Merge pull request #337 from qzhuyan/server-sslkeylogfile

Server sslkeylogfile
emqx · Jan 7, 2025 · d134702 · d134702
2 parents 97d8be9 + a4116fa
commit d134702
Show file tree

Hide file tree

Showing 11 changed files with 50 additions and 15 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -32,7 +32,7 @@ jobs:
           languages: ${{ matrix.language }}
           queries: +security-and-quality
 
-      - uses: erlef/setup-beam@2f0cc07b4b9bea248ae098aba9e1a8a1de5ec24c # v1.17.5
+      - uses: erlef/setup-beam@v1.18.2
         with:
           otp-version: 24.3.4
 

diff --git a/.github/workflows/cover.yaml b/.github/workflows/cover.yaml
@@ -23,7 +23,7 @@ jobs:
     - name: Checkout
       uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
-    - uses: erlef/setup-beam@2f0cc07b4b9bea248ae098aba9e1a8a1de5ec24c # v1.17.5
+    - uses: erlef/setup-beam@v1.18.2
       with:
         otp-version: ${{ matrix.otp }}
         rebar3-version: ${{ matrix.rebar3 }}

diff --git a/.github/workflows/lux.yml b/.github/workflows/lux.yml
@@ -14,7 +14,7 @@ jobs:
         uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           submodules: recursive
-      - uses: erlef/setup-beam@2f0cc07b4b9bea248ae098aba9e1a8a1de5ec24c # v1.17.5
+      - uses: erlef/setup-beam@v1.18.2
         with:
           otp-version: ${{ matrix.otp }}
           rebar3-version: 3.23.0

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -13,7 +13,7 @@ jobs:
         clang-format-version: '13'
         check-path: 'c_src'
     - name: Prepare OTP and rebar3
-      uses: erlef/setup-beam@2f0cc07b4b9bea248ae098aba9e1a8a1de5ec24c # v1.17.5
+      uses: erlef/setup-beam@v1.18.2
       with:
         otp-version: 26
         rebar3-version: 3.20.0
@@ -114,7 +114,7 @@ jobs:
         uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           submodules: recursive
-      - uses: erlef/setup-beam@2f0cc07b4b9bea248ae098aba9e1a8a1de5ec24c # v1.17.5
+      - uses: erlef/setup-beam@v1.18.2
         with:
           otp-version: ${{ matrix.otp }}
           rebar3-version: ${{ matrix.rebar3 }}

diff --git a/c_src/quicer_connection.c b/c_src/quicer_connection.c
@@ -299,11 +299,6 @@ _IRQL_requires_max_(DISPATCH_LEVEL)
       // A monitor is automatically removed when it triggers or when the
       // resource is deallocated.
       status = handle_connection_event_connected(c_ctx, Event);
-      // Client dump SSL KEY
-      if (NULL != c_ctx->TlsSecrets && NULL != c_ctx->ssl_keylogfile)
-        {
-          dump_sslkeylogfile(c_ctx->ssl_keylogfile, *(c_ctx->TlsSecrets));
-        }
       break;
     case QUIC_CONNECTION_EVENT_PEER_STREAM_STARTED:
       //
@@ -1209,6 +1204,15 @@ handle_connection_event_connected(QuicerConnCTX *c_ctx,
   ERL_NIF_TERM report = make_event_with_props(
       c_ctx->env, ATOM_CONNECTED, ConnHandle, props_name, props_value, 2);
 
+  // Client&Server Dump SSL Key Log File
+  if (NULL != c_ctx->TlsSecrets && NULL != c_ctx->ssl_keylogfile)
+    {
+      dump_sslkeylogfile(c_ctx->ssl_keylogfile, *(c_ctx->TlsSecrets));
+      // @NOTE: only free ssl_keylogfile not TlsSecrets
+      CXPLAT_FREE(c_ctx->ssl_keylogfile, QUICER_TRACE);
+      c_ctx->ssl_keylogfile = NULL;
+    }
+
   // testing this, just unblock acceptor
   // should pick a 'acceptor' here?
   if (!enif_send(NULL, acc_pid, NULL, report))

diff --git a/c_src/quicer_ctx.c b/c_src/quicer_ctx.c
@@ -94,6 +94,7 @@ deinit_l_ctx(QuicerListenerCTX *l_ctx)
     {
       enif_release_resource(l_ctx->r_ctx);
     }
+  CXPLAT_FREE(l_ctx->ssl_keylogfile, QUICER_TRACE);
   enif_mutex_destroy(l_ctx->lock);
   enif_free_env(l_ctx->env);
 }

diff --git a/c_src/quicer_ctx.h b/c_src/quicer_ctx.h
@@ -76,6 +76,8 @@ typedef struct QuicerListenerCTX
   BOOLEAN is_stopped;
   BOOLEAN allow_insecure;
   CXPLAT_LIST_ENTRY RegistrationLink;
+  char *ssl_keylogfile;
+  uint16_t ssl_keylogfile_len;
   void *reserved1;
   void *reserved2;
   void *reserved3;

diff --git a/c_src/quicer_listener.c b/c_src/quicer_listener.c
@@ -203,6 +203,16 @@ ServerListenerCallback(__unused_parm__ HQUIC Listener,
                                  (void *)ServerConnectionCallback,
                                  c_ctx);
 
