unbreak opendnssec following ldns update, ok tb@ pvk@

opendnssec assumes that all ldns >=1.7 have Ed25519/Ed448 but this isn't correct. In ldns >= 1.8 the constants related to Ed25519/Ed448 are _not_ available unless those features are available, so builds trying to use them will fail (previously this was a runtime failure). opendnssec's autoconf script sets USE_ED25519/USE_ED448 (hardcoded to 1) but doesn't actually use them in code. Change the code to use them, and hardcode to 0 for now. Should check LDNS_BUILD_CONFIG_USE_ED25519 and LDNS_BUILD_CONFIG_USE_ED448 on 1.8+.
2021-11-28 10:37:04 +00:00 · 2021-11-28 10:37:04 +00:00 · e2df2949d2
commit e2df2949d2
parent 06a11e4edc
6 changed files with 168 additions and 1 deletions
--- a/security/opendnssec/Makefile
+++ b/security/opendnssec/Makefile
@ -1,8 +1,9 @@
-# $OpenBSD: Makefile,v 1.26 2021/09/16 07:45:23 pvk Exp $
+# $OpenBSD: Makefile,v 1.27 2021/11/28 10:37:04 sthen Exp $

 COMMENT=	open-source turn-key solution for DNSSEC

 DISTNAME=	opendnssec-2.1.10
+REVISION=	0

 CATEGORIES=	security

--- a/security/opendnssec/patches/patch-configure
+++ b/security/opendnssec/patches/patch-configure
@ -0,0 +1,37 @@
+$OpenBSD: patch-configure,v 1.1 2021/11/28 10:37:04 sthen Exp $
+
+opendnssec assumes that all ldns >=1.7 have Ed25519/Ed448 but this isn't
+correct. In ldns >= 1.8 the macros LDNS_BUILD_CONFIG_USE_ED25519 and
+LDNS_BUILD_CONFIG_USE_ED448 are available in ldns/common.h to test,
+and should be used. In ldns >= 1.8 the constants related to Ed25519/Ed448
+are _not_ available so builds using them will fail.
+
+Hardcoded for now. Could maybe use something like this instead:
+
+#if (LDNS_REVISION >= ((1<<16)|(8<<8)|(0)))
+#  define USE_ED25519 LDNS_BUILD_CONFIG_USE_ED25519
+#  define USE_ED448 LDNS_BUILD_CONFIG_USE_ED448
+#elif (LDNS_REVISION >= ((1<<16)|(7<<8)|(0)))
+#  define USE_ED25519 1
+#  define USE_ED448 1
+#else
+#  define USE_ED25519 0
+#  define USE_ED448 0
+#endif
+
+Index: configure
+--- configure.orig
+++ configure
+@@ -22479,10 +22479,10 @@ fi
+ 
+ 
+ 
+-$as_echo "#define USE_ED25519 1" >>confdefs.h
+$as_echo "#define USE_ED25519 0" >>confdefs.h
+ 
+ 
+-$as_echo "#define USE_ED448 1" >>confdefs.h
+$as_echo "#define USE_ED448 0" >>confdefs.h
+ 
+ 
+ # cunit
--- a/security/opendnssec/patches/patch-enforcer_src_hsmkey_hsm_key_factory_c
+++ b/security/opendnssec/patches/patch-enforcer_src_hsmkey_hsm_key_factory_c
@ -0,0 +1,21 @@
+$OpenBSD: patch-enforcer_src_hsmkey_hsm_key_factory_c,v 1.1 2021/11/28 10:37:04 sthen Exp $
+
+Don't assume that LDNS >= 1.7 means that ed25519/ed448 support is present
+
+Index: enforcer/src/hsmkey/hsm_key_factory.c
+--- enforcer/src/hsmkey/hsm_key_factory.c.orig
+++ enforcer/src/hsmkey/hsm_key_factory.c
+@@ -264,10 +264,12 @@ hsm_key_factory_generate(engine_type* engine, const db
+             case LDNS_ECDSAP384SHA384:
+                 key = hsm_generate_ecdsa_key(hsm_ctx, policy_key_repository(policy_key), "P-384");
+                 break;
+-#if (LDNS_REVISION >= ((1<<16)|(7<<8)|(0)))
+#if USE_ED25519
+             case LDNS_ED25519:
+                 key = hsm_generate_eddsa_key(hsm_ctx, policy_key_repository(policy_key), "edwards25519");
+                 break;
+#endif
+#if USE_ED448
+             case LDNS_ED448:
+                 key = hsm_generate_eddsa_key(hsm_ctx, policy_key_repository(policy_key), "edwards448");
+                 break;
--- a/security/opendnssec/patches/patch-libhsm_src_bin_hsmtest_c
+++ b/security/opendnssec/patches/patch-libhsm_src_bin_hsmtest_c
@ -0,0 +1,48 @@
+$OpenBSD: patch-libhsm_src_bin_hsmtest_c,v 1.1 2021/11/28 10:37:04 sthen Exp $
+
+Don't assume that LDNS >= 1.7 means that ed25519/ed448 support is present
+
