KTLS: AES-CCM in TLS-1.3 is broken on 5.x kernels, disable it

Fixes #16089 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16120)
2025-01-24 13:55:42 +08:00 · 2021-07-20 13:08:31 +02:00 · 2021-07-20 13:08:31 +02:00 · 26411bc887
commit 26411bc887
parent c9eb459870
1 changed files with 2 additions and 1 deletions
--- a/ssl/ktls.c
+++ b/ssl/ktls.c
@ -133,7 +133,8 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c,
    {
 # ifdef OPENSSL_KTLS_AES_CCM_128
    case NID_aes_128_ccm:
-        if (EVP_CIPHER_CTX_get_tag_length(dd) != EVP_CCM_TLS_TAG_LEN)
+        if (s->version == TLS_1_3_VERSION /* broken on 5.x kernels */
+            || EVP_CIPHER_CTX_get_tag_length(dd) != EVP_CCM_TLS_TAG_LEN)
          return 0;
 # endif
 # ifdef OPENSSL_KTLS_AES_GCM_128