ktls: Reject attempts to enable AES-CBC with TLS 1.3.
ClosedPublic
Actions

Authored by jhb on Oct 9 2021, 3:13 PM.

Details

Reviewers

markj
tuexen

Commits

rG0053fedc1b47: ktls: Reject attempts to enable AES-CBC with TLS 1.3.
rGa63752cce646: ktls: Reject attempts to enable AES-CBC with TLS 1.3.

Summary

AES-CBC cipher suites are not supported in TLS 1.3.

Reported by: syzbot+ab501c50033ec01d53c6@syzkaller.appspotmail.com

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 42044
Build 38932: arc lint + arc unit

Event Timeline

jhb created this revision.Oct 9 2021, 3:13 PM

Herald added a subscriber: imp. · View Herald TranscriptOct 9 2021, 3:13 PM

jhb requested review of this revision.Oct 9 2021, 3:13 PM

Harbormaster completed remote builds in B42044: Diff 96550.Oct 9 2021, 3:13 PM

I haven't tested this yet. I can try to do that this week unless one of y'all want to beat me to it.

In D32404#731030, @jhb wrote:

I haven't tested this yet. I can try to do that this week unless one of y'all want to beat me to it.

I verified that the repro works and that this patch causes it to return EINVAL instead.

This revision is now accepted and ready to land.Oct 9 2021, 3:30 PM

tuexen accepted this revision.Oct 9 2021, 4:12 PM

I've tested that all the expected cipher suites and versions still work.

Closed by commit rGa63752cce646: ktls: Reject attempts to enable AES-CBC with TLS 1.3. (authored by jhb). · Explain WhyOct 13 2021, 7:14 PM

This revision was automatically updated to reflect the committed changes.

jhb added a commit: rGa63752cce646: ktls: Reject attempts to enable AES-CBC with TLS 1.3..

jhb added a commit: rG0053fedc1b47: ktls: Reject attempts to enable AES-CBC with TLS 1.3..Nov 23 2021, 11:13 PM

Revision Contents
Changeset List

Path

Size

sys/

kern/

uipc_ktls.c

4 lines

Diff 96550

View Options

ktls: Reject attempts to enable AES-CBC with TLS 1.3.ClosedPublicActions