[MediaWiki-commits] [Gerrit] Cherrypick 64193c8218540499984cd63cda41f3cd491f3f59 from the... - change (operations...openssl)

Muehlenhoff (Code Review) Fri, 12 Feb 2016 02:36:07 -0800

Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/270257


Change subject: Cherrypick 64193c8218540499984cd63cda41f3cd491f3f59 from the 
1.0.2 branch to fix spurious log messages if SSL clients quit during the SSL 
handshake
......................................................................

Cherrypick 64193c8218540499984cd63cda41f3cd491f3f59 from the 1.0.2
branch to fix spurious log messages if SSL clients quit during the
SSL handshake

Bug: T126616
Change-Id: I5d98aabf09f178620b28bd47a3416b064e643b42
---
M debian/changelog
A debian/patches/handle-ssl-shutdown-while-in-init-more-appropriately-v2.patch
M debian/patches/series
3 files changed, 108 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/debs/openssl 
refs/changes/57/270257/1

diff --git a/debian/changelog b/debian/changelog
index 961289f..1c3f876 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+openssl (1.0.2f-1~wmf3) jessie-wikimedia; urgency=medium
+
+  * Cherrypick 64193c8218540499984cd63cda41f3cd491f3f59 from the 1.0.2
+    branch to fix spurious log messages if SSL clients quit during the
+    SSL handshake (Bug: T126616)
+
+ -- Moritz Muehlenhoff <mmuhlenh...@wikimedia.org>  Fri, 12 Feb 2016 11:32:31 
+0100
+
 openssl (1.0.2f-1~wmf2) jessie-wikimedia; urgency=medium
 
