-rw-r--r-- | src/lib/tls/info.txt | 1 | ||||
-rw-r--r-- | src/lib/tls/tls_cbc/info.txt | 5 | ||||
-rw-r--r-- | src/lib/tls/tls_cbc/tls_cbc.cpp (renamed from src/lib/tls/tls_cbc.cpp) | 0 | ||||
-rw-r--r-- | src/lib/tls/tls_cbc/tls_cbc.h (renamed from src/lib/tls/tls_cbc.h) | 0 | ||||
-rw-r--r-- | src/lib/tls/tls_ciphersuite.cpp | 5 | ||||
-rw-r--r-- | src/lib/tls/tls_record.cpp | 9 | ||||
-rw-r--r-- | src/tests/unit_tls.cpp | 5 |
7 files changed, 23 insertions, 2 deletions
diff --git a/src/lib/tls/info.txt b/src/lib/tls/info.txt index ad0d266fa..667726318 100644 --- a/src/lib/tls/info.txt +++ b/src/lib/tls/info.txt @@ -22,7 +22,6 @@ tls_version.h </header:public> <header:internal> -tls_cbc.h tls_extensions.h tls_handshake_hash.h tls_handshake_io.h diff --git a/src/lib/tls/tls_cbc/info.txt b/src/lib/tls/tls_cbc/info.txt new file mode 100644 index 000000000..0a2827e71 --- /dev/null +++ b/src/lib/tls/tls_cbc/info.txt @@ -0,0 +1,5 @@ +define TLS_CBC 20161008 + +<header:internal> +tls_cbc.h +</header:internal> diff --git a/src/lib/tls/tls_cbc.cpp b/src/lib/tls/tls_cbc/tls_cbc.cpp index c7203003b..c7203003b 100644 --- a/src/lib/tls/tls_cbc.cpp +++ b/src/lib/tls/tls_cbc/tls_cbc.cpp diff --git a/src/lib/tls/tls_cbc.h b/src/lib/tls/tls_cbc/tls_cbc.h index 90b54bb5a..90b54bb5a 100644 --- a/src/lib/tls/tls_cbc.h +++ b/src/lib/tls/tls_cbc/tls_cbc.h diff --git a/src/lib/tls/tls_ciphersuite.cpp b/src/lib/tls/tls_ciphersuite.cpp index 9a52e0e0e..aa00334c5 100644 --- a/src/lib/tls/tls_ciphersuite.cpp +++ b/src/lib/tls/tls_ciphersuite.cpp @@ -78,6 +78,11 @@ bool Ciphersuite::is_usable() const if(!have_hash(prf_algo())) return false; +#if !defined(BOTAN_HAS_TLS_CBC) + if(cbc_ciphersuite()) + return false; +#endif + if(mac_algo() == "AEAD") { if(cipher_algo() == "ChaCha20Poly1305") diff --git a/src/lib/tls/tls_record.cpp b/src/lib/tls/tls_record.cpp index 0bee24e34..5eef2b4e2 100644 --- a/src/lib/tls/tls_record.cpp +++ b/src/lib/tls/tls_record.cpp @@ -13,11 +13,14 @@ #include <botan/loadstor.h> #include <botan/internal/tls_seq_numbers.h> #include <botan/internal/tls_session_key.h> -#include <botan/internal/tls_cbc.h> #include <botan/internal/rounding.h> #include <botan/internal/ct_utils.h> #include <botan/rng.h> +#if defined(BOTAN_HAS_TLS_CBC) + #include <botan/internal/tls_cbc.h> +#endif + namespace Botan { namespace TLS { 
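Review bot: In `Ciphersuite::is_usable()` (src/lib/tls/tls_ciphersuite.cpp), the new `#if !defined(BOTAN_HAS_TLS_CBC)` check is the only thing in this commit that keeps CBC+HMAC suites out of negotiation when the module is disabled, and nothing in the code says so. I would add a comment above it such as `// CBC+HMAC record protection lives in the optional tls_cbc module; without it these suites must never be offered or accepted`. Whether every offer and selection path consults is_usable() is not visible here and is worth confirming, because the throw added to Connection_Cipher_State only fires after a suite has already been agreed. The body of is_usable() continues outside the hunk.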
@@ -70,6 +73,7 @@ Connection_Cipher_State::Connection_Cipher_State(Protocol_Version version, } else { +#if defined(BOTAN_HAS_TLS_CBC) // legacy CBC+HMAC mode if(our_side) { @@ -99,6 +103,9 @@ Connection_Cipher_State::Connection_Cipher_State(Protocol_Version version, m_nonce_bytes_from_record = m_nonce_bytes_from_handshake; else if(our_side == false) m_aead->start(iv.bits_of()); +#else + throw Exception("Negotiated disabled TLS CBC+HMAC ciphersuite"); +#endif } } diff --git a/src/tests/unit_tls.cpp b/src/tests/unit_tls.cpp index f869f426b..49fb07131 100644 --- a/src/tests/unit_tls.cpp +++ b/src/tests/unit_tls.cpp @@ -880,6 +880,7 @@ class TLS_Unit_Tests : public Test std::unique_ptr<Botan::Credentials_Manager> creds(create_creds(rng)); std::vector<Test::Result> results; +#if defined(BOTAN_HAS_TLS_CBC) for(std::string etm_setting : { "true", "false" }) { test_all_versions(results, *creds, "RSA", "AES-128", "SHA-256 SHA-1", etm_setting); @@ -904,6 +905,8 @@ class TLS_Unit_Tests : public Test } test_modern_versions(results, *creds, "DH", "AES-128", "SHA-256"); +#endif + test_modern_versions(results, *creds, "RSA", "AES-128/GCM"); test_modern_versions(results, *creds, "ECDH", "AES-128/GCM"); test_modern_versions(results, *creds, "ECDH", "AES-128/GCM", "AEAD", @@ -927,9 +930,11 @@ class TLS_Unit_Tests : public Test test_modern_versions(results, *creds, "PSK", "AES-128/CCM(8)"); #endif +#if defined(BOTAN_HAS_TLS_CBC) // For whatever reason no (EC)DHE_PSK GCM ciphersuites are defined test_modern_versions(results, *creds, "ECDHE_PSK", "AES-128", "SHA-256"); test_modern_versions(results, *creds, "DHE_PSK", "AES-128", "SHA-1"); +#endif return results; } |
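Review bot: The `#else` branch in the Connection_Cipher_State constructor (tls_record.cpp, the @@ -99,6 +103,9 hunk, paired with the `#if` opened in the @@ -70,6 +73,7 hunk) throws a plain `Exception` for a state that the is_usable() filter should make unreachable. If that filter is the intended gate, reaching this line is a library invariant violation rather than a peer error. The project's internal-error type would say so: `throw Internal_Error("Negotiated disabled TLS CBC+HMAC ciphersuite");`, with a one-line comment that it is a backstop. How either exception type maps to a TLS alert is not visible in this hunk, so confirm that the peer gets a generic failure alert and not this message text. The constructor begins and ends outside both hunks.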
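Review bot: In src/tests/unit_tls.cpp the three `#if defined(BOTAN_HAS_TLS_CBC)` guards compile the CBC cases out, so a build without the module never tests the refusal this commit introduces. An `#else` branch is needed that takes a CBC+HMAC suite and asserts `is_usable()` returns false, and ideally that a handshake restricted to such suites fails cleanly. Otherwise a regression that lets a disabled suite be negotiated would pass the test suite. Also, per the existing comment in the last hunk, ECDHE_PSK and DHE_PSK are exercised only with CBC suites, so a CBC-less build appears to lose all coverage of those key exchanges. The same may hold for the `"DH"` cases inside the first guard, depending on lines not shown here.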