On Sun, 18 Aug 2019 05:54:56 +0200 Joost van Baal-Ilić
<joos...@debian.org> wrote:
> Package: validns
> Version: 0.8+git20160720-3.1
> Severity: normal
> 
> Prof. Ernesto Hernández-Novich (emhn-guest) offered help in private
> communication, and donated a patch in private communication.
> (Thanks!) His patch, which builds a current upstream, should get
> applied.

Attached you'll find the patch mentioned.

This patch provides updated `quilt` patches so upstream `validns`

commit f423245b9867359398f83e8a60fea167ad7694ca
Author: Anton Berezin <to...@tobez.org>
Date:   Fri Aug 4 16:27:44 2017 +0200

builds against OpenSSL 1.1. I've been using this patch for over a
month with a Debian 9 targeted package, and no issues.

I wrote upstream asking whether or not they would update their code to
work with OpenSSL 1.1 but haven't gotten an answer.

Regards,
-- 
Prof. Ernesto Hernández-Novich - MYS-220C - @iamemhn
Geek by nature, Linux by choice, Debian of course.
If you can't aptitude it, it isn't useful or doesn't exist.
GPG Key Fingerprint = 0064 ADF5 EB5C DE16 99C1 6C56 F2A3 86B5 A757 E5A1
From bc36d7d8b48874199118f786060a117a208c1f9e Mon Sep 17 00:00:00 2001
From: Ernesto Hernández-Novich <e...@ubs.ve>
Date: Thu, 18 Jul 2019 16:00:44 -0700
Subject: Make latest `validns` build on Debian 9 (and later)

---
 .../patches/fix-compilation-on-openssl-1.1.patch   | 441 +++++++++++----------
 debian/patches/fix-dont-overwrite-cflags.patch     |  12 +-
 debian/patches/fix-makefile-clean.patch            |   4 +-
 ...ddress-possible-string-truncation-warning.patch |  37 +-
 4 files changed, 256 insertions(+), 238 deletions(-)

diff --git a/debian/patches/fix-compilation-on-openssl-1.1.patch b/debian/patches/fix-compilation-on-openssl-1.1.patch
index f20384c..45d815a 100644
--- a/debian/patches/fix-compilation-on-openssl-1.1.patch
+++ b/debian/patches/fix-compilation-on-openssl-1.1.patch
@@ -11,182 +11,129 @@ Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
  rrsig.c       | 69 ++++++++++++++-------------------------------------
  3 files changed, 42 insertions(+), 65 deletions(-)
 
-diff --git a/dnskey.c b/dnskey.c
-index fecc62abfd21..fda220c14d08 100644
---- a/dnskey.c
-+++ b/dnskey.c
-@@ -154,6 +154,7 @@ int dnskey_build_pkey(struct rr_dnskey *rr)
- 		unsigned int e_bytes;
- 		unsigned char *pk;
- 		int l;
-+		BIGNUM *n, *e;
- 
- 		rsa = RSA_new();
- 		if (!rsa)
-@@ -174,11 +175,15 @@ int dnskey_build_pkey(struct rr_dnskey *rr)
- 		if (l < e_bytes) /* public key is too short */
- 			goto done;
- 
--		rsa->e = BN_bin2bn(pk, e_bytes, NULL);
-+		e = BN_bin2bn(pk, e_bytes, NULL);
- 		pk += e_bytes;
- 		l -= e_bytes;
- 
--		rsa->n = BN_bin2bn(pk, l, NULL);
-+		n = BN_bin2bn(pk, l, NULL);
-+		if (!e || !n)
-+			goto done;
-+
-+		RSA_set0_key(rsa, n, e, NULL);
- 
- 		pkey = EVP_PKEY_new();
- 		if (!pkey)
-diff --git a/nsec3checks.c b/nsec3checks.c
-index 69c655345bad..2abac9efa1bf 100644
---- a/nsec3checks.c
-+++ b/nsec3checks.c
-@@ -28,7 +28,7 @@
- static struct binary_data name2hash(char *name, struct rr *param)
- {
-     struct rr_nsec3param *p = (struct rr_nsec3param *)param;
--	EVP_MD_CTX ctx;
-+	EVP_MD_CTX *ctx;
- 	unsigned char md0[EVP_MAX_MD_SIZE];
- 	unsigned char md1[EVP_MAX_MD_SIZE];
- 	unsigned char *md[2];
-@@ -45,26 +45,31 @@ static struct binary_data name2hash(char *name, struct rr *param)
- 
- 	/* XXX Maybe use Init_ex and Final_ex for speed? */
- 
--	EVP_MD_CTX_init(&ctx);
--	if (EVP_DigestInit(&ctx, EVP_sha1()) != 1)
-+	ctx = EVP_MD_CTX_new();
-+	if (ctx == NULL)
- 		return r;
--	digest_size = EVP_MD_CTX_size(&ctx);
--	EVP_DigestUpdate(&ctx, wire_name.data, wire_name.length);
--	EVP_DigestUpdate(&ctx, p->salt.data, p->salt.length);
--	EVP_DigestFinal(&ctx, md[mdi], NULL);
-+	if (EVP_DigestInit(ctx, EVP_sha1()) != 1)
-+		goto out;
-+	digest_size = EVP_MD_CTX_size(ctx);
-+	EVP_DigestUpdate(ctx, wire_name.data, wire_name.length);
-+	EVP_DigestUpdate(ctx, p->salt.data, p->salt.length);
-+	EVP_DigestFinal(ctx, md[mdi], NULL);
- 
- 	for (i = 0; i < p->iterations; i++) {
--		if (EVP_DigestInit(&ctx, EVP_sha1()) != 1)
--			return r;
--		EVP_DigestUpdate(&ctx, md[mdi], digest_size);
-+		if (EVP_DigestInit(ctx, EVP_sha1()) != 1)
-+			goto out;
-+
-+		EVP_DigestUpdate(ctx, md[mdi], digest_size);
- 		mdi = (mdi + 1) % 2;
--		EVP_DigestUpdate(&ctx, p->salt.data, p->salt.length);
--		EVP_DigestFinal(&ctx, md[mdi], NULL);
-+		EVP_DigestUpdate(ctx, p->salt.data, p->salt.length);
-+		EVP_DigestFinal(ctx, md[mdi], NULL);
- 	}
- 
- 	r.length = digest_size;
- 	r.data = getmem(digest_size);
- 	memcpy(r.data, md[mdi], digest_size);
-+out:
-+	EVP_MD_CTX_free(ctx);
- 	return r;
- }
- 
-diff --git a/rrsig.c b/rrsig.c
-index 81f24b4c49da..0a9e864285d0 100644
 --- a/rrsig.c
 +++ b/rrsig.c
-@@ -26,7 +26,7 @@
+@@ -27,7 +27,7 @@
  struct verification_data
  {
- 	struct verification_data *next;
--	EVP_MD_CTX ctx;
-+	EVP_MD_CTX *ctx;
- 	struct rr_dnskey *key;
- 	struct rr_rrsig *rr;
- 	int ok;
-@@ -180,7 +180,7 @@ void *verification_thread(void *dummy)
- 		if (d) {
- 			int r;
- 			d->next = NULL;
--			r = EVP_VerifyFinal(&d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
-+			r = EVP_VerifyFinal(d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
- 			if (r == 1) {
- 				d->ok = 1;
- 			} else {
-@@ -232,7 +232,7 @@ static void schedule_verification(struct verification_data *d)
- 	} else {
- 		int r;
- 		G.stats.signatures_verified++;
--		r = EVP_VerifyFinal(&d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
-+		r = EVP_VerifyFinal(d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
- 		if (r == 1) {
- 			d->ok = 1;
- 		} else {
-@@ -250,21 +250,24 @@ static int verify_signature(struct verification_data *d, struct rr_set *signed_s
- 	struct rr *signed_rr;
- 	int i;
- 
--	EVP_MD_CTX_init(&d->ctx);
-+	d->ctx = EVP_MD_CTX_new();
-+	if (!d->ctx)
-+		return 0;
+     struct verification_data *next;
+-    EVP_MD_CTX ctx;
++    EVP_MD_CTX *ctx;
+     struct rr_dnskey *key;
+     struct rr_rrsig *rr;
+     int ok;
+@@ -96,16 +96,22 @@ static struct rr* rrsig_parse(char *name
+          * Transform ECDSA signatures from DNSSEC vanilla binary
+          * representation (r || s) into OpenSSL ASN.1 DER format
+          */
++        BIGNUM *r0 = BN_new(),
++               *s0 = BN_new();
++
+         ECDSA_SIG *ecdsa_sig = ECDSA_SIG_new();
+         int l = sig.length / 2;
+-        if ((BN_bin2bn((unsigned char *)sig.data, l, ecdsa_sig->r) == NULL) ||
+-            (BN_bin2bn(((unsigned char *)sig.data) + l, l, ecdsa_sig->s) == NULL))
++        if ((BN_bin2bn((unsigned char *)sig.data, l, r0) == NULL) ||
++            (BN_bin2bn(((unsigned char *)sig.data) + l, l, s0) == NULL))
+             return NULL;
++        ECDSA_SIG_set0( ecdsa_sig, r0, s0 );
+         sig.length = i2d_ECDSA_SIG(ecdsa_sig, NULL);
+         sig.data = getmem(sig.length); /* reallocate larger mempool chunk */
+         unsigned char *sig_ptr = (unsigned char *)sig.data;
+         sig.length = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr);
+         ECDSA_SIG_free(ecdsa_sig);
++        BN_clear_free( r0 );
++        BN_clear_free( s0 );
+     }
+     rr->signature = sig;
+ 
+@@ -197,7 +203,7 @@ void *verification_thread(void *dummy)
+         if (d) {
+             int r;
+             d->next = NULL;
+-            r = EVP_VerifyFinal(&d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
++            r = EVP_VerifyFinal(d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
+             if (r == 1) {
+                 d->ok = 1;
+             } else {
+@@ -249,7 +255,7 @@ static void schedule_verification(struct
+     } else {
+         int r;
+         G.stats.signatures_verified++;
+-        r = EVP_VerifyFinal(&d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
++        r = EVP_VerifyFinal(d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
+         if (r == 1) {
+             d->ok = 1;
+         } else {
+@@ -267,29 +273,32 @@ static int verify_signature(struct verif
+     struct rr *signed_rr;
+     int i;
+ 
+-    EVP_MD_CTX_init(&d->ctx);
++    d->ctx = EVP_MD_CTX_new();
++    if (!d->ctx)
++      return 0;
 +
- 	switch (d->rr->algorithm) {
- 	case ALG_DSA:
- 	case ALG_RSASHA1:
- 	case ALG_DSA_NSEC3_SHA1:
- 	case ALG_RSASHA1_NSEC3_SHA1:
--		if (EVP_VerifyInit(&d->ctx, EVP_sha1()) != 1)
-+		if (EVP_VerifyInit(d->ctx, EVP_sha1()) != 1)
- 			return 0;
- 		break;
- 	case ALG_RSASHA256:
--		if (EVP_VerifyInit(&d->ctx, EVP_sha256()) != 1)
-+		if (EVP_VerifyInit(d->ctx, EVP_sha256()) != 1)
- 			return 0;
- 		break;
- 	case ALG_RSASHA512:
--		if (EVP_VerifyInit(&d->ctx, EVP_sha512()) != 1)
-+		if (EVP_VerifyInit(d->ctx, EVP_sha512()) != 1)
- 			return 0;
- 		break;
- 	default:
-@@ -274,7 +277,7 @@ static int verify_signature(struct verification_data *d, struct rr_set *signed_s
- 	chunk = rrsig_wirerdata_ex(&d->rr->rr, 0);
- 	if (chunk.length < 0)
- 		return 0;
--	EVP_VerifyUpdate(&d->ctx, chunk.data, chunk.length);
-+	EVP_VerifyUpdate(d->ctx, chunk.data, chunk.length);
- 
- 	set = getmem_temp(sizeof(*set) * signed_set->count);
- 
-@@ -294,12 +297,12 @@ static int verify_signature(struct verification_data *d, struct rr_set *signed_s
- 		chunk = name2wire_name(signed_set->named_rr->name);
- 		if (chunk.length < 0)
- 			return 0;
--		EVP_VerifyUpdate(&d->ctx, chunk.data, chunk.length);
--		b2 = htons(set[i].rr->rdtype);    EVP_VerifyUpdate(&d->ctx, &b2, 2);
--		b2 = htons(1);  /* class IN */   EVP_VerifyUpdate(&d->ctx, &b2, 2);
--		b4 = htonl(set[i].rr->ttl);       EVP_VerifyUpdate(&d->ctx, &b4, 4);
--		b2 = htons(set[i].wired.length); EVP_VerifyUpdate(&d->ctx, &b2, 2);
--		EVP_VerifyUpdate(&d->ctx, set[i].wired.data, set[i].wired.length);
-+		EVP_VerifyUpdate(d->ctx, chunk.data, chunk.length);
-+		b2 = htons(set[i].rr->rdtype);    EVP_VerifyUpdate(d->ctx, &b2, 2);
-+		b2 = htons(1);  /* class IN */   EVP_VerifyUpdate(d->ctx, &b2, 2);
-+		b4 = htonl(set[i].rr->ttl);       EVP_VerifyUpdate(d->ctx, &b4, 4);
-+		b2 = htons(set[i].wired.length); EVP_VerifyUpdate(d->ctx, &b2, 2);
-+		EVP_VerifyUpdate(d->ctx, set[i].wired.data, set[i].wired.length);
- 	}
- 
- 	schedule_verification(d);
-@@ -371,49 +374,12 @@ static void *rrsig_validate(struct rr *rrv)
- 	return rr;
+     switch (d->rr->algorithm) {
+     case ALG_DSA:
+     case ALG_RSASHA1:
+     case ALG_DSA_NSEC3_SHA1:
+     case ALG_RSASHA1_NSEC3_SHA1:
+-        if (EVP_VerifyInit(&d->ctx, EVP_sha1()) != 1)
++        if (EVP_VerifyInit(d->ctx, EVP_sha1()) != 1)
+             return 0;
+         break;
+     case ALG_RSASHA256:
+-        if (EVP_VerifyInit(&d->ctx, EVP_sha256()) != 1)
++        if (EVP_VerifyInit(d->ctx, EVP_sha256()) != 1)
+             return 0;
+         break;
+     case ALG_RSASHA512:
+-        if (EVP_VerifyInit(&d->ctx, EVP_sha512()) != 1)
++        if (EVP_VerifyInit(d->ctx, EVP_sha512()) != 1)
+             return 0;
+         break;
+     case ALG_ECDSAP256SHA256:
+-        if (EVP_VerifyInit(&d->ctx, EVP_sha256()) != 1)
++        if (EVP_VerifyInit(d->ctx, EVP_sha256()) != 1)
+             return 0;
+         break;
+     case ALG_ECDSAP384SHA384:
+-        if (EVP_VerifyInit(&d->ctx, EVP_sha384()) != 1)
++        if (EVP_VerifyInit(d->ctx, EVP_sha384()) != 1)
+             return 0;
+         break;
+     default:
+@@ -299,7 +308,7 @@ static int verify_signature(struct verif
+     chunk = rrsig_wirerdata_ex(&d->rr->rr, 0);
+     if (chunk.length < 0)
+         return 0;
+-    EVP_VerifyUpdate(&d->ctx, chunk.data, chunk.length);
++    EVP_VerifyUpdate(d->ctx, chunk.data, chunk.length);
+ 
+     set = getmem_temp(sizeof(*set) * signed_set->count);
+ 
+@@ -319,12 +328,12 @@ static int verify_signature(struct verif
+         chunk = name2wire_name(signed_set->named_rr->name);
+         if (chunk.length < 0)
+             return 0;
+-        EVP_VerifyUpdate(&d->ctx, chunk.data, chunk.length);
+-        b2 = htons(set[i].rr->rdtype);    EVP_VerifyUpdate(&d->ctx, &b2, 2);
+-        b2 = htons(1);  /* class IN */   EVP_VerifyUpdate(&d->ctx, &b2, 2);
+-        b4 = htonl(set[i].rr->ttl);       EVP_VerifyUpdate(&d->ctx, &b4, 4);
+-        b2 = htons(set[i].wired.length); EVP_VerifyUpdate(&d->ctx, &b2, 2);
+-        EVP_VerifyUpdate(&d->ctx, set[i].wired.data, set[i].wired.length);
++        EVP_VerifyUpdate(d->ctx, chunk.data, chunk.length);
++        b2 = htons(set[i].rr->rdtype);    EVP_VerifyUpdate(d->ctx, &b2, 2);
++        b2 = htons(1);  /* class IN */   EVP_VerifyUpdate(d->ctx, &b2, 2);
++        b4 = htonl(set[i].rr->ttl);       EVP_VerifyUpdate(d->ctx, &b4, 4);
++        b2 = htons(set[i].wired.length); EVP_VerifyUpdate(d->ctx, &b2, 2);
++        EVP_VerifyUpdate(d->ctx, set[i].wired.data, set[i].wired.length);
+     }
+ 
+     schedule_verification(d);
+@@ -396,49 +405,12 @@ static void *rrsig_validate(struct rr *r
+     return rr;
  }
  
 -static pthread_mutex_t *lock_cs;
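Review bot: In the new `rrsig_parse` block, `ECDSA_SIG_set0( ecdsa_sig, r0, s0 )` hands ownership of `r0` and `s0` to `ecdsa_sig`, so `ECDSA_SIG_free(ecdsa_sig)` already releases them and the following `BN_clear_free( r0 );` and `BN_clear_free( s0 );` free the same BIGNUMs a second time. Those two lines should be dropped. Separately, `BN_new()` and `ECDSA_SIG_new()` are not checked for NULL, the return value of `ECDSA_SIG_set0` is ignored, and the `return NULL;` taken when `BN_bin2bn` fails leaks `r0`, `s0` and `ecdsa_sig`; freeing all three before that return (the BIGNUMs directly, since ownership has not been transferred at that point) would close the leak. rrsig_parse starts and ends outside the hunk.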
@@ -194,55 +141,127 @@ index 81f24b4c49da..0a9e864285d0 100644
 -
 -static unsigned long pthreads_thread_id(void)
 -{
--	unsigned long ret;
+-    unsigned long ret;
 -
--	ret=(unsigned long)pthread_self();
--	return(ret);
+-    ret=(unsigned long)pthread_self();
+-    return(ret);
 -}
 -
 -static void pthreads_locking_callback(int mode, int type, char *file, int line)
 -{
--	if (mode & CRYPTO_LOCK) {
--		pthread_mutex_lock(&(lock_cs[type]));
--		lock_count[type]++;
--	} else {
--		pthread_mutex_unlock(&(lock_cs[type]));
--	}
+-    if (mode & CRYPTO_LOCK) {
+-        pthread_mutex_lock(&(lock_cs[type]));
+-        lock_count[type]++;
+-    } else {
+-        pthread_mutex_unlock(&(lock_cs[type]));
+-    }
 -}
 -
  void verify_all_keys(void)
  {
- 	struct keys_to_verify *k = all_keys_to_verify;
- 	int i;
- 	struct timespec sleep_time;
- 
--	ERR_load_crypto_strings();
--	if (G.opt.n_threads > 1) {
--		lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t));
--		lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long));
--		for (i = 0; i < CRYPTO_num_locks(); i++) {
--			lock_count[i] = 0;
--			pthread_mutex_init(&lock_cs[i],NULL);
--		}
+     struct keys_to_verify *k = all_keys_to_verify;
+     int i;
+     struct timespec sleep_time;
+ 
+-    ERR_load_crypto_strings();
+-    if (G.opt.n_threads > 1) {
+-        lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t));
+-        lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long));
+-        for (i = 0; i < CRYPTO_num_locks(); i++) {
+-            lock_count[i] = 0;
+-            pthread_mutex_init(&lock_cs[i],NULL);
+-        }
 -
--		CRYPTO_set_id_callback((unsigned long (*)())pthreads_thread_id);
--		CRYPTO_set_locking_callback((void (*)())pthreads_locking_callback);
+-        CRYPTO_set_id_callback((unsigned long (*)())pthreads_thread_id);
+-        CRYPTO_set_locking_callback((void (*)())pthreads_locking_callback);
 -
--		if (pthread_mutex_init(&queue_lock, NULL) != 0)
--			croak(1, "pthread_mutex_init");
--	}
+-        if (pthread_mutex_init(&queue_lock, NULL) != 0)
+-            croak(1, "pthread_mutex_init");
+-    }
 -
- 	while (k) {
- 		freeall_temp();
- 		for (i = 0; i < k->n_keys; i++) {
-@@ -446,6 +412,7 @@ void verify_all_keys(void)
- 				if (k->to_verify[i].openssl_error != 0)
- 					e = k->to_verify[i].openssl_error;
- 			}
-+			EVP_MD_CTX_free(k->to_verify[i].ctx);
- 		}
- 		if (!ok) {
- 			struct named_rr *named_rr;
--- 
-2.20.1
-
+     while (k) {
+         freeall_temp();
+         for (i = 0; i < k->n_keys; i++) {
+@@ -471,6 +443,7 @@ void verify_all_keys(void)
+                 if (k->to_verify[i].openssl_error != 0)
+                     e = k->to_verify[i].openssl_error;
+             }
++            EVP_MD_CTX_free(k->to_verify[i].ctx);
+         }
+         if (!ok) {
+             struct named_rr *named_rr;
+--- a/dnskey.c
++++ b/dnskey.c
+@@ -157,6 +157,8 @@ int dnskey_build_pkey(struct rr_dnskey *
+         unsigned int e_bytes;
+         unsigned char *pk;
+         int l;
++        BIGNUM *rsa_n = BN_new(),
++               *rsa_e = BN_new();
+ 
+         rsa = RSA_new();
+         if (!rsa)
+@@ -177,11 +179,13 @@ int dnskey_build_pkey(struct rr_dnskey *
+         if (l < e_bytes) /* public key is too short */
+             goto done;
+ 
+-        rsa->e = BN_bin2bn(pk, e_bytes, NULL);
++        BN_bin2bn(pk, e_bytes, rsa_e);
+         pk += e_bytes;
+         l -= e_bytes;
+ 
+-        rsa->n = BN_bin2bn(pk, l, NULL);
++        BN_bin2bn(pk, l, rsa_n);
++
++        RSA_set0_key( rsa, rsa_n, rsa_e, NULL );
+ 
+         pkey = EVP_PKEY_new();
+         if (!pkey)
+--- a/nsec3checks.c
++++ b/nsec3checks.c
+@@ -28,7 +28,7 @@
+ static struct binary_data name2hash(char *name, struct rr *param)
+ {
+     struct rr_nsec3param *p = (struct rr_nsec3param *)param;
+-    EVP_MD_CTX ctx;
++    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+     unsigned char md0[EVP_MAX_MD_SIZE];
+     unsigned char md1[EVP_MAX_MD_SIZE];
+     unsigned char *md[2];
+@@ -45,26 +45,26 @@ static struct binary_data name2hash(char
+ 
+     /* XXX Maybe use Init_ex and Final_ex for speed? */
+ 
+-    EVP_MD_CTX_init(&ctx);
+-    if (EVP_DigestInit(&ctx, EVP_sha1()) != 1)
++    if (EVP_DigestInit(ctx, EVP_sha1()) != 1)
+         return r;
+-    digest_size = EVP_MD_CTX_size(&ctx);
+-    EVP_DigestUpdate(&ctx, wire_name.data, wire_name.length);
+-    EVP_DigestUpdate(&ctx, p->salt.data, p->salt.length);
+-    EVP_DigestFinal(&ctx, md[mdi], NULL);
++    digest_size = EVP_MD_CTX_size(ctx);
++    EVP_DigestUpdate(ctx, wire_name.data, wire_name.length);
++    EVP_DigestUpdate(ctx, p->salt.data, p->salt.length);
++    EVP_DigestFinal(ctx, md[mdi], NULL);
+ 
+     for (i = 0; i < p->iterations; i++) {
+-        if (EVP_DigestInit(&ctx, EVP_sha1()) != 1)
++        if (EVP_DigestInit(ctx, EVP_sha1()) != 1)
+             return r;
+-        EVP_DigestUpdate(&ctx, md[mdi], digest_size);
++        EVP_DigestUpdate(ctx, md[mdi], digest_size);
+         mdi = (mdi + 1) % 2;
+-        EVP_DigestUpdate(&ctx, p->salt.data, p->salt.length);
+-        EVP_DigestFinal(&ctx, md[mdi], NULL);
++        EVP_DigestUpdate(ctx, p->salt.data, p->salt.length);
++        EVP_DigestFinal(ctx, md[mdi], NULL);
+     }
+ 
+     r.length = digest_size;
+     r.data = getmem(digest_size);
+     memcpy(r.data, md[mdi], digest_size);
++    EVP_MD_CTX_free(ctx);
+     return r;
+ }
+ 
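Review bot: In the refreshed dnskey.c part, the results of both `BN_bin2bn(...)` calls and of `RSA_set0_key( rsa, rsa_n, rsa_e, NULL )` are ignored, so a failed allocation leaves `rsa` without a usable key while `dnskey_build_pkey` carries on to `EVP_PKEY_new()`; the superseded version of this patch had `if (!e || !n) goto done;` at this point. `rsa_n` and `rsa_e` are also allocated with `BN_new()` before the `if (!rsa)` check and the "public key is too short" `goto done;`, so those exits leak them unless the `done:` label, which is outside the hunk, frees them. I would check each call, e.g. `if (!BN_bin2bn(pk, e_bytes, rsa_e)) goto done;` and `if (!RSA_set0_key(rsa, rsa_n, rsa_e, NULL)) goto done;`, and release the BIGNUMs on the failure path. The same pattern is in nsec3checks.c's `name2hash`: `EVP_MD_CTX_new()` is not checked for NULL, and both `return r;` exits after a failed `EVP_DigestInit` skip `EVP_MD_CTX_free(ctx)`.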
diff --git a/debian/patches/fix-dont-overwrite-cflags.patch b/debian/patches/fix-dont-overwrite-cflags.patch
index b7fc38b..be276ed 100644
--- a/debian/patches/fix-dont-overwrite-cflags.patch
+++ b/debian/patches/fix-dont-overwrite-cflags.patch
@@ -14,16 +14,16 @@ Also respect LDFLAGS.
  CC?=cc
  
  # These additional options work on Solaris/gcc to which I have an access
-@@ -28,7 +28,7 @@
+@@ -28,7 +28,7 @@ validns: main.o carp.o mempool.o textpar
  	ipseckey.o cbtree.o mb.o mg.o mr.o minfo.o \
  	afsdb.o x25.o isdn.o rt.o px.o kx.o \
- 	dlv.o dhcid.o nsap.o
+ 	dlv.o dhcid.o nsap.o caa.o
 -	$(CC) $(CFLAGS) $(OPTIMIZE) -o validns \
 +	$(CC) $(LDFLAGS) $(CPPFLAGS) $(CFLAGS) $(OPTIMIZE) -o validns \
  	    main.o carp.o mempool.o textparse.o base64.o base32hex.o \
  	    rr.o soa.o a.o cname.o mx.o ns.o \
  	    rrsig.o nsec.o dnskey.o txt.o aaaa.o \
-@@ -58,160 +58,160 @@
+@@ -59,163 +59,163 @@ clean:
  	@echo ':-)'
  
  main.o: main.c common.h carp.h mempool.h textparse.h rr.h
@@ -186,6 +186,10 @@ Also respect LDFLAGS.
 -	$(CC) $(CFLAGS) $(OPTIMIZE) -c -o sshfp.o sshfp.c $(INCPATH)
 +	$(CC) $(CPPFLAGS) $(CFLAGS) $(OPTIMIZE) -c -o sshfp.o sshfp.c $(INCPATH)
  
+ caa.o: caa.c common.h textparse.h mempool.h carp.h rr.h
+-	$(CC) $(CFLAGS) $(OPTIMIZE) -c -o caa.o caa.c $(INCPATH)
++	$(CC) $(CPPFLAGS) $(CFLAGS) $(OPTIMIZE) -c -o caa.o caa.c $(INCPATH)
+ 
  rp.o: rp.c common.h textparse.h mempool.h carp.h rr.h
 -	$(CC) $(CFLAGS) $(OPTIMIZE) -c -o rp.o rp.c $(INCPATH)
 +	$(CC) $(CPPFLAGS) $(CFLAGS) $(OPTIMIZE) -c -o rp.o rp.c $(INCPATH)
@@ -236,7 +240,7 @@ Also respect LDFLAGS.
  
  test: validns
  	perl -MTest::Harness -e 'runtests("t/test.pl")'
-@@ -220,9 +220,9 @@
+@@ -224,9 +224,9 @@ test-details: validns
  	perl t/test.pl
  
  test64:
diff --git a/debian/patches/fix-makefile-clean.patch b/debian/patches/fix-makefile-clean.patch
index 51e1c79..94ab70f 100644
--- a/debian/patches/fix-makefile-clean.patch
+++ b/debian/patches/fix-makefile-clean.patch
@@ -1,8 +1,8 @@
 --- a/Makefile
 +++ b/Makefile
-@@ -55,6 +55,7 @@
+@@ -55,6 +55,7 @@ clean:
  	-rm -f afsdb.o x25.o isdn.o rt.o px.o kx.o
- 	-rm -f dlv.o dhcid.o nsap.o
+ 	-rm -f dlv.o dhcid.o nsap.o caa.o
  	-rm -f validns.core core
 +	-rm -f base32hex-test base64-test
  	@echo ':-)'
diff --git a/debian/patches/ipseckey-address-possible-string-truncation-warning.patch b/debian/patches/ipseckey-address-possible-string-truncation-warning.patch
index d6e1a70..8dbc118 100644
--- a/debian/patches/ipseckey-address-possible-string-truncation-warning.patch
+++ b/debian/patches/ipseckey-address-possible-string-truncation-warning.patch
@@ -14,31 +14,26 @@ Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
  ipseckey.c | 6 +++---
  1 file changed, 3 insertions(+), 3 deletions(-)
 
-diff --git a/ipseckey.c b/ipseckey.c
-index c5bdf947fad2..0b7946a15432 100644
 --- a/ipseckey.c
 +++ b/ipseckey.c
-@@ -93,17 +93,17 @@ static struct rr *ipseckey_parse(char *name, long ttl, int type, char *s)
+@@ -93,7 +93,7 @@ static struct rr *ipseckey_parse(char *n
  static char* ipseckey_human(struct rr *rrv)
  {
- 	RRCAST(ipseckey);
+     RRCAST(ipseckey);
 -    char s[1024], gw[1024];
 +    char s[1024], gw[1000];
  
- 	switch (rr->gateway_type) {
- 	case 0:
- 		strcpy(gw, rr->gateway.gateway_none);
- 		break;
- 	case 1:
--		inet_ntop(AF_INET, &rr->gateway.gateway_ipv4, gw, 1024);
-+		inet_ntop(AF_INET, &rr->gateway.gateway_ipv4, gw, sizeof(gw));
- 		break;
- 	case 2:
--		inet_ntop(AF_INET6, &rr->gateway.gateway_ipv6, gw, 1024);
-+		inet_ntop(AF_INET6, &rr->gateway.gateway_ipv6, gw, sizeof(gw));
- 		break;
- 	case 3:
- 		strcpy(gw, rr->gateway.gateway_name);
--- 
-2.20.1
-
+     switch (rr->gateway_type) {
+     case 0:
+@@ -101,9 +101,11 @@ static char* ipseckey_human(struct rr *r
+         break;
+     case 1:
+         inet_ntop(AF_INET, &rr->gateway.gateway_ipv4, gw, 1024);
++        inet_ntop(AF_INET, &rr->gateway.gateway_ipv4, gw, sizeof(gw));
+         break;
+     case 2:
+         inet_ntop(AF_INET6, &rr->gateway.gateway_ipv6, gw, 1024);
++        inet_ntop(AF_INET6, &rr->gateway.gateway_ipv6, gw, sizeof(gw));
+         break;
+     case 3:
+         strcpy(gw, rr->gateway.gateway_name);
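Review bot: The refreshed inner hunk `@@ -101,9 +101,11 @@` keeps the two `inet_ntop(..., gw, 1024);` calls as context and adds the `sizeof(gw)` calls after them, while the first inner hunk shrinks the buffer to `char s[1024], gw[1000];`. The patched `ipseckey_human` therefore still passes a length of 1024 for a 1000-byte buffer and formats each address twice. Each `inet_ntop(..., gw, 1024);` line should be replaced by its `sizeof(gw)` counterpart instead of being kept next to it, as the superseded version of this patch did. The `strcpy(gw, rr->gateway.gateway_name);` in case 3 stays unbounded; whether `gateway_name` can exceed 1000 bytes is not visible here, so it is worth confirming or switching to a bounded copy.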
-- 
2.11.0
