File 0004-OpenSSL-don-t-disable-security-work-around.patch of Package curl.import5737
From 261656dcfd35a2b048200f84f4a1c85c1a6c7769 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 19 Jan 2012 10:38:14 +0100
Subject: [PATCH] OpenSSL: don't disable security work-around
OpenSSL added a work-around for an SSL 3.0/TLS 1.0 CBC vulnerability
(http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit
to SSL_OP_ALL that _disables_ that work-around despite the fact that
SSL_OP_ALL is documented to do "rather harmless" workarounds.

The libcurl code uses the SSL_OP_ALL define and thus logically always
disables the OpenSSL fix.

In order to keep the secure work-around working, the
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit must not be set and this change
makes sure of this.

Reported by: product-security at Apple

cherry-picked from commit 0158c2bdd51af5a7b334b4dd7360bbd7e3858409
---
 lib/ssluse.c |   11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)
diff --git a/lib/ssluse.c b/lib/ssluse.c
index 73fb8d3..c9dfc3a 100644
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -1513,6 +1513,13 @@ ossl_connect_step1(struct connectdata *conn,
      become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate
      CVE-2010-4180 when using previous OpenSSL versions we no longer enable
      this option regardless of OpenSSL version and SSL_OP_ALL definition.
+
+     OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
+     (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to
+     SSL_OP_ALL that _disables_ that work-around despite the fact that
+     SSL_OP_ALL is documented to do "rather harmless" workarounds. In order to
+     keep the secure work-around, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit
+     must not be set.
   */
 
   ctx_options = SSL_OP_ALL;
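Review bot: the new comment text is placed in the block that precedes `ctx_options = SSL_OP_ALL;`, but the actual clearing of `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS` happens in the second hunk, two `#ifdef` blocks further down, so a reader of the first block has to search for where "must not be set" is enforced. Consider either moving the new paragraph next to the `#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS` block, or ending it with a pointer such as "see the bit-clearing below". The wording also largely duplicates the commit message; a shorter in-code note citing the tls-cbc.txt URL and the reason (the bit was folded into SSL_OP_ALL in 0.9.6e and disables the CBC mitigation) would carry the same information and be less likely to drift from the code.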
@@ -1527,6 +1534,10 @@ ossl_connect_step1(struct connectdata *conn,
   ctx_options &= ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
 #endif
 
+#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+  ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+#endif
+
   /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
   if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)
     ctx_options |= SSL_OP_NO_SSLv2;
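Review bot: the `#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS` guard is the right shape (the macro does not exist in OpenSSL builds older than 0.9.6e, so an unguarded `&= ~` would not compile there), and clearing the bit after `ctx_options = SSL_OP_ALL;` correctly re-enables the empty-fragment CBC mitigation that SSL_OP_ALL had been switching off. Two things are missing, though. First, the change alters record-layer behaviour for every OpenSSL-backed connection, yet the diffstat shows only `lib/ssluse.c` touched: a RELEASE-NOTES/changelog entry should accompany it so users who see new interoperability failures with peers that cannot handle the inserted empty fragments (the reason the bit was put into SSL_OP_ALL in the first place) can trace the behaviour change. Second, there is no way for a caller to opt back into the old behaviour; if that is intentional, a one-line comment inside the `#ifdef` saying so ("intentionally not configurable") would stop the next maintainer from treating its absence as an oversight.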
-- 
1.7.7