diff options
author | Marius Bakke <mbakke@fastmail.com> | 2020-03-26 23:09:15 +0100 |
---|---|---|
committer | Marius Bakke <mbakke@fastmail.com> | 2020-03-26 23:09:15 +0100 |
commit | 0ab8ad46322bea331ed5f5592843ba35e7f38b37 (patch) | |
tree | 0fa456ec3e82affe0a69840f5d26689f5f07f591 | |
parent | b12acffbd03c025b1e849f7a93d5edd47682a8ce (diff) | |
download | guix-0ab8ad46322bea331ed5f5592843ba35e7f38b37.tar guix-0ab8ad46322bea331ed5f5592843ba35e7f38b37.tar.gz |
gnu: OpenSSL: Add upstream patch to preserve compatibility in EOF handling.
This is a follow-up to ad8254c23a86c3ca4ca32bc68fc8d76954aa80fd, which
unexpectedly caused a test failure in the Python test suite.
* gnu/packages/patches/openssl-1.1.1e-revert-detect-eof.patch: New file.
* gnu/local.mk (dist_patch_DATA): Adjust accordingly.
* gnu/packages/tls.scm (openssl)[source](patches): Add it.
-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/patches/openssl-1.1.1e-revert-detect-eof.patch | 80 | ||||
-rw-r--r-- | gnu/packages/tls.scm | 3 |
3 files changed, 83 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index c1ee251e90..d687c53a8a 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1267,6 +1267,7 @@ dist_patch_DATA = \ %D%/packages/patches/openocd-nrf52.patch \ %D%/packages/patches/openssl-runpath.patch \ %D%/packages/patches/openssl-1.1-c-rehash-in.patch \ + %D%/packages/patches/openssl-1.1.1e-revert-detect-eof.patch \ %D%/packages/patches/openssl-c-rehash-in.patch \ %D%/packages/patches/openssl-CVE-2019-1559.patch \ %D%/packages/patches/open-zwave-hidapi.patch \ diff --git a/gnu/packages/patches/openssl-1.1.1e-revert-detect-eof.patch b/gnu/packages/patches/openssl-1.1.1e-revert-detect-eof.patch new file mode 100644 index 0000000000..973559440f --- /dev/null +++ b/gnu/packages/patches/openssl-1.1.1e-revert-detect-eof.patch @@ -0,0 +1,80 @@ +This patch reverts a change in 1.1.1e that can break applications that do +not expect EOF to be reported via SSL_ERROR_SSL. + +https://bugs.python.org/issue40018 +https://github.com/openssl/openssl/pull/11400 +https://github.com/openssl/openssl/commit/0cd2ee64bffcdece599c3e4b5fac3830a55dc0fa + +Taken from upstream: +https://github.com/openssl/openssl/commit/30d190caf311d534867df97e26b552e628cb7d85 + +diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt +index f5324c6819d8..35512f9caf96 100644 +--- a/crypto/err/openssl.txt ++++ b/crypto/err/openssl.txt +@@ -2852,7 +2852,6 @@ SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES:242:unable to load ssl3 md5 routines + SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES:243:unable to load ssl3 sha1 routines + SSL_R_UNEXPECTED_CCS_MESSAGE:262:unexpected ccs message + SSL_R_UNEXPECTED_END_OF_EARLY_DATA:178:unexpected end of early data +-SSL_R_UNEXPECTED_EOF_WHILE_READING:294:unexpected eof while reading + SSL_R_UNEXPECTED_MESSAGE:244:unexpected message + SSL_R_UNEXPECTED_RECORD:245:unexpected record + SSL_R_UNINITIALIZED:276:uninitialized +diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h +index 0ef684f3c131..ba4c4ae5fbd3 100644 +--- a/include/openssl/sslerr.h ++++ b/include/openssl/sslerr.h +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -734,7 +734,6 @@ int ERR_load_SSL_strings(void); + # define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243 + # define SSL_R_UNEXPECTED_CCS_MESSAGE 262 + # define SSL_R_UNEXPECTED_END_OF_EARLY_DATA 178 +-# define SSL_R_UNEXPECTED_EOF_WHILE_READING 294 + # define SSL_R_UNEXPECTED_MESSAGE 244 + # define SSL_R_UNEXPECTED_RECORD 245 + # define SSL_R_UNINITIALIZED 276 +diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c +index 1c885a664f35..b2a7a47eb075 100644 +--- a/ssl/record/rec_layer_s3.c ++++ b/ssl/record/rec_layer_s3.c +@@ -296,12 +296,6 @@ int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold, + ret = BIO_read(s->rbio, pkt + len + left, max - left); + if (ret >= 0) + bioread = ret; +- if (ret <= 0 +- && !BIO_should_retry(s->rbio) +- && BIO_eof(s->rbio)) { +- SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_READ_N, +- SSL_R_UNEXPECTED_EOF_WHILE_READING); +- } + } else { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_N, + SSL_R_READ_BIO_NOT_SET); +diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c +index a0c7b79659d4..4b12ed1485d9 100644 +--- a/ssl/ssl_err.c ++++ b/ssl/ssl_err.c +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -1205,8 +1205,6 @@ static const ERR_STRING_DATA SSL_str_reasons[] = { + "unexpected ccs message"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_END_OF_EARLY_DATA), + "unexpected end of early data"}, +- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_EOF_WHILE_READING), +- "unexpected eof while reading"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_MESSAGE), "unexpected message"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_RECORD), "unexpected record"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"}, diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index f6310222b9..a057432f4b 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -293,7 +293,8 @@ required structures.") (sha256 (base32 "1gnwlri1dphr5wdzmg9vlhkh6aq2yqgpfkpmffzwjlfb26n62kv9")) - (patches (search-patches "openssl-1.1-c-rehash-in.patch")))) + (patches (search-patches "openssl-1.1-c-rehash-in.patch" + "openssl-1.1.1e-revert-detect-eof.patch")))) (build-system gnu-build-system) (outputs '("out" "doc" ;6.8 MiB of man3 pages and full HTML documentation |