Posted to bugs@httpd.apache.org by bu...@apache.org on 2021/02/26 21:30:41 UTC

[Bug 65160] New: Custom OpenSSL BIO_ctrl methods return incorrect default value

https://bz.apache.org/bugzilla/show_bug.cgi?id=65160

            Bug ID: 65160
           Summary: Custom OpenSSL BIO_ctrl methods return incorrect
                    default value
           Product: Apache httpd-2
           Version: 2.4.46
          Hardware: PC
                OS: FreeBSD
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: jhb@FreeBSD.org
  Target Milestone: ---

Created attachment 37747
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=37747&action=edit
bio_ctrl_methods.patch

This is similar to the bug I reported for serf at
https://issues.apache.org/jira/browse/SERF-198.  Specifically, the BIO_ctrl(3)
manual page documents that BIO control methods should return 0 for unknown
requests.  Technically the custom BIO classes in mod_ssl look like filters
rather than source/sink BIOs at least in name, but functionally they need to
follow the same convention.

The specific breakage is that OpenSSL 3.0 introduces new control operations
related to kernel TLS offload that are used by libssl to determine if a BIO is
using kernel TLS offload.  A non-zero return value from the BIO_ctrl method
for these operations is interpreted by libssl as meaning that the BIO is using
kernel TLS offload, and thus OpenSSL does not perform encryption/decryption or
append/strip trailers, assuming the kernel will do that instead.  The current
control methods were returning non-zero values, meaning that OpenSSL would not
encrypt/decrypt TLS records.  Note that OpenSSL 3.0 is still in beta, but
FreeBSD 14-current also includes a backported version of these patches in its
OpenSSL 1.1.1 in the base system, which is where this breakage was observed.

The attached patch changes the two BIO_ctrl methods in mod_ssl to return 0 for
unknown requests.  It also clarifies that one of the control methods is now
used by OpenSSL.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
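
A self-contained C model of the failure described in the report above, added here as an illustration; it is not mod_ssl or OpenSSL code. The request codes, the function names and the XOR stand-in for record protection are all constructed for this example.

```c
#include <stddef.h>
#include <string.h>
/* Constructed request codes; the last stands in for a newly added offload query. */
enum { CTRL_PENDING = 10, CTRL_FLUSH = 11, CTRL_GET_OFFLOAD_SEND = 73 };
typedef long (*ctrl_fn)(int cmd, long num, void *ptr);

/* "Before": a request this BIO has never heard of gets a non-zero answer. */
static long ctrl_nonzero_default(int cmd, long num, void *ptr) {
    (void)num; (void)ptr;
    switch (cmd) {
    case CTRL_FLUSH:   return 1;
    case CTRL_PENDING: return 0;
    default:           return 1;
    }
}

/* "After": unknown requests return 0, the convention the report cites. */
static long ctrl_zero_default(int cmd, long num, void *ptr) {
    (void)num; (void)ptr;
    switch (cmd) {
    case CTRL_FLUSH:   return 1;
    case CTRL_PENDING: return 0;
    default:           return 0;
    }
}

/* Library side: non-zero means "offloaded", so skip protection (XOR placeholder). */
static void send_record(ctrl_fn ctrl, const unsigned char *in, size_t len,
                        unsigned char *wire) {
    int offloaded = ctrl(CTRL_GET_OFFLOAD_SEND, 0, NULL) != 0;
    for (size_t i = 0; i < len; i++)
        wire[i] = offloaded ? in[i] : (unsigned char)(in[i] ^ 0x5a);
}

/* Returns 1 if the record reached the wire unprotected. */
static int plaintext_on_wire(ctrl_fn ctrl) {
    const unsigned char msg[] = "GET / HTTP/1.1";   /* constructed sample */
    unsigned char wire[sizeof msg];
    send_record(ctrl, msg, sizeof msg, wire);
    return memcmp(msg, wire, sizeof msg) == 0;
}

/* Regression check: how many unhandled codes in [lo, hi] return non-zero. */
static int nonzero_unknown(ctrl_fn ctrl, int lo, int hi) {
    int n = 0;
    for (int cmd = lo; cmd <= hi; cmd++)
        n += cmd != CTRL_FLUSH && cmd != CTRL_PENDING && ctrl(cmd, 0, NULL) != 0;
    return n;
}
```

A sweep like `nonzero_unknown` over a custom control method catches this class of bug before a library upgrade adds a request code that gives the non-zero default a meaning.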


[Bug 65160] Custom OpenSSL BIO_ctrl methods return incorrect default value

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65160

Joe Orton <jo...@redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #1 from Joe Orton <jo...@redhat.com> ---
The _out_ctrl part of that patch is a noop AFAICT since for unknown requests
the function will fall through the default switch statement:

https://github.com/apache/httpd/blob/2.4.x/modules/ssl/ssl_engine_io.c#L289

The _in_ctrl part was fixed in 2.4.x in r1895868 (for 2.4.52).

Feel free to re-open if I'm missing anything.  Thanks for sending in the patch
& analysis.
