Thanks, applied as 7795bf2fb5dc78944132b3da0d5f6309aaae7b44.

Michael

[sent from post-receive hook]

On Thu, 08 Feb 2024 17:02:56 +0100, Steffen Trumtrar 
<s.trumt...@pengutronix.de> wrote:
> Signed-off-by: Steffen Trumtrar <s.trumt...@pengutronix.de>
> Message-Id: 
> <20240122-v2024-01-0-topic-openssl-v1-3-88a1234c0...@pengutronix.de>
> [mol: put new patch into a new section]
> Signed-off-by: Michael Olbrich <m.olbr...@pengutronix.de>
> 
> diff --git 
> a/patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
>  
> b/patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
> new file mode 100644
> index 000000000000..814bd07bec63
> --- /dev/null
> +++ 
> b/patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
> @@ -0,0 +1,41 @@
> +From: Matt Caswell <m...@openssl.org>
> +Date: Tue, 2 Jan 2024 16:48:43 +0000
> +Subject: [PATCH] Don't apply max_frag_len checking if no Max Fragment Length
> + extension
> +
> +Don't check the Max Fragment Length if the it hasn't been negotiated. We
> +were checking it anyway, and using the default value
> +(SSL3_RT_MAX_PLAIN_LENGTH). This works in most cases but KTLS can cause the
> +record length to actually exceed this in some cases.
> +
> +Fixes #23169
> +---
> + ssl/record/methods/tls_common.c | 14 ++++++++++----
> + 1 file changed, 10 insertions(+), 4 deletions(-)
> +
> +diff --git a/ssl/record/methods/tls_common.c 
> b/ssl/record/methods/tls_common.c
> +index 423777c18dd4..1a9320ae74de 100644
> +--- a/ssl/record/methods/tls_common.c
> ++++ b/ssl/record/methods/tls_common.c
> +@@ -910,11 +910,17 @@ int tls_get_more_records(OSSL_RECORD_LAYER *rl)
> +         }
> + 
> +         /*
> +-         * Check if the received packet overflows the current
> +-         * Max Fragment Length setting.
> +-         * Note: rl->max_frag_len > 0 and KTLS are mutually exclusive.
> ++         * Record overflow checking (e.g. checking if
> ++         * thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH) is the responsibility 
> of
> ++         * the post_process_record() function above. However we check here 
> if
> ++         * the received packet overflows the current Max Fragment Length 
> setting
> ++         * if there is one.
> ++         * Note: rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH and KTLS are
> ++         * mutually exclusive. Also note that with KTLS thisrr->length can
> ++         * be > SSL3_RT_MAX_PLAIN_LENGTH (and rl->max_frag_len must be 
> ignored)
> +          */
> +-        if (thisrr->length > rl->max_frag_len) {
> ++        if (rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH
> ++                && thisrr->length > rl->max_frag_len) {
> +             RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, 
> SSL_R_DATA_LENGTH_TOO_LONG);
> +             goto end;
> +         }
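Review bot: with the new condition the per-record length check against rl->max_frag_len is skipped whenever no Max Fragment Length extension was negotiated (rl->max_frag_len == SSL3_RT_MAX_PLAIN_LENGTH), so the generic record-overflow bound now rests entirely on post_process_record(), which the new comment says runs earlier; before shipping this in the openssl-3.2.0 package it is worth confirming in that tree that post_process_record() really rejects thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH on the non-KTLS path, otherwise the backport would relax a bound rather than only fix the KTLS case. Two smaller points: the patch as quoted here has lines wrapped by the mailer (e.g. `the post_process_record() function above. However we check here` / `if`), so the copy to apply should be taken from the original message, not from this rendering; and a reference to the upstream commit id below the `Fixes #23169` line (placeholder: `Upstream: <commit id>`) would make it easy to drop the patch at the next OpenSSL bump.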
> diff --git a/patches/openssl-3.2.0/series b/patches/openssl-3.2.0/series
> index d655cfc0212e..309ec1465b5e 100644
> --- a/patches/openssl-3.2.0/series
> +++ b/patches/openssl-3.2.0/series
> @@ -1,8 +1,11 @@
>  # generated by git-ptx-patches
>  #tag:base --start-number 1
> +#tag:debian --start-number 1
>  0001-debian-targets.patch
>  0002-pic.patch
>  0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
>  0004-conf-Serialize-allocation-free-of-ssl_names.patch
>  0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
> -# c935d671c5de74f0dec935f1f45438cc  - git-ptx-patches magic
> +#tag:upstream --start-number 100
> +0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
> +# d6f307e5d2ef578b08c895257daa6fbc  - git-ptx-patches magic
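Review bot: the series file gains `#tag:debian --start-number 1` and `#tag:upstream --start-number 100` so the backport lives in its own block, but nothing records which upstream OpenSSL release contains the fix, which is the information needed to decide when `0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch` can be dropped on the next version bump; consider noting it in the commit message or the patch header. The refreshed `git-ptx-patches magic` checksum on the last line shows the file was regenerated with the tool rather than hand-edited, which is the right way to change it.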