Regression in GSSAPI/libxh509 linking? [PR bin/147175]
areilly at bigpond.net.au
Tue Jul 6 14:14:31 UTC 2010
Thanks for looking at this,
On 06/07/2010, at 23:46 , Kostik Belousov wrote:
> Ok, this is useful. But, on the HEAD from Jul 2, I cannot reproduce it,
> with conftest.c and command line above. As well as on the stable/8 that
> is approx. one month old.
> On both systems, MD2_* symbols are resolved by libcrypto.so. Check
> your instance, do the symbols appear in the library ?
On both my 8- and -current (Jul 3) base systems, libcrypto.so has the MD2_* symbols, and libhx509.so doesn't (but requires them). /usr/local/lib/libcrypto.a does *not* have the MD2 symbols.
> As a long shot, do you have openssl 1.0 installed from ports ?
My -current box does. My 8.1-RC doesn't.
> Note the -L /usr/local/lib switch, that causes -lcrypto to be resolved
> from /usr/local/lib, if present. AFAIR, 1.0 removed MD2.
Ah-ha. So I guess the situation properly is:
Not having heimdal installed from ports, the ones that look for gssapi libs use the base system, and the /usr/bin/krb5-config gssapi --libs includes -lhx509, which has unresolved MD2_* symbols. The -L/usr/local/lib on the command line (presumably for other ports dependencies) makes the linker look in /usr/local/lib/libcrypto, which is there because of the openssl-1.0 port, and which doesn't have the MD2_ symbols. My two "fixes" both kind of work: removing the MD2 references from the base system's libhx509 makes it compatible with the -lcrypto in ports; adding an explicit dependency on the base system's libcrypto also works, because that does have the MD2 references. My 8-stable system presumably works because it doesn't have openssl-1.0 installed from ports.
So: how should I "fix" this, properly, on my -current system? Is it as simple as installing heimdal from ports? I can't remove openssl-1.0: that has 191 ports listed in its REQUIRED_BY file.
Should ports/security/heimdal be listed as a dependency of the ports that use GSSAPI?
Is it OK for the base system libhx509.so to *not* have an explicit dependency on libcrypto, even though there seems to be one, and adding such a dependency seems to "fix" this problem?
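The check discussed in this message (which libcrypto a given -L order picks for -lcrypto, and whether that copy defines the MD2_* symbols) can be scripted. This is an added example, not code from the thread; the function names are hypothetical, GNU-style `nm` output is assumed, and /usr/lib as the base-system library directory is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Emulate the linker's -L search for -l<name>: directories are tried in
# order, and within each one the shared object is preferred to the archive.
resolve_lib() {
    name=$1; shift
    for dir in "$@"; do
        for ext in so a; do
            if [ -e "$dir/lib$name.$ext" ]; then
                printf '%s\n' "$dir/lib$name.$ext"
                return 0
            fi
        done
    done
    return 1
}

# Read nm output on stdin (assumed GNU format: "address type name").
# Succeed only if a symbol starting with the prefix is *defined*;
# undefined references ("U name") have no address column and are skipped.
defines_prefix() {
    awk -v p="$1" '
        NF == 3 && $2 != "U" && index($3, p) == 1 { found = 1 }
        END { exit !found }'
}

# Report which libcrypto the given search order selects and whether it
# can satisfy libhx509's MD2_* references.
md2_check() {
    lib=$(resolve_lib crypto "$@") || { echo "libcrypto: not found"; return 2; }
    case $lib in
        *.so) syms=$(nm -D "$lib") ;;   # dynamic symbol table
        *)    syms=$(nm "$lib") ;;      # static archive members
    esac
    if printf '%s\n' "$syms" | defines_prefix MD2_; then
        echo "$lib: defines MD2_*"
    else
        echo "$lib: no MD2_* definitions"
        return 1
    fi
}

# Usage: sh thisfile /usr/local/lib /usr/lib   (same order as the -L flags;
# /usr/lib is an assumed base-system directory)
if [ $# -gt 0 ]; then md2_check "$@"; fi
```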