2 files changed, 31 insertions, 0 deletions

diff --git a/ssl/ssl.h b/ssl/ssl.h
index 92ffae95c1..7d0c7bbe72 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2235,6 +2235,7 @@ int	SSL_SESSION_print_fp(FILE *fp,const SSL_SESSION *ses);
 #endif
 #ifndef OPENSSL_NO_BIO
 int	SSL_SESSION_print(BIO *fp,const SSL_SESSION *ses);
+int	SSL_SESSION_print_keylog(BIO *bp, const SSL_SESSION *x);
 #endif
 void	SSL_SESSION_free(SSL_SESSION *ses);
 int	i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp);
diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c
index 20b95a2829..0ffdcb0ea2 100644
--- a/ssl/ssl_txt.c
+++ b/ssl/ssl_txt.c
@@ -248,3 +248,33 @@ err:
 	return(0);
 	}
 
+/* print session id and master key in NSS keylog format
+   (RSA Session-ID:<session id> Master-Key:<master key>) */
+int SSL_SESSION_print_keylog(BIO *bp, const SSL_SESSION *x)
+	{
+	unsigned int i;
+
+	if (x == NULL) goto err;
+	if (x->session_id_length==0 || x->master_key_length==0) goto err;
+
+	/* the RSA prefix is required by the format's definition although there's
+	   nothing RSA-specifc in the output, therefore, we don't have to check
+	   if the cipher suite is based on RSA */
+	if (BIO_puts(bp,"RSA ") <= 0) goto err;
+
+	if (BIO_puts(bp,"Session-ID:") <= 0) goto err;
+	for (i=0; i<x->session_id_length; i++)
+		{
+		if (BIO_printf(bp,"%02X",x->session_id[i]) <= 0) goto err;
+		}
+	if (BIO_puts(bp," Master-Key:") <= 0) goto err;
+	for (i=0; i<(unsigned int)x->master_key_length; i++)
+		{
+		if (BIO_printf(bp,"%02X",x->master_key[i]) <= 0) goto err;
+		}
+	if (BIO_puts(bp,"\n") <= 0) goto err;
+
+	return(1);
+err:
+	return(0);
+	}