Maintained by: NLnet Labs

[Unbound-users] Compile ldns 1.6.16/unbound 1.4.19 on Solaris 10.

Willem Toorop
Fri Jan 11 11:13:03 CET 2013


Hi Simon-Bernard,

X509_check_ca became available in openssl-0.9.7f. I will alter ldns
configure such that it will disable dane altogether when X509_check_ca
is unavailable. I will supply you with a patch when I have done it.
Alternatively you could try to compile with openssl-0.9.7f or higher.

Best regards,

-- Willem
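Willem's proposed configure-time check, as an added example that is not ldns's own configure script: a POSIX sh probe that test-links a call to X509_check_ca against libcrypto and turns the answer into build flags. The compiler name, the extra flags and the DANE macro names are assumptions, not ldns's real ones.

```shell
#!/bin/sh
# Added example (not from ldns): probe whether the host OpenSSL exports
# X509_check_ca (present from openssl-0.9.7f on), the way a configure check
# would, and derive build flags from the result.
probe_x509_check_ca() {
    # $1: compiler to use (assumed), $2: extra compiler/linker flags (assumed),
    # e.g. "-I/usr/sfw/include -L/usr/sfw/lib" on a Solaris 10 host.
    cc_bin="${1:-cc}"
    extra="${2:-}"
    tmp=$(mktemp -d 2>/dev/null || echo "/tmp/x509probe.$$")
    mkdir -p "$tmp"
    # The conftest is only linked, never run, so the NULL argument is harmless.
    cat > "$tmp/conftest.c" <<'EOF'
#include <openssl/x509v3.h>
int main(void) { X509 *c = 0; return X509_check_ca(c) ? 0 : 1; }
EOF
    if command -v "$cc_bin" >/dev/null 2>&1 &&
       "$cc_bin" $extra -o "$tmp/conftest" "$tmp/conftest.c" -lcrypto >/dev/null 2>&1; then
        result=yes      # symbol resolved: DANE can stay enabled
    else
        result=no       # no compiler, or the link failed: treat as unavailable
    fi
    rm -rf "$tmp"
    echo "$result"
}

# Map the probe onto the build: keep DANE only when the symbol exists.
# Macro names here are hypothetical; ldns's real config.h names may differ.
dane_cflags() {
    if [ "$(probe_x509_check_ca "$1" "$2")" = yes ]; then
        echo "-DUSE_DANE -DHAVE_X509_CHECK_CA"
    else
        echo "-DDISABLE_DANE"
    fi
}
```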

On 11-01-13 04:41, Simon-Bernard Drolet wrote:
> Hi again,
> 
> Sorry to get back at this... I wrongly said it was all ok...
> 
> I did the change, recompile, and got it working, but on Solaris 11...
> Not 10...
> 
> So on Solaris 11, with these options :
> 
> ./configure --prefix=/opt/unbound --disable-gost --disable-sha2
> --disable-ecdsa
> 
> and the fixed #ifdefs in dane.c. It works... (Compiles, runs, all ok).
> 
> 
> But on Solaris 10, with the same options to configure, I get an error
> for X509_check_ca used in dane.c :
> 
> ./libtool --tag=CC --quiet --mode=compile cc -I. -I. -DHAVE_CONFIG_H -O2
> -g -xc99 -D__EXTENSIONS__ -D_BSD_SOURCE -D_POSIX_C_SOURCE=200112
> -D_XOPEN_SOURCE=600 -D_ALL_SOURCE -I/usr/sfw/include -c ./dane.c -o dane.lo
> "./dane.c", line 295: warning: implicit function declaration: X509_check_ca
> 
> and at the end:
> 
> ./libtool --tag=CC --quiet --mode=link cc -O2 -g -xc99 -D__EXTENSIONS__
> -D_BSD_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600
> -D_ALL_SOURCE  -lnsl -lsocket  -version-number 1:6:16 -no-undefined
> -L/usr/sfw/lib -lcrypto -export-symbols-regex
> '^(ldns_|b32_[pn]to[pn]|mktime_from_utc|qsort_rr_compare_nsec3)' -o
> libldns.la buffer.lo dane.lo dname.lo dnssec.lo dnssec_sign.lo
> dnssec_verify.lo dnssec_zone.lo duration.lo error.lo higher.lo
> host2str.lo host2wire.lo keys.lo net.lo packet.lo parse.lo rbtree.lo
> rdata.lo resolver.lo rr.lo rr_functions.lo sha1.lo sha2.lo str2host.lo
> tsig.lo update.lo util.lo wire2host.lo zone.lo  compat/b64_pton.lo
> compat/b64_ntop.lo compat/b32_pton.lo compat/b32_ntop.lo
> compat/timegm.lo -rpath /opt/unbound/lib
> Undefined            first referenced
>  symbol                  in file
> X509_check_ca                       .libs/dane.o
> ld: fatal: symbol referencing errors. No output written to
> .libs/libldns.so.1.6.16
> gmake: *** [libldns.la] Error 2
> 
> So, again, any help, some ifdef missing?
> 
> In dane.c, I can see two calls to X509_check_ca,
> 
>    281    /* Pop n+1 certs and return the last popped.
>    282     */
>    283    static ldns_status
>    284    ldns_dane_get_nth_cert_from_validation_chain(
>    285            X509** cert, STACK_OF(X509)* chain, int n, bool ca)
>    286    {
>    287        if (n >= sk_X509_num(chain) || n < 0) {
>    288            return LDNS_STATUS_DANE_OFFSET_OUT_OF_RANGE;
>    289        }
>    290        *cert = sk_X509_pop(chain);
>    291        while (n-- > 0) {
>    292            X509_free(*cert);
>    293            *cert = sk_X509_pop(chain);
>    294        }
>    295        if (ca && ! X509_check_ca(*cert)) {
>    296            return LDNS_STATUS_DANE_NON_CA_CERTIFICATE;
>    297        }
>    298        return LDNS_STATUS_OK;
>    299    }
> 
> And:
> 
>    555    /* Return whether any certificate from the chain with selector/matching_type
>    556     * matches data.
>    557     * ca should be true if the certificate has to be a CA certificate too.
>    558     */
>    559    static ldns_status
>    560    ldns_dane_match_any_cert_with_data(STACK_OF(X509)* chain,
>    561            ldns_tlsa_selector    selector,
>    562            ldns_tlsa_matching_type matching_type,
>    563            ldns_rdf* data, bool ca)
>    564    {
>    565        ldns_status s = LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH;
>    566        size_t n, i;
>    567        X509* cert;
>    568
>    569        n = (size_t)sk_X509_num(chain);
>    570        for (i = 0; i < n; i++) {
>    571            cert = sk_X509_pop(chain);
>    572            if (! cert) {
>    573                s = LDNS_STATUS_SSL_ERR;
>    574                break;
>    575            }
>    576            s = ldns_dane_match_cert_with_data(cert,
>    577                    selector, matching_type, data);
>    578            if (ca && s == LDNS_STATUS_OK && ! X509_check_ca(cert)) {
>    579                s = LDNS_STATUS_DANE_NON_CA_CERTIFICATE;
>    580            }
>    581            X509_free(cert);
>    582            if (s != LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH) {
>    583                break;
>    584            }
>    585            /* when s == LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH,
>    586             * try to match the next certificate
>    587             */
>    588        }
>    589        return s;
>    590    }
>    591
> 
> 
> Thanks.
> 
> On 12/17/12 08:23 PM, Simon-Bernard Drolet wrote:
>> Hi Wouter,
>>
>> Thanks.
>>
>> This is compiling now, thanks.
>>
>> A simple ifdef!
>>
>>> Hi Simon-Bernard,
>>>
>>> On 12/15/2012 10:10 PM, Simon-Bernard Drolet wrote:
>>>> Hi Dan,
>>>>
>>>> Thanks for the info.
>>>>
>>>> But my goal here is to get unbound and drill to compile with the
>>>> stock openssl from Solaris just like in previous version.
>>>>
>>>> And because there is still a configure option to compile without
>>>> sha2, it should work...
>>>>
>>>> So there is an issue with some ifdefs...
>>> Yes, they are fixed, below the patch for it if you want it.  The patch
>>> is also applied for the next release of ldns.
>>>
>>> Best regards,
>>>     Wouter
>>>
>>> Index: dane.c
>>> ===================================================================
>>> - --- dane.c    (revision 3810)
>>> +++ dane.c    (working copy)
>>> @@ -121,6 +121,7 @@
>>>           return *rdf ? LDNS_STATUS_OK : LDNS_STATUS_MEM_ERR;
>>>           break;
>>>
>>> +#ifdef USE_SHA2
>>>       case LDNS_TLSA_MATCHING_TYPE_SHA256:
>>>
>>>           digest = LDNS_XMALLOC(unsigned char, SHA256_DIGEST_LENGTH);
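Review bot: the `#ifdef USE_SHA2` opened here only has an effect if `--disable-sha2` really leaves `USE_SHA2` undefined in the config header that the `-DHAVE_CONFIG_H` build pulls into dane.c ahead of this switch; worth confirming, since the reported errors were at dane.c:122 and dane.c:137, exactly the lines this guard now covers. Note also that the file header arrives as `- --- dane.c    (revision 3810)`, a mail dash-escape that `patch` will not recognise until it is restored to `--- dane.c`.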
>>> @@ -150,6 +151,7 @@
>>>
>>>           return *rdf ? LDNS_STATUS_OK : LDNS_STATUS_MEM_ERR;
>>>           break;
>>> +#endif /* USE_SHA2 */
>>>
>>>       default:
>>>           LDNS_FREE(buf);
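Review bot: the implicit declaration of `X509_check_ca` at dane.c:293, reported in the same build log as the two `*_DIGEST_LENGTH` errors, is not covered by this patch, so a build against an OpenSSL that lacks that function still fails, now at link time instead of compile time. The `#endif /* USE_SHA2 */` after the second `break;` does correctly send the SHA256 and SHA512 matching types to `default:` (which frees `buf`) when sha2 is disabled.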
>>>
>>
>>
>> On 12/14/12 04:50 PM, Simon-Bernard Drolet wrote:
>>> Hello,
>>>
>>> I'm trying to update my libevent, ldns and unbound package.
>>>
>>> I'm configuring the compile like this: (because of default ssl in
>>> Solaris 10).
>>>
>>> # ./configure --disable-sha2 --disable-gost --disable-ecdsa
>>>
>>> While trying to compile ldns, I get this:
>>>
>>> # gmake
>>> ./libtool --tag=CC --quiet --mode=compile gcc -I. -I. -DHAVE_CONFIG_H
>>> -Wwrite-strings -W -Wall -O2 -g -std=c99 -D__EXTENSIONS__
>>> -D_BSD_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600
>>> -D_ALL_SOURCE -I/usr/sfw/include -c ./dane.c -o dane.lo
>>> ./dane.c: In function `ldns_dane_cert2rdf':
>>> ./dane.c:122: error: `SHA256_DIGEST_LENGTH' undeclared (first use in
>>> this function)
>>> ./dane.c:122: error: (Each undeclared identifier is reported only once
>>> ./dane.c:122: error: for each function it appears in.)
>>> ./dane.c:137: error: `SHA512_DIGEST_LENGTH' undeclared (first use in
>>> this function)
>>> ./dane.c: In function `ldns_dane_get_nth_cert_from_validation_chain':
>>> ./dane.c:293: warning: implicit declaration of function `X509_check_ca'
>>> gmake: *** [dane.lo] Error 1
>>>
>>>
>>> Any pointers?
>>>
>>> It was ok in 1.6.13... But I get the same error with 1.6.14, 1.6.15
>>> and 1.6.16... With the dane.c file...
>>>
>>
>>