[gentoo-commits] repo/gentoo:master commit in: sys-apps/systemd/, sys-apps/systemd/files/

Wed, 06 Aug 2025 19:47:23 -0700 

commit:     79b8606656caa3c84e004db85e072ca64c4a2917
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Thu Aug  7 02:45:41 2025 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Thu Aug  7 02:46:08 2025 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=79b86066

sys-apps/systemd: revert recent resolved change causing hangs in 257.8

Bug: https://github.com/systemd/systemd/issues/38509
Signed-off-by: Sam James <sam <AT> gentoo.org>

 ...lved-don-t-wait-for-TLS-close_notify-repl.patch | 146 +++++++++++++++++++++
 ...ystemd-257.8.ebuild => systemd-257.8-r1.ebuild} |   1 +
 2 files changed, 147 insertions(+)

diff --git 
a/sys-apps/systemd/files/257-Revert-resolved-don-t-wait-for-TLS-close_notify-repl.patch
 
b/sys-apps/systemd/files/257-Revert-resolved-don-t-wait-for-TLS-close_notify-repl.patch
new file mode 100644
index 000000000000..f61e0e653ef8
--- /dev/null
+++ 
b/sys-apps/systemd/files/257-Revert-resolved-don-t-wait-for-TLS-close_notify-repl.patch
@@ -0,0 +1,146 @@
+From 5917c6780f2c7852fdcf08ae48fb3966acb34428 Mon Sep 17 00:00:00 2001
+Message-ID: 
<5917c6780f2c7852fdcf08ae48fb3966acb34428.1754534163.git....@gentoo.org>
+From: Sam James <[email protected]>
+Date: Thu, 7 Aug 2025 03:35:47 +0100
+Subject: [PATCH] Revert "resolved: don't wait for TLS close_notify replies
+ unnecessarily"
+
+Bug: https://github.com/systemd/systemd/issues/38509
+This reverts commit 12a455db368340733ac9a701d9a5864b612d3408.
+--- a/src/resolve/resolved-dnstls-openssl.c
++++ b/src/resolve/resolved-dnstls-openssl.c
+@@ -159,39 +159,42 @@ int dnstls_stream_on_io(DnsStream *stream, uint32_t 
revents) {
+         }
+ 
+         if (stream->dnstls_data.shutdown) {
+-                /* NB: when a shutdown is initiated by us we'll wait until 
the close_notify TLS message is
+-                 * sent out, but we'll not wait for the reply to it, to 
minimize dependencies on slow
+-                 * servers */
+-
+                 ERR_clear_error();
+                 r = SSL_shutdown(stream->dnstls_data.ssl);
+-                if (r < 0) {
++                if (r == 0) {
++                        stream->dnstls_events = 0;
++
++                        r = dnstls_flush_write_buffer(stream);
++                        if (r < 0)
++                                return r;
++
++                        return -EAGAIN;
++                } else if (r < 0) {
+                         error = SSL_get_error(stream->dnstls_data.ssl, r);
+-                        if (error == SSL_ERROR_WANT_READ)
+-                                stream->dnstls_events = EPOLLIN;
+-                        else if (error == SSL_ERROR_WANT_WRITE)
+-                                stream->dnstls_events = EPOLLOUT;
+-                        else if (error == SSL_ERROR_SYSCALL) {
+-                                if (errno != 0)
+-                                        log_debug_errno(errno, "Failed to 
invoke SSL_shutdown(), ignoring: %m");
+-                                else
+-                                        log_debug("Failed to invoke 
SSL_shutdown(), ignoring (unknown system error).");
++                        if (IN_SET(error, SSL_ERROR_WANT_READ, 
SSL_ERROR_WANT_WRITE)) {
++                                stream->dnstls_events = error == 
SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
++
++                                r = dnstls_flush_write_buffer(stream);
++                                if (r < 0)
++                                        return r;
++
++                                return -EAGAIN;
++                        } else if (error == SSL_ERROR_SYSCALL) {
++                                if (errno > 0)
++                                        log_debug_errno(errno, "Failed to 
invoke SSL_shutdown, ignoring: %m");
+                         } else
+-                                log_debug("Failed to invoke SSL_shutdown(), 
ignoring: %s", DNSTLS_ERROR_STRING(error));
+-                } else
+-                        stream->dnstls_events = 0;
++                                log_debug("Failed to invoke SSL_shutdown, 
ignoring: %s", DNSTLS_ERROR_STRING(error));
++                }
++
++                stream->dnstls_events = 0;
++                stream->dnstls_data.shutdown = false;
+ 
+                 r = dnstls_flush_write_buffer(stream);
+                 if (r < 0)
+                         return r;
+ 
