Fix databases/mariadb* hostname verification when building against LibreSSL

LibreSSL imported X509_check_host from BoringSSL. Unlike OpenSSL,
it doesn't calculate the length of the hostname passed in case
chklen/namelen == 0. This means that the check in MariaDB always
fails if built against LibreSSL. This forces adminstrators to disable
hostname verification, which weakens security (hence the MFH request below).

Note that the fix has no negative implications if built against OpenSSL,
as its implementation calls strlen(hostname) in case namelen == 0.

See also https://github.com/MariaDB/server/pull/562

Approved by:	ssl blanket
MFH:		2018Q1

1 files changed, 12 insertions, 0 deletions

diff --git a/databases/mariadb101-client/files/patch-sql-common_client.c b/databases/mariadb101-client/files/patch-sql-common_client.c
new file mode 100644
index 000000000000..85e857c65dc8
--- /dev/null
+++ b/databases/mariadb101-client/files/patch-sql-common_client.c
@@ -0,0 +1,12 @@
+--- sql-common/client.c.orig	2018-01-24 00:36:45.520273000 +0100
++++ sql-common/client.c	2018-01-24 00:37:57.536367000 +0100
+@@ -1821,7 +1821,8 @@
+   */
+ 
+ #ifdef HAVE_X509_check_host
+-  ret_validation= X509_check_host(server_cert, server_hostname, 0, 0, 0) != 1;
++  ret_validation= X509_check_host(server_cert, server_hostname,
++                                  strlen(server_hostname), 0, 0) != 1;
+ #else
+   subject= X509_get_subject_name(server_cert);
+   cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1);