Hello people,

Daniel Kahn Gillmor <d...@fifthhorseman.net> (2015-03-24):
> On Tue 2015-03-24 16:01:20 -0500, Cyril Brulebois wrote:
> > (Background: This issue has just been pointed out to me after a GNUnet
> > conference. At least one developer there is interested in seeing a fix
> > reach the archive.)
> >
> >  1. Not having looked too much at unbound yet, it seems to indeed
> >     support NSS instead of OpenSSL, so one might think about switching
> >     to it to get rid of (possible) OpenSSL license incompatibilities.
> >
> >  2. A softer way might be to build an NSS variant of the unbound library
> >     alongside with the OpenSSL (current/default) one, so that packages
> >     like GnuTLS can pull it instead, and deliver DANE support.
> >
> >  3. Yet another way might be to teach unbound to support GnuTLS in
> >     addition to OpenSSL and NSS, so that one can build a GnuTLS variant
> >     instead of an NSS one.
> >
> > Solution 1 seems harsh and could possibly break rdepends; solution 2
> > seems safer and only a (small?) matter of packaging; solution 3 might
> > involve some bits of coding, and might cause tests entanglements in
> > configure.ac.
> >
> > Thoughts? Should I look into patching unbound to support solution 2?
> 
> I think option 2 is the simplest, shortest-path option for now, though
> the idea that installing libgnutls28 brings in libnss3 as a dependency
> seems rather ugly to me.

so I've spent a few moments trying to get stuff to build and see how it
goes. I'm particularly unimpressed with the resulting patches, but they
might at least be useful to someone who would like to try a bit harder
to get stuff into shape, and/or who would like to toy around locally.

The unbound patch introduces an NSS variant of libunbound, which I didn't
try to make co-installable along with the regular one.

The gnutls28 patch enables libdane, which in turn depends on the NSS
variant of libunbound. I'm not sure how much it would take to make this
package optional (so that gnutls28 doesn't pull it and NSS along by
default, yet letting users install it if they so wish).

The end result is error messages while trying to validate the domain
mentioned at the beginning of this bug report (www.nic.cz)… at the
moment, besides installing the resulting binary packages, I had to copy
/usr/share/dns/root.key under /etc/unbound/
| $ danetool --check=www.nic.cz
| Querying DNS for www.nic.cz (tcp:443)...
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519379] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519379] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519379] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| [1428519379] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown 
code ___f 65
| dane_query_tlsa: The DNSSEC signature is invalid.
| Resolving 'www.nic.cz'...
| Obtaining certificate from '2001:1488:0:3::2:443'...

Since I really don't know anything on that topic, and since I'm running
out of free time I won't be looking more into it, or investigating
long(er)term plans which were mentioned by Robert.

Mraw,
KiBi.
diff -Nru unbound-1.4.22/debian/changelog unbound-1.4.22/debian/changelog
--- unbound-1.4.22/debian/changelog	2014-12-09 23:55:16.000000000 +0100
+++ unbound-1.4.22/debian/changelog	2015-04-08 20:10:16.000000000 +0200
@@ -1,3 +1,15 @@
+unbound (1.4.22-3.1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Add libnss3-dev build-dep.
+  * Add a third build with nss.
+  * Drop hardcoded -lssl for libunbound.la in Makefile.in, and use an
+    extra SSL_LIBS variable set with this flag when openssl is used.
+  * Add libunbound2-nss and libunbound-nss-dev (conflicting against the
+    regular ones since the SONAME and the paths haven't been changed).
+
+ -- Cyril Brulebois <k...@debian.org>  Tue, 07 Apr 2015 03:05:10 +0200
+
 unbound (1.4.22-3) unstable; urgency=medium
 
   * Fix CVE-2014-8602: denial of service by making resolver chase endless
diff -Nru unbound-1.4.22/debian/control unbound-1.4.22/debian/control
--- unbound-1.4.22/debian/control	2014-12-09 23:55:16.000000000 +0100
+++ unbound-1.4.22/debian/control	2015-04-08 20:07:40.000000000 +0200
@@ -11,6 +11,7 @@
  libtool,
  flex,
  bison,
+ libnss3-dev,
  libssl-dev,
  libevent-dev,
  libexpat1-dev,
@@ -76,6 +77,35 @@
  hostnames to IP addresses and back and obtain other information from the
  DNS. Cryptographic validation of results is performed with DNSSEC.
 
+Package: libunbound2-nss
+Section: libs
+Architecture: any
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Pre-Depends: ${misc:Pre-Depends}
+Conflicts: libunbound2
+Multi-Arch: same
+Description: library implementing DNS resolution and validation
+ libunbound performs and validates DNS lookups; it can be used to convert
+ hostnames to IP addresses and back and obtain other information from the
+ DNS. Cryptographic validation of results is performed with DNSSEC.
+ .
+ This version is linked against the NSS library.
+
+Package: libunbound-nss-dev
+Section: libdevel
+Architecture: any
+Depends: ${misc:Depends}, libunbound2-nss (= ${binary:Version})
+Conflicts: libunbound-dev
+Multi-Arch: same
+Description: static library, header files, and docs for libunbound
+ Static library, header files, and documentation for libunbound.
+ .
+ libunbound performs and validates DNS lookups; it can be used to convert
+ hostnames to IP addresses and back and obtain other information from the
+ DNS. Cryptographic validation of results is performed with DNSSEC.
+ .
+ This version is linked against the NSS library.
+
 Package: python-unbound
 Section: python
 Architecture: any
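Review bot: "Conflicts: libunbound2" on libunbound2-nss (and "Conflicts:
libunbound-dev" on libunbound-nss-dev) makes the NSS variant mutually
exclusive with the regular library, so a package linked against the NSS
build cannot be installed next to anything that depends on libunbound2.
The changelog gives the unchanged SONAME and paths as the reason;
building the NSS variant under a distinct library name, or installing it
into a private directory, would remove the need for the Conflicts and
make the two packages co-installable.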
diff -Nru unbound-1.4.22/debian/patches/debian-changes unbound-1.4.22/debian/patches/debian-changes
--- unbound-1.4.22/debian/patches/debian-changes	2014-12-09 23:58:56.000000000 +0100
+++ unbound-1.4.22/debian/patches/debian-changes	2015-04-08 20:10:44.000000000 +0200
@@ -238,3 +238,136 @@
  	cfg->control_ifs = NULL;
  	cfg->control_port = UNBOUND_CONTROL_PORT;
  	cfg->minimal_responses = 0;
+--- unbound-1.4.22.orig/Makefile.in
++++ unbound-1.4.22/Makefile.in
+@@ -52,6 +52,7 @@ CC=@CC@
+ CPPFLAGS=-I. @CPPFLAGS@
+ CFLAGS=@CFLAGS@
+ LDFLAGS=@LDFLAGS@
++SSL_LIBS=@SSL_LIBS@
+ LIBS=@LIBS@
+ LIBOBJS=@LIBOBJS@
+ # filter out ctime_r from compat obj.
+@@ -286,22 +287,22 @@ longtest:	tests
+ lib:	libunbound.la unbound.h
+ 
+ libunbound.la:	$(LIBUNBOUND_OBJ_LINK)
+-	$(LINK_LIB) $(UBSYMS) -o $@ $(LIBUNBOUND_OBJ_LINK) -rpath $(libdir) -lssl $(LIBS)
++	$(LINK_LIB) $(UBSYMS) -o $@ $(LIBUNBOUND_OBJ_LINK) -rpath $(libdir) $(SSL_LIBS) $(LIBS)
+ 
+ unbound$(EXEEXT):	$(DAEMON_OBJ_LINK) libunbound.la
+-	$(LINK) -o $@ $(DAEMON_OBJ_LINK) $(EXTRALINK) -lssl $(LIBS)
++	$(LINK) -o $@ $(DAEMON_OBJ_LINK) $(EXTRALINK) $(SSL_LIBS) $(LIBS)
+ 
+ unbound-checkconf$(EXEEXT):	$(CHECKCONF_OBJ_LINK) libunbound.la
+-	$(LINK) -o $@ $(CHECKCONF_OBJ_LINK) $(EXTRALINK) -lssl $(LIBS)
++	$(LINK) -o $@ $(CHECKCONF_OBJ_LINK) $(EXTRALINK) $(SSL_LIBS) $(LIBS)
+ 
+ unbound-control$(EXEEXT):	$(CONTROL_OBJ_LINK) libunbound.la
+-	$(LINK) -o $@ $(CONTROL_OBJ_LINK) $(EXTRALINK) -lssl $(LIBS)
++	$(LINK) -o $@ $(CONTROL_OBJ_LINK) $(EXTRALINK) $(SSL_LIBS) $(LIBS)
+ 
+ unbound-host$(EXEEXT):	$(HOST_OBJ_LINK) libunbound.la
+ 	$(LINK) -o $@ $(HOST_OBJ_LINK) -L. -L.libs -lunbound $(LIBS)
+ 
+ unbound-anchor$(EXEEXT):	$(UBANCHOR_OBJ_LINK) libunbound.la
+-	$(LINK) -o $@ $(UBANCHOR_OBJ_LINK) -L. -L.libs -lunbound -lexpat -lssl $(LIBS)
++	$(LINK) -o $@ $(UBANCHOR_OBJ_LINK) -L. -L.libs -lunbound -lexpat $(SSL_LIBS) $(LIBS)
+ 
+ unbound-service-install$(EXEEXT):	$(SVCINST_OBJ_LINK)
+ 	$(LINK) -o $@ $(SVCINST_OBJ_LINK) $(LIBS)
+@@ -313,37 +314,37 @@ anchor-update$(EXEEXT):  $(ANCHORUPD_OBJ
+ 	$(LINK) -o $@ $(ANCHORUPD_OBJ_LINK) -L. -L.libs -lunbound $(LIBS)
+ 
+ unittest$(EXEEXT):	$(UNITTEST_OBJ_LINK)
+-	$(LINK) -o $@ $(UNITTEST_OBJ_LINK) -lssl $(LIBS)
++	$(LINK) -o $@ $(UNITTEST_OBJ_LINK) $(SSL_LIBS) $(LIBS)
+ 
+ testbound$(EXEEXT):	$(TESTBOUND_OBJ_LINK)
+-	$(LINK) -o $@ $(TESTBOUND_OBJ_LINK) -lssl $(LIBS)
++	$(LINK) -o $@ $(TESTBOUND_OBJ_LINK) $(SSL_LIBS) $(LIBS)
+ 
+ lock-verify$(EXEEXT):	$(LOCKVERIFY_OBJ_LINK)
+-	$(LINK) -o $@ $(LOCKVERIFY_OBJ_LINK) -lssl $(LIBS)
++	$(LINK) -o $@ $(LOCKVERIFY_OBJ_LINK) $(SSL_LIBS) $(LIBS)
+ 
+ petal$(EXEEXT):	$(PETAL_OBJ_LINK)
+-	$(LINK) -o $@ $(PETAL_OBJ_LINK) -lssl $(LIBS)
++	$(LINK) -o $@ $(PETAL_OBJ_LINK) $(SSL_LIBS) $(LIBS)
+ 
+ pktview$(EXEEXT):	$(PKTVIEW_OBJ_LINK)
+-	$(LINK) -o $@ $(PKTVIEW_OBJ_LINK) -lssl $(LIBS)
++	$(LINK) -o $@ $(PKTVIEW_OBJ_LINK) $(SSL_LIBS) $(LIBS)
+ 
+ memstats$(EXEEXT):	$(MEMSTATS_OBJ_LINK)
+-	$(LINK) -o $@ $(MEMSTATS_OBJ_LINK) -lssl $(LIBS)
++	$(LINK) -o $@ $(MEMSTATS_OBJ_LINK) $(SSL_LIBS) $(LIBS)
+ 
+ asynclook$(EXEEXT):	$(ASYNCLOOK_OBJ_LINK) libunbound.la
+ 	$(LINK) -o $@ $(ASYNCLOOK_OBJ_LINK) $(LIBS) -L. -L.libs -lunbound
+ 
+ streamtcp$(EXEEXT):	$(STREAMTCP_OBJ_LINK)
+-	$(LINK) -o $@ $(STREAMTCP_OBJ_LINK) -lssl $(LIBS)
++	$(LINK) -o $@ $(STREAMTCP_OBJ_LINK) $(SSL_LIBS) $(LIBS)
+ 
+ perf$(EXEEXT):	$(PERF_OBJ_LINK)
+-	$(LINK) -o $@ $(PERF_OBJ_LINK) -lssl $(LIBS)
++	$(LINK) -o $@ $(PERF_OBJ_LINK) $(SSL_LIBS) $(LIBS)
+ 
+ delayer$(EXEEXT):	$(DELAYER_OBJ_LINK)
+-	$(LINK) -o $@ $(DELAYER_OBJ_LINK) -lssl $(LIBS)
++	$(LINK) -o $@ $(DELAYER_OBJ_LINK) $(SSL_LIBS) $(LIBS)
+ 
+ signit$(EXEEXT):	testcode/signit.c
+-	$(CC) $(CPPFLAGS) $(CFLAGS) -o $@ testcode/signit.c $(LDFLAGS) -lldns -lssl $(LIBS)
++	$(CC) $(CPPFLAGS) $(CFLAGS) -o $@ testcode/signit.c $(LDFLAGS) -lldns $(SSL_LIBS) $(LIBS)
+ 
+ unbound.h:	$(srcdir)/libunbound/unbound.h
+ 	sed -e 's/@''UNBOUND_VERSION_MAJOR@/$(UNBOUND_VERSION_MAJOR)/' -e 's/@''UNBOUND_VERSION_MINOR@/$(UNBOUND_VERSION_MINOR)/' -e 's/@''UNBOUND_VERSION_MICRO@/$(UNBOUND_VERSION_MICRO)/' < $(srcdir)/libunbound/unbound.h > $@
+--- unbound-1.4.22.orig/configure.ac
++++ unbound-1.4.22/configure.ac
+@@ -551,13 +551,13 @@ AC_ARG_WITH([nss], AC_HELP_STRING([--wit
+ 	USE_NSS="yes"
+ 	AC_DEFINE(HAVE_NSS, 1, [Use libnss for crypto])
+ 	if test "$withval" != "" -a "$withval" != "yes"; then
+-		CPPFLAGS="$CPPFLAGS -I$withval/include/nss3"
++		CPPFLAGS="$CPPFLAGS -I$withval/include/nss"
+ 		LDFLAGS="$LDFLAGS -L$withval/lib"
+ 		ACX_RUNTIME_PATH_ADD([$withval/lib])
+-		CPPFLAGS="-I$withval/include/nspr4 $CPPFLAGS"
++		CPPFLAGS="-I$withval/include/nspr $CPPFLAGS"
+ 	else
+-		CPPFLAGS="$CPPFLAGS -I/usr/include/nss3"
+-		CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS"
++		CPPFLAGS="$CPPFLAGS -I/usr/include/nss"
++		CPPFLAGS="-I/usr/include/nspr $CPPFLAGS"
+ 	fi
+         LIBS="$LIBS -lnss3 -lnspr4"
+ 	]
+@@ -590,6 +590,8 @@ AC_INCLUDES_DEFAULT
+ #include <openssl/ssl.h>
+ #include <openssl/evp.h>
+ ])
++SSL_LIBS="-lssl"
++AC_SUBST(SSL_LIBS)
+ fi
+ 
+ 
+--- unbound-1.4.22.orig/util/random.c
++++ unbound-1.4.22/util/random.c
+@@ -67,10 +67,12 @@
+ #include <openssl/err.h>
+ #elif defined(HAVE_NSS)
+ /* nspr4 */
+-#include "prerror.h"
++//#include "prerror.h"
++#include <nspr/prerror.h>
+ /* nss3 */
+-#include "secport.h"
+-#include "pk11pub.h"
++//#include "secport.h"
++//#include "pk11pub.h"
++#include <nss/pk11pub.h>
+ #endif
+ 
+ /** 
diff -Nru unbound-1.4.22/debian/rules unbound-1.4.22/debian/rules
--- unbound-1.4.22/debian/rules	2014-12-09 23:55:16.000000000 +0100
+++ unbound-1.4.22/debian/rules	2015-04-08 20:08:32.000000000 +0200
@@ -14,6 +14,7 @@
 include /usr/share/dpkg/buildflags.mk
 
 clean:
+	rm -rf debian/tmp-nss
 	dh_autotools-dev_restoreconfig
 	dh_autoreconf_clean
 	dh clean
@@ -66,6 +67,23 @@
 	$(MAKE)
 	$(MAKE) install DESTDIR="$(CURDIR)/debian/tmp"
 
+	$(MAKE) clean
+
+	# third build -- build libunbound against nss and utilities, without extra dependencies
+	CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" ./configure \
+		--prefix=/usr \
+		--sysconfdir=/etc \
+		--disable-rpath \
+		--without-libevent \
+		--without-pythonmodule \
+		--without-pyunbound \
+		--with-nss \
+		--with-libunbound-only \
+		--libdir=/usr/lib/$(DEB_HOST_MULTIARCH)
+
+	$(MAKE)
+	$(MAKE) install DESTDIR="$(CURDIR)/debian/tmp-nss"
+
 	dh_installdirs
 
 	dh_installinit --error-handler=true --restart-after-upgrade
@@ -74,6 +92,7 @@
 	install -m 0755 debian/resolvconf debian/unbound/etc/resolvconf/update.d/unbound
 	install -m 0644 doc/example.conf debian/unbound/usr/share/doc/unbound/examples/unbound.conf
 
+	# Regular library:
 	mkdir -p debian/libunbound-dev/usr/lib/$(DEB_HOST_MULTIARCH)
 	mv \
 		debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libunbound.a \
@@ -86,6 +105,19 @@
 		debian/$(LIBRARY)/usr/lib/$(DEB_HOST_MULTIARCH)
 	chmod 0644 debian/$(LIBRARY)/usr/lib/$(DEB_HOST_MULTIARCH)/*
 
+	# NSS variant:
+	mkdir -p debian/libunbound-nss-dev/usr/lib/$(DEB_HOST_MULTIARCH)
+	mv \
+		debian/tmp-nss/usr/lib/$(DEB_HOST_MULTIARCH)/libunbound.a \
+		debian/tmp-nss/usr/lib/$(DEB_HOST_MULTIARCH)/libunbound.so \
+		debian/libunbound-nss-dev/usr/lib/$(DEB_HOST_MULTIARCH)
+
+	mkdir -p debian/$(LIBRARY)-nss/usr/lib/$(DEB_HOST_MULTIARCH)
+	mv \
+		debian/tmp-nss/usr/lib/$(DEB_HOST_MULTIARCH)/*.so.* \
+		debian/$(LIBRARY)-nss/usr/lib/$(DEB_HOST_MULTIARCH)
+	chmod 0644 debian/$(LIBRARY)-nss/usr/lib/$(DEB_HOST_MULTIARCH)/*
+
 	dh_install
 	dh_installchangelogs
 	dh_installdocs
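Review bot: only libunbound.a and libunbound.so are moved from
debian/tmp-nss into libunbound-nss-dev in the "NSS variant" block, while
the package description in debian/control promises header files and
documentation as well. Check that unbound.h from the NSS build ends up
in libunbound-nss-dev, for instance by moving it here too, since
dh_install looks in debian/tmp by default and not in debian/tmp-nss.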
diff -Nru gnutls28-3.3.8/debian/changelog gnutls28-3.3.8/debian/changelog
--- gnutls28-3.3.8/debian/changelog	2015-02-28 14:24:37.000000000 +0100
+++ gnutls28-3.3.8/debian/changelog	2015-04-08 20:20:51.000000000 +0200
@@ -1,3 +1,13 @@
+gnutls28 (3.3.8-6.1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * No idea what I'm doing but anyway:
+    + Enable libdane.
+    + Add a build-dep on libunbound-nss-dev.
+    + Ship an extra libgnutls-dane package.
+
+ -- Cyril Brulebois <k...@debian.org>  Wed, 08 Apr 2015 20:17:38 +0200
+
 gnutls28 (3.3.8-6) unstable; urgency=medium
 
   * 39_check-whether-the-two-signatur.patch: Pull and unfuzz
diff -Nru gnutls28-3.3.8/debian/control gnutls28-3.3.8/debian/control
--- gnutls28-3.3.8/debian/control	2015-02-28 14:12:46.000000000 +0100
+++ gnutls28-3.3.8/debian/control	2015-04-08 20:20:33.000000000 +0200
@@ -10,7 +10,7 @@
  libtasn1-6-dev (>= 3.9), autotools-dev, guile-2.0-dev [!ia64 !m68k], datefudge,
  libp11-kit-dev (>= 0.20.7), pkg-config, chrpath, libidn11-dev,
  autogen (>= 1:5.16-0), bison, dh-autoreconf, libgmp-dev (>= 2:6),
- libopts25-dev
+ libopts25-dev, libunbound-nss-dev
 # The b-d on libgmp-dev is not technically necessary, since nettle brings
 # it along. However we want to enforce that gnutls is only built if the
 # dual-licensed GMP is available, otherwise the resulting binary
@@ -84,6 +84,14 @@
  .
  This package contains the main runtime library.
 
+Package: libgnutls-dane
+Priority: extra
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends},
+Multi-Arch: same
+Description: GNU TLS library - DANE support
+ I have no idea what I'm doing.
+
 Package: libgnutls28-dbg
 Priority: extra
 Architecture: any
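Review bot: the libgnutls-dane stanza still carries the placeholder
description "I have no idea what I'm doing.", ends its Depends line with
a trailing comma, and has no Section field. Write a real synopsis and
long description, drop the comma, and name the package after the
library's SONAME version, as libgnutls-deb0-28, libgnutlsxx28 and
libgnutls-openssl27 are, so that a later SONAME bump can be handled by a
package rename.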
diff -Nru gnutls28-3.3.8/debian/libgnutls-dane.install gnutls28-3.3.8/debian/libgnutls-dane.install
--- gnutls28-3.3.8/debian/libgnutls-dane.install	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.3.8/debian/libgnutls-dane.install	2015-04-07 05:00:54.000000000 +0200
@@ -0,0 +1 @@
+debian/tmp/usr/lib/*/libgnutls-dane.so.*
diff -Nru gnutls28-3.3.8/debian/rules gnutls28-3.3.8/debian/rules
--- gnutls28-3.3.8/debian/rules	2015-02-28 14:12:46.000000000 +0100
+++ gnutls28-3.3.8/debian/rules	2015-04-07 05:01:17.000000000 +0200
@@ -17,7 +17,7 @@
 	--enable-ld-version-script --enable-cxx \
 	--enable-static \
 	--without-lzo \
-	--disable-libdane --without-tpm \
+	--enable-libdane --without-tpm \
 	--disable-heartbeat-support \
 	-disable-silent-rules \
 	--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt \
@@ -32,6 +32,7 @@
 	dh_makeshlibs -p libgnutlsxx28 -V 'libgnutlsxx28 (>= 3.3.8-0)'
 	dh_makeshlibs -p libgnutls-deb0-28  -V 'libgnutls-deb0-28 (>= 3.3.8-0)' -- -c4
 	dh_makeshlibs -p libgnutls-openssl27 -V 'libgnutls-openssl27 (>= 3.0-0)'
+	dh_makeshlibs -p libgnutls-dane -V 'libgnutls-dane'
 	dh_makeshlibs --remaining-packages -Xguile/2.0/guile-gnutls-v-2.so
 
 
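Review bot: the added dh_makeshlibs call passes -V 'libgnutls-dane'
without a version bound, unlike the three calls above it, which all give
a (>= version) constraint. Use a versioned form such as
-V 'libgnutls-dane (>= 3.3.8-0)' so that packages linking against the
library get a versioned dependency.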
