Hello community, here is the log from the commit of package knot for openSUSE:Factory checked in at 2018-01-13 21:47:21 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/knot (Old) and /work/SRC/openSUSE:Factory/.knot.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "knot" Sat Jan 13 21:47:21 2018 rev:31 rq:563527 version:1.6.8 Changes: -------- --- /work/SRC/openSUSE:Factory/knot/knot.changes 2017-06-13 16:08:44.665273189 +0200 +++ /work/SRC/openSUSE:Factory/.knot.new/knot.changes 2018-01-13 21:47:25.314705803 +0100 @@ -1,0 +2,6 @@ +Mon Jan 8 12:38:53 UTC 2018 - [email protected] + +- add knot-openssl-1.1+.patch + * fix build with openssl 1.1+ + +------------------------------------------------------------------- New: ---- knot-openssl-1.1+.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ knot.spec ++++++ --- /var/tmp/diff_new_pack.mpvh90/_old 2018-01-13 21:47:26.158666458 +0100 +++ /var/tmp/diff_new_pack.mpvh90/_new 2018-01-13 21:47:26.170665899 +0100 @@ -1,7 +1,7 @@ # # spec file for package knot # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -47,6 +47,8 @@ Source2: knot.service Patch0: 0001-loosen-openssl-dependency.patch Patch1: 0002-make-configure.ac-compatible-with-old-tools.patch +#PATCH-FIX-UPSTREAM fix openssl 1.1+ build +Patch2: knot-openssl-1.1+.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: bison @@ -85,6 +87,7 @@ %setup -q -n %{pkg_name}-%{version} %patch0 -p1 %patch1 -p1 +%patch2 -p1 %build autoreconf -fvi ++++++ knot-openssl-1.1+.patch ++++++ Index: knot-1.6.8/src/libknot/tsig-op.c =================================================================== --- knot-1.6.8.orig/src/libknot/tsig-op.c +++ knot-1.6.8/src/libknot/tsig-op.c @@ -111,43 +111,81 @@ static int knot_tsig_compute_digest(cons dbg_tsig_detail("Wire for signing is %zu bytes long.\n", wire_len); /* Compute digest. */ +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + HMAC_CTX *ctx; + ctx = HMAC_CTX_new(); +#else HMAC_CTX ctx; +#endif switch (tsig_alg) { case KNOT_TSIG_ALG_HMAC_MD5: +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + HMAC_Init_ex(ctx, key->secret.data, key->secret.size, EVP_md5(), NULL); +#else HMAC_Init(&ctx, key->secret.data, key->secret.size, EVP_md5()); +#endif break; case KNOT_TSIG_ALG_HMAC_SHA1: +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + HMAC_Init_ex(ctx, key->secret.data, key->secret.size, EVP_sha1(), NULL); +#else HMAC_Init(&ctx, key->secret.data, key->secret.size, EVP_sha1()); +#endif break; case KNOT_TSIG_ALG_HMAC_SHA224: +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + HMAC_Init_ex(ctx, key->secret.data, key->secret.size, EVP_sha224(), NULL); +#else HMAC_Init(&ctx, key->secret.data, key->secret.size, EVP_sha224()); +#endif break; case KNOT_TSIG_ALG_HMAC_SHA256: +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + HMAC_Init_ex(ctx, key->secret.data, key->secret.size, EVP_sha256(), NULL); +#else HMAC_Init(&ctx, key->secret.data, key->secret.size, EVP_sha256()); +#endif break; case KNOT_TSIG_ALG_HMAC_SHA384: +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + HMAC_Init_ex(ctx, key->secret.data, key->secret.size, EVP_sha384(), NULL); +#else HMAC_Init(&ctx, key->secret.data, key->secret.size, EVP_sha384()); +#endif break; case KNOT_TSIG_ALG_HMAC_SHA512: +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + HMAC_Init_ex(ctx, key->secret.data, key->secret.size, EVP_sha512(), NULL); +#else HMAC_Init(&ctx, key->secret.data, key->secret.size, EVP_sha512()); +#endif break; default: return KNOT_ENOTSUP; } /* switch */ unsigned tmp_dig_len = *digest_len; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + HMAC_Update(ctx, (const unsigned char *)wire, wire_len); + HMAC_Final(ctx, digest, &tmp_dig_len); +#else HMAC_Update(&ctx, (const unsigned char *)wire, wire_len); HMAC_Final(&ctx, digest, &tmp_dig_len); +#endif *digest_len = tmp_dig_len; - HMAC_CTX_cleanup(&ctx); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + HMAC_CTX_free(ctx); +#else + HMAC_CTX_cleanup(&ctx); +#endif return KNOT_EOK; } Index: knot-1.6.8/src/libknot/dnssec/sign.c =================================================================== --- knot-1.6.8.orig/src/libknot/dnssec/sign.c +++ knot-1.6.8/src/libknot/dnssec/sign.c @@ -307,6 +307,19 @@ static int rsa_create_pkey(const knot_ke return KNOT_ENOMEM; } +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + BIGNUM *rsa_n = binary_to_bn(¶ms->modulus); + BIGNUM *rsa_e = binary_to_bn(¶ms->public_exponent); + BIGNUM *rsa_d = binary_to_bn(¶ms->private_exponent); + BIGNUM *rsa_p = binary_to_bn(¶ms->prime_one); + BIGNUM *rsa_q = binary_to_bn(¶ms->prime_two); + BIGNUM *rsa_dmp1 = binary_to_bn(¶ms->exponent_one); + BIGNUM *rsa_dmq1 = binary_to_bn(¶ms->exponent_two); + BIGNUM *rsa_iqmp = binary_to_bn(¶ms->coefficient); + RSA_set0_key(rsa, rsa_n, rsa_e, rsa_d); + RSA_set0_factors(rsa, rsa_p, rsa_q); + RSA_set0_crt_params(rsa, rsa_dmp1, rsa_dmq1, rsa_iqmp); +#else rsa->n = binary_to_bn(¶ms->modulus); rsa->e = binary_to_bn(¶ms->public_exponent); rsa->d = binary_to_bn(¶ms->private_exponent); @@ -315,6 +328,7 @@ static int rsa_create_pkey(const knot_ke rsa->dmp1 = binary_to_bn(¶ms->exponent_one); rsa->dmq1 = binary_to_bn(¶ms->exponent_two); rsa->iqmp = binary_to_bn(¶ms->coefficient); +#endif if (RSA_check_key(rsa) != 1) { RSA_free(rsa); @@ -345,11 +359,21 @@ static int dsa_create_pkey(const knot_ke return KNOT_ENOMEM; } +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + BIGNUM *dsa_p = binary_to_bn(¶ms->prime); + BIGNUM *dsa_q = binary_to_bn(¶ms->subprime); + BIGNUM *dsa_g = binary_to_bn(¶ms->base); + BIGNUM *dsa_priv_key = binary_to_bn(¶ms->private_value); + BIGNUM *dsa_pub_key = binary_to_bn(¶ms->public_value); + DSA_set0_pqg(dsa, dsa_p, dsa_q, dsa_g); + DSA_set0_key(dsa, dsa_pub_key, dsa_priv_key); +#else dsa->p = binary_to_bn(¶ms->prime); dsa->q = binary_to_bn(¶ms->subprime); dsa->g = binary_to_bn(¶ms->base); dsa->priv_key = binary_to_bn(¶ms->private_value); dsa->pub_key = binary_to_bn(¶ms->public_value); +#endif if (!EVP_PKEY_assign_DSA(key, dsa)) { DSA_free(dsa); @@ -402,6 +426,12 @@ static int dsa_sign_write(const knot_dns return KNOT_ENOMEM; } +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + const BIGNUM **decoded_r; + const BIGNUM **decoded_s; + DSA_SIG_get0(decoded, decoded_r, decoded_s); +#endif + const uint8_t *decode_scan = raw_signature; if (!d2i_DSA_SIG(&decoded, &decode_scan, (long)raw_size)) { DSA_SIG_free(decoded); @@ -415,13 +445,23 @@ static int dsa_sign_write(const knot_dns // T (1 byte), R (20 bytes), S (20 bytes) uint8_t *signature_t = signature; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + uint8_t *signature_r = signature + 21 - BN_num_bytes(*decoded_r); + uint8_t *signature_s = signature + 41 - BN_num_bytes(*decoded_s); +#else uint8_t *signature_r = signature + 21 - BN_num_bytes(decoded->r); uint8_t *signature_s = signature + 41 - BN_num_bytes(decoded->s); +#endif memset(signature, '\0', output_size); *signature_t = 0x00; //! \todo Take from public key. Only recommended. +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + BN_bn2bin(*decoded_r, signature_r); + BN_bn2bin(*decoded_s, signature_s); +#else BN_bn2bin(decoded->r, signature_r); BN_bn2bin(decoded->s, signature_s); +#endif DSA_SIG_free(decoded); @@ -453,8 +493,15 @@ static int dsa_sign_verify(const knot_dn return KNOT_ENOMEM; } +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + BIGNUM **decoded_r; + BIGNUM **decoded_s; + DSA_SIG_get0(decoded, (const BIGNUM **)decoded_r, (const BIGNUM **)decoded_s); + DSA_SIG_set0(decoded, BN_bin2bn(signature_r, 20, *decoded_r), BN_bin2bn(signature_s, 20, *decoded_s)); +#else decoded->r = BN_bin2bn(signature_r, 20, decoded->r); decoded->s = BN_bin2bn(signature_s, 20, decoded->s); +#endif size_t max_size = EVP_PKEY_size(context->key->data->private_key); uint8_t *raw_signature = malloc(max_size); @@ -631,6 +678,12 @@ static int ecdsa_sign_write(const knot_d return KNOT_ENOMEM; } +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + const BIGNUM **decoded_r; + const BIGNUM **decoded_s; + ECDSA_SIG_get0(decoded, decoded_r, decoded_s); +#endif + const uint8_t *decode_scan = raw_signature; if (!d2i_ECDSA_SIG(&decoded, &decode_scan, (long)raw_size)) { ECDSA_SIG_free(decoded); @@ -640,6 +693,7 @@ static int ecdsa_sign_write(const