CVS commit: pkgsrc/security/gnutls

["Taylor R Campbell" <riastradh%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   riastradh
Date:           Tue Jan  7 19:19:34 UTC 2025

Modified Files:
        pkgsrc/security/gnutls: Makefile

Log Message:
security/gnutls: Use system TLS trust anchors.

Until 2018, gnutls would search at _build-time_ for one of various
files /etc/ssl/ca-bundle.pem, /etc/ssl/certs/ca-certificates.crt,
/etc/pki/tls/cert.pem, &c., for trust anchors, and bake that path
into the build product -- or, if none of those existed at build-time,
it would bake _nothing_ into the build product and require programs
doing TLS to specify trust anchors explicitly; the gnutls function
gnutls_x509_trust_list_add_system_trust would fail with
GNUTLS_E_UNIMPLEMENTED_FEATURE.

In 2018, gnutls was changed to depend on mozilla-rootcerts and use
${PREFIX}/share/mozilla-rootcerts/cacert.pem.  This was expedient for
NetBSD which (a) had no trust anchors shipped out of the box until
10.0 but (b) would usually be configured with mozilla-rootcerts
anyway, but wrong, because:

1. The system may manage TLS trust anchors differently, e.g. on
   Fedora they're somewhere in /etc/pki/tls, or even if you install
   trust anchors from pkgsrc you might use security/ca-certificates
   instead of security/mozilla-rootcerts.

2. Even if the system uses Mozilla's trust anchors, there is no way
   for an operator to safely selectively override individual CA
   certificates, like nixing Digi-Notar after their compromise --
   ${PREFIX}/share/mozilla-rootcerts/cacert.pem is a static file that
   is not allowed to change, not an editable configuration file.

With this change, on platforms where mk/ssl.mk defines SSLCERTBUNDLE,
gnutls will look there; on platforms without it, gnutls will revert
to its original default of checking various paths at build-time.  For
systems where the binary packages are built without trust anchors at
build-time, but where there is a fixed path known at build-time where
the trust anchors will be at run-time, mk/ssl.mk should be adapted to
set SSLCERTBUNDLE.

PR pkg/58143: security/gnutls uses wrong trust anchors


To generate a diff of this commit:
cvs rdiff -u -r1.262 -r1.263 pkgsrc/security/gnutls/Makefile

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/gnutls/Makefile
diff -u pkgsrc/security/gnutls/Makefile:1.262 pkgsrc/security/gnutls/Makefile:1.263
--- pkgsrc/security/gnutls/Makefile:1.262       Thu Nov 14 22:21:29 2024
+++ pkgsrc/security/gnutls/Makefile     Tue Jan  7 19:19:33 2025
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.262 2024/11/14 22:21:29 wiz Exp $
+# $NetBSD: Makefile,v 1.263 2025/01/07 19:19:33 riastradh Exp $
 
 DISTNAME=      gnutls-3.8.8
-PKGREVISION=   2
+PKGREVISION=   3
 CATEGORIES=    security devel
 MASTER_SITES=  https://www.gnupg.org/ftp/gcrypt/gnutls/v${PKGVERSION_NOREV:R}/
 EXTRACT_SUFX=  .tar.xz
@@ -11,7 +11,7 @@ HOMEPAGE=     https://www.gnutls.org/
 COMMENT=       Transport Layer Security library
 LICENSE=       gnu-gpl-v3 AND gnu-lgpl-v2.1
 
-DEPENDS+=      mozilla-rootcerts-[0-9]*:../../security/mozilla-rootcerts
+.include "../../mk/ssl.mk"
 
 PLIST_SRC=     PLIST
 
@@ -28,7 +28,7 @@ CONFIGURE_ARGS+=      --disable-openssl-compa
 CONFIGURE_ARGS+=       --without-idn
 CONFIGURE_ARGS+=       --without-tpm
 CONFIGURE_ARGS+=       --disable-valgrind-tests
-CONFIGURE_ARGS+=       --with-default-trust-store-file=${PREFIX}/share/mozilla-rootcerts/cacert.pem
+CONFIGURE_ARGS+=       ${empty(SSLCERTBUNDLE):?:--with-default-trust-store-file=${SSLCERTBUNDLE:Q}}
 CONFIGURE_ARGS+=       --with-libintl-prefix=${BUILDLINK_PREFIX.gettext}
 
 # Assembler support is broken for SunOS in 3.2.9.