schierlm · February 28, 2021 18:04
diff --git a/README.md b/README.md
diff --git a/apache_ssl_key_log_file.diff b/apache_ssl_key_log_file.diff
 Index: modules/ssl/mod_ssl.c
 ===================================================================
 --- modules/ssl/mod_ssl.c	(revision 1849572)
 +++ modules/ssl/mod_ssl.c	(working copy)
 @@ -316,6 +316,9 @@
                 "OpenSSL configuration command")
 #endif
 
 +    SSL_CMD_SRV(KeyLogFile, TAKE1,
 +                "File to store SSL key log to")
 +
     /* Deprecated directives. */
     AP_INIT_RAW_ARGS("SSLLog", ap_set_deprecated, NULL, OR_ALL,
       "SSLLog directive is no longer supported - use ErrorLog."),
 Index: modules/ssl/ssl_engine_config.c
 ===================================================================
 --- modules/ssl/ssl_engine_config.c	(revision 1849572)
 +++ modules/ssl/ssl_engine_config.c	(working copy)
 @@ -322,6 +322,8 @@
     cfgMergeArray(ssl_ctx_param);
 #endif
 
 +    cfgMerge(key_log_file_name, NULL);
 +    
     cfgMergeBool(ssl_check_peer_cn);
     cfgMergeBool(ssl_check_peer_name);
     cfgMergeBool(ssl_check_peer_expire);
 @@ -2177,6 +2179,14 @@
 }
 #endif
 
 +const char *ssl_cmd_SSLKeyLogFile(cmd_parms *cmd, void *dcfg, const char *arg)
 +{
 +    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
 +    sc->server->key_log_file_name = arg;
 +
 +    return NULL;
 +}
 +
 #ifdef HAVE_SRP
 
 const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg,
 @@ -2605,6 +2615,8 @@
         }
 #endif
 
 +	DMP_STRING("SSLKeyLogFile", ctx->key_log_file_name);
 +
 #ifdef HAVE_TLS_SESSION_TICKETS
         if (ctx->ticket_key) {
             DMP_STRING("SSLSessionTicketKeyFile", ctx->ticket_key->file_path);
 Index: modules/ssl/ssl_engine_init.c
 ===================================================================
 --- modules/ssl/ssl_engine_init.c	(revision 1849572)
 +++ modules/ssl/ssl_engine_init.c	(working copy)
 @@ -1708,6 +1708,7 @@
 static void ssl_init_ctx_cleanup(modssl_ctx_t *mctx)
 {
     MODSSL_CFG_ITEM_FREE(SSL_CTX_free, mctx->ssl_ctx);
 +    MODSSL_CFG_ITEM_FREE(apr_file_close, mctx->key_log_file);
 
 #ifdef HAVE_SRP
     if (mctx->srp_vbase != NULL) {
 @@ -1769,6 +1770,15 @@
     return APR_SUCCESS;
 }
 
 +static void ssl_keylog_callback(const SSL *ssl, const char *line)
 +{
 +    conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
 +    server_rec *s = mySrvFromConn(c);
 +    SSLSrvConfigRec *sc = mySrvConfig(s);
 +    apr_file_write_full(sc->server->key_log_file, line, strlen(line), NULL);
 +    apr_file_write_full(sc->server->key_log_file, "\n", 1, NULL);
 +}
 +
 static apr_status_t ssl_init_server_ctx(server_rec *s,
                                         apr_pool_t *p,
                                         apr_pool_t *ptemp,
 @@ -1916,6 +1926,18 @@
     }
 #endif
 
 +    if(sc->server->key_log_file_name != NULL) {
 +        rv = apr_file_open(&sc->server->key_log_file, sc->server->key_log_file_name,
 +                           APR_FOPEN_WRITE|APR_FOPEN_CREATE|APR_FOPEN_APPEND
 +                           |APR_FOPEN_BINARY|APR_FOPEN_NOCLEANUP,
 +                           APR_FPROT_OS_DEFAULT, p);
 +
 +	if (rv != APR_SUCCESS)
 +	    return rv;
 +    
 +        SSL_CTX_set_keylog_callback(sc->server->ssl_ctx, ssl_keylog_callback);
 +    }
 +
     SSL_CTX_set_timeout(sc->server->ssl_ctx,
                         sc->session_cache_timeout == UNSET ?
                         SSL_SESSION_CACHE_TIMEOUT : sc->session_cache_timeout);
 Index: modules/ssl/ssl_private.h
 ===================================================================
 --- modules/ssl/ssl_private.h	(revision 1849572)
 +++ modules/ssl/ssl_private.h	(working copy)
 @@ -732,6 +732,10 @@
     apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */
 #endif
 
 +    const char *key_log_file_name;
 +    apr_file_t *key_log_file;
 +    
 +
     BOOL ssl_check_peer_cn;
     BOOL ssl_check_peer_name;
     BOOL ssl_check_peer_expire;
 @@ -870,6 +874,8 @@
 const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2);
 #endif
 
 +const char *ssl_cmd_SSLKeyLogFile(cmd_parms *cmd, void *dcfg, const char *arg);
 +
 #ifdef HAVE_SRP
 const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg);
	Index: modules/ssl/mod_ssl.c
	===================================================================
	--- modules/ssl/mod_ssl.c (revision 1849572)
	+++ modules/ssl/mod_ssl.c (working copy)
	@@ -316,6 +316,9 @@
	"OpenSSL configuration command")
	#endif

