KTLS: enable the CCM mode of ktls

The latest kernel (including stable kernel) has fixed the issue of decryption failure in CCM mode in TLS 1.3. It is necessary to reenable CCM mode for KTLS. Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #17207)
openssl · Nov 16, 2022 · 34c2f90 · 34c2f90
1 parent 3b6154c
commit 34c2f90
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -223,6 +223,14 @@ OpenSSL 3.2
 
    *Hugo Landau*
 
+ * Enable KTLS with the TLS 1.3 CCM mode ciphersuites. Note that some linux
+   kernel versions that support KTLS have a known bug in CCM processing. That
+   has been fixed in stable releases starting from 5.4.164, 5.10.84, 5.15.7,
+   and all releases since 5.16. KTLS with CCM ciphersuites should be only used
+   on these releases.
+
+   *Tianjia Zhang*
+
 OpenSSL 3.0
 -----------
 

diff --git a/ssl/record/methods/ktls_meth.c b/ssl/record/methods/ktls_meth.c
@@ -147,8 +147,7 @@ static int ktls_int_check_supported_cipher(OSSL_RECORD_LAYER *rl,
      */
 # ifdef OPENSSL_KTLS_AES_CCM_128
     if (EVP_CIPHER_is_a(c, "AES-128-CCM")) {
-        if (rl->version == TLS_1_3_VERSION /* broken on 5.x kernels */
-            || taglen != EVP_CCM_TLS_TAG_LEN)
+        if (taglen != EVP_CCM_TLS_TAG_LEN)
             return 0;
         return 1;
     } else