| author | nia <nia@pkgsrc.org> | 2021-04-10 08:16:09 +0000 |
|---|---|---|
| committer | nia <nia@pkgsrc.org> | 2021-04-10 08:16:09 +0000 |
| commit | 0d54a976a706c20849e990c92765d3e338c73216 (patch) | |
| tree | 78415f9b7aebaa08396e1c54fbe1c45e8f9fba20 /security/validns | |
| parent | 205cab40f63aabeb76a50ff5cd4325f83ff605bf (diff) | |
| download | pkgsrc-0d54a976a706c20849e990c92765d3e338c73216.tar.gz | |
validns: fix building with openssl 1.1
Diffstat (limited to 'security/validns')
| -rw-r--r-- | security/validns/Makefile | 4 | ||||
| -rw-r--r-- | security/validns/distinfo | 7 | ||||
| -rw-r--r-- | security/validns/patches/patch-Makefile | 10 | ||||
| -rw-r--r-- | security/validns/patches/patch-dnskey.c | 26 | ||||
| -rw-r--r-- | security/validns/patches/patch-nsec3checks.c | 56 | ||||
| -rw-r--r-- | security/validns/patches/patch-rrsig.c | 89 |
6 files changed, 183 insertions, 9 deletions
diff --git a/security/validns/Makefile b/security/validns/Makefile index 3cfc112990d..29117f0aefa 100644 --- a/security/validns/Makefile +++ b/security/validns/Makefile @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.18 2020/04/24 11:41:38 nia Exp $ +# $NetBSD: Makefile,v 1.19 2021/04/10 08:16:09 nia Exp $ # DISTNAME= validns-0.8 @@ -11,8 +11,6 @@ HOMEPAGE= http://www.validns.net/ COMMENT= Validns, a high performance DNS/DNSSEC zone validator LICENSE= 2-clause-bsd -BROKEN= "Fails to build with OpenSSL 1.1" - # Depends on perl for make tests #BUILD_DEPENDS+= p5-Test-Command-Simple-[0-9]*:../../devel/p5-Test-Command-Simple diff --git a/security/validns/distinfo b/security/validns/distinfo index 8568778ff07..161ec466dfa 100644 --- a/security/validns/distinfo +++ b/security/validns/distinfo @@ -1,8 +1,11 @@ -$NetBSD: distinfo,v 1.8 2017/03/23 17:06:59 joerg Exp $ +$NetBSD: distinfo,v 1.9 2021/04/10 08:16:09 nia Exp $ SHA1 (validns-0.8.tar.gz) = 1d9a233a1111a983d44ff6ccfb93d9308f12e90c RMD160 (validns-0.8.tar.gz) = 74204348e4478379f14eda129a8f045981e03829 SHA512 (validns-0.8.tar.gz) = 2443bb8a7373f27d41ab3be1a92b61696d05b74afa42c19db54f6e999e4a634499faa44a5feefd3bc515bc677a8ef0a076092cf13316eff6d1cc504ff9702038 Size (validns-0.8.tar.gz) = 190325 bytes -SHA1 (patch-Makefile) = 638dc179f7f272873fabc7d7b46e2beb140e43bc +SHA1 (patch-Makefile) = 7a83efee8f0771750aa2aac8f90bfafc8405cd2d SHA1 (patch-carp.c) = bbb750d013b751ca7994e32244c8865f8687ff1b +SHA1 (patch-dnskey.c) = 7fa29ab6d53342b4686ac9906ec0c2b452620577 +SHA1 (patch-nsec3checks.c) = 39269b8d86bca7ff7ed04e380fa1516f9937dbda +SHA1 (patch-rrsig.c) = a4e4be3b08d1aa4040b2f76cc6746d3cb878e1f8 diff --git a/security/validns/patches/patch-Makefile b/security/validns/patches/patch-Makefile index 1f347bdd3f4..bdc0f15e7cd 100644 --- a/security/validns/patches/patch-Makefile +++ b/security/validns/patches/patch-Makefile 
@@ -1,15 +1,17 @@ -$NetBSD: patch-Makefile,v 1.6 2014/02/17 08:18:08 pettai Exp $ +$NetBSD: patch-Makefile,v 1.7 2021/04/10 08:16:09 nia Exp $ -Add (PKG_)PREFIX support +- Honor CFLAGS. +- Add (PKG_)PREFIX support. --- Makefile.orig 2014-02-11 20:08:39.000000000 +0000 +++ Makefile @@ -1,7 +1,7 @@ # The following options seem to work fine on Linux, FreeBSD, and Darwin - OPTIMIZE=-O2 -g +-OPTIMIZE=-O2 -g -CFLAGS=-Wall -Werror -pthread -fno-strict-aliasing -INCPATH=-I/usr/local/include -I/opt/local/include -I/usr/local/ssl/include -+CFLAGS=-Wall -pthread -fno-strict-aliasing ++OPTIMIZE= ++CFLAGS+=-Wall -pthread -fno-strict-aliasing +INCPATH=-I/usr/include -I${PREFIX}/include CC?=cc diff --git a/security/validns/patches/patch-dnskey.c b/security/validns/patches/patch-dnskey.c new file mode 100644 index 00000000000..9e657a3abf4 --- /dev/null +++ b/security/validns/patches/patch-dnskey.c @@ -0,0 +1,26 @@ +$NetBSD: patch-dnskey.c,v 1.1 2021/04/10 08:16:09 nia Exp $ + +Fix building with OpenSSL 1.1. From FreeBSD Ports. + +--- dnskey.c.orig 2014-02-11 20:45:11.000000000 +0000 ++++ dnskey.c +@@ -165,11 +165,17 @@ int dnskey_build_pkey(struct rr_dnskey * + if (l < e_bytes) /* public key is too short */ + goto done; + +- rsa->e = BN_bin2bn(pk, e_bytes, NULL); ++ BIGNUM *e = BN_bin2bn(pk, e_bytes, NULL); + pk += e_bytes; + l -= e_bytes; ++ BIGNUM *n = BN_bin2bn(pk, l, NULL); + +- rsa->n = BN_bin2bn(pk, l, NULL); ++#if OPENSSL_VERSION_NUMBER < 0x10100005L ++ rsa->e = e; ++ rsa->n = n; ++#else ++ RSA_set0_key(rsa, n, e, NULL); ++#endif + + pkey = EVP_PKEY_new(); + if (!pkey) diff --git a/security/validns/patches/patch-nsec3checks.c b/security/validns/patches/patch-nsec3checks.c new file mode 100644 index 00000000000..f501287c7a7 --- /dev/null +++ b/security/validns/patches/patch-nsec3checks.c 
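Review bot: In the patch-dnskey.c hunk, neither `BN_bin2bn()` result is checked and the return value of `RSA_set0_key()` is ignored, so a failed allocation or a rejected NULL component lets `dnskey_build_pkey` continue to `EVP_PKEY_new()` with an RSA object that has no modulus or exponent. The key bytes come from the zone data being validated, so the OpenSSL 1.1 branch should fail closed: `if (!e || !n || RSA_set0_key(rsa, n, e, NULL) != 1) { BN_free(e); BN_free(n); goto done; }`. The pre-1.1 branch wants the same NULL test before assigning `rsa->e` and `rsa->n`. The `done:` label and its cleanup are outside the hunk, so confirm it releases `rsa` on this path.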
@@ -0,0 +1,56 @@
+$NetBSD: patch-nsec3checks.c,v 1.1 2021/04/10 08:16:09 nia Exp $
+
+Fix building with OpenSSL 1.1. From FreeBSD Ports.
+
+--- nsec3checks.c.orig 2014-02-11 20:46:07.000000000 +0000
++++ nsec3checks.c
+@@ -28,7 +28,7 @@
+ static struct binary_data name2hash(char *name, struct rr *param)
+ {
+ struct rr_nsec3param *p = (struct rr_nsec3param *)param;
+- EVP_MD_CTX ctx;
++ EVP_MD_CTX *ctx;
+ unsigned char md0[EVP_MAX_MD_SIZE];
+ unsigned char md1[EVP_MAX_MD_SIZE];
+ unsigned char *md[2];
+@@ -45,26 +45,28 @@ static struct binary_data name2hash(char
+
+ /* XXX Maybe use Init_ex and Final_ex for speed? */
+
+- EVP_MD_CTX_init(&ctx);
+- if (EVP_DigestInit(&ctx, EVP_sha1()) != 1)
+- return r;
+- digest_size = EVP_MD_CTX_size(&ctx);
+- EVP_DigestUpdate(&ctx, wire_name.data, wire_name.length);
+- EVP_DigestUpdate(&ctx, p->salt.data, p->salt.length);
+- EVP_DigestFinal(&ctx, md[mdi], NULL);
++ ctx = EVP_MD_CTX_create();
++ if (EVP_DigestInit(ctx, EVP_sha1()) != 1)
++ goto out;
++ digest_size = EVP_MD_CTX_size(ctx);
++ EVP_DigestUpdate(ctx, wire_name.data, wire_name.length);
++ EVP_DigestUpdate(ctx, p->salt.data, p->salt.length);
++ EVP_DigestFinal(ctx, md[mdi], NULL);
+
+ for (i = 0; i < p->iterations; i++) {
+- if (EVP_DigestInit(&ctx, EVP_sha1()) != 1)
+- return r;
+- EVP_DigestUpdate(&ctx, md[mdi], digest_size);
++ if (EVP_DigestInit(ctx, EVP_sha1()) != 1)
++ goto out;
++ EVP_DigestUpdate(ctx, md[mdi], digest_size);
+ mdi = (mdi + 1) % 2;
+- EVP_DigestUpdate(&ctx, p->salt.data, p->salt.length);
+- EVP_DigestFinal(&ctx, md[mdi], NULL);
++ EVP_DigestUpdate(ctx, p->salt.data, p->salt.length);
++ EVP_DigestFinal(ctx, md[mdi], NULL);
+ }
+
+ r.length = digest_size;
+ r.data = getmem(digest_size);
+ memcpy(r.data, md[mdi], digest_size);
++ out:
++ EVP_MD_CTX_destroy(ctx);
+ return r;
+ }
+
diff --git a/security/validns/patches/patch-rrsig.c b/security/validns/patches/patch-rrsig.c
new file mode 100644
index 00000000000..7cac8cdca6c
--- /dev/null
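Review bot: `EVP_MD_CTX_create()` in `name2hash` can return NULL, and the added code passes the result straight to `EVP_DigestInit()`; add `if (ctx == NULL) return r;` directly after the allocation. The `EVP_DigestUpdate()` and `EVP_DigestFinal()` return values are still ignored, so a digest failure would produce an NSEC3 hash from whatever is in the `md` buffers instead of an error; sending those failures through `goto out` too would keep the check fail-closed. The initial value of `r` is set outside the hunk, so this assumes it already represents "no hash" on the early-exit path.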
+++ b/security/validns/patches/patch-rrsig.c 
@@ -0,0 +1,89 @@
+$NetBSD: patch-rrsig.c,v 1.1 2021/04/10 08:16:09 nia Exp $
+
+Fix building with OpenSSL 1.1. From FreeBSD Ports.
+
+--- rrsig.c.orig 2014-02-11 20:45:39.000000000 +0000
++++ rrsig.c
+@@ -26,7 +26,7 @@
+ struct verification_data
+ {
+ struct verification_data *next;
+- EVP_MD_CTX ctx;
++ EVP_MD_CTX *ctx;
+ struct rr_dnskey *key;
+ struct rr_rrsig *rr;
+ int ok;
+@@ -180,7 +180,8 @@ void *verification_thread(void *dummy)
+ if (d) {
+ int r;
+ d->next = NULL;
+- r = EVP_VerifyFinal(&d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
++ r = EVP_VerifyFinal(d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
++ EVP_MD_CTX_destroy(d->ctx);
+ if (r == 1) {
+ d->ok = 1;
+ } else {
+@@ -232,7 +233,8 @@ static void schedule_verification(struct
+ } else {
+ int r;
+ G.stats.signatures_verified++;
+- r = EVP_VerifyFinal(&d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
++ r = EVP_VerifyFinal(d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
++ EVP_MD_CTX_destroy(d->ctx);
+ if (r == 1) {
+ d->ok = 1;
+ } else {
+@@ -250,21 +252,21 @@ static int verify_signature(struct verif
+ struct rr *signed_rr;
+ int i;
+
+- EVP_MD_CTX_init(&d->ctx);
++ d->ctx = EVP_MD_CTX_create();
+ switch (d->rr->algorithm) {
+ case ALG_DSA:
+ case ALG_RSASHA1:
+ case ALG_DSA_NSEC3_SHA1:
+ case ALG_RSASHA1_NSEC3_SHA1:
+- if (EVP_VerifyInit(&d->ctx, EVP_sha1()) != 1)
++ if (EVP_VerifyInit(d->ctx, EVP_sha1()) != 1)
+ return 0;
+ break;
+ case ALG_RSASHA256:
+- if (EVP_VerifyInit(&d->ctx, EVP_sha256()) != 1)
++ if (EVP_VerifyInit(d->ctx, EVP_sha256()) != 1)
+ return 0;
+ break;
+ case ALG_RSASHA512:
+- if (EVP_VerifyInit(&d->ctx, EVP_sha512()) != 1)
++ if (EVP_VerifyInit(d->ctx, EVP_sha512()) != 1)
+ return 0;
+ break;
+ default:
+@@ -274,7 +276,7 @@ static int verify_signature(struct verif
+ chunk = rrsig_wirerdata_ex(&d->rr->rr, 0);
+ if (chunk.length < 0)
+ return 0;
+- EVP_VerifyUpdate(&d->ctx, chunk.data, chunk.length);
++ EVP_VerifyUpdate(d->ctx, chunk.data, chunk.length);
+
+ set = getmem_temp(sizeof(*set) * signed_set->count);
+
+@@ -294,12 +296,12 @@ static int verify_signature(struct verif
+ chunk = name2wire_name(signed_set->named_rr->name);
+ if (chunk.length < 0)
+ return 0;
+- EVP_VerifyUpdate(&d->ctx, chunk.data, chunk.length);
+- b2 = htons(set[i].rr->rdtype); EVP_VerifyUpdate(&d->ctx, &b2, 2);
+- b2 = htons(1); /* class IN */ EVP_VerifyUpdate(&d->ctx, &b2, 2);
+- b4 = htonl(set[i].rr->ttl); EVP_VerifyUpdate(&d->ctx, &b4, 4);
+- b2 = htons(set[i].wired.length); EVP_VerifyUpdate(&d->ctx, &b2, 2);
+- EVP_VerifyUpdate(&d->ctx, set[i].wired.data, set[i].wired.length);
++ EVP_VerifyUpdate(d->ctx, chunk.data, chunk.length);
++ b2 = htons(set[i].rr->rdtype); EVP_VerifyUpdate(d->ctx, &b2, 2);
++ b2 = htons(1); /* class IN */ EVP_VerifyUpdate(d->ctx, &b2, 2);
++ b4 = htonl(set[i].rr->ttl); EVP_VerifyUpdate(d->ctx, &b4, 4);
++ b2 = htons(set[i].wired.length); EVP_VerifyUpdate(d->ctx, &b2, 2);
++ EVP_VerifyUpdate(d->ctx, set[i].wired.data, set[i].wired.length);
+ }
+
+ schedule_verification(d);
|
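Review bot: The early `return 0` paths in `verify_signature` (a failed `EVP_VerifyInit()` and both `chunk.length < 0` checks) leave without freeing the context that `d->ctx = EVP_MD_CTX_create();` now allocates on the heap, so each signature rejected there leaks a context. The only `EVP_MD_CTX_destroy()` calls added are those after `EVP_VerifyFinal()` in `verification_thread` and `schedule_verification`. Each of those returns should first run `EVP_MD_CTX_destroy(d->ctx); d->ctx = NULL;`, and the allocation itself needs `if (d->ctx == NULL) return 0;` before the `switch`. Clearing `d->ctx` after the two destroy calls would also stop any later use of `d` from touching freed memory. The `default:` arm and the end of the function are outside the hunks, so check them for the same leak.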
