use OpenSSL's keylog callback for SSLKEYLOGFILE, refs #3994

mitmproxy/net/tls.py

@@ -86,36 +86,17 @@ class MasterSecretLogger:
     # required for functools.wraps, which pyOpenSSL uses.
     __name__ = "MasterSecretLogger"
 
-    def __call__(self, connection, where, ret):
+    def __call__(self, connection, keymaterial):
-        done_now = (
+        with self.lock:
-            where == SSL.SSL_CB_HANDSHAKE_DONE and ret == 1
+            if not self.f:
-        )
+                d = os.path.dirname(self.filename)
-        # this is a horrendous workaround for https://github.com/mitmproxy/mitmproxy/pull/3692#issuecomment-608454530:
+                if not os.path.isdir(d):
-        # OpenSSL 1.1.1f decided to not make connection.master_key() fail in the SSL_CB_HANDSHAKE_DONE callback.
+                    os.makedirs(d)
-        # To support various OpenSSL versions and still log master secrets, we now mark connections where this has
+                self.f = open(self.filename, "ab")
-        # happened and then try again on the next event. This is ugly and shouldn't be done, but eventually we
+                self.f.write(b"\n")
-        # replace this with context.set_keylog_callback anyways.
+            self.f.write(keymaterial)
-        done_previously_but_not_logged_yet = (
+            self.f.write(b"\n")
-            hasattr(connection, "_still_needs_masterkey")
+            self.f.flush()
-        )
-        if done_now or done_previously_but_not_logged_yet:
-            with self.lock:
-                if not self.f:
-                    d = os.path.dirname(self.filename)
-                    if not os.path.isdir(d):
-                        os.makedirs(d)
-                    self.f = open(self.filename, "ab")
-                    self.f.write(b"\r\n")
-                try:
-                    client_random = binascii.hexlify(connection.client_random())
-                    masterkey = binascii.hexlify(connection.master_key())
-                except (AssertionError, SSL.Error):  # careful: exception type changes between pyOpenSSL versions
-                    connection._still_needs_masterkey = True
-                else:
-                    self.f.write(b"CLIENT_RANDOM %s %s\r\n" % (client_random, masterkey))
-                    self.f.flush()
-                    if hasattr(connection, "_still_needs_masterkey"):
-                        delattr(connection, "_still_needs_masterkey")
 
     def close(self):
         with self.lock:
@@ -203,7 +184,7 @@ def _create_ssl_context(
 
     # SSLKEYLOGFILE
     if log_master_secret:
-        context.set_info_callback(log_master_secret)
+        context.set_keylog_callback(log_master_secret)
 
     if alpn_protos is not None:
         # advertise application layer protocols

test/mitmproxy/net/test_tls.py

@@ -43,7 +43,7 @@ class TestMasterSecretLogger(tservers.ServerTestBase):
 
             tls.log_master_secret.close()
             with open(logfile, "rb") as f:
-                assert f.read().count(b"CLIENT_RANDOM") >= 2
+                assert f.read().count(b"SERVER_HANDSHAKE_TRAFFIC_SECRET") >= 2
 
         tls.log_master_secret = _logfun