diff options
Diffstat (limited to 'www/curl/patches/patch-bf')
-rw-r--r-- | www/curl/patches/patch-bf | 46 |
1 files changed, 0 insertions, 46 deletions
diff --git a/www/curl/patches/patch-bf b/www/curl/patches/patch-bf deleted file mode 100644 index faac69c000d..00000000000 --- a/www/curl/patches/patch-bf +++ /dev/null @@ -1,46 +0,0 @@ -$NetBSD: patch-bf,v 1.1 2012/01/26 11:25:55 drochner Exp $ - -CVE-2011-3389 - ---- lib/ssluse.c.orig 2011-11-06 15:58:24.000000000 +0000 -+++ lib/ssluse.c -@@ -1420,6 +1420,7 @@ ossl_connect_step1(struct connectdata *c - X509_LOOKUP *lookup=NULL; - curl_socket_t sockfd = conn->sock[sockindex]; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; -+ long ctx_options; - #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME - bool sni; - #ifdef ENABLE_IPV6 -@@ -1525,16 +1526,27 @@ ossl_connect_step1(struct connectdata *c - If someone writes an application with libcurl and openssl who wants to - enable the feature, one can do this in the SSL callback. - -+ OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability -+ (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to -+ SSL_OP_ALL that _disables_ that work-around despite the fact that -+ SSL_OP_ALL is documented to do "rather harmless" workarounds. In order to -+ keep the secure work-around, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit -+ must not be set. -+ - */ -+ -+ ctx_options = SSL_OP_ALL; -+ - #ifdef SSL_OP_NO_TICKET - /* expect older openssl releases to not have this define so only use it if - present */ --#define CURL_CTX_OPTIONS SSL_OP_ALL|SSL_OP_NO_TICKET --#else --#define CURL_CTX_OPTIONS SSL_OP_ALL -+ ctx_options |= SSL_OP_NO_TICKET; -+#endif -+#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS -+ ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; - #endif - -- SSL_CTX_set_options(connssl->ctx, CURL_CTX_OPTIONS); -+ SSL_CTX_set_options(connssl->ctx, ctx_options); - - /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */ - if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT) |