Bug 2153626

Summary: OpenSSH fails to build with OpenSSL 3.0.7-2.el9
Product: Red Hat Enterprise Linux 9
Component: openssh
Version: CentOS Stream
Status: CLOSED ERRATA
Severity: high
Priority: high
Hardware: All
OS: Unspecified
Reporter: Chris Rapier <rapier>
Assignee: Dmitry Belyavskiy <dbelyavs>
QA Contact: Marek Havrila <mhavrila>
CC: bstinson, jjelen, jwboyer, mhavrila
Target Milestone: rc
Keywords: Triaged
Fixed In Version: openssh-8.7p1-25.el9
Doc Type: No Doc Update
Last Closed: 2023-05-09 08:24:39 UTC
Type: Bug

Description Chris Rapier 2022-12-14 23:19:36 UTC
Description of problem:

The source package for OpenSSH 8.7 fails to build under CentOS9 Stream when the OpenSSL library install is openssl-libs 1:3.0.7-2.el9. It did build with openssl-libs 1:3.0.7-1.el9.

Version-Release number of selected component (if applicable): 8.7


How reproducible: 
Consistently


Steps to Reproduce:
1. ensure that you are using openssl-libs 1:3.0.7-2.el9
2. rpmbuild -ba openssh.spec

Actual results:
[...]
gcc -o sshd sshd.o auth-rhosts.o auth-passwd.o audit.o audit-bsm.o audit-linux.o platform.o sshpty.o sshlogin.o servconf.o serverloop.o auth.o auth2.o auth-options.o session.o auth2-chall.o groupaccess.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o monitor.o monitor_wrap.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o srclimit.o sftp-server.o sftp-common.o sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o sandbox-solaris.o uidswap.o ssh-sk-client.o -L. -Lopenbsd-compat/  -pie -z relro -z now -fstack-protector-strong  -lssh -lopenbsd-compat -laudit -lpam -ldl -lsystemd  -lcrypto -lz  -lcrypt -lselinux -lgssapi_krb5  -lkrb5 -lk5crypto -lcom_err 
/usr/bin/ld: /tmp/ccx2rKSw.ltrans0.ltrans.o: in function `do_ssh2_kex':
/home/rapier/rpmbuild/BUILD/openssh-8.7p1/sshd.c:2543: undefined reference to `FIPS_mode'
/usr/bin/ld: /tmp/ccx2rKSw.ltrans0.ltrans.o: in function `main':
/home/rapier/rpmbuild/BUILD/openssh-8.7p1/sshd.c:1934: undefined reference to `FIPS_mode'
/usr/bin/ld: /home/rapier/rpmbuild/BUILD/openssh-8.7p1/sshd.c:2151: undefined reference to `FIPS_mode'
/usr/bin/ld: /tmp/ccx2rKSw.ltrans5.ltrans.o: in function `sshkey_read':
/home/rapier/rpmbuild/BUILD/openssh-8.7p1/sshkey.c:1546: undefined reference to `FIPS_mode'
/usr/bin/ld: /tmp/ccx2rKSw.ltrans7.ltrans.o: in function `choose_dh':
/home/rapier/rpmbuild/BUILD/openssh-8.7p1/dh.c:167: undefined reference to `FIPS_mode'
/usr/bin/ld: /tmp/ccx2rKSw.ltrans8.ltrans.o:/home/rapier/rpmbuild/BUILD/openssh-8.7p1/kexgen.c:318: more undefined references to `FIPS_mode' follow
collect2: error: ld returned 1 exit status
make: *** [Makefile:216: sshd] Error 1
[...]

Expected results:
Successful build

Additional info:
The FIPS_mode() calls come from the openssh-7.7p1-fips.patch. I also know that OpenSSL removed FIPS_mode() from OpenSSL 3. So I'm guessing support for it had been forward ported until now. If you have a patch or update for this or simply plan on removing the fips patch please let me know.
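
Added example (not part of the original report, and not OpenSSH or OpenSSL code): a Python sketch that groups the linker's "undefined reference" lines by missing symbol, which makes it visible that every failing call site in a log like the one above needs the same single symbol. The sample log is constructed in the report's format with shortened paths, and `summarize_undefined` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the build log above (paths shortened).
SAMPLE_LOG = """\
/usr/bin/ld: /tmp/ccAAAA.ltrans0.ltrans.o: in function `do_ssh2_kex':
/build/openssh-8.7p1/sshd.c:2543: undefined reference to `FIPS_mode'
/usr/bin/ld: /tmp/ccAAAA.ltrans0.ltrans.o: in function `main':
/build/openssh-8.7p1/sshd.c:1934: undefined reference to `FIPS_mode'
/usr/bin/ld: /build/openssh-8.7p1/sshd.c:2151: undefined reference to `FIPS_mode'
/usr/bin/ld: /tmp/ccAAAA.ltrans7.ltrans.o: in function `choose_dh':
/build/openssh-8.7p1/dh.c:167: undefined reference to `FIPS_mode'
/usr/bin/ld: /tmp/ccAAAA.ltrans8.ltrans.o:/build/openssh-8.7p1/kexgen.c:318: more undefined references to `FIPS_mode' follow
collect2: error: ld returned 1 exit status
"""

# "in function `name':" header that ld prints before a group of call sites.
FUNC_RE = re.compile(r"in function `([^']+)':\s*$")
# "<source>:<line>: [more ]undefined reference[s] to `symbol'"
REF_RE = re.compile(r"([^\s:]+):(\d+): (more )?undefined references? to `([^']+)'")

def summarize_undefined(log):
    """Group ld 'undefined reference' diagnostics by missing symbol."""
    report = defaultdict(lambda: {"sites": [], "truncated": False})
    current_func = None
    for line in log.splitlines():
        m = FUNC_RE.search(line)
        if m:
            current_func = m.group(1)
            continue
        m = REF_RE.search(line)
        if not m:
            continue
        path, lineno, more, symbol = m.groups()
        entry = report[symbol]
        if more:
            # ld stops listing call sites here, so the site list is incomplete
            # and the enclosing function is not reported for this line.
            entry["truncated"] = True
            current_func = None
        source = path.rsplit("/", 1)[-1]
        entry["sites"].append((source, int(lineno), current_func))
    return dict(report)

if __name__ == "__main__":
    for symbol, info in summarize_undefined(SAMPLE_LOG).items():
        suffix = " (list truncated by ld)" if info["truncated"] else ""
        print(f"{symbol}: {len(info['sites'])} call sites{suffix}")
        for source, lineno, func in info["sites"]:
            print(f"  {source}:{lineno} in {func or '?'}")
```

A single missing symbol spread across many source files points at a header or library change rather than at the individual call sites.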

Comment 1 Dmitry Belyavskiy 2022-12-15 08:54:30 UTC
Yes, support for FIPS_mode is still here but we had to adjust the #include order to avoid cyclical dependencies. Will be fixed.

Comment 4 Chris Rapier 2022-12-15 15:07:39 UTC
Dmitry, 

Thanks for the update. Do you know when you'll be pushing out that fix? This problem is currently holding up a copr package distribution for CentOS Stream 9. Which isn't a huge deal but I'm concerned about the 3.0.7-2 release propagating out to other RH/Fedora distros which would be a larger issue.

Thanks for your time, 

Chris

Comment 5 Dmitry Belyavskiy 2022-12-15 19:16:45 UTC
I'll try to do it tomorrow but don't promise.

Comment 6 Dmitry Belyavskiy 2022-12-16 11:15:37 UTC
Done, should build now.

Comment 7 Chris Rapier 2022-12-16 17:23:58 UTC
Wonderful, thank you so much for the work. When do you expect this to get pushed out?

Thanks!

Comment 8 Dmitry Belyavskiy 2022-12-16 17:27:34 UTC
I've committed it but don't plan to run build soon if you don't insist.

Comment 9 Dmitry Belyavskiy 2023-01-05 18:39:20 UTC
Build is done.

Comment 13 Chris Rapier 2023-03-22 20:22:17 UTC
I'm seeing this problem cropping up again in the latest build of OpenSSL. I see that Fedora 38 and a number of other targets are using openssl-libs 1:3.0.8-1.fc39. Are you planning on forward porting FIPS mode to this release as well?

Comment 15 errata-xmlrpc 2023-05-09 08:24:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (openssh bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2554