From owner-freebsd-hackers@freebsd.org  Fri Jul 29 17:00:56 2016
Return-Path: <owner-freebsd-hackers@freebsd.org>
Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 950E9BA808B
 for <freebsd-hackers@mailman.ysv.freebsd.org>;
 Fri, 29 Jul 2016 17:00:56 +0000 (UTC)
 (envelope-from kpaasial@gmail.com)
Received: from mail-oi0-x232.google.com (mail-oi0-x232.google.com
 [IPv6:2607:f8b0:4003:c06::232])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 55DD81ACA
 for <freebsd-hackers@freebsd.org>; Fri, 29 Jul 2016 17:00:56 +0000 (UTC)
 (envelope-from kpaasial@gmail.com)
Received: by mail-oi0-x232.google.com with SMTP id l65so114216279oib.1
 for <freebsd-hackers@freebsd.org>; Fri, 29 Jul 2016 10:00:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:in-reply-to:references:from:date:message-id:subject:to;
 bh=th++wD/9kEemCDycPu0qN6pNfnpMqCx9xGFN4xbnXW0=;
 b=eXM+q7xj16MWdyq1P9KPRdadEK9UZU3MYlwAVbcQlLUxRsboP5bL+nLagmgrxe3dgO
 MVMud7mYS2f8MhynBmzK4NugPPm1nmQmQ82+2KCBs5jFZ0wiV0A+zxJhONCTjQdlh9GC
 zvlIdzdcSG+Q/GS3XHzeBxu/D9ubwePi6nVxQqe7JDCp/40NpfpL1y46fhfirhffOYXQ
 2LZiC9wa5HlGRROtPP3msXkjzFOLLaN3+sdZtytqmdrvrnO1tbmnVCez3lAnq5rDDFey
 jDp0+7ac62ZkuB8Ni4RzSKCTevWKm7R9hLSz+hL02ZkIfeZNaTIEXLpgKavNkrjKfJly
 DOaQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:mime-version:in-reply-to:references:from:date
 :message-id:subject:to;
 bh=th++wD/9kEemCDycPu0qN6pNfnpMqCx9xGFN4xbnXW0=;
 b=THUAo39hZ3lmP3XKfHuowRPL3QJZWIK8EuneCU8qDluSFOIY9hdYsV6M47E6wSb9tx
 Smykom/1A2HeIXpCgM+hydF97xLfuONKuJkikO9ljcXVw1k+ECBxvH9QbbjEXG0oSQlt
 cEv2yXvuxKgjfaSPar9usrudQSLNHM3Yj9hHCBonHVgjI3rwmt89fQDNwUrUErrbsWSw
 CDJArQCBki1B70GSiMUDFb/v0sLDjjb+Y21zQknJH5EpAS3AUiP/2c9eqaK7d28mFwYe
 lJbM8+rXp7FRe5l3ztUzuK6XttneVm/+b8ZdxcqIgTioihkuiIsryVSRP6O8gf/iuOoR
 3jKg==
X-Gm-Message-State: AEkoouuBOJIUG2Too36fkpvc4M68kIBLkTkL6UnRYbnR4GIFo2Zd07pIeXJN1/fb6Prusf8i/gtkESwh92Ae2Q==
X-Received: by 10.202.193.195 with SMTP id r186mr24167780oif.109.1469811654896; 
 Fri, 29 Jul 2016 10:00:54 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.157.22.234 with HTTP; Fri, 29 Jul 2016 10:00:54 -0700 (PDT)
In-Reply-To: <20160729100952.GA4967@becker.bs.l>
References: <20160728180255.GA79509@becker.bs.l>
 <599ca93e-31ed-fcb4-75de-7d05667d928e@FreeBSD.org>
 <20160728205516.GA94239@becker.bs.l>
 <b88fc3be-c10a-70b1-c985-f560ad86ecc0@FreeBSD.org>
 <20160728213717.GA98586@becker.bs.l>
 <7483738d-01e7-0bb2-81e9-9c26d8ef8c9f@FreeBSD.org>
 <20160729100952.GA4967@becker.bs.l>
From: Kimmo Paasiala <kpaasial@gmail.com>
Date: Fri, 29 Jul 2016 20:00:54 +0300
Message-ID: <CA+7WWScxvZ-2L-Wf0QXSFb9qTr0sUAx6-oncBhjqrgaLxB-zWw@mail.gmail.com>
Subject: Re: Segfault in OpenSSL even though GnuTLS demanded
To: FreeBSD Hackers <freebsd-hackers@freebsd.org>
Content-Type: text/plain; charset=UTF-8
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
 <freebsd-hackers.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers/>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jul 2016 17:00:56 -0000

