net/validns: move to OpenSSL 1.1 API in preparation for upcoming

libcrypto bump. Apparently the random NSEC3 validation failures are
similar with or without this patch. Upstream seems to have lost
interest in maintaining this project.

tested/ok fcambus
This commit is contained in:
tb 2021-11-17 14:54:47 +00:00
parent 6211dbd343
commit 3b5bb1ab26
4 changed files with 241 additions and 2 deletions


@ -1,9 +1,9 @@
# $OpenBSD: Makefile,v 1.3 2020/04/15 14:34:50 fcambus Exp $ # $OpenBSD: Makefile,v 1.4 2021/11/17 14:54:47 tb Exp $
COMMENT = DNS and DNSSEC zone file validator COMMENT = DNS and DNSSEC zone file validator
DISTNAME = validns-0.8 DISTNAME = validns-0.8
REVISION = 0 REVISION = 1
CATEGORIES = net CATEGORIES = net


@ -0,0 +1,33 @@
$OpenBSD: patch-dnskey_c,v 1.1 2021/11/17 14:54:47 tb Exp $
https://github.com/tobez/validns/pull/71
Index: dnskey.c
--- dnskey.c.orig
+++ dnskey.c
@@ -145,6 +145,7 @@ int dnskey_build_pkey(struct rr_dnskey *rr)
unsigned int e_bytes;
unsigned char *pk;
int l;
+ BIGNUM *n, *e;
rsa = RSA_new();
if (!rsa)
@@ -165,11 +166,15 @@ int dnskey_build_pkey(struct rr_dnskey *rr)
if (l < e_bytes) /* public key is too short */
goto done;
- rsa->e = BN_bin2bn(pk, e_bytes, NULL);
+ e = BN_bin2bn(pk, e_bytes, NULL);
pk += e_bytes;
l -= e_bytes;
- rsa->n = BN_bin2bn(pk, l, NULL);
+ n = BN_bin2bn(pk, l, NULL);
+ if (!e || !n)
+ goto done;
+
+ RSA_set0_key(rsa, n, e, NULL);
pkey = EVP_PKEY_new();
if (!pkey)
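Review bot: The new check `if (!e || !n) goto done;` leaks whichever BIGNUM was parsed successfully when only one of the two BN_bin2bn() calls fails, because ownership passes to rsa only in the RSA_set0_key() call that follows it. Declaring `BIGNUM *n = NULL, *e = NULL;` and releasing both on that path, `if (!e || !n) { BN_free(e); BN_free(n); goto done; }`, closes the gap (BN_free() accepts NULL, and the earlier `goto done` on a short key then also runs with defined pointers). The RSA_set0_key() return value is not checked either; with a fresh RSA object and both n and e non-NULL it succeeds, so a one-line comment stating that assumption would help the next reader. dnskey_build_pkey() starts before and continues after this hunk, so what `done:` releases is not visible here.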


@ -0,0 +1,59 @@
$OpenBSD: patch-nsec3checks_c,v 1.1 2021/11/17 14:54:47 tb Exp $
https://github.com/tobez/validns/pull/71
Index: nsec3checks.c
--- nsec3checks.c.orig
+++ nsec3checks.c
@@ -28,7 +28,7 @@
static struct binary_data name2hash(char *name, struct rr *param)
{
struct rr_nsec3param *p = (struct rr_nsec3param *)param;
- EVP_MD_CTX ctx;
+ EVP_MD_CTX *ctx;
unsigned char md0[EVP_MAX_MD_SIZE];
unsigned char md1[EVP_MAX_MD_SIZE];
unsigned char *md[2];
@@ -45,26 +45,31 @@ static struct binary_data name2hash(char *name, struct
/* XXX Maybe use Init_ex and Final_ex for speed? */
- EVP_MD_CTX_init(&ctx);
- if (EVP_DigestInit(&ctx, EVP_sha1()) != 1)
+ ctx = EVP_MD_CTX_new();
+ if (ctx == NULL)
return r;
- digest_size = EVP_MD_CTX_size(&ctx);
- EVP_DigestUpdate(&ctx, wire_name.data, wire_name.length);
- EVP_DigestUpdate(&ctx, p->salt.data, p->salt.length);
- EVP_DigestFinal(&ctx, md[mdi], NULL);
+ if (EVP_DigestInit(ctx, EVP_sha1()) != 1)
+ goto out;
+ digest_size = EVP_MD_CTX_size(ctx);
+ EVP_DigestUpdate(ctx, wire_name.data, wire_name.length);
+ EVP_DigestUpdate(ctx, p->salt.data, p->salt.length);
+ EVP_DigestFinal(ctx, md[mdi], NULL);
for (i = 0; i < p->iterations; i++) {
- if (EVP_DigestInit(&ctx, EVP_sha1()) != 1)
- return r;
- EVP_DigestUpdate(&ctx, md[mdi], digest_size);
+ if (EVP_DigestInit(ctx, EVP_sha1()) != 1)
+ goto out;
+
+ EVP_DigestUpdate(ctx, md[mdi], digest_size);
mdi = (mdi + 1) % 2;
- EVP_DigestUpdate(&ctx, p->salt.data, p->salt.length);
- EVP_DigestFinal(&ctx, md[mdi], NULL);
+ EVP_DigestUpdate(ctx, p->salt.data, p->salt.length);
+ EVP_DigestFinal(ctx, md[mdi], NULL);
}
r.length = digest_size;
r.data = getmem(digest_size);
memcpy(r.data, md[mdi], digest_size);
+out:
+ EVP_MD_CTX_free(ctx);
return r;
}
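Review bot: The `goto out` path introduced in this hunk covers only EVP_DigestInit() failures; the EVP_DigestUpdate() and EVP_DigestFinal() calls after each init remain unchecked, so a failure there leaves md[mdi] holding indeterminate stack bytes that are then copied into r.data and used as the NSEC3 hash. Since the cleanup label now exists, the same `goto out` can cover those calls (sketch below); on that path r is returned as it stood before hashing, which is exactly what the existing init-failure path already does. name2hash() begins in the previous hunk, so how r is initialised is not visible here and should be confirmed. The pre-existing XXX comment about Init_ex/Final_ex applies more now that the context is heap allocated and reused across iterations, but that is a separate change.
```c
	if (EVP_DigestInit(ctx, EVP_sha1()) != 1)
		goto out;
	digest_size = EVP_MD_CTX_size(ctx);
	if (EVP_DigestUpdate(ctx, wire_name.data, wire_name.length) != 1 ||
	    EVP_DigestUpdate(ctx, p->salt.data, p->salt.length) != 1 ||
	    EVP_DigestFinal(ctx, md[mdi], NULL) != 1)
		goto out;
	for (i = 0; i < p->iterations; i++) {
		if (EVP_DigestInit(ctx, EVP_sha1()) != 1 ||
		    EVP_DigestUpdate(ctx, md[mdi], digest_size) != 1)
			goto out;
		mdi = (mdi + 1) % 2;
		if (EVP_DigestUpdate(ctx, p->salt.data, p->salt.length) != 1 ||
		    EVP_DigestFinal(ctx, md[mdi], NULL) != 1)
			goto out;
	}
	/* … unchanged: copy of md[mdi] into r, out: label and EVP_MD_CTX_free … */
```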


@ -0,0 +1,147 @@
$OpenBSD: patch-rrsig_c,v 1.1 2021/11/17 14:54:47 tb Exp $
https://github.com/tobez/validns/pull/71
Index: rrsig.c
--- rrsig.c.orig
+++ rrsig.c
@@ -26,7 +26,7 @@
struct verification_data
{
struct verification_data *next;
- EVP_MD_CTX ctx;
+ EVP_MD_CTX *ctx;
struct rr_dnskey *key;
struct rr_rrsig *rr;
int ok;
@@ -180,7 +180,7 @@ void *verification_thread(void *dummy)
if (d) {
int r;
d->next = NULL;
- r = EVP_VerifyFinal(&d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
+ r = EVP_VerifyFinal(d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
if (r == 1) {
d->ok = 1;
} else {
@@ -232,7 +232,7 @@ static void schedule_verification(struct verification_
} else {
int r;
G.stats.signatures_verified++;
- r = EVP_VerifyFinal(&d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
+ r = EVP_VerifyFinal(d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
if (r == 1) {
d->ok = 1;
} else {
@@ -250,21 +250,22 @@ static int verify_signature(struct verification_data *
struct rr *signed_rr;
int i;
- EVP_MD_CTX_init(&d->ctx);
+ if ((d->ctx = EVP_MD_CTX_new()) == NULL)
+ return 0;
switch (d->rr->algorithm) {
case ALG_DSA:
case ALG_RSASHA1:
case ALG_DSA_NSEC3_SHA1:
case ALG_RSASHA1_NSEC3_SHA1:
- if (EVP_VerifyInit(&d->ctx, EVP_sha1()) != 1)
+ if (EVP_VerifyInit(d->ctx, EVP_sha1()) != 1)
return 0;
break;
case ALG_RSASHA256:
- if (EVP_VerifyInit(&d->ctx, EVP_sha256()) != 1)
+ if (EVP_VerifyInit(d->ctx, EVP_sha256()) != 1)
return 0;
break;
case ALG_RSASHA512:
- if (EVP_VerifyInit(&d->ctx, EVP_sha512()) != 1)
+ if (EVP_VerifyInit(d->ctx, EVP_sha512()) != 1)
return 0;
break;
default:
@@ -274,7 +275,7 @@ static int verify_signature(struct verification_data *
chunk = rrsig_wirerdata_ex(&d->rr->rr, 0);
if (chunk.length < 0)
return 0;
- EVP_VerifyUpdate(&d->ctx, chunk.data, chunk.length);
+ EVP_VerifyUpdate(d->ctx, chunk.data, chunk.length);
set = getmem_temp(sizeof(*set) * signed_set->count);
@@ -294,12 +295,12 @@ static int verify_signature(struct verification_data *
chunk = name2wire_name(signed_set->named_rr->name);
if (chunk.length < 0)
return 0;
- EVP_VerifyUpdate(&d->ctx, chunk.data, chunk.length);
- b2 = htons(set[i].rr->rdtype); EVP_VerifyUpdate(&d->ctx, &b2, 2);
- b2 = htons(1); /* class IN */ EVP_VerifyUpdate(&d->ctx, &b2, 2);
- b4 = htonl(set[i].rr->ttl); EVP_VerifyUpdate(&d->ctx, &b4, 4);
- b2 = htons(set[i].wired.length); EVP_VerifyUpdate(&d->ctx, &b2, 2);
- EVP_VerifyUpdate(&d->ctx, set[i].wired.data, set[i].wired.length);
+ EVP_VerifyUpdate(d->ctx, chunk.data, chunk.length);
+ b2 = htons(set[i].rr->rdtype); EVP_VerifyUpdate(d->ctx, &b2, 2);
+ b2 = htons(1); /* class IN */ EVP_VerifyUpdate(d->ctx, &b2, 2);
+ b4 = htonl(set[i].rr->ttl); EVP_VerifyUpdate(d->ctx, &b4, 4);
+ b2 = htons(set[i].wired.length); EVP_VerifyUpdate(d->ctx, &b2, 2);
+ EVP_VerifyUpdate(d->ctx, set[i].wired.data, set[i].wired.length);
}
schedule_verification(d);
@@ -371,49 +372,12 @@ static void *rrsig_validate(struct rr *rrv)
return rr;
}
-static pthread_mutex_t *lock_cs;
-static long *lock_count;
-
-static unsigned long pthreads_thread_id(void)
-{
- unsigned long ret;
-
- ret=(unsigned long)pthread_self();
- return(ret);
-}
-
-static void pthreads_locking_callback(int mode, int type, char *file, int line)
-{
- if (mode & CRYPTO_LOCK) {
- pthread_mutex_lock(&(lock_cs[type]));
- lock_count[type]++;
- } else {
- pthread_mutex_unlock(&(lock_cs[type]));
- }
-}
-
void verify_all_keys(void)
{
struct keys_to_verify *k = all_keys_to_verify;
int i;
struct timespec sleep_time;
- ERR_load_crypto_strings();
- if (G.opt.n_threads > 1) {
- lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t));
- lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long));
- for (i = 0; i < CRYPTO_num_locks(); i++) {
- lock_count[i] = 0;
- pthread_mutex_init(&lock_cs[i],NULL);
- }
-
- CRYPTO_set_id_callback((unsigned long (*)())pthreads_thread_id);
- CRYPTO_set_locking_callback((void (*)())pthreads_locking_callback);
-
- if (pthread_mutex_init(&queue_lock, NULL) != 0)
- croak(1, "pthread_mutex_init");
- }
-
while (k) {
freeall_temp();
for (i = 0; i < k->n_keys; i++) {
@@ -440,6 +404,7 @@ void verify_all_keys(void)
if (k->to_verify[i].openssl_error != 0)
e = k->to_verify[i].openssl_error;
}
+ EVP_MD_CTX_free(k->to_verify[i].ctx);
}
if (!ok) {
struct named_rr *named_rr;
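Review bot: The `@@ -371,49 +372,12 @@` hunk drops `pthread_mutex_init(&queue_lock, NULL)` together with the obsolete CRYPTO_set_locking_callback() setup, but queue_lock is validns's own work-queue mutex rather than OpenSSL state, and nothing else in the patch initialises it. Unless its definition (outside this patch) carries PTHREAD_MUTEX_INITIALIZER, the multi-threaded path now locks an uninitialised mutex; keeping `if (G.opt.n_threads > 1 && pthread_mutex_init(&queue_lock, NULL) != 0) croak(1, "pthread_mutex_init");` in verify_all_keys() preserves the old behaviour while still removing the OpenSSL locking callbacks. Separately, the new `EVP_MD_CTX_free(k->to_verify[i].ctx)` in the last hunk relies on every entry's ctx being either the context allocated in verify_signature() or NULL; if an entry can skip verify_signature() and to_verify is not zero-initialised, that free would act on an indeterminate pointer, which is worth confirming against how to_verify is populated. verify_all_keys() continues past the end of the last hunk.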