net/validns: move to OpenSSL 1.1 API in preparation for upcoming

libcrypto bump. Apparently the random NSEC3 validation failures are
similar with or without this patch. Upstream seems to have lost
interest in maintaining this project.

tested/ok fcambus

net/validns/Makefile

@@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.3 2020/04/15 14:34:50 fcambus Exp $
+# $OpenBSD: Makefile,v 1.4 2021/11/17 14:54:47 tb Exp $
 
 COMMENT =	DNS and DNSSEC zone file validator
 
 DISTNAME =	validns-0.8
-REVISION =	0
+REVISION =	1
 
 CATEGORIES =	net
 

net/validns/patches/patch-dnskey_c

@@ -0,0 +1,33 @@
+$OpenBSD: patch-dnskey_c,v 1.1 2021/11/17 14:54:47 tb Exp $
+
+https://github.com/tobez/validns/pull/71
+
+Index: dnskey.c
+--- dnskey.c.orig
++++ dnskey.c
+@@ -145,6 +145,7 @@ int dnskey_build_pkey(struct rr_dnskey *rr)
+ 		unsigned int e_bytes;
+ 		unsigned char *pk;
+ 		int l;
++		BIGNUM *n, *e;
+ 
+ 		rsa = RSA_new();
+ 		if (!rsa)
+@@ -165,11 +166,15 @@ int dnskey_build_pkey(struct rr_dnskey *rr)
+ 		if (l < e_bytes) /* public key is too short */
+ 			goto done;
+ 
+-		rsa->e = BN_bin2bn(pk, e_bytes, NULL);
++		e = BN_bin2bn(pk, e_bytes, NULL);
+ 		pk += e_bytes;
+ 		l -= e_bytes;
+ 
+-		rsa->n = BN_bin2bn(pk, l, NULL);
++		n = BN_bin2bn(pk, l, NULL);
++		if (!e || !n)
++			goto done;
++
++		RSA_set0_key(rsa, n, e, NULL);
+ 
+ 		pkey = EVP_PKEY_new();
+ 		if (!pkey)

net/validns/patches/patch-nsec3checks_c

@@ -0,0 +1,59 @@
+$OpenBSD: patch-nsec3checks_c,v 1.1 2021/11/17 14:54:47 tb Exp $
+
+https://github.com/tobez/validns/pull/71
+
+Index: nsec3checks.c
+--- nsec3checks.c.orig
++++ nsec3checks.c
+@@ -28,7 +28,7 @@
+ static struct binary_data name2hash(char *name, struct rr *param)
+ {
+     struct rr_nsec3param *p = (struct rr_nsec3param *)param;
+-	EVP_MD_CTX ctx;
++	EVP_MD_CTX *ctx;
+ 	unsigned char md0[EVP_MAX_MD_SIZE];
+ 	unsigned char md1[EVP_MAX_MD_SIZE];
+ 	unsigned char *md[2];
+@@ -45,26 +45,31 @@ static struct binary_data name2hash(char *name, struct
+ 
+ 	/* XXX Maybe use Init_ex and Final_ex for speed? */
+ 
+-	EVP_MD_CTX_init(&ctx);
+-	if (EVP_DigestInit(&ctx, EVP_sha1()) != 1)
++	ctx = EVP_MD_CTX_new();
++	if (ctx == NULL)
+ 		return r;
+-	digest_size = EVP_MD_CTX_size(&ctx);
+-	EVP_DigestUpdate(&ctx, wire_name.data, wire_name.length);
+-	EVP_DigestUpdate(&ctx, p->salt.data, p->salt.length);
+-	EVP_DigestFinal(&ctx, md[mdi], NULL);
++	if (EVP_DigestInit(ctx, EVP_sha1()) != 1)
++		goto out;
++	digest_size = EVP_MD_CTX_size(ctx);
++	EVP_DigestUpdate(ctx, wire_name.data, wire_name.length);
++	EVP_DigestUpdate(ctx, p->salt.data, p->salt.length);
++	EVP_DigestFinal(ctx, md[mdi], NULL);
+ 
+ 	for (i = 0; i < p->iterations; i++) {
+-		if (EVP_DigestInit(&ctx, EVP_sha1()) != 1)
+-			return r;
+-		EVP_DigestUpdate(&ctx, md[mdi], digest_size);
++	if (EVP_DigestInit(ctx, EVP_sha1()) != 1)
++		goto out;
++
++	EVP_DigestUpdate(ctx, md[mdi], digest_size);
+ 		mdi = (mdi + 1) % 2;
+-		EVP_DigestUpdate(&ctx, p->salt.data, p->salt.length);
+-		EVP_DigestFinal(&ctx, md[mdi], NULL);
++		EVP_DigestUpdate(ctx, p->salt.data, p->salt.length);
++		EVP_DigestFinal(ctx, md[mdi], NULL);
+ 	}
+ 
+ 	r.length = digest_size;
+ 	r.data = getmem(digest_size);
+ 	memcpy(r.data, md[mdi], digest_size);
++out:
++	EVP_MD_CTX_free(ctx);
+ 	return r;
+ }
+ 

