[sudo-workers] How to specify prefix for openssl

Renato Botelho garga at FreeBSD.org
Tue Oct 31 16:17:51 MDT 2023


On 31/10/23 18:09, Todd C. Miller via sudo-workers wrote:
> On Tue, 31 Oct 2023 17:50:54 -0300, Renato Botelho wrote:
> 
>> I'm the maintainer of sudo on the FreeBSD ports tree and recently a user
>> reported a problem [1].
>>
>> Just to give you some context, FreeBSD has OpenSSL available on its base
>> system, and in this case, on FreeBSD 13.2, it's OpenSSL 1.1.1.  This is
>> installed under the /usr prefix.
>>
>> It's also possible to install another instance of OpenSSL using the ports
>> tree, and in this case, the version is 3.x.  This is installed under the
>> prefix /usr/local and is completely separated from the base system.
>>
>> After investigating this scenario reported by the user I noticed that the
>> sudo build scripts are linking binaries against openssl 1.1.1:
>>
>> % ldd /wrkdirs/usr/ports/security/sudo/work/sudo-1.9.15rc1/lib/util/.libs/libsudo_util.so
>> /wrkdirs/usr/ports/security/sudo/work/sudo-1.9.15rc1/lib/util/.libs/libsudo_util.so:
>>           libcrypto.so.111 => /lib/libcrypto.so.111 (0x2a89c4a15000)
>>           libc.so.7 => /lib/libc.so.7 (0x2a89c293f000)
>>           libthr.so.3 => /lib/libthr.so.3 (0x2a89c5cee000)
>>
>> The FreeBSD ports build system sets some environment variables like:
>>
>> OPENSSLBASE=/usr/local
>> OPENSSLDIR=/usr/local/openssl
>> OPENSSLINC=/usr/local/include
>> OPENSSLLIB=/usr/local/lib
>> OPENSSLRPATH=/usr/local/lib
>>
>> But those are not being used by the build scripts and it doesn't seem
>> --enable-openssl is designed to accept any parameters.
> 
> You can use --enable-openssl=BASEDIR to set base directory but it
> will still try to use pkg-config to determine things if possible.
> 
> Basically, if BASEDIR is specified, configure will look for a
> BASEDIR/*/pkgconfig and build PKG_CONFIG_LIBDIR from that before
> calling pkg-config.  If no pkgconfig files are found, configure
> will append BASEDIR/lib to LDFLAGS and BASEDIR/include to CPPFLAGS.
> 
> 
> The logic (in m4/openssl.m4) is somewhat complicated so it is
> possible that there is a problem with it.  I've built sudo using
> OpenSSL 3.x on OpenBSD but there the pkgconfig files have a different
> prefix from those in the base system.

I've added pkg-config as a build dependency and added 
--enable-openssl=${OPENSSLBASE} to the port Makefile and it seems to fix 
the problem.

Thanks!
-- 
Renato Botelho
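
As an added example (not part of the thread and not sudo's configure code), the shell sketch below follows the lookup described in the quoted reply and checks ldd output to see which libcrypto a built library resolved to. The function names, the output format and the -L/-I flag form are assumptions made for this example.

```shell
#!/bin/sh
# Sketch of the lookup described in the thread; this is NOT m4/openssl.m4.
# Function names and output format are hypothetical.

# Print the settings a build would use for OpenSSL under BASEDIR.
openssl_settings() {
    basedir=$1
    libdir=
    # Collect every BASEDIR/*/pkgconfig directory, colon-separated.
    for d in "$basedir"/*/pkgconfig; do
        [ -d "$d" ] || continue
        libdir=${libdir:+$libdir:}$d
    done
    if [ -n "$libdir" ]; then
        echo "PKG_CONFIG_LIBDIR=$libdir"
    else
        # No pkgconfig directory: fall back to plain search paths.
        # The -L/-I spelling is an assumption; the thread only names the dirs.
        echo "LDFLAGS=-L$basedir/lib CPPFLAGS=-I$basedir/include"
    fi
}

# Read ldd output on stdin and print the path libcrypto resolved to.
libcrypto_path() {
    awk '$1 ~ /^libcrypto\.so/ && $2 == "=>" { print $3; exit }'
}

# Succeed only if libcrypto in the ldd output (stdin) lives under PREFIX.
linked_under_prefix() {
    prefix=$1
    path=$(libcrypto_path)
    case $path in
        "$prefix"/*) return 0 ;;
        *) echo "libcrypto resolved to ${path:-nothing}, expected under $prefix" >&2
           return 1 ;;
    esac
}

# ldd lines quoted in the thread, reused here as sample input.
SAMPLE_LDD='libcrypto.so.111 => /lib/libcrypto.so.111 (0x2a89c4a15000)
libc.so.7 => /lib/libc.so.7 (0x2a89c293f000)'
```

In a port's post-build step, piping `ldd` of the built library into `linked_under_prefix "$OPENSSLBASE"` turns a silent link against the base-system library into a build failure.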


