TLS fixes for CBC mode and no-deprecated

Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/11961)
2025-04-27 18:24:37 +00:00 · 2020-09-06 17:14:38 +10:00 · 2020-09-06 17:14:38 +10:00 · 5c97eeb726
commit 5c97eeb726
parent b924d1b6e1
3 changed files with 23 additions and 24 deletions
--- a/ssl/build.info
+++ b/ssl/build.info
@ -23,7 +23,7 @@ SOURCE[../libssl]=\
        pqueue.c ../crypto/packet.c \
        statem/statem_srvr.c statem/statem_clnt.c  s3_lib.c  s3_enc.c record/rec_layer_s3.c \
        statem/statem_lib.c statem/extensions.c statem/extensions_srvr.c \
-        statem/extensions_clnt.c statem/extensions_cust.c s3_cbc.c s3_msg.c \
+        statem/extensions_clnt.c statem/extensions_cust.c s3_msg.c \
        methods.c   t1_lib.c  t1_enc.c tls13_enc.c \
        d1_lib.c  record/rec_layer_d1.c d1_msg.c \
        statem/statem_dtls.c d1_srtp.c \
@ -34,6 +34,9 @@ SOURCE[../libssl]=\
        record/ssl3_buffer.c record/ssl3_record.c record/dtls1_bitmap.c \
        statem/statem.c record/ssl3_record_tls13.c record/tls_pad.c \
        $KTLSSRC
+IF[{- !$disabled{'deprecated-3.0'} -}]
+  SOURCE[../libssl]=s3_cbc.c
+ENDIF
 DEFINE[../libssl]=$AESDEF

 SOURCE[../providers/libcommon.a]=record/tls_pad.c
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@ -1307,6 +1307,25 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending,
    return 1;
 }

+/*
+ * ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function
+ * which ssl3_cbc_digest_record supports.
+ */
+char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
+{
+    switch (EVP_MD_CTX_type(ctx)) {
+    case NID_md5:
+    case NID_sha1:
+    case NID_sha224:
+    case NID_sha256:
+    case NID_sha384:
+    case NID_sha512:
+        return 1;
+    default:
+        return 0;
+    }
+}
+
 int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending)
 {
    unsigned char *mac_sec, *seq;
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@ -31,7 +31,6 @@
 #include <openssl/sha.h>

 char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx);
-#ifndef OPENSSL_NO_DEPRECATED_3_0
 int ssl3_cbc_digest_record(const EVP_MD *md,
                           unsigned char *md_out,
                           size_t *md_out_size,
@ -129,31 +128,10 @@ static void tls1_sha512_final_raw(void *ctx, unsigned char *md_out)
        l2n8(sha512->h[i], md_out);
    }
 }
-#endif

 #undef  LARGEST_DIGEST_CTX
 #define LARGEST_DIGEST_CTX SHA512_CTX

-/*
- * ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function
- * which ssl3_cbc_digest_record supports.
- */
-char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
-{
-    switch (EVP_MD_CTX_type(ctx)) {
-    case NID_md5:
-    case NID_sha1:
-    case NID_sha224:
-    case NID_sha256:
-    case NID_sha384:
-    case NID_sha512:
-        return 1;
-    default:
-        return 0;
-    }
-}
-
-#ifndef OPENSSL_NO_DEPRECATED_3_0
 /*-
 * ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS
 * record.
@ -526,4 +504,3 @@ int ssl3_cbc_digest_record(const EVP_MD *md,
    EVP_MD_CTX_free(md_ctx);
    return ret;
 }
-#endif