aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/tls
diff options
context:
space:
mode:
authorJack Lloyd <lloyd@randombit.net>2016-10-08 23:40:33 -0400
committerJack Lloyd <lloyd@randombit.net>2016-10-08 23:40:33 -0400
commit4d1f71b1aa66ec915dd7ce7eab462f1a1faa17b2 (patch)
treef5572e9db93c8ef51bee535a732885fbecbf1832 /src/lib/tls
parent62cd6e3651711f759f870460599596ff5be904a5 (diff)
Make TLS CBC optional
Diffstat (limited to 'src/lib/tls')
-rw-r--r--src/lib/tls/info.txt1
-rw-r--r--src/lib/tls/tls_cbc/info.txt5
-rw-r--r--src/lib/tls/tls_cbc/tls_cbc.cpp (renamed from src/lib/tls/tls_cbc.cpp)0
-rw-r--r--src/lib/tls/tls_cbc/tls_cbc.h (renamed from src/lib/tls/tls_cbc.h)0
-rw-r--r--src/lib/tls/tls_ciphersuite.cpp5
-rw-r--r--src/lib/tls/tls_record.cpp9
6 files changed, 18 insertions, 2 deletions
diff --git a/src/lib/tls/info.txt b/src/lib/tls/info.txt
index ad0d266fa..667726318 100644
--- a/src/lib/tls/info.txt
+++ b/src/lib/tls/info.txt
@@ -22,7 +22,6 @@ tls_version.h
</header:public>
<header:internal>
-tls_cbc.h
tls_extensions.h
tls_handshake_hash.h
tls_handshake_io.h
diff --git a/src/lib/tls/tls_cbc/info.txt b/src/lib/tls/tls_cbc/info.txt
new file mode 100644
index 000000000..0a2827e71
--- /dev/null
+++ b/src/lib/tls/tls_cbc/info.txt
@@ -0,0 +1,5 @@
+define TLS_CBC 20161008
+
+<header:internal>
+tls_cbc.h
+</header:internal>
diff --git a/src/lib/tls/tls_cbc.cpp b/src/lib/tls/tls_cbc/tls_cbc.cpp
index c7203003b..c7203003b 100644
--- a/src/lib/tls/tls_cbc.cpp
+++ b/src/lib/tls/tls_cbc/tls_cbc.cpp
diff --git a/src/lib/tls/tls_cbc.h b/src/lib/tls/tls_cbc/tls_cbc.h
index 90b54bb5a..90b54bb5a 100644
--- a/src/lib/tls/tls_cbc.h
+++ b/src/lib/tls/tls_cbc/tls_cbc.h
diff --git a/src/lib/tls/tls_ciphersuite.cpp b/src/lib/tls/tls_ciphersuite.cpp
index 9a52e0e0e..aa00334c5 100644
--- a/src/lib/tls/tls_ciphersuite.cpp
+++ b/src/lib/tls/tls_ciphersuite.cpp
@@ -78,6 +78,11 @@ bool Ciphersuite::is_usable() const
if(!have_hash(prf_algo()))
return false;
+#if !defined(BOTAN_HAS_TLS_CBC)
+ if(cbc_ciphersuite())
+ return false;
+#endif
+
if(mac_algo() == "AEAD")
{
if(cipher_algo() == "ChaCha20Poly1305")
diff --git a/src/lib/tls/tls_record.cpp b/src/lib/tls/tls_record.cpp
index 0bee24e34..5eef2b4e2 100644
--- a/src/lib/tls/tls_record.cpp
+++ b/src/lib/tls/tls_record.cpp
@@ -13,11 +13,14 @@
#include <botan/loadstor.h>
#include <botan/internal/tls_seq_numbers.h>
#include <botan/internal/tls_session_key.h>
-#include <botan/internal/tls_cbc.h>
#include <botan/internal/rounding.h>
#include <botan/internal/ct_utils.h>
#include <botan/rng.h>
+#if defined(BOTAN_HAS_TLS_CBC)
+ #include <botan/internal/tls_cbc.h>
+#endif
+
namespace Botan {
namespace TLS {
@@ -70,6 +73,7 @@ Connection_Cipher_State::Connection_Cipher_State(Protocol_Version version,
}
else
{
+#if defined(BOTAN_HAS_TLS_CBC)
// legacy CBC+HMAC mode
if(our_side)
{
@@ -99,6 +103,9 @@ Connection_Cipher_State::Connection_Cipher_State(Protocol_Version version,
m_nonce_bytes_from_record = m_nonce_bytes_from_handshake;
else if(our_side == false)
m_aead->start(iv.bits_of());
+#else
+ throw Exception("Negotiated disabled TLS CBC+HMAC ciphersuite");
+#endif
}
}