From a8143e50357d796b4f59b58a6add97e2b0c319b1 Mon Sep 17 00:00:00 2001
From: Peter Wu
Date: Wed, 20 Nov 2019 18:26:19 +0000
Subject: sslkeylog: add macOS support

Tested with macOS 10.15.1 (Catalina). Works with python3 3.7.5 (requests library) and openssl 1.1.1d (s_client) from Homebrew. Does not work with curl 7.64.1 in /usr/bin/curl because it is signed and does not allow DYLD environment variables to be passed when SIP is enabled.
---
 src/sslkeylog.sh | 51 ++++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 48 insertions(+), 3 deletions(-)
(limited to 'src/sslkeylog.sh')
diff --git a/src/sslkeylog.sh b/src/sslkeylog.sh
index 0197302..38036f5 100755
--- a/src/sslkeylog.sh
+++ b/src/sslkeylog.sh
@@ -15,9 +15,54 @@ gdb() {
 "$@"
 }

-LD_PRELOAD=$(readlink -f "${BASH_SOURCE[0]%/*}")/libsslkeylog.so
-SSLKEYLOGFILE=${SSLKEYLOGFILE:-/dev/stderr}
-export LD_PRELOAD SSLKEYLOGFILE
+case "$OSTYPE" in
+darwin*)
+ # Unfortunately not all executables can be injected (e.g. /usr/bin/curl).
+ # See also man dyld
+ #
+ # "Note: If System Integrity Protection is enabled, these environment
+ # variables are ignored when executing binaries protected by System
+ # Integrity Protection."
+ #
+ # Note that DYLD_* env vars are *not* propagated though system binaries such
+ # as bash. To set an environment variable, use 'env' as in:
+ #
+ # ./sslkeylog.sh env DYLD_PRINT_OPTS=1 python3
+ #
+ # If the variable is picked up, it should show something like:
+ #
+ # opt[0] = "python3"
+ #
+ # If not visible, then interception is not possible until SIP is disabled.
+
+ export DYLD_INSERT_LIBRARIES=$(cd "${BASH_SOURCE[0]%/*}" && pwd)/libsslkeylog.dylib
+ export DYLD_FORCE_FLAT_NAMESPACE=1
+ # Expected output: dyld: loaded: <1A23FBC9-68C9-3808-88A5-C2D3A18C7DE1> .../wireshark-notes/src/libsslkeylog.dylib
+ #export DYLD_PRINT_LIBRARIES=1
+ # Expected output: dyld: lazy bind: openssl:0x105B21CE0 = libsslkeylog.dylib:_SSL_new, *0x105B21CE0 = 0x105B59660
+ #export DYLD_PRINT_BINDINGS
+
+ # Since DYLD is not propagated when using 'env', simulate it here.
+ # This is safer than using 'eval'.
+ if [[ ${BASH_SOURCE[0]} == $0 ]] && [[ "$1" == env ]]; then
+ shift
+ while [ $# -gt 0 ]; do
+ case "$1" in
+ *=*)
+ export "$1"
+ shift
+ ;;
+ *)
+ break
+ esac
+ done
+ fi
+ ;;
+*)
+ export LD_PRELOAD=$(readlink -f "${BASH_SOURCE[0]%/*}")/libsslkeylog.so
+ ;;
+esac
+export SSLKEYLOGFILE=${SSLKEYLOGFILE:-/dev/stderr}

 # Run the command (if not sourced)
 [[ ${BASH_SOURCE[0]} != $0 ]] || \
-- 
cgit v1.2.1
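Review bot: In the `darwin*)` branch, `export DYLD_INSERT_LIBRARIES=$(cd "${BASH_SOURCE[0]%/*}" && pwd)/libsslkeylog.dylib` hides a failed `cd`: when the script is sourced or run by bare name, so that `BASH_SOURCE[0]` contains no slash, `%/*` leaves the file name, `cd` fails, and the variable becomes `/libsslkeylog.dylib`, a path outside the checkout that is then exported for injection into every child process. A set `CDPATH` can also make `cd` print the directory it picked (or pick a different one), which corrupts the substituted path. Resolve the directory first and export only when the library is really there, e.g. `sslkeylog_dir=$(CDPATH= cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)` followed by `[[ -f $sslkeylog_dir/libsslkeylog.dylib ]] && export DYLD_INSERT_LIBRARIES=$sslkeylog_dir/libsslkeylog.dylib`. The `*)` branch's `export LD_PRELOAD=$(readlink -f …)` likewise builds a wrong path in the no-slash case and masks the substitution's exit status.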