From ea310218f3fb1a363940c95a2bb452d2e07d951b Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 26 Mar 2020 15:14:08 +0100 Subject: [PATCH] revert the unexpected EOF error reporting change it is too disruptive for the stable release branch --- openssl-1.1.1-eof-error-revert.patch | 101 +++++++++++++++++++++++++++ openssl.spec | 8 ++- 2 files changed, 108 insertions(+), 1 deletion(-) create mode 100644 openssl-1.1.1-eof-error-revert.patch diff --git a/openssl-1.1.1-eof-error-revert.patch b/openssl-1.1.1-eof-error-revert.patch new file mode 100644 index 0000000..cfb0d6d --- /dev/null +++ b/openssl-1.1.1-eof-error-revert.patch @@ -0,0 +1,101 @@ +diff -up openssl-1.1.1e/CHANGES.eof-revert openssl-1.1.1e/CHANGES +--- openssl-1.1.1e/CHANGES.eof-revert 2020-03-26 15:07:42.123628736 +0100 ++++ openssl-1.1.1e/CHANGES 2020-03-26 15:10:13.309733024 +0100 +@@ -8,7 +8,8 @@ + release branch. + + Changes between 1.1.1d and 1.1.1e [17 Mar 2020] +- *) Properly detect EOF while reading in libssl. Previously if we hit an EOF ++ *) **** REVERTED on 1.1.1 branch after 1.1.1e release **** ++ Properly detect EOF while reading in libssl. Previously if we hit an EOF + while reading in libssl then we would report an error back to the + application (SSL_ERROR_SYSCALL) but errno would be 0. We now add + an error to the stack (which means we instead return SSL_ERROR_SSL) and +diff -up openssl-1.1.1e/crypto/err/openssl.txt.eof-revert openssl-1.1.1e/crypto/err/openssl.txt +--- openssl-1.1.1e/crypto/err/openssl.txt.eof-revert 2020-03-26 15:07:42.085629464 +0100 ++++ openssl-1.1.1e/crypto/err/openssl.txt 2020-03-26 15:07:42.124628717 +0100 +@@ -2901,7 +2901,6 @@ SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES:2 + SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES:243:unable to load ssl3 sha1 routines + SSL_R_UNEXPECTED_CCS_MESSAGE:262:unexpected ccs message + SSL_R_UNEXPECTED_END_OF_EARLY_DATA:178:unexpected end of early data +-SSL_R_UNEXPECTED_EOF_WHILE_READING:294:unexpected eof while reading + SSL_R_UNEXPECTED_MESSAGE:244:unexpected message + SSL_R_UNEXPECTED_RECORD:245:unexpected record + SSL_R_UNINITIALIZED:276:uninitialized +diff -up openssl-1.1.1e/doc/man3/SSL_get_error.pod.eof-revert openssl-1.1.1e/doc/man3/SSL_get_error.pod +--- openssl-1.1.1e/doc/man3/SSL_get_error.pod.eof-revert 2020-03-17 15:31:17.000000000 +0100 ++++ openssl-1.1.1e/doc/man3/SSL_get_error.pod 2020-03-26 15:07:42.125628698 +0100 +@@ -155,6 +155,18 @@ connection and SSL_shutdown() must not b + + =back + ++=head1 BUGS ++ ++The B with B value of 0 indicates unexpected EOF from ++the peer. This will be properly reported as B with reason ++code B in the OpenSSL 3.0 release because ++it is truly a TLS protocol error to terminate the connection without ++a SSL_shutdown(). ++ ++The issue is kept unfixed in OpenSSL 1.1.1 releases because many applications ++which choose to ignore this protocol error depend on the existing way of ++reporting the error. ++ + =head1 SEE ALSO + + L +diff -up openssl-1.1.1e/include/openssl/sslerr.h.eof-revert openssl-1.1.1e/include/openssl/sslerr.h +--- openssl-1.1.1e/include/openssl/sslerr.h.eof-revert 2020-03-17 15:31:17.000000000 +0100 ++++ openssl-1.1.1e/include/openssl/sslerr.h 2020-03-26 15:07:42.125628698 +0100 +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -734,7 +734,6 @@ int ERR_load_SSL_strings(void); + # define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243 + # define SSL_R_UNEXPECTED_CCS_MESSAGE 262 + # define SSL_R_UNEXPECTED_END_OF_EARLY_DATA 178 +-# define SSL_R_UNEXPECTED_EOF_WHILE_READING 294 + # define SSL_R_UNEXPECTED_MESSAGE 244 + # define SSL_R_UNEXPECTED_RECORD 245 + # define SSL_R_UNINITIALIZED 276 +diff -up openssl-1.1.1e/ssl/record/rec_layer_s3.c.eof-revert openssl-1.1.1e/ssl/record/rec_layer_s3.c +--- openssl-1.1.1e/ssl/record/rec_layer_s3.c.eof-revert 2020-03-17 15:31:17.000000000 +0100 ++++ openssl-1.1.1e/ssl/record/rec_layer_s3.c 2020-03-26 15:07:42.125628698 +0100 +@@ -296,12 +296,6 @@ int ssl3_read_n(SSL *s, size_t n, size_t + ret = BIO_read(s->rbio, pkt + len + left, max - left); + if (ret >= 0) + bioread = ret; +- if (ret <= 0 +- && !BIO_should_retry(s->rbio) +- && BIO_eof(s->rbio)) { +- SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_READ_N, +- SSL_R_UNEXPECTED_EOF_WHILE_READING); +- } + } else { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_N, + SSL_R_READ_BIO_NOT_SET); +diff -up openssl-1.1.1e/ssl/ssl_err.c.eof-revert openssl-1.1.1e/ssl/ssl_err.c +--- openssl-1.1.1e/ssl/ssl_err.c.eof-revert 2020-03-17 15:31:17.000000000 +0100 ++++ openssl-1.1.1e/ssl/ssl_err.c 2020-03-26 15:07:42.126628679 +0100 +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -1205,8 +1205,6 @@ static const ERR_STRING_DATA SSL_str_rea + "unexpected ccs message"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_END_OF_EARLY_DATA), + "unexpected end of early data"}, +- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_EOF_WHILE_READING), +- "unexpected eof while reading"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_MESSAGE), "unexpected message"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_RECORD), "unexpected record"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"}, diff --git a/openssl.spec b/openssl.spec index 5b23b28..06667b6 100644 --- a/openssl.spec +++ b/openssl.spec @@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.1.1e -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -69,6 +69,7 @@ Patch65: openssl-1.1.1-fips-drbg-selftest.patch Patch52: openssl-1.1.1-s390x-update.patch Patch53: openssl-1.1.1-fips-crng-test.patch Patch54: openssl-1.1.1-regression-fixes.patch +Patch55: openssl-1.1.1-eof-error-revert.patch License: OpenSSL URL: http://www.openssl.org/ @@ -173,6 +174,7 @@ cp %{SOURCE13} test/ %patch60 -p1 -b .krb5-kdf %patch61 -p1 -b .intel-cet %patch65 -p1 -b .drbg-selftest +%patch55 -p1 -b .eof-revert %build @@ -459,6 +461,10 @@ export LD_LIBRARY_PATH %ldconfig_scriptlets libs %changelog +* Thu Mar 26 2020 Tomáš Mráz 1.1.1e-2 +- revert the unexpected EOF error reporting change as it is + too disruptive for the stable release branch + * Fri Mar 20 2020 Tomáš Mráz 1.1.1e-1 - update to the 1.1.1e release - add selftest of the RAND_DRBG implementation