[PATCH] irc/hexchat: Add SSL certificate verification
ashish at FreeBSD.org
ashish at FreeBSD.org
Sat Apr 12 12:00:00 UTC 2014
>Submitter-Id: current-users
>Originator: Ashish SHUKLA
>Organization: The FreeBSD Project
>Confidential: no
>Synopsis: [PATCH] irc/hexchat: Add SSL certificate verification
>Severity: serious
>Priority: low
>Category: ports
>Class: sw-bug
>Release: FreeBSD 9.2-RELEASE-p4 amd64
>Environment:
System: FreeBSD chateau.d.if 9.2-RELEASE-p4 FreeBSD 9.2-RELEASE-p4 #1: Wed Apr 9 06:41:45 IST 2014 root at chateau.d.if:/usr/obj/usr/src/sys/CHATEAU amd64
>Description:
Hexchat currently does not verify SSL certificates. The code for it exists but has been commented out since revision 2 (of the xchat codebase); this patch just enables the commented-out code.
This diff makes the irc/hexchat port use ca_root_nss CA bundle.
This diff could also be used by irc/xchat port (maintainer Cc'ed) with some trivial changes to irc/xchat Makefile.
Thanks in advance!
>How-To-Repeat:
>Fix:
diff -urN /usr/ports/irc/hexchat/Makefile hexchat/Makefile
--- /usr/ports/irc/hexchat/Makefile 2014-04-01 23:24:02.000000000 +0530
+++ hexchat/Makefile 2014-04-12 17:10:26.681891279 +0530
@@ -3,7 +3,7 @@
PORTNAME= hexchat
PORTVERSION= 2.9.6.1
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= irc gnome ipv6
MASTER_SITES= http://dl.hexchat.org/${PORTNAME}/
@@ -30,12 +30,12 @@
PORTDOCS= *
OPTIONS_DEFINE= CANBERRA DBUS DOAT DOCS FISHLIM NLS NOTIFY PERL \
- PYTHON SOCKS TEXTFE XFT
+ PYTHON SOCKS TEXTFE XFT CA_BUNDLE
OPTIONS_RADIO= SPELL
OPTIONS_RADIO_SPELL= GTKSPELL LIBSEXY STATIC
-OPTIONS_DEFAULT= CANBERRA DBUS NOTIFY LIBSEXY PERL PYTHON SOCKS XFT
+OPTIONS_DEFAULT= CANBERRA DBUS NOTIFY LIBSEXY PERL PYTHON SOCKS XFT CA_BUNDLE
OPTIONS_SUB= yes
@@ -46,6 +46,7 @@
LIBSEXY_DESC= Spell checking support via Libsexy
STATIC_DESC= Spell checking embedded in the binary
TEXTFE_DESC= Text frontend
+CA_BUNDLE_DESC= Install CA bundle for SSL verification
CANBERRA_LIB_DEPENDS= libcanberra.so:${PORTSDIR}/audio/libcanberra
CANBERRA_CONFIGURE_ENABLE= libcanberra
@@ -65,6 +66,7 @@
XFT_CONFIGURE_ENABLE= xft
GTKSPELL_LIB_DEPENDS= libgtkspell.so:${PORTSDIR}/textproc/gtkspell
LIBSEXY_LIB_DEPENDS= libsexy.so:${PORTSDIR}/x11-toolkits/libsexy
+CA_BUNDLE_RUN_DEPENDS= ${LOCALBASE}/share/certs/ca-root-nss.crt:${PORTSDIR}/security/ca_root_nss
.include <bsd.port.options.mk>
@@ -100,10 +102,18 @@
USE_GNOME+= gconf2
.endif
+.if ${PORT_OPTIONS:MCA_BUNDLE}
+CA_BUNDLE= "${LOCALBASE}/share/certs/ca-root-nss.crt"
+.else
+CA_BUNDLE= NULL
+.endif
+
post-patch:
@${REINPLACE_CMD} -e 's|/bin/bash|/bin/sh|g' ${WRKSRC}/autogen.sh
@${REINPLACE_CMD} -e '/^appdata_DATA/s|hexchat.appdata.xml||' \
${WRKSRC}/share/misc/Makefile.am ${WRKSRC}/share/misc/Makefile.in
+ @${REINPLACE_CMD} -e 's,%%PATH_TO_CA_BUNDLE%%,${CA_BUNDLE},g' \
+ ${WRKSRC}/src/common/server.c
pre-configure:
@(cd ${WRKSRC} && ${SETENV} ${CONFIGURE_ENV} ./autogen.sh)
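Review bot: The `@${REINPLACE_CMD} -e 's,%%PATH_TO_CA_BUNDLE%%,${CA_BUNDLE},g'` substitution only yields a valid C argument because the double quotes are carried inside the Makefile value (`CA_BUNDLE= "${LOCALBASE}/share/certs/ca-root-nss.crt"`) while the `.else` branch supplies the bare token `NULL`; that asymmetry is easy to break in a later edit and deserves a comment next to the `.if`, e.g. `# value is pasted verbatim into a C call in server.c: keep the quotes, NULL stays bare`. The variable also shares its name with the CA_BUNDLE option itself, so `CA_BUNDLE_PATH` would keep the option and the substituted value apart. The sed expression uses `,` as its delimiter, so a `${LOCALBASE}` containing a comma would corrupt the edit — unlikely, but worth stating in the same comment.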
diff -urN /usr/ports/irc/hexchat/files/patch-src_common_server.c hexchat/files/patch-src_common_server.c
--- /usr/ports/irc/hexchat/files/patch-src_common_server.c 1970-01-01 05:30:00.000000000 +0530
+++ hexchat/files/patch-src_common_server.c 2014-04-12 17:03:53.361891004 +0530
@@ -0,0 +1,14 @@
+
+$FreeBSD$
+
+--- src/common/server.c.orig
++++ src/common/server.c
+@@ -862,7 +862,7 @@
+ /* it'll be a memory leak, if connection isn't terminated by
+ server_cleanup() */
+ serv->ssl = _SSL_socket (ctx, serv->sok);
+- if ((err = _SSL_set_verify (ctx, ssl_cb_verify, NULL)))
++ if ((err = _SSL_set_verify (ctx, ssl_cb_verify, %%PATH_TO_CA_BUNDLE%%)))
+ {
+ EMIT_SIGNAL (XP_TE_CONNFAIL, serv->server_session, err, NULL,
+ NULL, NULL, 0);
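Review bot: Passing the bundle path as the cacert argument of `_SSL_set_verify` only decides which trust anchors are loaded; whether a failed chain actually aborts the connection is decided by `ssl_cb_verify`, whose body is outside this patch — if it still returns TRUE regardless of its `ok` argument, loading the bundle does not cause untrusted servers to be rejected, so that should be confirmed before describing the option as certificate verification. Chain validation also does not by itself bind the certificate to the server name the user connected to, so the `CA_BUNDLE_DESC` text should state precisely what is checked (chain against the ca_root_nss bundle) rather than the broader "SSL verification". The enclosing function continues outside the hunk.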
diff -urN /usr/ports/irc/hexchat/files/patch-src_common_ssl.c hexchat/files/patch-src_common_ssl.c
--- /usr/ports/irc/hexchat/files/patch-src_common_ssl.c 1970-01-01 05:30:00.000000000 +0530
+++ hexchat/files/patch-src_common_ssl.c 2014-04-12 17:03:50.448891728 +0530
@@ -0,0 +1,23 @@
+
+$FreeBSD$
+
+--- src/common/ssl.c.orig
++++ src/common/ssl.c
+@@ -305,7 +305,7 @@
+ __SSL_fill_err_buf ("SSL_CTX_set_default_verify_paths");
+ return (err_buf);
+ }
+-/*
++
+ if (cacert)
+ {
+ if (!SSL_CTX_load_verify_locations (ctx, cacert, NULL))
+@@ -314,7 +314,7 @@
+ return (err_buf);
+ }
+ }
+-*/
++
+ SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER, verify_callback);
+
+ return (NULL);
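Review bot: Replacing the `/*` and `*/` lines with empty lines (the bare `++` at both sub-hunks) leaves two stray blank lines inside the function body; deleting the two lines outright, with no `+` replacement, keeps the source tidy and the diff honest about what changed. Worth noting in the port's option description: the now-active branch returns `err_buf` when `SSL_CTX_load_verify_locations` fails, so a missing or unreadable bundle file fails the connection instead of silently falling back to the default verify paths loaded just above — reasonable behaviour, but visible to users who disable security/ca_root_nss after building with CA_BUNDLE on.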