authorhe <he@pkgsrc.org>2014-11-18 13:40:56 +0000
committerhe <he@pkgsrc.org>2014-11-18 13:40:56 +0000
commit04777b9bc59614a249195301ec4d940c925555ec (patch)
tree5c544596c93cd667972eec909ea64b60461aef07 /security
parent608bb49225a0de4cfa8c842f6d6d444e8568f7c9 (diff)
Adapt a fix for SA59651, similar to CVE-2014-3209 from the
code branch from SoftHSMv2: ensure created pkcs8 file is not group- or world-readable. Rename patch-aa to patch-Makefile.in, and add a comment. Bump PKGREVISION.
Diffstat (limited to 'security')
-rw-r--r--security/softhsm/Makefile4
-rw-r--r--security/softhsm/distinfo5
-rw-r--r--security/softhsm/patches/patch-Makefile.in (renamed from security/softhsm/patches/patch-aa)4
-rw-r--r--security/softhsm/patches/patch-src_bin_softhsm-keyconv.cpp35
4 files changed, 43 insertions, 5 deletions
diff --git a/security/softhsm/Makefile b/security/softhsm/Makefile
index f901d7fcdfe..f9f911361fd 100644
--- a/security/softhsm/Makefile
+++ b/security/softhsm/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.26 2014/10/07 16:47:14 adam Exp $
+# $NetBSD: Makefile,v 1.27 2014/11/18 13:40:56 he Exp $
#
DISTNAME= softhsm-1.3.7
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= security
MASTER_SITES= http://www.opendnssec.org/files/source/
diff --git a/security/softhsm/distinfo b/security/softhsm/distinfo
index e0f9ac4509d..a2893448348 100644
--- a/security/softhsm/distinfo
+++ b/security/softhsm/distinfo
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.12 2014/06/07 20:37:25 pettai Exp $
+$NetBSD: distinfo,v 1.13 2014/11/18 13:40:56 he Exp $
SHA1 (softhsm-1.3.7.tar.gz) = e8bf4269472f9e63d1dfeda238b1d542d6c036f2
RMD160 (softhsm-1.3.7.tar.gz) = bb11177520ca2fd62200a9b23d66c1b32eeb5104
Size (softhsm-1.3.7.tar.gz) = 438437 bytes
-SHA1 (patch-aa) = 480865e0a50759d582380573c0254bcdb517ddfe
+SHA1 (patch-Makefile.in) = ab9a9db898e4c1600bf9d5b28b27759e33c204b3
+SHA1 (patch-src_bin_softhsm-keyconv.cpp) = 07f7ebe070047cfbbee461595effe2c7de9caef6
diff --git a/security/softhsm/patches/patch-aa b/security/softhsm/patches/patch-Makefile.in
index a5b477f4bd6..9fabf1bdf9a 100644
--- a/security/softhsm/patches/patch-aa
+++ b/security/softhsm/patches/patch-Makefile.in
@@ -1,4 +1,6 @@
-$NetBSD: patch-aa,v 1.3 2012/05/23 10:05:44 pettai Exp $
+$NetBSD: patch-Makefile.in,v 1.1 2014/11/18 13:40:57 he Exp $
+
+Tweak install-data-hook target.
--- Makefile.in.orig 2012-05-09 18:41:49.000000000 +0000
+++ Makefile.in
diff --git a/security/softhsm/patches/patch-src_bin_softhsm-keyconv.cpp b/security/softhsm/patches/patch-src_bin_softhsm-keyconv.cpp
new file mode 100644
index 00000000000..372b12cab2e
--- /dev/null
+++ b/security/softhsm/patches/patch-src_bin_softhsm-keyconv.cpp
@@ -0,0 +1,35 @@
+$NetBSD: patch-src_bin_softhsm-keyconv.cpp,v 1.1 2014/11/18 13:40:57 he Exp $
+
+Adapt fix for SA59651, similar to CVE-2014-3209, from
+https://github.com/bellgrim/SoftHSMv2/commit/492447cd4a2be449e99fb9ad2519ea3277aaad28
+Ensure created pkcs8 file is not group- or world-readable.
+
+--- src/bin/softhsm-keyconv.cpp.orig 2014-05-28 05:59:14.000000000 +0000
++++ src/bin/softhsm-keyconv.cpp
+@@ -48,6 +48,10 @@
+ #include <iostream>
+ #include <fstream>
+ #include <stdint.h>
++#include <errno.h>
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <fcntl.h>
+
+ void usage() {
+ printf("Converting between BIND .private-key format and PKCS#8 key file format.\n");
+@@ -391,6 +395,15 @@ int to_pkcs8(char *in_path, char *out_pa
+ return 1;
+ }
+
++ // Create and set file permissions if the file does not exist.
++ int fd = open(out_path, O_CREAT, S_IRUSR | S_IWUSR);
++ if (fd == -1) {
++ fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
++ out_path, errno);
++ return 1;
++ }
++ ::close(fd);
++
+ // Save the the key to the disk
+ switch(algorithm) {
+ case DNS_KEYALG_ERROR:
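Review bot: The mode argument on the new `int fd = open(out_path, O_CREAT, S_IRUSR | S_IWUSR);` line only applies when the file is created, so an output file that already exists at `out_path` with group- or world-readable bits keeps them and the key is still written into it afterwards; the added comment states this limitation but the code does not handle it. Calling `fchmod(fd, S_IRUSR | S_IWUSR)` before `::close(fd)` would restrict a pre-existing file as well, and adding `O_NOFOLLOW` to the flags keeps the call from operating through a symbolic link at that path. The descriptor is closed immediately and the key is presumably written through a separate stream opened further down (not visible in the hunk), so the permission fix and the actual write are two unrelated opens of the same path; writing through `fd` itself would tie the two together. The enclosing to_pkcs8 begins and ends outside the hunk.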