/soc/2013/ankitkv/gobjectification: 87898632ad06: Merged default...
Ankit Vani
a at nevitus.org
Mon Oct 6 15:27:41 EDT 2014
Changeset: 87898632ad068f0dee892c87c4c663a71d74f890
Author: Ankit Vani <a at nevitus.org>
Date: 2014-10-07 00:57 +0530
Branch: soc.2013.gobjectification.plugins
URL: https://hg.pidgin.im/soc/2013/ankitkv/gobjectification/rev/87898632ad06
Description:
Merged default branch
diffstat:
ChangeLog | 33 ++++++---
Makefile.mingw | 9 ++
libpurple/plugins/ssl/ssl-gnutls.c | 132 +++++++++++++++++++++++++++++++-----
libpurple/plugins/ssl/ssl-nss.c | 34 +++++++++
libpurple/win32/global.mak | 2 +-
5 files changed, 179 insertions(+), 31 deletions(-)
diffs (truncated from 333 to 300 lines):
diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,22 @@
Pidgin and Finch: The Pimpin' Penguin IM Clients That're Good for the Soul
version 3.0.0 (??/??/????):
+ General:
+ * Various core components of libpurple are now GObjects (Ankit Vani).
+ * Ciphers are now built from the libpurple directory.
+ * Doxygen has been replaced by gtk-doc for generating documentation (Ankit
+ Vani).
+ * Added dependency GPlugin, which is now required to build libpurple with
+ plugins support.
+ * Added dependency gobject-introspection, which is now required to enable
+ non-native plugin support.
+
+ libpurple:
+ * Specify a different set of encryption ciphers for TLS connections when
+ using GnuTLS. (elrond, belmyst, and Mark Doliner) (#8061)
+ * Don't allow SSL 3.0 (only TLS 1.0 and newer) for TLS connections when
+ using either GnuTLS or NSS.
+
Pidgin:
* Support building with the GTK+ 3.x toolkit. When configuring the
build, use --with-gtk=<2|3> to determine which toolkit to use. Using
@@ -76,23 +92,18 @@ version 3.0.0 (??/??/????):
* A single jabber plugin provides XMPP, GTalk and Facebook protocols.
* A single yahoo plugin provides both Yahoo and Yahoo JAPAN protocols.
+version 2.10.10 (?/?/?):
General:
- * Various core components of libpurple are now GObjects.
- * Ciphers are now built from the libpurple directory.
- * Added dependency GPlugin, which is now required to build libpurple with
- plugins support.
- * Added dependency gobject-introspection, which is now required to enable
- non-native plugin support.
- * Doxygen has been replaced by gtk-doc for generating documentation.
-
-version 2.10.10 (?/?/?):
+ * Allow and prefer TLS 1.2 and 1.1 when using libnss. (Elrond and
+ Ashish Gupta) (#15909)
+
libpurple3 compatibility:
* Encrypted account passwords are preserved until the new one is set.
* Fix loading Google Talk and Facebook XMPP accounts.
Windows-Specific Changes:
* Updates to dependencies:
- * NSS 3.16 and NSPR 4.10.4
+ * NSS 3.17.1 and NSPR 4.10.7
Finch:
* Fix build against Python 3. (Ed Catmur) (#15969)
@@ -319,7 +330,7 @@ version 2.10.7 (02/13/2013):
this issue and suggesting solutions. (#15277)
* Updates to a number of dependencies, some of which have security
related fixes. Thanks again to Jacob Appelbaum and Jurre van Bergen
- for identifying the vulnerable libraries and to Dieter Verfaillie
+ for identifying the vulnerable libraries and to Dieter Verfaillie
for helping getting the libraries updated. (#14571, #15285, #15286)
* ATK 1.32.0-2
* Cyrus SASL 2.1.25
diff --git a/Makefile.mingw b/Makefile.mingw
--- a/Makefile.mingw
+++ b/Makefile.mingw
@@ -33,12 +33,21 @@ awk 'BEGIN {FS="."} { \
GTK_INSTALL_VERSION = 2.24.18.0
+ifdef SIGNTOOL
+authenticode_sign = $(SIGNTOOL) sign \
+ /fd SHA256 \
+ /f "$(SIGNTOOL_PFX)" /p "$(SIGNTOOL_PASSWORD)" \
+ /d $(2) /du "https://pidgin.im" \
+ /tr "http://timestamp.comodoca.com/rfc3161" /td SHA256 \
+ $(1)
+else
authenticode_sign = $(MONO_SIGNCODE) \
-spc "$(SIGNCODE_SPC)" -v "$(SIGNCODE_PVK)" \
-a sha1 -$$ commercial \
-n "$(2)" -i "https://pidgin.im" \
-t "http://timestamp.verisign.com/scripts/timstamp.dll" -tr 10 \
$(1) && rm -f $(1).bak
+endif
gpg_sign = $(GPG_SIGN) -ab $(1) && $(GPG_SIGN) --verify $(1).asc
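Review bot: In the new SIGNTOOL branch the PFX password is passed as `/p "$(SIGNTOOL_PASSWORD)"`, so it shows up in the echoed make command (and any captured build log) and in the process arguments while signtool runs. Suppressing the echo where `authenticode_sign` is expanded, or signing from a certificate-store identity rather than a password-protected file, would keep it out of logs; the call sites are not visible in this hunk. The description is also unquoted here (`/d $(2)`) while the mono branch quotes it (`-n "$(2)"`), so a description containing spaces would split; `/d "$(2)"` matches the other branch. The fallback branch still signs with `-a sha1`, which deserves a comment saying it is kept only for builders without signtool.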
diff --git a/libpurple/plugins/ssl/ssl-gnutls.c b/libpurple/plugins/ssl/ssl-gnutls.c
--- a/libpurple/plugins/ssl/ssl-gnutls.c
+++ b/libpurple/plugins/ssl/ssl-gnutls.c
@@ -44,7 +44,69 @@ typedef struct
static gnutls_certificate_client_credentials xcred = NULL;
#ifdef HAVE_GNUTLS_PRIORITY_FUNCS
-/* Priority strings. The default one is, well, the default (and is always
+
+/**
+ * This string tells GnuTLS the list of ciphers we're ok with using. The goal
+ * is to disable weaker ciphers while remaining compatible with almost all
+ * servers.
+ *
+ * Ideally this is something we wouldn't do. Ideally the system-wide GnuTLS
+ * library would use good defaults. But for now I think we can safely be more
+ * restrictive than the GnuTLS defaults. --Mark Doliner
+ *
+ * You can test the priority string using this command:
+ * > gnutls-cli --priority "<SIGNATURE STRING>" <HOSTNAME>
+ * Note that on Ubuntu 14.04 gnutls-cli is linked against the older GnuTLS
+ * 2.12.23, which might be different than what Pidgin is linked against.
+ *
+ * Rationale for this string:
+ * - Start with the SECURE192 keyword and add the SECURE128 keyword. This
+ * includes both 128 and 192 bit ciphers, giving priority to the 192 bit
+ * ciphers. We're not too picky about the order... people generally think
+ * 128 bit ciphers are sufficient for now and 192 bit ciphers are overkill
+ * (and slower), but the speed impact shouldn't matter much for us and we
+ * prefer to be resilient into the distant future.
+ *
+ * - Remove and re-add RSA ciphers. This gives them a lower priority. We do
+ * this because they don't support perfect forward secrecy (PFS) and we want
+ * ciphers that DO support PFS to have a higher priority. An alternate way
+ * to do this is to add +PFS to the front of the string, but the PFS keyword
+ * was only added in 3.2.4 and attempting to use it with older GnuTLS causes
+ * the entire priority string to be discarded.
+ *
+ * - Add SIGN-RSA-SHA1. SHA-1 is a weaker hashing algorithm that's not
+ * included in SECURE128. We'd prefer not to include it, but unfortunately
+ * as of 2014-09-10 it is required by login.live.com (used by the MSN PRPL).
+ *
+ * - Remove DHE-DSS ciphers. This is kind of arbitrary. We think maybe nobody
+ * uses these and all things being equal a shorter cipher list is preferred.
+ *
+ * - Disable SSL 3.0. Everyone should be using at least TLS 1.0 by now.
+ *
+ * We only use this string for GnuTLS 3.2.2 and newer. For older versions we
+ * use NORMAL. Over time the GnuTLS library has changed how it parses priority
+ * strings and there are some unfortunate quirks:
+ * - 128 bit ciphers stopped being included in the SECURE256 keyword in 3.0.9.
+ * - 256 bit ciphers started being included in the SECURE128 keyword in 3.0.12.
+ * - Support for combining priority string keywords wasn't added until 3.1.0.
+ * - Adding/removing items from the priority string using plus and minus is
+ * buggy in GnuTLS 3.2.2 and older. See this commit for details:
+ * https://gitorious.org/gnutls/gnutls/commit/913f03ccfafc37277f0a88287d02cdbb9bbfb652
+ *
+ * These quirks make it difficult to find a single priority string that works
+ * well for all versions of GnuTLS that enables 128 and 256 bit ciphers while
+ * disabling less secure ciphers. In fact it's difficult to come up with ANY
+ * string that accomplishes this for 3.0.9, 3.0.10, and 3.0.11. And the bug
+ * with adding/removing items from the priority string means we might get
+ * unexpected results when using a complicated string, and so we're better off
+ * just sticking with the default.
+ *
+ * For more discussion about this change see bug #8061.
+ */
+#define GNUTLS_DEFAULT_PRIORITY "SECURE192:+SECURE128:-RSA:+RSA:+SIGN-RSA-SHA1:-DHE-DSS:-VERS-SSL3.0"
+
+/*
+ * Priority strings. The default one is, well, the default (and is always
* set). The hash table is of the form hostname => priority (both
* char *).
*
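Review bot: `+SIGN-RSA-SHA1` in `GNUTLS_DEFAULT_PRIORITY` re-enables SHA-1 signatures for every connection, although the comment gives a single host (login.live.com) as the reason. The comment directly below the define describes a hostname => priority table, so if that table can be seeded from code the exception could be limited to that host; how the table is populated is outside the hunk. Two smaller points: the test command placeholder should read `<PRIORITY STRING>` rather than `<SIGNATURE STRING>`, and a `GNUTLS_` prefix on a project macro risks clashing with names from the GnuTLS headers, so something like `PURPLE_GNUTLS_DEFAULT_PRIORITY` would be safer.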
@@ -63,6 +125,43 @@ ssl_gnutls_log(int level, const char *st
purple_debug_misc("gnutls", "lvl %d: %s", level, str);
}
+/**
+ * set_cipher_priorities:
+ * @priority_cache: A pointer to a gnutls_priority_t. This will be initialized
+ * using the given priorities.
+ * @priorities: A GnuTLS priority string.
+ *
+ * A simple convenience wrapper around gnutls_priority_init(). The wrapper
+ * does a few things:
+ * - Logs a helpful message if initialization fails.
+ * - Frees priority_cache if needed if initialization fails.
+ * - Set priority_cache to NULL if needed if initialization fails.
+ */
+static void
+set_cipher_priorities(gnutls_priority_t *priority_cache, const char *priorities)
+{
+ int ret;
+
+ ret = gnutls_priority_init(priority_cache, priorities, NULL);
+ if (ret != GNUTLS_E_SUCCESS) {
+ purple_debug_warning("gnutls", "Unable to set cipher priorities to %s. "
+ "Error code %d: %s\n", priorities, ret, gnutls_strerror(ret));
+
+ /* Versions of GnuTLS before 2.9.10 allocate but don't free priority_cache
+ if there's an error. We free it here to avoid a mem leak. */
+ if (!gnutls_check_version("2.9.10")) {
+ gnutls_free(*priority_cache);
+ }
+
+ /* Versions of GnuTLS before 3.2.9 leave priority_cache pointing to
+ freed memory if there's an error. We want our callers to be able to
+ depend on this being NULL, so set it to NULL ourselves. */
+ if (!gnutls_check_version("3.2.9")) {
+ *priority_cache = NULL;
+ }
+ }
+}
+
static void
ssl_gnutls_init_gnutls(void)
{
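Review bot: In `set_cipher_priorities()` the failure path clears the pointer only when `gnutls_check_version("3.2.9")` fails, so the callers' NULL test relies on every newer library clearing it itself. Assigning `*priority_cache = NULL;` unconditionally after the optional `gnutls_free()` is harmless on all versions and removes a possible dangling pointer if that assumption does not hold for some release. Since the function is new and static, it could also return the GnuTLS error code instead of `void`, so callers need not infer failure from the out-parameter.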
@@ -143,16 +242,9 @@ ssl_gnutls_init_gnutls(void)
}
if (default_priority_str) {
- if (gnutls_priority_init(&default_priority, default_priority_str, NULL)) {
- purple_debug_warning("gnutls", "Unable to set default priority to %s\n",
- default_priority_str);
- /* Versions of GnuTLS as of 2.8.6 (2010-03-31) don't free/NULL
- * this on error.
- */
- gnutls_free(default_priority);
- default_priority = NULL;
- }
-
+ /* Note: If the string is invalid then this call will fail and
+ we'll try again with our default priority string later. */
+ set_cipher_priorities(&default_priority, default_priority_str);
g_free(default_priority_str);
}
@@ -161,12 +253,14 @@ ssl_gnutls_init_gnutls(void)
}
#ifdef HAVE_GNUTLS_PRIORITY_FUNCS
- /* Make sure we set have a default priority! */
+ /* Set a default priority string if we didn't do it above */
if (!default_priority) {
- if (gnutls_priority_init(&default_priority, "NORMAL:%SSL3_RECORD_VERSION", NULL)) {
- /* See comment above about memory leak */
- gnutls_free(default_priority);
- gnutls_priority_init(&default_priority, "NORMAL", NULL);
+ if (gnutls_check_version("3.2.2")) {
+ set_cipher_priorities(&default_priority, GNUTLS_DEFAULT_PRIORITY);
+ }
+ if (!default_priority) {
+ /* Try again with an extremely simple priority string. */
+ set_cipher_priorities(&default_priority, "NORMAL");
}
}
#endif /* HAVE_GNUTLS_PRIORITY_FUNCS */
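Review bot: When the library is older than 3.2.2, or when `GNUTLS_DEFAULT_PRIORITY` is rejected, the fallback is plain `"NORMAL"`, so the SSL 3.0 exclusion announced in the ChangeLog is not applied on that path (whether `NORMAL` admits SSL 3.0 depends on the installed GnuTLS). The `%SSL3_RECORD_VERSION` modifier from the removed code is dropped as well, without a comment. I would add a comment above the fallback stating the limitation, e.g. `/* NORMAL may still allow SSL 3.0 on old GnuTLS; see GNUTLS_DEFAULT_PRIORITY */`, and log at info level which priority string ended up in effect. If the `"NORMAL"` call fails too, `default_priority` stays NULL; what session setup does then is outside the hunk and should be checked.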
@@ -242,12 +336,12 @@ static void ssl_gnutls_handshake_cb(gpoi
gnutls_data->handshake_handler = 0;
if(ret != 0) {
- purple_debug_error("gnutls", "Handshake failed. Error %s\n",
- gnutls_strerror(ret));
+ purple_debug_error("gnutls", "Handshake failed: %s\n",
+ gnutls_strerror(ret));
if(gsc->error_cb != NULL)
gsc->error_cb(gsc, PURPLE_SSL_HANDSHAKE_FAILED,
- gsc->connect_cb_data);
+ gsc->connect_cb_data);
purple_ssl_close(gsc);
} else {
diff --git a/libpurple/plugins/ssl/ssl-nss.c b/libpurple/plugins/ssl/ssl-nss.c
--- a/libpurple/plugins/ssl/ssl-nss.c
+++ b/libpurple/plugins/ssl/ssl-nss.c
@@ -32,6 +32,9 @@
#ifdef _WIN32
# ifndef HAVE_LONG_LONG
#define HAVE_LONG_LONG
+/* WINDDK_BUILD is defined because the checks around usage of
+ * intrisic functions are wrong in nspr */
+#define WINDDK_BUILD
# endif
#else
/* TODO: Why is this done?
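Review bot: The new `#define WINDDK_BUILD` sits inside `# ifndef HAVE_LONG_LONG`, so it takes effect only when `HAVE_LONG_LONG` was not already defined by an earlier header or by the build flags. If the NSPR workaround is needed on every Windows build, it belongs directly under `#ifdef _WIN32`, outside the inner guard. The comment has a typo (`intrisic` should be `intrinsic`) and would be more useful if it named the NSPR header or version whose check is wrong, so the define can be removed once that is fixed.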
@@ -133,6 +136,10 @@ static gchar *get_error_text(void)
static void
ssl_nss_init_nss(void)
{
+#if NSS_VMAJOR > 3 || ( NSS_VMAJOR == 3 && NSS_VMINOR >= 14 )
+ SSLVersionRange supported, enabled;
+#endif /* NSS >= 3.14 */
+
PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
NSS_NoDB_Init(".");
NSS_SetDomesticPolicy();
@@ -150,6 +157,33 @@ ssl_nss_init_nss(void)
SSL_CipherPrefSetDefault(SSL_DHE_RSA_WITH_DES_CBC_SHA, 1);
SSL_CipherPrefSetDefault(SSL_DHE_DSS_WITH_DES_CBC_SHA, 1);
+#if NSS_VMAJOR > 3 || ( NSS_VMAJOR == 3 && NSS_VMINOR >= 14 )
+ /* Get the ranges of supported and enabled SSL versions */
+ if ((SSL_VersionRangeGetSupported(ssl_variant_stream, &supported) == SECSuccess) &&
+ (SSL_VersionRangeGetDefault(ssl_variant_stream, &enabled) == SECSuccess)) {
+ purple_debug_info("nss", "TLS supported versions: "
+ "0x%04hx through 0x%04hx\n", supported.min, supported.max);
+ purple_debug_info("nss", "TLS versions allowed by default: "
+ "0x%04hx through 0x%04hx\n", enabled.min, enabled.max);
+