summaryrefslogtreecommitdiff
blob: f52b47df5f15a0037bbbfddff454f1d1a4815a17 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
# Copyright 1999-2012 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-dns/opendnssec/opendnssec-1.3.7.ebuild,v 1.2 2012/06/14 02:15:19 zmedico Exp $

EAPI=4

MY_P="${P/_}"
PKCS11_IUSE="+softhsm opensc external-hsm"
inherit base autotools multilib user

DESCRIPTION="An open-source turn-key solution for DNSSEC"
HOMEPAGE="http://www.opendnssec.org/"
SRC_URI="http://www.${PN}.org/files/source/${MY_P}.tar.gz"

LICENSE="BSD"
SLOT="0"
KEYWORDS="~amd64 ~x86"
IUSE="auditor +curl debug doc eppclient mysql +signer +sqlite test ${PKCS11_IUSE}"

RDEPEND="
	dev-lang/perl
	dev-libs/libxml2
	dev-libs/libxslt
	>=net-libs/ldns-1.6.12
	auditor? ( dev-lang/ruby[ssl] >=dev-ruby/dnsruby-1.53 )
	curl? ( net-misc/curl )
	mysql? (
		virtual/mysql
		dev-perl/DBD-mysql
	)
	opensc? ( dev-libs/opensc )
	softhsm? ( dev-libs/softhsm )
	sqlite? (
		dev-db/sqlite:3
		dev-perl/DBD-SQLite
	)
"
DEPEND="${RDEPEND}
	doc? ( app-doc/doxygen )
	test? (
		app-text/trang
	)
"
# test? dev-util/cunit # Requires running test DB

REQUIRED_USE="
	^^ ( mysql sqlite )
	^^ ( softhsm opensc external-hsm )
	eppclient? ( curl )
"

PATCHES=(
	"${FILESDIR}/${PN}-fix-localstatedir.patch"
	"${FILESDIR}/${PN}-drop-privileges.patch"
	"${FILESDIR}/${PN}-use-system-trang.patch"
)

S="${WORKDIR}/${MY_P}"

DOCS=( MIGRATION NEWS README )

check_pkcs11_setup() {
	# PKCS#11 HSM's are often only available with proprietary drivers not
	# available in portage tree.

	if use softhsm; then
		PKCS11_LIB=softhsm
		if has_version ">=dev-libs/softhsm-1.3.1"; then
			PKCS11_PATH=/usr/$(get_libdir)/softhsm/libsofthsm.so
		else
			PKCS11_PATH=/usr/$(get_libdir)/libsofthsm.so
		fi
		elog "Building with SoftHSM PKCS#11 library support."
	fi
	if use opensc; then
		PKCS11_LIB=opensc
		PKCS11_PATH=/usr/$(get_libdir)/opensc-pkcs11.so
		elog "Building with OpenSC PKCS#11 library support."
	fi
	if use external-hsm; then
		if [[ -n ${PKCS11_SCA6000} ]]; then
			PKCS11_LIB=sca6000
			PKCS11_PATH=${PKCS11_SCA6000}
		elif [[ -n ${PKCS11_ETOKEN} ]]; then
			PKCS11_LIB=etoken
			PKCS11_PATH=${PKCS11_ETOKEN}
		elif [[ -n ${PKCS11_NCIPHER} ]]; then
			PKCS11_LIB=ncipher
			PKCS11_PATH=${PKCS11_NCIPHER}
		elif [[ -n ${PKCS11_AEPKEYPER} ]]; then
			PKCS11_LIB=aepkeyper
			PKCS11_PATH=${PKCS11_AEPKEYPER}
		else
			ewarn "You enabled USE flag 'external-hsm' but did not specify a path to a PKCS#11"
			ewarn "library. To set a path, set one of the following environment variables:"
			ewarn "  for Sun Crypto Accelerator 6000, set: PKCS11_SCA6000=<path>"
			ewarn "  for Aladdin eToken, set: PKCS11_ETOKEN=<path>"
			ewarn "  for Thales/nCipher netHSM, set: PKCS11_NCIPHER=<path>"
			ewarn "  for AEP Keyper, set: PKCS11_AEPKEYPER=<path>"
			ewarn "Example:"
			ewarn "  PKCS11_ETOKEN=\"/opt/etoken/lib/libeTPkcs11.so\" emerge -pv opendnssec"
			ewarn "or store the variable into /etc/make.conf"
			die "USE flag 'external-hsm' set but no PKCS#11 library path specified."
		fi
		elog "Building with external PKCS#11 library support ($PKCS11_LIB): ${PKCS11_PATH}"
	fi
}

