From: Travis Cross <tc@traviscross.com>
Date: Sun, 16 Mar 2014 16:07:02 +0000 (+0000)
Subject: Mitigate the CRIME TLS flaw
X-Git-Tag: v1.2.23~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8b496f976ee6be13bbca79b95d6b640f7f231022;p=thirdparty%2Ffreeswitch.git

Mitigate the CRIME TLS flaw

If an attacker can cause a device to make an authenticated request to
a service via TLS while including a payload of the attacker's choice
in that request, and if TLS compression is enabled, the attacker can
uncover the plaintext authentication information by making a series of
guesses and observing changes in the length of the ciphertext.

This is CVE-2012-4929.

FS-6360 --resolve

Thanks-to: Brian West <brian@freeswitch.org>
---

diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
index c466ae4080..74de1ed817 100644
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
@@ -342,6 +342,10 @@ int tls_init_context(tls_t *tls, tls_issues_t const *ti)
 #endif
   SSL_CTX_sess_set_remove_cb(tls->ctx, NULL);
   SSL_CTX_set_timeout(tls->ctx, ti->timeout);
+#ifdef SSL_OP_NO_COMPRESSION
+  /* CRIME (CVE-2012-4929) mitigation */
+  SSL_CTX_set_options(tls->ctx, SSL_OP_NO_COMPRESSION);
+#endif
 
   /* Set callback if we have a passphrase */
   if (ti->passphrase != NULL) {