From: Tomas Mraz Date: Tue, 20 Jul 2021 11:08:31 +0000 (+0200) Subject: KTLS: AES-CCM in TLS-1.3 is broken on 5.x kernels, disable it X-Git-Tag: openssl-3.0.0-beta2~18 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=26411bc8879bf979e3703357e9595de057528e28;p=thirdparty%2Fopenssl.git KTLS: AES-CCM in TLS-1.3 is broken on 5.x kernels, disable it Fixes #16089 Reviewed-by: Shane Lontis Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16120) --- diff --git a/ssl/ktls.c b/ssl/ktls.c index 2d691fdeb2f..02dbb937eac 100644 --- a/ssl/ktls.c +++ b/ssl/ktls.c @@ -133,7 +133,8 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, { # ifdef OPENSSL_KTLS_AES_CCM_128 case NID_aes_128_ccm: - if (EVP_CIPHER_CTX_get_tag_length(dd) != EVP_CCM_TLS_TAG_LEN) + if (s->version == TLS_1_3_VERSION /* broken on 5.x kernels */ + || EVP_CIPHER_CTX_get_tag_length(dd) != EVP_CCM_TLS_TAG_LEN) return 0; # endif # ifdef OPENSSL_KTLS_AES_GCM_128