pkg_pretend() {
	local i

	for i in eppclient mysql; do
		if use ${i}; then
			ewarn "Usage of ${i} is considered experimental."
			ewarn "Do not report bugs against this feature."
		fi
	done

	check_pkcs11_setup
}

pkg_setup() {
	enewgroup opendnssec
	enewuser opendnssec -1 -1 -1 opendnssec

	# pretend does not preserve variables so we need to run this once more
	check_pkcs11_setup
}

src_prepare() {
	base_src_prepare
	eautoreconf
}

src_configure() {
	# $(use_with test cunit "${EPREFIX}/usr/") \
	econf \
		--without-cunit \
		--localstatedir="${EPREFIX}/var/" \
		--disable-static \
		--with-database-backend=$(use mysql && echo "mysql")$(use sqlite && echo "sqlite3") \
		--with-pkcs11-${PKCS11_LIB}=${PKCS11_PATH} \
		$(use_with curl) \
		$(use_enable auditor) \
		$(use_enable debug timeshift) \
		$(use_enable eppclient) \
		$(use_enable signer)
}

src_compile() {
	default
	use doc && emake docs
}

src_install() {
	default

	# remove useless .la files
	find "${ED}" -name '*.la' -delete

	# Remove subversion tags from config files to avoid useless config updates
	sed -i \
		-e '/<!-- \$Id:/ d' \
		"${ED}"/etc/opendnssec/* || die

	# install update scripts
	insinto /usr/share/opendnssec
	use sqlite && doins enforcer/utils/migrate_keyshare_sqlite3.pl
	use mysql && doins enforcer/utils/migrate_keyshare_mysql.pl

	# fix permissions
	fowners root:opendnssec /etc/opendnssec
	fowners root:opendnssec /etc/opendnssec/{conf,kasp,zonelist,zonefetch}.xml
	use eppclient && fowners root:opendnssec /etc/opendnssec/eppclientd.conf

	fowners opendnssec:opendnssec /var/lib/opendnssec/{,signconf,unsigned,signed,tmp}
	fowners opendnssec:opendnssec /var/run/opendnssec

	# install conf/init script
	newinitd "${FILESDIR}"/opendnssec.initd opendnssec
	newconfd "${FILESDIR}"/opendnssec.confd opendnssec
}

pkg_postinst() {
	if use softhsm; then
		elog "Please make sure that you create your softhsm database in a location writeable"
		elog "by the opendnssec user. You can set its location in /etc/softhsm.conf."
		elog "Suggested configuration is:"
		elog "    echo \"0:/var/lib/opendnssec/softhsm_slot0.db\" >> /etc/softhsm.conf"
		elog "    softhsm --init-token --slot 0 --label OpenDNSSEC"
		elog "    chown opendnssec:opendnssec /var/lib/opendnssec/softhsm_slot0.db"
	fi

	# caution if upgrading to 1.3.7
	if [[ -d /var/lib/opencryptoki ]]; then
		ewarn
		ewarn "WARNING:"
		ewarn "It seems that you have dev-libs/opencryptoki installed."
		ewarn "If you are using a Sun Crypto Accelerator 6000 (SCA/6000):"
		ewarn
		ewarn "Press Ctrl-C now and read the following upstream message"
		ewarn "carefully before you continue:"
		ewarn
		ewarn "HSM SCA 6000 in combination with OpenCryptoki can return RSA key"
		ewarn "material with leading zeroes. DNSSEC does not allow leading zeroes"
		ewarn "in key data. You are affected by this bug if your DNSKEY RDATA e.g."
		ewarn "begins with 'BAABA'."
		ewarn "Normal keys begin with e.g. 'AwEAA'."
		ewarn "OpenDNSSEC will now sanitize incoming data before adding it to the"
		ewarn "DNSKEY. Do not upgrade to this version if you are affected by the bug."
		ewarn "You first need to go unsigned, then do the upgrade, and finally sign"
		ewarn "your zone again. SoftHSM and other HSM:s will not produce data with"
		ewarn "leading zeroes and the bug will thus not affect you."
		ewarn
		echo -n " * "
		for i in {10..1}; do echo -n "$i "; sleep 1; done
		echo
	fi
}