1 files changed, 19 insertions, 8 deletions
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index b80525f3ba..5290bf6665 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -110,10 +110,10 @@
 */
 #include <stdio.h>
+#include "ssl_locl.h"
 #include <openssl/comp.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
-#include "ssl_locl.h"
 #include <openssl/md5.h>
 static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
@@ -483,14 +483,25 @@ printf("\nkey block\n");
 { int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); }
 #endif
-        /* enable vulnerability countermeasure for CBC ciphers with
+        if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
-         * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) */
+                {
-        s->s3->need_empty_fragments = 1;
+                /* enable vulnerability countermeasure for CBC ciphers with
-#ifndef NO_RC4
+                 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
-        if ((s->session->cipher != NULL) && ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4))
+                 */
-                s->s3->need_empty_fragments = 0;
+                s->s3->need_empty_fragments = 1;
+                if (s->session->cipher != NULL)
+                        {
+                        if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL)
+                                s->s3->need_empty_fragments = 0;
+                        
+#ifndef OPENSSL_NO_RC4
+                        if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4)
+                                s->s3->need_empty_fragments = 0;
 #endif
-                
+                        }
+                }
        return(1);
 err:
        SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);

diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c index b80525f3ba..5290bf6665 100644 --- a/src/lib/libssl/t1_enc.c +++ b/src/lib/libssl/t1_enc.c
@@ -110,10 +110,10 @@
110	*/	110	*/
111		111
112	#include <stdio.h>	112	#include <stdio.h>
		113	#include "ssl_locl.h"
113	#include <openssl/comp.h>	114	#include <openssl/comp.h>
114	#include <openssl/evp.h>	115	#include <openssl/evp.h>
115	#include <openssl/hmac.h>	116	#include <openssl/hmac.h>
116	#include "ssl_locl.h"
117	#include <openssl/md5.h>	117	#include <openssl/md5.h>
118		118
119	static void tls1_P_hash(const EVP_MD md, const unsigned char sec,	119	static void tls1_P_hash(const EVP_MD md, const unsigned char sec,
@@ -483,14 +483,25 @@ printf("\nkey block\n");
483	{ int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); }	483	{ int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); }
484	#endif	484	#endif
485		485
486	/* enable vulnerability countermeasure for CBC ciphers with	486	if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
487	* known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) */	487	{
488	s->s3->need_empty_fragments = 1;	488	/* enable vulnerability countermeasure for CBC ciphers with
489	#ifndef NO_RC4	489	* known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
490	if ((s->session->cipher != NULL) && ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4))	490	*/
491	s->s3->need_empty_fragments = 0;	491	s->s3->need_empty_fragments = 1;
		492
		493	if (s->session->cipher != NULL)
		494	{
		495	if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL)
		496	s->s3->need_empty_fragments = 0;
		497
		498	#ifndef OPENSSL_NO_RC4
		499	if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4)
		500	s->s3->need_empty_fragments = 0;
492	#endif	501	#endif
493		502	}
		503	}
		504
494	return(1);	505	return(1);
495	err:	506	err:
496	SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);	507	SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);