From 2e8a4db9b6b942e3180afda0dc0fd8ac506527f1 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Thu, 26 Mar 2020 23:20:08 -0300 Subject: [PATCH] openssl: revert EOF detection change in 1.1.1 This adds patches to avoid possible application breakage caused by a change in behavior introduced in 1.1.1e. It affects at least nginx, which logs error messages such as: nginx[16652]: [crit] 16675#0: *358 SSL_read() failed (SSL: error: 4095126:SSL routines:ssl3_read_n:unexpected eof while reading) while keepalive, client: xxxx, server: [::]:443 Openssl commits db943f4 (Detect EOF while reading in libssl), and 22623e0 (Teach more BIOs how to handle BIO_CTRL_EOF) changed the behavior when encountering an EOF in SSL_read(). Previous behavior was to return SSL_ERROR_SYSCALL, but errno would still be 0. The commits being reverted changed it to SSL_ERRO_SSL, and add an error to the stack, which is correct. Unfortunately this affects a number of applications that counted on the old behavior, including nginx. The reversion was discussed in openssl/openssl#11378, and implemented as PR openssl/openssl#11400. Signed-off-by: Eneas U de Queiroz --- package/libs/openssl/Makefile | 2 +- ...t-Detect-EOF-while-reading-in-libssl.patch | 80 +++++++++++++++++++ 2 files changed, 81 insertions(+), 1 deletion(-) create mode 100644 package/libs/openssl/patches/200-Partially-revert-Detect-EOF-while-reading-in-libssl.patch diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 353ae453f54..ca45549800a 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,7 +11,7 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=e PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_USE_MIPS16:=0 ENGINES_DIR=engines-1.1 diff --git a/package/libs/openssl/patches/200-Partially-revert-Detect-EOF-while-reading-in-libssl.patch b/package/libs/openssl/patches/200-Partially-revert-Detect-EOF-while-reading-in-libssl.patch new file mode 100644 index 00000000000..c269dff07c0 --- /dev/null +++ b/package/libs/openssl/patches/200-Partially-revert-Detect-EOF-while-reading-in-libssl.patch @@ -0,0 +1,80 @@ +From 30d190caf311d534867df97e26b552e628cb7d85 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Wed, 25 Mar 2020 14:15:31 +0100 +Subject: [PATCH] Partially revert "Detect EOF while reading in libssl" + +This partially reverts commit db943f43a60d1b5b1277e4b5317e8f288e7a0a3a. + +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/11400) + +diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt +index f5324c6819..35512f9caf 100644 +--- a/crypto/err/openssl.txt ++++ b/crypto/err/openssl.txt +@@ -2852,7 +2852,6 @@ SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES:242:unable to load ssl3 md5 routines + SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES:243:unable to load ssl3 sha1 routines + SSL_R_UNEXPECTED_CCS_MESSAGE:262:unexpected ccs message + SSL_R_UNEXPECTED_END_OF_EARLY_DATA:178:unexpected end of early data +-SSL_R_UNEXPECTED_EOF_WHILE_READING:294:unexpected eof while reading + SSL_R_UNEXPECTED_MESSAGE:244:unexpected message + SSL_R_UNEXPECTED_RECORD:245:unexpected record + SSL_R_UNINITIALIZED:276:uninitialized +diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h +index 0ef684f3c1..ba4c4ae5fb 100644 +--- a/include/openssl/sslerr.h ++++ b/include/openssl/sslerr.h +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -734,7 +734,6 @@ int ERR_load_SSL_strings(void); + # define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243 + # define SSL_R_UNEXPECTED_CCS_MESSAGE 262 + # define SSL_R_UNEXPECTED_END_OF_EARLY_DATA 178 +-# define SSL_R_UNEXPECTED_EOF_WHILE_READING 294 + # define SSL_R_UNEXPECTED_MESSAGE 244 + # define SSL_R_UNEXPECTED_RECORD 245 + # define SSL_R_UNINITIALIZED 276 +diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c +index 1c885a664f..b2a7a47eb0 100644 +--- a/ssl/record/rec_layer_s3.c ++++ b/ssl/record/rec_layer_s3.c +@@ -296,12 +296,6 @@ int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold, + ret = BIO_read(s->rbio, pkt + len + left, max - left); + if (ret >= 0) + bioread = ret; +- if (ret <= 0 +- && !BIO_should_retry(s->rbio) +- && BIO_eof(s->rbio)) { +- SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_READ_N, +- SSL_R_UNEXPECTED_EOF_WHILE_READING); +- } + } else { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_N, + SSL_R_READ_BIO_NOT_SET); +diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c +index a0c7b79659..4b12ed1485 100644 +--- a/ssl/ssl_err.c ++++ b/ssl/ssl_err.c +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -1205,8 +1205,6 @@ static const ERR_STRING_DATA SSL_str_reasons[] = { + "unexpected ccs message"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_END_OF_EARLY_DATA), + "unexpected end of early data"}, +- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_EOF_WHILE_READING), +- "unexpected eof while reading"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_MESSAGE), "unexpected message"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_RECORD), "unexpected record"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},