authorcsmk <csmk@cmsrv.org>2016-04-22 21:53:19 +0900
committercsmk <csmk@cmsrv.org>2016-04-22 21:53:19 +0900
commite0b456e9449e252f5cf44661be4171b9397ade07 (patch)
treedc8ec92ed0c99167afd23242fb968eda5f0e76c0 /net-dns
parentUpdate dev-qt/qtcore:4 (diff)
Add net-dns/unbound for LibreSSL >= 2.3.0
Diffstat (limited to 'net-dns')
-rw-r--r--net-dns/unbound/Manifest1
-rw-r--r--net-dns/unbound/files/unbound-1.5.7-no-ssl3.patch108
-rw-r--r--net-dns/unbound/files/unbound-1.5.7-trust-anchor-file.patch12
-rw-r--r--net-dns/unbound/files/unbound-anchor.service13
-rw-r--r--net-dns/unbound/files/unbound.confd4
-rw-r--r--net-dns/unbound/files/unbound.initd56
-rw-r--r--net-dns/unbound/files/unbound.service12
-rw-r--r--net-dns/unbound/files/unbound_at.service13
-rw-r--r--net-dns/unbound/metadata.xml33
-rw-r--r--net-dns/unbound/unbound-1.5.7.ebuild128
10 files changed, 380 insertions, 0 deletions
diff --git a/net-dns/unbound/Manifest b/net-dns/unbound/Manifest
new file mode 100644
index 0000000..3e15943
--- /dev/null
+++ b/net-dns/unbound/Manifest
@@ -0,0 +1 @@
+DIST unbound-1.5.7.tar.gz 4859573 SHA256 4b2088e5aa81a2d48f6337c30c1cf7e99b2e2dc4f92e463b3bee626eee731ca8 SHA512 7fc000364139519ed837ef9883f2e8a684b5ac19f2d3343626ab0a4c3459a7c3ccf2c79e9d992d82b123c6a38245fc286994365b427145d218e0b3c645c4dc4f WHIRLPOOL 9b2d18f09f46bed5da9818f5df0acbcc6d4a166943bbdb617494081614aa9b75a03ed0425679f40265f70e34ed66e01302182ec4050f0bb1f034fa5db28340f3
diff --git a/net-dns/unbound/files/unbound-1.5.7-no-ssl3.patch b/net-dns/unbound/files/unbound-1.5.7-no-ssl3.patch
new file mode 100644
index 0000000..6416a41
--- /dev/null
+++ b/net-dns/unbound/files/unbound-1.5.7-no-ssl3.patch
@@ -0,0 +1,108 @@
+--- a/daemon/remote.c 2015-10-29 17:32:58.000000000 +0000
++++ b/daemon/remote.c 2015-12-31 11:09:50.433457006 +0000
+@@ -208,18 +208,22 @@
+ return NULL;
+ }
+ /* no SSLv2, SSLv3 because has defects */
++#ifndef OPENSSL_NO_SSL2
+ if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
+ != SSL_OP_NO_SSLv2){
+ log_crypto_err("could not set SSL_OP_NO_SSLv2");
+ daemon_remote_delete(rc);
+ return NULL;
+ }
++#endif
++#ifndef OPENSSL_NO_SSL3
+ if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
+ != SSL_OP_NO_SSLv3){
+ log_crypto_err("could not set SSL_OP_NO_SSLv3");
+ daemon_remote_delete(rc);
+ return NULL;
+ }
++#endif
+
+ if (cfg->remote_control_use_cert == 0) {
+ /* No certificates are requested */
+--- a/smallapp/unbound-control.c 2015-12-08 17:15:55.000000000 +0000
++++ b/smallapp/unbound-control.c 2015-12-31 11:14:04.887942219 +0000
+@@ -156,13 +156,17 @@
+ ctx = SSL_CTX_new(SSLv23_client_method());
+ if(!ctx)
+ ssl_err("could not allocate SSL_CTX pointer");
++#ifndef OPENSSL_NO_SSL2
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
+ != SSL_OP_NO_SSLv2)
+ ssl_err("could not set SSL_OP_NO_SSLv2");
++#endif
+ if(cfg->remote_control_use_cert) {
++#ifndef OPENSSL_NO_SSL3
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
+ != SSL_OP_NO_SSLv3)
+ ssl_err("could not set SSL_OP_NO_SSLv3");
++#endif
+ if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert) ||
+ !SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)
+ || !SSL_CTX_check_private_key(ctx))
+--- a/testcode/petal.c 2015-07-21 23:37:15.000000000 +0000
++++ b/testcode/petal.c 2015-12-31 11:16:42.451194022 +0000
+@@ -234,8 +234,12 @@
+ {
+ SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method());
+ if(!ctx) print_exit("out of memory");
++#ifndef OPENSSL_NO_SSL2
+ (void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
++#endif
++#ifndef OPENSSL_NO_SSL3
+ (void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
++#endif
+ if(!SSL_CTX_use_certificate_chain_file(ctx, cert))
+ print_exit("cannot read cert");
+ if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM))
+--- a/util/net_help.c 2015-10-29 17:32:58.000000000 +0000
++++ b/util/net_help.c 2015-12-31 11:21:47.057925619 +0000
+@@ -619,18 +619,22 @@
+ return NULL;
+ }
+ /* no SSLv2, SSLv3 because has defects */
++#ifndef OPENSSL_NO_SSL2
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
+ != SSL_OP_NO_SSLv2){
+ log_crypto_err("could not set SSL_OP_NO_SSLv2");
+ SSL_CTX_free(ctx);
+ return NULL;
+ }
++#endif
++#ifndef OPENSSL_NO_SSL3
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
+ != SSL_OP_NO_SSLv3){
+ log_crypto_err("could not set SSL_OP_NO_SSLv3");
+ SSL_CTX_free(ctx);
+ return NULL;
+ }
++#endif
+ if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
+ log_err("error for cert file: %s", pem);
+ log_crypto_err("error in SSL_CTX use_certificate_chain_file");
+@@ -692,18 +696,22 @@
+ log_crypto_err("could not allocate SSL_CTX pointer");
+ return NULL;
+ }
++#ifndef OPENSSL_NO_SSL2
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
+ != SSL_OP_NO_SSLv2) {
+ log_crypto_err("could not set SSL_OP_NO_SSLv2");
+ SSL_CTX_free(ctx);
+ return NULL;
+ }
++#endif
++#ifndef OPENSSL_NO_SSL3
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
+ != SSL_OP_NO_SSLv3) {
+ log_crypto_err("could not set SSL_OP_NO_SSLv3");
+ SSL_CTX_free(ctx);
+ return NULL;
+ }
++#endif
+ if(key && key[0]) {
+ if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
+ log_err("error in client certificate %s", pem);
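Review bot: The patch file carries no header explaining why the SSLv2/SSLv3 opt-out becomes conditional, so a reader of daemon/remote.c or util/net_help.c cannot tell whether silently skipping the `SSL_OP_NO_SSLv3` option check under `OPENSSL_NO_SSL3` is deliberate. The guard is presumably safe only because a library that defines that macro has the protocol compiled out entirely, so there is nothing left to disable; that reasoning belongs at the top of the patch, e.g. `LibreSSL >= 2.3.0 defines OPENSSL_NO_SSL3 (and OPENSSL_NO_SSL2) and removes the protocols; the explicit opt-out then has nothing to set, so compile it out rather than fail the option check.` The same guard is applied identically in smallapp/unbound-control.c and testcode/petal.c, where the existing placement of the SSLv3 opt-out inside `if(cfg->remote_control_use_cert)` is unchanged by this patch. Each patched function starts and ends outside these hunks.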
diff --git a/net-dns/unbound/files/unbound-1.5.7-trust-anchor-file.patch b/net-dns/unbound/files/unbound-1.5.7-trust-anchor-file.patch
new file mode 100644
index 0000000..c4c0ffa
--- /dev/null
+++ b/net-dns/unbound/files/unbound-1.5.7-trust-anchor-file.patch
@@ -0,0 +1,12 @@
+diff -ur unbound-1.5.7.orig/doc/example.conf.in unbound-1.5.7/doc/example.conf.in
+--- unbound-1.5.7.orig/doc/example.conf.in 2015-12-10 08:59:18.000000000 +0100
++++ unbound-1.5.7/doc/example.conf.in 2016-01-05 04:08:01.666760015 +0100
+@@ -378,7 +378,7 @@
+ # with several entries, one file per entry.
+ # Zone file format, with DS and DNSKEY entries.
+ # Note this gets out of date, use auto-trust-anchor-file please.
+- # trust-anchor-file: ""
++ # trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
+
+ # Trusted key for validation. DS or DNSKEY. specify the RR on a
+ # single line, surrounded by "". TTL is ignored. class is IN default.
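Review bot: The only changed line, `# trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"`, is still commented out, so the patch changes the documented example value but does not make the installed configuration actually use the root key file. The src_prepare comment in unbound-1.5.7.ebuild says this patch exists to avoid the "Could not open autotrust file for writing" error; if that depends on an active `trust-anchor-file:` directive, the patch as written will not achieve it unless something not visible here uncomments the line later. Either drop the leading `# ` in the added line (a deliberate configuration change that should then be stated) or reword the ebuild comment to say the patch only adjusts the example.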
diff --git a/net-dns/unbound/files/unbound-anchor.service b/net-dns/unbound/files/unbound-anchor.service
new file mode 100644
index 0000000..f55cf9d
--- /dev/null
+++ b/net-dns/unbound/files/unbound-anchor.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Update of the root trust anchor for DNSSEC validation
+After=network.target
+Before=nss-lookup.target
+Wants=nss-lookup.target
+Before=unbound.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/unbound-anchor
+
+[Install]
+WantedBy=multi-user.target
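Review bot: `ExecStart=/usr/sbin/unbound-anchor` runs as root with no `User=`, so the root key file it creates or rewrites will be root-owned; the daemon, which presumably runs as the `unbound` account the ebuild creates in pkg_setup, may then be unable to update that file itself, which is consistent with the "Permission denied" autotrust error quoted in the ebuild's src_prepare comment. Consider `User=unbound` (with the key file's directory writable by that account) so the anchor is maintained by the same identity that validates with it; confirm against the path given to `--with-rootkey-file` in the ebuild. Separately, `After=network.target` orders only against network setup, not connectivity; because unbound-anchor fetches over the network, `After=network-online.target` together with `Wants=network-online.target` is the usual ordering for a oneshot like this.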
diff --git a/net-dns/unbound/files/unbound.confd b/net-dns/unbound/files/unbound.confd
new file mode 100644
index 0000000..b4de7cf
--- /dev/null
+++ b/net-dns/unbound/files/unbound.confd
@@ -0,0 +1,4 @@
+# Settings should normally not need any changes.
+
+# Location of the unbound configuration file. Leave empty for the default.
+#UNBOUND_CONFFILE="/etc/unbound/unbound.conf"
diff --git a/net-dns/unbound/files/unbound.initd b/net-dns/unbound/files/unbound.initd
new file mode 100644
index 0000000..f17d072
--- /dev/null
+++ b/net-dns/unbound/files/unbound.initd
@@ -0,0 +1,56 @@
+#!/sbin/runscript
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+name="unbound daemon"
+extra_commands="configtest"
+extra_started_commands="reload"
+description="unbound is a Domain Name Server (DNS) that is used to resolve host names to IP address."
+description_configtest="Run syntax tests for configuration files only."
+description_reload="Kills all children and reloads the configuration."
+
+
+UNBOUND_BINARY=${UNBOUND_BINARY:-/usr/sbin/unbound}
+UNBOUND_CHECKCONF=${UNBOUND_CHECKCONF:-/usr/sbin/unbound-checkconf}
+UNBOUND_CONFFILE=${UNBOUND_CONFFILE:-/etc/unbound/${SVCNAME}.conf}
+
+depend() {
+ need net
+ use logger
+ provide dns
+ after auth-dns
+}
+
+checkconfig() {
+ UNBOUND_PIDFILE=$("${UNBOUND_CHECKCONF}" -o pidfile "${UNBOUND_CONFFILE}")
+ return $?
+}
+
+configtest() {
+ ebegin "Checking ${SVCNAME} configuration"
+ checkconfig
+ eend $?
+}
+
+start() {
+ checkconfig || return $?
+ ebegin "Starting ${SVCNAME}"
+ start-stop-daemon --start --pidfile "${UNBOUND_PIDFILE}" \
+ --exec "${UNBOUND_BINARY}" -- -c "${UNBOUND_CONFFILE}"
+ eend $?
+}
+
+stop() {
+ checkconfig || return $?
+ ebegin "Stopping ${SVCNAME}"
+ start-stop-daemon --stop --pidfile "${UNBOUND_PIDFILE}"
+ eend $?
+}
+
+reload() {
+ checkconfig || return $?
+ ebegin "Reloading ${SVCNAME}"
+ start-stop-daemon --signal HUP --pidfile "${UNBOUND_PIDFILE}"
+ eend $?
+}
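Review bot: `stop()` and `reload()` are gated on `checkconfig || return $?`, so once a configuration edit no longer passes `unbound-checkconf` the running daemon can neither be stopped nor reloaded through the service, because the pidfile is discovered only by parsing that configuration. Record the pidfile at start time instead (for example write `${UNBOUND_PIDFILE}` to a file under the service's run directory and read it back in stop/reload), or fall back to `start-stop-daemon --stop --exec "${UNBOUND_BINARY}"` with an ewarn when checkconfig fails; the fallback can hit other instances started via symlinked `${SVCNAME}`s, so the first option is safer. `#!/sbin/runscript` is the legacy OpenRC interpreter name; `#!/sbin/openrc-run` is the current one.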
diff --git a/net-dns/unbound/files/unbound.service b/net-dns/unbound/files/unbound.service
new file mode 100644
index 0000000..41dd6fa
--- /dev/null
+++ b/net-dns/unbound/files/unbound.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Unbound recursive Domain Name Server
+After=network.target
+Before=nss-lookup.target
+Wants=nss-lookup.target
+
+[Service]
+ExecStartPre=/usr/sbin/unbound-checkconf
+ExecStart=/usr/sbin/unbound -d
+
+[Install]
+WantedBy=multi-user.target
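Review bot: unbound.service defines no `ExecReload=`, while the OpenRC script's reload action sends SIGHUP to the daemon, so `systemctl reload unbound` is unavailable and administrators will restart instead, discarding the cache. Add `ExecReload=/bin/kill -HUP $MAINPID` here and in unbound_at.service. The two units also disagree on `Type=` (unbound_at.service states `Type=simple`, this one relies on the default); stating it in both keeps them consistent.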
diff --git a/net-dns/unbound/files/unbound_at.service b/net-dns/unbound/files/unbound_at.service
new file mode 100644
index 0000000..84b34af
--- /dev/null
+++ b/net-dns/unbound/files/unbound_at.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Unbound recursive Domain Name Server
+After=network.target
+Before=nss-lookup.target
+Wants=nss-lookup.target
+
+[Service]
+Type=simple
+ExecStartPre=/usr/sbin/unbound-checkconf /etc/unbound/%i.conf
+ExecStart=/usr/sbin/unbound -d -c /etc/unbound/%i.conf
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-dns/unbound/metadata.xml b/net-dns/unbound/metadata.xml
new file mode 100644
index 0000000..272bb98
--- /dev/null
+++ b/net-dns/unbound/metadata.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer type="person">
+ <email>mschiff@gentoo.org</email>
+ <name>Marc Schiffbauer</name>
+ </maintainer>
+ <maintainer type="person">
+ <email>nabeken@tknetworks.org</email>
+ <description>Proxied developer. Please CC on bugs.</description>
+ <name>TANABE Ken-ichi</name>
+ </maintainer>
+ <maintainer type="project">
+ <email>proxy-maint@gentoo.org</email>
+ <name>Proxy Maintainers</name>
+ </maintainer>
+ <longdescription lang="en">
+ Unbound is a validating, recursive, and caching DNS resolver.
+
+ The C implementation of Unbound is developed and maintained by NLnet
+ Labs. It is based on ideas and algorithms taken from a java prototype
+ developed by Verisign labs, Nominet, Kirei and ep.net.
+
+ Unbound is designed as a set of modular components, so that also
+ DNSSEC (secure DNS) validation and stub-resolvers (that do not run
+ as a server, but are linked into an application) are easily possible.
+ </longdescription>
+ <use>
+ <flag name="dnstap">Enable dnstap support</flag>
+ <flag name="ecdsa">Enable ECDSA support</flag>
+ <flag name="gost">Enable GOST support</flag>
+ </use>
+</pkgmetadata>
diff --git a/net-dns/unbound/unbound-1.5.7.ebuild b/net-dns/unbound/unbound-1.5.7.ebuild
new file mode 100644
index 0000000..ca2646e
--- /dev/null
+++ b/net-dns/unbound/unbound-1.5.7.ebuild
@@ -0,0 +1,128 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+PYTHON_COMPAT=( python2_7 )
+
+inherit eutils flag-o-matic multilib-minimal python-single-r1 systemd user
+
+MY_P=${PN}-${PV/_/}
+DESCRIPTION="A validating, recursive and caching DNS resolver"
+HOMEPAGE="http://unbound.net/"
+SRC_URI="http://unbound.net/downloads/${MY_P}.tar.gz"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~hppa ~mips ~ppc ~ppc64 ~x86"
+IUSE="debug dnstap +ecdsa gost libressl python selinux static-libs test threads"
+REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
+
+# Note: expat is needed by executable only but the Makefile is custom
+# and doesn't make it possible to easily install the library without
+# the executables. MULTILIB_USEDEP may be dropped once build system
+# is fixed.
+
+CDEPEND=">=dev-libs/expat-2.1.0-r3[${MULTILIB_USEDEP}]
+ >=dev-libs/libevent-2.0.21[${MULTILIB_USEDEP}]
+ libressl? ( >=dev-libs/libressl-2.2.4:0[${MULTILIB_USEDEP}] )
+ !libressl? ( >=dev-libs/openssl-1.0.1h-r2:0[${MULTILIB_USEDEP}] )
+ dnstap? (
+ dev-libs/fstrm[${MULTILIB_USEDEP}]
+ >=dev-libs/protobuf-c-1.0.2-r1[${MULTILIB_USEDEP}]
+ )
+ ecdsa? (
+ !libressl? ( dev-libs/openssl:0[-bindist] )
+ )
+ python? ( ${PYTHON_DEPS} )"
+
+DEPEND="${CDEPEND}
+ python? ( dev-lang/swig )
+ test? (
+ net-dns/ldns-utils[examples]
+ dev-util/splint
+ app-text/wdiff
+ )"
+
+RDEPEND="${CDEPEND}
+ selinux? ( sec-policy/selinux-bind )"
+
+# bug #347415
+RDEPEND="${RDEPEND}
+ net-dns/dnssec-root"
+
+S=${WORKDIR}/${MY_P}
+
+pkg_setup() {
+ enewgroup unbound
+ enewuser unbound -1 -1 /etc/unbound unbound
+
+ use python && python-single-r1_pkg_setup
+}
+
+src_prepare() {
+ # Fix for LibreSSL >= 2.3.0
+ epatch "${FILESDIR}"/${P}-no-ssl3.patch
+
+ # To avoid below error messages, set 'trust-anchor-file' to same value in
+ # 'auto-trust-anchor-file'.
+ # [23109:0] error: Could not open autotrust file for writing,
+ # /etc/dnssec/root-anchors.txt: Permission denied
+ epatch "${FILESDIR}"/${P}-trust-anchor-file.patch
+
+ # required for the python part
+ multilib_copy_sources
+}
+
+src_configure() {
+ [[ ${CHOST} == *-darwin* ]] || append-ldflags -Wl,-z,noexecstack
+ multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+ econf \
+ $(use_enable debug) \
+ $(use_enable gost) \
+ $(use_enable dnstap) \
+ $(use_enable ecdsa) \
+ $(use_enable static-libs static) \
+ $(multilib_native_use_with python pythonmodule) \
+ $(multilib_native_use_with python pyunbound) \
+ $(use_with threads pthreads) \
+ --disable-flto \
+ --disable-rpath \
+ --with-libevent="${EPREFIX}"/usr \
+ --with-pidfile="${EPREFIX}"/var/run/unbound.pid \
+ --with-rootkey-file="${EPREFIX}"/etc/dnssec/root-anchors.txt \
+ --with-ssl="${EPREFIX}"/usr \
+ --with-libexpat="${EPREFIX}"/usr
+
+ # http://unbound.nlnetlabs.nl/pipermail/unbound-users/2011-April/001801.html
+ # $(use_enable debug lock-checks) \
+ # $(use_enable debug alloc-checks) \
+ # $(use_enable debug alloc-lite) \
+ # $(use_enable debug alloc-nonregional) \
+}
+
+multilib_src_install_all() {
+ prune_libtool_files --modules
+ use python && python_optimize
+
+ newinitd "${FILESDIR}"/unbound.initd unbound
+ newconfd "${FILESDIR}"/unbound.confd unbound
+
+ systemd_dounit "${FILESDIR}"/unbound.service
+ systemd_newunit "${FILESDIR}"/unbound_at.service "unbound@.service"
+ systemd_dounit "${FILESDIR}"/unbound-anchor.service
+
+ dodoc doc/{README,CREDITS,TODO,Changelog,FEATURES}
+
+ # bug #315519
+ dodoc contrib/unbound_munin_
+
+ docinto selinux
+ dodoc contrib/selinux/*
+
+ exeinto /usr/share/${PN}
+ doexe contrib/update-anchor.sh
+}
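Review bot: src_prepare applies the two bundled patches but does not end with `epatch_user`, which EAPI 5 ebuilds conventionally call so that local patches under /etc/portage/patches are honoured; add `epatch_user` after `epatch "${FILESDIR}"/${P}-trust-anchor-file.patch`. The `libressl? ( >=dev-libs/libressl-2.2.4:0[${MULTILIB_USEDEP}] )` dependency accepts releases older than the 2.3.0 named in the commit title; if the no-ssl3 patch has only been exercised against 2.3.0 and later, either raise the bound or add a comment stating that the patch is compatible with both. The commented-out `$(use_enable debug ...)` lines under multilib_src_configure are dead recipe text; either wire them to a USE flag or remove them and keep only the mailing-list link as the explanation.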