7 files changed, 23 insertions, 2 deletions

diff --git a/src/lib/tls/info.txt b/src/lib/tls/info.txt
index ad0d266fa..667726318 100644
--- a/src/lib/tls/info.txt
+++ b/src/lib/tls/info.txt
@@ -22,7 +22,6 @@ tls_version.h
 </header:public>
 
 <header:internal>
-tls_cbc.h
 tls_extensions.h
 tls_handshake_hash.h
 tls_handshake_io.h
diff --git a/src/lib/tls/tls_cbc/info.txt b/src/lib/tls/tls_cbc/info.txt
new file mode 100644
index 000000000..0a2827e71
--- /dev/null
+++ b/src/lib/tls/tls_cbc/info.txt
@@ -0,0 +1,5 @@
+define TLS_CBC 20161008
+
+<header:internal>
+tls_cbc.h
+</header:internal>
diff --git a/src/lib/tls/tls_cbc.cpp b/src/lib/tls/tls_cbc/tls_cbc.cpp
index c7203003b..c7203003b 100644
--- a/src/lib/tls/tls_cbc.cpp
+++ b/src/lib/tls/tls_cbc/tls_cbc.cpp
diff --git a/src/lib/tls/tls_cbc.h b/src/lib/tls/tls_cbc/tls_cbc.h
index 90b54bb5a..90b54bb5a 100644
--- a/src/lib/tls/tls_cbc.h
+++ b/src/lib/tls/tls_cbc/tls_cbc.h
diff --git a/src/lib/tls/tls_ciphersuite.cpp b/src/lib/tls/tls_ciphersuite.cpp
index 9a52e0e0e..aa00334c5 100644
--- a/src/lib/tls/tls_ciphersuite.cpp
+++ b/src/lib/tls/tls_ciphersuite.cpp
@@ -78,6 +78,11 @@ bool Ciphersuite::is_usable() const
    if(!have_hash(prf_algo()))
       return false;
 
+#if !defined(BOTAN_HAS_TLS_CBC)
+   if(cbc_ciphersuite())
+      return false;
+#endif
+
    if(mac_algo() == "AEAD")
       {
       if(cipher_algo() == "ChaCha20Poly1305")
diff --git a/src/lib/tls/tls_record.cpp b/src/lib/tls/tls_record.cpp
index 0bee24e34..5eef2b4e2 100644
--- a/src/lib/tls/tls_record.cpp
+++ b/src/lib/tls/tls_record.cpp
@@ -13,11 +13,14 @@
 #include <botan/loadstor.h>
 #include <botan/internal/tls_seq_numbers.h>
 #include <botan/internal/tls_session_key.h>
-#include <botan/internal/tls_cbc.h>
 #include <botan/internal/rounding.h>
 #include <botan/internal/ct_utils.h>
 #include <botan/rng.h>
 
+#if defined(BOTAN_HAS_TLS_CBC)
+  #include <botan/internal/tls_cbc.h>
+#endif
+
 namespace Botan {
 
 namespace TLS {
@@ -70,6 +73,7 @@ Connection_Cipher_State::Connection_Cipher_State(Protocol_Version version,
       }
    else
       {
+#if defined(BOTAN_HAS_TLS_CBC)
       // legacy CBC+HMAC mode
       if(our_side)
          {
@@ -99,6 +103,9 @@ Connection_Cipher_State::Connection_Cipher_State(Protocol_Version version,
          m_nonce_bytes_from_record = m_nonce_bytes_from_handshake;
       else if(our_side == false)
          m_aead->start(iv.bits_of());
+#else
+      throw Exception("Negotiated disabled TLS CBC+HMAC ciphersuite");
+#endif
       }
    }
 
diff --git a/src/tests/unit_tls.cpp b/src/tests/unit_tls.cpp
index 28abe2d42..d52f17784 100644
--- a/src/tests/unit_tls.cpp
+++ b/src/tests/unit_tls.cpp
@@ -880,6 +880,7 @@ class TLS_Unit_Tests : public Test
          std::unique_ptr<Botan::Credentials_Manager> creds(create_creds(rng));
          std::vector<Test::Result> results;
 
+#if defined(BOTAN_HAS_TLS_CBC)
          for(std::string etm_setting : { "true", "false" })
             {
             test_all_versions(results, *creds, "RSA", "AES-128", "SHA-256 SHA-1", etm_setting);
@@ -904,6 +905,8 @@ class TLS_Unit_Tests : public Test
             }
 
          test_modern_versions(results, *creds, "DH", "AES-128", "SHA-256");
+#endif
+
          test_modern_versions(results, *creds, "RSA", "AES-128/GCM");
          test_modern_versions(results, *creds, "ECDH", "AES-128/GCM");
          test_modern_versions(results, *creds, "ECDH", "AES-128/GCM", "AEAD",
@@ -927,9 +930,11 @@ class TLS_Unit_Tests : public Test
          test_modern_versions(results, *creds, "PSK", "AES-128/CCM(8)");
 #endif
 
+#if defined(BOTAN_HAS_TLS_CBC)
          // For whatever reason no (EC)DHE_PSK GCM ciphersuites are defined
          test_modern_versions(results, *creds, "ECDHE_PSK", "AES-128", "SHA-256");
          test_modern_versions(results, *creds, "DHE_PSK", "AES-128", "SHA-1");
+#endif
 
          return results;
          }