Don't generate a MAC when using KTLS.

The kernel will generate the MAC when transmitting the frame. Doing so here causes the MAC to be included as part of the plain text that the kernel MACs and encrypts. Note that this path is not taken when using stitched cipher suites. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10045)
2019-10-09 11:33:00 -07:00 · 2019-10-09 11:33:00 -07:00 · f059e4cc43
commit f059e4cc43
parent 1ca50aa975
1 changed files with 1 additions and 1 deletions
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@ -986,7 +986,7 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
         * in the wb->buf
         */

-        if (!SSL_WRITE_ETM(s) && mac_size != 0) {
+        if (!BIO_get_ktls_send(s->wbio) && !SSL_WRITE_ETM(s) && mac_size != 0) {
            unsigned char *mac;

            if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac)