openssl: Fix return value from tls_net_read.

[krispraws]

Error codes returned from SSL_get_error() are positive values: https://github.com/openssl/openssl/blob/master/include/openssl/ssl.h.in#L1181
Without this fix, if the read fails and SSL_get_error() returned SSL_ERROR_SSL or any other similar error, tls_net_read returns 1 to the caller which thinks it read 1 byte.

Addresses

Addresses #4098

Testing
Before we can approve your change; please submit the following in a comment:

• Example configuration file for the change
• Debug log output from testing the change

• Attached Valgrind output that shows no leaks or memory corruption was found

Documentation

• Documentation required for this feature

---

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

[edsiper]

Some fixes are needed. Please sign-off your commits otherwise DCO won't pass (git commit -s -m "..")

In your other branch, you also have ERR_clear_error(); and you are right, that is needed before every SSL_Read|Write call.

Let's take some inspiration from Curl OpenSSL backend usage:

https://github.com/curl/curl/blob/master/lib/vtls/openssl.c#L4210-L4270 (fixed link)

[krispraws]

The curl implementation is a good reference but it is a little different from the current one.
I won’t be able to make major changes and test in time for today's release.
If you want it today,

• I can add the ERR_clear_error() to tls_net_read, tls_net_write and tls_net_handshake.
• In https://github.com/fluent/fluent-bit/blob/master/src/tls/openssl.c#L362, change if( ret < 0) to if (ret != SSL_ERROR_NONE && ret != SSL_ERROR_ZERO_RETURN)
SSL_ERROR_NONE is not really needed because we only call SSL_get_err() if SSL_read() < = 0 unlike the curl version. And the docs say SSL_ERROR_NONE The TLS/SSL I/O operation completed. This result code is returned if and only if ret > 0.
  I read conflicting opinions on handling SSL_ERROR_ZERO_RETURN so I am not confident about that.

My other branch based off 1.7.5 has changes to clear the error queue before and after the read/write/handshake call, and print the errors. it also checks errno for SSL_ERROR_SYSCALL. I can compare it with curl's implementation next week.

[krispraws]

Looking at

fluent-bit/src/tls/flb_tls.c

Line 210 in 37aa680

else if (ret == 0) {

, a 0 return is also treated as an error so returning distinct values for anything other than WANT_READ/WANT_WRITE is not going to make a difference to behaviour.
Current version:

ret = SSL_read(session->ssl, buf, len);
    if (ret <= 0) {
        ret = SSL_get_error(session->ssl, ret);
        if (ret == SSL_ERROR_WANT_READ) {
            ret = FLB_TLS_WANT_READ;
        }
        else if (ret < 0) {
            ret = -1;
        }
    }

PR change:

ret = SSL_read(session->ssl, buf, len);
    if (ret <= 0) {
        ret = SSL_get_error(session->ssl, ret);
        if (ret == SSL_ERROR_WANT_READ) {
            ret = FLB_TLS_WANT_READ;
        }
        else {
            ret = -1;
        }
    }

Adding a special check for other errors won't make a difference, IMO.

[edsiper]

note that current version and PR change commented above are the same code

[krispraws]

I had a typo - fixed it. So in the current version, i don't distinguish between errors other than WANT_READ/WANT_WRITE. And I don't see what I can include without more testing. Adding special cases for SSL_ERROR_ZERO_RETURN and SSL_ERROR_NONE won't make a difference as I explained.

Can you be more clear about what you are expecting for today's release?

[krispraws]

Updated the commit to clear error queue.

[edsiper]

here is a thing (and I still need to clarify more): the error might describe that "wants to read or write" in the case of "SSL_ERROR_WANT_WRITE", by definition:

#define SSL_ERROR_WANT_WRITE 3

that is not an error and removing the < 0 will make that case to fail. Not sure about the impact of that change.

[krispraws]

I understand that. However it is already a bug. tls_net_read is returning 3 today for SSL_ERROR_WANT_WRITE which is worse because it makes the http client adds 3 garbage bytes to its response buffer. It doesn't log an error but it will corrupt memory later on.

[krispraws]

Added the change to handle SSL_ERROR_WANT_WRITE.

[edsiper]

I think until we don't have full clarity of the impact of the change, let's put this PR on stand-by, I will ask other folks to provide their opinion on this (cc: @nokute78 @leonardo-albertovich)

[krispraws]

Thanks for clarifying. I think we do need to handle SSL_ERROR_WANT_WRITE for SSL_read and I asked about it in #4098.
In the current code, if SSL_ERROR_WANT_WRITE occurs, it will return 3 and the caller will think it read 3 bytes, which is wrong.
With the version in this PR, we will return -1. This is not ideal but it will at least kill the connection rather than adding garbage data to the response. I have an unpublished commit that actually handles SSL_ERROR_WANT_WRITE correctly but it is based off 1.7.5 and I wanted to get other's opinions.

[krispraws]

Holding off on this PR sounds fine. The fix for handling SSL_ERROR_WANT_WRITE is in my other branch: krispraws@d999787
I will create a formal PR next week. Thanks

[nokute78]

Looks good to me.

By the way, we may need to take care a case which mbedtls_ssl_read returns MBEDTLS_ERR_SSL_WANT_WRITE.
https://tls.mbed.org/api/ssl_8h.html#aa2c29eeb1deaf5ad9f01a7515006ede5

[hossain-rayhan]

Hi @edsiper what's our plan on this PR now?

[github-actions]

This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days.

[leonardo-albertovich]

This looks good to me, I double checked the documentation to be sure that the event loop event type switch is correct and indeed it is so let's make one last round of checkins to ensure that we all agree about it : @edsiper @krispraws

[krispraws]

This looks good to me, I double checked the documentation to be sure that the event loop event type switch is correct and indeed it is so let's make one last round of checkins to ensure that we all agree about it : @edsiper @krispraws

I will wait a day for additional comments and rebase this PR.

[nokute78]

@krispraws Could you fix conflict ?

Note: #4369 and aws/aws-for-fluent-bit#278 (comment) may be fixed by this patch.

[krispraws]

@nokute78 , I have rebased against the latest master branch and fixed conflicts. Please review.

[nokute78]

@krispraws Thank you for fixing.

[nokute78]

@edsiper

I think until we don't have full clarity of the impact of the change, let's put this PR on stand-by, I will ask other folks to provide their opinion on this (cc: @nokute78 @leonardo-albertovich)

I and @leonardo-albertovich approved this patch.
Let's merge this PR.

[nokute78]

@edsiper I can't merge this since At least 1 approving review is required to merge this pull request..
Could you review this ?

[krispraws]

@edsiper , Is there anything else needed for this PR?

[edsiper]

thanks everybody for your patience, I will re-force the CI since it's stuck and merge it as soon as is ready

[edsiper]

looks like everything is good, just a problem with the CI message update

[edsiper]

@krispraws @nokute78 @leonardo-albertovich @PettitWesley

are you ok with moving this change also to 1.8 branch for the next 1.8.12 release ?

[krispraws]

@edsiper , yes, we should move this to 1.8. Do you want me to create a PR for that?

[edsiper]

@krispraws thanks, yes please! so we can make it part of 1.8.12

[krispraws]

@edsiper, Backport PR for 1.8 is up : #4584