diff options
author | Matt Caswell <matt@openssl.org> | 2021-04-07 16:53:28 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2021-04-12 11:32:05 +0100 |
commit | a3a54179b6754fbed6d88e434baac710a83aaf80 (patch) | |
tree | 91364237de70c506616c3c92dabf0f5cf9267147 /ssl/ktls.c | |
parent | 4ec4b063e0d4cc3d58c709e309b1ec5a9aea3379 (diff) |
Only enable KTLS if it is explicitly configured
It has always been the case that KTLS is not compiled by default. However
if it is compiled then it was automatically used unless specifically
configured not to. This is problematic because it avoids any crypto
implementations from providers. A user who configures all crypto to use
the FIPS provider may unexpectedly find that TLS related crypto is actually
being performed outside of the FIPS boundary.
Instead we change KTLS so that it is disabled by default.
We also swap to using a single "option" (i.e. SSL_OP_ENABLE_KTLS) rather
than two separate "modes", (i.e. SSL_MODE_NO_KTLS_RX and
SSL_MODE_NO_KTLS_TX).
Fixes #13794
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14799)
Diffstat (limited to 'ssl/ktls.c')
-rw-r--r-- | ssl/ktls.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/ssl/ktls.c b/ssl/ktls.c index 167baa90e0..2d1ef693c2 100644 --- a/ssl/ktls.c +++ b/ssl/ktls.c @@ -137,6 +137,7 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, return 0; # endif # ifdef OPENSSL_KTLS_AES_GCM_128 + /* Fall through */ case NID_aes_128_gcm: # endif # ifdef OPENSSL_KTLS_AES_GCM_256 |