[geary] Disable SSLv3 (POODLE attack) in GnuTLS: Bug #739019
- From: Jim Nelson <jnelson src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [geary] Disable SSLv3 (POODLE attack) in GnuTLS: Bug #739019
- Date: Thu, 23 Oct 2014 00:03:57 +0000 (UTC)
commit 8e272f3f15f3828631fb274b37e534c0c3e545d6
Author: Jim Nelson <jim yorba org>
Date: Wed Oct 22 17:01:31 2014 -0700
Disable SSLv3 (POODLE attack) in GnuTLS: Bug #739019
This disables SSLv3 in GnuTLS (and therefore WebKit) to avoid
susceptibility to the POODLE attack vector. This is an extremely
unlikely vector for Geary as Javascript is disabled for all WebKit
views.
configure | 6 ++++++
src/CMakeLists.txt | 10 ++++++++++
src/client/application/main.vala | 15 +++++++++++++++
3 files changed, 31 insertions(+), 0 deletions(-)
---
diff --git a/configure b/configure
index 3fbbdbf..e8c45b2 100755
--- a/configure
+++ b/configure
@@ -40,6 +40,8 @@ configure_help() {
Disable generating and installing translated help documentation.
--disable-contractor
Disable installing Contractor files.
+ --disable-poodle-ssl3
+ Disable POODLE SSLv3 GnuTLS priority fix. (Not recommended.)
Some influential environment variables:
PKG_CONFIG_PATH Adds directories to pkg-config's search path.
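Review bot: The help text for `--disable-poodle-ssl3` names the fix but not what it does to the build, so a packager cannot tell from `./configure --help` what they are switching off or that the runtime already allows an override. Suggest `--disable-poodle-ssl3` / `Do not set G_TLS_GNUTLS_PRIORITY at startup to block SSLv3; users can still set it in the environment. (Not recommended.)`. The option name (`poodle-ssl3`) also differs from the CMake/Vala symbol it sets (`DISABLE_POODLE`, second hunk of this file and src/CMakeLists.txt); aligning them, or stating the mapping here, would make the three pieces easier to trace. configure_help's body continues outside the hunk.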
@@ -123,6 +125,10 @@ do
CMDLINE="${CMDLINE} -DDISABLE_CONTRACT=ON"
;;
+ --disable-poodle-ssl3)
+ CMDLINE="${CMDLINE} -DDISABLE_POODLE=ON"
+ ;;
+
VALAC) [ ! $value ] && abort $1
VALAC=$value
;;
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 5579bcb..dbae9fe 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -592,6 +592,16 @@ else ()
message(STATUS "Unity interface changes: OFF")
endif ()
+if (DISABLE_POODLE)
+ message(STATUS "POODLE SSLv3 fix: OFF")
+ set(EXTRA_VALA_OPTIONS
+ ${EXTRA_VALA_OPTIONS}
+ --define=DISABLE_POODLE
+ )
+else ()
+ message(STATUS "POODLE SSLv3 fix: ON")
+endif ()
+
set(LIB_PATHS ${DEPS_LIBRARY_DIRS})
link_directories(${LIB_PATHS})
add_definitions(${CFLAGS})
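Review bot: `DISABLE_POODLE` is consumed by `if (DISABLE_POODLE)` but, within this hunk, never declared, so it only exists when passed as `-DDISABLE_POODLE=ON` and does not show up in the CMake cache or `ccmake` alongside the other switches. If the neighbouring flags such as `DISABLE_CONTRACT` are declared with `option()` earlier in the file (not visible here), this one should follow suit: `option(DISABLE_POODLE "Do not set G_TLS_GNUTLS_PRIORITY to block SSLv3 at startup" OFF)`. A one-line comment above the block explaining that the define only affects Vala compilation (`--define=DISABLE_POODLE`) would also help, since the `message()` text suggests a broader build-level change.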
diff --git a/src/client/application/main.vala b/src/client/application/main.vala
index f782f1f..c0a4dd7 100644
--- a/src/client/application/main.vala
+++ b/src/client/application/main.vala
@@ -5,6 +5,21 @@
*/
int main(string[] args) {
+ // POODLE SSLv3: This disables SSLv3 inside of GnuTLS preventing the exploit described at:
+ // http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html
+ // Although it's extremely unlikely Geary presents an open attack vector (because Javascript
+ // must be enabled in WebKit), it still makes sense to disable this version of SSL. See more
+ // at https://bugzilla.gnome.org/show_bug.cgi?id=738633
+ //
+ // This *must* be done before any threads are created, as their copy of the envvars is not
+ // updated with this call. overwrite is set to false to allow the user to override the priority
+ // string if they need to.
+ //
+ // Packages can disable this fix with the --disable-poodle-ssl3 configure option.
+#if !DISABLE_POODLE
+ Environment.set_variable("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:!VERS-SSL3.0", false);
+#endif
+
GearyApplication app = new GearyApplication();
int ec = app.run(args);
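Review bot: With `overwrite` set to false, a pre-existing `G_TLS_GNUTLS_PRIORITY` silently wins and the SSLv3 exclusion is never applied, and `set_variable` returns true in that case, so the result cannot be checked for it; nothing records which priority string is actually in effect. A cheap way to keep that visible is to test the variable first, `if (Environment.get_variable("G_TLS_GNUTLS_PRIORITY") != null)` / `debug("G_TLS_GNUTLS_PRIORITY already set; not overriding GnuTLS priority");`, before the existing `Environment.set_variable(...)` call. The comment cites bug 738633 while the commit title is Bug #739019; if 738633 is the upstream or WebKit report rather than Geary's own, the comment should say so to avoid confusion. The comment could also note that this works only because glib-networking's GnuTLS backend reads `G_TLS_GNUTLS_PRIORITY`, which is the assumption the whole fix rests on. main's body continues outside the hunk.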