The latest kernel (including stable kernel) has fixed the issue
of decryption failure in CCM mode in TLS 1.3. It is necessary to
reenable CCM mode for KTLS.
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17207)
*Hugo Landau*
+ * Enable KTLS with the TLS 1.3 CCM mode ciphersuites. Note that some linux
+ kernel versions that support KTLS have a known bug in CCM processing. That
+ has been fixed in stable releases starting from 5.4.164, 5.10.84, 5.15.7,
+ and all releases since 5.16. KTLS with CCM ciphersuites should be only used
+ on these releases.
+
+ *Tianjia Zhang*
+
OpenSSL 3.0
-----------
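Review bot: The closing sentence of the new entry ("KTLS with CCM ciphersuites should be only used on these releases") places a requirement on the user that nothing in this change enforces, and the entry does not say so. Suggest stating explicitly that OpenSSL does not check the running kernel version, and that on kernels older than 5.4.164, 5.10.84, 5.15.7 or 5.16 the user must keep KTLS disabled or avoid the TLS 1.3 CCM ciphersuites. Style: "linux" should be capitalised as "Linux", and "should be only used" reads better as "should only be used".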
*/
# ifdef OPENSSL_KTLS_AES_CCM_128
if (EVP_CIPHER_is_a(c, "AES-128-CCM")) {
- if (rl->version == TLS_1_3_VERSION /* broken on 5.x kernels */
- || taglen != EVP_CCM_TLS_TAG_LEN)
+ if (taglen != EVP_CCM_TLS_TAG_LEN)
return 0;
return 1;
} else
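Review bot: Dropping the `rl->version == TLS_1_3_VERSION` test in the AES-128-CCM branch removes the only guard against the kernels the CHANGES entry describes as having the CCM bug, and the `# ifdef OPENSSL_KTLS_AES_CCM_128` check is compile-time only, so a binary built against fixed headers will still offload TLS 1.3 CCM when run on an older, affected kernel. Consider gating this on a runtime kernel version check, or at minimum replace the deleted "broken on 5.x kernels" comment with one that names the first fixed stable releases (5.4.164, 5.10.84, 5.15.7, 5.16), so the dependency stays documented next to the condition that relies on it.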