
Merge pull request #110 in EA4/libcurl from 2019-Q4.EA-8754-ship to master

* commit '39bed911eb93424a2907a8ff130ef9a026388b82':
  EA-8754: Patch libcurl 7.67.0 for OpenSSL issue breaking WHMCS
gitcory committed Nov 22, 2019
2 parents 6fadda8 + 39bed91 commit 7ca2bbb724ac54a3c41950c8736076953bf1429b
@@ -1,7 +1,7 @@
From b15bfad914bffc111e59dd74c2b41f16ca8bc7ac Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Rishwanth Yeddula <rish@cpanel.net>
Date: Thu, 12 Jul 2018 13:52:17 -0500
Subject: [PATCH 1/2] Allow for additional LDFLAG controls for Brotli, H2, and
Subject: [PATCH 1/3] Allow for additional LDFLAG controls for Brotli, H2, and
SSL

---
@@ -84,6 +84,3 @@ index 90924a6..822bd48 100644
AC_ARG_VAR([LT_SYS_LIBRARY_PATH],
[User-defined run-time library search path.])

--
2.21.0

@@ -1,7 +1,7 @@
From fe238f8f65639f8f669e00be88904827ae0efa39 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Rishwanth Yeddula <rish@cpanel.net>
Date: Thu, 12 Jul 2018 13:53:29 -0500
Subject: [PATCH 2/2] Rebuild configure with the additional LDFLAG for Brotli,
Subject: [PATCH 2/3] Rebuild configure with the additional LDFLAG for Brotli,
H2, and SSL

---
@@ -210,6 +210,3 @@ index b703b6c..db2b1d7 100755

LDFLAGS="$LDFLAGS $LD_H2"
CPPFLAGS="$CPPFLAGS $CPP_H2"
--
2.21.0

@@ -0,0 +1,146 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jay Satiro <raysatiro@yahoo.com>
Date: Wed, 20 Nov 2019 18:44:18 -0500
Subject: [PATCH 3/3] openssl: Revert to less sensitivity for SYSCALL errors
(releases only)

Prior to this change 0ab38f5 (precedes 7.67.0) increased the sensitivity
of OpenSSL's SSL_ERROR_SYSCALL error so that abrupt server closures were
also considered errors. For example, a server that does not send a known
protocol termination point (eg HTTP content length or chunked encoding)
_and_ does not send a TLS termination point (close_notify alert) would
cause an error if it closed the connection.

To be clear that behavior made it into release build 7.67.0
unintentionally. So far there is just one user report due to it.

Ultimately the idea is a good one, and other SSL backends may already
behave similarly (such as Windows native OS SSL Schannel). However much
more of our user base is using OpenSSL and there is a mass of legacy
users in that space, so I think that behavior should be partially
reverted and then rolled out slowly.

This commit changes the behavior so that the increased sensitivity is
disabled in curl release builds but remains enabled in curl development
builds. If after a period of time there are no major issues then it can
be enabled for OpenSSL 1.1.1+ in curl release builds.

Bug: https://github.com/curl/curl/issues/4409#issuecomment-555955794
Reported-by: Bjoern Franke

Closes #xxxx
---
include/curl/curlver.h | 3 +++
lib/vtls/openssl.c | 46 +++++++++++++++++++++++++++++++++++-------
maketgz | 1 +
3 files changed, 43 insertions(+), 7 deletions(-)

diff --git a/include/curl/curlver.h b/include/curl/curlver.h
index cab09ee..58a13d5 100644
--- a/include/curl/curlver.h
+++ b/include/curl/curlver.h
@@ -32,6 +32,9 @@
file origins: */
#define LIBCURL_VERSION "7.67.0"

+/* This indicates a DEV build. Remove or comment it out for a release build.
+#define LIBCURL_DEV_BUILD
+*/
/* The numeric version number is also available "in parts" by using these
defines: */
#define LIBCURL_VERSION_MAJOR 7
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 760758d..52cf9bb 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -392,11 +392,20 @@ static const char *SSL_ERROR_to_str(int err)
*/
static char *ossl_strerror(unsigned long error, char *buf, size_t size)
{
+ if(size)
+ *buf = '\0';
+
#ifdef OPENSSL_IS_BORINGSSL
ERR_error_string_n((uint32_t)error, buf, size);
#else
ERR_error_string_n(error, buf, size);
#endif
+
+ if(size > 1 && !*buf) {
+ strncpy(buf, (error ? "Unknown error" : "No error"), size);
+ buf[size - 1] = '\0';
+ }
+
return buf;
}

@@ -3826,8 +3835,12 @@ static ssize_t ossl_send(struct connectdata *conn,
*curlcode = CURLE_AGAIN;
return -1;
case SSL_ERROR_SYSCALL:
- Curl_strerror(SOCKERRNO, error_buffer, sizeof(error_buffer));
- failf(conn->data, OSSL_PACKAGE " SSL_write: %s", error_buffer);
+ sslerror = ERR_get_error();
+ failf(conn->data, OSSL_PACKAGE " SSL_write: %s, errno %d",
+ (sslerror ?
+ ossl_strerror(sslerror, error_buffer, sizeof(error_buffer)) :
+ SSL_ERROR_to_str(err)),
+ SOCKERRNO);
*curlcode = CURLE_SEND_ERROR;
return -1;
case SSL_ERROR_SSL:
@@ -3894,11 +3907,6 @@ static ssize_t ossl_recv(struct connectdata *conn, /* connection data */
/* there's data pending, re-invoke SSL_read() */
*curlcode = CURLE_AGAIN;
return -1;
- case SSL_ERROR_SYSCALL:
- Curl_strerror(SOCKERRNO, error_buffer, sizeof(error_buffer));
- failf(conn->data, OSSL_PACKAGE " SSL_read: %s", error_buffer);
- *curlcode = CURLE_RECV_ERROR;
- return -1;
default:
/* openssl/ssl.h for SSL_ERROR_SYSCALL says "look at error stack/return
value/errno" */
@@ -3915,6 +3923,30 @@ static ssize_t ossl_recv(struct connectdata *conn, /* connection data */
*curlcode = CURLE_RECV_ERROR;
return -1;
}
+ /* For developer's builds be a little stricter and error on any
+ SSL_ERROR_SYSCALL. For example a server may have closed the connection
+ abruptly without a close_notify alert. For compatibility with older
+ peers we don't do this by default.
+
+ We can use this to gauge how many users may be affected, and
+ if it goes ok eventually transition to allow in release with the
+ newest OpenSSL: #if (OPENSSL_VERSION_NUMBER >= 0x10101000L) */
+#ifdef LIBCURL_DEV_BUILD
+ if(err == SSL_ERROR_SYSCALL) {
+ int sockerr = SOCKERRNO;
+ if(sockerr)
+ Curl_strerror(sockerr, error_buffer, sizeof(error_buffer));
+ else {
+ msnprintf(error_buffer, sizeof(error_buffer),
+ "Connection closed abruptly");
+ }
+ failf(conn->data, OSSL_PACKAGE " SSL_read: %s, errno %d"
+ " (Fatal because this is a curl developer's build)",
+ error_buffer, sockerr);
+ *curlcode = CURLE_RECV_ERROR;
+ return -1;
+ }
+#endif
}
}
return nread;
diff --git a/maketgz b/maketgz
index 55a57c1..fa4d6b9 100755
--- a/maketgz
+++ b/maketgz
@@ -85,6 +85,7 @@ sed -i.bak \
-e 's/^#define LIBCURL_VERSION_MINOR .*/#define LIBCURL_VERSION_MINOR '$minor'/g' \
-e 's/^#define LIBCURL_VERSION_PATCH .*/#define LIBCURL_VERSION_PATCH '$patch'/g' \
-e "s/^#define LIBCURL_TIMESTAMP .*/#define LIBCURL_TIMESTAMP \"$datestamp\"/g" \
+ -e "s/^#define LIBCURL_DEV_.*//g" \
$HEADER
rm -f "$HEADER.bak"
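Review bot: In the ossl_send hunk (`@@ -3826,8 +3835,12 @@`) SOCKERRNO is read as a failf argument next to the ossl_strerror call and only after ERR_get_error has already run; C leaves argument evaluation order unspecified and both OpenSSL calls may touch errno, so the `errno %d` value logged can be stale. The ossl_recv hunk in the same file captures it first with `int sockerr = SOCKERRNO;`, and ossl_send should do the same: add `int sockerr = SOCKERRNO;` before `sslerror = ERR_get_error();` and pass `sockerr` in place of `SOCKERRNO`. Both ossl_send and ossl_recv start and end outside their hunks, and `sslerror` is declared outside the hunk too, so the enclosing switch cannot be checked here. As this file is a vendored upstream patch, the change presumably belongs in a follow-up patch file rather than an edit of this one.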

@@ -16,7 +16,7 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: %{pkg_name}
Version: 7.67.0
%define release_prefix 1
%define release_prefix 2
Release: %{release_prefix}%{?dist}.cpanel
License: MIT
Vendor: cPanel, Inc.
@@ -43,6 +43,7 @@ BuildRoot: %{_tmppath}/%{pkg_name}-%{version}-%{release}-root
# 4. Build the final patch files with:
# 4a. git format-patch --zero-commit --no-signature master..patches
Patch1: 0002-Rebuild-configure-with-the-additional-LDFLAG-for-Bro.patch
Patch2: 0003-openssl-Revert-to-less-sensitivity-for-SYSCALL-error.patch

Requires: libssh2
Requires: ea-openssl >= %{ea_openssl_ver}
@@ -79,6 +80,7 @@ headers, and manual pages to develop applications using libcurl.

%setup -q -n curl-%{version}
%patch1 -p1 -b .sslldflags
%patch2 -p1 -b .sslldflags

%build
cd %{curlroot} && (if [ -f configure.in ]; then mv -f configure.in configure.in.rpm; fi)
@@ -146,6 +148,9 @@ install -m 755 -d %{buildroot}%{_defaultdocdir}
%dir %{_defaultdocdir}

%changelog
* Thu Nov 21 2019 Tim Mullin <tim@cpanel.net> - 7.67.0-2
- EA-8754: Patch libcurl 7.67.0 for OpenSSL issue breaking WHMCS

* Fri Nov 08 2019 Cory McIntire <cory@cpanel.net> - 7.67.0-1
- EA-8739: Update libcurl from v7.66.0 to v7.67.0
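Review bot: The new `%patch2 -p1 -b .sslldflags` line reuses patch1's backup suffix, so backups made while applying the OpenSSL SYSCALL patch are labelled as LDFLAG changes; a suffix naming the patch, e.g. `%patch2 -p1 -b .sslsyscall`, keeps them attributable. The two patches touch different files, so this is cosmetic rather than a clobbering risk. The changelog entry names the ticket but not the effect, which is that abrupt TLS closes without a close_notify alert are again treated as end-of-data in this build rather than as errors; stating that in the entry would make the behaviour visible to whoever rebases the package onto a later libcurl.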
