Skip to content

Commit

Permalink
Allow setting keyLogFile to DoT/DoH backends
Browse files Browse the repository at this point in the history
  • Loading branch information
karelbilek committed Dec 6, 2024
1 parent 09df974 commit 47afbfe
Show file tree
Hide file tree
Showing 6 changed files with 15 additions and 5 deletions.
1 change: 1 addition & 0 deletions pdns/dnsdistdist/dnsdist-lua.cc
Original file line number Diff line number Diff line change
Expand Up @@ -553,6 +553,7 @@ static void setupLuaConfig(LuaContext& luaCtx, bool client, bool configCheck)
getOptionalValue<std::string>(vars, "ciphers", config.d_tlsParams.d_ciphers);
getOptionalValue<std::string>(vars, "ciphers13", config.d_tlsParams.d_ciphers13);
getOptionalValue<std::string>(vars, "caStore", config.d_tlsParams.d_caStore);
getOptionalValue<std::string>(vars, "keyLogFile", config.d_tlsParams.d_keyLogFile);
getOptionalValue<bool>(vars, "validateCertificates", config.d_tlsParams.d_validateCertificates);
getOptionalValue<bool>(vars, "releaseBuffers", config.d_tlsParams.d_releaseBuffers);
getOptionalValue<bool>(vars, "enableRenegotiation", config.d_tlsParams.d_enableRenegotiation);
Expand Down
3 changes: 3 additions & 0 deletions pdns/dnsdistdist/docs/reference/config.rst
Original file line number Diff line number Diff line change
Expand Up @@ -749,6 +749,9 @@ Servers
``proxyProtocolAdvertiseTLS`` ``bool`` "Whether to set the SSL Proxy Protocol TLV in the proxy protocol payload sent to the backend if the query was received over an encrypted channel (DNSCrypt, DoQ, DoH or DoT). Requires ``useProxyProtocol=true``. Default is false."
``xskSockets`` ``array`` "An array of :class:`XskSocket` objects to enable ``XSK`` / ``AF_XDP`` support for this backend. See :doc:`../advanced/xsk` for more information."
``MACAddr`` ``str`` "When the ``xskSocket`` option is set, this parameter can be used to specify the destination MAC address to use to reach the backend. If this options is not specified, dnsdist will try to get it from the IP of the backend by looking into the system's MAC address table, but it will fail if the corresponding MAC address is not present."
``keyLogFile`` ``str`` "Write the TLS keys in the specified fi
le so that an external program can decrypt TLS exchanges, in the format described in https://developer.mozi

Check warning on line 753 in pdns/dnsdistdist/docs/reference/config.rst

View workflow job for this annotation

GitHub Actions / Spell checking

`mozi` is not a recognized word. (unrecognized-spelling)
lla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format. Note that this feature requires OpenSSL >= 1.1.1."

Check warning on line 754 in pdns/dnsdistdist/docs/reference/config.rst

View workflow job for this annotation

GitHub Actions / Spell checking

`lla` is not a recognized word. (unrecognized-spelling)

.. function:: getServer(index) -> Server

Expand Down
6 changes: 3 additions & 3 deletions pdns/libssl.cc
Original file line number Diff line number Diff line change
Expand Up @@ -1110,16 +1110,16 @@ static void libssl_key_log_file_callback(const SSL* ssl, const char* line)
}
#endif /* HAVE_SSL_CTX_SET_KEYLOG_CALLBACK */

