mailarchive of the ptxdist mailing list
* [ptxdist] [PATCH 0/3] openssl: update to 3.2.0, make kTLS configurable
@ 2024-01-22  8:48 Steffen Trumtrar
  2024-01-22  8:48 ` [ptxdist] [PATCH 1/3] openssl: Version bump. 3.1.4 -> 3.2.0 Steffen Trumtrar
                   ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Steffen Trumtrar @ 2024-01-22  8:48 UTC (permalink / raw)
  To: ptxdist

This series updates OpenSSL to 3.2.0 and makes kTLS configurable.
As OpenSSL has a bug on the kTLS receive side, add the upstream patch that
fixes this.

Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
---
Steffen Trumtrar (3):
      openssl: Version bump. 3.1.4 -> 3.2.0
      openssl: configure kTLS
      openssl: add kTLS receive fix

 .../0001-debian-targets.patch                      |  0
 .../0002-pic.patch                                 |  0
 ...llow-to-enable-ktls-if-target-does-not-st.patch |  8 ++---
 ...nf-Serialize-allocation-free-of-ssl_names.patch |  0
 ...rop-fzero-call-used-regs-used-gpr-from-De.patch |  0
 ...-max_frag_len-checking-if-no-Max-Fragment.patch | 41 ++++++++++++++++++++++
 patches/{openssl-3.1.4 => openssl-3.2.0}/series    |  3 +-
 rules/openssl.in                                   |  6 ++++
 rules/openssl.make                                 |  5 +--
 9 files changed, 56 insertions(+), 7 deletions(-)
---
base-commit: 6c8952685f05b011c21dec645d990bad4776e6a4
change-id: 20240122-v2024-01-0-topic-openssl-0eb590f8d942

Best regards,
-- 
Steffen Trumtrar <s.trumtrar@pengutronix.de>





* [ptxdist] [PATCH 1/3] openssl: Version bump. 3.1.4 -> 3.2.0
  2024-01-22  8:48 [ptxdist] [PATCH 0/3] openssl: update to 3.2.0, make kTLS configurable Steffen Trumtrar
@ 2024-01-22  8:48 ` Steffen Trumtrar
  2024-02-08 16:02   ` [ptxdist] [APPLIED] " Michael Olbrich
  2024-01-22  8:48 ` [ptxdist] [PATCH 2/3] openssl: configure kTLS Steffen Trumtrar
  2024-01-22  8:48 ` [ptxdist] [PATCH 3/3] openssl: add kTLS receive fix Steffen Trumtrar
  2 siblings, 1 reply; 9+ messages in thread
From: Steffen Trumtrar @ 2024-01-22  8:48 UTC (permalink / raw)
  To: ptxdist

Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
---
 .../{openssl-3.1.4 => openssl-3.2.0}/0001-debian-targets.patch    | 0
 patches/{openssl-3.1.4 => openssl-3.2.0}/0002-pic.patch           | 0
 ...003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch | 8 ++++----
 .../0004-conf-Serialize-allocation-free-of-ssl_names.patch        | 0
 ...005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch | 0
 patches/{openssl-3.1.4 => openssl-3.2.0}/series                   | 0
 rules/openssl.make                                                | 4 ++--
 7 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/patches/openssl-3.1.4/0001-debian-targets.patch b/patches/openssl-3.2.0/0001-debian-targets.patch
similarity index 100%
rename from patches/openssl-3.1.4/0001-debian-targets.patch
rename to patches/openssl-3.2.0/0001-debian-targets.patch
diff --git a/patches/openssl-3.1.4/0002-pic.patch b/patches/openssl-3.2.0/0002-pic.patch
similarity index 100%
rename from patches/openssl-3.1.4/0002-pic.patch
rename to patches/openssl-3.2.0/0002-pic.patch
diff --git a/patches/openssl-3.1.4/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch b/patches/openssl-3.2.0/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
similarity index 92%
rename from patches/openssl-3.1.4/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
rename to patches/openssl-3.2.0/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
index 60e2da3ef..6275de708 100644
--- a/patches/openssl-3.1.4/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
+++ b/patches/openssl-3.2.0/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
@@ -28,10 +28,10 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
  2 files changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
-index aedfa370ca15..dfc3a431559a 100644
+index d1a15a115274..d15d28499a21 100644
 --- a/Configurations/10-main.conf
 +++ b/Configurations/10-main.conf
-@@ -700,7 +700,7 @@ my %targets = (
+@@ -693,7 +693,7 @@ my %targets = (
          shared_target    => "linux-shared",
          shared_cflag     => "-fPIC",
          shared_ldflag    => sub { $disabled{pinshared} ? () : "-Wl,-znodelete" },
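
Review bot: only the carried patch's metadata changes here (`-index aedfa370ca15..dfc3a431559a` becomes `+index d1a15a115274..d15d28499a21`, `-@@ -700,7 +700,7 @@` becomes `+@@ -693,7 +693,7 @@`), the body of 0003 is untouched; the commit message does not say that 0003 was merely refreshed against 3.2.0, and one sentence to that effect would spare the next reader a diff of a diff.
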
@@ -41,10 +41,10 @@ index aedfa370ca15..dfc3a431559a 100644
      "linux-latomic" => {
          inherit_from     => [ "linux-generic32" ],
 diff --git a/Configure b/Configure
-index 227e5daea228..e1531d59e517 100755
+index cbba1749b5a3..a69068121949 100755
 --- a/Configure
 +++ b/Configure
-@@ -1699,7 +1699,7 @@ unless ($disabled{devcryptoeng}) {
+@@ -1765,7 +1765,7 @@ unless ($disabled{devcryptoeng}) {
  unless ($disabled{ktls}) {
      $config{ktls}="";
      my $cc = $config{CROSS_COMPILE}.$config{CC};
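
Review bot: the moved Configure hunk (1699 to 1765) keeps the same context, `unless ($disabled{ktls})` followed by the `CROSS_COMPILE` probe, so 3.2.0 still decides kTLS by compiling against the cross toolchain and patch 0003 is still needed; it would be worth stating in the message that this was verified rather than assumed, since a refreshed hunk that applies cleanly can still sit on changed logic.
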
diff --git a/patches/openssl-3.1.4/0004-conf-Serialize-allocation-free-of-ssl_names.patch b/patches/openssl-3.2.0/0004-conf-Serialize-allocation-free-of-ssl_names.patch
similarity index 100%
rename from patches/openssl-3.1.4/0004-conf-Serialize-allocation-free-of-ssl_names.patch
rename to patches/openssl-3.2.0/0004-conf-Serialize-allocation-free-of-ssl_names.patch
diff --git a/patches/openssl-3.1.4/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch b/patches/openssl-3.2.0/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
similarity index 100%
rename from patches/openssl-3.1.4/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
rename to patches/openssl-3.2.0/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
diff --git a/patches/openssl-3.1.4/series b/patches/openssl-3.2.0/series
similarity index 100%
rename from patches/openssl-3.1.4/series
rename to patches/openssl-3.2.0/series
diff --git a/rules/openssl.make b/rules/openssl.make
index 4e03c95aa..6e7111c70 100644
--- a/rules/openssl.make
+++ b/rules/openssl.make
@@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_OPENSSL) += openssl
 #
 # Paths and names
 #
-OPENSSL_VERSION	:= 3.1.4
-OPENSSL_MD5	:= 653ad58812c751b887e8ec37e02bba70
+OPENSSL_VERSION	:= 3.2.0
+OPENSSL_MD5	:= 7903549a14abebc5c323ce4e85f2cbb2
 OPENSSL		:= openssl-$(OPENSSL_VERSION)
 OPENSSL_SUFFIX	:= tar.gz
 OPENSSL_URL	:= \
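
Review bot: the new tarball is pinned by MD5 only (`+OPENSSL_MD5	:= 7903549a14abebc5c323ce4e85f2cbb2`); MD5 offers no collision resistance, so before this is merged the value should be cross-checked against the digest published on the upstream release page (the SHA256 there is the reference), and the commit message could record where the hash was taken from.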

-- 
2.43.0





* [ptxdist] [PATCH 2/3] openssl: configure kTLS
  2024-01-22  8:48 [ptxdist] [PATCH 0/3] openssl: update to 3.2.0, make kTLS configurable Steffen Trumtrar
  2024-01-22  8:48 ` [ptxdist] [PATCH 1/3] openssl: Version bump. 3.1.4 -> 3.2.0 Steffen Trumtrar
@ 2024-01-22  8:48 ` Steffen Trumtrar
  2024-02-08 16:02   ` [ptxdist] [APPLIED] " Michael Olbrich
  2024-01-22  8:48 ` [ptxdist] [PATCH 3/3] openssl: add kTLS receive fix Steffen Trumtrar
  2 siblings, 1 reply; 9+ messages in thread
From: Steffen Trumtrar @ 2024-01-22  8:48 UTC (permalink / raw)
  To: ptxdist

Since 3.0.0, OpenSSL can use kTLS. Allow configuring it.

With kTLS enabled, the Linux kernel can handle the TLS connection in
kernel space and potentially offload it to crypto/network hardware.

Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
---
 rules/openssl.in   | 6 ++++++
 rules/openssl.make | 1 +
 2 files changed, 7 insertions(+)

diff --git a/rules/openssl.in b/rules/openssl.in
index 629ee3057..4c00e1e05 100644
--- a/rules/openssl.in
+++ b/rules/openssl.in
@@ -35,4 +35,10 @@ config OPENSSL_CRYPTODEV
 	help
 	  Enable the BSD cryptodev engine even if we are not using BSD.
 
+config OPENSSL_KTLS
+	bool
+	prompt "enable OpenSSL kTLS support"
+	help
+	  Whether to build OpenSSL with kTLS support.
+
 endif
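
Review bot: the help text `Whether to build OpenSSL with kTLS support.` only repeats the prompt; it should tell the user what the option depends on at runtime: the target kernel must provide the TLS upper-layer protocol (CONFIG_TLS), and without it OpenSSL quietly keeps doing record processing in user space, so switching this on does not by itself guarantee kernel offload. The kTLS receive fix carried as patch 3/3 would also be worth a mention here, since a user enabling this option is the one affected by it.
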
diff --git a/rules/openssl.make b/rules/openssl.make
index 6e7111c70..bc1322725 100644
--- a/rules/openssl.make
+++ b/rules/openssl.make
@@ -67,6 +67,7 @@ OPENSSL_CONF_OPT := \
 	--openssldir=/usr/lib/ssl \
 	shared \
 	$(call ptx/ifdef, PTXCONF_OPENSSL_CRYPTODEV, enable-devcryptoeng, no-devcryptoeng) \
+	$(call ptx/ifdef, PTXCONF_OPENSSL_KTLS, enable-ktls, no-ktls) \
 	no-idea \
 	no-mdc2 \
 	no-rc5 \
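
Review bot: passing `no-ktls` explicitly in the disabled branch is right, because OpenSSL's Configure otherwise decides on its own (the `unless ($disabled{ktls})` block with the `CROSS_COMPILE` probe, visible in the 0003 context in patch 1/3), and the build should follow PTXCONF_OPENSSL_KTLS rather than the toolchain sysroot. The reverse case deserves a note in the rule or the Kconfig help: even with `enable-ktls` that probe can disable kTLS again when the sysroot headers are too old, so a check of the configure output that kTLS really ended up enabled is advisable.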

-- 
2.43.0





* [ptxdist] [PATCH 3/3] openssl: add kTLS receive fix
  2024-01-22  8:48 [ptxdist] [PATCH 0/3] openssl: update to 3.2.0, make kTLS configurable Steffen Trumtrar
  2024-01-22  8:48 ` [ptxdist] [PATCH 1/3] openssl: Version bump. 3.1.4 -> 3.2.0 Steffen Trumtrar
  2024-01-22  8:48 ` [ptxdist] [PATCH 2/3] openssl: configure kTLS Steffen Trumtrar
@ 2024-01-22  8:48 ` Steffen Trumtrar
  2024-01-22 10:24   ` Michael Olbrich
  2024-02-08 16:02   ` [ptxdist] [APPLIED] " Michael Olbrich
  2 siblings, 2 replies; 9+ messages in thread
From: Steffen Trumtrar @ 2024-01-22  8:48 UTC (permalink / raw)
  To: ptxdist

Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
---
 ...-max_frag_len-checking-if-no-Max-Fragment.patch | 41 ++++++++++++++++++++++
 patches/openssl-3.2.0/series                       |  3 +-
 2 files changed, 43 insertions(+), 1 deletion(-)

diff --git a/patches/openssl-3.2.0/0006-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch b/patches/openssl-3.2.0/0006-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
new file mode 100644
index 000000000..814bd07be
--- /dev/null
+++ b/patches/openssl-3.2.0/0006-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
@@ -0,0 +1,41 @@
+From: Matt Caswell <matt@openssl.org>
+Date: Tue, 2 Jan 2024 16:48:43 +0000
+Subject: [PATCH] Don't apply max_frag_len checking if no Max Fragment Length
+ extension
+
+Don't check the Max Fragment Length if the it hasn't been negotiated. We
+were checking it anyway, and using the default value
+(SSL3_RT_MAX_PLAIN_LENGTH). This works in most cases but KTLS can cause the
+record length to actually exceed this in some cases.
+
+Fixes #23169
+---
+ ssl/record/methods/tls_common.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c
+index 423777c18dd4..1a9320ae74de 100644
+--- a/ssl/record/methods/tls_common.c
++++ b/ssl/record/methods/tls_common.c
+@@ -910,11 +910,17 @@ int tls_get_more_records(OSSL_RECORD_LAYER *rl)
+         }
+ 
+         /*
+-         * Check if the received packet overflows the current
+-         * Max Fragment Length setting.
+-         * Note: rl->max_frag_len > 0 and KTLS are mutually exclusive.
++         * Record overflow checking (e.g. checking if
++         * thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH) is the responsibility of
++         * the post_process_record() function above. However we check here if
++         * the received packet overflows the current Max Fragment Length setting
++         * if there is one.
++         * Note: rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH and KTLS are
++         * mutually exclusive. Also note that with KTLS thisrr->length can
++         * be > SSL3_RT_MAX_PLAIN_LENGTH (and rl->max_frag_len must be ignored)
+          */
+-        if (thisrr->length > rl->max_frag_len) {
++        if (rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH
++                && thisrr->length > rl->max_frag_len) {
+             RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
+             goto end;
+         }
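
Review bot: the patch header gives `Fixes #23169` but no upstream commit id or Upstream-Status line, so the file itself does not say whether this is merged in openssl/openssl or still pending; add the commit reference to the header (and to the ptxdist commit message) so the patch can be dropped at the next version bump. On the logic: the new condition `rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH && thisrr->length > rl->max_frag_len` uses the default value as the marker for "no Max Fragment Length negotiated", which is safe only because every negotiable MFL value (512 to 4096 bytes) is smaller than SSL3_RT_MAX_PLAIN_LENGTH; the comment states that the general overflow check (`thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH`) now lives solely in post_process_record(), and that is the claim to verify in the 3.2.0 tree, since it is what keeps SSL_AD_RECORD_OVERFLOW alerts intact for non-kTLS connections.
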
diff --git a/patches/openssl-3.2.0/series b/patches/openssl-3.2.0/series
index d655cfc02..75c75e0cf 100644
--- a/patches/openssl-3.2.0/series
+++ b/patches/openssl-3.2.0/series
@@ -5,4 +5,5 @@
 0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
 0004-conf-Serialize-allocation-free-of-ssl_names.patch
 0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
-# c935d671c5de74f0dec935f1f45438cc  - git-ptx-patches magic
+0006-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
+# 224889bac59e4b20f72cdb177f2d29c8  - git-ptx-patches magic
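
Review bot: the upstream backport is appended as 0006 in the same numbering block as the ptxdist-local patches 0001-0005, so nothing in the series distinguishes "carried until the next release" from "ours for good"; a separate git-ptx-patches tag section for upstream backports (with its own start number) would make that visible and simplify dropping the patch after the next version bump.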

-- 
2.43.0





* Re: [ptxdist] [PATCH 3/3] openssl: add kTLS receive fix
  2024-01-22  8:48 ` [ptxdist] [PATCH 3/3] openssl: add kTLS receive fix Steffen Trumtrar
@ 2024-01-22 10:24   ` Michael Olbrich
  2024-01-22 12:02     ` Steffen Trumtrar
  2024-02-08 16:02   ` [ptxdist] [APPLIED] " Michael Olbrich
  1 sibling, 1 reply; 9+ messages in thread
From: Michael Olbrich @ 2024-01-22 10:24 UTC (permalink / raw)
  To: Steffen Trumtrar; +Cc: ptxdist

On Mon, Jan 22, 2024 at 09:48:26AM +0100, Steffen Trumtrar wrote:
> Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>

What's the upstream status of this patch?

Michael

> ---
>  ...-max_frag_len-checking-if-no-Max-Fragment.patch | 41 ++++++++++++++++++++++
>  patches/openssl-3.2.0/series                       |  3 +-
>  2 files changed, 43 insertions(+), 1 deletion(-)
> 
> diff --git a/patches/openssl-3.2.0/0006-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch b/patches/openssl-3.2.0/0006-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
> new file mode 100644
> index 000000000..814bd07be
> --- /dev/null
> +++ b/patches/openssl-3.2.0/0006-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
> @@ -0,0 +1,41 @@
> +From: Matt Caswell <matt@openssl.org>
> +Date: Tue, 2 Jan 2024 16:48:43 +0000
> +Subject: [PATCH] Don't apply max_frag_len checking if no Max Fragment Length
> + extension
> +
> +Don't check the Max Fragment Length if the it hasn't been negotiated. We
> +were checking it anyway, and using the default value
> +(SSL3_RT_MAX_PLAIN_LENGTH). This works in most cases but KTLS can cause the
> +record length to actually exceed this in some cases.
> +
> +Fixes #23169
> +---
> + ssl/record/methods/tls_common.c | 14 ++++++++++----
> + 1 file changed, 10 insertions(+), 4 deletions(-)
> +
> +diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c
> +index 423777c18dd4..1a9320ae74de 100644
> +--- a/ssl/record/methods/tls_common.c
> ++++ b/ssl/record/methods/tls_common.c
> +@@ -910,11 +910,17 @@ int tls_get_more_records(OSSL_RECORD_LAYER *rl)
> +         }
> + 
> +         /*
> +-         * Check if the received packet overflows the current
> +-         * Max Fragment Length setting.
> +-         * Note: rl->max_frag_len > 0 and KTLS are mutually exclusive.
> ++         * Record overflow checking (e.g. checking if
> ++         * thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH) is the responsibility of
> ++         * the post_process_record() function above. However we check here if
> ++         * the received packet overflows the current Max Fragment Length setting
> ++         * if there is one.
> ++         * Note: rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH and KTLS are
> ++         * mutually exclusive. Also note that with KTLS thisrr->length can
> ++         * be > SSL3_RT_MAX_PLAIN_LENGTH (and rl->max_frag_len must be ignored)
> +          */
> +-        if (thisrr->length > rl->max_frag_len) {
> ++        if (rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH
> ++                && thisrr->length > rl->max_frag_len) {
> +             RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
> +             goto end;
> +         }
> diff --git a/patches/openssl-3.2.0/series b/patches/openssl-3.2.0/series
> index d655cfc02..75c75e0cf 100644
> --- a/patches/openssl-3.2.0/series
> +++ b/patches/openssl-3.2.0/series
> @@ -5,4 +5,5 @@
>  0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
>  0004-conf-Serialize-allocation-free-of-ssl_names.patch
>  0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
> -# c935d671c5de74f0dec935f1f45438cc  - git-ptx-patches magic
> +0006-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
> +# 224889bac59e4b20f72cdb177f2d29c8  - git-ptx-patches magic
> 
> -- 
> 2.43.0
> 
> 
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |




* Re: [ptxdist] [PATCH 3/3] openssl: add kTLS receive fix
  2024-01-22 10:24   ` Michael Olbrich
@ 2024-01-22 12:02     ` Steffen Trumtrar
  0 siblings, 0 replies; 9+ messages in thread
From: Steffen Trumtrar @ 2024-01-22 12:02 UTC (permalink / raw)
  To: Michael Olbrich; +Cc: ptxdist


On 2024-01-22 at 11:24 +01, Michael Olbrich <m.olbrich@pengutronix.de> wrote:

> On Mon, Jan 22, 2024 at 09:48:26AM +0100, Steffen Trumtrar wrote:
>> Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
>
> What's the upstream status of this patch?
>

The patch is in master. Should have added this to the description :(

Steffen

> Michael
>
>> ---
>>  ...-max_frag_len-checking-if-no-Max-Fragment.patch | 41 ++++++++++++++++++++++
>>  patches/openssl-3.2.0/series                       |  3 +-
>>  2 files changed, 43 insertions(+), 1 deletion(-)
>>
>> diff --git
>> a/patches/openssl-3.2.0/0006-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
>> b/patches/openssl-3.2.0/0006-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
>> new file mode 100644
>> index 000000000..814bd07be
>> --- /dev/null
>> +++ b/patches/openssl-3.2.0/0006-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
>> @@ -0,0 +1,41 @@
>> +From: Matt Caswell <matt@openssl.org>
>> +Date: Tue, 2 Jan 2024 16:48:43 +0000
>> +Subject: [PATCH] Don't apply max_frag_len checking if no Max Fragment Length
>> + extension
>> +
>> +Don't check the Max Fragment Length if the it hasn't been negotiated. We
>> +were checking it anyway, and using the default value
>> +(SSL3_RT_MAX_PLAIN_LENGTH). This works in most cases but KTLS can cause the
>> +record length to actually exceed this in some cases.
>> +
>> +Fixes #23169
>> +---
>> + ssl/record/methods/tls_common.c | 14 ++++++++++----
>> + 1 file changed, 10 insertions(+), 4 deletions(-)
>> +
>> +diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c
>> +index 423777c18dd4..1a9320ae74de 100644
>> +--- a/ssl/record/methods/tls_common.c
>> ++++ b/ssl/record/methods/tls_common.c
>> +@@ -910,11 +910,17 @@ int tls_get_more_records(OSSL_RECORD_LAYER *rl)
>> +         }
>> +
>> +         /*
>> +-         * Check if the received packet overflows the current
>> +-         * Max Fragment Length setting.
>> +-         * Note: rl->max_frag_len > 0 and KTLS are mutually exclusive.
>> ++         * Record overflow checking (e.g. checking if
>> ++         * thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH) is the responsibility of
>> ++         * the post_process_record() function above. However we check here if
>> ++         * the received packet overflows the current Max Fragment Length setting
>> ++         * if there is one.
>> ++         * Note: rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH and KTLS are
>> ++         * mutually exclusive. Also note that with KTLS thisrr->length can
>> ++         * be > SSL3_RT_MAX_PLAIN_LENGTH (and rl->max_frag_len must be ignored)
>> +          */
>> +-        if (thisrr->length > rl->max_frag_len) {
>> ++        if (rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH
>> ++                && thisrr->length > rl->max_frag_len) {
>> +             RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
>> +             goto end;
>> +         }
>> diff --git a/patches/openssl-3.2.0/series b/patches/openssl-3.2.0/series
>> index d655cfc02..75c75e0cf 100644
>> --- a/patches/openssl-3.2.0/series
>> +++ b/patches/openssl-3.2.0/series
>> @@ -5,4 +5,5 @@
>>  0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
>>  0004-conf-Serialize-allocation-free-of-ssl_names.patch
>>  0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
>> -# c935d671c5de74f0dec935f1f45438cc  - git-ptx-patches magic
>> +0006-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
>> +# 224889bac59e4b20f72cdb177f2d29c8  - git-ptx-patches magic
>>
>> --
>> 2.43.0
>>
>>
>>


--
Pengutronix e.K.                | Dipl.-Inform. Steffen Trumtrar |
Steuerwalder Str. 21            | https://www.pengutronix.de/    |
31137 Hildesheim, Germany       | Phone: +49-5121-206917-0       |
Amtsgericht Hildesheim, HRA 2686| Fax:   +49-5121-206917-5555    |




* Re: [ptxdist] [APPLIED] openssl: Version bump. 3.1.4 -> 3.2.0
  2024-01-22  8:48 ` [ptxdist] [PATCH 1/3] openssl: Version bump. 3.1.4 -> 3.2.0 Steffen Trumtrar
@ 2024-02-08 16:02   ` Michael Olbrich
  0 siblings, 0 replies; 9+ messages in thread
From: Michael Olbrich @ 2024-02-08 16:02 UTC (permalink / raw)
  To: ptxdist; +Cc: Steffen Trumtrar

Thanks, applied as 6aeb9adc04a4c44b7cc59567e21de1f870827e42.

Michael

[sent from post-receive hook]

On Thu, 08 Feb 2024 17:02:55 +0100, Steffen Trumtrar <s.trumtrar@pengutronix.de> wrote:
> Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
> Message-Id: <20240122-v2024-01-0-topic-openssl-v1-1-88a1234c0fd2@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/patches/openssl-3.1.4/0001-debian-targets.patch b/patches/openssl-3.2.0/0001-debian-targets.patch
> similarity index 100%
> rename from patches/openssl-3.1.4/0001-debian-targets.patch
> rename to patches/openssl-3.2.0/0001-debian-targets.patch
> diff --git a/patches/openssl-3.1.4/0002-pic.patch b/patches/openssl-3.2.0/0002-pic.patch
> similarity index 100%
> rename from patches/openssl-3.1.4/0002-pic.patch
> rename to patches/openssl-3.2.0/0002-pic.patch
> diff --git a/patches/openssl-3.1.4/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch b/patches/openssl-3.2.0/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
> similarity index 92%
> rename from patches/openssl-3.1.4/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
> rename to patches/openssl-3.2.0/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
> index 60e2da3efec3..6275de7089d7 100644
> --- a/patches/openssl-3.1.4/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
> +++ b/patches/openssl-3.2.0/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
> @@ -28,10 +28,10 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
>   2 files changed, 2 insertions(+), 2 deletions(-)
>  
>  diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
> -index aedfa370ca15..dfc3a431559a 100644
> +index d1a15a115274..d15d28499a21 100644
>  --- a/Configurations/10-main.conf
>  +++ b/Configurations/10-main.conf
> -@@ -700,7 +700,7 @@ my %targets = (
> +@@ -693,7 +693,7 @@ my %targets = (
>           shared_target    => "linux-shared",
>           shared_cflag     => "-fPIC",
>           shared_ldflag    => sub { $disabled{pinshared} ? () : "-Wl,-znodelete" },
> @@ -41,10 +41,10 @@ index aedfa370ca15..dfc3a431559a 100644
>       "linux-latomic" => {
>           inherit_from     => [ "linux-generic32" ],
>  diff --git a/Configure b/Configure
> -index 227e5daea228..e1531d59e517 100755
> +index cbba1749b5a3..a69068121949 100755
>  --- a/Configure
>  +++ b/Configure
> -@@ -1699,7 +1699,7 @@ unless ($disabled{devcryptoeng}) {
> +@@ -1765,7 +1765,7 @@ unless ($disabled{devcryptoeng}) {
>   unless ($disabled{ktls}) {
>       $config{ktls}="";
>       my $cc = $config{CROSS_COMPILE}.$config{CC};
> diff --git a/patches/openssl-3.1.4/0004-conf-Serialize-allocation-free-of-ssl_names.patch b/patches/openssl-3.2.0/0004-conf-Serialize-allocation-free-of-ssl_names.patch
> similarity index 100%
> rename from patches/openssl-3.1.4/0004-conf-Serialize-allocation-free-of-ssl_names.patch
> rename to patches/openssl-3.2.0/0004-conf-Serialize-allocation-free-of-ssl_names.patch
> diff --git a/patches/openssl-3.1.4/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch b/patches/openssl-3.2.0/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
> similarity index 100%
> rename from patches/openssl-3.1.4/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
> rename to patches/openssl-3.2.0/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
> diff --git a/patches/openssl-3.1.4/series b/patches/openssl-3.2.0/series
> similarity index 100%
> rename from patches/openssl-3.1.4/series
> rename to patches/openssl-3.2.0/series
> diff --git a/rules/openssl.make b/rules/openssl.make
> index 4e03c95aab89..6e7111c70bab 100644
> --- a/rules/openssl.make
> +++ b/rules/openssl.make
> @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_OPENSSL) += openssl
>  #
>  # Paths and names
>  #
> -OPENSSL_VERSION	:= 3.1.4
> -OPENSSL_MD5	:= 653ad58812c751b887e8ec37e02bba70
> +OPENSSL_VERSION	:= 3.2.0
> +OPENSSL_MD5	:= 7903549a14abebc5c323ce4e85f2cbb2
>  OPENSSL		:= openssl-$(OPENSSL_VERSION)
>  OPENSSL_SUFFIX	:= tar.gz
>  OPENSSL_URL	:= \




* Re: [ptxdist] [APPLIED] openssl: configure kTLS
  2024-01-22  8:48 ` [ptxdist] [PATCH 2/3] openssl: configure kTLS Steffen Trumtrar
@ 2024-02-08 16:02   ` Michael Olbrich
  0 siblings, 0 replies; 9+ messages in thread
From: Michael Olbrich @ 2024-02-08 16:02 UTC (permalink / raw)
  To: ptxdist; +Cc: Steffen Trumtrar

Thanks, applied as 9c104d243a4083448b53b5542654e561f5665b2a.

Michael

[sent from post-receive hook]

On Thu, 08 Feb 2024 17:02:56 +0100, Steffen Trumtrar <s.trumtrar@pengutronix.de> wrote:
> Since 3.0.0, OpenSSL can use kTLS. Allow configuring it.
> 
> With kTLS enabled, the Linux kernel can handle the TLS connection in
> kernel space and potentially offload it to crypto/network hardware.
> 
> Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
> Message-Id: <20240122-v2024-01-0-topic-openssl-v1-2-88a1234c0fd2@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/rules/openssl.in b/rules/openssl.in
> index 629ee305726d..4c00e1e055e1 100644
> --- a/rules/openssl.in
> +++ b/rules/openssl.in
> @@ -35,4 +35,10 @@ config OPENSSL_CRYPTODEV
>  	help
>  	  Enable the BSD cryptodev engine even if we are not using BSD.
>  
> +config OPENSSL_KTLS
> +	bool
> +	prompt "enable OpenSSL kTLS support"
> +	help
> +	  Whether to build OpenSSL with kTLS support.
> +
>  endif
> diff --git a/rules/openssl.make b/rules/openssl.make
> index 6e7111c70bab..bc1322725260 100644
> --- a/rules/openssl.make
> +++ b/rules/openssl.make
> @@ -67,6 +67,7 @@ OPENSSL_CONF_OPT := \
>  	--openssldir=/usr/lib/ssl \
>  	shared \
>  	$(call ptx/ifdef, PTXCONF_OPENSSL_CRYPTODEV, enable-devcryptoeng, no-devcryptoeng) \
> +	$(call ptx/ifdef, PTXCONF_OPENSSL_KTLS, enable-ktls, no-ktls) \
>  	no-idea \
>  	no-mdc2 \
>  	no-rc5 \




* Re: [ptxdist] [APPLIED] openssl: add kTLS receive fix
  2024-01-22  8:48 ` [ptxdist] [PATCH 3/3] openssl: add kTLS receive fix Steffen Trumtrar
  2024-01-22 10:24   ` Michael Olbrich
@ 2024-02-08 16:02   ` Michael Olbrich
  1 sibling, 0 replies; 9+ messages in thread
From: Michael Olbrich @ 2024-02-08 16:02 UTC (permalink / raw)
  To: ptxdist; +Cc: Steffen Trumtrar

Thanks, applied as 7795bf2fb5dc78944132b3da0d5f6309aaae7b44.

Michael

[sent from post-receive hook]

On Thu, 08 Feb 2024 17:02:56 +0100, Steffen Trumtrar <s.trumtrar@pengutronix.de> wrote:
> Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
> Message-Id: <20240122-v2024-01-0-topic-openssl-v1-3-88a1234c0fd2@pengutronix.de>
> [mol: put new patch into a new section]
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch b/patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
> new file mode 100644
> index 000000000000..814bd07bec63
> --- /dev/null
> +++ b/patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
> @@ -0,0 +1,41 @@
> +From: Matt Caswell <matt@openssl.org>
> +Date: Tue, 2 Jan 2024 16:48:43 +0000
> +Subject: [PATCH] Don't apply max_frag_len checking if no Max Fragment Length
> + extension
> +
> +Don't check the Max Fragment Length if the it hasn't been negotiated. We
> +were checking it anyway, and using the default value
> +(SSL3_RT_MAX_PLAIN_LENGTH). This works in most cases but KTLS can cause the
> +record length to actually exceed this in some cases.
> +
> +Fixes #23169
> +---
> + ssl/record/methods/tls_common.c | 14 ++++++++++----
> + 1 file changed, 10 insertions(+), 4 deletions(-)
> +
> +diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c
> +index 423777c18dd4..1a9320ae74de 100644
> +--- a/ssl/record/methods/tls_common.c
> ++++ b/ssl/record/methods/tls_common.c
> +@@ -910,11 +910,17 @@ int tls_get_more_records(OSSL_RECORD_LAYER *rl)
> +         }
> + 
> +         /*
> +-         * Check if the received packet overflows the current
> +-         * Max Fragment Length setting.
> +-         * Note: rl->max_frag_len > 0 and KTLS are mutually exclusive.
> ++         * Record overflow checking (e.g. checking if
> ++         * thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH) is the responsibility of
> ++         * the post_process_record() function above. However we check here if
> ++         * the received packet overflows the current Max Fragment Length setting
> ++         * if there is one.
> ++         * Note: rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH and KTLS are
> ++         * mutually exclusive. Also note that with KTLS thisrr->length can
> ++         * be > SSL3_RT_MAX_PLAIN_LENGTH (and rl->max_frag_len must be ignored)
> +          */
> +-        if (thisrr->length > rl->max_frag_len) {
> ++        if (rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH
> ++                && thisrr->length > rl->max_frag_len) {
> +             RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
> +             goto end;
> +         }
> diff --git a/patches/openssl-3.2.0/series b/patches/openssl-3.2.0/series
> index d655cfc0212e..309ec1465b5e 100644
> --- a/patches/openssl-3.2.0/series
> +++ b/patches/openssl-3.2.0/series
> @@ -1,8 +1,11 @@
>  # generated by git-ptx-patches
>  #tag:base --start-number 1
> +#tag:debian --start-number 1
>  0001-debian-targets.patch
>  0002-pic.patch
>  0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
>  0004-conf-Serialize-allocation-free-of-ssl_names.patch
>  0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
> -# c935d671c5de74f0dec935f1f45438cc  - git-ptx-patches magic
> +#tag:upstream --start-number 100
> +0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
> +# d6f307e5d2ef578b08c895257daa6fbc  - git-ptx-patches magic
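
Review bot: the upstream fix now lives in its own `#tag:upstream --start-number 100` section, which answers the provenance question raised in the review; the new `#tag:debian --start-number 1` directly follows `#tag:base --start-number 1` with no patch between them, so if the base section is meant to be empty, dropping it or commenting why it stays would avoid confusion about which tag 0001 and 0002 belong to.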



