From owner-freebsd-ports-bugs@FreeBSD.ORG  Sat Apr 12 12:10:01 2014
Return-Path: <owner-freebsd-ports-bugs@FreeBSD.ORG>
Delivered-To: freebsd-ports-bugs@smarthost.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id A164B3DB
 for <freebsd-ports-bugs@smarthost.ysv.freebsd.org>;
 Sat, 12 Apr 2014 12:10:01 +0000 (UTC)
Received: from freefall.freebsd.org (freefall.freebsd.org
 [IPv6:2001:1900:2254:206c::16:87])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 835B9107E
 for <freebsd-ports-bugs@smarthost.ysv.freebsd.org>;
 Sat, 12 Apr 2014 12:10:01 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1])
 by freefall.freebsd.org (8.14.8/8.14.8) with ESMTP id s3CCA1hZ037834
 for <freebsd-ports-bugs@freefall.freebsd.org>; Sat, 12 Apr 2014 12:10:01 GMT
 (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
 by freefall.freebsd.org (8.14.8/8.14.8/Submit) id s3CCA1EP037833;
 Sat, 12 Apr 2014 12:10:01 GMT (envelope-from gnats)
Resent-Date: Sat, 12 Apr 2014 12:10:01 GMT
Resent-Message-Id: <201404121210.s3CCA1EP037833@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
 Ashish SHUKLA <ashish@FreeBSD.org>
Received: from chateau.d.if (localhost [IPv6:::1])
 by hub.freebsd.org (Postfix) with ESMTP id 06201B4C;
 Sat, 12 Apr 2014 11:59:58 +0000 (UTC)
Received: from localhost (1001@localhost [local]);
 by localhost (OpenSMTPD) with ESMTPA id d8f54001;
 Sat, 12 Apr 2014 17:29:57 +0530 (IST)
Message-Id: <6019563330596331976.enqueue@chateau.d.if>
Date: Sat, 12 Apr 2014 17:29:57 +0530 (IST)
From: ashish@FreeBSD.org
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.114
Subject: ports/188508: [PATCH] irc/hexchat: Add SSL certificate verification
Cc: gnome@FreeBSD.org, nemysis@FreeBSD.org
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: Ashish SHUKLA <ashish@FreeBSD.org>
List-Id: Ports bug reports <freebsd-ports-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-ports-bugs>, 
 <mailto:freebsd-ports-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports-bugs/>
List-Post: <mailto:freebsd-ports-bugs@freebsd.org>
List-Help: <mailto:freebsd-ports-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports-bugs>, 
 <mailto:freebsd-ports-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Apr 2014 12:10:01 -0000


>Number:         188508
>Category:       ports
>Synopsis:       [PATCH] irc/hexchat: Add SSL certificate verification
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Apr 12 12:10:01 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator:     Ashish SHUKLA
>Release:        FreeBSD 9.2-RELEASE-p4 amd64
>Organization:
The FreeBSD Project
>Environment:
System: FreeBSD chateau.d.if 9.2-RELEASE-p4 FreeBSD 9.2-RELEASE-p4 #1: Wed Apr 9 06:41:45 IST 2014 root@chateau.d.if:/usr/obj/usr/src/sys/CHATEAU amd64


>Description:

Hexchat, currently does not verify SSL certificates. It's the code but it's commented since revision 2 (of xchat codebase), this patch just enables the commented code.

This diff makes the irc/hexchat port use ca_root_nss CA bundle.

This diff could also be used by irc/xchat port (maintainer Cc'ed) with some trivial changes to irc/xchat Makefile.

Thanks in advance!
>How-To-Repeat:
>Fix:
diff -urN /usr/ports/irc/hexchat/Makefile hexchat/Makefile
--- /usr/ports/irc/hexchat/Makefile	2014-04-01 23:24:02.000000000 +0530
+++ hexchat/Makefile	2014-04-12 17:10:26.681891279 +0530
@@ -3,7 +3,7 @@
 
 PORTNAME=	hexchat
 PORTVERSION=	2.9.6.1
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	irc gnome ipv6
 MASTER_SITES=	http://dl.hexchat.org/${PORTNAME}/
 
@@ -30,12 +30,12 @@
 PORTDOCS=	*
 
 OPTIONS_DEFINE=		CANBERRA DBUS DOAT DOCS FISHLIM NLS NOTIFY PERL \
-			PYTHON SOCKS TEXTFE XFT
+			PYTHON SOCKS TEXTFE XFT CA_BUNDLE
 
