adium 5777:78db6a0ed1c7: Patch from mlamb: Add a way for protoco...

commits at adium.im commits at adium.im
Wed Dec 4 16:57:06 UTC 2013 

details:	http://hg.adium.im/adium/rev/78db6a0ed1c7
revision:	5777:78db6a0ed1c7
branch:		adium-1.5.10
author:		Thijs Alkemade <me at thijsalkema.de>
date:		Wed Dec 04 17:56:32 2013 +0100

Patch from mlamb: Add a way for protocols to disable 1/n-1 record splitting on TLS (which is used to counter the BEAST attack) for protocols that might want it.

(We have no intention of turning this on for any official protocol, but apparently the SIPE plugin needs it).

Fixes #16550

diffs (33 lines):

diff -r b8acc0b7188c -r 78db6a0ed1c7 Plugins/Purple Service/libpurple_extensions/ssl-cdsa.c
--- a/Plugins/Purple Service/libpurple_extensions/ssl-cdsa.c	Wed Dec 04 17:44:48 2013 +0100
+++ b/Plugins/Purple Service/libpurple_extensions/ssl-cdsa.c	Wed Dec 04 17:56:32 2013 +0100
@@ -52,6 +52,7 @@
 #define PURPLE_SSL_CONNECTION_IS_VALID(gsc) (g_list_find(connections, (gsc)) != NULL)
 
 #define PURPLE_SSL_CDSA_BUGGY_TLS_WORKAROUND "ssl_cdsa_buggy_tls_workaround"
+#define PURPLE_SSL_CDSA_BEAST_TLS_WORKAROUND "ssl_cdsa_beast_tls_workaround"
 
 /*
  * query_cert_chain - callback for letting the user review the certificate before accepting it
@@ -504,6 +505,21 @@
         protoErr = SSLSetProtocolVersionEnabled(cdsa_data->ssl_ctx, kTLSProtocol1, true);
     }
     
+#if MAC_OS_X_VERSION_MAX_ALLOWED <= MAC_OS_X_VERSION_10_9
+    #define kSSLSessionOptionSendOneByteRecord 4 /* Appears in 10.9 */
+#endif
+    
+    if (purple_account_get_bool(account, PURPLE_SSL_CDSA_BEAST_TLS_WORKAROUND, false)) {
+        purple_debug_info("cdsa", "Explicitly disabling SSL BEAST mitigation for broken server implementations\n");
+        
+        OSStatus protoErr;
+        protoErr = SSLSetSessionOption(cdsa_data->ssl_ctx, kSSLSessionOptionSendOneByteRecord, false);
+        if (protoErr != noErr) {
+            purple_debug_info("cdsa", "SSLSetSessionOption failed to disable SSL BEAST mitigation\n");
+        }
+    }
+    
+    
     if(gsc->host) {
         /*
          * Set the peer's domain name so CDSA can check the certificate's CN

More information about the commits mailing list