From 5cb6d9b484250bf77a12d19c053be2c536ce0313 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jan 11 2022 18:10:20 +0000 Subject: import ldns-1.7.1-8.el9 --- diff --git a/SOURCES/ldns-1.7.1-openssl-build.patch b/SOURCES/ldns-1.7.1-openssl-build.patch new file mode 100644 index 0000000..41834ad --- /dev/null +++ b/SOURCES/ldns-1.7.1-openssl-build.patch @@ -0,0 +1,369 @@ +--- a/ldns-1.7.1/acx_nlnetlabs.m4 ++++ b/ldns-1.7.1/acx_nlnetlabs.m4 +@@ -2,7 +2,15 @@ + # Copyright 2009, Wouter Wijngaards, NLnet Labs. + # BSD licensed. + # +-# Version 34 ++# Version 41 ++# 2021-07-30 fix for openssl use of lib64 directory. ++# 2021-06-14 fix nonblocking test to use host instead of target for mingw test. ++# 2021-05-17 fix nonblocking socket test from grep on mingw32 to mingw for ++# 64bit compatibility. ++# 2021-03-24 fix ACX_FUNC_DEPRECATED to use CPPFLAGS and CFLAGS. ++# 2021-01-05 fix defun for aclocal ++# 2021-01-05 autoconf 2.70 autoupdate and fixes, no AC_TRY_COMPILE ++# 2020-08-24 Use EVP_sha256 instead of HMAC_Update (for openssl-3.0.0). + # 2016-03-21 Check -ldl -pthread for libcrypto for ldns and openssl 1.1.0. + # 2016-03-21 Use HMAC_Update instead of HMAC_CTX_Init (for openssl-1.1.0). + # 2016-01-04 -D_DEFAULT_SOURCE defined with -D_BSD_SOURCE for Linux glibc 2.20 +@@ -446,15 +454,12 @@ + AC_MSG_CHECKING(whether the C compiler (${CC-cc}) accepts the "format" attribute) + AC_CACHE_VAL(ac_cv_c_format_attribute, + [ac_cv_c_format_attribute=no +-AC_TRY_COMPILE( +-[#include ++AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include + void f (char *format, ...) __attribute__ ((format (printf, 1, 2))); + void (*pf) (char *format, ...) __attribute__ ((format (printf, 1, 2))); +-], [ ++]], [[ + f ("%s", "str"); +-], +-[ac_cv_c_format_attribute="yes"], +-[ac_cv_c_format_attribute="no"]) ++]])],[ac_cv_c_format_attribute="yes"],[ac_cv_c_format_attribute="no"]) + ]) + + AC_MSG_RESULT($ac_cv_c_format_attribute) +@@ -483,14 +488,11 @@ + AC_MSG_CHECKING(whether the C compiler (${CC-cc}) accepts the "unused" attribute) + AC_CACHE_VAL(ac_cv_c_unused_attribute, + [ac_cv_c_unused_attribute=no +-AC_TRY_COMPILE( +-[#include ++AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include + void f (char *u __attribute__((unused))); +-], [ ++]], [[ + f ("x"); +-], +-[ac_cv_c_unused_attribute="yes"], +-[ac_cv_c_unused_attribute="no"]) ++]])],[ac_cv_c_unused_attribute="yes"],[ac_cv_c_unused_attribute="no"]) + ]) + + dnl Setup ATTR_UNUSED config.h parts. +@@ -547,7 +549,7 @@ + dnl because libtools 'AC_REQUIRE' names are right after this one, before + dnl this function contents. + AC_REQUIRE([ACX_LIBTOOL_C_PRE]) +-AC_PROG_LIBTOOL ++LT_INIT + ]) + + dnl Detect if u_char type is defined, otherwise define it. +@@ -646,7 +648,7 @@ + if test x_$withval != x_no; then + AC_MSG_CHECKING(for