34 lines
1.2 KiB
Plaintext
34 lines
1.2 KiB
Plaintext
$OpenBSD: patch-socket_c,v 1.6 2012/06/26 10:10:20 jasper Exp $
|
|
|
|
- Fix potential for information disclosure under active attack. CVE-2011-3389
|
|
- Build with OpenSSL without SSLv2 support.
|
|
|
|
--- socket.c.orig Sun Aug 21 09:34:58 2011
|
|
+++ socket.c Tue Jun 19 20:48:04 2012
|
|
@@ -874,7 +874,12 @@ int SSLOpen(int sock, char *mycert, char *mykey, const
|
|
_ssl_context[sock] = NULL;
|
|
if(myproto) {
|
|
if(!strcasecmp("ssl2",myproto)) {
|
|
+#if HAVE_DECL_SSLV2_CLIENT_METHOD + 0 > 0
|
|
_ctx[sock] = SSL_CTX_new(SSLv2_client_method());
|
|
+#else
|
|
+ report(stderr, GT_("Your operating system does not support SSLv2.\n"));
|
|
+ return -1;
|
|
+#endif
|
|
} else if(!strcasecmp("ssl3",myproto)) {
|
|
_ctx[sock] = SSL_CTX_new(SSLv3_client_method());
|
|
} else if(!strcasecmp("tls1",myproto)) {
|
|
@@ -895,6 +900,12 @@ int SSLOpen(int sock, char *mycert, char *mykey, const
|
|
}
|
|
|
|
SSL_CTX_set_options(_ctx[sock], SSL_OP_ALL);
|
|
+
|
|
+ {
|
|
+ char *tmp = getenv("FETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE");
|
|
+ if (tmp == NULL || *tmp == '\0' || strspn(tmp, " \t") == strlen(tmp))
|
|
+ SSL_CTX_clear_options(_ctx[sock], SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
|
|
+ }
|
|
|
|
if (certck) {
|
|
SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback);
|