From ac587595e505bff0b2fe66b08ade7ee0b9ebbc6e Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Tue, 17 Feb 2026 15:04:00 +0100 Subject: [PATCH 1/3] openssl: disable local keylog feature if built-in upstream --- lib/vtls/openssl.c | 8 +++++++- lib/vtls/openssl.h | 10 ++++++++-- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index f4273008ffed..d4f29f95f728 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -682,6 +682,7 @@ static void ossl_bio_cf_method_free(BIO_METHOD *m) BIO_meth_free(m); } +#ifndef HAVE_KEYLOG_BUILTIN #ifdef HAVE_KEYLOG_CALLBACK static void ossl_keylog_callback(const SSL *ssl, const char *line) { @@ -727,6 +728,7 @@ static void ossl_log_tls12_secret(const SSL *ssl, bool *keylog_done) master_key, master_key_length); } #endif /* !HAVE_KEYLOG_CALLBACK */ +#endif /* HAVE_KEYLOG_BUILTIN */ static const char *SSL_ERROR_to_str(int err) { @@ -1661,7 +1663,9 @@ static int ossl_init(void) 0; OPENSSL_init_ssl(flags, NULL); +#ifndef HAVE_KEYLOG_BUILTIN Curl_tls_keylog_open(); +#endif return 1; } @@ -1669,7 +1673,9 @@ static int ossl_init(void) /* Global cleanup */ static void ossl_cleanup(void) { +#ifndef HAVE_KEYLOG_BUILTIN Curl_tls_keylog_close(); +#endif } /* Selects an OpenSSL crypto engine or provider. @@ -4163,7 +4169,7 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter *cf, octx->x509_store_setup = TRUE; } -#ifndef HAVE_KEYLOG_CALLBACK +#if !defined(HAVE_KEYLOG_CALLBACK) && !defined(HAVE_KEYLOG_BUILTIN) /* If key logging is enabled, wait for the handshake to complete and then * proceed with logging secrets (for TLS 1.2 or older). */ diff --git a/lib/vtls/openssl.h b/lib/vtls/openssl.h index aeeb8dd805b0..9d97b93159b6 100644 --- a/lib/vtls/openssl.h +++ b/lib/vtls/openssl.h 
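Review bot: With `Curl_tls_keylog_open()` now skipped under HAVE_KEYLOG_BUILTIN in ossl_init, whether `Curl_tls_keylog_enabled()` reports true inside this backend depends on whether another TLS backend in the same (MultiSSL) build opened the shared keylog state, so any keylog use in this file that is not guarded like the four sites in this patch would still emit curl's own lines next to OpenSSL's. The hunks shown guard the callback definition, the TLS 1.2 fallback in ossl_connect_step2 and the open/close pair; the rest of openssl.c and the QUIC helpers are outside my view, so confirm no other caller of the keylog helpers remains unguarded. A why-comment on the new `#ifndef` would help the next reader: `/* OpenSSL 3.5+ built with enable-sslkeylog writes SSLKEYLOGFILE itself; opening curl's own log here would log every secret twice */`. ossl_init's body starts outside the hunk.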
@@ -44,13 +44,19 @@ #define HAVE_BORINGSSL_LIKE #endif +/* OpenSSL 3.5.0+ has built-in `SSLKEYLOGFILE` support if built with + `enable-sslkeylog` */ +#if OPENSSL_VERSION_NUMBER >= 0x30500000L && !defined(OPENSSL_NO_SSLKEYLOG) +#define HAVE_KEYLOG_BUILTIN +#endif + /* * Whether SSL_CTX_set_keylog_callback is available. * OpenSSL: supported since 1.1.1 https://github.com/openssl/openssl/pull/2287 * BoringSSL: supported since d28f59c27bac (committed 2015-11-19) * LibreSSL: not supported. 3.5.0+ has a stub function that does nothing. */ -#ifndef LIBRESSL_VERSION_NUMBER +#if !defined(LIBRESSL_VERSION_NUMBER) && !defined(HAVE_KEYLOG_BUILTIN) #define HAVE_KEYLOG_CALLBACK #endif @@ -73,7 +79,7 @@ struct ossl_ctx { CURLcode io_result; /* result of last BIO cfilter operation */ /* blocked writes need to retry with same length, remember it */ int blocked_ssl_write_len; -#ifndef HAVE_KEYLOG_CALLBACK +#if !defined(HAVE_KEYLOG_CALLBACK) && !defined(HAVE_KEYLOG_BUILTIN) /* Set to true once a valid keylog entry has been created to avoid dupes. This is a bool and not a bitfield because it is passed by address. */ bool keylog_done; From 9e23ed34dbc06734b827cfa3c9274fd76155d5f9 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Tue, 17 Feb 2026 16:08:18 +0100 Subject: [PATCH 2/3] cleanups --- lib/vtls/openssl.c | 4 ++-- lib/vtls/openssl.h | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index d4f29f95f728..118466b88ebe 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -3947,7 +3947,7 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx, SSL_CTX_set_verify(octx->ssl_ctx, SSL_VERIFY_NONE, NULL); /* Enable logging of secrets to the file specified in env SSLKEYLOGFILE. */ -#ifdef HAVE_KEYLOG_CALLBACK +#if !defined(HAVE_KEYLOG_BUILTIN) && defined(HAVE_KEYLOG_CALLBACK) if(Curl_tls_keylog_enabled()) { SSL_CTX_set_keylog_callback(octx->ssl_ctx, ossl_keylog_callback); } 
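Review bot: The new HAVE_KEYLOG_BUILTIN probe at the top of the hunk decides at compile time, from `OPENSSL_VERSION_NUMBER` and `OPENSSL_NO_SSLKEYLOG` in the headers, that the library will handle SSLKEYLOGFILE on its own, but that is only as reliable as the match between the build headers and the runtime shared library: headers from an `enable-sslkeylog` build paired with a runtime library built without it means nobody logs, and the reverse means both curl and OpenSSL log. It also trusts every library reporting a version number >= 3.5.0 to define `OPENSSL_NO_SSLKEYLOG` when it lacks the feature, which forks that follow the same version scheme presumably need checking against. I would record the assumption in the comment: `/* Compile-time probe: assumes the headers match the runtime library's enable-sslkeylog setting; a mismatch either logs nothing or logs each secret twice. */`.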
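Review bot: The comment `/* Enable logging of secrets to the file specified in env SSLKEYLOGFILE. */` sits above the new `#if !defined(HAVE_KEYLOG_BUILTIN) && defined(HAVE_KEYLOG_CALLBACK)` and still reads as if curl always installs the callback, which is no longer the case for OpenSSL 3.5+ built with enable-sslkeylog. Suggest `/* Enable logging of secrets to the file named by SSLKEYLOGFILE. OpenSSL 3.5+ built with enable-sslkeylog does this itself, so curl's callback is only installed for older or feature-less libraries. */`. Curl_ossl_ctx_init continues outside the hunk.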
@@ -4169,7 +4169,7 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter *cf, octx->x509_store_setup = TRUE; } -#if !defined(HAVE_KEYLOG_CALLBACK) && !defined(HAVE_KEYLOG_BUILTIN) +#if !defined(HAVE_KEYLOG_BUILTIN) && !defined(HAVE_KEYLOG_CALLBACK) /* If key logging is enabled, wait for the handshake to complete and then * proceed with logging secrets (for TLS 1.2 or older). */ diff --git a/lib/vtls/openssl.h b/lib/vtls/openssl.h index 9d97b93159b6..a36dfeb1a3a7 100644 --- a/lib/vtls/openssl.h +++ b/lib/vtls/openssl.h @@ -56,7 +56,7 @@ * BoringSSL: supported since d28f59c27bac (committed 2015-11-19) * LibreSSL: not supported. 3.5.0+ has a stub function that does nothing. */ -#if !defined(LIBRESSL_VERSION_NUMBER) && !defined(HAVE_KEYLOG_BUILTIN) +#ifndef LIBRESSL_VERSION_NUMBER #define HAVE_KEYLOG_CALLBACK #endif @@ -79,7 +79,7 @@ struct ossl_ctx { CURLcode io_result; /* result of last BIO cfilter operation */ /* blocked writes need to retry with same length, remember it */ int blocked_ssl_write_len; -#if !defined(HAVE_KEYLOG_CALLBACK) && !defined(HAVE_KEYLOG_BUILTIN) +#if !defined(HAVE_KEYLOG_BUILTIN) && !defined(HAVE_KEYLOG_CALLBACK) /* Set to true once a valid keylog entry has been created to avoid dupes. This is a bool and not a bitfield because it is passed by address. */ bool keylog_done; From c67463174ca82483892d45526402290afef94eed Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Tue, 17 Feb 2026 16:09:21 +0100 Subject: [PATCH 3/3] rename for clarity --- lib/vtls/openssl.c | 12 ++++++------ lib/vtls/openssl.h | 4 ++-- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 118466b88ebe..21847205811d 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -682,7 +682,7 @@ static void ossl_bio_cf_method_free(BIO_METHOD *m) BIO_meth_free(m); } -#ifndef HAVE_KEYLOG_BUILTIN +#ifndef HAVE_KEYLOG_UPSTREAM #ifdef HAVE_KEYLOG_CALLBACK static void ossl_keylog_callback(const SSL *ssl, const char *line) { 
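Review bot: Reverting to `#ifndef LIBRESSL_VERSION_NUMBER` means HAVE_KEYLOG_CALLBACK is defined even when HAVE_KEYLOG_BUILTIN is, so the two macros are no longer mutually exclusive and every consumer of HAVE_KEYLOG_CALLBACK must also test !HAVE_KEYLOG_BUILTIN, which this series does for the sites it touches but which is easy to miss in a future addition. That invariant is worth stating next to the define: `/* May be defined together with HAVE_KEYLOG_BUILTIN; every user must also check !HAVE_KEYLOG_BUILTIN so curl's callback is never installed next to OpenSSL's own logger. */`. Alternatively a single derived macro carrying the combined condition would remove the repeated two-term `#if` at each use site.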
@@ -728,7 +728,7 @@ static void ossl_log_tls12_secret(const SSL *ssl, bool *keylog_done) master_key, master_key_length); } #endif /* !HAVE_KEYLOG_CALLBACK */ -#endif /* HAVE_KEYLOG_BUILTIN */ +#endif /* HAVE_KEYLOG_UPSTREAM */ static const char *SSL_ERROR_to_str(int err) { @@ -1663,7 +1663,7 @@ static int ossl_init(void) 0; OPENSSL_init_ssl(flags, NULL); -#ifndef HAVE_KEYLOG_BUILTIN +#ifndef HAVE_KEYLOG_UPSTREAM Curl_tls_keylog_open(); #endif @@ -1673,7 +1673,7 @@ static int ossl_init(void) /* Global cleanup */ static void ossl_cleanup(void) { -#ifndef HAVE_KEYLOG_BUILTIN +#ifndef HAVE_KEYLOG_UPSTREAM Curl_tls_keylog_close(); #endif } @@ -3947,7 +3947,7 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx, SSL_CTX_set_verify(octx->ssl_ctx, SSL_VERIFY_NONE, NULL); /* Enable logging of secrets to the file specified in env SSLKEYLOGFILE. */ -#if !defined(HAVE_KEYLOG_BUILTIN) && defined(HAVE_KEYLOG_CALLBACK) +#if !defined(HAVE_KEYLOG_UPSTREAM) && defined(HAVE_KEYLOG_CALLBACK) if(Curl_tls_keylog_enabled()) { SSL_CTX_set_keylog_callback(octx->ssl_ctx, ossl_keylog_callback); } @@ -4169,7 +4169,7 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter *cf, octx->x509_store_setup = TRUE; } -#if !defined(HAVE_KEYLOG_BUILTIN) && !defined(HAVE_KEYLOG_CALLBACK) +#if !defined(HAVE_KEYLOG_UPSTREAM) && !defined(HAVE_KEYLOG_CALLBACK) /* If key logging is enabled, wait for the handshake to complete and then * proceed with logging secrets (for TLS 1.2 or older). */ diff --git a/lib/vtls/openssl.h b/lib/vtls/openssl.h index a36dfeb1a3a7..38c8d3ac6b04 100644 --- a/lib/vtls/openssl.h +++ b/lib/vtls/openssl.h @@ -47,7 +47,7 @@ /* OpenSSL 3.5.0+ has built-in `SSLKEYLOGFILE` support if built with `enable-sslkeylog` */ #if OPENSSL_VERSION_NUMBER >= 0x30500000L && !defined(OPENSSL_NO_SSLKEYLOG) -#define HAVE_KEYLOG_BUILTIN +#define HAVE_KEYLOG_UPSTREAM #endif /* 
@@ -79,7 +79,7 @@ struct ossl_ctx { CURLcode io_result; /* result of last BIO cfilter operation */ /* blocked writes need to retry with same length, remember it */ int blocked_ssl_write_len; -#if !defined(HAVE_KEYLOG_BUILTIN) && !defined(HAVE_KEYLOG_CALLBACK) +#if !defined(HAVE_KEYLOG_UPSTREAM) && !defined(HAVE_KEYLOG_CALLBACK) /* Set to true once a valid keylog entry has been created to avoid dupes. This is a bool and not a bitfield because it is passed by address. */ bool keylog_done;