Fix databases/mariadb* hostname verification when building against LibreSSL

LibreSSL imported X509_check_host from BoringSSL. Unlike OpenSSL, it doesn't calculate the length of the hostname passed in case chklen/namelen == 0. This means that the check in MariaDB always fails if built against LibreSSL. This forces adminstrators to disable hostname verification, which weakens security (hence the MFH request below). Note that the fix has no negative implications if built against OpenSSL, as its implementation calls strlen(hostname) in case namelen == 0. See also https://github.com/MariaDB/server/pull/562 Approved by: ssl blanket MFH: 2018Q1
svn path=/head/; revision=459808
2025-07-18 09:49:18 -04:00 · 2018-01-24 01:03:03 +00:00 · 2018-01-24 01:03:03 +00:00 · bee1386bfa · 2021-03-31 03:12:20 +00:00
commit bee1386bfa
parent bea45e4207
7 changed files with 63 additions and 6 deletions
--- a/databases/mariadb101-client/files/patch-sql-common_client.c
+++ b/databases/mariadb101-client/files/patch-sql-common_client.c
@ -0,0 +1,12 @@
+--- sql-common/client.c.orig	2018-01-24 00:36:45.520273000 +0100
+++ sql-common/client.c	2018-01-24 00:37:57.536367000 +0100
+@@ -1821,7 +1821,8 @@
+   */
+ 
+ #ifdef HAVE_X509_check_host
+-  ret_validation= X509_check_host(server_cert, server_hostname, 0, 0, 0) != 1;
+  ret_validation= X509_check_host(server_cert, server_hostname,
+                                  strlen(server_hostname), 0, 0) != 1;
+ #else
+   subject= X509_get_subject_name(server_cert);
+   cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1);
--- a/databases/mariadb101-server/Makefile
+++ b/databases/mariadb101-server/Makefile
@ -2,7 +2,7 @@

 PORTNAME?=	mariadb
 PORTVERSION=	10.1.30
-PORTREVISION?=	1
+PORTREVISION?=	2
 CATEGORIES=	databases ipv6
 MASTER_SITES=	http://ftp.osuosl.org/pub/${SITESDIR}/ \
 		http://mirrors.supportex.net/${SITESDIR}/ \
--- a/databases/mariadb101-server/files/patch-sql-common_client.c
+++ b/databases/mariadb101-server/files/patch-sql-common_client.c
@ -0,0 +1,12 @@
+--- sql-common/client.c.orig	2018-01-24 00:36:45.520273000 +0100
+++ sql-common/client.c	2018-01-24 00:37:57.536367000 +0100
+@@ -1821,7 +1821,8 @@
+   */
+ 
+ #ifdef HAVE_X509_check_host
+-  ret_validation= X509_check_host(server_cert, server_hostname, 0, 0, 0) != 1;
+  ret_validation= X509_check_host(server_cert, server_hostname,
+                                  strlen(server_hostname), 0, 0) != 1;
+ #else
+   subject= X509_get_subject_name(server_cert);
+   cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1);
--- a/databases/mariadb102-client/Makefile
+++ b/databases/mariadb102-client/Makefile
@ -1,7 +1,7 @@
 # $FreeBSD$

 PORTNAME=	mariadb
-PORTREVISION=	0
+PORTREVISION=	1
 PKGNAMESUFFIX=	102-client

 COMMENT=	Multithreaded SQL database (client)
--- a/databases/mariadb102-client/files/patch-sql-common_client.c
+++ b/databases/mariadb102-client/files/patch-sql-common_client.c
@ -0,0 +1,23 @@
+--- sql-common/client.c.orig	2018-01-03 14:48:29.000000000 +0100
+++ sql-common/client.c	2018-01-24 00:45:11.194419000 +0100
+@@ -104,6 +104,10 @@
+ #define CONNECT_TIMEOUT 0
+ #endif
+ 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) || defined(HAVE_YASSL)
+#define ASN1_STRING_get0_data(X) ASN1_STRING_data(X)
+#endif
+
+ #include "client_settings.h"
+ #include <ssl_compat.h>
+ #include <sql_common.h>
+@@ -1822,7 +1826,8 @@
+   */
+ 
+ #ifdef HAVE_X509_check_host
+-  ret_validation= X509_check_host(server_cert, server_hostname, 0, 0, 0) != 1;
+  ret_validation= X509_check_host(server_cert, server_hostname,
+                                  strlen(server_hostname), 0, 0) != 1;
+ #else
+   subject= X509_get_subject_name(server_cert);
+   cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1);
--- a/databases/mariadb102-server/Makefile
+++ b/databases/mariadb102-server/Makefile
@ -2,7 +2,7 @@

 PORTNAME?=	mariadb
 PORTVERSION=	10.2.12
-PORTREVISION?=	1
+PORTREVISION?=	2
 CATEGORIES=	databases ipv6
 MASTER_SITES=	http://mirrors.supportex.net/${SITESDIR}/ \
 		http://mirror2.hs-esslingen.de/pub/Mirrors/${SITESDIR}/ \
--- a/databases/mariadb102-server/files/patch-sql-common_client.c
+++ b/databases/mariadb102-server/files/patch-sql-common_client.c
@ -1,6 +1,6 @@
--- sql-common/client.c.orig	2017-05-14 23:13:18 UTC
-+++ sql-common/client.c
-@@ -104,6 +104,10 @@ my_bool	net_flush(NET *net);
+--- sql-common/client.c.orig	2018-01-03 14:48:29.000000000 +0100
+++ sql-common/client.c	2018-01-24 00:45:11.194419000 +0100
+@@ -104,6 +104,10 @@
 #define CONNECT_TIMEOUT 0
 #endif
 
@ -11,3 +11,13 @@
 #include "client_settings.h"
 #include <ssl_compat.h>
 #include <sql_common.h>
+@@ -1822,7 +1826,8 @@
+   */
+ 
+ #ifdef HAVE_X509_check_host
+-  ret_validation= X509_check_host(server_cert, server_hostname, 0, 0, 0) != 1;
+  ret_validation= X509_check_host(server_cert, server_hostname,
+                                  strlen(server_hostname), 0, 0) != 1;
+ #else
+   subject= X509_get_subject_name(server_cert);
+   cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1);