Hi Simon-Bernard,
Find attached the patch that modifies ldns to check for X509_check_ca in
openssl and has a configure option that allows you to disable dane
altogether.
Best regards,
-- Willem
Op 11-01-13 11:13, Willem Toorop schreef:
> Hi Simon-Bernard,
>
> X509_check_ca became available in openssl-0.9.7f. I will alter ldns
> configure such that it will disable dane altogether when X509_check_ca
> is unavailable. I will supply you with a patch when I have done it.
> Alternatively you could try to compile with openssl-0.9.7f or higher.
>
> Best regards,
>
> -- Willem
>
> Op 11-01-13 04:41, Simon-Bernard Drolet schreef:
>> HI again,
>>
>> Sorry to come back to this... I wrongly said it was all OK...
>>
>> I did the change, recompiled, and got it working, but on Solaris 11...
>> not 10...
>>
>> So on Solaris 11, with these options :
>>
>> ./configure --prefix=/opt/unbound --disable-gost --disable-sha2
>> --disable-ecdsa
>>
>> and the fixed #ifdefs in dane.c, it works... (compiles, runs, all OK).
>>
>>
>> But on Solaris 10, with the same options to configure, I get an error
>> for X509_check_ca used in dane.c :
>>
>> ./libtool --tag=CC --quiet --mode=compile cc -I. -I. -DHAVE_CONFIG_H -O2
>> -g -xc99 -D__EXTENSIONS__ -D_BSD_SOURCE -D_POSIX_C_SOURCE=200112
>> -D_XOPEN_SOURCE=600 -D_ALL_SOURCE -I/usr/sfw/include -c ./dane.c -o dane.lo
>> "./dane.c", line 295: warning: implicit function declaration: X509_check_ca
>>
>> and at the end:
>>
>> ./libtool --tag=CC --quiet --mode=link cc -O2 -g -xc99 -D__EXTENSIONS__
>> -D_BSD_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600
>> -D_ALL_SOURCE -lnsl -lsocket -version-number 1:6:16 -no-undefined
>> -L/usr/sfw/lib -lcrypto -export-symbols-regex
>> '^(ldns_|b32_[pn]to[pn]|mktime_from_utc|qsort_rr_compare_nsec3)' -o
>> libldns.la buffer.lo dane.lo dname.lo dnssec.lo dnssec_sign.lo
>> dnssec_verify.lo dnssec_zone.lo duration.lo error.lo higher.lo
>> host2str.lo host2wire.lo keys.lo net.lo packet.lo parse.lo rbtree.lo
>> rdata.lo resolver.lo rr.lo rr_functions.lo sha1.lo sha2.lo str2host.lo
>> tsig.lo update.lo util.lo wire2host.lo zone.lo compat/b64_pton.lo
>> compat/b64_ntop.lo compat/b32_pton.lo compat/b32_ntop.lo
>> compat/timegm.lo -rpath /opt/unbound/lib
>> Undefined first referenced
>> symbol in file
>> X509_check_ca .libs/dane.o
>> ld: fatal: symbol referencing errors. No output written to
>> .libs/libldns.so.1.6.16
>> gmake: *** [libldns.la] Error 2
>>
>> So, again, any help? Is some ifdef missing?
>>
>> IN dane.c, I can see two calls to X509_check_ca,
>>
>> 281 /* Pop n+1 certs and return the last popped.
>> 282 */
>> 283 static ldns_status
>> 284 ldns_dane_get_nth_cert_from_validation_chain(
>> 285 X509** cert, STACK_OF(X509)* chain, int n, bool ca)
>> 286 {
>> 287 if (n >= sk_X509_num(chain) || n < 0) {
>> 288 return LDNS_STATUS_DANE_OFFSET_OUT_OF_RANGE;
>> 289 }
>> 290 *cert = sk_X509_pop(chain);
>> 291 while (n-- > 0) {
>> 292 X509_free(*cert);
>> 293 *cert = sk_X509_pop(chain);
>> 294 }
>> 295 if (ca && ! X509_check_ca(*cert)) {
>> 296 return LDNS_STATUS_DANE_NON_CA_CERTIFICATE;
>> 297 }
>> 298 return LDNS_STATUS_OK;
>> 299 }
>>
>> And:
>>
>> 555 /* Return whether any certificate from the chain with
>> selector/matching_type
>> 556 * matches data.
>> 557 * ca should be true if the certificate has to be a CA
>> certificate too.
>> 558 */
>> 559 static ldns_status
>> 560 ldns_dane_match_any_cert_with_data(STACK_OF(X509)* chain,
>> 561 ldns_tlsa_selector selector,
>> 562 ldns_tlsa_matching_type matching_type,
>> 563 ldns_rdf* data, bool ca)
>> 564 {
>> 565 ldns_status s = LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH;
>> 566 size_t n, i;
>> 567 X509* cert;
>> 568
>> 569 n = (size_t)sk_X509_num(chain);
>> 570 for (i = 0; i < n; i++) {
>> 571 cert = sk_X509_pop(chain);
>> 572 if (! cert) {
>> 573 s = LDNS_STATUS_SSL_ERR;
>> 574 break;
>> 575 }
>> 576 s = ldns_dane_match_cert_with_data(cert,
>> 577 selector, matching_type, data);
>> 578 if (ca && s == LDNS_STATUS_OK && ! X509_check_ca(cert)) {
>> 579 s = LDNS_STATUS_DANE_NON_CA_CERTIFICATE;
>> 580 }
>> 581 X509_free(cert);
>> 582 if (s != LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH) {
>> 583 break;
>> 584 }
>> 585 /* when s == LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH,
>> 586 * try to match the next certificate
>> 587 */
>> 588 }
>> 589 return s;
>> 590 }
>> 591
>>
>>
>> Thanks.
>>
>> On 12/17/12 08:23 PM, Simon-Bernard Drolet wrote:
>>> Hi Wouter,
>>>
>>> Thanks.
>>>
>>> This is compiling now, thanks.
>>>
>>> A simple ifdef !
>>>
>>>> Hi Simon-Bernard,
>>>>
>>>> On 12/15/2012 10:10 PM, Simon-Bernard Drolet wrote:
>>>>> Hi Dan,
>>>>>
>>>>> Thanks for the info.
>>>>>
>>>>> But my goal here is to get unbound and drill to compile with the
>>>>> stock openssl from Solaris just like in previous version.
>>>>>
>>>>> And because there is still a configure option to compile without
>>>>> sha2, it should work...
>>>>>
>>>>> So there is an issue with some ifdefs...
>>>> Yes, they are fixed; below is the patch for it if you want it. The patch
>>>> is also applied for the next release of ldns.
>>>>
>>>> Best regards,
>>>> Wouter
>>>>
>>>> Index: dane.c
>>>> ===================================================================
>>>> - --- dane.c (revision 3810)
>>>> +++ dane.c (working copy)
>>>> @@ -121,6 +121,7 @@
>>>> return *rdf ? LDNS_STATUS_OK : LDNS_STATUS_MEM_ERR;
>>>> break;
>>>>
>>>> +#ifdef USE_SHA2
>>>> case LDNS_TLSA_MATCHING_TYPE_SHA256:
>>>>
>>>> digest = LDNS_XMALLOC(unsigned char, SHA256_DIGEST_LENGTH);
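Review bot: With USE_SHA2 undefined, the LDNS_TLSA_MATCHING_TYPE_SHA256 case disappears and a matching type 1 record falls into the `default:` branch shown in the second hunk, so a --disable-sha2 build rejects the one matching type that RFC 6698 makes mandatory to implement, and with it most real-world TLSA records. Refusing a record that cannot be verified is the right failure mode, but the consequence is easy to miss at build time; a comment above `default:` such as `/* SHA-256 (matching type 1) is mandatory per RFC 6698; a build without USE_SHA2 cannot validate most TLSA records */` and a matching sentence in the --disable-sha2 help text would make the trade-off visible. The enclosing function, ldns_dane_cert2rdf according to the compiler output quoted later in the thread, starts before the first hunk and ends after the second.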
>>>> @@ -150,6 +151,7 @@
>>>>
>>>> return *rdf ? LDNS_STATUS_OK : LDNS_STATUS_MEM_ERR;
>>>> break;
>>>> +#endif /* USE_SHA2 */
>>>>
>>>> default:
>>>> LDNS_FREE(buf);
>>>>
>>>
>>>
>>> On 12/14/12 04:50 PM, Simon-Bernard Drolet wrote:
>>>> Hello,
>>>>
>>>> I'm trying to update my libevent, ldns and unbound package.
>>>>
>>>> I'm configuring the compile like this: (because of default ssl in
>>>> Solaris 10).
>>>>
>>>> # ./configure --disable-sha2 --disable-gost --disable-ecdsa
>>>>
>>>> While trying to compile ldns, I get this:
>>>>
>>>> # gmake
>>>> ./libtool --tag=CC --quiet --mode=compile gcc -I. -I. -DHAVE_CONFIG_H
>>>> -Wwrite-strings -W -Wall -O2 -g -std=c99 -D__EXTENSIONS__
>>>> -D_BSD_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600
>>>> -D_ALL_SOURCE -I/usr/sfw/include -c ./dane.c -o dane.lo
>>>> ./dane.c: In function `ldns_dane_cert2rdf':
>>>> ./dane.c:122: error: `SHA256_DIGEST_LENGTH' undeclared (first use in
>>>> this function)
>>>> ./dane.c:122: error: (Each undeclared identifier is reported only once
>>>> ./dane.c:122: error: for each function it appears in.)
>>>> ./dane.c:137: error: `SHA512_DIGEST_LENGTH' undeclared (first use in
>>>> this function)
>>>> ./dane.c: In function `ldns_dane_get_nth_cert_from_validation_chain':
>>>> ./dane.c:293: warning: implicit declaration of function `X509_check_ca'
>>>> gmake: *** [dane.lo] Error 1
>>>>
>>>>
>>>> Any pointers ?
>>>>
>>>> It was ok in 1.6.13... But I get the same error with 1.6.14, 1.6.15
>>>> and 1.6.16... With the dane.c file...
>>>>
>>>
>>>
>>
>>
>
>
Index: examples/ldns-dane.c
===================================================================
--- examples/ldns-dane.c (revision 3812)
+++ examples/ldns-dane.c (working copy)
@@ -22,6 +22,7 @@
#include <errno.h>
+#ifdef USE_DANE
#ifdef HAVE_SSL
#include <openssl/ssl.h>
#include <openssl/err.h>
@@ -1710,7 +1711,7 @@
exit(EXIT_FAILURE);
}
}
-#else
+#else /* HAVE_SSL */
int
main(int argc, char **argv)
@@ -1720,3 +1721,15 @@
return 1;
}
#endif /* HAVE_SSL */
+
+#else /* USE_DANE */
+
+int
+main(int argc, char **argv)
+{
+ fprintf(stderr, "dane support was disabled with this build of ldns, "
+ "and has not been compiled in\n");
+ return 1;
+}
+
+#endif /* USE_DANE */
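Review bot: The new fallback `main` never reads argc or argv, which under the `-W -Wall` flags visible in the build log quoted above produces unused-parameter warnings; add `(void)argc; (void)argv;` before the fprintf, or use the file's unused-attribute convention if it has one. The existing HAVE_SSL fallback in the previous hunk probably has the same shape, but its body is cut off here. `fprintf` also needs `<stdio.h>` to be included above the `#ifdef USE_DANE` that the first hunk places after `#include <errno.h>`; the includes before line 22 are outside this view, so confirm one is there.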
Index: examples/configure.ac
===================================================================
--- examples/configure.ac (revision 3812)
+++ examples/configure.ac (working copy)
@@ -176,21 +176,37 @@
;;
esac
-AC_ARG_ENABLE(ecdsa, AC_HELP_STRING([--enable-ecdsa], [Enable ECDSA support, experimental]))
+AC_ARG_ENABLE(ecdsa, AC_HELP_STRING([--disable-ecdsa], [Disable ECDSA support]))
case "$enable_ecdsa" in
- yes)
- AC_CHECK_FUNC(ECDSA_sign,,[AC_MSG_ERROR([OpenSSL does not support ECDSA])])
- AC_DEFINE_UNQUOTED([USE_ECDSA], [1], [Define this to enable ECDSA support.])
- AC_WARN([
- *****************************************************************
- *** YOU HAVE ENABLED ECDSA WHICH IS EXPERIMENTAL AT THIS TIME ***
- *** PLEASE DO NOT USE THIS ON THE PUBLIC INTERNET ***
- *****************************************************************])
+ no)
;;
- no|*)
+ *) dnl default
+ if test "x$HAVE_SSL" != "xyes"; then
+ AC_MSG_ERROR([ECDSA enabled, but no SSL support])
+ fi
+ AC_CHECK_FUNC(ECDSA_sign, [], [AC_MSG_ERROR([OpenSSL does not support ECDSA: please upgrade OpenSSL or rerun with --disable-ecdsa])])
+ AC_CHECK_FUNC(SHA384_Init, [], [AC_MSG_ERROR([OpenSSL does not support SHA384: please upgrade OpenSSL or rerun with --disable-ecdsa])])
+ AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [], [AC_MSG_ERROR([OpenSSL does not support the ECDSA curves: please upgrade OpenSSL or rerun with --disable-ecdsa])], [AC_INCLUDES_DEFAULT
+#include <openssl/evp.h>
+ ])
+ # we now know we have ECDSA and the required curves.
+ AC_DEFINE_UNQUOTED([USE_ECDSA], [1], [Define this to enable ECDSA support.])
;;
esac
+AC_ARG_ENABLE(dane, AC_HELP_STRING([--disable-dane], [Disable DANE support]))
+case "$enable_dane" in
+ no)
+ ;;
+ *) dnl default
+ if test "x$HAVE_SSL" != "xyes"; then
+ AC_MSG_ERROR([DANE enabled, but no SSL support])
+ fi
+ AC_CHECK_FUNC(X509_check_ca, [], [AC_MSG_ERROR([OpenSSL does not support DANE: please upgrade OpenSSL or rerun with --disable-dane])])
+ AC_DEFINE_UNQUOTED([USE_DANE], [1], [Define this to enable DANE support.])
+ ;;
+esac
+
LDFLAGS="$tmp_LDFLAGS"
LIBS="$tmp_LIBS"
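Review bot: USE_DANE for the examples is defined solely from OpenSSL providing X509_check_ca, independent of whether the installed libldns was built with DANE, yet the ldns/dane.h hunk in this same patch empties that header when LDNS_BUILD_CONFIG_USE_DANE is 0; an examples build against a --disable-dane libldns would then take the DANE path of ldns-dane.c with no ldns_dane_* declarations and fail to compile, and the fallback message "dane support was disabled with this build of ldns" would never be reached in exactly the case it describes. A compile test of the installed common.h in the default branch, before USE_DANE is defined, closes that gap; whether the ldns include path is already in CPPFLAGS at this point of examples/configure.ac is not visible in the hunk. The no-SSL hard error shared by the ecdsa and dane default branches here is raised on the configure.ac hunk below.
```m4
	*) dnl default
		dnl … unchanged: HAVE_SSL test and AC_CHECK_FUNC(X509_check_ca, …) …
		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <ldns/common.h>
#if !LDNS_BUILD_CONFIG_USE_DANE
#error "libldns was built without DANE"
#endif
]], [[]])], [], [AC_MSG_ERROR([libldns was built without DANE support: rebuild ldns with DANE or rerun with --disable-dane])])
		AC_DEFINE_UNQUOTED([USE_DANE], [1], [Define this to enable DANE support.])
```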
Index: configure.ac
===================================================================
--- configure.ac (revision 3812)
+++ configure.ac (working copy)
@@ -320,6 +320,21 @@
;;
esac
+AC_ARG_ENABLE(dane, AC_HELP_STRING([--disable-dane], [Disable DANE support]))
+case "$enable_dane" in
+ no)
+ AC_SUBST(ldns_build_config_use_dane, 0)
+ ;;
+ *) dnl default
+ if test "x$HAVE_SSL" != "xyes"; then
+ AC_MSG_ERROR([DANE enabled, but no SSL support])
+ fi
+ AC_CHECK_FUNC(X509_check_ca, [], [AC_MSG_ERROR([OpenSSL does not support DANE: please upgrade OpenSSL or rerun with --disable-dane])])
+ AC_DEFINE_UNQUOTED([USE_DANE], [1], [Define this to enable DANE support.])
+ AC_SUBST(ldns_build_config_use_dane, 1)
+ ;;
+esac
+
AC_SUBST(LIBSSL_CPPFLAGS)
AC_SUBST(LIBSSL_LDFLAGS)
AC_SUBST(LIBSSL_LIBS)
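Review bot: The default branch turns a build without SSL into a hard configure failure (`AC_MSG_ERROR([DANE enabled, but no SSL support])`), so anyone who configured ldns without OpenSSL before this patch must now also pass --disable-dane; since `$enable_dane` is empty in the default case and "yes" only when requested explicitly, the branch can tell the two apart and fall back to `ldns_build_config_use_dane=0` with a warning unless DANE was asked for. The dane and ecdsa default branches in the examples/configure.ac hunk above have the same shape. That configure.ac actually offers a no-SSL path is inferred from the HAVE_SSL test in the hunk, not visible here.
```m4
dnl … unchanged: AC_ARG_ENABLE(dane, …) and the no) case …
	*) dnl yes, or default
		if test "x$HAVE_SSL" != "xyes"; then
			if test "x$enable_dane" = "xyes"; then
				AC_MSG_ERROR([DANE enabled, but no SSL support])
			fi
			AC_MSG_WARN([DANE disabled: no SSL support])
			AC_SUBST(ldns_build_config_use_dane, 0)
		else
			dnl … unchanged: AC_CHECK_FUNC(X509_check_ca, …), AC_DEFINE_UNQUOTED([USE_DANE], …), AC_SUBST(…, 1) …
		fi
		;;
```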
Index: dane.c
===================================================================
--- dane.c (revision 3812)
+++ dane.c (working copy)
@@ -8,6 +8,7 @@
*/
#include <ldns/config.h>
+#ifdef USE_DANE
#include <ldns/ldns.h>
#include <ldns/dane.h>
@@ -744,3 +745,4 @@
return s;
}
#endif /* HAVE_SSL */
+#endif /* USE_DANE */
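Review bot: With USE_DANE undefined, everything after `#include <ldns/config.h>` is compiled out and dane.c becomes an empty translation unit, which ISO C does not allow and -pedantic reports, unless config.h itself contributes a declaration (it normally holds only macros; confirm). Moving the guard below the ldns header, `#include <ldns/ldns.h>` then `#ifdef USE_DANE`, keeps at least one declaration in the unit; the closing `#endif /* USE_DANE */` in the second hunk stays where it is. The nesting is consistent with `#endif /* HAVE_SSL */` closing first, assuming the HAVE_SSL guard opens after these includes, which is outside the hunk.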
Index: ldns/common.h.in
===================================================================
--- ldns/common.h.in (revision 3812)
+++ ldns/common.h.in (working copy)
@@ -24,6 +24,7 @@
#define LDNS_BUILD_CONFIG_HAVE_ATTR_FORMAT @ldns_build_config_have_attr_format@
#define LDNS_BUILD_CONFIG_HAVE_ATTR_UNUSED @ldns_build_config_have_attr_unused@
#define LDNS_BUILD_CONFIG_HAVE_SOCKLEN_T @ldns_build_config_have_socklen_t@
+#define LDNS_BUILD_CONFIG_USE_DANE @ldns_build_config_use_dane@
/*
* HAVE_STDBOOL_H is not available when distributed as a library, but no build
Index: ldns/dane.h
===================================================================
--- ldns/dane.h (revision 3812)
+++ ldns/dane.h (working copy)
@@ -22,6 +22,7 @@
#ifndef LDNS_DANE_H
#define LDNS_DANE_H
+#if LDNS_BUILD_CONFIG_USE_DANE
#include <ldns/common.h>
#include <ldns/rdata.h>
@@ -240,5 +241,6 @@
}
#endif
+#endif /* LDNS_BUILD_CONFIG_USE_DANE */
#endif /* LDNS_DANE_H */
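Review bot: `#if LDNS_BUILD_CONFIG_USE_DANE` is tested before `#include <ldns/common.h>`, and the ldns/common.h.in hunk of this patch is what defines that macro, so a translation unit that includes ldns/dane.h directly (without ldns.h or common.h first) sees an undefined macro, evaluates the `#if` as 0 and gets an empty header even on a DANE-enabled build; -Wundef would flag it. Swap the two lines so the include comes first: `#include <ldns/common.h>` then `#if LDNS_BUILD_CONFIG_USE_DANE`. The `#endif /* LDNS_BUILD_CONFIG_USE_DANE */` in the second hunk is unaffected.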