	+ SSL_CMD_SRV(KeyLogFile, TAKE1,
	+ "File to store SSL key log to")
	+
	/* Deprecated directives. */
	AP_INIT_RAW_ARGS("SSLLog", ap_set_deprecated, NULL, OR_ALL,
	"SSLLog directive is no longer supported - use ErrorLog."),
	Index: modules/ssl/ssl_engine_config.c
	===================================================================
	--- modules/ssl/ssl_engine_config.c (revision 1849572)
	+++ modules/ssl/ssl_engine_config.c (working copy)
	@@ -322,6 +322,8 @@
	cfgMergeArray(ssl_ctx_param);
	#endif

	+ cfgMerge(key_log_file_name, NULL);
	+
	cfgMergeBool(ssl_check_peer_cn);
	cfgMergeBool(ssl_check_peer_name);
	cfgMergeBool(ssl_check_peer_expire);
	@@ -2177,6 +2179,14 @@
	}
	#endif

	+const char ssl_cmd_SSLKeyLogFile(cmd_parms cmd, void dcfg, const char arg)
	+{
	+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
	+ sc->server->key_log_file_name = arg;
	+
	+ return NULL;
	+}
	+
	#ifdef HAVE_SRP

	const char ssl_cmd_SSLSRPVerifierFile(cmd_parms cmd, void *dcfg,
	@@ -2605,6 +2615,8 @@
	}
	#endif

	+ DMP_STRING("SSLKeyLogFile", ctx->key_log_file_name);
	+
	#ifdef HAVE_TLS_SESSION_TICKETS
	if (ctx->ticket_key) {
	DMP_STRING("SSLSessionTicketKeyFile", ctx->ticket_key->file_path);
	Index: modules/ssl/ssl_engine_init.c
	===================================================================
	--- modules/ssl/ssl_engine_init.c (revision 1849572)
	+++ modules/ssl/ssl_engine_init.c (working copy)
	@@ -1708,6 +1708,7 @@
	static void ssl_init_ctx_cleanup(modssl_ctx_t *mctx)
	{
	MODSSL_CFG_ITEM_FREE(SSL_CTX_free, mctx->ssl_ctx);
	+ MODSSL_CFG_ITEM_FREE(apr_file_close, mctx->key_log_file);

	#ifdef HAVE_SRP
	if (mctx->srp_vbase != NULL) {
	@@ -1769,6 +1770,15 @@
	return APR_SUCCESS;
	}

	+static void ssl_keylog_callback(const SSL ssl, const char line)
	+{
	+ conn_rec c = (conn_rec )SSL_get_app_data(ssl);
	+ server_rec *s = mySrvFromConn(c);
	+ SSLSrvConfigRec *sc = mySrvConfig(s);
	+ apr_file_write_full(sc->server->key_log_file, line, strlen(line), NULL);
	+ apr_file_write_full(sc->server->key_log_file, "\n", 1, NULL);
	+}
	+
	static apr_status_t ssl_init_server_ctx(server_rec *s,
	apr_pool_t *p,
	apr_pool_t *ptemp,
	@@ -1916,6 +1926,18 @@
	}
	#endif

	+ if(sc->server->key_log_file_name != NULL) {
	+ rv = apr_file_open(&sc->server->key_log_file, sc->server->key_log_file_name,
	+ APR_FOPEN_WRITE\|APR_FOPEN_CREATE\|APR_FOPEN_APPEND
	+ \|APR_FOPEN_BINARY\|APR_FOPEN_NOCLEANUP,
	+ APR_FPROT_OS_DEFAULT, p);
	+
	+ if (rv != APR_SUCCESS)
	+ return rv;
	+
	+ SSL_CTX_set_keylog_callback(sc->server->ssl_ctx, ssl_keylog_callback);
	+ }
	+
	SSL_CTX_set_timeout(sc->server->ssl_ctx,
	sc->session_cache_timeout == UNSET ?
	SSL_SESSION_CACHE_TIMEOUT : sc->session_cache_timeout);
	Index: modules/ssl/ssl_private.h
	===================================================================
	--- modules/ssl/ssl_private.h (revision 1849572)
	+++ modules/ssl/ssl_private.h (working copy)
	@@ -732,6 +732,10 @@
	apr_array_header_t ssl_ctx_param; / parameters to pass to SSL_CTX */
	#endif

	+ const char *key_log_file_name;
	+ apr_file_t *key_log_file;
	+
	+
	BOOL ssl_check_peer_cn;
	BOOL ssl_check_peer_name;
	BOOL ssl_check_peer_expire;
	@@ -870,6 +874,8 @@
	const char ssl_cmd_SSLOpenSSLConfCmd(cmd_parms cmd, void dcfg, const char arg1, const char *arg2);
	#endif

	+const char ssl_cmd_SSLKeyLogFile(cmd_parms cmd, void dcfg, const char arg);
	+
	#ifdef HAVE_SRP
	const char ssl_cmd_SSLSRPVerifierFile(cmd_parms cmd, void dcfg, const char arg);
	const char ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms cmd, void dcfg, const char arg);