+      if (l_ctx->ssl_keylogfile)
+        {
+          char *ssl_keylogfile
+              = CXPLAT_ALLOC_NONPAGED(l_ctx->ssl_keylogfile_len, QUICER_TRACE);
+          strncpy(ssl_keylogfile,
+                  l_ctx->ssl_keylogfile,
+                  l_ctx->ssl_keylogfile_len);
+          set_conn_sslkeylogfile(c_ctx, ssl_keylogfile);
+        }
+
       QuicerRegistrationCTX *r_ctx;
       if (l_ctx->r_ctx)
         {
@@ -438,6 +448,12 @@ listen2(ErlNifEnv *env, __unused_parm__ int argc, const ERL_NIF_TERM argv[])
       goto exit;
     }
 
+  l_ctx->ssl_keylogfile
+      = str_from_map(env, ATOM_SSL_KEYLOGFILE_NAME, &options, NULL, PATH_MAX);
+  l_ctx->ssl_keylogfile_len
+      = l_ctx->ssl_keylogfile ? strlen(l_ctx->ssl_keylogfile) + 1 : 0;
+  CXPLAT_FRE_ASSERT(l_ctx->ssl_keylogfile_len < PATH_MAX);
+
   // Start Listener
   Status = MsQuic->ListenerStart(
       l_ctx->Listener, alpn_buffers, alpn_buffer_length, &Address);

diff --git a/c_src/quicer_tls.c b/c_src/quicer_tls.c
@@ -262,15 +262,21 @@ parse_sslkeylogfile_option(ErlNifEnv *env,
                            ERL_NIF_TERM eoptions,
                            QuicerConnCTX *c_ctx)
 {
-  QUIC_STATUS Status;
 
-  char *keylogfile = str_from_map(
-      env, ATOM_SSL_KEYLOGFILE_NAME, &eoptions, NULL, PATH_MAX + 1);
+  char *keylogfile
+      = str_from_map(env, ATOM_SSL_KEYLOGFILE_NAME, &eoptions, NULL, PATH_MAX);
 
   if (!keylogfile)
     {
       return;
     }
+  set_conn_sslkeylogfile(c_ctx, keylogfile);
+}
+
+void
+set_conn_sslkeylogfile(QuicerConnCTX *c_ctx, char *keylogfile)
+{
+  QUIC_STATUS Status;
 
   // Allocate the TLS secrets
   QUIC_TLS_SECRETS *TlsSecrets

diff --git a/c_src/quicer_tls.h b/c_src/quicer_tls.h
@@ -48,4 +48,6 @@ eoptions_to_cred_config(ErlNifEnv *env,
                         ERL_NIF_TERM eoptions,
                         QUIC_CREDENTIAL_CONFIG *CredConfig,
                         X509_STORE **trusted_store);
+
+void set_conn_sslkeylogfile(QuicerConnCTX *c_ctx, char *keylogfile);
 #endif // QUICER_TLS_H_
diff --git a/test/quicer_SUITE.erl b/test/quicer_SUITE.erl
@@ -2472,9 +2472,12 @@ tc_stream_send_shutdown_complete(Config) ->
 tc_conn_opt_sslkeylogfile(Config) ->
     Port = select_port(),
     TargetFName = "SSLKEYLOGFILE",
+    ServerTargetFName = "SERVERSSLKEYLOGFILE",
     file:delete(TargetFName),
     application:ensure_all_started(quicer),
-    ListenerOpts = [{conn_acceptors, 32} | default_listen_opts(Config)],
+    ListenerOpts = [
+        {sslkeylogfile, ServerTargetFName}, {conn_acceptors, 32} | default_listen_opts(Config)
+    ],
     ConnectionOpts = [
         {conn_callback, quicer_server_conn_callback},
         {stream_acceptors, 32}
@@ -2498,7 +2501,8 @@ tc_conn_opt_sslkeylogfile(Config) ->
     ),
     quicer:close_connection(Conn),
     timer:sleep(100),
-    {ok, #file_info{type = regular}} = file:read_file_info(TargetFName).
+    {ok, #file_info{type = regular}} = file:read_file_info(TargetFName),
+    {ok, #file_info{type = regular}} = file:read_file_info(ServerTargetFName).
 
 tc_insecure_traffic(Config) ->
     Port = select_port(),