net/validns/patches/patch-rrsig_c

@@ -0,0 +1,147 @@
+$OpenBSD: patch-rrsig_c,v 1.1 2021/11/17 14:54:47 tb Exp $
+
+https://github.com/tobez/validns/pull/71
+
+Index: rrsig.c
+--- rrsig.c.orig
++++ rrsig.c
+@@ -26,7 +26,7 @@
+ struct verification_data
+ {
+ 	struct verification_data *next;
+-	EVP_MD_CTX ctx;
++	EVP_MD_CTX *ctx;
+ 	struct rr_dnskey *key;
+ 	struct rr_rrsig *rr;
+ 	int ok;
+@@ -180,7 +180,7 @@ void *verification_thread(void *dummy)
+ 		if (d) {
+ 			int r;
+ 			d->next = NULL;
+-			r = EVP_VerifyFinal(&d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
++			r = EVP_VerifyFinal(d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
+ 			if (r == 1) {
+ 				d->ok = 1;
+ 			} else {
+@@ -232,7 +232,7 @@ static void schedule_verification(struct verification_
+ 	} else {
+ 		int r;
+ 		G.stats.signatures_verified++;
+-		r = EVP_VerifyFinal(&d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
++		r = EVP_VerifyFinal(d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
+ 		if (r == 1) {
+ 			d->ok = 1;
+ 		} else {
+@@ -250,21 +250,22 @@ static int verify_signature(struct verification_data *
+ 	struct rr *signed_rr;
+ 	int i;
+ 
+-	EVP_MD_CTX_init(&d->ctx);
++	if ((d->ctx = EVP_MD_CTX_new()) == NULL)
++		return 0;
+ 	switch (d->rr->algorithm) {
+ 	case ALG_DSA:
+ 	case ALG_RSASHA1:
+ 	case ALG_DSA_NSEC3_SHA1:
+ 	case ALG_RSASHA1_NSEC3_SHA1:
+-		if (EVP_VerifyInit(&d->ctx, EVP_sha1()) != 1)
++		if (EVP_VerifyInit(d->ctx, EVP_sha1()) != 1)
+ 			return 0;
+ 		break;
+ 	case ALG_RSASHA256:
+-		if (EVP_VerifyInit(&d->ctx, EVP_sha256()) != 1)
++		if (EVP_VerifyInit(d->ctx, EVP_sha256()) != 1)
+ 			return 0;
+ 		break;
+ 	case ALG_RSASHA512:
+-		if (EVP_VerifyInit(&d->ctx, EVP_sha512()) != 1)
++		if (EVP_VerifyInit(d->ctx, EVP_sha512()) != 1)
+ 			return 0;
+ 		break;
+ 	default:
+@@ -274,7 +275,7 @@ static int verify_signature(struct verification_data *
+ 	chunk = rrsig_wirerdata_ex(&d->rr->rr, 0);
+ 	if (chunk.length < 0)
+ 		return 0;
+-	EVP_VerifyUpdate(&d->ctx, chunk.data, chunk.length);
++	EVP_VerifyUpdate(d->ctx, chunk.data, chunk.length);
+ 
+ 	set = getmem_temp(sizeof(*set) * signed_set->count);
+ 
+@@ -294,12 +295,12 @@ static int verify_signature(struct verification_data *
+ 		chunk = name2wire_name(signed_set->named_rr->name);
+ 		if (chunk.length < 0)
+ 			return 0;
+-		EVP_VerifyUpdate(&d->ctx, chunk.data, chunk.length);
