BUG/MINOR: ssl: Use the sequence number with kTLS and TLS 1.2

When using TLS 1.2 and kTLS, use the sequence number as the explicit
nonce (what the Linux kTLS API calls "iv"), as is strongly recommended,
and done by most TLS implementations, instead of trying to generate a
pseudo random-number.
In practice, it changes nothing, because the kernel would override that
with the sequence number anyway, but there is no need to have confusing
code that uses statistical_prng_range() anyway.

This should be backported to 3.3.
Olivier Houchard 2026-05-06 18:32:51 +02:00 committed by William Lallemand
parent 2be6744189
commit 753a282373

@ -6665,9 +6665,7 @@ static void ssl_sock_setup_ktls(struct ssl_sock_ctx *ctx)
info.info.cipher_type = known_ciphers[i].tls_cipher;
if (is_tls_12) {
unsigned char iv[iv_size];
int block_key_size = 2 * key_size + 2 * salt_size;
int i;
/*
* We may have to increase buf size if new ciphers are
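Review bot: in the `if (is_tls_12)` block, the inner `int i;` shadows the outer `i` that indexes `known_ciphers[i].tls_cipher` on the line just above it. The header counts go from 9 to 7 lines, so this declaration appears to be dropped together with `unsigned char iv[iv_size];`. Please confirm that no statement left in the block still uses `i`, because it would now bind silently to the outer index instead of failing to compile.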
@ -6699,10 +6697,9 @@ static void ssl_sock_setup_ktls(struct ssl_sock_ctx *ctx)
*/
seq = SSL_get_read_sequence(ssl);
seq = my_htonll(seq);
for (i = 0; i < iv_size; i++)
iv[i] = (unsigned char)statistical_prng_range(256);
/* IV */
memcpy(&info.buf[0], &iv, iv_size);
/* Use the sequence number as the explicit nonce */
memcpy(&info.buf[0], &seq, iv_size);
if (!conn_is_back(ctx->conn)) {
/* Key */
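Review bot: `memcpy(&info.buf[0], &seq, iv_size);` reads `iv_size` bytes out of `seq`, so it is only safe while `iv_size` never exceeds `sizeof(seq)`. The previous source was `iv[iv_size]`, sized to match by construction, whereas `seq` goes through `my_htonll()` and is presumably a fixed 64-bit value. Nothing visible in this hunk bounds `iv_size`, so a cipher entry with a larger IV would read past `seq` on the stack. Suggest adding a check that `iv_size <= sizeof(seq)` before the copy, or rejecting the cipher for kTLS when it does not hold.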
@ -6726,9 +6723,8 @@ static void ssl_sock_setup_ktls(struct ssl_sock_ctx *ctx)
*/
seq = SSL_get_write_sequence(ssl);
seq = my_htonll(seq);
for (i = 0; i < iv_size; i++)
iv[i] = (unsigned char)statistical_prng_range(256);
memcpy(&info.buf[0], &iv, iv_size);
/* Use the sequence number as the explicit nonce */
memcpy(&info.buf[0], &seq, iv_size);
if (!conn_is_back(ctx->conn)) {
/* Key */
memcpy(&info.buf[iv_size], &buf[key_size], key_size);
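Review bot: the write path here repeats the read path line for line (`SSL_get_write_sequence()`, `my_htonll()`, then the `memcpy` into `info.buf[0]`), including the same comment. Consider a small helper that takes the sequence number and fills the explicit nonce, so the byte-order conversion and any bound on `iv_size` live in one place. The comment could also note that the value is stored big-endian and, as the commit message says, that the kernel overrides it with the sequence number anyway, so a later reader knows why it is set here.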