adium/adium

Instead of using a bad, fixed list of ciphers, check what's supported and then enable only those we also want, similar to how Chromium used to work.
adium-1.5.8
2013-08-03, Thijs Alkemade
b505bbf8f879
Parents c42492b37be7
Children 7af7624d7f0b
Instead of using a bad, fixed list of ciphers, check what's supported and then enable only those we also want, similar to how Chromium used to work.

This means that Apple can disable ciphers by default in the future, new ciphers are initially disabled and the order Apple specifies is maintained.
1 files changed, 92 insertions(+), 28 deletions(-)
  • +92 -28
    Plugins/Purple Service/libpurple_extensions/ssl-cdsa.c
    • --- a/Plugins/Purple Service/libpurple_extensions/ssl-cdsa.c Thu Jul 25 12:18:48 2013 +0200
    +++ b/Plugins/Purple Service/libpurple_extensions/ssl-cdsa.c Sat Aug 03 15:36:33 2013 +0200
    @@ -196,6 +196,11 @@
    /* SSL connected now */
    gsc->connect_cb(gsc->connect_cb_data, gsc, cond);
    }
    +
    + SSLCipherSuite suite;
    + SSLGetNegotiatedCipher(cdsa_data->ssl_ctx, &suite);
    +
    + purple_debug_info("cdsa", "Using cipher %x.\n", suite);
    }
    /*
    @@ -304,6 +309,51 @@
    return ortn;
    }
    +static gboolean
    +ssl_cdsa_use_cipher(SSLCipherSuite suite) {
    + switch (suite) {
    + case SSL_RSA_WITH_3DES_EDE_CBC_MD5:
    + case SSL_RSA_WITH_RC2_CBC_MD5:
    + case SSL_RSA_WITH_3DES_EDE_CBC_SHA:
    + case SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA:
    + case SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA:
    + case SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA:
    + case SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
    + case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA:
    + case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA:
    + case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA:
    + case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:
    + case SSL_RSA_WITH_RC4_128_MD5:
    + case SSL_RSA_WITH_RC4_128_SHA:
    + case TLS_ECDH_ECDSA_WITH_RC4_128_SHA:
    + case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA:
    + case TLS_ECDH_RSA_WITH_RC4_128_SHA:
    + case TLS_ECDHE_RSA_WITH_RC4_128_SHA:
    + case TLS_RSA_WITH_AES_128_CBC_SHA:
    + case TLS_DH_DSS_WITH_AES_128_CBC_SHA:
    + case TLS_DH_RSA_WITH_AES_128_CBC_SHA:
    + case TLS_DHE_DSS_WITH_AES_128_CBC_SHA:
    + case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
    + case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA:
    + case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
    + case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA:
    + case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
    + case TLS_RSA_WITH_AES_256_CBC_SHA:
    + case TLS_DH_DSS_WITH_AES_256_CBC_SHA:
    + case TLS_DH_RSA_WITH_AES_256_CBC_SHA:
    + case TLS_DHE_DSS_WITH_AES_256_CBC_SHA:
    + case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
    + case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA:
    + case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
    + case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA:
    + case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
    + return TRUE;
    +
    + default:
    + return FALSE;
    + }
    +}
    +
    static void
    ssl_cdsa_create_context(gpointer data) {
    PurpleSslConnection *gsc = (PurpleSslConnection *)data;
    @@ -351,9 +401,9 @@
    /*
    * Pass the connection information to the connection to be used by our callbacks
    */
    - err = (OSStatus)SSLSetConnection(cdsa_data->ssl_ctx, (SSLConnectionRef)(intptr_t)gsc->fd);
    + err = SSLSetConnection(cdsa_data->ssl_ctx, (SSLConnectionRef)(intptr_t)gsc->fd);
    if (err != noErr) {
    - purple_debug_error("cdsa", "SSLSetConnection failed\n");
    + purple_debug_error("cdsa", "SSLSetConnection failed: %d\n", err);
    if (gsc->error_cb != NULL)
    gsc->error_cb(gsc, PURPLE_SSL_HANDSHAKE_FAILED,
    gsc->connect_cb_data);
    @@ -361,34 +411,48 @@
    purple_ssl_close(gsc);
    return;
    }
    +
    + size_t numCiphers = 0;
    +
    + err = SSLGetNumberSupportedCiphers(cdsa_data->ssl_ctx, &numCiphers);
    +
    + if (err != noErr) {
    + purple_debug_error("cdsa", "SSLGetNumberEnabledCiphers failed: %d\n", err);
    + if (gsc->error_cb != NULL)
    + gsc->error_cb(gsc, PURPLE_SSL_HANDSHAKE_FAILED,
    + gsc->connect_cb_data);
    +
    + purple_ssl_close(gsc);
    + return;
    + }
    +
    + SSLCipherSuite ciphers[numCiphers];
    - /*
    - * Disable ciphers that confuse some servers
    - */
    - SSLCipherSuite ciphers[] = {
    - TLS_RSA_WITH_AES_128_CBC_SHA,
    - SSL_RSA_WITH_RC4_128_SHA,
    - SSL_RSA_WITH_RC4_128_MD5,
    - TLS_RSA_WITH_AES_256_CBC_SHA,
    - SSL_RSA_WITH_3DES_EDE_CBC_SHA,
    - SSL_RSA_WITH_3DES_EDE_CBC_MD5,
    - SSL_RSA_WITH_DES_CBC_SHA,
    - SSL_RSA_EXPORT_WITH_RC4_40_MD5,
    - SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
    - SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
    - TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
    - TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
    - TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
    - TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
    - SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
    - SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
    - SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
    - SSL_DHE_DSS_WITH_DES_CBC_SHA,
    - SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
    - };
    - err = (OSStatus)SSLSetEnabledCiphers(cdsa_data->ssl_ctx, ciphers, sizeof(ciphers) / sizeof(SSLCipherSuite));
    + err = SSLGetSupportedCiphers(cdsa_data->ssl_ctx, ciphers, &numCiphers);
    + if (err != noErr) {
    + purple_debug_error("cdsa", "SSLGetSupportedCiphers failed: %d\n", err);
    + if (gsc->error_cb != NULL)
    + gsc->error_cb(gsc, PURPLE_SSL_HANDSHAKE_FAILED,
    + gsc->connect_cb_data);
    +
    + purple_ssl_close(gsc);
    + return;
    + }
    +
    + SSLCipherSuite enabledCiphers[numCiphers];
    + size_t numEnabledCiphers = 0;
    + int i;
    +
    + for (i = 0; i < numCiphers; i++) {
    + if (ssl_cdsa_use_cipher(ciphers[i])) {
    + enabledCiphers[numEnabledCiphers] = ciphers[i];
    + numEnabledCiphers++;
    + }
    + }
    +
    + err = SSLSetEnabledCiphers(cdsa_data->ssl_ctx, enabledCiphers, numEnabledCiphers);
    if (err != noErr) {
    - purple_debug_error("cdsa", "SSLSetEnabledCiphers failed\n");
    + purple_debug_error("cdsa", "SSLSetEnabledCiphers failed: %d\n", err);
    if (gsc->error_cb != NULL)
    gsc->error_cb(gsc, PURPLE_SSL_HANDSHAKE_FAILED,
    gsc->connect_cb_data);