qulogic/pidgin

Fix basic constraints checking for both our SSL plugins.
release-2.x.y
2014-10-12, Mark Doliner
2e4475087f04
Fix basic constraints checking for both our SSL plugins.

This was reported to our private security@pidgin.im mailing list
by an anonymous person and Jacob Appelbaum of the Tor project.

The general problem is described by Moxie Marlinspike here:
http://www.thoughtcrime.org/ie-ssl-chain.txt

Turns out BOTH of our SSL/TLS plugins are vulnerable to this. It allows
a malicious man-in-the-middle to impersonate an https server accessed by
Pidgin.

The fix for this was difficult. We'd really like to just delegate all cert
validate to the NSS or GnuTLS plugins and not do any of it ourselves, because
they're experts and we're not. And this is essentially the change we made for
NSS. However, this was difficult for GnuTLS because we need a context that we
don't have access to in the right function. We could have done it, but it
would have been a little hacky. So for our GnuTLS plugin we added basic
constraints checking ourselves. In Pidgin 3.0.0 would should clean this up
and remove a lot of internal cert validation and ALWAYS delegate to the
SSL/TLS library.

The NSS parts of this patch were written by Kai Engert and Daniel Atallah.
I wrote the GnuTLS parts.

We'll be requesting a CVE number for this.

Also, my thanks to Jacob Appelbaum and Moxie Marlinspike for their efforts
over many years to improve the security of the software that we use on a
daily basis. They are both stand-out citizens who have made contributions
to protect the privacy of all internet users. Thanks, guys!
Purple, Pidgin and Finch
========================
See AUTHORS and COPYRIGHT for the list of contributors.
libpurple is a library intended to be used by programmers seeking
to write an IM client that connects to many IM networks. It supports
AIM, ICQ, XMPP, MSN and Yahoo!, among others.
Pidgin is a graphical IM client written in C which uses the GTK+
toolkit.
Finch is a text-based IM client written in C which uses the ncurses
toolkit.
These programs are not endorsed by, nor affiliated with, AOL nor any
other company in any way.
BUILD
=====
Read the 'INSTALL' file for more detailed directions.
These programs use the standard ./configure ; make. You need to use
gmake, BSD make probably won't work. Remember, run ./configure --help
to see what build options are available.
In order to compile Pidgin you need to have GTK+ 2.0 installed (as
well as the development files!). The configure script will fail if you
don't. If you don't have GTK+ 2.0 installed, you should install it
using your distribution's package management tools.
For sound support, you also need gstreamer 0.10 or higher. For
spellchecking support, you need libgtkspell (http://gtkspell.sf.net/).
Your distro of choice probably already includes these, just be sure to
install the development packages.
RUN
===
You should run 'make install' as root to make sure plugins and other files
get installed into locations they want to be in. Once you've done that,
you only need to run 'pidgin' or 'finch'.
To get started, simply add a new account.
If you come across a bug, please report it at: http://developer.pidgin.im
PLUGINS
=======
If you do not wish to enable the plugin support within Purple, run the
./configure script with the --disable-plugins option and recompile your
source code. This will prevent the ability to load plugins.
'make install' puts the plugins in $PREFIX/lib/purple (PREFIX being what
you specified when you ./configure'd - it defaults to /usr/local). Purple
looks for the plugins in that directory by default. Plugins can be installed
per-user in ~/.purple/plugins as well. Pidgin and Finch also look in
$PREFIX/lib/pidgin and $PREFIX/lib/finch for UI-specific, respectively.
To build a plugin from a .c file, put it in the plugins/ directory in
the source and run 'make filename.so', e.g. if you have the .c file
'kickass.c', put it in the plugins/ directory, and from that directory,
run 'make kickass.so'.