On Fri, Jul 29, 2016 at 1:09 PM, Bertram Scharpf
<lists@bertram-scharpf.de> wrote:
> On Thursday, 28. Jul 2016, 17:56:46 -0400, Jung-uk Kim wrote:
>> On 07/28/16 05:37 PM, Bertram Scharpf wrote:
>> > On Thursday, 28. Jul 2016, 17:25:50 -0400, Jung-uk Kim wrote:
>> >> On 07/28/16 04:55 PM, Bertram Scharpf wrote:
>> >>> On Thursday, 28. Jul 2016, 15:37:00 -0400, Jung-uk Kim wrote:
>> >>>> On 07/28/16 02:02 PM, Bertram Scharpf wrote:
>> >>>>>
>> >>>>>   Program received signal SIGSEGV, Segmentation fault.
>> >>>>>   [Switching to Thread 29403080 (LWP 101275/mcabber)]
>> >>>>>   0x285c1245 in OPENSSL_ia32_cpuid () from /usr/local/lib/libcrypto.so.8
>> >>>>
>> >>>> Try "ldd /usr/local/lib/libloudmouth-1.so.0.1.0".  It looks like a
>> >>>> Kerberos issue.
>> >>>
>> >>> No errors. They do all exist. I double-checked it:
>> >>>
>> >>>   $ ldd /usr/local/lib/libloudmouth-1.so.0.1.0 | perl -lne '/=>\s*(\S+)/ and not -e $1 and print $1'
>> >>
>> >> I guess you misunderstood.  I didn't mean you have a missing library.  I
>> >> believe it links *two* libcrypto.so's, i.e., one from base and one from
>> >> ports.
>> >
>> > Indeed:
>> >
>> >   # ldd /usr/local/lib/libloudmouth-1.so.0.1.0 | grep libcrypto
>> >         libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x28d00000)
>> >         libcrypto.so.7 => /lib/libcrypto.so.7 (0x2925b000)
>> >
>> > So, how could I resolve this?
>> You may ask its maintainer (gnome@FreeBSD.org) to add USES+=gssapi and
>> add an option to select GSS-API from ports.  Another solution may be
>> removing all packages depending on /usr/local/lib/libcrypto.8 and
>> rebuilding them with base OpenSSL.
>
> I cannot remove _all_ packages that depend on OpenSSL.
>
>   # pkg info -qr openssl-1.0.2_14 | wc -l
>         38
>
>
> The first thing I do not understand is why it is so
> important for so many packages to pull in the package.
>
>   # openssl version
>   OpenSSL 1.0.1t-freebsd  3 May 2016
>   # /usr/local/bin/openssl version
>   WARNING: can't open config file: /usr/local/openssl/openssl.cnf
>   OpenSSL 1.0.2h  3 May 2016
>
>
> The second thing I do not understand is why GSS-API should
> help. I searched for USES+=gssapi and did find only four
> projects that really have it. None of them is installed
> here.
>
>   $ rbfind /usr/ports 'prune if name == "work" ; name == "Makefile" and grep /\bUSES.*gssapi/'
>
> Many ports have GSSAPI disabled here and they do not
> segfault because of an OpenSSL conflict. Example:
>
>   # grep -h 'SET.*GSS' /var/db/ports/databases_postgresql95-*/options
>   OPTIONS_FILE_UNSET+=GSSAPI
>   OPTIONS_FILE_UNSET+=GSSAPI
>
>
> The third thing I do not understand is why there is an
> OpenSSL conflict at all. I definitely told loudmouth to use
> GnuTLS.
>
>   # grep SSL\\\|TLS /var/db/ports/net-im_loudmouth/options
>   _FILE_COMPLETE_OPTIONS_LIST=DOCS GNUTLS OPENSSL
>   OPTIONS_FILE_SET+=GNUTLS
>   OPTIONS_FILE_UNSET+=OPENSSL
>
>   # cd net-im/loudmouth
>   # make run-depends-list build-depends-list | grep ssl\\\|tls
>   /usr/ports/security/gnutls
>   /usr/ports/security/gnutls
>
>
> This appears to be a real port bug to me.
>
> Bertram
>
>
> --
> Bertram Scharpf
> Stuttgart, Deutschland/Germany
> http://www.bertram-scharpf.de

It's not exactly a port bug, it's a consequence of how dynamic linking
works. If you link against the base system GSSAPI you will pull in the
base system OpenSSL as well and that can't be avoided regardless of
which version of OpenSSL your port links against. The situation is
exactly the same with for example ftp/curl, see this discussion from
last year:

https://lists.freebsd.org/pipermail/freebsd-ports/2015-April/098651.html

-Kimmo