SSL) + if test x_$withval = x_ -o x_$withval = x_yes; then +- withval="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/local/opt/openssl /usr/sfw /usr" ++ withval="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr" + fi + for dir in $withval; do + ssldir="$dir" +@@ -668,22 +670,28 @@ + HAVE_SSL=yes + dnl assume /usr is already in the lib and dynlib paths. + if test "$ssldir" != "/usr" -a "$ssldir" != ""; then +- LDFLAGS="$LDFLAGS -L$ssldir/lib" +- LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib" +- ACX_RUNTIME_PATH_ADD([$ssldir/lib]) ++ if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then ++ LDFLAGS="$LDFLAGS -L$ssldir/lib64" ++ LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib64" ++ ACX_RUNTIME_PATH_ADD([$ssldir/lib64]) ++ else ++ LDFLAGS="$LDFLAGS -L$ssldir/lib" ++ LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib" ++ ACX_RUNTIME_PATH_ADD([$ssldir/lib]) ++ fi + fi + +- AC_MSG_CHECKING([for HMAC_Update in -lcrypto]) ++ AC_MSG_CHECKING([for EVP_sha256 in -lcrypto]) + LIBS="$LIBS -lcrypto" + LIBSSL_LIBS="$LIBSSL_LIBS -lcrypto" +- AC_TRY_LINK(, [ +- int HMAC_Update(void); +- (void)HMAC_Update(); +- ], [ ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[ ++ int EVP_sha256(void); ++ (void)EVP_sha256(); ++ ]])],[ + AC_MSG_RESULT(yes) +- AC_DEFINE([HAVE_HMAC_UPDATE], 1, +- [If you have HMAC_Update]) +- ], [ ++ AC_DEFINE([HAVE_EVP_SHA256], 1, ++ [If you have EVP_sha256]) ++ ],[ + AC_MSG_RESULT(no) + # check if -lwsock32 or -lgdi32 are needed. + BAKLIBS="$LIBS" +@@ -691,12 +699,12 @@ + LIBS="$LIBS -lgdi32 -lws2_32" + LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32 -lws2_32" + AC_MSG_CHECKING([if -lcrypto needs -lgdi32]) +- AC_TRY_LINK([], [ +- int HMAC_Update(void); +- (void)HMAC_Update(); +- ],[ +- AC_DEFINE([HAVE_HMAC_UPDATE], 1, +- [If you have HMAC_Update]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[ ++ int EVP_sha256(void); ++ (void)EVP_sha256(); ++ ]])],[ ++ AC_DEFINE([HAVE_EVP_SHA256], 1, ++ [If you have EVP_sha256]) + AC_MSG_RESULT(yes) + ],[ + AC_MSG_RESULT(no) +@@ -705,12 +713,12 @@ + LIBS="$LIBS -ldl" + LIBSSL_LIBS="$LIBSSL_LIBS -ldl" + AC_MSG_CHECKING([if -lcrypto needs -ldl]) +- AC_TRY_LINK([], [ +- int HMAC_Update(void); +- (void)HMAC_Update(); +- ],[ +- AC_DEFINE([HAVE_HMAC_UPDATE], 1, +- [If you have HMAC_Update]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[ ++ int EVP_sha256(void); ++ (void)EVP_sha256(); ++ ]])],[ ++ AC_DEFINE([HAVE_EVP_SHA256], 1, ++ [If you have EVP_sha256]) + AC_MSG_RESULT(yes) + ],[ + AC_MSG_RESULT(no) +@@ -719,12 +727,12 @@ + LIBS="$LIBS -ldl -pthread" + LIBSSL_LIBS="$LIBSSL_LIBS -ldl -pthread" + AC_MSG_CHECKING([if -lcrypto needs -ldl -pthread]) +- AC_TRY_LINK([], [ +- int HMAC_Update(void); +- (void)HMAC_Update(); +- ],[ +- AC_DEFINE([HAVE_HMAC_UPDATE], 