diff options
author | Bodo Möller <bodo@openssl.org> | 2002-06-14 12:21:11 +0000 |
---|---|---|
committer | Bodo Möller <bodo@openssl.org> | 2002-06-14 12:21:11 +0000 |
commit | c21506ba024adb6d5655a92d61c1d3824e5dedcf (patch) | |
tree | 96e66d9bbbab85cf0a0a317d051156e26df0386d /ssl/s3_enc.c | |
parent | 00f1628eaccac9be1f3941d20f387fa9a7063b30 (diff) |
New option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS for disabling CBC
vulnerability workaround (included in SSL_OP_ALL).
PR: #90
Diffstat (limited to 'ssl/s3_enc.c')
-rw-r--r-- | ssl/s3_enc.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index 6dfef5caaf..72ac8b6913 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -378,13 +378,18 @@ int ssl3_setup_key_block(SSL *s) ret = ssl3_generate_key_block(s,p,num); - /* enable vulnerability countermeasure for CBC ciphers with - * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) */ - s->s3->need_empty_fragments = 1; + if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) + { + /* enable vulnerability countermeasure for CBC ciphers with + * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) + */ + s->s3->need_empty_fragments = 1; + #ifndef OPENSSL_NO_RC4 - if ((s->session->cipher != NULL) && ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4)) - s->s3->need_empty_fragments = 0; + if ((s->session->cipher != NULL) && ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4)) + s->s3->need_empty_fragments = 0; #endif + } return ret; |