svn commit: r529814 - in head/security/openssl: . files

Bernard Spil brnrd at FreeBSD.org
Sun Mar 29 16:01:06 UTC 2020


Author: brnrd
Date: Sun Mar 29 16:00:40 2020
New Revision: 529814
URL: https://svnweb.freebsd.org/changeset/ports/529814

Log:
  security/openssl: Fix EOF bug
  
  See https://github.com/openssl/openssl/pull/11400
  
  PR:		245154
  Reported by:	koobs
  MFH:		2020Q1

Added:
  head/security/openssl/files/patch-PR245154   (contents, props changed)
Modified:
  head/security/openssl/Makefile

Modified: head/security/openssl/Makefile
==============================================================================
--- head/security/openssl/Makefile	Sun Mar 29 15:57:09 2020	(r529813)
+++ head/security/openssl/Makefile	Sun Mar 29 16:00:40 2020	(r529814)
@@ -3,6 +3,7 @@
 
 PORTNAME=	openssl
 PORTVERSION=	1.1.1e
+PORTREVISION=	1
 PORTEPOCH=	1
 CATEGORIES=	security devel
 MASTER_SITES=	https://www.openssl.org/source/ \

Added: head/security/openssl/files/patch-PR245154
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/openssl/files/patch-PR245154	Sun Mar 29 16:00:40 2020	(r529814)
@@ -0,0 +1,155 @@
+From 0cd2ee64bffcdece599c3e4b5fac3830a55dc0fa Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz at fedoraproject.org>
+Date: Wed, 25 Mar 2020 14:18:13 +0100
+Subject: [PATCH] Document the revert of the proper reporting of an unexpected
+ EOF
+
+Reviewed-by: Matt Caswell <matt at openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/11400)
+--- CHANGES.orig	2020-03-17 14:31:17 UTC
++++ CHANGES
+@@ -7,6 +7,15 @@
+  https://github.com/openssl/openssl/commits/ and pick the appropriate
+  release branch.
+ 
++  Changes between 1.1.1e and 1.1.1f [xx XXX xxxx]
++
++  *) Revert the change of EOF detection while reading in libssl to avoid
++     regressions in applications depending on the current way of reporting
++     the EOF. As the existing method is not fully accurate the change to
++     reporting the EOF via SSL_ERROR_SSL is kept on the current development
++     branch and will be present in the 3.0 release.
++     [Tomas Mraz]
++
+  Changes between 1.1.1d and 1.1.1e [17 Mar 2020]
+   *) Properly detect EOF while reading in libssl. Previously if we hit an EOF
+      while reading in libssl then we would report an error back to the
+ CHANGES                    |  7 +++++++
+ NEWS                       |  4 +++-
+ doc/man3/SSL_get_error.pod | 12 ++++++++++++
+ 3 files changed, 22 insertions(+), 1 deletion(-)
+
+--- NEWS.orig	2020-03-17 14:31:17 UTC
++++ NEWS
+@@ -5,7 +5,13 @@
+   This file gives a brief overview of the major changes between each OpenSSL
+   release. For more details please read the CHANGES file.
+ 
+-  Major changes between OpenSSL 1.1.1d and OpenSSL 1.1.1e [17 Mar 2020]
++   Major changes between OpenSSL 1.1.1e and OpenSSL 1.1.1f [under development]
++
++      o Revert the unexpected EOF reporting via SSL_ERROR_SSL
++      o Properly detect unexpected EOF while reading in libssl and report
++        it via SSL_ERROR_SSL
++
++   Major changes between OpenSSL 1.1.1d and OpenSSL 1.1.1e [17 Mar 2020]
+ 
+       o Fixed an overflow bug in the x64_64 Montgomery squaring procedure
+         used in exponentiation with 512-bit moduli (CVE-2019-1551)
+--- doc/man3/SSL_get_error.pod.orig	2020-03-17 14:31:17 UTC
++++ doc/man3/SSL_get_error.pod
+@@ -155,6 +155,18 @@ connection and SSL_shutdown() must not be called.
+ 
+ =back
+ 
++=head1 BUGS
++
++The B<SSL_ERROR_SYSCALL> with B<errno> value of 0 indicates unexpected EOF from
++the peer. This will be properly reported as B<SSL_ERROR_SSL> with reason
++code B<SSL_R_UNEXPECTED_EOF_WHILE_READING> in the OpenSSL 3.0 release because
++it is truly a TLS protocol error to terminate the connection without
++a SSL_shutdown().
++
++The issue is kept unfixed in OpenSSL 1.1.1 releases because many applications
++which choose to ignore this protocol error depend on the existing way of
++reporting the error.
