KTLS: AES-CCM in TLS-1.3 is broken on 5.x kernels, disable it

Fixes #16089

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16120)
master
Tomas Mraz 3 months ago
committed by Pauli
commit 26411bc887
1 changed files with 2 additions and 1 deletions

ssl/ktls.c

@ -133,7 +133,8 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c,
{
# ifdef OPENSSL_KTLS_AES_CCM_128
case NID_aes_128_ccm:
if (EVP_CIPHER_CTX_get_tag_length(dd) != EVP_CCM_TLS_TAG_LEN)
if (s->version == TLS_1_3_VERSION /* broken on 5.x kernels */
|| EVP_CIPHER_CTX_get_tag_length(dd) != EVP_CCM_TLS_TAG_LEN)
return 0;
# endif
# ifdef OPENSSL_KTLS_AES_GCM_128
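Review bot: The added `s->version == TLS_1_3_VERSION` test in the `NID_aes_128_ccm` case rejects the cipher for every TLS 1.3 connection whenever `OPENSSL_KTLS_AES_CCM_128` is defined, but the inline comment says only "broken on 5.x kernels", and nothing in this hunk looks at the running kernel version. Please expand the comment to say that offload is disabled unconditionally for TLS 1.3 AES-CCM, reference issue #16089, and state what would have to be verified before the restriction can be lifted, so a later reader does not assume a kernel version gate exists elsewhere. It is also worth confirming that `TLS_1_3_VERSION` is the constant intended for comparison against `s->version`, since OpenSSL's own protocol version macro is spelled `TLS1_3_VERSION`; if the two come from different headers, a short comment that they share the same value would help.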

