git: a63752cce646 - main - ktls: Reject attempts to enable AES-CBC with TLS 1.3.
Date: Wed, 13 Oct 2021 19:14:30 UTC
The branch main has been updated by jhb: URL: https://cgit.FreeBSD.org/src/commit/?id=a63752cce6462d08bbec08cad931d70dec2f5b4c commit a63752cce6462d08bbec08cad931d70dec2f5b4c Author: John Baldwin <jhb@FreeBSD.org> AuthorDate: 2021-10-13 19:12:58 +0000 Commit: John Baldwin <jhb@FreeBSD.org> CommitDate: 2021-10-13 19:12:58 +0000 ktls: Reject attempts to enable AES-CBC with TLS 1.3. AES-CBC cipher suites are not supported in TLS 1.3. Reported by: syzbot+ab501c50033ec01d53c6@syzkaller.appspotmail.com Reviewed by: tuexen, markj Differential Revision: https://reviews.freebsd.org/D32404 --- sys/kern/uipc_ktls.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sys/kern/uipc_ktls.c b/sys/kern/uipc_ktls.c index bc21e6fe2493..12bb02876083 100644 --- a/sys/kern/uipc_ktls.c +++ b/sys/kern/uipc_ktls.c @@ -560,6 +560,10 @@ ktls_create_session(struct socket *so, struct tls_enable *en, } if (en->auth_key_len == 0) return (EINVAL); + if (en->tls_vminor != TLS_MINOR_VER_ZERO && + en->tls_vminor != TLS_MINOR_VER_ONE && + en->tls_vminor != TLS_MINOR_VER_TWO) + return (EINVAL); break; case CRYPTO_CHACHA20_POLY1305: if (en->auth_algorithm != 0 || en->auth_key_len != 0)
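Review bot: The new tls_vminor condition in ktls_create_session() carries no comment saying why only these three minor versions are accepted, so a reader has to find the commit message to learn that it exists to keep AES-CBC out of TLS 1.3. A one-line comment directly above `if (en->tls_vminor != TLS_MINOR_VER_ZERO &&`, for example "AES-CBC cipher suites are not supported in TLS 1.3", would keep that reasoning next to the code. Writing the test as an allowlist of TLS_MINOR_VER_ZERO, TLS_MINOR_VER_ONE and TLS_MINOR_VER_TWO is the right shape, because it returns EINVAL for any minor value that is not listed rather than only for the TLS 1.3 one. Since the report came from syzbot, a regression test that asks for this cipher with a TLS 1.3 minor version and expects EINVAL would keep the check from being lost in a later refactor.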