Dear maintainer, I've prepared an NMU for validns (versioned as 0.8+git20160720-3.1) and uploaded it to DELAYED/1. Please feel free to tell me if I should delay it longer.
Regards. Sebastian
diff -Nru validns-0.8+git20160720/debian/changelog validns-0.8+git20160720/debian/changelog
--- validns-0.8+git20160720/debian/changelog 2016-12-14 16:01:55.000000000 +0100
+++ validns-0.8+git20160720/debian/changelog 2019-02-22 23:52:58.000000000 +0100
@@ -1,3 +1,12 @@
+validns (0.8+git20160720-3.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Avoid a warning regarding string truncation (Closes: #897882).
+ * Get it compiled against OpenSSL 1.1+ (Closes: #859784).
+ * Use priority optional instead of extra.
+
+ -- Sebastian Andrzej Siewior <sebast...@breakpoint.cc> Fri, 22 Feb 2019 23:52:58 +0100
+
 validns (0.8+git20160720-3) unstable; urgency=medium
 
 * debian/copyright Add License: statement.
diff -Nru validns-0.8+git20160720/debian/control validns-0.8+git20160720/debian/control
--- validns-0.8+git20160720/debian/control 2016-12-14 16:01:55.000000000 +0100
+++ validns-0.8+git20160720/debian/control 2019-02-22 23:52:58.000000000 +0100
@@ -1,9 +1,9 @@
 Source: validns
 Section: net
-Priority: extra
+Priority: optional
 Maintainer: Casper Gielen <casper-ali...@gielen.name>
 Uploaders: Joost van Baal-Ilić <joos...@debian.org>
-Build-Depends: debhelper (>= 9), libssl1.0-dev, libjudy-dev, libtest-command-simple-perl, dpkg-dev (>= 1.16.1~)
+Build-Depends: debhelper (>= 9), libssl-dev, libjudy-dev, libtest-command-simple-perl, dpkg-dev (>= 1.16.1~)
 Standards-Version: 3.9.8
 Homepage: http://www.validns.net/
 Vcs-Git: https://anonscm.debian.org/git/collab-maint/validns.git
diff -Nru validns-0.8+git20160720/debian/patches/fix-compilation-on-openssl-1.1.patch validns-0.8+git20160720/debian/patches/fix-compilation-on-openssl-1.1.patch
--- validns-0.8+git20160720/debian/patches/fix-compilation-on-openssl-1.1.patch 1970-01-01 01:00:00.000000000 +0100
+++ validns-0.8+git20160720/debian/patches/fix-compilation-on-openssl-1.1.patch 2019-02-22 23:50:11.000000000 +0100
@@ -0,0 +1,248 @@
+From: Author: "Chris West (Faux)" <g...@goeswhere.com>
+Date: Fri, 22 Feb 2019 23:39:34 +0100
+Subject: [PATCH] fix compilation on openssl 1.1
+
+BTS: https://bugs.debian.org/859784
+bigeasy: drop locking, check for OOM during allocation.
+Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
+---
+ dnskey.c | 9 +++++--
+ nsec3checks.c | 29 +++++++++++++---------
+ rrsig.c | 69 ++++++++++++++-------------------------------------
+ 3 files changed, 42 insertions(+), 65 deletions(-)
+
+diff --git a/dnskey.c b/dnskey.c
+index fecc62abfd21..fda220c14d08 100644
+--- a/dnskey.c
++++ b/dnskey.c
+@@ -154,6 +154,7 @@ int dnskey_build_pkey(struct rr_dnskey *rr)
+ unsigned int e_bytes;
+ unsigned char *pk;
+ int l;
++ BIGNUM *n, *e;
+
+ rsa = RSA_new();
+ if (!rsa)
+@@ -174,11 +175,15 @@ int dnskey_build_pkey(struct rr_dnskey *rr)
+ if (l < e_bytes) /* public key is too short */
+ goto done;
+
+- rsa->e = BN_bin2bn(pk, e_bytes, NULL);
++ e = BN_bin2bn(pk, e_bytes, NULL);
+ pk += e_bytes;
+ l -= e_bytes;
+
+- rsa->n = BN_bin2bn(pk, l, NULL);
++ n = BN_bin2bn(pk, l, NULL);
++ if (!e || !n)
++ goto done;
++
++ RSA_set0_key(rsa, n, e, NULL);
+
+ pkey = EVP_PKEY_new();
+ if (!pkey)
+diff --git a/nsec3checks.c b/nsec3checks.c
+index 69c655345bad..2abac9efa1bf 100644
+--- a/nsec3checks.c
++++ b/nsec3checks.c
+@@ -28,7 +28,7 @@
+ static struct binary_data name2hash(char *name, struct rr *param)
+ {
+ struct rr_nsec3param *p = (struct rr_nsec3param *)param;
+- EVP_MD_CTX ctx;
++ EVP_MD_CTX *ctx;
+ unsigned char md0[EVP_MAX_MD_SIZE];
+ unsigned char md1[EVP_MAX_MD_SIZE];
+ unsigned char *md[2];
+@@ -45,26 +45,31 @@ static struct binary_data name2hash(char *name, struct rr *param)
+
+ /* XXX Maybe use Init_ex and Final_ex for speed?
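Review bot: In the second dnskey.c hunk, when only one of the two `BN_bin2bn()` calls fails, the `goto done` path leaves the other BIGNUM without an owner, and the result of `RSA_set0_key()` is ignored even though `n` and `e` are handed over to `rsa` only when it succeeds. Before this change both values were stored in `rsa` as soon as they were created, so they were presumably released together with it. Free them on the error path and check the setter, e.g. `if (!e || !n || RSA_set0_key(rsa, n, e, NULL) != 1) { BN_free(e); BN_free(n); goto done; }`. The `done` label and the rest of dnskey_build_pkey lie outside the hunk, so confirm it does not already release `n` and `e`.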
*/
+
+- EVP_MD_CTX_init(&ctx);
+- if (EVP_DigestInit(&ctx, EVP_sha1()) != 1)
++ ctx = EVP_MD_CTX_new();
++ if (ctx == NULL)
+ return r;
+- digest_size = EVP_MD_CTX_size(&ctx);
+- EVP_DigestUpdate(&ctx, wire_name.data, wire_name.length);
+- EVP_DigestUpdate(&ctx, p->salt.data, p->salt.length);
+- EVP_DigestFinal(&ctx, md[mdi], NULL);
++ if (EVP_DigestInit(ctx, EVP_sha1()) != 1)
++ goto out;
++ digest_size = EVP_MD_CTX_size(ctx);
++ EVP_DigestUpdate(ctx, wire_name.data, wire_name.length);
++ EVP_DigestUpdate(ctx, p->salt.data, p->salt.length);
++ EVP_DigestFinal(ctx, md[mdi], NULL);
+
+ for (i = 0; i < p->iterations; i++) {
+- if (EVP_DigestInit(&ctx, EVP_sha1()) != 1)
+- return r;
+- EVP_DigestUpdate(&ctx, md[mdi], digest_size);
++ if (EVP_DigestInit(ctx, EVP_sha1()) != 1)
++ goto out;
++
++ EVP_DigestUpdate(ctx, md[mdi], digest_size);
+ mdi = (mdi + 1) % 2;
+- EVP_DigestUpdate(&ctx, p->salt.data, p->salt.length);
+- EVP_DigestFinal(&ctx, md[mdi], NULL);
++ EVP_DigestUpdate(ctx, p->salt.data, p->salt.length);
++ EVP_DigestFinal(ctx, md[mdi], NULL);
+ }
+
+ r.length = digest_size;
+ r.data = getmem(digest_size);
+ memcpy(r.data, md[mdi], digest_size);
++out:
++ EVP_MD_CTX_free(ctx);
+ return r;
+ }
+
+diff --git a/rrsig.c b/rrsig.c
+index 81f24b4c49da..0a9e864285d0 100644
+--- a/rrsig.c
++++ b/rrsig.c
+@@ -26,7 +26,7 @@
+ struct verification_data
+ {
+ struct verification_data *next;
+- EVP_MD_CTX ctx;
++ EVP_MD_CTX *ctx;
+ struct rr_dnskey *key;
+ struct rr_rrsig *rr;
+ int ok;
+@@ -180,7 +180,7 @@ void *verification_thread(void *dummy)
+ if (d) {
+ int r;
+ d->next = NULL;
+- r = EVP_VerifyFinal(&d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
++ r = EVP_VerifyFinal(d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
+ if (r == 1) {
+ d->ok = 1;
+ } else {
+@@ -232,7 +232,7 @@ static void schedule_verification(struct verification_data *d)
+ } else {
+ int r;
+ G.stats.signatures_verified++;
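Review bot: The converted name2hash in nsec3checks.c still ignores the results of `EVP_DigestUpdate()` and `EVP_DigestFinal()`, so a failing digest step would let the final `memcpy` copy whatever the uninitialised `md0`/`md1` buffer holds into the returned NSEC3 hash. Since this hunk already introduces the `out:` cleanup label, each call can be checked the same way as `EVP_DigestInit()`, for example `if (EVP_DigestFinal(ctx, md[mdi], NULL) != 1) goto out;`. What `r` contains on those early exits is set above the hunk, so confirm that callers treat it as a failure.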
+- r = EVP_VerifyFinal(&d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
++ r = EVP_VerifyFinal(d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
+ if (r == 1) {
+ d->ok = 1;
+ } else {
+@@ -250,21 +250,24 @@ static int verify_signature(struct verification_data *d, struct rr_set *signed_s
+ struct rr *signed_rr;
+ int i;
+
+- EVP_MD_CTX_init(&d->ctx);
++ d->ctx = EVP_MD_CTX_new();
++ if (!d->ctx)
++ return 0;
++
+ switch (d->rr->algorithm) {
+ case ALG_DSA:
+ case ALG_RSASHA1:
+ case ALG_DSA_NSEC3_SHA1:
+ case ALG_RSASHA1_NSEC3_SHA1:
+- if (EVP_VerifyInit(&d->ctx, EVP_sha1()) != 1)
++ if (EVP_VerifyInit(d->ctx, EVP_sha1()) != 1)
+ return 0;
+ break;
+ case ALG_RSASHA256:
+- if (EVP_VerifyInit(&d->ctx, EVP_sha256()) != 1)
++ if (EVP_VerifyInit(d->ctx, EVP_sha256()) != 1)
+ return 0;
+ break;
+ case ALG_RSASHA512:
+- if (EVP_VerifyInit(&d->ctx, EVP_sha512()) != 1)
++ if (EVP_VerifyInit(d->ctx, EVP_sha512()) != 1)
+ return 0;
+ break;
+ default:
+@@ -274,7 +277,7 @@ static int verify_signature(struct verification_data *d, struct rr_set *signed_s
+ chunk = rrsig_wirerdata_ex(&d->rr->rr, 0);
+ if (chunk.length < 0)
+ return 0;
+- EVP_VerifyUpdate(&d->ctx, chunk.data, chunk.length);
++ EVP_VerifyUpdate(d->ctx, chunk.data, chunk.length);
+
+ set = getmem_temp(sizeof(*set) * signed_set->count);
+
+@@ -294,12 +297,12 @@ static int verify_signature(struct verification_data *d, struct rr_set *signed_s
+ chunk = name2wire_name(signed_set->named_rr->name);
+ if (chunk.length < 0)
+ return 0;
+- EVP_VerifyUpdate(&d->ctx, chunk.data, chunk.length);
+- b2 = htons(set[i].rr->rdtype); EVP_VerifyUpdate(&d->ctx, &b2, 2);
+- b2 = htons(1); /* class IN */ EVP_VerifyUpdate(&d->ctx, &b2, 2);
+- b4 = htonl(set[i].rr->ttl); EVP_VerifyUpdate(&d->ctx, &b4, 4);
+- b2 = htons(set[i].wired.length); EVP_VerifyUpdate(&d->ctx, &b2, 2);
+- EVP_VerifyUpdate(&d->ctx, set[i].wired.data, set[i].wired.length);
++
EVP_VerifyUpdate(d->ctx, chunk.data, chunk.length);
++ b2 = htons(set[i].rr->rdtype); EVP_VerifyUpdate(d->ctx, &b2, 2);
++ b2 = htons(1); /* class IN */ EVP_VerifyUpdate(d->ctx, &b2, 2);
++ b4 = htonl(set[i].rr->ttl); EVP_VerifyUpdate(d->ctx, &b4, 4);
++ b2 = htons(set[i].wired.length); EVP_VerifyUpdate(d->ctx, &b2, 2);
++ EVP_VerifyUpdate(d->ctx, set[i].wired.data, set[i].wired.length);
+ }
+
+ schedule_verification(d);
+@@ -371,49 +374,12 @@ static void *rrsig_validate(struct rr *rrv)
+ return rr;
+ }
+
+-static pthread_mutex_t *lock_cs;
+-static long *lock_count;
+-
+-static unsigned long pthreads_thread_id(void)
+-{
+- unsigned long ret;
+-
+- ret=(unsigned long)pthread_self();
+- return(ret);
+-}
+-
+-static void pthreads_locking_callback(int mode, int type, char *file, int line)
+-{
+- if (mode & CRYPTO_LOCK) {
+- pthread_mutex_lock(&(lock_cs[type]));
+- lock_count[type]++;
+- } else {
+- pthread_mutex_unlock(&(lock_cs[type]));
+- }
+-}
+-
+ void verify_all_keys(void)
+ {
+ struct keys_to_verify *k = all_keys_to_verify;
+ int i;
+ struct timespec sleep_time;
+
+- ERR_load_crypto_strings();
+- if (G.opt.n_threads > 1) {
+- lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t));
+- lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long));
+- for (i = 0; i < CRYPTO_num_locks(); i++) {
+- lock_count[i] = 0;
+- pthread_mutex_init(&lock_cs[i],NULL);
+- }
+-
+- CRYPTO_set_id_callback((unsigned long (*)())pthreads_thread_id);
+- CRYPTO_set_locking_callback((void (*)())pthreads_locking_callback);
+-
+- if (pthread_mutex_init(&queue_lock, NULL) != 0)
+- croak(1, "pthread_mutex_init");
+- }
+-
+ while (k) {
+ freeall_temp();
+ for (i = 0; i < k->n_keys; i++) {
+@@ -446,6 +412,7 @@ void verify_all_keys(void)
+ if (k->to_verify[i].openssl_error != 0)
+ e = k->to_verify[i].openssl_error;
+ }
++ EVP_MD_CTX_free(k->to_verify[i].ctx);
+ }
+ if (!ok) {
+ struct named_rr *named_rr;
+--
+2.20.1
+
diff -Nru
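Review bot: The `EVP_MD_CTX_free(k->to_verify[i].ctx)` added in the last rrsig.c hunk runs for every entry, but in the visible hunks `ctx` is assigned only inside verify_signature, so an entry that never reached `EVP_MD_CTX_new()` is freed with whatever the field happened to hold. Unless `to_verify` is zero-allocated (not visible here), set `ctx = NULL` where the entry is created, and reset it after the free so a second pass cannot free it twice. The preceding hunk in the same function also removes `pthread_mutex_init(&queue_lock, NULL)` together with the OpenSSL locking callbacks; if the verification threads still use `queue_lock` and it has no static initialiser, keep that call or declare it with `PTHREAD_MUTEX_INITIALIZER`. verify_all_keys starts and ends outside both hunks.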
validns-0.8+git20160720/debian/patches/ipseckey-address-possible-string-truncation-warning.patch validns-0.8+git20160720/debian/patches/ipseckey-address-possible-string-truncation-warning.patch
--- validns-0.8+git20160720/debian/patches/ipseckey-address-possible-string-truncation-warning.patch 1970-01-01 01:00:00.000000000 +0100
+++ validns-0.8+git20160720/debian/patches/ipseckey-address-possible-string-truncation-warning.patch 2019-02-22 23:52:07.000000000 +0100
@@ -0,0 +1,44 @@
+From: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
+Date: Fri, 22 Feb 2019 23:36:17 +0100
+Subject: [PATCH] ipseckey: address possible string truncation warning
+
+gcc-8 creates this:
+|ipseckey.c: In function 'ipseckey_human':
+|ipseckey.c:114:35: error: '%s' directive output may be truncated writing up to 1023 bytes into a region of size between 1010 and 1016 [-Werror=format-truncation=]
+
+Avoid the warning by limiting the length of the string.
+
+BTS: https://bugs.debian.org/897882
+Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
+---
+ ipseckey.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/ipseckey.c b/ipseckey.c
+index c5bdf947fad2..0b7946a15432 100644
+--- a/ipseckey.c
++++ b/ipseckey.c
+@@ -93,17 +93,17 @@ static struct rr *ipseckey_parse(char *name, long ttl, int type, char *s)
+ static char* ipseckey_human(struct rr *rrv)
+ {
+ RRCAST(ipseckey);
+- char s[1024], gw[1024];
++ char s[1024], gw[1000];
+
+ switch (rr->gateway_type) {
+ case 0:
+ strcpy(gw, rr->gateway.gateway_none);
+ break;
+ case 1:
+- inet_ntop(AF_INET, &rr->gateway.gateway_ipv4, gw, 1024);
++ inet_ntop(AF_INET, &rr->gateway.gateway_ipv4, gw, sizeof(gw));
+ break;
+ case 2:
+- inet_ntop(AF_INET6, &rr->gateway.gateway_ipv6, gw, 1024);
++ inet_ntop(AF_INET6, &rr->gateway.gateway_ipv6, gw, sizeof(gw));
+ break;
+ case 3:
+ strcpy(gw, rr->gateway.gateway_name);
+--
+2.20.1
+
diff -Nru validns-0.8+git20160720/debian/patches/series validns-0.8+git20160720/debian/patches/series
--- validns-0.8+git20160720/debian/patches/series 2016-12-14 16:01:55.000000000 +0100
+++ validns-0.8+git20160720/debian/patches/series 2019-02-22 23:50:28.000000000 +0100
@@ -1,3 +1,5 @@
 fix-makefile-clean.patch
 fix-dont-overwrite-cflags.patch
 ignoreQuilt.patch
+ipseckey-address-possible-string-truncation-warning.patch
+fix-compilation-on-openssl-1.1.patch
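Review bot: Shrinking `gw` to 1000 bytes in ipseckey_human silences the format-truncation warning but leaves the two `strcpy(gw, ...)` calls in cases 0 and 3 unbounded against a buffer that is now smaller. The maximum length of `rr->gateway.gateway_name` is decided by the parser, which is outside this hunk; unless it is guaranteed to stay below `sizeof(gw)`, use a bounded copy such as `snprintf(gw, sizeof(gw), "%s", rr->gateway.gateway_name);`. The `inet_ntop()` results are also unchecked, so `gw` would be read uninitialised if a conversion failed. The function body continues past the end of the hunk.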