[openssl-users] error when linking with OpenSSL library dynamically

Jakob Bohm jb-openssl at wisemo.com
Tue Feb 2 00:05:02 UTC 2016

On 01/02/2016 22:45, Viktor Dukhovni wrote:
> On Mon, Feb 01, 2016 at 10:21:49PM +0100, Martin Vegter wrote:
>> I have a C program, which is using AES routines from the OpenSSL
>> library. I have the necessary library installed (libssl-dev
>> 1.0.1e-2+deb7u19):
>>    $ ls /usr/lib/x86_64-linux-gnu/libcrypto.*
>>    /usr/lib/x86_64-linux-gnu/libcrypto.a
>>    /usr/lib/x86_64-linux-gnu/libcrypto.so
>>    /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
>> I can compile my program statically:
>>    gcc -s -o aes aes.c /usr/lib/x86_64-linux-gnu/libcrypto.a
>> but when i try to compile it dynamically, I get following error:
>>    $ gcc -s -o aes aes.c -lcrypto
>>    /tmp/ccofFr4N.o: In function `encrypt':
>>    aes.c:(.text+0x9f): undefined reference to `aesni_set_encrypt_key'
>>    aes.c:(.text+0xd9): undefined reference to `aesni_cbc_encrypt'
>>    aes.c:(.text+0x1a0): undefined reference to `aesni_cbc_encrypt'
>>    /tmp/ccofFr4N.o: In function `decrypt':
>>    aes.c:(.text+0x2d4): undefined reference to `aesni_set_decrypt_key'
>>    aes.c:(.text+0x31e): undefined reference to `aesni_cbc_encrypt'
>>    collect2: error: ld returned 1 exit status
> You're using internal function names that are not exported by the
> libcrypto shared library on Debian systems.  Use the EVP interface.
> In future versions of OpenSSL constrained visibility of shared
> library symbols will be extended to more platforms (than just Debian
> where the export list was created by the Debian package maintainer).
> The EVP interface is faster on many systems (supports AES-NI on
> suitably capable Intel CPUs) and also safer (avoids timing
> side-channels).
The OP is already invoking the AES-NI functions (those are in fact
the ones failing).

As for the side channel protection: Is this really restricted to
the EVP interface (which would be a security bug in 1.0.x), or is
it simply that the EVP interface does not expose certain lower
level APIs that can be accidentally invoked without side channel
protection options?


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160202/fa0c8550/attachment.html>

More information about the openssl-users mailing list