From 189ae368d91d2c9de5ed1fa21e993f5c83fc4445 Mon Sep 17 00:00:00 2001 From: Martin Kaiser Date: Sat, 24 May 2014 00:02:24 +0100 Subject: [PATCH] Add an NSS output format to sess_id to export to export the session id and the master key in NSS keylog format. PR#3352 --- CHANGES | 4 ++++ apps/apps.c | 2 ++ apps/apps.h | 1 + apps/sess_id.c | 4 +++- doc/apps/sess_id.pod | 9 +++++---- ssl/ssl.h | 1 + ssl/ssl_txt.c | 30 ++++++++++++++++++++++++++++++ 7 files changed, 46 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index d5142beebb..a55bdc9e3e 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,10 @@ Changes between 1.0.2 and 1.1.0 [xx XXX xxxx] + *) New output format NSS in the sess_id command line tool. This allows + exporting the session id and the master key in NSS keylog format. + [Martin Kaiser ] + *) Harmonize version and its documentation. -f flag is used to display compilation flags. [mancha ] diff --git a/apps/apps.c b/apps/apps.c index b82882aa0c..946884860f 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -263,6 +263,8 @@ int str2fmt(char *s) return(FORMAT_ASN1); else if ((*s == 'T') || (*s == 't')) return(FORMAT_TEXT); + else if ((strcmp(s,"NSS") == 0) || (strcmp(s,"nss") == 0)) + return(FORMAT_NSS); else if ((*s == 'N') || (*s == 'n')) return(FORMAT_NETSCAPE); else if ((*s == 'S') || (*s == 's')) diff --git a/apps/apps.h b/apps/apps.h index 5f083d4097..b4a9b49ce7 100644 --- a/apps/apps.h +++ b/apps/apps.h @@ -363,6 +363,7 @@ void store_setup_crl_download(X509_STORE *st); #define FORMAT_MSBLOB 11 /* MS Key blob format */ #define FORMAT_PVK 12 /* MS PVK file format */ #define FORMAT_HTTP 13 /* Download using HTTP */ +#define FORMAT_NSS 14 /* NSS keylog format */ #define EXT_COPY_NONE 0 #define EXT_COPY_ADD 1 diff --git a/apps/sess_id.c b/apps/sess_id.c index b16686c26d..d4bf1afe2d 100644 --- a/apps/sess_id.c +++ b/apps/sess_id.c @@ -73,7 +73,7 @@ static const char *sess_id_usage[]={ "usage: sess_id args\n", "\n", " -inform arg - input format - default PEM (DER or PEM)\n", -" -outform arg - output format - default PEM\n", +" -outform arg - output format - default PEM (PEM, DER or NSS)\n", " -in arg - input file - default stdin\n", " -out arg - output file - default stdout\n", " -text - print ssl session id details\n", @@ -246,6 +246,8 @@ bad: i=i2d_SSL_SESSION_bio(out,x); else if (outformat == FORMAT_PEM) i=PEM_write_bio_SSL_SESSION(out,x); + else if (outformat == FORMAT_NSS) + i=SSL_SESSION_print_keylog(out,x); else { BIO_printf(bio_err,"bad output format specified for outfile\n"); goto end; diff --git a/doc/apps/sess_id.pod b/doc/apps/sess_id.pod index 9988d2cd3d..fb5ce12962 100644 --- a/doc/apps/sess_id.pod +++ b/doc/apps/sess_id.pod @@ -9,7 +9,7 @@ sess_id - SSL/TLS session handling utility B B [B<-inform PEM|DER>] -[B<-outform PEM|DER>] +[B<-outform PEM|DER|NSS>] [B<-in filename>] [B<-out filename>] [B<-text>] @@ -33,10 +33,11 @@ format containing session details. The precise format can vary from one version to the next. The B form is the default format: it consists of the B format base64 encoded with additional header and footer lines. -=item B<-outform DER|PEM> +=item B<-outform DER|PEM|NSS> -This specifies the output format, the options have the same meaning as the -B<-inform> option. +This specifies the output format. The B and B options have the same meaning +as the B<-inform> option. The B option outputs the session id and the master key +in NSS keylog format. =item B<-in filename> diff --git a/ssl/ssl.h b/ssl/ssl.h index 92ffae95c1..7d0c7bbe72 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -2235,6 +2235,7 @@ int SSL_SESSION_print_fp(FILE *fp,const SSL_SESSION *ses); #endif #ifndef OPENSSL_NO_BIO int SSL_SESSION_print(BIO *fp,const SSL_SESSION *ses); +int SSL_SESSION_print_keylog(BIO *bp, const SSL_SESSION *x); #endif void SSL_SESSION_free(SSL_SESSION *ses); int i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp); diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c index 20b95a2829..0ffdcb0ea2 100644 --- a/ssl/ssl_txt.c +++ b/ssl/ssl_txt.c @@ -248,3 +248,33 @@ err: return(0); } +/* print session id and master key in NSS keylog format + (RSA Session-ID: Master-Key:) */ +int SSL_SESSION_print_keylog(BIO *bp, const SSL_SESSION *x) + { + unsigned int i; + + if (x == NULL) goto err; + if (x->session_id_length==0 || x->master_key_length==0) goto err; + + /* the RSA prefix is required by the format's definition although there's + nothing RSA-specifc in the output, therefore, we don't have to check + if the cipher suite is based on RSA */ + if (BIO_puts(bp,"RSA ") <= 0) goto err; + + if (BIO_puts(bp,"Session-ID:") <= 0) goto err; + for (i=0; isession_id_length; i++) + { + if (BIO_printf(bp,"%02X",x->session_id[i]) <= 0) goto err; + } + if (BIO_puts(bp," Master-Key:") <= 0) goto err; + for (i=0; i<(unsigned int)x->master_key_length; i++) + { + if (BIO_printf(bp,"%02X",x->master_key[i]) <= 0) goto err; + } + if (BIO_puts(bp,"\n") <= 0) goto err; + + return(1); +err: + return(0); + } -- 2.25.1