Link error with openssl-1.1.1-c on AIX

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Link error with openssl-1.1.1-c on AIX

Bill Hallahan
To whom it may concern.

I am trying to build openssl-1.1.1-c on AIX using the xlc compiler.  I know Linux quite well, but only have passing knowledge of AIX.

This is the system. (The name is sanitized - I am paranoid about security).

bash-4.2$ uname -a
AIX sanitized 1 6 00CD1ECE4C00
bash-4.2$

I have found the c99 compiler and the xlc compiler seem to work best. The arguments produced by the following configuration command are not compatible with gcc.

   ./config -static no-ec no-mdc2 no-rc5 no-idea --openssldir=/path_sanitized

I would prefer to use the xlc compiler.

(I am still trying to figure out how to get the compiler version. "-V" does not work).

I was getting many linker errors, but I have fixed the Makefile to include certain libraries.  Now I just have one unresolved external, which is "ecp_nistz256_mul_mont".

This is the output of the link failure.

/usr/local/packages/vac_remote/9-sept2008/./usr/vac/bin/.orig/xlc: 1501-210 (W) command option t contains an incorrect subargument
ld: 0711-317 ERROR: Undefined symbol: .ecp_nistz256_mul_mont
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
make[2]: *** [apps/openssl] Error 8
make[2]: Leaving directory `/scratch/bhallaha/view_storage/bhallaha_o2_19_18_1_ossl/reliaty/web/openssl-1.1.1c'

I see a perl script related to the needed module and a number of assembly language files, and I presume only one is for AIX.

I've tried adding  -DECP_NISTZ256_ASM to the compile lines, but I still get that unresolved external.

Does anyone know what I need to do?  I'll eventually figure this out, but I'd like this to work as soon as possible.

    Regards,
         Bill



Reply | Threaded
Open this post in threaded view
|

Re: Link error with openssl-1.1.1-c on AIX

Viktor Dukhovni
On Wed, Jun 26, 2019 at 10:29:00PM +0000, Bill Hallahan wrote:

> I am trying to build openssl-1.1.1-c on AIX using the xlc compiler.  I
> know Linux quite well, but only have passing knowledge of AIX.
>
>    ./config -static no-ec no-mdc2 no-rc5 no-idea --openssldir=/path_sanitized

You're disabling elliptic-curve crytography for some reason, this
is generally unwise.

> I was getting many linker errors, but I have fixed the Makefile to include
> certain libraries.  Now I just have one unresolved external, which is
> "ecp_nistz256_mul_mont".

As a result that function is no longer-available, but it seems that
"no-ec" is not enough to suppress all the call-sites.  Your best bet
is to not specify "no-ec".

--
        Viktor.
Reply | Threaded
Open this post in threaded view
|

RE: Link error with openssl-1.1.1-c on AIX

Michael Wojcik
In reply to this post by Bill Hallahan
> From: openssl-users [mailto:[hidden email]] On Behalf Of Bill Hallahan
> Sent: Wednesday, June 26, 2019 16:29

> I am trying to build openssl-1.1.1-c on AIX using the xlc compiler.

> I have found the c99 compiler and the xlc compiler seem to work best. The arguments
> produced by the following configuration command are not compatible with gcc.

>   ./config -static no-ec no-mdc2 no-rc5 no-idea --openssldir=/path_sanitized

We run Configure rather than config, bootstrapping our AIX openssl build with:

$ ./Configure aix-cc threads enable-ssl3 no-ec2m no-idea no-rc5 enable-weak-ssl-ciphers no-shared -DOPENSSL_NO_AUTOLOAD_CONFIG --prefix=`pwd`/buildoutput --openssldir=`pwd`/buildoutput -qmaxmem=-1 -qlanglvl-stdc99 -qlanglvl=stdc99 -D_LARGE_FILES=1

(I'm not currently the maintainer of our OpenSSL build process, so I can't provide the rationale for all of that, but it's working in our environment.)

For 64-bit, use aix64-cc instead.

Now, that's what config ought to select, but I'm not a fan of config, personnally. For a repeatable build process I like to tell the OpenSSL build process how to configure itself.

> I would prefer to use the xlc compiler.

The "c99" and "xlc" commands both invoke the same compiler - IBM's XL C compiler (aka "C/Set", etc, in some releases). They just set different default options for things like language level and extensions.

> (I am still trying to figure out how to get the compiler version. "-V" does not work).

$ lslpp -i '*xlc*'

will list the LPPs (Licensed Program Products) that have "xlc" in the name. You should have one named xlccmp.X.Y.Z, followed by a handful with the same name variously suffixed (e.g. "xlccmp.13.1.0.lib"). The X.Y.Z are the XLC version.

For more info, run e.g.

$ lslpp -l xlccmp.13.1.0

which will show what patch level you're at.

The LPP stuff is one of the remaining AIXisms in AIX.

> I was getting many linker errors, but I have fixed the Makefile to include certain
> libraries.

That shouldn't be necessary, so it sounds like configuration did not run properly.

>   Now I just have one unresolved external, which is "ecp_nistz256_mul_mont".

Well, that does sound like an issue with the assembly routines, since there's a PPC version of that one (I think, glancing at the source). You could try configurinng with no-asm, but generally you only want to do that when diagnosing an issue, not for production use. (There's widespread opinion that OpenSSL is too slow for production use without the assembly routines. I think that depends on use cases, but it's a popular opinion.)

> I've tried adding  -DECP_NISTZ256_ASM to the compile lines, but I still get that
> unresolved external.

Trying to fool the configuration generally isn't a useful approach.

I suggest reconfiguring, using a variation on my command line above that includes the options you want. Or you might try mine verbatim (well, probably without --prefix and --openssldir) to see if it works, then change it to use your options to see if you can narrow down what's causing the issue.

Incidentally: why no-ec? Removing all ECC is going to give you a rather outdated set of crypto algorithms. If you're concerned about possible IP encumbrance, I'd recommend no-ec2m. (I am not a lawyer, but I'm happy to offer worthless legal advice on the Internet.)

--
Michael Wojcik
Distinguished Engineer, Micro Focus