Page MenuHomeFreeBSD

ktls: Reject attempts to enable AES-CBC with TLS 1.3.
ClosedPublic

Authored by jhb on Oct 9 2021, 3:13 PM.
Tags
None
Referenced Files
F105756720: D32404.diff
Fri, Dec 20, 5:50 AM
Unknown Object (File)
Sun, Dec 8, 7:07 PM
Unknown Object (File)
Fri, Dec 6, 4:40 AM
Unknown Object (File)
Nov 8 2024, 8:45 PM
Unknown Object (File)
Oct 22 2024, 2:18 PM
Unknown Object (File)
Oct 22 2024, 2:18 PM
Unknown Object (File)
Oct 22 2024, 2:18 PM
Unknown Object (File)
Oct 22 2024, 2:05 PM
Subscribers

Details

Summary

AES-CBC cipher suites are not supported in TLS 1.3.

Reported by: syzbot+ab501c50033ec01d53c6@syzkaller.appspotmail.com

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 42044
Build 38932: arc lint + arc unit

Event Timeline

jhb requested review of this revision.Oct 9 2021, 3:13 PM

I haven't tested this yet. I can try to do that this week unless one of y'all want to beat me to it.

In D32404#731030, @jhb wrote:

I haven't tested this yet. I can try to do that this week unless one of y'all want to beat me to it.

I verified that the repro works and that this patch causes it to return EINVAL instead.

This revision is now accepted and ready to land.Oct 9 2021, 3:30 PM

I've tested that all the expected cipher suites and versions still work.