From 48809c5b9f6c9081f4031fa938dd63b060c18a4b Mon Sep 17 00:00:00 2001
From: Matthias Andree
Date: Fri, 6 Apr 2012 21:31:53 +0200
Subject: Fix CVE-2011-3389 by clearing SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS...
...from SSL options, unless FETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE is a non-empty environment variable.
Suggested by Apple.
---
 socket.c | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'socket.c')
diff --git a/socket.c b/socket.c
index 260b0aa3..5f168b5b 100644
--- a/socket.c
+++ b/socket.c
@@ -901,6 +901,12 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
 SSL_CTX_set_options(_ctx[sock], SSL_OP_ALL);
+ {
+ char *tmp = getenv("FETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE");
+ if (tmp == NULL || *tmp == '\0' || strspn(tmp, " \t") == strlen(tmp))
+ SSL_CTX_clear_options(_ctx[sock], SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+ }
+
 if (certck) {
 SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback);
 } else {
--
cgit v1.2.3
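Review bot: The new block carries no comment explaining why an option is being cleared immediately after `SSL_CTX_set_options(_ctx[sock], SSL_OP_ALL)`, so a later reader who only sees a "DONT_INSERT" flag being removed may revert it as a mistake. Suggested comment above the block: `/* SSL_OP_ALL includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, which turns off OpenSSL's empty-fragment countermeasure for CBC ciphers under SSLv3/TLS 1.0 (CVE-2011-3389); clear it again unless the user explicitly opts out, via a non-blank FETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE, for interoperability with peers that cannot handle empty fragments. */`. As a point of style, the `*tmp == '\0'` test is subsumed by the `strspn(tmp, " \t") == strlen(tmp)` test that follows (both sides are zero for an empty string), so the condition can read `if (tmp == NULL || strspn(tmp, " \t") == strlen(tmp))`; note the commit message says "non-empty" while the code also treats a whitespace-only value as unset, which the comment above makes explicit. Consider also emitting a one-line diagnostic through whatever reporting helper socket.c already uses when the opt-out path is taken, so that a deliberately weakened TLS configuration shows up in the logs rather than silently. SSLOpen's body continues outside the hunk.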