Adium

Opened 18 months ago

Last modified 9 months ago

#16611 new defect

Regression of #16550 for Mountain Lion (Mac OS 10.8.5 - Security Update 2014-001 applied)

Reported by: mlamb
Owned by:
Milestone: Adium 1.5.11
Component: Adium Core
Version:
Severity: normal
Keywords: cdsa SIPE
Cc:
Patch Status: Needs Dev Review

Description (last modified by Robby)

Summary

The BEAST SSL attack mitigations introduced in Mavericks (see https://trac.adium.im/ticket/16550) have been back-ported to Mountain Lion (10.8.5) in the latest Security Update (2014-001).

Unfortunately, the code introduced in the resolution to issue 16550 did not take into account that the kSSLSessionOptionSendOneByteRecord option is defined differently for 10.8.5, and therefore the value is incorrect when compiled on a 10.8.5 machine.

Steps to reproduce

  1. Download Adium 1.5.10hg branch
  2. Build
  3. Install latest SIPE plugin
  4. Attempt a connection and conversation

Expected results

Expected results are to see the following in the Adium log:

13:17:33: (GLib): (13:17:33) cdsa: Explicitly disabling SSL BEAST mitigation for broken server implementations
13:17:33: (Libpurple: cdsa) Explicitly disabling SSL BEAST mitigation for broken server implementations

And to have continued connectivity.

Actual results

Actually see the following in the Adium log:

01:00:36: (GLib): (01:00:36) cdsa: Explicitly disabling SSL BEAST mitigation for broken server implementations
01:00:36: (Libpurple: cdsa) Explicitly disabling SSL BEAST mitigation for broken server implementations
01:00:36: (GLib): (01:00:36) cdsa: SSLSetSessionOption failed to disable SSL BEAST mitigation
01:00:36: (Libpurple: cdsa) SSLSetSessionOption failed to disable SSL BEAST mitigation

And connections are dropped upon any inbound/outbound message.

Regression

This only occurs with Adium running on Mountain Lion (10.8.5) with the 2014-001 Security Update applied, due to the mitigations implemented in that OS version.

Notes

See related bug #16550

In order to fix this the #define section in ssl-cdsa.c::ssl_cdsa_create_context() needs to be updated to be:

#ifndef kSSLSessionOptionSendOneByteRecord
    // Defined in 10.9 SDK, but not in 10.8 SDK
    #if __MAC_OS_X_VERSION_MAX_ALLOWED > 1080
        #define kSSLSessionOptionSendOneByteRecord 4 /* Appears in 10.9 as 4 */
    #else
        #define kSSLSessionOptionSendOneByteRecord -1 /* Appears in 10.8.5 as -1 */
    #endif
#endif

Change History (13)

comment:1 Changed 46 years ago by mlamb

  • Status changed from pending to new

comment:1 Changed 18 months ago by Robby

  • Description modified (diff)
  • Patch Status changed from Initially Included to Needs Dev Review

comment:2 Changed 18 months ago by firesignth

Has this patch been put into a build anywhere? My current version is 1.5.10b1r5848.

comment:3 Changed 18 months ago by Robby

Nope, it's pending review.

comment:4 Changed 18 months ago by mlamb

firesignth@,

You can replace lines 518-520 of the Plugins/Purple Service/libpurple_extensions/ssl-cdsa.c file with the lines mentioned in the "Notes:" section above.

That *should* work (I've tested it), and it would be additional verification that the fix is appropriate.

comment:5 Changed 18 months ago by sphynx

  • Status changed from new to pending

I'm a bit confused by the patch on this ticket. Shouldn't the value used for kSSLSessionOptionSendOneByteRecord depend on the OS Adium is running on? Right now it depends on the maximum allowed version of OS X Adium is set to be built for. I'd expect it to be a run-time check instead of a pre-processor check.

comment:6 Changed 18 months ago by mlamb

I had considered that.

However, the Security.framework versions between 10.9 and 10.8 are significantly different (55471 vs 55179 respectively), and I was worried about binary compatibility issues for users that were running an Adium binary built on an OS version different than theirs. I wasn't sure what Apple had changed, that might break. :| And, I don't have a 10.8 host to test it against.

Also, the header that defines kSSLSessionOptionSendOneByteRecord in 10.8.5... is actually a "Private" header, so I wasn't even sure it was a good idea to use it at all, since it could change in a future release.

I assumed that the whole thing would become a support nightmare for you and the SIPE maintainers, so I went with the straightforward pre-processor solution... that way we could just tell our users "Build Adium/SIPE on your own box, and it will just work(tm)" :)

If you'd like, I can modify it to be a run-time check.

comment:7 Changed 17 months ago by mlamb

So I looked into how to do a run-time check, and it requires access to NSApplication's NSAppKitVersionNumber.

However, when I added the NSAppkit/NSApplication.h header to the cdsa plugin I got a bunch of compiler issues... probably because this is straight C code, not Objective-C code.

Does someone with more experience with this code want to take a crack at it? Or do you want to just go with the #define solution?
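
The run-time check sphynx asks for in comment:5 and mlamb looks into in comment:7, as an added example that is not Adium's or SIPE's code: instead of picking the kSSLSessionOptionSendOneByteRecord value from __MAC_OS_X_VERSION_MAX_ALLOWED as the #define block in the Notes does, it reads the running kernel's release string (kern.osrelease via sysctlbyname, plain C, so no AppKit header is needed). The values 4 and -1 are the ticket's; the mapping Darwin 12.x = 10.8, Darwin 13.x = 10.9 and the ONE_BYTE_RECORD_UNSUPPORTED sentinel are this example's assumptions.

```c
/* Added example, not Adium's code: choose the kSSLSessionOptionSendOneByteRecord
 * value at run time from the Darwin kernel release instead of at build time
 * from __MAC_OS_X_VERSION_MAX_ALLOWED. The 4 and -1 are the ticket's values. */
#include <stdlib.h>
#ifdef __APPLE__
#include <sys/sysctl.h>
#endif

#define ONE_BYTE_RECORD_10_9        4    /* public enum value in the 10.9 SDK */
#define ONE_BYTE_RECORD_10_8_5      (-1) /* private-header value on 10.8.5 */
#define ONE_BYTE_RECORD_UNSUPPORTED 0    /* assumed sentinel: no usable value */

/* Leading "major" of a kern.osrelease string like "13.0.0"; 0 if malformed. */
static int darwin_major(const char *osrelease)
{
    char *end;
    long major;
    if (osrelease == NULL) return 0;
    major = strtol(osrelease, &end, 10);
    if (end == osrelease || *end != '.' || major <= 0) return 0;
    return (int)major;
}

/* Assumed mapping: Darwin 12.x is OS X 10.8, 13.x is 10.9; newer kernels keep
 * the public 10.9 value, older or unparseable ones get the sentinel so the
 * caller can skip SSLSetSessionOption instead of passing a bogus option. */
int one_byte_record_option_for(const char *osrelease)
{
    int major = darwin_major(osrelease);
    if (major >= 13) return ONE_BYTE_RECORD_10_9;
    if (major == 12) return ONE_BYTE_RECORD_10_8_5;
    return ONE_BYTE_RECORD_UNSUPPORTED;
}

/* On macOS ask the running kernel; elsewhere SecureTransport does not exist. */
int one_byte_record_option_runtime(void)
{
#ifdef __APPLE__
    char rel[32] = {0};
    size_t len = sizeof rel - 1;
    if (sysctlbyname("kern.osrelease", rel, &len, NULL, 0) != 0)
        return ONE_BYTE_RECORD_UNSUPPORTED;
    return one_byte_record_option_for(rel);
#else
    return ONE_BYTE_RECORD_UNSUPPORTED;
#endif
}
```

kern.osrelease identifies the 10.8 line but not whether Security Update 2014-001 is installed, so the caller still has to treat a failing SSLSetSessionOption as the "Actual results" case above rather than assume the mitigation was disabled.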

comment:8 Changed 17 months ago by bertocci

cc

comment:9 Changed 16 months ago by firesignth

Any ETA on a build with this fix? Or instructions on how to start from 0 and make a build for myself?

comment:10 Changed 16 months ago by mlamb

See https://trac.adium.im/ticket/16611#comment:4 above for what is required...

comment:11 Changed 16 months ago by Robby

  • Milestone changed from Adium 1.5.10 to Adium 1.5.11

Adium 1.5.10 was released last week.

comment:12 Changed 9 months ago by mlamb

Ping.
