tech-pkg archive


Re: security/gnutls: link against libunbound for DANE support (patch)



A clarification, as I was asked by leot@ between the lines
to be more specific.

Christian Grothoff (maintainer of both libmicrohttpd and GNUnet):
  We need DANE from GnuTLS as otherwise we cannot validate TLSA records from GNS.
  Basically, GnuTLS does TLS termination in the gnunet-gns-proxy,
  and GNS provides TLSA records.
  So if GnuTLS doesn't support TLSA records, we could not use
  those to improve security.
  MHD (libmicrohttpd) doesn't care about what GnuTLS does,
  it only uses it for unit testing.
  But obviously some applications that use MHD might require
  those TLS features as well.
  So MHD should fully work with GnuTLS *without* DANE support.


ng0 transcribed 3.3K bytes:
> Hi,
> 
> I have not really maintained wip/gnutls, back when I added it
> someone proposed I try and get this into security/gnutls proper.
> 
> In a set of software I work on, we highly prefer GnuTLS built
> against libunbound to get DANE functionality. Right now this
> pulls in at least unbound (and flex via unbound).
> There are plans to eventually not depend on unbound for this
> in GnuTLS itself.
> 
> Would we as pkgsrc prefer for this to be opt-in or opt-out?
> My patch is opt-in but adds a keyword.
> 
> Replies welcome, cvs diff pasted in.
> 
> This is required at least for (as far as I am aware of, the
> projects I work on): gnurl, gnunet, some parts of the software
> suite of Taler maybe, libmicrohttpd. curl can make use of it
> as well (gnurl is a curl micro'ish fork).
> 
> 
> security/gnutls: Add ability to link against libunbound for DANE
> support.
> 
> Index: Makefile
> ===================================================================
> RCS file: /cvsroot/pkgsrc/security/gnutls/Makefile,v
> retrieving revision 1.199
> diff -u -p -r1.199 Makefile
> --- Makefile	16 Sep 2019 00:28:48 -0000	1.199
> +++ Makefile	16 Sep 2019 14:36:00 -0000
> @@ -1,6 +1,7 @@
>  # $NetBSD: Makefile,v 1.199 2019/09/16 00:28:48 nia Exp $
>  
>  DISTNAME=	gnutls-3.6.9
> +PKGREVISION=	1
>  CATEGORIES=	security devel
>  MASTER_SITES=	https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/
>  EXTRACT_SUFX=	.tar.xz
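
Review bot: the PKGREVISION bump at the top of the Makefile needs a stated reason. The new option is off unless the user sets it (options.mk defines no suggested options), so the default file list is unchanged and the only default-build difference is the explicit --disable-libdane. If the bump is there because earlier builds could pick up libunbound through configure auto-detection, say so in the commit message; otherwise consider dropping it.
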
> @@ -31,6 +32,8 @@ CONFIGURE_ARGS+=		--enable-local-libopts
>  CONFIGURE_ARGS.SunOS+=		--disable-hardware-acceleration
>  CONFIGURE_ARGS.FreeBSD+=	ac_cv_type_max_align_t=yes
>  
> +.include "options.mk"
> +
>  TEST_TARGET=		check
>  
>  INFO_FILES=		yes
> Index: PLIST
> ===================================================================
> RCS file: /cvsroot/pkgsrc/security/gnutls/PLIST,v
> retrieving revision 1.65
> diff -u -p -r1.65 PLIST
> --- PLIST	16 Sep 2019 00:28:48 -0000	1.65
> +++ PLIST	16 Sep 2019 14:36:00 -0000
> @@ -1,5 +1,6 @@
>  @comment $NetBSD: PLIST,v 1.65 2019/09/16 00:28:48 nia Exp $
>  bin/certtool
> +${PLIST.unbound}bin/danetool
>  bin/gnutls-cli
>  bin/gnutls-cli-debug
>  bin/gnutls-serv
> @@ -10,6 +11,7 @@ bin/srptool
>  include/gnutls/abstract.h
>  include/gnutls/compat.h
>  include/gnutls/crypto.h
> +${PLIST.unbound}include/gnutls/dane.h
>  include/gnutls/dtls.h
>  include/gnutls/gnutls.h
>  include/gnutls/gnutlsxx.h
> @@ -36,10 +38,17 @@ info/gnutls-modauth.png
>  info/gnutls-x509.png
>  info/gnutls.info
>  info/pkcs11-vision.png
> +${PLIST.unbound}lib/libgnutls-dane.a
> +${PLIST.unbound}lib/libgnutls-dane.la
> +${PLIST.unbound}lib/libgnutls-dane.so
> +${PLIST.unbound}lib/libgnutls-dane.so.0
> +${PLIST.unbound}lib/libgnutls-dane.so.0.4.1
>  lib/libgnutls.la
>  lib/libgnutlsxx.la
> +${PLIST.unbound}lib/pkgconfig/gnutls-dane.pc
>  lib/pkgconfig/gnutls.pc
>  man/man1/certtool.1
> +${PLIST.unbound}man/man1/danetool.1
>  man/man1/gnutls-cli-debug.1
>  man/man1/gnutls-cli.1
>  man/man1/gnutls-serv.1
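
Review bot: the lib/ additions in this hunk list libgnutls-dane.a, .so, .so.0 and .so.0.4.1 explicitly, while the unchanged context right below them carries only lib/libgnutls.la and lib/libgnutlsxx.la. If this PLIST relies on the libtool archive entries being expanded, as those context lines suggest, keep only "${PLIST.unbound}lib/libgnutls-dane.la" so the new library follows the same pattern and the hard-coded 0.4.1 version does not have to be tracked on every update.
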
> Index: options.mk
> ===================================================================
> RCS file: options.mk
> diff -N options.mk
> --- /dev/null	1 Jan 1970 00:00:00 -0000
> +++ options.mk	16 Sep 2019 14:36:00 -0000
> @@ -0,0 +1,15 @@
> +# $NetBSD$
> +
> +PKG_OPTIONS_VAR=	PKG_OPTIONS.gnutls
> +PKG_SUPPORTED_OPTIONS=	unbound
> +PLIST_VARS+=		unbound
> +
> +.include "../../mk/bsd.options.mk"
> +
> +.if !empty(PKG_OPTIONS:Munbound)
> +.include "../../net/unbound/buildlink3.mk"
> +CONFIGURE_ARGS+=	--enable-libdane
> +PLIST.unbound=		yes
> +.else
> +CONFIGURE_ARGS+=	--disable-libdane
> +.endif
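
Review bot: the option name in PKG_SUPPORTED_OPTIONS and PLIST_VARS is tied to the resolver library, while what it toggles is the feature (--enable-libdane / --disable-libdane). The message above says there are plans for GnuTLS to stop depending on unbound for this, so a feature-based name such as "dane" for both the option and the PLIST variable would stay valid if the dependency changes. Separately, no default is set here, so packages that need include/gnutls/dane.h get a GnuTLS without it unless the user sets PKG_OPTIONS.gnutls; that requirement should be documented for those dependents.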

