Date: Wed, 7 May 2014 14:59:27 +0100 (BST)
From: Matthew Seaman <matthew@FreeBSD.org>
To: FreeBSD-gnats-submit@freebsd.org
Subject: ports/189420: dns/bind99 -- WITH_OPENSSL_PORTS and chroot failure
Message-ID: <201405071359.s47DxREW023306@lucid-nonsense.infracaninophile.co.uk>
Resent-Message-ID: <201405071400.s47E00Kd038863@freefall.freebsd.org>
>Number:         189420
>Category:       ports
>Synopsis:       dns/bind99 -- WITH_OPENSSL_PORTS and chroot failure
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed May 07 14:00:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator:     Matthew Seaman
>Release:        FreeBSD 10.0-STABLE amd64
>Organization:
>Environment:
System: FreeBSD lucid-nonsense.infracaninophile.co.uk 10.0-STABLE FreeBSD 10.0-STABLE #5 r265146: Wed Apr 30 15:39:56 BST 2014 root@lucid-nonsense.infracaninophile.co.uk:/usr/obj/usr/src/sys/LUCID-NONSENSE amd64

Running bind99 in a chroot when it is compiled against the ports version of OpenSSL results in failure:

May 6 10:51:01 xxxxxx named[48623]: ENGINE_by_id failed (crypto failure)
May 6 10:51:01 xxxxxx named[48623]: error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
May 6 10:51:01 xxxxxx named[48623]: error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
May 6 10:51:01 xxxxxx named[48623]: error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:418:id=gost
May 6 10:51:01 xxxxxx named[48623]: initializing DST: crypto failure
May 6 10:51:01 xxxxxx kernel: May 6 10:51:01 xxxxxx named[48623]: initializing DST: crypto failure
May 6 10:51:01 xxxxxx named[48623]: exiting (due to fatal error)

The problem is that bind, by default, enables the GOST cipher loadable module. This dso is attempted to be loaded /after/ named has chrooted itself, which fails and causes named death.

I have had a fix for this in my own system for ages -- so long that I forgot I had it, and consequently it bit me again at work. The previous bind maintainer rejected my patch, so I've rewritten both more cleanly and so that there's an option to turn this behaviour on or off.

Similar fixes could be applied to the other bind9x ports.
>Description: >How-To-Repeat: >Fix: --- bind99.diff begins here --- Index: Makefile =================================================================== --- Makefile (revision 352939) +++ Makefile (working copy) @@ -2,7 +2,7 @@ PORTNAME= bind PORTVERSION= 9.9.5 -PORTREVISION= 12 +PORTREVISION= 13 CATEGORIES= dns net ipv6 MASTER_SITES= ${MASTER_SITE_ISC} MASTER_SITE_SUBDIR= bind9/${ISCVERSION} @@ -33,7 +33,8 @@ OPTIONS_DEFAULT= IPV6 SSL THREADS OPTIONS_DEFINE= SSL IDN REPLACE_BASE LARGE_FILE \ - FIXED_RRSET SIGCHASE IPV6 THREADS GSSAPI FILTER_AAAA + FIXED_RRSET SIGCHASE IPV6 THREADS GSSAPI FILTER_AAAA \ + GOST .if !defined(BIND_TOOLS_SLAVE) OPTIONS_DEFINE+= LINKS RPZ_NSIP RPZ_NSDNAME RRL DOCS RPZ_PATCH NEWSTATS OPTIONS_GROUP= DLZ @@ -47,6 +48,7 @@ FIXED_RRSET_DESC= Enable fixed rrset ordering SIGCHASE_DESC= dig/host/nslookup will do DNSSEC validation FILTER_AAAA_DESC= Enable filtering of AAAA records +GOST_DESC= Enable GOST ciphers (DSO incompatible with chroot) LINKS_DESC= Create conf file symlinks in ${PREFIX} NEWSTATS_DESC= Enable alternate xml statistics channel format @@ -85,6 +87,8 @@ FILTER_AAAA_CONFIGURE_ENABLE= filter-aaaa +GOST_CONFIGURE_WITH= gost + DLZ_POSTGRESQL_CONFIGURE_ON= --with-dlz-postgres=yes DLZ_POSTGRESQL_USE= pgsql=yes --- bind99.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
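Review bot: the OPTIONS_DEFINE hunk adds GOST but leaves the `OPTIONS_DEFAULT= IPV6 SSL THREADS` line directly above it untouched, so the new option defaults to off and GOST support silently disappears on the next rebuild for every user, not only those running named in a chroot. Either add GOST to OPTIONS_DEFAULT so the default build keeps the previous behaviour and chroot operators opt out, or, if the intent is to change the default, say so explicitly (an UPDATING entry or pkg-message) so anyone serving GOST-signed zones is not caught out by a startup-time "crypto failure".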
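Review bot: the GOST_DESC hunk's wording "DSO incompatible with chroot" slightly misstates the failure described in the report. The engine DSO is not inherently incompatible with chroot; per the description it is dlopen()ed after named has chrooted and is simply not present under the chroot, so the same failure would hit any OpenSSL dynamic engine loaded at that point. A description such as "Enable GOST ciphers (engine DSO is loaded after chroot; disable, or provide it inside the chroot)" tells the operator what the option actually trades off. The `GOST_CONFIGURE_WITH= gost` hunk itself is the right knob, since it passes --with-gost or --without-gost according to the option rather than leaving configure to auto-detect.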
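The failure the report describes is a path problem: named asks OpenSSL for the engine by id only after chroot(2), so the engine shared object has to exist at the same path inside the chroot that it has outside. The script below is an added example, not code from the PR, from the bind99 port or from ISC; it reads the named log lines quoted above, pulls out the engine id that OpenSSL reported as missing (`id=gost`), works out where the dynamic engine loader would look for it, and checks whether that file exists under a given chroot directory before named is started. The engines directory (`/usr/local/lib/engines`, the layout the OpenSSL port uses for 1.0.x) and the `lib<id>.so` file name are assumptions, as are the function names `engine_id_from_log`, `engine_dso_path`, `check_dso_in_chroot` and `diagnose`; the `SAMPLE_LOG` text is the PR's own log excerpt embedded for offline use.

```shell
#!/bin/sh
# Added example (not part of the PR or the bind99 port): pre-flight check for
# a chrooted named that is linked against an OpenSSL with dynamic engines.
# named loads the GOST engine DSO only after chroot(2), so the file must be
# reachable at the same path *inside* the chroot. The engines directory and
# the lib<id>.so naming are assumptions about the OpenSSL 1.0.x port layout.

ENGINE_DIR=${ENGINE_DIR:-/usr/local/lib/engines}

# engine_id_from_log: read named log lines on stdin, print the engine id that
# OpenSSL reported as missing ("...no such engine:...id=gost"), first hit only.
engine_id_from_log() {
    sed -n 's/.*no such engine:.*id=\([A-Za-z0-9_]*\).*/\1/p' | head -n 1
}

# engine_dso_path ID: the path OpenSSL's dynamic engine loader would dlopen
# for that id (assumed layout: $ENGINE_DIR/lib<id>.so).
engine_dso_path() {
    printf '%s/lib%s.so\n' "$ENGINE_DIR" "$1"
}

# check_dso_in_chroot CHROOT_DIR DSO_PATH: 0 if the DSO exists inside the
# chroot, 1 if not (named would log "ENGINE_by_id failed" and exit).
check_dso_in_chroot() {
    if [ -f "$1$2" ]; then
        return 0
    fi
    printf 'missing inside chroot: %s%s\n' "$1" "$2" >&2
    return 1
}

# diagnose CHROOT_DIR: read a named log excerpt on stdin, find the engine
# that failed to load, and check for its DSO under CHROOT_DIR.
# Returns 0 (present), 1 (missing) or 2 (no engine failure found in the log).
diagnose() {
    id=$(engine_id_from_log)
    if [ -z "$id" ]; then
        echo 'no "no such engine" line found in log' >&2
        return 2
    fi
    check_dso_in_chroot "$1" "$(engine_dso_path "$id")"
}

# Sample input: the named log lines quoted in the PR (host name redacted there).
SAMPLE_LOG='May 6 10:51:01 xxxxxx named[48623]: ENGINE_by_id failed (crypto failure)
May 6 10:51:01 xxxxxx named[48623]: error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
May 6 10:51:01 xxxxxx named[48623]: error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:418:id=gost
May 6 10:51:01 xxxxxx named[48623]: initializing DST: crypto failure'

# Usage against a real chroot (assumed /var/named):
#   printf '%s\n' "$SAMPLE_LOG" | diagnose /var/named
```

Run it with the chroot directory named uses before restarting the service; a non-zero exit tells you which file named will fail to find. The two remedies are the ones the PR implies: either build the port without the GOST engine (what the patch's new option does), or make sure the engine DSO and anything it depends on are copied under the chroot at the expected path.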