Allow setting keyLogFile to DoT/DoH backends

pdns/dnsdistdist/dnsdist-lua.cc

@@ -553,6 +553,7 @@ static void setupLuaConfig(LuaContext& luaCtx, bool client, bool configCheck)
                          getOptionalValue<std::string>(vars, "ciphers", config.d_tlsParams.d_ciphers);
                          getOptionalValue<std::string>(vars, "ciphers13", config.d_tlsParams.d_ciphers13);
                          getOptionalValue<std::string>(vars, "caStore", config.d_tlsParams.d_caStore);
+                         getOptionalValue<std::string>(vars, "keyLogFile", config.d_tlsParams.d_keyLogFile);
                          getOptionalValue<bool>(vars, "validateCertificates", config.d_tlsParams.d_validateCertificates);
                          getOptionalValue<bool>(vars, "releaseBuffers", config.d_tlsParams.d_releaseBuffers);
                          getOptionalValue<bool>(vars, "enableRenegotiation", config.d_tlsParams.d_enableRenegotiation);

pdns/dnsdistdist/docs/reference/config.rst

@@ -749,6 +749,7 @@ Servers
     ``proxyProtocolAdvertiseTLS``            ``bool``              "Whether to set the SSL Proxy Protocol TLV in the proxy protocol payload sent to the backend if the query was received over an encrypted channel (DNSCrypt, DoQ, DoH or DoT). Requires ``useProxyProtocol=true``. Default is false."
     ``xskSockets``                            ``array``            "An array of :class:`XskSocket` objects to enable ``XSK`` / ``AF_XDP`` support for this backend. See :doc:`../advanced/xsk` for more information."
     ``MACAddr``                              ``str``               "When the ``xskSocket`` option is set, this parameter can be used to specify the destination MAC address to use to reach the backend. If this options is not specified, dnsdist will try to get it from the IP of the backend by looking into the system's MAC address table, but it will fail if the corresponding MAC address is not present."
+    ``keyLogFile``                           ``str``               "Write the TLS keys in the specified file so that an external program can decrypt TLS exchanges, in the format described in https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format. Note that this feature requires OpenSSL >= 1.1.1."
 
 .. function:: getServer(index) -> Server
 

pdns/libssl.cc

@@ -1110,16 +1110,16 @@ static void libssl_key_log_file_callback(const SSL* ssl, const char* line)
 }
 #endif /* HAVE_SSL_CTX_SET_KEYLOG_CALLBACK */
 
-pdns::UniqueFilePtr libssl_set_key_log_file(std::unique_ptr<SSL_CTX, decltype(&SSL_CTX_free)>& ctx, const std::string& logFile)
+pdns::UniqueFilePtr libssl_set_key_log_file(SSL_CTX* ctx, const std::string& logFile)
 {
 #ifdef HAVE_SSL_CTX_SET_KEYLOG_CALLBACK
   auto filePtr = pdns::openFileForWriting(logFile, 0600, false, true);
   if (!filePtr) {
     auto error = errno;
     throw std::runtime_error("Error opening file " + logFile + " for writing: " + stringerror(error));
   }
-  SSL_CTX_set_ex_data(ctx.get(), s_keyLogIndex, filePtr.get());
-  SSL_CTX_set_keylog_callback(ctx.get(), &libssl_key_log_file_callback);
+  SSL_CTX_set_ex_data(ctx, s_keyLogIndex, filePtr.get());
+  SSL_CTX_set_keylog_callback(ctx, &libssl_key_log_file_callback);
   return filePtr;
 #else
   return pdns::UniqueFilePtr(nullptr);

pdns/libssl.hh

@@ -158,7 +158,7 @@ bool libssl_set_min_tls_version(std::unique_ptr<SSL_CTX, decltype(&SSL_CTX_free)
 std::pair<std::unique_ptr<SSL_CTX, decltype(&SSL_CTX_free)>, std::vector<std::string>> libssl_init_server_context(const TLSConfig& config,
                                                                                                             std::map<int, std::string>& ocspResponses);
 
-pdns::UniqueFilePtr libssl_set_key_log_file(std::unique_ptr<SSL_CTX, decltype(&SSL_CTX_free)>& ctx, const std::string& logFile);
+pdns::UniqueFilePtr libssl_set_key_log_file(SSL_CTX* ctx, const std::string& logFile);
 
 /* called in a server context, to select an ALPN value advertised by the client if any */
 void libssl_set_alpn_select_callback(SSL_CTX* ctx, int (*cb)(SSL* s, const unsigned char** out, unsigned char* outlen, const unsigned char* in, unsigned int inlen, void* arg), void* arg);

pdns/tcpiohandler.cc

@@ -675,7 +675,7 @@ class OpenSSLTLSIOCtx: public TLSCtx, public std::enable_shared_from_this<OpenSS
     libssl_set_alpn_select_callback(d_feContext->d_tlsCtx.get(), alpnServerSelectCallback, this);
 
     if (!frontend.d_tlsConfig.d_keyLogFile.empty()) {
-      d_feContext->d_keyLogFile = libssl_set_key_log_file(d_feContext->d_tlsCtx, frontend.d_tlsConfig.d_keyLogFile);
+      d_feContext->d_keyLogFile = libssl_set_key_log_file(d_feContext->d_tlsCtx.get(), frontend.d_tlsConfig.d_keyLogFile);
     }
 
     try {
@@ -776,6 +776,10 @@ class OpenSSLTLSIOCtx: public TLSCtx, public std::enable_shared_from_this<OpenSS
     SSL_CTX_set_session_cache_mode(d_tlsCtx.get(), SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL_STORE);
     SSL_CTX_sess_set_new_cb(d_tlsCtx.get(), &OpenSSLTLSIOCtx::newTicketFromServerCb);
 
+    if (!params.d_keyLogFile.empty()) {
+      d_keyLogFile = libssl_set_key_log_file(d_tlsCtx.get(), params.d_keyLogFile);
+    }
+
     libssl_set_alpn_protos(d_tlsCtx.get(), getALPNVector(params.d_alpn, true));
 
 #ifdef SSL_MODE_RELEASE_BUFFERS
@@ -951,6 +955,7 @@ class OpenSSLTLSIOCtx: public TLSCtx, public std::enable_shared_from_this<OpenSS
   std::shared_ptr<SSL_CTX> d_tlsCtx{nullptr}; // client context, on a server-side the context is stored in d_feContext->d_tlsCtx
   std::unique_ptr<OpenSSLFrontendContext> d_feContext{nullptr};
   bool d_ktls{false};
+  pdns::UniqueFilePtr d_keyLogFile{nullptr};
 };
 
 #endif /* HAVE_LIBSSL */

pdns/tcpiohandler.hh

@@ -587,6 +587,7 @@ struct TLSContextParameters
   bool d_releaseBuffers{true};
   bool d_enableRenegotiation{false};
   bool d_ktls{false};
+  std::string d_keyLogFile;
 };
 
 std::shared_ptr<TLSCtx> getTLSContext(const TLSContextParameters& params);