[gentoo-commits] repo/gentoo:master commit in: net-dns/opendnssec/, net-dns/opendnssec/files/

["Marc Schiffbauer" <mschiff@gentoo.org>]

commit:     56242b0f136e683c90c0fd1c704a39d1c2869366
Author:     Marc Schiffbauer <mschiff <AT> gentoo <DOT> org>
AuthorDate: Wed Mar 23 23:29:50 2016 +0000
Commit:     Marc Schiffbauer <mschiff <AT> gentoo <DOT> org>
CommitDate: Thu Mar 24 00:24:33 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=56242b0f

net-dns/opendnssec: revbump 1.3.18-r1 to fix bug #445172

Package-Manager: portage-2.2.28

 ...nssec-1.3.18-eppclient-curl-CVE-2012-5582.patch |  12 ++
 net-dns/opendnssec/opendnssec-1.3.18-r1.ebuild     | 204 +++++++++++++++++++++
 2 files changed, 216 insertions(+)

diff --git a/net-dns/opendnssec/files/opendnssec-1.3.18-eppclient-curl-CVE-2012-5582.patch b/net-dns/opendnssec/files/opendnssec-1.3.18-eppclient-curl-CVE-2012-5582.patch
new file mode 100644
index 0000000..a0676dd
--- /dev/null
+++ b/net-dns/opendnssec/files/opendnssec-1.3.18-eppclient-curl-CVE-2012-5582.patch
@@ -0,0 +1,12 @@
+diff -urN opendnssec-1.3.18.orig/plugins/eppclient/src/epp.c opendnssec-1.3.18/plugins/eppclient/src/epp.c
+--- opendnssec-1.3.18.orig/plugins/eppclient/src/epp.c	2014-07-21 11:16:10.000000000 +0200
++++ opendnssec-1.3.18/plugins/eppclient/src/epp.c	2016-03-23 22:25:18.679354984 +0100
+@@ -390,7 +390,7 @@
+     curl_easy_setopt(curl, CURLOPT_URL, url);
+     curl_easy_setopt(curl, CURLOPT_CONNECT_ONLY, 1L);
+     curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
+-    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1L);
++    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);
+     curl_easy_setopt(curl, CURLOPT_USE_SSL, CURLUSESSL_ALL);
+     curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, curlerr);
+     curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 1L);

