Created attachment 157318 [details] patch to make security/nmap fully obey WITH_OPENSSL_PORT=yes If security/nmap is build with WITH_OPENSSL_PORT=yes on FreeBSD 8 (and probably 9), nping and ncat are linked to the base openssl libraries. % ldd /usr/local/bin/nmap /usr/local/bin/nmap: libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x33dae000) libpcap.so.7 => /lib/libpcap.so.7 (0x33e1a000) libssl.so.8 => /usr/local/lib/libssl.so.8 (0x33e48000) libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x33eaa000) libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x34038000) libm.so.5 => /lib/libm.so.5 (0x34127000) libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x34141000) libc.so.7 => /lib/libc.so.7 (0x3414c000) libthr.so.3 => /lib/libthr.so.3 (0x34268000) % ldd /usr/local/bin/ncat /usr/local/bin/ncat: libssl.so.6 => /usr/lib/libssl.so.6 (0x33cd5000) libcrypto.so.6 => /lib/libcrypto.so.6 (0x33d21000) libpcap.so.7 => /lib/libpcap.so.7 (0x33e7d000) libm.so.5 => /lib/libm.so.5 (0x33eab000) libc.so.7 => /lib/libc.so.7 (0x33ec5000) ldd /usr/local/bin/nping /usr/local/bin/nping: libssl.so.6 => /usr/lib/libssl.so.6 (0x33ced000) libcrypto.so.6 => /lib/libcrypto.so.6 (0x33d39000) libpcap.so.7 => /lib/libpcap.so.7 (0x33e95000) libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x33ec3000) libm.so.5 => /lib/libm.so.5 (0x33fb2000) libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x33fcc000) libc.so.7 => /lib/libc.so.7 (0x33fd7000) The culprit appears to be this code in Makefile: # fix for gcc from ports .if ${CHOSEN_COMPILER_TYPE} == gcc GCCLIBDIR_CMDS= ${CC} -print-file-name=libstdc++.so | ${SED} -e 's/libstdc++.so//' CONFIGURE_ARGS+=LDFLAGS="-L$$(${GCCLIBDIR_CMDS})" NOT_BASE_CC= true .endif There is nothing in this Makefile that causes anything other than the base compiler to be used. On FreeBSD 8 and 9, the base compiler is gcc, so the .if condition is satisfied. The code inside the conditional block then causes LDFLAGS=-L/usr/lib to be added to CONFIGURE_ARGS. When configure is run for ncat and nping, this directory is prepended to the directory specified by the --with-openssl=DIR option, so libssl and libcrypto from base get linked into these applications. *If* gcc from ports is somehow selected by USES=compiler:something or USE_GCC=yes, then the ports frameworks adds the necessary stuff to find the proper version of libstdc++ to LDFLAGS, which gets included in CONFIGURE_ENV. If passing this as an argument to configure turns out to be necessary, then it could be done like this: CONFIGURE_ARGS+=LDFLAGS=${LDFLAGS} Further down there is the code fragment: # gcc from ports is in use .if defined(NOT_BASE_CC) @${ECHO_MSG} do not forget to adjust libnmap.conf .endif In addition to the problem of of CHOSEN_COMPILER_TYPE==gcc not indicating that gcc from ports is in use, this message should probably go into pkg-message instead of being echoed during the build. Also, I have found no documentation about libnmap.conf. Is this supposed to be libmap.conf? If so, this should not be necessary because the base compiler is always used, and even if ports gcc is used, the executables will be built with the necessary rpath to find the correct libstdc++. I think all this extra stuff in the Makefile is unnecessary.
