Attachment 1448 Details for Bug 4307 – re-diffed curl-dont-insert-empty-fragments.patch

[patch] re-diffed curl-dont-insert-empty-fragments.patch

curl-7.21.5-dont-insert-empty-fragments.patch (text/plain), 1.54 KB, created by David Walser on 2012-01-28 04:30:03 CET

(hide)

Description:

Filename:

MIME Type:

Creator: David Walser

Created: 2012-01-28 04:30:03 CET

Size: 1.54 KB

patch

obsolete

>--- lib/ssluse.c~	2011-04-14 17:02:29.000000000 -0400
>+++ lib/ssluse.c	2012-01-27 22:26:21.100765497 -0500
>@@ -1422,6 +1422,7 @@
>   X509_LOOKUP *lookup=NULL;
>   curl_socket_t sockfd = conn->sock[sockindex];
>   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
>+  long ctx_options;
> #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
>   bool sni;
> #ifdef ENABLE_IPV6
>@@ -1522,16 +1523,27 @@
>      If someone writes an application with libcurl and openssl who wants to
>      enable the feature, one can do this in the SSL callback.
> 
>+     OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
>+     (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to
>+     SSL_OP_ALL that _disables_ that work-around despite the fact that
>+     SSL_OP_ALL is documented to do "rather harmless" workarounds. In order to
>+     keep the secure work-around, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit
>+     must not be set.
>+
>   */
>+
>+  ctx_options = SSL_OP_ALL;
>+
> #ifdef SSL_OP_NO_TICKET
>   /* expect older openssl releases to not have this define so only use it if
>      present */
>-#define CURL_CTX_OPTIONS SSL_OP_ALL|SSL_OP_NO_TICKET
>-#else
>-#define CURL_CTX_OPTIONS SSL_OP_ALL
>+  ctx_options |= SSL_OP_NO_TICKET;
>+#endif
>+#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
>+  ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
> #endif
> 
>-  SSL_CTX_set_options(connssl->ctx, CURL_CTX_OPTIONS);
>+  SSL_CTX_set_options(connssl->ctx, ctx_options);
> 
>   /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
>   if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)

--- lib/ssluse.c~	2011-04-14 17:02:29.000000000 -0400
+++ lib/ssluse.c	2012-01-27 22:26:21.100765497 -0500
@@ -1422,6 +1422,7 @@
   X509_LOOKUP *lookup=NULL;
   curl_socket_t sockfd = conn->sock[sockindex];
   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+  long ctx_options;
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
   bool sni;
 #ifdef ENABLE_IPV6
@@ -1522,16 +1523,27 @@
      If someone writes an application with libcurl and openssl who wants to
      enable the feature, one can do this in the SSL callback.
 
+     OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
+     (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to
+     SSL_OP_ALL that _disables_ that work-around despite the fact that
+     SSL_OP_ALL is documented to do "rather harmless" workarounds. In order to
+     keep the secure work-around, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit
+     must not be set.
+
   */
+
+  ctx_options = SSL_OP_ALL;
+
 #ifdef SSL_OP_NO_TICKET
   /* expect older openssl releases to not have this define so only use it if
      present */
-#define CURL_CTX_OPTIONS SSL_OP_ALL|SSL_OP_NO_TICKET
-#else
-#define CURL_CTX_OPTIONS SSL_OP_ALL
+  ctx_options |= SSL_OP_NO_TICKET;
+#endif
+#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+  ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
 #endif
 
-  SSL_CTX_set_options(connssl->ctx, CURL_CTX_OPTIONS);
+  SSL_CTX_set_options(connssl->ctx, ctx_options);
 
   /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
   if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)

Actions: View | Diff

Attachments on bug 4307: 1447 | 1448 | 1449