ktls: Reject attempts to enable AES-CBC with TLS 1.3.
AES-CBC cipher suites are not supported in TLS 1.3. Reported by: syzbot+ab501c50033ec01d53c6@syzkaller.appspotmail.com Reviewed by: tuexen, markj Differential Revision: https://reviews.freebsd.org/D32404
This commit is contained in:
parent
2144431c11
commit
a63752cce6
@ -560,6 +560,10 @@ ktls_create_session(struct socket *so, struct tls_enable *en,
|
||||
}
|
||||
if (en->auth_key_len == 0)
|
||||
return (EINVAL);
|
||||
if (en->tls_vminor != TLS_MINOR_VER_ZERO &&
|
||||
en->tls_vminor != TLS_MINOR_VER_ONE &&
|
||||
en->tls_vminor != TLS_MINOR_VER_TWO)
|
||||
return (EINVAL);
|
||||
break;
|
||||
case CRYPTO_CHACHA20_POLY1305:
|
||||
if (en->auth_algorithm != 0 || en->auth_key_len != 0)
|
||||
|
Loading…
Reference in New Issue
Block a user