Subject: Re: libcrypt vs. libcrypto
To: Quentin Garnier <>
From: Johnny C. Lam <>
List: tech-pkg
Date: 01/24/2004 17:38:02
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Sat, Jan 24, 2004 at 01:29:00PM +0100, Quentin Garnier wrote:
> There is a problem, though, when it is considered that libldap is linked
> against libcrypto, thus the crypt() from libcrypto takes precedence over
> the one from libcrypt because the order of the libs is '-lldap -lcrypt'
> (the test for libcrypt is made after the one for libldap in configure).
> But in NetBSD 1.6.2, well, in openssl 0.9.6 I might guess, the crypt()
> from libcrypto doesn't know about the "$1$" trick to have MD5 password.
> Thus, it fails at ciphering correctly the password given by the POP3 user.

There is an open PR (pkg/23027) in the database that describes this
exact problem.  It describes one possibility, which is to not build
the crypt() routine into OpenSSL, but as we don't already do that in
the OpenSSL that we have the NetBSD base system (at least on netbsd-1-6),
I don't believe that we should apply that fix.

> Re-ordering the libs solves the issue, but dovecot might not be the only
> package potentially affected.  Also, it seems that the crypt from
> libcrypto in NetBSD-current does the expected thing, therefore the issue
> shouldn't happen on -current.

Ah, I see that crypt() routine is indeed not built into the OpenSSL
on NetBSD-current, so future versions of NetBSD aren't affected by
this problem.

> I will probably commit the fix for dovecot (along with trivial ldaps
> support addition), but maybe it should be worth it to investigate a
> solution using buildlink.  Is there a way to re-order libraries with
> buildlink?

I recently patched up print/cups because of this exact problem.  I
was unhappy with having to submit patches for potentially very many
packages due to this problem, simply because a lot of Linux systems
already don't build the crypt() routine for OpenSSL, so I expect most
software authors simply aren't even aware of the problem.

I haven't implemented argument-reordering in the wrapper scripts,
although it's a near-future project of mine.  In the meantime, you
could try the attached patch.  This uses a new feature only available
in buildlink3.  It causes the wrapper scripts to change "-lcrypto" into
"-lcrypt -lcrypto", which should have the same effect as reordering so
that -lcrypt appears before -lcrypto.


	-- Johnny Lam <>

Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="openssl.diff"

Index: security/openssl/
RCS file: /cvsroot/pkgsrc/security/openssl/,v
retrieving revision 1.7
diff -u -r1.7
--- security/openssl/	24 Jan 2004 03:12:32 -0000	1.7
+++ security/openssl/	24 Jan 2004 17:36:45 -0000
@@ -169,6 +169,16 @@
 .      include "../../security/rsaref/"
 .    endif
 .  endif
+.  for _platform_ in ${_OPENSSL_USE_CRYPT_PLATFORMS}
+.    if !empty(MACHINE_PLATFORM:M${_platform_})
+BUILDLINK_TRANSFORM+=	l:crypto:crypt:crypto
+.    endif
+.  endfor