nss: add support for the CURLSSLOPT_ALLOW_BEAST option

... and fix some typos from the 62d15f1 commit.
2024-11-21 01:16:58 +08:00 · 2012-02-08 13:36:36 +01:00 · 2012-02-08 13:36:36 +01:00 · ebf3138992
commit ebf3138992
parent 8ef8a2b5ac
3 changed files with 15 additions and 2 deletions
--- a/lib/nss.c
+++ b/lib/nss.c
@ -1158,6 +1158,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
  PRBool ssl3 = PR_FALSE;
  PRBool tlsv1 = PR_FALSE;
  PRBool ssl_no_cache;
+  PRBool ssl_cbc_random_iv;
  struct SessionHandle *data = conn->data;
  curl_socket_t sockfd = conn->sock[sockindex];
  struct ssl_connect_data *connssl = &conn->ssl[sockindex];
@ -1266,6 +1267,18 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
  if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess)
    goto error;

+  ssl_cbc_random_iv = !data->set.ssl_enable_beast;
+#ifdef SSL_CBC_RANDOM_IV
+  /* unless the user explicitly asks to allow the protocol vulnerability, we
+     use the work-around */
+  if(SSL_OptionSet(model, SSL_CBC_RANDOM_IV, ssl_cbc_random_iv) != SECSuccess)
+    infof(data, "warning: failed to set SSL_CBC_RANDOM_IV = %d\n",
+          ssl_cbc_random_iv);
+#else
+  if(ssl_cbc_random_iv)
+    infof(data, "warning: support for SSL_CBC_RANDOM_IV not compiled in\n");
+#endif
+
  /* reset the flag to avoid an infinite loop */
  data->state.ssl_connect_retry = FALSE;

--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@ -202,7 +202,7 @@ static const struct LongShort aliases[]= {
  {"Ek", "tlsuser",                  TRUE},
  {"El", "tlspassword",              TRUE},
  {"Em", "tlsauthtype",              TRUE},
-  {"En", "ssl-no-empty-fragments",   FALSE},
+  {"En", "ssl-allow-beast",          FALSE},
  {"f",  "fail",                     FALSE},
  {"F",  "form",                     TRUE},
  {"Fs", "form-string",              TRUE},
--- a/src/tool_help.c
+++ b/src/tool_help.c
@ -187,7 +187,7 @@ static const char *const helptext[] = {
  "     --ssl-reqd      Require SSL/TLS (FTP, IMAP, POP3, SMTP)",
  " -2, --sslv2         Use SSLv2 (SSL)",
  " -3, --sslv3         Use SSLv3 (SSL)",
-  "     --ssl-allow-below Allow security flaw to improve interop (SSL)",
+  "     --ssl-allow-beast Allow security flaw to improve interop (SSL)",
  "     --stderr FILE   Where to redirect stderr. - means stdout",
  "     --tcp-nodelay   Use the TCP_NODELAY option",
  " -t, --telnet-option OPT=VAL  Set telnet option",