getdnsapi / getdns

A modern asynchronous DNS API https://getdnsapi.net/

cmake cannot find gnutls library (-DUSE_GNUTLS=ON) #457

Closed kometchtech closed 4 years ago

kometchtech commented 4 years ago

Even though the gnutls-dev package is installed, it seems that cmake fails to find the gnutls library.

-- Found Threads: TRUE
-- Found Libidn2: /usr/lib/libidn2.so (found suitable version "2.3.0", minimum required is "2.0.0")
CMake Error at /usr/share/cmake/Modules/FindPackageHandleStandardArgs.cmake:137 (message):
  Could NOT find GnuTLS (missing: GNUTLS_LIBRARIES) (Required is at least
  version "3.5.0")
Call Stack (most recent call first):
  /usr/share/cmake/Modules/FindPackageHandleStandardArgs.cmake:378 (_FPHSA_FAILURE_MESSAGE)
  cmake/modules/FindGnuTLS.cmake:80 (find_package_handle_standard_args)
  CMakeLists.txt:367 (find_package)

Options when executed

cmake \
       -DCMAKE_BUILD_TYPE=Release \
       -DENABLE_STATIC=OFF \
       -DBUILD_STUBBY=ON \
       -DSTUB_NATIVE_DNSSEC=ON \
       -DEDNS_COOKIES=ON \
       -DBUILD_LIBEV=ON \
       -DBUILD_LIBEVENT2=ON \
       -DBUILD_LIBUV=ON \
       -DUSE_LIBIDN2=ON \
       -DUSE_GNUTLS=ON \
       -DCMAKE_INSTALL_PREFIX=/usr/local \
       ..

The gnutls-dev package is installed as follows.

/usr/src/build # apk info | grep gnutls
WARNING: Ignoring APKINDEX.70f61090.tar.gz: No such file or directory
WARNING: Ignoring APKINDEX.ca2fea5b.tar.gz: No such file or directory
gnutls
gnutls-c++
gnutls-dev

I expect it to be a problem on the cmake side, but I have no knowledge of cmake.

environment

hanvinke commented 4 years ago

The error is not solely related to Alpine Linux. On Arch Linux I get the same error. What is probably missing is the gnutls-openssl package. You need to install that first, otherwise openssl can't use the gnutls libraries.

hanvinke commented 4 years ago

Installed version 3.6.9 manually on Arch, because it is deprecated.

The library is now found: -- Found GnuTLS: /lib/libgnutls.so;/lib/libgnutls-dane.so (found suitable version "3.6.9c", minimum required is "3.5.0")

But.. I get another error: "CMake Error at /usr/share/cmake-3.16/Modules/FindPackageHandleStandardArgs.cmake:146 (message): Could NOT find Check (missing: CHECK_LIBRARIES CHECK_INCLUDE_DIR) (Required is at least version "0.9.6")"

hanvinke commented 4 years ago

This latest error has been solved under Gentoo: https://bugs.gentoo.org/703886

hanvinke commented 4 years ago

After installing "check 0.14.0-1" the problem was solved:

Make Warning: No source or binary directory provided. Both will be assumed to be the same as the current working directory, but note that this warning will become a fatal error in future CMake releases.

-- Found OpenSSL: /usr/lib/libcrypto.so (found suitable version "1.1.1d", minimum required is "1.0.2")
CMake Warning at CMakeLists.txt:393 (message): ED448 enabled and Nettle does not support it. Disabled.

-- Found OpenSSL: /usr/lib/libcrypto.so (found version "1.1.1d")
-- Found Check: /usr/lib/libm.so;/usr/lib/librt.so;/lib/libcheck.so (found suitable version "1.1.4", minimum required is "0.9.6")
-- Found Libsystemd: /lib/libsystemd.so
-- Found Libyaml: /lib/libyaml.so
-- Looking for os/log.h
-- Looking for os/log.h - not found
-- Looking for getopt
-- Looking for getopt - found
-- Configuring done
-- Generating done
-- Build files have been written to: /home/han/Downloads/getdns-1.6.0-rc.1

hanvinke commented 4 years ago

Maybe there is an even better solution for this problem (at least in Arch Linux): installing the package libcurl-gnutls 7.65.0-2 ?

kometchtech commented 4 years ago

@hanvinke

Thank you for a lot of information and verification. The gnutls-openssl and libcurl-gnutls like packages you pointed out are unlikely to be on Alpine Linux.

I wondered if curl-dev or openssl-dev would be the case, and installed it, but the situation did not change.

kometchtech commented 4 years ago

In cmake's find_package, I tried as follows because it can also be searched with PkgConfig.

--- CMakeLists.txt.bak  2020-02-23 19:59:37.269365250 +0900      
+++ CMakeLists.txt      2020-02-24 08:02:46.312423454 +0900       
@@ -364,7 +364,8 @@
 # GnuTLS and Nettle. If using GnuTLS, we need the Nettle dev stuff to    
 # handle digital signature algorithms. GnuTLS uses Nettle internally.   
 if (USE_GNUTLS)
-  find_package(GnuTLS "3.5.0" REQUIRED)
+  find_package(PkgConfig REQUIRED)
+  pkg_check_modules(GnuTLS REQUIRED gnutls>=3.5)
   find_package(Nettle REQUIRED)

   set(tlsdir "gnutls")
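
Review bot: the added pkg_check_modules(GnuTLS REQUIRED gnutls>=3.5) line only fills in prefixed variables such as GnuTLS_LIBRARIES and GnuTLS_INCLUDE_DIRS and defines no imported target, so anything later in CMakeLists.txt that relied on what find_package(GnuTLS "3.5.0" REQUIRED) provided will still fail. It also checks the gnutls module alone, and find_package(PkgConfig REQUIRED) makes pkg-config a hard dependency of every GnuTLS build. Suggest keeping the find_package(GnuTLS ...) call and, if pkg-config is wanted, using find_package(PkgConfig QUIET) only to supply search hints to it.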

The gnutls package can now be searched.

Found Threads: TRUE                                                                                      
Found Libidn2: /usr/lib/libidn2.so (found suitable version "2.3.0", minimum required is "2.0.0")         
Found PkgConfig: /usr/bin/pkg-config (found version "1.6.3")                                             
Checking for module 'gnutls>=3.5'                                                                        
  Found gnutls, version 3.6.10                                                                           
Found Nettle: /usr/lib/libgmp.so;/usr/lib/libnettle.so;/usr/lib/libhogweed.so (found version "3.5")  

However, the error seems to follow. (Can't find GnuTLS::GnuTLS target?) I think this is an error related to cmake, but I didn't know how to do it.

wtoorop commented 4 years ago

Thanks, I'll have a look!

banburybill commented 4 years ago

As others have found, the fundamental problem here is that we expect to find the GnuTLS DANE library (used for certificate validation), and this is not included in the Alpine GnuTLS package build. Furthermore, as we note in the README:

A project to allow user selection of either OpenSSL or GnuTLS is currently a work in progress. At present a user may select to use GnuTLS for the majority of the supported functionality, however, OpenSSL is still required for some cryptographic functions.

So, enabling GnuTLS will NOT currently remove the requirement to link against OpenSSL. At present, therefore, I would suggest that packagers should not be using GnuTLS.

Finally, I've avoided using the cmake PkgConfig module, for the simple reason that the primary goal of moving to a cmake build is to enable building on Windows natively (i.e. without MinGW or other Unixy environment).

kometchtech commented 4 years ago

@banburybill Thank you for the information.

The GnuTLS package on Alpine Linux lacks functional requirements. I also lacked documentation checking. At least on Alpine Linux I will not install GnuTLS.

hanvinke commented 4 years ago

@kometchtech

Since there is no package gnuTLS-openssl on Alpine you can try to rebuild gnuTLS. Basically you probably get the same result when building gnuTLS with the switch --enable-openssl-compatibility. Unfortunately both Arch and Alpine Linux do not have that switch enabled by default in their packages.

If you wish you can add "--enable-openssl-compatibility" to the configure script of gnuTLS, so the API will automatically be installed.

kometchtech commented 4 years ago

@hanvinke

Thank you for the good information. I tried building only gnutls with the following options.

./configure \                                                                             
       --with-gnu-ld \                                                                                               
       --disable-doc \
       --disable-tests \
       --enable-shared \
       --enable-openssl-compatibility

In this case, we confirmed that gnutls was recognized.

Found Threads: TRUE                                                                                      
Found Libidn2: /usr/lib/libidn2.so (found suitable version "2.3.0", minimum required is "2.0.0")        
Found GnuTLS: /usr/local/lib/libgnutls.so;/usr/local/lib/libgnutls-dane.so (found suitable version "3.6.12c", minimum required is "3.5.0")
Found Nettle: /usr/lib/libgmp.so;/usr/lib/libnettle.so;/usr/lib/libhogweed.so (found version "3.5")   

However, build of getdns fails in the middle as follows. Now it looks like there is an error related to nettle.

[ 35%] Building C object CMakeFiles/getdns_objects.dir/src/jsmn/jsmn.c.o                                    
[ 36%] Building C object CMakeFiles/getdns_objects.dir/src/yxml/yxml.c.o
[ 37%] Building C object CMakeFiles/getdns_objects.dir/src/tls/val_secalgo.c.o
/usr/src/src/tls/val_secalgo.c: In function '_verify_nettle_ecdsa':
/usr/src/src/tls/val_secalgo.c:1729:36: error: 'nettle_secp_256r1' undeclared (first use in this function); did you mean 'nettle_get_secp_256r1'?
 1729 |    nettle_ecc_point_init(&pubkey, &nettle_secp_256r1);
      |                                    ^~~~~~~~~~~~~~~~~
      |                                    nettle_get_secp_256r1
/usr/src/src/tls/val_secalgo.c:1729:36: note: each undeclared identifier is reported only once for each function it appears in
/usr/src/src/tls/val_secalgo.c:1746:36: error: 'nettle_secp_384r1' undeclared (first use in this function); did you mean 'nettle_get_secp_384r1'?
 1746 |    nettle_ecc_point_init(&pubkey, &nettle_secp_384r1);
      |                                    ^~~~~~~~~~~~~~~~~
      |                                    nettle_get_secp_384r1
make[2]: *** [CMakeFiles/getdns_objects.dir/build.make:492: CMakeFiles/getdns_objects.dir/src/tls/val_secalgo.c.o] Error 1
make[2]: *** Waiting for unfinished jobs....
make[1]: *** [CMakeFiles/Makefile2:1087: CMakeFiles/getdns_objects.dir/all] Error 2
make: *** [Makefile:141: all] Error 2

I'll try to find out if this is an error related to Alpine Linux.

hanvinke commented 4 years ago

Hi, you are almost there! Luckily the nettle errors are not related to Alpine Linux. To solve them I would advise first installing the newest version of nettle (v3.6) through git:

Then you have to change in the folder '/getdns-1.6.0-rc.1/src/tls/' the file 'val_secalgo.c' for line 1729 as suggested into 'nettle_ecc_point_init(&pubkey, &nettle_get_secp_256r1);' The same with line 1746 'nettle_get_secp_384r1'

banburybill commented 4 years ago

I've submitted a PR fixing #458. Note that the suggested fix above is incorrect - the use of e.g. &nettle_secp_256r1 needs to be replaced by nettle_get_secp_256r1(), not &nettle_get_secp_256r1.

kometchtech commented 4 years ago

@hanvinke @banburybill

Thank you for letting us know the specifics. For the time being, I was able to confirm that the following patches could be prepared and built.

--- val_secalgo.c.org   2020-02-25 18:58:55.952479729 +0900
+++ val_secalgo.c       2020-02-25 19:00:03.316578892 +0900
@@ -1726,7 +1726,7 @@
                {
                        uint8_t digest[SHA256_DIGEST_SIZE];
                        mpz_t x, y;
-                       nettle_ecc_point_init(&pubkey, &nettle_secp_256r1);
+                       nettle_ecc_point_init(&pubkey, nettle_get_secp_256r1);
                        nettle_mpz_init_set_str_256_u(x, SHA256_DIGEST_SIZE, key);
                        nettle_mpz_init_set_str_256_u(y, SHA256_DIGEST_SIZE, key+SHA256_DIGEST_SIZE);
                        nettle_mpz_set_str_256_u(signature.r, SHA256_DIGEST_SIZE, sigblock);
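
Review bot: on the + line, nettle_get_secp_256r1 is written without call parentheses, so nettle_ecc_point_init() receives a pointer to the function itself rather than the curve that the function returns; the compiler hint in the build log names a function, not a drop-in variable. Change the argument to nettle_get_secp_256r1() so the returned curve pointer is what gets passed.
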
@@ -1743,7 +1743,7 @@
                {
                        uint8_t digest[SHA384_DIGEST_SIZE];
                        mpz_t x, y;
-                       nettle_ecc_point_init(&pubkey, &nettle_secp_384r1);
+                       nettle_ecc_point_init(&pubkey, nettle_get_secp_384r1);
                        nettle_mpz_init_set_str_256_u(x, SHA384_DIGEST_SIZE, key);
                        nettle_mpz_init_set_str_256_u(y, SHA384_DIGEST_SIZE, key+SHA384_DIGEST_SIZE);
                        nettle_mpz_set_str_256_u(signature.r, SHA384_DIGEST_SIZE, sigblock);
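
Review bot: the nettle_get_secp_384r1 argument has the same missing call parentheses and should read nettle_get_secp_384r1(). Both hunks also drop the &nettle_secp_*r1 form outright, so if builds against a nettle that still declares those objects need to keep working, select between the two spellings with a configure-time check instead of replacing one with the other.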

Thank you for your support. Thank you also for PR.

banburybill commented 4 years ago

I found your patch builds, but with warnings. And I'm pretty sure that at worst it's going to lead to memory corruption. The correct fix I noted above is now merged into the release branch.

Thanks for reporting!
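
Why an accessor name without "()" still builds, with warnings, yet passes the wrong address, shown as an added example that is not code from this thread or from getdns. The types and function names are hypothetical stand-ins, not nettle's real definitions; the CURVE_ARG guard is an extra hardening step that the thread does not mention.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins (not nettle's real definitions) for an opaque
 * curve type that the library only exposes through an accessor function. */
struct ecc_curve { unsigned bit_size; const char *name; };
struct ecc_point { const struct ecc_curve *ecc; };

static const struct ecc_curve secp_256r1 = { 256, "secp256r1" };

const struct ecc_curve *get_secp_256r1(void) { return &secp_256r1; }

void ecc_point_init(struct ecc_point *p, const struct ecc_curve *ecc)
{
    p->ecc = ecc;   /* later code dereferences this as curve parameters */
}

/* Compile-time guard: only a curve pointer is accepted. A bare function
 * name (get_secp_256r1 without "()") matches no association, so the build
 * fails even when pointer-type warnings are not promoted to errors. */
#define CURVE_ARG(x) _Generic((x), \
    const struct ecc_curve *: (x), \
    struct ecc_curve *: (x))

/* Correct form: call the accessor and pass the pointer it returns. */
unsigned init_with_call(void)
{
    struct ecc_point p;
    ecc_point_init(&p, CURVE_ARG(get_secp_256r1()));
    return p.ecc->bit_size;
}

/* The form without "()" hands over the address of the accessor's machine
 * code. Compare the two addresses without dereferencing the wrong one. */
int bare_name_is_curve_address(void)
{
    uintptr_t passed = (uintptr_t)get_secp_256r1;     /* code address */
    uintptr_t wanted = (uintptr_t)get_secp_256r1();   /* data address */
    return passed == wanted;
}

int main(void)
{
    printf("bit_size via accessor call: %u\n", init_with_call());
    printf("bare name equals curve address: %d\n", bare_name_is_curve_address());
    return 0;
}
```

Building with -Werror=incompatible-pointer-types on GCC or Clang turns the warning for the unguarded form into a build failure as well.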

kometchtech commented 4 years ago

@banburybill

Oops, my temporary response has such a problem. You should use the one that was merged into the release branch.

Thanks for your response.