From: Matthias Fischer
To: development@lists.ipfire.org
Subject: Re: [PATCH] nettle: Update to 3.6
Date: Thu, 14 May 2020 13:35:45 +0200
Message-ID: <92953306-e798-33fd-dd4c-558ce4dea90f@ipfire.org>
In-Reply-To: <1D56C174-9A43-4686-BC1E-744ECA0153E6@ipfire.org>

Hi,

cachemgr.cgi is in fact an ELF binary. I don't know why it was named 'cgi'.

Best,
Matthias

On 14.05.2020 12:43, Michael Tremer wrote:
> Hi,
>
> Oh. This is indeed a very long list of files.
>
> Since we are already shipping quite a bit of them, I would urge Arne to merge this into c145.
>
> Most of the files listed below are from add-ons (libvirt, Qemu, cups, squid).
>
> I have no idea why cachemgr.cgi matches though.
>
> Best,
> -Michael
>
>> On 13 May 2020, at 22:37, Matthias Fischer wrote:
>>
>> Hi,
>>
>> On 13.05.2020 12:55, Michael Tremer wrote:
>>> Hi,
>>>
>>> I found my script!
>>
>> YES! ;-)
>>
>>> I have committed it to the repository and sent a patch. Please have a look.
>>
>> Looked. Seems to work.
>>
>> And it would have taken me much longer to write such a script. Great
>> you've found it.
>>
>>> I have also added a simple shortcut for make.sh.
>>>
>>> So that ./make.sh find-dependencies libtinfo.so.6 will now show you which binary links to this library.
>>>
>>> You can also pass multiple libraries at once.
>>
>> I took a ride on a Core144 build with:
>>
>> ./make.sh find-dependencies libhogweed.so.5 libnettle.so.7
>>
>> I wanted to know which libraries would be affected by the nettle 3.6 update.
>>
>> Result (I cut '/git/ipfire.../build/'):
>>
>> /usr/bin/virt-admin
>> /usr/bin/ivshmem-server
>> /usr/bin/bsdtar
>> /usr/bin/nettle-lfib-stream
>> /usr/bin/qemu-i386
>> /usr/bin/qemu-edid
>> /usr/bin/squidclient
>> /usr/bin/qemu-system-arm
>> /usr/bin/qemu-arm
>> /usr/bin/virt-host-validate
>> /usr/bin/danetool
>> /usr/bin/certtool
>> /usr/bin/bsdcat
>> /usr/bin/qemu-pr-helper
>> /usr/bin/bsdcpio
>> /usr/bin/qemu-system-x86_64
>> /usr/bin/qemu-img
>> /usr/bin/ping
>> /usr/bin/ivshmem-client
>> /usr/bin/nettle-pbkdf2
>> /usr/bin/pkcs1-conv
>> /usr/bin/sexp-conv
>> /usr/bin/qemu-io
>> /usr/bin/dnsdist
>> /usr/bin/qemu-x86_64
>> /usr/bin/kdig
>> /usr/bin/qemu-nbd
>> /usr/bin/elf2dmp
>> /usr/bin/qemu-system-i386
>> /usr/bin/nettle-hash
>> /usr/bin/virsh
>> /usr/libexec/qemu-bridge-helper
>> /usr/libexec/libvirt_iohelper
>> /usr/sbin/libvirtd
>> /usr/sbin/virtlockd
>> /usr/sbin/virtlogd
>> /usr/sbin/cups-genppd.5.2
>> /usr/sbin/squid
>> /usr/lib/libvirt.so.0.5006.0
>> /usr/lib/libvirt-admin.so.0.5006.0
>> /usr/lib/libhogweed.so.5.0
>> /usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so
>> /usr/lib/libvirt/connection-driver/libvirt_driver_secret.so
>> /usr/lib/libvirt/connection-driver/libvirt_driver_nwfilter.so
>> /usr/lib/libvirt/connection-driver/libvirt_driver_storage.so
>> /usr/lib/libvirt/connection-driver/libvirt_driver_nodedev.so
>> /usr/lib/libvirt/connection-driver/libvirt_driver_interface.so
>> /usr/lib/libvirt/storage-backend/libvirt_storage_backend_logical.so
>> /usr/lib/libvirt/storage-backend/libvirt_storage_backend_fs.so
>> /usr/lib/libvirt/lock-driver/lockd.so
>> /usr/lib/libvirt/storage-file/libvirt_storage_file_fs.so
>> /usr/lib/libvirt-qemu.so.0.5006.0
>> /usr/lib/cups/filter/commandtocanon
>> /usr/lib/cups/filter/rastertogutenprint.5.2
>> /usr/lib/cups/filter/commandtoepson
>> /usr/lib/cups/driver/gutenprint.5.2
>> /usr/lib/squid/negotiate_wrapper_auth
>> /usr/lib/squid/digest_ldap_auth
>> /usr/lib/squid/ntlm_fake_auth
>> /usr/lib/squid/basic_radius_auth
>> /usr/lib/squid/digest_file_auth
>> /usr/lib/squid/basic_ncsa_auth
>> /usr/lib/squid/cachemgr.cgi
>> /usr/lib/squid/digest_edirectory_auth
>> /usr/lib/libgnutls.so.30.23.2
>> /usr/lib/libvirt-lxc.so.0.5006.0
>> /usr/lib/libarchive.so.13.4.0
>> /srv/web/ipfire/cgi-bin/cachemgr.cgi
>>
>> Looks like we would need a compat version?
>>
>> Best,
>> Matthias
>>
>>> Best,
>>> -Michael
>>>
>>>> On 4 May 2020, at 15:32, Michael Tremer wrote:
>>>>
>>>> Hi,
>>>>
>>>> Yes, I think that it would be a good idea to add a script to tools/ that takes a library name and returns a list of all files (with potentially even the package name) so that we can quickly find out what linked against it.
>>>>
>>>> I would recommend the following:
>>>>
>>>> 1) Have a function that takes a binary name and returns whether it matches or not.
>>>>
>>>> 2) Have a second function that finds all binary files and calls the function from 1).
>>>>
>>>> You can then either collect the file list and scan the root files later to find what package that file is in and simply list the package names in the end. But I guess that is probably already a stretch goal and a first version of the script does not need it.
>>>>
>>>> I would recommend using readelf instead of ldd, because ldd runs the runtime linker and lists all libraries that were pulled in. That means that if you have a command /bin/command which links against liba.so and liba.so links against libb.so, then ldd lists both libraries. We might ship more files than we need to.
>>>>
>>>> You can run this instead:
>>>>
>>>> root@michael:/build/ipfire-2.x# readelf --dynamic /bin/bash | grep NEEDED
>>>> 0x0000000000000001 (NEEDED) Shared library: [libtinfo.so.6]
>>>> 0x0000000000000001 (NEEDED) Shared library: [libdl.so.2]
>>>> 0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
>>>>
>>>> These are all libraries that /bin/bash needs directly on my system, and that is what we want to know.
>>>>
>>>> readelf is in the binutils package.
>>>>
>>>> We could later add a command to make.sh that mounts the chroot environment and then runs the script inside it.
>>>>
>>>> For performance I would recommend using find to search for binary files. You will probably have to scan everything, but should only consider files that are executable. We should not have any binaries that are not executable. The script might indeed run for a little moment, but readelf should already be much quicker than ldd, because it will only parse one file and not all linked libraries as well.
>>>>
>>>> Please feel free to ask questions :)
>>>>
>>>>> On 2 May 2020, at 09:53, Matthias Fischer wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> On 01.05.2020 15:17, Michael Tremer wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Do we know if anything else but gnutls links against this?
>>>>>
>>>>> Me: no => Please don't merge this patch.
>>>>>
>>>>>> The library so version has been bumped, and we might need a compat-version if we can. Or potentially symlinks.
>>>>>
>>>>> You're right. IIRC, I read about a similar problem a while ago. And it
>>>>> sucks...
>>>>>
>>>>> What I'm not sure about:
>>>>> Would testing all binaries one by one with 'ldd' be sufficient enough?
>>>>>
>>>>> ToDo:
>>>>> I thought about it. I'll try to write a script that loops through (all)
>>>>> binaries and throws a message if an appropriate - missing - library (in
>>>>> this case: libhogweed or libnettle) was found.
>>>>>
>>>>> I'm thinking about something with a "for-while-do-loop", using 'ldd
>>>>> [PROGRAM_NAME]', filtering the output.
>>>>>
>>>>> And just in case: has anyone here ever programmed anything like this
>>>>> already?
>>>>
>>>> I wrote such a script when we migrated OpenSSL, but I do not have it anymore :)
>>>>
>>>> I should have kept it.
>>>>
>>>> -Michael
>>>>
>>>>>
>>>>> I don't want to "reinvent the wheel" unnecessarily... ;-)
>>>>>
>>>>> Opinions?
>>>>>
>>>>> Best,
>>>>> Matthias
>>>>>
>>>>
>>>> -Michael
>>>>
>>>>>> -Michael
>>>>>>
>>>>>>> On 1 May 2020, at 11:54, Matthias Fischer wrote:
>>>>>>>
>>>>>>> For details see:
>>>>>>> https://git.lysator.liu.se/nettle/nettle/-/blob/master/ChangeLog
>>>>>>>
>>>>>>> This update also requires updating gnutls to '3.6.13'.
>>>>>>>
>>>>>>> Signed-off-by: Matthias Fischer
>>>>>>> ---
>>>>>>> config/rootfiles/common/nettle | 11 +++++++----
>>>>>>> lfs/nettle | 6 +++---
>>>>>>> 2 files changed, 10 insertions(+), 7 deletions(-)
>>>>>>>
>>>>>>> diff --git a/config/rootfiles/common/nettle b/config/rootfiles/common/nettle
>>>>>>> index 58e3f57a0..20a269a8b 100644
>>>>>>> --- a/config/rootfiles/common/nettle
>>>>>>> +++ b/config/rootfiles/common/nettle
>>>>>>> @@ -23,6 +23,7 @@
>>>>>>> #usr/include/nettle/cmac.h
>>>>>>> #usr/include/nettle/ctr.h
>>>>>>> #usr/include/nettle/curve25519.h
>>>>>>> +#usr/include/nettle/curve448.h
>>>>>>> #usr/include/nettle/des.h
>>>>>>> #usr/include/nettle/dsa-compat.h
>>>>>>> #usr/include/nettle/dsa.h
>>>>>>> @@ -32,6 +33,7 @@
>>>>>>> #usr/include/nettle/ecdsa.h
>>>>>>> #usr/include/nettle/eddsa.h
>>>>>>> #usr/include/nettle/gcm.h
>>>>>>> +#usr/include/nettle/gostdsa.h
>>>>>>> #usr/include/nettle/gosthash94.h
>>>>>>> #usr/include/nettle/hkdf.h
>>>>>>> #usr/include/nettle/hmac.h
>>>>>>> @@ -61,16 +63,17 @@
>>>>>>> #usr/include/nettle/sha1.h
>>>>>>> #usr/include/nettle/sha2.h
>>>>>>> #usr/include/nettle/sha3.h
>>>>>>> +#usr/include/nettle/siv-cmac.h
>>>>>>> #usr/include/nettle/twofish.h
>>>>>>> #usr/include/nettle/umac.h
>>>>>>> #usr/include/nettle/version.h
>>>>>>> #usr/include/nettle/xts.h
>>>>>>> #usr/include/nettle/yarrow.h
>>>>>>> usr/lib/libhogweed.so
>>>>>>> -usr/lib/libhogweed.so.5
>>>>>>> -usr/lib/libhogweed.so.5.0
>>>>>>> +usr/lib/libhogweed.so.6
>>>>>>> +usr/lib/libhogweed.so.6.0
>>>>>>> #usr/lib/libnettle.so
>>>>>>> -usr/lib/libnettle.so.7
>>>>>>> -usr/lib/libnettle.so.7.0
>>>>>>> +usr/lib/libnettle.so.8
>>>>>>> +usr/lib/libnettle.so.8.0
>>>>>>> #usr/lib/pkgconfig/hogweed.pc
>>>>>>> #usr/lib/pkgconfig/nettle.pc
>>>>>>> diff --git a/lfs/nettle b/lfs/nettle
>>>>>>> index cc34b1fad..de7428121 100644
>>>>>>> --- a/lfs/nettle
>>>>>>> +++ b/lfs/nettle
>>>>>>> @@ -1,7 +1,7 @@
>>>>>>> ###############################################################################
>>>>>>> #                                                                             #
>>>>>>> # IPFire.org - A linux based firewall                                         #
>>>>>>> -# Copyright (C) 2007-2019 IPFire Team                                        #
>>>>>>> +# Copyright (C) 2007-2020 IPFire Team                                        #
>>>>>>> #                                                                             #
>>>>>>> # This program is free software: you can redistribute it and/or modify        #
>>>>>>> # it under the terms of the GNU General Public License as published by        #
>>>>>>> @@ -24,7 +24,7 @@
>>>>>>>
>>>>>>> include Config
>>>>>>>
>>>>>>> -VER = 3.5.1
>>>>>>> +VER = 3.6
>>>>>>>
>>>>>>> THISAPP = nettle-$(VER)
>>>>>>> DL_FILE = $(THISAPP).tar.gz
>>>>>>> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>>>>>>>
>>>>>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>>>>>>
>>>>>>> -$(DL_FILE)_MD5 = 0e5707b418c3826768d41130fbe4ee86
>>>>>>> +$(DL_FILE)_MD5 = c45ee24ed7361dcda152a035d396fe8a
>>>>>>>
>>>>>>> install : $(TARGET)
>>>>>>>
>>>>>>> --
>>>>>>> 2.17.1
>>>
>>
>
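Review bot: in the @@ -61,16 +63,17 @@ hunk of config/rootfiles/common/nettle, replacing usr/lib/libhogweed.so.5(.0) and usr/lib/libnettle.so.7(.0) with the .6 and .8 names stops shipping the old sonames with nothing taking their place, so every file in the find-dependencies list above (squid and its auth helpers, libvirt, qemu, the cups filters, libgnutls.so.30.23.2, libarchive.so.13.4.0, ping, kdig, dnsdist, certtool and the rest) keeps a DT_NEEDED on libhogweed.so.5 or libnettle.so.7 and fails to load as soon as the update is installed. Either rebuild those packages against nettle 3.6 in the same change, or keep `usr/lib/libhogweed.so.5.0` and `usr/lib/libnettle.so.7.0` (plus their soname symlinks) shipped as a compat entry until that rebuild has happened; that is the "compat version" the thread asks about. While these lines are touched: `usr/lib/libhogweed.so` (the unversioned development symlink) stays shipped whereas `#usr/lib/libnettle.so` stays commented out; nothing at runtime needs the unversioned name, so commenting out libhogweed.so as well would make the two consistent.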
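Review bot: in the @@ -24,7 +24,7 @@ hunk of lfs/nettle, `+VER = 3.6` is the only version change in this patch, yet the commit message says the update also requires gnutls 3.6.13, and no lfs/gnutls or gnutls rootfile change is part of the series. Since libgnutls.so.30.23.2 is one of the files in the list above that links libnettle.so.7/libhogweed.so.5, this hunk applied on its own leaves gnutls linked against sonames the rootfile no longer ships; the gnutls bump should be merged together with this one, or the commit message should name the series that carries it.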
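Review bot: in the @@ -40,7 +40,7 @@ hunk of lfs/nettle, `+$(DL_FILE)_MD5 = c45ee24ed7361dcda152a035d396fe8a` is the only integrity check the build applies to nettle-3.6.tar.gz, and MD5 is not collision resistant, so the line pins whatever was downloaded rather than proving it is upstream's release. Please note in the commit message that the hash was computed on a tarball whose upstream signature was verified, so a later reader can tell a verified pin from a checksum copied off a mirror.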
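Michael's readelf suggestion above (direct DT_NEEDED entries rather than ldd's transitive list) is the core of the find-dependencies check the thread settles on. What follows is an added example written for this page, not IPFire's make.sh find-dependencies script or any code from the thread's authors: it reads the DT_NEEDED entries itself by walking the ELF program headers to PT_DYNAMIC and resolving the DT_STRTAB address through PT_LOAD, so it needs no readelf and handles ELF32 as well as ELF64 (IPFire also builds 32-bit images). The function names, the synthetic ELF builder and the sample file set are assumptions of this example; the sample file names are borrowed from the list above, but the images are constructed and are not the real binaries.

```python
# Added example, not IPFire's tools/find-dependencies script: list the ELF
# files that directly link a shared library by reading DT_NEEDED from the
# dynamic section, i.e. what `readelf --dynamic FILE | grep NEEDED` prints.
# Like readelf and unlike ldd, only direct dependencies are reported.
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5


def elf_needed(data):
    """DT_NEEDED sonames of DATA; [] if not dynamically linked; None if not ELF."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return None
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 little-endian, 2 big-endian
    if data[4] == 2:                    # EI_CLASS: 2 is ELF64, 1 is ELF32
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        ph_fmt, ph_idx, dyn_fmt = end + "IIQQQQQQ", (0, 2, 3, 5), end + "qQ"
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        ph_fmt, ph_idx, dyn_fmt = end + "IIIIIIII", (0, 1, 2, 4), end + "iI"
    loads, dynamic = [], None  # ph_idx selects p_type, p_offset, p_vaddr, p_filesz
    for i in range(e_phnum):
        ph = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        p_type, p_offset, p_vaddr, p_filesz = (ph[j] for j in ph_idx)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None:
        return []
    needed, strtab_vaddr, size = [], None, struct.calcsize(dyn_fmt)
    off, stop = dynamic[0], dynamic[0] + dynamic[1]
    while off + size <= stop:
        tag, val = struct.unpack_from(dyn_fmt, data, off)
        off += size
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            needed.append(val)
        elif tag == DT_STRTAB:
            strtab_vaddr = val
    for vaddr, offset, filesz in loads:  # DT_STRTAB is a vaddr: map it via PT_LOAD
        if strtab_vaddr is not None and vaddr <= strtab_vaddr < vaddr + filesz:
            base = offset + strtab_vaddr - vaddr
            return [data[base + i:data.index(b"\0", base + i)].decode() for i in needed]
    return []


def scan_images(images, libraries):
    """{name: sorted matching sonames} for the (name, bytes) pairs in IMAGES
    whose direct DT_NEEDED entries include one of LIBRARIES."""
    wanted, hits = set(libraries), {}
    for name, data in images:
        try:
            matched = sorted(wanted.intersection(elf_needed(data) or []))
        except (struct.error, ValueError):
            continue  # truncated or malformed ELF: skip it rather than crash
        if matched:
            hits[name] = matched
    return hits


def build_sample_elf64(needed):
    """Constructed input: a minimal little-endian x86-64 ELF holding only a
    PT_LOAD and a PT_DYNAMIC segment. It parses but cannot run."""
    base, strtab_off = 0x400000, 64 + 2 * 56
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in needed)
    dyn_off = -(-(strtab_off + len(strtab)) // 8) * 8  # 8-byte aligned
    dyn, pos = b"", 1
    for n in needed:
        dyn += struct.pack("<qQ", DT_NEEDED, pos)
        pos += len(n) + 1
    dyn += struct.pack("<qQqQ", DT_STRTAB, base + strtab_off, DT_NULL, 0)
    total = dyn_off + len(dyn)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 64, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, base, base, total, total, 0x1000)
    phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, base + dyn_off,
                         base + dyn_off, len(dyn), len(dyn), 8)
    image = ehdr + phdrs + strtab
    return image + b"\0" * (dyn_off - len(image)) + dyn


# Constructed sample set (names from the thread's list, images synthetic):
# scan_images(SAMPLE_IMAGES, ["libhogweed.so.5", "libnettle.so.7"]) reports
# certtool and ping; the non-ELF and truncated entries are skipped.
SAMPLE_IMAGES = [
    ("usr/bin/certtool", build_sample_elf64(
        ["libgnutls.so.30", "libhogweed.so.5", "libnettle.so.7", "libc.so.6"])),
    ("usr/bin/ping", build_sample_elf64(["libnettle.so.7", "libc.so.6"])),
    ("usr/lib/libexample.so.1", build_sample_elf64(["libc.so.6"])),
    ("usr/bin/some-script.sh", b"#!/bin/sh\necho not an ELF file\n"),
    ("usr/bin/truncated", build_sample_elf64(["libnettle.so.7"])[:100]),
]
```

On a real build root, feed scan_images() an iterator of (path, bytes) produced by os.walk() over the chroot, skipping symlinks so a library such as libhogweed.so.5.0 is reported once under its real file name and not again under each alias. A non-ELF file makes elf_needed() return None and a truncated ELF makes it raise struct.error; scan_images() skips both instead of aborting the scan, which matters on a tree that also holds scripts, data files and the occasional damaged object.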