From 1ceb4fb4efb37aa05477aff9ce3e6c06157ea7ab Mon Sep 17 00:00:00 2001
From: Stefan Becker
Date: Sat, 16 Nov 2013 14:30:04 +0200
Subject: [PATCH] contrib: add SSL BEAST mitigation patch for Adium

Improved version of the patch from the bug ticket discussion:
http://sourceforge.net/p/sipe/bugs/216/

(cherry picked from commit 051f516f39fb099f58f6f6911f7151ed96560756)
---
contrib/adium-patches/README.txt | 38 ++++++++++++++++++++++
.../adium-1.5.8-disable-ssl-mitigation.patch | 32 ++++++++++++++++++
2 files changed, 70 insertions(+)
create mode 100644 contrib/adium-patches/README.txt
create mode 100644 contrib/adium-patches/adium-1.5.8-disable-ssl-mitigation.patch

diff --git a/contrib/adium-patches/README.txt b/contrib/adium-patches/README.txt
new file mode 100644
index 00000000..fc316d94
--- /dev/null
+++ b/contrib/adium-patches/README.txt
@@ -0,0 +1,38 @@
+After upgrading to Mavericks SIPE always fails with "Read Error"
+================================================================
+
+Apple enabled SSL BEAST mitigation by default in Mac OS X 10.9 (Mavericks):
+
+
+
+This causes an interoperability problem for SIPE, because there are are still
+Microsoft servers out there whose SSL stacks drop connections when the SSL
+stack on the client implements the standard 1/N-1 packet split to mitigate
+against SSL BEAST attacks:
+
+
+
+There is a system preference option in Mac OS X 10.9 to disable SSL BEAST
+mitigation for all SSL connections:
+
+ $ sudo defaults write /Library/Preferences/com.apple.security SSLWriteSplit -integer 0
+
+Unfortnately there is a bug in Mac OS X 10.9 which causes the SSL stack to
+ignore this setting:
+
+
+
+The only known working fix is to patch the SSL CDSA module in the Adium source
+tree to disable the SSL BEAST mitigation for all SSL connection create by the
+"prpl-sipe" plugin. Download the Adium source code, unpack it and then apply
+the patch to it:
+
+ $ cd adium-1.5.8
+ $ patch -p1
+ #import
+ #import
+
+@@ -504,6 +505,20 @@
+ protoErr = SSLSetProtocolVersionEnabled(cdsa_data->ssl_ctx, kTLSProtocol1, true);
+ }
+
++ if (!strcmp(purple_account_get_protocol_id(account),"prpl-sipe")) {
++ purple_debug_info("cdsa", "Explicitly disabling SSL BEAST mitigation for Microsoft Lync 2010 connections\n");
++
++ OSStatus protoErr;
++#if __MAC_OS_X_VERSION_MAX_ALLOWED <= 1090
++#define kSSLSessionOptionSendOneByteRecord 4 /* appears in 10.9 */
++#endif
++
++ protoErr = SSLSetSessionOption(cdsa_data->ssl_ctx, kSSLSessionOptionSendOneByteRecord, false);
++ if (protoErr != noErr) {
++ purple_debug_info("cdsa", "SSLSetSessionOption failed to disable SSL BEAST mitigation\n");
++ }
++ }
++
+ if(gsc->host) {
+ /*
+ * Set the peer's domain name so CDSA can check the certificate's CN
-- 
2.11.4.GIT
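Review bot: The new block turns off the 1/N-1 record split for every account whose protocol id is `prpl-sipe`, while the debug message attributes it to Microsoft Lync 2010 connections only; a comment above the `if` should state the trade-off plainly, e.g. `/* Trades BEAST resistance for interoperability: some Microsoft SSL stacks drop 1/N-1 split records. Applies to all prpl-sipe accounts, not only Lync 2010. */`, and gating it on a per-account setting would keep the weakened configuration away from servers that do not need it. The `OSStatus protoErr;` declared inside the block likely shadows an outer `protoErr` — the variable is assigned on the context line just above the closing `}`, and if its declaration is at function scope (not visible here) reusing it instead of redeclaring avoids a `-Wshadow` warning. The failure path logs at info level although the connection is then likely to hit the very "Read Error" the README describes, so `purple_debug_warning` would be the more appropriate level. The `#if __MAC_OS_X_VERSION_MAX_ALLOWED <= 1090` fallback is harmless here because it follows the SDK includes, but given its own comment "appears in 10.9" the bound reads as if `< 1090` was intended. This is the second hunk of the embedded Adium patch; the outer diff header and the first inner hunk are not visible in this chunk.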