commit:     81a7a6283ad967bb6610b45ea347a3ff8b43d178
Author:     Aaron Bauman <bman <AT> gentoo <DOT> org>
AuthorDate: Tue Sep 29 13:50:29 2020 +0000
Commit:     Aaron Bauman <bman <AT> gentoo <DOT> org>
CommitDate: Tue Sep 29 13:50:40 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=81a7a628

Revert "net-dns/opendnssec: remove unused patches"

This reverts commit ac80ac59b84559e6217bb4047e65918313887d00.

* I dropped LTS releases. Let's restore them

Signed-off-by: Aaron Bauman <bman <AT> gentoo.org>

 .../files/opendnssec-1.3.14-drop-privileges.patch  |  43 +++++++
 .../files/opendnssec-1.3.14-use-system-trang.patch |  21 ++++
 ...nssec-1.3.18-eppclient-curl-CVE-2012-5582.patch |  12 ++
 .../files/opendnssec-drop-privileges.patch         |  28 +++++
 .../files/opendnssec-fix-localstatedir.patch       |  32 ++++++
 .../opendnssec/files/opendnssec-fix-run-dir.patch  |  26 +++++
 net-dns/opendnssec/files/opendnssec.confd-1.3.x    |  13 +++
 net-dns/opendnssec/files/opendnssec.initd-1.3.x    | 123 +++++++++++++++++++++
 8 files changed, 298 insertions(+)

diff --git a/net-dns/opendnssec/files/opendnssec-1.3.14-drop-privileges.patch 
b/net-dns/opendnssec/files/opendnssec-1.3.14-drop-privileges.patch
new file mode 100644
index 00000000000..7c9f72355d2
--- /dev/null
+++ b/net-dns/opendnssec/files/opendnssec-1.3.14-drop-privileges.patch
@@ -0,0 +1,43 @@
+Index: conf/conf.xml.in
+===================================================================
+--- conf/conf.xml.in   (revision 3022)
++++ conf/conf.xml.in   (working copy)
+@@ -38,12 +38,10 @@
+       </Common>
+ 
+       <Enforcer>
+-<!--
+               <Privileges>
+                       <User>opendnssec</User>
+                       <Group>opendnssec</Group>
+               </Privileges>
+--->
+ 
+               
<Datastore><SQLite>@OPENDNSSEC_STATE_DIR@/kasp.db</SQLite></Datastore>
+               <Interval>PT3600S</Interval>
+@@ -56,12 +54,10 @@
+       </Enforcer>
+ 
+       <Signer>
+-<!--
+               <Privileges>
+                       <User>opendnssec</User>
+                       <Group>opendnssec</Group>
+               </Privileges>
+--->
+ 
+               <WorkingDirectory>@OPENDNSSEC_STATE_DIR@/tmp</WorkingDirectory>
+               <WorkerThreads>8</WorkerThreads>
+@@ -80,12 +76,10 @@
+       </Signer>
+ 
+       <Auditor>
+-<!--
+               <Privileges>
+                       <User>opendnssec</User>
+                       <Group>opendnssec</Group>
+               </Privileges>
+--->
+ 
+               <WorkingDirectory>@OPENDNSSEC_STATE_DIR@/tmp</WorkingDirectory>
+       </Auditor>
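Review bot: This patch file has no header saying what it is for, and the same holds for opendnssec-drop-privileges.patch further down. Both un-comment the shipped `<Privileges>` blocks in conf/conf.xml.in, so the Enforcer and Signer (and, in this 1.3.14 variant, the Auditor) are configured with `<User>opendnssec</User>` and `<Group>opendnssec</Group>`. I would add a one-line description above the `Index:` line, e.g. `Enable the <Privileges> blocks so the daemons are configured to drop to opendnssec:opendnssec by default.` The setting only helps if that account exists and owns @OPENDNSSEC_STATE_DIR@; nothing in this commit shows where that is arranged, so it is worth confirming in the ebuild.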

diff --git a/net-dns/opendnssec/files/opendnssec-1.3.14-use-system-trang.patch 
b/net-dns/opendnssec/files/opendnssec-1.3.14-use-system-trang.patch
new file mode 100644
index 00000000000..39678408264
--- /dev/null
+++ b/net-dns/opendnssec/files/opendnssec-1.3.14-use-system-trang.patch
@@ -0,0 +1,21 @@
+diff -urN opendnssec-1.3.0rc3.old/conf/Makefile.am 
opendnssec-1.3.0rc3/conf/Makefile.am
+--- opendnssec-1.3.0rc3.old/conf/Makefile.am   2011-07-01 21:15:25.000000000 
+0200
++++ opendnssec-1.3.0rc3/conf/Makefile.am       2011-07-01 21:17:00.000000000 
+0200
+@@ -7,7 +7,7 @@
+ XML = conf.xml kasp.xml zonelist.xml signconf.xml zonefetch.xml
+ XSL=  kasp2html.xsl
+ 
+-TRANG=        $(srcdir)/trang/trang.jar
++TRANG=        /usr/bin/trang
+ 
+ sysconfdir = @sysconfdir@/opendnssec
+ datadir = @datadir@/opendnssec
+@@ -25,7 +25,7 @@
+ .rnc.rng:
+       @test -x "${JAVA}" || \
+               (echo "java is required for converting RelaxNG Compact to 
RelaxNG"; false)
+-      ${JAVA} -jar ${TRANG} $< $@
++      ${TRANG} $< $@
+ 
+ regress: $(RNG)
+       @test -x "${XMLLINT}" || \
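Review bot: In the `.rnc.rng` rule the guard still tests `-x "${JAVA}"` although the recipe now runs `${TRANG}` directly, so the check no longer matches the command it protects. A missing /usr/bin/trang passes the guard and only fails on the next line, while a missing `${JAVA}` aborts the rule with a message about a requirement the recipe itself no longer has. The guard could become `@test -x "${TRANG}" || (echo "trang is required for converting RelaxNG Compact to RelaxNG"; false)`. `TRANG` is also fixed to the absolute path `/usr/bin/trang`, which presumably breaks on prefixed installs.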

diff --git 
a/net-dns/opendnssec/files/opendnssec-1.3.18-eppclient-curl-CVE-2012-5582.patch 
b/net-dns/opendnssec/files/opendnssec-1.3.18-eppclient-curl-CVE-2012-5582.patch
new file mode 100644
index 00000000000..a0676dd091b
--- /dev/null
+++ 
b/net-dns/opendnssec/files/opendnssec-1.3.18-eppclient-curl-CVE-2012-5582.patch
@@ -0,0 +1,12 @@
+diff -urN opendnssec-1.3.18.orig/plugins/eppclient/src/epp.c 
opendnssec-1.3.18/plugins/eppclient/src/epp.c
+--- opendnssec-1.3.18.orig/plugins/eppclient/src/epp.c 2014-07-21 
11:16:10.000000000 +0200
++++ opendnssec-1.3.18/plugins/eppclient/src/epp.c      2016-03-23 
22:25:18.679354984 +0100
+@@ -390,7 +390,7 @@
+     curl_easy_setopt(curl, CURLOPT_URL, url);
+     curl_easy_setopt(curl, CURLOPT_CONNECT_ONLY, 1L);
+     curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
+-    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1L);
++    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);
+     curl_easy_setopt(curl, CURLOPT_USE_SSL, CURLUSESSL_ALL);
+     curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, curlerr);
+     curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 1L);
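Review bot: The changed `CURLOPT_SSL_VERIFYHOST` line carries no comment saying why the value must be 2, and none of the `curl_easy_setopt` calls in this context have their return codes checked. With libcurl, `2L` requires the server certificate to name the host being connected to, while `1L` did not enforce that match, which is the weakness the patch name ties to CVE-2012-5582. I would add `/* 2L: certificate must match the host name; 1L does not enforce this (CVE-2012-5582) */` above the call. It would also be worth checking the result of the two verification options against `CURLE_OK`, so a rejected setting cannot leave the connection weaker than intended. The enclosing function starts and ends outside the hunk, so its error path is not visible here.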

diff --git a/net-dns/opendnssec/files/opendnssec-drop-privileges.patch 
b/net-dns/opendnssec/files/opendnssec-drop-privileges.patch
new file mode 100644
index 00000000000..c1972bbc3d1
--- /dev/null
+++ b/net-dns/opendnssec/files/opendnssec-drop-privileges.patch
@@ -0,0 +1,28 @@
+--- conf/conf.xml.in.orig      2013-05-12 22:36:47.530988182 +0200
++++ conf/conf.xml.in   2013-05-12 22:37:56.459817918 +0200
+@@ -38,12 +38,10 @@
+       </Common>
+ 
+       <Enforcer>
+-<!--
+               <Privileges>
+                       <User>opendnssec</User>
+                       <Group>opendnssec</Group>
+               </Privileges>
+--->
+ <!-- NOTE: Enforcer worker threads are not used; this option is ignored -->
+ <!--
+               <WorkerThreads>4</WorkerThreads>
+@@ -60,12 +58,10 @@
+       </Enforcer>
+ 
+       <Signer>
+-<!--
+               <Privileges>
+                       <User>opendnssec</User>
+                       <Group>opendnssec</Group>
+               </Privileges>
+--->
+ 
+               <WorkingDirectory>@OPENDNSSEC_STATE_DIR@/tmp</WorkingDirectory>
+               <WorkerThreads>4</WorkerThreads>

diff --git a/net-dns/opendnssec/files/opendnssec-fix-localstatedir.patch 
b/net-dns/opendnssec/files/opendnssec-fix-localstatedir.patch
new file mode 100644
index 00000000000..3958c6c70cc
--- /dev/null
+++ b/net-dns/opendnssec/files/opendnssec-fix-localstatedir.patch
@@ -0,0 +1,32 @@
+diff -urN opendnssec-1.3.0rc2.old/Makefile.am opendnssec-1.3.0rc2/Makefile.am
+--- opendnssec-1.3.0rc2.old/Makefile.am        2011-06-02 13:48:56.000000000 
+0200
++++ opendnssec-1.3.0rc2/Makefile.am    2011-06-02 13:49:19.000000000 +0200
+@@ -31,11 +31,11 @@
+ 
+ install-data-hook:
+       $(INSTALL) -d $(DESTDIR)$(localstatedir)
+-      $(INSTALL) -d $(DESTDIR)$(localstatedir)/opendnssec
+-      $(INSTALL) -d $(DESTDIR)$(localstatedir)/opendnssec/tmp
+-      $(INSTALL) -d $(DESTDIR)$(localstatedir)/opendnssec/signconf
+-      $(INSTALL) -d $(DESTDIR)$(localstatedir)/opendnssec/unsigned
+-      $(INSTALL) -d $(DESTDIR)$(localstatedir)/opendnssec/signed
++      $(INSTALL) -d $(DESTDIR)$(localstatedir)/lib/opendnssec
++      $(INSTALL) -d $(DESTDIR)$(localstatedir)/lib/opendnssec/tmp
++      $(INSTALL) -d $(DESTDIR)$(localstatedir)/lib/opendnssec/signconf
++      $(INSTALL) -d $(DESTDIR)$(localstatedir)/lib/opendnssec/unsigned
++      $(INSTALL) -d $(DESTDIR)$(localstatedir)/lib/opendnssec/signed
+       $(INSTALL) -d $(DESTDIR)$(localstatedir)/run
+       $(INSTALL) -d $(DESTDIR)$(localstatedir)/run/opendnssec
+ 
+diff -urN opendnssec-1.3.0rc2.old/m4/opendnssec_common.m4 
opendnssec-1.3.0rc2/m4/opendnssec_common.m4
+--- opendnssec-1.3.0rc2.old/m4/opendnssec_common.m4    2011-06-02 
13:48:56.000000000 +0200
++++ opendnssec-1.3.0rc2/m4/opendnssec_common.m4        2011-06-02 
13:49:36.000000000 +0200
+@@ -18,7 +18,7 @@
+ OPENDNSSEC_LIBEXEC_DIR=$full_libexecdir/opendnssec
+ OPENDNSSEC_DATA_DIR=$full_datadir/opendnssec
+ OPENDNSSEC_SYSCONF_DIR=$full_sysconfdir/opendnssec
+-OPENDNSSEC_LOCALSTATE_DIR="$full_localstatedir/opendnssec"
++OPENDNSSEC_LOCALSTATE_DIR="$full_localstatedir/lib/opendnssec"
+ OPENDNSSEC_PID_DIR="$full_localstatedir/run/opendnssec"
+ 
+ AC_SUBST([OPENDNSSEC_BIN_DIR])
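Review bot: The `install-data-hook` lines create the relocated state directories with plain `$(INSTALL) -d`, so no owner or mode is set here, although the drop-privileges patches in this commit configure the daemons to run as `opendnssec`. With GNU install that gives root-owned directories with the default mode: the unprivileged daemons could not write to them, and `tmp`, `unsigned` and `signed` stay readable by every local user. Presumably the ebuild adjusts ownership afterwards, but that is not visible in this commit. If it does not, an explicit mode such as `$(INSTALL) -d -m 0750 $(DESTDIR)$(localstatedir)/lib/opendnssec` plus an ownership change at install time would be needed. The `lib/opendnssec` path is also spelled out separately in Makefile.am and opendnssec_common.m4 and has to be kept in sync by hand.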

diff --git a/net-dns/opendnssec/files/opendnssec-fix-run-dir.patch 
b/net-dns/opendnssec/files/opendnssec-fix-run-dir.patch
new file mode 100644
index 00000000000..fe5b504344c
--- /dev/null
+++ b/net-dns/opendnssec/files/opendnssec-fix-run-dir.patch
@@ -0,0 +1,26 @@
+diff -ur opendnssec-1.3.12.orig/m4/opendnssec_common.m4 
opendnssec-1.3.12/m4/opendnssec_common.m4
+--- opendnssec-1.3.12.orig/m4/opendnssec_common.m4     2013-01-31 
13:46:01.122201232 +0100
++++ opendnssec-1.3.12/m4/opendnssec_common.m4  2013-01-31 13:54:47.648861211 
+0100
+@@ -19,7 +19,7 @@
+ OPENDNSSEC_DATA_DIR=$full_datadir/opendnssec
+ OPENDNSSEC_SYSCONF_DIR=$full_sysconfdir/opendnssec
+ OPENDNSSEC_LOCALSTATE_DIR="$full_localstatedir/lib/opendnssec"
+-OPENDNSSEC_PID_DIR="$full_localstatedir/run/opendnssec"
++OPENDNSSEC_PID_DIR="${destdir}/run/opendnssec"
+ 
+ AC_SUBST([OPENDNSSEC_BIN_DIR])
+ AC_SUBST([OPENDNSSEC_SBIN_DIR])
+diff -ur opendnssec-1.3.12.orig/Makefile.am opendnssec-1.3.12/Makefile.am
+--- opendnssec-1.3.12.orig/Makefile.am 2013-01-31 13:46:01.122201232 +0100
++++ opendnssec-1.3.12/Makefile.am      2013-01-31 13:47:08.569951675 +0100
+@@ -37,8 +37,8 @@
+       $(INSTALL) -d $(DESTDIR)$(localstatedir)/lib/opendnssec/signconf
+       $(INSTALL) -d $(DESTDIR)$(localstatedir)/lib/opendnssec/unsigned
+       $(INSTALL) -d $(DESTDIR)$(localstatedir)/lib/opendnssec/signed
+-      $(INSTALL) -d $(DESTDIR)$(localstatedir)/run
+-      $(INSTALL) -d $(DESTDIR)$(localstatedir)/run/opendnssec
++
++
+ 
+ docs:
+       (cd libhsm; $(MAKE) doxygen)
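Review bot: `OPENDNSSEC_PID_DIR="${destdir}/run/opendnssec"` in opendnssec_common.m4 depends on a shell variable `destdir` that is not assigned anywhere in the visible context. The result is `/run/opendnssec` only while that variable is unset or empty when configure runs. A stray `destdir` in the build environment would bake in a different PID directory than the `/run/opendnssec` the init script in this commit creates. Writing the path literally, `OPENDNSSEC_PID_DIR="/run/opendnssec"`, removes that dependency. The Makefile.am part only replaces the two removed `$(INSTALL) -d` lines with blank lines, which is harmless.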

diff --git a/net-dns/opendnssec/files/opendnssec.confd-1.3.x 
b/net-dns/opendnssec/files/opendnssec.confd-1.3.x
new file mode 100644
index 00000000000..63121af7f0c
--- /dev/null
+++ b/net-dns/opendnssec/files/opendnssec.confd-1.3.x
@@ -0,0 +1,13 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+# Variables containing default binaries used in the opendnssec
+# initscript. You can alter them to another applications/paths
+# if required.
+
+CHECKCONFIG_BIN=/usr/bin/ods-kaspcheck
+CONTROL_BIN=/usr/sbin/ods-control
+ENFORCER_BIN=/usr/sbin/ods-enforcerd
+SIGNER_BIN=/usr/sbin/ods-signerd
+EPPCLIENT_BIN=/usr/sbin/eppclientd
+EPPCLIENT_PIDFILE=/run/opendnssec/eppclientd.pid

diff --git a/net-dns/opendnssec/files/opendnssec.initd-1.3.x 
b/net-dns/opendnssec/files/opendnssec.initd-1.3.x
new file mode 100644
index 00000000000..9f4adbd184a
--- /dev/null
+++ b/net-dns/opendnssec/files/opendnssec.initd-1.3.x
@@ -0,0 +1,123 @@
+#!/sbin/openrc-run
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+description="An open-source turn-key solution for DNSSEC"
+
+depend() {
+       use logger
+}
+
+checkconfig() {
+       if [ -z "${CHECKCONFIG_BIN}" ]; then
+               # no config checker configured, skip config check
+               return 0
+       fi
+       if [ -x "${CHECKCONFIG_BIN}" ]; then
+               output=$(${CHECKCONFIG_BIN} 2>&1| grep -v -E 
"^/etc/opendnssec/(conf|kasp).xml validates")
+               if [ -n "$output" ]; then
+                       echo $output
+               fi
+
+               errors=$(echo $output | grep ERROR | wc -l)
+               if [ $errors -gt 0 ]; then
+                       ewarn "$errors error(s) found in OpenDNSSEC 
configuration."
+               fi
+               return $errors
+       fi
+       eerror "Unable to execute ${CHECKCONFIG_BIN:-config binary}"
+       # can't validate config, just die
+       return 1
+}
+
+start_enforcer() {
+       if [ -n "${ENFORCER_BIN}" ] && [ -x "${ENFORCER_BIN}" ]; then
+               ebegin "Starting OpenDNSSEC Enforcer"
+               ${CONTROL_BIN} enforcer start > /dev/null
+               eend $?
+       else
+               if [ -n "${ENFORCER_BIN}" ]; then
+                       eerror "OpenDNSSEC Enforcer binary not executable"
+                       return 1
+               fi
+               einfo "OpenDNSSEC Enforcer not used."
+       fi
+}
+
+stop_enforcer() {
+       if [ -x "${ENFORCER_BIN}" ]; then
+               ebegin "Stopping OpenDNSSEC Enforcer"
+               ${CONTROL_BIN} enforcer stop > /dev/null
+               eend $?
+       fi
+}
+
+start_signer() {
+       if [ -n "${SIGNER_BIN}" ] && [ -x "${SIGNER_BIN}" ]; then
+               ebegin "Starting OpenDNSSEC Signer"
+               ${CONTROL_BIN} signer start > /dev/null 2>&1
+               eend $?
+       else
+               if [ -n "${SIGNER_BIN}" ]; then
+                       eerror "OpenDNSSEC Signer binary not executable"
+                       return 1
+               fi
+               einfo "OpenDNSSEC Signer not used."
+       fi
+}
+
+stop_signer() {
+       if [ -x "${SIGNER_BIN}" ]; then
+               ebegin "Stopping OpenDNSSEC Signer"
+               ${CONTROL_BIN} signer stop > /dev/null 2>&1
+               eend $?
+       fi
+}
+
+start_eppclient() {
+       if [ -n "${EPPCLIENT_BIN}" ] && [ -x "${EPPCLIENT_BIN}" ]; then
+               ebegin "Starting OpenDNSSEC Eppclient"
+               start-stop-daemon \
+                       --start \
+                       --user opendnssec --group opendnssec \
+                       --exec "${EPPCLIENT_BIN}" \
+                       --pidfile "${EPPCLIENT_PIDFILE}" > /dev/null
+               eend $?
+       else
+               # eppclient is ofptional so if we use the default binary and it
+               # is not used we won't die
+               if [ -n "${EPPCLIENT_BIN}" ] && \
+                               [ "${EPPCLIENT_BIN}" != "/usr/sbin/eppclientd" 
]; then
+                       eerror "OpenDNSSEC Eppclient binary not executable"
+                       return 1
+               fi
+               einfo "OpenDNSSEC Eppclient not used."
+       fi
+}
+
+stop_eppclient() {
+       if [ -x "${EPPCLIENT_BIN}" ]; then
+               ebegin "Stopping OpenDNSSEC Eppclient"
+               start-stop-daemon \
+                       --stop \
+                       --exec "${EPPCLIENT_BIN}" \
+                       --pidfile "${EPPCLIENT_PIDFILE}" > /dev/null
+               eend $?
+       fi
+}
+
+start() {
+       checkconfig || return $?
+       test -d /run/opendnssec || mkdir -p /run/opendnssec
+       chown opendnssec:opendnssec /run/opendnssec
+       start_enforcer || return $?
+       start_signer || return $?
+       start_eppclient || return $?
+}
+
+stop() {
+       stop_eppclient
+       stop_signer
+       stop_enforcer
+       sleep 5
+}
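Review bot: In `start()` the runtime directory is prepared with `test -d /run/opendnssec || mkdir -p /run/opendnssec` followed by an unchecked `chown`, so a failed chown or an existing directory with an unexpected mode goes unnoticed and the daemons are started anyway. OpenRC's `checkpath` handles creation, owner and mode in one checked step: `checkpath -d -m 0755 -o opendnssec:opendnssec /run/opendnssec || return 1` (the mode is my suggestion; the script sets none). Separately, `start_enforcer` and `start_signer` test `ENFORCER_BIN` and `SIGNER_BIN` for executability but actually run `${CONTROL_BIN}`, which is never checked. In `checkconfig` the unquoted `echo $output` joins all lines into one, so `grep ERROR | wc -l` can only yield 0 or 1; quoting it as `echo "$output" | grep -c ERROR` would give the real count.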
