Date:      Sat, 12 Apr 2014 17:29:57 +0530 (IST)
From:      ashish@FreeBSD.org
To:        FreeBSD-gnats-submit@freebsd.org
Cc:        gnome@FreeBSD.org, nemysis@FreeBSD.org
Subject:   [PATCH] irc/hexchat: Add SSL certificate verification
Message-ID:  <6019563330596331976.enqueue@chateau.d.if>


>Submitter-Id:	current-users
>Originator:	Ashish SHUKLA
>Organization:	The FreeBSD Project
>Confidential:	no
>Synopsis:	[PATCH] irc/hexchat: Add SSL certificate verification
>Severity:	serious
>Priority:	low
>Category:	ports
>Class:		sw-bug
>Release:	FreeBSD 9.2-RELEASE-p4 amd64
>Environment:
System: FreeBSD chateau.d.if 9.2-RELEASE-p4 FreeBSD 9.2-RELEASE-p4 #1: Wed Apr 9 06:41:45 IST 2014 root@chateau.d.if:/usr/obj/usr/src/sys/CHATEAU amd64


>Description:

Hexchat currently does not verify SSL certificates. The code to do so exists, but it has been commented out since revision 2 (of the xchat codebase); this patch just enables that commented-out code.

This diff makes the irc/hexchat port use ca_root_nss CA bundle.

This diff could also be used by irc/xchat port (maintainer Cc'ed) with some trivial changes to irc/xchat Makefile.

Thanks in advance!
>How-To-Repeat:
>Fix:
diff -urN /usr/ports/irc/hexchat/Makefile hexchat/Makefile
--- /usr/ports/irc/hexchat/Makefile	2014-04-01 23:24:02.000000000 +0530
+++ hexchat/Makefile	2014-04-12 17:10:26.681891279 +0530
@@ -3,7 +3,7 @@
 
 PORTNAME=	hexchat
 PORTVERSION=	2.9.6.1
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	irc gnome ipv6
 MASTER_SITES=	http://dl.hexchat.org/${PORTNAME}/
 
@@ -30,12 +30,12 @@
 PORTDOCS=	*
 
 OPTIONS_DEFINE=		CANBERRA DBUS DOAT DOCS FISHLIM NLS NOTIFY PERL \
-			PYTHON SOCKS TEXTFE XFT
+			PYTHON SOCKS TEXTFE XFT CA_BUNDLE
 
 OPTIONS_RADIO=		SPELL
 OPTIONS_RADIO_SPELL=	GTKSPELL LIBSEXY STATIC
 
-OPTIONS_DEFAULT=	CANBERRA DBUS NOTIFY LIBSEXY PERL PYTHON SOCKS XFT
+OPTIONS_DEFAULT=	CANBERRA DBUS NOTIFY LIBSEXY PERL PYTHON SOCKS XFT CA_BUNDLE
 
 OPTIONS_SUB=	yes
 
@@ -46,6 +46,7 @@
 LIBSEXY_DESC=		Spell checking support via Libsexy
 STATIC_DESC=		Spell checking embedded in the binary
 TEXTFE_DESC=		Text frontend
+CA_BUNDLE_DESC=		Install CA bundle for SSL verification
 
 CANBERRA_LIB_DEPENDS=	libcanberra.so:${PORTSDIR}/audio/libcanberra
 CANBERRA_CONFIGURE_ENABLE=	libcanberra
@@ -65,6 +66,7 @@
 XFT_CONFIGURE_ENABLE=	xft
 GTKSPELL_LIB_DEPENDS=	libgtkspell.so:${PORTSDIR}/textproc/gtkspell
 LIBSEXY_LIB_DEPENDS=	libsexy.so:${PORTSDIR}/x11-toolkits/libsexy
+CA_BUNDLE_RUN_DEPENDS=  ${LOCALBASE}/share/certs/ca-root-nss.crt:${PORTSDIR}/security/ca_root_nss
 
 .include <bsd.port.options.mk>
 
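Review bot: The new `CA_BUNDLE_RUN_DEPENDS` line in this hunk separates the value from the `=` with two spaces, while every neighbouring assignment (`LIBSEXY_LIB_DEPENDS`, `GTKSPELL_LIB_DEPENDS`, `XFT_CONFIGURE_ENABLE`) uses a tab, so the column alignment breaks at standard tab stops. Use a tab there: `CA_BUNDLE_RUN_DEPENDS=	${LOCALBASE}/share/certs/ca-root-nss.crt:${PORTSDIR}/security/ca_root_nss`.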
@@ -100,10 +102,18 @@
 USE_GNOME+=	gconf2
 .endif
 
+.if ${PORT_OPTIONS:MCA_BUNDLE}
+CA_BUNDLE=	"${LOCALBASE}/share/certs/ca-root-nss.crt"
+.else
+CA_BUNDLE=	NULL
+.endif
+
 post-patch:
 	@${REINPLACE_CMD} -e 's|/bin/bash|/bin/sh|g' ${WRKSRC}/autogen.sh
 	@${REINPLACE_CMD} -e '/^appdata_DATA/s|hexchat.appdata.xml||' \
 		${WRKSRC}/share/misc/Makefile.am ${WRKSRC}/share/misc/Makefile.in
+	@${REINPLACE_CMD} -e 's,%%PATH_TO_CA_BUNDLE%%,${CA_BUNDLE},g' \
+		${WRKSRC}/src/common/server.c
 
 pre-configure:
 	@(cd ${WRKSRC} && ${SETENV} ${CONFIGURE_ENV} ./autogen.sh)
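Review bot: With the CA_BUNDLE option off, `CA_BUNDLE=	NULL` is substituted into server.c, but the accompanying ssl.c patch still calls `SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER, ...)` unconditionally, so the option does not turn verification off as the wording of `CA_BUNDLE_DESC` ("Install CA bundle for SSL verification") suggests; it only drops the explicit trust store, leaving whatever `SSL_CTX_set_default_verify_paths` finds, which on a FreeBSD host without a CA bundle installed is presumably empty and would make every verified connection fail. That is the safer failure mode, but it should be stated rather than discovered: consider `CA_BUNDLE_DESC=	Use the ca_root_nss bundle as the trust store for SSL verification` and a sentence in the option description or pkg-message noting that with it off the OpenSSL default verify path must be populated. The double quotes in `CA_BUNDLE=	"${LOCALBASE}/share/certs/ca-root-nss.crt"` are load-bearing (make keeps them, and they become the C string literal after the REINPLACE), so a one-line comment above that `.if` saying so would stop the next maintainer from "fixing" them.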
diff -urN /usr/ports/irc/hexchat/files/patch-src_common_server.c hexchat/files/patch-src_common_server.c
--- /usr/ports/irc/hexchat/files/patch-src_common_server.c	1970-01-01 05:30:00.000000000 +0530
+++ hexchat/files/patch-src_common_server.c	2014-04-12 17:03:53.361891004 +0530
@@ -0,0 +1,14 @@
+
+$FreeBSD$
+
+--- src/common/server.c.orig
++++ src/common/server.c
+@@ -862,7 +862,7 @@
+ 		/* it'll be a memory leak, if connection isn't terminated by
+ 		   server_cleanup() */
+ 		serv->ssl = _SSL_socket (ctx, serv->sok);
+-		if ((err = _SSL_set_verify (ctx, ssl_cb_verify, NULL)))
++		if ((err = _SSL_set_verify (ctx, ssl_cb_verify, %%PATH_TO_CA_BUNDLE%%)))
+ 		{
+ 			EMIT_SIGNAL (XP_TE_CONNFAIL, serv->server_session, err, NULL,
+ 							 NULL, NULL, 0);
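Review bot: `_SSL_set_verify (ctx, ssl_cb_verify, %%PATH_TO_CA_BUNDLE%%)` runs after `serv->ssl = _SSL_socket (ctx, serv->sok)` on the line above it; if `_SSL_socket` creates `serv->ssl` with `SSL_new`, OpenSSL copies the context's verify mode and callback into the SSL object at that moment, so the `SSL_VERIFY_PEER` that the ssl.c patch later sets on `ctx` would not apply to this connection and the handshake would proceed unverified. Loading the CA file is unaffected, since the X509 store is shared through the context, but the verify mode is per-SSL. This is worth confirming against `_SSL_socket` in ssl.c; if it does call `SSL_new`, either move the `_SSL_set_verify` call ahead of `_SSL_socket`, or have `_SSL_set_verify` also apply `SSL_set_verify` to the created SSL object. The enclosing function starts and ends outside the hunk.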
diff -urN /usr/ports/irc/hexchat/files/patch-src_common_ssl.c hexchat/files/patch-src_common_ssl.c
--- /usr/ports/irc/hexchat/files/patch-src_common_ssl.c	1970-01-01 05:30:00.000000000 +0530
+++ hexchat/files/patch-src_common_ssl.c	2014-04-12 17:03:50.448891728 +0530
@@ -0,0 +1,23 @@
+
+$FreeBSD$
+
+--- src/common/ssl.c.orig
++++ src/common/ssl.c
+@@ -305,7 +305,7 @@
+ 		__SSL_fill_err_buf ("SSL_CTX_set_default_verify_paths");
+ 		return (err_buf);
+ 	}
+-/*
++
+ 	if (cacert)
+ 	{
+ 		if (!SSL_CTX_load_verify_locations (ctx, cacert, NULL))
+@@ -314,7 +314,7 @@
+ 			return (err_buf);
+ 		}
+ 	}
+-*/
++
+ 	SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER, verify_callback);
+ 
+ 	return (NULL);
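Review bot: Whether `SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER, verify_callback)` actually rejects an untrusted chain depends entirely on `verify_callback` (`ssl_cb_verify` from server.c), which is outside this hunk: OpenSSL takes the callback's return value as the verdict, so a callback that unconditionally returns true, as the xchat-era `ssl_cb_verify` did if memory serves, turns `SSL_VERIFY_PEER` into logging only. Please check that the callback returns the `ok` it is handed (`return ok;`) rather than a constant; otherwise this patch enables the plumbing but not the verification. Two smaller points: the `-/*` and `-*/` lines are replaced by empty `+` lines rather than deleted, leaving two stray blank lines in the function, and a `cacert` path that fails `SSL_CTX_load_verify_locations` already returns `err_buf`, which is the right fail-closed behaviour and deserves a short comment saying so. The enclosing function (presumably `_SSL_set_verify`) begins before the first inner hunk and its closing brace is outside the last one.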



