Only use explicit IV if cipher is in CBC mode.

2 files changed, 6 insertions, 3 deletions

diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 8f08c16510..a168f934a9 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -741,7 +741,8 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 	plen=p; 
 	p+=2;
 	/* Explicit IV length, block ciphers and TLS version 1.1 or later */
-	if (s->enc_write_ctx && s->version >= TLS1_1_VERSION)
+	if (s->enc_write_ctx && s->version >= TLS1_1_VERSION
+		&& EVP_CIPHER_CTX_mode(s->enc_write_ctx) == EVP_CIPH_CBC_MODE)
 		{
 		eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx);
 		if (eivlen <= 1)
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 3614b8a30e..34b300161d 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -661,7 +661,8 @@ int tls1_enc(SSL *s, int send)
 			int ivlen;
 			enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
 			/* For TLSv1.1 and later explicit IV */
-			if (s->version >= TLS1_1_VERSION)
+			if (s->version >= TLS1_1_VERSION
+				&& EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE)
 				ivlen = EVP_CIPHER_iv_length(enc);
 			else
 				ivlen = 0;
@@ -807,7 +808,8 @@ int tls1_enc(SSL *s, int send)
 					}
 				}
 			rec->length -=i;
-			if (s->version >= TLS1_1_VERSION)
+			if (s->version >= TLS1_1_VERSION
+				&& EVP_CIPHER_CTX_mode(ds) == EVP_CIPH_CBC_MODE)
 				{
 				rec->data += bs;    /* skip the explicit IV */
 				rec->input += bs;