Differential D32842

ktls: Reject some invalid cipher suites.
ClosedPublic
Actions

Authored by jhb on Nov 5 2021, 12:04 AM.

Details

Reviewers

markj

Commits

rG94280c58116f: ktls: Reject some invalid cipher suites.
rG900a28fe33ef: ktls: Reject some invalid cipher suites.

Summary

Reject AES-CBC cipher suites for TLS 1.0 and TLS 1.1 using auth algorithms other than SHA1-HMAC.

Reject AES-GCM cipher suites for TLS versions older than 1.2.

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 42592
Build 39480: arc lint + arc unit

Event Timeline

jhb created this revision.Nov 5 2021, 12:04 AM

Herald added a subscriber: imp. · View Herald TranscriptNov 5 2021, 12:04 AM

jhb requested review of this revision.Nov 5 2021, 12:04 AM

Harbormaster completed remote builds in B42592: Diff 98040.Nov 5 2021, 12:04 AM

jhb added a parent revision: D32841: ktls: Add tests for sending empty fragments for TLS 1.0 connections..Nov 5 2021, 12:04 AM

jhb added a child revision: D32843: ktls: Add tests ensuring various invalid cipher suites are rejected..

markj accepted this revision.Nov 13 2021, 2:47 AM

markj added inline comments.

sys/kern/uipc_ktls.c
584	Maybe s/1.1+/1.1 and 1.2/.

This revision is now accepted and ready to land.Nov 13 2021, 2:47 AM

jhb marked an inline comment as done.Nov 15 2021, 7:30 PM

Closed by commit rG900a28fe33ef: ktls: Reject some invalid cipher suites. (authored by jhb). · Explain WhyNov 15 2021, 8:03 PM

This revision was automatically updated to reflect the committed changes.

jhb added a commit: rG900a28fe33ef: ktls: Reject some invalid cipher suites..

jhb added a commit: rG94280c58116f: ktls: Reject some invalid cipher suites..Nov 23 2021, 11:14 PM

Revision Contents
Changeset List

Path

Size

sys/

kern/

uipc_ktls.c

53 lines

Diff 98040

View Options

ktls: Reject some invalid cipher suites.ClosedPublicActions