From 129370fc1900bc981d529ab7d4a82b6668c72183 Mon Sep 17 00:00:00 2001
From: "A. Wilcox" <AWilcox@Wilcox-Tech.com>
Date: Tue, 20 Feb 2018 22:03:34 -0600
Subject: system/openssl: prepare for a new OpenSSL

---
 system/openssl/0010-ssl-env-zlib.patch | 38 ++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 system/openssl/0010-ssl-env-zlib.patch

(limited to 'system/openssl/0010-ssl-env-zlib.patch')

diff --git a/system/openssl/0010-ssl-env-zlib.patch b/system/openssl/0010-ssl-env-zlib.patch
new file mode 100644
index 000000000..9eae15d72
--- /dev/null
+++ b/system/openssl/0010-ssl-env-zlib.patch
@@ -0,0 +1,38 @@
+diff -ru openssl-1.0.2a.orig/doc/ssl/SSL_COMP_add_compression_method.pod openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod
+--- openssl-1.0.2a.orig/doc/ssl/SSL_COMP_add_compression_method.pod	2015-01-15 16:43:14.000000000 -0200
++++ openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod	2015-03-27 15:18:47.280054883 -0200
+@@ -47,6 +47,13 @@
+ been standardized, the compression API will most likely be changed. Using
+ it in the current state is not recommended.
+ 
++It is also not recommended to use compression if data transfered contain
++untrusted parts that can be manipulated by an attacker as he could then
++get information about the encrypted data. See the CRIME attack. For
++that reason the default loading of the zlib compression method is
++disabled and enabled only if the environment variable B<OPENSSL_DEFAULT_ZLIB>
++is present during the library initialization.
++
+ =head1 RETURN VALUES
+ 
+ SSL_COMP_add_compression_method() may return the following values:
+diff -ru openssl-1.0.2a.orig/ssl/ssl_ciph.c openssl-1.0.2a/ssl/ssl_ciph.c
+--- openssl-1.0.2a.orig/ssl/ssl_ciph.c	2015-03-19 15:30:36.000000000 -0200
++++ openssl-1.0.2a/ssl/ssl_ciph.c	2015-03-27 15:23:05.960057092 -0200
+@@ -141,6 +141,8 @@
+  */
+ 
+ #include <stdio.h>
++#include <stdlib.h>
++#include <sys/auxv.h>
+ #include <openssl/objects.h>
+ #ifndef OPENSSL_NO_COMP
+ # include <openssl/comp.h>
+@@ -481,7 +483,7 @@
+ 
+             MemCheck_off();
+             ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp);
+-            if (ssl_comp_methods != NULL) {
++            if (ssl_comp_methods != NULL && getauxval(AT_SECURE) == 0 && getenv("OPENSSL_DEFAULT_ZLIB") != NULL) {
+                 comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
+                 if (comp != NULL) {
+                     comp->method = COMP_zlib();
-- 
cgit v1.2.3-60-g2f50