From areilly@bigpond.net.au  Sat May 29 06:24:50 2010
Return-Path: <areilly@bigpond.net.au>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 3F7E91065674
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 29 May 2010 06:24:50 +0000 (UTC)
	(envelope-from areilly@bigpond.net.au)
Received: from nschwmtas04p.mx.bigpond.com (nschwmtas04p.mx.bigpond.com [61.9.189.146])
	by mx1.freebsd.org (Postfix) with ESMTP id CB49D8FC14
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 29 May 2010 06:24:49 +0000 (UTC)
Received: from nschwotgx01p.mx.bigpond.com ([124.188.161.100])
          by nschwmtas04p.mx.bigpond.com with ESMTP
          id <20100529062447.NBPW11569.nschwmtas04p.mx.bigpond.com@nschwotgx01p.mx.bigpond.com>
          for <FreeBSD-gnats-submit@freebsd.org>;
          Sat, 29 May 2010 06:24:47 +0000
Received: from duncan.reilly.home ([124.188.161.100])
          by nschwotgx01p.mx.bigpond.com with ESMTP
          id <20100529062447.MRHM3673.nschwotgx01p.mx.bigpond.com@duncan.reilly.home>
          for <FreeBSD-gnats-submit@freebsd.org>;
          Sat, 29 May 2010 06:24:47 +0000
Message-Id: <1275114287.82624@duncan.reilly.home>
Date: Sat, 29 May 2010 16:24:47 +1000
From: Andrew Reilly <areilly@bigpond.net.au>
Reply-To: Andrew Reilly <areilly@bigpond.net.au>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: libhx509.so containes references to MD2_* but doesn't reference libcrypto.so, which has them
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         147175
>Category:       bin
>Synopsis:       [kerberos] [patch] libhx509.so containes references to MD2_* but doesn't reference libcrypto.so, which has them
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat May 29 06:30:07 UTC 2010
>Closed-Date:    Fri Jan 24 23:36:10 UTC 2014
>Last-Modified:  Fri Jan 24 23:36:10 UTC 2014
>Originator:     Andrew Reilly
>Release:        FreeBSD 9.0-CURRENT amd64
>Organization:
>Environment:
System: FreeBSD duncan.reilly.home 9.0-CURRENT FreeBSD 9.0-CURRENT #6: Sat May 22 10:57:32 EST 2010 root@duncan.reilly.home:/nb/obj/nb/src/sys/DUNCAN amd64


	
>Description:
        When trying to build evolution-data-server (for example:
        fetchmail also has this problem), or anything that
        depends on libhx509.so, the build stops thusly:

/usr/lib/libhx509.so: undefined reference to `MD2_Init'
/usr/lib/libhx509.so: undefined reference to `MD2_Final'
/usr/lib/libhx509.so: undefined reference to `MD2_Update'

        because libhx509.so does have undefined references to
        those functions.  Previously, I've worked around this by
        nuking reference to MD2 from libhx509, on the grounds
        that it is obsolete anyway.  However I have noticed that
        libcrypto does provide these functions, and the library
        config line from krb5-config includes it.  So why are
        they not being picked up?  I don't know much about
        shared libraries, but I ran ldd on /usr/lib/libhx509.so,
        and it says only:

libhx509.so:
	libc.so.7 => /lib/libc.so.7 (0x800648000)

        could it be that the shared lib version of libhx509.so
        needs to refer to /lib/libcrypto.so.6 explicitly, even
        though it is listed on the compiler command line like
        this?

cc -o conftest -O2 -pipe -g -DLDAP_DEPRECATED -fno-strict-aliasing -I/usr/local/include -I/usr/local/include/db41 -L/usr/local/lib -pthread  conftest.c  -L/usr/local/lib -L/usr/lib -lgssapi -lheimntlm -lkrb5 -lhx509 -lcom_err -lcrypto -lasn1 -lroken -lcrypt

>How-To-Repeat:
        Compile databases/evolution-data-server with
        "NO_KERBEROS" defined in make.conf and line 16071 of
        ports/databases/work/evolution-data-server-2.30.1/config
        changed thusly:

	heimlibs="`/usr/bin/krb5-config gssapi --libs`"

        and the next few lines changed thusly (I haven't figured
        out which is the "right" one):

        mitlibs="$heimlibs"
	sunlibs="$heimlibs"

        Plenty of other builds that depend on gssapi fail the
        same way, though.  Fetchmail is the example I used in
        PR: ports/145769.

>Fix:

        Working on it.  Trying to figure out how to add
        dependencies to shared libraries...