1, +- [If you have HMAC_Update]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[ ++ int EVP_sha256(void); ++ (void)EVP_sha256(); ++ ]])],[ ++ AC_DEFINE([HAVE_EVP_SHA256], 1, ++ [If you have EVP_sha256]) + AC_MSG_RESULT(yes) + ],[ + AC_MSG_RESULT(no) +@@ -749,9 +757,8 @@ + dnl + AC_DEFUN([ACX_WITH_SSL], + [ +-AC_ARG_WITH(ssl, AC_HELP_STRING([--with-ssl=pathname], +- [enable SSL (will check /usr/local/ssl +- /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/local/opt/openssl /usr/sfw /usr)]),[ ++AC_ARG_WITH(ssl, AS_HELP_STRING([--with-ssl=pathname],[enable SSL (will check /usr/local/ssl ++ /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr)]),[ + ],[ + withval="yes" + ]) +@@ -768,9 +775,8 @@ + dnl + AC_DEFUN([ACX_WITH_SSL_OPTIONAL], + [ +-AC_ARG_WITH(ssl, AC_HELP_STRING([--with-ssl=pathname], +- [enable SSL (will check /usr/local/ssl +- /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/local/opt/openssl /usr/sfw /usr)]),[ ++AC_ARG_WITH(ssl, AS_HELP_STRING([--with-ssl=pathname],[enable SSL (will check /usr/local/ssl ++ /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr)]),[ + ],[ + withval="yes" + ]) +@@ -893,7 +899,7 @@ + [ + echo '$3' >conftest.c + echo 'void f(){ $2 }' >>conftest.c +-if test -z "`$CC -c conftest.c 2>&1 | grep deprecated`"; then ++if test -z "`$CC $CPPFLAGS $CFLAGS -c conftest.c 2>&1 | grep -e deprecated -e unavailable`"; then + eval "cv_cc_deprecated_$cache=no" + else + eval "cv_cc_deprecated_$cache=yes" +@@ -919,7 +925,7 @@ + AC_DEFUN([ACX_CHECK_NONBLOCKING_BROKEN], + [ + AC_MSG_CHECKING([if nonblocking sockets work]) +-if echo $target | grep mingw32 >/dev/null; then ++if echo $host | grep mingw >/dev/null; then + AC_MSG_RESULT([no (windows)]) + AC_DEFINE([NONBLOCKING_IS_BROKEN], 1, [Define if the network stack does not fully support nonblocking io (causes lower performance).]) + else +@@ -1061,7 +1067,7 @@ + AC_DEFUN([ACX_MKDIR_ONE_ARG], + [ + AC_MSG_CHECKING([whether mkdir has one arg]) +-AC_TRY_COMPILE([ ++AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ + #include + #include + #ifdef HAVE_WINSOCK2_H +@@ -1070,14 +1076,12 @@ + #ifdef HAVE_SYS_STAT_H + #include + #endif +-], [ ++]], [[ + (void)mkdir("directory"); +-], +-AC_MSG_RESULT(yes) ++]])],[AC_MSG_RESULT(yes) + AC_DEFINE(MKDIR_HAS_ONE_ARG, 1, [Define if mkdir has one argument.]) +-, +-AC_MSG_RESULT(no) +-) ++],[AC_MSG_RESULT(no) ++]) + ])dnl end of ACX_MKDIR_ONE_ARG + + dnl Check for ioctlsocket function. works on mingw32 too. + +--- a/ldns-1.7.1/dnssec_sign.c ++++ b/ldns-1.7.1/dnssec_sign.c + +@@ -413,11 +416,14 @@ + { + EC_KEY* ec; + const EC_GROUP* g; +-#ifdef HAVE_EVP_PKEY_BASE_ID ++#ifdef HAVE_EVP_PKEY_GET_BASE_ID ++ if(EVP_PKEY_get_base_id(pkey) != EVP_PKEY_EC) ++ return 0; ++#elif defined(HAVE_EVP_PKEY_BASE_ID) + if(EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) + return 