Add 1/n-1 record splitting
diff --git a/include/polarssl/check_config.h b/include/polarssl/check_config.h
index 328b881..38d63fb 100644
--- a/include/polarssl/check_config.h
+++ b/include/polarssl/check_config.h
@@ -263,6 +263,11 @@
#error "POLARSSL_SSL_SESSION_TICKETS_C defined, but not all prerequisites"
#endif
+#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING) && \
+ !defined(POLARSSL_SSL_PROTO_SSL3) && !defined(POLARSSL_SSL_PROTO_TLS1)
+#error "POLARSSL_SSL_CBC_RECORD_SPLITTING defined, but not all prerequisites"
+#endif
+
#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION) && \
!defined(POLARSSL_X509_CRT_PARSE_C)
#error "POLARSSL_SSL_SERVER_NAME_INDICATION defined, but not all prerequisites"
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 50b4e33..5843192 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -822,6 +822,18 @@
//#define POLARSSL_SSL_HW_RECORD_ACCEL
/**
+ * \def POLARSSL_SSL_CBC_RECORD_SPLITTING
+ *
+ * Enable 1/n-1 record splitting for CBC mode in SSLv3 and TLS 1.0.
+ *
+ * This is a countermeasure to the BEAST attack, which also minimizes the risk
+ * of interoperability issues compared to sending 0-length records.
+ *
+ * Comment this macro to disable 1/n-1 record splitting.
+ */
+#define POLARSSL_SSL_CBC_RECORD_SPLITTING
+
+/**
* \def POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
*
* Enable support for receiving and parsing SSLv2 Client Hello messages for the
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 4310ed6..718e6d5 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -784,6 +784,9 @@
#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
unsigned char mfl_code; /*!< MaxFragmentLength chosen by us */
#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
+#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING)
+ unsigned char split_done; /*!< flag for record splitting */
+#endif
/*
* PKI layer