From: Caspar Schutijser Subject: Re: UPDATE: net/validns 0.9.0 To: ports@openbsd.org Date: Sun, 8 Feb 2026 17:23:38 +0100 On Sun, Feb 08, 2026 at 03:42:03PM +0000, Stuart Henderson wrote: > On 2026/02/08 14:56, Caspar Schutijser wrote: > > Hi, > > > > After more than a decade, a new version of validns is available. > > It's now hosted with and maintained by DNS-OARC. The build system > > has changed and all patches can go since they're incorporated in > > the main branch. > > > > I can become MAINTAINER of this tool. > > > > Did I do the DISTFILES part right? (I think so, because it works and > > produces the desired file name in the distfiles directory.) > > Comments or OKs? > > DIST_TUPLE= codeberg DNS-OARC validns v0.9.0 . Thanks, incorporated that in the diff below. Caspar
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/validns/Makefile,v
diff -u -p -r1.6 Makefile
--- Makefile 27 Sep 2023 14:18:39 -0000 1.6
+++ Makefile 8 Feb 2026 16:20:45 -0000
@@ -1,29 +1,30 @@ COMMENT = DNS and DNSSEC zone file validator -DISTNAME = validns-0.8 -REVISION = 1 +V = 0.9.0 +PKGNAME = validns-${V} CATEGORIES = net -HOMEPAGE = http://www.validns.net/ +DIST_TUPLE = codeberg DNS-OARC validns v${V} . + +MAINTAINER = Caspar Schutijser # BSD PERMIT_PACKAGE = Yes WANTLIB += Judy c crypto pthread -SITES = ${HOMEPAGE}download/ - LIB_DEPENDS = devel/libJudy TEST_DEPENDS = devel/p5-Test-Command-Simple -MAKE_ENV = CC="${CC}" CFLAGS="${CFLAGS}" +CONFIGURE_STYLE = autoreconf +AUTOCONF_VERSION = 2.69 +AUTOMAKE_VERSION = 1.18 +AUTORECONF = ./autogen.sh -ALL_TARGET = validns +CONFIGURE_ENV = CPPFLAGS="-I${LOCALBASE}/include" LDFLAGS="-L${LOCALBASE}/lib" -do-install: - ${INSTALL_PROGRAM} ${WRKSRC}/validns ${PREFIX}/bin - ${INSTALL_MAN} ${WRKSRC}/validns.1 ${PREFIX}/man/man1 +WRKSRC = ${WRKDIR}/validns .include Index: distinfo =================================================================== RCS file: /cvs/ports/net/validns/distinfo,v diff -u -p -r1.1.1.1 distinfo --- distinfo 6 May 2017 15:52:24 -0000 1.1.1.1 +++ distinfo 8 Feb 2026 16:20:45 -0000 @@ -1,2 +1,2 @@ -SHA256 (validns-0.8.tar.gz) = 3y2w6qmYoEEf9MHE5BfrgtMq7Eg1+S9F8mxmyNHVvSI= -SIZE (validns-0.8.tar.gz) = 190325 +SHA256 (DNS-OARC-validns-v0.9.0.tar.gz) = ZwxAIgTewZUbIMTKP171KXYszs4Lu5eWlZzJ/alJ61M= +SIZE (DNS-OARC-validns-v0.9.0.tar.gz) = 253152 Index: patches/patch-Makefile =================================================================== RCS file: patches/patch-Makefile diff -N patches/patch-Makefile --- patches/patch-Makefile 11 Mar 2022 19:48:04 -0000 1.2 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
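Review bot: `AUTORECONF = ./autogen.sh` in the Makefile hunk has the configure stage run a script from the unpacked distfile in place of the default autoreconf command, and nothing in the port says why. A comment above it would record the reason, e.g. `# no generated configure in the forge archive; autogen.sh bootstraps it`, assuming that is what the script does, which this diff does not show. Since the script now runs on every build of the port, it is worth confirming that it only drives the pinned autoconf 2.69 / automake 1.18 tools and does not try to fetch anything at build time.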
@@ -1,11 +0,0 @@
-Index: Makefile
---- Makefile.orig
-+++ Makefile
-@@ -1,6 +1,5 @@
- # The following options seem to work fine on Linux, FreeBSD, and Darwin
--OPTIMIZE=-O2 -g
--CFLAGS=-Wall -Werror -pthread -fno-strict-aliasing
-+CFLAGS+=-Wall -Werror -pthread -fno-strict-aliasing
- INCPATH=-I/usr/local/include -I/opt/local/include -I/usr/local/ssl/include
- CC?=cc
-
Index: patches/patch-carp_c
===================================================================
RCS file: patches/patch-carp_c
diff -N patches/patch-carp_c
--- patches/patch-carp_c 11 Mar 2022 19:48:04 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,12 +0,0 @@
-Index: carp.c
---- carp.c.orig
-+++ carp.c
-@@ -102,7 +102,7 @@ static char proggy[MAXPATHLEN];
-
- const char *thisprogname(void)
- {
--#if defined(__FreeBSD__)
-+#if defined(__FreeBSD__) || defined(__OpenBSD__)
- return getprogname();
- #elif defined(__APPLE__)
- return getprogname();
Index: patches/patch-dnskey_c
===================================================================
RCS file: patches/patch-dnskey_c
diff -N patches/patch-dnskey_c
--- patches/patch-dnskey_c 11 Mar 2022 19:48:04 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,31 +0,0 @@
-https://github.com/tobez/validns/pull/71
-
-Index: dnskey.c
---- dnskey.c.orig
-+++ dnskey.c
-@@ -145,6 +145,7 @@ int dnskey_build_pkey(struct rr_dnskey *rr)
- unsigned int e_bytes;
- unsigned char *pk;
- int l;
-+ BIGNUM *n, *e;
-
- rsa = RSA_new();
- if (!rsa)
-@@ -165,11 +166,15 @@ int dnskey_build_pkey(struct rr_dnskey *rr)
- if (l < e_bytes) /* public key is too short */
- goto done;
-
-- rsa->e = BN_bin2bn(pk, e_bytes, NULL);
-+ e = BN_bin2bn(pk, e_bytes, NULL);
- pk += e_bytes;
- l -= e_bytes;
-
-- rsa->n = BN_bin2bn(pk, l, NULL);
-+ n = BN_bin2bn(pk, l, NULL);
-+ if (!e || !n)
-+ goto done;
-+
-+ RSA_set0_key(rsa, n, e, NULL);
-
- pkey = EVP_PKEY_new();
- if (!pkey)
Index: patches/patch-nsec3checks_c
===================================================================
RCS file: patches/patch-nsec3checks_c
diff -N patches/patch-nsec3checks_c
--- patches/patch-nsec3checks_c 11 Mar 2022 19:48:04 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,57 +0,0 @@
-https://github.com/tobez/validns/pull/71
-
-Index: nsec3checks.c
---- nsec3checks.c.orig
-+++ nsec3checks.c
-@@ -28,7 +28,7 @@
- static struct binary_data name2hash(char *name, struct rr *param)
- {
- struct rr_nsec3param *p = (struct rr_nsec3param *)param;
-- EVP_MD_CTX ctx;
-+ EVP_MD_CTX *ctx;
- unsigned char md0[EVP_MAX_MD_SIZE];
- unsigned char md1[EVP_MAX_MD_SIZE];
- unsigned char *md[2];
-@@ -45,26 +45,31 @@ static struct binary_data name2hash(char *name, struct
-
- /* XXX Maybe use Init_ex and Final_ex for speed? */
-
-- EVP_MD_CTX_init(&ctx);
-- if (EVP_DigestInit(&ctx, EVP_sha1()) != 1)
-+ ctx = EVP_MD_CTX_new();
-+ if (ctx == NULL)
- return r;
-- digest_size = EVP_MD_CTX_size(&ctx);
-- EVP_DigestUpdate(&ctx, wire_name.data, wire_name.length);
-- EVP_DigestUpdate(&ctx, p->salt.data, p->salt.length);
-- EVP_DigestFinal(&ctx, md[mdi], NULL);
-+ if (EVP_DigestInit(ctx, EVP_sha1()) != 1)
-+ goto out;
-+ digest_size = EVP_MD_CTX_size(ctx);
-+ EVP_DigestUpdate(ctx, wire_name.data, wire_name.length);
-+ EVP_DigestUpdate(ctx, p->salt.data, p->salt.length);
-+ EVP_DigestFinal(ctx, md[mdi], NULL);
-
- for (i = 0; i < p->iterations; i++) {
-- if (EVP_DigestInit(&ctx, EVP_sha1()) != 1)
-- return r;
-- EVP_DigestUpdate(&ctx, md[mdi], digest_size);
-+ if (EVP_DigestInit(ctx, EVP_sha1()) != 1)
-+ goto out;
-+
-+ EVP_DigestUpdate(ctx, md[mdi], digest_size);
- mdi = (mdi + 1) % 2;
-- EVP_DigestUpdate(&ctx, p->salt.data, p->salt.length);
-- EVP_DigestFinal(&ctx, md[mdi], NULL);
-+ EVP_DigestUpdate(ctx, p->salt.data, p->salt.length);
-+ EVP_DigestFinal(ctx, md[mdi], NULL);
- }
-
- r.length = digest_size;
- r.data = getmem(digest_size);
- memcpy(r.data, md[mdi], digest_size);
-+out:
-+ EVP_MD_CTX_free(ctx);
- return r;
- }
-
Index: patches/patch-rrsig_c
===================================================================
RCS file: patches/patch-rrsig_c
diff -N patches/patch-rrsig_c
--- patches/patch-rrsig_c 11 Mar 2022 19:48:04 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,145 +0,0 @@
-https://github.com/tobez/validns/pull/71
-
-Index: rrsig.c
---- rrsig.c.orig
-+++ rrsig.c
-@@ -26,7 +26,7 @@
- struct verification_data
- {
- struct verification_data *next;
-- EVP_MD_CTX ctx;
-+ EVP_MD_CTX *ctx;
- struct rr_dnskey *key;
- struct rr_rrsig *rr;
- int ok;
-@@ -180,7 +180,7 @@ void *verification_thread(void *dummy)
- if (d) {
- int r;
- d->next = NULL;
-- r = EVP_VerifyFinal(&d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
-+ r = EVP_VerifyFinal(d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
- if (r == 1) {
- d->ok = 1;
- } else {
-@@ -232,7 +232,7 @@ static void schedule_verification(struct verification_
- } else {
- int r;
- G.stats.signatures_verified++;
-- r = EVP_VerifyFinal(&d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
-+ r = EVP_VerifyFinal(d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey);
- if (r == 1) {
- d->ok = 1;
- } else {
-@@ -250,21 +250,22 @@ static int verify_signature(struct verification_data *
- struct rr *signed_rr;
- int i;
-
-- EVP_MD_CTX_init(&d->ctx);
-+ if ((d->ctx = EVP_MD_CTX_new()) == NULL)
-+ return 0;
- switch (d->rr->algorithm) {
- case ALG_DSA:
- case ALG_RSASHA1:
- case ALG_DSA_NSEC3_SHA1:
- case ALG_RSASHA1_NSEC3_SHA1:
-- if (EVP_VerifyInit(&d->ctx, EVP_sha1()) != 1)
-+ if (EVP_VerifyInit(d->ctx, EVP_sha1()) != 1)
- return 0;
- break;
- case ALG_RSASHA256:
-- if (EVP_VerifyInit(&d->ctx, EVP_sha256()) != 1)
-+ if (EVP_VerifyInit(d->ctx, EVP_sha256()) != 1)
- return 0;
- break;
- case ALG_RSASHA512:
-- if (EVP_VerifyInit(&d->ctx, EVP_sha512()) != 1)
-+ if (EVP_VerifyInit(d->ctx, EVP_sha512()) != 1)
- return 0;
- break;
- default:
-@@ -274,7 +275,7 @@ static int verify_signature(struct verification_data *
- chunk = rrsig_wirerdata_ex(&d->rr->rr, 0);
- if (chunk.length < 0)
- return 0;
-- EVP_VerifyUpdate(&d->ctx, chunk.data, chunk.length);
-+ EVP_VerifyUpdate(d->ctx, chunk.data, chunk.length);
-
- set = getmem_temp(sizeof(*set) * signed_set->count);
-
-@@ -294,12 +295,12 @@ static int verify_signature(struct verification_data *
- chunk = name2wire_name(signed_set->named_rr->name);
- if (chunk.length < 0)
- return 0;
-- EVP_VerifyUpdate(&d->ctx, chunk.data, chunk.length);
-- b2 = htons(set[i].rr->rdtype); EVP_VerifyUpdate(&d->ctx, &b2, 2);
-- b2 = htons(1); /* class IN */ EVP_VerifyUpdate(&d->ctx, &b2, 2);
-- b4 = htonl(set[i].rr->ttl); EVP_VerifyUpdate(&d->ctx, &b4, 4);
-- b2 = htons(set[i].wired.length); EVP_VerifyUpdate(&d->ctx, &b2, 2);
-- EVP_VerifyUpdate(&d->ctx, set[i].wired.data, set[i].wired.length);
-+ EVP_VerifyUpdate(d->ctx, chunk.data, chunk.length);
-+ b2 = htons(set[i].rr->rdtype); EVP_VerifyUpdate(d->ctx, &b2, 2);
-+ b2 = htons(1); /* class IN */ EVP_VerifyUpdate(d->ctx, &b2, 2);
-+ b4 = htonl(set[i].rr->ttl); EVP_VerifyUpdate(d->ctx, &b4, 4);
-+ b2 = htons(set[i].wired.length); EVP_VerifyUpdate(d->ctx, &b2, 2);
-+ EVP_VerifyUpdate(d->ctx, set[i].wired.data, set[i].wired.length);
- }
-
- schedule_verification(d);
-@@ -371,49 +372,12 @@ static void *rrsig_validate(struct rr *rrv)
- return rr;
- }
-
--static pthread_mutex_t *lock_cs;
--static long *lock_count;
--
--static unsigned long pthreads_thread_id(void)
--{
-- unsigned long ret;
--
-- ret=(unsigned long)pthread_self();
-- return(ret);
--}
--
--static void pthreads_locking_callback(int mode, int type, char *file, int line)
--{
-- if (mode & CRYPTO_LOCK) {
-- pthread_mutex_lock(&(lock_cs[type]));
-- lock_count[type]++;
-- } else {
-- pthread_mutex_unlock(&(lock_cs[type]));
-- }
--}
--
- void verify_all_keys(void)
- {
- struct keys_to_verify *k = all_keys_to_verify;
- int i;
- struct timespec sleep_time;
-
-- ERR_load_crypto_strings();
-- if (G.opt.n_threads > 1) {
-- lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t));
-- lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long));
-- for (i = 0; i < CRYPTO_num_locks(); i++) {
-- lock_count[i] = 0;
-- pthread_mutex_init(&lock_cs[i],NULL);
-- }
--
-- CRYPTO_set_id_callback((unsigned long (*)())pthreads_thread_id);
-- CRYPTO_set_locking_callback((void (*)())pthreads_locking_callback);
--
-- if (pthread_mutex_init(&queue_lock, NULL) != 0)
-- croak(1, "pthread_mutex_init");
-- }
--
- while (k) {
- freeall_temp();
- for (i = 0; i < k->n_keys; i++) {
-@@ -440,6 +404,7 @@ void verify_all_keys(void)
- if (k->to_verify[i].openssl_error != 0)
- e = k->to_verify[i].openssl_error;
- }
-+ EVP_MD_CTX_free(k->to_verify[i].ctx);
- }
- if (!ok) {
- struct named_rr *named_rr;
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/net/validns/pkg/PLIST,v
diff -u -p -r1.2 PLIST
--- pkg/PLIST 11 Mar 2022 19:48:04 -0000 1.2
+++ pkg/PLIST 8 Feb 2026 16:20:45 -0000
@@ -1,2 +1,7 @@
 @bin bin/validns
 @man man/man1/validns.1
+share/doc/validns/
+share/doc/validns/CHANGELOG.md
+share/doc/validns/LICENSE
+share/doc/validns/README.md
+share/doc/validns/TECHNICAL.md