From 02b14378e699854b93fa10d08ef3e3ce26198502 Mon Sep 17 00:00:00 2001
From: Jay Satiro
Date: Fri, 17 May 2024 04:01:35 -0400
Subject: [PATCH] openssl: stop duplicate ssl key logging for legacy OpenSSL

- Don't call the keylog function if it has already logged the key.

For old OpenSSL versions and its forks that do not have support for OpenSSL's keylog callback, libcurl has its own legacy key logging function that logs the TLS 1.2 (and earlier) key (client random + master key) on a single line.

Prior to this change, since e7de80e8 (precedes 8.8.0), the legacy key logging function could write the same key line more than once (usually twice) due to some incorrect logic.

Closes https://github.com/curl/curl/pull/13683
---
 lib/vtls/openssl.c | 13 +++++--------
 lib/vtls/openssl.h | 5 +++--
 2 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 298a488a09..33ce0b11d2 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -4150,14 +4150,11 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter *cf,
   }
 
 #ifndef HAVE_KEYLOG_CALLBACK
-  if(Curl_tls_keylog_enabled()) {
-    /* If key logging is enabled, wait for the handshake to complete and then
-     * proceed with logging secrets (for TLS 1.2 or older).
-     */
-    bool done = FALSE;
-    ossl_log_tls12_secret(octx->ssl, &done);
-    octx->keylog_done = done;
-  }
+  /* If key logging is enabled, wait for the handshake to complete and then
+   * proceed with logging secrets (for TLS 1.2 or older).
+   */
+  if(Curl_tls_keylog_enabled() && !octx->keylog_done)
+    ossl_log_tls12_secret(octx->ssl, &octx->keylog_done);
 #endif
 
   /* 1 is fine
diff --git a/lib/vtls/openssl.h b/lib/vtls/openssl.h
index 55e06bda44..b0d78478a7 100644
--- a/lib/vtls/openssl.h
+++ b/lib/vtls/openssl.h
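Review bot: With the new guard `!octx->keylog_done`, once ossl_log_tls12_secret() has reported success no later pass through ossl_connect_step2 logs anything for this octx, so if the same octx can outlive the session it logged — I cannot tell from this hunk how octx is allocated or whether `octx->ssl` is ever replaced — the key of a subsequent handshake would be silently absent from the keylog file, and the flag should be cleared wherever `octx->ssl` is (re)created. The moved comment still says "wait for the handshake to complete", which no longer describes the guard; I would rewrite it as `/* Legacy key logging (TLS 1.2 or older): ossl_log_tls12_secret() sets keylog_done once it has written a valid entry, so later passes through step2 skip it. */`. The companion change in lib/vtls/openssl.h (second hunk) turns `keylog_done` into a plain `bool` so it can be passed by address, which requires the second parameter of ossl_log_tls12_secret() to be `bool *` — worth confirming, since its declaration is outside this hunk. ossl_connect_step2 begins and ends outside the hunk.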
@@ -45,8 +45,9 @@ struct ossl_ctx {
   BIO_METHOD *bio_method;
   CURLcode io_result; /* result of last BIO cfilter operation */
 #ifndef HAVE_KEYLOG_CALLBACK
-  /* Set to true once a valid keylog entry has been created to avoid dupes. */
-  BIT(keylog_done);
+  /* Set to true once a valid keylog entry has been created to avoid dupes.
+     This is a bool and not a bitfield because it is passed by address. */
+  bool keylog_done;
 #endif
   BIT(x509_store_setup); /* x509 store has been set up */
   BIT(reused_session); /* session-ID was reused for this */
-- 
2.47.3