Bug 247646 - security/nettle: build fails when security/openssl is built without RC4 Cipher
Summary: security/nettle: build fails when security/openssl is built without RC4 Cipher
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Sunpoet Po-Chuan Hsieh
Reported: 2020-06-29 21:06 UTC by Fabian Wenk
Modified: 2020-08-02 20:08 UTC (History)
Description Fabian Wenk 2020-06-29 21:06:42 UTC
Running on FreeBSD 11.3-RELEASE-p10.

security/openssl (openssl-1.1.1g,1) is built without the "RC4 (unsafe)" in "Block Cipher Support".

Build of nettle-3.6 fails with these errors (regardless of whether DOCS and EXAMPLE are set or not):

cc -O2 -pipe  -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing  -ggdb3 -Wall -W -Wno-sign-compare   -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes   -Wpointer-arith -Wbad-function-cast -Wnested-externs -L.. -fstack-protector-strong  nettle-benchmark.o nettle-openssl.o ../getopt.o ../getopt1.o ../nettle-internal.o timing.o -lnettle -lgmp -L/usr/local/lib -lm -lcrypto -o nettle-benchmark
nettle-openssl.o: In function `openssl_arcfour128_set_encrypt_key':
/usr/ports/security/nettle/work/nettle-3.6/examples/nettle-openssl.c:298: undefined reference to `EVP_rc4'
nettle-openssl.o: In function `openssl_arcfour128_set_decrypt_key':
/usr/ports/security/nettle/work/nettle-3.6/examples/nettle-openssl.c:304: undefined reference to `EVP_rc4'
cc: error: linker command failed with exit code 1 (use -v to see invocation)
gmake[3]: *** [Makefile:100: nettle-benchmark] Error 1
gmake[3]: Leaving directory '/usr/ports/security/nettle/work/nettle-3.6/examples'
gmake[2]: *** [Makefile:47: all] Error 2
gmake[2]: Leaving directory '/usr/ports/security/nettle/work/nettle-3.6'

When security/openssl is built with RC4 enabled in "Block Cipher Support", then nettle can also be built.
Comment 1 Li-Wen Hsu freebsd_committer 2020-06-30 10:01:12 UTC
Over to maintainer.
Comment 2 Bernard Spil freebsd_committer 2020-06-30 16:32:11 UTC
The problem is in the examples. These are always built apparently, and lack detection of features.

Simplest change would be to no longer compile the examples in the build by patching https://git.lysator.liu.se/nettle/nettle/-/blob/nettle_3.6_release_20200429/Makefile.in#L20
Comment 3 Sunpoet Po-Chuan Hsieh freebsd_committer 2020-07-29 07:42:21 UTC
(In reply to Fabian Wenk from comment #0)

I've added checks for RC4 via OPENSSL_NO_RC4. Please try the patch [1].

[1] https://people.FreeBSD.org/~sunpoet/patch/security-nettle.txt
Comment 4 Fabian Wenk 2020-07-29 19:07:28 UTC
(In reply to Sunpoet Po-Chuan Hsieh from comment #3)

I tried and it failed with that:

cc -O2 -pipe  -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing  -ggdb3 -Wall -W -Wno-sign-compare   -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes   -Wpointer-arith -Wbad-function-cast -Wnested-externs -L.. -fstack-protector-strong  hogweed-benchmark.o timing.o \
-lhogweed -lnettle -lgmp -L/usr/local/lib -lm -lgmp -L/usr/local/lib -lcrypto \
-o hogweed-benchmark
cc -O2 -pipe  -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing  -ggdb3 -Wall -W -Wno-sign-compare   -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes   -Wpointer-arith -Wbad-function-cast -Wnested-externs -L.. -fstack-protector-strong  nettle-benchmark.o nettle-openssl.o ../getopt.o ../getopt1.o ../nettle-internal.o timing.o -lnettle -lgmp -L/usr/local/lib -lm -lcrypto -o nettle-benchmark
cc -O2 -pipe  -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing  -ggdb3 -Wall -W -Wno-sign-compare   -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes   -Wpointer-arith -Wbad-function-cast -Wnested-externs -L.. -fstack-protector-strong  ecc-benchmark.o timing.o -lhogweed -lnettle -lgmp -L/usr/local/lib -lm -lgmp -L/usr/local/lib \
-o ecc-benchmark
nettle-benchmark.o:(.rodata+0x158): undefined reference to `nettle_openssl_arcfour128'
cc: error: linker command failed with exit code 1 (use -v to see invocation)
gmake[3]: *** [Makefile:100: nettle-benchmark] Error 1
gmake[3]: Leaving directory '/usr/ports/security/nettle/work/nettle-3.6/examples'
gmake[2]: *** [Makefile:47: all] Error 2
gmake[2]: Leaving directory '/usr/ports/security/nettle/work/nettle-3.6'
===> Compilation failed unexpectedly.
Try to set MAKE_JOBS_UNSAFE=yes and rebuild before reporting the failure to
the maintainer.
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/security/nettle
*** Error code 1

Stop.
make: stopped in /usr/ports/security/nettle
Comment 5 Sunpoet Po-Chuan Hsieh freebsd_committer 2020-07-30 07:17:20 UTC
(In reply to Fabian Wenk from comment #4)

I missed nettle-internal.h. Please try https://people.freebsd.org/~sunpoet/patch/security-nettle-v2.txt
Comment 6 Fabian Wenk 2020-07-30 19:20:24 UTC
(In reply to Sunpoet Po-Chuan Hsieh from comment #5)

I guess it just got one small step forward:

cc -O2 -pipe  -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing  -ggdb3 -Wall -W -Wno-sign-compare   -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes   -Wpointer-arith -Wbad-function-cast -Wnested-externs -L.. -fstack-protector-strong  hogweed-benchmark.o timing.o \
-lhogweed -lnettle -lgmp -L/usr/local/lib -lm -lgmp -L/usr/local/lib -lcrypto \
-o hogweed-benchmark
cc -O2 -pipe  -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing  -ggdb3 -Wall -W -Wno-sign-compare   -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes   -Wpointer-arith -Wbad-function-cast -Wnested-externs -L.. -fstack-protector-strong  ecc-benchmark.o timing.o -lhogweed -lnettle -lgmp -L/usr/local/lib -lm -lgmp -L/usr/local/lib \
-o ecc-benchmark
cc -O2 -pipe  -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing  -ggdb3 -Wall -W -Wno-sign-compare   -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes   -Wpointer-arith -Wbad-function-cast -Wnested-externs -L.. -fstack-protector-strong  nettle-benchmark.o nettle-openssl.o ../getopt.o ../getopt1.o ../nettle-internal.o timing.o -lnettle -lgmp -L/usr/local/lib -lm -lcrypto -o nettle-benchmark
nettle-benchmark.o:(.rodata+0x158): undefined reference to `nettle_openssl_arcfour128'
cc: error: linker command failed with exit code 1 (use -v to see invocation)
gmake[3]: *** [Makefile:100: nettle-benchmark] Error 1
gmake[3]: Leaving directory '/usr/ports/security/nettle/work/nettle-3.6/examples'
gmake[2]: *** [Makefile:47: all] Error 2
gmake[2]: Leaving directory '/usr/ports/security/nettle/work/nettle-3.6'
===> Compilation failed unexpectedly.
Try to set MAKE_JOBS_UNSAFE=yes and rebuild before reporting the failure to
the maintainer.
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/security/nettle
*** Error code 1

Stop.
make: stopped in /usr/ports/security/nettle


I also tried creating the if / endif around some other similar places in the code, but it did not really solve it.

Then I also tried the suggestion from Bernard Spil in comment #2, which does build. This would be fine with me, but I guess some developers using nettle would like to have the examples as well.
Could patching Makefile.in to remove the examples be a ports option, e.g. with a comment to only enable it if OpenSSL supports RC4 (and maybe other weak) ciphers?
Comment 7 Fabian Wenk 2020-08-02 20:08:24 UTC
I did also mention this to Niels Möller (Developer of nettle) and got the following answer from him:

---8<-----------------------------------------------------------------
The easiest workaround is to configure nettle with --disable-openssl
(openssl is referenced only for comparative benchmarking).

Is there any really easy way, e.g., some #ifdef, to check if openssl
supports RC4? If not, it's probably better to just delete the code that
runs openssl rc4 from the benchmark program, rather than to have some
more sophisticated test for openssl features.

If there are repeated problems, maybe --disable-openssl should be the
default.
---8<-----------------------------------------------------------------

So I looked at 'make config' and realized that there is already an option to build without examples, so this would be one option. But the nicer one would probably be to also have a "with OpenSSL" option that is turned off by default, as this is probably not really needed for most users. In my use cases, nettle is a dependency of GnuTLS.
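Added example (not nettle's code and not the patch from comment #3): a stripped-down C model of the `#ifndef OPENSSL_NO_RC4` guard Niels asks about, showing that it has to cover the declaration, the definition and the benchmark's cipher table alike; the linker errors in comments 4 and 6 come from the table in nettle-benchmark.o (`.rodata`) still referencing `nettle_openssl_arcfour128` after the function was removed. All struct and symbol names are hypothetical stand-ins for nettle's examples/nettle-internal.h, examples/nettle-openssl.c and examples/nettle-benchmark.c, and the macro is normally supplied by OpenSSL's opensslconf.h.

```c
/* Hypothetical stand-in for nettle's examples; does not need OpenSSL. */
#include <stddef.h>
#include <string.h>

/* In a real build this comes from <openssl/opensslconf.h> when OpenSSL
 * was configured without RC4. Define it here to simulate that build;
 * every site below must then drop out together. */
/* #define OPENSSL_NO_RC4 */

struct bench_cipher {
  const char *name;
  size_t key_size;
};

/* Site 1: the header (nettle-internal.h) declaring the benchmark entry. */
#ifndef OPENSSL_NO_RC4
extern const struct bench_cipher nettle_openssl_arcfour128;
#endif
extern const struct bench_cipher nettle_openssl_aes128;

/* Site 2: the wrapper file (nettle-openssl.c) defining it. Guarding only
 * this site compiles, but leaves a dangling reference at site 3. */
#ifndef OPENSSL_NO_RC4
const struct bench_cipher nettle_openssl_arcfour128 = { "openssl arcfour128", 16 };
#endif
const struct bench_cipher nettle_openssl_aes128 = { "openssl aes128", 16 };

/* Site 3: the benchmark's cipher table (nettle-benchmark.c). This table is
 * what ends up in .rodata, which is where the "undefined reference to
 * `nettle_openssl_arcfour128'" in the bug report points. */
static const struct bench_cipher *const ciphers[] = {
  &nettle_openssl_aes128,
#ifndef OPENSSL_NO_RC4
  &nettle_openssl_arcfour128,
#endif
};

/* Number of ciphers the benchmark would iterate over. */
size_t bench_cipher_count(void) {
  return sizeof ciphers / sizeof ciphers[0];
}

/* Returns 1 if a cipher of the given name is in the benchmark table. */
int bench_has_cipher(const char *name) {
  for (size_t i = 0; i < bench_cipher_count(); i++)
    if (strcmp(ciphers[i]->name, name) == 0)
      return 1;
  return 0;
}
```

With the macro commented out the table has two entries; defining it removes the RC4 entry from all three sites, which is the state a build against an RC4-less OpenSSL needs.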