Index: src/or/connection_or.c
===================================================================
--- src/or/connection_or.c	(revision 17827)
+++ src/or/connection_or.c	(working copy)
@@ -801,7 +801,8 @@
 {
   conn->_base.state = OR_CONN_STATE_TLS_HANDSHAKING;
   conn->tls = tor_tls_new(conn->_base.s, receiving);
-  tor_tls_set_logged_address(conn->tls, escaped_safe_str(conn->_base.address));
+  tor_tls_set_logged_address(conn->tls, conn->_base.address,
+                             conn->_base.port);
   if (!conn->tls) {
     log_warn(LD_BUG,"tor_tls_new failed. Closing.");
     return -1;
@@ -861,6 +862,8 @@
              tor_tls_err_to_string(result));
       return -1;
     case TOR_TLS_DONE:
+      /** Log TLS master key */
+      tor_tls_dump_tls_key(conn->tls);
       if (! tor_tls_used_v1_handshake(conn->tls)) {
         if (!tor_tls_is_server(conn->tls)) {
           if (conn->_base.state == OR_CONN_STATE_TLS_HANDSHAKING) {
Index: src/or/circuitbuild.c
===================================================================
--- src/or/circuitbuild.c	(revision 17827)
+++ src/or/circuitbuild.c	(working copy)
@@ -63,6 +63,9 @@
 static void entry_guards_changed(void);
 static time_t start_of_month(time_t when);
 
+/** Log the keys used for the circuit */
+int circuit_log_keys(origin_circuit_t *circ, crypt_path_t *hop);
+
 /** Iterate over values of circ_id, starting from conn-\>next_circ_id,
  * and with the high bit specified by conn-\>circ_id_type, until we get
  * a circ_id that is not in use by any other circuit on that conn.
@@ -977,6 +980,9 @@
     return -END_CIRC_REASON_TORPROTOCOL;
   }
 
+  /* Log the key material just negotiated for this circuit */
+  circuit_log_keys(circ, hop);
+
   hop->state = CPATH_STATE_OPEN;
   log_info(LD_CIRC,"Finished building %scircuit hop:",
            (reply_type == CELL_CREATED_FAST) ? "fast " : "");
@@ -986,6 +992,17 @@
   return 0;
 }
 
+/**
+ * Log the keys negotiated for the specified <b>hop</b> on this <b>circ</b>
+ */
+int
+circuit_log_keys(origin_circuit_t *circ, crypt_path_t *hop) {
+  
+  crypto_dump_crypto_key(hop->f_crypto, 1, circ->_base.n_circ_id);
+  crypto_dump_crypto_key(hop->b_crypto, 0, circ->_base.n_circ_id);
+  return 0;
+}
+
 /** We received a relay truncated cell on circ.
  *
  * Since we don't ask for truncates currently, getting a truncated
Index: src/common/crypto.c
===================================================================
--- src/common/crypto.c	(revision 17827)
+++ src/common/crypto.c	(working copy)
@@ -334,6 +334,33 @@
   tor_free(env);
 }
 
+/**
+ * Log the keys specified in <b>crypto</b>, along with the string <b>purpose</b>
+ */
+int
+crypto_dump_crypto_key(crypto_cipher_env_t *crypto, int forward,
+                      int circid) {
+  char buf[CIPHER_KEY_LEN*2 + 1];
+  char tbuf[64];
+
+  int i;
+  
+  /* Zero buffer as it is possible length is zero and tor_snprintf will not get called */
+  bzero(buf, sizeof(buf));
+
+  for (i = 0; i<CIPHER_KEY_LEN; ++i)
+  {
+  	tor_snprintf(buf + 2*i, sizeof(buf) - 2*i, "%02x", ((int)crypto->key[i])&0xFF);
+  }
+  
+  tor_snprintf(tbuf, sizeof(tbuf), "%s crypto, n_circid: %d",
+               (forward)?"forward":"reverse",circid);
+  fprintf(stdout, "%i,%s,%s\n", circid,(forward)?"forward":"reverse", buf);
+  fprintf(stdout, "Key for %s: <%s>\n", tbuf, buf);
+  log_info(LD_CRYPTO, "Key for %s: <%s>", tbuf, buf);
+  return 0;
+}
+
 /** Create a new symmetric cipher for a given key and encryption flag
  * (1=encrypt, 0=decrypt).  Return the crypto object on success; NULL
  * on failure.
Index: src/common/crypto.h
===================================================================
--- src/common/crypto.h	(revision 17827)
+++ src/common/crypto.h	(working copy)
@@ -171,6 +171,9 @@
 int crypto_expand_key_material(const char *key_in, size_t in_len,
                                char *key_out, size_t key_out_len);
 