I agree this piece of code looks really silly, however there are several reasons to add it. - support gcc from ports, therefore the libmap.conf(5) hint - support cross build for arm/mips (as far as I know there is no clang) I've done a build with OpenSSL from ports and it seems the correct OpenSSL version was used. $ uname -rmv 10.1-RELEASE-p10 FreeBSD 10.1-RELEASE-p10 #0: Wed May 13 06:54:13 UTC 2015 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64 $ grep SSL /etc/make.conf WITH_OPENSSL_PORT=yes $ pkg info -x openssl openssl-1.0.2_1 $ cd security/nmap $ make -V CONFIGURE_ARGS --with-openssl=/usr/local --without-localdirs --without-zenmap --without-ndiff --with-libpcre=/usr/local --with-liblua=included --without-nmap-update --prefix=/usr/local ${_LATE_CONFIGURE_ARGS} $ make -V MAKE_ENV OPENSSLBASE=/usr/local OPENSSLDIR=/usr/local/openssl OPENSSLINC=/usr/local/include OPENSSLLIB=/usr/local/lib OPENSSLRPATH=/usr/local/lib XDG_DATA_HOME=/usr/ports/security/nmap/work XDG_CONFIG_HOME=/usr/ports/security/nmap/work HOME=/usr/ports/security/nmap/work NO_PIE=yes SHELL=/bin/sh NO_LINT=YES PREFIX=/usr/local LOCALBASE=/usr/local LIBDIR="/usr/lib" CC="cc" CFLAGS="-O2 -pipe -I/usr/local/include -fstack-protector -fno-strict-aliasing" CPP="cpp" CPPFLAGS="" LDFLAGS=" -Wl,-rpath,/usr/local/lib -fstack-protector" LIBS="" CXX="c++" CXXFLAGS="-O2 -pipe -I/usr/local/include -fstack-protector -fno-strict-aliasing " MANPREFIX="/usr/local" BSD_INSTALL_PROGRAM="install -s -m 555" BSD_INSTALL_LIB="install -s -m 444" BSD_INSTALL_SCRIPT="install -m 555" BSD_INSTALL_DATA="install -m 0644" BSD_INSTALL_MAN="install -m 444" $ make ... $ cd work/stage/usr/local $ ldd bin/* bin/ncat: libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800876000) libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800ae0000) libpcap.so.8 => /lib/libpcap.so.8 (0x800f34000) libm.so.5 => /lib/libm.so.5 (0x801177000) libc.so.7 => /lib/libc.so.7 (0x80139f000) libthr.so.3 => /lib/libthr.so.3 (0x801748000) bin/nmap: libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x800961000) libpcap.so.8 => /lib/libpcap.so.8 (0x800bd6000) libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800e19000) libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x801083000) libc++.so.1 => /usr/lib/libc++.so.1 (0x8014d7000) libcxxrt.so.1 => /lib/libcxxrt.so.1 (0x801797000) libm.so.5 => /lib/libm.so.5 (0x8019b3000) libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x801bdb000) libc.so.7 => /lib/libc.so.7 (0x801de9000) libthr.so.3 => /lib/libthr.so.3 (0x802192000) bin/nping: libssl.so.8 => /usr/local/lib/libssl.so.8 (0x80088b000) libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800af5000) libpcap.so.8 => /lib/libpcap.so.8 (0x800f49000) libc++.so.1 => /usr/lib/libc++.so.1 (0x80118c000) libcxxrt.so.1 => /lib/libcxxrt.so.1 (0x80144c000) libm.so.5 => /lib/libm.so.5 (0x801668000) libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x801890000) libc.so.7 => /lib/libc.so.7 (0x801a9e000) libthr.so.3 => /lib/libthr.so.3 (0x801e47000)
The bug is only triggered when gcc is the base compiler. On FreeBSD 10 and 11, i386 and amd64, where COMPILER_TYPE == clang, then the problematic code in the Makefile is skipped. If you do a native arm or mips build on 10 or 11, which still use gcc as the base compiler, I think you will see ncat and nping incorrectly pick up the base version of openssl. It should no longer be necessary to tweak libmap.conf for gcc from ports because the ports framework now adds the proper rpath info to LDFLAGS so that the runtime linker can find the proper version of libstdc++.so. Adding USE_GCC=yes to the Makefile to force the use of gcc from ports (and WITH_OPENSSL_PORT in /etc/make.conf): # Created by: David O'Brien (obrien@NUXI.com) # $FreeBSD: head/security/nmap/Makefile 375549 2014-12-25 13:29:28Z ohauer $ PORTNAME= nmap DISTVERSION= 6.47 CATEGORIES= security ipv6 MASTER_SITES= http://nmap.org/dist/ \ LOCAL/ohauer MAINTAINER= ohauer@FreeBSD.org COMMENT= Port scanning utility for large networks # nmap-6.47 => svn.nmap.org/nmap-releases/nmap-6.47 (r33605) # http://nmap.org/book/man-legal.html # Install the nmap modified license because of # http://insecure.org/news/download-com-fiasco.html LICENSE= GPLv2 LICENSE_FILE= ${WRKSRC}/COPYING LIB_DEPENDS= libpcre.so:${PORTSDIR}/devel/pcre USE_GCC= yes USES= tar:bzip2 gmake cpe GNU_CONFIGURE= yes OPTIONS_SUB= yes