revert the unexpected EOF error reporting change

it is too disruptive for the stable release branch
2020-03-26 15:14:08 +01:00 · 2020-03-26 15:14:08 +01:00 · ea310218f3
parent c9936c55c2
commit ea310218f3
2 changed files with 108 additions and 1 deletions
--- a/openssl-1.1.1-eof-error-revert.patch
+++ b/openssl-1.1.1-eof-error-revert.patch
@ -0,0 +1,101 @@
+diff -up openssl-1.1.1e/CHANGES.eof-revert openssl-1.1.1e/CHANGES
+--- openssl-1.1.1e/CHANGES.eof-revert	2020-03-26 15:07:42.123628736 +0100
+++ openssl-1.1.1e/CHANGES	2020-03-26 15:10:13.309733024 +0100
+@@ -8,7 +8,8 @@
+  release branch.
+ 
+  Changes between 1.1.1d and 1.1.1e [17 Mar 2020]
+-  *) Properly detect EOF while reading in libssl. Previously if we hit an EOF
+  *) **** REVERTED on 1.1.1 branch after 1.1.1e release ****
+     Properly detect EOF while reading in libssl. Previously if we hit an EOF
+      while reading in libssl then we would report an error back to the
+      application (SSL_ERROR_SYSCALL) but errno would be 0. We now add
+      an error to the stack (which means we instead return SSL_ERROR_SSL) and
+diff -up openssl-1.1.1e/crypto/err/openssl.txt.eof-revert openssl-1.1.1e/crypto/err/openssl.txt
+--- openssl-1.1.1e/crypto/err/openssl.txt.eof-revert	2020-03-26 15:07:42.085629464 +0100
+++ openssl-1.1.1e/crypto/err/openssl.txt	2020-03-26 15:07:42.124628717 +0100
+@@ -2901,7 +2901,6 @@ SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES:2
+ SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES:243:unable to load ssl3 sha1 routines
+ SSL_R_UNEXPECTED_CCS_MESSAGE:262:unexpected ccs message
+ SSL_R_UNEXPECTED_END_OF_EARLY_DATA:178:unexpected end of early data
+-SSL_R_UNEXPECTED_EOF_WHILE_READING:294:unexpected eof while reading
+ SSL_R_UNEXPECTED_MESSAGE:244:unexpected message
+ SSL_R_UNEXPECTED_RECORD:245:unexpected record
+ SSL_R_UNINITIALIZED:276:uninitialized
+diff -up openssl-1.1.1e/doc/man3/SSL_get_error.pod.eof-revert openssl-1.1.1e/doc/man3/SSL_get_error.pod
+--- openssl-1.1.1e/doc/man3/SSL_get_error.pod.eof-revert	2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/doc/man3/SSL_get_error.pod	2020-03-26 15:07:42.125628698 +0100
+@@ -155,6 +155,18 @@ connection and SSL_shutdown() must not b
+ 
+ =back
+ 
+=head1 BUGS
+
+The B<SSL_ERROR_SYSCALL> with B<errno> value of 0 indicates unexpected EOF from
+the peer. This will be properly reported as B<SSL_ERROR_SSL> with reason
+code B<SSL_R_UNEXPECTED_EOF_WHILE_READING> in the OpenSSL 3.0 release because
+it is truly a TLS protocol error to terminate the connection without
+a SSL_shutdown().
+
+The issue is kept unfixed in OpenSSL 1.1.1 releases because many applications
+which choose to ignore this protocol error depend on the existing way of
+reporting the error.
+
+ =head1 SEE ALSO
+ 
+ L<ssl(7)>
+diff -up openssl-1.1.1e/include/openssl/sslerr.h.eof-revert openssl-1.1.1e/include/openssl/sslerr.h
+--- openssl-1.1.1e/include/openssl/sslerr.h.eof-revert	2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/include/openssl/sslerr.h	2020-03-26 15:07:42.125628698 +0100
+@@ -1,6 +1,6 @@
+ /*
+  * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the OpenSSL license (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -734,7 +734,6 @@ int ERR_load_SSL_strings(void);
+ # define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES          243
+ # define SSL_R_UNEXPECTED_CCS_MESSAGE                     262
+ # define SSL_R_UNEXPECTED_END_OF_EARLY_DATA               178
+-# define SSL_R_UNEXPECTED_EOF_WHILE_READING               294
+ # define SSL_R_UNEXPECTED_MESSAGE                         244
+ # define SSL_R_UNEXPECTED_RECORD                          245
+ # define SSL_R_UNINITIALIZED                              276
+diff -up openssl-1.1.1e/ssl/record/rec_layer_s3.c.eof-revert openssl-1.1.1e/ssl/record/rec_layer_s3.c
+--- openssl-1.1.1e/ssl/record/rec_layer_s3.c.eof-revert	2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/ssl/record/rec_layer_s3.c	2020-03-26 15:07:42.125628698 +0100
+@@ -296,12 +296,6 @@ int ssl3_read_n(SSL *s, size_t n, size_t
+             ret = BIO_read(s->rbio, pkt + len + left, max - left);
+             if (ret >= 0)
+                 bioread = ret;
+-            if (ret <= 0
+-                    && !BIO_should_retry(s->rbio)
+-                    && BIO_eof(s->rbio)) {
+-                SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_READ_N,
+-                         SSL_R_UNEXPECTED_EOF_WHILE_READING);
+-            }
+         } else {
+             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_N,
+                      SSL_R_READ_BIO_NOT_SET);
+diff -up openssl-1.1.1e/ssl/ssl_err.c.eof-revert openssl-1.1.1e/ssl/ssl_err.c
+--- openssl-1.1.1e/ssl/ssl_err.c.eof-revert	2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/ssl/ssl_err.c	2020-03-26 15:07:42.126628679 +0100
+@@ -1,6 +1,6 @@
+ /*
+  * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the OpenSSL license (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -1205,8 +1205,6 @@ static const ERR_STRING_DATA SSL_str_rea
+     "unexpected ccs message"},
+     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_END_OF_EARLY_DATA),
+     "unexpected end of early data"},
+-    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_EOF_WHILE_READING),
+-    "unexpected eof while reading"},
+     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_MESSAGE), "unexpected message"},
+     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_RECORD), "unexpected record"},
+     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
--- a/openssl.spec
+++ b/openssl.spec
@ -22,7 +22,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.1.1e
-Release: 1%{?dist}
+Release: 2%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@ -69,6 +69,7 @@ Patch65: openssl-1.1.1-fips-drbg-selftest.patch
 Patch52: openssl-1.1.1-s390x-update.patch
 Patch53: openssl-1.1.1-fips-crng-test.patch
 Patch54: openssl-1.1.1-regression-fixes.patch
+Patch55: openssl-1.1.1-eof-error-revert.patch

 License: OpenSSL
 URL: http://www.openssl.org/
@ -173,6 +174,7 @@ cp %{SOURCE13} test/
 %patch60 -p1 -b .krb5-kdf
 %patch61 -p1 -b .intel-cet
 %patch65 -p1 -b .drbg-selftest
+%patch55 -p1 -b .eof-revert


 %build
@ -459,6 +461,10 @@ export LD_LIBRARY_PATH
 %ldconfig_scriptlets libs

 %changelog
+* Thu Mar 26 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1e-2
+- revert the unexpected EOF error reporting change as it is
+  too disruptive for the stable release branch
+
 * Fri Mar 20 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1e-1
 - update to the 1.1.1e release
 - add selftest of the RAND_DRBG implementation