+-		b2 = htons(set[i].rr->rdtype);    EVP_VerifyUpdate(&d->ctx, &b2, 2);
+-		b2 = htons(1);  /* class IN */   EVP_VerifyUpdate(&d->ctx, &b2, 2);
+-		b4 = htonl(set[i].rr->ttl);       EVP_VerifyUpdate(&d->ctx, &b4, 4);
+-		b2 = htons(set[i].wired.length); EVP_VerifyUpdate(&d->ctx, &b2, 2);
+-		EVP_VerifyUpdate(&d->ctx, set[i].wired.data, set[i].wired.length);
++		EVP_VerifyUpdate(d->ctx, chunk.data, chunk.length);
++		b2 = htons(set[i].rr->rdtype);    EVP_VerifyUpdate(d->ctx, &b2, 2);
++		b2 = htons(1);  /* class IN */   EVP_VerifyUpdate(d->ctx, &b2, 2);
++		b4 = htonl(set[i].rr->ttl);       EVP_VerifyUpdate(d->ctx, &b4, 4);
++		b2 = htons(set[i].wired.length); EVP_VerifyUpdate(d->ctx, &b2, 2);
++		EVP_VerifyUpdate(d->ctx, set[i].wired.data, set[i].wired.length);
+ 	}
+ 
+ 	schedule_verification(d);
+@@ -371,49 +372,12 @@ static void *rrsig_validate(struct rr *rrv)
+ 	return rr;
+ }
+ 
+-static pthread_mutex_t *lock_cs;
+-static long *lock_count;
+-
+-static unsigned long pthreads_thread_id(void)
+-{
+-	unsigned long ret;
+-
+-	ret=(unsigned long)pthread_self();
+-	return(ret);
+-}
+-
+-static void pthreads_locking_callback(int mode, int type, char *file, int line)
+-{
+-	if (mode & CRYPTO_LOCK) {
+-		pthread_mutex_lock(&(lock_cs[type]));
+-		lock_count[type]++;
+-	} else {
+-		pthread_mutex_unlock(&(lock_cs[type]));
+-	}
+-}
+-
+ void verify_all_keys(void)
+ {
+ 	struct keys_to_verify *k = all_keys_to_verify;
+ 	int i;
+ 	struct timespec sleep_time;
+ 
+-	ERR_load_crypto_strings();
+-	if (G.opt.n_threads > 1) {
+-		lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t));
+-		lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long));
+-		for (i = 0; i < CRYPTO_num_locks(); i++) {
+-			lock_count[i] = 0;
+-			pthread_mutex_init(&lock_cs[i],NULL);
+-		}
+-
+-		CRYPTO_set_id_callback((unsigned long (*)())pthreads_thread_id);
+-		CRYPTO_set_locking_callback((void (*)())pthreads_locking_callback);
+-
+-		if (pthread_mutex_init(&queue_lock, NULL) != 0)
+-			croak(1, "pthread_mutex_init");
+-	}
+-
+ 	while (k) {
+ 		freeall_temp();
+ 		for (i = 0; i < k->n_keys; i++) {
+@@ -440,6 +404,7 @@ void verify_all_keys(void)
+ 				if (k->to_verify[i].openssl_error != 0)
+ 					e = k->to_verify[i].openssl_error;
+ 			}
++			EVP_MD_CTX_free(k->to_verify[i].ctx);
+ 		}
+ 		if (!ok) {
+ 			struct named_rr *named_rr;