From 495ee91cbdbf2c34f6c133746fa272f18d0467f7 Mon Sep 17 00:00:00 2001 From: Dominyk Tiller Date: Sat, 18 Oct 2014 00:48:57 +0100 Subject: [PATCH] polarssl: killing sslv3 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Proposing we take a sharp axe to sslv3 in this PR. Reasons: 1) We want to do this with OpenSSL as soon as practical. PolarSSL works in a roughly similar way but is much less widely used, only having one Homebrew dependency (and even that is optional), which makes it a nice platform for testing. 2) PolarSSL has no mechanism to mitigate the SSLv3 POODLE mess in the manner OpenSSL has. That mechanism isn’t available to PolarSSL, and consequently upstream’s recommendation [here](https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-03-poodle-attack-on-ssl-v3) is just “feel free to kill sslv3 like this”. 3) If anything goes horribly wrong with this change, and I don’t think it will FWIW, it’s a 2 minute job to revert and rebuild to fix. That’s the kind of risk bracket I feel relatively comfortable jumping into for once. --- Formula/polarssl.rb | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/Formula/polarssl.rb b/Formula/polarssl.rb index 2f11050145..7e76c29b80 100644 --- a/Formula/polarssl.rb +++ b/Formula/polarssl.rb @@ -3,7 +3,9 @@ require "formula" class Polarssl < Formula homepage "https://polarssl.org/" url "https://polarssl.org/download/polarssl-1.3.8-gpl.tgz" - sha1 "82ed8ebcf3dd53621da5395b796fc0917083691d" + mirror "https://mirrors.kernel.org/debian/pool/main/p/polarssl/polarssl_1.3.8.orig.tar.gz" + sha256 "318171db41335cacbb5b0047c94f1faf91442ab70a223b5223436703c9406ff1" + revision 1 head "https://github.com/polarssl/polarssl.git" 
@@ -19,6 +21,13 @@ class Polarssl < Formula conflicts_with "md5sha1sum", :because => "both install conflicting binaries" def install + # Kills SSL2 Handshake & SSLv3 using upstream's recommended method. + # Upstream, can you make this less hacky please? + inreplace "include/polarssl/config.h" do |s| + s.gsub! "#define POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO", "//#define POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO" + s.gsub! "#define POLARSSL_SSL_PROTO_SSL3", "//#define POLARSSL_SSL_PROTO_SSL3" + end + system "cmake", ".", *std_cmake_args system "make" system "make", "install"
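Review bot: in the first hunk a single sha256 now covers two different files, the upstream polarssl-1.3.8-gpl.tgz and the Debian polarssl_1.3.8.orig.tar.gz on mirrors.kernel.org; a mirror only works if its bytes are identical, so please confirm the kernel.org tarball hashes to the same 318171db… value, otherwise a fallback fetch will fail the checksum. The `revision 1` bump is right, since the installed headers and library change behaviour without an upstream version change.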
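Review bot: in the `def install` hunk, a plain `String#gsub!` returns nil and changes nothing when its pattern is absent, so unless inreplace audits the result, a future release that renames or moves either `#define` would build successfully with SSLv3 still compiled in and nobody would be told; consider a form that fails the build when a substitution finds no match, or assert after the block that the edited config.h no longer contains an uncommented `#define POLARSSL_SSL_PROTO_SSL3`. Also, the comment reads "Kills SSL2 Handshake & SSLv3" and the PR title says "killing sslv3", but the first substitution disables `POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO`, i.e. the server's acceptance of SSLv2-format ClientHello records; that is a separate compatibility change and the commit message should say so.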