cmake cannot find gnutls library (-DUSE_GNUTLS=ON) #457

Closed
kometchtech opened this issue Feb 23, 2020 · 17 comments

@kometchtech

kometchtech commented Feb 23, 2020

Even though the gnutls-dev package is installed, it seems that cmake fails to find the gnutls library.

-- Found Threads: TRUE
-- Found Libidn2: /usr/lib/libidn2.so (found suitable version "2.3.0", minimum required is "2.0.0")
CMake Error at /usr/share/cmake/Modules/FindPackageHandleStandardArgs.cmake:137 (message):
  Could NOT find GnuTLS (missing: GNUTLS_LIBRARIES) (Required is at least
  version "3.5.0")
Call Stack (most recent call first):
  /usr/share/cmake/Modules/FindPackageHandleStandardArgs.cmake:378 (_FPHSA_FAILURE_MESSAGE)
  cmake/modules/FindGnuTLS.cmake:80 (find_package_handle_standard_args)
  CMakeLists.txt:367 (find_package)

Options when executed

cmake \
       -DCMAKE_BUILD_TYPE=Release \
       -DENABLE_STATIC=OFF \
       -DBUILD_STUBBY=ON \
       -DSTUB_NATIVE_DNSSEC=ON \
       -DEDNS_COOKIES=ON \
       -DBUILD_LIBEV=ON \
       -DBUILD_LIBEVENT2=ON \
       -DBUILD_LIBUV=ON \
       -DUSE_LIBIDN2=ON \
       -DUSE_GNUTLS=ON \
       -DCMAKE_INSTALL_PREFIX=/usr/local \
       ..

The gnutls-dev package is installed as follows.

/usr/src/build # apk info | grep gnutls
WARNING: Ignoring APKINDEX.70f61090.tar.gz: No such file or directory
WARNING: Ignoring APKINDEX.ca2fea5b.tar.gz: No such file or directory
gnutls
gnutls-c++
gnutls-dev

I expect it to be a problem on the cmake side, but I have no knowledge of cmake.

environment

  • alpine linux 3.11.3 aarch64
  • 1.6.0-rc.1

@hanvinke

The error is not solely related to Alpine Linux. On Arch Linux I get the same error. What is probably missing is the gnutls-openssl package. You need to install that first, otherwise openssl can't use the gnutls libraries.

@hanvinke

Installed version 3.6.9 manually on Arch, because it is deprecated.

The library is now found:
-- Found GnuTLS: /lib/libgnutls.so;/lib/libgnutls-dane.so (found suitable version "3.6.9c", minimum required is "3.5.0")

But.. I get another error: "CMake Error at /usr/share/cmake-3.16/Modules/FindPackageHandleStandardArgs.cmake:146 (message):
Could NOT find Check (missing: CHECK_LIBRARIES CHECK_INCLUDE_DIR) (Required
is at least version "0.9.6")"

@hanvinke

This latest error has been solved under Gentoo:
https://bugs.gentoo.org/703886

@hanvinke

After installing "check 0.14.0-1" the problem was solved:

Make Warning:
No source or binary directory provided. Both will be assumed to be the
same as the current working directory, but note that this warning will
become a fatal error in future CMake releases.

-- Found OpenSSL: /usr/lib/libcrypto.so (found suitable version "1.1.1d", minimum required is "1.0.2")
CMake Warning at CMakeLists.txt:393 (message):
ED448 enabled and Nettle does not support it. Disabled.

-- Found OpenSSL: /usr/lib/libcrypto.so (found version "1.1.1d")
-- Found Check: /usr/lib/libm.so;/usr/lib/librt.so;/lib/libcheck.so (found suitable version "1.1.4", minimum required is "0.9.6")
-- Found Libsystemd: /lib/libsystemd.so
-- Found Libyaml: /lib/libyaml.so
-- Looking for os/log.h
-- Looking for os/log.h - not found
-- Looking for getopt
-- Looking for getopt - found
-- Configuring done
-- Generating done
-- Build files have been written to: /home/han/Downloads/getdns-1.6.0-rc.1

@hanvinke

Maybe there is an even better solution for this problem (at least in Arch Linux): installing the package libcurl-gnutls 7.65.0-2?

@kometchtech
Author

kometchtech commented Feb 23, 2020

@hanvinke

Thank you for a lot of information and verification.
The gnutls-openssl and libcurl-gnutls like packages you pointed out are unlikely to be on Alpine Linux.

I wondered if curl-dev or openssl-dev would be the case, and installed it, but the situation did not change.

@kometchtech
Author

In cmake's find_package, I tried as follows because it can also be searched with PkgConfig.

--- CMakeLists.txt.bak  2020-02-23 19:59:37.269365250 +0900      
+++ CMakeLists.txt      2020-02-24 08:02:46.312423454 +0900       
@@ -364,7 +364,8 @@
 # GnuTLS and Nettle. If using GnuTLS, we need the Nettle dev stuff to    
 # handle digital signature algorithms. GnuTLS uses Nettle internally.   
 if (USE_GNUTLS)
-  find_package(GnuTLS "3.5.0" REQUIRED)
+  find_package(PkgConfig REQUIRED)
+  pkg_check_modules(GnuTLS REQUIRED gnutls>=3.5)
   find_package(Nettle REQUIRED)

   set(tlsdir "gnutls")
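Review bot: pkg_check_modules(GnuTLS REQUIRED gnutls>=3.5) only sets GnuTLS_* result variables and defines no imported target, so whatever the rest of CMakeLists.txt consumed from find_package(GnuTLS "3.5.0" REQUIRED) will no longer resolve. It also checks the gnutls pkg-config module alone, relaxes the minimum from 3.5.0 to 3.5, and turns pkg-config into a hard build dependency through find_package(PkgConfig REQUIRED). If pkg-config is to be used at all, pass IMPORTED_TARGET and link against PkgConfig::GnuTLS, and keep the 3.5.0 floor; otherwise keep the find_package call and fix the library lookup in the find module.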

The gnutls package can now be searched.

Found Threads: TRUE                                                                                      
Found Libidn2: /usr/lib/libidn2.so (found suitable version "2.3.0", minimum required is "2.0.0")         
Found PkgConfig: /usr/bin/pkg-config (found version "1.6.3")                                             
Checking for module 'gnutls>=3.5'                                                                        
  Found gnutls, version 3.6.10                                                                           
Found Nettle: /usr/lib/libgmp.so;/usr/lib/libnettle.so;/usr/lib/libhogweed.so (found version "3.5")  

However, the error seems to follow. (Can't find GnuTLS::GnuTLS target?)
I think this is an error related to cmake, but I didn't know how to do it.

@wtoorop
Contributor

wtoorop commented Feb 24, 2020

Thanks, I'll have a look!

@banburybill
Contributor

banburybill commented Feb 24, 2020

As others have found, the fundamental problem here is that we expect to find the GnuTLS DANE library (used for certificate validation), and this is not included in the Alpine GnuTLS package build. Furthermore, as we note in the README:

A project to allow user selection of either OpenSSL or GnuTLS is currently a work in progress.
At present a user may select to use GnuTLS for the majority of the supported functionality,
however, OpenSSL is still required for some cryptographic functions.

So, enabling GnuTLS will NOT currently remove the requirement to link against OpenSSL. At present, therefore, I would suggest that packagers should not be using GnuTLS.

Finally, I've avoided using the cmake PkgConfig module, for the simple reason that the primary goal of moving to a cmake build is to enable building on Windows natively (i.e. without MinGW or other Unixy environment).

@kometchtech
Author

@banburybill Thank you for the information.

The GnuTLS package on Alpine Linux lacks functional requirements.
I also lacked documentation checking.
At least on Alpine Linux I will not install GnuTLS.

@hanvinke

@kometchtech

Since there is no package gnutls-openssl on Alpine, you can try to rebuild GnuTLS.
Basically you probably get the same result when building GnuTLS with the switch --enable-openssl-compatibility. Unfortunately both Arch and Alpine Linux do not have that switch enabled by default in their packages.

If you wish, you can add "--enable-openssl-compatibility" to the configure script of GnuTLS, so the API will automatically be installed.

@kometchtech
Author

@hanvinke

Thank you for the good information.
I tried building only gnutls with the following options.

./configure \
       --with-gnu-ld \
       --disable-doc \
       --disable-tests \
       --enable-shared \
       --enable-openssl-compatibility

In this case, we confirmed that gnutls was recognized.

Found Threads: TRUE
Found Libidn2: /usr/lib/libidn2.so (found suitable version "2.3.0", minimum required is "2.0.0")
Found GnuTLS: /usr/local/lib/libgnutls.so;/usr/local/lib/libgnutls-dane.so (found suitable version "3.6.12c", minimum required is "3.5.0")
Found Nettle: /usr/lib/libgmp.so;/usr/lib/libnettle.so;/usr/lib/libhogweed.so (found version "3.5")

However, build of getdns fails in the middle as follows. Now it looks like there is an error related to nettle.

[ 35%] Building C object CMakeFiles/getdns_objects.dir/src/jsmn/jsmn.c.o
[ 36%] Building C object CMakeFiles/getdns_objects.dir/src/yxml/yxml.c.o
[ 37%] Building C object CMakeFiles/getdns_objects.dir/src/tls/val_secalgo.c.o
/usr/src/src/tls/val_secalgo.c: In function '_verify_nettle_ecdsa':
/usr/src/src/tls/val_secalgo.c:1729:36: error: 'nettle_secp_256r1' undeclared (first use in this function); did you mean 'nettle_get_secp_256r1'?
 1729 |    nettle_ecc_point_init(&pubkey, &nettle_secp_256r1);
      |                                    ^~~~~~~~~~~~~~~~~
      |                                    nettle_get_secp_256r1
/usr/src/src/tls/val_secalgo.c:1729:36: note: each undeclared identifier is reported only once for each function it appears in
/usr/src/src/tls/val_secalgo.c:1746:36: error: 'nettle_secp_384r1' undeclared (first use in this function); did you mean 'nettle_get_secp_384r1'?
 1746 |    nettle_ecc_point_init(&pubkey, &nettle_secp_384r1);
      |                                    ^~~~~~~~~~~~~~~~~
      |                                    nettle_get_secp_384r1
make[2]: *** [CMakeFiles/getdns_objects.dir/build.make:492: CMakeFiles/getdns_objects.dir/src/tls/val_secalgo.c.o] Error 1
make[2]: *** Waiting for unfinished jobs....
make[1]: *** [CMakeFiles/Makefile2:1087: CMakeFiles/getdns_objects.dir/all] Error 2
make: *** [Makefile:141: all] Error 2

I'll try to find out if this is an error related to Alpine Linux.

@hanvinke

hanvinke commented Feb 25, 2020

Hi,
you are almost there!
Luckily the nettle errors are not related to Alpine Linux.
To solve them I would advise first to install the newest version of nettle (v3.6) through git:

Then you have to change in the folder '/getdns-1.6.0-rc.1/src/tls/' the file 'val_secalgo.c' for line 1729 as suggested into 'nettle_ecc_point_init(&pubkey, &nettle_get_secp_256r1);'
The same with line 1746 'nettle_get_secp_384r1'

@banburybill
Contributor

I've submitted a PR fixing #458. Note that the suggested fix above is incorrect - the use of e.g. &nettle_secp_256r1 needs to be replaced by nettle_get_secp_256r1(), not &nettle_get_secp_256r1.

kometchtech added a commit to kometchtech/docker-build that referenced this issue Feb 25, 2020
* told you about the specifics of the modification, so I modified the
contents of the patch accordingly.
  (getdnsapi/getdns#457 (comment))
@kometchtech
Author

@hanvinke @banburybill

Thank you for letting us know the specifics.
For the time being, I was able to confirm that the following patches could be prepared and built.

--- val_secalgo.c.org   2020-02-25 18:58:55.952479729 +0900
+++ val_secalgo.c       2020-02-25 19:00:03.316578892 +0900
@@ -1726,7 +1726,7 @@
                {
                        uint8_t digest[SHA256_DIGEST_SIZE];
                        mpz_t x, y;
-                       nettle_ecc_point_init(&pubkey, &nettle_secp_256r1);
+                       nettle_ecc_point_init(&pubkey, nettle_get_secp_256r1);
                        nettle_mpz_init_set_str_256_u(x, SHA256_DIGEST_SIZE, key);
                        nettle_mpz_init_set_str_256_u(y, SHA256_DIGEST_SIZE, key+SHA256_DIGEST_SIZE);
                        nettle_mpz_set_str_256_u(signature.r, SHA256_DIGEST_SIZE, sigblock);
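Review bot: On the added line, nettle_get_secp_256r1 is passed without a call, so nettle_ecc_point_init receives the address of the getter function instead of the curve pointer the getter returns. That is an incompatible pointer type which the compiler only warns about, and the point is then initialised from whatever bytes sit at the function's address. The line should read nettle_ecc_point_init(&pubkey, nettle_get_secp_256r1());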
@@ -1743,7 +1743,7 @@
                {
                        uint8_t digest[SHA384_DIGEST_SIZE];
                        mpz_t x, y;
-                       nettle_ecc_point_init(&pubkey, &nettle_secp_384r1);
+                       nettle_ecc_point_init(&pubkey, nettle_get_secp_384r1);
                        nettle_mpz_init_set_str_256_u(x, SHA384_DIGEST_SIZE, key);
                        nettle_mpz_init_set_str_256_u(y, SHA384_DIGEST_SIZE, key+SHA384_DIGEST_SIZE);
                        nettle_mpz_set_str_256_u(signature.r, SHA384_DIGEST_SIZE, sigblock);
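Review bot: The added secp384r1 line passes nettle_get_secp_384r1 as a bare function name, so the second argument of nettle_ecc_point_init is a function pointer rather than the curve the function returns. It needs the call parentheses: nettle_ecc_point_init(&pubkey, nettle_get_secp_384r1()); Because this is signature verification code, the incompatible-pointer warning this produces should fail the build rather than scroll past.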

Thank you for your support. Thank you also for PR.

@banburybill
Contributor

I found your patch builds, but with warnings. And I'm pretty sure that at worst it's going to lead to memory corruption. The correct fix I noted above is now merged into the release branch.

Thanks for reporting!
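
The three spellings discussed in this thread, side by side, as an added example that is not part of the original thread or of the getdns or Nettle sources. struct ecc_curve, struct ecc_point, the two getters and the POINT_INIT macro are stand-ins written for this illustration; they only model a getter-style curve API. It shows that the getter's name, with or without &, has a function-pointer type, and how a _Generic check turns that mistake into a compile error instead of a warning.

```c
/* Added example: stand-in types, not Nettle's real headers. */
#include <stddef.h>

struct ecc_curve { unsigned bit_size; };            /* stand-in curve object */
struct ecc_point { const struct ecc_curve *ecc; };  /* stand-in point object */

static const struct ecc_curve secp_256r1 = { 256 };
static const struct ecc_curve secp_384r1 = { 384 };

/* Getter-style API: the curve is only reachable through a call. */
const struct ecc_curve *get_secp_256r1(void) { return &secp_256r1; }
const struct ecc_curve *get_secp_384r1(void) { return &secp_384r1; }

/* 1 only when the argument really is a curve pointer. A bare function
 * name or &function has a function-pointer type and selects default. */
#define IS_CURVE_PTR(x) _Generic((x), \
        const struct ecc_curve *: 1, \
        struct ecc_curve *: 1, \
        default: 0)

static void point_init_unchecked(struct ecc_point *p, const struct ecc_curve *c)
{
    p->ecc = c;
}

/* Checked wrapper: a wrong argument type stops the build. */
#define POINT_INIT(p, c) do { \
        _Static_assert(IS_CURVE_PTR(c), "pass the getter's return value"); \
        point_init_unchecked((p), (c)); \
    } while (0)

/* Returns the bit size seen through a correctly initialised point. */
unsigned curve_bits_via_getter(int want_384)
{
    struct ecc_point pt;

    if (want_384)
        POINT_INIT(&pt, get_secp_384r1());
    else
        POINT_INIT(&pt, get_secp_256r1());
    /* POINT_INIT(&pt, get_secp_256r1);   rejected at compile time */
    /* POINT_INIT(&pt, &get_secp_256r1);  rejected at compile time */
    return pt.ecc->bit_size;
}
```

Without such a wrapper, building with GCC's -Werror=incompatible-pointer-types gives the same hard failure for the two rejected spellings.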

@kometchtech
Author

@banburybill

Oops, my temporary response has such a problem.
You should use the one that was merged into the release branch.

Thanks for your response.
