openssh unix dev - Oct 2022 - Call for testing: openssh-9.1

On Fri, 30 Sept 2022 at 02:23, Val Baranov <val.baranov at duke.edu>
wrote:
[...]
> For a number of releases since introducing OpenSSH  ver. 8, AIX
experiencing a problem configuring OpenSSH with static OpenSSL libs ver.
1.1.1.(x).
The thing that changed is that your libcrypto is now built to link
against pthreads whereas previously it was not.  It's not a change in
OpenSSH itself.
> Looks like it is a sort of misleading info provided by
"configure" output by displaying the error with "libcrypto"
while in fact "config.log" contains lines with ".pthread"
errors  just before "libcrypto" error (could it be a 'side'
effect of ".pthread" symbols being not found - ?).
> ld: 0711-317 ERROR: Undefined symbol: .pthread_atfork
This means that the little test program configure tried to build
failed when linking because the pthreads functions were not available
to it.  Configure itself does not know why it failed, just that it
failed.  That was resolved when you added -lpthreads to LDFLAGS.

As it stands, configure does not know that libcrypto needs pthreads.
The usual way of dealing with this is pkg-config, which reads that
data from .pc files, although OpenSSH does not currently use that for
OpenSSL.  You may find there's a libcrypto.pc file in there somewhere
with lines something like:

Libs: -L${libdir} -lcrypto
Libs.private: -lz -ldl -pthread

although you may not, as my understanding is that even modern AIX does
not have pkg-config (certainly the ancient versions I am familiar with
do not).

We should probably tell configure to use pkg-config for OpenSSL, but
that's a non-trivial change (even with the recent simplifications done
with the OpenSSL configure bits), it won't help if you don't have
pkg-config and it'd have to go in early in the next release cycle
anyway.

Is your libcrypto part of the base OS, in /opt/freeware or something else?

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

On Monday, October 3, 2022 5:33 AM
Darren Tucker <dtucker at dtucker.net> wrote:
>On Fri, 30 Sept 2022 at 02:23, Val Baranov <val.baranov at duke.edu>
wrote:
>> For a number of releases since introducing OpenSSH  ver. 8, AIX
experiencing a problem configuring OpenSSH with static OpenSSL libs ver.
1.1.1.(x).
>The thing that changed is that your libcrypto is now built to link against
pthreads whereas previously it was not.  It's not a change in OpenSSH
itself.
>> Looks like it is a sort of misleading info provided by
"configure" output by displaying the error with "libcrypto"
while in fact "config.log" contains lines with ".pthread"
errors  just before "libcrypto" error (could it be a 'side'
effect of ".pthread" symbols being not found - ?).
>> ld: 0711-317 ERROR: Undefined symbol: .pthread_atfork
>This means that the little test program configure tried to build failed when
linking because the pthreads functions were not available to it.  Configure
itself does not know why >it failed, just that it failed.  That was resolved
when you added -lpthreads to LDFLAGS.
>As it stands, configure does not know that libcrypto needs pthreads.
>The usual way of dealing with this is pkg-config, which reads that data from
.pc files, although OpenSSH does not currently use that for OpenSSL.  You may
find there's a libcrypto.pc file in there somewhere with lines something
like:
>Libs: -L${libdir} -lcrypto
>Libs.private: -lz -ldl -pthread
>although you may not, as my understanding is that even modern AIX does not
have pkg-config (certainly the ancient versions I am familiar with do not).
>We should probably tell configure to use pkg-config for OpenSSL, but
that's a non-trivial change (even with the recent simplifications done with
the OpenSSL configure bits), it won't help if you don't have pkg-config
and it'd have to go in early in the next release cycle anyway.
>Is your libcrypto part of the base OS, in /opt/freeware or something else?
"libcrypto" is not a part of OS but is locally built under
"/usr/local/openssl".
The information above looks reasonable, because the issue was first discovered
upon moving out from OpenSSL 1.0.1 over to  1.1.1 (I can accept that some
changes were introduced with ver. 1.1.1).
Another thing found is that, OpenSSH 9.1p "configure" failed anyway
with the same "libcrypto" error even if using "-lpthread",
thus producing another set of errors but this time related to "zlib":
<...>
configure:15328: cc -qlanglvl=extc99 -o conftest -g -q64
-I/usr/local/openssl/include -I/usr/local/zlib/include  -L/usr/local/openssl/lib
-L/usr/local/zlib/lib  -q64 conftest.c -lcrypto  -lpthread >&5
ld: 0711-317 ERROR: Undefined symbol: .deflate
ld: 0711-317 ERROR: Undefined symbol: .zError
ld: 0711-317 ERROR: Undefined symbol: .deflateInit_
ld: 0711-317 ERROR: Undefined symbol: .inflate
ld: 0711-317 ERROR: Undefined symbol: .inflateInit_
ld: 0711-317 ERROR: Undefined symbol: .inflateEnd
ld: 0711-317 ERROR: Undefined symbol: .deflateEnd
So, now "configure" requires 
     --with-libs='-lpthread -lz' 
To finish successfully.
For testing purposes, two sources ver. 8.9p1 and 9.1p1 were configured in the
same environment one-by-one in a matter of few minutes.
Ver. 8.9p1 finished successfully while ver. 9.1p1 produced the errors above
unless "-lz" option is added - this is a strong evidence (am I wrong?)
that, something has changes starting OpenSSH ver. 9.X.

--
Val Baranov (val.baranov at duke.edu