From: Stefan Eissing
Date: Fri, 29 Aug 2025 15:38:45 +0000 (+0200)
Subject: aws-lc: do not use large buffer
X-Git-Tag: curl-8_16_0~52
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e65dc7fa23ec07babf0f9455709f8834d9ee1857;p=thirdparty%2Fcurl.git

aws-lc: do not use large buffer

test_10_08, uploading larger files for a h2 proxy, sporadically fails with a decrpytion error on received data in AWS-LC. The frequency can be increased by simulated network receive blocks. Not setting a 4 * TLS record sized buffer, leaving AWS-LC at its default buffer size seems to mitigate this problem.

Closes #18434
---
diff --git a/lib/cf-h2-proxy.c b/lib/cf-h2-proxy.c
index 007cc770d9..d67bbd55ad 100644
--- a/lib/cf-h2-proxy.c
+++ b/lib/cf-h2-proxy.c
@@ -474,7 +474,7 @@ static CURLcode proxy_h2_progress_ingress(struct Curl_cfilter *cf,
 Curl_bufq_len(&ctx->inbufq), result, nread);
 if(result) {
 if(result != CURLE_AGAIN) {
- failf(data, "Failed receiving HTTP2 data");
+ failf(data, "Failed receiving HTTP2 proxy data");
 return result;
 }
 break;
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 45469205cf..5971d9a358 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -121,8 +121,14 @@ static void ossl_provider_cleanup(struct Curl_easy *data);
 #endif
+/*
+ * AWS-LC has `SSL_CTX_set_default_read_buffer_len()?` but runs into
+ * decryption failures with large buffers. Sporadic failures in
+ * test_10_08 with h2 proxy uploads, increased frequency
+ * with CURL_DBG_SOCK_RBLOCK=50. Looks like a bug on their part.
+ */
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
- !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)
+ !defined(LIBRESSL_VERSION_NUMBER) && !defined(HAVE_BORINGSSL_LIKE)
 #define HAVE_SSL_CTX_SET_DEFAULT_READ_BUFFER_LEN 1
 #endif
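Review bot: The new comment above the `#if` in lib/vtls/openssl.c is imprecise for a build-breaking workaround: the stray `?` in `SSL_CTX_set_default_read_buffer_len()?` reads as uncertainty, and the text never says what the guard change actually does, namely that replacing `OPENSSL_IS_BORINGSSL` with `HAVE_BORINGSSL_LIKE` (presumably also set for AWS-LC) stops defining `HAVE_SSL_CTX_SET_DEFAULT_READ_BUFFER_LEN` for AWS-LC, which in turn skips the `SSL_CTX_set_default_read_buffer_len(octx->ssl_ctx, 0x401e * 4)` call in the second hunk of this file. Since a reader of the call site only sees the "4 packets is better" comment, the exclusion should be stated where the macro is decided and the issue referenced, e.g. `/* Excludes HAVE_BORINGSSL_LIKE builds (BoringSSL, AWS-LC): AWS-LC provides SSL_CTX_set_default_read_buffer_len() but sporadically fails to decrypt received data with a large read buffer (test_10_08 h2 proxy uploads, reproducible with CURL_DBG_SOCK_RBLOCK=50; see #18434). */`. The second hunk's call-site comment would benefit from a one-line pointer to this guard as well, so that the buffer-size tuning is not re-enabled for AWS-LC by accident.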
@@ -4129,7 +4135,6 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
 However using a large buffer (8 packets) actually decreases performance. 4 packets is better. */
-
 #ifdef HAVE_SSL_CTX_SET_DEFAULT_READ_BUFFER_LEN
 SSL_CTX_set_default_read_buffer_len(octx->ssl_ctx, 0x401e * 4);
 #endif
diff --git a/tests/http/test_10_proxy.py b/tests/http/test_10_proxy.py
index ac70ec3eb2..e61284a4ca 100644
--- a/tests/http/test_10_proxy.py
+++ b/tests/http/test_10_proxy.py
@@ -226,11 +226,11 @@ class TestProxy:
 extra_args=xargs)
 assert self.get_tunnel_proto_used(r) == tunnel
 r.check_response(count=count, http_status=200)
+ assert r.total_connects == 1, r.dump_logs()
 indata = open(srcfile).readlines()
 for i in range(count):
 respdata = open(curl.response_file(i)).readlines()
 assert respdata == indata, f'response {i} differs'
- assert r.total_connects == 1, r.dump_logs()
 @pytest.mark.skipif(condition=not Env.have_ssl_curl(), reason="curl without SSL")
 @pytest.mark.parametrize("tunnel", ['http/1.1', 'h2'])