From areilly@bigpond.net.au Sat May 29 06:24:50 2010 Return-Path: Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3F7E91065674 for ; Sat, 29 May 2010 06:24:50 +0000 (UTC) (envelope-from areilly@bigpond.net.au) Received: from nschwmtas04p.mx.bigpond.com (nschwmtas04p.mx.bigpond.com [61.9.189.146]) by mx1.freebsd.org (Postfix) with ESMTP id CB49D8FC14 for ; Sat, 29 May 2010 06:24:49 +0000 (UTC) Received: from nschwotgx01p.mx.bigpond.com ([124.188.161.100]) by nschwmtas04p.mx.bigpond.com with ESMTP id <20100529062447.NBPW11569.nschwmtas04p.mx.bigpond.com@nschwotgx01p.mx.bigpond.com> for ; Sat, 29 May 2010 06:24:47 +0000 Received: from duncan.reilly.home ([124.188.161.100]) by nschwotgx01p.mx.bigpond.com with ESMTP id <20100529062447.MRHM3673.nschwotgx01p.mx.bigpond.com@duncan.reilly.home> for ; Sat, 29 May 2010 06:24:47 +0000 Message-Id: <1275114287.82624@duncan.reilly.home> Date: Sat, 29 May 2010 16:24:47 +1000 From: Andrew Reilly Reply-To: Andrew Reilly To: FreeBSD-gnats-submit@freebsd.org Cc: Subject: libhx509.so containes references to MD2_* but doesn't reference libcrypto.so, which has them X-Send-Pr-Version: 3.113 X-GNATS-Notify: >Number: 147175 >Category: bin >Synopsis: [kerberos] [patch] libhx509.so containes references to MD2_* but doesn't reference libcrypto.so, which has them >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sat May 29 06:30:07 UTC 2010 >Closed-Date: >Last-Modified: Sun Jul 17 14:30:11 UTC 2011 >Originator: Andrew Reilly >Release: FreeBSD 9.0-CURRENT amd64 >Organization: >Environment: System: FreeBSD duncan.reilly.home 9.0-CURRENT FreeBSD 9.0-CURRENT #6: Sat May 22 10:57:32 EST 2010 root@duncan.reilly.home:/nb/obj/nb/src/sys/DUNCAN amd64 >Description: When trying to build evolution-data-server (for example: fetchmail also has this problem), or anything that depends on libhx509.so, the build stops thusly: /usr/lib/libhx509.so: undefined reference to `MD2_Init' /usr/lib/libhx509.so: undefined reference to `MD2_Final' /usr/lib/libhx509.so: undefined reference to `MD2_Update' because libhx509.so does have undefined references to those functions. Previously, I've worked around this by nuking reference to MD2 from libhx509, on the grounds that it is obsolete anyway. However I have noticed that libcrypto does provide these functions, and the library config line from krb5-config includes it. So why are they not being picked up? I don't know much about shared libraries, but I ran ldd on /usr/lib/libhx509.so, and it says only: libhx509.so: libc.so.7 => /lib/libc.so.7 (0x800648000) could it be that the shared lib version of libhx509.so needs to refer to /lib/libcrypto.so.6 explicitly, even though it is listed on the compiler command line like this? cc -o conftest -O2 -pipe -g -DLDAP_DEPRECATED -fno-strict-aliasing -I/usr/local/include -I/usr/local/include/db41 -L/usr/local/lib -pthread conftest.c -L/usr/local/lib -L/usr/lib -lgssapi -lheimntlm -lkrb5 -lhx509 -lcom_err -lcrypto -lasn1 -lroken -lcrypt >How-To-Repeat: Compile databases/evolution-data-server with "NO_KERBEROS" defined in make.conf and line 16071 of ports/databases/work/evolution-data-server-2.30.1/config changed thusly: heimlibs="`/usr/bin/krb5-config gssapi --libs`" and the next few lines changed thusly (I haven't figured out which is the "right" one): mitlibs="$heimlibs" sunlibs="$heimlibs" Plenty of other builds that depend on gssapi fail the same