summaryrefslogtreecommitdiff
path: root/www/curl/patches/patch-bf
blob: faac69c000d6841bf64be4726d0c947c311ca729 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
$NetBSD: patch-bf,v 1.1 2012/01/26 11:25:55 drochner Exp $

CVE-2011-3389

--- lib/ssluse.c.orig	2011-11-06 15:58:24.000000000 +0000
+++ lib/ssluse.c
@@ -1420,6 +1420,7 @@ ossl_connect_step1(struct connectdata *c
   X509_LOOKUP *lookup=NULL;
   curl_socket_t sockfd = conn->sock[sockindex];
   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+  long ctx_options;
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
   bool sni;
 #ifdef ENABLE_IPV6
@@ -1525,16 +1526,27 @@ ossl_connect_step1(struct connectdata *c
      If someone writes an application with libcurl and openssl who wants to
      enable the feature, one can do this in the SSL callback.
 
+     OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
+     (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to
+     SSL_OP_ALL that _disables_ that work-around despite the fact that
+     SSL_OP_ALL is documented to do "rather harmless" workarounds. In order to
+     keep the secure work-around, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit
+     must not be set.
+
   */
+
+  ctx_options = SSL_OP_ALL;
+
 #ifdef SSL_OP_NO_TICKET
   /* expect older openssl releases to not have this define so only use it if
      present */
-#define CURL_CTX_OPTIONS SSL_OP_ALL|SSL_OP_NO_TICKET
-#else
-#define CURL_CTX_OPTIONS SSL_OP_ALL
+  ctx_options |= SSL_OP_NO_TICKET;
+#endif
+#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+  ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
 #endif
 
-  SSL_CTX_set_options(connssl->ctx, CURL_CTX_OPTIONS);
+  SSL_CTX_set_options(connssl->ctx, ctx_options);
 
   /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
   if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)