- Unbreak the build against contemporary versions of OpenSSL

- Hook provided test suite to our framework, respect CFLAGS
svn path=/head/; revision=547967
2020-09-08 07:30:59 +00:00 · 2020-09-08 07:30:59 +00:00 · 53e017295e · 2021-03-31 03:12:20 +00:00
commit 53e017295e
parent 1c2c1553a1
5 changed files with 176 additions and 14 deletions
--- a/dns/validns/Makefile
+++ b/dns/validns/Makefile
@ -12,13 +12,13 @@ COMMENT=	High performance DNS/DNSSEC zone validator

 LICENSE=	BSD2CLAUSE

-BROKEN_SSL=	openssl
-
 LIB_DEPENDS=	libJudy.so:devel/judy
+TEST_DEPENDS=	p5-Test-Command-Simple>=0:devel/p5-Test-Command-Simple

 USES=		ssl

-ALL_TARGET=
+ALL_TARGET=	${PORTNAME}
+TEST_TARGET=	test

 PLIST_FILES=	bin/${PORTNAME} \
 		man/man1/${PORTNAME}.1.gz
@ -26,22 +26,12 @@ PLIST_FILES=	bin/${PORTNAME} \
 PORTDOCS=	Changes README installation.mdwn notes.mdwn \
 		technical-notes.mdwn todo.mdwn usage.mdwn

-MAKE_ARGS+=	INCPATH=-I${LOCALBASE}/include
-MAKE_ARGS+=	EXTRALPATH=-L${LOCALBASE}/lib
-
 OPTIONS_DEFINE=	DOCS

-.include <bsd.port.pre.mk>
-
-.if ${SSL_DEFAULT} == base
-BROKEN_FreeBSD_12=	field has incomplete type 'EVP_MD_CTX' (aka 'struct evp_md_ctx_st')
-BROKEN_FreeBSD_13=	field has incomplete type 'EVP_MD_CTX' (aka 'struct evp_md_ctx_st')
-.endif
-
 do-install:
 	${INSTALL_PROGRAM} ${WRKSRC}/${PORTNAME} ${STAGEDIR}${PREFIX}/bin
 	${INSTALL_DATA} ${WRKSRC}/*.1 ${STAGEDIR}${MAN1PREFIX}/man/man1/
 	@${MKDIR} ${STAGEDIR}${DOCSDIR}
 	@${INSTALL_DATA} ${PORTDOCS:S,^,${WRKSRC}/,} ${STAGEDIR}${DOCSDIR}/

-.include <bsd.port.post.mk>
+.include <bsd.port.mk>
--- a/dns/validns/files/patch-Makefile
+++ b/dns/validns/files/patch-Makefile
@ -0,0 +1,13 @@
+--- Makefile.orig	2014-02-11 20:08:39 UTC
+++ Makefile
+@@ -1,7 +1,7 @@
+ # The following options seem to work fine on Linux, FreeBSD, and Darwin
+-OPTIMIZE=-O2 -g
+-CFLAGS=-Wall -Werror -pthread -fno-strict-aliasing
+-INCPATH=-I/usr/local/include -I/opt/local/include -I/usr/local/ssl/include
+#OPTIMIZE=-O2 -g
+CFLAGS+=-Wall -Wno-unused-function -Werror -pthread
+INCPATH=-I$(LOCALBASE)/include -I$(OPENSSLINC)
+ CC?=cc
+ 
+ # These additional options work on Solaris/gcc to which I have an access
--- a/dns/validns/files/patch-dnskey.c
+++ b/dns/validns/files/patch-dnskey.c
@ -0,0 +1,22 @@
+--- dnskey.c.orig	2014-02-11 20:45:11 UTC
+++ dnskey.c
+@@ -165,11 +165,17 @@ int dnskey_build_pkey(struct rr_dnskey *rr)
+ 		if (l < e_bytes) /* public key is too short */
+ 			goto done;
+ 
+-		rsa->e = BN_bin2bn(pk, e_bytes, NULL);
+		BIGNUM *e = BN_bin2bn(pk, e_bytes, NULL);
+ 		pk += e_bytes;
+ 		l -= e_bytes;
+		BIGNUM *n = BN_bin2bn(pk, l, NULL);
+ 
+-		rsa->n = BN_bin2bn(pk, l, NULL);
+#if OPENSSL_VERSION_NUMBER < 0x10100005L
+		rsa->e = e;
+		rsa->n = n;
+#else
+		RSA_set0_key(rsa, n, e, NULL);
+#endif
+ 
+ 		pkey = EVP_PKEY_new();
+ 		if (!pkey)
--- a/dns/validns/files/patch-nsec3checks.c
+++ b/dns/validns/files/patch-nsec3checks.c
@ -0,0 +1,52 @@
+--- nsec3checks.c.orig	2014-02-11 20:46:07 UTC
+++ nsec3checks.c
+@@ -28,7 +28,7 @@
+ static struct binary_data name2hash(char *name, struct rr *param)
+ {
+     struct rr_nsec3param *p = (struct rr_nsec3param *)param;
+-	EVP_MD_CTX ctx;
+	EVP_MD_CTX *ctx;
+ 	unsigned char md0[EVP_MAX_MD_SIZE];
+ 	unsigned char md1[EVP_MAX_MD_SIZE];
+ 	unsigned char *md[2];
+@@ -45,26 +45,28 @@ static struct binary_data name2hash(char *name, struct
+ 
+ 	/* XXX Maybe use Init_ex and Final_ex for speed? */
+ 
+-	EVP_MD_CTX_init(&ctx);
+-	if (EVP_DigestInit(&ctx, EVP_sha1()) != 1)
+-		return r;
+-	digest_size = EVP_MD_CTX_size(&ctx);
+-	EVP_DigestUpdate(&ctx, wire_name.data, wire_name.length);
+-	EVP_DigestUpdate(&ctx, p->salt.data, p->salt.length);
+-	EVP_DigestFinal(&ctx, md[mdi], NULL);
+	ctx = EVP_MD_CTX_create();
+	if (EVP_DigestInit(ctx, EVP_sha1()) != 1)
+		goto out;
+	digest_size = EVP_MD_CTX_size(ctx);
+	EVP_DigestUpdate(ctx, wire_name.data, wire_name.length);
+	EVP_DigestUpdate(ctx, p->salt.data, p->salt.length);
+	EVP_DigestFinal(ctx, md[mdi], NULL);
+ 
+ 	for (i = 0; i < p->iterations; i++) {
+-		if (EVP_DigestInit(&ctx, EVP_sha1()) != 1)
+-			return r;
+-		EVP_DigestUpdate(&ctx, md[mdi], digest_size);
+		if (EVP_DigestInit(ctx, EVP_sha1()) != 1)
+			goto out;
+		EVP_DigestUpdate(ctx, md[mdi], digest_size);
+ 		mdi = (mdi + 1) % 2;
+-		EVP_DigestUpdate(&ctx, p->salt.data, p->salt.length);
+-		EVP_DigestFinal(&ctx, md[mdi], NULL);
+		EVP_DigestUpdate(ctx, p->salt.data, p->salt.length);
+		EVP_DigestFinal(ctx, md[mdi], NULL);
+ 	}
+ 
+ 	r.length = digest_size;
+ 	r.data = getmem(digest_size);
+ 	memcpy(r.data, md[mdi], digest_size);
+ out:
+	EVP_MD_CTX_destroy(ctx);
+ 	return r;
+ }
+ 
--- a/dns/validns/files/patch-rrsig.c
+++ b/dns/validns/files/patch-rrsig.c
@ -0,0 +1,85 @@
+--- rrsig.c.orig	2014-02-11 20:45:39 UTC
+++ rrsig.c
+@@ -26,7 +26,7 @@
+ struct verification_data
+ {
+ 	struct verification_data *next;
+-	EVP_MD_CTX ctx;
+	EVP_MD_CTX *ctx;
+ 	struct rr_dnskey *key;
+ 	struct rr_rrsig *rr;
+ 	int ok;
+@@ -180,7 +180,8 @@ void *verification_thread(void *dummy)
+ 		if (d) {
+ 			int r;
+ 			d->next = NULL;
+-			r = EVP_VerifyFinal(&d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
+			r = EVP_VerifyFinal(d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
+			EVP_MD_CTX_destroy(d->ctx);
+ 			if (r == 1) {
+ 				d->ok = 1;
+ 			} else {
+@@ -232,7 +233,8 @@ static void schedule_verification(struct verification_
+ 	} else {
+ 		int r;
+ 		G.stats.signatures_verified++;
+-		r = EVP_VerifyFinal(&d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
+		r = EVP_VerifyFinal(d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
+		EVP_MD_CTX_destroy(d->ctx);
+ 		if (r == 1) {
+ 			d->ok = 1;
+ 		} else {
+@@ -250,21 +252,21 @@ static int verify_signature(struct verification_data *
+ 	struct rr *signed_rr;
+ 	int i;
+ 
+-	EVP_MD_CTX_init(&d->ctx);
+	d->ctx = EVP_MD_CTX_create();
+ 	switch (d->rr->algorithm) {
+ 	case ALG_DSA:
+ 	case ALG_RSASHA1:
+ 	case ALG_DSA_NSEC3_SHA1:
+ 	case ALG_RSASHA1_NSEC3_SHA1:
+-		if (EVP_VerifyInit(&d->ctx, EVP_sha1()) != 1)
+		if (EVP_VerifyInit(d->ctx, EVP_sha1()) != 1)
+ 			return 0;
+ 		break;
+ 	case ALG_RSASHA256:
+-		if (EVP_VerifyInit(&d->ctx, EVP_sha256()) != 1)
+		if (EVP_VerifyInit(d->ctx, EVP_sha256()) != 1)
+ 			return 0;
+ 		break;
+ 	case ALG_RSASHA512:
+-		if (EVP_VerifyInit(&d->ctx, EVP_sha512()) != 1)
+		if (EVP_VerifyInit(d->ctx, EVP_sha512()) != 1)
+ 			return 0;
+ 		break;
+ 	default:
+@@ -274,7 +276,7 @@ static int verify_signature(struct verification_data *
+ 	chunk = rrsig_wirerdata_ex(&d->rr->rr, 0);
+ 	if (chunk.length < 0)
+ 		return 0;
+-	EVP_VerifyUpdate(&d->ctx, chunk.data, chunk.length);
+	EVP_VerifyUpdate(d->ctx, chunk.data, chunk.length);
+ 
+ 	set = getmem_temp(sizeof(*set) * signed_set->count);
+ 
+@@ -294,12 +296,12 @@ static int verify_signature(struct verification_data *
+ 		chunk = name2wire_name(signed_set->named_rr->name);
+ 		if (chunk.length < 0)
+ 			return 0;
+-		EVP_VerifyUpdate(&d->ctx, chunk.data, chunk.length);
+-		b2 = htons(set[i].rr->rdtype);    EVP_VerifyUpdate(&d->ctx, &b2, 2);
+-		b2 = htons(1);  /* class IN */   EVP_VerifyUpdate(&d->ctx, &b2, 2);
+-		b4 = htonl(set[i].rr->ttl);       EVP_VerifyUpdate(&d->ctx, &b4, 4);
+-		b2 = htons(set[i].wired.length); EVP_VerifyUpdate(&d->ctx, &b2, 2);
+-		EVP_VerifyUpdate(&d->ctx, set[i].wired.data, set[i].wired.length);
+		EVP_VerifyUpdate(d->ctx, chunk.data, chunk.length);
+		b2 = htons(set[i].rr->rdtype);    EVP_VerifyUpdate(d->ctx, &b2, 2);
+		b2 = htons(1);  /* class IN */   EVP_VerifyUpdate(d->ctx, &b2, 2);
+		b4 = htonl(set[i].rr->ttl);       EVP_VerifyUpdate(d->ctx, &b4, 4);
+		b2 = htons(set[i].wired.length); EVP_VerifyUpdate(d->ctx, &b2, 2);
+		EVP_VerifyUpdate(d->ctx, set[i].wired.data, set[i].wired.length);
+ 	}
+ 
+ 	schedule_verification(d);