+/* Logging circuit crypto keys */
+int crypto_dump_crypto_key(crypto_cipher_env_t *crypto, int forward, int circid);
+
 /* random numbers */
 int crypto_seed_rng(int startup);
 int crypto_rand(char *to, size_t n);
Index: src/common/tortls.c
===================================================================
--- src/common/tortls.c	(revision 17827)
+++ src/common/tortls.c	(working copy)
@@ -74,6 +74,7 @@
   SSL *ssl; /**< An OpenSSL SSL object. */
   int socket; /**< The underlying file descriptor for this TLS connection. */
   char *address; /**< An address to log when describing this connectinon. */
+  uint16_t port; /**< An address to log when describing this connectinon. */
   enum {
     TOR_TLS_ST_HANDSHAKE, TOR_TLS_ST_OPEN, TOR_TLS_ST_GOTCLOSE,
     TOR_TLS_ST_SENTCLOSE, TOR_TLS_ST_CLOSED, TOR_TLS_ST_RENEGOTIATE,
@@ -873,11 +877,12 @@
  * <b>address</b>.
  */
 void
-tor_tls_set_logged_address(tor_tls_t *tls, const char *address)
+tor_tls_set_logged_address(tor_tls_t *tls, const char *address, uint16_t port)
 {
   tor_assert(tls);
   tor_free(tls->address);
   tls->address = tor_strdup(address);
+  tls->port = port;
 }
 
 /** Set <b>cb</b> to be called with argument <b>arg</b> whenever <b>tls</b>
@@ -1003,6 +1008,37 @@
   return err;
 }
 
+/**
+ * Log the TLS master key
+ */
+int
+tor_tls_dump_tls_key(tor_tls_t *tls) {
+  char buf[SSL_MAX_MASTER_KEY_LENGTH*2 + 1];
+//   char buf2[SSL_MAX_MASTER_KEY_LENGTH*4 + 1];
+  int i;
+  SSL_SESSION *ctx;
+  
+  /* Get a reference to the OpenSSL session */
+  ctx = tls->ssl->session;
+  
+  if (! ctx) {
+  	log_info(LD_NET, "TLS master key: NULL");
+  	return 0;
+  }
+  
+  /* Zero buffer as it is possible length is zero and tor_snprintf will not get called */
+  bzero(buf, sizeof(buf));
+
+  /* Convert the master key to a hex string */
+  for (i = 0; i < ctx->master_key_length; ++i) {
+  	tor_snprintf(buf + 2*i, sizeof(buf) - 2*i, "%02x", ((int)ctx->master_key[i]) & 0xFF);
+  }
+  fprintf(stdout,"%s,%u,tor,%s\n", ADDR(tls),(tls)->port, buf);
+  fprintf(stdout, "TLS master key for %s: <%s>\n", ADDR(tls), buf);
+  fflush(stdout);
+  return 0;
+}
+
 /** Perform initial handshake on <b>tls</b>.  When finished, returns
  * TOR_TLS_DONE.  On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD,
  * or TOR_TLS_WANTWRITE.
Index: src/common/tortls.h
===================================================================
--- src/common/tortls.h	(revision 17827)
+++ src/common/tortls.h	(working copy)
@@ -54,7 +54,8 @@
 void tor_tls_free_all(void);
 int tor_tls_context_new(crypto_pk_env_t *rsa, unsigned int key_lifetime);
 tor_tls_t *tor_tls_new(int sock, int is_server);
-void tor_tls_set_logged_address(tor_tls_t *tls, const char *address);
+void tor_tls_set_logged_address(tor_tls_t *tls, const char *address,
+                                uint16_t port);
 void tor_tls_set_renegotiate_callback(tor_tls_t *tls,
                                       void (*cb)(tor_tls_t *, void *arg),
                                       void *arg);
@@ -86,5 +87,8 @@
 
 void _check_no_tls_errors(const char *fname, int line);
 
+/* Log the TLS master key */
+int tor_tls_dump_tls_key(tor_tls_t *tls);
+
 #endif