OPTIONS_DEFINE= DOCS IPV6 SSL OPTIONS_DEFAULT=IPV6 SSL SSL_USE= OPENSSL=yes SSL_CONFIGURE_ON= --with-openssl=${OPENSSLBASE} SSL_CONFIGURE_OFF= --without-openssl SSL_CFLAGS= -I${OPENSSLINC} IPV6_CONFIGURE_OFF= --with-libpcap=${LOCALBASE}/IPv6 .include <bsd.port.options.mk> # PR: ports/159376 Workaround if OS is build with WITHOUT_INET6 .if ! ${PORT_OPTIONS:MIPV6} LIB_DEPENDS+= libpcap.so:${PORTSDIR}/net/libpcap .endif PORTDOCS= CHANGELOG HACKING STRIP_FILES= nmap nping .if ${PORT_OPTIONS:MSSL} STRIP_FILES+= ncat .endif CONFIGURE_ARGS+=--without-localdirs \ --without-zenmap \ --without-ndiff \ --with-libpcre=${LOCALBASE} \ --with-liblua=included \ --without-nmap-update .include <bsd.port.pre.mk> # XXX limit results if we do a grep in the sources! post-extract: @${RM} -rf ${WRKSRC}/mswin32 post-configure: @${REINPLACE_CMD} -e "s|^DESTDIR *=|& ${DESTDIR}|" ${WRKSRC}/Makefile pre-install: ${FIND} ${WRKSRC} -type f \( -name \*.orig -o -name \*.bak \) -delete post-install: ${STRIP_CMD} ${STRIP_FILES:S|^|${STAGEDIR}${PREFIX}/bin/|} @${MKDIR} ${STAGEDIR}${DOCSDIR} ${INSTALL_DATA} ${PORTDOCS:S|^|${WRKSRC}/|} ${STAGEDIR}${DOCSDIR} .include <bsd.port.post.mk> # uname -a FreeBSD 101amd64-default 10.1-RELEASE-p9 FreeBSD 10.1-RELEASE-p9 amd64 # ldd /usr/local/bin/nmap /usr/local/bin/nmap: libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x80095e000) libpcap.so.8 => /lib/libpcap.so.8 (0x800bd3000) libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800e16000) libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x801089000) libstdc++.so.6 => /usr/local/lib/gcc48/libstdc++.so.6 (0x801494000) libm.so.5 => /lib/libm.so.5 (0x80179d000) libgcc_s.so.1 => /usr/local/lib/gcc48/libgcc_s.so.1 (0x8019c5000) libc.so.7 => /lib/libc.so.7 (0x801bdb000) libthr.so.3 => /lib/libthr.so.3 (0x801f84000) # ldd /usr/local/bin/ncat /usr/local/bin/ncat: libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800874000) libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800ae7000) libpcap.so.8 => /lib/libpcap.so.8 (0x800ef2000) libm.so.5 => /lib/libm.so.5 (0x801135000) libc.so.7 => /lib/libc.so.7 (0x80135d000) libthr.so.3 => /lib/libthr.so.3 (0x801706000) # ldd /usr/local/bin/nping /usr/local/bin/nping: libssl.so.8 => /usr/local/lib/libssl.so.8 (0x80088d000) libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800b00000) libpcap.so.8 => /lib/libpcap.so.8 (0x800f0b000) libstdc++.so.6 => /usr/local/lib/gcc48/libstdc++.so.6 (0x80114e000) libm.so.5 => /lib/libm.so.5 (0x801457000) libgcc_s.so.1 => /usr/local/lib/gcc48/libgcc_s.so.1 (0x80167f000) libc.so.7 => /lib/libc.so.7 (0x801895000) libthr.so.3 => /lib/libthr.so.3 (0x801c3e000) # uname -a FreeBSD 84i386-default 8.4-RELEASE-p27 FreeBSD 8.4-RELEASE-p27 i386 # ldd /usr/local/bin/nmap /usr/local/bin/nmap: libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x281c1000) libpcap.so.7 => /lib/libpcap.so.7 (0x2822d000) libssl.so.8 => /usr/local/lib/libssl.so.8 (0x2825b000) libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x282bd000) libstdc++.so.6 => /usr/local/lib/gcc48/libstdc++.so.6 (0x28449000) libm.so.5 => /lib/libm.so.5 (0x28535000) libgcc_s.so.1 => /usr/local/lib/gcc48/libgcc_s.so.1 (0x2854f000) libc.so.7 => /lib/libc.so.7 (0x28569000) libthr.so.3 => /lib/libthr.so.3 (0x28685000) # ldd /usr/local/bin/ncat /usr/local/bin/ncat: libssl.so.8 => /usr/local/lib/libssl.so.8 (0x280e2000) libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x28144000) libpcap.so.7 => /lib/libpcap.so.7 (0x282d0000) libm.so.5 => /lib/libm.so.5 (0x282fe000) libc.so.7 => /lib/libc.so.7 (0x28318000) libthr.so.3 => /lib/libthr.so.3 (0x28434000) # ldd /usr/local/bin/nping /usr/local/bin/nping: libssl.so.8 => /usr/local/lib/libssl.so.8 (0x280fa000) libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x2815c000) libpcap.so.7 => /lib/libpcap.so.7 (0x282e8000) libstdc++.so.6 => /usr/local/lib/gcc48/libstdc++.so.6 (0x28316000) libm.so.5 => /lib/libm.so.5 (0x28402000) libgcc_s.so.1 => /usr/local/lib/gcc48/libgcc_s.so.1 (0x2841c000) libc.so.7 => /lib/libc.so.7 (0x28436000) libthr.so.3 => /lib/libthr.so.3 (0x28552000) I can't address cross-compiling since I haven't done that. If there are issues, they should be fixed in the ports infrastructure to the benefit all ports. BTW, it looks like bsd.port.pre.mk could now be changed to bsd.port.options.mk, and bsd.port.post.mk changed to bsd.port.mk. That is supposed to be more efficient.
