Implement known-IV countermeasure.

 Changes between 0.9.6c and 0.9.6d  [XX xxx 2002]

  *) Implement a countermeasure against a vulnerability recently found

     in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment

     before application data chunks to avoid the use of known IVs

     with data potentially chosen by the attacker.

     [Bodo Moeller]

  *) Fix length checks in ssl3_get_client_hello().

     [Bodo Moeller]

  *) TLS/SSL library bugfix: use s->s3->in_read_app_data differently

     to prevent ssl3_read_internal() from incorrectly assuming that

     ssl3_read_bytes() found application data while handshake

     processing was enabled when in fact s->s3->in_read_app_data was

     merely automatically cleared during the initial handshake.

     [Bodo Moeller; problem pointed out by Arne Ansper <arne@ats.cyber.ee>]

  *) Fix object definitions for Private and Enterprise: they were not

     recognized in their shortname (=lowercase) representation. Extend

     obj_dat.pl to issue an error when using undefined keywords instead

  OpenSSL STATUS                           Last modified at

  ______________                           $Date: 2002/03/11 09:36:04 $

  ______________                           $Date: 2002/04/13 22:47:04 $

  DEVELOPMENT STATE

  NEEDS PATCH

    o  An (optional) countermeasure against the predictable-IV CBC

       weakness in SSL/TLS should be added; see

       http://www.openssl.org/~bodo/tls-cbc.txt

    o  apps/ca.c: "Sign the certificate?" - "n" creates empty certificate file

    o  "OpenSSL STATUS" is never up-to-date.

 * [including the GNU Public Licence.]

 */

/* ====================================================================

 * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.

 * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.

 *

 * Redistribution and use in source and binary forms, with or without

 * modification, are permitted provided that the following conditions

	{

	unsigned char *p;

	unsigned int extra;

	size_t len;

	if (s->s3->rbuf.buf == NULL)

		{

			extra=SSL3_RT_MAX_EXTRA;

		else

			extra=0;

		if ((p=OPENSSL_malloc(SSL3_RT_MAX_PACKET_SIZE+extra))

			== NULL)

		len = SSL3_RT_MAX_PACKET_SIZE + extra;

		if ((p=OPENSSL_malloc(len)) == NULL)

			goto err;

		s->s3->rbuf.buf = p;

		s->s3->rbuf.len = len;

		}

	if (s->s3->wbuf.buf == NULL)

		{

		if ((p=OPENSSL_malloc(SSL3_RT_MAX_PACKET_SIZE))

			== NULL)

		len = SSL3_RT_MAX_PACKET_SIZE;

		len += SSL3_RT_HEADER_LENGTH + 256; /* extra space for empty fragment */

		if ((p=OPENSSL_malloc(len)) == NULL)

			goto err;

		s->s3->wbuf.buf = p;

		s->s3->wbuf.len = len;

		}

	s->packet= &(s->s3->rbuf.buf[0]);

	return(1);

 * copied and put under another distribution licence

 * [including the GNU Public Licence.]

 */

/* ====================================================================

 * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.

 *

 * Redistribution and use in source and binary forms, with or without

 * modification, are permitted provided that the following conditions

 * are met:

 *

 * 1. Redistributions of source code must retain the above copyright

 *    notice, this list of conditions and the following disclaimer. 

 *

 * 2. Redistributions in binary form must reproduce the above copyright

 *    notice, this list of conditions and the following disclaimer in

 *    the documentation and/or other materials provided with the

 *    distribution.

 *

 * 3. All advertising materials mentioning features or use of this

 *    software must display the following acknowledgment:

 *    "This product includes software developed by the OpenSSL Project

 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

 *

 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

 *    endorse or promote products derived from this software without

 *    prior written permission. For written permission, please contact

 *    openssl-core@openssl.org.

 *

 * 5. Products derived from this software may not be called "OpenSSL"

 *    nor may "OpenSSL" appear in their names without prior written

 *    permission of the OpenSSL Project.

 *

 * 6. Redistributions of any form whatsoever must retain the following

 *    acknowledgment:

 *    "This product includes software developed by the OpenSSL Project

 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

 *

 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

 * OF THE POSSIBILITY OF SUCH DAMAGE.

 * ====================================================================

 *

 * This product includes cryptographic software written by Eric Young

 * (eay@cryptsoft.com).  This product includes software written by Tim

 * Hudson (tjh@cryptsoft.com).

 *

 */

#include <stdio.h>

#include <openssl/evp.h>

	const EVP_CIPHER *c;

	const EVP_MD *hash;

	int num;

	int ret = 0;

	SSL_COMP *comp;

	if (s->s3->tmp.key_block_length != 0)

	s->s3->tmp.key_block_length=num;

	s->s3->tmp.key_block=p;

	return ssl3_generate_key_block(s,p,num);

	ret = ssl3_generate_key_block(s,p,num);

	/* enable vulnerability countermeasure for CBC ciphers with

	 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) */

	s->s3->need_empty_fragments = 1;

#ifndef OPENSSL_NO_RC4

	if ((s->session->cipher != NULL) && ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4))

		s->s3->need_empty_fragments = 0;

#endif

	return ret;

err:

	SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);

void ssl3_clear(SSL *s)

	{

	unsigned char *rp,*wp;

	size_t rlen, wlen;

	ssl3_cleanup_key_block(s);

	if (s->s3->tmp.ca_names != NULL)

	rp = s->s3->rbuf.buf;

	wp = s->s3->wbuf.buf;

	rlen = s->s3->rbuf.len;

 	wlen = s->s3->wbuf.len;

	EVP_MD_CTX_cleanup(&s->s3->finish_dgst1);

	EVP_MD_CTX_cleanup(&s->s3->finish_dgst2);

	memset(s->s3,0,sizeof *s->s3);

	if (rp != NULL) s->s3->rbuf.buf=rp;

	if (wp != NULL) s->s3->wbuf.buf=wp;

	s->s3->rbuf.buf = rp;

	s->s3->wbuf.buf = wp;

	s->s3->rbuf.len = rlen;

 	s->s3->wbuf.len = wlen;

	ssl_free_wbio_buffer(s);

	if (s->s3->renegotiate) ssl3_renegotiate_check(s);

	s->s3->in_read_app_data=1;

	ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek);

	if ((ret == -1) && (s->s3->in_read_app_data == 0))

	if ((ret == -1) && (s->s3->in_read_app_data == 2))

		{

		/* ssl3_read_bytes decided to call s->handshake_func, which

		 * called ssl3_read_bytes to read handshake data.

		 * However, ssl3_read_bytes actually found application data

		 * and thinks that application data makes sense here (signalled

		 * by resetting 'in_read_app_data', strangely); so disable

		 * and thinks that application data makes sense here; so disable

		 * handshake processing and try to read application data again. */

		s->in_handshake++;

		ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek);