openssl/compression_methods_switch.patch

Index: openssl-1.0.2b/doc/ssl/SSL_COMP_add_compression_method.pod
===================================================================
--- openssl-1.0.2b.orig/doc/ssl/SSL_COMP_add_compression_method.pod	2015-06-11 20:11:49.353667505 +0200
+++ openssl-1.0.2b/doc/ssl/SSL_COMP_add_compression_method.pod	2015-06-11 20:11:51.183689314 +0200
@@ -47,6 +47,24 @@ of compression methods supported on a pe
 If enabled during compilation, the OpenSSL library will have the
 COMP_zlib() compression method available.
 
+And, there is an environment variable to switch the compression
+methods off and on. In default the compression is off to mitigate 
+the so called CRIME attack ( CVE-2012-4929). If you want to enable 
+compression again set OPENSSL_NO_DEFAULT_ZLIB to "no".
+
+The variable can be switched on and off at runtime; when this variable
+is set "no" compression is enabled, otherwise no, for example:
+
+in shell 'export OPENSSL_NO_DEFAULT_ZLIB=no'
+or in C to call
+int setenv(const char *name, const char *value, int overwrite); and
+int unsetenv(const char *name);
+
+Note: This reverts the behavior of the variable as it was before!
+
+And pay attention that this freaure is temporary, it maybe changed by
+the following updates.
+
 =head1 WARNINGS
 
 Once the identities of the compression methods for the TLS protocol have
Index: openssl-1.0.2b/ssl/ssl_ciph.c
===================================================================
--- openssl-1.0.2b.orig/ssl/ssl_ciph.c	2015-06-11 20:11:49.353667505 +0200
+++ openssl-1.0.2b/ssl/ssl_ciph.c	2015-06-11 20:11:51.183689314 +0200
@@ -478,10 +478,16 @@ static void load_builtin_compressions(vo
 
         if (ssl_comp_methods == NULL) {
             SSL_COMP *comp = NULL;
+            const char *nodefaultzlib;
 
             MemCheck_off();
             ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp);
-            if (ssl_comp_methods != NULL) {
+		/* The default is "no" compression to avoid CRIME/BEAST */
+	nodefaultzlib = getenv("OPENSSL_NO_DEFAULT_ZLIB");
+	if (	ssl_comp_methods != NULL &&
+			nodefaultzlib &&
+			strncmp( nodefaultzlib, "no", 2) == 0)
+		{
                 comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
                 if (comp != NULL) {
                     comp->method = COMP_zlib();
Accepting request 315685 from Base:System - update to 1.0.2d * fixes CVE-2015-1793 (bsc#936746) Alternate chains certificate forgery During certificate verfification, OpenSSL will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate. - drop openssl-fix_invalid_manpage_name.patch (upstream) (forwarded request 315682 from vitezslav_cizek) OBS-URL: https://build.opensuse.org/request/show/315685 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=128 2015-07-12 22:51:54 +02:00			`Index: openssl-1.0.2b/doc/ssl/SSL_COMP_add_compression_method.pod`
Accepting request 184582 from Base:System - compression_methods_switch.patch: Disable compression by default to avoid the CRIME attack (CVE-2012-4929 bnc#793420) Can be override by setting environment variable OPENSSL_NO_DEFAULT_ZLIB=no OBS-URL: https://build.opensuse.org/request/show/184582 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=92 2013-07-30 18:42:57 +02:00			`===================================================================`
Accepting request 315685 from Base:System - update to 1.0.2d * fixes CVE-2015-1793 (bsc#936746) Alternate chains certificate forgery During certificate verfification, OpenSSL will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate. - drop openssl-fix_invalid_manpage_name.patch (upstream) (forwarded request 315682 from vitezslav_cizek) OBS-URL: https://build.opensuse.org/request/show/315685 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=128 2015-07-12 22:51:54 +02:00			`--- openssl-1.0.2b.orig/doc/ssl/SSL_COMP_add_compression_method.pod 2015-06-11 20:11:49.353667505 +0200`
			`+++ openssl-1.0.2b/doc/ssl/SSL_COMP_add_compression_method.pod 2015-06-11 20:11:51.183689314 +0200`
			`@@ -47,6 +47,24 @@ of compression methods supported on a pe`
			`If enabled during compilation, the OpenSSL library will have the`
			`COMP_zlib() compression method available.`
Accepting request 184582 from Base:System - compression_methods_switch.patch: Disable compression by default to avoid the CRIME attack (CVE-2012-4929 bnc#793420) Can be override by setting environment variable OPENSSL_NO_DEFAULT_ZLIB=no OBS-URL: https://build.opensuse.org/request/show/184582 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=92 2013-07-30 18:42:57 +02:00
			`+And, there is an environment variable to switch the compression`
			`+methods off and on. In default the compression is off to mitigate`
			`+the so called CRIME attack ( CVE-2012-4929). If you want to enable`
			`+compression again set OPENSSL_NO_DEFAULT_ZLIB to "no".`
			`+`
			`+The variable can be switched on and off at runtime; when this variable`
			`+is set "no" compression is enabled, otherwise no, for example:`
			`+`
			`+in shell 'export OPENSSL_NO_DEFAULT_ZLIB=no'`
			`+or in C to call`
			`+int setenv(const char name, const char value, int overwrite); and`
			`+int unsetenv(const char *name);`
			`+`
			`+Note: This reverts the behavior of the variable as it was before!`
			`+`
			`+And pay attention that this freaure is temporary, it maybe changed by`
			`+the following updates.`
			`+`
			`=head1 WARNINGS`

