Module: kamailio Branch: master Commit: 254d5bd652e1eb35772375d930786ee5489cebab URL: https://github.com/kamailio/kamailio/commit/254d5bd652e1eb35772375d930786ee5...
Author: Daniel-Constantin Mierla miconda@gmail.com Committer: Daniel-Constantin Mierla miconda@gmail.com Date: 2025-07-25T11:40:17+02:00
tls: added option to filter key logging
---
Modified: src/modules/tls/tls_domain.c Modified: src/modules/tls/tls_util.c Modified: src/modules/tls/tls_util.h
---
Diff: https://github.com/kamailio/kamailio/commit/254d5bd652e1eb35772375d930786ee5... Patch: https://github.com/kamailio/kamailio/commit/254d5bd652e1eb35772375d930786ee5...
---
diff --git a/src/modules/tls/tls_domain.c b/src/modules/tls/tls_domain.c
index e6dbd60b502..4e2e5e76ede 100644
--- a/src/modules/tls/tls_domain.c
+++ b/src/modules/tls/tls_domain.c
@@ -1094,6 +1094,11 @@ static void ksr_tls_keylog_callback(const SSL *ssl, const char *line)
 if(!(ksr_tls_keylog_mode & KSR_TLS_KEYLOG_MODE_ACTIVE)) {
 return;
 }
+ if(ksr_tls_keylog_mode & KSR_TLS_KEYLOG_MODE_VFILTER) {
+ if(ksr_tls_keylog_vfilter_match(line) == 0) {
+ return;
+ }
+ }
 if(ksr_tls_keylog_mode & KSR_TLS_KEYLOG_MODE_MLOG) {
 LM_NOTICE("tlskeylog: %s\n", line);
 }
diff --git a/src/modules/tls/tls_util.c b/src/modules/tls/tls_util.c
index 7f35540c29d..01f2a0544e4 100644
--- a/src/modules/tls/tls_util.c
+++ b/src/modules/tls/tls_util.c
@@ -152,6 +152,36 @@ int ksr_tls_keylog_file_init(void)
 return 0;
 }
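Review bot: The new gate in ksr_tls_keylog_callback() has no comment, and `== 0` followed by `return` reads like a deny-list at first glance although it is an allow-list: only lines accepted by ksr_tls_keylog_vfilter_match() go on to the logging sinks. A line such as `/* vfilter: drop key-log lines whose label is not in the allow-list before any sink sees them */` above the outer `if` would make that explicit. The two nested conditions could also be one, `if((ksr_tls_keylog_mode & KSR_TLS_KEYLOG_MODE_VFILTER) && ksr_tls_keylog_vfilter_match(line) == 0) {`. The callback's body starts and ends outside the hunk, so only the MLOG sink is visible here.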
+/**
+ *
+ */
+/* clang-format off */
+static const char *ksr_tls_keylog_vfilters[] = {
+ "CLIENT_RANDOM ",
+ "CLIENT_HANDSHAKE_TRAFFIC_SECRET ",
+ "SERVER_HANDSHAKE_TRAFFIC_SECRET ",
+ "EXPORTER_SECRET ",
+ "CLIENT_TRAFFIC_SECRET_0 ",
+ "SERVER_TRAFFIC_SECRET_0 ",
+ NULL
+};
+/* clang-format on */
+
+/**
+ *
+ */
+int ksr_tls_keylog_vfilter_match(const char *line)
+{
+ int i;
+
+ for(i = 0; ksr_tls_keylog_vfilters[i] != NULL; i++) {
+ if(strcasecmp(ksr_tls_keylog_vfilters[i], line) == 0) {
+ return 1;
+ }
+ }
+ return 0;
+}
+
 /**
 *
 */
diff --git a/src/modules/tls/tls_util.h b/src/modules/tls/tls_util.h
index fde753e64d6..1b6be69383c 100644
--- a/src/modules/tls/tls_util.h
+++ b/src/modules/tls/tls_util.h
@@ -37,6 +37,7 @@
 #define KSR_TLS_KEYLOG_MODE_MLOG (1 << 2)
 #define KSR_TLS_KEYLOG_MODE_FILE (1 << 3)
 #define KSR_TLS_KEYLOG_MODE_PEER (1 << 4)
+#define KSR_TLS_KEYLOG_MODE_VFILTER (1 << 10)
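Review bot: ksr_tls_keylog_vfilter_match() compares the whole key-log line against each table entry with `strcasecmp()`, but the entries are label prefixes ending in a space, while a key-log line is a label followed by further fields, so equality can only hold for a line that is the bare label. As written the function appears to return 0 for every real line, which means that with KSR_TLS_KEYLOG_MODE_VFILTER set the callback in tls_domain.c returns before the MLOG sink (and presumably the FILE and PEER sinks) and key logging is silently disabled rather than filtered. A prefix comparison matches the evident intent: `if(strncasecmp(ksr_tls_keylog_vfilters[i], line, strlen(ksr_tls_keylog_vfilters[i])) == 0) {`. The two empty `/** * */` blocks should say that the table is an allow-list of key-log labels and that the function returns 1 when `line` starts with one of them and 0 otherwise.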
static inline int tls_err_ret(
 char *s, SSL *ssl, tls_domains_cfg_t **tls_domains_cfg)
@@ -94,5 +95,6 @@ int ksr_tls_keylog_file_init(void);
 int ksr_tls_keylog_file_write(const SSL *ssl, const char *line);
 int ksr_tls_keylog_peer_init(void);
 int ksr_tls_keylog_peer_send(const SSL *ssl, const char *line);
+int ksr_tls_keylog_vfilter_match(const char *line);
#endif /* _TLS_UTIL_H */