ 9 - 0
src/modules/tls/tls_mod.c

@@ -246,6 +246,8 @@ gen_lock_t *tls_domains_cfg_lock = NULL;
 int sr_tls_renegotiation = 0;
 int ksr_tls_init_mode = 0;
 int ksr_tls_key_password_mode = 0;
+int ksr_tls_keylog_mode = 0;
+str ksr_tls_keylog_file = STR_NULL;
 
 /* clang-format off */
 /*
@@ -317,6 +319,8 @@ static param_export_t params[] = {
 			(void *)ksr_rand_engine_param},
 	{"init_mode", PARAM_INT, &ksr_tls_init_mode},
 	{"key_password_mode", PARAM_INT, &ksr_tls_key_password_mode},
+	{"keylog_mode", PARAM_INT, &ksr_tls_keylog_mode},
+	{"keylog_file", PARAM_STR, &ksr_tls_keylog_file},
 
 	{0, 0, 0}
 };
@@ -558,6 +562,11 @@ static int mod_init(void)
 		LM_WARN("set maximum pthreads key to %d\n", tls_pthreads_key_mark);
 	}
 #endif
+
+	if(ksr_tls_keylog_file_init() < 0) {
+		LM_ERR("failed to init keylog file\n");
+		goto error;
+	}
 	return 0;
 error:
 	tls_h_mod_destroy_f();
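Review bot: The error at line 83 collapses three distinct failures of ksr_tls_keylog_file_init() (keylog_file not set while the FILE bit is on, lock_alloc failure, lock_init failure) into one message, so a misconfigured keylog_file is hard to tell from an allocation problem at startup; capturing the code, `int ret = ksr_tls_keylog_file_init();` / `if(ret < 0) {` / `LM_ERR("failed to init keylog file (%d)\n", ret);`, or a dedicated message for the unset-parameter case, would fix that. The lock allocated by that init call has no visible release in this commit; unless the module destroy function already handles it (not shown here), a ksr_tls_keylog_file_destroy() called from mod_destroy would avoid leaking the shared-memory lock on shutdown. The new parameters keylog_mode and keylog_file (lines 72-73) are not described in the commit; the parameter documentation should state the bit values and warn that the output contains session secrets. mod_init starts outside the hunk.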

+ 56 - 0
src/modules/tls/tls_util.c

@@ -28,6 +28,7 @@
 #define _GNU_SOURCE 1 /* Needed for strndup */
 
 #include <string.h>
+#include <stdio.h>
 #include <libgen.h>
 #include "../../core/mem/shm_mem.h"
 #include "../../core/globals.h"
@@ -36,6 +37,11 @@
 #include "tls_util.h"
 
 
+extern int ksr_tls_keylog_mode;
+extern str ksr_tls_keylog_file;
+
+static gen_lock_t *ksr_tls_keylog_file_lock = NULL;
+
 /*
  * Make a shared memory copy of ASCII zero terminated string
  * Return value: -1 on error
@@ -112,3 +118,53 @@ void tls_openssl_clear_errors(void)
 		INFO("clearing leftover error before SSL_* calls: %s\n", err);
 	}
 }
+
+/**
+ *
+ */
+int ksr_tls_keylog_file_init(void)
+{
+	if(!((ksr_tls_keylog_mode & KSR_TLS_KEYLOG_MODE_ACTIVE)
+			   && (ksr_tls_keylog_mode & KSR_TLS_KEYLOG_MODE_FILE))) {
+		return 0;
+	}
+	if(ksr_tls_keylog_file.s == NULL || ksr_tls_keylog_file.len <= 0) {
+		return -1;
+	}
+	if(ksr_tls_keylog_file_lock != NULL) {
+		return 0;
+	}
+	ksr_tls_keylog_file_lock = lock_alloc();
+	if(ksr_tls_keylog_file_lock == NULL) {
+		return -2;
+	}
+	if(lock_init(ksr_tls_keylog_file_lock) == NULL) {
+		return -3;
+	}
+	return 0;
+}
+
+/**
+ *
+ */
+int ksr_tls_keylog_file_write(const SSL *ssl, const char *line)
+{
+	FILE *lf = NULL;
+	int ret = 0;
+
+	if(ksr_tls_keylog_file_lock == NULL) {
+		return 0;
+	}
+
+	lock_get(ksr_tls_keylog_file_lock);
+	lf = fopen(ksr_tls_keylog_file.s, "a");
+	if(lf) {
+		fprintf(lf, "%s\n", line);
+		fclose(lf);
+	} else {
+		LM_ERR("failed to open keylog file: %s\n", ksr_tls_keylog_file.s);
+		ret = -1;
+	}
+	lock_release(ksr_tls_keylog_file_lock);
+	return ret;
+}
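Review bot: ksr_tls_keylog_file_write (lines 146-166) creates the keylog file through `fopen(..., "a")`, which applies the process umask, so under a common 022 umask the file holding TLS session secrets is created world-readable; creating it with open(O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR) and wrapping the descriptor with fdopen keeps it owner-only (this needs <fcntl.h>, <sys/stat.h> and <unistd.h> in the include block at lines 96-98, and does not tighten a pre-existing file, which a startup check in ksr_tls_keylog_file_init could cover). In ksr_tls_keylog_file_init the lock allocated at line 133 is not released when lock_init fails at line 137, so that path should `lock_dealloc(ksr_tls_keylog_file_lock); ksr_tls_keylog_file_lock = NULL;` before returning -3. Both new functions carry empty `/** */` blocks; they should state that init is a no-op unless both the ACTIVE and FILE bits of keylog_mode are set, returns -1 when keylog_file is unset and -2/-3 on lock allocation/initialization failure, and that write takes the lock, appends one line per call, returns -1 when the file cannot be opened, and currently ignores its ssl argument.
```c
int ksr_tls_keylog_file_write(const SSL *ssl, const char *line)
{
	FILE *lf = NULL;
	int fd = -1;
	int ret = 0;

	/* … unchanged: return 0 when the lock (file mode) is not initialized … */

	lock_get(ksr_tls_keylog_file_lock);
	/* owner-only permissions: the file holds TLS session secrets */
	fd = open(ksr_tls_keylog_file.s, O_WRONLY | O_CREAT | O_APPEND,
			S_IRUSR | S_IWUSR);
	if(fd >= 0) {
		lf = fdopen(fd, "a");
	}
	if(lf) {
		fprintf(lf, "%s\n", line);
		fclose(lf);
	} else {
		if(fd >= 0) {
			close(fd);
		}
		LM_ERR("failed to open keylog file: %s\n", ksr_tls_keylog_file.s);
		ret = -1;
	}
	lock_release(ksr_tls_keylog_file_lock);
	return ret;
}
```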

+ 7 - 0
src/modules/tls/tls_util.h

@@ -32,6 +32,10 @@
 #include "../../core/str.h"
 #include "tls_domain.h"
 
+#define KSR_TLS_KEYLOG_MODE_ACTIVE (1)
+#define KSR_TLS_KEYLOG_MODE_MLOG (1 << 1)
+#define KSR_TLS_KEYLOG_MODE_FILE (1 << 2)
+
 static inline int tls_err_ret(
 		char *s, SSL *ssl, tls_domains_cfg_t **tls_domains_cfg)
 {
@@ -84,4 +88,7 @@ void collect_garbage(void);
 
 void tls_openssl_clear_errors(void);
 
+int ksr_tls_keylog_file_init(void);
+int ksr_tls_keylog_file_write(const SSL *ssl, const char *line);
+
 #endif /* _TLS_UTIL_H */
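Review bot: The three KSR_TLS_KEYLOG_MODE_* bits (lines 175-177) are undocumented, and their interaction is not obvious from the names: ACTIVE alone registers the callback but emits nothing, MLOG and FILE only take effect together with ACTIVE (per the checks in tls_domain.c and tls_util.c in this commit). A comment above them such as `/* keylog_mode bits: ACTIVE registers the OpenSSL keylog callback; MLOG prints lines at NOTICE level; FILE appends them to keylog_file (both need ACTIVE) */` would spare readers that cross-file lookup. The prototypes at lines 186-187 would also benefit from a brief Doxygen block noting the return codes and that the ssl argument of ksr_tls_keylog_file_write is currently unused.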