Hi again,
Sorry to come back to this... I wrongly said it was all OK...
I made the change, recompiled, and got it working, but on Solaris 11...
Not 10...
So on Solaris 11, with these options :
./configure --prefix=/opt/unbound --disable-gost --disable-sha2
--disable-ecdsa
and the fixed #ifdefs in dane.c. It works... (Compiles, runs, all OK).
But on Solaris 10, with the same options to configure, I get an error
for X509_check_ca used in dane.c :
./libtool --tag=CC --quiet --mode=compile cc -I. -I. -DHAVE_CONFIG_H -O2
-g -xc99 -D__EXTENSIONS__ -D_BSD_SOURCE -D_POSIX_C_SOURCE=200112
-D_XOPEN_SOURCE=600 -D_ALL_SOURCE -I/usr/sfw/include -c ./dane.c -o dane.lo
"./dane.c", line 295: warning: implicit function declaration: X509_check_ca
and at the end:
./libtool --tag=CC --quiet --mode=link cc -O2 -g -xc99 -D__EXTENSIONS__
-D_BSD_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600
-D_ALL_SOURCE -lnsl -lsocket -version-number 1:6:16 -no-undefined
-L/usr/sfw/lib -lcrypto -export-symbols-regex
'^(ldns_|b32_[pn]to[pn]|mktime_from_utc|qsort_rr_compare_nsec3)' -o
libldns.la buffer.lo dane.lo dname.lo dnssec.lo dnssec_sign.lo
dnssec_verify.lo dnssec_zone.lo duration.lo error.lo higher.lo
host2str.lo host2wire.lo keys.lo net.lo packet.lo parse.lo rbtree.lo
rdata.lo resolver.lo rr.lo rr_functions.lo sha1.lo sha2.lo str2host.lo
tsig.lo update.lo util.lo wire2host.lo zone.lo compat/b64_pton.lo
compat/b64_ntop.lo compat/b32_pton.lo compat/b32_ntop.lo
compat/timegm.lo -rpath /opt/unbound/lib
Undefined first referenced
symbol in file
X509_check_ca .libs/dane.o
ld: fatal: symbol referencing errors. No output written to
.libs/libldns.so.1.6.16
gmake: *** [libldns.la] Error 2
So, again, any help? Is some #ifdef missing?
In dane.c, I can see two calls to X509_check_ca:
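/* Pop n+1 certificates from chain and hand the last one popped to the
 * caller through *cert; the n certificates popped before it are freed.
 * (dane.c lines 281-299 in the poster's copy.)
 *
 * cert:  out parameter that receives the selected certificate.
 * chain: stack to pop from; n+1 entries are removed from it.
 * n:     number of certificates to discard before the one returned.
 * ca:    when true, the selected certificate must also pass
 *        X509_check_ca().
 *
 * Returns LDNS_STATUS_OK on success,
 * LDNS_STATUS_DANE_OFFSET_OUT_OF_RANGE when n is negative or not smaller
 * than the number of certificates in chain (nothing is popped then),
 * LDNS_STATUS_SSL_ERR when the stack yields no certificate, and
 * LDNS_STATUS_DANE_NON_CA_CERTIFICATE when ca is set and the check fails.
 *
 * NOTE(review): on LDNS_STATUS_DANE_NON_CA_CERTIFICATE *cert still holds
 * the popped certificate. The callers are not shown here, so confirm that
 * they free it on that path.
 */
static ldns_status
ldns_dane_get_nth_cert_from_validation_chain(
		X509** cert, STACK_OF(X509)* chain, int n, bool ca)
{
	if (n >= sk_X509_num(chain) || n < 0) {
		return LDNS_STATUS_DANE_OFFSET_OUT_OF_RANGE;
	}
	*cert = sk_X509_pop(chain);
	while (n-- > 0) {
		X509_free(*cert);
		*cert = sk_X509_pop(chain);
	}
	if (! *cert) {
		/* A NULL entry must not reach X509_check_ca() or be returned
		 * as a success; ldns_dane_match_any_cert_with_data reports
		 * the same condition with this status.
		 */
		return LDNS_STATUS_SSL_ERR;
	}
	/* Line 295 in the poster's copy: first of the two X509_check_ca()
	 * calls. Only a zero return counts as "not a CA"; OpenSSL also
	 * returns non-zero for some certificates without basicConstraints
	 * CA:TRUE (for example self-signed X509v1 certificates).
	 */
	if (ca && ! X509_check_ca(*cert)) {
		return LDNS_STATUS_DANE_NON_CA_CERTIFICATE;
	}
	return LDNS_STATUS_OK;
}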
And:
/* Return whether any certificate from the chain matches data under the
 * given selector and matching_type.
 * ca should be true if the certificate has to be a CA certificate too.
 * (dane.c lines 555-590 in the poster's copy.)
 *
 * The chain is consumed: every certificate examined is popped from it
 * and freed.
 *
 * Returns LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH when no certificate matched
 * (including an empty chain), LDNS_STATUS_SSL_ERR when the stack yields
 * no certificate, LDNS_STATUS_DANE_NON_CA_CERTIFICATE when ca is set and
 * the matching certificate fails X509_check_ca(), and otherwise the first
 * status from ldns_dane_match_cert_with_data that is not
 * LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH.
 */
static ldns_status
ldns_dane_match_any_cert_with_data(STACK_OF(X509)* chain,
		ldns_tlsa_selector selector,
		ldns_tlsa_matching_type matching_type,
		ldns_rdf* data, bool ca)
{
	ldns_status result = LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH;
	size_t remaining = (size_t)sk_X509_num(chain);

	while (remaining-- > 0) {
		X509* candidate = sk_X509_pop(chain);

		if (candidate == NULL) {
			return LDNS_STATUS_SSL_ERR;
		}
		result = ldns_dane_match_cert_with_data(candidate,
				selector, matching_type, data);
		/* Line 578 in the poster's copy: second of the two
		 * X509_check_ca() calls. A match is downgraded to an error
		 * when a CA certificate is required and the check returns 0.
		 */
		if (result == LDNS_STATUS_OK && ca
				&& X509_check_ca(candidate) == 0) {
			result = LDNS_STATUS_DANE_NON_CA_CERTIFICATE;
		}
		X509_free(candidate);
		if (result != LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH) {
			/* Either a match or an error: stop looking. */
			return result;
		}
		/* No match yet; try the next certificate. */
	}
	return result;
}
Thanks.
On 12/17/12 08:23 PM, Simon-Bernard Drolet wrote:
Hi Wouter,
Thanks.
This is compiling now, thanks.
A simple ifdef !
Hi Simon-Bernard,
On 12/15/2012 10:10 PM, Simon-Bernard Drolet wrote:
Hi Dan,
Thanks for the info.
But my goal here is to get unbound and drill to compile with the
stock openssl from Solaris just like in previous version.
And because there is still a configure option to compile without
sha2, it should work...
So there is an issue with some ifdefs...
Yes, they are fixed, below the patch for it if you want it. The patch
is also applied for the next release of ldns.
Best regards,
Wouter
Index: dane.c
===================================================================
- --- dane.c (revision 3810)
+++ dane.c (working copy)
@@ -121,6 +121,7 @@
return *rdf ? LDNS_STATUS_OK : LDNS_STATUS_MEM_ERR;
break;
+#ifdef USE_SHA2
case LDNS_TLSA_MATCHING_TYPE_SHA256:
digest = LDNS_XMALLOC(unsigned char, SHA256_DIGEST_LENGTH);
@@ -150,6 +151,7 @@
return *rdf ? LDNS_STATUS_OK : LDNS_STATUS_MEM_ERR;
break;
+#endif /* USE_SHA2 */
default:
LDNS_FREE(buf);
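Review bot: With `#ifdef USE_SHA2` wrapped around the SHA-256 and SHA-512 cases, a build configured with --disable-sha2 sends both matching types to the `default:` branch visible at the end of the second hunk, and nothing in the code says so. A one-line comment above the guard would help, for example `/* Without USE_SHA2, SHA-256/SHA-512 matching types fall through to default */`; the status that branch returns is outside the hunk, so check the wording against it. The guard also leaves untouched the `X509_check_ca` use that the same compile output warns about. That call needs its own configure-time check, and any fallback should fail closed (return an error where a CA certificate is required) rather than skip the CA test. The enclosing switch, in ldns_dane_cert2rdf according to the compiler output, starts and ends outside both hunks.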
On 12/14/12 04:50 PM, Simon-Bernard Drolet wrote:
Hello,
I'm trying to update my libevent, ldns and unbound package.
I'm configuring the compile like this: (because of default ssl in
Solaris 10).
# ./configure --disable-sha2 --disable-gost --disable-ecdsa
While trying to compile ldns, I get this:
# gmake
./libtool --tag=CC --quiet --mode=compile gcc -I. -I. -DHAVE_CONFIG_H
-Wwrite-strings -W -Wall -O2 -g -std=c99 -D__EXTENSIONS__
-D_BSD_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600
-D_ALL_SOURCE -I/usr/sfw/include -c ./dane.c -o dane.lo
./dane.c: In function `ldns_dane_cert2rdf':
./dane.c:122: error: `SHA256_DIGEST_LENGTH' undeclared (first use in
this function)
./dane.c:122: error: (Each undeclared identifier is reported only once
./dane.c:122: error: for each function it appears in.)
./dane.c:137: error: `SHA512_DIGEST_LENGTH' undeclared (first use in
this function)
./dane.c: In function `ldns_dane_get_nth_cert_from_validation_chain':
./dane.c:293: warning: implicit declaration of function `X509_check_ca'
gmake: *** [dane.lo] Error 1
Any pointers ?
It was ok in 1.6.13... But I get the same error with 1.6.14, 1.6.15
and 1.6.16... With the dane.c file...
--
Simon-Bernard Drolet, SPecialiste X Inc., 514.247.6741
Simon.Bernard.Drolet<at>gmail(dot)com, Senior Solaris Contractor, Canada