authorJack Lloyd <[email protected]>2016-10-13 14:43:17 -0400
committerJack Lloyd <[email protected]>2016-10-13 14:43:17 -0400
commit79ea2dc44c2b0957b3cb262b46ed976d4ccc95a5 (patch)
tree8a79933f20c5056ac3899b58da1149d84185ef2e
parent9f7b4486e1015886638168f49673398bee7a71bf (diff)
parent4d1f71b1aa66ec915dd7ce7eab462f1a1faa17b2 (diff)
Merge GH #659 TLS CBC is optional
-rw-r--r--src/lib/tls/info.txt1
-rw-r--r--src/lib/tls/tls_cbc/info.txt5
-rw-r--r--src/lib/tls/tls_cbc/tls_cbc.cpp (renamed from src/lib/tls/tls_cbc.cpp)0
-rw-r--r--src/lib/tls/tls_cbc/tls_cbc.h (renamed from src/lib/tls/tls_cbc.h)0
-rw-r--r--src/lib/tls/tls_ciphersuite.cpp5
-rw-r--r--src/lib/tls/tls_record.cpp9
-rw-r--r--src/tests/unit_tls.cpp5
7 files changed, 23 insertions, 2 deletions
diff --git a/src/lib/tls/info.txt b/src/lib/tls/info.txt
index ad0d266fa..667726318 100644
--- a/src/lib/tls/info.txt
+++ b/src/lib/tls/info.txt
@@ -22,7 +22,6 @@ tls_version.h
</header:public>
<header:internal>
-tls_cbc.h
tls_extensions.h
tls_handshake_hash.h
tls_handshake_io.h
diff --git a/src/lib/tls/tls_cbc/info.txt b/src/lib/tls/tls_cbc/info.txt
new file mode 100644
index 000000000..0a2827e71
--- /dev/null
+++ b/src/lib/tls/tls_cbc/info.txt
@@ -0,0 +1,5 @@
+define TLS_CBC 20161008
+
+<header:internal>
+tls_cbc.h
+</header:internal>
diff --git a/src/lib/tls/tls_cbc.cpp b/src/lib/tls/tls_cbc/tls_cbc.cpp
index c7203003b..c7203003b 100644
--- a/src/lib/tls/tls_cbc.cpp
+++ b/src/lib/tls/tls_cbc/tls_cbc.cpp
diff --git a/src/lib/tls/tls_cbc.h b/src/lib/tls/tls_cbc/tls_cbc.h
index 90b54bb5a..90b54bb5a 100644
--- a/src/lib/tls/tls_cbc.h
+++ b/src/lib/tls/tls_cbc/tls_cbc.h
diff --git a/src/lib/tls/tls_ciphersuite.cpp b/src/lib/tls/tls_ciphersuite.cpp
index 9a52e0e0e..aa00334c5 100644
--- a/src/lib/tls/tls_ciphersuite.cpp
+++ b/src/lib/tls/tls_ciphersuite.cpp
@@ -78,6 +78,11 @@ bool Ciphersuite::is_usable() const
if(!have_hash(prf_algo()))
return false;
+#if !defined(BOTAN_HAS_TLS_CBC)
+ if(cbc_ciphersuite())
+ return false;
+#endif
+
if(mac_algo() == "AEAD")
{
if(cipher_algo() == "ChaCha20Poly1305")
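Review bot: The new `#if !defined(BOTAN_HAS_TLS_CBC)` check in `Ciphersuite::is_usable()` carries no comment saying that it is the gate which keeps CBC+HMAC suites from being offered or accepted when the module is compiled out. It identifies those suites with `cbc_ciphersuite()`, while the record layer in tls_record.cpp throws for whatever reaches its `else` branch (whose condition is not visible here); if the two predicates ever disagree, a suite would be reported usable and then fail at key setup. I would add `// CBC+HMAC record protection is not compiled in; never offer or accept these suites` above the check, and confirm that `cbc_ciphersuite()` covers every suite that is not `mac_algo() == "AEAD"`. The body of is_usable() begins and continues outside this hunk.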
diff --git a/src/lib/tls/tls_record.cpp b/src/lib/tls/tls_record.cpp
index 0bee24e34..5eef2b4e2 100644
--- a/src/lib/tls/tls_record.cpp
+++ b/src/lib/tls/tls_record.cpp
@@ -13,11 +13,14 @@
#include <botan/loadstor.h>
#include <botan/internal/tls_seq_numbers.h>
#include <botan/internal/tls_session_key.h>
-#include <botan/internal/tls_cbc.h>
#include <botan/internal/rounding.h>
#include <botan/internal/ct_utils.h>
#include <botan/rng.h>
+#if defined(BOTAN_HAS_TLS_CBC)
+ #include <botan/internal/tls_cbc.h>
+#endif
+
namespace Botan {
namespace TLS {
@@ -70,6 +73,7 @@ Connection_Cipher_State::Connection_Cipher_State(Protocol_Version version,
}
else
{
+#if defined(BOTAN_HAS_TLS_CBC)
// legacy CBC+HMAC mode
if(our_side)
{
@@ -99,6 +103,9 @@ Connection_Cipher_State::Connection_Cipher_State(Protocol_Version version,
m_nonce_bytes_from_record = m_nonce_bytes_from_handshake;
else if(our_side == false)
m_aead->start(iv.bits_of());
+#else
+ throw Exception("Negotiated disabled TLS CBC+HMAC ciphersuite");
+#endif
}
}
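Review bot: The `#else` branch throws a plain `Exception`, although reaching it means a suite that `is_usable()` should have filtered out was negotiated anyway, which is a broken library invariant rather than an ordinary runtime failure. Something like `throw Internal_Error("Negotiated disabled TLS CBC+HMAC ciphersuite");` would let callers and logs tell this case apart from peer-induced errors; a `TLS_Exception` with a fatal alert is the alternative if the channel maps exception types to alerts (not visible here). The `#if` this closes was opened in the previous hunk, and the constructor body extends outside both hunks.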
diff --git a/src/tests/unit_tls.cpp b/src/tests/unit_tls.cpp
index 28abe2d42..d52f17784 100644
--- a/src/tests/unit_tls.cpp
+++ b/src/tests/unit_tls.cpp
@@ -880,6 +880,7 @@ class TLS_Unit_Tests : public Test
std::unique_ptr<Botan::Credentials_Manager> creds(create_creds(rng));
std::vector<Test::Result> results;
+#if defined(BOTAN_HAS_TLS_CBC)
for(std::string etm_setting : { "true", "false" })
{
test_all_versions(results, *creds, "RSA", "AES-128", "SHA-256 SHA-1", etm_setting);
@@ -904,6 +905,8 @@ class TLS_Unit_Tests : public Test
}
test_modern_versions(results, *creds, "DH", "AES-128", "SHA-256");
+#endif
+
test_modern_versions(results, *creds, "RSA", "AES-128/GCM");
test_modern_versions(results, *creds, "ECDH", "AES-128/GCM");
test_modern_versions(results, *creds, "ECDH", "AES-128/GCM", "AEAD",
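Review bot: With `BOTAN_HAS_TLS_CBC` undefined the CBC cases in this block are skipped, but nothing is added that checks the disabled state itself. A build without the module should have a test asserting that a CBC+HMAC suite is refused, for example that `is_usable()` returns false for one, or that a handshake restricted to "AES-128" with "SHA-256" fails to negotiate. Without it, a regression that lets such a suite through would only surface as the runtime throw in tls_record.cpp. An `#else` branch next to the `#endif` at this point would be a natural place; the test function starts and ends outside this hunk.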
@@ -927,9 +930,11 @@ class TLS_Unit_Tests : public Test
test_modern_versions(results, *creds, "PSK", "AES-128/CCM(8)");
#endif
+#if defined(BOTAN_HAS_TLS_CBC)
// For whatever reason no (EC)DHE_PSK GCM ciphersuites are defined
test_modern_versions(results, *creds, "ECDHE_PSK", "AES-128", "SHA-256");
test_modern_versions(results, *creds, "DHE_PSK", "AES-128", "SHA-1");
+#endif
return results;
}
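Review bot: Guarding the `ECDHE_PSK` and `DHE_PSK` cases with `BOTAN_HAS_TLS_CBC` leaves those two key exchanges with no handshake coverage in a build without CBC, since the existing comment says no GCM suites are defined for them. If a non-CBC suite for (EC)DHE_PSK exists in this tree (not visible here), one case should sit outside the guard; otherwise the comment should record the gap, e.g. `// CBC-only suites: (EC)DHE_PSK is untested when TLS_CBC is disabled`.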