way, though. Fetchmail is the example I used in PR: ports/145769. >Fix: Working on it. Trying to figure out how to add dependencies to shared libraries... >Release-Note: >Audit-Trail: From: Andrew Reilly To: bug-followup@FreeBSD.org, areilly@bigpond.net.au Cc: Subject: Re: bin/147175: libhx509.so containes references to MD2_* but doesn't reference libcrypto.so, which has them Date: Sun, 4 Jul 2010 12:41:16 +1000 --MP_/GDaVaIp3j5kTHLp_jjRC=av Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Disposition: inline Fixed! Patch attached. Turns out that to tell a shared lib about its dependencies, you need to add a DPADD and LDADD (perhaps only the latter) to the Makefile, as shown in the attached patch. Evolution-data-server and other ports that link against the gssapi-related libs now configure and build OK. Yay! -- Andrew --MP_/GDaVaIp3j5kTHLp_jjRC=av Content-Type: text/x-patch Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=libhx509.patch --- Makefile.orig 2008-05-07 23:53:04.000000000 +1000 +++ Makefile 2010-07-04 10:05:58.000000000 +1000 @@ -82,6 +82,9 @@ SRCS+=${GEN_ASN1} INCS+=${GEN_ASN1} +DPADD+= ${LIBCRYPTO} +LDADD+= -lcrypto + .ORDER: ${GEN} ${GEN_ASN1} ${GEN_OCSP} ocsp_asn1.h: ocsp.asn1 ../../tools/asn1_compile/asn1_compile --MP_/GDaVaIp3j5kTHLp_jjRC=av-- From: Andrew Reilly To: bug-followup@FreeBSD.org Cc: Subject: Re: bin/147175: libhx509.so containes references to MD2_* but doesn't reference libcrypto.so, which has them Date: Tue, 6 Jul 2010 10:45:27 +1000 The makefile in the patch in the previous message applies to /usr/src/kerberos5/lib/libhx509/Makefile. Sorry for patch-making in haste! Cheers, -- Andrew From: "Matthias Andree" To: "Andrew Reilly" Cc: bug-followup@freebsd.org Subject: Re: bin/147175: final link of mail/fetchmail fails libhx509.so undefined reference to MD2_Init etc Date: Tue, 06 Jul 2010 10:14:06 +0200 In concur with your assessments. Let's get this on the FreeBSD-current@ list. -- Matthias Andree From: "Schweigert, Udo CERT" To: bug-followup@FreeBSD.org, areilly@bigpond.net.au Cc: Subject: Re: bin/147175: [kerberos] [patch] libhx509.so containes references to MD2_* but doesn't reference libcrypto.so, which has them Date: Tue, 20 Jul 2010 10:54:41 +0200 I think the problem is not related to the base system but to an incorrect installation of the openssl port. Please try to build openssl from the ports again with MD2 option enabled (an option which is per default set to "off"). That solved the same issue I had with the mutt-devel port under 8.1-R. (Having installed openssl from the ports results in two different versions of libcrypto to be available. The "-lcypto" flag to cc/ld then results in loading that from /usr/local/lib, which may not have the MD2-bits enabled if openssl was installed with the default options.) Regards Udo From: Matthias Andree To: bug-followup@FreeBSD.org, freebsd-current@freebsd.org Cc: re@freebsd.org, portmgr@freebsd.org Subject: Re: bin/147175: [kerberos] [patch] libhx509.so contains references to MD2_* but doesn't reference libcrypto.so, which has them Date: Sun, 17 Jul 2011 16:21:51 +0200 This (GSSAPI linker failure on 9-CURRENT because its libhx509 needs MD2 but libcrypto doesn't provide it) affects security/putty 0.6.1 as well now. There is now lots of stuff on the web on this incompatibility. *Someone needs to fix the GSSAPI-Kerberos/MD2 conflict before the 9-release cycle!* >Unformatted: