New option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS for disabling CBC

     By default, clients may request session resumption even during

     renegotiation (if session ID contexts permit); with this option,

     session resumption is possible only in the first handshake.

     SSL_OP_ALL is now 0x00000FFFL instead of 0x000FFFFFL.  This makes

     more bits available for options that should not be part of

     SSL_OP_ALL (such as SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION).

     [Bodo Moeller]

  *) Add some demos for certificate and certificate request creation.

  *) Fix EVP_dsa_sha macro.

     [Nils Larsch]

  *) New option

          SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

     for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure

     that was added in OpenSSL 0.9.6d.

     As the countermeasure turned out to be incompatible with some

     broken SSL implementations, the new option is part of SSL_OP_ALL.

     SSL_OP_ALL is usually employed when compatibility with weird SSL

     implementations is desired (e.g. '-bugs' option to 's_client' and

     's_server'), so the new option is automatically set in many

     applications.

     [Bodo Moeller]

 Changes between 0.9.6c and 0.9.6d  [9 May 2002]

  *) Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not

...

=item SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol

vulnerability affecting CBC ciphers, which cannot be handled by some

broken SSL implementations.  This option has no effect for connections

using other ciphers.

=item SSL_OP_ALL

All of the above bug workarounds.

=back

It is safe and recommended to use B<SSL_OP_ALL> to enable the bug workaround

options.

It is usually safe to use B<SSL_OP_ALL> to enable the bug workaround

options if compatibility with somewhat broken implementations is

desired.

The following B<modifying> options are available:

enabled with B<SSL_OP_ALL>. As of 0.9.7, it is no longer included in B<SSL_OP_ALL>

and must be explicitly set.

B<SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS> has been added in OpenSSL 0.9.6e.

Versions up to OpenSSL 0.9.6c do not include the countermeasure that

can be disabled with this option (in OpenSSL 0.9.6d, it was always

enabled).

=cut

	ret = ssl3_generate_key_block(s,p,num);

	if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))

		{

		/* enable vulnerability countermeasure for CBC ciphers with

	 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) */

		 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)

		 */

		s->s3->need_empty_fragments = 1;

#ifndef OPENSSL_NO_RC4

		if ((s->session->cipher != NULL) && ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4))

			s->s3->need_empty_fragments = 0;

#endif

		}

	return ret;

	struct ssl_session_st *prev,*next;

	} SSL_SESSION;

#define SSL_OP_MICROSOFT_SESS_ID_BUG			0x00000001L

#define SSL_OP_NETSCAPE_CHALLENGE_BUG			0x00000002L

#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG		0x00000008L

#define SSL_OP_TLS_D5_BUG				0x00000100L

#define SSL_OP_TLS_BLOCK_PADDING_BUG			0x00000200L

/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added

 * in OpenSSL 0.9.6d.  Usually (depending on the application protocol)

 * the workaround is not needed.  Unfortunately some broken SSL/TLS

 * implementations cannot handle it at all, which is why we include

 * it in SSL_OP_ALL. */

#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS              0x00000800L /* added in 0.9.6e */

/* SSL_OP_ALL: various bug workarounds that should be rather harmless.

 *             This used to be 0x000FFFFFL before 0.9.7. */

#define SSL_OP_ALL					0x00000FFFL

/* As server, disallow session resumption on renegotiation */

#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION	0x00010000L

/* If set, always create a new key when using tmp_dh parameters */

#define SSL_OP_SINGLE_DH_USE				0x00100000L

/* Set to always use the tmp_rsa key when doing RSA operations,

 * (version 3.1) was announced in the client hello. Normally this is

 * forbidden to prevent version rollback attacks. */

#define SSL_OP_TLS_ROLLBACK_BUG				0x00800000L

/* As server, disallow session resumption on renegotiation */

#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION	0x01000000L

#define SSL_OP_NO_SSLv2					0x01000000L

#define SSL_OP_NO_SSLv3					0x02000000L

#define SSL_OP_NO_TLSv1					0x04000000L

/* The next flag deliberately changes the ciphertest, this is a check

 * for the PKCS#1 attack */

#define SSL_OP_PKCS1_CHECK_2				0x10000000L

#define SSL_OP_NETSCAPE_CA_DN_BUG			0x20000000L

#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG		0x40000000L

#define SSL_OP_ALL					0x000FFFFFL

#define SSL_OP_NO_SSLv2					0x01000000L

#define SSL_OP_NO_SSLv3					0x02000000L

#define SSL_OP_NO_TLSv1					0x04000000L

/* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success

 * when just a single record has been written): */

 * is blocking: */

#define SSL_MODE_AUTO_RETRY 0x00000004L

/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,

 * they cannot be used to clear bits. */

{ int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); }

#endif

	if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))

		{

		/* enable vulnerability countermeasure for CBC ciphers with

	 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) */

		 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)

		 */

		s->s3->need_empty_fragments = 1;

#ifndef NO_RC4

		if ((s->session->cipher != NULL) && ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4))

			s->s3->need_empty_fragments = 0;

#endif

		}

	return(1);

err: