From: Michael Gmelin
Date: Wed, 24 Jan 2018 01:03:03 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r459808 - in head/databases: mariadb101-client/files mariadb101-server mariadb101-server/files mariadb102-client mariadb102-client/files mariadb102-server mariadb102-server/files

Author: grembo
Date: Wed Jan 24 01:03:03 2018
New Revision: 459808
URL: https://svnweb.freebsd.org/changeset/ports/459808

Log:
Fix databases/mariadb* hostname verification when building against LibreSSL

LibreSSL imported X509_check_host from BoringSSL. Unlike OpenSSL, it doesn't calculate the length of the hostname passed in case chklen/namelen == 0. This means that the check in MariaDB always fails if built against LibreSSL.

This forces administrators to disable hostname verification, which weakens security (hence the MFH request below).

Note that the fix has no negative implications if built against OpenSSL, as its implementation calls strlen(hostname) in case namelen == 0.

See also https://github.com/MariaDB/server/pull/562 Approved by: ssl blanket MFH: 2018Q1 Added: head/databases/mariadb101-client/files/patch-sql-common_client.c (contents, props changed) head/databases/mariadb101-server/files/patch-sql-common_client.c (contents, props changed) head/databases/mariadb102-client/files/patch-sql-common_client.c (contents, props changed) Modified: head/databases/mariadb101-server/Makefile head/databases/mariadb102-client/Makefile head/databases/mariadb102-server/Makefile head/databases/mariadb102-server/files/patch-sql-common_client.c Added: head/databases/mariadb101-client/files/patch-sql-common_client.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/databases/mariadb101-client/files/patch-sql-common_client.c Wed Jan 24 01:03:03 2018 (r459808) @@ -0,0 +1,12 @@ +--- sql-common/client.c.orig 2018-01-24 00:36:45.520273000 +0100 ++++ sql-common/client.c 2018-01-24 00:37:57.536367000 +0100 +@@ -1821,7 +1821,8 @@ + */ + + #ifdef HAVE_X509_check_host +- ret_validation= X509_check_host(server_cert, server_hostname, 0, 0, 0) != 1; ++ ret_validation= X509_check_host(server_cert, server_hostname, ++ strlen(server_hostname), 0, 0) != 1; + #else + subject= X509_get_subject_name(server_cert); + cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1); Modified: head/databases/mariadb101-server/Makefile ============================================================================== --- head/databases/mariadb101-server/Makefile Wed Jan 24 00:55:09 2018 (r459807) +++ head/databases/mariadb101-server/Makefile Wed Jan 24 01:03:03 2018 (r459808) 
@@ -2,7 +2,7 @@ PORTNAME?= mariadb PORTVERSION= 10.1.30 -PORTREVISION?= 1 +PORTREVISION?= 2 CATEGORIES= databases ipv6 MASTER_SITES= http://ftp.osuosl.org/pub/${SITESDIR}/ \ http://mirrors.supportex.net/${SITESDIR}/ \ Added: head/databases/mariadb101-server/files/patch-sql-common_client.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/databases/mariadb101-server/files/patch-sql-common_client.c Wed Jan 24 01:03:03 2018 (r459808) @@ -0,0 +1,12 @@ +--- sql-common/client.c.orig 2018-01-24 00:36:45.520273000 +0100 ++++ sql-common/client.c 2018-01-24 00:37:57.536367000 +0100 +@@ -1821,7 +1821,8 @@ + */ + + #ifdef HAVE_X509_check_host +- ret_validation= X509_check_host(server_cert, server_hostname, 0, 0, 0) != 1; ++ ret_validation= X509_check_host(server_cert, server_hostname, ++ strlen(server_hostname), 0, 0) != 1; + #else + subject= X509_get_subject_name(server_cert); + cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1); Modified: head/databases/mariadb102-client/Makefile ============================================================================== --- head/databases/mariadb102-client/Makefile Wed Jan 24 00:55:09 2018 (r459807) +++ head/databases/mariadb102-client/Makefile Wed Jan 24 01:03:03 2018 (r459808) @@ -1,7 +1,7 @@ # $FreeBSD$ PORTNAME= mariadb -PORTREVISION= 0 +PORTREVISION= 1 PKGNAMESUFFIX= 102-client COMMENT= Multithreaded SQL database (client) Added: head/databases/mariadb102-client/files/patch-sql-common_client.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/databases/mariadb102-client/files/patch-sql-common_client.c Wed Jan 24 01:03:03 2018 (r459808) 
@@ -0,0 +1,23 @@ +--- sql-common/client.c.orig 2018-01-03 14:48:29.000000000 +0100 ++++ sql-common/client.c 2018-01-24 00:45:11.194419000 +0100 +@@ -104,6 +104,10 @@ + #define CONNECT_TIMEOUT 0 + #endif + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) || defined(HAVE_YASSL) ++#define ASN1_STRING_get0_data(X) ASN1_STRING_data(X) ++#endif ++ + #include "client_settings.h" + #include + #include +@@ -1822,7 +1826,8 @@ + */ + + #ifdef HAVE_X509_check_host +- ret_validation= X509_check_host(server_cert, server_hostname, 0, 0, 0) != 1; ++ ret_validation= X509_check_host(server_cert, server_hostname, ++ strlen(server_hostname), 0, 0) != 1; + #else + subject= X509_get_subject_name(server_cert); + cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1); Modified: head/databases/mariadb102-server/Makefile ============================================================================== --- head/databases/mariadb102-server/Makefile Wed Jan 24 00:55:09 2018 (r459807) +++ head/databases/mariadb102-server/Makefile Wed Jan 24 01:03:03 2018 (r459808) @@ -2,7 +2,7 @@ PORTNAME?= mariadb PORTVERSION= 10.2.12 -PORTREVISION?= 1 +PORTREVISION?= 2 CATEGORIES= databases ipv6 MASTER_SITES= http://mirrors.supportex.net/${SITESDIR}/ \ http://mirror2.hs-esslingen.de/pub/Mirrors/${SITESDIR}/ \ Modified: head/databases/mariadb102-server/files/patch-sql-common_client.c ============================================================================== --- head/databases/mariadb102-server/files/patch-sql-common_client.c Wed Jan 24 00:55:09 2018 (r459807) +++ head/databases/mariadb102-server/files/patch-sql-common_client.c Wed Jan 24 01:03:03 2018 (r459808) 
@@ -1,6 +1,6 @@ ---- sql-common/client.c.orig 2017-05-14 23:13:18 UTC -+++ sql-common/client.c -@@ -104,6 +104,10 @@ my_bool net_flush(NET *net); +--- sql-common/client.c.orig 2018-01-03 14:48:29.000000000 +0100 ++++ sql-common/client.c 2018-01-24 00:45:11.194419000 +0100 +@@ -104,6 +104,10 @@ #define CONNECT_TIMEOUT 0 #endif @@ -11,3 +11,13 @@ #include "client_settings.h" #include #include +@@ -1822,7 +1826,8 @@ + */ + + #ifdef HAVE_X509_check_host +- ret_validation= X509_check_host(server_cert, server_hostname, 0, 0, 0) != 1; ++ ret_validation= X509_check_host(server_cert, server_hostname, ++ strlen(server_hostname), 0, 0) != 1; + #else + subject= X509_get_subject_name(server_cert); + cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1);
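Review bot: In the sql-common/client.c hunk at @@ -1821,7 +1821,8 @@ (and the 10.2 copy at @@ -1822,7 +1826,8 @@), the new strlen(server_hostname) argument has no comment explaining why the length is spelled out, and to anyone who knows only the OpenSSL behaviour it reads as redundant. A one-line comment above the call, saying that LibreSSL's X509_check_host does not compute the length when namelen is 0, would keep a later cleanup from restoring the 0 and breaking verification on LibreSSL builds again. Since strlen now dereferences server_hostname at the call site, it is also worth confirming from the surrounding function that the pointer cannot be NULL here; the visible context does not show a check. The != 1 comparison should stay as it is, because it treats both a mismatch and an error return as a validation failure.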
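Review bot: The ASN1_STRING_get0_data fallback added at @@ -104,6 +104,10 @@ in the mariadb102-client patch sits above #include "client_settings.h", so its #if depends on OPENSSL_VERSION_NUMBER already being defined at that point. If the OpenSSL headers have not been included before line 104, the undefined macro evaluates to 0, the < 0x10100000L test is true, and the redirect to ASN1_STRING_data is taken on every build, OpenSSL 1.1 included. Moving the block below the SSL includes, or including the version header directly above it, removes that dependency. The defined(LIBRESSL_VERSION_NUMBER) term has no version bound either, so it will keep redirecting to ASN1_STRING_data even if a later LibreSSL provides ASN1_STRING_get0_data.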
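Review bot: PORTREVISION is bumped in the mariadb101-server, mariadb102-client and mariadb102-server Makefiles, but mariadb101-client gains a new files/patch-sql-common_client.c with no Makefile change in this commit. If mariadb101-client inherits its revision from the mariadb101-server Makefile (the PORTREVISION?= there allows an override), please confirm it does not set its own value; otherwise existing installs of that package will not be rebuilt with the fix.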
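Review bot: In the change to mariadb102-server/files/patch-sql-common_client.c, the patch header moves from the "2017-05-14 23:13:18 UTC" form to local timestamps with nanoseconds and a +0100 offset, and the hunk header loses its "my_bool net_flush(NET *net);" context, so most of this diff of a patch is noise around the one added hunk. The three new patch files carry the same local-time headers. Regenerating them with make makepatch would keep the UTC header style the file already had and make later updates to these patches easier to review.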