scottmac                                 Fri, 20 Jan 2012 05:31:53 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=322485

Log:
Fix CVE-2011-3389, a possible attack on CBC mode with TLS 1.0.

See http://www.openssl.org/~bodo/tls-cbc.txt

The biggest reason for this mode being in SSL_OP_ALL was older versions
of IE (2002) talking to servers using OpenSSL.

Can hopefully get this into 5.4.

Changed paths:
    U   php/php-src/trunk/ext/ftp/ftp.c
    U   php/php-src/trunk/ext/openssl/xp_ssl.c

Modified: php/php-src/trunk/ext/ftp/ftp.c
===================================================================
--- php/php-src/trunk/ext/ftp/ftp.c     2012-01-20 05:16:03 UTC (rev 322484)
+++ php/php-src/trunk/ext/ftp/ftp.c     2012-01-20 05:31:53 UTC (rev 322485)
@@ -243,6 +243,7 @@
 {
 #if HAVE_OPENSSL_EXT
        SSL_CTX *ctx = NULL;
+       long ssl_ctx_options = SSL_OP_ALL;
 #endif
        if (ftp == NULL) {
                return 0;
@@ -279,7 +280,10 @@
                        return 0;
                }

-               SSL_CTX_set_options(ctx, SSL_OP_ALL);
+#if OPENSSL_VERSION_NUMBER >= 0x0090605fL
+               ssl_ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+#endif
+               SSL_CTX_set_options(ctx, ssl_ctx_options);

                ftp->ssl_handle = SSL_new(ctx);
                if (ftp->ssl_handle == NULL) {
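Review bot: The line `ssl_ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;` carries no explanation of what it buys or costs, and it is exactly the kind of line a later maintainer reverts after an interop complaint. Clearing that bit re-enables OpenSSL's insertion of an empty record ahead of each application-data record, which, as I understand the implementation, only takes effect for CBC cipher suites under SSLv3/TLS 1.0 and only protects data this side sends; the log itself says some very old peers (2002-era IE) cannot parse those zero-length records. I would add `/* Re-enable empty-fragment insertion (CVE-2011-3389 / BEAST countermeasure). Only affects CBC suites on SSLv3/TLS 1.0; known to break some very old peers. */` above the `#if`. The enclosing function starts before this hunk.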
@@ -1495,6 +1499,7 @@

 #if HAVE_OPENSSL_EXT
        SSL_CTX         *ctx;
+       long ssl_ctx_options = SSL_OP_ALL;
 #endif

        if (data->fd != -1) {
@@ -1521,7 +1526,10 @@
                        return 0;
                }

-               SSL_CTX_set_options(ctx, SSL_OP_ALL);
+#if OPENSSL_VERSION_NUMBER >= 0x0090605fL
+               ssl_ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+#endif
+               SSL_CTX_set_options(ctx, ssl_ctx_options);

                data->ssl_handle = SSL_new(ctx);
                if (data->ssl_handle == NULL) {
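Review bot: The lines from `long ssl_ctx_options = SSL_OP_ALL;` through `SSL_CTX_set_options(ctx, ssl_ctx_options);` are a byte-for-byte copy of the block added in the previous hunk of this file, so any future change to the option set (a compression or protocol-version bit, say) has to be made twice and can silently drift. A file-scope helper, `static long ftp_ssl_ctx_options(void)` that returns the adjusted `SSL_OP_ALL` value with the same `#if` inside it, would let both sites read `SSL_CTX_set_options(ctx, ftp_ssl_ctx_options());`. The enclosing function starts and ends outside this hunk.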

Modified: php/php-src/trunk/ext/openssl/xp_ssl.c
===================================================================
--- php/php-src/trunk/ext/openssl/xp_ssl.c      2012-01-20 05:16:03 UTC (rev 
322484)
+++ php/php-src/trunk/ext/openssl/xp_ssl.c      2012-01-20 05:31:53 UTC (rev 
322485)
@@ -310,6 +310,7 @@
                TSRMLS_DC)
 {
        SSL_METHOD *method;
+       long ssl_ctx_options = SSL_OP_ALL;

        if (sslsock->ssl_handle) {
                if (sslsock->s.is_blocked) {
@@ -377,7 +378,10 @@
                return -1;
        }

-       SSL_CTX_set_options(sslsock->ctx, SSL_OP_ALL);
+#if OPENSSL_VERSION_NUMBER >= 0x0090605fL
+       ssl_ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+#endif
+       SSL_CTX_set_options(sslsock->ctx, ssl_ctx_options);

 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL
        {
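Review bot: The guard `#if OPENSSL_VERSION_NUMBER >= 0x0090605fL` hard-codes a release number for a feature the header already advertises by macro; `#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS` is the usual test and cannot be off by a patch level (if I read OpenSSL's numbering right, 0x0090605fL is 0.9.6e while the option appeared in 0.9.6d, so a 0.9.6d build would silently keep the attack-enabling default — worth confirming). Beyond the guard, this context is also used for server-side streams and there is no stream-context option to restore the old behaviour for peers that choke on zero-length records, which the log says exist; a short comment naming CVE-2011-3389 next to the `&=` line would at least tell the next maintainer why it must not be reverted casually. The enclosing function starts before this hunk and continues after it.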
