From 0eaf42a2a47f2ee73045e48274ed98e00aa44dba Mon Sep 17 00:00:00 2001
From: Frederic Lecaille <flecaille@haproxy.com>
Date: Tue, 16 Jan 2024 10:17:27 +0100
Subject: [PATCH] BUG/MEDIUM: quic: keylog callback not called
 (USE_OPENSSL_COMPAT)

This bug impacts only the QUIC OpenSSL compatibility module (USE_QUIC_OPENSSL_COMPAT)
and it was introduced by this commit:

    BUG/MINOR: quic: Wrong keylog callback setting.

quic_tls_compat_keylog_callback() callback was no more set when the SSL keylog was
enabled by tune.ssl.keylog setting. This is the callback which sets the TLS secrets
into haproxy.

Set it again when the SSL keylog is not enabled by configuration.

Thank you to @Greg57070 for having reported this issue in GH #2412.

Must be backported as far as 2.8.
---
 src/quic_openssl_compat.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/quic_openssl_compat.c b/src/quic_openssl_compat.c
index 2a8f83dc4..d914ac4d0 100644
--- a/src/quic_openssl_compat.c
+++ b/src/quic_openssl_compat.c
@@ -61,6 +61,12 @@ int quic_tls_compat_init(struct bind_conf *bind_conf, SSL_CTX *ctx)
 	if (bind_conf->xprt != xprt_get(XPRT_QUIC))
 		return 1;
 
+	/* This callback is already registered if the TLS keylog is activated for
+	 * traffic decryption analysis.
+	 */
+	if (!global_ssl.keylog)
+		SSL_CTX_set_keylog_callback(ctx, quic_tls_compat_keylog_callback);
+
 	if (SSL_CTX_has_client_custom_ext(ctx, QUIC_OPENSSL_COMPAT_SSL_TP_EXT))
 		return 1;