gridcf / gct

Grid Community Toolkit
Apache License 2.0

Build error: undefined reference to `FIPS_mode' #207

Open uihsnv opened 1 year ago

uihsnv commented 1 year ago

When I build the project using make, I encounter the following error.

/bin/sh ./libtool --mode=link gcc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect2.o mux.o ssh-sk-client.o -L. -Lopenbsd-compat/  -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie  -lssh -lopenbsd-compat  /home/user/Applications/gct/gsi/gss_assist/source/libglobus_gss_assist.la /home/user/Applications/gct/gsi/gssapi/source/library/libglobus_gssapi_gsi.la /home/user/Applications/gct/common/source/library/libglobus_common.la  -lcrypto -lmd -lz  -lcrypt -lpthread 
libtool: link: gcc -o .libs/ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect2.o mux.o ssh-sk-client.o -Wl,-z -Wl,relro -Wl,-z -Wl,now -Wl,-z -Wl,noexecstack -fstack-protector-strong -pie  -L. -Lopenbsd-compat/ -lssh -lopenbsd-compat /home/user/Applications/gct/gsi/gss_assist/source/.libs/libglobus_gss_assist.so /home/user/Applications/gct/callout/source/library/.libs/libglobus_callout.so /home/user/Applications/gct/gsi/gssapi/source/library/.libs/libglobus_gssapi_gsi.so /home/user/Applications/gct/gsi/proxy/proxy_core/source/library/.libs/libglobus_gsi_proxy_core.so /home/user/Applications/gct/gsi/credential/source/library/.libs/libglobus_gsi_credential.so /home/user/Applications/gct/gsi/callback/source/library/.libs/libglobus_gsi_callback.so /home/user/Applications/gct/gsi/callback/source/library/oldgaa/.libs/libglobus_oldgaa.so /home/user/Applications/gct/gsi/cert_utils/source/library/.libs/libglobus_gsi_cert_utils.so /home/user/Applications/gct/gsi/sysconfig/source/library/.libs/libglobus_gsi_sysconfig.so /home/user/Applications/gct/gsi/openssl_module/source/library/.libs/libglobus_openssl.so /home/user/Applications/gct/gsi/proxy/proxy_ssl/source/library/.libs/libglobus_proxy_ssl.so /home/user/Applications/gct/gsi/openssl_error/source/library/.libs/libglobus_openssl_error.so -lssl /home/user/Applications/gct/common/source/library/.libs/libglobus_common.so -lltdl -lcrypto -lmd -lz -lcrypt -lpthread -pthread
/usr/bin/ld: ./libssh.a(kexgexc.o): in function `input_kex_dh_gex_group':
/home/user/Applications/gct/gsi_openssh/source/kexgexc.c:119: undefined reference to `FIPS_mode'
collect2: error: ld returned 1 exit status

The issue seems to be that the openssl library on my machine is version 3.0.7. But this merge should have fixed things: https://github.com/gridcf/gct/pull/159 . Is that not so?

If using the latest version of openssl is not possible, I can install version 1.1, but how do I tell make or configure to use that version?

uihsnv commented 1 year ago

Using the following environment variables seems to prevent the error:

export LDFLAGS="-L/usr/lib/openssl-1.1/"
export CPPFLAGS="-I/usr/include/openssl-1.1/"

But the binary that is detected during ./configure is still the newer version:

checking for openssl... /usr/bin/openssl

So I am not sure what's going on.

Is there no way to use v3.0 of OpenSSL?

fscheiner commented 1 year ago

> Is there no way to use v3.0 of OpenSSL?

Actually this should work and did in the past AFAIK.

Could you please add more details about your build process, e.g. which code base and which command lines did you use (especially for ./configure [...]) and on which OS are you doing this?

Afterwards give me a little time to look into this.

uihsnv commented 1 year ago

I attempted to use both a git clone as well as the latest source installer from https://repo.gridcf.org/gct6/sources/

The flags I passed to configure are:

./configure --prefix="/usr/local" --datarootdir="/usr/share" --enable-myproxy --disable-ccommonlibs --disable-gridftp --disable-gram5

I am running Arch Linux on my machine.

fscheiner commented 1 year ago

I think I forgot to include the fips_mode_replacement.h header file in https://github.com/gridcf/gct/blob/50fc40ba2eef7197a93807d2391c6dc3bb077a1b/gsi_openssh/source/kexgexc.c (like outlined here) when updating to GSI-OpenSSH 8.7p1. Which leads to:

[...]
/home/user/Applications/gct/gsi_openssh/source/kexgexc.c:119: undefined reference to `FIPS_mode'
[...]

Not sure why this doesn't trigger a problem on Rocky Linux 9 or CentOS Stream 9 which both use OpenSSL 3.x already.

Could you manually add the following line after #include "openbsd-compat/openssl-compat.h" in the above mentioned [...]/gsi_openssh/source/kexgexc.c file:

#include "fips_mode_replacement.h"

...and try again (but first read the part below)?

> The flags I passed to configure are:
>
> ./configure --prefix="/usr/local" --datarootdir="/usr/share" --enable-myproxy --disable-ccommonlibs --disable-gridftp --disable-gram5

I believe you need the "ccommonlibs" for GSI-OpenSSH to work - at least "libglobus_common" is a dependency for GSI-OpenSSH on CentOS 7. So please clean your build dir, reconfigure without --disable-ccommonlibs and try the build again (with the change proposed above).
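
A quick way to check a source tree for the condition described in the comment above (a file that calls FIPS_mode() without including fips_mode_replacement.h), as an added example that is not part of the thread or the GCT code base. The function names and the sample files are constructed for illustration, and the check is purely textual.

```shell
#!/bin/sh
# Added example (not GCT code): textual check for C files that call
# FIPS_mode() without including fips_mode_replacement.h.

# Print each *.c file under DIR ($1) that references FIPS_mode( but has no
# #include of fips_mode_replacement.h. Comments are not parsed.
find_missing_fips_include() {
    find "$1" -type f -name '*.c' | sort | while IFS= read -r f; do
        # Skip files that never call FIPS_mode().
        grep -Eq '(^|[^A-Za-z0-9_])FIPS_mode[[:space:]]*\(' "$f" || continue
        # Report the file if the replacement header is not included.
        grep -Eq '^[[:space:]]*#[[:space:]]*include[[:space:]]*"([^"]*/)?fips_mode_replacement\.h"' "$f" ||
            printf '%s\n' "$f"
    done
}

# Build a constructed sample tree (file bodies are made up for this demo,
# not copied from GSI-OpenSSH) and print its path.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    cat > "$root/kexgexc.c" <<'EOF'
#include "openbsd-compat/openssl-compat.h"
int kex_check(void) { return FIPS_mode(); }
EOF
    cat > "$root/fixed_sample.c" <<'EOF'
#include "openbsd-compat/openssl-compat.h"
#include "fips_mode_replacement.h"
int fixed_check(void) { return FIPS_mode(); }
EOF
    cat > "$root/no_fips_sample.c" <<'EOF'
int unrelated(void) { return 0; }
EOF
    printf '%s\n' "$root"
}

# Demo: only the file missing the include is listed.
demo_root=$(make_sample_tree) && {
    find_missing_fips_include "$demo_root"
    rm -rf "$demo_root"
}
```

In a checkout, the function can be pointed at the gsi_openssh/source directory to list any other files with the same omission before rebuilding.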

uihsnv commented 1 year ago

That seems to fix the issue. Thank you!

uihsnv commented 1 year ago

Also, a build-script is now available in the Archlinux User Repository: https://aur.archlinux.org/packages/gct

fscheiner commented 1 year ago

> That seems to fix the issue. Thank you!

Great! Interestingly, builds on ~Rocky Linux~ CentOS Stream 9 ~and (most likely CentOS Stream 9, too)~ start to fail now, too. No idea why they didn't fail earlier. :-/

> Also, a build-script is now available in the Archlinux User Repository: https://aur.archlinux.org/packages/gct

Nice. I already had a look. Say, why do you not intend to build the GridFTP server and client by default? It can be used with the same X.509 proxy certificates as GSI-OpenSSH or even so-called limited proxies that by default do not allow logins with GSI-OpenSSH, but only GridFTP.

uihsnv commented 1 year ago

I see. I had disabled it because I had not planned on using it. The AUR only serves these build-scripts directly, and not the built binaries. So users can always make modifications as needed.

But I have changed the script to enable GridFTP by default.

fscheiner commented 1 year ago

Kept open until next release.