From owner-dev-commits-src-main@freebsd.org Wed Feb 3 15:54:04 2021 Return-Path: Delivered-To: dev-commits-src-main@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 1D5EB53AB53; Wed, 3 Feb 2021 15:54:04 +0000 (UTC) (envelope-from madpilot@FreeBSD.org) Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4DW5p40HKwz4nGM; Wed, 3 Feb 2021 15:54:04 +0000 (UTC) (envelope-from madpilot@FreeBSD.org) Received: from marvin.madpilot.net (host-79-12-130-69.retail.telecomitalia.it [79.12.130.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) (Authenticated sender: madpilot/mail) by smtp.freebsd.org (Postfix) with ESMTPSA id 42DDA354EC; Wed, 3 Feb 2021 15:54:03 +0000 (UTC) (envelope-from madpilot@FreeBSD.org) Subject: Re: git: aa906e2a4957 - main - OpenSSL: Support for kernel TLS offload (KTLS) To: John Baldwin , src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Cc: Benjamin Kaduk References: <202101281825.10SIPTGJ021104@gitrepo.freebsd.org> <8257bc17-3a2d-f348-a0d5-fbd0f637629f@FreeBSD.org> <1675730b-f559-a732-be49-d89c97a376f8@FreeBSD.org> From: Guido Falsi Message-ID: <20cd3a96-0666-55f7-b389-5e9a7b2fa933@FreeBSD.org> Date: Wed, 3 Feb 2021 16:54:00 +0100 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:78.0) Gecko/20100101 Thunderbird/78.7.0 MIME-Version: 1.0 In-Reply-To: <1675730b-f559-a732-be49-d89c97a376f8@FreeBSD.org> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit X-BeenThere: dev-commits-src-main@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commit messages for the main branch of the src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Feb 2021 15:54:04 -0000 On 03/02/21 01:47, John Baldwin wrote: > On 1/31/21 10:41 AM, Guido Falsi wrote: >> On 28/01/21 19:25, John Baldwin wrote: >>> The branch main has been updated by jhb: >>> >>> URL: >>> https://cgit.FreeBSD.org/src/commit/?id=aa906e2a4957db700d9e6cc60857e1afe1aecc85 >>> >>> >>> commit aa906e2a4957db700d9e6cc60857e1afe1aecc85 >>> Author:     John Baldwin >>> AuthorDate: 2021-01-16 00:17:31 +0000 >>> Commit:     John Baldwin >>> CommitDate: 2021-01-28 18:24:13 +0000 >>> >>>       OpenSSL: Support for kernel TLS offload (KTLS) >>>       This merges upstream patches from OpenSSL's master branch to add >>>       KTLS infrastructure for TLS 1.0-1.3 including both RX and TX >>>       offload and SSL_sendfile support on both Linux and FreeBSD. >>>       Note that TLS 1.3 only supports TX offload. >>>       A new WITH/WITHOUT_OPENSSL_KTLS determines if OpenSSL is built >>> with >>>       KTLS support.  It defaults to enabled on amd64 and disabled on all >>>       other architectures. >>>       Reviewed by:    jkim (earlier version) >>>       Approved by:    secteam >>>       Obtained from:  OpenSSL (patches from master) >>>       MFC after:      1 week >>>       Relnotes:       yes >>>       Sponsored by:   Netflix >>>       Differential Revision:  https://reviews.freebsd.org/D28273 >>> --- >> >> This commit causes a strange interaction/regression with subverison >> client when using https protocol. >> >> I filed a bug report about this: >> >> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253135 >> >> Workarounds: >> >> - Compiling system defining WITHOUT_OPENSSL_KTLS >> - using the svn:// scheme > > I'm still waiting for a build to finish so I can test it, but I believe > this is a bug in serf.  This is the patch I'm going to test: > > diff --git a/contrib/serf/buckets/ssl_buckets.c > b/contrib/serf/buckets/ssl_buckets.c > index b01e5359db08..3c8b7e2a685f 100644 > --- a/contrib/serf/buckets/ssl_buckets.c > +++ b/contrib/serf/buckets/ssl_buckets.c > @@ -407,7 +407,7 @@ static int bio_bucket_destroy(BIO *bio) > >  static long bio_bucket_ctrl(BIO *bio, int cmd, long num, void *ptr) >  { > -    long ret = 1; > +    long ret = 0; > >      switch (cmd) { >      default: > @@ -415,6 +415,7 @@ static long bio_bucket_ctrl(BIO *bio, int cmd, long > num, void *ptr) >          break; >      case BIO_CTRL_FLUSH: >          /* At this point we can't force a flush. */ > +        ret = 1; >          break; >      case BIO_CTRL_PUSH: >      case BIO_CTRL_POP: > > serf defines its own custom OpenSSL BIO classes, and the BIO_ctrl(3) > manpage documents that the control methods of custom BIOs are supposed > to return 0 for unknown or unsupported requests: > >        Source/sink BIOs return an 0 if they do not recognize the > BIO_ctrl() >        operation. > > However, the custom BIOs in serf broke this rule and returned 1 for > unknown operations instead.  OpenSSL uses BIO_ctrl methods to determine > if a given BIO for a read or write side of an SSL connection is using > KTLS.  Because of the serf bug, this caused OpenSSL to believe that > these BIOs were using KTLS when they in fact were not.  serf will also > probably break with OpenSSL 3.0 even without KTLS due to the recently > added control for determining if a BIO has hit EOF which also returns > 1 to indicate it has hit EOF. > Thanks for the feedback. I have tested this patch. After reinstalling the system, from newly compiled sources. svnlite from base works fine now. svn from the package and also rebuilt from port fails. I guess ports provided serf library also has this bug, so we should fix it there too. -- Guido Falsi