From owner-freebsd-gnome@FreeBSD.ORG  Sat Apr 12 12:00:00 2014
Return-Path: <owner-freebsd-gnome@FreeBSD.ORG>
Delivered-To: gnome@FreeBSD.org
Received: from chateau.d.if (localhost [IPv6:::1])
 by hub.freebsd.org (Postfix) with ESMTP id 06201B4C;
 Sat, 12 Apr 2014 11:59:58 +0000 (UTC)
Received: from localhost (1001@localhost [local]);
 by localhost (OpenSMTPD) with ESMTPA id d8f54001;
 Sat, 12 Apr 2014 17:29:57 +0530 (IST)
Date: Sat, 12 Apr 2014 17:29:57 +0530 (IST)
Message-Id: <6019563330596331976.enqueue@chateau.d.if>
To: FreeBSD-gnats-submit@freebsd.org
Subject: [PATCH] irc/hexchat: Add SSL certificate verification
X-send-pr-version: 3.114
X-GNATS-Notify: 
From: ashish@FreeBSD.org
Cc: gnome@FreeBSD.org, nemysis@FreeBSD.org
X-BeenThere: freebsd-gnome@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: Ashish SHUKLA <ashish@FreeBSD.org>
List-Id: GNOME for FreeBSD -- porting and maintaining
 <freebsd-gnome.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-gnome>,
 <mailto:freebsd-gnome-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-gnome/>
List-Post: <mailto:freebsd-gnome@freebsd.org>
List-Help: <mailto:freebsd-gnome-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-gnome>,
 <mailto:freebsd-gnome-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Apr 2014 12:00:00 -0000


>Submitter-Id:	current-users
>Originator:	Ashish SHUKLA
>Organization:	The FreeBSD Project
>Confidential:	no
>Synopsis:	[PATCH] irc/hexchat: Add SSL certificate verification
>Severity:	serious
>Priority:	low
>Category:	ports
>Class:		sw-bug
>Release:	FreeBSD 9.2-RELEASE-p4 amd64
>Environment:
System: FreeBSD chateau.d.if 9.2-RELEASE-p4 FreeBSD 9.2-RELEASE-p4 #1: Wed Apr 9 06:41:45 IST 2014 root@chateau.d.if:/usr/obj/usr/src/sys/CHATEAU amd64


>Description:

Hexchat, currently does not verify SSL certificates. It's the code but it's commented since revision 2 (of xchat codebase), this patch just enables the commented code.

This diff makes the irc/hexchat port use ca_root_nss CA bundle.

This diff could also be used by irc/xchat port (maintainer Cc'ed) with some trivial changes to irc/xchat Makefile.

Thanks in advance!
>How-To-Repeat:
>Fix:
diff -urN /usr/ports/irc/hexchat/Makefile hexchat/Makefile
--- /usr/ports/irc/hexchat/Makefile	2014-04-01 23:24:02.000000000 +0530
+++ hexchat/Makefile	2014-04-12 17:10:26.681891279 +0530
@@ -3,7 +3,7 @@
 
 PORTNAME=	hexchat
 PORTVERSION=	2.9.6.1
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	irc gnome ipv6
 MASTER_SITES=	http://dl.hexchat.org/${PORTNAME}/
 
@@ -30,12 +30,12 @@
 PORTDOCS=	*
 
 OPTIONS_DEFINE=		CANBERRA DBUS DOAT DOCS FISHLIM NLS NOTIFY PERL \
-			PYTHON SOCKS TEXTFE XFT
+			PYTHON SOCKS TEXTFE XFT CA_BUNDLE
 
 OPTIONS_RADIO=		SPELL
 OPTIONS_RADIO_SPELL=	GTKSPELL LIBSEXY STATIC
 
-OPTIONS_DEFAULT=	CANBERRA DBUS NOTIFY LIBSEXY PERL PYTHON SOCKS XFT
+OPTIONS_DEFAULT=	CANBERRA DBUS NOTIFY LIBSEXY PERL PYTHON SOCKS XFT CA_BUNDLE
 
