pkgsrc-Changes archive
CVS commit: pkgsrc/mk
Module Name: pkgsrc
Committed By: riastradh
Date: Tue Jan 7 19:18:08 UTC 2025
Added Files:
pkgsrc/mk: ssl.mk ssldir.mk
Log Message:
mk/ssl.mk, mk/ssldir.mk: New files to define some TLS-related paths.
Nothing uses these new files yet, so this cannot break anything.
Packages should opt into using this as they are tested with it -- in
particular, www/curl may need some care because on NetBSD this
changes SSLCERTBUNDLE from undefined (and functionally empty) to a
path, which affects how www/curl builds (but only www/curl as far as
I can tell).
Packages can include "../../mk/ssl.mk" to get at the following
variables for TLS-related paths, with the following current values:
    SSLDIR          directory where TLS-related files live
                    NetBSD:  /etc/openssl (even for, say, gnutls)
                    Fedora:  /etc/pki/tls
                    Haiku:   /boot/system/data/ssl or /boot/common/data/ssl
                    Others:  /etc/ssl

    SSLCERTS        TLS trust anchors in OpenSSL hashed cert directory
                    Everywhere: ${SSLDIR}/certs

    SSLCERTBUNDLE   TLS trust anchors in single-file concatenated PEM
                    NetBSD:  ${SSLDIR}/certs/ca-certificates.crt (*)
                    Others:  ${SSLDIR}/certs/ca-bundle.crt if exists

    SSLKEYS         directory of per-service TLS private keys
                    Everywhere: ${SSLDIR}/private
This logic is extracted almost verbatim (modulo indentation) from
security/openssl/builtin.mk, split into two files because of how SSLDIR
is conditional on builtin vs non-builtin OpenSSL.
(*) The one difference is: On NetBSD, SSLCERTBUNDLE is
/etc/openssl/certs/ca-certificates.crt, not undefined.
Why /etc/openssl on NetBSD, even though it is used by
non-OpenSSL applications?
=> Upstream OpenSSL uses /etc/ssl by default, but NetBSD's OpenSSL
has been built to use /etc/openssl for decades. Other systems
have expanded the domain of the path /etc/ssl to non-OpenSSL
software, or changed it to /etc/pki/tls, but the name stuck as
/etc/openssl on NetBSD, and it has carried over to any systems
using security/mozilla-rootcerts or security/ca-certificates.
To keep this change narrowly scoped to what I can test, I'm
limiting it to NetBSD for now -- but this is worth revisiting for
other operating systems if pkgsrc has traditionally been used on
those systems with security/mozilla-rootcerts instead of
OS-provided trust anchors.
=> In NetBSD>=10, certctl(8) manages trust anchors under
/etc/openssl/certs out of the box -- this was chosen to match
existing practice on NetBSD so most existing applications would
continue to work unmodified.
Why ${SSLDIR}/certs/ca-certificates.crt instead of
${SSLDIR}/certs/ca-bundle.crt on NetBSD?
=> The security/mozilla-rootcerts `mozilla-rootcerts install' command
has used the file name `ca-certificates.crt' for over a decade,
since mozilla-rootcerts-1.0.20121229nb1 back in 2013; likewise the
security/mozilla-rootcerts-openssl package since it was introduced
in 2015.
(Originally it put this in /etc/ssl/certs/ca-certificates.crt
instead of /etc/openssl/certs/ca-certificates.crt, but that was
changed in mozilla-rootcerts-1.0.20170121nb3 back in 2017,
presumably so it would match how NetBSD ships OpenSSL (except when
using pkgsrc OpenSSL, in which case it uses
${PKG_SYSCONFDIR}/openssl/certs/ca-certificates.crt). That
compatibility break happened long enough ago that I don't think
it's worth trying to restore anything about it -- and we can
probably safely ditch any patches that point, e.g., Go at
/etc/ssl/certs/ca-certificates.crt at this point.)
=> In NetBSD>=10, certctl(8) puts this file at
/etc/openssl/certs/ca-certificates.crt out of the box -- this was
chosen to match existing practice on NetBSD so most existing
applications would continue to work unmodified.
Preparation for (among other fixes):
PR pkg/58143: security/gnutls uses wrong trust anchors
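As an added example (not part of this commit or of any pkgsrc package), this is how a package that links against a non-OpenSSL TLS library could opt into the variables described above: it includes mk/ssl.mk and hands the paths to configure, handling the case the log message calls out where SSLCERTBUNDLE is undefined or empty. The package itself is hypothetical; the configure option names are GnuTLS's own and are used purely to illustrate the pattern behind PR pkg/58143.

```make
# Hypothetical fragment of a pkgsrc package Makefile (added example).
# Opting into mk/ssl.mk makes the TLS library read the host's trust
# anchors rather than a compiled-in upstream default such as
# /etc/ssl/certs, which does not exist on NetBSD (it uses /etc/openssl).
.include "../../mk/ssl.mk"

# Hashed certificate directory: mk/ssl.mk always defines SSLCERTS.
CONFIGURE_ARGS+=	--with-default-trust-store-dir=${SSLCERTS}

# Single-file PEM bundle: mk/ssl.mk leaves SSLCERTBUNDLE undefined where
# the OS ships none (everywhere but NetBSD unless ca-bundle.crt exists),
# and bmake's empty() is true for an undefined variable, so this guard
# passes the option only when a real path was resolved.
.if !empty(SSLCERTBUNDLE)
CONFIGURE_ARGS+=	--with-default-trust-store-file=${SSLCERTBUNDLE}
.endif

.include "../../mk/bsd.pkg.mk"
```

Because mk/ssl.mk already adds SSLDIR, SSLCERTS, SSLCERTBUNDLE and SSLKEYS to BUILD_DEFS, the paths chosen at build time are recorded in the binary package and can be inspected with pkg_info -B when a host's trust store does not match.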
To generate a diff of this commit:
cvs rdiff -u -r0 -r1.1 pkgsrc/mk/ssl.mk pkgsrc/mk/ssldir.mk
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Added files:
Index: pkgsrc/mk/ssl.mk
diff -u /dev/null pkgsrc/mk/ssl.mk:1.1
--- /dev/null Tue Jan 7 19:18:08 2025
+++ pkgsrc/mk/ssl.mk Tue Jan 7 19:18:07 2025
@@ -0,0 +1,49 @@
+# $NetBSD: ssl.mk,v 1.1 2025/01/07 19:18:07 riastradh Exp $
+
+# SSL/TLS-related paths for trust anchors, certificates, private keys.
+#
+# Packages should normally include security/openssl/buildlink3.mk or
+# similar, not mk/ssl.mk, for these variables.
+#
+# System-defined variables:
+#
+# SSLDIR
+# Path to directory where TLS-related files, including trust
+# anchors (CA certificates) and sometimes private keys, are
+# stored.
+#
+# Normally SSLDIR is defined by mk/ssldir.mk, but it may be
+# defined differently by security/openssl/builtin.mk when using
+# OpenSSL from pkgsrc instead of builtin.
+#
+# SSLCERTS
+# Path to directory of TLS trust anchors in OpenSSL hashed
+# certificate format (see openssl_rehash(1)).
+#
+# SSLCERTBUNDLE
+# Path to file of TLS trust anchors in concatenated PEM bundle
+# format. Undefined or empty if the host OS does not ship one.
+#
+# SSLKEYS
+# Path to directory of per-service TLS private keys.
+#
+
+.ifndef SSLDIR
+. include "ssldir.mk"
+.endif
+
+.include "bsd.fast.prefs.mk"
+
+SSLCERTS= ${SSLDIR}/certs
+# Some systems use CA bundles instead of files and hashed symlinks.
+# Continue to define SSLCERTS because it's unclear if that's the
+# directory that has one file per cert, or the directory that contains
+# trust anchor config in some fortm.
+.if ${OPSYS} == "NetBSD"
+SSLCERTBUNDLE= ${SSLDIR}/certs/ca-certificates.crt
+.elif exists(${_CROSS_DESTDIR:U}${SSLDIR}/certs/ca-bundle.crt)
+SSLCERTBUNDLE= ${SSLDIR}/certs/ca-bundle.crt
+.endif
+SSLKEYS= ${SSLDIR}/private
+
+BUILD_DEFS+= SSLDIR SSLCERTS SSLCERTBUNDLE SSLKEYS
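Review bot: typo in the SSLCERTS comment, `# trust anchor config in some fortm.` should read `form`. More substantively, the header comment `# Packages should normally include security/openssl/buildlink3.mk or` / `# similar, not mk/ssl.mk, for these variables.` sits oddly with the log message, which invites packages to include ../../mk/ssl.mk and names security/gnutls (a non-OpenSSL consumer) as the motivating fix; suggest rewording it to say when mk/ssl.mk is the right include (TLS consumers that do not link against OpenSSL) so the file and the log message do not appear to contradict each other. It would also help to note beside `.if ${OPSYS} == "NetBSD"` that SSLCERTBUNDLE is deliberately set without an exists() check, since that decision is justified at length in the log message but not in the file that future readers will actually open.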
Index: pkgsrc/mk/ssldir.mk
diff -u /dev/null pkgsrc/mk/ssldir.mk:1.1
--- /dev/null Tue Jan 7 19:18:08 2025
+++ pkgsrc/mk/ssldir.mk Tue Jan 7 19:18:07 2025
@@ -0,0 +1,29 @@
+# $NetBSD: ssldir.mk,v 1.1 2025/01/07 19:18:07 riastradh Exp $
+
+# used by ssl.mk
+# used by ../security/openssl/builtin.mk
+#
+# Packages should not include this file directly. Instead, they should
+# include either security/openssl/buildlink3.mk or mk/ssl.mk.
+
+.include "bsd.fast.prefs.mk"
+
+.if ${OPSYS} == "NetBSD"
+SSLDIR= /etc/openssl
+.elif ${OPSYS} == "Linux"
+. if exists(${_CROSS_DESTDIR:U}/etc/pki/tls)
+# Some distributions have moved to /etc/pki/tls, with incomplete
+# symlinks from /etc/ssl. Prefer the new location if it exists
+SSLDIR= /etc/pki/tls
+. else
+SSLDIR= /etc/ssl # standard location
+. endif
+.elif ${OPSYS} == "Haiku"
+. if exists(${_CROSS_DESTDIR:U}/boot/system/data/ssl)
+SSLDIR= /boot/system/data/ssl
+. else
+SSLDIR= /boot/common/data/ssl
+. endif
+.else
+SSLDIR= /etc/ssl # most likely place
+.endif
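Review bot: the `exists()` tests at `. if exists(${_CROSS_DESTDIR:U}/etc/pki/tls)` and `. if exists(${_CROSS_DESTDIR:U}/boot/system/data/ssl)` are evaluated on the build host, so a binary package built on a Linux distribution that has /etc/pki/tls bakes that SSLDIR into the package and would point at a missing or stale trust store when installed on a host that only has /etc/ssl; worth a comment stating that SSLDIR is a build-time decision (and that consumers should check the recorded BUILD_DEFS value rather than assume it), since nothing in this file says so. Two style nits in the same hunk: the comment ending `Prefer the new location if it exists` is missing its period, and the trailing `# standard location` and `# most likely place` comments say slightly different things about the same /etc/ssl fallback; aligning them (or moving both onto their own comment lines) would read more clearly.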