Make libssl start using the TLS provider CBC support

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12288)

1 files changed, 32 insertions, 0 deletions

diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index e929121cd2..9a6c1799f7 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -396,6 +396,38 @@ int tls1_change_cipher_state(SSL *s, int which)
                  ERR_R_INTERNAL_ERROR);
         goto err;
     }
+    if (EVP_CIPHER_provider(c) != NULL) {
+        /*
+         * Provided cipher, the TLS padding/MAC removal is performed provider
+         * side so we need to tell the ctx about our TLS version and mac size
+         */
+        OSSL_PARAM params[3], *pprm = params;
+        size_t macsize = 0;
+        int imacsize = -1;
+
+        if ((EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER) == 0
+                   /*
+                    * We look at s->ext.use_etm instead of SSL_READ_ETM() or
+                    * SSL_WRITE_ETM() because this test applies to both reading
+                    * and writing.
+                    */
+                && !s->ext.use_etm)
+            imacsize = EVP_MD_size(m);
+        if (imacsize >= 0)
+            macsize = (size_t)imacsize;
+
+        *pprm++ = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_TLS_VERSION,
+                                           &s->version);
+        *pprm++ = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_TLS_MAC_SIZE,
+                                              &macsize);
+        *pprm = OSSL_PARAM_construct_end();
+
+        if (!EVP_CIPHER_CTX_set_params(dd, params)) {
+            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE,
+                     ERR_R_INTERNAL_ERROR);
+            goto err;
+        }
+    }
 #ifndef OPENSSL_NO_KTLS
     if (s->compress)
         goto skip_ktls;