++
+ =head1 SEE ALSO
+ 
+ L<ssl(7)>
+From 30d190caf311d534867df97e26b552e628cb7d85 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz at fedoraproject.org>
+Date: Wed, 25 Mar 2020 14:15:31 +0100
+Subject: [PATCH] Partially revert "Detect EOF while reading in libssl"
+
+This partially reverts commit db943f43a60d1b5b1277e4b5317e8f288e7a0a3a.
+
+Reviewed-by: Matt Caswell <matt at openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/11400)
+---
+ crypto/err/openssl.txt    | 1 -
+ include/openssl/sslerr.h  | 3 +--
+ ssl/record/rec_layer_s3.c | 6 ------
+ ssl/ssl_err.c             | 4 +---
+ 4 files changed, 2 insertions(+), 12 deletions(-)
+
+diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
+index f5324c6819d8..35512f9caf96 100644
+--- crypto/err/openssl.txt.orig
++++ crypto/err/openssl.txt
+@@ -2852,7 +2852,6 @@ SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES:242:unable to load ssl3 md5 routines
+ SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES:243:unable to load ssl3 sha1 routines
+ SSL_R_UNEXPECTED_CCS_MESSAGE:262:unexpected ccs message
+ SSL_R_UNEXPECTED_END_OF_EARLY_DATA:178:unexpected end of early data
+-SSL_R_UNEXPECTED_EOF_WHILE_READING:294:unexpected eof while reading
+ SSL_R_UNEXPECTED_MESSAGE:244:unexpected message
+ SSL_R_UNEXPECTED_RECORD:245:unexpected record
+ SSL_R_UNINITIALIZED:276:uninitialized
+diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
+index 0ef684f3c131..ba4c4ae5fbd3 100644
+--- include/openssl/sslerr.h.orig
++++ include/openssl/sslerr.h
+@@ -1,6 +1,6 @@
+ /*
+  * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the OpenSSL license (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -734,7 +734,6 @@ int ERR_load_SSL_strings(void);
+ # define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES          243
+ # define SSL_R_UNEXPECTED_CCS_MESSAGE                     262
+ # define SSL_R_UNEXPECTED_END_OF_EARLY_DATA               178
+-# define SSL_R_UNEXPECTED_EOF_WHILE_READING               294
+ # define SSL_R_UNEXPECTED_MESSAGE                         244
+ # define SSL_R_UNEXPECTED_RECORD                          245
+ # define SSL_R_UNINITIALIZED                              276
+diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
+index 1c885a664f35..b2a7a47eb075 100644
+--- ssl/record/rec_layer_s3.c.orig
++++ ssl/record/rec_layer_s3.c
+@@ -296,12 +296,6 @@ int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold,
+             ret = BIO_read(s->rbio, pkt + len + left, max - left);
+             if (ret >= 0)
+                 bioread = ret;
+-            if (ret <= 0
+-                    && !BIO_should_retry(s->rbio)
+-                    && BIO_eof(s->rbio)) {
+-                SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_READ_N,
+-                         SSL_R_UNEXPECTED_EOF_WHILE_READING);
+-            }
+         } else {
+             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_N,
+                      SSL_R_READ_BIO_NOT_SET);
+diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
+index a0c7b79659d4..4b12ed1485d9 100644
+--- ssl/ssl_err.c.orig
++++ ssl/ssl_err.c
+@@ -1,6 +1,6 @@
+ /*
+  * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the OpenSSL license (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -1205,8 +1205,6 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
+     "unexpected ccs message"},
+     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_END_OF_EARLY_DATA),
+     "unexpected end of early data"},
+-    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_EOF_WHILE_READING),
+-    "unexpected eof while reading"},
+     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_MESSAGE), "unexpected message"},
+     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_RECORD), "unexpected record"},
+     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},


More information about the svn-ports-head mailing list