pkgsrc-Changes archive


CVS commit: pkgsrc/net/libfetch



Module Name:    pkgsrc
Committed By:   riastradh
Date:           Wed Jan  3 03:54:46 UTC 2024

Modified Files:
        pkgsrc/net/libfetch: Makefile
        pkgsrc/net/libfetch/files: common.c fetch.3

Log Message:
net/libfetch: update to 2.40

Validate HTTPS by default, unless environment variable
SSL_NO_VERIFY_PEER is set (from FreeBSD).

WARNING: This changes the semantics of the library in ways that may
break the functionality of existing callers, even callers that don't
ask to fetch HTTPS URLs -- because HTTP may redirect to HTTPS.

WARNING: This does not guarantee fetching HTTPS URLs will return only
authenticated data from the named host.  If the host redirects to
HTTP or FTP, libfetch will follow the redirect and return
unauthenticated data with no way for the caller to know this has
happened (short of disabling redirects altogether -- including
HTTPS-to-HTTPS redirects -- with the undocumented `A' flag).

That's OK for pkgsrc distfile fetch, since we have checksums stored
in pkgsrc for the distfiles, but makes a simple server
misconfiguration a security vulnerability with pkg_add or pkgin (even
with signed packages, because there's a lot of attack surface between
the transport layer and the package signatures).

Discussion on tech-pkg:
https://mail-index.netbsd.org/tech-pkg/2023/12/09/msg028590.html
https://mail-index.netbsd.org/tech-pkg/2023/12/22/msg028654.html

ok gdt (https://mail-index.netbsd.org/tech-pkg/2023/12/31/msg028733.html)
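As an added example written for this note (not libfetch code, and not part of the commit), the two behaviours the log message describes, modelled in Python's urllib: the getenv(3)-style presence check for SSL_NO_VERIFY_PEER, and a redirect handler that fails closed on the HTTPS-to-HTTP/FTP downgrade the second WARNING describes instead of returning unauthenticated data. The scheme set AUTHENTICATED, the function names and the .test URLs are assumptions of this example.

```python
import os
import ssl
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urlsplit

AUTHENTICATED = {"https"}  # schemes whose payload is certificate-authenticated

def verification_enabled(environ=os.environ):
    # Same test as getenv(3) == NULL in the patch: mere presence of the
    # variable, even with an empty value, turns verification off.
    return "SSL_NO_VERIFY_PEER" not in environ

def make_ssl_context(environ=os.environ):
    ctx = ssl.create_default_context()  # chain and host name checks both on
    if not verification_enabled(environ):
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def redirect_allowed(from_url, to_url):
    # Permit every hop except one that leaves an authenticated origin for an
    # unauthenticated scheme (https -> http or ftp); https -> https is fine.
    src = urlsplit(from_url).scheme.lower()
    dst = urlsplit(to_url).scheme.lower()
    return src not in AUTHENTICATED or dst in AUTHENTICATED

class NoDowngradeRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Follows redirects but fails closed on a downgrade instead of
    silently handing the caller unauthenticated data."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if not redirect_allowed(req.full_url, newurl):
            raise HTTPError(req.full_url, code,
                            "refusing downgrade redirect to " + newurl, headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)

def simulate_redirect(from_url, to_url, code=302):
    """Drive the handler offline: the URL that would be fetched next, or
    None when the hop is refused."""
    try:
        return NoDowngradeRedirectHandler().redirect_request(
            urllib.request.Request(from_url), None, code, "Found", {}, to_url).full_url
    except HTTPError:
        return None

def make_opener(environ=os.environ):
    # For real fetches: urlopen() through this opener validates HTTPS
    # certificates and refuses downgrade redirects.
    https = urllib.request.HTTPSHandler(context=make_ssl_context(environ))
    return urllib.request.build_opener(NoDowngradeRedirectHandler, https)
```

Note that an HTTPS-to-HTTPS hop to a different host is still followed, exactly as libfetch does; only the loss of authentication is refused.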


To generate a diff of this commit:
cvs rdiff -u -r1.64 -r1.65 pkgsrc/net/libfetch/Makefile
cvs rdiff -u -r1.31 -r1.32 pkgsrc/net/libfetch/files/common.c
cvs rdiff -u -r1.17 -r1.18 pkgsrc/net/libfetch/files/fetch.3

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/libfetch/Makefile
diff -u pkgsrc/net/libfetch/Makefile:1.64 pkgsrc/net/libfetch/Makefile:1.65
--- pkgsrc/net/libfetch/Makefile:1.64   Tue Oct 24 22:10:22 2023
+++ pkgsrc/net/libfetch/Makefile        Wed Jan  3 03:54:46 2024
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.64 2023/10/24 22:10:22 wiz Exp $
+# $NetBSD: Makefile,v 1.65 2024/01/03 03:54:46 riastradh Exp $
 
-DISTNAME=      libfetch-2.39
-PKGREVISION=   2
+DISTNAME=      libfetch-2.40
 CATEGORIES=    net
 MASTER_SITES=  # empty
 DISTFILES=     # empty

Index: pkgsrc/net/libfetch/files/common.c
diff -u pkgsrc/net/libfetch/files/common.c:1.31 pkgsrc/net/libfetch/files/common.c:1.32
--- pkgsrc/net/libfetch/files/common.c:1.31     Thu Oct 20 21:25:57 2016
+++ pkgsrc/net/libfetch/files/common.c  Wed Jan  3 03:54:46 2024
@@ -1,4 +1,4 @@
-/*     $NetBSD: common.c,v 1.31 2016/10/20 21:25:57 joerg Exp $        */
+/*     $NetBSD: common.c,v 1.32 2024/01/03 03:54:46 riastradh Exp $    */
 /*-
  * Copyright (c) 1998-2004 Dag-Erling Co�dan Sm�rgrav
  * Copyright (c) 2008, 2010 Joerg Sonnenberger <joerg%NetBSD.org@localhost>
@@ -451,6 +451,10 @@ fetch_ssl(conn_t *conn, const struct url
        conn->ssl_meth = SSLv23_client_method();
        conn->ssl_ctx = SSL_CTX_new(conn->ssl_meth);
        SSL_CTX_set_mode(conn->ssl_ctx, SSL_MODE_AUTO_RETRY);
+       if (getenv("SSL_NO_VERIFY_PEER") == NULL) {
+               SSL_CTX_set_default_verify_paths(conn->ssl_ctx);
+               SSL_CTX_set_verify(conn->ssl_ctx, SSL_VERIFY_PEER, NULL);
+       }
 
        conn->ssl = SSL_new(conn->ssl_ctx);
        if (conn->ssl == NULL){
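Review bot: the return value of SSL_CTX_set_default_verify_paths() is ignored, so on a host with no CA bundle installed the context is silently left with an empty trust store and every HTTPS handshake fails later with an unhelpful X509 error; check it here and report the failure through fetch_ssl()'s existing error path. Also, SSL_VERIFY_PEER only establishes that the chain ends at a trusted root: nothing in this hunk binds the peer certificate to the URL's host (for example SSL_set1_host() or X509_VERIFY_PARAM_set1_host() before the handshake), so confirm the host name is checked elsewhere, otherwise any certificate from a trusted CA is accepted for any host. Finally, getenv() != NULL means an empty `SSL_NO_VERIFY_PEER=` disables verification too; that matches the "If defined" wording in fetch.3, but a one-line comment here would save the next reader from assuming the value is inspected.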

Index: pkgsrc/net/libfetch/files/fetch.3
diff -u pkgsrc/net/libfetch/files/fetch.3:1.17 pkgsrc/net/libfetch/files/fetch.3:1.18
--- pkgsrc/net/libfetch/files/fetch.3:1.17      Tue May 31 18:02:36 2016
+++ pkgsrc/net/libfetch/files/fetch.3   Wed Jan  3 03:54:46 2024
@@ -25,9 +25,9 @@
 .\" SUCH DAMAGE.
 .\"
 .\" $FreeBSD: fetch.3,v 1.64 2007/12/18 11:03:26 des Exp $
-.\" $NetBSD: fetch.3,v 1.17 2016/05/31 18:02:36 abhinav Exp $
+.\" $NetBSD: fetch.3,v 1.18 2024/01/03 03:54:46 riastradh Exp $
 .\"
-.Dd January 22, 2010
+.Dd December 22, 2023
 .Dt FETCH 3
 .Os
 .Sh NAME
@@ -638,6 +638,10 @@ which proxies should not be used.
 Same as
 .Ev NO_PROXY ,
 for compatibility.
+.It Ev SSL_NO_VERIFY_PEER
+If defined,
+.Nm
+will skip validating certificates when fetching HTTPS URLs.
 .El
 .Sh EXAMPLES
 To access a proxy server on
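Review bot: the new .It entry documents only the opt-out; the manual still says nothing about the new default (certificates are now validated unless SSL_NO_VERIFY_PEER is set) or about the caveat in the commit message that a redirect from HTTPS to HTTP or FTP is followed and returns unauthenticated data with no indication to the caller. Add a sentence to this entry stating the default, and describe the downgrade-redirect behaviour in a CAVEATS section or wherever redirects are documented, so callers such as pkg_add can see what the validation does and does not guarantee.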


