[gnutls-devel] GnuTLS | How to write/extract session keys with gnutls-cli ? (#802)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Mon Jul 15 16:35:31 CEST 2019

Tim Rühsen commented:

Technically yes. But that adds overhead to anyone who is using libgnutls, while addressing this in `_gnutls_nss_keylog_write()` only has overhead if your path of execution comes here. Some kind of 'lazy loading'.

One possible fix would be
```diff
diff --git a/lib/kx.c b/lib/kx.c
index 69374908e..9b509ccbc 100644
--- a/lib/kx.c
+++ b/lib/kx.c
@@ -78,17 +78,22 @@ void _gnutls_nss_keylog_write(gnutls_session_t session,
        static unsigned checked_env = 0;
 
        if (!checked_env) {
-               checked_env = 1;
-               keylogfile = secure_getenv("SSLKEYLOGFILE");
-               if (keylogfile != NULL)
-                       keylog = fopen(keylogfile, "a");
+               GNUTLS_STATIC_MUTEX_LOCK(keylog_mutex);
+
+               if (!checked_env) {
+                       checked_env = 1;
+                       keylogfile = secure_getenv("SSLKEYLOGFILE");
+                       if (keylogfile != NULL)
+                               keylog = fopen(keylogfile, "a");
+               }
+
+               GNUTLS_STATIC_MUTEX_LOCK(keylog_mutex);
        }
 
        if (keylog) {
                char client_random_hex[2*GNUTLS_RANDOM_SIZE+1];
                char secret_hex[2*MAX_HASH_SIZE+1];
 
-               GNUTLS_STATIC_MUTEX_LOCK(keylog_mutex);
                fprintf(keylog, "%s %s %s\n",
                        label,
                        _gnutls_bin2hex(session->security_parameters.
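Review bot: the inner `if (!checked_env)` block acquires `keylog_mutex` twice and never releases it: the line after the inner block reads `GNUTLS_STATIC_MUTEX_LOCK(keylog_mutex);` where `GNUTLS_STATIC_MUTEX_UNLOCK(keylog_mutex);` is clearly intended, so the very first call would deadlock (or hit undefined behaviour on a non-recursive mutex). Separately, the outer unlocked read of `checked_env` followed by a locked re-check is double-checked locking on a plain `static unsigned`, which is a data race under the C memory model; either make `checked_env` atomic with acquire/release ordering, or drop the outer check and always take the lock for the initialisation (the cost is one uncontended lock per call, which is what the original code already paid for the write).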
@@ -98,8 +103,9 @@ void _gnutls_nss_keylog_write(gnutls_session_t session,
                        _gnutls_bin2hex(secret, secret_size,
                                        secret_hex, sizeof(secret_hex), NULL));
                fflush(keylog);
-               GNUTLS_STATIC_MUTEX_UNLOCK(keylog_mutex);
        }
+
+       GNUTLS_STATIC_MUTEX_UNLOCK(keylog_mutex);
 }
 
 void _gnutls_nss_keylog_deinit(void)
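Review bot: the unconditional `GNUTLS_STATIC_MUTEX_UNLOCK(keylog_mutex);` added after the `if (keylog)` block is unbalanced: with the `GNUTLS_STATIC_MUTEX_LOCK(keylog_mutex);` before `fprintf` removed in the previous hunk, the mutex is only taken inside `if (!checked_env)` on the first call, so every later call unlocks a mutex it never locked (undefined behaviour for pthread mutexes), and the `fprintf`/`fflush` on the shared `FILE *keylog` is no longer serialised between threads. Either take the lock immediately before `if (keylog)` so this unlock has a matching lock on every path, or keep the original lock/unlock pair around `fprintf` and `fflush` inside the `if (keylog)` block.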
```

It adds an additional lock/unlock for the very first call. We could fine-tune it down to one lock/unlock with some slight additional code complexity. WDYT?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/802#note_191905039