author | csmk <csmk@cmsrv.org> | 2016-04-22 21:53:19 +0900 |
---|---|---|
committer | csmk <csmk@cmsrv.org> | 2016-04-22 21:53:19 +0900 |
commit | e0b456e9449e252f5cf44661be4171b9397ade07 (patch) | |
tree | dc8ec92ed0c99167afd23242fb968eda5f0e76c0 /net-dns | |
parent | Update dev-qt/qtcore:4 (diff) | |
Add net-dns/unbound for LibreSSL >= 2.3.0
Diffstat (limited to 'net-dns')
-rw-r--r-- | net-dns/unbound/Manifest | 1 | ||||
-rw-r--r-- | net-dns/unbound/files/unbound-1.5.7-no-ssl3.patch | 108 | ||||
-rw-r--r-- | net-dns/unbound/files/unbound-1.5.7-trust-anchor-file.patch | 12 | ||||
-rw-r--r-- | net-dns/unbound/files/unbound-anchor.service | 13 | ||||
-rw-r--r-- | net-dns/unbound/files/unbound.confd | 4 | ||||
-rw-r--r-- | net-dns/unbound/files/unbound.initd | 56 | ||||
-rw-r--r-- | net-dns/unbound/files/unbound.service | 12 | ||||
-rw-r--r-- | net-dns/unbound/files/unbound_at.service | 13 | ||||
-rw-r--r-- | net-dns/unbound/metadata.xml | 33 | ||||
-rw-r--r-- | net-dns/unbound/unbound-1.5.7.ebuild | 128 |
10 files changed, 380 insertions, 0 deletions
diff --git a/net-dns/unbound/Manifest b/net-dns/unbound/Manifest
new file mode 100644
index 0000000..3e15943
--- /dev/null
+++ b/net-dns/unbound/Manifest
@@ -0,0 +1 @@
+DIST unbound-1.5.7.tar.gz 4859573 SHA256 4b2088e5aa81a2d48f6337c30c1cf7e99b2e2dc4f92e463b3bee626eee731ca8 SHA512 7fc000364139519ed837ef9883f2e8a684b5ac19f2d3343626ab0a4c3459a7c3ccf2c79e9d992d82b123c6a38245fc286994365b427145d218e0b3c645c4dc4f WHIRLPOOL 9b2d18f09f46bed5da9818f5df0acbcc6d4a166943bbdb617494081614aa9b75a03ed0425679f40265f70e34ed66e01302182ec4050f0bb1f034fa5db28340f3
diff --git a/net-dns/unbound/files/unbound-1.5.7-no-ssl3.patch b/net-dns/unbound/files/unbound-1.5.7-no-ssl3.patch
new file mode 100644
index 0000000..6416a41
--- /dev/null
+++ b/net-dns/unbound/files/unbound-1.5.7-no-ssl3.patch
@@ -0,0 +1,108 @@ +--- a/daemon/remote.c 2015-10-29 17:32:58.000000000 +0000 ++++ b/daemon/remote.c 2015-12-31 11:09:50.433457006 +0000 +@@ -208,18 +208,22 @@ + return NULL; + } + /* no SSLv2, SSLv3 because has defects */ ++#ifndef OPENSSL_NO_SSL2 + if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2) + != SSL_OP_NO_SSLv2){ + log_crypto_err("could not set SSL_OP_NO_SSLv2"); + daemon_remote_delete(rc); + return NULL; + } ++#endif ++#ifndef OPENSSL_NO_SSL3 + if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3) + != SSL_OP_NO_SSLv3){ + log_crypto_err("could not set SSL_OP_NO_SSLv3"); + daemon_remote_delete(rc); + return NULL; + } ++#endif + + if (cfg->remote_control_use_cert == 0) { + /* No certificates are requested */ +--- a/smallapp/unbound-control.c 2015-12-08 17:15:55.000000000 +0000 ++++ b/smallapp/unbound-control.c 2015-12-31 11:14:04.887942219 +0000 +@@ -156,13 +156,17 @@ + ctx = SSL_CTX_new(SSLv23_client_method()); + if(!ctx) + ssl_err("could not allocate SSL_CTX pointer"); ++#ifndef OPENSSL_NO_SSL2 + if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2) + != SSL_OP_NO_SSLv2) + ssl_err("could not set SSL_OP_NO_SSLv2"); ++#endif + if(cfg->remote_control_use_cert) { ++#ifndef OPENSSL_NO_SSL3 + if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3) + != SSL_OP_NO_SSLv3) + ssl_err("could not set SSL_OP_NO_SSLv3"); ++#endif + if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert) || + !SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM) + || !SSL_CTX_check_private_key(ctx)) +--- a/testcode/petal.c 2015-07-21 23:37:15.000000000 +0000 ++++ b/testcode/petal.c 2015-12-31 11:16:42.451194022 +0000 +@@ -234,8 +234,12 @@ + { + SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method()); + if(!ctx) print_exit("out of memory"); ++#ifndef OPENSSL_NO_SSL2 + (void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); ++#endif ++#ifndef OPENSSL_NO_SSL3 + (void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); ++#endif + 
if(!SSL_CTX_use_certificate_chain_file(ctx, cert)) + print_exit("cannot read cert"); + if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) +--- a/util/net_help.c 2015-10-29 17:32:58.000000000 +0000 ++++ b/util/net_help.c 2015-12-31 11:21:47.057925619 +0000 +@@ -619,18 +619,22 @@ + return NULL; + } + /* no SSLv2, SSLv3 because has defects */ ++#ifndef OPENSSL_NO_SSL2 + if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2) + != SSL_OP_NO_SSLv2){ + log_crypto_err("could not set SSL_OP_NO_SSLv2"); + SSL_CTX_free(ctx); + return NULL; + } ++#endif ++#ifndef OPENSSL_NO_SSL3 + if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3) + != SSL_OP_NO_SSLv3){ + log_crypto_err("could not set SSL_OP_NO_SSLv3"); + SSL_CTX_free(ctx); + return NULL; + } ++#endif + if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) { + log_err("error for cert file: %s", pem); + log_crypto_err("error in SSL_CTX use_certificate_chain_file"); +@@ -692,18 +696,22 @@ + log_crypto_err("could not allocate SSL_CTX pointer"); + return NULL; + } ++#ifndef OPENSSL_NO_SSL2 + if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2) + != SSL_OP_NO_SSLv2) { + log_crypto_err("could not set SSL_OP_NO_SSLv2"); + SSL_CTX_free(ctx); + return NULL; + } ++#endif ++#ifndef OPENSSL_NO_SSL3 + if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3) + != SSL_OP_NO_SSLv3) { + log_crypto_err("could not set SSL_OP_NO_SSLv3"); + SSL_CTX_free(ctx); + return NULL; + } ++#endif + if(key && key[0]) { + if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) { + log_err("error in client certificate %s", pem); diff --git a/net-dns/unbound/files/unbound-1.5.7-trust-anchor-file.patch b/net-dns/unbound/files/unbound-1.5.7-trust-anchor-file.patch new file mode 100644 index 0000000..c4c0ffa --- /dev/null +++ b/net-dns/unbound/files/unbound-1.5.7-trust-anchor-file.patch 
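Review bot: The patch file carries no header saying what actually breaks on LibreSSL >= 2.3.0 or whether it was sent upstream, so the next version bump has nothing to judge the patch against except the ebuild's one-line `# Fix for LibreSSL >= 2.3.0`. A header above the first `+--- a/daemon/remote.c` line such as `# LibreSSL 2.3 removed SSLv3 and defines OPENSSL_NO_SSL3; unbound 1.5.7's unconditional SSL_OP_NO_SSLv3 check then presumably fails, so only apply it where the protocol exists. Not upstream.` would do, with the exact failure mode confirmed before it is committed to. Note also that `OPENSSL_NO_SSL2`/`OPENSSL_NO_SSL3` are set by OpenSSL built with `no-ssl2`/`no-ssl3` as well, so the guards skip the explicit disable there too — harmless because the protocol cannot be negotiated, but every context here is still created with `SSLv23_*_method()` (visible in the unbound-control.c and petal.c hunks), so nothing in this change raises the floor to TLS. All four functions these hunks touch begin and end outside the hunks.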
@@ -0,0 +1,12 @@
+diff -ur unbound-1.5.7.orig/doc/example.conf.in unbound-1.5.7/doc/example.conf.in
+--- unbound-1.5.7.orig/doc/example.conf.in 2015-12-10 08:59:18.000000000 +0100
++++ unbound-1.5.7/doc/example.conf.in 2016-01-05 04:08:01.666760015 +0100
+@@ -378,7 +378,7 @@
+ # with several entries, one file per entry.
+ # Zone file format, with DS and DNSKEY entries.
+ # Note this gets out of date, use auto-trust-anchor-file please.
+- # trust-anchor-file: ""
++ # trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
+
+ # Trusted key for validation. DS or DNSKEY. specify the RR on a
+ # single line, surrounded by "". TTL is ignored. class is IN default.
diff --git a/net-dns/unbound/files/unbound-anchor.service b/net-dns/unbound/files/unbound-anchor.service
new file mode 100644
index 0000000..f55cf9d
--- /dev/null
+++ b/net-dns/unbound/files/unbound-anchor.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Update of the root trust anchor for DNSSEC validation
+After=network.target
+Before=nss-lookup.target
+Wants=nss-lookup.target
+Before=unbound.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/unbound-anchor
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-dns/unbound/files/unbound.confd b/net-dns/unbound/files/unbound.confd
new file mode 100644
index 0000000..b4de7cf
--- /dev/null
+++ b/net-dns/unbound/files/unbound.confd
@@ -0,0 +1,4 @@
+# Settings should normally not need any changes.
+
+# Location of the unbound configuration file. Leave empty for the default.
+#UNBOUND_CONFFILE="/etc/unbound/unbound.conf"
diff --git a/net-dns/unbound/files/unbound.initd b/net-dns/unbound/files/unbound.initd
new file mode 100644
index 0000000..f17d072
--- /dev/null
+++ b/net-dns/unbound/files/unbound.initd
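Review bot: The new value only lands in a line that stays commented out (`# trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"`), so on its own this changes nothing at runtime; an operator has to uncomment it, and once they do, validation rests on a static anchor that never follows an RFC 5011 key rollover — the context line directly above says so itself (`Note this gets out of date, use auto-trust-anchor-file please`). If the motivation is the permission error on the root-owned rootkey file, the safer direction is to keep `auto-trust-anchor-file` and point it at a copy in a directory the unbound user can write, e.g. `auto-trust-anchor-file: "/var/lib/unbound/root.key"` seeded from @UNBOUND_ROOTKEY_FILE@ at install time, rather than steering users toward the static option. At minimum the patch should carry a header explaining that the edited line is an example only and that a static anchor must be refreshed by hand when the root KSK rolls.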
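Review bot: `ExecStart=/usr/sbin/unbound-anchor` runs as root with no `-a`, so it rewrites the compiled-in rootkey path — `/etc/dnssec/root-anchors.txt` in this ebuild — which is a file installed by a different package (net-dns/dnssec-root), and the oneshot has no sandboxing while it talks to the network. As far as I recall, unbound-anchor(8) exits 1 when it updated the anchor (including the first run from the built-in anchor) and 0 when nothing changed, so with `Type=oneshot` this unit would show as failed precisely when it did useful work; `SuccessExitStatus=1` under [Service] would cover that if the man page confirms it. Pointing it at a state file owned by the unbound user, `ExecStart=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key`, would keep the file unbound validates against out of the package manager's hands.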
@@ -0,0 +1,56 @@
+#!/sbin/runscript
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+name="unbound daemon"
+extra_commands="configtest"
+extra_started_commands="reload"
+description="unbound is a Domain Name Server (DNS) that is used to resolve host names to IP address."
+description_configtest="Run syntax tests for configuration files only."
+description_reload="Kills all children and reloads the configuration."
+
+
+UNBOUND_BINARY=${UNBOUND_BINARY:-/usr/sbin/unbound}
+UNBOUND_CHECKCONF=${UNBOUND_CHECKCONF:-/usr/sbin/unbound-checkconf}
+UNBOUND_CONFFILE=${UNBOUND_CONFFILE:-/etc/unbound/${SVCNAME}.conf}
+
+depend() {
+ need net
+ use logger
+ provide dns
+ after auth-dns
+}
+
+checkconfig() {
+ UNBOUND_PIDFILE=$("${UNBOUND_CHECKCONF}" -o pidfile "${UNBOUND_CONFFILE}")
+ return $?
+}
+
+configtest() {
+ ebegin "Checking ${SVCNAME} configuration"
+ checkconfig
+ eend $?
+}
+
+start() {
+ checkconfig || return $?
+ ebegin "Starting ${SVCNAME}"
+ start-stop-daemon --start --pidfile "${UNBOUND_PIDFILE}" \
+ --exec "${UNBOUND_BINARY}" -- -c "${UNBOUND_CONFFILE}"
+ eend $?
+}
+
+stop() {
+ checkconfig || return $?
+ ebegin "Stopping ${SVCNAME}"
+ start-stop-daemon --stop --pidfile "${UNBOUND_PIDFILE}"
+ eend $?
+}
+
+reload() {
+ checkconfig || return $?
+ ebegin "Reloading ${SVCNAME}"
+ start-stop-daemon --signal HUP --pidfile "${UNBOUND_PIDFILE}"
+ eend $?
+}
diff --git a/net-dns/unbound/files/unbound.service b/net-dns/unbound/files/unbound.service
new file mode 100644
index 0000000..41dd6fa
--- /dev/null
+++ b/net-dns/unbound/files/unbound.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Unbound recursive Domain Name Server
+After=network.target
+Before=nss-lookup.target
+Wants=nss-lookup.target
+
+[Service]
+ExecStartPre=/usr/sbin/unbound-checkconf
+ExecStart=/usr/sbin/unbound -d
+
+[Install]
+WantedBy=multi-user.target
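Review bot: `stop()` and `reload()` signal whatever PID is in the pidfile without checking which process it is, while `start()` does pass `--exec`; unbound runs as the unprivileged `unbound` user and, as far as I recall, chowns its pidfile to that user so it can remove it on exit, in which case a compromised resolver could write another PID there and a root `rc-service unbound stop` would TERM (or HUP) an arbitrary process. Adding the binary to both calls makes start-stop-daemon verify the target before signalling: `start-stop-daemon --stop --pidfile "${UNBOUND_PIDFILE}" --exec "${UNBOUND_BINARY}"` and `start-stop-daemon --signal HUP --pidfile "${UNBOUND_PIDFILE}" --exec "${UNBOUND_BINARY}"`. Separately, `checkconfig || return $?` runs `unbound-checkconf` on every stop, so a syntax error introduced after start leaves the running daemon unstoppable through the service; falling back to a default pidfile when the check fails in `stop()` would be more robust.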
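Review bot: The unit starts a network-facing daemon as root with no sandboxing directives, relying entirely on unbound's own `username:`/`chroot:` settings to drop privileges after startup. systemd can bound what the process can ever regain, e.g. `CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_SYS_CHROOT CAP_SYS_RESOURCE`, `NoNewPrivileges=yes` and `ProtectHome=yes`; the exact capability set depends on which of chroot, setuid and the fd-limit raise the shipped config enables, so it wants a run against the default unbound.conf before landing. `ExecStart=/usr/sbin/unbound -d` without `-c` also means the daemon and the `ExecStartPre` checkconf both use the compiled-in config path, which is consistent but worth a one-line comment, since the OpenRC script in this same commit derives the path from the service name instead.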
diff --git a/net-dns/unbound/files/unbound_at.service b/net-dns/unbound/files/unbound_at.service
new file mode 100644
index 0000000..84b34af
--- /dev/null
+++ b/net-dns/unbound/files/unbound_at.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Unbound recursive Domain Name Server
+After=network.target
+Before=nss-lookup.target
+Wants=nss-lookup.target
+
+[Service]
+Type=simple
+ExecStartPre=/usr/sbin/unbound-checkconf /etc/unbound/%i.conf
+ExecStart=/usr/sbin/unbound -d -c /etc/unbound/%i.conf
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-dns/unbound/metadata.xml b/net-dns/unbound/metadata.xml
new file mode 100644
index 0000000..272bb98
--- /dev/null
+++ b/net-dns/unbound/metadata.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer type="person">
+ <email>mschiff@gentoo.org</email>
+ <name>Marc Schiffbauer</name>
+ </maintainer>
+ <maintainer type="person">
+ <email>nabeken@tknetworks.org</email>
+ <description>Proxied developer. Please CC on bugs.</description>
+ <name>TANABE Ken-ichi</name>
+ </maintainer>
+ <maintainer type="project">
+ <email>proxy-maint@gentoo.org</email>
+ <name>Proxy Maintainers</name>
+ </maintainer>
+ <longdescription lang="en">
+ Unbound is a validating, recursive, and caching DNS resolver.
+
+ The C implementation of Unbound is developed and maintained by NLnet
+ Labs. It is based on ideas and algorithms taken from a java prototype
+ developed by Verisign labs, Nominet, Kirei and ep.net.
+
+ Unbound is designed as a set of modular components, so that also
+ DNSSEC (secure DNS) validation and stub-resolvers (that do not run
+ as a server, but are linked into an application) are easily possible.
+ </longdescription>
+ <use>
+ <flag name="dnstap">Enable dnstap support</flag>
+ <flag name="ecdsa">Enable ECDSA support</flag>
+ <flag name="gost">Enable GOST support</flag>
+ </use>
+</pkgmetadata>
diff --git a/net-dns/unbound/unbound-1.5.7.ebuild b/net-dns/unbound/unbound-1.5.7.ebuild
new file mode 100644
index 0000000..ca2646e
--- /dev/null
+++ b/net-dns/unbound/unbound-1.5.7.ebuild
@@ -0,0 +1,128 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+PYTHON_COMPAT=( python2_7 )
+
+inherit eutils flag-o-matic multilib-minimal python-single-r1 systemd user
+
+MY_P=${PN}-${PV/_/}
+DESCRIPTION="A validating, recursive and caching DNS resolver"
+HOMEPAGE="http://unbound.net/"
+SRC_URI="http://unbound.net/downloads/${MY_P}.tar.gz"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~hppa ~mips ~ppc ~ppc64 ~x86"
+IUSE="debug dnstap +ecdsa gost libressl python selinux static-libs test threads"
+REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
+
+# Note: expat is needed by executable only but the Makefile is custom
+# and doesn't make it possible to easily install the library without
+# the executables. MULTILIB_USEDEP may be dropped once build system
+# is fixed.
+
+CDEPEND=">=dev-libs/expat-2.1.0-r3[${MULTILIB_USEDEP}]
+ >=dev-libs/libevent-2.0.21[${MULTILIB_USEDEP}]
+ libressl? ( >=dev-libs/libressl-2.2.4:0[${MULTILIB_USEDEP}] )
+ !libressl? ( >=dev-libs/openssl-1.0.1h-r2:0[${MULTILIB_USEDEP}] )
+ dnstap? (
+ dev-libs/fstrm[${MULTILIB_USEDEP}]
+ >=dev-libs/protobuf-c-1.0.2-r1[${MULTILIB_USEDEP}]
+ )
+ ecdsa? (
+ !libressl? ( dev-libs/openssl:0[-bindist] )
+ )
+ python? ( ${PYTHON_DEPS} )"
+
+DEPEND="${CDEPEND}
+ python? ( dev-lang/swig )
+ test? (
+ net-dns/ldns-utils[examples]
+ dev-util/splint
+ app-text/wdiff
+ )"
+
+RDEPEND="${CDEPEND}
+ selinux? ( sec-policy/selinux-bind )"
+
+# bug #347415
+RDEPEND="${RDEPEND}
+ net-dns/dnssec-root"
+
+S=${WORKDIR}/${MY_P}
+
+pkg_setup() {
+ enewgroup unbound
+ enewuser unbound -1 -1 /etc/unbound unbound
+
+ use python && python-single-r1_pkg_setup
+}
+
+src_prepare() {
+ # Fix for LibreSSL >= 2.3.0
+ epatch "${FILESDIR}"/${P}-no-ssl3.patch
+
+ # To avoid below error messages, set 'trust-anchor-file' to same value in
+ # 'auto-trust-anchor-file'.
+ # [23109:0] error: Could not open autotrust file for writing,
+ # /etc/dnssec/root-anchors.txt: Permission denied
+ epatch "${FILESDIR}"/${P}-trust-anchor-file.patch
+
+ # required for the python part
+ multilib_copy_sources
+}
+
+src_configure() {
+ [[ ${CHOST} == *-darwin* ]] || append-ldflags -Wl,-z,noexecstack
+ multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+ econf \
+ $(use_enable debug) \
+ $(use_enable gost) \
+ $(use_enable dnstap) \
+ $(use_enable ecdsa) \
+ $(use_enable static-libs static) \
+ $(multilib_native_use_with python pythonmodule) \
+ $(multilib_native_use_with python pyunbound) \
+ $(use_with threads pthreads) \
+ --disable-flto \
+ --disable-rpath \
+ --with-libevent="${EPREFIX}"/usr \
+ --with-pidfile="${EPREFIX}"/var/run/unbound.pid \
+ --with-rootkey-file="${EPREFIX}"/etc/dnssec/root-anchors.txt \
+ --with-ssl="${EPREFIX}"/usr \
+ --with-libexpat="${EPREFIX}"/usr
+
+ # http://unbound.nlnetlabs.nl/pipermail/unbound-users/2011-April/001801.html
+ # $(use_enable debug lock-checks) \
+ # $(use_enable debug alloc-checks) \
+ # $(use_enable debug alloc-lite) \
+ # $(use_enable debug alloc-nonregional) \
+}
+
+multilib_src_install_all() {
+ prune_libtool_files --modules
+ use python && python_optimize
+
+ newinitd "${FILESDIR}"/unbound.initd unbound
+ newconfd "${FILESDIR}"/unbound.confd unbound
+
+ systemd_dounit "${FILESDIR}"/unbound.service
+ systemd_newunit "${FILESDIR}"/unbound_at.service "unbound@.service"
+ systemd_dounit "${FILESDIR}"/unbound-anchor.service
+
+ dodoc doc/{README,CREDITS,TODO,Changelog,FEATURES}
+
+ # bug #315519
+ dodoc contrib/unbound_munin_
+
+ docinto selinux
+ dodoc contrib/selinux/*
+
+ exeinto /usr/share/${PN}
+ doexe contrib/update-anchor.sh
+}
|
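Review bot: The comment in `src_prepare` says the trust-anchor patch avoids the `Could not open autotrust file for writing ... Permission denied` error, but that patch only edits a commented-out line in doc/example.conf.in, so the installed daemon behaves exactly as before until an operator uncomments `trust-anchor-file` — and once they do, the anchor is static and no longer tracks RFC 5011 rollovers. The root cause is that `--with-rootkey-file="${EPREFIX}"/etc/dnssec/root-anchors.txt` points at a file owned by net-dns/dnssec-root that the `unbound` user created in `pkg_setup` cannot write; a state directory owned by that user (`keepdir /var/lib/${PN}` and `fowners unbound:unbound /var/lib/${PN}` in `multilib_src_install_all`, with `--with-rootkey-file="${EPREFIX}"/var/lib/${PN}/root.key`) would let auto-trust-anchor-file work without touching another package's file, though it also changes where `unbound-anchor` writes by default and should be weighed against why the dnssec-root dependency was added (bug #347415). Short of that, the comment should state that the patch only changes the example config and that choosing `trust-anchor-file` means the anchor is refreshed only when net-dns/dnssec-root is upgraded.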