 OPTIONS_RADIO=		SPELL
 OPTIONS_RADIO_SPELL=	GTKSPELL LIBSEXY STATIC
 
-OPTIONS_DEFAULT=	CANBERRA DBUS NOTIFY LIBSEXY PERL PYTHON SOCKS XFT
+OPTIONS_DEFAULT=	CANBERRA DBUS NOTIFY LIBSEXY PERL PYTHON SOCKS XFT CA_BUNDLE
 
 OPTIONS_SUB=	yes
 
@@ -46,6 +46,7 @@
 LIBSEXY_DESC=		Spell checking support via Libsexy
 STATIC_DESC=		Spell checking embedded in the binary
 TEXTFE_DESC=		Text frontend
+CA_BUNDLE_DESC=		Install CA bundle for SSL verification
 
 CANBERRA_LIB_DEPENDS=	libcanberra.so:${PORTSDIR}/audio/libcanberra
 CANBERRA_CONFIGURE_ENABLE=	libcanberra
@@ -65,6 +66,7 @@
 XFT_CONFIGURE_ENABLE=	xft
 GTKSPELL_LIB_DEPENDS=	libgtkspell.so:${PORTSDIR}/textproc/gtkspell
 LIBSEXY_LIB_DEPENDS=	libsexy.so:${PORTSDIR}/x11-toolkits/libsexy
+CA_BUNDLE_RUN_DEPENDS=  ${LOCALBASE}/share/certs/ca-root-nss.crt:${PORTSDIR}/security/ca_root_nss
 
 .include <bsd.port.options.mk>
 
@@ -100,10 +102,18 @@
 USE_GNOME+=	gconf2
 .endif
 
+.if ${PORT_OPTIONS:MCA_BUNDLE}
+CA_BUNDLE=	"${LOCALBASE}/share/certs/ca-root-nss.crt"
+.else
+CA_BUNDLE=	NULL
+.endif
+
 post-patch:
 	@${REINPLACE_CMD} -e 's|/bin/bash|/bin/sh|g' ${WRKSRC}/autogen.sh
 	@${REINPLACE_CMD} -e '/^appdata_DATA/s|hexchat.appdata.xml||' \
 		${WRKSRC}/share/misc/Makefile.am ${WRKSRC}/share/misc/Makefile.in
+	@${REINPLACE_CMD} -e 's,%%PATH_TO_CA_BUNDLE%%,${CA_BUNDLE},g' \
+		${WRKSRC}/src/common/server.c
 
 pre-configure:
 	@(cd ${WRKSRC} && ${SETENV} ${CONFIGURE_ENV} ./autogen.sh)
diff -urN /usr/ports/irc/hexchat/files/patch-src_common_server.c hexchat/files/patch-src_common_server.c
--- /usr/ports/irc/hexchat/files/patch-src_common_server.c	1970-01-01 05:30:00.000000000 +0530
+++ hexchat/files/patch-src_common_server.c	2014-04-12 17:03:53.361891004 +0530
@@ -0,0 +1,14 @@
+
+$FreeBSD$
+
+--- src/common/server.c.orig
++++ src/common/server.c
+@@ -862,7 +862,7 @@
+ 		/* it'll be a memory leak, if connection isn't terminated by
+ 		   server_cleanup() */
+ 		serv->ssl = _SSL_socket (ctx, serv->sok);
+-		if ((err = _SSL_set_verify (ctx, ssl_cb_verify, NULL)))
++		if ((err = _SSL_set_verify (ctx, ssl_cb_verify, %%PATH_TO_CA_BUNDLE%%)))
+ 		{
+ 			EMIT_SIGNAL (XP_TE_CONNFAIL, serv->server_session, err, NULL,
+ 							 NULL, NULL, 0);
diff -urN /usr/ports/irc/hexchat/files/patch-src_common_ssl.c hexchat/files/patch-src_common_ssl.c
--- /usr/ports/irc/hexchat/files/patch-src_common_ssl.c	1970-01-01 05:30:00.000000000 +0530
+++ hexchat/files/patch-src_common_ssl.c	2014-04-12 17:03:50.448891728 +0530
@@ -0,0 +1,23 @@
+
+$FreeBSD$
+
+--- src/common/ssl.c.orig
++++ src/common/ssl.c
+@@ -305,7 +305,7 @@
+ 		__SSL_fill_err_buf ("SSL_CTX_set_default_verify_paths");
+ 		return (err_buf);
+ 	}
+-/*
++
+ 	if (cacert)
+ 	{
+ 		if (!SSL_CTX_load_verify_locations (ctx, cacert, NULL))
+@@ -314,7 +314,7 @@
+ 			return (err_buf);
+ 		}
+ 	}
+-*/
++
+ 	SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER, verify_callback);
+ 
+ 	return (NULL);

>Release-Note:
>Audit-Trail:
>Unformatted: