Remove |need_record_splitting| from |SSL3_STATE|.
It is redundant given the other state in the connection.
Change-Id: I5dc71627132659ab4316a5ea360c9ca480fb7c6c
Reviewed-on: https://boringssl-review.googlesource.com/6646
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 65fc56e..58a32bb 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -3918,9 +3918,6 @@
uint8_t server_random[SSL3_RANDOM_SIZE];
uint8_t client_random[SSL3_RANDOM_SIZE];
- /* flags for countermeasure against known-IV weakness */
- int need_record_splitting;
-
/* have_version is true if the connection's final version is known. Otherwise
* the version has not been negotiated yet. */
char have_version;
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 51b7082..8119025 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -369,19 +369,7 @@
evp_aead_seal, ssl3_version_from_wire(s, s->version),
s->s3->tmp.new_cipher, key, key_len, mac_secret, mac_secret_len, iv,
iv_len);
- if (s->aead_write_ctx == NULL) {
- return 0;
- }
-
- s->s3->need_record_splitting = 0;
- if (!SSL_USE_EXPLICIT_IV(s) &&
- (s->mode & SSL_MODE_CBC_RECORD_SPLITTING) != 0 &&
- SSL_CIPHER_is_block_cipher(s->s3->tmp.new_cipher)) {
- /* Enable 1/n-1 record-splitting to randomize the IV. See
- * https://www.openssl.org/~bodo/tls-cbc.txt and the BEAST attack. */
- s->s3->need_record_splitting = 1;
- }
- return 1;
+ return s->aead_write_ctx != NULL;
}
int tls1_setup_key_block(SSL *s) {
diff --git a/ssl/tls_record.c b/ssl/tls_record.c
index e3eccd7..3381eae 100644
--- a/ssl/tls_record.c
+++ b/ssl/tls_record.c
@@ -122,6 +122,14 @@
* forever. */
static const uint8_t kMaxEmptyRecords = 32;
+/* ssl_needs_record_splitting returns one if |ssl|'s current outgoing cipher
+ * state needs record-splitting and zero otherwise. */
+static int ssl_needs_record_splitting(const SSL *ssl) {
+ return !SSL_USE_EXPLICIT_IV(ssl) && ssl->aead_write_ctx != NULL &&
+ (ssl->mode & SSL_MODE_CBC_RECORD_SPLITTING) != 0 &&
+ SSL_CIPHER_is_block_cipher(ssl->aead_write_ctx->cipher);
+}
+
size_t ssl_record_prefix_len(const SSL *ssl) {
if (SSL_IS_DTLS(ssl)) {
return DTLS1_RT_HEADER_LENGTH +
@@ -139,7 +147,7 @@
} else {
size_t ret = SSL3_RT_HEADER_LENGTH +
SSL_AEAD_CTX_explicit_nonce_len(ssl->aead_write_ctx);
- if (ssl->s3->need_record_splitting) {
+ if (ssl_needs_record_splitting(ssl)) {
ret += SSL3_RT_HEADER_LENGTH;
ret += ssl_cipher_get_record_split_len(ssl->aead_write_ctx->cipher);
}
@@ -154,7 +162,7 @@
} else {
size_t ret = SSL3_RT_HEADER_LENGTH +
SSL_AEAD_CTX_max_overhead(ssl->aead_write_ctx);
- if (ssl->s3->need_record_splitting) {
+ if (ssl_needs_record_splitting(ssl)) {
ret *= 2;
}
return ret;
@@ -300,8 +308,8 @@
int tls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
uint8_t type, const uint8_t *in, size_t in_len) {
size_t frag_len = 0;
- if (ssl->s3->need_record_splitting && type == SSL3_RT_APPLICATION_DATA &&
- in_len > 1) {
+ if (type == SSL3_RT_APPLICATION_DATA && in_len > 1 &&
+ ssl_needs_record_splitting(ssl)) {
/* |do_seal_record| will notice if it clobbers |in[0]|, but not if it
* aliases the rest of |in|. */
if (in + 1 <= out && out < in + in_len) {