pdns::UniqueFilePtr libssl_set_key_log_file(std::unique_ptr<SSL_CTX, decltype(&SSL_CTX_free)>& ctx, const std::string& logFile)
pdns::UniqueFilePtr libssl_set_key_log_file(SSL_CTX* ctx, const std::string& logFile)
{
#ifdef HAVE_SSL_CTX_SET_KEYLOG_CALLBACK
auto filePtr = pdns::openFileForWriting(logFile, 0600, false, true);
if (!filePtr) {
auto error = errno;
throw std::runtime_error("Error opening file " + logFile + " for writing: " + stringerror(error));
}
SSL_CTX_set_ex_data(ctx.get(), s_keyLogIndex, filePtr.get());
SSL_CTX_set_keylog_callback(ctx.get(), &libssl_key_log_file_callback);
SSL_CTX_set_ex_data(ctx, s_keyLogIndex, filePtr.get());
SSL_CTX_set_keylog_callback(ctx, &libssl_key_log_file_callback);
return filePtr;
#else
return pdns::UniqueFilePtr(nullptr);
Expand Down
2 changes: 1 addition & 1 deletion pdns/libssl.hh
Original file line number Diff line number Diff line change
Expand Up @@ -158,7 +158,7 @@ bool libssl_set_min_tls_version(std::unique_ptr<SSL_CTX, decltype(&SSL_CTX_free)
std::pair<std::unique_ptr<SSL_CTX, decltype(&SSL_CTX_free)>, std::vector<std::string>> libssl_init_server_context(const TLSConfig& config,
std::map<int, std::string>& ocspResponses);

pdns::UniqueFilePtr libssl_set_key_log_file(std::unique_ptr<SSL_CTX, decltype(&SSL_CTX_free)>& ctx, const std::string& logFile);
pdns::UniqueFilePtr libssl_set_key_log_file(SSL_CTX* ctx, const std::string& logFile);

/* called in a server context, to select an ALPN value advertised by the client if any */
void libssl_set_alpn_select_callback(SSL_CTX* ctx, int (*cb)(SSL* s, const unsigned char** out, unsigned char* outlen, const unsigned char* in, unsigned int inlen, void* arg), void* arg);
Expand Down
7 changes: 6 additions & 1 deletion pdns/tcpiohandler.cc
Original file line number Diff line number Diff line change
Expand Up @@ -675,7 +675,7 @@ class OpenSSLTLSIOCtx: public TLSCtx, public std::enable_shared_from_this<OpenSS
libssl_set_alpn_select_callback(d_feContext->d_tlsCtx.get(), alpnServerSelectCallback, this);

if (!frontend.d_tlsConfig.d_keyLogFile.empty()) {
d_feContext->d_keyLogFile = libssl_set_key_log_file(d_feContext->d_tlsCtx, frontend.d_tlsConfig.d_keyLogFile);
d_feContext->d_keyLogFile = libssl_set_key_log_file(d_feContext->d_tlsCtx.get(), frontend.d_tlsConfig.d_keyLogFile);
}

try {
Expand Down Expand Up @@ -776,6 +776,10 @@ class OpenSSLTLSIOCtx: public TLSCtx, public std::enable_shared_from_this<OpenSS
SSL_CTX_set_session_cache_mode(d_tlsCtx.get(), SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL_STORE);
SSL_CTX_sess_set_new_cb(d_tlsCtx.get(), &OpenSSLTLSIOCtx::newTicketFromServerCb);

if (!params.d_keyLogFile.empty()) {
d_keyLogFile = libssl_set_key_log_file(d_tlsCtx.get(), params.d_keyLogFile);
}

libssl_set_alpn_protos(d_tlsCtx.get(), getALPNVector(params.d_alpn, true));

#ifdef SSL_MODE_RELEASE_BUFFERS
Expand Down Expand Up @@ -951,6 +955,7 @@ class OpenSSLTLSIOCtx: public TLSCtx, public std::enable_shared_from_this<OpenSS
std::shared_ptr<SSL_CTX> d_tlsCtx{nullptr}; // client context, on a server-side the context is stored in d_feContext->d_tlsCtx
std::unique_ptr<OpenSSLFrontendContext> d_feContext{nullptr};
bool d_ktls{false};
pdns::UniqueFilePtr d_keyLogFile{nullptr};
};

#endif /* HAVE_LIBSSL */
Expand Down
1 change: 1 addition & 0 deletions pdns/tcpiohandler.hh
Original file line number Diff line number Diff line change
Expand Up @@ -587,6 +587,7 @@ struct TLSContextParameters
bool d_releaseBuffers{true};
bool d_enableRenegotiation{false};
bool d_ktls{false};
std::string d_keyLogFile;
};

std::shared_ptr<TLSCtx> getTLSContext(const TLSContextParameters& params);
Expand Down

0 comments on commit 47afbfe

Please sign in to comment.