From owner-svn-ports-head@freebsd.org  Sat Sep 15 15:30:24 2018
Return-Path: <owner-svn-ports-head@freebsd.org>
Delivered-To: svn-ports-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id AFE7310A87DC;
 Sat, 15 Sep 2018 15:30:24 +0000 (UTC)
 (envelope-from mandree@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 6153C8F6E8;
 Sat, 15 Sep 2018 15:30:24 +0000 (UTC)
 (envelope-from mandree@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 5AA1A1538D;
 Sat, 15 Sep 2018 15:30:24 +0000 (UTC)
 (envelope-from mandree@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w8FFUOHn063891;
 Sat, 15 Sep 2018 15:30:24 GMT (envelope-from mandree@FreeBSD.org)
Received: (from mandree@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id w8FFUNWn063888;
 Sat, 15 Sep 2018 15:30:23 GMT (envelope-from mandree@FreeBSD.org)
Message-Id: <201809151530.w8FFUNWn063888@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: mandree set sender to
 mandree@FreeBSD.org using -f
From: Matthias Andree <mandree@FreeBSD.org>
Date: Sat, 15 Sep 2018 15:30:23 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org,
 svn-ports-head@freebsd.org
Subject: svn commit: r479838 - in head/security/easy-rsa: . files
X-SVN-Group: ports-head
X-SVN-Commit-Author: mandree
X-SVN-Commit-Paths: in head/security/easy-rsa: . files
X-SVN-Commit-Revision: 479838
X-SVN-Commit-Repository: ports
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-ports-head@freebsd.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: SVN commit messages for the ports tree for head
 <svn-ports-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-ports-head>, 
 <mailto:svn-ports-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-ports-head/>
List-Post: <mailto:svn-ports-head@freebsd.org>
List-Help: <mailto:svn-ports-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-ports-head>,
 <mailto:svn-ports-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Sep 2018 15:30:25 -0000

Author: mandree
Date: Sat Sep 15 15:30:23 2018
New Revision: 479838
URL: https://svnweb.freebsd.org/changeset/ports/479838

Log:
  Fix security/easy-rsa regression that broke bootstrapping.
  
  v3.0.5 added code that expanded variables, for compatibility with LibreSSL.
  This code assumed that the source configuration file could be variable-
  expanded and the result could be saved next to the source - which it
  cannot, since the latter is under ${PREFIX} where the unprivileged users
  should not be able to write.
  
  Add a patch provided by Eric Crist, and rename another file to keep
  a sane patch order.

Added:
  head/security/easy-rsa/files/patch-easyrsa   (contents, props changed)
  head/security/easy-rsa/files/patch-zgit-c5ff31e8
     - copied unchanged from r479837, head/security/easy-rsa/files/patch-c5ff31e8
Deleted:
  head/security/easy-rsa/files/patch-c5ff31e8
Modified:
  head/security/easy-rsa/Makefile

Modified: head/security/easy-rsa/Makefile
==============================================================================
--- head/security/easy-rsa/Makefile	Sat Sep 15 14:55:54 2018	(r479837)
+++ head/security/easy-rsa/Makefile	Sat Sep 15 15:30:23 2018	(r479838)
@@ -2,6 +2,7 @@
 
 PORTNAME=	easy-rsa
 DISTVERSION=	3.0.5
+PORTREVISION=	1
 CATEGORIES=	security net-mgmt
 MASTER_SITES=	https://github.com/OpenVPN/easy-rsa/releases/download/v${DISTVERSION}/
 DISTNAME=	EasyRSA-nix-${DISTVERSION}
@@ -14,8 +15,6 @@ COMMENT=	Small RSA key management package based on ope
 LICENSE=	GPLv2
 
 CONFLICTS_INSTALL=easy-rsa2-*
-
-BROKEN=		regression for common configurations, patch in a few hours
 
