Date:      Wed, 24 Jan 2018 01:03:03 +0000 (UTC)
From:      Michael Gmelin <grembo@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r459808 - in head/databases: mariadb101-client/files mariadb101-server mariadb101-server/files mariadb102-client mariadb102-client/files mariadb102-server mariadb102-server/files
Message-ID:  <201801240103.w0O133Ef061205@repo.freebsd.org>

Author: grembo
Date: Wed Jan 24 01:03:03 2018
New Revision: 459808
URL: https://svnweb.freebsd.org/changeset/ports/459808

Log:
  Fix databases/mariadb* hostname verification when building against LibreSSL
  
  LibreSSL imported X509_check_host from BoringSSL. Unlike OpenSSL,
  it doesn't calculate the length of the hostname passed in case
  chklen/namelen == 0. This means that the check in MariaDB always
  fails if built against LibreSSL. This forces administrators to disable
  hostname verification, which weakens security (hence the MFH request below).
  
  Note that the fix has no negative implications if built against OpenSSL,
  as its implementation calls strlen(hostname) in case namelen == 0.
  
  See also https://github.com/MariaDB/server/pull/562
  
  Approved by:	ssl blanket
  MFH:		2018Q1

Added:
  head/databases/mariadb101-client/files/patch-sql-common_client.c   (contents, props changed)
  head/databases/mariadb101-server/files/patch-sql-common_client.c   (contents, props changed)
  head/databases/mariadb102-client/files/patch-sql-common_client.c   (contents, props changed)
Modified:
  head/databases/mariadb101-server/Makefile
  head/databases/mariadb102-client/Makefile
  head/databases/mariadb102-server/Makefile
  head/databases/mariadb102-server/files/patch-sql-common_client.c

Added: head/databases/mariadb101-client/files/patch-sql-common_client.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/databases/mariadb101-client/files/patch-sql-common_client.c	Wed Jan 24 01:03:03 2018	(r459808)
@@ -0,0 +1,12 @@
+--- sql-common/client.c.orig	2018-01-24 00:36:45.520273000 +0100
++++ sql-common/client.c	2018-01-24 00:37:57.536367000 +0100
+@@ -1821,7 +1821,8 @@
+   */
+ 
+ #ifdef HAVE_X509_check_host
+-  ret_validation= X509_check_host(server_cert, server_hostname, 0, 0, 0) != 1;
++  ret_validation= X509_check_host(server_cert, server_hostname,
++                                  strlen(server_hostname), 0, 0) != 1;
+ #else
+   subject= X509_get_subject_name(server_cert);
+   cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1);
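Review bot: The new call on the `+` lines passes `strlen(server_hostname)` with no local NULL guard, which is undefined behaviour if `server_hostname` is NULL; the enclosing function starts and ends outside the hunk, so whether an earlier `if (!server_hostname)` rejection exists (upstream MariaDB's `ssl_verify_server_cert` has one) cannot be confirmed here and should be checked before relying on it. The reason for passing an explicit length is also not recorded in the code itself, only in the commit message; a one-line comment above the call would keep that rationale with the source: `/* Pass the length explicitly: LibreSSL's X509_check_host does not treat namelen == 0 as "use strlen()" */`. `strlen` additionally needs `<string.h>` (or MariaDB's string wrappers) in scope; client.c presumably already includes it, but that is not visible in this hunk. The identical change appears in the mariadb101-server, mariadb102-client and mariadb102-server patch files below, and this note applies to each of them.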

Modified: head/databases/mariadb101-server/Makefile
==============================================================================
--- head/databases/mariadb101-server/Makefile	Wed Jan 24 00:55:09 2018	(r459807)
+++ head/databases/mariadb101-server/Makefile	Wed Jan 24 01:03:03 2018	(r459808)
@@ -2,7 +2,7 @@
 
 PORTNAME?=	mariadb
 PORTVERSION=	10.1.30
-PORTREVISION?=	1
+PORTREVISION?=	2
 CATEGORIES=	databases ipv6
 MASTER_SITES=	http://ftp.osuosl.org/pub/${SITESDIR}/ \
 		http://mirrors.supportex.net/${SITESDIR}/ \

Added: head/databases/mariadb101-server/files/patch-sql-common_client.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/databases/mariadb101-server/files/patch-sql-common_client.c	Wed Jan 24 01:03:03 2018	(r459808)
@@ -0,0 +1,12 @@
+--- sql-common/client.c.orig	2018-01-24 00:36:45.520273000 +0100
++++ sql-common/client.c	2018-01-24 00:37:57.536367000 +0100
+@@ -1821,7 +1821,8 @@
+   */
+ 
+ #ifdef HAVE_X509_check_host
+-  ret_validation= X509_check_host(server_cert, server_hostname, 0, 0, 0) != 1;
++  ret_validation= X509_check_host(server_cert, server_hostname,
++                                  strlen(server_hostname), 0, 0) != 1;
+ #else
+   subject= X509_get_subject_name(server_cert);
+   cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1);

Modified: head/databases/mariadb102-client/Makefile
==============================================================================
--- head/databases/mariadb102-client/Makefile	Wed Jan 24 00:55:09 2018	(r459807)
+++ head/databases/mariadb102-client/Makefile	Wed Jan 24 01:03:03 2018	(r459808)
@@ -1,7 +1,7 @@
 # $FreeBSD$
 
 PORTNAME=	mariadb
-PORTREVISION=	0
+PORTREVISION=	1
 PKGNAMESUFFIX=	102-client
 
 COMMENT=	Multithreaded SQL database (client)

Added: head/databases/mariadb102-client/files/patch-sql-common_client.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/databases/mariadb102-client/files/patch-sql-common_client.c	Wed Jan 24 01:03:03 2018	(r459808)
@@ -0,0 +1,23 @@
+--- sql-common/client.c.orig	2018-01-03 14:48:29.000000000 +0100
++++ sql-common/client.c	2018-01-24 00:45:11.194419000 +0100
+@@ -104,6 +104,10 @@
+ #define CONNECT_TIMEOUT 0
+ #endif
+ 
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) || defined(HAVE_YASSL)
++#define ASN1_STRING_get0_data(X) ASN1_STRING_data(X)
++#endif
++
+ #include "client_settings.h"
+ #include <ssl_compat.h>
+ #include <sql_common.h>
+@@ -1822,7 +1826,8 @@
+   */
+ 
+ #ifdef HAVE_X509_check_host
+-  ret_validation= X509_check_host(server_cert, server_hostname, 0, 0, 0) != 1;
++  ret_validation= X509_check_host(server_cert, server_hostname,
++                                  strlen(server_hostname), 0, 0) != 1;
+ #else
+   subject= X509_get_subject_name(server_cert);
+   cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1);

Modified: head/databases/mariadb102-server/Makefile
==============================================================================
--- head/databases/mariadb102-server/Makefile	Wed Jan 24 00:55:09 2018	(r459807)
+++ head/databases/mariadb102-server/Makefile	Wed Jan 24 01:03:03 2018	(r459808)
@@ -2,7 +2,7 @@
 
 PORTNAME?=	mariadb
 PORTVERSION=	10.2.12
-PORTREVISION?=	1
+PORTREVISION?=	2
 CATEGORIES=	databases ipv6
 MASTER_SITES=	http://mirrors.supportex.net/${SITESDIR}/ \
 		http://mirror2.hs-esslingen.de/pub/Mirrors/${SITESDIR}/ \

Modified: head/databases/mariadb102-server/files/patch-sql-common_client.c
==============================================================================
--- head/databases/mariadb102-server/files/patch-sql-common_client.c	Wed Jan 24 00:55:09 2018	(r459807)
+++ head/databases/mariadb102-server/files/patch-sql-common_client.c	Wed Jan 24 01:03:03 2018	(r459808)
@@ -1,6 +1,6 @@
---- sql-common/client.c.orig	2017-05-14 23:13:18 UTC
-+++ sql-common/client.c
-@@ -104,6 +104,10 @@ my_bool	net_flush(NET *net);
+--- sql-common/client.c.orig	2018-01-03 14:48:29.000000000 +0100
++++ sql-common/client.c	2018-01-24 00:45:11.194419000 +0100
+@@ -104,6 +104,10 @@
  #define CONNECT_TIMEOUT 0
  #endif
  
@@ -11,3 +11,13 @@
  #include "client_settings.h"
  #include <ssl_compat.h>
  #include <sql_common.h>
+@@ -1822,7 +1826,8 @@
+   */
+ 
+ #ifdef HAVE_X509_check_host
+-  ret_validation= X509_check_host(server_cert, server_hostname, 0, 0, 0) != 1;
++  ret_validation= X509_check_host(server_cert, server_hostname,
++                                  strlen(server_hostname), 0, 0) != 1;
+ #else
+   subject= X509_get_subject_name(server_cert);
+   cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1);


