openssl static libs [was: RE: Call for testing: openssh-9.1]

Tim Rice tim at multitalents.net
Sat Oct 8 10:45:16 AEDT 2022 

On Fri, 7 Oct 2022, Val Baranov wrote:

[snip]
> "libcrypto" is not a part of OS but is locally built under "/usr/local/openssl".
> The information above looks reasonable, because the issue was first discovered upon moving out from OpenSSL 1.0.1 over to  1.1.1 (I can accept that some changes were introduced with ver. 1.1.1). 
> Another thing found is that, OpenSSH 9.1p "configure" failed anyway with the same "libcrypto" error even if using "-lpthread", thus producing another set of errors but this time related to "zlib":
> <...>
> configure:15328: cc -qlanglvl=extc99 -o conftest -g -q64 -I/usr/local/openssl/include -I/usr/local/zlib/include  -L/usr/local/openssl/lib -L/usr/local/zlib/lib  -q64 conftest.c -lcrypto  -lpthread >&5
> ld: 0711-317 ERROR: Undefined symbol: .deflate
> ld: 0711-317 ERROR: Undefined symbol: .zError
> ld: 0711-317 ERROR: Undefined symbol: .deflateInit_
> ld: 0711-317 ERROR: Undefined symbol: .inflate
> ld: 0711-317 ERROR: Undefined symbol: .inflateInit_
> ld: 0711-317 ERROR: Undefined symbol: .inflateEnd
> ld: 0711-317 ERROR: Undefined symbol: .deflateEnd
> So, now "configure" requires 
>      --with-libs='-lpthread -lz' 
> To finish successfully.
> For testing purposes, two sources ver. 8.9p1 and 9.1p1 were configured in the same environment one-by-one in a matter of few minutes. 
> Ver. 8.9p1 finished successfully while ver. 9.1p1 produced the errors above unless "-lz" option is added - this is a strong evidence (am I wrong?) that, something has changes starting OpenSSH ver. 9.X.
> 

This MAY account for the change in behavior in your environment.
....
commit f117e372b3f42f2fbdb0a578d063b2609ab58e1f
Author: Darren Tucker <dtucker at dtucker.net>
Date:   Fri Jul 22 09:24:45 2022 +1000

    Do not link scp, sftp and sftp-server w/ zlib.

    Some of our binaries (eg sftp, sftp-server, scp) do not interact with
    the channels code and thus do use libraries such as zlib and libcrypto
    although they are linked with them.  This adds a CHANNELLIBS and starts
    by moving zlib into it, which means the aformentioned binaries are no
    longer linked against zlib.  ok djm@
....

However, in general, configure does not play well with static libs.

If your openssl was built with dynamic libs, your libcrypto would
have had a NEEDED entry in its header saying it needed libz. Since
you are using static libs, you need to add the libs your openssl build
depends on.


-- 
Tim Rice				Multitalents
tim at multitalents.net

More information about the openssh-unix-dev mailing list