pkg_install: Use libfetch certificate validation.

Patch from Taylor, imported early due to 2023Q4 freeze.

pkgtools/pkg_install/Makefile

@@ -7,7 +7,6 @@
 # change in the pkg_* tools that pkgsrc relies on for proper operation.
 
 PKGNAME=		pkg_install-${VERSION}
-PKGREVISION=		1
 CATEGORIES=		pkgtools
 
 MAINTAINER=		agc@NetBSD.org

pkgtools/pkg_install/files/admin/audit.c

@@ -318,12 +318,25 @@ fetch_pkg_vulnerabilities(int argc, char **argv)
 		    fetchLastErrString);
 
 	flags = fetch_flags;
+
+	/*
+	 * If the user specified PKGVULNURL=http://... or ftp://... (or
+	 * if that is the default), enable insecure transport to
+	 * download it -- this way we don't break existing setups that
+	 * never expected secure transport in the first place.
+	 *
+	 * If you want secure transport, use https or file URLs.
+	 */
+	if (strcasecmp(url->scheme, SCHEME_HTTP) == 0 ||
+	    strcasecmp(url->scheme, SCHEME_FTP))
+		flags = insecure_fetch_flags;
+
 	if (update_pkg_vuln) {
 		fd = open(pkg_vulnerabilities_file, O_RDONLY);
 		if (fd != -1 && fstat(fd, &sb) != -1) {
 			url->last_modified = sb.st_mtime;
 			snprintf(my_flags, sizeof(my_flags), "%si",
-			    fetch_flags);
+			    flags);
 			flags = my_flags;
 		} else
 			update_pkg_vuln = 0;

pkgtools/pkg_install/files/lib/lib.h

@@ -462,6 +462,7 @@ extern const char *gpg_keyring_sign;
 extern const char *gpg_keyring_verify;
 extern const char *gpg_sign_as;
 extern char fetch_flags[];
+extern char insecure_fetch_flags[];
 
 extern const char *pkg_vulnerabilities_dir;
 extern const char *pkg_vulnerabilities_file;

pkgtools/pkg_install/files/lib/parse-config.c

@@ -58,6 +58,7 @@ static int cache_connections_host = 4;
 const char     *config_file = SYSCONFDIR"/pkg_install.conf";
 
 char fetch_flags[10] = ""; /* Workaround Mac OS X linker issues with BSS */
+char insecure_fetch_flags[10] = "";
 static const char *active_ftp;
 static const char *verbose_netio;
 static const char *ignore_proxy;
@@ -84,6 +85,7 @@ const char *pkg_vulnerabilities_dir;
 const char *pkg_vulnerabilities_file;
 const char *pkg_vulnerabilities_url;
 const char *ignore_advisories = NULL;
+const char *insecure_transport = NULL;
 const char tnf_vulnerability_base[] = "http://cdn.NetBSD.org/pub/NetBSD/packages/vulns";
 const char *acceptable_licenses = NULL;
 
@@ -111,6 +113,7 @@ static struct config_variable {
 	{ "GPG_SIGN_AS", &gpg_sign_as },
 	{ "IGNORE_PROXY", &ignore_proxy },
 	{ "IGNORE_URL", &ignore_advisories },
+	{ "INSECURE_TRANSPORT", &insecure_transport },
 	{ "PKG_DBDIR", &config_pkg_dbdir },
 	{ "PKG_PATH", &config_pkg_path },
 	{ "PKG_REFCOUNT_DBDIR", &config_pkg_refcount_dbdir },
@@ -244,11 +247,15 @@ pkg_install_config(void)
 	fetchConnectionCacheInit(cache_connections, cache_connections_host);
 #endif
 
