diff options
author | Tim Rühsen <tim.ruehsen@gmx.de> | 2019-07-16 11:44:02 +0200 |
---|---|---|
committer | Tim Rühsen <tim.ruehsen@gmx.de> | 2019-07-16 11:44:09 +0200 |
commit | c8db8e1724cd189d3865823dc3f0f1154e3a8868 (patch) | |
tree | 30dab8ece42f053f463aff7efaeca0bec4ccbba5 | |
parent | 9ba468c457478c1c1fbdd772b45c1564584a160e (diff) | |
download | gnutls-tmp-keylog-threadsafe.tar.gz |
Fix race condition when logging keystmp-keylog-threadsafe
Moves keylog initialization to _gnutls_global_init().
That means SSLKEYLOGFILE has to be set before starting the
application - or more exactly - before library initialization.
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
-rw-r--r-- | lib/global.c | 1 | ||||
-rw-r--r-- | lib/global.h | 1 | ||||
-rw-r--r-- | lib/kx.c | 18 | ||||
-rw-r--r-- | tests/Makefile.am | 6 | ||||
-rw-r--r-- | tests/keylog-env.c | 15 | ||||
-rwxr-xr-x | tests/keylog-env.sh | 32 |
6 files changed, 47 insertions, 26 deletions
diff --git a/lib/global.c b/lib/global.c index 334148342e..2db225360e 100644 --- a/lib/global.c +++ b/lib/global.c @@ -369,6 +369,7 @@ static int _gnutls_global_init(unsigned constructor) _gnutls_register_accel_crypto(); _gnutls_cryptodev_init(); _gnutls_load_system_priorities(); + _gnutls_nss_keylog_init(); #ifdef ENABLE_FIPS140 /* These self tests are performed on the overridden algorithms diff --git a/lib/global.h b/lib/global.h index d9a09d8cdd..63133c49a8 100644 --- a/lib/global.h +++ b/lib/global.h @@ -44,6 +44,7 @@ extern int _gnutls_log_level; extern int gnutls_crypto_init(void); extern void gnutls_crypto_deinit(void); extern void _gnutls_tpm_global_deinit(void); +extern void _gnutls_nss_keylog_init(void); extern void _gnutls_nss_keylog_deinit(void); extern void _gnutls_load_system_priorities(void); @@ -74,16 +74,6 @@ void _gnutls_nss_keylog_write(gnutls_session_t session, const char *label, const uint8_t *secret, size_t secret_size) { - static const char *keylogfile = NULL; - static unsigned checked_env = 0; - - if (!checked_env) { - checked_env = 1; - keylogfile = secure_getenv("SSLKEYLOGFILE"); - if (keylogfile != NULL) - keylog = fopen(keylogfile, "a"); - } - if (keylog) { char client_random_hex[2*GNUTLS_RANDOM_SIZE+1]; char secret_hex[2*MAX_HASH_SIZE+1]; @@ -102,6 +92,14 @@ void _gnutls_nss_keylog_write(gnutls_session_t session, } } +void _gnutls_nss_keylog_init(void) +{ + const char *keylogfile = secure_getenv("SSLKEYLOGFILE"); + + if (keylogfile) + keylog = fopen(keylogfile, "a"); +} + void _gnutls_nss_keylog_deinit(void) { if (keylog) { diff --git a/tests/Makefile.am b/tests/Makefile.am index 34e3c5a970..efef919e38 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -105,7 +105,7 @@ noinst_LTLIBRARIES = libutils.la libutils_la_SOURCES = utils.h utils.c seccomp.c utils-adv.c libutils_la_LIBADD = ../lib/libgnutls.la -indirect_tests = tls13/prf-early system-override-hash system-override-sig +indirect_tests = tls13/prf-early system-override-hash system-override-sig keylog-env ctests = tls13/supported_versions tls13/tls12-no-tls13-exts \ tls13/post-handshake-with-cert tls13/post-handshake-without-cert \ @@ -191,7 +191,7 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei set_x509_key_file_der set_x509_pkcs12_key crt_apis tls12-cert-key-exchange \ tls11-cert-key-exchange tls10-cert-key-exchange ssl30-cert-key-exchange \ dtls12-cert-key-exchange dtls10-cert-key-exchange x509-cert-callback-legacy \ - keylog-env ssl2-hello tlsfeature-ext dtls-rehandshake-cert-2 dtls-session-ticket-lost \ + ssl2-hello tlsfeature-ext dtls-rehandshake-cert-2 dtls-session-ticket-lost \ tlsfeature-crt dtls-rehandshake-cert-3 resume-with-false-start \ set_x509_key_file_ocsp client-fastopen rng-sigint srp rng-pthread \ safe-renegotiation/srn0 safe-renegotiation/srn1 safe-renegotiation/srn2 \ @@ -492,7 +492,7 @@ dist_check_SCRIPTS += fastopen.sh pkgconfig.sh starttls.sh starttls-ftp.sh start ocsp-tests/ocsp-test cipher-listings.sh sni-hostname.sh server-multi-keys.sh \ psktool.sh ocsp-tests/ocsp-load-chain gnutls-cli-save-data.sh gnutls-cli-debug.sh \ sni-resume.sh ocsp-tests/ocsptool cert-reencoding.sh pkcs7-cat.sh long-crl.sh \ - serv-udp.sh logfile-option.sh gnutls-cli-resume.sh profile-tests.sh + serv-udp.sh logfile-option.sh gnutls-cli-resume.sh profile-tests.sh keylog-env.sh if !DISABLE_SYSTEM_CONFIG dist_check_SCRIPTS += system-override-sig-hash.sh system-override-versions.sh system-override-invalid.sh \ diff --git a/tests/keylog-env.c b/tests/keylog-env.c index 5f5f74e176..bdc079f868 100644 --- a/tests/keylog-env.c +++ b/tests/keylog-env.c @@ -98,16 +98,6 @@ static void run(const char *filename, const char *prio, const char **p; int ret; -#ifdef _WIN32 - { - char buf[512]; - snprintf(buf, sizeof(buf), "SSLKEYLOGFILE=%s", filename); - _putenv(buf); - } -#else - setenv("SSLKEYLOGFILE", filename, 1); -#endif - if (debug) { gnutls_global_set_log_level(6); gnutls_global_set_log_function(tls_log_func); @@ -151,11 +141,10 @@ static void run(const char *filename, const char *prio, void doit(void) { - char filename[TMPNAME_SIZE]; + const char *filename = getenv("SSLKEYLOGFILE"); - assert(get_tmpname(filename)!=NULL); + assert(filename != NULL); - remove(filename); global_init(); run(filename, diff --git a/tests/keylog-env.sh b/tests/keylog-env.sh new file mode 100755 index 0000000000..6290877d5b --- /dev/null +++ b/tests/keylog-env.sh @@ -0,0 +1,32 @@ +#!/bin/sh + +# Copyright (C) 2019 Tim Ruehsen +# +# Author: Tim Ruehsen +# +# This file is part of GnuTLS. +# +# GnuTLS is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at +# your option) any later version. +# +# GnuTLS is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with GnuTLS; if not, write to the Free Software Foundation, +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +TMPFILE=c.$$.tmp + +export SSLKEYLOGFILE="${TMPFILE}" + +${builddir}/keylog-env +if test $? != 0; then + exit 1 +fi + +exit 0 |