From: Steve Wills Date: Mon, 24 Aug 2020 17:50:38 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r546103 - in head/net/syncthing: . files X-SVN-Group: ports-head X-SVN-Commit-Author: swills X-SVN-Commit-Paths: in head/net/syncthing: . files X-SVN-Commit-Revision: 546103 X-SVN-Commit-Repository: ports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Aug 2020 17:50:40 -0000 Author: swills Date: Mon Aug 24 17:50:38 2020 New Revision: 546103 URL: https://svnweb.freebsd.org/changeset/ports/546103 Log: net/syncthing: fix SSL errors due to Go 1.15 behaviour change PR: 248867 Submitted by: James French Added: head/net/syncthing/files/patch-syncthing_lib_api_api.go (contents, props changed) head/net/syncthing/files/patch-syncthing_lib_api_api__test.go (contents, props changed) head/net/syncthing/files/patch-syncthing_lib_connections_service.go (contents, props changed) head/net/syncthing/files/patch-syncthing_lib_tlsutil_tlsutil.go (contents, props changed) Modified: head/net/syncthing/Makefile (contents, props changed) Modified: head/net/syncthing/Makefile ============================================================================== --- head/net/syncthing/Makefile Mon Aug 24 17:40:54 2020 (r546102) +++ head/net/syncthing/Makefile Mon Aug 24 17:50:38 2020 (r546103) @@ -2,6 +2,7 @@ PORTNAME= syncthing PORTVERSION= 1.8.0 +PORTREVISION= 1 DISTVERSIONPREFIX= v CATEGORIES= net MASTER_SITES= https://github.com/syncthing/syncthing/releases/download/v${PORTVERSION}/ Added: head/net/syncthing/files/patch-syncthing_lib_api_api.go ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/net/syncthing/files/patch-syncthing_lib_api_api.go Mon Aug 24 17:50:38 2020 (r546103) 
@@ -0,0 +1,47 @@ +--- syncthing/lib/api/api.go.orig 2020-08-11 08:56:46 UTC ++++ syncthing/lib/api/api.go +@@ -149,7 +149,7 @@ func (s *service) getListener(guiCfg config.GUIConfigu + // If the certificate has expired or will expire in the next month, fail + // it and generate a new one. + if err == nil { +- err = checkExpiry(cert) ++ err = shouldRegenerateCertificate(cert) + } + if err != nil { + l.Infoln("Loading HTTPS certificate:", err) +@@ -1736,7 +1736,11 @@ func addressIsLocalhost(addr string) bool { + } + } + +-func checkExpiry(cert tls.Certificate) error { ++// shouldRegenerateCertificate checks for certificate expiry or other known ++// issues with our API/GUI certificate and returns either nil (leave the ++// certificate alone) or an error describing the reason the certificate ++// should be regenerated. ++func shouldRegenerateCertificate(cert tls.Certificate) error { + leaf := cert.Leaf + if leaf == nil { + // Leaf can be nil or not, depending on how parsed the certificate +@@ -1752,10 +1756,19 @@ func checkExpiry(cert tls.Certificate) error { + } + } + +- if leaf.Subject.String() != leaf.Issuer.String() || +- len(leaf.DNSNames) != 0 || len(leaf.IPAddresses) != 0 { +- // The certificate is not self signed, or has DNS/IP attributes we don't ++ if leaf.Subject.String() != leaf.Issuer.String() || len(leaf.IPAddresses) != 0 { ++ // The certificate is not self signed, or has IP attributes we don't + // add, so we leave it alone. ++ return nil ++ } ++ if len(leaf.DNSNames) > 1 { ++ // The certificate has more DNS SANs attributes than we ever add, so ++ // we leave it alone. ++ return nil ++ } ++ if len(leaf.DNSNames) == 1 && leaf.DNSNames[0] != leaf.Issuer.CommonName { ++ // The one SAN is different from the issuer, so it's not one of our ++ // newer self signed certificates. + return nil + } + Added: head/net/syncthing/files/patch-syncthing_lib_api_api__test.go ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/net/syncthing/files/patch-syncthing_lib_api_api__test.go Mon Aug 24 17:50:38 2020 (r546103) @@ -0,0 +1,38 @@ +--- syncthing/lib/api/api_test.go.orig 2020-08-11 08:56:46 UTC ++++ syncthing/lib/api/api_test.go +@@ -1136,7 +1136,7 @@ func TestPrefixMatch(t *testing.T) { + } + } + +-func TestCheckExpiry(t *testing.T) { ++func TestShouldRegenerateCertificate(t *testing.T) { + dir, err := ioutil.TempDir("", "syncthing-test") + if err != nil { + t.Fatal(err) +@@ -1149,7 +1149,7 @@ func TestCheckExpiry(t *testing.T) { + if err != nil { + t.Fatal(err) + } +- if err := checkExpiry(crt); err == nil { ++ if err := shouldRegenerateCertificate(crt); err == nil { + t.Error("expected expiry error") + } + +@@ -1158,7 +1158,7 @@ func TestCheckExpiry(t *testing.T) { + if err != nil { + t.Fatal(err) + } +- if err := checkExpiry(crt); err != nil { ++ if err := shouldRegenerateCertificate(crt); err != nil { + t.Error("expected no error:", err) + } + +@@ -1168,7 +1168,7 @@ func TestCheckExpiry(t *testing.T) { + if err != nil { + t.Fatal(err) + } +- if err := checkExpiry(crt); err == nil { ++ if err := shouldRegenerateCertificate(crt); err == nil { + t.Error("expected expiry error") + } + } Added: head/net/syncthing/files/patch-syncthing_lib_connections_service.go ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/net/syncthing/files/patch-syncthing_lib_connections_service.go Mon Aug 24 17:50:38 2020 (r546103) 
@@ -0,0 +1,15 @@ +--- syncthing/lib/connections/service.go.orig 2020-08-11 08:56:46 UTC ++++ syncthing/lib/connections/service.go +@@ -305,7 +305,11 @@ func (s *service) handle(ctx context.Context) { + if certName == "" { + certName = s.tlsDefaultCommonName + } +- if err := remoteCert.VerifyHostname(certName); err != nil { ++ if remoteCert.Subject.CommonName == certName { ++ // All good. We do this check because our old style certificates ++ // have "syncthing" in the CommonName field and no SANs, which ++ // is not accepted by VerifyHostname() any more as of Go 1.15. ++ } else if err := remoteCert.VerifyHostname(certName); err != nil { + // Incorrect certificate name is something the user most + // likely wants to know about, since it's an advanced + // config. Warn instead of Info. Added: head/net/syncthing/files/patch-syncthing_lib_tlsutil_tlsutil.go ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/net/syncthing/files/patch-syncthing_lib_tlsutil_tlsutil.go Mon Aug 24 17:50:38 2020 (r546103) @@ -0,0 +1,10 @@ +--- syncthing/lib/tlsutil/tlsutil.go.orig 2020-08-11 08:56:46 UTC ++++ syncthing/lib/tlsutil/tlsutil.go +@@ -106,6 +106,7 @@ func NewCertificate(certFile, keyFile, commonName stri + Subject: pkix.Name{ + CommonName: commonName, + }, ++ DNSNames: []string{commonName}, + NotBefore: notBefore, + NotAfter: notAfter, + SignatureAlgorithm: x509.ECDSAWithSHA256,
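Review bot: in the api.go hunk every new branch returns nil ("leave the certificate alone"), while the lines that actually return a regeneration error for an old-style certificate with zero DNS SANs lie outside the visible context; since `len(leaf.DNSNames) != 0` was dropped from the first `if`, a self-signed certificate with no SANs now falls through all three early returns, so confirm the code that follows returns an error for that case rather than only reaching the existing expiry check. Minor: `leaf.DNSNames[0] != leaf.Issuer.CommonName` is equivalent to comparing against `leaf.Subject.CommonName` here (the preceding check already requires Subject == Issuer), and the latter reads more directly, given that the SAN is populated from the subject's commonName in the tlsutil.go hunk.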
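Review bot: the api_test.go hunk only renames the `checkExpiry` calls to `shouldRegenerateCertificate`; none of the new branches (a single DNS SAN equal to the CN, more than one SAN, a single SAN that differs from the CN, and the old-style zero-SAN certificate that should now be regenerated) get a test case. Consider adding certificates generated with `DNSNames` set for each of those cases so the Go 1.15 regeneration path is covered rather than just the expiry checks.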
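Review bot: the new `if remoteCert.Subject.CommonName == certName {` branch in the service.go hunk accepts a CN match for every remote certificate, not only the SAN-less old-style ones the comment describes; a certificate that carries DNS SANs which would fail `VerifyHostname()` but whose CN happens to equal `certName` now skips the SAN check entirely. Narrow the condition to the stated case, e.g. `if len(remoteCert.DNSNames) == 0 && remoteCert.Subject.CommonName == certName {`, so certificates with SANs still go through `VerifyHostname()`. An `if` body consisting only of a comment also reads oddly; a debug-level log line ("accepted legacy certificate by CN") would make the fallback visible in the logs when it is taken.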
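Review bot: the tlsutil.go hunk adds `DNSNames: []string{commonName}` unconditionally, and the api.go check relies on exactly that shape (one SAN equal to the CN) to recognise "our" certificates; the coupling is undocumented, so a comment at the `DNSNames` line pointing at `shouldRegenerateCertificate` would keep the two from drifting apart when either is next edited.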