mirror of https://github.com/hak5/openwrt.git
openssl: revert EOF detection change in 1.1.1
This adds patches to avoid possible application breakage caused by a
change in behavior introduced in 1.1.1e. It affects at least nginx,
which logs error messages such as:
nginx[16652]: [crit] 16675#0: *358 SSL_read() failed (SSL: error:
4095126:SSL routines:ssl3_read_n:unexpected eof while reading) while
keepalive, client: xxxx, server: [::]:443
Openssl commits db943f4 (Detect EOF while reading in libssl), and
22623e0 (Teach more BIOs how to handle BIO_CTRL_EOF) changed the
behavior when encountering an EOF in SSL_read(). Previous behavior was
to return SSL_ERROR_SYSCALL, but errno would still be 0. The commits
being reverted changed it to SSL_ERRO_SSL, and add an error to the
stack, which is correct. Unfortunately this affects a number of
applications that counted on the old behavior, including nginx.
The reversion was discussed in openssl/openssl#11378, and implemented as
PR openssl/openssl#11400.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 2e8a4db9b6
)
openwrt-19.07
parent
c6c3f6bb0a
commit
eea3a9625c
|
@ -11,7 +11,7 @@ PKG_NAME:=openssl
|
|||
PKG_BASE:=1.1.1
|
||||
PKG_BUGFIX:=e
|
||||
PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
|
||||
PKG_RELEASE:=1
|
||||
PKG_RELEASE:=2
|
||||
PKG_USE_MIPS16:=0
|
||||
ENGINES_DIR=engines-1.1
|
||||
|
||||
|
|
|
@ -0,0 +1,80 @@
|
|||
From 30d190caf311d534867df97e26b552e628cb7d85 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Wed, 25 Mar 2020 14:15:31 +0100
|
||||
Subject: [PATCH] Partially revert "Detect EOF while reading in libssl"
|
||||
|
||||
This partially reverts commit db943f43a60d1b5b1277e4b5317e8f288e7a0a3a.
|
||||
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/11400)
|
||||
|
||||
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
|
||||
index f5324c6819..35512f9caf 100644
|
||||
--- a/crypto/err/openssl.txt
|
||||
+++ b/crypto/err/openssl.txt
|
||||
@@ -2852,7 +2852,6 @@ SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES:242:unable to load ssl3 md5 routines
|
||||
SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES:243:unable to load ssl3 sha1 routines
|
||||
SSL_R_UNEXPECTED_CCS_MESSAGE:262:unexpected ccs message
|
||||
SSL_R_UNEXPECTED_END_OF_EARLY_DATA:178:unexpected end of early data
|
||||
-SSL_R_UNEXPECTED_EOF_WHILE_READING:294:unexpected eof while reading
|
||||
SSL_R_UNEXPECTED_MESSAGE:244:unexpected message
|
||||
SSL_R_UNEXPECTED_RECORD:245:unexpected record
|
||||
SSL_R_UNINITIALIZED:276:uninitialized
|
||||
diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
|
||||
index 0ef684f3c1..ba4c4ae5fb 100644
|
||||
--- a/include/openssl/sslerr.h
|
||||
+++ b/include/openssl/sslerr.h
|
||||
@@ -1,6 +1,6 @@
|
||||
/*
|
||||
* Generated by util/mkerr.pl DO NOT EDIT
|
||||
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@@ -734,7 +734,6 @@ int ERR_load_SSL_strings(void);
|
||||
# define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243
|
||||
# define SSL_R_UNEXPECTED_CCS_MESSAGE 262
|
||||
# define SSL_R_UNEXPECTED_END_OF_EARLY_DATA 178
|
||||
-# define SSL_R_UNEXPECTED_EOF_WHILE_READING 294
|
||||
# define SSL_R_UNEXPECTED_MESSAGE 244
|
||||
# define SSL_R_UNEXPECTED_RECORD 245
|
||||
# define SSL_R_UNINITIALIZED 276
|
||||
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
|
||||
index 1c885a664f..b2a7a47eb0 100644
|
||||
--- a/ssl/record/rec_layer_s3.c
|
||||
+++ b/ssl/record/rec_layer_s3.c
|
||||
@@ -296,12 +296,6 @@ int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold,
|
||||
ret = BIO_read(s->rbio, pkt + len + left, max - left);
|
||||
if (ret >= 0)
|
||||
bioread = ret;
|
||||
- if (ret <= 0
|
||||
- && !BIO_should_retry(s->rbio)
|
||||
- && BIO_eof(s->rbio)) {
|
||||
- SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_READ_N,
|
||||
- SSL_R_UNEXPECTED_EOF_WHILE_READING);
|
||||
- }
|
||||
} else {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_N,
|
||||
SSL_R_READ_BIO_NOT_SET);
|
||||
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
|
||||
index a0c7b79659..4b12ed1485 100644
|
||||
--- a/ssl/ssl_err.c
|
||||
+++ b/ssl/ssl_err.c
|
||||
@@ -1,6 +1,6 @@
|
||||
/*
|
||||
* Generated by util/mkerr.pl DO NOT EDIT
|
||||
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@@ -1205,8 +1205,6 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
|
||||
"unexpected ccs message"},
|
||||
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_END_OF_EARLY_DATA),
|
||||
"unexpected end of early data"},
|
||||
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_EOF_WHILE_READING),
|
||||
- "unexpected eof while reading"},
|
||||
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_MESSAGE), "unexpected message"},
|
||||
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_RECORD), "unexpected record"},
|
||||
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
|
Loading…
Reference in New Issue