generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

New option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS for disabling CBC

Browse Source 
vulnerability workaround (included in SSL_OP_ALL).

PR: #90
This commit is contained in:
Bodo Möller
2002-06-14 12:20:27 +00:00
parent 39ebb51bba
commit 2f8275c52d
5 changed files with 71 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
ssl/s3_enc.c
View File

@@ -378,13 +378,18 @@ int ssl3_setup_key_block(SSL *s)
ret = ssl3_generate_key_block(s,p,num);
/* enable vulnerability countermeasure for CBC ciphers with
* known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) */
s->s3->need_empty_fragments = 1;
if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
{
/* enable vulnerability countermeasure for CBC ciphers with
* known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
*/
s->s3->need_empty_fragments = 1;
#ifndef OPENSSL_NO_RC4
if ((s->session->cipher != NULL) && ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4))
s->s3->need_empty_fragments = 0;
if ((s->session->cipher != NULL) && ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4))
s->s3->need_empty_fragments = 0;
#endif
}
return ret;