From owner-dev-commits-src-all@freebsd.org Wed Feb 3 00:47:22 2021
Subject: Re: git: aa906e2a4957 - main - OpenSSL: Support for kernel TLS offload (KTLS)
To: Guido Falsi, src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
References: <202101281825.10SIPTGJ021104@gitrepo.freebsd.org> <8257bc17-3a2d-f348-a0d5-fbd0f637629f@FreeBSD.org>
Cc: Benjamin Kaduk
From: John Baldwin
Message-ID: <1675730b-f559-a732-be49-d89c97a376f8@FreeBSD.org>
Date: Tue, 2 Feb 2021 16:47:20 -0800
In-Reply-To: <8257bc17-3a2d-f348-a0d5-fbd0f637629f@FreeBSD.org>
List-Id: Commit messages for all branches of the src repository

On 1/31/21 10:41 AM, Guido Falsi wrote:
> On 28/01/21 19:25, John Baldwin wrote:
>> The branch main has been updated by jhb:
>>
>> URL: https://cgit.FreeBSD.org/src/commit/?id=aa906e2a4957db700d9e6cc60857e1afe1aecc85
>>
>> commit aa906e2a4957db700d9e6cc60857e1afe1aecc85
>> Author:     John Baldwin
>> AuthorDate: 2021-01-16 00:17:31 +0000
>> Commit:     John Baldwin
>> CommitDate: 2021-01-28 18:24:13 +0000
>>
>>     OpenSSL: Support for kernel TLS offload (KTLS)
>>
>>     This merges upstream patches from OpenSSL's master branch to add
>>     KTLS infrastructure for TLS 1.0-1.3 including both RX and TX
>>     offload and SSL_sendfile support on both Linux and FreeBSD.
>>
>>     Note that TLS 1.3 only supports TX offload.
>>
>>     A new WITH/WITHOUT_OPENSSL_KTLS determines if OpenSSL is built with
>>     KTLS support.  It defaults to enabled on amd64 and disabled on all
>>     other architectures.
>>
>>     Reviewed by:    jkim (earlier version)
>>     Approved by:    secteam
>>     Obtained from:  OpenSSL (patches from master)
>>     MFC after:      1 week
>>     Relnotes:       yes
>>     Sponsored by:   Netflix
>>     Differential Revision:  https://reviews.freebsd.org/D28273
>> ---
>
> This commit causes a strange interaction/regression with subversion
> client when using https protocol.
>
> I filed a bug report about this:
>
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253135
>
> Workarounds:
>
> - Compiling system defining WITHOUT_OPENSSL_KTLS
> - using the svn:// scheme

I'm still waiting for a build to finish so I can test it, but I believe
this is a bug in serf.  This is the patch I'm going to test:

diff --git a/contrib/serf/buckets/ssl_buckets.c b/contrib/serf/buckets/ssl_buckets.c
index b01e5359db08..3c8b7e2a685f 100644
--- a/contrib/serf/buckets/ssl_buckets.c
+++ b/contrib/serf/buckets/ssl_buckets.c
@@ -407,7 +407,7 @@ static int bio_bucket_destroy(BIO *bio)
 
 static long bio_bucket_ctrl(BIO *bio, int cmd, long num, void *ptr)
 {
-    long ret = 1;
+    long ret = 0;
 
     switch (cmd) {
     default:
@@ -415,6 +415,7 @@ static long bio_bucket_ctrl(BIO *bio, int cmd, long num, void *ptr)
         break;
     case BIO_CTRL_FLUSH:
         /* At this point we can't force a flush. */
+        ret = 1;
         break;
     case BIO_CTRL_PUSH:
     case BIO_CTRL_POP:

serf defines its own custom OpenSSL BIO classes, and the BIO_ctrl(3)
manpage documents that the control methods of custom BIOs are supposed
to return 0 for unknown or unsupported requests:

   Source/sink BIOs return an 0 if they do not recognize the BIO_ctrl()
   operation.

However, the custom BIOs in serf broke this rule and returned 1 for
unknown operations instead.

OpenSSL uses BIO_ctrl methods to determine if a given BIO for a read or
write side of an SSL connection is using KTLS.  Because of the serf bug,
this caused OpenSSL to believe that these BIOs were using KTLS when they
in fact were not.

serf will also probably break with OpenSSL 3.0 even without KTLS due to
the recently added control for determining if a BIO has hit EOF which
also returns 1 to indicate it has hit EOF.

-- 
John Baldwin
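Review bot: in the second hunk, with the initial value changed to 0, the BIO_CTRL_PUSH and BIO_CTRL_POP cases that follow now return 0, as will any case further down bio_bucket_ctrl that is outside the visible context and previously relied on ret starting at 1; those cases need an explicit `ret = 1;` like the one added to BIO_CTRL_FLUSH if they are controls the BIO genuinely supports, so that only supported controls report success.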