[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[gnurl] 45/151: openssl: Revert to less sensitivity for SYSCALL errors
From: |
gnunet |
Subject: |
[gnurl] 45/151: openssl: Revert to less sensitivity for SYSCALL errors |
Date: |
Fri, 20 Dec 2019 14:25:54 +0100 |
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to branch master
in repository gnurl.
commit 78cef068479d85f7af29b5ddf21ced5288a50f37
Author: Jay Satiro <address@hidden>
AuthorDate: Wed Nov 20 18:44:18 2019 -0500
openssl: Revert to less sensitivity for SYSCALL errors
- Disable the extra sensitivity except in debug builds (--enable-debug).
- Improve SYSCALL error message logic in ossl_send and ossl_recv so that
"No error" / "Success" socket error text isn't shown on SYSCALL error.
Prior to this change 0ab38f5 (precedes 7.67.0) increased the sensitivity
of OpenSSL's SSL_ERROR_SYSCALL error so that abrupt server closures were
also considered errors. For example, a server that does not send a known
protocol termination point (eg HTTP content length or chunked encoding)
_and_ does not send a TLS termination point (close_notify alert) would
cause an error if it closed the connection.
To be clear that behavior made it into release build 7.67.0
unintentionally. Several users have reported it as an issue.
Ultimately the idea is a good one, since it can help prevent against a
truncation attack. Other SSL backends may already behave similarly (such
as Windows native OS SSL Schannel). However much more of our user base
is using OpenSSL and there is a mass of legacy users in that space, so I
think that behavior should be partially reverted and then rolled out
slowly.
This commit changes the behavior so that the increased sensitivity is
disabled in all curl builds except curl debug builds (DEBUGBUILD). If
after a period of time there are no major issues then it can be enabled
in dev and release builds with the newest OpenSSL (1.1.1+), since users
using the newest OpenSSL are the least likely to have legacy problems.
Bug: https://github.com/curl/curl/issues/4409#issuecomment-555955794
Reported-by: Bjoern Franke
Fixes https://github.com/curl/curl/issues/4624
Closes https://github.com/curl/curl/pull/4623
---
lib/vtls/openssl.c | 72 ++++++++++++++++++++++++++++++++++++++++++++----------
1 file changed, 59 insertions(+), 13 deletions(-)
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 6b24c0cf4..e5bd9d604 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -392,11 +392,20 @@ static const char *SSL_ERROR_to_str(int err)
*/
static char *ossl_strerror(unsigned long error, char *buf, size_t size)
{
+ if(size)
+ *buf = '\0';
+
#ifdef OPENSSL_IS_BORINGSSL
ERR_error_string_n((uint32_t)error, buf, size);
#else
ERR_error_string_n(error, buf, size);
#endif
+
+ if(size > 1 && !*buf) {
+ strncpy(buf, (error ? "Unknown error" : "No error"), size);
+ buf[size - 1] = '\0';
+ }
+
return buf;
}
@@ -3833,10 +3842,22 @@ static ssize_t ossl_send(struct connectdata *conn,
*curlcode = CURLE_AGAIN;
return -1;
case SSL_ERROR_SYSCALL:
- Curl_strerror(SOCKERRNO, error_buffer, sizeof(error_buffer));
- failf(conn->data, OSSL_PACKAGE " SSL_write: %s", error_buffer);
- *curlcode = CURLE_SEND_ERROR;
- return -1;
+ {
+ int sockerr = SOCKERRNO;
+ sslerror = ERR_get_error();
+ if(sslerror)
+ ossl_strerror(sslerror, error_buffer, sizeof(error_buffer));
+ else if(sockerr)
+ Curl_strerror(sockerr, error_buffer, sizeof(error_buffer));
+ else {
+ strncpy(error_buffer, SSL_ERROR_to_str(err), sizeof(error_buffer));
+ error_buffer[sizeof(error_buffer) - 1] = '\0';
+ }
+ failf(conn->data, OSSL_PACKAGE " SSL_write: %s, errno %d",
+ error_buffer, sockerr);
+ *curlcode = CURLE_SEND_ERROR;
+ return -1;
+ }
case SSL_ERROR_SSL:
/* A failure in the SSL library occurred, usually a protocol error.