>Release-Note:
>Audit-Trail:

From: Andrew Reilly <areilly@bigpond.net.au>
To: bug-followup@FreeBSD.org, areilly@bigpond.net.au
Cc:  
Subject: Re: bin/147175: libhx509.so containes references to MD2_* but
 doesn't reference libcrypto.so, which has them
Date: Sun, 4 Jul 2010 12:41:16 +1000

 --MP_/GDaVaIp3j5kTHLp_jjRC=av
 Content-Type: text/plain; charset=US-ASCII
 Content-Transfer-Encoding: 7bit
 Content-Disposition: inline
 
 Fixed!  Patch attached.
 
 Turns out that to tell a shared lib about its dependencies, you
 need to add a DPADD and LDADD (perhaps only the latter) to the
 Makefile, as shown in the attached patch.
 
 Evolution-data-server and other ports that link against the
 gssapi-related libs now configure and build OK.  Yay!
 
 -- 
 Andrew
 
 --MP_/GDaVaIp3j5kTHLp_jjRC=av
 Content-Type: text/x-patch
 Content-Transfer-Encoding: 7bit
 Content-Disposition: attachment; filename=libhx509.patch
 
 --- Makefile.orig	2008-05-07 23:53:04.000000000 +1000
 +++ Makefile	2010-07-04 10:05:58.000000000 +1000
 @@ -82,6 +82,9 @@
  SRCS+=${GEN_ASN1}
  INCS+=${GEN_ASN1}
  
 +DPADD+= ${LIBCRYPTO}
 +LDADD+= -lcrypto
 +
  .ORDER: ${GEN} ${GEN_ASN1}
  
  ${GEN_OCSP} ocsp_asn1.h: ocsp.asn1 ../../tools/asn1_compile/asn1_compile
 
 --MP_/GDaVaIp3j5kTHLp_jjRC=av--

From: Andrew Reilly <areilly@bigpond.net.au>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/147175: libhx509.so containes references to MD2_* but doesn't reference libcrypto.so, which has them
Date: Tue, 6 Jul 2010 10:45:27 +1000

 The makefile in the patch in the previous message applies to
 /usr/src/kerberos5/lib/libhx509/Makefile.
 
 Sorry for patch-making in haste!
 
 Cheers,
 
 -- 
 Andrew

From: "Matthias Andree" <matthias.andree@gmx.de>
To: "Andrew Reilly" <areilly@bigpond.net.au>
Cc: bug-followup@freebsd.org
Subject: Re: bin/147175: final link of mail/fetchmail fails libhx509.so
 undefined reference to MD2_Init etc
Date: Tue, 06 Jul 2010 10:14:06 +0200

 In concur with your assessments. Let's get this on the FreeBSD-current@  
 list.
 
 -- 
 Matthias Andree

From: "Schweigert, Udo CERT" <Udo.Schweigert@siemens.com>
To: bug-followup@FreeBSD.org, areilly@bigpond.net.au
Cc:  
Subject: Re: bin/147175: [kerberos] [patch] libhx509.so containes
 references to MD2_* but doesn't reference libcrypto.so, which has them
Date: Tue, 20 Jul 2010 10:54:41 +0200

 I think the problem is not related to the base system but to an incorrect
 installation of the openssl port. Please try to build openssl from the ports
 again with MD2 option enabled (an option which is per default set to "off").
 
 That solved the same issue I had with the mutt-devel port under 8.1-R.
 
 (Having installed openssl from the ports results in two different versions of
 libcrypto to be available. The "-lcypto" flag to cc/ld then results in
 loading that from /usr/local/lib, which may not have the MD2-bits enabled if
 openssl was installed with the default options.)
 
 Regards
 
 Udo

From: Matthias Andree <mandree@FreeBSD.org>
To: bug-followup@FreeBSD.org, freebsd-current@freebsd.org
Cc: re@freebsd.org, portmgr@freebsd.org
Subject: Re: bin/147175: [kerberos] [patch] libhx509.so contains references
 to MD2_* but doesn't reference libcrypto.so, which has them
Date: Sun, 17 Jul 2011 16:21:51 +0200

 This (GSSAPI linker failure on 9-CURRENT because its libhx509 needs MD2
 but libcrypto doesn't provide it) affects security/putty 0.6.1 as well
 now.   There is now lots of stuff on the web on this incompatibility.
 
 *Someone needs to fix the GSSAPI-Kerberos/MD2 conflict before the
 9-release cycle!*
State-Changed-From-To: open->feedback 
State-Changed-By: jmg 
State-Changed-When: Fri Jan 24 21:28:45 UTC 2014 
State-Changed-Why:  
Is this still needed?  HEAD's libhx509 does not reference MD2 anymore as 
MD2 was recently deprecated.. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=147175 
State-Changed-From-To: feedback->closed 
State-Changed-By: jmg 
State-Changed-When: Fri Jan 24 23:35:15 UTC 2014 
State-Changed-Why:  
closed per submitter's reply...  we can reopen if this issue comes 
up again.. 

Thanks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=147175 
>Unformatted:
