[OpenWrt-Devel] [RFC PATCH 1/1] openssl: revert EOF detection change in 1.1.1
Eneas U de Queiroz
cotequeiroz at gmail.com
Tue Mar 24 22:23:28 EDT 2020
This adds patches to fix errors in nginx session resumption, and logging
messages such as:
nginx[16652]: [crit] 16675#0: *358 SSL_read() failed (SSL: error:
4095126:SSL routines:ssl3_read_n:unexpected eof while reading) while
keepalive, client: xxxx, server: [::]:443
Openssl commits db943f4 (Detect EOF while reading in libssl), and
22623e0 (Teach more BIOs how to handle BIO_CTRL_EOF) changed the
behavior when encountering an EOF in SSL_read(). Previous behavior was
to return SSL_ERROR_SYSCALL, but errno would still be 0. The commits
being reverted changed it to SSL_ERRO_SSL, and add an error to the
stack, which is correct. Unfortunately this affects a number of
applications that counted on the old behavior, including nginx.
Currently, openssl is discussing what to do, but leaning towards
reverting the commits in 1.1.1, while making the change for the next
release.
Signed-off-by: Eneas U de Queiroz <cotequeiroz at gmail.com>
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 353ae453f5..ca45549800 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
PKG_BASE:=1.1.1
PKG_BUGFIX:=e
PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_USE_MIPS16:=0
ENGINES_DIR=engines-1.1
diff --git a/package/libs/openssl/patches/200-Revert-Detect-EOF-while-reading-in-libssl.patch b/package/libs/openssl/patches/200-Revert-Detect-EOF-while-reading-in-libssl.patch
new file mode 100644
index 0000000000..307a0980e3
--- /dev/null
+++ b/package/libs/openssl/patches/200-Revert-Detect-EOF-while-reading-in-libssl.patch
@@ -0,0 +1,112 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cotequeiroz at gmail.com>
+Date: Tue, 24 Mar 2020 22:09:01 -0300
+Subject: [PATCH] Revert "Detect EOF while reading in libssl"
+
+This reverts commit db943f43a60d1b5b1277e4b5317e8f288e7a0a3a.
+
+diff --git a/crypto/bio/bss_sock.c b/crypto/bio/bss_sock.c
+index 6251f3d46a..a3d34daab3 100644
+--- a/crypto/bio/bss_sock.c
++++ b/crypto/bio/bss_sock.c
+@@ -101,8 +101,6 @@ static int sock_read(BIO *b, char *out, int outl)
+ if (ret <= 0) {
+ if (BIO_sock_should_retry(ret))
+ BIO_set_retry_read(b);
+- else if (ret == 0)
+- b->flags |= BIO_FLAGS_IN_EOF;
+ }
+ }
+ return ret;
+@@ -153,9 +151,6 @@ static long sock_ctrl(BIO *b, int cmd, long num, void *ptr)
+ case BIO_CTRL_FLUSH:
+ ret = 1;
+ break;
+- case BIO_CTRL_EOF:
+- ret = (b->flags & BIO_FLAGS_IN_EOF) != 0 ? 1 : 0;
+- break;
+ default:
+ ret = 0;
+ break;
+diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
+index f5324c6819..35512f9caf 100644
+--- a/crypto/err/openssl.txt
++++ b/crypto/err/openssl.txt
+@@ -2852,7 +2852,6 @@ SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES:242:unable to load ssl3 md5 routines
+ SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES:243:unable to load ssl3 sha1 routines
+ SSL_R_UNEXPECTED_CCS_MESSAGE:262:unexpected ccs message
+ SSL_R_UNEXPECTED_END_OF_EARLY_DATA:178:unexpected end of early data
+-SSL_R_UNEXPECTED_EOF_WHILE_READING:294:unexpected eof while reading
+ SSL_R_UNEXPECTED_MESSAGE:244:unexpected message
+ SSL_R_UNEXPECTED_RECORD:245:unexpected record
+ SSL_R_UNINITIALIZED:276:uninitialized
+diff --git a/include/openssl/bio.h b/include/openssl/bio.h
+index ae559a5105..250aecba27 100644
+--- a/include/openssl/bio.h
++++ b/include/openssl/bio.h
+@@ -169,7 +169,6 @@ extern "C" {
+ */
+ # define BIO_FLAGS_MEM_RDONLY 0x200
+ # define BIO_FLAGS_NONCLEAR_RST 0x400
+-# define BIO_FLAGS_IN_EOF 0x800
+
+ typedef union bio_addr_st BIO_ADDR;
+ typedef struct bio_addrinfo_st BIO_ADDRINFO;
+diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
+index 0ef684f3c1..ba4c4ae5fb 100644
+--- a/include/openssl/sslerr.h
++++ b/include/openssl/sslerr.h
+@@ -1,6 +1,6 @@
+ /*
+ * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+@@ -734,7 +734,6 @@ int ERR_load_SSL_strings(void);
+ # define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243
