Dart should provide a facility to create keylog files when secure sockets are used #47838

Closed
brianquinlan opened this issue Dec 2, 2021 · 4 comments
Labels: area-core-library, library-io

@brianquinlan

These files are used by network monitoring tools (e.g. Wireshark) to decrypt payloads.

Python offers this functionality through an API:
https://docs.python.org/3/library/ssl.html#ssl.SSLContext.keylog_filename

Implementation:
https://github.com/python/cpython/blob/main/Modules/_ssl/debughelpers.c#L177

curl offers it through an environment variable:
https://everything.curl.dev/usingcurl/tls/sslkeylogfile

This POC implementation works with Wireshark:

--- a/runtime/bin/security_context.cc
+++ b/runtime/bin/security_context.cc
@@ -37,6 +37,20 @@ const char* SSLCertContext::root_certs_cache_ = NULL;
 bool SSLCertContext::long_ssl_cert_evaluation_ = false;
 bool SSLCertContext::bypass_trusting_system_roots_ = false;

+static void _SSL_keylog_callback(const SSL* ssl, const char* line) {
+  FILE* fp = fopen("/tmp/foo.txt", "a");
+  fprintf(fp, "%s\n", line);
+  fclose(fp);
+}
+
+SSLCertContext::SSLCertContext(SSL_CTX* context)
+    : ReferenceCounted(),
+      context_(context),
+      alpn_protocol_string_(NULL),
+      trust_builtin_(false) {
+  SSL_CTX_set_keylog_callback(context, &_SSL_keylog_callback);
+}
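
Review bot: In _SSL_keylog_callback the FILE* returned by fopen goes straight to fprintf and fclose with no NULL check, so any failure to open /tmp/foo.txt crashes the process in the middle of a handshake; return early when fp is NULL. The destination is hard-coded and the constructor calls SSL_CTX_set_keylog_callback unconditionally, so every SSLCertContext appends its session secrets to one fixed file under /tmp. Beyond a POC, make logging opt-in and let the caller supply the destination.
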
@brianquinlan

If we want to use a callback into Dart and also allow TLS renegotiation, there is no isolate defined during the KeyLogCallback. The stack trace looks like:

  pc 0x000000010b2c1b6a fp 0x0000700008c191c0 dart::bin::SSLCertContext::KeyLogCallback(ssl_st const*, char const*)+0xca
  pc 0x000000010b3fcfa3 fp 0x0000700008c19240 bssl::ssl_log_secret(ssl_st const*, char const*, bssl::Span<unsigned char const>)+0x263
  pc 0x000000010b3e8222 fp 0x0000700008c19320 bssl::ssl_send_finished(bssl::SSL_HANDSHAKE*)+0x72
  pc 0x000000010b3e93d9 fp 0x0000700008c19630 bssl::ssl_client_handshake(bssl::SSL_HANDSHAKE*)+0x489
  pc 0x000000010b3e8612 fp 0x0000700008c19680 bssl::ssl_run_handshake(bssl::SSL_HANDSHAKE*, bool*)+0x152
  pc 0x000000010b3feb94 fp 0x0000700008c196b0 SSL_do_handshake+0x64
  pc 0x000000010b3ff192 fp 0x0000700008c19720 ssl_read_impl(ssl_st*)+0xf2
  pc 0x000000010b3fef71 fp 0x0000700008c19750 SSL_read+0x51
  pc 0x000000010b2c0a7a fp 0x0000700008c197c0 dart::bin::SSLFilter::ProcessAllBuffers(int*, int*, bool)+0x20a
  pc 0x000000010b2c057b fp 0x0000700008c19820 dart::bin::SSLFilter::ProcessFilterRequest(dart::bin::CObjectArray const&)+0x1db
  pc 0x000000010b2b8c01 fp 0x0000700008c19880 dart::bin::IOServiceCallback(long long, _Dart_CObject*)+0x3f1
  pc 0x000000010b59578a fp 0x0000700008c19d70 dart::NativeMessageHandler::HandleMessage(std::__2::unique_ptr<dart::Message, std::__2::default_delete<dart::Message> >)+0x5a
  pc 0x000000010b573ecc fp 0x0000700008c19e00 dart::MessageHandler::HandleMessages(dart::MonitorLocker*, bool, bool)+0x1cc
  pc 0x000000010b574b3a fp 0x0000700008c19e70 dart::MessageHandler::TaskCallback()+0x2ea
  pc 0x000000010b754d26 fp 0x0000700008c19f10 dart::ThreadPool::WorkerLoop(dart::ThreadPool::Worker*)+0x196
  pc 0x000000010b75566d fp 0x0000700008c19f60 dart::ThreadPool::Worker::Main(unsigned long)+0x10d
  pc 0x000000010b69499e fp 0x0000700008c19fb0 dart::ThreadStart(void*)+0x9e
  pc 0x00007fff204dd8fc fp 0x0000700008c19fd0 _pthread_start+0xe0
  pc 0x00007fff204d9443 fp 0x0000700008c19ff0 thread_start+0xf

@brianquinlan

The initial negotiation is invoked by Dart code:

  pc 0x000000010c778bcc fp 0x000070000b0f6f70 dart::bin::SSLCertContext::KeyLogCallback(ssl_st const*, char const*)+0x2c
  pc 0x000000010c8b3fe3 fp 0x000070000b0f6ff0 bssl::ssl_log_secret(ssl_st const*, char const*, bssl::Span<unsigned char const>)+0x263
  pc 0x000000010c89f262 fp 0x000070000b0f70d0 bssl::ssl_send_finished(bssl::SSL_HANDSHAKE*)+0x72
  pc 0x000000010c8a0419 fp 0x000070000b0f73e0 bssl::ssl_client_handshake(bssl::SSL_HANDSHAKE*)+0x489
  pc 0x000000010c89f652 fp 0x000070000b0f7430 bssl::ssl_run_handshake(bssl::SSL_HANDSHAKE*, bool*)+0x152
  pc 0x000000010c8b5bd4 fp 0x000070000b0f7460 SSL_do_handshake+0x64
  pc 0x000000010c776d4d fp 0x000070000b0f7490 dart::bin::SSLFilter::Handshake(long long)+0x1d
  pc 0x000000010c776ce2 fp 0x000070000b0f74c0 dart::bin::Builtin_SecureSocket_Handshake(_Dart_NativeArguments*)+0x72

copybara-service bot pushed a commit that referenced this issue Feb 17, 2022
TEST=unit tests
Bug: #47838
Change-Id: I8a64e8623022215cae261eadb25b22deb9f3d910
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/231330
Reviewed-by: Alexander Aprelev <aam@google.com>
Commit-Queue: Brian Quinlan <bquinlan@google.com>
@brianquinlan

Fixed in 917ae52

@mit-mit

mit-mit commented Apr 27, 2022

For details on how to use this, see the API docs for SecureSocket.connect().
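
Added example, not code from this issue or from the Dart SDK: a Python helper for the key log lines discussed in this thread, assuming the NSS key log format that Wireshark reads. It validates each line, appends it to an owner-only file instead of a fixed path in /tmp, and groups the secrets per connection; all function names and the sample lines are constructed for illustration.

```python
import os
import re
import stat

# NSS key log format: "<LABEL> <client_random hex> <secret hex>". Common labels:
LABELS = {
    "CLIENT_RANDOM", "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2})+)$")

# Constructed sample lines (not real secrets): one TLS 1.3 and one TLS 1.2 session.
SAMPLE = [
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "ab" * 32 + " " + "01" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "ab" * 32 + " " + "02" * 32,
    "CLIENT_RANDOM " + "cd" * 32 + " " + "03" * 48,
]

def parse_keylog_line(line):
    """Return (label, client_random, secret) or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m or m.group(1) not in LABELS:
        return None
    return m.group(1), bytes.fromhex(m.group(2)), bytes.fromhex(m.group(3))

def append_keylog_line(path, line):
    """Append one validated line to a key log that only its owner can read."""
    if parse_keylog_line(line) is None:
        raise ValueError("not a key log line")
    # O_NOFOLLOW refuses a symlink planted at `path`; mode 0o600 keeps the
    # session secrets away from other local users.
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        if stat.S_IMODE(os.fstat(fd).st_mode) & 0o077:
            raise PermissionError("key log is accessible to other users")
        os.write(fd, (line.strip() + "\n").encode("ascii"))
    finally:
        os.close(fd)

def sessions(path):
    """Group secrets by client_random, the value Wireshark matches sessions on."""
    out = {}
    with open(path, encoding="ascii") as fh:
        for label, client_random, secret in filter(None, map(parse_keylog_line, fh)):
            out.setdefault(client_random.hex(), {})[label] = secret
    return out
```
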
