svn commit: r479838 - in head/security/easy-rsa: . files
Matthias Andree
mandree at FreeBSD.org
Sat Sep 15 15:30:25 UTC 2018
Author: mandree
Date: Sat Sep 15 15:30:23 2018
New Revision: 479838
URL: https://svnweb.freebsd.org/changeset/ports/479838
Log:
Fix security/easy-rsa regression that broke bootstrapping.
v3.0.5 added code that expanded variables, for compatibility with LibreSSL.
This code assumed that the source configuration file could be variable-
expanded and the result could be saved next to the source - which it
cannot, since the latter is under ${PREFIX} where the unprivileged users
should not be able to write.
Add a patch provided by Eric Crist, and rename another file to keep
a sane patch order.
Added:
head/security/easy-rsa/files/patch-easyrsa (contents, props changed)
head/security/easy-rsa/files/patch-zgit-c5ff31e8
- copied unchanged from r479837, head/security/easy-rsa/files/patch-c5ff31e8
Deleted:
head/security/easy-rsa/files/patch-c5ff31e8
Modified:
head/security/easy-rsa/Makefile
Modified: head/security/easy-rsa/Makefile
==============================================================================
--- head/security/easy-rsa/Makefile Sat Sep 15 14:55:54 2018 (r479837)
+++ head/security/easy-rsa/Makefile Sat Sep 15 15:30:23 2018 (r479838)
@@ -2,6 +2,7 @@
PORTNAME= easy-rsa
DISTVERSION= 3.0.5
+PORTREVISION= 1
CATEGORIES= security net-mgmt
MASTER_SITES= https://github.com/OpenVPN/easy-rsa/releases/download/v${DISTVERSION}/
DISTNAME= EasyRSA-nix-${DISTVERSION}
@@ -14,8 +15,6 @@ COMMENT= Small RSA key management package based on ope
LICENSE= GPLv2
CONFLICTS_INSTALL=easy-rsa2-*
-
-BROKEN= regression for common configurations, patch in a few hours
USES= tar:tgz
NO_BUILD= yes
Added: head/security/easy-rsa/files/patch-easyrsa
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/easy-rsa/files/patch-easyrsa Sat Sep 15 15:30:23 2018 (r479838)
@@ -0,0 +1,46 @@
+--- easyrsa~ 2018-09-14 23:21:19.000000000 -0500
++++ easyrsa 2018-09-15 10:21:49.241886000 -0500
+@@ -415,7 +415,6 @@
+
+ # init-pki backend:
+ init_pki() {
+- vars_source_check
+
+ # If EASYRSA_PKI exists, confirm before we rm -rf (skiped with EASYRSA_BATCH)
+ if [ -e "$EASYRSA_PKI" ]; then
+@@ -432,6 +431,11 @@
+ for i in private reqs; do
+ mkdir -p "$EASYRSA_PKI/$i" || die "Failed to create PKI file structure (permissions?)"
+ done
++
++ if [ ! -f "$EASYRSA_PKI/openssl-easyrsa.cnf" -a -f "$EASYRSA/openssl-easyrsa.cnf" ];
++ then
++ cp "$EASYRSA/openssl-easyrsa.cnf" "$EASYRSA_PKI/openssl-easyrsa.cnf"
++ fi
+
+ notice "\
+ init-pki complete; you may now create a CA or requests.
+@@ -1180,18 +1184,15 @@
+ set_var EASYRSA_REQ_CN ChangeMe
+ set_var EASYRSA_DIGEST sha256
+
+- # Detect openssl config, preferring EASYRSA_PKI over EASYRSA
+- if [ -f "$EASYRSA_PKI/openssl-easyrsa.cnf" ]; then
+- set_var EASYRSA_SSL_CONF "$EASYRSA_PKI/openssl-easyrsa.cnf"
+- set_var EASYRSA_SAFE_CONF "$EASYRSA_PKI/safessl-easyrsa.cnf"
+- else set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf"
+- set_var EASYRSA_SAFE_CONF "$EASYRSA/safessl-easyrsa.cnf"
+- fi
++ set_var EASYRSA_SSL_CONF "$EASYRSA_PKI/openssl-easyrsa.cnf"
++ set_var EASYRSA_SAFE_CONF "$EASYRSA_PKI/safessl-easyrsa.cnf"
+
+ # Same as above for the x509-types extensions dir
+ if [ -d "$EASYRSA_PKI/x509-types" ]; then
+ set_var EASYRSA_EXT_DIR "$EASYRSA_PKI/x509-types"
+- else set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
++ else
++ #TODO: This should be removed. Not really suitable for packaging.
++ set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
+ fi
+
+ # EASYRSA_ALGO_PARAMS must be set depending on selected algo
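Review bot: In the last hunk (around line 1180 of easyrsa), removing the fallback to `$EASYRSA/openssl-easyrsa.cnf` makes EASYRSA_SSL_CONF always point into `$EASYRSA_PKI`, so a PKI directory that was initialised before this change and has no openssl-easyrsa.cnf of its own no longer resolves to an existing config; the copy added to init_pki only happens when init-pki is run. Consider keeping a fallback for existing PKIs, or failing with a clear message that tells the user to copy the file. In the init_pki hunk, the `cp` result is not checked, unlike the `mkdir -p ... || die` directly above it, and when `$EASYRSA/openssl-easyrsa.cnf` is missing the copy is skipped silently; appending `|| die` and reporting a missing source would surface the problem at init time instead of at the first openssl call. The `[ ... -a ... ]` form is marked obsolescent in POSIX; two `[ ]` tests joined with `&&` is the portable spelling.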
Copied: head/security/easy-rsa/files/patch-zgit-c5ff31e8 (from r479837, head/security/easy-rsa/files/patch-c5ff31e8)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/easy-rsa/files/patch-zgit-c5ff31e8 Sat Sep 15 15:30:23 2018 (r479838, copy of r479837, head/security/easy-rsa/files/patch-c5ff31e8)
@@ -0,0 +1,11 @@
+--- easyrsa
++++ easyrsa
+@@ -546,7 +546,7 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
+ if [ $sub_ca ]; then
+ notice "\
+ NOTE: Your sub-CA request is at $out_file
+-and now must be sent to you parent CA for signing. Place your resulting cert
++and now must be sent to your parent CA for signing. Place your resulting cert
+ at $EASYRSA_PKI/ca.crt prior to signing operations.
+ "
+ else notice "\
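Review bot: This patch still targets `easyrsa` at its original position (`@@ -546,7 +546,7 @@`), but files/patch-easyrsa now changes the same file earlier on (one line removed near 415, five added near 432), so this hunk only applies by offset and depends on the "zgit" name sorting after patch-easyrsa. Folding the one-line "you parent CA" to "your parent CA" fix into patch-easyrsa would give a single patch per target file and remove the implicit ordering dependency.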