+ # define SSL_R_UNEXPECTED_CCS_MESSAGE 262
+ # define SSL_R_UNEXPECTED_END_OF_EARLY_DATA 178
+-# define SSL_R_UNEXPECTED_EOF_WHILE_READING 294
+ # define SSL_R_UNEXPECTED_MESSAGE 244
+ # define SSL_R_UNEXPECTED_RECORD 245
+ # define SSL_R_UNINITIALIZED 276
+diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
+index 1c885a664f..b2a7a47eb0 100644
+--- a/ssl/record/rec_layer_s3.c
++++ b/ssl/record/rec_layer_s3.c
+@@ -296,12 +296,6 @@ int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold,
+ ret = BIO_read(s->rbio, pkt + len + left, max - left);
+ if (ret >= 0)
+ bioread = ret;
+- if (ret <= 0
+- && !BIO_should_retry(s->rbio)
+- && BIO_eof(s->rbio)) {
+- SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_READ_N,
+- SSL_R_UNEXPECTED_EOF_WHILE_READING);
+- }
+ } else {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_N,
+ SSL_R_READ_BIO_NOT_SET);
+diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
+index a0c7b79659..4b12ed1485 100644
+--- a/ssl/ssl_err.c
++++ b/ssl/ssl_err.c
+@@ -1,6 +1,6 @@
+ /*
+ * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+@@ -1205,8 +1205,6 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
+ "unexpected ccs message"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_END_OF_EARLY_DATA),
+ "unexpected end of early data"},
+- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_EOF_WHILE_READING),
+- "unexpected eof while reading"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_MESSAGE), "unexpected message"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_RECORD), "unexpected record"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
diff --git a/package/libs/openssl/patches/210-Revert-Teach-more-BIOs-how-to-handle-BIO_CTRL_EOF.patch b/package/libs/openssl/patches/210-Revert-Teach-more-BIOs-how-to-handle-BIO_CTRL_EOF.patch
new file mode 100644
index 0000000000..2adde6f41d
--- /dev/null
+++ b/package/libs/openssl/patches/210-Revert-Teach-more-BIOs-how-to-handle-BIO_CTRL_EOF.patch
@@ -0,0 +1,71 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cotequeiroz at gmail.com>
+Date: Tue, 24 Mar 2020 22:16:06 -0300
+Subject: [PATCH] Revert "Teach more BIOs how to handle BIO_CTRL_EOF"
+
+This reverts commit 22623e0cc26a11908253206a721873d4101cd466.
+
+diff --git a/crypto/bio/bss_acpt.c b/crypto/bio/bss_acpt.c
+index b38e47a592..f0272ef32f 100644
+--- a/crypto/bio/bss_acpt.c
++++ b/crypto/bio/bss_acpt.c
+@@ -527,12 +527,7 @@ static long acpt_ctrl(BIO *b, int cmd, long num, void *ptr)
+ break;
+ case BIO_CTRL_DUP:
+ break;
+- case BIO_CTRL_EOF:
+- if (b->next_bio == NULL)
+- ret = 0;
+- else
+- ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
+- break;
++
+ default:
+ ret = 0;
+ break;
+diff --git a/crypto/bio/bss_conn.c b/crypto/bio/bss_conn.c
+index dd43a40601..84b9520328 100644
+--- a/crypto/bio/bss_conn.c
++++ b/crypto/bio/bss_conn.c
+@@ -316,8 +316,6 @@ static int conn_read(BIO *b, char *out, int outl)
+ if (ret <= 0) {
+ if (BIO_sock_should_retry(ret))
+ BIO_set_retry_read(b);
+- else if (ret == 0)
+- b->flags |= BIO_FLAGS_IN_EOF;
+ }
+ }
+ return ret;
+@@ -497,9 +495,6 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
+ *fptr = data->info_callback;
+ }
+ break;
+- case BIO_CTRL_EOF:
+- ret = (b->flags & BIO_FLAGS_IN_EOF) != 0 ? 1 : 0;
+- break;
+ default:
+ ret = 0;
+ break;
+diff --git a/crypto/bio/bss_fd.c b/crypto/bio/bss_fd.c
+index ccbe1626ba..31d5241e6a 100644
+--- a/crypto/bio/bss_fd.c
++++ b/crypto/bio/bss_fd.c
+@@ -123,8 +123,6 @@ static int fd_read(BIO *b, char *out, int outl)
+ if (ret <= 0) {
+ if (BIO_fd_should_retry(ret))
+ BIO_set_retry_read(b);
+- else if (ret == 0)
+- b->flags |= BIO_FLAGS_IN_EOF;
+ }
+ }
+ return ret;
+@@ -188,9 +186,6 @@ static long fd_ctrl(BIO *b, int cmd, long num, void *ptr)
+ case BIO_CTRL_FLUSH:
+ ret = 1;
+ break;
+- case BIO_CTRL_EOF:
+- ret = (b->flags & BIO_FLAGS_IN_EOF) != 0 ? 1 : 0;
+- break;
+ default:
+ ret = 0;
+ break;
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
More information about the openwrt-devel
mailing list