building 0.8.11 with ssl and tls is broken

[terefang]

i see this command at the final linking stage:

x86_64-linux-musl-cc -Wall -Wundef -Werror=implicit-function-declaration \
-Wno-char-subscripts -Wno-pointer-sign -funsigned-char -Wno-restrict \
-Wno-format-overflow -I . -Os -ffunction-sections -fdata-sections \
-fno-asynchronous-unwind-tables -fno-strict-aliasing [lots of .o files] \
-Wl,--gc-sections -Wl,--as-needed --static \
-lcrypt -lcrypto -lm -lresolv -lssl -ltls -lutil -lz -o generated/unstripped/toybox

and receive a lot of the following errors:

/toolchain/bin/../lib/gcc/x86_64-linux-musl/10.2.1/../../../libssl.a(libssl_la-ssl_rsa.o): in function `ssl_use_certificate_chain_bio':
ssl_rsa.c:(.text+0x14ae): undefined reference to `PEM_read_bio_X509_AUX'
/toolchain/bin/../lib/gcc/x86_64-linux-musl/10.2.1/../../../../x86_64-linux-musl/bin/ld: ssl_rsa.c:(.text+0x1562): undefined reference to `PEM_read_bio_X509'
collect2: error: ld returned 1 exit status
make: *** [Makefile:17: toybox] Error 1

looks like the intended linking order becomes faulty because of the sort command in make.sh:70 ...

LIBRARIES=$(
  [ -z "$V" ] && X=/dev/null || X=/dev/stderr
  for i in util crypt m resolv selinux smack attr crypto z log iconv tls ssl
  do
    do_loudly ${CROSS_COMPILE}${CC} $CFLAGS $LDFLAGS -xc - -l$i >>$X 2>&1 \
      -o /dev/null <<<"int main(int argc,char*argv[]){return 0;}" &&
      echo -l$i &
  done | sort | xargs
)

at least for tls/ssl the library order should be:

-ltls -lssl -lcrypto -lz -lcrypt -lm

[landley]

Does LDFLAGS="--static -Wl,--start-group" work?

[landley]

The problem I'm having is I can dynamically pull in libssl from my host, but when I try to statically link additional libraries my build goes all /usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/8/libgcc_eh.a(unwind-dw2.o): in function uw_init_context_1': (.text+0x1de5): undefined reference to pthread_once'
which is libgcc_eh.a trying to pull in pthreads, and from there it goes /usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/8/../../../x86_64-linux-gnu/libcrypto.a(dso_dlfcn.o): in function dlfcn_globallookup': (.text+0x11): undefined reference to dlopen' which CAN'T work (you can't dlopen() from a static binary)...

You're saying you have a build environment in which statically linking libssl is possible in the first place, and I'm going... alpine maybe?

I tried to use the android NDK to statically build android_defconfig but that went ./lib/lsm.h:7:10: fatal error: 'selinux/selinux.h' file not found NDK r25c doesn't have selinux.h.

So I tried to set up a fedora kvm to test static libselinux building, but "sudo yum install glibc-static" there didn't give me static libraries for anything else (still only libselinux.so not .a)...

This is part of the reason I try to minimize build dependencies. The accelerators are available for android to use them, and Elliott tests them, but they tend to tangle for me.

[enh-google]

I tried to use the android NDK to statically build android_defconfig but that went ./lib/lsm.h:7:10: fatal error: 'selinux/selinux.h' file not found NDK r25c doesn't have selinux.h.

yeah, libselinux (which is code you should only look at on a strong stomach: SELinuxProject/selinux#417) is not part of the NDK.

This is part of the reason I try to minimize build dependencies. The accelerators are available for android to use them, and Elliott tests them, but they tend to tangle for me.

the rules around building these libraries are weird because of FIPS, but i can report "works for me!".

[landley]

Link order only matters for static libraries. I can maintain a magic link order (although I'd rather have the compiler just do --start-group and resolve it itself if that still works), but can't test it...

[terefang]

yes i am using musl static toolchain ... will try the option

[terefang]

TBO ... my build environment currently looks like this:

• Linux Mint 21.x aka. Ubuntu 22.04.x (glibc)
• static musl toolchain build using musl-cross-make
• maven based airlock build system

[terefang]

ok with the option the toybox binary builds fine.

the only warning i get is:

/toolchain/bin/../lib/gcc/x86_64-linux-musl/10.2.1/../../../../x86_64-linux-musl/bin/ld: 
missing --end-group; added as last command line option

[terefang]

i also tested the wget bugger, i was getting the build errors in the first place.

a simple toybox wget https://www.google.com worked.

[terefang]

could it make sense to add a STATIC_BUILD option to config that would set LDFLAGS="--static -Wl,--start-group" automatically ?

[landley]

Does commit 1b6d64f work for you?

[terefang]

test compiles ... ok
wget on https://www.google.com ... works

good work !

[oliverkwebb]

In case this is not known yet, this apparently breaks the build on MacOS:

ld: unknown option: --start-group

[terefang]

In case this is not known yet, this apparently breaks the build on MacOS:

ld: unknown option: --start-group

is that a missing feature of clang ?

[oliverkwebb]

Apparently, the fix for this seems pretty simple though. Some
stuff in portability.sh should fix it.

Actually, since we are doing -l, I don't even think we need the
start-group stuff, it compiles fine without it on my system

[terefang]

@landley after reading your blog, please pardon me as i was not observing enough.

i will keep using custom LDFLAGS for my buildsystem.

please keep up the good work !