* [ptxdist] [PATCH 0/3] openssl: update to 3.2.0, make kTLS configurable
@ 2024-01-22 8:48 Steffen Trumtrar
2024-01-22 8:48 ` [ptxdist] [PATCH 1/3] openssl: Version bump. 3.1.4 -> 3.2.0 Steffen Trumtrar
` (2 more replies)
0 siblings, 3 replies; 9+ messages in thread
From: Steffen Trumtrar @ 2024-01-22 8:48 UTC (permalink / raw)
To: ptxdist
This series updates OpenSSL to 3.2.0 and makes kTLS configurable.
As OpenSSL has a bug for the kTLS receive side, add the upstream patch that
fixes this.
Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
---
Steffen Trumtrar (3):
openssl: Version bump. 3.1.4 -> 3.2.0
openssl: configure kTLS
openssl: add kTLS receive fix
.../0001-debian-targets.patch | 0
.../0002-pic.patch | 0
...llow-to-enable-ktls-if-target-does-not-st.patch | 8 ++---
...nf-Serialize-allocation-free-of-ssl_names.patch | 0
...rop-fzero-call-used-regs-used-gpr-from-De.patch | 0
...-max_frag_len-checking-if-no-Max-Fragment.patch | 41 ++++++++++++++++++++++
patches/{openssl-3.1.4 => openssl-3.2.0}/series | 3 +-
rules/openssl.in | 6 ++++
rules/openssl.make | 5 +--
9 files changed, 56 insertions(+), 7 deletions(-)
---
base-commit: 6c8952685f05b011c21dec645d990bad4776e6a4
change-id: 20240122-v2024-01-0-topic-openssl-0eb590f8d942
Best regards,
--
Steffen Trumtrar <s.trumtrar@pengutronix.de>
* [ptxdist] [PATCH 1/3] openssl: Version bump. 3.1.4 -> 3.2.0
From: Steffen Trumtrar @ 2024-01-22 8:48 UTC (permalink / raw)
To: ptxdist
Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
---
.../{openssl-3.1.4 => openssl-3.2.0}/0001-debian-targets.patch | 0
patches/{openssl-3.1.4 => openssl-3.2.0}/0002-pic.patch | 0
...003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch | 8 ++++----
.../0004-conf-Serialize-allocation-free-of-ssl_names.patch | 0
...005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch | 0
patches/{openssl-3.1.4 => openssl-3.2.0}/series | 0
rules/openssl.make | 4 ++--
7 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/patches/openssl-3.1.4/0001-debian-targets.patch b/patches/openssl-3.2.0/0001-debian-targets.patch
similarity index 100%
rename from patches/openssl-3.1.4/0001-debian-targets.patch
rename to patches/openssl-3.2.0/0001-debian-targets.patch
diff --git a/patches/openssl-3.1.4/0002-pic.patch b/patches/openssl-3.2.0/0002-pic.patch
similarity index 100%
rename from patches/openssl-3.1.4/0002-pic.patch
rename to patches/openssl-3.2.0/0002-pic.patch
diff --git a/patches/openssl-3.1.4/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch b/patches/openssl-3.2.0/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
similarity index 92%
rename from patches/openssl-3.1.4/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
rename to patches/openssl-3.2.0/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
index 60e2da3ef..6275de708 100644
--- a/patches/openssl-3.1.4/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
+++ b/patches/openssl-3.2.0/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
@@ -28,10 +28,10 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
-index aedfa370ca15..dfc3a431559a 100644
+index d1a15a115274..d15d28499a21 100644
--- a/Configurations/10-main.conf
+++ b/Configurations/10-main.conf
-@@ -700,7 +700,7 @@ my %targets = (
+@@ -693,7 +693,7 @@ my %targets = (
shared_target => "linux-shared",
shared_cflag => "-fPIC",
shared_ldflag => sub { $disabled{pinshared} ? () : "-Wl,-znodelete" },
@@ -41,10 +41,10 @@ index aedfa370ca15..dfc3a431559a 100644
"linux-latomic" => {
inherit_from => [ "linux-generic32" ],
diff --git a/Configure b/Configure
-index 227e5daea228..e1531d59e517 100755
+index cbba1749b5a3..a69068121949 100755
--- a/Configure
+++ b/Configure
-@@ -1699,7 +1699,7 @@ unless ($disabled{devcryptoeng}) {
+@@ -1765,7 +1765,7 @@ unless ($disabled{devcryptoeng}) {
unless ($disabled{ktls}) {
$config{ktls}="";
my $cc = $config{CROSS_COMPILE}.$config{CC};
diff --git a/patches/openssl-3.1.4/0004-conf-Serialize-allocation-free-of-ssl_names.patch b/patches/openssl-3.2.0/0004-conf-Serialize-allocation-free-of-ssl_names.patch
similarity index 100%
rename from patches/openssl-3.1.4/0004-conf-Serialize-allocation-free-of-ssl_names.patch
rename to patches/openssl-3.2.0/0004-conf-Serialize-allocation-free-of-ssl_names.patch
diff --git a/patches/openssl-3.1.4/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch b/patches/openssl-3.2.0/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
similarity index 100%
rename from patches/openssl-3.1.4/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
rename to patches/openssl-3.2.0/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
diff --git a/patches/openssl-3.1.4/series b/patches/openssl-3.2.0/series
similarity index 100%
rename from patches/openssl-3.1.4/series
rename to patches/openssl-3.2.0/series
diff --git a/rules/openssl.make b/rules/openssl.make
index 4e03c95aa..6e7111c70 100644
--- a/rules/openssl.make
+++ b/rules/openssl.make
@@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_OPENSSL) += openssl
#
# Paths and names
#
-OPENSSL_VERSION := 3.1.4
-OPENSSL_MD5 := 653ad58812c751b887e8ec37e02bba70
+OPENSSL_VERSION := 3.2.0
+OPENSSL_MD5 := 7903549a14abebc5c323ce4e85f2cbb2
OPENSSL := openssl-$(OPENSSL_VERSION)
OPENSSL_SUFFIX := tar.gz
OPENSSL_URL := \
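Review bot: the OPENSSL_MD5 value in this hunk is what the build will check the downloaded openssl-3.2.0 tarball against, and MD5 is not collision-resistant; cross-check 7903549a14abebc5c323ce4e85f2cbb2 against the SHA-256 and PGP signature published with the upstream 3.2.0 release before relying on it. The commit message also carries only a Signed-off-by; a one-line reason for the bump (the cover letter names the kTLS receive bug) belongs in the commit itself.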
--
2.43.0
* [ptxdist] [PATCH 2/3] openssl: configure kTLS
From: Steffen Trumtrar @ 2024-01-22 8:48 UTC (permalink / raw)
To: ptxdist
Since 3.0.0 OpenSSL can use kTLS. Allow configuring it.
With kTLS enabled the Linux kernel can handle the TLS connection in
kernel space and potentially offload to crypto/network hardware.
Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
---
rules/openssl.in | 6 ++++++
rules/openssl.make | 1 +
2 files changed, 7 insertions(+)
diff --git a/rules/openssl.in b/rules/openssl.in
index 629ee3057..4c00e1e05 100644
--- a/rules/openssl.in
+++ b/rules/openssl.in
@@ -35,4 +35,10 @@ config OPENSSL_CRYPTODEV
help
Enable the BSD cryptodev engine even if we are not using BSD.
+config OPENSSL_KTLS
+ bool
+ prompt "enable OpenSSL kTLS support"
+ help
+ Whether to build OpenSSL with kTLS support.
+
endif
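Review bot: the new OPENSSL_KTLS option has no Kconfig dependency and its help text says nothing about the kernel side; an OpenSSL built with enable-ktls only takes the kernel path when the target kernel provides the TLS ULP (CONFIG_TLS) and the application opts in with SSL_OP_ENABLE_KTLS, otherwise it falls back to userspace record processing without any error. Suggest extending the help text, e.g. "Whether to build OpenSSL with kTLS support. Requires a target kernel with CONFIG_TLS and applications that set SSL_OP_ENABLE_KTLS."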
diff --git a/rules/openssl.make b/rules/openssl.make
index 6e7111c70..bc1322725 100644
--- a/rules/openssl.make
+++ b/rules/openssl.make
@@ -67,6 +67,7 @@ OPENSSL_CONF_OPT := \
--openssldir=/usr/lib/ssl \
shared \
$(call ptx/ifdef, PTXCONF_OPENSSL_CRYPTODEV, enable-devcryptoeng, no-devcryptoeng) \
+ $(call ptx/ifdef, PTXCONF_OPENSSL_KTLS, enable-ktls, no-ktls) \
no-idea \
no-mdc2 \
no-rc5 \
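Review bot: enable-ktls makes OpenSSL's Configure probe the cross toolchain for kernel TLS headers (the `$config{CROSS_COMPILE}.$config{CC}` check visible in the refreshed 0003 patch), so what a selected PTXCONF_OPENSSL_KTLS produces on a sysroot with old kernel headers depends on that probe and on the local 0003 patch ("allow to enable ktls if target does not st..."). Since the option is now user-visible, the commit message or help text should state whether a failed probe aborts the build or silently drops the feature.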
--
2.43.0
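As an added example (not code from the ptxdist series or from OpenSSL), the following script diagnoses on a target whether a build made with the new PTXCONF_OPENSSL_KTLS option can actually use kTLS, since the Kconfig option alone does not guarantee the kernel side is present. It assumes that `openssl list -disabled` names the feature KTLS and that the target kernel exposes /proc/config.gz; all sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not part of the ptxdist series or of OpenSSL: diagnoses on a
# Linux target whether an OpenSSL built with PTXCONF_OPENSSL_KTLS=y can really
# hand TLS records to the kernel. The Kconfig option only controls the
# OpenSSL build; without the kernel TLS ULP (CONFIG_TLS) OpenSSL falls back to
# userspace record processing without any error. All sample inputs below are
# constructed for offline use.

# Output of `openssl list -disabled` for a build configured with no-ktls
# (constructed; that the feature is listed under the name KTLS is assumed).
SAMPLE_DISABLED_NOKTLS='Disabled:
IDEA
KTLS
MDC2
RC5'

# The same command for a build configured with enable-ktls (constructed).
SAMPLE_DISABLED_KTLS='Disabled:
IDEA
MDC2
RC5'

# Fragments of a decompressed /proc/config.gz (constructed).
SAMPLE_CONFIG_TLS_M='CONFIG_NET=y
CONFIG_TLS=m
CONFIG_TLS_DEVICE=y'
SAMPLE_CONFIG_TLS_N='CONFIG_NET=y
# CONFIG_TLS is not set'

# Build-time check: succeed unless KTLS is listed as a disabled feature.
# $1: captured output of `openssl list -disabled`.
openssl_ktls_built() {
    ! printf '%s\n' "$1" | grep -qx 'KTLS'
}

# Kernel check: the TLS ULP must be built in (y) or a loadable module (m).
# $1: kernel configuration text.
kernel_tls_configured() {
    printf '%s\n' "$1" | grep -qE '^CONFIG_TLS=(y|m)$'
}

# Combine both into a single verdict on stdout:
#   ok               build and kernel both provide kTLS
#   openssl-no-ktls  OpenSSL was configured with no-ktls
#   kernel-missing   OpenSSL has kTLS, but the kernel has no TLS ULP
ktls_verdict() {
    if ! openssl_ktls_built "$1"; then
        echo openssl-no-ktls
    elif ! kernel_tls_configured "$2"; then
        echo kernel-missing
    else
        echo ok
    fi
}

# Live check on a real target. Uses /proc/config.gz when the kernel exposes
# it and otherwise falls back to the loaded-module list (a built-in TLS ULP is
# then reported as missing, so prefer CONFIG_IKCONFIG_PROC on the target).
ktls_check_live() {
    command -v openssl >/dev/null 2>&1 || { echo openssl-not-found; return 1; }
    disabled=$(openssl list -disabled 2>/dev/null)
    if [ -r /proc/config.gz ]; then
        cfg=$(gzip -dc /proc/config.gz)
    elif grep -q '^tls ' /proc/modules 2>/dev/null; then
        cfg='CONFIG_TLS=m'
    else
        cfg=''
    fi
    ktls_verdict "$disabled" "$cfg"
}
```

Even with an `ok` verdict an application still has to opt in per context with SSL_OP_ENABLE_KTLS, which OpenSSL does not set by default.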
* [ptxdist] [PATCH 3/3] openssl: add kTLS receive fix
From: Steffen Trumtrar @ 2024-01-22 8:48 UTC (permalink / raw)
To: ptxdist
Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
---
...-max_frag_len-checking-if-no-Max-Fragment.patch | 41 ++++++++++++++++++++++
patches/openssl-3.2.0/series | 3 +-
2 files changed, 43 insertions(+), 1 deletion(-)
diff --git a/patches/openssl-3.2.0/0006-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch b/patches/openssl-3.2.0/0006-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
new file mode 100644
index 000000000..814bd07be
--- /dev/null
+++ b/patches/openssl-3.2.0/0006-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
@@ -0,0 +1,41 @@
+From: Matt Caswell <matt@openssl.org>
+Date: Tue, 2 Jan 2024 16:48:43 +0000
+Subject: [PATCH] Don't apply max_frag_len checking if no Max Fragment Length
+ extension
+
+Don't check the Max Fragment Length if the it hasn't been negotiated. We
+were checking it anyway, and using the default value
+(SSL3_RT_MAX_PLAIN_LENGTH). This works in most cases but KTLS can cause the
+record length to actually exceed this in some cases.
+
+Fixes #23169
+---
+ ssl/record/methods/tls_common.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c
+index 423777c18dd4..1a9320ae74de 100644
+--- a/ssl/record/methods/tls_common.c
++++ b/ssl/record/methods/tls_common.c
+@@ -910,11 +910,17 @@ int tls_get_more_records(OSSL_RECORD_LAYER *rl)
+ }
+
+ /*
+- * Check if the received packet overflows the current
+- * Max Fragment Length setting.
+- * Note: rl->max_frag_len > 0 and KTLS are mutually exclusive.
++ * Record overflow checking (e.g. checking if
++ * thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH) is the responsibility of
++ * the post_process_record() function above. However we check here if
++ * the received packet overflows the current Max Fragment Length setting
++ * if there is one.
++ * Note: rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH and KTLS are
++ * mutually exclusive. Also note that with KTLS thisrr->length can
++ * be > SSL3_RT_MAX_PLAIN_LENGTH (and rl->max_frag_len must be ignored)
+ */
+- if (thisrr->length > rl->max_frag_len) {
++ if (rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH
++ && thisrr->length > rl->max_frag_len) {
+ RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
+ goto end;
+ }
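Review bot: the commit message gives no upstream reference for this backport beyond the embedded "Fixes #23169"; since the change is already in OpenSSL master (as the thread later confirms), record the upstream commit id and the release it is expected in, so the patch can be dropped at the next version bump. On the change itself: the new condition skips the MFL check whenever rl->max_frag_len equals SSL3_RT_MAX_PLAIN_LENGTH, which only means "no Max Fragment Length extension negotiated" if the record layer initialises max_frag_len to that default (the replaced comment spoke of `rl->max_frag_len > 0`, a different convention), and the hard record-size cap then rests entirely on post_process_record(); both are worth confirming in the 3.2.0 sources before carrying the patch.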
diff --git a/patches/openssl-3.2.0/series b/patches/openssl-3.2.0/series
index d655cfc02..75c75e0cf 100644
--- a/patches/openssl-3.2.0/series
+++ b/patches/openssl-3.2.0/series
@@ -5,4 +5,5 @@
0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
0004-conf-Serialize-allocation-free-of-ssl_names.patch
0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
-# c935d671c5de74f0dec935f1f45438cc - git-ptx-patches magic
+0006-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
+# 224889bac59e4b20f72cdb177f2d29c8 - git-ptx-patches magic
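Review bot: the backport is appended as 0006 in the same numbered run as the ptxdist-local patches 0001-0005, which hides at the next version bump which entries are upstream fixes that can simply be dropped; git-ptx-patches supports separate sections, so placing it under its own #tag with a distinct start number (for example an upstream section starting at 100) keeps that distinction visible in the series file.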
--
2.43.0
* Re: [ptxdist] [PATCH 3/3] openssl: add kTLS receive fix
From: Michael Olbrich @ 2024-01-22 10:24 UTC (permalink / raw)
To: Steffen Trumtrar; +Cc: ptxdist
On Mon, Jan 22, 2024 at 09:48:26AM +0100, Steffen Trumtrar wrote:
> Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
What's the upstream status of this patch?
Michael
> ---
> ...-max_frag_len-checking-if-no-Max-Fragment.patch | 41 ++++++++++++++++++++++
> patches/openssl-3.2.0/series | 3 +-
> 2 files changed, 43 insertions(+), 1 deletion(-)
>
> diff --git a/patches/openssl-3.2.0/0006-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch b/patches/openssl-3.2.0/0006-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
> new file mode 100644
> index 000000000..814bd07be
> --- /dev/null
> +++ b/patches/openssl-3.2.0/0006-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
> @@ -0,0 +1,41 @@
> +From: Matt Caswell <matt@openssl.org>
> +Date: Tue, 2 Jan 2024 16:48:43 +0000
> +Subject: [PATCH] Don't apply max_frag_len checking if no Max Fragment Length
> + extension
> +
> +Don't check the Max Fragment Length if the it hasn't been negotiated. We
> +were checking it anyway, and using the default value
> +(SSL3_RT_MAX_PLAIN_LENGTH). This works in most cases but KTLS can cause the
> +record length to actually exceed this in some cases.
> +
> +Fixes #23169
> +---
> + ssl/record/methods/tls_common.c | 14 ++++++++++----
> + 1 file changed, 10 insertions(+), 4 deletions(-)
> +
> +diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c
> +index 423777c18dd4..1a9320ae74de 100644
> +--- a/ssl/record/methods/tls_common.c
> ++++ b/ssl/record/methods/tls_common.c
> +@@ -910,11 +910,17 @@ int tls_get_more_records(OSSL_RECORD_LAYER *rl)
> + }
> +
> + /*
> +- * Check if the received packet overflows the current
> +- * Max Fragment Length setting.
> +- * Note: rl->max_frag_len > 0 and KTLS are mutually exclusive.
> ++ * Record overflow checking (e.g. checking if
> ++ * thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH) is the responsibility of
> ++ * the post_process_record() function above. However we check here if
> ++ * the received packet overflows the current Max Fragment Length setting
> ++ * if there is one.
> ++ * Note: rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH and KTLS are
> ++ * mutually exclusive. Also note that with KTLS thisrr->length can
> ++ * be > SSL3_RT_MAX_PLAIN_LENGTH (and rl->max_frag_len must be ignored)
> + */
> +- if (thisrr->length > rl->max_frag_len) {
> ++ if (rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH
> ++ && thisrr->length > rl->max_frag_len) {
> + RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
> + goto end;
> + }
> diff --git a/patches/openssl-3.2.0/series b/patches/openssl-3.2.0/series
> index d655cfc02..75c75e0cf 100644
> --- a/patches/openssl-3.2.0/series
> +++ b/patches/openssl-3.2.0/series
> @@ -5,4 +5,5 @@
> 0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
> 0004-conf-Serialize-allocation-free-of-ssl_names.patch
> 0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
> -# c935d671c5de74f0dec935f1f45438cc - git-ptx-patches magic
> +0006-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
> +# 224889bac59e4b20f72cdb177f2d29c8 - git-ptx-patches magic
>
> --
> 2.43.0
>
>
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
* Re: [ptxdist] [PATCH 3/3] openssl: add kTLS receive fix
From: Steffen Trumtrar @ 2024-01-22 12:02 UTC (permalink / raw)
To: Michael Olbrich; +Cc: ptxdist
On 2024-01-22 at 11:24 +01, Michael Olbrich <m.olbrich@pengutronix.de> wrote:
> On Mon, Jan 22, 2024 at 09:48:26AM +0100, Steffen Trumtrar wrote:
>> Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
>
> What's the upstream status of this patch?
>
The patch is in master. Should have added this to the description :(
Steffen
> Michael
>
>> ---
>> ...-max_frag_len-checking-if-no-Max-Fragment.patch | 41 ++++++++++++++++++++++
>> patches/openssl-3.2.0/series | 3 +-
>> 2 files changed, 43 insertions(+), 1 deletion(-)
>>
>> diff --git
>> a/patches/openssl-3.2.0/0006-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
>> b/patches/openssl-3.2.0/0006-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
>> new file mode 100644
>> index 000000000..814bd07be
>> --- /dev/null
>> +++ b/patches/openssl-3.2.0/0006-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
>> @@ -0,0 +1,41 @@
>> +From: Matt Caswell <matt@openssl.org>
>> +Date: Tue, 2 Jan 2024 16:48:43 +0000
>> +Subject: [PATCH] Don't apply max_frag_len checking if no Max Fragment Length
>> + extension
>> +
>> +Don't check the Max Fragment Length if the it hasn't been negotiated. We
>> +were checking it anyway, and using the default value
>> +(SSL3_RT_MAX_PLAIN_LENGTH). This works in most cases but KTLS can cause the
>> +record length to actually exceed this in some cases.
>> +
>> +Fixes #23169
>> +---
>> + ssl/record/methods/tls_common.c | 14 ++++++++++----
>> + 1 file changed, 10 insertions(+), 4 deletions(-)
>> +
>> +diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c
>> +index 423777c18dd4..1a9320ae74de 100644
>> +--- a/ssl/record/methods/tls_common.c
>> ++++ b/ssl/record/methods/tls_common.c
>> +@@ -910,11 +910,17 @@ int tls_get_more_records(OSSL_RECORD_LAYER *rl)
>> + }
>> +
>> + /*
>> +- * Check if the received packet overflows the current
>> +- * Max Fragment Length setting.
>> +- * Note: rl->max_frag_len > 0 and KTLS are mutually exclusive.
>> ++ * Record overflow checking (e.g. checking if
>> ++ * thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH) is the responsibility of
>> ++ * the post_process_record() function above. However we check here if
>> ++ * the received packet overflows the current Max Fragment Length setting
>> ++ * if there is one.
>> ++ * Note: rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH and KTLS are
>> ++ * mutually exclusive. Also note that with KTLS thisrr->length can
>> ++ * be > SSL3_RT_MAX_PLAIN_LENGTH (and rl->max_frag_len must be ignored)
>> + */
>> +- if (thisrr->length > rl->max_frag_len) {
>> ++ if (rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH
>> ++ && thisrr->length > rl->max_frag_len) {
>> + RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
>> + goto end;
>> + }
>> diff --git a/patches/openssl-3.2.0/series b/patches/openssl-3.2.0/series
>> index d655cfc02..75c75e0cf 100644
>> --- a/patches/openssl-3.2.0/series
>> +++ b/patches/openssl-3.2.0/series
>> @@ -5,4 +5,5 @@
>> 0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
>> 0004-conf-Serialize-allocation-free-of-ssl_names.patch
>> 0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
>> -# c935d671c5de74f0dec935f1f45438cc - git-ptx-patches magic
>> +0006-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
>> +# 224889bac59e4b20f72cdb177f2d29c8 - git-ptx-patches magic
>>
>> --
>> 2.43.0
>>
>>
>>
--
Pengutronix e.K. | Dipl.-Inform. Steffen Trumtrar |
Steuerwalder Str. 21 | https://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686| Fax: +49-5121-206917-5555 |
* Re: [ptxdist] [APPLIED] openssl: Version bump. 3.1.4 -> 3.2.0
From: Michael Olbrich @ 2024-02-08 16:02 UTC (permalink / raw)
To: ptxdist; +Cc: Steffen Trumtrar
Thanks, applied as 6aeb9adc04a4c44b7cc59567e21de1f870827e42.
Michael
[sent from post-receive hook]
On Thu, 08 Feb 2024 17:02:55 +0100, Steffen Trumtrar <s.trumtrar@pengutronix.de> wrote:
> Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
> Message-Id: <20240122-v2024-01-0-topic-openssl-v1-1-88a1234c0fd2@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
>
> diff --git a/patches/openssl-3.1.4/0001-debian-targets.patch b/patches/openssl-3.2.0/0001-debian-targets.patch
> similarity index 100%
> rename from patches/openssl-3.1.4/0001-debian-targets.patch
> rename to patches/openssl-3.2.0/0001-debian-targets.patch
> diff --git a/patches/openssl-3.1.4/0002-pic.patch b/patches/openssl-3.2.0/0002-pic.patch
> similarity index 100%
> rename from patches/openssl-3.1.4/0002-pic.patch
> rename to patches/openssl-3.2.0/0002-pic.patch
> diff --git a/patches/openssl-3.1.4/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch b/patches/openssl-3.2.0/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
> similarity index 92%
> rename from patches/openssl-3.1.4/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
> rename to patches/openssl-3.2.0/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
> index 60e2da3efec3..6275de7089d7 100644
> --- a/patches/openssl-3.1.4/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
> +++ b/patches/openssl-3.2.0/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
> @@ -28,10 +28,10 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
> -index aedfa370ca15..dfc3a431559a 100644
> +index d1a15a115274..d15d28499a21 100644
> --- a/Configurations/10-main.conf
> +++ b/Configurations/10-main.conf
> -@@ -700,7 +700,7 @@ my %targets = (
> +@@ -693,7 +693,7 @@ my %targets = (
> shared_target => "linux-shared",
> shared_cflag => "-fPIC",
> shared_ldflag => sub { $disabled{pinshared} ? () : "-Wl,-znodelete" },
> @@ -41,10 +41,10 @@ index aedfa370ca15..dfc3a431559a 100644
> "linux-latomic" => {
> inherit_from => [ "linux-generic32" ],
> diff --git a/Configure b/Configure
> -index 227e5daea228..e1531d59e517 100755
> +index cbba1749b5a3..a69068121949 100755
> --- a/Configure
> +++ b/Configure
> -@@ -1699,7 +1699,7 @@ unless ($disabled{devcryptoeng}) {
> +@@ -1765,7 +1765,7 @@ unless ($disabled{devcryptoeng}) {
> unless ($disabled{ktls}) {
> $config{ktls}="";
> my $cc = $config{CROSS_COMPILE}.$config{CC};
> diff --git a/patches/openssl-3.1.4/0004-conf-Serialize-allocation-free-of-ssl_names.patch b/patches/openssl-3.2.0/0004-conf-Serialize-allocation-free-of-ssl_names.patch
> similarity index 100%
> rename from patches/openssl-3.1.4/0004-conf-Serialize-allocation-free-of-ssl_names.patch
> rename to patches/openssl-3.2.0/0004-conf-Serialize-allocation-free-of-ssl_names.patch
> diff --git a/patches/openssl-3.1.4/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch b/patches/openssl-3.2.0/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
> similarity index 100%
> rename from patches/openssl-3.1.4/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
> rename to patches/openssl-3.2.0/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
> diff --git a/patches/openssl-3.1.4/series b/patches/openssl-3.2.0/series
> similarity index 100%
> rename from patches/openssl-3.1.4/series
> rename to patches/openssl-3.2.0/series
> diff --git a/rules/openssl.make b/rules/openssl.make
> index 4e03c95aab89..6e7111c70bab 100644
> --- a/rules/openssl.make
> +++ b/rules/openssl.make
> @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_OPENSSL) += openssl
> #
> # Paths and names
> #
> -OPENSSL_VERSION := 3.1.4
> -OPENSSL_MD5 := 653ad58812c751b887e8ec37e02bba70
> +OPENSSL_VERSION := 3.2.0
> +OPENSSL_MD5 := 7903549a14abebc5c323ce4e85f2cbb2
> OPENSSL := openssl-$(OPENSSL_VERSION)
> OPENSSL_SUFFIX := tar.gz
> OPENSSL_URL := \
* Re: [ptxdist] [APPLIED] openssl: configure kTLS
From: Michael Olbrich @ 2024-02-08 16:02 UTC (permalink / raw)
To: ptxdist; +Cc: Steffen Trumtrar
Thanks, applied as 9c104d243a4083448b53b5542654e561f5665b2a.
Michael
[sent from post-receive hook]
On Thu, 08 Feb 2024 17:02:56 +0100, Steffen Trumtrar <s.trumtrar@pengutronix.de> wrote:
> Since 3.0.0 OpenSSL can use kTLS. Allow configuring it.
>
> With kTLS enabled the Linux kernel can handle the TLS connection in
> kernel space and potentially offload to crypto/network hardware.
>
> Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
> Message-Id: <20240122-v2024-01-0-topic-openssl-v1-2-88a1234c0fd2@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
>
> diff --git a/rules/openssl.in b/rules/openssl.in
> index 629ee305726d..4c00e1e055e1 100644
> --- a/rules/openssl.in
> +++ b/rules/openssl.in
> @@ -35,4 +35,10 @@ config OPENSSL_CRYPTODEV
> help
> Enable the BSD cryptodev engine even if we are not using BSD.
>
> +config OPENSSL_KTLS
> + bool
> + prompt "enable OpenSSL kTLS support"
> + help
> + Whether to build OpenSSL with kTLS support.
> +
> endif
> diff --git a/rules/openssl.make b/rules/openssl.make
> index 6e7111c70bab..bc1322725260 100644
> --- a/rules/openssl.make
> +++ b/rules/openssl.make
> @@ -67,6 +67,7 @@ OPENSSL_CONF_OPT := \
> --openssldir=/usr/lib/ssl \
> shared \
> $(call ptx/ifdef, PTXCONF_OPENSSL_CRYPTODEV, enable-devcryptoeng, no-devcryptoeng) \
> + $(call ptx/ifdef, PTXCONF_OPENSSL_KTLS, enable-ktls, no-ktls) \
> no-idea \
> no-mdc2 \
> no-rc5 \
* Re: [ptxdist] [APPLIED] openssl: add kTLS receive fix
From: Michael Olbrich @ 2024-02-08 16:02 UTC (permalink / raw)
To: ptxdist; +Cc: Steffen Trumtrar
Thanks, applied as 7795bf2fb5dc78944132b3da0d5f6309aaae7b44.
Michael
[sent from post-receive hook]
On Thu, 08 Feb 2024 17:02:56 +0100, Steffen Trumtrar <s.trumtrar@pengutronix.de> wrote:
> Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
> Message-Id: <20240122-v2024-01-0-topic-openssl-v1-3-88a1234c0fd2@pengutronix.de>
> [mol: put new patch into a new section]
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
>
> diff --git a/patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch b/patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
> new file mode 100644
> index 000000000000..814bd07bec63
> --- /dev/null
> +++ b/patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
> @@ -0,0 +1,41 @@
> +From: Matt Caswell <matt@openssl.org>
> +Date: Tue, 2 Jan 2024 16:48:43 +0000
> +Subject: [PATCH] Don't apply max_frag_len checking if no Max Fragment Length
> + extension
> +
> +Don't check the Max Fragment Length if the it hasn't been negotiated. We
> +were checking it anyway, and using the default value
> +(SSL3_RT_MAX_PLAIN_LENGTH). This works in most cases but KTLS can cause the
> +record length to actually exceed this in some cases.
> +
> +Fixes #23169
> +---
> + ssl/record/methods/tls_common.c | 14 ++++++++++----
> + 1 file changed, 10 insertions(+), 4 deletions(-)
> +
> +diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c
> +index 423777c18dd4..1a9320ae74de 100644
> +--- a/ssl/record/methods/tls_common.c
> ++++ b/ssl/record/methods/tls_common.c
> +@@ -910,11 +910,17 @@ int tls_get_more_records(OSSL_RECORD_LAYER *rl)
> + }
> +
> + /*
> +- * Check if the received packet overflows the current
> +- * Max Fragment Length setting.
> +- * Note: rl->max_frag_len > 0 and KTLS are mutually exclusive.
> ++ * Record overflow checking (e.g. checking if
> ++ * thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH) is the responsibility of
> ++ * the post_process_record() function above. However we check here if
> ++ * the received packet overflows the current Max Fragment Length setting
> ++ * if there is one.
> ++ * Note: rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH and KTLS are
> ++ * mutually exclusive. Also note that with KTLS thisrr->length can
> ++ * be > SSL3_RT_MAX_PLAIN_LENGTH (and rl->max_frag_len must be ignored)
> + */
> +- if (thisrr->length > rl->max_frag_len) {
> ++ if (rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH
> ++ && thisrr->length > rl->max_frag_len) {
> + RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
> + goto end;
> + }
> diff --git a/patches/openssl-3.2.0/series b/patches/openssl-3.2.0/series
> index d655cfc0212e..309ec1465b5e 100644
> --- a/patches/openssl-3.2.0/series
> +++ b/patches/openssl-3.2.0/series
> @@ -1,8 +1,11 @@
> # generated by git-ptx-patches
> #tag:base --start-number 1
> +#tag:debian --start-number 1
> 0001-debian-targets.patch
> 0002-pic.patch
> 0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
> 0004-conf-Serialize-allocation-free-of-ssl_names.patch
> 0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
> -# c935d671c5de74f0dec935f1f45438cc - git-ptx-patches magic
> +#tag:upstream --start-number 100
> +0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
> +# d6f307e5d2ef578b08c895257daa6fbc - git-ptx-patches magic