commit: 81a7a6283ad967bb6610b45ea347a3ff8b43d178 |
Author: Aaron Bauman <bman <AT> gentoo <DOT> org> |
AuthorDate: Tue Sep 29 13:50:29 2020 +0000 |
Commit: Aaron Bauman <bman <AT> gentoo <DOT> org> |
CommitDate: Tue Sep 29 13:50:40 2020 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=81a7a628 |
|
Revert "net-dns/opendnssec: remove unused patches" |
|
This reverts commit ac80ac59b84559e6217bb4047e65918313887d00. |
|
* I dropped LTS releases. Let's restore them |
|
Signed-off-by: Aaron Bauman <bman <AT> gentoo.org> |
|
.../files/opendnssec-1.3.14-drop-privileges.patch | 43 +++++++ |
.../files/opendnssec-1.3.14-use-system-trang.patch | 21 ++++ |
...nssec-1.3.18-eppclient-curl-CVE-2012-5582.patch | 12 ++ |
.../files/opendnssec-drop-privileges.patch | 28 +++++ |
.../files/opendnssec-fix-localstatedir.patch | 32 ++++++ |
.../opendnssec/files/opendnssec-fix-run-dir.patch | 26 +++++ |
net-dns/opendnssec/files/opendnssec.confd-1.3.x | 13 +++ |
net-dns/opendnssec/files/opendnssec.initd-1.3.x | 123 +++++++++++++++++++++ |
8 files changed, 298 insertions(+) |
|
26 |
diff --git a/net-dns/opendnssec/files/opendnssec-1.3.14-drop-privileges.patch b/net-dns/opendnssec/files/opendnssec-1.3.14-drop-privileges.patch |
27 |
new file mode 100644 |
28 |
index 00000000000..7c9f72355d2 |
29 |
--- /dev/null |
30 |
+++ b/net-dns/opendnssec/files/opendnssec-1.3.14-drop-privileges.patch |
31 |
@@ -0,0 +1,43 @@ |
32 |
+Index: conf/conf.xml.in |
33 |
+=================================================================== |
34 |
+--- conf/conf.xml.in (revision 3022) |
35 |
++++ conf/conf.xml.in (working copy) |
36 |
+@@ -38,12 +38,10 @@ |
37 |
+ </Common> |
38 |
+ |
39 |
+ <Enforcer> |
40 |
+-<!-- |
41 |
+ <Privileges> |
42 |
+ <User>opendnssec</User> |
43 |
+ <Group>opendnssec</Group> |
44 |
+ </Privileges> |
45 |
+---> |
46 |
+ |
47 |
+ <Datastore><SQLite>@OPENDNSSEC_STATE_DIR@/kasp.db</SQLite></Datastore> |
48 |
+ <Interval>PT3600S</Interval> |
49 |
+@@ -56,12 +54,10 @@ |
50 |
+ </Enforcer> |
51 |
+ |
52 |
+ <Signer> |
53 |
+-<!-- |
54 |
+ <Privileges> |
55 |
+ <User>opendnssec</User> |
56 |
+ <Group>opendnssec</Group> |
57 |
+ </Privileges> |
58 |
+---> |
59 |
+ |
60 |
+ <WorkingDirectory>@OPENDNSSEC_STATE_DIR@/tmp</WorkingDirectory> |
61 |
+ <WorkerThreads>8</WorkerThreads> |
62 |
+@@ -80,12 +76,10 @@ |
63 |
+ </Signer> |
64 |
+ |
65 |
+ <Auditor> |
66 |
+-<!-- |
67 |
+ <Privileges> |
68 |
+ <User>opendnssec</User> |
69 |
+ <Group>opendnssec</Group> |
70 |
+ </Privileges> |
71 |
+---> |
72 |
+ |
73 |
+ <WorkingDirectory>@OPENDNSSEC_STATE_DIR@/tmp</WorkingDirectory> |
74 |
+ </Auditor> |
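Review bot: The restored patch carries no header saying why the `<Privileges>` blocks are uncommented or whether the change was offered upstream; a short description above the `Index: conf/conf.xml.in` line, for example `Enable privilege dropping to opendnssec:opendnssec for Enforcer, Signer and Auditor by default`, would record that. The same applies to `opendnssec-drop-privileges.patch` later in this commit, which makes the same change for the Enforcer and Signer only. Running the daemons as the `opendnssec` user works only if that account exists and can write `@OPENDNSSEC_STATE_DIR@` (`kasp.db`, `tmp`), which is presumably arranged by the ebuild and is not visible in this commit.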
75 |
|
76 |
diff --git a/net-dns/opendnssec/files/opendnssec-1.3.14-use-system-trang.patch b/net-dns/opendnssec/files/opendnssec-1.3.14-use-system-trang.patch |
77 |
new file mode 100644 |
78 |
index 00000000000..39678408264 |
79 |
--- /dev/null |
80 |
+++ b/net-dns/opendnssec/files/opendnssec-1.3.14-use-system-trang.patch |
81 |
@@ -0,0 +1,21 @@ |
82 |
+diff -urN opendnssec-1.3.0rc3.old/conf/Makefile.am opendnssec-1.3.0rc3/conf/Makefile.am |
83 |
+--- opendnssec-1.3.0rc3.old/conf/Makefile.am 2011-07-01 21:15:25.000000000 +0200 |
84 |
++++ opendnssec-1.3.0rc3/conf/Makefile.am 2011-07-01 21:17:00.000000000 +0200 |
85 |
+@@ -7,7 +7,7 @@ |
86 |
+ XML = conf.xml kasp.xml zonelist.xml signconf.xml zonefetch.xml |
87 |
+ XSL= kasp2html.xsl |
88 |
+ |
89 |
+-TRANG= $(srcdir)/trang/trang.jar |
90 |
++TRANG= /usr/bin/trang |
91 |
+ |
92 |
+ sysconfdir = @sysconfdir@/opendnssec |
93 |
+ datadir = @datadir@/opendnssec |
94 |
+@@ -25,7 +25,7 @@ |
95 |
+ .rnc.rng: |
96 |
+ @test -x "${JAVA}" || \ |
97 |
+ (echo "java is required for converting RelaxNG Compact to RelaxNG"; false) |
98 |
+- ${JAVA} -jar ${TRANG} $< $@ |
99 |
++ ${TRANG} $< $@ |
100 |
+ |
101 |
+ regress: $(RNG) |
102 |
+ @test -x "${XMLLINT}" || \ |
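Review bot: The `.rnc.rng` rule still fails on `test -x "${JAVA}"` although the recipe now runs `${TRANG} $< $@` and never calls `${JAVA}` itself, and nothing checks that trang is present. The guard would match the new recipe as `@test -x "${TRANG}" || (echo "trang is required for converting RelaxNG Compact to RelaxNG"; false)`. `TRANG= /usr/bin/trang` is also a fixed absolute path, so a Prefix install or a trang found elsewhere on PATH is not picked up. The patch has no header stating that this is a distribution-only change.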
103 |
|
104 |
diff --git a/net-dns/opendnssec/files/opendnssec-1.3.18-eppclient-curl-CVE-2012-5582.patch b/net-dns/opendnssec/files/opendnssec-1.3.18-eppclient-curl-CVE-2012-5582.patch |
105 |
new file mode 100644 |
106 |
index 00000000000..a0676dd091b |
107 |
--- /dev/null |
108 |
+++ b/net-dns/opendnssec/files/opendnssec-1.3.18-eppclient-curl-CVE-2012-5582.patch |
109 |
@@ -0,0 +1,12 @@ |
110 |
+diff -urN opendnssec-1.3.18.orig/plugins/eppclient/src/epp.c opendnssec-1.3.18/plugins/eppclient/src/epp.c |
111 |
+--- opendnssec-1.3.18.orig/plugins/eppclient/src/epp.c 2014-07-21 11:16:10.000000000 +0200 |
112 |
++++ opendnssec-1.3.18/plugins/eppclient/src/epp.c 2016-03-23 22:25:18.679354984 +0100 |
113 |
+@@ -390,7 +390,7 @@ |
114 |
+ curl_easy_setopt(curl, CURLOPT_URL, url); |
115 |
+ curl_easy_setopt(curl, CURLOPT_CONNECT_ONLY, 1L); |
116 |
+ curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L); |
117 |
+- curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1L); |
118 |
++ curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L); |
119 |
+ curl_easy_setopt(curl, CURLOPT_USE_SSL, CURLUSESSL_ALL); |
120 |
+ curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, curlerr); |
121 |
+ curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 1L); |
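Review bot: None of the `curl_easy_setopt` calls around the changed line has its return value checked, so if libcurl rejects `CURLOPT_SSL_VERIFYPEER` or `CURLOPT_SSL_VERIFYHOST` the connection would go ahead without the caller noticing. `2L` is the value that makes libcurl match the certificate name against the host in `url`, so the change itself is right; a check such as `if (curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L) != CURLE_OK) { /* fail the connection */ }` on the two verification options would make a rejected option visible. The enclosing function starts and ends outside the hunk, so any error handling further down cannot be seen from here. A one-line header in the patch naming CVE-2012-5582 and the hostname-verification issue would also help the next maintainer decide when the patch can be dropped.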
122 |
|
123 |
diff --git a/net-dns/opendnssec/files/opendnssec-drop-privileges.patch b/net-dns/opendnssec/files/opendnssec-drop-privileges.patch |
124 |
new file mode 100644 |
125 |
index 00000000000..c1972bbc3d1 |
126 |
--- /dev/null |
127 |
+++ b/net-dns/opendnssec/files/opendnssec-drop-privileges.patch |
128 |
@@ -0,0 +1,28 @@ |
129 |
+--- conf/conf.xml.in.orig 2013-05-12 22:36:47.530988182 +0200 |
130 |
++++ conf/conf.xml.in 2013-05-12 22:37:56.459817918 +0200 |
131 |
+@@ -38,12 +38,10 @@ |
132 |
+ </Common> |
133 |
+ |
134 |
+ <Enforcer> |
135 |
+-<!-- |
136 |
+ <Privileges> |
137 |
+ <User>opendnssec</User> |
138 |
+ <Group>opendnssec</Group> |
139 |
+ </Privileges> |
140 |
+---> |
141 |
+ <!-- NOTE: Enforcer worker threads are not used; this option is ignored --> |
142 |
+ <!-- |
143 |
+ <WorkerThreads>4</WorkerThreads> |
144 |
+@@ -60,12 +58,10 @@ |
145 |
+ </Enforcer> |
146 |
+ |
147 |
+ <Signer> |
148 |
+-<!-- |
149 |
+ <Privileges> |
150 |
+ <User>opendnssec</User> |
151 |
+ <Group>opendnssec</Group> |
152 |
+ </Privileges> |
153 |
+---> |
154 |
+ |
155 |
+ <WorkingDirectory>@OPENDNSSEC_STATE_DIR@/tmp</WorkingDirectory> |
156 |
+ <WorkerThreads>4</WorkerThreads> |
157 |
|
158 |
diff --git a/net-dns/opendnssec/files/opendnssec-fix-localstatedir.patch b/net-dns/opendnssec/files/opendnssec-fix-localstatedir.patch |
159 |
new file mode 100644 |
160 |
index 00000000000..3958c6c70cc |
161 |
--- /dev/null |
162 |
+++ b/net-dns/opendnssec/files/opendnssec-fix-localstatedir.patch |
163 |
@@ -0,0 +1,32 @@ |
164 |
+diff -urN opendnssec-1.3.0rc2.old/Makefile.am opendnssec-1.3.0rc2/Makefile.am |
165 |
+--- opendnssec-1.3.0rc2.old/Makefile.am 2011-06-02 13:48:56.000000000 +0200 |
166 |
++++ opendnssec-1.3.0rc2/Makefile.am 2011-06-02 13:49:19.000000000 +0200 |
167 |
+@@ -31,11 +31,11 @@ |
168 |
+ |
169 |
+ install-data-hook: |
170 |
+ $(INSTALL) -d $(DESTDIR)$(localstatedir) |
171 |
+- $(INSTALL) -d $(DESTDIR)$(localstatedir)/opendnssec |
172 |
+- $(INSTALL) -d $(DESTDIR)$(localstatedir)/opendnssec/tmp |
173 |
+- $(INSTALL) -d $(DESTDIR)$(localstatedir)/opendnssec/signconf |
174 |
+- $(INSTALL) -d $(DESTDIR)$(localstatedir)/opendnssec/unsigned |
175 |
+- $(INSTALL) -d $(DESTDIR)$(localstatedir)/opendnssec/signed |
176 |
++ $(INSTALL) -d $(DESTDIR)$(localstatedir)/lib/opendnssec |
177 |
++ $(INSTALL) -d $(DESTDIR)$(localstatedir)/lib/opendnssec/tmp |
178 |
++ $(INSTALL) -d $(DESTDIR)$(localstatedir)/lib/opendnssec/signconf |
179 |
++ $(INSTALL) -d $(DESTDIR)$(localstatedir)/lib/opendnssec/unsigned |
180 |
++ $(INSTALL) -d $(DESTDIR)$(localstatedir)/lib/opendnssec/signed |
181 |
+ $(INSTALL) -d $(DESTDIR)$(localstatedir)/run |
182 |
+ $(INSTALL) -d $(DESTDIR)$(localstatedir)/run/opendnssec |
183 |
+ |
184 |
+diff -urN opendnssec-1.3.0rc2.old/m4/opendnssec_common.m4 opendnssec-1.3.0rc2/m4/opendnssec_common.m4 |
185 |
+--- opendnssec-1.3.0rc2.old/m4/opendnssec_common.m4 2011-06-02 13:48:56.000000000 +0200 |
186 |
++++ opendnssec-1.3.0rc2/m4/opendnssec_common.m4 2011-06-02 13:49:36.000000000 +0200 |
187 |
+@@ -18,7 +18,7 @@ |
188 |
+ OPENDNSSEC_LIBEXEC_DIR=$full_libexecdir/opendnssec |
189 |
+ OPENDNSSEC_DATA_DIR=$full_datadir/opendnssec |
190 |
+ OPENDNSSEC_SYSCONF_DIR=$full_sysconfdir/opendnssec |
191 |
+-OPENDNSSEC_LOCALSTATE_DIR="$full_localstatedir/opendnssec" |
192 |
++OPENDNSSEC_LOCALSTATE_DIR="$full_localstatedir/lib/opendnssec" |
193 |
+ OPENDNSSEC_PID_DIR="$full_localstatedir/run/opendnssec" |
194 |
+ |
195 |
+ AC_SUBST([OPENDNSSEC_BIN_DIR]) |
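Review bot: The relocated `$(INSTALL) -d $(DESTDIR)$(localstatedir)/lib/opendnssec…` lines set neither a mode nor an owner, so the state directories are created with install's defaults and owned by whoever runs the install. Since the drop-privileges patches in this commit make the daemons run as `opendnssec`, ownership and a restrictive mode for these directories have to come from somewhere else, presumably the ebuild; a comment in the patch header saying so would make that dependency explicit. `install-data-hook` continues outside the hunk.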
196 |
|
197 |
diff --git a/net-dns/opendnssec/files/opendnssec-fix-run-dir.patch b/net-dns/opendnssec/files/opendnssec-fix-run-dir.patch |
198 |
new file mode 100644 |
199 |
index 00000000000..fe5b504344c |
200 |
--- /dev/null |
201 |
+++ b/net-dns/opendnssec/files/opendnssec-fix-run-dir.patch |
202 |
@@ -0,0 +1,26 @@ |
203 |
+diff -ur opendnssec-1.3.12.orig/m4/opendnssec_common.m4 opendnssec-1.3.12/m4/opendnssec_common.m4 |
204 |
+--- opendnssec-1.3.12.orig/m4/opendnssec_common.m4 2013-01-31 13:46:01.122201232 +0100 |
205 |
++++ opendnssec-1.3.12/m4/opendnssec_common.m4 2013-01-31 13:54:47.648861211 +0100 |
206 |
+@@ -19,7 +19,7 @@ |
207 |
+ OPENDNSSEC_DATA_DIR=$full_datadir/opendnssec |
208 |
+ OPENDNSSEC_SYSCONF_DIR=$full_sysconfdir/opendnssec |
209 |
+ OPENDNSSEC_LOCALSTATE_DIR="$full_localstatedir/lib/opendnssec" |
210 |
+-OPENDNSSEC_PID_DIR="$full_localstatedir/run/opendnssec" |
211 |
++OPENDNSSEC_PID_DIR="${destdir}/run/opendnssec" |
212 |
+ |
213 |
+ AC_SUBST([OPENDNSSEC_BIN_DIR]) |
214 |
+ AC_SUBST([OPENDNSSEC_SBIN_DIR]) |
215 |
+diff -ur opendnssec-1.3.12.orig/Makefile.am opendnssec-1.3.12/Makefile.am |
216 |
+--- opendnssec-1.3.12.orig/Makefile.am 2013-01-31 13:46:01.122201232 +0100 |
217 |
++++ opendnssec-1.3.12/Makefile.am 2013-01-31 13:47:08.569951675 +0100 |
218 |
+@@ -37,8 +37,8 @@ |
219 |
+ $(INSTALL) -d $(DESTDIR)$(localstatedir)/lib/opendnssec/signconf |
220 |
+ $(INSTALL) -d $(DESTDIR)$(localstatedir)/lib/opendnssec/unsigned |
221 |
+ $(INSTALL) -d $(DESTDIR)$(localstatedir)/lib/opendnssec/signed |
222 |
+- $(INSTALL) -d $(DESTDIR)$(localstatedir)/run |
223 |
+- $(INSTALL) -d $(DESTDIR)$(localstatedir)/run/opendnssec |
224 |
++ |
225 |
++ |
226 |
+ |
227 |
+ docs: |
228 |
+ (cd libhsm; $(MAKE) doxygen) |
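Review bot: `OPENDNSSEC_PID_DIR="${destdir}/run/opendnssec"` depends on a lower-case shell variable `destdir` that the visible context never sets; if it is empty at configure time the result is `/run/opendnssec`, and if it is ever set in the environment the PID directory silently moves. Writing the literal, `OPENDNSSEC_PID_DIR="/run/opendnssec"`, states the intent. The Makefile.am part replaces the two `$(INSTALL) -d … /run` lines with two blank lines instead of deleting them, and from then on the directory exists only if something creates it at service start.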
229 |
|
230 |
diff --git a/net-dns/opendnssec/files/opendnssec.confd-1.3.x b/net-dns/opendnssec/files/opendnssec.confd-1.3.x |
231 |
new file mode 100644 |
232 |
index 00000000000..63121af7f0c |
233 |
--- /dev/null |
234 |
+++ b/net-dns/opendnssec/files/opendnssec.confd-1.3.x |
235 |
@@ -0,0 +1,13 @@ |
236 |
+# Copyright 1999-2013 Gentoo Foundation |
237 |
+# Distributed under the terms of the GNU General Public License v2 |
238 |
+ |
239 |
+# Variables containing default binaries used in the opendnssec |
240 |
+# initscript. You can alter them to another applications/paths |
241 |
+# if required. |
242 |
+ |
243 |
+CHECKCONFIG_BIN=/usr/bin/ods-kaspcheck |
244 |
+CONTROL_BIN=/usr/sbin/ods-control |
245 |
+ENFORCER_BIN=/usr/sbin/ods-enforcerd |
246 |
+SIGNER_BIN=/usr/sbin/ods-signerd |
247 |
+EPPCLIENT_BIN=/usr/sbin/eppclientd |
248 |
+EPPCLIENT_PIDFILE=/run/opendnssec/eppclientd.pid |
249 |
|
250 |
diff --git a/net-dns/opendnssec/files/opendnssec.initd-1.3.x b/net-dns/opendnssec/files/opendnssec.initd-1.3.x |
251 |
new file mode 100644 |
252 |
index 00000000000..9f4adbd184a |
253 |
--- /dev/null |
254 |
+++ b/net-dns/opendnssec/files/opendnssec.initd-1.3.x |
255 |
@@ -0,0 +1,123 @@ |
256 |
+#!/sbin/openrc-run |
257 |
+# Copyright 1999-2014 Gentoo Foundation |
258 |
+# Distributed under the terms of the GNU General Public License v2 |
259 |
+ |
260 |
+description="An open-source turn-key solution for DNSSEC" |
261 |
+ |
262 |
+depend() { |
263 |
+ use logger |
264 |
+} |
265 |
+ |
266 |
+checkconfig() { |
267 |
+ if [ -z "${CHECKCONFIG_BIN}" ]; then |
268 |
+ # no config checker configured, skip config check |
269 |
+ return 0 |
270 |
+ fi |
271 |
+ if [ -x "${CHECKCONFIG_BIN}" ]; then |
272 |
+ output=$(${CHECKCONFIG_BIN} 2>&1| grep -v -E "^/etc/opendnssec/(conf|kasp).xml validates") |
273 |
+ if [ -n "$output" ]; then |
274 |
+ echo $output |
275 |
+ fi |
276 |
+ |
277 |
+ errors=$(echo $output | grep ERROR | wc -l) |
278 |
+ if [ $errors -gt 0 ]; then |
279 |
+ ewarn "$errors error(s) found in OpenDNSSEC configuration." |
280 |
+ fi |
281 |
+ return $errors |
282 |
+ fi |
283 |
+ eerror "Unable to execute ${CHECKCONFIG_BIN:-config binary}" |
284 |
+ # can't validate config, just die |
285 |
+ return 1 |
286 |
+} |
287 |
+ |
288 |
+start_enforcer() { |
289 |
+ if [ -n "${ENFORCER_BIN}" ] && [ -x "${ENFORCER_BIN}" ]; then |
290 |
+ ebegin "Starting OpenDNSSEC Enforcer" |
291 |
+ ${CONTROL_BIN} enforcer start > /dev/null |
292 |
+ eend $? |
293 |
+ else |
294 |
+ if [ -n "${ENFORCER_BIN}" ]; then |
295 |
+ eerror "OpenDNSSEC Enforcer binary not executable" |
296 |
+ return 1 |
297 |
+ fi |
298 |
+ einfo "OpenDNSSEC Enforcer not used." |
299 |
+ fi |
300 |
+} |
301 |
+ |
302 |
+stop_enforcer() { |
303 |
+ if [ -x "${ENFORCER_BIN}" ]; then |
304 |
+ ebegin "Stopping OpenDNSSEC Enforcer" |
305 |
+ ${CONTROL_BIN} enforcer stop > /dev/null |
306 |
+ eend $? |
307 |
+ fi |
308 |
+} |
309 |
+ |
310 |
+start_signer() { |
311 |
+ if [ -n "${SIGNER_BIN}" ] && [ -x "${SIGNER_BIN}" ]; then |
312 |
+ ebegin "Starting OpenDNSSEC Signer" |
313 |
+ ${CONTROL_BIN} signer start > /dev/null 2>&1 |
314 |
+ eend $? |
315 |
+ else |
316 |
+ if [ -n "${SIGNER_BIN}" ]; then |
317 |
+ eerror "OpenDNSSEC Signer binary not executable" |
318 |
+ return 1 |
319 |
+ fi |
320 |
+ einfo "OpenDNSSEC Signer not used." |
321 |
+ fi |
322 |
+} |
323 |
+ |
324 |
+stop_signer() { |
325 |
+ if [ -x "${SIGNER_BIN}" ]; then |
326 |
+ ebegin "Stopping OpenDNSSEC Signer" |
327 |
+ ${CONTROL_BIN} signer stop > /dev/null 2>&1 |
328 |
+ eend $? |
329 |
+ fi |
330 |
+} |
331 |
+ |
332 |
+start_eppclient() { |
333 |
+ if [ -n "${EPPCLIENT_BIN}" ] && [ -x "${EPPCLIENT_BIN}" ]; then |
334 |
+ ebegin "Starting OpenDNSSEC Eppclient" |
335 |
+ start-stop-daemon \ |
336 |
+ --start \ |
337 |
+ --user opendnssec --group opendnssec \ |
338 |
+ --exec "${EPPCLIENT_BIN}" \ |
339 |
+ --pidfile "${EPPCLIENT_PIDFILE}" > /dev/null |
340 |
+ eend $? |
341 |
+ else |
342 |
+ # eppclient is ofptional so if we use the default binary and it |
343 |
+ # is not used we won't die |
344 |
+ if [ -n "${EPPCLIENT_BIN}" ] && \ |
345 |
+ [ "${EPPCLIENT_BIN}" != "/usr/sbin/eppclientd" ]; then |
346 |
+ eerror "OpenDNSSEC Eppclient binary not executable" |
347 |
+ return 1 |
348 |
+ fi |
349 |
+ einfo "OpenDNSSEC Eppclient not used." |
350 |
+ fi |
351 |
+} |
352 |
+ |
353 |
+stop_eppclient() { |
354 |
+ if [ -x "${EPPCLIENT_BIN}" ]; then |
355 |
+ ebegin "Stopping OpenDNSSEC Eppclient" |
356 |
+ start-stop-daemon \ |
357 |
+ --stop \ |
358 |
+ --exec "${EPPCLIENT_BIN}" \ |
359 |
+ --pidfile "${EPPCLIENT_PIDFILE}" > /dev/null |
360 |
+ eend $? |
361 |
+ fi |
362 |
+} |
363 |
+ |
364 |
+start() { |
365 |
+ checkconfig || return $? |
366 |
+ test -d /run/opendnssec || mkdir -p /run/opendnssec |
367 |
+ chown opendnssec:opendnssec /run/opendnssec |
368 |
+ start_enforcer || return $? |
369 |
+ start_signer || return $? |
370 |
+ start_eppclient || return $? |
371 |
+} |
372 |
+ |
373 |
+stop() { |
374 |
+ stop_eppclient |
375 |
+ stop_signer |
376 |
+ stop_enforcer |
377 |
+ sleep 5 |
378 |
+} |
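Review bot: In `checkconfig`, `errors=$(echo $output | grep ERROR | wc -l)` expands `$output` unquoted, so all checker output is joined into one line and the count is never more than 1; the pipeline in the `output=` assignment also discards the exit status of `${CHECKCONFIG_BIN}`, so a checker that fails without printing `ERROR` lets the service start. Quoting the expansions and counting with `grep -c` fixes the count, as in the block below, which also returns a fixed status because a raw count would wrap modulo 256. In `start()`, the `test -d … || mkdir -p` and `chown` pair can be replaced by OpenRC's `checkpath -d -o opendnssec:opendnssec /run/opendnssec`, which also reports failure. `start_enforcer` and `start_signer` test `ENFORCER_BIN` and `SIGNER_BIN` for executability but then run an unquoted `${CONTROL_BIN}` that is never checked.

```shell
	# … unchanged: return 0 when CHECKCONFIG_BIN is empty …
	if [ -x "${CHECKCONFIG_BIN}" ]; then
		output=$("${CHECKCONFIG_BIN}" 2>&1 | grep -v -E "^/etc/opendnssec/(conf|kasp).xml validates")
		if [ -n "${output}" ]; then
			printf '%s\n' "${output}"
		fi

		# grep -c counts matching lines; the quoted expansion keeps one message per line
		errors=$(printf '%s\n' "${output}" | grep -c ERROR)
		if [ "${errors}" -gt 0 ]; then
			ewarn "${errors} error(s) found in OpenDNSSEC configuration."
			return 1
		fi
		return 0
	fi
	# … unchanged: eerror and return 1 when the checker cannot be executed …
```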