git: 900a28fe33ef - main - ktls: Reject some invalid cipher suites.
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 15 Nov 2021 20:03:52 UTC
The branch main has been updated by jhb: URL: https://cgit.FreeBSD.org/src/commit/?id=900a28fe33ef998aaee55cb243f4efa35471da07 commit 900a28fe33ef998aaee55cb243f4efa35471da07 Author: John Baldwin <jhb@FreeBSD.org> AuthorDate: 2021-11-15 19:28:56 +0000 Commit: John Baldwin <jhb@FreeBSD.org> CommitDate: 2021-11-15 19:30:12 +0000 ktls: Reject some invalid cipher suites. - Reject AES-CBC cipher suites for TLS 1.0 and TLS 1.1 using auth algorithms other than SHA1-HMAC. - Reject AES-GCM cipher suites for TLS versions older than 1.2. Reviewed by: markj Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D32842 --- sys/kern/uipc_ktls.c | 51 +++++++++++++++++++++++++++++++-------------------- 1 file changed, 31 insertions(+), 20 deletions(-) diff --git a/sys/kern/uipc_ktls.c b/sys/kern/uipc_ktls.c index 4e14cee18c8a..07e5a4c8399f 100644 --- a/sys/kern/uipc_ktls.c +++ b/sys/kern/uipc_ktls.c @@ -551,40 +551,51 @@ ktls_create_session(struct socket *so, struct tls_enable *en, } if (en->auth_key_len != 0) return (EINVAL); - if ((en->tls_vminor == TLS_MINOR_VER_TWO && - en->iv_len != TLS_AEAD_GCM_LEN) || - (en->tls_vminor == TLS_MINOR_VER_THREE && - en->iv_len != TLS_1_3_GCM_IV_LEN)) + switch (en->tls_vminor) { + case TLS_MINOR_VER_TWO: + if (en->iv_len != TLS_AEAD_GCM_LEN) + return (EINVAL); + break; + case TLS_MINOR_VER_THREE: + if (en->iv_len != TLS_1_3_GCM_IV_LEN) + return (EINVAL); + break; + default: return (EINVAL); + } break; case CRYPTO_AES_CBC: switch (en->auth_algorithm) { case CRYPTO_SHA1_HMAC: - /* - * TLS 1.0 requires an implicit IV. TLS 1.1+ - * all use explicit IVs. - */ - if (en->tls_vminor == TLS_MINOR_VER_ZERO) { - if (en->iv_len != TLS_CBC_IMPLICIT_IV_LEN) - return (EINVAL); - break; - } - - /* FALLTHROUGH */ + break; case CRYPTO_SHA2_256_HMAC: case CRYPTO_SHA2_384_HMAC: - /* Ignore any supplied IV. */ - en->iv_len = 0; + if (en->tls_vminor != TLS_MINOR_VER_TWO) + return (EINVAL); break; default: return (EINVAL); } if (en->auth_key_len == 0) return (EINVAL); - if (en->tls_vminor != TLS_MINOR_VER_ZERO && - en->tls_vminor != TLS_MINOR_VER_ONE && - en->tls_vminor != TLS_MINOR_VER_TWO) + + /* + * TLS 1.0 requires an implicit IV. TLS 1.1 and 1.2 + * use explicit IVs. + */ + switch (en->tls_vminor) { + case TLS_MINOR_VER_ZERO: + if (en->iv_len != TLS_CBC_IMPLICIT_IV_LEN) + return (EINVAL); + break; + case TLS_MINOR_VER_ONE: + case TLS_MINOR_VER_TWO: + /* Ignore any supplied IV. */ + en->iv_len = 0; + break; + default: return (EINVAL); + } break; case CRYPTO_CHACHA20_POLY1305: if (en->auth_algorithm != 0 || en->auth_key_len != 0)