diff -up openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod |
|
--- openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib 2013-02-11 16:02:48.000000000 +0100 |
|
+++ openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod 2013-02-19 16:32:51.000000000 +0100 |
|
@@ -47,6 +47,13 @@ Once the identities of the compression m |
|
been standardized, the compression API will most likely be changed. Using |
|
it in the current state is not recommended. |
|
|
|
+It is also not recommended to use compression if data transfered contain |
|
+untrusted parts that can be manipulated by an attacker as he could then |
|
+get information about the encrypted data. See the CRIME attack. For |
|
+that reason the default loading of the zlib compression method is |
|
+disabled and enabled only if the environment variable B<OPENSSL_DEFAULT_ZLIB> |
|
+is present during the library initialization. |
|
+ |
|
=head1 RETURN VALUES |
|
|
|
SSL_COMP_add_compression_method() may return the following values: |
|
diff -up openssl-1.0.1e/ssl/ssl_ciph.c.env-zlib openssl-1.0.1e/ssl/ssl_ciph.c |
|
--- openssl-1.0.1e/ssl/ssl_ciph.c.env-zlib 2013-02-11 16:26:04.000000000 +0100 |
|
+++ openssl-1.0.1e/ssl/ssl_ciph.c 2013-02-19 16:37:36.163545085 +0100 |
|
@@ -140,6 +140,8 @@ |
|
* OTHERWISE. |
|
*/ |
|
|
|
+/* for secure_getenv */ |
|
+#define _GNU_SOURCE |
|
#include <stdio.h> |
|
#include <openssl/objects.h> |
|
#ifndef OPENSSL_NO_COMP |
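Review bot: The `#define _GNU_SOURCE` added at the top of this hunk is unconditional, so a build that already passes `-D_GNU_SOURCE` (which defines it to `1`) gets a redefinition warning because the value differs; guard it with `#ifndef _GNU_SOURCE` / `#define _GNU_SOURCE` / `#endif`. The placement itself is right only if no system header is included above line 140, which the visible context (end of the licence comment, then `<stdio.h>`) suggests but does not prove. The comment `/* for secure_getenv */` would read better if it said why the secure variant is wanted, e.g. `/* secure_getenv(): ignore the environment in setuid/setgid processes */`.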
|
@@ -455,7 +457,7 @@ static void load_builtin_compressions(vo |
|
|
|
MemCheck_off(); |
|
ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp); |
|
- if (ssl_comp_methods != NULL) |
|
+ if (ssl_comp_methods != NULL && secure_getenv("OPENSSL_DEFAULT_ZLIB") != NULL) |
|
{ |
|
comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); |
|
if (comp != NULL)
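Review bot: `secure_getenv()` on the changed condition is a glibc extension (available since glibc 2.17) and the hunk adds no fallback, so the file stops building against other C libraries or older glibc, where the name is undeclared; a small `#if`-guarded fallback to `__secure_getenv()` on older glibc, or to plain `getenv()` elsewhere, would keep the file portable and should be placed near the `_GNU_SOURCE` define in the earlier hunk rather than inline here. The reason for the opt-in is documented only in the pod page, not at the code site where a maintainer will see it; add above the condition `/* zlib is registered only when OPENSSL_DEFAULT_ZLIB is set: TLS compression leaks plaintext length (CRIME), so it is opt-in */`. Note also that when the variable is absent the stack `ssl_comp_methods` is still created but left empty, which appears to be the intended behaviour but is worth a word in that comment.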
|
|
|