Fix stitched ciphersuites in TLS1.0
authorMatt Caswell <matt@openssl.org>
Tue, 18 Aug 2020 11:28:45 +0000 (12:28 +0100)
committerMatt Caswell <matt@openssl.org>
Thu, 20 Aug 2020 16:02:34 +0000 (17:02 +0100)
TLS1.0 does not have an explicit IV in the record, and therefore we should
not attempt to remove it.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12670)

providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c

index ae853b7eb97f2ee7f91cba9d09a763b230959ba1..9c927352a200f789ebbe7a6f989f5fc9c18d5211 100644 (file)
@@ -16,6 +16,8 @@
 
 /* Dispatch functions for AES_CBC_HMAC_SHA ciphers */
 
+/* Only for SSL3_VERSION and TLS1_VERSION */
+#include <openssl/ssl.h>
 #include "cipher_aes_cbc_hmac_sha.h"
 #include "prov/implementations.h"
 
@@ -172,6 +174,26 @@ static int aes_set_ctx_params(void *vctx, const OSSL_PARAM params[])
             return 0;
         }
     }
+
+    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_TLS_VERSION);
+    if (p != NULL) {
+        if (!OSSL_PARAM_get_uint(p, &ctx->base.tlsversion)) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+            return 0;
+        }
+        if (ctx->base.tlsversion == SSL3_VERSION
+                || ctx->base.tlsversion == TLS1_VERSION) {
+            if (!ossl_assert(ctx->base.removetlspad >= AES_BLOCK_SIZE)) {
+                ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
+                return 0;
+            }
+            /*
+             * There is no explicit IV with these TLS versions, so don't attempt
+             * to remove it.
+             */
+            ctx->base.removetlspad -= AES_BLOCK_SIZE;
+        }
+    }
     return ret;
 }
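Review bot: The `ctx->base.removetlspad -= AES_BLOCK_SIZE;` adjustment is relative to the field's current value, so passing OSSL_CIPHER_PARAM_TLS_VERSION with SSL3_VERSION or TLS1_VERSION more than once on the same context shrinks it each time. A later call can then fail the `ossl_assert`, which as far as I know aborts in debug builds instead of returning 0. Where removetlspad gets its starting value is outside this hunk, so this assumes nothing resets it between calls. `ctx->base.tlsversion` is also overwritten before the check, so a failed call leaves the new version stored alongside the unadjusted length. Consider subtracting only when the stored version changes from a non-legacy to a legacy value, or at least stating the contract above the block, e.g. `/* TLS_VERSION must be set at most once per context, after removetlspad is initialised */`; the start of aes_set_ctx_params is outside the hunk.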