From owner-freebsd-current@FreeBSD.ORG  Tue Jul  6 14:14:31 2010
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 89B2A106564A;
	Tue,  6 Jul 2010 14:14:31 +0000 (UTC)
	(envelope-from areilly@bigpond.net.au)
Received: from nskntmtas01p.mx.bigpond.com (nskntmtas01p.mx.bigpond.com
	[61.9.168.137])
	by mx1.freebsd.org (Postfix) with ESMTP id E74A58FC12;
	Tue,  6 Jul 2010 14:14:30 +0000 (UTC)
Received: from nskntotgx03p.mx.bigpond.com ([124.188.161.100])
	by nskntmtas01p.mx.bigpond.com with ESMTP id
	<20100706141429.WEEB13611.nskntmtas01p.mx.bigpond.com@nskntotgx03p.mx.bigpond.com>;
	Tue, 6 Jul 2010 14:14:29 +0000
Received: from ghanamia.reilly.home ([124.188.161.100])
	by nskntotgx03p.mx.bigpond.com with ESMTP id
	<20100706141429.XNUM13584.nskntotgx03p.mx.bigpond.com@ghanamia.reilly.home>;
	Tue, 6 Jul 2010 14:14:29 +0000
Mime-Version: 1.0 (Apple Message framework v1081)
Content-Type: text/plain; charset=us-ascii
From: Andrew Reilly <areilly@bigpond.net.au>
In-Reply-To: <20100706134636.GG13238@deviant.kiev.zoral.com.ua>
Date: Wed, 7 Jul 2010 00:14:28 +1000
Content-Transfer-Encoding: quoted-printable
Message-Id: <9BB48431-AF0F-4DEA-8F9F-35830E147E68@bigpond.net.au>
References: <op.vfexgepa1e62zd@merlin.emma.line.org>
	<20100706085435.GC13238@deviant.kiev.zoral.com.ua>
	<4C3317C6.3020009@FreeBSD.org>
	<20100706123325.GF13238@deviant.kiev.zoral.com.ua>
	<457406E5-0E8C-4DB0-97B3-C8CAA7DD3AD0@bigpond.net.au>
	<20100706134636.GG13238@deviant.kiev.zoral.com.ua>
To: Kostik Belousov <kostikbel@gmail.com>
X-Mailer: Apple Mail (2.1081)
X-Authentication-Info: Submitted using SMTP AUTH PLAIN at
	nskntotgx03p.mx.bigpond.com from [124.188.161.100] using ID
	areilly@bigpond.net.au at Tue, 6 Jul 2010 14:14:29 +0000
X-RPD-ScanID: Class unknown; VirusThreatLevel unknown, RefID
	str=0001.0A090209.4C333A45.0116,ss=1,fgs=0
X-SIH-MSG-ID: rR4zFdH2TAD0zmQs0WyzOwJxyArnqyN48Z4QX81loRIGTUDCp8DeQ9rHNvZRu8u6xC5KJhuBNGAkaa7tTY3Rs9mK
Cc: freebsd-current@freebsd.org, Matthias Andree <mandree@freebsd.org>
Subject: Re: Regression in GSSAPI/libxh509 linking? [PR bin/147175]
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Jul 2010 14:14:31 -0000

Hi Kostik,

Thanks for looking at this,

On 06/07/2010, at 23:46 , Kostik Belousov wrote:
> Ok, this is useful. But, on the HEAD from Jul 2, I cannot reproduce =
it,
> with conftest.c and command line above. As well as on the stable/8 =
that
> is approx. one month old.
>=20
> On both systems, MD2_* symbols are resolved by libcrypto.so. Check
> your instance, do the symbols appear in the library ?

On both my 8- and -current (Jul 3) base systems, libcrypto.so has the =
MD2_* symbols, and libhx509.so doesn't (but requires to them).  =
/usr/local/lib/libcrpto.a does *not* have the MD2 symbols.

> As a long shot, do you have openssl 1.0 installed from ports ?

My -current box does.  My 8.1-RC doesn't.

> Note the -L /usr/local/lib switch, that causes -lcrypto to be resolved
> from /usr/local/lib, if present. AFAIR, 1.0 removed MD2.

Ah-ha.  So I guess the situation properly is:

Not having heimdal installed from ports, the ones that look for gssapi =
libs use the base system, and the /usr/bin/krb5-config gssapi --libs =
includes -lhx509, which has unresolved MD2_* symbols.  The =
-L/usr/local/lib on the command line (presumably for other ports =
dependencies) makes the linker look in /usr/local/lib/libcrypto, which =
is there because of the openssl-1.0 port, and which doesn't have the =
MD2_ sybmols.  My two "fixes" both kind of work: removing the MD2 =
references from the base system's libhx509 make it compatible with the =
-lcrypto in ports; adding an explicit dependency on the base system's =
libcrypto also works, because that does have the MD2 references.  My =
8-stable system presumably works because it doesn't have openssl-1.0 =
installed from ports.

So: how should I "fix" this, properly, on my -current system?  Is it as =
simple as installing heimdal from ports?  I can't remove openssl-1.0: =
that has 191 ports listed in its REQUIRED_BY file.

Should ports/security/heimdal be listed as a dependency of the ports =
that use GSSAPI?

Is it OK for the base system libhx509.so to *not* have an explicit =
dependency on libcrypto, even though there seems to be one, and adding =
such a dependency seems to "fix" this problem?

Cheers,

--=20
Andrew