diff --git a/crypto/bio/bio_sock2.c b/crypto/bio/bio_sock2.c index 252a9ab074..aa9772bc46 100644 --- a/crypto/bio/bio_sock2.c +++ b/crypto/bio/bio_sock2.c @@ -181,15 +181,6 @@ int BIO_connect(int sock, const BIO_ADDR *addr, int options) } return 0; } -# ifndef OPENSSL_NO_KTLS - /* - * The new socket is created successfully regardless of ktls_enable. - * ktls_enable doesn't change any functionality of the socket, except - * changing the setsockopt to enable the processing of ktls_start. - * Thus, it is not a problem to call it for non-TLS sockets. - */ - ktls_enable(sock); -# endif return 1; } diff --git a/crypto/bio/bss_conn.c b/crypto/bio/bss_conn.c index 8830f8f142..783de8ffd6 100644 --- a/crypto/bio/bss_conn.c +++ b/crypto/bio/bss_conn.c @@ -252,15 +252,6 @@ static int conn_state(BIO *b, BIO_CONNECT *c) if (!conn_create_dgram_bio(b, c)) break; c->state = BIO_CONN_S_OK; -# ifndef OPENSSL_NO_KTLS - /* - * The new socket is created successfully regardless of ktls_enable. - * ktls_enable doesn't change any functionality of the socket, except - * changing the setsockopt to enable the processing of ktls_start. - * Thus, it is not a problem to call it for non-TLS sockets. - */ - ktls_enable(b->num); -# endif } break; diff --git a/crypto/bio/bss_sock.c b/crypto/bio/bss_sock.c index 41b6965a80..a7067b5dea 100644 --- a/crypto/bio/bss_sock.c +++ b/crypto/bio/bss_sock.c @@ -72,17 +72,6 @@ BIO *BIO_new_socket(int fd, int close_flag) if (ret == NULL) return NULL; BIO_set_fd(ret, fd, close_flag); -# ifndef OPENSSL_NO_KTLS - { - /* - * The new socket is created successfully regardless of ktls_enable. - * ktls_enable doesn't change any functionality of the socket, except - * changing the setsockopt to enable the processing of ktls_start. - * Thus, it is not a problem to call it for non-TLS sockets. - */ - ktls_enable(fd); - } -# endif return ret; } diff --git a/include/internal/ktls.h b/include/internal/ktls.h index 072653dc5e..368ff10e4f 100644 --- a/include/internal/ktls.h +++ b/include/internal/ktls.h @@ -302,6 +302,12 @@ static ossl_inline int ktls_enable(int fd) static ossl_inline int ktls_start(int fd, ktls_crypto_info_t *crypto_info, int is_tx) { + /* + * Socket must be in TCP established state to enable KTLS. + * Further calls to enable ktls will return EEXIST + */ + ktls_enable(fd); + return setsockopt(fd, SOL_TLS, is_tx ? TLS_TX : TLS_RX, crypto_info, crypto_info->tls_crypto_info_len) ? 0 : 1; } diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index da99fd2631..e9d8d88a8c 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1740,15 +1740,6 @@ int SSL_set_fd(SSL *s, int fd) } BIO_set_fd(bio, fd, BIO_NOCLOSE); SSL_set_bio(s, bio, bio); -#ifndef OPENSSL_NO_KTLS - /* - * The new socket is created successfully regardless of ktls_enable. - * ktls_enable doesn't change any functionality of the socket, except - * changing the setsockopt to enable the processing of ktls_start. - * Thus, it is not a problem to call it for non-TLS sockets. - */ - ktls_enable(fd); -#endif /* OPENSSL_NO_KTLS */ ret = 1; err: return ret; @@ -1774,15 +1765,6 @@ int SSL_set_wfd(SSL *s, int fd) } BIO_set_fd(bio, fd, BIO_NOCLOSE); SSL_set0_wbio(s, bio); -#ifndef OPENSSL_NO_KTLS - /* - * The new socket is created successfully regardless of ktls_enable. - * ktls_enable doesn't change any functionality of the socket, except - * changing the setsockopt to enable the processing of ktls_start. - * Thus, it is not a problem to call it for non-TLS sockets. - */ - ktls_enable(fd); -#endif /* OPENSSL_NO_KTLS */ } else { if (!BIO_up_ref(rbio)) return 0;