Sat Jan 13 12:49:10 2024 UTC
Pullup ticket #6832 - requested by riastradh
net/libfetch: enable HTTPS cert validation on NetBSD 10
pkgtools/pkg_install, pkgtools/pkgin: revbump
(via patch)
net/libfetch: Enable HTTPS certificate validation, but limit it to
NetBSD>=10 for now.
The switch has been flipped on for all platforms in pkgsrc-current
with net/libfetch 2.40. To avoid trouble with future updates to
pkgsrc-2024Q1, the attached patch -- which is limited at
compile-time to NetBSD>=10 -- bumps the version to 2.39nb3 instead,
so that the version in pkgsrc-2024Q1 will appear newer.
See
https://mail-index.netbsd.org/pkgsrc-users/2023/12/31/msg038682.html
https://mail-index.netbsd.org/tech-pkg/2023/12/09/msg028590.html
for discussion. (A future pullup might rip off the NetBSD>=10
bandaid, but I'd like to get this part in ASAP.)
(bsiegert)
diff -r1.64 -r1.64.2.1 pkgsrc/net/libfetch/Makefile
diff -r1.31 -r1.31.58.1 pkgsrc/net/libfetch/files/common.c
diff -r1.17 -r1.17.62.1 pkgsrc/net/libfetch/files/fetch.3
diff -r1.237 -r1.237.2.1 pkgsrc/pkgtools/pkg_install/Makefile
diff -r1.128 -r1.128.2.1 pkgsrc/pkgtools/pkgin/Makefile
--- pkgsrc/net/libfetch/Makefile 2023/10/24 22:10:22 1.64
+++ pkgsrc/net/libfetch/Makefile 2024/01/13 12:49:09 1.64.2.1
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.64 2023/10/24 22:10:22 wiz Exp $
+# $NetBSD: Makefile,v 1.64.2.1 2024/01/13 12:49:09 bsiegert Exp $
DISTNAME= libfetch-2.39
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= net
MASTER_SITES= # empty
DISTFILES= # empty
--- pkgsrc/net/libfetch/files/common.c 2016/10/20 21:25:57 1.31
+++ pkgsrc/net/libfetch/files/common.c 2024/01/13 12:49:09 1.31.58.1
@@ -1,4 +1,4 @@
-/* $NetBSD: common.c,v 1.31 2016/10/20 21:25:57 joerg Exp $ */
+/* $NetBSD: common.c,v 1.31.58.1 2024/01/13 12:49:09 bsiegert Exp $ */
/*-
* Copyright (c) 1998-2004 Dag-Erling Coïdan Smørgrav
* Copyright (c) 2008, 2010 Joerg Sonnenberger <joerg@NetBSD.org>
@@ -37,6 +37,10 @@
#include <nbcompat.h>
#endif
+#ifdef __NetBSD__
+#include <sys/param.h> /* __NetBSD_Version__ */
+#endif
+
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
@@ -451,6 +455,12 @@
conn->ssl_meth = SSLv23_client_method();
conn->ssl_ctx = SSL_CTX_new(conn->ssl_meth);
SSL_CTX_set_mode(conn->ssl_ctx, SSL_MODE_AUTO_RETRY);
+#if defined(__NetBSD__) && __NetBSD_Version__ >= 1000000000
+ if (getenv("SSL_NO_VERIFY_PEER") == NULL) {
+ SSL_CTX_set_default_verify_paths(conn->ssl_ctx);
+ SSL_CTX_set_verify(conn->ssl_ctx, SSL_VERIFY_PEER, NULL);
+ }
+#endif
conn->ssl = SSL_new(conn->ssl_ctx);
if (conn->ssl == NULL){
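Review bot: the return value of SSL_CTX_set_default_verify_paths() is ignored in the added block, and nothing in these lines binds the peer certificate to the requested hostname. If loading the default trust store fails, SSL_VERIFY_PEER is still set and every handshake then fails with a verification error that gives no hint that the store was missing; checking the result and reporting it would make that case diagnosable. SSL_VERIFY_PEER with a NULL callback only checks that the chain leads to a trusted root, so unless the hostname is checked elsewhere in this function (for example with SSL_set1_host() on conn->ssl after SSL_new()), a valid certificate issued for a different name would be accepted. Separately, `getenv("SSL_NO_VERIFY_PEER") == NULL` treats any value, including an empty string or "0", as a request to turn verification off; that is worth a comment here and a matching sentence in fetch.3.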
--- pkgsrc/net/libfetch/files/fetch.3 2016/05/31 18:02:36 1.17
+++ pkgsrc/net/libfetch/files/fetch.3 2024/01/13 12:49:09 1.17.62.1
@@ -25,9 +25,9 @@
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: fetch.3,v 1.64 2007/12/18 11:03:26 des Exp $
-.\" $NetBSD: fetch.3,v 1.17 2016/05/31 18:02:36 abhinav Exp $
+.\" $NetBSD: fetch.3,v 1.17.62.1 2024/01/13 12:49:09 bsiegert Exp $
.\"
-.Dd January 22, 2010
+.Dd December 22, 2023
.Dt FETCH 3
.Os
.Sh NAME
@@ -638,6 +638,10 @@
Same as
.Ev NO_PROXY ,
for compatibility.
+.It Ev SSL_NO_VERIFY_PEER
+If defined,
+.Nm
+will skip validating certificates when fetching HTTPS URLs.
.El
.Sh EXAMPLES
To access a proxy server on
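Review bot: the new SSL_NO_VERIFY_PEER entry documents only the opt-out and leaves the default behaviour unstated. It does not say that certificates are now validated by default, that on this branch the check is compiled in only for NetBSD>=10 (per the #if in common.c), or that the mere presence of the variable, whatever its value, disables validation. Suggest adding a sentence for each, plus a note that trusted certificates are taken from the OpenSSL default verify paths, so a user who hits a verification failure knows what to fix before reaching for the variable.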
--- pkgsrc/pkgtools/pkg_install/Makefile 2023/10/24 22:10:40 1.237
+++ pkgsrc/pkgtools/pkg_install/Makefile 2024/01/13 12:49:09 1.237.2.1
--- pkgsrc/pkgtools/pkgin/Makefile 2023/11/08 13:20:39 1.128
+++ pkgsrc/pkgtools/pkgin/Makefile 2024/01/13 12:49:09 1.128.2.1