$OpenBSD: patch-socket_c,v 1.6 2012/06/26 10:10:20 jasper Exp $

- Fix potential for information disclosure under active attack. CVE-2011-3389
- Build with OpenSSL without SSLv2 support.

--- socket.c.orig	Sun Aug 21 09:34:58 2011
+++ socket.c	Tue Jun 19 20:48:04 2012
@@ -874,7 +874,12 @@ int SSLOpen(int sock, char *mycert, char *mykey, const
 	_ssl_context[sock] = NULL;
 	if(myproto) {
 		if(!strcasecmp("ssl2",myproto)) {
+#if HAVE_DECL_SSLV2_CLIENT_METHOD + 0 > 0
 			_ctx[sock] = SSL_CTX_new(SSLv2_client_method());
+#else
+			report(stderr, GT_("Your operating system does not support SSLv2.\n"));
+			return -1;
+#endif
 		} else if(!strcasecmp("ssl3",myproto)) {
 			_ctx[sock] = SSL_CTX_new(SSLv3_client_method());
 		} else if(!strcasecmp("tls1",myproto)) {
@@ -895,6 +900,12 @@ int SSLOpen(int sock, char *mycert, char *mykey, const
 	}
 
 	SSL_CTX_set_options(_ctx[sock], SSL_OP_ALL);
+
+	{
+	    char *tmp = getenv("FETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE");
+	    if (tmp == NULL || *tmp == '\0' || strspn(tmp, " \t") == strlen(tmp))
+		SSL_CTX_clear_options(_ctx[sock], SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+	}
 
 	if (certck) {
 		SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback);
