summaryrefslogtreecommitdiff
path: root/databases/mariadb101-client
diff options
context:
space:
mode:
authorMichael Gmelin <grembo@FreeBSD.org>2018-01-24 01:03:03 +0000
committerMichael Gmelin <grembo@FreeBSD.org>2018-01-24 01:03:03 +0000
commitbee1386bfaf50e8df30050a19b646ba3c33e689f (patch)
tree0f02297b493a9c0ff49c70420c02752e3522989b /databases/mariadb101-client
parentThis apparently links libunwind directly. (diff)
Fix databases/mariadb* hostname verification when building against LibreSSL
LibreSSL imported X509_check_host from BoringSSL. Unlike OpenSSL, it doesn't calculate the length of the hostname passed in case chklen/namelen == 0. This means that the check in MariaDB always fails if built against LibreSSL. This forces adminstrators to disable hostname verification, which weakens security (hence the MFH request below). Note that the fix has no negative implications if built against OpenSSL, as its implementation calls strlen(hostname) in case namelen == 0. See also https://github.com/MariaDB/server/pull/562 Approved by: ssl blanket MFH: 2018Q1
Notes
Notes: svn path=/head/; revision=459808
Diffstat (limited to 'databases/mariadb101-client')
-rw-r--r--databases/mariadb101-client/files/patch-sql-common_client.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/databases/mariadb101-client/files/patch-sql-common_client.c b/databases/mariadb101-client/files/patch-sql-common_client.c
new file mode 100644
index 000000000000..85e857c65dc8
--- /dev/null
+++ b/databases/mariadb101-client/files/patch-sql-common_client.c
@@ -0,0 +1,12 @@
+--- sql-common/client.c.orig 2018-01-24 00:36:45.520273000 +0100
++++ sql-common/client.c 2018-01-24 00:37:57.536367000 +0100
+@@ -1821,7 +1821,8 @@
+ */
+
+ #ifdef HAVE_X509_check_host
+- ret_validation= X509_check_host(server_cert, server_hostname, 0, 0, 0) != 1;
++ ret_validation= X509_check_host(server_cert, server_hostname,
++ strlen(server_hostname), 0, 0) != 1;
+ #else
+ subject= X509_get_subject_name(server_cert);
+ cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1);