You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
39 lines
1.7 KiB
39 lines
1.7 KiB
7 years ago
|
diff -up openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod
|
||
|
--- openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib 2013-02-11 16:02:48.000000000 +0100
|
||
|
+++ openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod 2013-02-19 16:32:51.000000000 +0100
|
||
|
@@ -47,6 +47,13 @@ Once the identities of the compression m
|
||
|
been standardized, the compression API will most likely be changed. Using
|
||
|
it in the current state is not recommended.
|
||
|
|
||
|
+It is also not recommended to use compression if data transfered contain
|
||
|
+untrusted parts that can be manipulated by an attacker as he could then
|
||
|
+get information about the encrypted data. See the CRIME attack. For
|
||
|
+that reason the default loading of the zlib compression method is
|
||
|
+disabled and enabled only if the environment variable B<OPENSSL_DEFAULT_ZLIB>
|
||
|
+is present during the library initialization.
|
||
|
+
|
||
|
=head1 RETURN VALUES
|
||
|
|
||
|
SSL_COMP_add_compression_method() may return the following values:
|
||
|
diff -up openssl-1.0.1e/ssl/ssl_ciph.c.env-zlib openssl-1.0.1e/ssl/ssl_ciph.c
|
||
|
--- openssl-1.0.1e/ssl/ssl_ciph.c.env-zlib 2013-02-11 16:26:04.000000000 +0100
|
||
|
+++ openssl-1.0.1e/ssl/ssl_ciph.c 2013-02-19 16:37:36.163545085 +0100
|
||
|
@@ -140,6 +140,8 @@
|
||
|
* OTHERWISE.
|
||
|
*/
|
||
|
|
||
|
+/* for secure_getenv */
|
||
|
+#define _GNU_SOURCE
|
||
|
#include <stdio.h>
|
||
|
#include <openssl/objects.h>
|
||
|
#ifndef OPENSSL_NO_COMP
|
||
|
@@ -455,7 +457,7 @@ static void load_builtin_compressions(vo
|
||
|
|
||
|
MemCheck_off();
|
||
|
ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
|
||
|
- if (ssl_comp_methods != NULL)
|
||
|
+ if (ssl_comp_methods != NULL && secure_getenv("OPENSSL_DEFAULT_ZLIB") != NULL)
|
||
|
{
|
||
|
comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
|
||
|
if (comp != NULL)
|