   * Correct target distribution
diff --git 
a/debian/patches/handle-ssl-shutdown-while-in-init-more-appropriately-v2.patch 
b/debian/patches/handle-ssl-shutdown-while-in-init-more-appropriately-v2.patch
new file mode 100644
index 0000000..7dc9f8b
--- /dev/null
+++ 
b/debian/patches/handle-ssl-shutdown-while-in-init-more-appropriately-v2.patch
@@ -0,0 +1,99 @@
+From 64193c8218540499984cd63cda41f3cd491f3f59 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <m...@openssl.org>
+Date: Tue, 2 Feb 2016 10:05:43 +0000
+Subject: [PATCH] Handle SSL_shutdown while in init more appropriately #2
+
+Previous commit f73c737c7 attempted to "fix" a problem with the way
+SSL_shutdown() behaved whilst in mid-handshake. The original behaviour had
+SSL_shutdown() return immediately having taken no action if called mid-
+handshake with a return value of 1 (meaning everything was shutdown
+successfully). In fact the shutdown has not been successful.
+
+Commit f73c737c7 changed that to send a close_notify anyway and then
+return. This seems to be causing some problems for some applications so
+perhaps a better (much simpler) approach is revert to the previous
+behaviour (no attempt at a shutdown), but return -1 (meaning the shutdown
+was not successful).
+
+This also fixes a bug where SSL_shutdown always returns 0 when shutdown
+*very* early in the handshake (i.e. we are still using SSLv23_method).
+
+Reviewed-by: Viktor Dukhovni <vik...@openssl.org>
+---
+ ssl/s3_lib.c  | 15 ---------------
+ ssl/ssl.h     |  1 -
+ ssl/ssl_err.c |  1 -
+ ssl/ssl_lib.c |  7 ++++++-
+ 4 files changed, 6 insertions(+), 18 deletions(-)
+
+diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
+index f846cb5..6a06625 100644
+--- a/ssl/s3_lib.c
++++ b/ssl/s3_lib.c
+@@ -4326,21 +4326,6 @@ int ssl3_shutdown(SSL *s)
+         }
+ #endif
+     } else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) {
+-        if (SSL_in_init(s)) {
+-            /*
+-             * We can't shutdown properly if we are in the middle of a
+-             * handshake. Doing so is problematic because the peer may send a
+-             * CCS before it acts on our close_notify. However we should not
+-             * continue to process received handshake messages or CCS once our
+-             * close_notify has been sent. Therefore any close_notify from
+-             * the peer will be unreadable because we have not moved to the 
next
+-             * cipher state. Its best just to avoid this can-of-worms. Return
+-             * an error if we are wanting to wait for a close_notify from the
+-             * peer and we are in init.
+-             */
+-            SSLerr(SSL_F_SSL3_SHUTDOWN, SSL_R_SHUTDOWN_WHILE_IN_INIT);
+-            return -1;
+-        }
+         /*
+          * If we are waiting for a close from our peer, we are closed
+          */
+diff --git a/ssl/ssl.h b/ssl/ssl.h
+index ae8c925..04d4007 100644
+--- a/ssl/ssl.h
++++ b/ssl/ssl.h
+@@ -2713,7 +2713,6 @@ void ERR_load_SSL_strings(void);
+ # define SSL_F_SSL3_SETUP_KEY_BLOCK                       157
+ # define SSL_F_SSL3_SETUP_READ_BUFFER                     156
+ # define SSL_F_SSL3_SETUP_WRITE_BUFFER                    291
+-# define SSL_F_SSL3_SHUTDOWN                              396
+ # define SSL_F_SSL3_WRITE_BYTES                           158
+ # define SSL_F_SSL3_WRITE_PENDING                         159
+ # define SSL_F_SSL_ADD_CERT_CHAIN                         318
+diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
+index dd3b2af..704088d 100644
+--- a/ssl/ssl_err.c
++++ b/ssl/ssl_err.c
+@@ -206,7 +206,6 @@ static ERR_STRING_DATA SSL_str_functs[] = {
+     {ERR_FUNC(SSL_F_SSL3_SETUP_KEY_BLOCK), "ssl3_setup_key_block"},
+     {ERR_FUNC(SSL_F_SSL3_SETUP_READ_BUFFER), "ssl3_setup_read_buffer"},
+     {ERR_FUNC(SSL_F_SSL3_SETUP_WRITE_BUFFER), "ssl3_setup_write_buffer"},
+-    {ERR_FUNC(SSL_F_SSL3_SHUTDOWN), "ssl3_shutdown"},
+     {ERR_FUNC(SSL_F_SSL3_WRITE_BYTES), "ssl3_write_bytes"},
+     {ERR_FUNC(SSL_F_SSL3_WRITE_PENDING), "ssl3_write_pending"},
+     {ERR_FUNC(SSL_F_SSL_ADD_CERT_CHAIN), "ssl_add_cert_chain"},
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index 2744be8..7c23f9e 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -1060,7 +1060,12 @@ int SSL_shutdown(SSL *s)
+         return -1;
+     }
+ 
+-    return s->method->ssl_shutdown(s);
++    if (!SSL_in_init(s)) {
++        return s->method->ssl_shutdown(s);
++    } else {
++        SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_SHUTDOWN_WHILE_IN_INIT);
++        return -1;
++    }
+ }
+ 
+ int SSL_renegotiate(SSL *s)
+-- 
+1.9.1
+
diff --git a/debian/patches/series b/debian/patches/series
index f95760e..5d2b63d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -15,3 +15,4 @@
 block_digicert_malaysia.patch
 #padlock_conf.patch
 disable_freelist.patch
+handle-ssl-shutdown-while-in-init-more-appropriately-v2.patch

-- 
To view, visit https://gerrit.wikimedia.org/r/270257
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I5d98aabf09f178620b28bd47a3416b064e643b42
Gerrit-PatchSet: 1
Gerrit-Project: operations/debs/openssl
Gerrit-Branch: master
Gerrit-Owner: Muehlenhoff <mmuhlenh...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits

[MediaWiki-commits] [Gerrit] Cherrypick 64193c8218540499984cd63cda41f3cd491f3f59 from the... - change (operations...openssl)

Reply via email to