Bug 274753

Summary: security/sudo fails to build on poudriere due to OpenSSL linker error
Product: Ports & Packages
Component: Individual Port(s)
Reporter: tburns
Assignee: Renato Botelho <garga>
Status: Closed FIXED
Severity: Affects Some People
CC: chris
Priority: ---
Flags: bugzilla: maintainer-feedback? (garga)
Version: Latest
Hardware: amd64
OS: Any
Attachments: Fix build with ports openssl (flags: none)

Description tburns 2023-10-27 10:57:22 UTC
This is failing to build for me on amd64 FreeBSD 13.2 using Poudriere. It appears to be related to OpenSSL 3 being pulled in from a dependency. Most likely sssd or OpenLDAP.

Relevant build log output:

[00:04:07] /bin/sh ../libtool --tag=disable-static --mode=link cc -o sudo_sendlog logsrv_util.o sendlog.o tls_client.o tls_init.o -lgcc -fstack-protector-strong  -Wl,--enable-new-dtags -Wl,--allow-multiple-definition  -Wc,-fstack-protector-strong -Wc,-fstack-clash-protection -Wc,-fcf-protection -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack ../lib/iolog/libsudo_iolog.la  ../lib/eventlog/libsudo_eventlog.la  ../lib/logsrv/liblogsrv.la  ../lib/protobuf-c/libprotobuf-c.la  -lssl -lcrypto
[00:04:09] libtool: link: cc -o .libs/sudo_sendlog logsrv_util.o sendlog.o tls_client.o tls_init.o -fstack-protector-strong -Wl,--enable-new-dtags -Wl,--allow-multiple-definition -fstack-protector-strong -fstack-clash-protection -fcf-protection -Wl,-z -Wl,relro -Wl,-z -Wl,now -Wl,-z -Wl,noexecstack  ../lib/iolog/.libs/libsudo_iolog.a -lz ../lib/eventlog/.libs/libsudo_eventlog.a /wrkdirs/usr/ports/security/sudo/work/sudo-1.9.14p3/lib/util/.libs/libsudo_util.so ../lib/logsrv/.libs/liblogsrv.a ../lib/protobuf-c/.libs/libprotobuf-c.a -lssl -lgcc -lcrypto -Wl,-rpath -Wl,/usr/local/libexec/sudo
[00:04:09] ld: error: /wrkdirs/usr/ports/security/sudo/work/sudo-1.9.14p3/lib/util/.libs/libsudo_util.so: undefined reference to EVP_MD_get_size [--no-allow-shlib-undefined]
[00:04:09] cc: error: linker command failed with exit code 1 (use -v to see invocation)

Compile time option file:

# This file is auto-generated by 'make config'.
# Options for sudo-1.9.14p2
_OPTIONS_READ=sudo-1.9.14p2
_FILE_COMPLETE_OPTIONS_LIST=AUDIT DISABLE_AUTH DISABLE_ROOT_SUDO DOCS EXAMPLES INSULTS LDAP NLS NOARGS_SHELL OPIE PAM PYTHON GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT SSSD SSSD_DEVEL
OPTIONS_FILE_SET+=AUDIT
OPTIONS_FILE_UNSET+=DISABLE_AUTH
OPTIONS_FILE_UNSET+=DISABLE_ROOT_SUDO
OPTIONS_FILE_SET+=DOCS
OPTIONS_FILE_SET+=EXAMPLES
OPTIONS_FILE_UNSET+=INSULTS
OPTIONS_FILE_SET+=LDAP
OPTIONS_FILE_UNSET+=NLS
OPTIONS_FILE_UNSET+=NOARGS_SHELL
OPTIONS_FILE_UNSET+=OPIE
OPTIONS_FILE_SET+=PAM
OPTIONS_FILE_UNSET+=PYTHON
OPTIONS_FILE_UNSET+=GSSAPI_BASE
OPTIONS_FILE_UNSET+=GSSAPI_HEIMDAL
OPTIONS_FILE_UNSET+=GSSAPI_MIT
OPTIONS_FILE_SET+=SSSD
OPTIONS_FILE_UNSET+=SSSD_DEVEL
Comment 1 Renato Botelho freebsd_committer freebsd_triage 2023-10-27 11:24:56 UTC
(In reply to tburns from comment #0)
Are you building sudo 1.9.14p3?

I tried the OPTIONS combination you mentioned and it built fine without installing openssl as a dependency

https://idaho.arrakis.com.br/build.html?mastername=13-amd64-default&build=2023-10-27_08h22m36s
Comment 2 tburns 2023-10-27 11:39:28 UTC
(In reply to Renato Botelho from comment #1)

WOW! Thanks for the fast response! Yes 1.9.14p3.

Here is the poudriere build environment:

[00:00:18] =>> Building security/sudo
[00:00:18] build started at Thu Oct 26 10:28:25 EDT 2023
[00:00:18] port directory: /usr/ports/security/sudo
[00:00:18] package name: sudo-1.9.14p3
[00:00:18] building for: FreeBSD repo2.hrsd.com 13.2-RELEASE-p4 FreeBSD 13.2-RELEASE-p4 amd64
[00:00:18] maintained by: garga@FreeBSD.org
[00:00:18] Makefile ident: 
[00:00:18] Poudriere version: 3.3.7_4
[00:00:18] Host OSVERSION: 1302001
[00:00:18] Jail OSVERSION: 1302001
[00:00:18] Job Id: 02
[00:00:18] 
[00:00:18] ---Begin Environment---
[00:00:18] SHELL=/bin/csh
[00:00:18] OSVERSION=1302001
[00:00:18] UNAME_v=FreeBSD 13.2-RELEASE-p4
[00:00:18] UNAME_r=13.2-RELEASE-p4
[00:00:18] BLOCKSIZE=K
[00:00:18] MAIL=/var/mail/root
[00:00:18] MM_CHARSET=UTF-8
[00:00:18] LANG=C.UTF-8
[00:00:18] STATUS=1
[00:00:18] HOME=/root
[00:00:18] PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
[00:00:18] LOCALBASE=/usr/local
[00:00:18] USER=root
[00:00:18] LIBEXECPREFIX=/usr/local/libexec/poudriere
[00:00:18] POUDRIERE_VERSION=3.3.7_4
[00:00:18] MASTERMNT=/repos/poudriere/data/.m/132-default/ref
[00:00:18] POUDRIERE_BUILD_TYPE=bulk
[00:00:18] PACKAGE_BUILDING=yes
[00:00:18] SAVED_TERM=xterm-256color
[00:00:18] GID=0
[00:00:18] UID=0
[00:00:18] PWD=/repos/poudriere/data/.m/132-default/ref/.p/pool
[00:00:18] P_PORTS_FEATURES=FLAVORS SELECTED_OPTIONS
[00:00:18] MASTERNAME=132-default
[00:00:18] SCRIPTPREFIX=/usr/local/share/poudriere
[00:00:18] OLDPWD=/repos/poudriere/data/.m/132-default/ref/.p
[00:00:18] SCRIPTPATH=/usr/local/share/poudriere/bulk.sh
[00:00:18] POUDRIEREPATH=/usr/local/bin/poudriere
[00:00:18] ---End Environment---
[00:00:18] 
[00:00:18] ---Begin Poudriere Port Flags/Env---
[00:00:18] PORT_FLAGS=
[00:00:18] PKGENV=
[00:00:18] FLAVOR=
[00:00:18] DEPENDS_ARGS=
[00:00:18] MAKE_ARGS=
[00:00:18] ---End Poudriere Port Flags/Env---


Here is my make.conf:

DEFAULT_VERSIONS= ssl=openssl pgsql=14 php=8.2 samba=4.13 python=3.9 python3=3.9 mysql=10.5m ruby=3.2
DEFAULT_SSL=openssl
SUDO_LDAP_CONF=sudo-ldap.conf
PYTHON_EXEC_PREFIX=/usr/local
DEFAULT_OPENLDAP_VER=26
ALLOW_UNSUPPORTED_SYSTEM=yes
Comment 3 Renato Botelho freebsd_committer freebsd_triage 2023-10-31 20:53:27 UTC
(In reply to tburns from comment #2)
I managed to reproduce the problem.  sudo build scripts are linking binaries against openssl from base (1.1.1) instead of 3.x.  I started a discussion upstream about it
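
Added example, not part of the original thread or of the sudo port: a small POSIX sh check that audits a link command for the condition described in comment 3, where -lssl/-lcrypto are requested but the ports OpenSSL library directory is never placed on the search path, so the linker resolves them from its default directories. The function name, the result strings and /usr/local as OPENSSLBASE are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example; not code from the sudo port or its build scripts.
#
# openssl_link_audit LINK_COMMAND OPENSSLBASE   (hypothetical helper)
# Prints "no-openssl"     if the command does not link -lssl/-lcrypto,
#        "ok"             if it does and also passes -L$OPENSSLBASE/lib,
#        "missing-libdir" if it links OpenSSL but never names that directory,
#                         so the default library search path is used instead.
# The body runs in a subshell so set -f and the variables stay local.
openssl_link_audit() (
    want="${2%/}/lib"
    uses_ssl=no
    has_dir=no
    prev=
    set -f                      # split on whitespace without globbing
    for tok in $1; do
        case $tok in
            -lssl|-lcrypto)       uses_ssl=yes ;;
            "-L$want"|"-L$want/") has_dir=yes ;;
        esac
        # Also accept the two-token form: -L <dir>
        if [ "$prev" = "-L" ] && [ "${tok%/}" = "$want" ]; then
            has_dir=yes
        fi
        prev=$tok
    done
    if [ "$uses_ssl" = no ]; then
        echo no-openssl
    elif [ "$has_dir" = yes ]; then
        echo ok
    else
        echo missing-libdir
    fi
)

# Abridged from the failing libtool link line quoted in the report.
FAILING_LINK='cc -o .libs/sudo_sendlog logsrv_util.o sendlog.o tls_client.o tls_init.o ../lib/iolog/.libs/libsudo_iolog.a -lz -lssl -lgcc -lcrypto -Wl,-rpath -Wl,/usr/local/libexec/sudo'

# Constructed for comparison: the same command with the ports prefix on the
# library search path (OPENSSLBASE=/usr/local is an assumption).
FIXED_LINK='cc -o .libs/sudo_sendlog logsrv_util.o sendlog.o tls_client.o tls_init.o -L/usr/local/lib ../lib/iolog/.libs/libsudo_iolog.a -lz -lssl -lgcc -lcrypto'

for line in "$FAILING_LINK" "$FIXED_LINK"; do
    openssl_link_audit "$line" /usr/local
done
```

Note that the -Wl,-rpath entry in the failing line only affects run-time lookup; it does not change which libcrypto the linker picks at build time.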
Comment 4 Renato Botelho freebsd_committer freebsd_triage 2023-10-31 22:12:07 UTC
Created attachment 246031 [details]
Fix build with ports openssl

Can you please try attached patch?  It seems to work on my tests
Comment 5 tburns 2023-11-01 10:01:12 UTC
(In reply to Renato Botelho from comment #4)

[00:00:06] [01] [00:00:00] Building security/sudo | sudo-1.9.14p3_1
[00:01:22] [01] [00:01:16] Finished security/sudo | sudo-1.9.14p3_1: Success


That worked. It seems to be integrating with sssd/ldap as expected too.

Thanks!
Comment 6 commit-hook freebsd_committer freebsd_triage 2023-11-01 12:01:18 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=dbc4e4daf752173acb868fc595ae9fa42f972aef

commit dbc4e4daf752173acb868fc595ae9fa42f972aef
Author:     Renato Botelho <garga@FreeBSD.org>
AuthorDate: 2023-10-31 22:07:56 +0000
Commit:     Renato Botelho <garga@FreeBSD.org>
CommitDate: 2023-11-01 12:00:24 +0000

    security/sudo: Fix build with openssl from ports

    Since SSL support is being changed and sudo can be built without it, add
    a new SSL option, on by default.

    When option is enabled, use --enable-openssl=${OPENSSLBASE} to make sure
    it consumes desired OpenSSL implementation.  Also add pkgconfig
    dependency because configure script relies on it to detect openssl
    details.

    PR:             274753
    Reported by:    tburns@hrsd.com
    Sponsored by:   Rubicon Communications, LLC ("Netgate")

 security/sudo/Makefile | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
Comment 7 commit-hook freebsd_committer freebsd_triage 2023-11-01 12:09:20 UTC
A commit in branch 2023Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=005d8c15b8027330dd27d66caaf97dc8a85f034a

commit 005d8c15b8027330dd27d66caaf97dc8a85f034a
Author:     Renato Botelho <garga@FreeBSD.org>
AuthorDate: 2023-10-31 22:07:56 +0000
Commit:     Renato Botelho <garga@FreeBSD.org>
CommitDate: 2023-11-01 12:08:44 +0000

    security/sudo: Fix build with openssl from ports

    Since SSL support is being changed and sudo can be built without it, add
    a new SSL option, on by default.

    When option is enabled, use --enable-openssl=${OPENSSLBASE} to make sure
    it consumes desired OpenSSL implementation.  Also add pkgconfig
    dependency because configure script relies on it to detect openssl
    details.

    PR:             274753
    Reported by:    tburns@hrsd.com
    Sponsored by:   Rubicon Communications, LLC ("Netgate")

    (cherry picked from commit dbc4e4daf752173acb868fc595ae9fa42f972aef)

 security/sudo/Makefile | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)