Hello! I noticed that the serf BIO implementation does not properly handle unknown ctrl requests by returning 1 instead of 0. According to the documentation [1], the implementation is expected to return 0 for unknown ctrls.
This issue has been discussed in SERF-198 [2]. I would like to propose an updated and extended patch to solve the issue. The patch includes:

- The fix for the bio_bucket_ctrl() function.
- Similar fix for the new bio_file_ctrl() function.
- Similar fix for the bio_apr_socket_ctrl() function in the MockHTTP server.

[1] https://www.openssl.org/docs/manmaster/man3/BIO_ctrl.html#NOTES
[2] https://issues.apache.org/jira/browse/SERF-198

Kind Regards,
Denis Kovalchuk
Fix the return value for unknown controls in the BIO control functions. According to the BIO_ctrl() manual page [1]: [[[ Source/sink BIOs return an 0 if they do not recognize the BIO_ctrl() operation. ]]] OpenSSL 3.0 adds support for Kernel TLS and uses new controls to determine if KTLS is used for sending or receiving: 1) BIO_get_ktls_send() 2) BIO_get_ktls_recv() These controls return 1 if KTLS is used and 0 if not [2]. As a result, OpenSSL believed that serf BIOs support KTLS and thus handle TLS header insertion and encryption/decryption in the BIO layer, breaking the use of HTTPS. This bug was observed in FreeBSD [3]. [1] https://www.openssl.org/docs/manmaster/man3/BIO_ctrl.html#NOTES [2] https://www.openssl.org/docs/manmaster/man3/BIO_ctrl.html#RETURN-VALUES [3] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253135 * buckets/ssl_buckets.c (bio_bucket_ctrl, bio_file_ctrl): Return 0 for unknown controls. * test/MockHTTPinC/MockHTTP_server.c (bio_apr_socket_ctrl): Return 0 for unknown controls. Index: test/MockHTTPinC/MockHTTP_server.c =================================================================== --- test/MockHTTPinC/MockHTTP_server.c (revision 1902209) +++ test/MockHTTPinC/MockHTTP_server.c (working copy) @@ -2339,7 +2339,7 @@ static long bio_apr_socket_ctrl(BIO *bio, int cmd, return ssl_ctx->hit_eof; default: /* abort(); */ - return 1; + return 0; } } Index: buckets/ssl_buckets.c =================================================================== --- buckets/ssl_buckets.c (revision 1902209) +++ buckets/ssl_buckets.c (working copy) @@ -524,7 +524,7 @@ static long bio_bucket_ctrl(BIO *bio, int cmd, lon return ctx->hit_eof; default: /* abort(); */ - return 1; + return 0; } } @@ -546,7 +546,7 @@ static long bio_file_ctrl(BIO *bio, int cmd, long return 0; default: /* abort(); */ - return 1; + return 0; } }
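Review bot: nothing in this patch exercises the new return value, even though the test/MockHTTPinC/MockHTTP_server.c hunk already touches the test tree. A regression test that issues a control none of the switches handle (on OpenSSL 3.0, BIO_get_ktls_send() and BIO_get_ktls_recv() would do) and expects 0 would keep the default branch of bio_apr_socket_ctrl() from drifting back to `return 1;`.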
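Review bot: in the bio_bucket_ctrl() hunk of buckets/ssl_buckets.c, switching the default branch from `return 1;` to `return 0;` changes the result of every control without an explicit case, not only the KTLS queries named in the log message. The hunk context shows only the case ending in `return ctx->hit_eof;`, so please confirm that controls OpenSSL expects to succeed on a source/sink BIO, such as BIO_CTRL_FLUSH, have their own case returning 1 above this point.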
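Review bot: the default branch of bio_file_ctrl() still carries the commented-out `/* abort(); */` and says nothing about why the fallback is 0; the same leftover is visible in the other two hunks. Replace it with a one-line comment stating that source/sink BIOs must return 0 for controls they do not recognize, per the BIO_ctrl() NOTES, so the value is not flipped back later.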