]> git.ipfire.org Git - thirdparty/openssl.git/commitdiff
projects / thirdparty / openssl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c9eb459)
KTLS: AES-CCM in TLS-1.3 is broken on 5.x kernels, disable it
authorTomas Mraz <tomas@openssl.org>
Tue, 20 Jul 2021 11:08:31 +0000 (13:08 +0200)
committerPauli <pauli@openssl.org>
Tue, 27 Jul 2021 03:19:20 +0000 (13:19 +1000)
Fixes #16089

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16120)

ssl/ktls.c patch | blob | blame | history

diff --git a/ssl/ktls.c b/ssl/ktls.c
index 2d691fdeb2fa03ab5dd85989f8ed086cf653dc4b..02dbb937eacacc843325c0316e9f506936be7742 100644 (file)
--- a/ssl/ktls.c
+++ b/ssl/ktls.c
@@ -133,7 +133,8 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c,
     {
 # ifdef OPENSSL_KTLS_AES_CCM_128
     case NID_aes_128_ccm:
-        if (EVP_CIPHER_CTX_get_tag_length(dd) != EVP_CCM_TLS_TAG_LEN)
+        if (s->version == TLS_1_3_VERSION /* broken on 5.x kernels */
+            || EVP_CIPHER_CTX_get_tag_length(dd) != EVP_CCM_TLS_TAG_LEN)
           return 0;
 # endif
 # ifdef OPENSSL_KTLS_AES_GCM_128
Mirror of https://github.com/openssl/openssl.git