authormat <mat@FreeBSD.org>2015-05-18 19:41:41 +0800
committermat <mat@FreeBSD.org>2015-05-18 19:41:41 +0800
commit2bff78fbd21efe1b753829ec2b22da6c698616e9 (patch)
treee9bdd9b4fdbc113a42c67427201bb07d4c07fab3 /dns/bind910
parent204dcc45b60c625ca4096f45cdcb07d052b6fa03 (diff)
Allow BIND 9.10 users to select the old key format when using GOST.[1]
While there, reword the options a bit, and the pkg-help files. PR: 200031 [1] Submitted by: Leo Vandewoestijne [1] Sponsored by: Absolight
Diffstat (limited to 'dns/bind910')
-rw-r--r--dns/bind910/Makefile29
-rw-r--r--dns/bind910/pkg-help25
2 files changed, 32 insertions, 22 deletions
diff --git a/dns/bind910/Makefile b/dns/bind910/Makefile
index f2c3d9f46ef3..0aade19dc289 100644
--- a/dns/bind910/Makefile
+++ b/dns/bind910/Makefile
@@ -1,4 +1,5 @@
# $FreeBSD$
+# pkg-help formatted with fmt 59 63
PORTNAME= bind
PORTVERSION= ${ISCVERSION:S/-P/P/}
@@ -7,7 +8,7 @@ PORTVERSION= ${ISCVERSION:S/-P/P/}
PORTREVISION= 0
.else
# dns/bind910 here
-PORTREVISION= 3
+PORTREVISION= 4
.endif
CATEGORIES= dns net ipv6
MASTER_SITES= ISC/bind9/${ISCVERSION}
@@ -49,10 +50,11 @@ SUB_FILES= pkg-message
.endif
OPTIONS_DEFAULT= IPV6 SSL THREADS SIGCHASE IDN GSSAPI_NONE
-OPTIONS_DEFINE= IDN LARGE_FILE GOST PYTHON \
+OPTIONS_DEFINE= IDN LARGE_FILE PYTHON \
FIXED_RRSET SIGCHASE IPV6 THREADS FILTER_AAAA
-OPTIONS_RADIO= CRYPTO
+OPTIONS_RADIO= CRYPTO GOSTDEF
OPTIONS_RADIO_CRYPTO= SSL NATIVE_PKCS11
+OPTIONS_RADIO_GOSTDEF= GOST GOST_ASN1
.if !defined(BIND_TOOLS_SLAVE)
OPTIONS_DEFAULT+= RRL
@@ -74,7 +76,9 @@ FILTER_AAAA_DESC= Enable filtering of AAAA records
CRYPTO_DESC= Choose which crypto engine to use
NATIVE_PKCS11_DESC= Use PKCS\#11 native API (**READ HELP**)
GEOIP_DESC= Allow geographically based ACL.
-GOST_DESC= Enable GOST ciphers, needs SSL (see help)
+GOSTDEF_DESC= Enable GOST ciphers, needs SSL (see help on 8 and 9)
+GOST_DESC= GOST raw keys (new default)
+GOST_ASN1_DESC= GOST using ASN.1
PYTHON_DESC= Build with Python utilities
LINKS_DESC= Create conf file symlinks in ${PREFIX}
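Review bot: `GOSTDEF_DESC` ends with "(see help on 8 and 9)", which does not tell the reader that 8 and 9 are FreeBSD releases; that is only explained in pkg-help, where the chroot engine requirement is scoped to FreeBSD 8.x and 9.x. Someone picking options in the dialog may skip a hint they cannot parse and end up with a chrooted named that cannot reach the OpenSSL engines. Suggest `GOSTDEF_DESC= Enable GOST ciphers, needs SSL (see help for FreeBSD 8.x/9.x)`. The "(new default)" in `GOST_DESC` presumably refers to the key format rather than the option being enabled by default (it is not in the visible `OPTIONS_DEFAULT`), so wording such as `GOST_DESC= GOST using raw keys (default key format)` would avoid that misreading.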
@@ -89,10 +93,10 @@ DLZ_BDB_DESC= DLZ BDB driver
DLZ_LDAP_DESC= DLZ LDAP driver
DLZ_FILESYSTEM_DESC= DLZ filesystem driver
DLZ_STUB_DESC= DLZ stub driver
-GSSAPI_BASE_DESC= ${GSSAPI_DESC} (Heimdal in base)
-GSSAPI_HEIMDAL_DESC= ${GSSAPI_DESC} (security/heimdal)
-GSSAPI_MIT_DESC= ${GSSAPI_DESC} (security/krb5)
-GSSAPI_NONE_DESC= No ${GSSAPI_DESC}
+GSSAPI_BASE_DESC= Using Heimdal in base
+GSSAPI_HEIMDAL_DESC= Using security/heimdal
+GSSAPI_MIT_DESC= Using security/krb5
+GSSAPI_NONE_DESC= Disable
.if !defined(BIND_TOOLS_SLAVE)
CONFLICTS+= bind-tools-9.*
@@ -122,7 +126,8 @@ NATIVE_PKCS11_CONFIGURE_ENABLE= native-pkcs11
GEOIP_CONFIGURE_WITH= geoip
GEOIP_LIB_DEPENDS= libGeoIP.so:${PORTSDIR}/net/GeoIP
-GOST_CONFIGURE_WITH= gost
+GOST_CONFIGURE_ON= --with-gost
+GOST_ASN1_CONFIGURE_ON= --with-gost=asn1
PYTHON_CONFIGURE_WITH= python
PYTHON_USES= python
@@ -164,6 +169,10 @@ GSSAPI_NONE_CONFIGURE_ON= --without-gssapi
.include <bsd.port.options.mk>
+.if !${PORT_OPTIONS:MGOST} && !${PORT_OPTIONS:MGOST_ASN1}
+CONFIGURE_ARGS+== --without-gost
+.endif
+
.if !${PORT_OPTIONS:MLINKS}
PKGINSTALL=${NONEXISTENT}
.endif
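Review bot: The added line `CONFIGURE_ARGS+== --without-gost` has a doubled `=`: make takes `+=` as the operator and appends the value `= --without-gost`, so configure would receive a stray `=` word ahead of the flag whenever neither GOST nor GOST_ASN1 is selected. That branch is the one meant to build BIND with GOST explicitly disabled, so the typo likely either trips configure's argument parsing or leaves the opt-out not applied as intended. It should read `CONFIGURE_ARGS+= --without-gost`. It is worth confirming in the configure log of a build with both options off that `--without-gost` arrives as a single, separate argument.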
@@ -182,7 +191,7 @@ SUB_LIST+= NOBASE="" BASE="@comment "
USE_RC_SUBR+= named
SUB_FILES+= named.conf
.endif # !defined(BIND_TOOLS_SLAVE)
-.if ${PORT_OPTIONS:MGOST}
+.if ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1}
WITH_OPENSSL_PORT=yes
.endif
.else
diff --git a/dns/bind910/pkg-help b/dns/bind910/pkg-help
index c6c4a4ac20e6..2b1f1ee0eb8d 100644
--- a/dns/bind910/pkg-help
+++ b/dns/bind910/pkg-help
@@ -1,3 +1,4 @@
+ NATIVE_PKCS11
When using the NATIVE_PKCS11 option, BIND will use the PKCS#11
engine specified by the named_pkcss11_engine variable in
/etc/rc.conf for *all* crypto operations.
@@ -5,19 +6,19 @@ engine specified by the named_pkcss11_engine variable in
This is primarily intended to be used in an authoritative
case.
-If BIND will also be operating as a validating resolver,
+If BIND is also operating as a validating resolver,
NATIVE_PKCS11 should not be used, because the HSM will be
-used for DNSSEC validations, and the HSM is likely to be
-slower than the CPU for this purpose. Additionally, the HSM
-might not support all of the PKCS#11 API functions needed
-for signature verification.
+used for all crypto, including DNSSEC validations, and the
+HSM is likely to be slower than the CPU for this purpose.
+Additionally, the HSM might not support all of the PKCS#11
+API functions needed for signature verification.
- GOST
-If using a chrooted instance of BIND, the OpenSSL engines
-need to be accessible from within the chroot. If BIND
-is chrooted in /var/named, this can be achieved by either
-copying content of /usr/local/lib/engines into
-/var/named/usr/local/lib/engines, or by creating that
-directory and adding this line to /etc/fstab:
+ GOST
+If using a chrooted instance of BIND on FreeBSD 8.x and 9.x,
+the OpenSSL engines MUST be accessible from within the chroot.
+If BIND is chrooted in /var/named, this can be achieved by
+either copying content of /usr/local/lib/engines into
+/var/named/usr/local/lib/engines, or by creating that directory
+and adding this line to /etc/fstab:
/usr/local/lib/engines /var/named/usr/local/lib/engines nullfs ro 0 0