From: Tianjia Zhang
Date: Mon, 6 Dec 2021 09:50:50 +0000 (+0800)
Subject: KTLS: enable the CCM mode of ktls
X-Git-Tag: openssl-3.2.0-alpha1~1713
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=34c2f90d8ed325a892618ce0e42ebe916966d4d8;p=thirdparty%2Fopenssl.git

KTLS: enable the CCM mode of ktls

The latest kernel (including stable kernel) has fixed the issue of decryption failure in CCM mode in TLS 1.3. It is necessary to reenable CCM mode for KTLS.

Signed-off-by: Tianjia Zhang
Reviewed-by: Matt Caswell
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/17207)
---
diff --git a/CHANGES.md b/CHANGES.md index f0ecb25483a..a55a6c47aaa 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -223,6 +223,14 @@ OpenSSL 3.2 *Hugo Landau* + * Enable KTLS with the TLS 1.3 CCM mode ciphersuites. Note that some linux + kernel versions that support KTLS have a known bug in CCM processing. That + has been fixed in stable releases starting from 5.4.164, 5.10.84, 5.15.7, + and all releases since 5.16. KTLS with CCM ciphersuites should be only used + on these releases. + + *Tianjia Zhang* + OpenSSL 3.0 ----------- diff --git a/ssl/record/methods/ktls_meth.c b/ssl/record/methods/ktls_meth.c index 1fd83c94f22..5c94837dc0b 100644 --- a/ssl/record/methods/ktls_meth.c +++ b/ssl/record/methods/ktls_meth.c @@ -147,8 +147,7 @@ static int ktls_int_check_supported_cipher(OSSL_RECORD_LAYER *rl, */ # ifdef OPENSSL_KTLS_AES_CCM_128 if (EVP_CIPHER_is_a(c, "AES-128-CCM")) { - if (rl->version == TLS_1_3_VERSION /* broken on 5.x kernels */ - || taglen != EVP_CCM_TLS_TAG_LEN) + if (taglen != EVP_CCM_TLS_TAG_LEN) return 0; return 1; } else
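Review bot: The new CHANGES.md entry names the fixed kernel releases but does not say what an affected kernel does, so a reader cannot recognise the failure when it happens. The commit message calls it a decryption failure in CCM mode in TLS 1.3; please put that symptom into the entry, and say that OpenSSL does not check the kernel version itself, so the operator has to. Two wording nits in the same entry: "linux" should be "Linux", and "should be only used on these releases" reads better as "should only be used on these releases".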
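Review bot: In the ktls_meth.c hunk, dropping `rl->version == TLS_1_3_VERSION` from the AES-128-CCM branch of `ktls_int_check_supported_cipher` leaves no guard in the visible lines against the kernel bug that CHANGES.md still describes. What remains is `# ifdef OPENSSL_KTLS_AES_CCM_128` and `taglen != EVP_CCM_TLS_TAG_LEN`. The first is decided at build time and the second concerns only the tag length, so neither reflects which kernel the process is running on. A build deployed on a kernel older than 5.4.164, 5.10.84 or 5.15.7 will therefore accept TLS 1.3 CCM for offload and hit the decryption failure. Consider a runtime kernel version check before returning 1 for TLS 1.3 here. If that is judged out of scope, at least replace the removed `/* broken on 5.x kernels */` comment with one that lists the minimum fixed releases, so the constraint stays visible in the code and not only in the changelog.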