authorJohn Baldwin <jhb@FreeBSD.org>2021-10-13 19:12:58 +0000
committerJohn Baldwin <jhb@FreeBSD.org>2021-10-13 19:12:58 +0000
commita63752cce6462d08bbec08cad931d70dec2f5b4c (patch)
tree9a59115f482282c588fd691f3765afc182ab2fad
parent2144431c11529d1107f4440a5fe57559fb20002c (diff)
ktls: Reject attempts to enable AES-CBC with TLS 1.3.
AES-CBC cipher suites are not supported in TLS 1.3.

Reported by: syzbot+ab501c50033ec01d53c6@syzkaller.appspotmail.com
Reviewed by: tuexen, markj
Differential Revision: https://reviews.freebsd.org/D32404
-rw-r--r--sys/kern/uipc_ktls.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/sys/kern/uipc_ktls.c b/sys/kern/uipc_ktls.c
index bc21e6fe2493..12bb02876083 100644
--- a/sys/kern/uipc_ktls.c
+++ b/sys/kern/uipc_ktls.c
@@ -560,6 +560,10 @@ ktls_create_session(struct socket *so, struct tls_enable *en,
}
if (en->auth_key_len == 0)
return (EINVAL);
+ if (en->tls_vminor != TLS_MINOR_VER_ZERO &&
+ en->tls_vminor != TLS_MINOR_VER_ONE &&
+ en->tls_vminor != TLS_MINOR_VER_TWO)
+ return (EINVAL);
break;
case CRYPTO_CHACHA20_POLY1305:
if (en->auth_algorithm != 0 || en->auth_key_len != 0)
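Review bot: The three-way `tls_vminor` comparison added at the end of the AES-CBC case has no comment explaining why minor version three is excluded, so a later reader may collapse it or extend it when a new version constant is added. A one-line comment above it would record the intent, for example `/* CBC suites are defined only for TLS 1.0-1.2; TLS 1.3 is AEAD-only. */`. Writing the check as an allow-list rather than `== TLS_MINOR_VER_THREE` means unknown minor values from userland are rejected as well, and the comment should say that this is deliberate. The body of ktls_create_session starts and ends outside the hunk, so whether `tls_vmajor` and the overall `tls_vminor` range are validated before this switch cannot be confirmed from here.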