The OpenSSL error queue contains more information on the error. */
@@ -3901,11 +3922,6 @@ static ssize_t ossl_recv(struct connectdata *conn, /*
connection data */
/* there's data pending, re-invoke SSL_read() */
*curlcode = CURLE_AGAIN;
return -1;
- case SSL_ERROR_SYSCALL:
- Curl_strerror(SOCKERRNO, error_buffer, sizeof(error_buffer));
- failf(conn->data, OSSL_PACKAGE " SSL_read: %s", error_buffer);
- *curlcode = CURLE_RECV_ERROR;
- return -1;
default:
/* openssl/ssl.h for SSL_ERROR_SYSCALL says "look at error stack/return
value/errno" */
@@ -3914,14 +3930,44 @@ static ssize_t ossl_recv(struct connectdata *conn, /*
connection data */
if((nread < 0) || sslerror) {
/* If the return code was negative or there actually is an error in the
queue */
+ int sockerr = SOCKERRNO;
+ if(sslerror)
+ ossl_strerror(sslerror, error_buffer, sizeof(error_buffer));
+ else if(sockerr && err == SSL_ERROR_SYSCALL)
+ Curl_strerror(sockerr, error_buffer, sizeof(error_buffer));
+ else {
+ strncpy(error_buffer, SSL_ERROR_to_str(err), sizeof(error_buffer));
+ error_buffer[sizeof(error_buffer) - 1] = '\0';
+ }
failf(conn->data, OSSL_PACKAGE " SSL_read: %s, errno %d",
- (sslerror ?
- ossl_strerror(sslerror, error_buffer, sizeof(error_buffer)) :
- SSL_ERROR_to_str(err)),
- SOCKERRNO);
+ error_buffer, sockerr);
+ *curlcode = CURLE_RECV_ERROR;
+ return -1;
+ }
+ /* For debug builds be a little stricter and error on any
+ SSL_ERROR_SYSCALL. For example a server may have closed the connection
+ abruptly without a close_notify alert. For compatibility with older
+ peers we don't do this by default. #4624
+
+ We can use this to gauge how many users may be affected, and
+ if it goes ok eventually transition to allow in dev and release with
+ the newest OpenSSL: #if (OPENSSL_VERSION_NUMBER >= 0x10101000L) */
+#ifdef DEBUGBUILD
+ if(err == SSL_ERROR_SYSCALL) {
+ int sockerr = SOCKERRNO;
+ if(sockerr)
+ Curl_strerror(sockerr, error_buffer, sizeof(error_buffer));
+ else {
+ msnprintf(error_buffer, sizeof(error_buffer),
+ "Connection closed abruptly");
+ }
+ failf(conn->data, OSSL_PACKAGE " SSL_read: %s, errno %d"
+ " (Fatal because this is a curl debug build)",
+ error_buffer, sockerr);
*curlcode = CURLE_RECV_ERROR;
return -1;
}
+#endif
}
}
return nread;
--
To stop receiving notification emails like this one, please contact
address@hidden.
- [gnurl] 26/151: examples: add multi-poll.c, (continued)
- [gnurl] 26/151: examples: add multi-poll.c, gnunet, 2019/12/20
- [gnurl] 14/151: TODO: curl_multi_unblock, gnunet, 2019/12/20
- [gnurl] 17/151: pause: avoid updating socket if done was already called, gnunet, 2019/12/20
- [gnurl] 25/151: multi_poll: avoid busy-loop when called without easy handles attached, gnunet, 2019/12/20
- [gnurl] 27/151: config-win32: cpu-machine-OS for Windows on ARM, gnunet, 2019/12/20
- [gnurl] 33/151: ngtcp2: handle key updates as ngtcp2 master branch tells us, gnunet, 2019/12/20
- [gnurl] 32/151: multi: Fix curl_multi_poll wait when extra_fds && !extra_nfds, gnunet, 2019/12/20
- [gnurl] 29/151: doh: improced both encoding and decoding, gnunet, 2019/12/20
- [gnurl] 28/151: ngtcp2: increase QUIC window size when data is consumed, gnunet, 2019/12/20
- [gnurl] 34/151: ngtcp2: free used resources on disconnect, gnunet, 2019/12/20
- [gnurl] 45/151: openssl: Revert to less sensitivity for SYSCALL errors,
gnunet <=
- [gnurl] 44/151: openssl: improve error message for SYSCALL during connect, gnunet, 2019/12/20
- [gnurl] 40/151: curl: add --parallel-immediate, gnunet, 2019/12/20
- [gnurl] 37/151: RELEASE-NOTES: synced, gnunet, 2019/12/20
- [gnurl] 42/151: include: make CURLE_HTTP3 use a new error code, gnunet, 2019/12/20
- [gnurl] 39/151: docs: fix typos, gnunet, 2019/12/20
- [gnurl] 30/151: INSTALL.md: provide Android build instructions, gnunet, 2019/12/20
- [gnurl] 43/151: test1175: verify symbols-in-versions and libcurl-errors.3 in sync, gnunet, 2019/12/20
- [gnurl] 41/151: bump: next release will be 7.68.0, gnunet, 2019/12/20
- [gnurl] 35/151: altsvc: bump to h3-24, gnunet, 2019/12/20
- [gnurl] 36/151: ngtcp2: use overflow buffer for extra HTTP/3 data, gnunet, 2019/12/20