 OPTIONS_SUB=	yes
 
@@ -46,6 +46,7 @@
 LIBSEXY_DESC=		Spell checking support via Libsexy
 STATIC_DESC=		Spell checking embedded in the binary
 TEXTFE_DESC=		Text frontend
+CA_BUNDLE_DESC=		Install CA bundle for SSL verification
 
 CANBERRA_LIB_DEPENDS=	libcanberra.so:${PORTSDIR}/audio/libcanberra
 CANBERRA_CONFIGURE_ENABLE=	libcanberra
@@ -65,6 +66,7 @@
 XFT_CONFIGURE_ENABLE=	xft
 GTKSPELL_LIB_DEPENDS=	libgtkspell.so:${PORTSDIR}/textproc/gtkspell
 LIBSEXY_LIB_DEPENDS=	libsexy.so:${PORTSDIR}/x11-toolkits/libsexy
+CA_BUNDLE_RUN_DEPENDS=  ${LOCALBASE}/share/certs/ca-root-nss.crt:${PORTSDIR}/security/ca_root_nss
 
 .include <bsd.port.options.mk>
 
@@ -100,10 +102,18 @@
 USE_GNOME+=	gconf2
 .endif
 
+.if ${PORT_OPTIONS:MCA_BUNDLE}
+CA_BUNDLE=	"${LOCALBASE}/share/certs/ca-root-nss.crt"
+.else
+CA_BUNDLE=	NULL
+.endif
+
 post-patch:
 	@${REINPLACE_CMD} -e 's|/bin/bash|/bin/sh|g' ${WRKSRC}/autogen.sh
 	@${REINPLACE_CMD} -e '/^appdata_DATA/s|hexchat.appdata.xml||' \
 		${WRKSRC}/share/misc/Makefile.am ${WRKSRC}/share/misc/Makefile.in
+	@${REINPLACE_CMD} -e 's,%%PATH_TO_CA_BUNDLE%%,${CA_BUNDLE},g' \
+		${WRKSRC}/src/common/server.c
 
 pre-configure:
 	@(cd ${WRKSRC} && ${SETENV} ${CONFIGURE_ENV} ./autogen.sh)
diff -urN /usr/ports/irc/hexchat/files/patch-src_common_server.c hexchat/files/patch-src_common_server.c
--- /usr/ports/irc/hexchat/files/patch-src_common_server.c	1970-01-01 05:30:00.000000000 +0530
+++ hexchat/files/patch-src_common_server.c	2014-04-12 17:03:53.361891004 +0530
@@ -0,0 +1,14 @@
+
+$FreeBSD$
+
+--- src/common/server.c.orig
++++ src/common/server.c
+@@ -862,7 +862,7 @@
+ 		/* it'll be a memory leak, if connection isn't terminated by
+ 		   server_cleanup() */
+ 		serv->ssl = _SSL_socket (ctx, serv->sok);
+-		if ((err = _SSL_set_verify (ctx, ssl_cb_verify, NULL)))
++		if ((err = _SSL_set_verify (ctx, ssl_cb_verify, %%PATH_TO_CA_BUNDLE%%)))
+ 		{
+ 			EMIT_SIGNAL (XP_TE_CONNFAIL, serv->server_session, err, NULL,
+ 							 NULL, NULL, 0);
diff -urN /usr/ports/irc/hexchat/files/patch-src_common_ssl.c hexchat/files/patch-src_common_ssl.c
--- /usr/ports/irc/hexchat/files/patch-src_common_ssl.c	1970-01-01 05:30:00.000000000 +0530
+++ hexchat/files/patch-src_common_ssl.c	2014-04-12 17:03:50.448891728 +0530
@@ -0,0 +1,23 @@
+
+$FreeBSD$
+
+--- src/common/ssl.c.orig
++++ src/common/ssl.c
+@@ -305,7 +305,7 @@
+ 		__SSL_fill_err_buf ("SSL_CTX_set_default_verify_paths");
+ 		return (err_buf);
+ 	}
+-/*
++
+ 	if (cacert)
+ 	{
+ 		if (!SSL_CTX_load_verify_locations (ctx, cacert, NULL))
+@@ -314,7 +314,7 @@
+ 			return (err_buf);
+ 		}
+ 	}
+-*/
++
+ 	SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER, verify_callback);
+ 
+ 	return (NULL);