+Index: libhsm/src/bin/hsmtest.c
+--- libhsm/src/bin/hsmtest.c.orig
+++ libhsm/src/bin/hsmtest.c
+@@ -116,10 +116,14 @@ hsm_test (const char *repository, hsm_ctx_t* ctx)
+         LDNS_ECDSAP256SHA256,
+         LDNS_ECDSAP384SHA384
+     };
+-#if (LDNS_REVISION >= ((1<<16)|(7<<8)|(0)))
+#if USE_ED25519 || USE_ED448
+     const ldns_algorithm ed_curves[] = {
+#if USE_ED25519
+         LDNS_ED25519,
+#endif
+#if USE_ED448
+         LDNS_ED448,
+#endif
+     };
+ #endif
+     ldns_algorithm curve;
+@@ -367,19 +371,23 @@ hsm_test (const char *repository, hsm_ctx_t* ctx)
+         }
+     }
+ 
+-#if (LDNS_REVISION >= ((1<<16)|(7<<8)|(0)))
+#if USE_ED25519 || USE_ED448
+     for (i=0; i<(sizeof(ed_curves)/sizeof(ldns_algorithm)); i++) {
+         curve = ed_curves[i];
+ 
+         switch(curve) {
+#if USE_ED25519
+         case LDNS_ED25519:
+             printf("Generating ED25519 key... ");
+             key = hsm_generate_eddsa_key(ctx, repository, "edwards25519");
+             break;
+#endif
+#if USE_ED448
+          case LDNS_ED448:
+             printf("Generating ED448 key... ");
+             key = hsm_generate_eddsa_key(ctx, repository, "edwards448");
+             break;
+#endif
+         default:
+             continue;
+         }
--- a/security/opendnssec/patches/patch-libhsm_src_bin_hsmutil_c
+++ b/security/opendnssec/patches/patch-libhsm_src_bin_hsmutil_c
@ -0,0 +1,25 @@
+$OpenBSD: patch-libhsm_src_bin_hsmutil_c,v 1.1 2021/11/28 10:37:04 sthen Exp $
+
+Don't assume that LDNS >= 1.7 means that ed25519/ed448 support is present
+
+Index: libhsm/src/bin/hsmutil.c
+--- libhsm/src/bin/hsmutil.c.orig
+++ libhsm/src/bin/hsmutil.c
+@@ -502,7 +502,7 @@ cmd_dnskey (int argc, char *argv[])
+                 return -1;
+             }
+             break;
+-#if (LDNS_REVISION >= ((1<<16)|(7<<8)|(0)))
+#if USE_ED25519
+         case LDNS_SIGN_ED25519:
+             if (strcmp(key_info->algorithm_name, "EDDSA") != 0) {
+                 printf("Not an EDDSA key, the key is of algorithm %s.\n", key_info->algorithm_name);
+@@ -521,6 +521,8 @@ cmd_dnskey (int argc, char *argv[])
+                 return -1;
+             }
+             break;
+#endif
+#if USE_ED448
+         case LDNS_SIGN_ED448:
+             if (strcmp(key_info->algorithm_name, "EDDSA") != 0) {
+                 printf("Not an EDDSA key, the key is of algorithm %s.\n", key_info->algorithm_name);
--- a/security/opendnssec/patches/patch-libhsm_src_lib_libhsm_c
+++ b/security/opendnssec/patches/patch-libhsm_src_lib_libhsm_c
@ -0,0 +1,35 @@
+$OpenBSD: patch-libhsm_src_lib_libhsm_c,v 1.1 2021/11/28 10:37:04 sthen Exp $
+
+Don't assume that LDNS >= 1.7 means that ed25519/ed448 support is present
+
+Index: libhsm/src/lib/libhsm.c
+--- libhsm/src/lib/libhsm.c.orig
+++ libhsm/src/lib/libhsm.c
+@@ -2174,10 +2174,12 @@ hsm_sign_buffer(hsm_ctx_t *ctx,
+                                             CKM_GOSTR3411, digest_len,
+                                             sign_buf);
+             break;
+-#if (LDNS_REVISION >= ((1<<16)|(7<<8)|(0)))
+#if USE_ED25519
+         case LDNS_SIGN_ED25519:
+             data_direct = 1;
+             break;
+#endif
+#if USE_ED448
+         case LDNS_SIGN_ED448:
+             data_direct = 1;
+             break;
+@@ -2224,10 +2226,12 @@ hsm_sign_buffer(hsm_ctx_t *ctx,
+         case LDNS_SIGN_ECDSAP384SHA384:
+             sign_mechanism.mechanism = CKM_ECDSA;
+             break;
+-#if (LDNS_REVISION >= ((1<<16)|(7<<8)|(0)))
+#if USE_ED25519
+         case LDNS_SIGN_ED25519:
+             sign_mechanism.mechanism = CKM_EDDSA;
+             break;
+#endif
+#if USE_ED448
+         case LDNS_SIGN_ED448:
+             sign_mechanism.mechanism = CKM_EDDSA;
+             break;