Fix CVE-2011-3389 by clearing SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS...

...from SSL options, unless FETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE is a non-empty environment variable. Suggested by Apple.
author: Matthias Andree <matthias.andree@gmx.de> 2012-04-06 21:31:53 +0200
committer: Matthias Andree <matthias.andree@gmx.de> 2012-05-03 08:13:13 +0200
commit: 48809c5b9f6c9081f4031fa938dd63b060c18a4b (patch)
tree: 3b454a5bcdaa175b2b8b2b3c455b9a3e7336e8af /socket.c
parent: e4ef077fdad22286502ae485b7b8f7ca88fd49dd (diff)
download: fetchmail-48809c5b9f6c9081f4031fa938dd63b060c18a4b.tar.gz
fetchmail-48809c5b9f6c9081f4031fa938dd63b060c18a4b.tar.bz2
fetchmail-48809c5b9f6c9081f4031fa938dd63b060c18a4b.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/socket.c b/socket.c
index 260b0aa3..5f168b5b 100644
--- a/socket.c
+++ b/socket.c
@@ -901,6 +901,12 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
 
 	SSL_CTX_set_options(_ctx[sock], SSL_OP_ALL);
 
+	{
+	    char *tmp = getenv("FETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE");
+	    if (tmp == NULL || *tmp == '\0' || strspn(tmp, " \t") == strlen(tmp))
+		SSL_CTX_clear_options(_ctx[sock], SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+	}
+
 	if (certck) {
 		SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback);
 	} else {
author	Matthias Andree <matthias.andree@gmx.de>	2012-04-06 21:31:53 +0200
committer	Matthias Andree <matthias.andree@gmx.de>	2012-05-03 08:13:13 +0200
commit	48809c5b9f6c9081f4031fa938dd63b060c18a4b (patch)
tree	3b454a5bcdaa175b2b8b2b3c455b9a3e7336e8af /socket.c
parent	e4ef077fdad22286502ae485b7b8f7ca88fd49dd (diff)
download	fetchmail-48809c5b9f6c9081f4031fa938dd63b060c18a4b.tar.gz fetchmail-48809c5b9f6c9081f4031fa938dd63b060c18a4b.tar.bz2 fetchmail-48809c5b9f6c9081f4031fa938dd63b060c18a4b.zip