From 753a282373b450b5c4e558c85d22b226a49030f6 Mon Sep 17 00:00:00 2001
From: Olivier Houchard
Date: Wed, 6 May 2026 18:32:51 +0200
Subject: [PATCH] BUG/MINOR: ssl: Use the sequence number with kTLS and TLS 1.2

When using TLS 1.2 and kTLS, use the sequence number as the explicit nonce (what the linux kTLS API calls "iv"), as is strongly recommanded, and done by most TLS implementations, instead of trying to generate a pseudo random-number. In practice, it changes nothing, because the kernel would override that with the sequence number anyway, but there is no need to have confusing code that uses statistical_prng_range() anyway.

This should be backported to 3.3.
---
 src/ssl_sock.c | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index bcc57e280..1fd2681cf 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -6665,9 +6665,7 @@ static void ssl_sock_setup_ktls(struct ssl_sock_ctx *ctx)
 info.info.cipher_type = known_ciphers[i].tls_cipher;
 if (is_tls_12) {
- unsigned char iv[iv_size];
 int block_key_size = 2 * key_size + 2 * salt_size;
- int i;
 /*
 * We may have to increase buf size if new ciphers are
@@ -6699,10 +6697,9 @@ static void ssl_sock_setup_ktls(struct ssl_sock_ctx *ctx)
 */
 seq = SSL_get_read_sequence(ssl);
 seq = my_htonll(seq);
- for (i = 0; i < iv_size; i++)
- iv[i] = (unsigned char)statistical_prng_range(256);
- /* IV */
- memcpy(&info.buf[0], &iv, iv_size);
+
+ /* Use the sequence number as the explicit nonce */
+ memcpy(&info.buf[0], &seq, iv_size);
 if (!conn_is_back(ctx->conn)) {
 /* Key */
@@ -6726,9 +6723,8 @@ static void ssl_sock_setup_ktls(struct ssl_sock_ctx *ctx)
 */
 seq = SSL_get_write_sequence(ssl);
 seq = my_htonll(seq);
- for (i = 0; i < iv_size; i++)
- iv[i] = (unsigned char)statistical_prng_range(256);
- memcpy(&info.buf[0], &iv, iv_size);
+ /* Use the sequence number as the explicit nonce */
+ memcpy(&info.buf[0], &seq, iv_size);
 if (!conn_is_back(ctx->conn)) {
 /* Key */
 memcpy(&info.buf[iv_size], &buf[key_size], key_size);
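Review bot: The new `memcpy(&info.buf[0], &seq, iv_size);` reads `iv_size` bytes out of `seq`, which appears to be a single 64-bit value (it is passed through `my_htonll()`), whereas the removed code filled an `iv[iv_size]` array sized from the cipher table; if any `known_ciphers` entry reachable on the TLS 1.2 path declares an `iv_size` larger than 8 (the kernel's ChaCha20-Poly1305 nonce is 12 bytes, for instance), this is a stack over-read past `seq`, and a smaller `iv_size` silently copies only the leading bytes of the big-endian sequence number. The read-side hunk above has the same pattern. Since the commit message states the kernel overrides this field with its own sequence number anyway, the defensive form costs nothing: `memset(&info.buf[0], 0, iv_size); memcpy(&info.buf[0], &seq, MIN(iv_size, sizeof(seq)));` preceded by `/* seq is 8 bytes; the cipher may declare a longer or shorter explicit nonce */`, or alternatively a one-time check that `iv_size == sizeof(seq)` where the cipher table entry is selected. I cannot see the cipher table or the declaration of `seq` from this hunk, so please confirm the sizes involved. ssl_sock_setup_ktls() begins and ends outside the hunk.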