Created attachment 444468 [details] build.log See attached build.log file
http://mailman.mit.edu/pipermail/kerberos/2016-August/021411.html Eray Aslan <eraya at a21an.org> writes: > Trying to build krb5-1.14.3 with openssl-1.1.0 fails in at least pkinit > and k5tls modules. Hopefully, someone has enough cycles to hava a look. There is an open pull request for openssl-1.1 compatibility: https://github.com/krb5/krb5/pull/447 This support will probably be in the upcoming krb5-1.15 release. -Tom
Should be fixed with >=mit-krb5-1.15
Reopening. The package still fails whithout deprecated features from openssl: x86_64-pc-linux-gnu-gcc -m32 -fPIC -DSHARED -DHAVE_CONFIG_H -DPKINIT_DYNOBJEXT=\"""\" -I../../../include -I/var/tmp/portage/app-crypt/mit-krb5-1.15.1/work/krb5-1.15.1/src/include -DKRB5_DEPRECATED=1 -DKRB5_PRIVATE -march=native -mtune=native -O2 -pipe -fno-strict-aliasing -fno-strict-overflow -pthread -c /var/tmp/portage/app-crypt/mit-krb5-1.15.1/work/krb5-1.15.1/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -o pkinit_crypto_openssl.so.o && mv -f pkinit_crypto_openssl.so.o pkinit_crypto_openssl.so /var/tmp/portage/app-crypt/mit-krb5-1.15.1/work/krb5-1.15.1/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c: In function ‘cms_signeddata_create’: /var/tmp/portage/app-crypt/mit-krb5-1.15.1/work/krb5-1.15.1/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1203:13: warning: implicit declaration of function ‘X509_STORE_CTX_trusted_stack’ [-Wimplicit-function-declaration] X509_STORE_CTX_trusted_stack(certctx, id_cryptoctx->trustedCAs); ^ /var/tmp/portage/app-crypt/mit-krb5-1.15.1/work/krb5-1.15.1/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c: In function ‘pkinit_openssl_init’: /var/tmp/portage/app-crypt/mit-krb5-1.15.1/work/krb5-1.15.1/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:3011:5: warning: implicit declaration of function ‘ERR_load_crypto_strings’ [-Wimplicit-function-declaration] ERR_load_crypto_strings(); ^ /var/tmp/portage/app-crypt/mit-krb5-1.15.1/work/krb5-1.15.1/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:3012:5: warning: implicit declaration of function ‘OpenSSL_add_all_algorithms’ [-Wimplicit-function-declaration] OpenSSL_add_all_algorithms(); ^ : updated OBJS.SH echo > binutils.versions "HIDDEN { local: __*; _rest*; _save*; *; };" echo >> binutils.versions "pkinit_0_MIT {" sed >> binutils.versions < /var/tmp/portage/app-crypt/mit-krb5-1.15.1/work/krb5-1.15.1/src/plugins/preauth/pkinit/pkinit.exports "s/$/;/" echo >> binutils.versions "};" rm -f pkinit.so building dynamic pkinit object set -x; objlist=`set -x && perl -p -e 'BEGIN { $SIG{__WARN__} = sub {die @_} }; $e=$ARGV; $e =~ s/OBJS\...$//; s/^/ /; s/ $//; s/ / $e/g;' OBJS.SH` && x86_64-pc-linux-gnu-gcc -m32 -shared -fPIC -Wl,-h,pkinit.so.0 -Wl,--no-undefined -o pkinit.so $objlist -L../../../lib -lkrb5 -lcom_err -lk5crypto -lcrypto -ldl -lkrb5support -lkeyutils -lresolv -Wl,-O1 -Wl,--hash-style=gnu -Wl,--sort-common -Wl,--as-needed -Wl,--version-script binutils.versions + set -x + perl -p -e BEGIN { $SIG{__WARN__} = sub {die @_} }; $e=$ARGV; $e =~ s/OBJS\...$//; s/^/ /; s/ $//; s/ / $e/g; OBJS.SH + objlist= pkinit_accessor.so pkinit_srv.so pkinit_lib.so pkinit_clnt.so pkinit_kdf_constants.so pkinit_profile.so pkinit_identity.so pkinit_matching.so pkinit_crypto_openssl.so + x86_64-pc-linux-gnu-gcc -m32 -shared -fPIC -Wl,-h,pkinit.so.0 -Wl,--no-undefined -o pkinit.so pkinit_accessor.so pkinit_srv.so pkinit_lib.so pkinit_clnt.so pkinit_kdf_constants.so pkinit_profile.so pkinit_identity.so pkinit_matching.so pkinit_crypto_openssl.so -L../../../lib -lkrb5 -lcom_err -lk5crypto -lcrypto -ldl -lkrb5support -lkeyutils -lresolv -Wl,-O1 -Wl,--hash-style=gnu -Wl,--sort-common -Wl,--as-needed -Wl,--version-script binutils.versions pkinit_crypto_openssl.so: In function `pkinit_openssl_init__aux': pkinit_crypto_openssl.c:(.text+0x22): undefined reference to `ERR_load_crypto_strings' pkinit_crypto_openssl.c:(.text+0x27): undefined reference to `OpenSSL_add_all_algorithms' pkinit_crypto_openssl.so: In function `cms_signeddata_create': pkinit_crypto_openssl.c:(.text+0x3482): undefined reference to `X509_STORE_CTX_trusted_stack' pkinit_crypto_openssl.so: In function `cms_signeddata_verify': pkinit_crypto_openssl.c:(.text+0x3eec): undefined reference to `X509_STORE_CTX_trusted_stack' collect2: error: ld returned 1 exit status make[1]: *** [Makefile:724: pkinit.so] Error 1
