Bug 126297 - build of dns/bind95 port dies with link-time errors
Summary: build of dns/bind95 port dies with link-time errors
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Doug Barton
Reported: 2008-08-06 10:00 UTC by Ronald F. Guilmette
Modified: 2009-03-25 17:16 UTC (History)
Attachments
file.diff (244 bytes, patch)
2008-08-06 10:00 UTC, Ronald F. Guilmette
Description Ronald F. Guilmette 2008-08-06 10:00:07 UTC
If one has the openssl port (version openssl-0.9.8h_1) installed and one tries
to build & install the bind 9.5.0 port, the build of bind will die in the
following horrible way:

cc -O2 -fno-strict-aliasing -pipe -rpath=/usr/local/lib -o named  builtin.o client.o config.o control.o  controlconf.o interfacemgr.o  listenlist.o log.o logconf.o main.o notify.o  query.o server.o sortlist.o statschannel.o  tkeyconf.o tsigconf.o update.o xfrout.o  zoneconf.o  lwaddr.o lwresd.o lwdclient.o lwderror.o lwdgabn.o  lwdgnba.o lwdgrbn.o lwdnoop.o lwsearch.o    unix/os.o ../../lib/lwres/liblwres.a ../../lib/dns/libdns.a  -lcrypto ../../lib/bind9/libbind9.a  ../../lib/isccfg/libisccfg.a ../../lib/isccc/libisccc.a ../../lib/isc/libisc.a
../../lib/dns/libdns.a(openssldh_link.o)(.text+0x23d): In function `openssldh_generate':
: undefined reference to `DH_generate_parameters_ex'
../../lib/dns/libdns.a(openssldsa_link.o)(.text+0x365): In function `openssldsa_generate':
: undefined reference to `DSA_generate_parameters_ex'
../../lib/dns/libdns.a(opensslrsa_link.o)(.text+0x4e0): In function `opensslrsa_generate':
: undefined reference to `RSA_generate_key_ex'
*** Error code 1
 
Stop in /usr/ports/dns/bind95/work/bind-9.5.0-P2/bin/named.
*** Error code 1
 
Stop in /usr/ports/dns/bind95/work/bind-9.5.0-P2/bin.
*** Error code 1
 
Stop in /usr/ports/dns/bind95/work/bind-9.5.0-P2.
*** Error code 1
 
Stop in /usr/ports/dns/bind95.

The problem is caused by the fact that (a) there is no port config option
for the bind95 port which would allow the user to select or not select
whether bind should be configured --with-openssl or not (it always _is_
configured that way in the current freebsd port, whether the installer
wants it that way or not) and also (b) unfortunately
when bind gets configured --with-openssl but with no path arg specified 
for the --with-openssl ./configure option, then the build of bind9.5.0
will use the openssl include files from the port (/usr/local/include/openssl/)
which can be one version, but then later on, an attempt is made to link
*not* against the corresponding openssl libraries (in /usr/local/lib) but
rather against, e.g. the libcrypto.so that's in /usr/lib.  Result:  Version
skew/mismatch between the headers & libraries used during the build of bind95
and a failed link of named.

Fix: This is *not* a proper solution, but is rather a quick and dirty work-around.
Just a one line hack to the bind95 port top-level Makefile.

I validated that this made the linking errors go away.
How-To-Repeat: 	install 6.3_RELEASE
	portsnap fetch
	portsnap extract
	portinstall openssl
	portinstall bind95
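
The header/library skew described in this report can be detected before a build is attempted. The script below is an added example, not part of the original report or the port: it compares the version declared in `openssl/opensslv.h` with the version banner embedded in a `libcrypto.so*` file. The function names, the `make_fixture` helper and the version strings in the fixture are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): compare the OpenSSL version that
# the headers declare with the version string embedded in a libcrypto binary.

# Version token (e.g. "0.9.8h") from the OPENSSL_VERSION_TEXT define.
header_version() {
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}OPENSSL_VERSION_TEXT[[:space:]]\{1,\}"OpenSSL \([^ "]*\).*/\1/p' "$1" |
        sed 's/-fips$//' | head -n 1
}

# Version token from the banner string compiled into the library itself.
library_version() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" |
        sed -n 's/.*OpenSSL \([0-9][0-9.]*[a-z]*\) .*/\1/p' | head -n 1
}

# check_skew INCLUDE_DIR LIB_DIR -> 0 match, 1 skew, 2 files not found
check_skew() {
    hdr="$1/openssl/opensslv.h"
    lib=$(ls "$2"/libcrypto.so* 2>/dev/null | head -n 1)
    if [ ! -r "$hdr" ] || [ -z "$lib" ]; then
        echo "cannot check: need $hdr and $2/libcrypto.so*"; return 2
    fi
    hv=$(header_version "$hdr"); lv=$(library_version "$lib")
    if [ -n "$hv" ] && [ "$hv" = "$lv" ]; then
        echo "OK: headers and $lib are both OpenSSL $hv"; return 0
    fi
    echo "SKEW: $hdr says ${hv:-unknown}, $lib says ${lv:-unknown}"; return 1
}

# Constructed fixture standing in for /usr/local (port) and /usr/lib (base).
# The file contents and version strings are made up for this example.
make_fixture() {
    mkdir -p "$1/local/include/openssl" "$1/local/lib" "$1/base/lib"
    printf '#define OPENSSL_VERSION_TEXT\t"OpenSSL 0.9.8h 28 May 2008"\n' \
        > "$1/local/include/openssl/opensslv.h"
    printf '\177ELF\001\002OpenSSL 0.9.8h 28 May 2008\000\003' > "$1/local/lib/libcrypto.so.5"
    printf '\177ELF\001\002OpenSSL 0.9.7e 25 Oct 2004\000\003' > "$1/base/lib/libcrypto.so.5"
}

# When run with two arguments, check a real include dir against a lib dir.
if [ $# -eq 2 ]; then check_skew "$1" "$2"; fi
```

Run with `/usr/local/include /usr/lib` as arguments, it checks the pairing this report describes; with `/usr/local/include /usr/local/lib` it checks the port's own library instead.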
Comment 1 Edwin Groothuis freebsd_committer 2008-08-06 12:56:52 UTC
Responsible Changed
From-To: freebsd-ports-bugs->dougb

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 dfilter service freebsd_committer 2009-01-08 08:18:54 UTC
dougb       2009-01-08 08:18:45 UTC

  FreeBSD ports repository

  Modified files:
    dns/bind9            Makefile distinfo 
    dns/bind94           Makefile distinfo 
    dns/bind95           Makefile distinfo 
    dns/bind96           Makefile distinfo 
  Log:
  Update to the -P1 versions of the current BIND ports which contain
  the fix for the following vulnerability: https://www.isc.org/node/373
  
  Description:
  Return values from OpenSSL library functions EVP_VerifyFinal()
  and DSA_do_verify() were not checked properly.
  
  Impact:
  It is theoretically possible to spoof answers returned from
  zones using the DNSKEY algorithms DSA (3) and NSEC3DSA (6).
  
  In short, if you're not using DNSSEC to verify signatures you have
  nothing to worry about.
  
  While I'm here, address the issues raised in the PR by adding a knob
  to disable building with OpenSSL altogether (which eliminates DNSSEC
  capability), and fix the configure arguments to better deal with the
  situation where the user has ssl bits in both the base and LOCALBASE.
  
  PR:             ports/126297
  Submitted by:   Ronald F.Guilmette <rfg@tristatelogic.com>
  
  Revision  Changes    Path
  1.86      +11 -8     ports/dns/bind9/Makefile
  1.48      +6 -6      ports/dns/bind9/distinfo
  1.91      +11 -8     ports/dns/bind94/Makefile
  1.51      +6 -6      ports/dns/bind94/distinfo
  1.93      +12 -8     ports/dns/bind95/Makefile
  1.53      +6 -6      ports/dns/bind95/distinfo
  1.95      +11 -8     ports/dns/bind96/Makefile
  1.55      +6 -6      ports/dns/bind96/distinfo
Comment 3 Doug Barton freebsd_committer 2009-01-08 08:35:51 UTC
State Changed
From-To: open->feedback


What I believe to be an appropriate fix has been committed. Please 
test again with 9.5.1-P1 and let me know if it works for you.  

Thanks for bringing this to my attention, 

Doug
Comment 4 Pav Lucistnik freebsd_committer 2009-03-25 17:15:23 UTC
State Changed
From-To: feedback->closed

Feedback timeout