0; + #else +- if(EVP_PKEY_type(key->type) != EVP_PKEY_EC) ++ if(EVP_PKEY_type(pkey->type) != EVP_PKEY_EC) + return 0; + #endif + ec = EVP_PKEY_get1_EC_KEY(pkey); +@@ -529,7 +535,9 @@ + #ifdef USE_DSA + #ifndef S_SPLINT_S + /* unfortunately, OpenSSL output is different from DNS DSA format */ +-# ifdef HAVE_EVP_PKEY_BASE_ID ++# ifdef HAVE_EVP_PKEY_GET_BASE_ID ++ if (EVP_PKEY_get_base_id(key) == EVP_PKEY_DSA) { ++# elif defined(HAVE_EVP_PKEY_BASE_ID) + if (EVP_PKEY_base_id(key) == EVP_PKEY_DSA) { + # else + if (EVP_PKEY_type(key->type) == EVP_PKEY_DSA) { +@@ -541,7 +549,9 @@ + #endif + #if defined(USE_ECDSA) + if( +-# ifdef HAVE_EVP_PKEY_BASE_ID ++# ifdef HAVE_EVP_PKEY_GET_BASE_ID ++ EVP_PKEY_get_base_id(key) ++# elif defined(HAVE_EVP_PKEY_BASE_ID) + EVP_PKEY_base_id(key) + # else + EVP_PKEY_type(key->type) + +--- a/ldns-1.7.1/configure.ac ++++ b/ldns-1.7.1/configure.ac +@@ -332,7 +356,8 @@ + else + AC_MSG_RESULT([no]) + fi +-AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512 ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id DSA_SIG_set0 DSA_SIG_get0 EVP_dss1 DSA_get0_pqg DSA_get0_key OPENSSL_init_ssl OPENSSL_init_crypto ERR_load_crypto_strings]) ++AC_CHECK_HEADERS([openssl/ssl.h openssl/evp.h openssl/engine.h openssl/conf.h]) ++AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512 EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id DSA_SIG_set0 DSA_SIG_get0 EVP_dss1 DSA_get0_pqg DSA_get0_key EVP_cleanup ENGINE_cleanup ENGINE_free CRYPTO_cleanup_all_ex_data ERR_free_strings CONF_modules_unload OPENSSL_init_ssl OPENSSL_init_crypto ERR_load_crypto_strings CRYPTO_memcmp EVP_PKEY_get_base_id]) + + # for macosx, see if glibtool exists and use that + # BSD's need to know the version... +@@ -355,21 +380,33 @@ + ;; + esac + +-# check wether gost also works ++# check whether gost also works + AC_DEFUN([AC_CHECK_GOST_WORKS], + [AC_REQUIRE([AC_PROG_CC]) + AC_MSG_CHECKING([if GOST works]) + if test c${cross_compiling} = cno; then + BAKCFLAGS="$CFLAGS" + if test -n "$ssldir"; then ++ if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then ++ CFLAGS="$CFLAGS -Wl,-rpath,$ssldir/lib64" ++ else + CFLAGS="$CFLAGS -Wl,-rpath,$ssldir/lib" ++ fi + fi + AC_RUN_IFELSE([AC_LANG_SOURCE([[ + #include ++#ifdef HAVE_OPENSSL_SSL_H + #include ++#endif ++#ifdef HAVE_OPENSSL_EVP_H + #include ++#endif ++#ifdef HAVE_OPENSSL_ENGINE_H + #include ++#endif ++#ifdef HAVE_OPENSSL_CONF_H + #include ++#endif + /* routine to load gost (from sldns) */ + int load_gost_id(void) + { +@@ -464,7 +501,7 @@ + AC_CHECK_FUNC(EVP_PKEY_set_type_str, [],[AC_MSG_ERROR([OpenSSL >= 1.0.0 is needed for GOST support or rerun with --disable-gost])]) + AC_CHECK_FUNC(EC_KEY_new, [], [AC_MSG_ERROR([No ECC functions found in OpenSSL: please upgrade OpenSSL or rerun with --disable-gost])]) + AC_CHECK_GOST_WORKS +- AC_ARG_ENABLE(gost-anyway, AC_HELP_STRING([--enable-gost-anyway], [Enable GOST even whithout a GOST engine installed])) ++ AC_ARG_ENABLE(gost-anyway, AC_HELP_STRING([--enable-gost-anyway], [Enable GOST even without a GOST engine installed])) + if test "$ac_cv_c_gost_works" != "no" -o "$enable_gost_anyway" = "yes"; then + if test "$ac_cv_c_gost_works" = "no"; then + AC_MSG_RESULT([no, but compiling with GOST support anyway]) +@@ -584,9 +621,11 @@ + AC_SUBST(ldns_build_config_use_dane_ta_usage, 0) + ;; + *) dnl default +- LIBS="-lssl $LIBS" ++ danetmpLIBS="$LIBS" ++ LIBS="-lssl -lcrypto $LIBS" + AC_CHECK_FUNC(SSL_get0_dane, [], [AC_MSG_ERROR([OpenSSL does not support offline DANE verification (Needed for the DANE-TA usage type). Please upgrade OpenSSL to version >= 1.1.0 or rerun with --disable-dane-verify or --disable-dane-ta-usage])]) + LIBSSL_LIBS="-lssl $LIBSSL_LIBS" ++ LIBS="$danetmpLIBS" + AC_SUBST(ldns_build_config_use_dane_ta_usage, 1) + AC_DEFINE_UNQUOTED([USE_DANE_TA_USAGE], [1], [Define this to enable DANE-TA usage type support.]) + ;; +@@ -658,7 +697,12 @@ + AC_SUBST(LIBSSL_LDFLAGS) + AC_SUBST(LIBSSL_LIBS) + if test "x$HAVE_SSL" = "xyes"; then +-AC_SUBST(LIBSSL_SSL_LIBS, ["-lssl $LIBSSL_LIBS"]) ++ if echo "$LIBSSL_LIBS" | grep -- "-lssl" >/dev/null 2>&1; then ++ LIBSSL_SSL_LIBS="$LIBSSL_LIBS" ++ else ++ LIBSSL_SSL_LIBS="-lssl $LIBSSL_LIBS" ++ fi ++ AC_SUBST(LIBSSL_SSL_LIBS, "$LIBSSL_SSL_LIBS") + fi + CPPFLAGS=$tmp_CPPFLAGS + LDFLAGS=$tmp_LDFLAGS + diff --git a/SPECS/ldns.spec b/SPECS/ldns.spec index d868052..25a1579 100644 --- a/SPECS/ldns.spec +++ b/SPECS/ldns.spec @@ -18,7 +18,7 @@ # GOST is not allowed in Fedora/RHEL due to legal reasons (not NIST ECC) %bcond_with gost -%{?!snapshot: %global snapshot 0} +%{?!snapshot: %global snapshot 1} %if %{with python2} || %{with python3} %{?filter_setup: @@ -39,7 +39,7 @@ Summary: Low-level DNS(SEC) library with API Name: ldns Version: 1.7.1 -Release: 7%{?dist} +Release: 8%{?dist} License: BSD Url: https://www.nlnetlabs.nl/%{name}/ @@ -48,6 +48,8 @@ Source1: https://www.nlnetlabs.nl/downloads/%{name}/%{name}-%{version}.tar.gz.as # Willem Toorop, https://www.nlnetlabs.nl/people/ Source2: https://keys.openpgp.org/vks/v1/by-fingerprint/DC34EE5DB2417BCC151E5100E5F8F8212F77A498#/wtoorop.asc Patch1: ldns-1.7.0-multilib.patch +# 2008445 - https://github.com/NLnetLabs/ldns/commit/12ab6f7a408cd99e9b43b7db86724c2ee66bc36e +Patch2: ldns-1.7.1-openssl-build.patch # Only needed for builds from svn snapshot %if 0%{snapshot} @@ -349,6 +351,9 @@ rm -rf doc/man %doc doc %changelog +* Wed Oct 13 2021 Richard Lescak - 1.7.1-8 +- Added patch for failing rebuild with OpenSSL 3.0.0 (#2008445) + * Mon Aug 09 2021 Mohan Boddu - 1.7.1-7 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688