Issue #3349

Static build leads to charon unmet dependencies

Added by Glen Huang 6 months ago. Updated 6 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Category:
build
Affected version:
5.8.2
Resolution:

Description

I'm using strongswan 5.8.2

Built with the following commands

export CFLAGS='-g -O2 -fdebug-prefix-map=/tmp/strongswan=. -fstack-protector-strong -Wformat -Werror=format-security' \
&& export CPPFLAGS='-Wdate-time -D_FORTIFY_SOURCE=2' \
&& export LDFLAGS='-Wl,-z,relro -Wl,-z,now' \
&& ./configure \
    --prefix=/usr \
    --sysconfdir=/etc \
    --libexecdir=/usr/lib \
    --with-ipsecdir=/usr/sbin \
    --with-ipseclibdir=/usr/lib/strongswan \
    --with-capabilities=native \
    --disable-defaults \
    --disable-shared \
    --enable-static \
    --enable-monolithic \
    --enable-nonce \
    --enable-openssl \
    --enable-x509 \
    --enable-pkcs1 \
    --enable-vici \
    --enable-charon \
    --enable-ikev2 \
    --enable-swanctl \
    --enable-kernel-netlink \
    --enable-socket-default

And it built successfully. When running charon, it failed with

00[DMN] Starting IKE charon daemon (strongSwan 5.8.2, Linux 4.19.76-linuxkit, x86_64)
00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: NONCE_GEN
00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
00[LIB] feature CUSTOM:libcharon-sa-managers in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
00[LIB] failed to load 3 critical plugin features
00[DMN] initialization failed - aborting charon

If I'm not wrong, those dependencies should be met with the nonce and openssl plugins. Do the CFLAGS and friends have anything to do with it? I'm trying to build a hardened version.

Associated revisions

Revision 1966f433 (diff)
Added by Tobias Brunner 6 months ago

configure: Make sure Python is available for static builds

We need Python to create files that reference the plugin constructors.
Without it, empty files are created and plugins can't be loaded.

Fixes #3349.

History

#1 Updated by Glen Huang 6 months ago

Forgot to say, building environment is Debian buster.

BTW, I sent an email to for a business inquiry a couple weeks ago, got no reply. Is the address correct?

#2 Updated by Tobias Brunner 6 months ago

  • Category set to build
  • Status changed from New to Feedback

If I'm not wrong, those dependencies should be met with nonce and openssl plugins.

If these plugins are actually loaded and the openssl plugin provides a SHA-1 implementation, sure. As mentioned on InstallationDocumentation, you still need the shared external libraries (e.g. libcrypto for the openssl plugin) as these are not statically linked.

Do the CFLAGS and friends have anything to do with it?

Don't know, but it's certainly possible.

I'm trying to build a hardened version.

You need a static build for that?

#3 Updated by Glen Huang 6 months ago

If these plugins are actually loaded and the openssl plugin provides a SHA-1 implementation, sure. As mentioned on InstallationDocumentation, you still need the shared external libraries (e.g. libcrypto for the openssl plugin) as these are not statically linked.

I'm pretty sure libcrypto is available, I just checked the file system. Also, ldd said charon depends on libcrypto's .so file; if it weren't there, charon wouldn't run, I believe.

I wonder if the charon binary can run correctly, and plugins are all compiled in, what can make it fail to access them?

My strongswan.conf is a very simple one:

charon {
    keep_alive = 0
    filelog {
        stderr {
            default = 1
        }
    }
}

Did I miss some options to enable loading plugins? According to the doc, they should auto load if I'm not wrong.

You need a static build for that?

To run in a minimal docker environment like https://github.com/GoogleContainerTools/distroless

#4 Updated by Glen Huang 6 months ago

I have one important discovery to report after experimenting for some more.

By removing --disable-shared, the problem goes away. What does it have to do with anything?

Forgot to say, I didn't build or run in distroless, everything happened in Debian buster. distroless is currently irrelevant information actually.

#5 Updated by Tobias Brunner 6 months ago

By removing --disable-shared, the problem goes away. What does it have to do with anything?

I think this doesn't result in a static build (i.e. libtool won't link our own libraries into the executables).

Did you use make clean when you changed the configure options before (e.g. after enabling the openssl plugin)?

#6 Updated by Glen Huang 6 months ago

I think this doesn't result in a static build (i.e. libtool won't link our own libraries into the executables).

Makes sense. I just tried copying charon to the distroless env, and the binary wouldn't start, complaining about a missing libstrongswan.so.0.

But the missing deps error happens when I run it in buster, where all libs file exists.

Did you use make clean when you changed the configure options before (e.g. after enabling the openssl plugin)?

I build using a Dockerfile with docker, so each build starts from a pristine state.

#7 Updated by Glen Huang 6 months ago

I built again, this time with CFLAGS and friends removed and --disable-shared added.

Same dependency unmet error.

So it wasn't a c flag issue.

#8 Updated by Tobias Brunner 6 months ago

Could you post a Dockerfile to replicate the issue?

#9 Updated by Glen Huang 6 months ago

Sure, here you go:

FROM debian:buster-slim

ARG STRONGSWAN_VERSION=5.8.2

RUN export DEBIAN_FRONTEND=noninteractive \
    && apt-get update \
    && apt-get install -y --no-install-recommends \
        ca-certificates \
        wget \
        bzip2 \
        file \
        build-essential \
        libssl-dev \
    && wget -O /tmp/strongswan.tar.bz2 https://download.strongswan.org/strongswan-$STRONGSWAN_VERSION.tar.bz2 \
    && mkdir /tmp/strongswan \
    && cd /tmp/strongswan \
    && tar -xjf /tmp/strongswan.tar.bz2 --strip-components=1 \
    && ./configure \
        --prefix=/usr \
        --sysconfdir=/etc \
        --libexecdir=/usr/lib \
        --with-ipsecdir=/usr/sbin \
        --with-ipseclibdir=/usr/lib/strongswan \
        --with-capabilities=native \
        --disable-defaults \
        --disable-shared \
        --enable-static \
        --enable-monolithic \
        --enable-nonce \
        --enable-openssl \
        --enable-x509 \
        --enable-pkcs1 \
        --enable-vici \
        --enable-charon \
        --enable-ikev2 \
        --enable-kernel-netlink \
        --enable-socket-default \
    && make install

ENTRYPOINT [ "charon" ]

#10 Updated by Tobias Brunner 6 months ago

Thanks.

The problem is that Python is not installed in the container. So if you add python to the list of installed packages in your Dockerfile, it should work.

In order to prevent the compiler from optimizing out statically linked, but seemingly unused plugin code (due to the dynamically resolved and never directly referenced plugin constructors), a Python script is used for such static builds in order to generate a code file that registers, and in doing so references, the constructors of all enabled plugins. We've made Python optional during the build (i.e. if the configure script doesn't find a Python interpreter, it sets PYTHON to :, which basically renders all invocations into no-ops), because it generally is not required when building from a tarball (Python is mainly used to generate man pages and config snippets but these are included in the tarball). I've now added a check for Python if a static build is attempted (currently in the 3349-check-python branch).
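
The two failure modes described in the comment above (configure silently setting PYTHON to ":" and the generated constructor-registration source coming out empty) can be caught in the build container before make install runs, instead of at charon start-up. The script below is an added example and is not part of strongSwan or of this issue. It assumes that the generated sources are src/libstrongswan/plugin_constructors.c and src/libcharon/plugin_constructors.c and that a plugin named foo-bar registers a constructor called foo_bar_plugin_create; both are assumptions, not something stated on this page.

```shell
#!/bin/sh
# Added example (not part of the strongSwan tree or of this issue): pre-flight
# checks for a static/monolithic strongSwan build. When configure finds no
# Python interpreter it records "PYTHON = :", the constructor-registration
# source is generated empty, and charon later reports "unmet dependency"
# for every statically linked plugin.
#
# Assumptions (not taken from the page): the generated files live at
# src/libstrongswan/plugin_constructors.c and src/libcharon/plugin_constructors.c,
# and a plugin "foo-bar" exposes a constructor named foo_bar_plugin_create.

# check_python_in_makefile <Makefile>
# Prints the interpreter automake recorded; fails if it is ":" or absent.
check_python_in_makefile() {
    py=$(sed -n 's/^PYTHON[[:space:]]*=[[:space:]]*//p' "$1" 2>/dev/null | head -n 1)
    case "$py" in
        ""|":")
            echo "configure did not find a Python interpreter (PYTHON='${py:-unset}')" >&2
            return 1 ;;
    esac
    echo "$py"
}

# constructor_symbol <plugin-name>
# e.g. kernel-netlink -> kernel_netlink_plugin_create (assumed naming scheme)
constructor_symbol() {
    echo "$(echo "$1" | tr '-' '_')_plugin_create"
}

# check_constructors "<space-separated plugin names>" <generated.c>...
# Fails if no generated file has content, or if some plugin's constructor is
# referenced by none of them (that plugin would be dropped by the linker).
check_constructors() {
    plugins=$1; shift
    present=0
    for f in "$@"; do
        [ -s "$f" ] && present=1
    done
    if [ "$present" -eq 0 ]; then
        echo "no non-empty constructor file among: $*" >&2
        return 1
    fi
    rc=0
    for p in $plugins; do
        sym=$(constructor_symbol "$p")
        if ! cat "$@" 2>/dev/null | grep -q "$sym"; then
            echo "no constructor file references $sym (plugin '$p' will not load)" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage (after ./configure and make, before make install):
#   sh check_static_build.sh /tmp/strongswan nonce openssl x509 pkcs1 vici kernel-netlink socket-default
if [ "$#" -ge 2 ]; then
    dir=$1; shift
    check_python_in_makefile "$dir/Makefile" || exit 1
    check_constructors "$*" "$dir/src/libstrongswan/plugin_constructors.c" \
                            "$dir/src/libcharon/plugin_constructors.c" || exit 1
    echo "static build looks consistent: all listed plugin constructors are referenced"
fi
```

In the Dockerfile posted in #9 this would sit between ./configure and make install, with python added to the apt-get install list so that the first check passes; the plugin names passed on the command line are the --enable-* plugin options (ikev2 is a protocol option, not a plugin, and is left out).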

#11 Updated by Glen Huang 6 months ago

Thanks for the quick fix.

If I'm not wrong, python is only needed to generate the code file, thus it's only needed during building, and it should be safe to remove it once charon is built?

#12 Updated by Glen Huang 6 months ago

Also, could you comment on the unresponded business inquiry I was asking about?

#13 Updated by Tobias Brunner 6 months ago

If I'm not wrong, python is only needed to generate the code file, thus it's only needed during building, and it should be safe to remove it once charon is built?

Correct.

Also, could you comment on the unresponded business inquiry I was asking about?

I don't know anything about that, sorry.