From f059e4cc435b7b850cfc8188d265a8925edff0bd Mon Sep 17 00:00:00 2001 From: John Baldwin Date: Wed, 9 Oct 2019 11:33:00 -0700 Subject: [PATCH] Don't generate a MAC when using KTLS. The kernel will generate the MAC when transmitting the frame. Doing so here causes the MAC to be included as part of the plain text that the kernel MACs and encrypts. Note that this path is not taken when using stitched cipher suites. Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/10045) --- ssl/record/rec_layer_s3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index a34f9df1df..0b9d18fd00 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -986,7 +986,7 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, * in the wb->buf */ - if (!SSL_WRITE_ETM(s) && mac_size != 0) { + if (!BIO_get_ktls_send(s->wbio) && !SSL_WRITE_ETM(s) && mac_size != 0) { unsigned char *mac; if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac) -- 2.25.1