-	snprintf(fetch_flags, sizeof(fetch_flags), "%s%s%s%s",
+	snprintf(insecure_fetch_flags, sizeof(insecure_fetch_flags),
+	    "%s%s%s%s",
 	    (do_cache_index) ? "c" : "",
 	    (verbose_netio && *verbose_netio) ? "v" : "",
 	    (active_ftp && *active_ftp) ? "a" : "",
 	    (ignore_proxy && *ignore_proxy) ? "d" : "");
+	snprintf(fetch_flags, sizeof(fetch_flags), "%s%s",
+	    insecure_fetch_flags,
+	    (insecure_transport && *insecure_transport) ? "" : "V");
 }
 
 void

pkgtools/pkg_install/files/lib/pkg_install.conf.5.in

@@ -159,6 +159,15 @@ One line per advisory which should be ignored when running
 The URL from the
 .Pa pkg-vulnerabilities
 file should be used as value.
+.It Dv INSECURE_TRANSPORT
+Allow downloads over insecure transport, bypassing certificate
+validation, even if
+.Dv PKG_PATH
+or
+.Dv PKGVULNURL
+is set to an
+.Ql https://
+URL.
 .It Dv PKG_DBDIR (*)
 Location of the packages database.
 This option is always overriden by the argument of the

pkgtools/pkg_install/files/lib/pkg_io.c

@@ -65,6 +65,26 @@ struct pkg_path {
 static char *orig_cwd, *last_toplevel;
 static TAILQ_HEAD(, pkg_path) pkg_path = TAILQ_HEAD_INITIALIZER(pkg_path);
 
+static const char *
+pkg_fetch_flags(const struct url *url)
+{
+
+	/*
+	 * If the user specified PKG_PATH=http://... or ftp://..., or
+	 * passed an http/ftp URL on the command line of a package to
+	 * install, enable insecure transport to download it -- this
+	 * way we don't break existing setups that never expected
+	 * secure transport in the first place.
+	 *
+	 * If you want secure transport, use https or file URLs.
+	 */
+	if (strcasecmp(url->scheme, SCHEME_HTTP) == 0 ||
+	    strcasecmp(url->scheme, SCHEME_FTP) == 0)
+		return insecure_fetch_flags;
+
+	return fetch_flags;
+}
+
 #ifndef BOOTSTRAP
 struct fetch_archive {
 	struct url *url;
@@ -80,7 +100,7 @@ fetch_archive_open(struct archive *a, void *client_data)
 	struct fetch_archive *f = client_data;
 	struct url_stat us;
 
-	f->fetch = fetchXGet(f->url, &us, fetch_flags);
+	f->fetch = fetchXGet(f->url, &us, pkg_fetch_flags(f->url));
 	if (f->fetch == NULL)
 		return ENOENT;
 	f->size = us.size;
@@ -118,7 +138,7 @@ fetch_archive_read(struct archive *a, void *client_data,
 		free(url);
 	}
 	fetchIO_close(f->fetch);
-	f->fetch = fetchXGet(f->url, &us, fetch_flags);
+	f->fetch = fetchXGet(f->url, &us, pkg_fetch_flags(f->url));
 	if (f->fetch == NULL)
 		return -1;
 	if (us.size != f->size)
@@ -255,7 +275,7 @@ find_best_package_int(struct url *url, const char *pattern,
 	url_pattern = xasprintf("%*.*s*", (int)i, (int)i, pattern);
 
 	fetchInitURLList(&ue);
-	if (fetchList(&ue, url, url_pattern, fetch_flags)) {
+	if (fetchList(&ue, url, url_pattern, pkg_fetch_flags(url))) {
 		char *base_url;
 		base_url = fetchStringifyURL(url);
 		warnx("Can't process %s/%s: %s", base_url, url_pattern,

pkgtools/pkg_install/files/lib/version.h

@@ -27,6 +27,6 @@
 #ifndef _INST_LIB_VERSION_H_
 #define _INST_LIB_VERSION_H_
 
-#define PKGTOOLS_VERSION 20211115
+#define PKGTOOLS_VERSION 20231208
 
 #endif /* _INST_LIB_VERSION_H_ */