From: Stuart Henderson Subject: Re: UPDATE: net/validns 0.9.0 To: Caspar Schutijser Cc: ports@openbsd.org Date: Sun, 8 Feb 2026 15:42:03 +0000 On 2026/02/08 14:56, Caspar Schutijser wrote: > Hi, > > After more than a decade, a new version of validns is available. > It's now hosted with and maintained by DNS-OARC. The build system > has changed and all patches can go since they're incorporated in > the main branch. > > I can become MAINTAINER of this tool. > > Did I do the DISTFILES part right? (I think so, because it works and > produces the desired file name in the distfiles directory.) > Comments or OKs? DIST_TUPLE= codeberg DNS-OARC validns v0.9.0 .
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/net/validns/Makefile,v
> diff -u -p -r1.6 Makefile
> --- Makefile 27 Sep 2023 14:18:39 -0000 1.6
> +++ Makefile 8 Feb 2026 13:42:33 -0000
> @@ -1,29 +1,34 @@
> COMMENT = DNS and DNSSEC zone file validator
>
> -DISTNAME = validns-0.8
> -REVISION = 1
> +V = 0.9.0
> +PKGNAME = validns-${V}
>
> CATEGORIES = net
>
> -HOMEPAGE = http://www.validns.net/
> +HOMEPAGE = https://codeberg.org/DNS-OARC/validns
> +
> +MAINTAINER = Caspar Schutijser
>
> # BSD
> PERMIT_PACKAGE = Yes
>
> WANTLIB += Judy c crypto pthread
>
> -SITES = ${HOMEPAGE}download/
> +SITES = https://codeberg.org/DNS-OARC/validns/archive/
> +
> +DISTFILES = validns-{v}${V}${EXTRACT_SUFX}
>
> LIB_DEPENDS = devel/libJudy
>
> TEST_DEPENDS = devel/p5-Test-Command-Simple
>
> -MAKE_ENV = CC="${CC}" CFLAGS="${CFLAGS}"
> +CONFIGURE_STYLE = autoreconf
> +AUTOCONF_VERSION = 2.69
> +AUTOMAKE_VERSION = 1.18
> +AUTORECONF = ./autogen.sh
>
> -ALL_TARGET = validns
> +CONFIGURE_ENV = CPPFLAGS="-I${LOCALBASE}/include" LDFLAGS="-L${LOCALBASE}/lib"
>
> -do-install:
> - ${INSTALL_PROGRAM} ${WRKSRC}/validns ${PREFIX}/bin
> - ${INSTALL_MAN} ${WRKSRC}/validns.1 ${PREFIX}/man/man1
> +WRKSRC = ${WRKDIR}/validns
>
> .include
> Index: distinfo
> ===================================================================
> RCS file: /cvs/ports/net/validns/distinfo,v
> diff -u -p -r1.1.1.1 distinfo
> --- distinfo 6 May 2017 15:52:24 -0000 1.1.1.1
> +++ distinfo 8 Feb 2026 13:42:33 -0000
> @@ -1,2 +1,2 @@
> -SHA256 (validns-0.8.tar.gz) = 3y2w6qmYoEEf9MHE5BfrgtMq7Eg1+S9F8mxmyNHVvSI=
> -SIZE (validns-0.8.tar.gz) = 190325
> +SHA256 (validns-0.9.0.tar.gz) = ZwxAIgTewZUbIMTKP171KXYszs4Lu5eWlZzJ/alJ61M=
> +SIZE (validns-0.9.0.tar.gz) = 253152
> Index: patches/patch-Makefile
> ===================================================================
> RCS file: patches/patch-Makefile
> diff -N patches/patch-Makefile
> --- patches/patch-Makefile 11 Mar 2022 19:48:04 -0000 1.2
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
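Review bot: `WANTLIB += Judy c crypto pthread` is carried over as context while the build switches from the hand-written Makefile to `CONFIGURE_STYLE = autoreconf`, so nothing in the hunk shows the list was re-checked against what configure now links; running `make port-lib-depends-check` on the built package would confirm it before commit. The `AUTORECONF = ./autogen.sh` line runs an upstream script during the build and the hunk does not show what that script does, so a one-line comment above it, for example `# upstream bootstrap script, used in place of plain autoreconf`, would record why it is needed. `TEST_DEPENDS` is also kept unchanged with no test target visible in the hunk, so it may be worth checking that `make test` still exercises the upstream suite under the new build system.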
> @@ -1,11 +0,0 @@
> -Index: Makefile
> ---- Makefile.orig
> -+++ Makefile
> -@@ -1,6 +1,5 @@
> - # The following options seem to work fine on Linux, FreeBSD, and Darwin
> --OPTIMIZE=-O2 -g
> --CFLAGS=-Wall -Werror -pthread -fno-strict-aliasing
> -+CFLAGS+=-Wall -Werror -pthread -fno-strict-aliasing
> - INCPATH=-I/usr/local/include -I/opt/local/include -I/usr/local/ssl/include
> - CC?=cc
> -
> Index: patches/patch-carp_c
> ===================================================================
> RCS file: patches/patch-carp_c
> diff -N patches/patch-carp_c
> --- patches/patch-carp_c 11 Mar 2022 19:48:04 -0000 1.2
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,12 +0,0 @@
> -Index: carp.c
> ---- carp.c.orig
> -+++ carp.c
> -@@ -102,7 +102,7 @@ static char proggy[MAXPATHLEN];
> -
> - const char *thisprogname(void)
> - {
> --#if defined(__FreeBSD__)
> -+#if defined(__FreeBSD__) || defined(__OpenBSD__)
> - return getprogname();
> - #elif defined(__APPLE__)
> - return getprogname();
> Index: patches/patch-dnskey_c
> ===================================================================
> RCS file: patches/patch-dnskey_c
> diff -N patches/patch-dnskey_c
> --- patches/patch-dnskey_c 11 Mar 2022 19:48:04 -0000 1.2
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,31 +0,0 @@
> -https://github.com/tobez/validns/pull/71
> -
> -Index: dnskey.c
> ---- dnskey.c.orig
> -+++ dnskey.c
> -@@ -145,6 +145,7 @@ int dnskey_build_pkey(struct rr_dnskey *rr)
> - unsigned int e_bytes;
> - unsigned char *pk;
> - int l;
> -+ BIGNUM *n, *e;
> -
> - rsa = RSA_new();
> - if (!rsa)
> -@@ -165,11 +166,15 @@ int dnskey_build_pkey(struct rr_dnskey *rr)
> - if (l < e_bytes) /* public key is too short */
> - goto done;
> -
> -- rsa->e = BN_bin2bn(pk, e_bytes, NULL);
> -+ e = BN_bin2bn(pk, e_bytes, NULL);
> - pk += e_bytes;
> - l -= e_bytes;
> -
> -- rsa->n = BN_bin2bn(pk, l, NULL);
> -+ n = BN_bin2bn(pk, l, NULL);
> -+ if (!e || !n)
> -+ goto done;
> -+
> -+ RSA_set0_key(rsa, n, e, NULL);
> -
> - pkey = EVP_PKEY_new();
> - if (!pkey)
> Index: patches/patch-nsec3checks_c
> ===================================================================
> RCS file: patches/patch-nsec3checks_c
> diff -N patches/patch-nsec3checks_c
> --- patches/patch-nsec3checks_c 11 Mar 2022 19:48:04 -0000 1.2
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,57 +0,0 @@
> -https://github.com/tobez/validns/pull/71
> -
> -Index: nsec3checks.c
> ---- nsec3checks.c.orig
> -+++ nsec3checks.c
> -@@ -28,7 +28,7 @@
> - static struct binary_data name2hash(char *name, struct rr *param)
> - {
> - struct rr_nsec3param *p = (struct rr_nsec3param *)param;
> -- EVP_MD_CTX ctx;
> -+ EVP_MD_CTX *ctx;
> - unsigned char md0[EVP_MAX_MD_SIZE];
> - unsigned char md1[EVP_MAX_MD_SIZE];
> - unsigned char *md[2];
> -@@ -45,26 +45,31 @@ static struct binary_data name2hash(char *name, struct
> -
> - /* XXX Maybe use Init_ex and Final_ex for speed? */
> -
> -- EVP_MD_CTX_init(&ctx);
> -- if (EVP_DigestInit(&ctx, EVP_sha1()) != 1)
> -+ ctx = EVP_MD_CTX_new();
> -+ if (ctx == NULL)
> - return r;
> -- digest_size = EVP_MD_CTX_size(&ctx);
> -- EVP_DigestUpdate(&ctx, wire_name.data, wire_name.length);
> -- EVP_DigestUpdate(&ctx, p->salt.data, p->salt.length);
> -- EVP_DigestFinal(&ctx, md[mdi], NULL);
> -+ if (EVP_DigestInit(ctx, EVP_sha1()) != 1)
> -+ goto out;
> -+ digest_size = EVP_MD_CTX_size(ctx);
> -+ EVP_DigestUpdate(ctx, wire_name.data, wire_name.length);
> -+ EVP_DigestUpdate(ctx, p->salt.data, p->salt.length);
> -+ EVP_DigestFinal(ctx, md[mdi], NULL);
> -
> - for (i = 0; i < p->iterations; i++) {
> -- if (EVP_DigestInit(&ctx, EVP_sha1()) != 1)
> -- return r;
> -- EVP_DigestUpdate(&ctx, md[mdi], digest_size);
> -+ if (EVP_DigestInit(ctx, EVP_sha1()) != 1)
> -+ goto out;
> -+
> -+ EVP_DigestUpdate(ctx, md[mdi], digest_size);
> - mdi = (mdi + 1) % 2;
> -- EVP_DigestUpdate(&ctx, p->salt.data, p->salt.length);
> -- EVP_DigestFinal(&ctx, md[mdi], NULL);
> -+ EVP_DigestUpdate(ctx, p->salt.data, p->salt.length);
> -+ EVP_DigestFinal(ctx, md[mdi], NULL);
> - }
> -
> - r.length = digest_size;
> - r.data = getmem(digest_size);
> - memcpy(r.data, md[mdi], digest_size);
> -+out:
> -+ EVP_MD_CTX_free(ctx);
> - return r;
> - }
> -
> Index: patches/patch-rrsig_c
> ===================================================================
> RCS file: patches/patch-rrsig_c
> diff -N patches/patch-rrsig_c
> --- patches/patch-rrsig_c 11 Mar 2022 19:48:04 -0000 1.2
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,145 +0,0 @@
> -https://github.com/tobez/validns/pull/71
> -
> -Index: rrsig.c
> ---- rrsig.c.orig
> -+++ rrsig.c
> -@@ -26,7 +26,7 @@
> - struct verification_data
> - {
> - struct verification_data *next;
> -- EVP_MD_CTX ctx;
> -+ EVP_MD_CTX *ctx;
> - struct rr_dnskey *key;
> - struct rr_rrsig *rr;
> - int ok;
> -@@ -180,7 +180,7 @@ void *verification_thread(void *dummy)
> - if (d) {
> - int r;
> - d->next = NULL;
> -- r = EVP_VerifyFinal(&d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
> -+ r = EVP_VerifyFinal(d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
> - if (r == 1) {
> - d->ok = 1;
> - } else {
> -@@ -232,7 +232,7 @@ static void schedule_verification(struct verification_
> - } else {
> - int r;
> - G.stats.signatures_verified++;
> -- r = EVP_VerifyFinal(&d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
> -+ r = EVP_VerifyFinal(d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
> - if (r == 1) {
> - d->ok = 1;
> - } else {
> -@@ -250,21 +250,22 @@ static int verify_signature(struct verification_data *
> - struct rr *signed_rr;
> - int i;
> -
> -- EVP_MD_CTX_init(&d->ctx);
> -+ if ((d->ctx = EVP_MD_CTX_new()) == NULL)
> -+ return 0;
> - switch (d->rr->algorithm) {
> - case ALG_DSA:
> - case ALG_RSASHA1:
> - case ALG_DSA_NSEC3_SHA1:
> - case ALG_RSASHA1_NSEC3_SHA1:
> -- if (EVP_VerifyInit(&d->ctx, EVP_sha1()) != 1)
> -+ if (EVP_VerifyInit(d->ctx, EVP_sha1()) != 1)
> - return 0;
> - break;
> - case ALG_RSASHA256:
> -- if (EVP_VerifyInit(&d->ctx, EVP_sha256()) != 1)
> -+ if (EVP_VerifyInit(d->ctx, EVP_sha256()) != 1)
> - return 0;
> - break;
> - case ALG_RSASHA512:
> -- if (EVP_VerifyInit(&d->ctx, EVP_sha512()) != 1)
> -+ if (EVP_VerifyInit(d->ctx, EVP_sha512()) != 1)
> - return 0;
> - break;
> - default:
> -@@ -274,7 +275,7 @@ static int verify_signature(struct verification_data *
> - chunk = rrsig_wirerdata_ex(&d->rr->rr, 0);
> - if (chunk.length < 0)
> - return 0;
> -- EVP_VerifyUpdate(&d->ctx, chunk.data, chunk.length);
> -+ EVP_VerifyUpdate(d->ctx, chunk.data, chunk.length);
> -
> - set = getmem_temp(sizeof(*set) * signed_set->count);
> -
> -@@ -294,12 +295,12 @@ static int verify_signature(struct verification_data *
> - chunk = name2wire_name(signed_set->named_rr->name);
> - if (chunk.length < 0)
> - return 0;
> -- EVP_VerifyUpdate(&d->ctx, chunk.data, chunk.length);
> -- b2 = htons(set[i].rr->rdtype); EVP_VerifyUpdate(&d->ctx, &b2, 2);
> -- b2 = htons(1); /* class IN */ EVP_VerifyUpdate(&d->ctx, &b2, 2);
> -- b4 = htonl(set[i].rr->ttl); EVP_VerifyUpdate(&d->ctx, &b4, 4);
> -- b2 = htons(set[i].wired.length); EVP_VerifyUpdate(&d->ctx, &b2, 2);
> -- EVP_VerifyUpdate(&d->ctx, set[i].wired.data, set[i].wired.length);
> -+ EVP_VerifyUpdate(d->ctx, chunk.data, chunk.length);
> -+ b2 = htons(set[i].rr->rdtype); EVP_VerifyUpdate(d->ctx, &b2, 2);
> -+ b2 = htons(1); /* class IN */ EVP_VerifyUpdate(d->ctx, &b2, 2);
> -+ b4 = htonl(set[i].rr->ttl); EVP_VerifyUpdate(d->ctx, &b4, 4);
> -+ b2 = htons(set[i].wired.length); EVP_VerifyUpdate(d->ctx, &b2, 2);
> -+ EVP_VerifyUpdate(d->ctx, set[i].wired.data, set[i].wired.length);
> - }
> -
> - schedule_verification(d);
> -@@ -371,49 +372,12 @@ static void *rrsig_validate(struct rr *rrv)
> - return rr;
> - }
> -
> --static pthread_mutex_t *lock_cs;
> --static long *lock_count;
> --
> --static unsigned long pthreads_thread_id(void)
> --{
> -- unsigned long ret;
> --
> -- ret=(unsigned long)pthread_self();
> -- return(ret);
> --}
> --
> --static void pthreads_locking_callback(int mode, int type, char *file, int line)
> --{
> -- if (mode & CRYPTO_LOCK) {
> -- pthread_mutex_lock(&(lock_cs[type]));
> -- lock_count[type]++;
> -- } else {
> -- pthread_mutex_unlock(&(lock_cs[type]));
> -- }
> --}
> --
> - void verify_all_keys(void)
> - {
> - struct keys_to_verify *k = all_keys_to_verify;
> - int i;
> - struct timespec sleep_time;
> -
> -- ERR_load_crypto_strings();
> -- if (G.opt.n_threads > 1) {
> -- lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t));
> -- lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long));
> -- for (i = 0; i < CRYPTO_num_locks(); i++) {
> -- lock_count[i] = 0;
> -- pthread_mutex_init(&lock_cs[i],NULL);
> -- }
> --
> -- CRYPTO_set_id_callback((unsigned long (*)())pthreads_thread_id);
> -- CRYPTO_set_locking_callback((void (*)())pthreads_locking_callback);
> --
> -- if (pthread_mutex_init(&queue_lock, NULL) != 0)
> -- croak(1, "pthread_mutex_init");
> -- }
> --
> - while (k) {
> - freeall_temp();
> - for (i = 0; i < k->n_keys; i++) {
> -@@ -440,6 +404,7 @@ void verify_all_keys(void)
> - if (k->to_verify[i].openssl_error != 0)
> - e = k->to_verify[i].openssl_error;
> - }
> -+ EVP_MD_CTX_free(k->to_verify[i].ctx);
> - }
> - if (!ok) {
> - struct named_rr *named_rr;
> Index: pkg/PLIST
> ===================================================================
> RCS file: /cvs/ports/net/validns/pkg/PLIST,v
> diff -u -p -r1.2 PLIST
> --- pkg/PLIST 11 Mar 2022 19:48:04 -0000 1.2
> +++ pkg/PLIST 8 Feb 2026 13:42:33 -0000
> @@ -1,2 +1,7 @@
> @bin bin/validns
> @man man/man1/validns.1
> +share/doc/validns/
> +share/doc/validns/CHANGELOG.md
> +share/doc/validns/LICENSE
> +share/doc/validns/README.md
> +share/doc/validns/TECHNICAL.md
>