Subject: pkg/9820: security/openssh doesn't build properly with openssl rsaref support
To: None <gnats-bugs@gnats.netbsd.org>
From: None <sysadmin@terc.edu>
List: netbsd-bugs
Date: 04/07/2000 11:36:44
>Number: 9820
>Category: pkg
>Synopsis: security/openssh doesn't build properly with openssl rsaref support
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Apr 07 08:51:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Robby Griffin
>Release: NetBSD-1.4.2
>Organization:
TERC
>Environment:
NetBSD khwarizmi 1.4.2 NetBSD 1.4.2 (GENERIC) #3: Wed Mar 15 23:41:54 PST 2000 toddpw@vader.toddpw.net:/usr/src/sys/arch/i386/compile/GENERIC i386
>Description:
This is really a bug in the openssh build process, not the pkg system.
security/openssl pays attention to USE_RSAREF2, in which case libcrypto
gets built with some code that calls librsaref functions.
security/openssh ignores USE_RSAREF2, tries to detect whether openssl
was built with rsaref support, and gets a false negative.
This causes the openssh binaries to be linked without
-lRSAglue -lrsaref, so for example sshd drops connections as soon as
it tries to RSA-encrypt anything.
>How-To-Repeat:
setenv USE_RSAREF2 YES
cd devel/openssh; make && make install
/usr/pkg/sbin/sshd
ssh localhost
>Fix:
Manually adding -lRSAglue -lrsaref to LIBS in the configure-generated
Makefile seemed like a good workaround at the time.
Having openssh check USE_RSAREF2 might be the wrong thing since openssl
might have been built in a different env, so I guess the configure
script for openssh should do a better job of detecting rsaref support
in openssl.
What it does now is to compile and run a test program linked with
libcrypto but not librsaref, which calls RSA_generate_key and tests
for a null result. This is inconclusive because RSA_generate_key
doesn't actually call any functions from librsaref. It would seem
necessary to actually try RSA_public_encrypt (a libcrypto function
which calls a librsaref function if so configured) in the test
program. I'm unfamiliar with this stuff but willing to write a
patch if nobody else knows what I'm talking about.
>Release-Note:
>Audit-Trail:
>Unformatted:
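
The detection approach proposed under >Fix:, sketched as an added example (this is not code from the report or from OpenSSH's configure script): the probe program calls RSA_public_encrypt after RSA_generate_key, and the link line is chosen by whether the probe actually runs to completion. The function names write_probe, try_link and detect_rsa_libs are hypothetical, and the candidate library order and a seeded OpenSSL PRNG are assumptions.

```sh
#!/bin/sh
# Added example, not OpenSSH's configure code. Function names are hypothetical.

# Write a probe that exercises RSA encryption, not only key generation.
# Assumes the OpenSSL PRNG is already seeded on the build host.
write_probe() {
cat > "$1" <<'EOF'
#include <string.h>
#include <openssl/rsa.h>
int main(void)
{
    unsigned char in[] = "probe", out[512];
    RSA *key = RSA_generate_key(1024, RSA_F4, NULL, NULL);
    if (key == NULL || RSA_size(key) > (int)sizeof(out))
        return 1;
    /* Per the report, this call reaches librsaref in an RSAref build. */
    if (RSA_public_encrypt((int)strlen((char *)in), in, out, key,
                           RSA_PKCS1_PADDING) < 0)
        return 1;
    return 0;
}
EOF
}

# try_link LIBS: build and run the probe with the given libraries.
try_link() {
    ${CC:-cc} -o "$PROBE_DIR/probe" "$PROBE_DIR/probe.c" $1 2>/dev/null &&
        "$PROBE_DIR/probe"
}

# detect_rsa_libs PROBE: print the first candidate LIBS value for which
# PROBE succeeds; fail if none does. Candidate order is an assumption.
detect_rsa_libs() {
    for libs in "-lcrypto" "-lcrypto -lRSAglue -lrsaref"; do
        if "$1" "$libs"; then
            echo "$libs"
            return 0
        fi
    done
    return 1
}

if [ "${1:-}" = "--run" ]; then
    PROBE_DIR=$(mktemp -d) && write_probe "$PROBE_DIR/probe.c"
    detect_rsa_libs try_link || echo "no working RSA link line found" >&2
fi
```

Invoked with --run on a build host, it prints the LIBS value to use; passing a different probe function to detect_rsa_libs lets the selection logic be checked without a compiler.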