log ssl keys using a Lua script

a-denoyelle · a-denoyelle · commit cbc41c2f1d33 · 2023-02-16T11:44:48.000+01:00
Add a Lua script to log SSL keys to decipher traffic in an output file.
This is available through a http-request action. To execute only once
per connection a session variable is used.

To be able to use SSL keys fetch the setting tune.ssl.keylog must be
activated in haproxy configuration.

The output file is specified as a parameter to the http-request action.
It is set to /logs/keys.log which is the path inspected by the interop.

This will allow to support on the interop several tests which rely on
traffic deciphering even if the client do not log SSL keys. For the
moment, only mvfst seems to be in this case.
diff --git a/Dockerfile b/Dockerfile
@@ -49,6 +49,7 @@ COPY --from=builder-ssl \
   /usr/local/lib/libssl.so* /usr/local/lib/libcrypto.so* /usr/local/lib/
 COPY --from=builder /usr/local/sbin/haproxy /usr/local/sbin/
 COPY quic.cfg lighttpd.cfg /
+COPY sslkeylogger.lua /
 
 COPY run_endpoint.sh .
 RUN chmod +x run_endpoint.sh
diff --git a/quic.cfg b/quic.cfg
@@ -1,6 +1,9 @@
 global
     cluster-secret what-a-secret!
 
+    tune.ssl.keylog on
+    lua-load sslkeylogger.lua
+
     expose-experimental-directives
     trace quic sink stderr
     trace quic level developer
@@ -22,6 +25,9 @@ defaults
 frontend fe
 	bind quic4@:443 proto quic ssl allow-0rtt crt /tmp/cert.pem alpn hq-interop,h3 "${HAP_EXTRA_ARGS}"
 	bind quic6@:443 proto quic ssl allow-0rtt crt /tmp/cert.pem alpn hq-interop,h3 "${HAP_EXTRA_ARGS}"
+
+	http-request lua.sslkeylog /logs/keys.log
+
 	use_backend be
 
 backend be
diff --git a/sslkeylogger.lua b/sslkeylogger.lua
@@ -0,0 +1,27 @@
+local function sslkeylog(txn, filename)
+	local fields = {
+		CLIENT_EARLY_TRAFFIC_SECRET     = function() return txn.f:ssl_fc_client_early_traffic_secret()     end,
+		CLIENT_HANDSHAKE_TRAFFIC_SECRET = function() return txn.f:ssl_fc_client_handshake_traffic_secret() end,
+		SERVER_HANDSHAKE_TRAFFIC_SECRET = function() return txn.f:ssl_fc_server_handshake_traffic_secret() end,
+		CLIENT_TRAFFIC_SECRET_0         = function() return txn.f:ssl_fc_client_traffic_secret_0()         end,
+		SERVER_TRAFFIC_SECRET_0         = function() return txn.f:ssl_fc_server_traffic_secret_0()         end,
+		EXPORTER_SECRET                 = function() return txn.f:ssl_fc_exporter_secret()                 end,
+		EARLY_EXPORTER_SECRET           = function() return txn.f:ssl_fc_early_exporter_secret()           end
+	}
+
+	local client_random = txn.c:hex(txn.f:ssl_fc_client_random())
+
+	if not txn:get_var('sess.sslkeylogdone') then
+		file = io.open(filename, 'a')
+		for fieldname, fetch in pairs(fields) do
+			if fetch() then
+				file:write(string.format('%s %s %s\n', fieldname, client_random, fetch()))
+			end
+		end
+
+		file:close()
+		txn:set_var('sess.sslkeylogdone', true)
+	end
+end
+
+core.register_action('sslkeylog', { 'http-req' }, sslkeylog, 1)
