Thanks, applied as 7795bf2fb5dc78944132b3da0d5f6309aaae7b44. Michael
[sent from post-receive hook] On Thu, 08 Feb 2024 17:02:56 +0100, Steffen Trumtrar <s.trumt...@pengutronix.de> wrote: > Signed-off-by: Steffen Trumtrar <s.trumt...@pengutronix.de> > Message-Id: > <20240122-v2024-01-0-topic-openssl-v1-3-88a1234c0...@pengutronix.de> > [mol: put new patch into a new section] > Signed-off-by: Michael Olbrich <m.olbr...@pengutronix.de> > > diff --git > a/patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch > > b/patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch > new file mode 100644 > index 000000000000..814bd07bec63 > --- /dev/null > +++ > b/patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch 
> @@ -0,0 +1,41 @@ > +From: Matt Caswell <m...@openssl.org> > +Date: Tue, 2 Jan 2024 16:48:43 +0000 > +Subject: [PATCH] Don't apply max_frag_len checking if no Max Fragment Length > + extension > + > +Don't check the Max Fragment Length if the it hasn't been negotiated. We > +were checking it anyway, and using the default value > +(SSL3_RT_MAX_PLAIN_LENGTH). This works in most cases but KTLS can cause the > +record length to actually exceed this in some cases. > + > +Fixes #23169 > +--- > + ssl/record/methods/tls_common.c | 14 ++++++++++---- > + 1 file changed, 10 insertions(+), 4 deletions(-) > + > +diff --git a/ssl/record/methods/tls_common.c > b/ssl/record/methods/tls_common.c > +index 423777c18dd4..1a9320ae74de 100644 > +--- a/ssl/record/methods/tls_common.c > ++++ b/ssl/record/methods/tls_common.c > +@@ -910,11 +910,17 @@ int tls_get_more_records(OSSL_RECORD_LAYER *rl) > + } > + > + /* > +- * Check if the received packet overflows the current > +- * Max Fragment Length setting. > +- * Note: rl->max_frag_len > 0 and KTLS are mutually exclusive. > ++ * Record overflow checking (e.g. checking if > ++ * thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH) is the responsibility > of > ++ * the post_process_record() function above. However we check here > if > ++ * the received packet overflows the current Max Fragment Length > setting > ++ * if there is one. > ++ * Note: rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH and KTLS are > ++ * mutually exclusive. Also note that with KTLS thisrr->length can > ++ * be > SSL3_RT_MAX_PLAIN_LENGTH (and rl->max_frag_len must be > ignored) > + */ > +- if (thisrr->length > rl->max_frag_len) { > ++ if (rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH > ++ && thisrr->length > rl->max_frag_len) { > + RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, > SSL_R_DATA_LENGTH_TOO_LONG); > + goto end; > + } > diff --git a/patches/openssl-3.2.0/series b/patches/openssl-3.2.0/series > index d655cfc0212e..309ec1465b5e 100644 > --- a/patches/openssl-3.2.0/series 
> +++ b/patches/openssl-3.2.0/series > @@ -1,8 +1,11 @@ > # generated by git-ptx-patches > #tag:base --start-number 1 > +#tag:debian --start-number 1 > 0001-debian-targets.patch > 0002-pic.patch > 0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch > 0004-conf-Serialize-allocation-free-of-ssl_names.patch > 0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch > -# c935d671c5de74f0dec935f1f45438cc - git-ptx-patches magic > +#tag:upstream --start-number 100 > +0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch > +# d6f307e5d2ef578b08c895257daa6fbc - git-ptx-patches magic
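Review bot: the relaxed condition in the tls_common.c hunk (`if (rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH && thisrr->length > rl->max_frag_len)`) removes the only rejection at this point for records longer than the default when no Max Fragment Length extension was negotiated, so the record-overflow bound now rests entirely on the `post_process_record()` check that the new comment says is responsible; when carrying this onto openssl-3.2.0 please confirm that check is present in the 3.2.0 tree and say so in the patch header, and record the upstream commit id next to `Fixes #23169` (the header only carries From/Date/Subject) so the backport can be matched against upstream. Note also that the quoted diff has been re-wrapped by the mail client (e.g. `is the responsibility > of` and `must be > ignored)`), so it will not apply from the mail body; the pushed commit is the authoritative copy.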
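Review bot: the series hunk leaves `#tag:base --start-number 1` with no patches under it now that 0001 to 0005 sit under the new `#tag:debian --start-number 1`; if git-ptx-patches does not need an empty base section, drop that tag line, otherwise a short comment saying why it stays would help whoever regenerates the series next. The new `#tag:upstream --start-number 100` section and the `0100-` prefix of the added patch agree with each other, and the changed `git-ptx-patches magic` line is the expected result of regenerating.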