Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure.

3f366314 · Antoine Pitrou · 722db7bd · f2bf8a6a · 3f366314 · 3f366314
Commit 3f366314 authored Jan 27, 2012 by Antoine Pitrou
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 2 deletions

Misc/NEWS Misc/NEWS +3 -0

Modules/_ssl.c Modules/_ssl.c +4 -2

No files found.
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -111,6 +111,9 @@ Core and Builtins
 Library
 -------

+- Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC
+  IV attack countermeasure.
+
 - Issue #13772: In os.symlink() under Windows, do not try to guess the link
  target's type (file or directory).  The detection was buggy and made the
  call non-atomic (therefore prone to race conditions).

--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -1481,7 +1481,8 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
    self->ctx = ctx;
    /* Defaults */
    SSL_CTX_set_verify(self->ctx, SSL_VERIFY_NONE, NULL);
-    SSL_CTX_set_options(self->ctx, SSL_OP_ALL);
+    SSL_CTX_set_options(self->ctx,
+                        SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);

 #define SID_CTX "Python"
    SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX,
@@ -2143,7 +2144,8 @@ PyInit__ssl(void)
                            PY_SSL_VERSION_TLS1);

    /* protocol options */
-    PyModule_AddIntConstant(m, "OP_ALL", SSL_OP_ALL);
+    PyModule_AddIntConstant(m, "OP_ALL",
+                            SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
    PyModule_AddIntConstant(m, "OP_NO_SSLv2", SSL_OP_NO_SSLv2);
    PyModule_AddIntConstant(m, "OP_NO_SSLv3", SSL_OP_NO_SSLv3);
    PyModule_AddIntConstant(m, "OP_NO_TLSv1", SSL_OP_NO_TLSv1);