Bug 788 - Fails to build with Nettle >= 3.0 and --with-libunbound-only --with-nettle
Product: unbound
Classification: Unclassified
Component: server
Hardware: x86_64 Linux
Importance: P5 minor
Assigned To: unbound team
Reported: 2016-07-05 00:15 CEST by Robert Edmonds
Modified: 2016-07-05 16:02 CEST

Support nettle >= 3.0 by conditionally including dsa-compat.h (1.22 KB, patch)
2016-07-05 00:15 CEST, Robert Edmonds

Description Robert Edmonds 2016-07-05 00:15:13 CEST
Created attachment 336
Support nettle >= 3.0 by conditionally including dsa-compat.h


libunbound fails to build with Nettle >= 3.0. The compile fails with the following messages:

validator/val_secalgo.c: In function ‘_verify_nettle_dsa’:
validator/val_secalgo.c:1378:24: error: storage size of ‘pubkey’ isn’t known
  struct dsa_public_key pubkey;
validator/val_secalgo.c:1434:2: warning: implicit declaration of function ‘nettle_dsa_public_key_init’ [-Wimplicit-function-declaration]
validator/val_secalgo.c:1447:9: warning: implicit declaration of function ‘dsa_sha1_verify_digest’ [-Wimplicit-function-declaration]
  res &= dsa_sha1_verify_digest(&pubkey, digest, &signature);
validator/val_secalgo.c:1451:2: warning: implicit declaration of function ‘nettle_dsa_public_key_clear’ [-Wimplicit-function-declaration]
Makefile:267: recipe for target 'val_secalgo.lo' failed

The root cause is that these function and structure declarations were moved from dsa.h to dsa-compat.h for the Nettle 3.0 release:

        * New DSA interface, with a separate struct dsa_param to
          represent the underlying group, and generalized dsa_sign and
          dsa_verify functions which don't care about the hash
          function used. Limited backwards compatibility provided in

          INCOMPATIBLE CHANGE: Declarations of the old interface,
          e.g., struct dsa_public_key, dsa_sha1_sign, etc, is moved to

          INCOMPATIBLE CHANGE: The various key conversion functions,
          e.g., dsa_keypair_to_sexp, all use the new DSA interface, with
          no backwards compatible functions.

          INCOMPATIBLE CHANGE: dsa_generate_keypair also uses the new
          interface. dsa-compat.h declares a function
          dsa_compat_generate_keypair, implementing the old
          interface, and #defines dsa_generate_keypair to refer to
          this backwards compatible function.


Nettle 2.x is still fairly common in released distro versions, so it would be good to support both Nettle 2.x and 3.x by conditionally including the compatibility header dsa-compat.h instead of porting to the new interface.

The attached patch fixes this issue.
Comment 1 Wouter Wijngaards 2016-07-05 16:02:02 CEST
Hi Robert,

Thank you for the patch.  Integrated the patch.

Note there is also a new --disable-dsa, if DSA functionality becomes deprecated for some reason in nettle, that might be used to avoid having to port to the new API (in the future, perhaps).

Best regards, Wouter
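
Added example (not part of either comment above, and not Unbound's build code): a probe that reports which Nettle header defines the old struct dsa_public_key, so a build can choose between plain dsa.h, the dsa-compat.h include described in the report, or the --disable-dsa fallback mentioned in comment 1. The function names, the HAVE_NETTLE_DSA_COMPAT_H macro name and the header contents are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Unbound's build code. HAVE_NETTLE_DSA_COMPAT_H is an
# assumed macro name; the header contents below are constructed stand-ins.

# Print which header under ROOT/nettle defines struct dsa_public_key:
# "dsa.h" (2.x layout), "dsa-compat.h" (>= 3.0 layout) or "none" (returns 1).
old_dsa_header() {
    for h in dsa.h dsa-compat.h; do
        f="$1/nettle/$h"
        # Match the definition itself, not prototypes that mention the type:
        # only a full definition lets 'struct dsa_public_key pubkey;' compile.
        if [ -f "$f" ] && grep -Eq \
            '^[[:space:]]*struct[[:space:]]+dsa_public_key[[:space:]]*(\{|$)' "$f"
        then
            echo "$h"; return 0
        fi
    done
    echo none; return 1
}

# Turn the probe result into a build decision.
dsa_build_plan() {
    h=$(old_dsa_header "$1") || true
    case $h in
        dsa.h)        echo "include nettle/dsa.h" ;;
        dsa-compat.h) echo "define HAVE_NETTLE_DSA_COMPAT_H; include nettle/dsa-compat.h" ;;
        *)            echo "configure --disable-dsa" ;;
    esac
}

# Build a constructed include tree at DIR; LAYOUT is 2x, 3x or bare.
make_fixture() {
    mkdir -p "$1/nettle"
    old='struct dsa_public_key\n{\n  mpz_t p;\n};\n'
    new='struct dsa_params\n{\n  mpz_t p;\n};\n'
    case $2 in
        2x)   printf "$old" > "$1/nettle/dsa.h" ;;
        3x)   printf "$new" > "$1/nettle/dsa.h"
              printf '#include "dsa.h"\n'"$old" > "$1/nettle/dsa-compat.h" ;;
        bare) printf "$new" > "$1/nettle/dsa.h" ;;
    esac
}

tmp=$(mktemp -d)
for layout in 2x 3x bare; do
    make_fixture "$tmp/$layout" "$layout"
    echo "$layout: $(dsa_build_plan "$tmp/$layout")"
done
rm -rf "$tmp"
```

Pointing old_dsa_header at a real include root (for example the directory that contains nettle/) gives the same three-way answer for an installed Nettle.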