En/wine gnutls

Revision as of 17:07, 26 March 2018 by Wikiuser (talk | contribs)

Welcome to Simone Giustetti's wiki pages.


Languages: English - Italiano


Slackware Linux and WINE Multi-lib Support for Cryptography

WINE runs programs designed and written for Windows on Linux and other operating systems of the UNIX family. The list of supported software is vast and includes the most diverse programs: applications for personal and office productivity, games, multimedia software, web browsers, utilities and much more. No project with a scope so wide and ambitious can hope to thrive relying on its own strength alone, and in fact WINE links to a large set of libraries to reuse their functionality. Some of those libraries rely in turn on others, forming a chain of dependencies. The dependency chain can prove hard to decipher at times, especially on multi-lib systems where 64 bit packages cohabit with 32 bit ones.

In an earlier paper I discussed WINE and the packages required to use GStreamer to its full potential. GStreamer is a modular multimedia software platform included in many popular multimedia applications. The officially released Slackware packages include only some of the many GStreamer plug-ins and modules, while the others must be built and installed for multimedia software to read and play all of the supported audio and video formats. The present paper is about GnuTLS: a library implementing cryptography functions used by many applications, such as web browsers and e-book readers. Just like GStreamer, GnuTLS requires its dependencies to be installed in order to work properly.

WINE, TLS and Cryptography

Transport Layer Security, TLS for short, is a cryptographic communication protocol used in telecommunications and information technology. TLS provides communications security between two end points of a TCP/IP network, the Internet for example, providing privacy, data integrity and, obviously, encryption. The HTTPS protocol used by many web sites to serve their pages is perhaps the best known example of TLS use.

Linux offers many web browsers, e-mail clients and, in lesser number, programs to read e-books and organize a personal collection. Still, there are web sites that work exclusively with a browser not supported on Linux, on-line shops that do not support e-book readers running on Linux, and plug-ins developed for another platform that you may need to use. Such reasons force a fall back to Windows software and consequently to WINE.

Windows programs may require the use of cryptography. That is a certainty for web browsers, given the rising number of sites going HTTPS only to transfer web pages. E-mail clients use secure channels to connect to remote servers, granting privacy to their users. E-book readers use cryptographic functions to read books in compliance with copyright, to save them in the cloud or to buy and download them from on-line stores. To provide the listed services Linux and, consequently, WINE require GnuTLS. To ensure that software run through WINE works correctly, the GnuTLS package for the platform of choice should be installed together with all of its dependencies.


Updating Libraries and Their Dependencies

Cryptography is part of the broader field of information security. Given the importance of the topic, the related modules receive close attention from developers: patches and updates are released constantly, usually faster than for other parts of the operating system. A common good practice consists of periodically upgrading your system and always installing the latest available release of the cryptographic libraries, GnuTLS among them, to avoid running into bugs that are already known and fixed. Every time you update your Linux box you should check for new dependencies introduced by the updated packages. If you don't, some programs could behave abnormally after the upgrade or stop working altogether.

The chance of a library going missing in an official Slackware release is very remote, as developers work hard to provide a system consistent as a whole. The same care is put in patch releases: when a package upgrade requires new dependencies, the related packages are added to the release. Sadly the same rule does not hold for multi-lib systems. The compat32 packages are not meant to satisfy all possible library dependencies. They are meant to get your proprietary 32 bit programs running, and those programs will not tap into all the functionality.

This unfortunately happened with the update released on January 12th. To solve some security issues the Slackware team introduced the 3.5.x branch of GnuTLS in place of the older and outdated 3.4.x. When released Slackware 14.2 included:

  • gnutls-3.4.13-i586-1.txz for 32 bit.
  • gnutls-3.4.13-x86_64-1.txz for 64 bit.

On the 12th of January the packages were updated and replaced by:

  • gnutls-3.5.8-i586-1_slack14.2.txz for 32 bit.
  • gnutls-3.5.8-x86_64-1_slack14.2.txz for 64 bit.

The substitute packages introduced three new dependencies:

  • Gc: A Garbage Collector for the C and C++ programming language.
  • Guile: A library providing a Scheme interpreter.
  • Libunistring: A library of functions useful to work with Unicode strings of text.

All three libraries are included in Slackware. If they are not already installed, you can install them with the command installpkg <package>. Software that stopped working will resume working immediately after the missing packages are installed, without any further change to the system configuration.

Multi-Lib Systems

Multi-lib systems are somewhat more complex because installing the missing 64 bit packages is not enough. You need to install the 32 bit packages too, otherwise some programs will not work after the update. To make things worse the 32 bit packages, as stated above, are not a complete set and lack some dependencies. In other words there is no guarantee that installing a package and its corresponding 32 bit one will be enough for a program to run with WINE. For GnuTLS, for example, installing package gnutls-compat32-3.5.8-x86_64-1_slack14.2compat32.txz is not enough; you have to install some other 32 bit packages to satisfy its dependencies. The dependency list includes Gc and its related package gc-compat32-7.4.2-x86_64-3compat32.txz, which can be found in the l-compat32 section of the install tree; Libunistring and package libunistring-compat32-0.9.3-x86_64-1compat32.txz, which is located in the l-compat32 section too; and finally Guile, whose 32 bit package is missing from the "official" repository. To install the first two packages of the list, download them, then run the installpkg command as in the following example:

  installpkg gc-compat32-7.4.2-x86_64-3compat32.txz
  installpkg libunistring-compat32-0.9.3-x86_64-1compat32.txz

For the last of the three, Guile, you can follow some quick steps:

  • Download the 32 bit package from the following link.
  • Convert the downloaded package into a 32 bit compatibility one with the convertpkg-compat32 script found in the compat32-tools-3.7-noarch-15alien.tgz package:
  convertpkg-compat32 -i guile-2.0.11-i486-2.txz -d /tmp
  • Install the resulting package with command:
  installpkg /tmp/guile-compat32-2.0.11-x86_64-2compat32.txz

When done, all of the 32 bit GnuTLS functions that went missing after the upgrade will be available again. As a consequence all of the 32 bit Windows applications will start working again with WINE. Web browsers, e-mail clients and e-book readers will be able to connect to web sites through encrypted channels, to decipher books and documents, etc.

For detailed instructions about converting native 32 bit packages into compatibility ones for a multi-lib system please consult the documentation provided by Alien Bob.

Some Notes about Building WINE

Missing dependency issues can manifest while building and packaging software too. A broken GnuTLS library will badly affect the WINE build. Building WINE when some of its dependencies are missing can result in one of two outcomes:

  1. The related functions will go missing from the resulting package. For example a web browser could prove unable to connect to a site using the HTTPS protocol, or an e-book reader could refuse to open and read books.
  2. When the --with-gnutls flag is set, it forces linking to the TLS library and the build procedure will fail, returning the error:
  checking for gnutls/gnutls.h... yes
  checking for -lgnutls... not found
  checking for gnutls_hash... no
  configure: error: libgnutls 32-bit development files not found, no schannel support.
  This is an error since --with-gnutls was requested.

To solve the problem please install the GnuTLS package. If the package is installed please check for any missing dependency. Install all of the missing dependencies and the build procedure will run smoothly from start to finish.

You can use the ldd command to search for missing packages. ldd prints a list of the shared objects (libraries) required by each program or library passed on the command line. Suppose you want to search for GnuTLS dependencies. You can follow some quick steps:

  • Search the list of files included into the package looking for programs or libraries:
  cat /var/log/packages/gnutls-compat32-3.5.8-x86_64-1_slack14.2compat32 | egrep "bin|lib" | grep -v ".la"
  usr/bin/32/certtool
  usr/bin/32/gnutls-cli
  usr/bin/32/gnutls-cli-debug
  usr/bin/32/gnutls-serv
  usr/bin/32/ocsptool
  usr/bin/32/p11tool
  usr/bin/32/psktool
  usr/bin/32/srptool
  usr/lib/guile/2.0/guile-gnutls-v-2.so.0.0.0
  usr/lib/guile/2.0/site-ccache/
  usr/lib/guile/2.0/site-ccache/gnutls.go
  usr/lib/guile/2.0/site-ccache/gnutls/
  usr/lib/guile/2.0/site-ccache/gnutls/extra.go
  usr/lib/libgnutls-openssl.so.27.0.2
  usr/lib/libgnutls.so.30.13.1
  usr/lib/libgnutlsxx.so.28.1.0
  usr/lib/pkgconfig/gnutls.pc
  • Query every object file in the list to ensure that all of the related dependencies are present:
  ldd /usr/lib/guile/2.0/guile-gnutls-v-2.so.0.0.0
       linux-gate.so.1 (0xf77db000)
       libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0xf75e5000)
       libguile-2.0.so.22 => /usr/lib/libguile-2.0.so.22 (0xf747d000)
       libgc.so.1 => /usr/lib/libgc.so.1 (0xf73c4000)
       libpthread.so.0 => /lib/libpthread.so.0 (0xf73a7000)
       libc.so.6 => /lib/libc.so.6 (0xf720e000)
       libz.so.1 => /lib/libz.so.1 (0xf71f8000)
       libp11-kit.so.0 => /usr/lib/libp11-kit.so.0 (0xf719f000)
       libidn.so.11 => /usr/lib/libidn.so.11 (0xf716b000)
       libunistring.so.0 => /usr/lib/libunistring.so.0 (0xf705a000)
       libnettle.so.6 => /usr/lib/libnettle.so.6 (0xf701a000)
       libhogweed.so.4 => /usr/lib/libhogweed.so.4 (0xf6fe7000)
       libgmp.so.10 => /usr/lib/libgmp.so.10 (0xf6f75000)
       libffi.so.6 => /usr/lib/libffi.so.6 (0xf6f6e000)
       libltdl.so.7 => /usr/lib/libltdl.so.7 (0xf6f63000)
       libdl.so.2 => /lib/libdl.so.2 (0xf6f5e000)
       libcrypt.so.1 => /lib/libcrypt.so.1 (0xf6f2a000)
       libm.so.6 => /lib/libm.so.6 (0xf6ed6000)
       /lib/ld-linux.so.2 (0x56640000)
  ldd /usr/lib/libgnutls.so.30.13.1
       linux-gate.so.1 (0xf7796000)
       libz.so.1 => /lib/libz.so.1 (0xf75b7000)
       libp11-kit.so.0 => /usr/lib/libp11-kit.so.0 (0xf755e000)
       libidn.so.11 => /usr/lib/libidn.so.11 (0xf752a000)
       libunistring.so.0 => /usr/lib/libunistring.so.0 (0xf7419000)
       libnettle.so.6 => /usr/lib/libnettle.so.6 (0xf73d9000)
       libhogweed.so.4 => /usr/lib/libhogweed.so.4 (0xf73a6000)
       libgmp.so.10 => /usr/lib/libgmp.so.10 (0xf7334000)
       libc.so.6 => /lib/libc.so.6 (0xf719c000)
       libffi.so.6 => /usr/lib/libffi.so.6 (0xf7195000)
       libdl.so.2 => /lib/libdl.so.2 (0xf7190000)
       libpthread.so.0 => /lib/libpthread.so.0 (0xf7172000)
       /lib/ld-linux.so.2 (0x5658b000)
  ...

When a library is missing, the "not found" string is shown to the right of the "=>" operator instead of the path of the file it resolves to.

  • Download and install the packages containing the missing libraries. There is no sure way to find the exact package and you'll need some insight. The file name could provide useful clues to the package. You could search in the file list available in every Slackware Linux installation CDROM or DVD. You could search in the Slackware package finder available in the web site using the "content" search mode, which targets the package content instead of the package name. Both tips could help you when looking for official packages, but are pretty much useless for third party software and packages downloaded from custom repositories. In that case perhaps the best solution is to query an Internet search engine.

Whatever the path followed, once all missing dependencies are installed building problems should disappear and you'll be able to successfully compile a working WINE package for Slackware Linux.
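
The ldd procedure above, carried out as a script (an added example, not code from the original article; the function names are hypothetical and the sample ldd output is constructed). It reads a package log under /var/log/packages, runs ldd on each program and shared object listed there, and prints the libraries reported as "not found".

```sh
#!/bin/sh
# Added example, not from the article. Function names are hypothetical.

# Read ldd output on stdin and print every soname reported as
# "=> not found", one per line, without duplicates.
missing_from_ldd() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }' | sort -u
}

# Print the programs and shared objects named in a Slackware package log:
# entries after "FILE LIST:" that sit under a bin or lib directory,
# skipping directories and .la, .pc and .go files.
pkg_objects() {
    awk 'seen && ("/" $0) ~ /\/(s?bin|lib(64)?)\// && !/\/$/ && !/\.(la|pc|go)$/
         /^FILE LIST:/ { seen = 1 }' "$1"
}

# Run ldd on each object of the package log $1, looking for the files
# under the optional root $2, and print "<file>: <missing soname>".
check_pkg() {
    root=${2:-}
    pkg_objects "$1" | while IFS= read -r rel; do
        [ -f "$root/$rel" ] || continue
        for lib in $(ldd "$root/$rel" 2>/dev/null | missing_from_ldd); do
            printf '%s: %s\n' "$rel" "$lib"
        done
    done
}

# Constructed sample: ldd output on a multi-lib box where the 32 bit Gc
# and Guile packages are not installed (addresses are made up).
sample_ldd() {
    cat <<'EOF'
	linux-gate.so.1 (0xf77db000)
	libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0xf75e5000)
	libguile-2.0.so.22 => not found
	libgc.so.1 => not found
	libc.so.6 => /lib/libc.so.6 (0xf720e000)
	/lib/ld-linux.so.2 (0x56640000)
EOF
}

sample_ldd | missing_from_ldd
# On a real system:
# check_pkg /var/log/packages/gnutls-compat32-3.5.8-x86_64-1_slack14.2compat32
```

ldd may run the dynamic loader of the file it inspects, so use it only on files from packages you trust; objdump -p lists a file's NEEDED entries without executing anything.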


Conclusions

WINE is an excellent tool to run programs written for Windows that use cryptography on Linux / Unix systems, provided you install all the necessary dependencies. Even a single missing library could mean a lot of trouble, up to the apparently inexplicable crash of applications. This paper detailed some notions about GnuTLS, whose last update in Slackware could result in issues with 32 bit software when run in a multi-lib environment, and with the WINE build procedure. The potential origin of the issues was traced to missing 32 bit compatibility packages and their respective dependencies. I concluded by discussing an easy procedure to solve such problems.


For any feedback, questions, errors and such, please e-mail me at studiosg [at] giustetti [dot] net