Works with this patch: https://github.com/gnu-andrew/crypto/blob/493a426ac7ecfe4f86f05cfc5ad83685de1a9bff/app-crypt/mit-krb5/files/mit-krb5-ssl11.patch I'm currently applying the patch conditionally: if has_version ">=dev-libs/openssl-1.1.0" ; then eapply -p2 "${FILESDIR}/${PN}-ssl11.patch" fi but a better solution would be to add #if OPENSSL_VERSION_NUMBER checks to the code and keep both initialisation blocks. Going on this and issues with other libraries, it seems most fixes for OpenSSL 1.1.0 have built OpenSSL with these deprecated functions still available.
Created attachment 498934 [details, diff] mit-krb5-1.15.2-openssl-1.1-p1.patch (In reply to Andrew John Hughes from comment #4) > Works with this patch: > > https://github.com/gnu-andrew/crypto/blob/ > 493a426ac7ecfe4f86f05cfc5ad83685de1a9bff/app-crypt/mit-krb5/files/mit-krb5- > ssl11.patch > > I'm currently applying the patch conditionally: > > > if has_version ">=dev-libs/openssl-1.1.0" ; then > eapply -p2 "${FILESDIR}/${PN}-ssl11.patch" > fi > > but a better solution would be to add #if OPENSSL_VERSION_NUMBER checks to > the code and keep both initialisation blocks. > > Going on this and issues with other libraries, it seems most fixes for > OpenSSL 1.1.0 have built OpenSSL with these deprecated functions still > available. Thanks, this is the same patch with only the slight change to the directories in the first 2 lines so that it applies when copied to /etc/portage/patches/app-crypt/mit-krb5-1.15.2
Created attachment 498936 [details, diff] mit-krb5-1.15.2-openssl-1.1-p2.patch I find it needs this second patch as well, to fix these errors that occur building with dev-libs/openssl-1.1.0f with only the first patch applied: + x86_64-pc-linux-gnu-gcc -m32 -shared -fPIC -Wl,-h,pkinit.so.0 -Wl,--no-undefined -o pkinit.so pkinit_accessor.so pkinit_srv.so pkinit_lib.so pkinit_clnt.so pkinit_kdf_constants.so pkinit_profile.so pkinit_identity.so pkinit_matching.so pkinit_crypto_openssl.so -L../../../lib -lkrb5 -lcom_err -lk5crypto -lcrypto -ldl -lkrb5support -lkeyutils -lresolv -Wl,-O1 -Wl,--as-needed -Wl,--version-script binutils.versions pkinit_crypto_openssl.so: In function `pkinit_openssl_init': /var/tmp/portage/app-crypt/mit-krb5-1.15.2/work/krb5-1.15.2/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:3011: undefined reference to `ERR_load_crypto_strings' /var/tmp/portage/app-crypt/mit-krb5-1.15.2/work/krb5-1.15.2/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:3012: undefined reference to `OpenSSL_add_all_algorithms' pkinit_crypto_openssl.so: In function `cms_signeddata_create': /var/tmp/portage/app-crypt/mit-krb5-1.15.2/work/krb5-1.15.2/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1203: undefined reference to `X509_STORE_CTX_trusted_stack' pkinit_crypto_openssl.so: In function `cms_signeddata_verify': /var/tmp/portage/app-crypt/mit-krb5-1.15.2/work/krb5-1.15.2/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1633: undefined reference to `X509_STORE_CTX_trusted_stack' collect2: error: ld returned 1 exit status make[1]: *** [Makefile:724: pkinit.so] Error 1 make[1]: Leaving directory '/var/tmp/portage/app-crypt/mit-krb5-1.15.2/work/krb5-1.15.2/src-abi_x86_32.x86/plugins/preauth/pkinit' make: *** [Makefile:1523: all-recurse] Error 1 * ERROR: app-crypt/mit-krb5-1.15.2::gentoo failed (compile phase): * emake failed
Package compiles against openssl-1.1* from ::gentoo, so closing this bug.
