git.openssl.org Git - openssl.git/commit

author	Matt Caswell <matt@openssl.org>
	Wed, 7 Apr 2021 15:53:28 +0000 (16:53 +0100)
committer	Matt Caswell <matt@openssl.org>
	Mon, 12 Apr 2021 10:32:05 +0000 (11:32 +0100)
commit	a3a54179b6754fbed6d88e434baac710a83aaf80
tree	91364237de70c506616c3c92dabf0f5cf9267147	tree \| snapshot
parent	4ec4b063e0d4cc3d58c709e309b1ec5a9aea3379	commit \| diff

Only enable KTLS if it is explicitly configured

It has always been the case that KTLS is not compiled by default. However
if it is compiled then it was automatically used unless specifically
configured not to. This is problematic because it avoids any crypto
implementations from providers. A user who configures all crypto to use
the FIPS provider may unexpectedly find that TLS related crypto is actually
being performed outside of the FIPS boundary.

Instead we change KTLS so that it is disabled by default.

We also swap to using a single "option" (i.e. SSL_OP_ENABLE_KTLS) rather
than two separate "modes", (i.e. SSL_MODE_NO_KTLS_RX and
SSL_MODE_NO_KTLS_TX).

Fixes #13794

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14799)

include/openssl/ssl.h.in		diff \| blob \| history
ssl/ktls.c		diff \| blob \| history
ssl/ssl_conf.c		diff \| blob \| history
ssl/t1_enc.c		diff \| blob \| history
ssl/tls13_enc.c		diff \| blob \| history
test/sslapitest.c		diff \| blob \| history