

ktls: Reject some invalid cipher suites.
- Reject AES-CBC cipher suites for TLS 1.0 and TLS 1.1 using auth
  algorithms other than SHA1-HMAC.

- Reject AES-GCM cipher suites for TLS versions older than 1.2.

Reviewed by:	markj
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D32842

(cherry picked from commit 900a28f)
bsdjhb committed Nov 23, 2021
1 parent 27d29db commit 94280c5
Showing 1 changed file with 31 additions and 20 deletions.
51 changes: 31 additions & 20 deletions sys/kern/uipc_ktls.c
Expand Up @@ -497,40 +497,51 @@ ktls_create_session(struct socket *so, struct tls_enable *en,
}
if (en->auth_key_len != 0)
return (EINVAL);
if ((en->tls_vminor == TLS_MINOR_VER_TWO &&
en->iv_len != TLS_AEAD_GCM_LEN) ||
(en->tls_vminor == TLS_MINOR_VER_THREE &&
en->iv_len != TLS_1_3_GCM_IV_LEN))
switch (en->tls_vminor) {
case TLS_MINOR_VER_TWO:
if (en->iv_len != TLS_AEAD_GCM_LEN)
return (EINVAL);
break;
case TLS_MINOR_VER_THREE:
if (en->iv_len != TLS_1_3_GCM_IV_LEN)
return (EINVAL);
break;
default:
return (EINVAL);
}
break;
case CRYPTO_AES_CBC:
switch (en->auth_algorithm) {
case CRYPTO_SHA1_HMAC:
/*
* TLS 1.0 requires an implicit IV. TLS 1.1+
* all use explicit IVs.
*/
if (en->tls_vminor == TLS_MINOR_VER_ZERO) {
if (en->iv_len != TLS_CBC_IMPLICIT_IV_LEN)
return (EINVAL);
break;
}

/* FALLTHROUGH */
break;
case CRYPTO_SHA2_256_HMAC:
case CRYPTO_SHA2_384_HMAC:
/* Ignore any supplied IV. */
en->iv_len = 0;
if (en->tls_vminor != TLS_MINOR_VER_TWO)
return (EINVAL);
break;
default:
return (EINVAL);
}
if (en->auth_key_len == 0)
return (EINVAL);
if (en->tls_vminor != TLS_MINOR_VER_ZERO &&
en->tls_vminor != TLS_MINOR_VER_ONE &&
en->tls_vminor != TLS_MINOR_VER_TWO)

/*
* TLS 1.0 requires an implicit IV. TLS 1.1 and 1.2
* use explicit IVs.
*/
switch (en->tls_vminor) {
case TLS_MINOR_VER_ZERO:
if (en->iv_len != TLS_CBC_IMPLICIT_IV_LEN)
return (EINVAL);
break;
case TLS_MINOR_VER_ONE:
case TLS_MINOR_VER_TWO:
/* Ignore any supplied IV. */
en->iv_len = 0;
break;
default:
return (EINVAL);
}
break;
case CRYPTO_CHACHA20_POLY1305:
if (en->auth_algorithm != 0 || en->auth_key_len != 0)
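Review bot: The new `case CRYPTO_SHA2_256_HMAC:` / `case CRYPTO_SHA2_384_HMAC:` branch rejects every minor version other than TLS_MINOR_VER_TWO with a bare `return (EINVAL);`, and nothing in the code records why; the commit message is the only place stating that AES-CBC suites with SHA-2 HMACs are limited to TLS 1.2. A one-line comment above that check, `/* CBC suites with SHA-2 HMACs exist only in TLS 1.2. */`, would keep the rationale next to the code, and the GCM branch's new `default: return (EINVAL);`, which now rejects versions older than 1.2 that the removed two-clause test let through, would benefit from the same treatment. The CBC case's version rule is now split across two switches: the first only constrains the SHA-2 HMACs, and the second's `default:` label is what rejects TLS 1.3 for CBC in place of the removed three-way version test, which looks correct but deserves a second glance. ktls_create_session starts before this hunk and continues past it.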

