OpenSSL: Only enable KTLS if it is explicitly configured
author    John Baldwin <jhb@FreeBSD.org>
          Tue, 17 Aug 2021 21:39:03 +0000 (14:39 -0700)
committer John Baldwin <jhb@FreeBSD.org>
          Tue, 24 Aug 2021 00:59:35 +0000 (17:59 -0700)
commit    622809b0868f502550080dc2e3759fc645443744
tree      eb97861b07c9da050c808fc9771c47d0c1e02caf
parent    d00932bea68b702c22e105593777dbfe8c7a2479
OpenSSL: Only enable KTLS if it is explicitly configured

It has always been the case that KTLS is not compiled by default. However,
if it is compiled, then it was automatically used unless specifically
configured not to. This is problematic because it avoids any crypto
implementations from providers. A user who configures all crypto to use
the FIPS provider may unexpectedly find that TLS related crypto is actually
being performed outside of the FIPS boundary.

Instead we change KTLS so that it is disabled by default.

We also swap to using a single "option" (i.e. SSL_OP_ENABLE_KTLS) rather
than two separate "modes", (i.e. SSL_MODE_NO_KTLS_RX and
SSL_MODE_NO_KTLS_TX).

Reviewed by: jkim
Obtained from: OpenSSL (a3a54179b6754fbed6d88e434baac710a83aaf80)
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D31440

(cherry picked from commit 62ca9fc1ad569eb3fafd281e03812a598b9856ee)
crypto/openssl/include/openssl/ssl.h
crypto/openssl/ssl/ktls.c
crypto/openssl/ssl/ssl_conf.c
crypto/openssl/ssl/t1_enc.c
crypto/openssl/ssl/tls13_enc.c