From b924d1b6e1b66def84979dbbf3c79059cff1d554 Mon Sep 17 00:00:00 2001 From: Pauli Date: Sun, 6 Sep 2020 13:44:08 +1000 Subject: TLS: remove legacy code path supporting special CBC mode Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/11961) --- ssl/record/ssl3_record.c | 4 ++++ ssl/s3_cbc.c | 4 ++++ 2 files changed, 8 insertions(+) (limited to 'ssl') diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index baa4f239bf..a45e5ee9cb 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -1335,6 +1335,9 @@ int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) if (!sending && EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && ssl3_cbc_record_digest_supported(hash)) { +#ifdef OPENSSL_NO_DEPRECATED_3_0 + return 0; +#else /* * This is a CBC-encrypted record. We must avoid leaking any * timing-side channel information about how many blocks of data we @@ -1368,6 +1371,7 @@ int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) rec->length, rec->orig_len, mac_sec, md_size, 1) <= 0) return 0; +#endif } else { unsigned int md_size_u; /* Chop the digest off the end :-) */ diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c index 4895f43568..59e4178636 100644 --- a/ssl/s3_cbc.c +++ b/ssl/s3_cbc.c @@ -31,6 +31,7 @@ #include char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx); +#ifndef OPENSSL_NO_DEPRECATED_3_0 int ssl3_cbc_digest_record(const EVP_MD *md, unsigned char *md_out, size_t *md_out_size, @@ -128,6 +129,7 @@ static void tls1_sha512_final_raw(void *ctx, unsigned char *md_out) l2n8(sha512->h[i], md_out); } } +#endif #undef LARGEST_DIGEST_CTX #define LARGEST_DIGEST_CTX SHA512_CTX @@ -151,6 +153,7 @@ char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx) } } +#ifndef OPENSSL_NO_DEPRECATED_3_0 /*- * ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS * record. 
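Review bot: The new `return 0;` under `#ifdef OPENSSL_NO_DEPRECATED_3_0` in the first ssl/record/ssl3_record.c hunk fails every received CBC record with a supported digest, and nothing says why. Failing there instead of dropping into the `else` branch looks deliberate, since that branch is presumably not the timing-protected path the existing comment describes. A comment should record that reasoning, for example `/* Constant-time CBC MAC is compiled out: fail closed, do not use the plain path below. */`. The caller receives the same 0 that the second hunk returns for an ordinary digest failure, so queuing an error before returning would make this build-configuration case distinguishable in logs. n_ssl3_mac starts and ends outside both hunks.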
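Review bot: The `#endif` lines that close the two new `#ifndef OPENSSL_NO_DEPRECATED_3_0` regions in ssl/s3_cbc.c are unlabelled, in the hunk at -128,6 and in the final hunk at -523,3. Going by the hunk line numbers, the second region runs from about line 156 to line 529, so `#endif /* OPENSSL_NO_DEPRECATED_3_0 */` would make the pairing readable. Separately, ssl3_cbc_digest_record no longer exists in a no-deprecated build. Any header declaration of it, and any caller other than the one guarded in n_ssl3_mac, is not visible in this diff and would need the same guard for that configuration to compile and link.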
@@ -523,3 +526,4 @@ int ssl3_cbc_digest_record(const EVP_MD *md,
 EVP_MD_CTX_free(md_ctx);
 return ret;
 }
+#endif
-- cgit v1.2.3