diff --git a/net-dns/opendnssec/opendnssec-1.3.18-r1.ebuild b/net-dns/opendnssec/opendnssec-1.3.18-r1.ebuild
new file mode 100644
index 0000000..0f38b64
--- /dev/null
+++ b/net-dns/opendnssec/opendnssec-1.3.18-r1.ebuild
@@ -0,0 +1,204 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+MY_P="${P/_}"
+PKCS11_IUSE="+softhsm opensc external-hsm"
+inherit base autotools multilib user
+
+DESCRIPTION="An open-source turn-key solution for DNSSEC"
+HOMEPAGE="http://www.opendnssec.org/"
+SRC_URI="http://www.${PN}.org/files/source/${MY_P}.tar.gz"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="-auditor +curl debug doc eppclient mysql +signer +sqlite test ${PKCS11_IUSE}"
+
+RDEPEND="
+	dev-lang/perl
+	dev-libs/libxml2
+	dev-libs/libxslt
+	net-libs/ldns
+	curl? ( net-misc/curl )
+	mysql? (
+		virtual/mysql
+		dev-perl/DBD-mysql
+	)
+	opensc? ( dev-libs/opensc )
+	softhsm? ( dev-libs/softhsm )
+	sqlite? (
+		dev-db/sqlite:3
+		dev-perl/DBD-SQLite
+	)
+"
+DEPEND="${RDEPEND}
+	doc? ( app-doc/doxygen )
+	test? (
+		app-text/trang
+	)
+"
+# test? dev-util/cunit # Requires running test DB
+
+REQUIRED_USE="
+	^^ ( mysql sqlite )
+	^^ ( softhsm opensc external-hsm )
+	eppclient? ( curl )
+"
+
+PATCHES=(
+	"${FILESDIR}/${PN}-fix-localstatedir.patch"
+	"${FILESDIR}/${PN}-fix-run-dir.patch"
+	"${FILESDIR}/${PN}-1.3.14-drop-privileges.patch"
+	"${FILESDIR}/${PN}-1.3.14-use-system-trang.patch"
+	"${FILESDIR}/${PN}-1.3.18-eppclient-curl-CVE-2012-5582.patch"
+)
+
+S="${WORKDIR}/${MY_P}"
+
+DOCS=( MIGRATION NEWS )
+
+check_pkcs11_setup() {
+	# PKCS#11 HSM's are often only available with proprietary drivers not
+	# available in portage tree.
+
+	if use softhsm; then
+		PKCS11_LIB=softhsm
+		if has_version ">=dev-libs/softhsm-1.3.1"; then
+			PKCS11_PATH=/usr/$(get_libdir)/softhsm/libsofthsm.so
+		else
+			PKCS11_PATH=/usr/$(get_libdir)/libsofthsm.so
+		fi
+		elog "Building with SoftHSM PKCS#11 library support."
+	fi
+	if use opensc; then
+		PKCS11_LIB=opensc
+		PKCS11_PATH=/usr/$(get_libdir)/opensc-pkcs11.so
+		elog "Building with OpenSC PKCS#11 library support."
+	fi
+	if use external-hsm; then
+		if [[ -n ${PKCS11_SCA6000} ]]; then
+			PKCS11_LIB=sca6000
+			PKCS11_PATH=${PKCS11_SCA6000}
+		elif [[ -n ${PKCS11_ETOKEN} ]]; then
+			PKCS11_LIB=etoken
+			PKCS11_PATH=${PKCS11_ETOKEN}
+		elif [[ -n ${PKCS11_NCIPHER} ]]; then
+			PKCS11_LIB=ncipher
+			PKCS11_PATH=${PKCS11_NCIPHER}
+		elif [[ -n ${PKCS11_AEPKEYPER} ]]; then
+			PKCS11_LIB=aepkeyper
+			PKCS11_PATH=${PKCS11_AEPKEYPER}
+		else
+			ewarn "You enabled USE flag 'external-hsm' but did not specify a path to a PKCS#11"
+			ewarn "library. To set a path, set one of the following environment variables:"
+			ewarn "  for Sun Crypto Accelerator 6000, set: PKCS11_SCA6000=<path>"
+			ewarn "  for Aladdin eToken, set: PKCS11_ETOKEN=<path>"
+			ewarn "  for Thales/nCipher netHSM, set: PKCS11_NCIPHER=<path>"
+			ewarn "  for AEP Keyper, set: PKCS11_AEPKEYPER=<path>"
+			ewarn "Example:"
+			ewarn "  PKCS11_ETOKEN=\"/opt/etoken/lib/libeTPkcs11.so\" emerge -pv opendnssec"
+			ewarn "or store the variable into /etc/make.conf"
+			die "USE flag 'external-hsm' set but no PKCS#11 library path specified."
+		fi
+		elog "Building with external PKCS#11 library support ($PKCS11_LIB): ${PKCS11_PATH}"
+	fi
+}
+
+pkg_pretend() {
+	local i
+
+	for i in eppclient mysql; do
+		if use ${i}; then
+			ewarn
+			ewarn "Usage of ${i} is considered experimental."
+			ewarn "Do not report bugs against this feature."
+			ewarn
+		fi
+	done
+
+	check_pkcs11_setup
+}
+
+pkg_setup() {
+	enewgroup opendnssec
+	enewuser opendnssec -1 -1 -1 opendnssec
+
+	# pretend does not preserve variables so we need to run this once more
+	check_pkcs11_setup
+}
+
+src_prepare() {
+	base_src_prepare
+	eautoreconf
+}
+
+src_configure() {
+	# $(use_with test cunit "${EPREFIX}/usr/") \
+	econf \
+		--without-cunit \
+		--localstatedir="${EPREFIX}/var/" \
+		--disable-static \
+		--with-database-backend=$(use mysql && echo "mysql")$(use sqlite && echo "sqlite3") \
+		--with-pkcs11-${PKCS11_LIB}=${PKCS11_PATH} \
+		--disable-auditor \
+		$(use_with curl) \
+		$(use_enable debug timeshift) \
+		$(use_enable eppclient) \
+		$(use_enable signer)
+}
+
+src_compile() {
+	default
+	use doc && emake docs
+}
+
+src_install() {
+	default
+
+	# remove useless .la files
+	find "${ED}" -name '*.la' -delete
+
+	# Remove subversion tags from config files to avoid useless config updates
+	sed -i \
+		-e '/<!-- \$Id:/ d' \
+		"${ED}"/etc/opendnssec/* || die
+
+	# install update scripts
+	insinto /usr/share/opendnssec
+	use sqlite && doins enforcer/utils/migrate_keyshare_sqlite3.pl
+	use mysql && doins enforcer/utils/migrate_keyshare_mysql.pl
+
+	# fix permissions
+	fowners root:opendnssec /etc/opendnssec
+	fowners root:opendnssec /etc/opendnssec/{conf,kasp,zonelist,zonefetch}.xml
+	use eppclient && fowners root:opendnssec /etc/opendnssec/eppclientd.conf
+
+	fowners opendnssec:opendnssec /var/lib/opendnssec/{,signconf,unsigned,signed,tmp}
+
+	# install conf/init script
+	newinitd "${FILESDIR}"/opendnssec.initd-1.3.x opendnssec
+	newconfd "${FILESDIR}"/opendnssec.confd-1.3.x opendnssec
+	use auditor || sed -i 's/^CHECKCONFIG_BIN=.*/CHECKCONFIG_BIN=/' "${D}"/etc/conf.d/opendnssec
+}
+
+pkg_postinst() {
+	if use softhsm; then
+		elog "Please make sure that you create your softhsm database in a location writeable"
+		elog "by the opendnssec user. You can set its location in /etc/softhsm.conf."
+		elog "Suggested configuration is:"
+		elog "    echo \"0:/var/lib/opendnssec/softhsm_slot0.db\" >> /etc/softhsm.conf"
+		elog "    softhsm --init-token --slot 0 --label OpenDNSSEC"
+		elog "    chown opendnssec:opendnssec /var/lib/opendnssec/softhsm_slot0.db"
+	fi
+	if use auditor; then
+		ewarn
+		ewarn "Please note that auditor support has been disabled in this version since it"
+		ewarn "it depends on ruby 1.8 which has been removed from the portage tree."
+		ewarn "USE=auditor is only provided for this warning but will not install the"
+		ewarn "auditor anymore."
+		ewarn
+	fi
+}