On Sun, 18 Aug 2019 05:54:56 +0200 Joost van Baal-Ilić <joos...@debian.org> wrote: > Package: validns > Version: 0.8+git20160720-3.1 > Severity: normal > > Prof. Ernesto Hernández-Novich (emhn-guest) offered help in private > communication, and donated a patch in private communication. > (Thanks!) His patch, which builds a current upstream, should get > applied.
Attached you'll find the patch mentioned. This patch provides updated `quilt` patches so upstream `validns` commit f423245b9867359398f83e8a60fea167ad7694ca Author: Anton Berezin <to...@tobez.org> Date: Fri Aug 4 16:27:44 2017 +0200 builds against OpenSSL 1.1. I've been using this patch for over a month with a Debian 9 targeted package, and have had no issues. I wrote upstream asking whether or not they would update their code to work with OpenSSL 1.1 but haven't gotten an answer. Regards, -- Prof. Ernesto Hernández-Novich - MYS-220C - @iamemhn Geek by nature, Linux by choice, Debian of course. If you can't aptitude it, it isn't useful or doesn't exist. GPG Key Fingerprint = 0064 ADF5 EB5C DE16 99C1 6C56 F2A3 86B5 A757 E5A1
From bc36d7d8b48874199118f786060a117a208c1f9e Mon Sep 17 00:00:00 2001 From: Ernesto Hernández-Novich <e...@ubs.ve> Date: Thu, 18 Jul 2019 16:00:44 -0700 Subject: Make latest `validns` build on Debian 9 (and later) --- .../patches/fix-compilation-on-openssl-1.1.patch | 441 +++++++++++---------- debian/patches/fix-dont-overwrite-cflags.patch | 12 +- debian/patches/fix-makefile-clean.patch | 4 +- ...ddress-possible-string-truncation-warning.patch | 37 +- 4 files changed, 256 insertions(+), 238 deletions(-) diff --git a/debian/patches/fix-compilation-on-openssl-1.1.patch b/debian/patches/fix-compilation-on-openssl-1.1.patch index f20384c..45d815a 100644 --- a/debian/patches/fix-compilation-on-openssl-1.1.patch +++ b/debian/patches/fix-compilation-on-openssl-1.1.patch @@ -11,182 +11,129 @@ 
Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc> rrsig.c | 69 ++++++++++++++------------------------------------- 3 files changed, 42 insertions(+), 65 deletions(-) -diff --git a/dnskey.c b/dnskey.c -index fecc62abfd21..fda220c14d08 100644 ---- a/dnskey.c -+++ b/dnskey.c -@@ -154,6 +154,7 @@ int dnskey_build_pkey(struct rr_dnskey *rr) - unsigned int e_bytes; - unsigned char *pk; - int l; -+ BIGNUM *n, *e; - - rsa = RSA_new(); - if (!rsa) -@@ -174,11 +175,15 @@ int dnskey_build_pkey(struct rr_dnskey *rr) - if (l < e_bytes) /* public key is too short */ - goto done; - -- rsa->e = BN_bin2bn(pk, e_bytes, NULL); -+ e = BN_bin2bn(pk, e_bytes, NULL); - pk += e_bytes; - l -= e_bytes; - -- rsa->n = BN_bin2bn(pk, l, NULL); -+ n = BN_bin2bn(pk, l, NULL); -+ if (!e || !n) -+ goto done; -+ -+ RSA_set0_key(rsa, n, e, NULL); - - pkey = EVP_PKEY_new(); - if (!pkey) -diff --git a/nsec3checks.c b/nsec3checks.c -index 69c655345bad..2abac9efa1bf 100644 ---- a/nsec3checks.c -+++ b/nsec3checks.c -@@ -28,7 +28,7 @@ - static struct binary_data name2hash(char *name, struct rr *param) - { - struct rr_nsec3param *p = (struct rr_nsec3param *)param; -- EVP_MD_CTX ctx; -+ EVP_MD_CTX *ctx; - unsigned char md0[EVP_MAX_MD_SIZE]; - unsigned char md1[EVP_MAX_MD_SIZE]; - unsigned char *md[2]; -@@ -45,26 +45,31 @@ static struct binary_data name2hash(char *name, struct rr *param) - - /* XXX Maybe use Init_ex and Final_ex for speed? 
*/ - -- EVP_MD_CTX_init(&ctx); -- if (EVP_DigestInit(&ctx, EVP_sha1()) != 1) -+ ctx = EVP_MD_CTX_new(); -+ if (ctx == NULL) - return r; -- digest_size = EVP_MD_CTX_size(&ctx); -- EVP_DigestUpdate(&ctx, wire_name.data, wire_name.length); -- EVP_DigestUpdate(&ctx, p->salt.data, p->salt.length); -- EVP_DigestFinal(&ctx, md[mdi], NULL); -+ if (EVP_DigestInit(ctx, EVP_sha1()) != 1) -+ goto out; -+ digest_size = EVP_MD_CTX_size(ctx); -+ EVP_DigestUpdate(ctx, wire_name.data, wire_name.length); -+ EVP_DigestUpdate(ctx, p->salt.data, p->salt.length); -+ EVP_DigestFinal(ctx, md[mdi], NULL); - - for (i = 0; i < p->iterations; i++) { -- if (EVP_DigestInit(&ctx, EVP_sha1()) != 1) -- return r; -- EVP_DigestUpdate(&ctx, md[mdi], digest_size); -+ if (EVP_DigestInit(ctx, EVP_sha1()) != 1) -+ goto out; -+ -+ EVP_DigestUpdate(ctx, md[mdi], digest_size); - mdi = (mdi + 1) % 2; -- EVP_DigestUpdate(&ctx, p->salt.data, p->salt.length); -- EVP_DigestFinal(&ctx, md[mdi], NULL); -+ EVP_DigestUpdate(ctx, p->salt.data, p->salt.length); -+ EVP_DigestFinal(ctx, md[mdi], NULL); - } - - r.length = digest_size; - r.data = getmem(digest_size); - memcpy(r.data, md[mdi], digest_size); -+out: -+ EVP_MD_CTX_free(ctx); - return r; - } - -diff --git a/rrsig.c b/rrsig.c -index 81f24b4c49da..0a9e864285d0 100644 --- a/rrsig.c 
+++ b/rrsig.c -@@ -26,7 +26,7 @@ +@@ -27,7 +27,7 @@ struct verification_data { - struct verification_data *next; -- EVP_MD_CTX ctx; -+ EVP_MD_CTX *ctx; - struct rr_dnskey *key; - struct rr_rrsig *rr; - int ok; -@@ -180,7 +180,7 @@ void *verification_thread(void *dummy) - if (d) { - int r; - d->next = NULL; -- r = EVP_VerifyFinal(&d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey); -+ r = EVP_VerifyFinal(d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey); - if (r == 1) { - d->ok = 1; - } else { -@@ -232,7 +232,7 @@ static void schedule_verification(struct verification_data *d) - } else { - int r; - G.stats.signatures_verified++; -- r = EVP_VerifyFinal(&d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey); -+ r = EVP_VerifyFinal(d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey); - if (r == 1) { - d->ok = 1; - } else { -@@ -250,21 +250,24 @@ static int verify_signature(struct verification_data *d, struct rr_set *signed_s - struct rr *signed_rr; - int i; - -- EVP_MD_CTX_init(&d->ctx); -+ d->ctx = EVP_MD_CTX_new(); -+ if (!d->ctx) -+ return 0; + struct verification_data *next; +- EVP_MD_CTX ctx; ++ EVP_MD_CTX *ctx; + struct rr_dnskey *key; + struct rr_rrsig *rr; + int ok; +@@ -96,16 +96,22 @@ static struct rr* rrsig_parse(char *name + * Transform ECDSA signatures from DNSSEC vanilla binary + * representation (r || s) into OpenSSL ASN.1 DER format + */ ++ BIGNUM *r0 = BN_new(), ++ *s0 = BN_new(); ++ + ECDSA_SIG *ecdsa_sig = ECDSA_SIG_new(); + int l = sig.length / 2; +- if ((BN_bin2bn((unsigned char *)sig.data, l, ecdsa_sig->r) == NULL) || +- (BN_bin2bn(((unsigned char *)sig.data) + l, l, ecdsa_sig->s) == NULL)) ++ if ((BN_bin2bn((unsigned char *)sig.data, l, r0) == NULL) || ++ (BN_bin2bn(((unsigned char *)sig.data) + l, l, s0) == NULL)) + return NULL; ++ ECDSA_SIG_set0( ecdsa_sig, r0, s0 ); + sig.length = i2d_ECDSA_SIG(ecdsa_sig, 
NULL); + sig.data = getmem(sig.length); /* reallocate larger mempool chunk */ + unsigned char *sig_ptr = (unsigned char *)sig.data; + sig.length = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr); + ECDSA_SIG_free(ecdsa_sig); ++ BN_clear_free( r0 ); ++ BN_clear_free( s0 ); + } + rr->signature = sig; + +@@ -197,7 +203,7 @@ void *verification_thread(void *dummy) + if (d) { + int r; + d->next = NULL; +- r = EVP_VerifyFinal(&d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey); ++ r = EVP_VerifyFinal(d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey); + if (r == 1) { + d->ok = 1; + } else { +@@ -249,7 +255,7 @@ static void schedule_verification(struct + } else { + int r; + G.stats.signatures_verified++; +- r = EVP_VerifyFinal(&d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey); ++ r = EVP_VerifyFinal(d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey); + if (r == 1) { + d->ok = 1; + } else { +@@ -267,29 +273,32 @@ static int verify_signature(struct verif + struct rr *signed_rr; + int i; + +- EVP_MD_CTX_init(&d->ctx); ++ d->ctx = EVP_MD_CTX_new(); ++ if (!d->ctx) ++ return 0; + - switch (d->rr->algorithm) { - case ALG_DSA: - case ALG_RSASHA1: - case ALG_DSA_NSEC3_SHA1: - case ALG_RSASHA1_NSEC3_SHA1: -- if (EVP_VerifyInit(&d->ctx, EVP_sha1()) != 1) -+ if (EVP_VerifyInit(d->ctx, EVP_sha1()) != 1) - return 0; - break; - case ALG_RSASHA256: -- if (EVP_VerifyInit(&d->ctx, EVP_sha256()) != 1) -+ if (EVP_VerifyInit(d->ctx, EVP_sha256()) != 1) - return 0; - break; - case ALG_RSASHA512: -- if (EVP_VerifyInit(&d->ctx, EVP_sha512()) != 1) -+ if (EVP_VerifyInit(d->ctx, EVP_sha512()) != 1) - return 0; - break; - default: -@@ -274,7 +277,7 @@ static int verify_signature(struct verification_data *d, struct rr_set *signed_s - chunk = rrsig_wirerdata_ex(&d->rr->rr, 0); - if (chunk.length < 0) - return 0; -- EVP_VerifyUpdate(&d->ctx, chunk.data, chunk.length); -+ 
EVP_VerifyUpdate(d->ctx, chunk.data, chunk.length); - - set = getmem_temp(sizeof(*set) * signed_set->count); - -@@ -294,12 +297,12 @@ static int verify_signature(struct verification_data *d, struct rr_set *signed_s - chunk = name2wire_name(signed_set->named_rr->name); - if (chunk.length < 0) - return 0; -- EVP_VerifyUpdate(&d->ctx, chunk.data, chunk.length); -- b2 = htons(set[i].rr->rdtype); EVP_VerifyUpdate(&d->ctx, &b2, 2); -- b2 = htons(1); /* class IN */ EVP_VerifyUpdate(&d->ctx, &b2, 2); -- b4 = htonl(set[i].rr->ttl); EVP_VerifyUpdate(&d->ctx, &b4, 4); -- b2 = htons(set[i].wired.length); EVP_VerifyUpdate(&d->ctx, &b2, 2); -- EVP_VerifyUpdate(&d->ctx, set[i].wired.data, set[i].wired.length); -+ EVP_VerifyUpdate(d->ctx, chunk.data, chunk.length); -+ b2 = htons(set[i].rr->rdtype); EVP_VerifyUpdate(d->ctx, &b2, 2); -+ b2 = htons(1); /* class IN */ EVP_VerifyUpdate(d->ctx, &b2, 2); -+ b4 = htonl(set[i].rr->ttl); EVP_VerifyUpdate(d->ctx, &b4, 4); -+ b2 = htons(set[i].wired.length); EVP_VerifyUpdate(d->ctx, &b2, 2); -+ EVP_VerifyUpdate(d->ctx, set[i].wired.data, set[i].wired.length); - } - - schedule_verification(d); -@@ -371,49 +374,12 @@ static void *rrsig_validate(struct rr *rrv) - return rr; + switch (d->rr->algorithm) { + case ALG_DSA: + case ALG_RSASHA1: + case ALG_DSA_NSEC3_SHA1: + case ALG_RSASHA1_NSEC3_SHA1: +- if (EVP_VerifyInit(&d->ctx, EVP_sha1()) != 1) ++ if (EVP_VerifyInit(d->ctx, EVP_sha1()) != 1) + return 0; + break; + case ALG_RSASHA256: +- if (EVP_VerifyInit(&d->ctx, EVP_sha256()) != 1) ++ if (EVP_VerifyInit(d->ctx, EVP_sha256()) != 1) + return 0; + break; + case ALG_RSASHA512: +- if (EVP_VerifyInit(&d->ctx, EVP_sha512()) != 1) ++ if (EVP_VerifyInit(d->ctx, EVP_sha512()) != 1) + return 0; + break; + case ALG_ECDSAP256SHA256: +- if (EVP_VerifyInit(&d->ctx, EVP_sha256()) != 1) ++ if (EVP_VerifyInit(d->ctx, EVP_sha256()) != 1) + return 0; + break; + case ALG_ECDSAP384SHA384: +- if (EVP_VerifyInit(&d->ctx, EVP_sha384()) != 1) ++ if 
(EVP_VerifyInit(d->ctx, EVP_sha384()) != 1) + return 0; + break; + default: +@@ -299,7 +308,7 @@ static int verify_signature(struct verif + chunk = rrsig_wirerdata_ex(&d->rr->rr, 0); + if (chunk.length < 0) + return 0; +- EVP_VerifyUpdate(&d->ctx, chunk.data, chunk.length); ++ EVP_VerifyUpdate(d->ctx, chunk.data, chunk.length); + + set = getmem_temp(sizeof(*set) * signed_set->count); + +@@ -319,12 +328,12 @@ static int verify_signature(struct verif + chunk = name2wire_name(signed_set->named_rr->name); + if (chunk.length < 0) + return 0; +- EVP_VerifyUpdate(&d->ctx, chunk.data, chunk.length); +- b2 = htons(set[i].rr->rdtype); EVP_VerifyUpdate(&d->ctx, &b2, 2); +- b2 = htons(1); /* class IN */ EVP_VerifyUpdate(&d->ctx, &b2, 2); +- b4 = htonl(set[i].rr->ttl); EVP_VerifyUpdate(&d->ctx, &b4, 4); +- b2 = htons(set[i].wired.length); EVP_VerifyUpdate(&d->ctx, &b2, 2); +- EVP_VerifyUpdate(&d->ctx, set[i].wired.data, set[i].wired.length); ++ EVP_VerifyUpdate(d->ctx, chunk.data, chunk.length); ++ b2 = htons(set[i].rr->rdtype); EVP_VerifyUpdate(d->ctx, &b2, 2); ++ b2 = htons(1); /* class IN */ EVP_VerifyUpdate(d->ctx, &b2, 2); ++ b4 = htonl(set[i].rr->ttl); EVP_VerifyUpdate(d->ctx, &b4, 4); ++ b2 = htons(set[i].wired.length); EVP_VerifyUpdate(d->ctx, &b2, 2); ++ EVP_VerifyUpdate(d->ctx, set[i].wired.data, set[i].wired.length); + } + + schedule_verification(d); +@@ -396,49 +405,12 @@ static void *rrsig_validate(struct rr *r + return rr; } -static pthread_mutex_t *lock_cs; 
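Review bot: In the refreshed rrsig.c section, the ECDSA branch of rrsig_parse releases r0 and s0 twice. `ECDSA_SIG_set0( ecdsa_sig, r0, s0 )` transfers ownership of both BIGNUMs to ecdsa_sig and `ECDSA_SIG_free(ecdsa_sig)` then frees them, so the added `BN_clear_free( r0 );` and `BN_clear_free( s0 );` act on memory that is already freed. This branch handles signature bytes from the records being parsed, so the double free looks reachable from input, and the two BN_clear_free lines should be dropped. The `return NULL` taken when BN_bin2bn fails is the one exit where r0, s0 and ecdsa_sig do need to be freed explicitly, and the results of BN_new() and ECDSA_SIG_new() are used unchecked. rrsig_parse begins and ends outside the hunk.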
@@ -194,55 +141,127 @@ index 81f24b4c49da..0a9e864285d0 100644 - -static unsigned long pthreads_thread_id(void) -{ -- unsigned long ret; +- unsigned long ret; - -- ret=(unsigned long)pthread_self(); -- return(ret); +- ret=(unsigned long)pthread_self(); +- return(ret); -} - -static void pthreads_locking_callback(int mode, int type, char *file, int line) -{ -- if (mode & CRYPTO_LOCK) { -- pthread_mutex_lock(&(lock_cs[type])); -- lock_count[type]++; -- } else { -- pthread_mutex_unlock(&(lock_cs[type])); -- } +- if (mode & CRYPTO_LOCK) { +- pthread_mutex_lock(&(lock_cs[type])); +- lock_count[type]++; +- } else { +- pthread_mutex_unlock(&(lock_cs[type])); +- } -} - void verify_all_keys(void) { - struct keys_to_verify *k = all_keys_to_verify; - int i; - struct timespec sleep_time; - -- ERR_load_crypto_strings(); -- if (G.opt.n_threads > 1) { -- lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t)); -- lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long)); -- for (i = 0; i < CRYPTO_num_locks(); i++) { -- lock_count[i] = 0; -- pthread_mutex_init(&lock_cs[i],NULL); -- } + struct keys_to_verify *k = all_keys_to_verify; + int i; + struct timespec sleep_time; + +- ERR_load_crypto_strings(); +- if (G.opt.n_threads > 1) { +- lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t)); +- lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long)); +- for (i = 0; i < CRYPTO_num_locks(); i++) { +- lock_count[i] = 0; +- pthread_mutex_init(&lock_cs[i],NULL); +- } - -- CRYPTO_set_id_callback((unsigned long (*)())pthreads_thread_id); -- CRYPTO_set_locking_callback((void (*)())pthreads_locking_callback); +- CRYPTO_set_id_callback((unsigned long (*)())pthreads_thread_id); +- CRYPTO_set_locking_callback((void (*)())pthreads_locking_callback); - -- if (pthread_mutex_init(&queue_lock, NULL) != 0) -- croak(1, "pthread_mutex_init"); -- } +- if (pthread_mutex_init(&queue_lock, NULL) != 0) +- croak(1, "pthread_mutex_init"); +- } - - while (k) { - 
freeall_temp(); - for (i = 0; i < k->n_keys; i++) { -@@ -446,6 +412,7 @@ void verify_all_keys(void) - if (k->to_verify[i].openssl_error != 0) - e = k->to_verify[i].openssl_error; - } -+ EVP_MD_CTX_free(k->to_verify[i].ctx); - } - if (!ok) { - struct named_rr *named_rr; --- -2.20.1 - + while (k) { + freeall_temp(); + for (i = 0; i < k->n_keys; i++) { +@@ -471,6 +443,7 @@ void verify_all_keys(void) + if (k->to_verify[i].openssl_error != 0) + e = k->to_verify[i].openssl_error; + } ++ EVP_MD_CTX_free(k->to_verify[i].ctx); + } + if (!ok) { + struct named_rr *named_rr; +--- a/dnskey.c ++++ b/dnskey.c +@@ -157,6 +157,8 @@ int dnskey_build_pkey(struct rr_dnskey * + unsigned int e_bytes; + unsigned char *pk; + int l; ++ BIGNUM *rsa_n = BN_new(), ++ *rsa_e = BN_new(); + + rsa = RSA_new(); + if (!rsa) +@@ -177,11 +179,13 @@ int dnskey_build_pkey(struct rr_dnskey * + if (l < e_bytes) /* public key is too short */ + goto done; + +- rsa->e = BN_bin2bn(pk, e_bytes, NULL); ++ BN_bin2bn(pk, e_bytes, rsa_e); + pk += e_bytes; + l -= e_bytes; + +- rsa->n = BN_bin2bn(pk, l, NULL); ++ BN_bin2bn(pk, l, rsa_n); ++ ++ RSA_set0_key( rsa, rsa_n, rsa_e, NULL ); + + pkey = EVP_PKEY_new(); + if (!pkey) +--- a/nsec3checks.c ++++ b/nsec3checks.c +@@ -28,7 +28,7 @@ + static struct binary_data name2hash(char *name, struct rr *param) + { + struct rr_nsec3param *p = (struct rr_nsec3param *)param; +- EVP_MD_CTX ctx; ++ EVP_MD_CTX *ctx = EVP_MD_CTX_new(); + unsigned char md0[EVP_MAX_MD_SIZE]; + unsigned char md1[EVP_MAX_MD_SIZE]; + unsigned char *md[2]; +@@ -45,26 +45,26 @@ static struct binary_data name2hash(char + + /* XXX Maybe use Init_ex and Final_ex for speed? 
*/ + +- EVP_MD_CTX_init(&ctx); +- if (EVP_DigestInit(&ctx, EVP_sha1()) != 1) ++ if (EVP_DigestInit(ctx, EVP_sha1()) != 1) + return r; +- digest_size = EVP_MD_CTX_size(&ctx); +- EVP_DigestUpdate(&ctx, wire_name.data, wire_name.length); +- EVP_DigestUpdate(&ctx, p->salt.data, p->salt.length); +- EVP_DigestFinal(&ctx, md[mdi], NULL); ++ digest_size = EVP_MD_CTX_size(ctx); ++ EVP_DigestUpdate(ctx, wire_name.data, wire_name.length); ++ EVP_DigestUpdate(ctx, p->salt.data, p->salt.length); ++ EVP_DigestFinal(ctx, md[mdi], NULL); + + for (i = 0; i < p->iterations; i++) { +- if (EVP_DigestInit(&ctx, EVP_sha1()) != 1) ++ if (EVP_DigestInit(ctx, EVP_sha1()) != 1) + return r; +- EVP_DigestUpdate(&ctx, md[mdi], digest_size); ++ EVP_DigestUpdate(ctx, md[mdi], digest_size); + mdi = (mdi + 1) % 2; +- EVP_DigestUpdate(&ctx, p->salt.data, p->salt.length); +- EVP_DigestFinal(&ctx, md[mdi], NULL); ++ EVP_DigestUpdate(ctx, p->salt.data, p->salt.length); ++ EVP_DigestFinal(ctx, md[mdi], NULL); + } + + r.length = digest_size; + r.data = getmem(digest_size); + memcpy(r.data, md[mdi], digest_size); ++ EVP_MD_CTX_free(ctx); + return r; + } + diff --git a/debian/patches/fix-dont-overwrite-cflags.patch b/debian/patches/fix-dont-overwrite-cflags.patch index b7fc38b..be276ed 100644 --- a/debian/patches/fix-dont-overwrite-cflags.patch +++ b/debian/patches/fix-dont-overwrite-cflags.patch 
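Review bot: The refreshed dnskey.c and nsec3checks.c sections lose error handling that the replaced patch text had. In dnskey_build_pkey the return values of `BN_bin2bn(pk, e_bytes, rsa_e)` and `BN_bin2bn(pk, l, rsa_n)` are ignored, and rsa_n/rsa_e come from BN_new() without a NULL check before the `if (!rsa)` test. A failed conversion therefore still reaches `RSA_set0_key( rsa, rsa_n, rsa_e, NULL )`, and the `goto done` exits taken before that call appear to leak both BIGNUMs; the earlier form (`e = BN_bin2bn(pk, e_bytes, NULL);` … `if (!e || !n) goto done;`) avoided this. In name2hash, `EVP_MD_CTX_new()` is not checked for NULL, and both `return r;` exits after a failed EVP_DigestInit skip `EVP_MD_CTX_free(ctx)`; the removed version routed them through `goto out` to a label placed before the free. Both functions extend beyond the lines shown.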
@@ -14,16 +14,16 @@ Also respect LDFLAGS. CC?=cc # These additional options work on Solaris/gcc to which I have an access -@@ -28,7 +28,7 @@ +@@ -28,7 +28,7 @@ validns: main.o carp.o mempool.o textpar ipseckey.o cbtree.o mb.o mg.o mr.o minfo.o \ afsdb.o x25.o isdn.o rt.o px.o kx.o \ - dlv.o dhcid.o nsap.o + dlv.o dhcid.o nsap.o caa.o - $(CC) $(CFLAGS) $(OPTIMIZE) -o validns \ + $(CC) $(LDFLAGS) $(CPPFLAGS) $(CFLAGS) $(OPTIMIZE) -o validns \ main.o carp.o mempool.o textparse.o base64.o base32hex.o \ rr.o soa.o a.o cname.o mx.o ns.o \ rrsig.o nsec.o dnskey.o txt.o aaaa.o \ -@@ -58,160 +58,160 @@ +@@ -59,163 +59,163 @@ clean: @echo ':-)' main.o: main.c common.h carp.h mempool.h textparse.h rr.h @@ -186,6 +186,10 @@ Also respect LDFLAGS. - $(CC) $(CFLAGS) $(OPTIMIZE) -c -o sshfp.o sshfp.c $(INCPATH) + $(CC) $(CPPFLAGS) $(CFLAGS) $(OPTIMIZE) -c -o sshfp.o sshfp.c $(INCPATH) + caa.o: caa.c common.h textparse.h mempool.h carp.h rr.h +- $(CC) $(CFLAGS) $(OPTIMIZE) -c -o caa.o caa.c $(INCPATH) ++ $(CC) $(CPPFLAGS) $(CFLAGS) $(OPTIMIZE) -c -o caa.o caa.c $(INCPATH) + rp.o: rp.c common.h textparse.h mempool.h carp.h rr.h - $(CC) $(CFLAGS) $(OPTIMIZE) -c -o rp.o rp.c $(INCPATH) + $(CC) $(CPPFLAGS) $(CFLAGS) $(OPTIMIZE) -c -o rp.o rp.c $(INCPATH) @@ -236,7 +240,7 @@ Also respect LDFLAGS. test: validns perl -MTest::Harness -e 'runtests("t/test.pl")' -@@ -220,9 +220,9 @@ +@@ -224,9 +224,9 @@ test-details: validns perl t/test.pl test64: diff --git a/debian/patches/fix-makefile-clean.patch b/debian/patches/fix-makefile-clean.patch index 51e1c79..94ab70f 100644 --- a/debian/patches/fix-makefile-clean.patch +++ b/debian/patches/fix-makefile-clean.patch @@ -1,8 +1,8 @@ --- a/Makefile +++ b/Makefile -@@ -55,6 +55,7 @@ +@@ -55,6 +55,7 @@ clean: -rm -f afsdb.o x25.o isdn.o rt.o px.o kx.o - -rm -f dlv.o dhcid.o nsap.o + -rm -f dlv.o dhcid.o nsap.o caa.o -rm -f validns.core core + -rm -f base32hex-test base64-test @echo ':-)' 
diff --git a/debian/patches/ipseckey-address-possible-string-truncation-warning.patch b/debian/patches/ipseckey-address-possible-string-truncation-warning.patch index d6e1a70..8dbc118 100644 --- a/debian/patches/ipseckey-address-possible-string-truncation-warning.patch +++ b/debian/patches/ipseckey-address-possible-string-truncation-warning.patch @@ -14,31 +14,26 @@ Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc> ipseckey.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) -diff --git a/ipseckey.c b/ipseckey.c -index c5bdf947fad2..0b7946a15432 100644 --- a/ipseckey.c +++ b/ipseckey.c -@@ -93,17 +93,17 @@ static struct rr *ipseckey_parse(char *name, long ttl, int type, char *s) +@@ -93,7 +93,7 @@ static struct rr *ipseckey_parse(char *n static char* ipseckey_human(struct rr *rrv) { - RRCAST(ipseckey); + RRCAST(ipseckey); - char s[1024], gw[1024]; + char s[1024], gw[1000]; - switch (rr->gateway_type) { - case 0: - strcpy(gw, rr->gateway.gateway_none); - break; - case 1: -- inet_ntop(AF_INET, &rr->gateway.gateway_ipv4, gw, 1024); -+ inet_ntop(AF_INET, &rr->gateway.gateway_ipv4, gw, sizeof(gw)); - break; - case 2: -- inet_ntop(AF_INET6, &rr->gateway.gateway_ipv6, gw, 1024); -+ inet_ntop(AF_INET6, &rr->gateway.gateway_ipv6, gw, sizeof(gw)); - break; - case 3: - strcpy(gw, rr->gateway.gateway_name); --- -2.20.1 - + switch (rr->gateway_type) { + case 0: +@@ -101,9 +101,11 @@ static char* ipseckey_human(struct rr *r + break; + case 1: + inet_ntop(AF_INET, &rr->gateway.gateway_ipv4, gw, 1024); ++ inet_ntop(AF_INET, &rr->gateway.gateway_ipv4, gw, sizeof(gw)); + break; + case 2: + inet_ntop(AF_INET6, &rr->gateway.gateway_ipv6, gw, 1024); ++ inet_ntop(AF_INET6, &rr->gateway.gateway_ipv6, gw, sizeof(gw)); + break; + case 3: + strcpy(gw, rr->gateway.gateway_name); -- 2.11.0
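Review bot: As refreshed, the second ipseckey.c hunk (`@@ -101,9 +101,11 @@`) keeps `inet_ntop(AF_INET, &rr->gateway.gateway_ipv4, gw, 1024);` and its AF_INET6 counterpart as context and adds the `sizeof(gw)` calls after them rather than replacing them. The first hunk meanwhile shrinks the buffer to `char s[1024], gw[1000];`. The patched ipseckey_human would then call inet_ntop twice per case, the first time declaring 1024 bytes for a 1000-byte buffer. The textual address inet_ntop produces is short, so this should not overflow in practice, but the size argument is wrong; the two 1024 lines should be `-` lines so that only the `sizeof(gw)` calls remain. `strcpy(gw, rr->gateway.gateway_name);` in the same switch is unbounded, and whether gateway_name is length-limited cannot be confirmed from the lines shown.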