Re: OpenSSH-7.1p1 fails configure check with LibreSSL-2.2.4

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Mon, Nov 09, 2015 at 22:23:12 -0600, Austin English wrote:
> On Mon, Nov 9, 2015 at 5:35 PM, Darren Tucker <dtucker@xxxxxxxxxx> wrote:
> > On Tue, Nov 10, 2015 at 9:22 AM, Austin English <austinenglish@xxxxxxxxx> wrote:
> >> Howdy,
> >>
> >> I'm attempting to compile openssh-7.1p1 using libressl-2.2.4 for the
> >> ssl implementation. Unfortunately, this fails to work (tested on
> >> Debian Unstable and Gentoo):
> > [...]
> >> conftest.c:225:4: warning: implicit declaration of function 'exit'
> >> [-Wimplicit-function-declaration]
> >>     exit(1);
> >>     ^
> >
> > These things are noise.  I'll fix them, but they're not the cause of
> > your problem.
> 
> Sure, just wanted to be complete.
> 
> >> ./conftest: error while loading shared libraries: libcrypto.so.35:
> >> cannot open shared object file: No such file or directory
> >
> > This is the problem: configure is telling the linker to link against
> > libcrypto in the libressl directory but you have not told the runtime
> > linker to look there for shared libraries, so your binaries (in this
> > case, the configure test) fail at runtime.
> >
> > To fix this you probably want to either:
> >  - add /opt/libressl-2.2.4/lib to /etc/ld.conf or /etc/ld.conf.d/ and
> > run ldconfig
> >  - remove the .so files from /opt/libressl-2.2.4/lib so that the
> > linker will pick up the static libcrypto.
> 
> I tried removing the .so's, but openssh then falls back to the system
> openssl instead of the specified ssl. The .a's are present (I also
> tried explicitly building libressl with --enable-shared, but that made
> no difference).

This is actually an old issue that predates LibreSSL. The static library
is not compiled with -fPIC, so it it unusable by OpenSSH when the
build-hardening options are enabled. If you rebuild LibreSSL with
CLFAGS=-fPIC and also supply --disable-shared to ./configure, OpenSSH
should be able to build. Alternatively, you could disable the build
hardening in OpenSSH, but that seems like a step backwards.

> 
> >> doing:
> >> export LD_LIBRARY_PATH=/opt/libressl-2.2.4
> >>
> >> Works around this issue, and allows OpenSSH to compile (though some
> >> tests fail that don't with openssl-1.0.2d.
> >
> > That'll help anything that inherits the environment, but anything that
> > sanitizes its environment (eg sudo) will fail, and the resulting
> > binaries won't work without the environment variable.
> >

Another alternative would be to pass -Wl,-R/opt/libressl-2.2.4/lib to
the compiler to embed the search path in the headers of the executables.
You could add --with-ldflags=-Wl,-R/opt/libressl-2.2.4/lib to the
configure options to OpenSSH.

It might be nice if this option was added automatically be configure,
but I don't know if it's sufficiently portable to be worthwhile.

-- 
Iain Morgan

> > --
> > Darren Tucker (dtucker at zip.com.au)
> > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
> >     Good judgement comes with experience. Unfortunately, the experience
> > usually comes from bad judgement.
> 
> 
> 
> -- 
> -Austin
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 
Iain Morgan
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux