authordougb <dougb@FreeBSD.org>2009-01-08 16:18:45 +0800
committerdougb <dougb@FreeBSD.org>2009-01-08 16:18:45 +0800
commitb915af665e266a5f90cb5e4a2542431a558c3851 (patch)
tree0ffd6d5e688b5d3bbc7b339e41e35664944abc29
parent507a1f515d94252dcf5db5cbc493f51d1b0dadc6 (diff)
Update to the -P1 versions of the current BIND ports which contain
the fix for the following vulnerability: https://www.isc.org/node/373 Description: Return values from OpenSSL library functions EVP_VerifyFinal() and DSA_do_verify() were not checked properly. Impact: It is theoretically possible to spoof answers returned from zones using the DNSKEY algorithms DSA (3) and NSEC3DSA (6). In short, if you're not using DNSSEC to verify signatures you have nothing to worry about. While I'm here, address the issues raised in the PR by adding a knob to disable building with OpenSSL altogether (which eliminates DNSSEC capability), and fix the configure arguments to better deal with the situation where the user has ssl bits in both the base and LOCALBASE. PR: ports/126297 Submitted by: Ronald F.Guilmette <rfg@tristatelogic.com>
-rw-r--r--dns/bind9/Makefile19
-rw-r--r--dns/bind9/distinfo12
-rw-r--r--dns/bind94/Makefile19
-rw-r--r--dns/bind94/distinfo12
-rw-r--r--dns/bind95/Makefile20
-rw-r--r--dns/bind95/distinfo12
-rw-r--r--dns/bind96/Makefile19
-rw-r--r--dns/bind96/distinfo12
8 files changed, 69 insertions, 56 deletions
diff --git a/dns/bind9/Makefile b/dns/bind9/Makefile
index 2b122e063e28..58f67dc29c60 100644
--- a/dns/bind9/Makefile
+++ b/dns/bind9/Makefile
@@ -12,7 +12,7 @@
# release you can generally build it cleanly from the source - Doug
PORTNAME= bind9
-PORTVERSION= 9.3.6
+PORTVERSION= 9.3.6.1
CATEGORIES= dns net ipv6
MASTER_SITES= ${MASTER_SITE_ISC} \
http://dougbarton.us/Downloads/%SUBDIR%/
@@ -25,25 +25,28 @@ MAINTAINER= DougB@FreeBSD.org
COMMENT= Completely new version of the BIND DNS suite with updated DNSSEC
# ISC releases things like 9.3.0rc1, which our versioning doesn't like
-ISCVERSION= 9.3.6
+ISCVERSION= 9.3.6-P1
GNU_CONFIGURE= yes
CONFIGURE_ARGS= --localstatedir=/var --disable-linux-caps \
--with-randomdev=/dev/random
-USE_OPENSSL= yes
-
CONFLICTS= bind9-9.[456].* bind9-sdb-* host-*
-OPTIONS= REPLACE_BASE "Replace base BIND with this version" off \
+OPTIONS= SSL "Building without OpenSSL removes DNSSEC" on \
+ REPLACE_BASE "Replace base BIND with this version" off \
THREADS "Compile with thread support (NOT RECOMMENDED!)" off
+# Just in case
+USE_OPENSSL= yes
+
.include <bsd.port.pre.mk>
-.if defined(WITH_OPENSSL_PORT)
-CONFIGURE_ARGS+= --with-openssl=${LOCALBASE}
+.if !defined(WITHOUT_SSL)
+CONFIGURE_ARGS+= --with-openssl=${OPENSSLBASE}
.else
-CONFIGURE_ARGS+= --with-openssl
+CONFIGURE_ARGS+= --disable-openssl-version-check
+CONFIGURE_ARGS+= --without-openssl
.endif
# ISC staff has informed me that for 9.3.x, threads are always a bad idea.
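Review bot: The relocated `USE_OPENSSL= yes` stays unconditional and its only explanation is `# Just in case`, so a build with the new SSL option turned off presumably still goes through the ports OpenSSL handling (and any dependency it registers) while configure is told `--without-openssl`. If the reason is that `${OPENSSLBASE}` is only defined when `USE_OPENSSL` is set before `bsd.port.pre.mk`, and the option result is only known after that include, the comment should say so, for example `# Must be set before bsd.port.pre.mk so OPENSSLBASE is defined; the SSL option is only known afterwards`. It is also worth confirming that an SSL-off package does not record an OpenSSL dependency it never links against, because that blurs which installed packages are really affected by a later OpenSSL advisory. The same lines are added in the dns/bind94, dns/bind95 and dns/bind96 Makefile hunks.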
diff --git a/dns/bind9/distinfo b/dns/bind9/distinfo
index 4baac53a7423..296e1bf11875 100644
--- a/dns/bind9/distinfo
+++ b/dns/bind9/distinfo
@@ -1,6 +1,6 @@
-MD5 (bind-9.3.6.tar.gz) = 58ea86efa5d20ffc282ef2e1690dc484
-SHA256 (bind-9.3.6.tar.gz) = 275f4d19b8af8bbc93eda9d8532c21d32cd30195db82f15f10916c02416f9f03
-SIZE (bind-9.3.6.tar.gz) = 5717096
-MD5 (bind-9.3.6.tar.gz.asc) = 58a2244cf46d3b1b9caeef6e7c59883c
-SHA256 (bind-9.3.6.tar.gz.asc) = 87d0ea9bf6fa4576fbba198805a4d323c255ceddfed059898293ebec98be19de
-SIZE (bind-9.3.6.tar.gz.asc) = 479
+MD5 (bind-9.3.6-P1.tar.gz) = 8ad020e0857ddef49de39c54b456eac9
+SHA256 (bind-9.3.6-P1.tar.gz) = 7c38fee2e9729360be7bc35f07713ab96152350ab2eb4f3c5b249948e366c8f8
+SIZE (bind-9.3.6-P1.tar.gz) = 5717426
+MD5 (bind-9.3.6-P1.tar.gz.asc) = e5de7bbe55e4f63c86c6f4f3fd0c8b44
+SHA256 (bind-9.3.6-P1.tar.gz.asc) = f1cf957430fe18c810d1916ddb8069a2e7881346cdecca161918aaa7f1b678c0
+SIZE (bind-9.3.6-P1.tar.gz.asc) = 479
diff --git a/dns/bind94/Makefile b/dns/bind94/Makefile
index 5fdff93b0c92..9d582e20737e 100644
--- a/dns/bind94/Makefile
+++ b/dns/bind94/Makefile
@@ -12,7 +12,7 @@
# release you can generally build it cleanly from the source - Doug
PORTNAME= bind94
-PORTVERSION= 9.4.3
+PORTVERSION= 9.4.3.1
CATEGORIES= dns net ipv6
MASTER_SITES= ${MASTER_SITE_ISC} \
http://dougbarton.us/Downloads/%SUBDIR%/
@@ -25,21 +25,23 @@ MAINTAINER= dougb@FreeBSD.org
COMMENT= The BIND DNS suite with updated DNSSEC and threads
# ISC releases things like 9.4.0b3, which our versioning doesn't like
-ISCVERSION= 9.4.3
+ISCVERSION= 9.4.3-P1
GNU_CONFIGURE= yes
CONFIGURE_ARGS= --localstatedir=/var --disable-linux-caps \
--with-randomdev=/dev/random
-USE_OPENSSL= yes
-
CONFLICTS= bind9-9.[356].* bind9-sdb-* host-*
-OPTIONS= REPLACE_BASE "Replace base BIND with this version" off \
+OPTIONS= SSL "Building without OpenSSL removes DNSSEC" on \
+ REPLACE_BASE "Replace base BIND with this version" off \
LARGE_FILE "64-bit file support" off \
SIGCHASE "dig/host/nslookup will do DNSSEC validation" off \
IPV6 "IPv6 Support (autodetected by default)" off
+# Just in case
+USE_OPENSSL= yes
+
.include <bsd.port.pre.mk>
# We are ok by default from 7.0-RELEASE on
@@ -49,10 +51,11 @@ OPTIONS+= THREADS "Compile with thread support" on
OPTIONS+= THREADS "Compile w/threads (Not Recommended <FreeBSD-7)" off
.endif
-.if defined(WITH_OPENSSL_PORT)
-CONFIGURE_ARGS+= --with-openssl=${LOCALBASE}
+.if !defined(WITHOUT_SSL)
+CONFIGURE_ARGS+= --with-openssl=${OPENSSLBASE}
.else
-CONFIGURE_ARGS+= --with-openssl
+CONFIGURE_ARGS+= --disable-openssl-version-check
+CONFIGURE_ARGS+= --without-openssl
.endif
.if defined(WITH_LARGE_FILE)
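Review bot: In the `.else` branch `--disable-openssl-version-check` is passed together with `--without-openssl`, which looks redundant, since with OpenSSL disabled there should be no library version left for configure to check. As far as I know that switch suppresses configure's rejection of OpenSSL releases it treats as unsafe, so leaving it here uncommented makes it easy to copy into the `--with-openssl=${OPENSSLBASE}` branch later, where it would matter. Either drop the line or document why it is required, e.g. `# configure still runs the OpenSSL version probe with --without-openssl`, if that is in fact the case. The same pair of lines is added in the dns/bind9, dns/bind95 and dns/bind96 Makefiles.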
diff --git a/dns/bind94/distinfo b/dns/bind94/distinfo
index da53bce81fba..ba127ded9e78 100644
--- a/dns/bind94/distinfo
+++ b/dns/bind94/distinfo
@@ -1,6 +1,6 @@
-MD5 (bind-9.4.3.tar.gz) = 7a4690d2a1c4437578a2251b0c92f847
-SHA256 (bind-9.4.3.tar.gz) = f1b991947fe673310fa4c61b42723f4efb48ea5c24fb5b802bd66786ea660be6
-SIZE (bind-9.4.3.tar.gz) = 6543773
-MD5 (bind-9.4.3.tar.gz.asc) = 13d4f5ec191aebd75506486e30e0023c
-SHA256 (bind-9.4.3.tar.gz.asc) = df54939a87d84ccd5af9dfb60ec8ef1b84653a5c516b0c6826d381ec171f3f53
-SIZE (bind-9.4.3.tar.gz.asc) = 479
+MD5 (bind-9.4.3-P1.tar.gz) = 3cb525ad4f22315e23f08c8ce1e1d3d3
+SHA256 (bind-9.4.3-P1.tar.gz) = 6f4323db5b55105a83a71517f42c0e6f1defdeefa7156b5ebe035480e2755c8a
+SIZE (bind-9.4.3-P1.tar.gz) = 6544583
+MD5 (bind-9.4.3-P1.tar.gz.asc) = b0f6c208697755993966c9dca4c0e069
+SHA256 (bind-9.4.3-P1.tar.gz.asc) = e346a9169b9d30d47a709bb9c654d579c86b698531260bd81e526ff40d74cd5c
+SIZE (bind-9.4.3-P1.tar.gz.asc) = 479
diff --git a/dns/bind95/Makefile b/dns/bind95/Makefile
index 55b9de0552de..7c06720d297a 100644
--- a/dns/bind95/Makefile
+++ b/dns/bind95/Makefile
@@ -12,7 +12,7 @@
# release you can generally build it cleanly from the source - Doug
PORTNAME= bind95
-PORTVERSION= 9.5.1
+PORTVERSION= 9.5.1.1
CATEGORIES= dns net ipv6
MASTER_SITES= ${MASTER_SITE_ISC} \
http://dougbarton.us/Downloads/%SUBDIR%/
@@ -25,23 +25,25 @@ MAINTAINER= dougb@FreeBSD.org
COMMENT= The BIND DNS suite with updated DNSSEC and threads
# ISC releases things like 9.4.0b3, which our versioning doesn't like
-ISCVERSION= 9.5.1
+ISCVERSION= 9.5.1-P1
GNU_CONFIGURE= yes
CONFIGURE_ARGS= --localstatedir=/var --disable-linux-caps \
--with-randomdev=/dev/random
-USE_OPENSSL= yes
-
CONFLICTS= bind9-9.[346].* bind9-sdb-* host-*
-OPTIONS= XML "Support for xml statistics output" on \
+OPTIONS= SSL "Building without OpenSSL removes DNSSEC" on \
+ XML "Support for xml statistics output" on \
IDN "Add IDN support to dig, host, etc." off \
REPLACE_BASE "Replace base BIND with this version" off \
LARGE_FILE "64-bit file support" off \
SIGCHASE "dig/host/nslookup will do DNSSEC validation" off \
IPV6 "IPv6 Support (autodetected by default)" off
+# Just in case
+USE_OPENSSL= yes
+
.include <bsd.port.pre.mk>
.if (${ARCH} == "amd64")
@@ -55,10 +57,12 @@ OPTIONS+= THREADS "Compile with thread support" on
OPTIONS+= THREADS "Compile w/threads (Not Recommended <FreeBSD-7)" off
.endif
-.if defined(WITH_OPENSSL_PORT)
-CONFIGURE_ARGS+= --with-openssl=${LOCALBASE}
+
+.if !defined(WITHOUT_SSL)
+CONFIGURE_ARGS+= --with-openssl=${OPENSSLBASE}
.else
-CONFIGURE_ARGS+= --with-openssl
+CONFIGURE_ARGS+= --disable-openssl-version-check
+CONFIGURE_ARGS+= --without-openssl
.endif
.if !defined(WITHOUT_XML)
diff --git a/dns/bind95/distinfo b/dns/bind95/distinfo
index f28094772877..0f803961ce6e 100644
--- a/dns/bind95/distinfo
+++ b/dns/bind95/distinfo
@@ -1,6 +1,6 @@
-MD5 (bind-9.5.1.tar.gz) = 66e577d9729206cd7377d4f9cf6b565c
-SHA256 (bind-9.5.1.tar.gz) = 320441f4297e4c5cea0c6026afb98d5d9a3c2ccfe05e46d68279218f73867d9a
-SIZE (bind-9.5.1.tar.gz) = 6690642
-MD5 (bind-9.5.1.tar.gz.asc) = 64a53b60ad36a3e60d266346b6d576b7
-SHA256 (bind-9.5.1.tar.gz.asc) = 81d95e6070825e40f430df4b1806c07679e8f35f7214e2156b1c34c74fb97b50
-SIZE (bind-9.5.1.tar.gz.asc) = 479
+MD5 (bind-9.5.1-P1.tar.gz) = 8afc7f95f4fad1eaaba09596617b8089
+SHA256 (bind-9.5.1-P1.tar.gz) = 31766a691e915a7553ece175970ca1cc000159025ffb1e903e1b99c22de9a4c7
+SIZE (bind-9.5.1-P1.tar.gz) = 6690710
+MD5 (bind-9.5.1-P1.tar.gz.asc) = ba0f5b279f2c4be6ada7ece0bc9683dc
+SHA256 (bind-9.5.1-P1.tar.gz.asc) = 85f13223575b8246666d6a225612f1e41f478e0e13c373c2ad36765118a898e1
+SIZE (bind-9.5.1-P1.tar.gz.asc) = 479
diff --git a/dns/bind96/Makefile b/dns/bind96/Makefile
index 7d225392b218..a3411a65fe07 100644
--- a/dns/bind96/Makefile
+++ b/dns/bind96/Makefile
@@ -12,7 +12,7 @@
# release you can generally build it cleanly from the source - Doug
PORTNAME= bind96
-PORTVERSION= 9.6.0
+PORTVERSION= 9.6.0.1
CATEGORIES= dns net ipv6
MASTER_SITES= ${MASTER_SITE_ISC} \
http://dougbarton.us/Downloads/%SUBDIR%/
@@ -25,23 +25,25 @@ MAINTAINER= dougb@FreeBSD.org
COMMENT= The BIND DNS suite with updated DNSSEC and threads
# ISC releases things like 9.4.0b3, which our versioning doesn't like
-ISCVERSION= 9.6.0
+ISCVERSION= 9.6.0-P1
GNU_CONFIGURE= yes
CONFIGURE_ARGS= --localstatedir=/var --disable-linux-caps \
--with-randomdev=/dev/random
-USE_OPENSSL= yes
-
CONFLICTS= bind9-9.[345].* bind9-sdb-* host-*
-OPTIONS= XML "Support for xml statistics output" on \
+OPTIONS= SSL "Building without OpenSSL removes DNSSEC" on \
+ XML "Support for xml statistics output" on \
IDN "Add IDN support to dig, host, etc." off \
REPLACE_BASE "Replace base BIND with this version" off \
LARGE_FILE "64-bit file support" off \
SIGCHASE "dig/host/nslookup will do DNSSEC validation" off \
IPV6 "IPv6 Support (autodetected by default)" off
+# Just in case
+USE_OPENSSL= yes
+
.include <bsd.port.pre.mk>
.if (${ARCH} == "amd64")
@@ -55,10 +57,11 @@ OPTIONS+= THREADS "Compile with thread support" on
OPTIONS+= THREADS "Compile w/threads (Not Recommended <FreeBSD-7)" off
.endif
-.if defined(WITH_OPENSSL_PORT)
-CONFIGURE_ARGS+= --with-openssl=${LOCALBASE}
+.if !defined(WITHOUT_SSL)
+CONFIGURE_ARGS+= --with-openssl=${OPENSSLBASE}
.else
-CONFIGURE_ARGS+= --with-openssl
+CONFIGURE_ARGS+= --disable-openssl-version-check
+CONFIGURE_ARGS+= --without-openssl
.endif
.if !defined(WITHOUT_XML)
diff --git a/dns/bind96/distinfo b/dns/bind96/distinfo
index bad825742ce7..01c66ef4e1a8 100644
--- a/dns/bind96/distinfo
+++ b/dns/bind96/distinfo
@@ -1,6 +1,6 @@
-MD5 (bind-9.6.0.tar.gz) = 287231d759ad83ed51f60f8a9f8176b9
-SHA256 (bind-9.6.0.tar.gz) = 2b13953224a066aa41797bbaace921f622f627184dca0360d662f9418a1acebb
-SIZE (bind-9.6.0.tar.gz) = 6525672
-MD5 (bind-9.6.0.tar.gz.asc) = c4b5eb7959d3d9a50084d47093a41334
-SHA256 (bind-9.6.0.tar.gz.asc) = 451e3dd1ef45b2a5e9c314ea1954facc2209ce110267ad3a11b2c10d0538f1e8
-SIZE (bind-9.6.0.tar.gz.asc) = 479
+MD5 (bind-9.6.0-P1.tar.gz) = 886b7eae55cfdc8cd8d2ca74a2f99c6e
+SHA256 (bind-9.6.0-P1.tar.gz) = 4ccbd33a5b5c974c2778d5e61eeb4841c04a40904db43ee1ad190c3ed82978a9
+SIZE (bind-9.6.0-P1.tar.gz) = 6526739
+MD5 (bind-9.6.0-P1.tar.gz.asc) = 45bdf652391fc47ae55903d208fa0616
+SHA256 (bind-9.6.0-P1.tar.gz.asc) = 560a34288a8946fec7ad2ebf06d7a98964b08772e8bda7a94a99783c79ec04c5
+SIZE (bind-9.6.0-P1.tar.gz.asc) = 479