From e15320f652ef0d8eac29c8115a9c4bfd4376663b Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sun, 14 Nov 2010 17:47:45 +0000 Subject: [PATCH] Only use explicit IV if cipher is in CBC mode. --- ssl/s3_pkt.c | 3 ++- ssl/t1_enc.c | 6 ++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index 8f08c16510..a168f934a9 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -741,7 +741,8 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, plen=p; p+=2; /* Explicit IV length, block ciphers and TLS version 1.1 or later */ - if (s->enc_write_ctx && s->version >= TLS1_1_VERSION) + if (s->enc_write_ctx && s->version >= TLS1_1_VERSION + && EVP_CIPHER_CTX_mode(s->enc_write_ctx) == EVP_CIPH_CBC_MODE) { eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx); if (eivlen <= 1) diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 3614b8a30e..34b300161d 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -661,7 +661,8 @@ int tls1_enc(SSL *s, int send) int ivlen; enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx); /* For TLSv1.1 and later explicit IV */ - if (s->version >= TLS1_1_VERSION) + if (s->version >= TLS1_1_VERSION + && EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE) ivlen = EVP_CIPHER_iv_length(enc); else ivlen = 0; @@ -807,7 +808,8 @@ int tls1_enc(SSL *s, int send) } } rec->length -=i; - if (s->version >= TLS1_1_VERSION) + if (s->version >= TLS1_1_VERSION + && EVP_CIPHER_CTX_mode(ds) == EVP_CIPH_CBC_MODE) { rec->data += bs; /* skip the explicit IV */ rec->input += bs; -- 2.40.0