 USES=		tar:tgz
 NO_BUILD=	yes

Added: head/security/easy-rsa/files/patch-easyrsa
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/easy-rsa/files/patch-easyrsa	Sat Sep 15 15:30:23 2018	(r479838)
@@ -0,0 +1,46 @@
+--- easyrsa~	2018-09-14 23:21:19.000000000 -0500
++++ easyrsa	2018-09-15 10:21:49.241886000 -0500
+@@ -415,7 +415,6 @@
+ 
+ # init-pki backend:
+ init_pki() {
+-	vars_source_check
+ 
+ 	# If EASYRSA_PKI exists, confirm before we rm -rf (skiped with EASYRSA_BATCH)
+ 	if [ -e "$EASYRSA_PKI" ]; then
+@@ -432,6 +431,11 @@
+ 	for i in private reqs; do
+ 		mkdir -p "$EASYRSA_PKI/$i" || die "Failed to create PKI file structure (permissions?)"
+ 	done
++	
++	if [ ! -f "$EASYRSA_PKI/openssl-easyrsa.cnf" -a -f "$EASYRSA/openssl-easyrsa.cnf" ];
++	then
++		cp "$EASYRSA/openssl-easyrsa.cnf" "$EASYRSA_PKI/openssl-easyrsa.cnf"
++	fi
+ 
+ 	notice "\
+ init-pki complete; you may now create a CA or requests.
+@@ -1180,18 +1184,15 @@
+ 	set_var EASYRSA_REQ_CN		ChangeMe
+ 	set_var EASYRSA_DIGEST		sha256
+ 
+-	# Detect openssl config, preferring EASYRSA_PKI over EASYRSA
+-	if [ -f "$EASYRSA_PKI/openssl-easyrsa.cnf" ]; then
+-		set_var EASYRSA_SSL_CONF	"$EASYRSA_PKI/openssl-easyrsa.cnf"
+-		set_var EASYRSA_SAFE_CONF	"$EASYRSA_PKI/safessl-easyrsa.cnf"
+-	else	set_var EASYRSA_SSL_CONF	"$EASYRSA/openssl-easyrsa.cnf"
+-		set_var EASYRSA_SAFE_CONF	"$EASYRSA/safessl-easyrsa.cnf"
+-	fi
++	set_var EASYRSA_SSL_CONF	"$EASYRSA_PKI/openssl-easyrsa.cnf"
++	set_var EASYRSA_SAFE_CONF	"$EASYRSA_PKI/safessl-easyrsa.cnf"
+ 
+ 	# Same as above for the x509-types extensions dir
+ 	if [ -d "$EASYRSA_PKI/x509-types" ]; then
+ 		set_var EASYRSA_EXT_DIR		"$EASYRSA_PKI/x509-types"
+-	else	set_var EASYRSA_EXT_DIR		"$EASYRSA/x509-types"
++	else	
++		#TODO: This should be removed.  Not really suitable for packaging.
++		set_var EASYRSA_EXT_DIR		"$EASYRSA/x509-types"
+ 	fi
+ 
+ 	# EASYRSA_ALGO_PARAMS must be set depending on selected algo

Copied: head/security/easy-rsa/files/patch-zgit-c5ff31e8 (from r479837, head/security/easy-rsa/files/patch-c5ff31e8)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/easy-rsa/files/patch-zgit-c5ff31e8	Sat Sep 15 15:30:23 2018	(r479838, copy of r479837, head/security/easy-rsa/files/patch-c5ff31e8)
@@ -0,0 +1,11 @@
+--- easyrsa
++++ easyrsa
+@@ -546,7 +546,7 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
+ 	if [ $sub_ca ]; then
+ 		notice "\
+ NOTE: Your sub-CA request is at $out_file
+-and now must be sent to you parent CA for signing. Place your resulting cert
++and now must be sent to your parent CA for signing. Place your resulting cert
+ at $EASYRSA_PKI/ca.crt prior to signing operations.
+ "
+ 	else	notice "\