			`Once the identities of the compression methods for the TLS protocol have`
Accepting request 315685 from Base:System - update to 1.0.2d * fixes CVE-2015-1793 (bsc#936746) Alternate chains certificate forgery During certificate verfification, OpenSSL will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate. - drop openssl-fix_invalid_manpage_name.patch (upstream) (forwarded request 315682 from vitezslav_cizek) OBS-URL: https://build.opensuse.org/request/show/315685 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=128 2015-07-12 22:51:54 +02:00			`Index: openssl-1.0.2b/ssl/ssl_ciph.c`
Accepting request 184582 from Base:System - compression_methods_switch.patch: Disable compression by default to avoid the CRIME attack (CVE-2012-4929 bnc#793420) Can be override by setting environment variable OPENSSL_NO_DEFAULT_ZLIB=no OBS-URL: https://build.opensuse.org/request/show/184582 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=92 2013-07-30 18:42:57 +02:00			`===================================================================`
Accepting request 315685 from Base:System - update to 1.0.2d * fixes CVE-2015-1793 (bsc#936746) Alternate chains certificate forgery During certificate verfification, OpenSSL will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate. - drop openssl-fix_invalid_manpage_name.patch (upstream) (forwarded request 315682 from vitezslav_cizek) OBS-URL: https://build.opensuse.org/request/show/315685 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=128 2015-07-12 22:51:54 +02:00			`--- openssl-1.0.2b.orig/ssl/ssl_ciph.c 2015-06-11 20:11:49.353667505 +0200`
			`+++ openssl-1.0.2b/ssl/ssl_ciph.c 2015-06-11 20:11:51.183689314 +0200`
Accepting request 310849 from Base:System - update to 1.0.2a * Major changes since 1.0.1: - Suite B support for TLS 1.2 and DTLS 1.2 - Support for DTLS 1.2 - TLS automatic EC curve selection. - API to set TLS supported signature algorithms and curves - SSL_CONF configuration API. - TLS Brainpool support. - ALPN support. - CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH. - packaging changes: * merged patches modifying CIPHER_LIST into one, dropping: - openssl-1.0.1e-add-suse-default-cipher-header.patch - openssl-libssl-noweakciphers.patch * fix a manpage with invalid name - added openssl-fix_invalid_manpage_name.patch * remove a missing fips function - openssl-missing_FIPS_ec_group_new_by_curve_name.patch * reimported patches from Fedora dropped patches: - openssl-1.0.1c-default-paths.patch - openssl-1.0.1c-ipv6-apps.patch - openssl-1.0.1e-fips-ctor.patch - openssl-1.0.1e-fips-ec.patch - openssl-1.0.1e-fips.patch - openssl-1.0.1e-new-fips-reqs.patch - VIA_padlock_support_on_64systems.patch added patches: - openssl-1.0.2a-default-paths.patch - openssl-1.0.2a-fips-ctor.patch (forwarded request 309611 from vitezslav_cizek) OBS-URL: https://build.opensuse.org/request/show/310849 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=127 2015-06-08 08:25:56 +02:00			`@@ -478,10 +478,16 @@ static void load_builtin_compressions(vo`
Accepting request 184582 from Base:System - compression_methods_switch.patch: Disable compression by default to avoid the CRIME attack (CVE-2012-4929 bnc#793420) Can be override by setting environment variable OPENSSL_NO_DEFAULT_ZLIB=no OBS-URL: https://build.opensuse.org/request/show/184582 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=92 2013-07-30 18:42:57 +02:00
Accepting request 310849 from Base:System - update to 1.0.2a * Major changes since 1.0.1: - Suite B support for TLS 1.2 and DTLS 1.2 - Support for DTLS 1.2 - TLS automatic EC curve selection. - API to set TLS supported signature algorithms and curves - SSL_CONF configuration API. - TLS Brainpool support. - ALPN support. - CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH. - packaging changes: * merged patches modifying CIPHER_LIST into one, dropping: - openssl-1.0.1e-add-suse-default-cipher-header.patch - openssl-libssl-noweakciphers.patch * fix a manpage with invalid name - added openssl-fix_invalid_manpage_name.patch * remove a missing fips function - openssl-missing_FIPS_ec_group_new_by_curve_name.patch * reimported patches from Fedora dropped patches: - openssl-1.0.1c-default-paths.patch - openssl-1.0.1c-ipv6-apps.patch - openssl-1.0.1e-fips-ctor.patch - openssl-1.0.1e-fips-ec.patch - openssl-1.0.1e-fips.patch - openssl-1.0.1e-new-fips-reqs.patch - VIA_padlock_support_on_64systems.patch added patches: - openssl-1.0.2a-default-paths.patch - openssl-1.0.2a-fips-ctor.patch (forwarded request 309611 from vitezslav_cizek) OBS-URL: https://build.opensuse.org/request/show/310849 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=127 2015-06-08 08:25:56 +02:00			`if (ssl_comp_methods == NULL) {`
			`SSL_COMP *comp = NULL;`
			`+ const char *nodefaultzlib;`

			`MemCheck_off();`
			`ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp);`
			`- if (ssl_comp_methods != NULL) {`
			`+ /* The default is "no" compression to avoid CRIME/BEAST */`
			`+ nodefaultzlib = getenv("OPENSSL_NO_DEFAULT_ZLIB");`
			`+ if ( ssl_comp_methods != NULL &&`
			`+ nodefaultzlib &&`
			`+ strncmp( nodefaultzlib, "no", 2) == 0)`
			`+ {`
			`comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));`
			`if (comp != NULL) {`
			`comp->method = COMP_zlib();`