knot_d free(raw_signature); + // convert to format defined by RFC 6605 (EC DSA for DNSSEC) // R and S parameters are encoded in halves of the output signature @@ -648,12 +702,18 @@ static int ecdsa_sign_write(const knot_d size_t param_size = output_size / 2; memset(signature, '\0', output_size); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + signature_r = signature + param_size - BN_num_bytes(*decoded_r); + signature_s = signature + param_size - BN_num_bytes(*decoded_s); + BN_bn2bin(*decoded_r, signature_r); + BN_bn2bin(*decoded_s, signature_s); +#else signature_r = signature + param_size - BN_num_bytes(decoded->r); signature_s = signature + 2 * param_size - BN_num_bytes(decoded->s); BN_bn2bin(decoded->r, signature_r); BN_bn2bin(decoded->s, signature_s); - +#endif ECDSA_SIG_free(decoded); return KNOT_EOK; @@ -684,8 +744,15 @@ static int ecdsa_sign_verify(const knot_ return KNOT_ENOMEM; } +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + BIGNUM **decoded_r; + BIGNUM **decoded_s; + ECDSA_SIG_get0(decoded, (const BIGNUM **)decoded_r, (const BIGNUM **)decoded_s); + ECDSA_SIG_set0(decoded, BN_bin2bn(signature_r, parameter_size, *decoded_r), BN_bin2bn(signature_s, parameter_size, *decoded_s)); +#else decoded->r = BN_bin2bn(signature_r, parameter_size, decoded->r); decoded->s = BN_bin2bn(signature_s, parameter_size, decoded->s); +#endif size_t max_size = EVP_PKEY_size(context->key->data->private_key); uint8_t *raw_signature = malloc(max_size); Index: knot-1.6.8/src/libknot/dnssec/crypto.c =================================================================== --- knot-1.6.8.orig/src/libknot/dnssec/crypto.c +++ knot-1.6.8/src/libknot/dnssec/crypto.c @@ -123,10 +123,14 @@ static unsigned long openssl_threadid_cb /*- pluggable engines -------------------------------------------------------*/ #if KNOT_ENABLE_GOST && !defined(LIBRESSL_VERSION_NUMBER) +#if OPENSSL_VERSION_NUMBER < 0x10100000L #define KNOT_LOAD_GOST 1 #else #undef KNOT_LOAD_GOST #endif +#else + #undef KNOT_LOAD_GOST +#endif #if KNOT_LOAD_GOST Index: knot-1.6.8/src/libknot/rrtype/nsec3.c =================================================================== --- knot-1.6.8.orig/src/libknot/rrtype/nsec3.c +++ knot-1.6.8/src/libknot/rrtype/nsec3.c @@ -47,20 +47,33 @@ static int nsec3_sha1(const uint8_t *sal return KNOT_EINVAL; } +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + EVP_MD_CTX *mdctx; + mdctx = EVP_MD_CTX_new(); +#else EVP_MD_CTX mdctx; EVP_MD_CTX_init(&mdctx); +#endif unsigned int result_size = 0; uint8_t *result = (uint8_t *)malloc(EVP_MD_size(EVP_sha1())); if (result == NULL) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + EVP_MD_CTX_free(mdctx); +#else EVP_MD_CTX_cleanup(&mdctx); +#endif return KNOT_ENOMEM; } uint8_t *data_low = knot_strtolower(data, data_size); if (data_low == NULL) { free(result); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + EVP_MD_CTX_free(mdctx); +#else EVP_MD_CTX_cleanup(&mdctx); +#endif return KNOT_ENOMEM; } @@ -68,15 +81,27 @@ static int nsec3_sha1(const uint8_t *sal unsigned int in_size = data_size; for (int i = 0; i <= iterations; i++) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + EVP_DigestInit_ex(mdctx, EVP_sha1(), NULL); +#else EVP_DigestInit_ex(&mdctx, EVP_sha1(), NULL); - +#endif int success_ops = - EVP_DigestUpdate(&mdctx, in, in_size) + +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + EVP_DigestUpdate(mdctx, in, in_size) + + EVP_DigestUpdate(mdctx, salt, salt_length) + + EVP_DigestFinal_ex(mdctx, result, &result_size); +#else + EVP_DigestUpdate(&mdctx, in, in_size) + EVP_DigestUpdate(&mdctx, salt, salt_length) + EVP_DigestFinal_ex(&mdctx, result, &result_size); - +#endif if (success_ops != 3) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + EVP_MD_CTX_free(mdctx); +#else EVP_MD_CTX_cleanup(&mdctx); +#endif free(result); free(data_low); return KNOT_NSEC3_ECOMPUTE_HASH; @@ -85,8 +110,11 @@ static int nsec3_sha1(const uint8_t *sal in = result; in_size = result_size; } - +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + EVP_MD_CTX_free(mdctx); +#else EVP_MD_CTX_cleanup(&mdctx); +#endif free(data_low); *digest = result;
