tech-pkg archive


gnutls/p11-kit incompatible with Apache?



Hello

I noticed that on the machines where php74-imageck was installed,
apache did not survive a SIGUSR1 or SIGHUP. The master would still
be alive, but children would quickly SIGSEGV on startup.

php74-imageck depends on ImageMagick, which dependends on ghostscript,
which depends on CUPS, which depends on GnuTLS, which depends on 
p11-kit. p11-kit sets a count_forks() callback using pthread_atfork(), but 
after that, it gets unloaded, leaving a callback on unmapped memory.

I did not figure yet what component decides to unload it, but given
that p11-kit is generally dangerous to unload before a fork, I think
it would be reasonable to make p11 an option to gnutls. Is the
patch below worth a commit?

Index: security/gnutls/Makefile
===================================================================
RCS file: /cvsroot/pkgsrc/security/gnutls/Makefile,v
retrieving revision 1.222
diff -U4 -r1.222 Makefile
--- security/gnutls/Makefile    31 May 2021 11:08:45 -0000      1.222
+++ security/gnutls/Makefile    16 Aug 2021 12:44:06 -0000
@@ -1,7 +1,8 @@
 # $NetBSD: Makefile,v 1.222 2021/05/31 11:08:45 wiz Exp $
 
 DISTNAME=      gnutls-3.7.2
+PKGREVISION=   1
 CATEGORIES=    security devel
 MASTER_SITES=  https://www.gnupg.org/ftp/gcrypt/gnutls/v${PKGVERSION_NOREV:R}/
 EXTRACT_SUFX=  .tar.xz
 
@@ -108,9 +109,7 @@
 BUILDLINK_API_DEPENDS.libtasn1+=       libtasn1>=4.9
 .include "../../security/libtasn1/buildlink3.mk"
 BUILDLINK_API_DEPENDS.nettle+=         nettle>=3.6
 .include "../../security/nettle/buildlink3.mk"
-BUILDLINK_API_DEPENDS.p11-kit+=        p11-kit>=0.23.1
-.include "../../security/p11-kit/buildlink3.mk"
 .include "../../textproc/libunistring/buildlink3.mk"
 .include "../../mk/readline.buildlink3.mk"
 .include "../../mk/bsd.pkg.mk"
Index: security/gnutls/PLIST
===================================================================
RCS file: /cvsroot/pkgsrc/security/gnutls/PLIST,v
retrieving revision 1.73
diff -U4 -r1.73 PLIST
--- security/gnutls/PLIST       31 May 2021 11:08:45 -0000      1.73
+++ security/gnutls/PLIST       16 Aug 2021 12:44:06 -0000
@@ -3,9 +3,8 @@
 bin/gnutls-cli
 bin/gnutls-cli-debug
 bin/gnutls-serv
 bin/ocsptool
-bin/p11tool
 bin/psktool
 bin/srptool
 include/gnutls/abstract.h
 include/gnutls/compat.h
Index: security/gnutls/buildlink3.mk
===================================================================
RCS file: /cvsroot/pkgsrc/security/gnutls/buildlink3.mk,v
retrieving revision 1.40
diff -U4 -r1.40 buildlink3.mk
--- security/gnutls/buildlink3.mk       21 Apr 2021 13:24:15 -0000      1.40
+++ security/gnutls/buildlink3.mk       16 Aug 2021 12:44:06 -0000
@@ -15,9 +15,8 @@
 .include "../../devel/zlib/buildlink3.mk"
 .include "../../security/libtasn1/buildlink3.mk"
 BUILDLINK_API_DEPENDS.nettle+=         nettle>=3.4.1
 .include "../../security/nettle/buildlink3.mk"
-.include "../../security/p11-kit/buildlink3.mk"
 .include "../../textproc/libunistring/buildlink3.mk"
 pkgbase := gnutls
 .include "../../mk/pkg-build-options.mk"
 .if ${PKG_BUILD_OPTIONS.gnutls:Mdane}
@@ -25,7 +24,11 @@
 .endif
 .if ${PKG_BUILD_OPTIONS.gnutls:Mguile}
 .include "../../lang/guile22/buildlink3.mk"
 .endif
+.if ${PKG_BUILD_OPTIONS.gnutls:Mp11}
+BUILDLINK_API_DEPENDS.p11-kit+= p11-kit>=0.23.1
+.include "../../security/p11-kit/buildlink3.mk"
+.endif
 .endif # GNUTLS_BUILDLINK3_MK
 
 BUILDLINK_TREE+=       -gnutls
Index: security/gnutls/options.mk
===================================================================
RCS file: /cvsroot/pkgsrc/security/gnutls/options.mk,v
retrieving revision 1.3
diff -U4 -r1.3 options.mk
--- security/gnutls/options.mk  14 May 2020 14:30:02 -0000      1.3
+++ security/gnutls/options.mk  16 Aug 2021 12:44:06 -0000
@@ -1,8 +1,8 @@
 # $NetBSD: options.mk,v 1.3 2020/05/14 14:30:02 nikita Exp $
 
 PKG_OPTIONS_VAR=       PKG_OPTIONS.gnutls
-PKG_SUPPORTED_OPTIONS= dane guile
+PKG_SUPPORTED_OPTIONS= dane guile p11
 
 .include "../../mk/bsd.options.mk"
 
 .if !empty(PKG_OPTIONS:Mdane)
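Review bot: Adding `p11` to `PKG_SUPPORTED_OPTIONS` without a `PKG_SUGGESTED_OPTIONS` line turns PKCS#11 support off in every default build, because the next hunk of this file passes `--without-p11-kit` whenever the option is unset. Before this patch p11-kit was an unconditional dependency, so installations that keep TLS private keys on tokens or HSMs, or that use `p11tool`, would presumably lose that on upgrade without any notice. If the old default is meant to stay, add `PKG_SUGGESTED_OPTIONS= p11` after the supported-options line. If the new default is intended, state it in the commit message and add a comment such as `# p11 is off by default: p11-kit's pthread_atfork() handler crashes forked children once the library has been unloaded`.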
@@ -19,4 +19,15 @@
 PLIST_SRC+=            PLIST.guile
 .else
 CONFIGURE_ARGS+=       --disable-guile
 .endif
+
+.if !empty(PKG_OPTIONS:Mp11)
+.error test ${PKG_OPTIONS}
+BUILDLINK_API_DEPENDS.p11-kit+= p11-kit>=0.23.1
+.include "../../security/p11-kit/buildlink3.mk" 
+CONFIGURE_ARGS+=       --with-p11-kit
+PLIST_SRC+=            PLIST.p11
+.else
+CONFIGURE_ARGS+=       --without-p11-kit
+.endif
+
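Review bot: The `.error test ${PKG_OPTIONS}` line at the top of the new `p11` branch looks like leftover debugging. As written, make aborts as soon as the option is selected, so the `--with-p11-kit` path can never be built and the only usable configuration is the one without PKCS#11 support. Delete that line before committing. The `.include "../../security/p11-kit/buildlink3.mk" ` line also ends in a trailing space, and the hunk adds blank lines around the new block (the last one at end of file) that can be dropped.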
--- /dev/null   2021-08-16 14:43:33.626594850 +0200
+++ security/gnutls/PLIST.p11   2021-08-16 11:16:16.714460039 +0200
@@ -0,0 +1,2 @@
+@comment $NetBSD$
+bin/p11tool


-- 
Emmanuel Dreyfus
manu%netbsd.org@localhost

