The branch master has been updated via 26411bc8879bf979e3703357e9595de057528e28 (commit) via c9eb45987036314b150fdeed8a8a8a24bfa71687 (commit) via bdb65e2ba63bc63456ec3d462bd2e2c3e62eb193 (commit) from a7e62fbdf89b9bbaac85826020c1033b35a67d52 (commit)
- Log ----------------------------------------------------------------- commit 26411bc8879bf979e3703357e9595de057528e28 Author: Tomas Mraz <to...@openssl.org> Date: Tue Jul 20 13:08:31 2021 +0200 KTLS: AES-CCM in TLS-1.3 is broken on 5.x kernels, disable it Fixes #16089 Reviewed-by: Shane Lontis <shane.lon...@oracle.com> Reviewed-by: Paul Dale <pa...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16120) commit c9eb45987036314b150fdeed8a8a8a24bfa71687 Author: Tomas Mraz <to...@openssl.org> Date: Tue Jul 20 12:23:24 2021 +0200 Test ktls in non-default options CI build Reviewed-by: Shane Lontis <shane.lon...@oracle.com> Reviewed-by: Paul Dale <pa...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16120) commit bdb65e2ba63bc63456ec3d462bd2e2c3e62eb193 Author: Tomas Mraz <to...@openssl.org> Date: Tue Jul 20 12:22:57 2021 +0200 Drop no-ktls from runchecker daily build as it has no effect Reviewed-by: Shane Lontis <shane.lon...@oracle.com> Reviewed-by: Paul Dale <pa...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16120) ----------------------------------------------------------------------- Summary of changes: .github/workflows/ci.yml | 4 +++- .github/workflows/run-checker-daily.yml | 1 - ssl/ktls.c | 3 ++- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4f9bfbfb8a..9e89d455a9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -163,8 +163,10 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + - name: modprobe tls + run: sudo modprobe tls - name: config - run: ./config --banner=Configured --strict-warnings no-ec enable-ssl-trace enable-zlib enable-zlib-dynamic enable-crypto-mdebug enable-crypto-mdebug-backtrace enable-egd enable-fips && perl configdata.pm --dump + run: ./config --banner=Configured --strict-warnings no-ec enable-ssl-trace enable-zlib enable-zlib-dynamic enable-crypto-mdebug enable-crypto-mdebug-backtrace enable-egd enable-ktls enable-fips && perl configdata.pm --dump - name: make run: make -s -j4 - name: make test diff --git a/.github/workflows/run-checker-daily.yml b/.github/workflows/run-checker-daily.yml index c66241743a..0ab02c5375 100644 --- a/.github/workflows/run-checker-daily.yml +++ b/.github/workflows/run-checker-daily.yml @@ -62,7 +62,6 @@ jobs: no-hw, no-hw-padlock, no-idea, - no-ktls, no-makedepend, enable-md2, no-md2, diff --git a/ssl/ktls.c b/ssl/ktls.c index 2d691fdeb2..02dbb937ea 100644 --- a/ssl/ktls.c +++ b/ssl/ktls.c @@ -133,7 +133,8 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, { # ifdef OPENSSL_KTLS_AES_CCM_128 case NID_aes_128_ccm: - if (EVP_CIPHER_CTX_get_tag_length(dd) != EVP_CCM_TLS_TAG_LEN) + if (s->version == TLS_1_3_VERSION /* broken on 5.x kernels */ + || EVP_CIPHER_CTX_get_tag_length(dd) != EVP_CCM_TLS_TAG_LEN) return 0; # endif # ifdef OPENSSL_KTLS_AES_GCM_128