Compile ldns 1.6.16/unbound 1.4.19 on Solaris 10

Hello,

I'm trying to update my libevent, ldns and unbound package.

I'm configuring the compile like this (because of the default SSL in Solaris 10):

# ./configure --disable-sha2 --disable-gost --disable-ecdsa

While trying to compile ldns, I get this:

# gmake
./libtool --tag=CC --quiet --mode=compile gcc -I. -I. -DHAVE_CONFIG_H
-Wwrite-strings -W -Wall -O2 -g -std=c99 -D__EXTENSIONS__
-D_BSD_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600
-D_ALL_SOURCE -I/usr/sfw/include -c ./dane.c -o dane.lo
./dane.c: In function `ldns_dane_cert2rdf':
./dane.c:122: error: `SHA256_DIGEST_LENGTH' undeclared (first use in
this function)
./dane.c:122: error: (Each undeclared identifier is reported only once
./dane.c:122: error: for each function it appears in.)
./dane.c:137: error: `SHA512_DIGEST_LENGTH' undeclared (first use in
this function)
./dane.c: In function `ldns_dane_get_nth_cert_from_validation_chain':
./dane.c:293: warning: implicit declaration of function `X509_check_ca'
gmake: *** [dane.lo] Error 1

Any pointers?

It was OK in 1.6.13... but I get the same error with 1.6.14, 1.6.15
and 1.6.16... with the dane.c file...

[ Quoting <simon.bernard.drolet@gmai> in "[Unbound-users] Compile ldns 1.6.16..." ]

Hello,

I'm trying to update my libevent, ldns and unbound package.

I'm configuring the compile like this (because of the default SSL in
Solaris 10):

# ./configure --disable-sha2 --disable-gost --disable-ecdsa

# ./configure --disable-gost --disable-ecdsa

should work...?

# gmake
./libtool --tag=CC --quiet --mode=compile gcc -I. -I. -DHAVE_CONFIG_H
-Wwrite-strings -W -Wall -O2 -g -std=c99 -D__EXTENSIONS__
-D_BSD_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600
-D_ALL_SOURCE -I/usr/sfw/include -c ./dane.c -o dane.lo
./dane.c: In function `ldns_dane_cert2rdf':
./dane.c:122: error: `SHA256_DIGEST_LENGTH' undeclared (first use in
this function)
./dane.c:122: error: (Each undeclared identifier is reported only once
./dane.c:122: error: for each function it appears in.)
./dane.c:137: error: `SHA512_DIGEST_LENGTH' undeclared (first use in

Looks like an #ifdef problem, as SHA512 is a hash from the sha2 family.

grtz Miek

Simon,

Compiling with default SSL under Solaris can be tricky, and rather than let Oracle keep up with patches, I downloaded and used my own OpenSSL. I *almost* got a 64-bit compile to work with OpenSSL and GCC, but failed and had to settle with 32 bit (BTW, if anyone has had success compiling OpenSSL with GCC on a Solaris10/Sparc architecture *and* make it work, I'd like to talk with you!)

To get around the default SSL and make sure I didn't break anything in production, I downloaded and installed OpenSSL to a separate directory:

   $ ./Configure --openssldir=/usr/local/openssl shared threads solaris-sparcv9-gcc

(Note -- if you're not using Sparc/sun4u/sun4v architecture, you'll need to fix that last bit to match your architecture)

I downloaded "libevent-2.0.20-stable" and configured with:

   $ ./configure --with-openssl=/usr/local/openssl

And of course, "ldns":

  $ ./configure --with-ssl=/usr/local/openssl

Finally unbound-1.4.18:

   $ ./configure --prefix=/usr/local/dns --with-ssl=/usr/local/openssl --with-solaris-threads \
                 --with-username=dns --disable-rpath --with-libevent --with-chroot-dir= \
                 --enable-shared --enable-largefile

The only bad part of this is you must specify the "LD_LIBRARY_PATH" so unbound knows where the new OpenSSL libraries are:

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/openssl/lib

Hope this helps.

Dan Luther
Operations Engineer
Systems Operation Engineering
Level 3 Communications
One Technology Center, Tulsa OK 74103
p: 918-547-4370
e: dan.luther@level3.com

Luther, Dan wrote:

   $ ./configure --prefix=/usr/local/dns --with-ssl=/usr/local/openssl --with-solaris-threads \
                 --with-username=dns --disable-rpath --with-libevent --with-chroot-dir= \
                 --enable-shared --enable-largefile

The only bad part of this is you must specify the "LD_LIBRARY_PATH" so unbound knows where the new OpenSSL libraries are:

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/openssl/lib

this is probably because you passed --disable-rpath to configure?

Hi Dan,

Thanks for the info.

But my goal here is to get unbound and drill to compile with the stock openssl from Solaris just like in previous version.

And because there is still a configure option to compile without sha2, it should work...

So there is an issue with some ifdefs...

Simon.

Hi Wouter,

Thanks.

This is compiling now, thanks.

A simple ifdef!

Hi again,

Sorry to come back to this... I wrongly said it was all OK...

I made the change, recompiled, and got it working, but on Solaris 11... not 10...

So on Solaris 11, with these options:

./configure --prefix=/opt/unbound --disable-gost --disable-sha2 --disable-ecdsa

and the fixed #ifdefs in dane.c, it works... (compiles, runs, all OK).

But on Solaris 10, with the same options to configure, I get an error for X509_check_ca used in dane.c:

./libtool --tag=CC --quiet --mode=compile cc -I. -I. -DHAVE_CONFIG_H -O2 -g -xc99 -D__EXTENSIONS__ -D_BSD_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_ALL_SOURCE -I/usr/sfw/include -c ./dane.c -o dane.lo
"./dane.c", line 295: warning: implicit function declaration: X509_check_ca

and at the end:

./libtool --tag=CC --quiet --mode=link cc -O2 -g -xc99 -D__EXTENSIONS__ -D_BSD_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_ALL_SOURCE -lnsl -lsocket -version-number 1:6:16 -no-undefined -L/usr/sfw/lib -lcrypto -export-symbols-regex '^(ldns_|b32_[pn]to[pn]|mktime_from_utc|qsort_rr_compare_nsec3)' -o libldns.la buffer.lo dane.lo dname.lo dnssec.lo dnssec_sign.lo dnssec_verify.lo dnssec_zone.lo duration.lo error.lo higher.lo host2str.lo host2wire.lo keys.lo net.lo packet.lo parse.lo rbtree.lo rdata.lo resolver.lo rr.lo rr_functions.lo sha1.lo sha2.lo str2host.lo tsig.lo update.lo util.lo wire2host.lo zone.lo compat/b64_pton.lo compat/b64_ntop.lo compat/b32_pton.lo compat/b32_ntop.lo compat/timegm.lo -rpath /opt/unbound/lib
Undefined                       first referenced
 symbol                             in file
X509_check_ca                       .libs/dane.o
ld: fatal: symbol referencing errors. No output written to .libs/libldns.so.1.6.16
gmake: *** [libldns.la] Error 2

So, again, any help? Some ifdef missing?

In dane.c, I can see two calls to X509_check_ca:

    281 /* Pop n+1 certs and return the last popped.
    282  */
    283 static ldns_status
    284 ldns_dane_get_nth_cert_from_validation_chain(
    285                 X509** cert, STACK_OF(X509)* chain, int n, bool ca)
    286 {
    287         if (n >= sk_X509_num(chain) || n < 0) {
    288                 return LDNS_STATUS_DANE_OFFSET_OUT_OF_RANGE;
    289         }
    290         *cert = sk_X509_pop(chain);
    291         while (n-- > 0) {
    292                 X509_free(*cert);
    293                 *cert = sk_X509_pop(chain);
    294         }
    295         if (ca && ! X509_check_ca(*cert)) {
    296                 return LDNS_STATUS_DANE_NON_CA_CERTIFICATE;
    297         }
    298         return LDNS_STATUS_OK;
    299 }

And:

    555 /* Return whether any certificate from the chain with selector/matching_type
    556  * matches data.
    557  * ca should be true if the certificate has to be a CA certificate too.
    558  */
    559 static ldns_status
    560 ldns_dane_match_any_cert_with_data(STACK_OF(X509)* chain,
    561                 ldns_tlsa_selector selector,
    562                 ldns_tlsa_matching_type matching_type,
    563                 ldns_rdf* data, bool ca)
    564 {
    565         ldns_status s = LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH;
    566         size_t n, i;
    567         X509* cert;
    568
    569         n = (size_t)sk_X509_num(chain);
    570         for (i = 0; i < n; i++) {
    571                 cert = sk_X509_pop(chain);
    572                 if (! cert) {
    573                         s = LDNS_STATUS_SSL_ERR;
    574                         break;
    575                 }
    576                 s = ldns_dane_match_cert_with_data(cert,
    577                                 selector, matching_type, data);
    578                 if (ca && s == LDNS_STATUS_OK && ! X509_check_ca(cert)) {
    579                         s = LDNS_STATUS_DANE_NON_CA_CERTIFICATE;
    580                 }
    581                 X509_free(cert);
    582                 if (s != LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH) {
    583                         break;
    584                 }
    585                 /* when s == LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH,
    586                  * try to match the next certificate
    587                  */
    588         }
    589         return s;
    590 }
    591

Thanks.

Hi Simon-Bernard,

X509_check_ca became available in openssl-0.9.7f. I will alter ldns
configure such that it will disable dane altogether when X509_check_ca
is unavailable. I will supply you with a patch when I have done it.
Alternatively you could try to compile with openssl-0.9.7f or higher.

Best regards,

-- Willem

On 11-01-13 04:41, Simon-Bernard Drolet wrote:
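The guard pattern Willem describes, as an added example that is not ldns code: both symbols from the build log sit behind configure-style macros, with USE_SHA2 on and HAVE_X509_CHECK_CA off to model the stock Solaris 10 OpenSSL. The macro and status names are assumptions modelled on the ldns_status values quoted above.

```c
/* Added example, not ldns code: the two feature guards this thread is about.
 * USE_SHA2 and HAVE_X509_CHECK_CA stand in for macros a configure check would
 * define; HAVE_X509_CHECK_CA is left off to model Solaris 10's OpenSSL. */
#include <stdbool.h>
#define USE_SHA2 1                 /* comment out to model --disable-sha2 */
/* #define HAVE_X509_CHECK_CA 1 */ /* left undefined on purpose (< 0.9.7f) */

/* Constructed status codes, named after the ldns_status values in dane.c. */
typedef enum {
    STATUS_OK = 0,
    STATUS_CRYPTO_UNKNOWN_ALGO,      /* hash compiled out at configure time */
    STATUS_DANE_NON_CA_CERTIFICATE,
    STATUS_DANE_UNSUPPORTED          /* CA check needs X509_check_ca */
} dane_status;
/* TLSA matching types: 0 = full certificate, 1 = SHA-256, 2 = SHA-512. */
typedef enum { TLSA_FULL = 0, TLSA_SHA256 = 1, TLSA_SHA512 = 2 } tlsa_matching_type;

/* Digest lengths as OpenSSL's sha.h defines them, visible only when sha2 is
 * compiled in; dane.c used SHA256_DIGEST_LENGTH unguarded, hence the errors. */
#ifdef USE_SHA2
#define DIGEST_LEN_SHA256 32
#define DIGEST_LEN_SHA512 64
#endif

/* Digest length for a matching type: 0 for the full certificate,
 * -1 when the hash is not available in this build. */
int dane_digest_len(tlsa_matching_type mt) {
    switch (mt) {
    case TLSA_FULL:   return 0;
#ifdef USE_SHA2
    case TLSA_SHA256: return DIGEST_LEN_SHA256;
    case TLSA_SHA512: return DIGEST_LEN_SHA512;
#endif
    default:          return -1;
    }
}

/* CA check guarded like the configure change: without X509_check_ca a CA
 * requirement is refused at run time rather than failing at link time.
 * is_ca stands in for the result of X509_check_ca(cert). */
dane_status dane_check_ca(bool ca_required, bool is_ca) {
    if (!ca_required) return STATUS_OK;
#ifdef HAVE_X509_CHECK_CA
    return is_ca ? STATUS_OK : STATUS_DANE_NON_CA_CERTIFICATE;
#else
    (void)is_ca;
    return STATUS_DANE_UNSUPPORTED;
#endif
}
```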

Hi Simon-Bernard,

Find attached the patch that modifies ldns to check for X509_check_ca in
openssl and has a configure option that allows you to disable dane
altogether.

Best regards,

-- Willem

On 11-01-13 11:13, Willem Toorop wrote:

Attachment: ldns_check4check_ca.patch (5.05 KB)