HGKeeper

Fix basic constraints checking for both our SSL plugins.
release-2.x.y
2014-10-12, Mark Doliner

2e4475087f04

Fix basic constraints checking for both our SSL plugins.

This was reported to our private security@pidgin.im mailing list
by an anonymous person and Jacob Appelbaum of the Tor project.

The general problem is described by Moxie Marlinspike here:
http://www.thoughtcrime.org/ie-ssl-chain.txt

Turns out BOTH of our SSL/TLS plugins are vulnerable to this. It allows
a malicious man-in-the-middle to impersonate an https server accessed by
Pidgin.

The fix for this was difficult. We'd really like to just delegate all cert
validate to the NSS or GnuTLS plugins and not do any of it ourselves, because
they're experts and we're not. And this is essentially the change we made for
NSS. However, this was difficult for GnuTLS because we need a context that we
don't have access to in the right function. We could have done it, but it
would have been a little hacky. So for our GnuTLS plugin we added basic
constraints checking ourselves. In Pidgin 3.0.0 would should clean this up
and remove a lot of internal cert validation and ALWAYS delegate to the
SSL/TLS library.

The NSS parts of this patch were written by Kai Engert and Daniel Atallah.
I wrote the GnuTLS parts.

We'll be requesting a CVE number for this.

Also, my thanks to Jacob Appelbaum and Moxie Marlinspike for their efforts
over many years to improve the security of the software that we use on a
daily basis. They are both stand-out citizens who have made contributions
to protect the privacy of all internet users. Thanks, guys!

If you plan to use Pidgin, Finch and libpurple from our Mercurial repository,

PLEASE read this message in its entirety!

Pidgin, Finch, and libpurple are a fast-moving project with a somewhat regular

release schedule. Due to the rate of development, the code in our Mercurial

repository undergoes frequent bursts of massive changes, often leaving behind

brokenness and partial functionality while the responsible developers rewrite

some portion of code or seek to add new features.

What this all boils down to is that the code in our Mercurial repository _WILL_

sometimes be broken. Because of this, we ask that users who are not interested

in personally tracking down bugs and fixing them (without a lot of

assistance from the developers!) use only released versions. Since releases

will be made often, this should not prevent anyone from using the newest,

shiniest features -- but it will prevent users from having to deal with ugly

development bugs that we already know about but haven't gotten around to fixing.

If you are interested in hacking on Pidgin, Finch, and/or libpurple, please

check out the information available at: http://developer.pidgin.im

By far the best documentation, however, is the documented code. If you have

doxygen, you can run "make docs" in the toplevel directory to generate pretty

documentation. Otherwise (or even if you do!), the header files for each

subsystem contain documentation for the functions they contain. For instance,

conversation.h contains documentation for the entire purple_conversation_*

API, and account.h contains documentation for the purple_account_* API.

If you have questions, please feel free to contact the Pidgin, Finch, and

libpurple developers by email at devel@pidgin.im or on IRC at irc.freenode.net

in #pidgin. Please do as much homework as you can before contacting us; the

more you know about your question, the faster and more effectively we can help!

Patches should be posted as Trac tickets at: http://developer.pidgin.im

qulogic/pidgin