git: 9a9cfc4efa56 - main - net-im/libpurple: use the SSL_PeerCertificateChain function, instead of SSL_PeerCertificate
Date: Sun, 29 Sep 2024 20:18:18 UTC
The branch main has been updated by marcus: URL: https://cgit.FreeBSD.org/ports/commit/?id=9a9cfc4efa5690823dd0f0fafa5fd07d061e7e0c commit 9a9cfc4efa5690823dd0f0fafa5fd07d061e7e0c Author: Rodrigo Osorio <rodrigo@FreeBSD.org> AuthorDate: 2024-09-29 20:15:59 +0000 Commit: Joe Marcus Clarke <marcus@FreeBSD.org> CommitDate: 2024-09-29 20:15:59 +0000 net-im/libpurple: use the SSL_PeerCertificateChain function, instead of SSL_PeerCertificate The ssl_nss_get_peer_certificates function in libpurple 2.x.y assumes that all intermediate certificates from the peer's presented chain can be found in the NSS certificate DB. This is not the case in NSS 3.103. This patch is required in order to add a new port for *MS teams* support in pidgin. This patch replaces a call to ssl_nss_get_peer_certificates by SSL_PeerCertificateChain who retrieves the certificates presented by the SSL peer.SSL_PeerCertificateChain has been in NSS since version 3.15.4 released in 2014. Additional references: https://bugzilla.mozilla.org/show_bug.cgi?id=1913047 PR: 281761
---
net-im/libpurple/Makefile | 2 +- .../files/patch-libpurple_plugins_ssl_ssl-nss.c | 54 ++++++++++++++++++++++ 2 files changed, 55 insertions(+), 1 deletion(-)
diff --git a/net-im/libpurple/Makefile b/net-im/libpurple/Makefile
index 77470608fceb..6d50b3182468 100644
--- a/net-im/libpurple/Makefile
+++ b/net-im/libpurple/Makefile
@@ -1,6 +1,6 @@
 PORTNAME?= libpurple
 PORTVERSION= 2.14.13
-PORTREVISION?= 0
+PORTREVISION?= 1
 CATEGORIES?= net-im
 MASTER_SITES= SF/pidgin/Pidgin/${PORTVERSION}
 DISTNAME= pidgin-${PORTVERSION}
diff --git a/net-im/libpurple/files/patch-libpurple_plugins_ssl_ssl-nss.c b/net-im/libpurple/files/patch-libpurple_plugins_ssl_ssl-nss.c
new file mode 100644
index 000000000000..a9e5703cbbc5
--- /dev/null
+++ b/net-im/libpurple/files/patch-libpurple_plugins_ssl_ssl-nss.c
@@ -0,0 +1,54 @@
+--- libpurple/plugins/ssl/ssl-nss.c
++++ libpurple/plugins/ssl/ssl-nss.c
+@@ -282,39 +282,32 @@ x509_import_from_nss(CERTCertificate* ce
+ static GList *
+ ssl_nss_get_peer_certificates(PRFileDesc *socket, PurpleSslConnection * gsc)
+ {
++ CERTCertList *peerChain;
++ CERTCertListNode *cursor;
+ CERTCertificate *curcert;
+- CERTCertificate *issuerCert;
+ PurpleCertificate * newcrt;
+
+ /* List of Certificate instances to return */
+ GList * peer_certs = NULL;
+- int count;
+- int64 now = PR_Now();
+
+- curcert = SSL_PeerCertificate(socket);
+- if (curcert == NULL) {
+- purple_debug_error("nss", "could not DupCertificate\n");
++ peerChain = SSL_PeerCertificateChain(socket);
++ if (peerChain == NULL) {
++ purple_debug_error("nss", "no peer certificates\n");
+ return NULL;
+ }
+
+- for (count = 0 ; count < CERT_MAX_CERT_CHAIN ; count++) {
++ for (cursor = CERT_LIST_HEAD(peerChain); !CERT_LIST_END(cursor, peerChain); cursor = CERT_LIST_NEXT(cursor)) {
++ curcert = cursor->cert;
++ if (!curcert) {
++ purple_debug_error("nss", "cursor->cert == NULL\n");
++ break;
++ }
+ purple_debug_info("nss", "subject=%s issuer=%s\n", curcert->subjectName,
+ curcert->issuerName ? curcert->issuerName : "(null)");
+ newcrt = x509_import_from_nss(curcert);
+ peer_certs = g_list_append(peer_certs, newcrt);
+-
+- if (curcert->isRoot) {
+- break;
+- }
+- issuerCert = CERT_FindCertIssuer(curcert, now, certUsageSSLServer);
+- if (!issuerCert) {
+- purple_debug_error("nss", "partial certificate chain\n");
+- break;
+- }
+- CERT_DestroyCertificate(curcert);
+- curcert = issuerCert;
+ }
+- CERT_DestroyCertificate(curcert);
++ CERT_DestroyCertList(peerChain);
+
+ return peer_certs;
+ }
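Review bot: The rewritten loop in ssl_nss_get_peer_certificates walks whatever SSL_PeerCertificateChain returned with no upper bound, whereas the removed loop stopped at CERT_MAX_CERT_CHAIN; since the list is now exactly what the peer sent, I would keep a cap, e.g. a counter with `if (++count > CERT_MAX_CERT_CHAIN) break;` at the top of the loop body. The `!curcert` branch also returns a truncated list as if it were a complete chain, and the result of `x509_import_from_nss(curcert)` is appended without a NULL check (that line is unchanged context, so it predates this patch). A comment above the loop such as `/* peer-supplied, unverified chain; x509_import_from_nss must take its own reference because CERT_DestroyCertList releases these */` would record the two assumptions the code relies on; the helper's body is outside this hunk, so the reference-taking is presumed, not shown.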