Date:      Sat, 19 Feb 2000 09:42:53 -0500 (EST)
From:      Robert Watson <robert@cyrus.watson.org>
To:        Kris Kennaway <kris@FreeBSD.org>
Cc:        freebsd-current@FreeBSD.org
Subject:   Re: Supported ways to do RSA/OpenSSL on 4.0?
Message-ID:  <Pine.NEB.3.96L.1000219092406.655A-100000@fledge.watson.org>
In-Reply-To: <Pine.BSF.4.21.0002182010580.58012-100000@freefall.freebsd.org>

On Fri, 18 Feb 2000, Kris Kennaway wrote:

> All of the ports which explicitly depend on openssl should be working on
> all supported versions of FreeBSD, modulo screwups :) Jim Bloom has been
> putting a lot of work into getting these working - I have a couple of
> patches to commit, but they mostly seem to work fine as far as I've
> heard.
> 
> However, Jordan mailed me this morning about a build problem with openssh
> on a fresh installation which looks very strange - it's like the test for
> a RSA-enabled openssl is falsely passing, which causes the build to die.
> This may be the problem you're seeing - as yet I don't have any real clues
> about why. Could you send me a build log from one of the failing ports as
> well as the output of 'nm /usr/lib/libcrypto.a | grep RSA_free'? Is this a
> fresh installation, i.e. with no older cruft possibly lying around?

Here's the build dying:

cumin# pwd
/usr/ports/security/openssh
cumin# make
===>  Patching for OpenSSH-1.2.2
===>  Applying FreeBSD patches for OpenSSH-1.2.2
===>  Configuring for OpenSSH-1.2.2
===>  Building for OpenSSH-1.2.2
===> lib
Warning: Object directory not changed from original /usr/ports/security/openssh/work/ssh/lib
cc -O -pipe -I/usr/ports/security/openssh/work/ssh/lib/.. -I/usr/include -DINET6 -I/usr/ports/security/openssh/work/ssh/lib/.. -I/usr/local/usr/include -c /usr/ports/security/openssh/work/ssh/lib/../authfd.c -o authfd.o
In file included from /usr/ports/security/openssh/work/ssh/lib/../ssh.h:21,
                 from /usr/ports/security/openssh/work/ssh/lib/../authfd.c:19:
/usr/ports/security/openssh/work/ssh/lib/../rsa.h:22: openssl/rsa.h: No such file or directory
/usr/ports/security/openssh/work/ssh/lib/../authfd.c:27: openssl/rsa.h: No such file or directory
In file included from /usr/ports/security/openssh/work/ssh/lib/../ssh.h:21,
                 from /usr/ports/security/openssh/work/ssh/lib/../authfd.c:19:
/usr/ports/security/openssh/work/ssh/lib/../rsa.h:25: syntax error before `*'
/usr/ports/security/openssh/work/ssh/lib/../rsa.h:35: syntax error before `RSA'
/usr/ports/security/openssh/work/ssh/lib/../rsa.h:36: syntax error before `RSA'
In file included from /usr/ports/security/openssh/work/ssh/lib/../authfd.c:19:
/usr/ports/security/openssh/work/ssh/lib/../ssh.h:299: syntax error before `RSA'
/usr/ports/security/openssh/work/ssh/lib/../ssh.h:416: syntax error before `RSA'
/usr/ports/security/openssh/work/ssh/lib/../ssh.h:425: syntax error before `RSA'
/usr/ports/security/openssh/work/ssh/lib/../ssh.h:437: syntax error before `RSA'
In file included from /usr/ports/security/openssh/work/ssh/lib/../authfd.c:21:
/usr/ports/security/openssh/work/ssh/lib/../authfd.h:99: syntax error before `RSA'
/usr/ports/security/openssh/work/ssh/lib/../authfd.h:107: syntax error before `RSA'
/usr/ports/security/openssh/work/ssh/lib/../authfd.c:343: syntax error before `RSA'
/usr/ports/security/openssh/work/ssh/lib/../authfd.c: In function `ssh_add_identity':
/usr/ports/security/openssh/work/ssh/lib/../authfd.c:352: `key' undeclared (first use in this function)
/usr/ports/security/openssh/work/ssh/lib/../authfd.c:352: (Each undeclared identifier is reported only once
/usr/ports/security/openssh/work/ssh/lib/../authfd.c:352: for each function it appears in.)
/usr/ports/security/openssh/work/ssh/lib/../authfd.c:360: `comment' undeclared (first use in this function)
/usr/ports/security/openssh/work/ssh/lib/../authfd.c:367: `auth' undeclared (first use in this function)
/usr/ports/security/openssh/work/ssh/lib/../authfd.c: At top level:
/usr/ports/security/openssh/work/ssh/lib/../authfd.c:430: syntax error before `RSA'
/usr/ports/security/openssh/work/ssh/lib/../authfd.c: In function `ssh_remove_identity':
/usr/ports/security/openssh/work/ssh/lib/../authfd.c:439: `key' undeclared (first use in this function)
/usr/ports/security/openssh/work/ssh/lib/../authfd.c:448: `auth' undeclared (first use in this function)
*** Error code 1

Stop in /usr/ports/security/openssh/work/ssh/lib.
*** Error code 1

Stop in /usr/ports/security/openssh/work/ssh.
*** Error code 1

Stop in /usr/ports/security/openssh.
*** Error code 1

Stop in /usr/ports/security/openssh.
*** Error code 1

Stop in /usr/ports/security/openssh.
cumin#

Here's the output of nm on the default installed /usr/lib/libcrypto.a:

cumin#  nm /usr/lib/libcrypto.a | grep RSA_free
cumin# 

This was installed from the 02-14-2000 snapshot a day or two ago, and I
have not upgraded world since then.


> > Do we plan to provide a consistent and documented way for users of
> > FreeBSD to go from the RSA-disabled base library set to the
> > RSA-enabled set, and in a way that provides adequate instruction?  I
> > get rather uninformative errors when trying to compile
> 
> See chapter 6.5 in the handbook.

The handbook appears not to have been installed as part of the ``Novice''
install that I selected.  This suggests that the documentation is not
sufficiently accessible.

However, I did find the following:

  The OpenSSL package with RSAREF support for USA users which you can get
  from ftp.FreeBSD.org. 

     Note: Be sure to read the license before installing! This is NOT
     licensed for general-purpose use!

  The OpenSSL package for International (non-USA) users. This is not legal
  for general use in the USA, but international users should use this
  version because the RSA implementation is faster and more flexible. It
  is available from ftp.internat.FreeBSD.org. 

I was unable to build the OpenSSL port, and installing the RSAref port
didn't fix these build problems.  Also, these directions are pretty
non-specific--could you throw in URLs?  Also, as I mentioned for
auto-install, either building this into sysinstall as a specific install
stage would be a good idea.  Is the intent that we install the OpenSSL
package into /usr/local/lib, or will this stuff be dumped in /usr/lib?
Having two different instances of OpenSSL with different degrees of
breakage will be pretty confusing for developers and porters of SSL
applications, suggesting that the logical target is /usr/lib.  It also
might be good to have a /usr/include/openssl/README that says ``Looking
for rsa.h?  You need to read section 6.5 of the handbook''.

Also, I note that we don't include an OpenSSL man page:

cumin# man openssl
No manual entry for openssl
cumin# man ssl
No manual entry for ssl
cumin# man crypto
No manual entry for crypto

These logical sounding potential manpages would probably be a good place
to mirror the handbook information.  Are there OpenSSL man pages installed
somewhere in the base system?

> > OpenSSH, SSLproxy, and Apache13-modssl, none of which is discovered by the
> > ports mechanism, rather the application makefiles.  While I understand
> > that you are not the maintainer for these ports,... :-)
> > 
> > It might be nice, for example, to have a stage in sysinstall for
> > crypto-configuration--it would also be accessible post-install, and would
> > provide easy access to install via package the underlying RSA libraries,
> > with appropriate documentation of licensing issues and confirmation of
> > location, etc.  Presumably one could back-end this onto a set of ports or
> > packages, so there would be  more scalable command line/scriptable
> > interface.
> 
> The packages already exist and are described in the handbook, except they
> haven't yet made it onto the ftp site. You can pick them up from
> http://www.freebsd.org/~kris/openssl in the meantime. Sysinstall support
> is something I'd definitely like to see, but not something I have time (or
> knowledge) to do right now.

Is this an export-friendly location for non-USA folks?  Any chance Jordan
or someone wants to hack up an install stage?  I think this is
important--especially having it automated, as the automated one-step
install of crypto-based applications is important.  If we're willing to
pause the install to ask about X desktops, this sounds like a good
candidate also.  It also sounds like a good time to generate an initial
value for USA_RESIDENT in make.conf.

> I'll be adding some instructions to the release notes this weekend, and it
> should be giving a helpful error message if you try and install a port
> which requires RSA and you have a non-RSA library:
> 
> .if ${USE_OPENSSL} == RSA
> _HASRSA= "`/usr/bin/nm /usr/lib/libcrypto.a | /usr/bin/grep RSA_free`"
> .if empty(_HASRSA)
> .BEGIN:
>         @${ECHO} "This port requires RSA crypto, which is not present in your"
>         @${ECHO} "version of OpenSSL. Please see Chapter 6.5 in the handbook"
>         @${ECHO} "for a description of the problem and alternative solutions."
>         @${FALSE}
> .endif
> .endif

Sounds like a step in the right direction, but currently a no-start due to
lack of handbook in the install.  Although it's more work, I'd rather see
an OpenSSL manpage that includes this information, a sure-fire way to
check to see what's installed, a sysinstall-phase, etc.

Thanks!  Looks like all this will be great once it's working!

  Robert N M Watson 

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
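The thread turns on one question: does the installed /usr/lib/libcrypto.a actually define the RSA routines, and how should a port find out before it starts compiling? The `nm | grep RSA_free` probe quoted above has two weaknesses worth knowing about. First, `grep RSA_free` also matches an undefined reference line (`U RSA_free`) in an object that merely calls RSA, so a library can "pass" while defining nothing. Second, in BSD make a plain `=` assignment stores the backticked text literally (only `!=` runs a shell command), so `empty(_HASRSA)` on the value as written would never be true. The script below is an added example written for this page, not FreeBSD's ports code; it reads nm(1) output and only counts a symbol as present when a line shows an address and a defining type letter. The symbol list in `REQUIRED_RSA_SYMBOLS` and the sample nm output are constructed for the example.

```shell
#!/bin/sh
# Added example (not FreeBSD's ports code): a stricter "does libcrypto carry RSA?"
# probe than `nm ... | grep RSA_free`, which also matches undefined (U) references.

# Symbols an RSA-enabled libcrypto must DEFINE; the list is an assumption for this example.
REQUIRED_RSA_SYMBOLS="RSA_new RSA_free RSA_generate_key RSA_public_encrypt RSA_private_decrypt"

# rsa_symbols_missing: reads nm(1) output on stdin and prints, space separated,
# every required symbol that the archive does not define. A line such as
# "         U RSA_free" is only a reference to RSA_free and does not count.
# Empty output means every required symbol is defined.
rsa_symbols_missing() {
    nm_output=$(cat)
    missing=""
    for sym in $REQUIRED_RSA_SYMBOLS; do
        # defined symbols carry an address and a defining type letter (T/D/R/B ...)
        if ! printf '%s\n' "$nm_output" |
             grep -E "^[0-9a-fA-F]+ +[TtDdRrBb] +${sym}\$" >/dev/null; then
            missing="${missing:+$missing }$sym"
        fi
    done
    printf '%s' "$missing"
}

# check_libcrypto [PATH]: run nm on the archive (default /usr/lib/libcrypto.a).
# Exit status: 0 = RSA present, 1 = library present but RSA symbols missing,
# 2 = archive not readable. The hint mirrors the message quoted in the thread.
check_libcrypto() {
    lib="${1:-/usr/lib/libcrypto.a}"
    if [ ! -r "$lib" ]; then
        echo "check_libcrypto: cannot read $lib" >&2
        return 2
    fi
    missing=$(nm "$lib" 2>/dev/null | rsa_symbols_missing)
    if [ -n "$missing" ]; then
        echo "$lib does not define: $missing" >&2
        echo "This OpenSSL lacks RSA; see Chapter 6.5 of the FreeBSD handbook." >&2
        return 1
    fi
    echo "$lib defines all required RSA symbols"
    return 0
}

# Constructed sample of nm output, standing in for a libcrypto.a built without RSA:
# it references RSA_free from another object but defines nothing RSA-related itself,
# which is exactly the case a bare `grep RSA_free` would wrongly accept.
SAMPLE_NM_NO_RSA='x509.o:
00000000 T X509_new
         U RSA_free
         U malloc'

# Probe a real archive only when a path is given on the command line.
if [ $# -gt 0 ]; then
    check_libcrypto "$1"
fi
```

Run it as `sh check_rsa.sh /usr/lib/libcrypto.a`; the exit status distinguishes "no library at all" from "library built without RSA", which is the distinction the port's error message needs to make. Feeding `SAMPLE_NM_NO_RSA` to `rsa_symbols_missing` reports every RSA symbol as missing even though the text `RSA_free` appears in the output.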