New option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS for disabling CBC

vulnerability workaround (included in SSL_OP_ALL). PR: #90
author: Bodo Möller <bodo@openssl.org> 2002-06-14 12:21:11 +0000
committer: Bodo Möller <bodo@openssl.org> 2002-06-14 12:21:11 +0000
commit: c21506ba024adb6d5655a92d61c1d3824e5dedcf (patch)
tree: 96e66d9bbbab85cf0a0a317d051156e26df0386d /ssl/s3_enc.c
parent: 00f1628eaccac9be1f3941d20f387fa9a7063b30 (diff)
1 files changed, 10 insertions, 5 deletions
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index 6dfef5caaf..72ac8b6913 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -378,13 +378,18 @@ int ssl3_setup_key_block(SSL *s)
 
 	ret = ssl3_generate_key_block(s,p,num);
 
-	/* enable vulnerability countermeasure for CBC ciphers with
-	 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) */
-	s->s3->need_empty_fragments = 1;
+	if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
+		{
+		/* enable vulnerability countermeasure for CBC ciphers with
+		 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
+		 */
+		s->s3->need_empty_fragments = 1;
+
 #ifndef OPENSSL_NO_RC4
-	if ((s->session->cipher != NULL) && ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4))
-		s->s3->need_empty_fragments = 0;
+		if ((s->session->cipher != NULL) && ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4))
+			s->s3->need_empty_fragments = 0;
 #endif
+		}
 
 	return ret;
author	Bodo Möller <bodo@openssl.org>	2002-06-14 12:21:11 +0000
committer	Bodo Möller <bodo@openssl.org>	2002-06-14 12:21:11 +0000
commit	c21506ba024adb6d5655a92d61c1d3824e5dedcf (patch)
tree	96e66d9bbbab85cf0a0a317d051156e26df0386d /ssl/s3_enc.c
parent	00f1628eaccac9be1f3941d20f387fa9a7063b30 (diff)