+-                /* All data written? Then we are done, release the stream */
+-
+-                stream->dnstls_data.shutdown = false;
+                 dns_stream_unref(stream);
+-
+                 return DNSTLS_STREAM_CLOSED;
+-
+         } else if (stream->dnstls_data.handshake <= 0) {
+                 ERR_clear_error();
+                 stream->dnstls_data.handshake = 
SSL_do_handshake(stream->dnstls_data.ssl);
+@@ -238,35 +241,45 @@ int dnstls_stream_shutdown(DnsStream *stream, int error) 
{
+         }
+ 
+         if (error == ETIMEDOUT) {
+-                /* Initiate a shutdown from our side, and remember so. Pin 
the stream until that's complete. */
+-                if (!stream->dnstls_data.shutdown) {
+-                        stream->dnstls_data.shutdown = true;
+-                        dns_stream_ref(stream);
+-                }
+-
+                 ERR_clear_error();
+                 r = SSL_shutdown(stream->dnstls_data.ssl);
+-                if (r < 0) {
++                if (r == 0) {
++                        if (!stream->dnstls_data.shutdown) {
++                                stream->dnstls_data.shutdown = true;
++                                dns_stream_ref(stream);
++                        }
++
++                        stream->dnstls_events = 0;
++
++                        r = dnstls_flush_write_buffer(stream);
++                        if (r < 0)
++                                return r;
++
++                        return -EAGAIN;
++                } else if (r < 0) {
+                         ssl_error = SSL_get_error(stream->dnstls_data.ssl, r);
+-                        if (ssl_error == SSL_ERROR_WANT_READ)
+-                                stream->dnstls_events = EPOLLIN;
+-                        else if (ssl_error == SSL_ERROR_WANT_WRITE)
+-                                stream->dnstls_events = EPOLLOUT;
+-                        else if (ssl_error == SSL_ERROR_SYSCALL) {
+-                                if (errno != 0)
+-                                        log_debug_errno(errno, "Failed to 
invoke SSL_shutdown(), ignoring: %m");
+-                                else
+-                                        log_debug("Failed to invoke 
SSL_shutdown(), ignoring (unknown system error).");
++                        if (IN_SET(ssl_error, SSL_ERROR_WANT_READ, 
SSL_ERROR_WANT_WRITE)) {
++                                stream->dnstls_events = ssl_error == 
SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
++                                r = dnstls_flush_write_buffer(stream);
++                                if (r < 0 && r != -EAGAIN)
++                                        return r;
++
++                                if (!stream->dnstls_data.shutdown) {
++                                        stream->dnstls_data.shutdown = true;
++                                        dns_stream_ref(stream);
++                                }
++                                return -EAGAIN;
++                        } else if (ssl_error == SSL_ERROR_SYSCALL) {
++                                if (errno > 0)
++                                        log_debug_errno(errno, "Failed to 
invoke SSL_shutdown, ignoring: %m");
+                         } else
+-                                log_debug("Failed to invoke SSL_shutdown(), 
ignoring: %s", DNSTLS_ERROR_STRING(error));
+-                } else
+-                        stream->dnstls_events = 0;
++                                log_debug("Failed to invoke SSL_shutdown, 
ignoring: %s", DNSTLS_ERROR_STRING(ssl_error));
++                }
+ 
++                stream->dnstls_events = 0;
+                 r = dnstls_flush_write_buffer(stream);
+                 if (r < 0)
+                         return r;
+-
+-                /* dnstls_stream_on_io() will complete the shutdown for us */
+         }
+ 
+         return 0;
+-- 
+2.50.1
+

diff --git a/sys-apps/systemd/systemd-257.8.ebuild 
b/sys-apps/systemd/systemd-257.8-r1.ebuild
similarity index 99%
rename from sys-apps/systemd/systemd-257.8.ebuild
rename to sys-apps/systemd/systemd-257.8-r1.ebuild
index d8afeeb7bd70..4fc16bd378a4 100644
--- a/sys-apps/systemd/systemd-257.8.ebuild
+++ b/sys-apps/systemd/systemd-257.8-r1.ebuild
@@ -273,6 +273,7 @@ src_unpack() {
 src_prepare() {
        local PATCHES=(
                "${FILESDIR}"/systemd-257-cred-util-tpm2.patch
+               
"${FILESDIR}"/257-Revert-resolved-don-t-wait-for-TLS-close_notify-repl.patch
        )
 
        if ! use vanilla; then

Reply via email to