On Sat, Jan 18, 2014 at 10:09:31PM -0500, Eric Radman wrote:
> On Sat, Jan 18, 2014 at 09:59:13PM +0100, Landry Breuil wrote:
> > On Fri, Jan 17, 2014 at 11:21:13AM -0500, Eric Radman wrote:
> > > Resubmitting a patch for firefox that includes all of the symbols
> > > required to load gssapi. From moz.log:
> > >
> > > 784166112[83e29180]: service = inout.deshaw.com
> > > 784166112[83e29180]: using negotiate-gss
> > > 784166112[83e29180]: entering nsAuthGSSAPI::nsAuthGSSAPI()
> > > 784166112[83e29180]: Attempting to load gss functions
> > > 784166112[83e29180]: entering nsAuthGSSAPI::Init()
> > > 784166112[83e29180]: nsHttpNegotiateAuth::GenerateCredentials()
> > > [challenge=Negotiate]
> > > 784166112[83e29180]: entering nsAuthGSSAPI::GetNextToken()
> > > 784166112[83e29180]: leaving nsAuthGSSAPI::GetNextToken [rv=0]
> > > 784166112[83e29180]: Sending a token of length 1730
> > >
> > > Notes on the patch:
> > >
> > > - Remove `&& !lib` from the module load loop because it would stop
> > > loading modules the first time dlopen succeeded
> > >
> > > - Had to replace PR_LoadLibrary with PR_LoadLibraryWithFlags so I
> > > could use the PR_LD_GLOBAL option
> >
> > So, after having had some time to actually look at your patch - i
> > suppose that we need to dlopen all the libs one by one in the right
> > order, because they're not inter-dependent in our case?
>
> libgssapi.so doesn't appear to reference any of it's dependencies. On
> many other platforms they are; this is Debian 7.0:
>
> $ readelf -d /usr/lib/i386-linux-gnu/libgssapi_krb5.so.2 | grep NEEDED
> 0x00000001 (NEEDED) Shared library: [libkrb5.so.3]
> 0x00000001 (NEEDED) Shared library: [libk5crypto.so.3]
> 0x00000001 (NEEDED) Shared library: [libcom_err.so.2]
> 0x00000001 (NEEDED) Shared library: [libkrb5support.so.0]
> 0x00000001 (NEEDED) Shared library: [libdl.so.2]
> 0x00000001 (NEEDED) Shared library: [libkeyutils.so.1]
> 0x00000001 (NEEDED) Shared library: [libresolv.so.2]
> 0x00000001 (NEEDED) Shared library: [libc.so.6]
>
> > Why do you need RTLD_GLOBAL ? It fails if you use the default symbol
> > visibility flag ?
>
> RTLD_GLOBAL seems to be required, although I don't understand why. This
> is how I'm testing:
>
> #include <dlfcn.h>
>
> main()
>
> {
>
> dlopen("libasn1.so", RTLD_GLOBAL);
> dlopen("libcrypto.so", RTLD_GLOBAL);
> dlopen("libroken.so", RTLD_GLOBAL);
> dlopen("libheimbase.so", RTLD_GLOBAL);
> dlopen("libcom_err.so", RTLD_GLOBAL);
> dlopen("libkrb5.so", RTLD_GLOBAL);
> dlopen("libgssapi.so", RTLD_GLOBAL|RTLD_NOW);
> }
>
> Instead of patching Firefox, would it be better to change the way
> OpenBSD links the Heimdal libraries to make the interdependent libraries
> implicit?
I think there was a reason for having it done this way when kerberos was
updated, and iirc it lead to having quite a bunch of patches around.
Robert, Antoine ?
Landry
