From owner-freebsd-ports-bugs@FreeBSD.ORG Wed May 7 14:00:00 2014
Message-Id: <201405071359.s47DxREW023306@lucid-nonsense.infracaninophile.co.uk>
Date: Wed, 7 May 2014 14:59:27 +0100 (BST)
From: Matthew Seaman
Reply-To: Matthew Seaman
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.114
Subject: ports/189420: dns/bind99 -- WITH_OPENSSL_PORTS and chroot failure

>Number: 189420
>Category: ports
>Synopsis: dns/bind99 -- WITH_OPENSSL_PORTS and chroot failure
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed May 07 14:00:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator: Matthew Seaman
>Release: FreeBSD 10.0-STABLE amd64
>Organization:
>Environment:
System: FreeBSD lucid-nonsense.infracaninophile.co.uk 10.0-STABLE FreeBSD 10.0-STABLE #5 r265146: Wed Apr 30 15:39:56 BST 2014 root@lucid-nonsense.infracaninophile.co.uk:/usr/obj/usr/src/sys/LUCID-NONSENSE amd64

Running bind99 in a chroot when it is compiled against the ports version of OpenSSL results in failure:

May 6 10:51:01 xxxxxx named[48623]: ENGINE_by_id failed (crypto failure)
May 6 10:51:01 xxxxxx named[48623]: error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
May 6 10:51:01 xxxxxx named[48623]: error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
May 6 10:51:01 xxxxxx named[48623]: error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:418:id=gost
May 6 10:51:01 xxxxxx named[48623]: initializing DST: crypto failure
May 6 10:51:01 xxxxxx kernel: May 6 10:51:01 xxxxxx named[48623]: initializing DST: crypto failure
May 6 10:51:01 xxxxxx named[48623]: exiting (due to fatal error)

The problem is that bind, by default, enables the GOST cipher loadable module.
This DSO is only loaded /after/ named has chrooted itself, so the load fails and named dies.

I have had a fix for this in my own system for ages -- so long that I forgot I had it, and consequently it bit me again at work. The previous bind maintainer rejected my patch, so I've rewritten it both more cleanly and so that there's an option to turn this behaviour on or off.

Similar fixes could be applied to the other bind9x ports.

>Description:
>How-To-Repeat:
>Fix:
--- bind99.diff begins here ---
Index: Makefile =================================================================== --- Makefile (revision 352939) +++ Makefile (working copy) @@ -2,7 +2,7 @@ PORTNAME= bind PORTVERSION= 9.9.5 -PORTREVISION= 12 +PORTREVISION= 13 CATEGORIES= dns net ipv6 MASTER_SITES= ${MASTER_SITE_ISC} MASTER_SITE_SUBDIR= bind9/${ISCVERSION} @@ -33,7 +33,8 @@ OPTIONS_DEFAULT= IPV6 SSL THREADS OPTIONS_DEFINE= SSL IDN REPLACE_BASE LARGE_FILE \ - FIXED_RRSET SIGCHASE IPV6 THREADS GSSAPI FILTER_AAAA + FIXED_RRSET SIGCHASE IPV6 THREADS GSSAPI FILTER_AAAA \ + GOST .if !defined(BIND_TOOLS_SLAVE) OPTIONS_DEFINE+= LINKS RPZ_NSIP RPZ_NSDNAME RRL DOCS RPZ_PATCH NEWSTATS OPTIONS_GROUP= DLZ @@ -47,6 +48,7 @@ FIXED_RRSET_DESC= Enable fixed rrset ordering SIGCHASE_DESC= dig/host/nslookup will do DNSSEC validation FILTER_AAAA_DESC= Enable filtering of AAAA records +GOST_DESC= Enable GOST ciphers (DSO incompatible with chroot) LINKS_DESC= Create conf file symlinks in ${PREFIX} NEWSTATS_DESC= Enable alternate xml statistics channel format @@ -85,6 +87,8 @@ FILTER_AAAA_CONFIGURE_ENABLE= filter-aaaa +GOST_CONFIGURE_WITH= gost + DLZ_POSTGRESQL_CONFIGURE_ON= --with-dlz-postgres=yes DLZ_POSTGRESQL_USE= pgsql=yes
--- bind99.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
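Review bot: the PORTREVISION bump from 12 to 13 in the first hunk is warranted, because the new option is not added to OPTIONS_DEFAULT and so the default package is now built differently; the commit log should say that the default build no longer enables GOST, otherwise the reason for the rebuild is invisible to package users.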
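Review bot: in the OPTIONS_DEFINE hunk, GOST is appended to the option list but OPTIONS_DEFAULT stays `IPV6 SSL THREADS`, so the default flips from GOST enabled (which the report says bind does on its own) to GOST disabled. That is the intended fix for the chroot case, but the flip is silent; a pkg-message or UPDATING note would let anyone who depends on GOST re-enable it deliberately rather than discover the change after an upgrade.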
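Review bot: the GOST_DESC hunk says `DSO incompatible with chroot`, but the log in the report shows the narrower problem, the engine library cannot be found once named has chrooted (`DSO_load:could not load the shared library` followed by `no such engine ... id=gost`). A description along the lines of "Enable GOST ciphers (OpenSSL engine DSO; fails to load once named is chrooted)" tells the user what actually breaks and why a non-chrooted named is unaffected.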
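Review bot: `GOST_CONFIGURE_WITH= gost` in the last hunk emits `--with-gost` whenever the option is on, independent of whether SSL is selected, yet GOST here is an OpenSSL engine (every failing call in the log is OpenSSL's ENGINE_by_id path). Either document that GOST requires SSL or tie the option to it in the Makefile, so that GOST-without-SSL is rejected at configure time with a clear message instead of failing later.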
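The failure mode described in the report can be checked for on a running system. The script below is an added example, not part of the PR or of the bind99 port: it recognises the log signature quoted above and tests whether the engine shared object is actually reachable from inside the chroot. It assumes (not stated in the PR) that the engine is built as lib<engine>.so under an engines directory such as /usr/local/lib/engines, as ports OpenSSL 1.0.x lays it out.

```shell
#!/bin/sh
# Added example, not from the PR: diagnose named dying because the OpenSSL
# GOST engine DSO is looked up only after named has chrooted.
# Assumed layout (not from the PR): engine file is lib<engine>.so below an
# engines directory such as /usr/local/lib/engines.

# Return 0 when a log file carries the signature from the report: ENGINE_by_id
# failing and OpenSSL reporting "no such engine" for id=gost.
has_gost_chroot_failure() {
    grep -q 'ENGINE_by_id failed (crypto failure)' "$1" &&
    grep -q 'ENGINE_by_id:no such engine:.*id=gost' "$1"
}

# Return 0 when the engine DSO exists at the path OpenSSL will try after
# named has chrooted: <chroot>/<engines dir as seen before chroot>/lib<id>.so
engine_visible_in_chroot() {
    # $1 chroot directory, $2 engines directory, $3 engine id (e.g. gost)
    [ -f "$1/$2/lib$3.so" ]
}

# Write a constructed sample log (the lines quoted in the PR) to file $1.
write_sample_log() {
    cat >"$1" <<'EOF'
May 6 10:51:01 xxxxxx named[48623]: ENGINE_by_id failed (crypto failure)
May 6 10:51:01 xxxxxx named[48623]: error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:418:id=gost
May 6 10:51:01 xxxxxx named[48623]: initializing DST: crypto failure
EOF
}

# Stand-alone usage: ./check.sh /var/named /usr/local/lib/engines gost /var/log/messages
if [ $# -eq 4 ]; then
    if has_gost_chroot_failure "$4"; then
        echo "log shows the $3 engine failing to load after chroot"
    fi
    if engine_visible_in_chroot "$1" "$2" "$3"; then
        echo "lib$3.so is present under $1$2; chroot can load it"
    else
        echo "lib$3.so missing under $1$2: build with GOST off, or place the engine inside the chroot"
    fi
fi
```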