[PATCH] irc/hexchat: Add SSL certificate verification

ashish at FreeBSD.org ashish at FreeBSD.org
Sat Apr 12 12:00:00 UTC 2014 

>Submitter-Id:	current-users
>Originator:	Ashish SHUKLA
>Organization:	The FreeBSD Project
>Confidential:	no
>Synopsis:	[PATCH] irc/hexchat: Add SSL certificate verification
>Severity:	serious
>Priority:	low
>Category:	ports
>Class:		sw-bug
>Release:	FreeBSD 9.2-RELEASE-p4 amd64
>Environment:
System: FreeBSD chateau.d.if 9.2-RELEASE-p4 FreeBSD 9.2-RELEASE-p4 #1: Wed Apr 9 06:41:45 IST 2014 root at chateau.d.if:/usr/obj/usr/src/sys/CHATEAU amd64


>Description:

Hexchat, currently does not verify SSL certificates. It's the code but it's commented since revision 2 (of xchat codebase), this patch just enables the commented code.

This diff makes the irc/hexchat port use ca_root_nss CA bundle.

This diff could also be used by irc/xchat port (maintainer Cc'ed) with some trivial changes to irc/xchat Makefile.

Thanks in advance!
>How-To-Repeat:
>Fix:
diff -urN /usr/ports/irc/hexchat/Makefile hexchat/Makefile
--- /usr/ports/irc/hexchat/Makefile	2014-04-01 23:24:02.000000000 +0530
+++ hexchat/Makefile	2014-04-12 17:10:26.681891279 +0530
@@ -3,7 +3,7 @@
 
 PORTNAME=	hexchat
 PORTVERSION=	2.9.6.1
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	irc gnome ipv6
 MASTER_SITES=	http://dl.hexchat.org/${PORTNAME}/
 
@@ -30,12 +30,12 @@
 PORTDOCS=	*
 
 OPTIONS_DEFINE=		CANBERRA DBUS DOAT DOCS FISHLIM NLS NOTIFY PERL \
-			PYTHON SOCKS TEXTFE XFT
+			PYTHON SOCKS TEXTFE XFT CA_BUNDLE
 
 OPTIONS_RADIO=		SPELL
 OPTIONS_RADIO_SPELL=	GTKSPELL LIBSEXY STATIC
 
-OPTIONS_DEFAULT=	CANBERRA DBUS NOTIFY LIBSEXY PERL PYTHON SOCKS XFT
+OPTIONS_DEFAULT=	CANBERRA DBUS NOTIFY LIBSEXY PERL PYTHON SOCKS XFT CA_BUNDLE
 
 OPTIONS_SUB=	yes
 
@@ -46,6 +46,7 @@
 LIBSEXY_DESC=		Spell checking support via Libsexy
 STATIC_DESC=		Spell checking embedded in the binary
 TEXTFE_DESC=		Text frontend
+CA_BUNDLE_DESC=		Install CA bundle for SSL verification
 
 CANBERRA_LIB_DEPENDS=	libcanberra.so:${PORTSDIR}/audio/libcanberra
 CANBERRA_CONFIGURE_ENABLE=	libcanberra
@@ -65,6 +66,7 @@
 XFT_CONFIGURE_ENABLE=	xft
 GTKSPELL_LIB_DEPENDS=	libgtkspell.so:${PORTSDIR}/textproc/gtkspell
 LIBSEXY_LIB_DEPENDS=	libsexy.so:${PORTSDIR}/x11-toolkits/libsexy
+CA_BUNDLE_RUN_DEPENDS=  ${LOCALBASE}/share/certs/ca-root-nss.crt:${PORTSDIR}/security/ca_root_nss
 
 .include <bsd.port.options.mk>
 
@@ -100,10 +102,18 @@
 USE_GNOME+=	gconf2
 .endif
 
+.if ${PORT_OPTIONS:MCA_BUNDLE}
+CA_BUNDLE=	"${LOCALBASE}/share/certs/ca-root-nss.crt"
+.else
+CA_BUNDLE=	NULL
+.endif
+
 post-patch:
 	@${REINPLACE_CMD} -e 's|/bin/bash|/bin/sh|g' ${WRKSRC}/autogen.sh
 	@${REINPLACE_CMD} -e '/^appdata_DATA/s|hexchat.appdata.xml||' \
 		${WRKSRC}/share/misc/Makefile.am ${WRKSRC}/share/misc/Makefile.in
+	@${REINPLACE_CMD} -e 's,%%PATH_TO_CA_BUNDLE%%,${CA_BUNDLE},g' \
+		${WRKSRC}/src/common/server.c
 
 pre-configure:
 	@(cd ${WRKSRC} && ${SETENV} ${CONFIGURE_ENV} ./autogen.sh)
diff -urN /usr/ports/irc/hexchat/files/patch-src_common_server.c hexchat/files/patch-src_common_server.c
--- /usr/ports/irc/hexchat/files/patch-src_common_server.c	1970-01-01 05:30:00.000000000 +0530
+++ hexchat/files/patch-src_common_server.c	2014-04-12 17:03:53.361891004 +0530
@@ -0,0 +1,14 @@
+
+$FreeBSD$
+
+--- src/common/server.c.orig
++++ src/common/server.c
+@@ -862,7 +862,7 @@
+ 		/* it'll be a memory leak, if connection isn't terminated by
+ 		   server_cleanup() */
+ 		serv->ssl = _SSL_socket (ctx, serv->sok);
+-		if ((err = _SSL_set_verify (ctx, ssl_cb_verify, NULL)))
++		if ((err = _SSL_set_verify (ctx, ssl_cb_verify, %%PATH_TO_CA_BUNDLE%%)))
+ 		{
+ 			EMIT_SIGNAL (XP_TE_CONNFAIL, serv->server_session, err, NULL,
+ 							 NULL, NULL, 0);
diff -urN /usr/ports/irc/hexchat/files/patch-src_common_ssl.c hexchat/files/patch-src_common_ssl.c
--- /usr/ports/irc/hexchat/files/patch-src_common_ssl.c	1970-01-01 05:30:00.000000000 +0530
+++ hexchat/files/patch-src_common_ssl.c	2014-04-12 17:03:50.448891728 +0530
@@ -0,0 +1,23 @@
+
+$FreeBSD$
+
+--- src/common/ssl.c.orig
++++ src/common/ssl.c
+@@ -305,7 +305,7 @@
+ 		__SSL_fill_err_buf ("SSL_CTX_set_default_verify_paths");
+ 		return (err_buf);
+ 	}
+-/*
++
+ 	if (cacert)
+ 	{
+ 		if (!SSL_CTX_load_verify_locations (ctx, cacert, NULL))
+@@ -314,7 +314,7 @@
+ 			return (err_buf);
+ 		}
+ 	}
+-*/
++
+ 	SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER, verify_callback);
+ 
+ 	return (NULL);

More information about the freebsd-gnome mailing list