Created attachment 157356 [details] patch to make security/nmap fully obey WITH_OPENSSL_PORT=yes and further Makefile simplification Fix the WITH_OPENSSL_PORT issue. Also eliminate now unneeded bsd.port.pre.mk and change bsd.port.post.mk to bsd.port.mk.
I finally had a chance to test the *unmodified* port on FreeBSD 9. It is broken the same as on FreeBSD 8, as I expected. # uname -a FreeBSD 93amd64-default 9.3-RELEASE-p13 FreeBSD 9.3-RELEASE-p13 amd64 This was done with poudriere, which add some extra stuff to make.conf ... # cat /etc/make.conf USE_PACKAGE_DEPENDS=yes BATCH=yes WRKDIRPREFIX=/wrkdirs PORTSDIR=/usr/ports PACKAGES=/packages DISTDIR=/distfiles #### /usr/local/etc/poudriere.d/93amd64-make.conf #### WITH_OPENSSL_PORT=yes DISTDIR=/portdistfiles PACKAGES=/.npkg PACKAGES=/packages # ldd /usr/local/bin/nmap /usr/local/bin/nmap: libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x80096c000) libpcap.so.8 => /lib/libpcap.so.8 (0x800bd5000) libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800e0b000) libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x80107d000) libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x80145f000) libm.so.5 => /lib/libm.so.5 (0x801766000) libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x801987000) libc.so.7 => /lib/libc.so.7 (0x801b95000) libthr.so.3 => /lib/libthr.so.3 (0x801ef0000) # ldd /usr/local/bin/ncat /usr/local/bin/ncat: libssl.so.6 => /usr/lib/libssl.so.6 (0x80086e000) libcrypto.so.6 => /lib/libcrypto.so.6 (0x800ac5000) libpcap.so.8 => /lib/libpcap.so.8 (0x800e6d000) libm.so.5 => /lib/libm.so.5 (0x8010a3000) libc.so.7 => /lib/libc.so.7 (0x8012c4000) # ldd /usr/local/bin/nping /usr/local/bin/nping: libssl.so.6 => /usr/lib/libssl.so.6 (0x80088a000) libcrypto.so.6 => /lib/libcrypto.so.6 (0x800ae1000) libpcap.so.8 => /lib/libpcap.so.8 (0x800e89000) libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x8010bf000) libm.so.5 => /lib/libm.so.5 (0x8013c6000) libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x8015e7000) libc.so.7 => /lib/libc.so.7 (0x8017f5000)
A commit references this bug: Author: ohauer Date: Sun Sep 27 10:32:33 UTC 2015 New revision: 398033 URL: https://svnweb.freebsd.org/changeset/ports/398033 Log: - update to 6.49BETA5 - use DOCS instead PORTDOCS - remove gcc workaround [1] - (hopefully) use the correct __FreeBSD_version for SOCK_RAW Changelog: https://nmap.org/changelog.html PR: 196065 [1] PR: 200558 [2] PR: 202139 [3] Submitted by: sbruno@ , mikael.urankar@gmail.com [1] Submitted by: truckman@ [2] Submitted by: trasz@ [3] Changes: head/security/nmap/Makefile head/security/nmap/distinfo head/security/nmap/files/patch-Makefile.in head/security/nmap/files/patch-configure head/security/nmap/files/patch-libdnet-stripped__configure head/security/nmap/files/patch-libdnet-stripped__src__eth-bsd.c head/security/nmap/files/patch-liblua-lua523 head/security/nmap/files/patch-liblua__Makefile head/security/nmap/files/patch-liblua__liolib.c head/security/nmap/files/patch-libnetutil_netutil.cc head/security/nmap/files/patch-nmap.cc head/security/nmap/files/patch-output.cc head/security/nmap/files/patch-tcpip.cc head/security/nmap/pkg-plist
Committed, Thanks!