path: root/main/openssl/0010-ssl-env-zlib.patch
diff -ru openssl-1.0.2a.orig/doc/ssl/SSL_COMP_add_compression_method.pod openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod
--- openssl-1.0.2a.orig/doc/ssl/SSL_COMP_add_compression_method.pod	2015-01-15 16:43:14.000000000 -0200
+++ openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod	2015-03-27 15:18:47.280054883 -0200
@@ -47,6 +47,13 @@
 been standardized, the compression API will most likely be changed. Using
 it in the current state is not recommended.
 
+It is also not recommended to use compression if data transfered contain
+untrusted parts that can be manipulated by an attacker as he could then
+get information about the encrypted data. See the CRIME attack. For
+that reason the default loading of the zlib compression method is
+disabled and enabled only if the environment variable B<OPENSSL_DEFAULT_ZLIB>
+is present during the library initialization.
+
 =head1 RETURN VALUES
 
 SSL_COMP_add_compression_method() may return the following values:
diff -ru openssl-1.0.2a.orig/ssl/ssl_ciph.c openssl-1.0.2a/ssl/ssl_ciph.c
--- openssl-1.0.2a.orig/ssl/ssl_ciph.c	2015-03-19 15:30:36.000000000 -0200
+++ openssl-1.0.2a/ssl/ssl_ciph.c	2015-03-27 15:23:05.960057092 -0200
@@ -141,6 +141,8 @@
  */
 
 #include <stdio.h>
+#include <stdlib.h>
+#include <sys/auxv.h>
 #include <openssl/objects.h>
 #ifndef OPENSSL_NO_COMP
 # include <openssl/comp.h>
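Review bot: The added `#include <sys/auxv.h>` is unconditional, so the patched ssl_ciph.c stops building on any platform that lacks that header (it is Linux-specific, present in glibc and musl), whereas the surrounding includes are portable. If this patch is only ever carried by one Linux distribution that is acceptable, but if it is meant to travel, wrap the include and the `getauxval()` use in the second hunk in `#if defined(__linux__)` and make the non-Linux branch fail closed, i.e. treat the process as if AT_SECURE were set so the `OPENSSL_DEFAULT_ZLIB` opt-in is never honoured without privilege information. A one-line comment at the include, `/* getauxval(AT_SECURE): environment is untrusted in setuid/setgid processes */`, would tell later maintainers why a libc-specific header appears in an otherwise portable file.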
@@ -481,7 +483,7 @@
 
             MemCheck_off();
             ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp);
-            if (ssl_comp_methods != NULL) {
+            if (ssl_comp_methods != NULL && getauxval(AT_SECURE) == 0 && getenv("OPENSSL_DEFAULT_ZLIB") != NULL) {
                 comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
                 if (comp != NULL) {
                     comp->method = COMP_zlib();
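Review bot: The new condition on the `if (ssl_comp_methods != NULL && ...` line folds a security-policy decision into a 118-column expression with no comment, so the reason zlib is now opt-in (CRIME) and the reason the opt-in is ignored when `getauxval(AT_SECURE)` is non-zero (a setuid/setgid or capability-bearing process must not let its environment change crypto policy) are both invisible at the point of use. Extracting the two checks into a small static helper with that rationale in its header comment keeps the call site readable and gives the fail-closed ordering (privilege check first, environment second) a single home. Note that `getauxval()` returns 0 both when AT_SECURE is 0 and when the entry is absent; on every Linux kernel this code realistically runs on AT_SECURE is present, but if that is ever in doubt the helper is the place to check `errno` after the call. The enclosing function starts and ends outside the hunk.
```c
/*
 * Default zlib compression is opt-in (CRIME mitigation) and the opt-in is
 * ignored in an AT_SECURE process (setuid/setgid/capabilities), where the
 * environment is attacker-influenced and must not alter crypto policy.
 */
static int ssl_default_zlib_enabled(void)
{
    if (getauxval(AT_SECURE) != 0)
        return 0;
    return getenv("OPENSSL_DEFAULT_ZLIB") != NULL;
}
/* … unchanged: enclosing function up to sk_SSL_COMP_new() … */
            if (ssl_comp_methods != NULL && ssl_default_zlib_enabled()) {
```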