Date: Thu, 25 Jan 2018 15:47:01 +0000 (UTC)
From: Michael Gmelin <grembo@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject: svn commit: r459949 - in branches/2018Q1/databases: mariadb101-client/files mariadb101-server mariadb101-server/files mariadb102-client mariadb102-client/files mariadb102-server mariadb102-server/f...
Message-ID: <201801251547.w0PFl192023939@repo.freebsd.org>
Author: grembo
Date: Thu Jan 25 15:47:01 2018
New Revision: 459949
URL: https://svnweb.freebsd.org/changeset/ports/459949

Log:
  MFH: r459808

  Fix databases/mariadb* hostname verification when building against LibreSSL

  LibreSSL imported X509_check_host from BoringSSL. Unlike OpenSSL, it doesn't
  calculate the length of the hostname passed in case chklen/namelen == 0.
  This means that the check in MariaDB always fails if built against LibreSSL.

  This forces administrators to disable hostname verification, which weakens
  security (hence the MFH request below).

  Note that the fix has no negative implications if built against OpenSSL, as
  its implementation calls strlen(hostname) in case namelen == 0.

  See also https://github.com/MariaDB/server/pull/562

  Approved by: portmgr

Added:
  branches/2018Q1/databases/mariadb101-client/files/patch-sql-common_client.c
     - copied unchanged from r459808, head/databases/mariadb101-client/files/patch-sql-common_client.c
  branches/2018Q1/databases/mariadb101-server/files/patch-sql-common_client.c
     - copied unchanged from r459808, head/databases/mariadb101-server/files/patch-sql-common_client.c
  branches/2018Q1/databases/mariadb102-client/files/patch-sql-common_client.c
     - copied unchanged from r459808, head/databases/mariadb102-client/files/patch-sql-common_client.c
Modified:
  branches/2018Q1/databases/mariadb101-server/Makefile
  branches/2018Q1/databases/mariadb102-client/Makefile
  branches/2018Q1/databases/mariadb102-server/Makefile
  branches/2018Q1/databases/mariadb102-server/files/patch-sql-common_client.c
Directory Properties:
  branches/2018Q1/   (props changed)

Copied: branches/2018Q1/databases/mariadb101-client/files/patch-sql-common_client.c (from r459808, head/databases/mariadb101-client/files/patch-sql-common_client.c)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2018Q1/databases/mariadb101-client/files/patch-sql-common_client.c Thu Jan 25 15:47:01 2018 (r459949, copy of r459808, head/databases/mariadb101-client/files/patch-sql-common_client.c) @@ -0,0 +1,12 @@ +--- sql-common/client.c.orig 2018-01-24 00:36:45.520273000 +0100 ++++ sql-common/client.c 2018-01-24 00:37:57.536367000 +0100 +@@ -1821,7 +1821,8 @@ + */ + + #ifdef HAVE_X509_check_host +- ret_validation= X509_check_host(server_cert, server_hostname, 0, 0, 0) != 1; ++ ret_validation= X509_check_host(server_cert, server_hostname, ++ strlen(server_hostname), 0, 0) != 1; + #else + subject= X509_get_subject_name(server_cert); + cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1); Modified: branches/2018Q1/databases/mariadb101-server/Makefile ============================================================================== --- branches/2018Q1/databases/mariadb101-server/Makefile Thu Jan 25 15:06:00 2018 (r459948) +++ branches/2018Q1/databases/mariadb101-server/Makefile Thu Jan 25 15:47:01 2018 (r459949) @@ -2,7 +2,7 @@ PORTNAME?= mariadb PORTVERSION= 10.1.30 -PORTREVISION?= 0 +PORTREVISION?= 2 CATEGORIES= databases ipv6 MASTER_SITES= http://ftp.osuosl.org/pub/${SITESDIR}/ \ http://mirrors.supportex.net/${SITESDIR}/ \ Copied: branches/2018Q1/databases/mariadb101-server/files/patch-sql-common_client.c (from r459808, head/databases/mariadb101-server/files/patch-sql-common_client.c) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2018Q1/databases/mariadb101-server/files/patch-sql-common_client.c Thu Jan 25 15:47:01 2018 (r459949, copy of r459808, head/databases/mariadb101-server/files/patch-sql-common_client.c) 
@@ -0,0 +1,12 @@ +--- sql-common/client.c.orig 2018-01-24 00:36:45.520273000 +0100 ++++ sql-common/client.c 2018-01-24 00:37:57.536367000 +0100 +@@ -1821,7 +1821,8 @@ + */ + + #ifdef HAVE_X509_check_host +- ret_validation= X509_check_host(server_cert, server_hostname, 0, 0, 0) != 1; ++ ret_validation= X509_check_host(server_cert, server_hostname, ++ strlen(server_hostname), 0, 0) != 1; + #else + subject= X509_get_subject_name(server_cert); + cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1); Modified: branches/2018Q1/databases/mariadb102-client/Makefile ============================================================================== --- branches/2018Q1/databases/mariadb102-client/Makefile Thu Jan 25 15:06:00 2018 (r459948) +++ branches/2018Q1/databases/mariadb102-client/Makefile Thu Jan 25 15:47:01 2018 (r459949) @@ -1,7 +1,7 @@ # $FreeBSD$ PORTNAME= mariadb -PORTREVISION= 0 +PORTREVISION= 1 PKGNAMESUFFIX= 102-client COMMENT= Multithreaded SQL database (client) Copied: branches/2018Q1/databases/mariadb102-client/files/patch-sql-common_client.c (from r459808, head/databases/mariadb102-client/files/patch-sql-common_client.c) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2018Q1/databases/mariadb102-client/files/patch-sql-common_client.c Thu Jan 25 15:47:01 2018 (r459949, copy of r459808, head/databases/mariadb102-client/files/patch-sql-common_client.c) 
@@ -0,0 +1,23 @@ +--- sql-common/client.c.orig 2018-01-03 14:48:29.000000000 +0100 ++++ sql-common/client.c 2018-01-24 00:45:11.194419000 +0100 +@@ -104,6 +104,10 @@ + #define CONNECT_TIMEOUT 0 + #endif + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) || defined(HAVE_YASSL) ++#define ASN1_STRING_get0_data(X) ASN1_STRING_data(X) ++#endif ++ + #include "client_settings.h" + #include <ssl_compat.h> + #include <sql_common.h> +@@ -1822,7 +1826,8 @@ + */ + + #ifdef HAVE_X509_check_host +- ret_validation= X509_check_host(server_cert, server_hostname, 0, 0, 0) != 1; ++ ret_validation= X509_check_host(server_cert, server_hostname, ++ strlen(server_hostname), 0, 0) != 1; + #else + subject= X509_get_subject_name(server_cert); + cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1); Modified: branches/2018Q1/databases/mariadb102-server/Makefile ============================================================================== --- branches/2018Q1/databases/mariadb102-server/Makefile Thu Jan 25 15:06:00 2018 (r459948) +++ branches/2018Q1/databases/mariadb102-server/Makefile Thu Jan 25 15:47:01 2018 (r459949) @@ -2,7 +2,7 @@ PORTNAME?= mariadb PORTVERSION= 10.2.11 -PORTREVISION?= 1 +PORTREVISION?= 2 CATEGORIES= databases ipv6 MASTER_SITES= http://mirrors.supportex.net/${SITESDIR}/ \ http://mirror2.hs-esslingen.de/pub/Mirrors/${SITESDIR}/ \ Modified: branches/2018Q1/databases/mariadb102-server/files/patch-sql-common_client.c ============================================================================== --- branches/2018Q1/databases/mariadb102-server/files/patch-sql-common_client.c Thu Jan 25 15:06:00 2018 (r459948) +++ branches/2018Q1/databases/mariadb102-server/files/patch-sql-common_client.c Thu Jan 25 15:47:01 2018 (r459949) 
@@ -1,6 +1,6 @@ ---- sql-common/client.c.orig 2017-05-14 23:13:18 UTC -+++ sql-common/client.c -@@ -104,6 +104,10 @@ my_bool net_flush(NET *net); +--- sql-common/client.c.orig 2018-01-03 14:48:29.000000000 +0100 ++++ sql-common/client.c 2018-01-24 00:45:11.194419000 +0100 +@@ -104,6 +104,10 @@ #define CONNECT_TIMEOUT 0 #endif @@ -11,3 +11,13 @@ #include "client_settings.h" #include <ssl_compat.h> #include <sql_common.h> +@@ -1822,7 +1826,8 @@ + */ + + #ifdef HAVE_X509_check_host +- ret_validation= X509_check_host(server_cert, server_hostname, 0, 0, 0) != 1; ++ ret_validation= X509_check_host(server_cert, server_hostname, ++ strlen(server_hostname), 0, 0) != 1; + #else + subject= X509_get_subject_name(server_cert); + cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1);
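Review bot: in the sql-common/client.c hunk at -1821 / -1822 (the same change in all four patch files), strlen(server_hostname) now dereferences the pointer before X509_check_host is called, and the visible context shows no NULL check on server_hostname. Please confirm that the function rejects a NULL hostname before the #ifdef HAVE_X509_check_host block, or add the guard here. A short comment next to the call stating that LibreSSL does not compute the length when namelen is 0 would also keep the argument from being changed back to 0 later.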
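Review bot: in the -104,6 +104,10 hunk of the mariadb102 patches, the #if that tests OPENSSL_VERSION_NUMBER and LIBRESSL_VERSION_NUMBER sits above #include "client_settings.h" and #include <ssl_compat.h>. If no header included earlier in client.c has already defined those macros, an undefined OPENSSL_VERSION_NUMBER evaluates to 0 in the #if, the condition is always true, and ASN1_STRING_get0_data is remapped to ASN1_STRING_data regardless of the library version. Consider moving the block below the includes that pull in the SSL headers, or confirm which earlier include defines the version macros.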
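Review bot: mariadb101-client gets a new files/patch-sql-common_client.c, but no Makefile under mariadb101-client appears in the Modified list, so its package only gets a new revision if it inherits PORTREVISION from mariadb101-server/Makefile (which uses PORTREVISION?=). Please confirm that the 101 client package is rebuilt with the fix. Separately, the mariadb101-server Makefile hunk moves PORTREVISION from 0 to 2, skipping 1; if that is to match head, a word in the log would help.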